Finisar Surveyor User Manual Download Page 145

Page: 145 / 454

7-9

Capture and Display Filters

Creating Filters with Filter Templates

You then save the template. When you save a custom template, Surveyor asks for a

custom template name. Surveyor will assign a default name such as

Template1

no name is provided.
Once you create a filter template, its name will appear in the

Custom_Templates

section of the

Available Filter Templates

box. Custom tem-

plates can be reused again and again once added to the list of templates. You must

use the

Add

button so the filter template name appears in the

Template Combination

box for the template to be used in the current filter.

Custom Templates Based on Specification of Byte Patterns

You can create custom templates by entering values in the offsets within the

Current

Filter Template Display

area. The small fields in this area define the data patterns

that comprise a filter template. The offset defines the position within the packet to

start comparing the packet contents with the values in the pattern. If a match occurs,

then this portion of the condition is satisfied. The pattern can be specified as a deci-

mal, hexadecimal, or ASCII value.
Use the

Data Format

pull-down box on the right to specify if the pattern is in deci-

mal, hexadecimal, or ASCII. Use the

Offset Format

pull-down box to specify if the

column and row headers display in decimal or hexadecimal. Note that although you

can display the data in different formats, all formats use a byte boundary. Only byte

quantities can be entered or displayed.
Any specific value you create for filter templates can have “don't care” values. For

example, assume you're only looking for

FF34

in the first two bytes of the MAC

destination address. You could specify the values in your filter as

FF34XXXXXX

where X indicates you don't care about the values in the last three offsets. Note that

for IP addresses using decimal values you can only use

characters for complete

sub-addresses. For example,

128.XXX.2.2

is allowed, but

128.12X.2.2

is not

allowed.
The hex or decimal patterns display in black or magenta. The magenta color indi-

cates the bytes are a macro pattern, such as the logical OR of two different patterns,

or a conversation. Displays in magenta within the

Current Filter Template Display

area do not provide a complete view of the filter template. The

Template Descrip-

tion…

information box provides complete details about any macro pattern. Use the

Template Description…

button to see the exact offsets, patterns, and logical opera-

tors you have used to create the filter template. Many ASCII patterns have no corre-

sponding display character.
Use the

Template Description

button to see the exact offsets, patterns, and logical

operators you have used to create the filter template. See Figure 7-2 for an example

of this window.

Summary of Contents for Surveyor

Page 1: ...Surveyor User s Guide ...

Page 2: ...other transfer of the designated Software from Finisar and shall remain in full force and effect in perpetuity unless terminated pursuant to the provisions of this License This agreement can be terminated at any time by returning or destroying all copies of the Software and related written materials and documentation and by notifying Finisar in writing of your termination of the License If either ...

Page 3: ...ith designs plans or specifications furnished by or on behalf of the Licensee as to the Products or services 2 alterations of the Products or services by the Licensee 3 failure of the Licensee to use updated Products or services including error corrections and updates provided by Finisar for avoiding infringement 4 use of Products or services in a manner for which the same was neither designed nor...

Page 4: ... get the most from your Surveyor Be sure to browse on line Help From any location in the Surveyor program and with just a few clicks of the mouse you will find that you can locate the answer to almost any question you might have Specific task information is included in the on line Help system that is not included in this manual Quick Start Surveyor includes a Quick Start guide to get you up and ru...

Page 5: ...nced Protocol Decodes 1 9 2 Installation 2 1 System Requirements 2 1 Upgrading Surveyor 2 2 Installing Surveyor 2 3 Installing Analyzer Hardware 2 4 Installing Analyzer Hardware in a Desktop PC 2 4 Installing Analyzer Hardware in a Notebook PC 2 5 Installing More Than One Analyzer Card in a Notebook PC 2 8 Compatibility Matrix 2 9 3 Getting Started 3 1 The Surveyor System 3 1 Launching Surveyor 3 ...

Page 6: ...ndows 4 1 Capture View Display Options 4 2 Histogram Options 4 4 Setting the Monitoring View for a Module 4 5 Configuring Chart Views 4 6 Table Views 4 6 Module Settings Properties 4 7 Buffer Size 4 8 Packet Slice Slicing Size 4 8 Stop and Save Capture Buffer 4 9 Modes 4 9 MAC Control Frame 4 10 System Settings 4 10 Configuring Ports to Scan 4 10 Configuring Remote Communications 4 11 Protocol Col...

Page 7: ...tor Mode in Detail View 6 6 Capture View 6 7 Capture View Window 6 7 Creating Filters from Capture View 6 8 Exporting and Printing Decodes 6 8 Configuring the Capture View Display 6 8 Using the Histogram Control 6 9 Histogram Color Coding 6 10 Histogram Button Controls 6 14 Histogram Mouse Controls 6 15 Saving Portions of the Data 6 16 Resume Analysis 6 17 Packet Editor 6 17 Data Views 6 18 Ring S...

