Introduced in CloudShark 2.7, the Ladder analysis tool offers a new way to trace packets in your capture file.
The Ladder view is a great way to visualize the flow of packets between different nodes in your capture file. Through a combination of filters, labels, ordering, and narrowing down the traffic you’re interested in, you can generate an easy-to-follow view that can assist in protocol debugging and traffic analysis.
The Ladder view works best in combination with a few of the other CloudShark analysis tool windows. At the top of the screen are buttons for Conversations, Protocol Hierarchy, and Endpoints. These buttons open each tool and allow you to select which packets you wish to see in your Ladder.
Selecting a conversation will narrow the display down to those two endpoints. Choosing a single endpoint will display all the packets sent and received by that endpoint. A protocol-specific view will limit output to only the traffic of that protocol.
Like Display Filters elsewhere in CloudShark, filters entered here will auto-complete as you start to type, making it easier to remember all the protocols and fields. Press “Apply” to update the diagram with the filtered packets.
Endpoints are generated using the source and destination information of each packet in the capture file. The following options can be used to configure how CloudShark will determine the source and destination of a packet:
By default, CloudShark will choose the network address to generate the endpoints, or the hardware address if there is no network address for the packet. If CloudShark is not able to determine a source or destination address for a packet, it will use an endpoint named <NotAvailable> for the packet.
Packet arrows can be labeled either by the Info field from the decoder, or by the protocol detected in the packet. Change the drop-down to pick a different label.
All the endpoints in the Ladder Diagram are sorted by appearance in the capture file. This order can be changed by dragging and dropping the endpoint labels into different positions. Click and drag a label to move it horizontally into a different position. The endpoint will be redrawn in the new position, and all the packet arrows will be updated.
CloudShark encodes the position of the endpoints in the URL for easy sharing. Simply copy and paste the current URL and the order and filter will be preserved.
To change the sort order back to what it was before, you can use the browser’s “Back” button. The Ladder Diagram uses the browser’s history to store the state of the view in the URL. This makes it easy to share views that have been sorted and organized exactly how you want them, but also easy to go backwards and undo changes.
If there is an endpoint you no longer need in your view, simply drag and drop that endpoint’s label down off the label bar. As you drag down, its text will change to “remove.” The ladder view will be redrawn, removing any packets that were sent or received by that endpoint.
Like sorting, hiding an endpoint can be undone by pressing your browser’s “Back” button.
Clicking the Apply as Display Filter link will return you to the capture view with the display filter and the current endpoints in the ladder view applied.
CloudShark limits the output to the first 3,000 packets that match the given display filter. If you have more packets than that, it is recommended that you use the standard table view to analyze your data.
The Ladder Diagram is also only usable while you can see all the endpoints listed across the top of the browser window. It is recommended that you apply filters that limit the number of endpoints to 15 or 20, depending on the address length and the width of your browser.
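The rules described on this page (endpoint selection with the <NotAvailable> fallback, ordering by first appearance, hiding an endpoint, Info or protocol labels, and the 3,000-packet limit) can be reproduced offline as a text ladder. This is an added example, not CloudShark's code: the packet dictionaries, their field names, and the choice to apply the limit before hiding endpoints are assumptions.

```python
# Added illustration: a text ladder built with the rules this page describes.
# The packet dicts and their field names are constructed for this example.
MAX_PACKETS = 3000            # the page's limit on packets drawn
NOT_AVAILABLE = "<NotAvailable>"

SAMPLE = [  # constructed packets, assumed already display-filtered
    {"src_net": "10.0.0.5", "dst_net": "10.0.0.1", "protocol": "DNS", "info": "Standard query A example.com"},
    {"src_net": "10.0.0.1", "dst_net": "10.0.0.5", "protocol": "DNS", "info": "Standard query response"},
    {"src_hw": "00:11:22:33:44:55", "dst_hw": "ff:ff:ff:ff:ff:ff", "protocol": "ARP", "info": "Who has 10.0.0.1?"},
    {"protocol": "DATA", "info": "Undecoded frame"},
]

def endpoint(pkt, side):
    """Network address, else hardware address, else <NotAvailable>."""
    return pkt.get(f"{side}_net") or pkt.get(f"{side}_hw") or NOT_AVAILABLE

def build_ladder(packets, hidden=(), label="info"):
    """Return (endpoints in order of first appearance, list of arrows)."""
    order, arrows = [], []
    for pkt in packets[:MAX_PACKETS]:   # assumption: limit applied before hiding
        src, dst = endpoint(pkt, "src"), endpoint(pkt, "dst")
        if src in hidden or dst in hidden:
            continue  # hiding an endpoint drops packets it sent or received
        for ep in (src, dst):
            if ep not in order:
                order.append(ep)
        arrows.append((src, dst, pkt.get(label, "")))
    return order, arrows

def render(order, arrows, width=20):
    """One header row of endpoints, then one text row per packet arrow."""
    lines = ["".join(ep.ljust(width) for ep in order).rstrip()]
    for src, dst, text in arrows:
        a, b = order.index(src) * width, order.index(dst) * width
        row = [" "] * (len(order) * width)
        for i in range(min(a, b), max(a, b) + 1):
            row[i] = "-"
        row[b] = ">" if b > a else "<"   # arrowhead sits at the destination
        if a == b:
            row[a] = "o"                 # source and destination are the same
        lines.append("".join(row).rstrip() + "  " + text)
    return lines

if __name__ == "__main__":
    print("\n".join(render(*build_ladder(SAMPLE))))
```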