Color Filtering Error Messages
Color filters in Network Monitor are a simple way to make particular frames stand out in a trace. In a large trace the important frames are easy to miss: the sheer volume of traffic is a poor backdrop against which to catch the errors that occur. This post focuses on building a color filter that makes application-level error responses stand out.

The Protocols

For this post I concentrate on protocols above the transport layer: Kerberos, LDAP, SMB and HTTP. I could have dug into TCP or ICMP as well, but errors in those protocols are a different class; a TCP reset, for instance, does not always indicate a problem. These four should give you enough background to build color filters that flag errors in the other protocols you work with.

Kerberos

We'll start with the simplest filter. The Kerberos parser builds a structure called "KrbError" only when it sees a KRB-ERROR message, so we can flag every Kerberos error by filtering on frames in which that structure exists. In the filter language, the name of a structure or field on its own tests for its presence.

                KrbError

LDAP

For LDAP we want frames whose LDAPResult carries a non-zero ResultCode. Because of a quirk in the filter engine, we can't simply test for a ResultCode that is not zero. Instead the filter matches frames that have a ResultCode at all and whose result description string does not contain "Success".

(!LDAPResult.ToString.contains("Success") && LDAPResult.ResultCode)

I also want to flag LDAP AbandonRequest operations, since a client abandoning an outstanding request may also be a sign that something went awry. The following filter catches them.

                (LDAPAbandonRequest)

HTTP

HTTP returns a status code of 400 or larger when an error occurs (4xx client errors and 5xx server errors). The catch is that the parser exposes the status code as a string, so a numeric comparison won't work directly. This filter uses the StringToNumber plug-in to convert the value to a number first so the mathematical operators apply.

http.Response.StatusCode.StringToNumber >= 400

SMB

SMB carries an NTStatus code that is non-zero when an error occurs. The only adjustment here is to ignore one specific value. SMB returns STATUS_MORE_PROCESSING_REQUIRED (NTSTATUS 0xC0000016, whose low-order Code field is 22) during a multi-leg session setup, when the server needs another round trip to finish authentication. That isn't really an error, so the filter excludes that value.

smb.NTStatus.Code != 0 AND smb.NTStatus.Code != 22

Creating the Color Filter

Now that we've decided what to flag, it's time to create the color filter. Go to the Filter menu, open the Color Filter dialog, click Add and paste the following.

(KrbError)

OR

(smb.NTStatus.Code != 0 AND smb.NTStatus.Code != 22)

OR

(!LDAPResult.ToString.contains("Success") && LDAPResult.ResultCode)

OR

(LDAPAbandonRequest)

OR

(http.Response.StatusCode.StringToNumber >= 400)

Then choose a color (I chose red) and exit. Any frame that matches the filter will now be shown in red. Color filters are global to NM3.1, so any new instance of NM3, and any new trace you open, will use the new color filter automatically.
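The combined filter above, re-expressed as an added Python example that is not part of the original post and does not use Network Monitor's API: each per-protocol condition becomes a function, and the four are OR'ed together exactly as in the color filter. The frame dictionaries, their key names (which imitate the NM3 field paths) and the sample values are constructed for this example, so they show the filter's logic rather than how NM3 stores frames.

```python
# Added example: the combined NM3 color filter from this post, re-expressed in
# Python and run over a few hand-constructed "frames". The frame dictionaries
# and their keys are an assumption made for this example; they imitate the NM3
# field paths used in the filter (KrbError, LDAPResult.ResultCode,
# http.Response.StatusCode, smb.NTStatus) but are not Network Monitor's data model.

STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016  # returned during multi-leg SMB session setup


def ntstatus_code(ntstatus: int) -> int:
    """Low 16 bits of an NTSTATUS value, the part smb.NTStatus.Code exposes (0xC0000016 -> 22)."""
    return ntstatus & 0xFFFF


def krb_error(frame: dict) -> bool:
    # Kerberos: the parser builds a KrbError structure only for KRB-ERROR messages,
    # so the mere presence of the field is the condition.
    return "KrbError" in frame


def ldap_error(frame: dict) -> bool:
    # LDAP: mirror the post's workaround. Flag when a ResultCode exists and the
    # description does not read as success, plus any AbandonRequest.
    if "LDAPAbandonRequest" in frame:
        return True
    result = frame.get("LDAPResult")
    if not result or "ResultCode" not in result:
        return False
    return "Success" not in result.get("ToString", "")


def http_error(frame: dict) -> bool:
    # HTTP: the status code is carried as a string, so convert before comparing.
    # A non-numeric status is treated as malformed and flagged; that is a choice
    # made in this example, not something the post specifies for StringToNumber.
    status = frame.get("http.Response.StatusCode")
    if status is None:
        return False
    try:
        return int(status) >= 400
    except ValueError:
        return True


def smb_error(frame: dict) -> bool:
    # SMB: any non-zero NTSTATUS except STATUS_MORE_PROCESSING_REQUIRED, whose
    # Code field is 22 and which is normal while session setup is still in progress.
    ntstatus = frame.get("smb.NTStatus")
    if ntstatus is None:
        return False
    code = ntstatus_code(ntstatus)
    return code != 0 and code != ntstatus_code(STATUS_MORE_PROCESSING_REQUIRED)


def should_color(frame: dict) -> bool:
    """The OR of the four per-protocol conditions, i.e. the combined color filter."""
    return krb_error(frame) or ldap_error(frame) or http_error(frame) or smb_error(frame)


def flagged_frames(frames: list) -> list:
    """Return the frame numbers the color filter would paint red."""
    return [f["FrameNumber"] for f in frames if should_color(f)]


# Constructed sample trace (not a real capture). Values are made up to
# exercise each branch of the filter, including the two that must NOT match.
SAMPLE_FRAMES = [
    {"FrameNumber": 1, "KrbError": {"ErrorCode": "KDC_ERR_PREAUTH_REQUIRED"}},
    {"FrameNumber": 2, "LDAPResult": {"ResultCode": 0, "ToString": "Success"}},
    {"FrameNumber": 3, "LDAPResult": {"ResultCode": 49, "ToString": "InvalidCredentials"}},
    {"FrameNumber": 4, "LDAPAbandonRequest": {"MessageID": 7}},
    {"FrameNumber": 5, "http.Response.StatusCode": "200"},
    {"FrameNumber": 6, "http.Response.StatusCode": "404"},
    {"FrameNumber": 7, "http.Response.StatusCode": "503"},
    {"FrameNumber": 8, "smb.NTStatus": 0x00000000},
    {"FrameNumber": 9, "smb.NTStatus": STATUS_MORE_PROCESSING_REQUIRED},
    {"FrameNumber": 10, "smb.NTStatus": 0xC000006D},  # STATUS_LOGON_FAILURE
    {"FrameNumber": 11, "smb.NTStatus": 0xC0000022},  # STATUS_ACCESS_DENIED
]

if __name__ == "__main__":
    print("flagged:", flagged_frames(SAMPLE_FRAMES))  # [1, 3, 4, 6, 7, 10, 11]
```

Run as a script it prints the frame numbers the filter would paint red. Frame 2 (an LDAP success) and frame 9 (STATUS_MORE_PROCESSING_REQUIRED mid-way through session setup) fall through, while the logon failure and access-denied responses are flagged, which is exactly the behaviour the combined filter is meant to have.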

Expand to Your Favorite Protocols

You can continue doing this for every protocol you work with. Sometimes finding the right filter expression is the trick, so hopefully these examples show a few different ways of going about it.