Page 8: ...eating Custom Filter Templates 7 8 Filter Creation 7 12 Creating Filter Template Combinations 7 12 Filter Actions 7 13 Counter Conditions for Filters 7 15 Frame Types 7 16 Multi State and Multi Statement Filters 7 17 Filter Structure 7 19 Filter States 7 20 Filter Statements 7 21 Capture and Display Filter Differences 7 22 Activating Display Filters 7 22 Activating Capture Filters 7 22 Filter Exam...

Page 9: ...ing Alarms with Different Devices 9 7 Thresholds and Alarms 9 8 Alarm Actions 9 9 Log File Settings 9 10 E Mail Settings 9 10 Pager Settings 9 11 SNMP Trap Settings 9 11 Viewing the Alarm List and the Alarm Log 9 14 Hints and Tips for Alarms 9 14 Alarm Examples 9 15 Alarm Example Utilization 9 15 Alarm Example MAC Errors 9 16 Alarm Example Frame Size 9 17 Alarm Example VoIP Calls 9 18 Alarm Exampl...

Page 10: ...3 NCP Read Write Overlap 10 24 NCP Request Denied 10 25 NCP Request Loop 10 26 NCP Server Busy 10 27 NCP Too Many File Retransmissions 10 28 NCP Too Many Requests Denied 10 29 NCP Too Many Request Loops 10 30 NFS Retransmissions 10 31 No HTTP POST Response 10 32 No Server Response 10 33 Slow HTTP GET Response 10 34 Slow HTTP POST Response 10 35 Slow Server Connect 10 36 Slow Server Response 10 37 ...

Page 11: ...t Reassembly Time Exceeded 10 70 ICMP Fragmentation Needed D F set 10 71 ICMP Host Redirect 10 72 ICMP Host Redirect for TOS 10 73 ICMP Host Unreachable 10 74 ICMP Host Unreachable for TOS 10 75 ICMP Inconsistent Subnet Mask 10 76 ICMP Network Redirect 10 77 ICMP Network Redirect for TOS 10 78 ICMP Network Unreachable 10 79 ICMP Parameter Problem 10 80 ICMP Port Unreachable 10 81 ICMP Protocol Unr...

Page 12: ...versized Frame 10 115 Overload Frame Rate 10 116 Overload Utilization Percentage 10 117 Physical Errors 10 118 Runt Frame 10 119 Same MAC Addresses 10 120 Total MAC Stations 10 121 Hints and Tips for Expert Features 10 122 Summary of Expert Counters and Symptoms 10 123 11 Multi QoS 11 1 Protocols Supported by Multi QoS 11 2 Using Multi QoS with Analyzer Hardware 11 2 Multi QoS User Interface Overv...

Page 13: ...ket Counters 12 1 Custom Counters 12 2 Error Counters 12 2 Expert Counters 12 5 Multi QoS Counters 12 9 Counter Log File Overview 12 9 Log Directory Structure 12 10 13 Utilities 13 1 Name Table Utility 13 2 Building a Name Table From the Network 13 4 NIS to Name Table Conversion Utility 13 5 Sniffer Translator Utility 13 6 Internet Advisor Translator Utility 13 6 Get Version Information Utility 13...

Page 14: ...ransmit Speed A 5 Counters A 5 Rx Counter Display A 5 Transmit Specification A 5 NDIS Configuration Options A 6 Setting the Interface A 6 Set Capture Buffer and Packet Slicing Size A 6 B Pre Defined Filter Templates B 1 Filter Templates B 1 C Keyboard Shortcuts C 1 Function Keys C 1 Standard and Navigational Keys C 2 D Parser Names D 1 Recognized Parser Names D 1 Glossary Index ...

Page 15: ...7 4 Example Filter States Design Window 7 18 7 5 Filter Design Window Conversation Example 7 23 7 6 Filter Design Window Template Combination Example 7 25 7 7 Filter Design Window Capture TCP Port Example 7 27 7 8 Advanced Filter Filter States Design Window 7 29 8 1 Transmit Specification Dialog Box 8 2 8 2 Transmit Specification Dialog Box Packet Gaps 8 13 8 3 Transmit Specification Dialog Box Bu...

Page 16: ...n 11 6 11 3 Multi QoS All Calls Table 11 9 11 4 Multi QoS Jitter Graph Example 11 11 11 5 Multi QoS Configuration Call Jitter Ranges 11 12 11 6 Multi QoS Packets Dropped Graph Example 11 13 11 7 Multi QoS Configuration Packets Dropped 11 14 11 8 Multi QoS R factor Example 11 17 11 9 Multi QoS Configuration R factor Ranges 11 18 11 10 Multi QoS Utilization Graph Example 11 19 11 11 Example Call Det...

Page 17: ...ware Device Properties 4 7 4 4 Default Module Settings 4 8 4 5 Remote Communications Tab Functions and Default Settings 4 11 4 6 Remote Polling Timers 4 13 4 7 Strip Chart Display Timers 4 13 4 8 Default Display Timer Settings 4 13 4 9 History Log File Settings and Default Values 4 15 4 10 Alarm Actions 4 16 4 11 Default Names for Non WKP TCP Ports 4 25 4 12 Default Names for Non WKP UDP Ports 4 2...

