WildPackets markets several versions of OmniPeek with increasing feature sets, up to the OmniPeek Enterprise version with Enhanced Voice Option. We were sent the OmniPeek Workgroup Pro version to test. OmniPeek runs on engines that can be situated in remote locations (think branches), letting OmniPeek peek in on branch operations for diagnostic purposes. It's a Windows XP SP2-only platform that tracks many protocols, including VoIP.
OmniPeek's analysis method has an interesting architecture: everything is ignored unless it is specifically selected to be watched. A long, rich list of protocols can be actively selected for examination, along with attack-specific filters (such as worm traffic and damaged-packet errors that indicate distributed denial-of-service attacks) and packets associated with specific services (including DNS requests, VoIP and HTTP traffic).
Filters can be constructed and turned on, leaving it up to operators to build what they believe will be a sufficient filter list, along with triggers. However, some conditions don't require a quantity or quality setting; the mere appearance of a condition can be sufficient to trigger an alarm.
As previously mentioned, OmniPeek connects with the Cognio spectrum analyzer card, which lets a notebook user gauge and identify radio-frequency noise using the card's antenna. Interfering sources can be identified, and it often recognizes the interfering signal type by device, such as a noisy microwave oven or a 2.4GHz wireless phone.
The OmniEngine core-sniffing application can be remotely or locally deployed. The engine doesn't have an easily downloadable installation routine (you need the product CD and appropriate license) for remotes, but we found installation to be reasonable, covering a spread of popular network cards.
Filters for common virus and worm traffic are available from WildPackets' Web site. These filters can be used to set alarms in monitor mode or for later analysis of specific captures. Packet pattern matching was simple to use with the filters, and we could change them on the fly without having to stop our packet captures.
You have to set up the filters to bring OmniPeek to a useful state, but this is helped dramatically with a highly useful visual filter editor.
The selection-capture templates for the WLAN channels (802.11a, b and g) were easy to set up, and contained several selections and combinations that could be saved and progressively tailored as needed. Notes can be added to packets or portions of traces for later review as things get busy during capturing sessions. Instructions about how to set up the filters were explicit and useful, but we found it helpful to understand the types of 802.11 attacks in order to get the best results from the filters.
In testing, our MAC spoof and 802.11 auth flood (and others) were easily detected, though the auth flood was slightly misidentified as a multicast storm, which has similar characteristics. We then built a filter to describe how to recognize and make an alarm from the auth flood we had seen. A dictionary attack also was identified in this way.
The lesson we learned was to pay attention to multicast storms, as they may be one of several kinds of attacks -- it's a catch basin for OmniPeek, and a few custom filters will be needed.
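As an added example, not part of the review or of WildPackets' software, the following filter logic separates the two conditions the review found OmniPeek conflating: an 802.11 authentication flood (a burst of management frames with the Authentication subtype, typically from many spoofed sources toward one BSSID) and a multicast storm (a burst of data frames to group addresses). The frame records, thresholds and MAC addresses are all constructed assumptions an operator would tune per site.

```python
from dataclasses import dataclass

MGMT, DATA = 0, 2        # 802.11 frame types (1 is control, not used here)
AUTH_SUBTYPE = 0x0B      # management subtype: Authentication


@dataclass
class Frame:
    ts: float    # capture timestamp in seconds
    ftype: int   # frame type
    subtype: int
    src: str     # transmitter MAC
    dst: str     # receiver MAC


def is_multicast(mac: str) -> bool:
    # Group-address bit is the least-significant bit of the first octet.
    return int(mac.split(":")[0], 16) & 1 == 1


def classify(frames, window=1.0, auth_threshold=50, mcast_threshold=200):
    """Return alarm labels for frames within `window` seconds of the first one.
    Thresholds are assumed values, not WildPackets defaults."""
    if not frames:
        return []
    t0 = frames[0].ts
    recent = [f for f in frames if f.ts - t0 <= window]
    auth = [f for f in recent if f.ftype == MGMT and f.subtype == AUTH_SUBTYPE]
    mcast = [f for f in recent if f.ftype == DATA and is_multicast(f.dst)]
    alarms = []
    if len(auth) >= auth_threshold:
        # Many distinct source MACs toward one AP is the flood signature.
        sources = len({f.src for f in auth})
        alarms.append(f"auth-flood: {len(auth)} auth frames from {sources} sources")
    if len(mcast) >= mcast_threshold:
        alarms.append(f"multicast-storm: {len(mcast)} group-addressed data frames")
    return alarms


def sample_auth_flood(n=120):
    """Constructed capture: n auth frames to one BSSID from spoofed sources."""
    return [Frame(i * 0.005, MGMT, AUTH_SUBTYPE,
                  f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "00:11:22:33:44:55")
            for i in range(n)]


def sample_multicast_storm(n=300):
    """Constructed capture: n data frames to an IPv4 multicast MAC."""
    return [Frame(i * 0.002, DATA, 0, "00:aa:bb:cc:dd:01", "01:00:5e:00:00:fb")
            for i in range(n)]
```

Because the two conditions are counted on different frame types and address classes, a burst of one never raises the other alarm, which is the distinction the review's custom filter had to supply.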
OmniPeek can send alarms as SNMP traps to SNMP-management platforms, syslog applications (and those that analyze them) or via e-mail. In this regard -- messaging of alarm conditions -- OmniPeek excelled over the other products tested.
OmniPeek's reports were lacking, though this category of product is usually designed for field analysis. Reports lacked formatting or correlation and were inarticulate compared with the other products tested. The OmniReport service, which ostensibly provides better reporting, wasn't compatible with the Workgroup Pro version we received, so Enterprise version users may have more luck than we did.