Traffic View

The Traffic View is the most feature-rich component in Ubiqua. This chapter describes the full functionality of the Traffic View including instructions on topics such as: how to manage capture files, the actions that can be performed with packets selected on the grid, how to filter packets, and other related features.

The Traffic View is mainly composed of 2 components: a grid, and a set of toolbars (see the figure below). The grid shows all the packets captured with devices or loaded from capture files. Toolbars provide access to most of the functionality available throughout the system and because of this, the Traffic View can be seen as the central point of Ubiqua. Many of the actions performed on it produce changes or updates in other views. For instance, selecting a packet on the grid changes the Packet View contents. Also, actions in other views could cause the Traffic View to update its contents. For instance, starting a sniffer in the Device Manager will cause the grid to update itself to show incoming packets.

The following image depicts a traffic view with some packets captured. Also, note that the first column shows an icon that depicts additional information about the packet on its corresponding row, for example whether there's a comment for the packet (call out icon), if there was an error when decoding (cross mark icon) or if the packet was encrypted (closed lock) and the decryption was successful (open lock).

Color Codes

The Traffic View provides a helpful coloring scheme to easily identify the layer and protocol for each packet captured. The following table lists the available options:

Layer Color  Name                        Protocol
Dark Green   TCP                         Thread, Zigbee IP, IP
Dark Green   UDP                         Thread, Zigbee IP, IP
Dark Green   ICMPv6                      Thread, Zigbee IP, IP
Dark Green   HTTPS                       Thread, Zigbee IP, IP
Dark Green   PANA                        Thread, Zigbee IP, IP
Dark Green   mDNS                        Thread, Zigbee IP, IP
Dark Green   MLE                         Zigbee IP, IP
Orange       MLE                         Thread
Light Green  CoAP                        Thread, Zigbee IP, IP
Dark Blue    Ethernet                    Thread, Zigbee IP, IP
Purple       HTTP                        Thread, Zigbee IP, IP
Orange       SE2                         Zigbee IP, IP
Orange       JenNet-IP                   JenNet-IP
Gray         MAC-Beacon                  Zigbee IP, Thread, Zigbee
Brown        Mac-Data                    Zigbee IP, Thread, Zigbee
Black        MAC-Acknowledgement         Zigbee IP, Thread, Zigbee
Red          MAC-Command                 Zigbee IP, Thread, Zigbee
Red          NetBios                     Zigbee IP, Thread, Zigbee
Gray         PopNet-Beacon               PopNet
Brown        PopNet-Mac-Data             PopNet
Black        PopNet-MAC-Acknowledgement  PopNet
Red          PopNet-MAC-Command          PopNet
LightGreen   PopNet-APP                  PopNet
LightBlue    PopNet-NWK                  PopNet
Black        Pop-Nwk_Acknowledgement     PopNet
Purple       DHCPv6                      Thread, Zigbee IP, IP
Purple       DTLS                        Thread, Zigbee IP, IP
DarkGreen    ZDP                         Zigbee
LightGreen   ZCL                         Zigbee
Purple       APS                         Zigbee
DarkBlue     NWK                         Zigbee
DarkBlue     NWK-GP                      Zigbee
LightBlue    6LoWPAN                     Zigbee IP, Thread
DarkGreen    EAP                         Zigbee IP
LightBlue    IPv4                        Thread, Zigbee IP, IP
Red          IPv6                        Zigbee IP, Thread, Zigbee, IP

Timestamp & Time Delta

The Timestamp column displays the exact date and time when a data packet was captured. You can choose one of 2 formats in which the information is displayed: 'Date and time' or just 'Time'. To configure it, click the Tools > Options menu item and select the 'Traffic' tab. At the bottom of the tab body are the 'Date and Time' and 'Only time' radio buttons. Select one of these options and then click the 'OK' button to set the format in which information will be displayed in the Timestamp column.

The Time Delta is the time interval between 2 captured packets, which is calculated based on the elapsed time from the previous packet regardless of its source network or channel. In case a data filter is applied to the capture, the time intervals will be recalculated based on the result.

Capture Files

Ubiqua uses capture files not only to store the packets you see in the Traffic View, but also to store other data such as the layout and settings of the nodes in the Graphic View, or the security keys used for decoding. When saving a capture, the data available in all views is retrieved and stored into a new file. Note that this process does not store decoded data, so when you open a capture file all the stored packets will be decoded again to populate data in all views.

Saving Capture Files

To save the available capture data into a new file, follow these steps:

  1. Start the Save As dialog by either selecting the File > Save Capture As… menu item, clicking the Save Capture toolbar button (see the figure below), or pressing Ctrl+S on your keyboard.

  2. Select the location where you want to store the new capture file, specify the file name, and press the Save button. Ubiqua capture files have the .cubx file extension but you can also save the capture in the .cubx and .pcap file formats.

  3. A progress dialog will appear showing the status of the save process.

Opening Capture Files

The process to open a capture file is very similar to saving:

  1. Start the Open dialog by either selecting the File > Open Capture menu item, clicking the Open Capture toolbar button (see the above figure), or pressing Ctrl+O on your keyboard.

  2. Select or specify the capture file and press the Open button. In addition to its own .cubx format, Ubiqua supports opening captures in a number of other file formats such as .dcf and .pcap. If the capture file does not hold protocol information, a dialog opens at that time with the available protocols, and the user can select one of them to decode the capture.

  3. A progress dialog will appear showing the status of the opening process. Note that depending on the file size (directly related to the number of packets stored), this process may take some time as the contained packets are being decoded on the fly to populate data in the corresponding views.

Merge Capture Files

This feature allows the user to merge .cubx files. The process consists of bringing together in one file all the packets from the different source files, ordering them chronologically and, in the case of Zigbee frames, detecting duplicates and either marking them with a comment or deleting them.

To use this feature, click the Tools > Merge Captures menu item or press Ctrl+M on your keyboard; a dialog window will appear. The toolbar area of the window contains the following controls. The Add Capture button adds capture files to the list of files to merge; a maximum of ten files can be added to the list. The Remove button, which works once capture files have been loaded, removes one file from the list: click the item you want to delete and then click the Remove button. Next to it, the Remove All button clears the list, either by pressing the button or with the Ctrl+Delete combination on your keyboard. Finally, there is a combo box with 2 options: the default option, Comment Duplicates, adds a comment to packets that are duplicated, and the Remove Duplicates option deletes packets that appear more than once in the merged capture file.

Once you have a list of selected files, click the Merge Captures button at the bottom right of the window. A browse window will appear where you indicate the location and name of the merged file; then save it.

Once the new file is generated, a notification will appear asking if you want to open the new merged file. To accept, press the Yes button, and the new file will be loaded in the Traffic View. If you want to open it later, press the No button or just close the notification. After this action the merged file list will be cleared, letting you make a new merge if needed.
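
The merge steps described above (combine, order chronologically, then comment or remove duplicates), sketched as an added example that is not Ubiqua's own code. The packet fields ts and raw, the sample frames, and the duplicate rule (identical raw bytes within a short time window) are assumptions made for this example; the page does not state how Ubiqua detects duplicates.

```python
import heapq

# Assumption for this example: two frames are duplicates when their raw bytes
# are identical and they were captured within DUP_WINDOW seconds of each other.
DUP_WINDOW = 0.005

def merge_captures(captures, mode="comment"):
    """Merge time-sorted packet lists; mode is "comment" or "remove"."""
    if len(captures) > 10:
        raise ValueError("at most ten capture files can be merged")
    merged, last_seen = [], {}
    # heapq.merge interleaves already-sorted inputs in chronological order.
    for packet in heapq.merge(*captures, key=lambda p: p["ts"]):
        first = last_seen.get(packet["raw"])
        is_dup = first is not None and packet["ts"] - first["ts"] <= DUP_WINDOW
        if not is_dup:
            last_seen[packet["raw"]] = packet
            merged.append(dict(packet))
        elif mode == "comment":
            note = f"Duplicate of packet at {first['ts']:.3f}"
            merged.append({**packet, "comment": note})
        # mode == "remove": the duplicate is dropped from the merged result
    return merged

# Constructed sample frames (hex bytes invented for the example).
FRAME_1 = bytes.fromhex("6188a1cdab0000341208")
FRAME_2 = bytes.fromhex("6188a2cdab3412000008")

# Two sniffers that overheard the same network; timestamps in seconds.
SNIFFER_A = [{"ts": 1.000, "raw": FRAME_1}, {"ts": 1.020, "raw": FRAME_2}]
SNIFFER_B = [{"ts": 1.001, "raw": FRAME_1}, {"ts": 1.500, "raw": FRAME_1}]

if __name__ == "__main__":
    for row in merge_captures([SNIFFER_A, SNIFFER_B], "comment"):
        print(f"{row['ts']:.3f}", row["raw"].hex(), row.get("comment", ""))
```

The frame seen at 1.500 has the same bytes as the first one but falls outside the window, so it is kept as a separate packet rather than treated as a duplicate.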


Auto Scroll and Selection

The Traffic View features two options that are useful to track the latest packet on the grid: Auto Scroll and Auto Select. The Auto Scroll option moves the scroll position to bring into view the latest packet captured, while the Auto Select option selects the latest captured packet (which also brings its contents into the Packet View). To activate or deactivate these options, use their corresponding toolbar toggle buttons (see the above figure).

Clear

The clear functionality resets all the information available for 4 different types of data (see below). It is accessible from the Clear toolbar button (see the figure above), and you can choose any or all types of data to clear by clicking the down arrow next to the Clear button.

The types of data to clear are:

  • Clear Packets – Removes all the packets in the Traffic View.

  • Clear Nodes – Clears the nodes information in the Graphic View, the Network Explorer and the properties window.

  • Clear Security Keys – Removes the security keys stored in the keychain. (For more info see security keys).

  • Clear Addresses – Removes the network addresses listed in the addresses table in the Security tab of the Options window.

Go To Packet

This feature is similar to the Auto Scroll and Auto Select options. The difference is that this option will scroll to and then select, not the latest packet, but the packet with the ID you specify. To start using this option, click the Go To Packet toolbar button (see the figure above), or press the Ctrl+G keys on your keyboard. A pop-up box will appear at the top right area of the Traffic View. Type the ID of the packet you want to look for and then press Enter. The grid will scroll and the packet will be selected. If the ID you specified does not correspond to any of the available packets, you will hear an exclamation sound. Close the pop-up by clicking the × button or pressing the Esc key.

Find Packets

This tool allows you to quickly run a detailed keyword search over the information contained in each packet of the Traffic View.

To start using this feature, click the Tools > Find menu item or press Ctrl+F on your keyboard. A search bar will appear at the bottom of the Traffic View. Next to the Find label there is a text input where you type the keyword you are looking for, which must have a minimum length of 3 characters. Then click the arrow buttons at the right of the text input to select the next or previous packet that matches the search criteria. If the typed word does not match the information contained in the Traffic View, a label will say No match found; otherwise, a label will indicate which match in the list you are at and the total number of matches for that keyword.

When you navigate through the matches, the packets that contain the searched word are highlighted, making the search easier.

At the right end of the Find bar there is a three-dotted icon button that, when pressed, shows a context menu with 3 different checkbox options: "Display all packets", which is the default option and shows all the packets; "Display only matches", which shows only those packets that match the search string typed in the text input; and "Hide all matches", which hides the packets that match the search criteria. To re-display all packets, check the default option "Display all packets" or just close the Find bar.

Changing Protocol Stacks

This feature allows you to change the protocol stack of the packets already available in Ubiqua. The change protocol process will clear all the current capture data, apply the changes you selected, and then re-decode all the packets, producing new capture data. To start the process you must stop all capturing devices, then click the Change Protocol Stack toolbar button or press the Ctrl+H keys on your keyboard. The Change Protocol Stack dialog will appear (see the figure below). In it, you can set which protocol stack will be used to re-decode the packets on a given channel (for a list of the available stacks see Supported Protocols).

There is also the option to set a new protocol stack in combinations of target channels and PAN IDs, giving you a fine-grained control over the changes. Once you have selected the new stacks, press the Apply button. After this point, all capture data will be cleared and the packets will be re-decoded using your settings (a progress bar will show you the status).

Please note that devices retain their own protocol setting. The change protocol stacks feature only affects previously captured packets.

Commenting Packets

Ubiqua features the ability to annotate the packets shown in the Traffic View. Capture files store this information so you will be able to share insights about packets with other Ubiqua users, or just give you the opportunity to store notes about your capture analysis.

To start using comments, select a packet on the grid. Right click on it to open the contextual menu and select the Add Comment menu item. The Comments dialog will appear (see the figure below), write your notes and press the OK button. To see the comment, just move the mouse cursor over the row header and it will display the comment on a tooltip. To delete a packet's comment from the grid, right click on it, and select the Delete Comment menu item.

The comments toolbar has 3 buttons (see image below): the first one opens the Comments dialog (where you can edit or delete the comments), and the Go To Previous/Next Comment buttons scroll the grid and select the previous or next commented packet.

Filtering Packets

There are certain times in which you don't want to see all the captured packets but a subset of them. To help with overload, Ubiqua features the ability to filter packets and show only the ones that fulfill a certain logical expression.

Filters are managed through the filters toolbar at the top of the Traffic View (see below).

To create a new filter, click the Add Filter toolbar button. The Add Filter dialog will appear (see the figure below). You will find it very similar to the ones used to create playlists on music players. The dialog allows you to define filters by combining a set of rules grouped by a "match all" or "match any" operation. Each rule is composed of a field, an operator, and a set of values. You can also specify subsets of rules for complex scenarios. A field is an element whose value can be obtained by decoding the packet, the operator defines the condition the field value must satisfy, and the set of values (which can vary depending on the operator used and the data type of the field) specifies the expression values that will be used to evaluate the rule.

The figure below shows an example. The "OTA and length is 20 or 32" filter is composed of a simple rule and a rule group. Both rules must be matched. The first one asks to filter packets whose Channel is in the range of 11 to 25. The rule group asks to match any of 2 sub-rules, the first is that Length is equal to 20, and the second is that Length is equal to 32.
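
The rule structure above and the Time Delta recalculation described under Timestamp & Time Delta, written out as an added example that is not Ubiqua's code. The operator names, the packet dictionaries, the choice to treat a missing field as a non-match, and the 0.0 delta for the first shown packet are assumptions made for the example.

```python
from dataclasses import dataclass

# Operators a rule may use; this set is an assumption chosen for the example.
OPERATORS = {
    "equals": lambda value, args: value == args[0],
    "in_range": lambda value, args: args[0] <= value <= args[1],
}

@dataclass
class Rule:
    field: str
    operator: str
    values: tuple

    def matches(self, packet):
        # A packet whose decode lacks the field cannot satisfy the rule.
        if self.field not in packet:
            return False
        return OPERATORS[self.operator](packet[self.field], self.values)

@dataclass
class Group:
    mode: str    # "all" or "any"
    rules: list  # Rule objects or nested Group objects

    def matches(self, packet):
        combine = all if self.mode == "all" else any
        return combine(rule.matches(packet) for rule in self.rules)

def apply_filter(flt, packets):
    """Return matching packets with Time Delta recomputed over the result."""
    shown, previous = [], None
    for packet in packets:
        if not flt.matches(packet):
            continue
        delta = 0.0 if previous is None else round(packet["Timestamp"] - previous, 6)
        shown.append({**packet, "TimeDelta": delta})
        previous = packet["Timestamp"]
    return shown

# The "OTA and length is 20 or 32" filter from the text.
OTA_FILTER = Group("all", [
    Rule("Channel", "in_range", (11, 25)),
    Group("any", [Rule("Length", "equals", (20,)), Rule("Length", "equals", (32,))]),
])

# Constructed sample packets (timestamps in seconds), not from a real capture.
PACKETS = [
    {"Id": 1, "Timestamp": 0.000, "Channel": 11, "Length": 20},
    {"Id": 2, "Timestamp": 0.004, "Channel": 11, "Length": 5},
    {"Id": 3, "Timestamp": 0.010, "Channel": 26, "Length": 32},
    {"Id": 4, "Timestamp": 0.025, "Channel": 15, "Length": 32},
    {"Id": 5, "Timestamp": 0.040, "Length": 20},
]
```

With the filter applied, packet 4 reports its delta relative to packet 1, the previous packet still shown, instead of relative to packet 3.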

Once filters have been created, select one from the Filters selection in the Filters toolbar and click the Apply Filter toolbar button. If there is not enough decoded information available to compute the filter, packets will be decoded again to retrieve any additional data needed to apply the filter. Once a filter has been applied, Ubiqua will only show the packets that the filter allows, even when capturing new packets from devices. To edit the selected filter, click the Edit Filter toolbar button; to remove it, click the Delete Filter toolbar button.

Filters are not stored on capture files. They will be stored on the environment and they will be available as long as you don't delete them. As with the layout of the views, they can be stored on an Environment File (more details on this in Setting Preferences).

Exporting Packets

If you need to extract packets from your capture in a different file format (not just a capture file), you can export the selected packets in the Traffic View. To start the export process, select the packets you want to export, go to the File menu and choose the Export Packets item. Note that in order to select packets in the Traffic View, you must disable both the "Auto Select Last Packet" and the "Auto Scroll" options.

You can export either all the packets or only the selected packets in the following file formats: .xls (Microsoft Excel spreadsheets), .csv (Comma Separated Values), .opml (Outline Processor Markup Language), and .txt (simple text files). The .opml and .txt file formats will include all the decoded data of the packets while the .xls and .csv file formats will only include the data shown in the columns of the Traffic View.

Copying a Packet

You can copy a packet as it appears in the Traffic View or the Packet View's tree by selecting the packet you want to copy, right clicking on the selection and choosing the Copy menu item. The clipboard will store the selected packet data, which can be pasted into any text editor. When traffic is being captured at fast rates, it is recommended to disable the "Auto Scroll" and "Auto Select Last" options to easily select the packet from the Traffic View.