Page 18: ...ons 6 35 6 20 Application Response Time View Column Descriptions 6 36 7 1 Defining Conversations 7 5 7 2 Defining Port Numbers 7 7 7 3 Operator Buttons for Template Combinations 7 13 7 4 Capture Filter Actions 7 14 7 5 Display Filter Actions 7 15 7 6 Capture Filter Global Values 7 16 7 7 Capture and Display Frame Types Size 7 17 7 8 Logic Sequence for Capture and Display Filter Statements 7 21 8 1...

Page 19: ...dware Real Time Functions A 3 A 4 Hardware Transmit Functions A 3 A 5 Hardware Capture Functions A 4 A 6 Hardware Connectivity A 4 B 1 Surveyor Filter Templates Ethernet EV2 B 2 B 2 Surveyor Filter Templates IP and IPX over Ethernet EV2 B 3 B 3 Surveyor Filter Templates TCP IP over Ethernet EV2 B 5 B 4 Surveyor Filter Templates UDP IP over Ethernet EV2 B 7 B 5 Surveyor Filter Templates Ethernet LL...

Page 20: ...ion Suite D 6 D 11 Parser Names Netware Suite D 6 D 12 Parser Names PPP Suite D 7 D 13 Parser Names XNS Suite D 7 D 14 Parser Names H 323 Suite D 8 D 15 Parser Names ITU Codecs D 8 D 16 Parser Names Cisco IP Telephony Suite D 9 D 17 Parser Names Other Multimedia D 9 D 18 Parser Names Intel Suite D 9 D 19 Parser Names VPN Suite D 9 ...

Page 21: ... QoS software plug in monitors measures and analyzes QoS of VoIP Voice Over IP calls Multi QoS includes Telchemy s VQMon VoIP call quality analysis engine VQMon enables you to measure call quality from ear to ear using ITU standard passive test methods This feature allows you to accurately predict MOS scores and confirm SLA performance Multi QoS reports over 20 QoS metrics jitter packet loss delay...

Page 22: ...r and troubleshoot your network As your Surveyor expertise grows you will find that the number of ways you can set up and apply the tool are virtually limitless The basic functions of Surveyor are described in Table 1 1 Table 1 2 on the next page shows the additional functions available with the optional Surveyor software modules called plug ins Table 1 1 Surveyor Functions Function Description Ca...

Page 23: ...k streams of captured data or you can transmit edited data You can edit a stream of captured data by changing the sequence of the packets deleting or adding inserting pack ets creating bad packets eliminating all packets of a certain type protocol and so on Surveyor also gives you complete control of when how fast how long and how often it transmits the data you want to send over the network Exper...

Page 24: ...odule PCI bus hardware card that installs in a PC for analyzing 10 100 Ethernet or Gigabit Ethernet networks THGs Analyzer device accessed remotely by Surveyor THGs contains two syn chronized THGm modules for analysis of full duplex 10 100 or Gigabit Ethernet traffic at full line rate THGsE Analyzer device accessed remotely by Surveyor THGsE contains two syn chronized THGm modules for analysis of ...

Page 25: ... DNS MIME TELNET Echo Mobil_IP A11 TFTP PPP Suite EGP MOUNT TPKT PPPCHAP Finger NetBIOS UDP PPPIPCP FTP NFS UNIX Remote Svcs PPPIPX GGP NIS lpr rcp rexec login rsh PPPLCP Gopher NNTP VRRP PPPNBFCP HTTP NTP WebNFS PPP over Ethernet HTTPS OSPF WhoIs ICMP PH XDR Cisco Suite POP3 XDMCP CDP IPX SPX Suite PORT MAPPER Xwindows DISL Diagnostic RARP EIGRP Error RIP Version 2 XNS HSRP IPX Echo Protocol IGRP...

Page 26: ...hdog Fujitsu Suite ATP DECnet Phase IV FNA AURP CTERM LNDFC SNA Protocol Suite DDP DAP 3270 DDP EIGRP DRP Applications FDC LAP FOUND cc Mail FID2 NBP LAT Lotus Notes FM PAP LAVC Finisar RSP NC RTMP MOP XWIN XID ZIP NICE SC NSP IPV6 IpSec VPN Bridge Protocols DHCPng AH L2TP BDPU ICMPng ESP LDP IEEE 802 1D IDRPng ISAKMP PPPOEDS IEEE 802 1Q VLAN IPng KERBEROS PPPOESS GARP 802 1p OSPFng RADIUS GMRP RI...

Page 27: ...LNP MTP2 CR LDP NetBIOS CONP MTP3 RSVP TE ESIS RTSP ISIS TCAP ISO Multi Media ITU H 323 IETF Cisco Codec ASN 1 H 248 Megaco RUDP CellB GK DISC MGCP SCCP G 711 H 225 0 RTCP SSP G 721 H 245 RTP G 722 H 323v4 RTSP G 723 H 450 1 SGCP G 728 Q 921 SIP G 729 Q 931 H 261 RAS H 263 T 120 JPEG T 38 MPEG v1 v2 PCMU PCMA ...

