BLOG     |     FORUM
The Visual Breakout

"Say goodbye to raw hex dumps and navigation trees"

The visual breakout is one of the key innovations in Unsniff. This type of layout is quite common in text books, protocol design guides, RFCs, teaching aids, and protocol specifications. Despite its widespread use, there is no network analyzer which can produce this representation. Unsniff is the first network analyzer which can draw these diagrams on the fly for all protocols. No more wading through hard to understand tree views or raw hex dumps. Any plugins written by you using the Unsniff API will automatically avail of all the features of Unsniff including the visual breakout.

Special Note: Instructors of Networking Courses - you will be amazed how much the Visual Breakout cuts the communication gap between you and your students.

Visual Breakout Areas

The visual layout consists of these areas (see image shown below) The Visual Breakout picture

Mini Breakout Shows a small box with a summary of that layer
Full Visual Breakout Shows each field in a protocol in a intuitive diagram
Bit Flags Breakout For bit fields, this accounts for each bit in the field
Expand / Collapse Collapses a full breakout into a mini breakout, expands a mini breakout into a full breakout
Field LabelsThese labels provide more useful information about a protocol field

Key Features of The Visual Breakout

 

  • Collapses into a Mini Layout if you are not interested in the detail for a given layer.
  • Provides field level Bubble Help. (See image shown below) Full Bubble help is available for all fields
  • Colors records within a protocol
  • Can breakout flags into individual bits
  • Provides a Bit Flags Layout
  • Can label individual fields via a caption
  • Uses an intelligent layout algorithm specifically designed by Unleash Networks for this very purpose
  • Allows you to control the left and right margins via guides
  • Can show 2 , 4, or 8 bytes per row for maximum flexibility
  • Can offset protocol layers for easier reading
  • Can show a compressed representation of large fields
  • Can draw the breakout in a nifty ASCII art box
  • Provides zoom-in , zoom-out and fit-width options
  • Supports Print and Print Preview
  • Many customization options

Things you can do with the Visual Breakout

How can I collapse a breakout ?
Click on the '+' sign on the left side of the breakout panel.

How can I display bubble help ?
Hover your mouse above the field for which you seek bubble help for approximately 3 seconds.

Why is bubble help not appearing for field "xyz" ?
Bubble help may not appear for the following two reasons

  • The plugin for that particular protocol has not specified any help for that field
  • The bubble help feature has been disabled Set "Tools"->"Customize"->"Advanced"->"Miscellaneous"->"Enable Bubble Tips"

How can I adjust the layout of the visual breakout ?

  • Right click on the visual breakout. Select "Layout Guides" from the popup menu
  • Use the small yellow tabs on the top ruler to adjust the left and right margins
  • After you are done; Deselect "Layout Guides" from the popup menu

How can I use the ASCII art diagram ?
The ASCII art diagram is a feature of Unsniff which allows you to paste the contents of a packet into a text file in a familiar ASCII diagram. TO use this feature

  • Collapse any unwanted layer into a mini layout
  • Right click and select "Copy Text Diagram" from the popup menu
  • Unsniff automatically creates a ASCII art diagram of the selected packet and copies it into the clipboard
  • Open any text editor (eg. Notepad, Vim, Word, Outlook, etc ) and paste the diagram from the clipboard

Can I change the Bubble Help text ?
The Bubble Help text is provided by the author of the plugin for that particular protocol. If the author of the plugin used an XML file to specify bubble help, you may be able to simply edit that file. If the author used the Unsniff API helper macros you may not be able to change the help text. Please contact Unsniff (or the Plugins author) if you must change the help text.
For further details about the Unsniff API, consult the Unsniff API Developers Guide

How can I customize the appearance of the visual breakout ?
The visual breakout can be customized by :

  • Right click and use the context menu to change the zoom and layout
  • For common options: Use the "Tools"->"Customize"->"Display" page
  • For advanced options: Use the "Tools"->"Customize"->"Advanced" page

 

 

Why Unsniff ?

Unsniff Network Analyzer offers multi layer monitoring with deep content awareness right out of the box.   The unique advantages of Unsniff are :

  1. Multi layer monitoring - flows, PDUs as top level objects
  2. Advanced NFAT (Network Forensics) abilities
  3. Scriptable for automation
  4. Fast native Windows UI w/ new visualization
  5. USNF format instantly opens huge capture files
  6. Advanced TLS decryption and analysis (incl TLS1.2 AEAD)
Unsniff can be a great complement to Wireshark known for its legendary bit level dissection abilities.

Scriptable : Automate your analysis

Unsniff exposes all entities as scriptable objects. They include Packets, Flows, PDUs, User Objects too. Write tiny but powerful scripts to automate the most tedious proceses. Some use cases

  • Automatically extract all images greater than 200K into a directory ?
  • Save each VOIP call as a separate .WAV file
  • Save the first 100K of each TCP flow
  • Reassemble and save in and out directions of each flow with a custom naming scheme ?
  • Import from Wireshark, apply custom filters, then export back into Wireshark
  • Pretty much anything you can do manually can be automated
Languages supported : VBScript and Ruby (via Win32OLE) / Documentation is available at "Unsniff Scripting Guide Home" / VBScript and Ruby sample scripts are at "Script Samples"
-

Not just packets : PDUs , flows , and content too

Network flows are TCP streams. Each flow is treated as a top level object in Unsniff. You are presented with a list of flows in addition to packets and you can choose to work on flows as a unit instead of per packet.

Protocol Data Units (PDUs) are reassembled messages that are extracted from raw packets. Unsniff lets you see these messages instead of just packet. For example you can view and monitor SSL/TLS Records instead of fragments of packets. Unsniff supports SNMP, LDAP, TLS, and other PDUs.

User Objects are extracted content ; such as images, emails, files, video, audio. The Unsniff User Objects Sheet allows you to work with them for forensics and investigative purposes. Most use cases are covered.

User Objects : Advanced Forensics and reconstruction

Unsniff has top notch and deep network forensics analysis (NFAT) capabilities. All objects are extracted and shown in the User Objects sheet. A subset of support.

  • HTTP : Full page reconstruction, images, POST messages, all CSS/JS, video, flash, and every kind of content can be extracted
  • Deep Keyword Search : Search in content
  • Email SMTP, POP3, IMAP, FTP files, SMB files,
  • Yahoo! Chat, MSN Chat, AOL Chat
  • Yahoo! / MSN Voice chat.
  • Google video chat - incl support for VP8 video/SPEEX audio codec
  • SIP/RTP/H.323/IAX2 - VOIP calls - incl all major codecs
  • Youtube reconstruction
All of the above can be automated. Unsniff's internal format USNF stores these objects natively for maximum performance.