Page 28: ...hat capture to disk at full line rate is not supported for 100Mbps or Gigabit Ethernet speeds Disk Caching Large capture segments when opened are now saved to a Cache location on the local hard drive This is a useful performance enhancement since capture segments from a remote module are now handled locally Capture segments no longer need to be downloaded again when decoding filtering editing or s...

Page 29: ...Such calls are listed with a protocol type of UNKNOWN This can be useful to see calls where signaling packets are unsupported or for probing end points that do not see signaling packets SMNP Extended Agent The SNMP agent for Surveyor has been expanded to include management fields other than alarms The new Surveyor agent implementation uses SNMPv2 New and Enhanced Protocol Decodes The following pro...

Page 30: ...1 10 Surveyor User s Guide ...

Page 31: ...hernet applications Pentium 1Ghz for Gigabit Ethernet applications see processing memory below for type of processor required Operating System Software Windows 2000 Windows NT 4 0 with Service Pack 3 4 5 and 6 plus administrative privileges or Windows XP System Memory for Opening Capture Files Capture Buffer Size Pentium Virtual Local or Remote Processor RAM Memory 16MB PII 64MB 64MB 32MB PII 128M...

Page 32: ... may work without upgrading you may see data that is out of order or missing in Surveyor tables Table 2 2 Supported Analyzer Cards and Network Adapter Cards Network Analyzer Cards Desktop PC THGm Ten Hundred Gigabit module analyzer card THGm analyzer cards require an available PCI slot Analyzer cards require processing memory based on the capture buffer memory available on the card Network Adapter...

Page 33: ...he installation program instructions to install the software Enter your serial number and software license key code when prompted Approximately 20MB of free disk space is required to install the Surveyor software 4 When you install over a previous version of Surveyor in the same directory you are given the option to save existing files to a different location You may want to save capture files nam...

Page 34: ...low Installing the THGm Windows NT 1 Power down your system 2 Install the THGm card in your system This requires opening the case of your computer inserting the card in an available PCI slot and closing the case of your computer Refer to the THGm Hardware Installation Guide and your computer s documentation for instructions 3 Secure the network connectors to the THGm RJ 45 for 10 100Mbps Ethernet ...

Page 35: ...ase consult your Windows manual for possible reasons for this occurrence before contacting Finisar Technical Support 5 Insert the Surveyor CD in the CDROM drive 6 Use the Browse button to find the Ethernet Driver directory CDROM drive letter drivers on the Surveyor CDROM The name of the driver is ww_w2000 inf 7 The Update Device Driver Wizard window will appear with the name of the driver Click th...

Page 36: ...ce conflicts Installing Portable Surveyor 10 100 Ethernet Analyzer Card Windows NT Use the procedures below for installing Finisar adapter cards in a notebook PC running Windows NT 1 Install CardWizard V5 00 10 software to your notebook computer Follow the installation instructions that come with the software CardWizard is available from SystemSoft Corporation If you have other card installation s...

Page 37: ...exists highlight the problem adapter in the Network folder and press the Remove button Reboot the notebook computer and attempt the installation again If the problem persists contact Technical Support 13 Reboot your system Installing the Portable Surveyor 10 100 Ethernet Analyzer Card Windows 2000 XP The Portable Surveyor 10 100 Ethernet Analyzer Card is not recognized automatically by Windows 200...

Page 38: ... Signature Not Found dialog box Click Yes Note You can safely ignore the warning message The message appears because Windows 2000 does not recognize the card properly at this time 15 The Finisar driver will be copied to the hard drive Windows 2000 XP may request the Windows CDROM to install system files Many of these system files can be found directly on the hard drive in the C windows system and ...

Page 39: ...3 Hardware Software Compatibility Matrix Finisar THGm Portable Surveyor 10 100 Ethernet Analyzer Card Ethernet NDIS 3rd party Desktop Win NT Yes Yes Desktop Win 2000 Yes Yes Desktop Win XP Yes Yes Notebook Win NT Yes Yes Notebook Win 2000 Yes Yes Notebook Win XP Yes Yes ...

Page 40: ...2 10 Surveyor User s Guide ...

Page 41: ... following steps to set up your environment and launch the Surveyor software 1 Launch the Surveyor program Double click on the icon in the Surveyor group or other group where you installed the Surveyor application 2 The first time you launch Surveyor you ll be asked if you have any local analyzer or tap devices If you do not have any local analyzer devices do not check any boxes click OK and skip ...

Page 42: ...e resources If a remote resource will not permit access with either of these accounts then get the user name and password from the resource owner and establish an account on that resource To access a remote resource you must have an account and password set up on the remote system containing the resource or use the remote system s guest account You can also password protect local resources See the...

Page 43: ...g Links for THGm on page 20 of this chapter Basic Navigation Tips There are three main windows in Surveyor Surveyor Main Window Summary View Detail View Window Capture View Window Summary View is used primarily for monitoring as it shows a single view of many different resources It also contains the docking windows for selecting resources Resource Browser setting alarms Alarm Browser and viewing s...

Page 44: ... include these tips in the help system and pass these tips on to other customers and to user groups Here are some tips to help you use the Surveyor interface Click on a resource in the Resource Browser to select that resource Press the button to bring up Detail View for a resource You can also bring up Detail View by double clicking with the left mouse button on the active monitor view displayed w...

Page 45: ...g up the expert views If you have the Multi QoS plug in use the button in Detail View to bring up the charts and tables for Voice over IP and Multimedia protocols If you are running Packet Blaster plug in use the in Detail View to bring up the Transmit Specification dialog box to create data streams for transmit ...

Page 46: ...select the file name and directory Print button Prints the contents of the current view Name Table button Brings up the Name Table dialog box for editing the current name table saving a name table to a file or loading a name table from a file Help button Displays the help contents Module Toolbar Summary View Start button Starts a module The module captures or transmits packets depending on whether...

Page 47: ...y Detail View button Brings up Detail View for the currently active resource Load Filter button Brings up a dialog box to select a saved capture filter CFD extension If a capture filter is opened that filter is applied to the currently selected resource This button is gray if the resource is currently active started Unload Filter button If a filter is loaded for the currently selected module press...

Page 48: ...e started Monitor Mode button Activates the monitor functions for the currently selected resource If the resource does not support monitoring functions the resource is put into capture mode This button is gray if the resource is currently active started Cap Disk Mode button Places the currently selected resource in Cap Disk mode Captured data is automatically saved to disk This button is gray if t...

Page 49: ...isplay Filter button Display the Display Filter window The window displays a previously opened filter or the default filter Unload Display Filter button Unloads the current display filter All frames in the current capture will display Transmit Specification button Brings up the Transmit Specification dialog box to define load a transmit specification Packet Blaster plug in only Transmit from Buffe...

Page 50: ...ize Distribution View button Selects Frame Size Distribution View for viewing the distribution of frame sizes Protocol Distribution View button Selects Protocol Distribution View for viewing a chart of the distribution of major protocols Control buttons in this view allow you to customize the way you view the protocol distribution Utilization Error View button Rx Brings up a strip chart that plots...

Page 51: ...ts Host Matrix View for viewing information You can see all conversations between MAC stations in this view Network Layer Matrix View button Selects Network Layer Matrix View for viewing information You can see all network layer conversations and their associated traffic in this view Application Layer Matrix View button Selects Application Layer Matrix View for viewing information You can see all ...

Page 52: ...ted There are two views of the expert information The Analysis tab shows all expert symptoms detected The Overview tab shows the total number of expert symptoms detected in each expert category Application Response Time Button Expert plug in only Brings up a table showing the applications detected and their minimum maximum and average response times The number of connections for each application i...

Page 53: ...ters are saved as CFD files and display filters as DFD files Load Filter button Load the current filter to the currently active module Disable Filter button Disable the current filter Subsequent starting of the module will capture all packets use default filter Filter Window Toggle button Brings up the Filter States Design window The Filter States Design window is used to create advanced filters w...

Page 54: ...packets use default filter Filter Window Toggle button Brings up the Filter Design window for the current statement The Filter Design window is used to edit the statement Cut button Cut the selected State or ELSE IF statement The button does not work if other types of statements are selected Add button Adds a new level if an ELSE statement or ROOT statement is selected Adds a new ELSE IF statement...

Page 55: ...e contents for an ASCII text string Specify the string in the search box to the left The first instance of the string is found starting from the current position in the capture file Copy button Copies the current contents of the Summary pane for pasting into other documents A window displays with the text converted to ASCII format Use the window to select the text you want and copy it to the clip ...

Page 56: ...utton Selects Frame Size Distribution View for viewing the distribution of frame sizes Protocol Distribution View button Selects Protocol Distribution View for viewing a chart of the distribution of major protocols Control buttons in this view allow you to customize the way you view the protocol distribution Host Table View button Selects Host Table View for viewing captured information You can se...

Page 57: ...associations between MAC station names and addresses and network station names and addresses Duplicate Address Button Expert plug in only Brings up a table showing all duplicate IP and IPX addresses The duplicate network and MAC addresses associated each duplicate are displayed Expert View Button Expert plug in only Brings up a table showing all expert symptoms detected There are two views of the ...

Page 58: ...nal files used within HST files Older CAP files opened in Surveyor are converted to the new format and are then available as HST files NAM Extension Name Table Files Name table files contain equivalencies between symbolic names and hexadecimal names The name table file format is identical to ini file format The default hosts nam file contains names associated with well known hexadecimal repre sent...

Page 59: ...h for this variable NameTable install directory hosts nam 4 Delete the hosts nam text on that line 5 Replace text with your default name table file It should have the nam extension 6 Save the surveyor ini file exit your editor and start Surveyor application Address and symbolic name associations can be discovered by Surveyor This table can be saved as a file with the nam extension and used as the ...

Page 60: ...Make sure the No Auto Negotiation item is selected from the menu Auto negotiation enabled is the default value The Module menu also has a Fiber Link Link Status option which provides information about a 1000 Mbps link If the carrier wave is present this option returns a link OK message If there is a problem with the link a message screen appears with diagnostic information that may help you troubl...

Page 61: ...se sub windows can be minimized maximized expanded reduced and tiled within the area of the Summary or Detail View You can open as many windows as you have resources in Summary View You can have all available views of a single resource in Detail View You can have one view per resource open within Summary View Docking Windows Summary View opens when Surveyor is started The Summary View window is co...

Page 62: ...complete description of docking windows It is suggested that you do not undock windows Capture View Display Options When using Capture View you can control the display of data for packet decoding You can view the time as absolute as a delta as elapsed or any combination of the three You can show hide most fields in the decode display You can also show hide protocol information about packets and se...

Page 63: ... will display in reverse video in Capture View Table 4 1 Configurable Capture View Columns Capture View Column Description Abs Time The absolute time of arrival for each packet taken from the system clock when the capture was performed format hh mm ss mmm uuu nnn where ss seconds mmm milliseconds uuu microseconds nnn nanoseconds Delta Time The time between each packet interpacket gap format s mmm ...

Page 64: ...The table below shows the graphic elements of the histogram display and the default colors for each Table 4 2 Histogram Color Defaults Graphic Element Description Default Color Line Color Color of the line graph showing frames time in the histo gram Red Back Color Background color for the histogram Sections that are not currently part of any other category are shown in this color Black Current Sec...

Page 65: ...ce each time a request is made for new capture data The download size can be set between 1 and 50 10MB increments The default is 6 or 60MB of data Set this value high if you need to load and view large sections of data at one time A greater download size will increase the time it takes to perform each download Surveyor also has a setting for local disk cache size which will also affect the perform...

Page 66: ...nt to customize is the currently active window 2 Choose Table from the tab at the bottom of the view 3 The data view appears as a table Click on the column you want to use to create a top ten list Note that the information in the table sorts in descending order for the column you selected If the column you want is not there see Customizing Table Views for information on how to insert a column into...

Page 67: ... device type Hardware devices can have properties set according to Table 4 3 below This option affects the display of tables for local devices only for 10 100 networks Table 4 3 Hardware Device Properties Hardware Device Set Buffer Size Packet Slice Stop and Save Capture Modes Expert Mode Modes Non WKP Modes M QoS Only MAC Control Frame THGm NO YES YES YES YES YES YES THGs NO YES NO YES NO YES YES...

Page 68: ...tion layer or the full length of the packet Packet slicing can be set separately for monitor and capture except for THGm For monitor packet slicing can improve performance when monitoring the entire packet contents is not required For capture packet slicing can save space in the capture buffer for more packets when analysis of the entire contents of each packet is not required Table 4 4 Default Mo...

Page 69: ... save the capture buffer to disk Modes Select the Modes tab from the Configuration Module Settings to set the modes for a module Expert Analysis Mode Expert Views and Alarms can be disabled When disabled no Expert Views or Alarms will display in Surveyor software Uncheck the Enable Expert Analysis Mode box to disable Expert Views and Alarms The default is to enable Expert Analysis If you do not ha...

Page 70: ... to any local analyzer device For remote devices Monitor M QoS Only mode can only be set for THGm THGs THGp devices MAC Control Frame For Gigabit Ethernet a MAC Control Frame is sent to ensure that sending devices do not overflow receive buffers For THGm devices you can select to capture these frames or ignore them The default is to capture MAC Control Frames This setting applies only to THGm devi...

Page 71: ...rypt RSP Packets check box Select encryption if there is a need for security in the network when transferring packets between the remote resource and the local system The default setting is Not Selected No Autodiscovery check box Select this box to prevent auto discovery of remote resources If selected you will only be able to access remote resources by manual discovery of resources using the Conn...

Page 72: ... required for other protocol layers 5 Make sure that the Use Color Coding box is checked 6 Click the OK button Use the Default All button to return all color settings to their default values Use the Set Default button to reset the default to the colors currently displayed Setting Update Timers Timers control how often counters tables and displays are updated There are two types of timers display t...

Page 73: ...Views Sets the interval for polling devices for information on MAC network and application layer conversations Expert Data Sets the interval for polling devices for expert data Remote Name Table Sets the polling interval for refreshing the local copy of the name table for a remote resource Display Timers Description Strip Chart Display Timer Local Sets the time between refreshing counters in strip...

Page 74: ...ion for the cache directory and use the slider to specify its maximum size Surveyor will not allow you to specify a size greater than the available free space on your disk drive The minimum cache size is 40MB The cache directory is cleared of files containing information related to a capture when you close the capture or exit the Surveyor application Disk Capture Location To support local disk cap...

Page 75: ... and new counter information is recorded starting with the first line of the file History files are named by date and time The format for the name of history files is mmddhhmm ss mm month dd day hh hour mm minute ss second The minimum time between creation of unique history files is one second If you disable the creation of history files and the log file for the module is full a new log entry caus...

Page 76: ...its icon will be visible in the resource browser The port of the tap or switch currently being monitored will show under the resource If you cannot see the tap or switch icon refer to the analyzer or tap hardware documentation for more information on connecting these devices to the network Although the taps and switches show as a resource to the Surveyor software they do not directly perform monit...

Page 77: ... current port being monitored will display under the tap or switch resource The example below shows a switch with the LAN Segment connected to port 5 selected 2 Double click on the tap or switch icon in the resource browser 3 A list box appears showing the port pairs on the tap or switch You must know which LAN segments are connected to the port pairs on the tap or switch Use the radio buttons to ...

Page 78: ...he port for a Finisar multi port tap or switch Select the Local COM Port for Switch Device tab to set the port for a switch 3 Set the COM port value to the COM port COM1 through COM4 where the tap or switch is connected to the PC Only one port can be selected The tap or switch is connected to the PC using a standard 9 pin serial cable Only one tap or switch device can be connected to the PC Connec...

Page 79: ... site http www finisar com Go to the software updates section of the Web site to find the new analyzer image Place the software on the server that runs the TFTP protocol Before you can update the analyzer address information automatically you must have a server that contains the new address information and runs the BOOTP proto col Use the following procedure to update the analyzer image software 1...

Page 80: ...on surveyor ini File Surveyor uses configuration settings from a ini file called surveyor ini If you want to run the product with different configurations you can save different sets of configuration information in different ini files Sur veyor always looks for the file named surveyor ini in the directory where Sur veyor is installed and will use that file for its configuration If no surveyor ini ...

Page 81: ...INI file allow you to Rename the protocols that are currently being detected For protocols that use TCP or UDP as their transport protocol the protocol can be assigned a name to override it s default name Extend the list of protocols that are monitored by Surveyor You can extend the monitoring of protocols that use TCP or UDP as their transport protocol See the section on How Surveyor Assigns Prot...

Page 82: ...ng name is an alpha numeric string that should be between 1 and 50 characters This string is used as the name of the protocol where Surveyor displays a long name The structure of the MONITOR INI file is TCP mapping port num short name long name mapping port num short name long name UDP mapping port num short name long name mapping port num short name long name MONITOR INI Examples Example 1 Assume...

Page 83: ...e Protocol Distribution table would report that 300 hundred XWIN packets were detected If the network manager wanted the Protocol Distribu tion table to report the number of packet seen on each of the 64 X Window ports the MONITOR INI would need the following 64 entries TCP mapping 6000 XWIN6000 X Windows on port 6000 mapping 6001 XWIN6001 X Windows on port 6001 mapping 6063 XWIN6063 X Windows on ...

Page 84: ...been assigned a name TCP OTHER or UDP OTHER By changing the MONITOR INI file you can change names of generic names of WKPs and assign names to non WKPs that are not assigned names by default Monitoring Well Known Ports Surveyor monitors all protocols that fall in the WKP Well Known Port range ports with a value between 0 and 1023 If Surveyor detects a TCP or UDP with a port in the WKP range inform...

Page 85: ...treats all other non WKP as a single entity given a single generic name The name for TCP non WKP ports is TCP OTHER The name for UDP non WKP ports is UDP OTHER For example if 900 occurrences of the TCP port 11964 was detected and 200 occurrences of the TCP port 10564 there would be a single name to identify these 1100 occurrences of the TCP non WKPs called TCP OTHER Table 4 11 Default Names for No...

Page 86: ...tries with the following format mapping port num ip addr parser name name port num is any valid 2 byte value that represents a TCP or UDP port value It identifies the protocol by port number to be parsed in Surveyor s decode views ip addr is a valid IP address in dotted decimal notation This field can have an asterisk to represent all IP addresses parser name is the name of a valid Surveyor built ...

Page 87: ...t Protocol Assume that one of the applications uses UDP port 10564 and the other uses 11964 Both of the UDP ports differ from the default port of 5004 The entries in the ANALYSIS INI file would be UDP mapping 10564 RTP RTP APPLICATION 1 mapping 11964 RTP RTP APPLICATION 2 Parser Names The tables in Appendix D contain the Parser Names that are built into Surveyor Each parser is responsible for deco...

Page 88: ...4 28 Surveyor User s Guide ...

Page 89: ...urces in a hierarchical relationship Branches can be expanded or collapsed via point and click so you can quickly customize your view of available resources Remote systems containing resources are listed by IP address unless there is a Surveyor name table on the system If an entry exists in the name table for the IP address of a resource the symbolic name in the name table is used to represent the...

Page 90: ...Both the local and the remote resource require Remote plug in software for remote access to function Access to remote resources are controlled from the PC that contains the resource For example if your PC contains two THGm modules accounts privileges and passwords for the modules are established at your PC Remote users must have access to a valid account to use the THGm modules in your PC A remote...

Page 91: ...l Host Storage Device NDIS CMM or CMM2 Board Remote Host Local Monitor Transmit Capture TCP IP Connection LAN modem etc Remote Monitor Transmit Capture Surveyor Software TCP IP Connection LAN modem etc Data Stream Data Stream Network Finisar Analyzer Card or NDIS Adapter Finisar Analyzer Card or NDIS Adapter TCP IP Connection LAN modem etc Surveyor Software Surveyor Software ...

Page 92: ...erties dialog box Right click with the mouse on a top level node IP Address Alias Name and select the Properties option from the popup menu This brings up the Host Properties dialog box for setting the alias Within the Host Properties dialog box set the alias name and any optional comment An example of the Host Properties dialog box is shown below Additional fields may be available in this dialog ...

Page 93: ...those described in Table 5 1 below Table 5 1 Remote User Privileges Privilege Description Monitor Only Allows a remote user to use the local device to monitor network activ ity only You can access real time monitor views on an armed started module but cannot start stop a module or define load a filter Capture Monitor Allows a remote user to use the local device to monitor activity or cap ture netw...

Page 94: ...ry of all differences between hardware devices Table 5 2 Surveyor Resource Modes Mode Description Resource Type Monitor Provides real time views and decodes of packets received by a device All Capture Allows packets received by a device to be stored in a buffer for analysis All Capture Monitor Provides both real time monitoring views and the ability to store packets for later analysis Viewed captu...

Page 95: ...er system consisting of a Note book PC running analyzer software and a portable undercarriage containing two THGm cards The THGm modules in THGnotebook support all features and functions in Surveyor THGm supports all capture functions at full line rate and has a monitoring capability When two THGm modules are present they are synchronized so you can analyze a full duplex network seg ment from a si...

Page 96: ...only or Capture only mode to improve performance Capture rates can approach full line rate for 10 Mbps networks if other PC functions are limited NDIS Surveyor NDIS supports up to four adapters The first adapter found during system initialization is seen by Surveyor software as module 1 the second as module 2 and so on Standard Ethernet or Token Ring adapters can be used to capture transmit or mon...

Page 97: ...witch between segments Contact customer support for more information on Finisar tap products Hints and Tips for Resources The following are a collection of hints and tips you may find useful when using resources or the Resource Browser When launching Surveyor be sure to enter the password on the log in screen so you can see remote devices If you fail to enter a password Surveyor will not allow you...

Page 98: ...source Browser If the host for the remote resource is not there the connection has been lost with the remote host and the resource is not available Red Xs appearing over a host in the Resource Browser indicate that the host is disconnected To see which capture filter or transmit specification is associated with a particu lar resource choose Active TSP and Capture Filter from the Module menu Use al...

Page 99: ...n a data view is virtually identical no matter which primary view you are using Table 6 2 shows which data views are supported from each primary window Table 6 1 Surveyor s Primary Windows for Viewing Information Primary GUI Window Description Summary View From Summary View you can see one view of many different resources Viewing options include configurable charts and tables Detail View From Deta...

Page 100: ...ureView Static Data MAC Statistics Y Y N Utilization Errors Strip Chart Y Y N Frame Distribution Y Y Y Protocol Distribution Y Y Y Host Table Y Y Y Network Layer Host Table Y Y Y Application Layer Host Table Y Y Y Host Matrix Y Y Y Network Layer Matrix Y Y Y Application Layer Matrix Y Y Y VLANs Y Y Y Address Mapping Y Y Y Duplicate Address Expert plug in only Y Y Y Expert Expert plug in only Y Y Y...

Page 101: ... etc The first tab contains the monitoring view which can be configured to display any of the views listed on the following page Multiple monitoring views are available from within Summary View Each view can display as a table or a chart with the exception of Address Map View or Expert Views These two views only display as tables Remember that in Summary View the view you set applies to all resour...

Page 102: ... one monitoring view of many different resources Use Detail View to get many different views of a single resource or to perform detailed analysis functions on captured data Double click on the view for the resource or press the button to go to Detail View Detail View Detail View is the tool for performing detailed analysis of network data You can view real time data from the resource for which you...

Page 103: ... resource For example if you open the capture file it automatically puts you into Capture View Buttons for capture transmit and monitor are grayed out on the Detail View toolbar since these functions make no sense for a file If you select another view of the information in the file it will appear in a table with a gray background indicating its a view of a static resource Detail View can display m...

Page 104: ...data and also view a host table for the contents of the capture buffer Because the formatting of the data in both of these views is identical Surveyor provides the following visual distinctions to help you distinguish between capture and monitor views For table information of the capture buffer data all data in the table is grayed For monitor data the column and row titles are gray but the data in...

Page 105: ...iew also opens automatically when you open a capture file file with CAP extension If opening a large capture file or buffer a window will display showing the progress of decoding packets The initial Capture View display provides a protocol decode of all packets Other views of captured information are available from the Capture View toolbar Although similar to the Monitoring View toolbar buttons th...

Page 106: ...filter Click the right mouse on the field you want to filter on Selections for copy to a capture or display filter appear Select the option and the Create Modify Filter window appears with the field values inserted in the display See Chapter 7 for more complete information on creating filters Exporting and Printing Decodes You can export packet decode information to another source You can also pri...

Page 107: ...s how much data is downloaded from external capture devices when the data is requested by pressing the down load button in the histogram window See Histogram Options on page 4 4 for complete information on setting up capture view histogram options Other Options You can enable or disable Expert Analysis views from the Configuration Capture View Options menu You can also enable or disable the Packet...

Page 108: ...ve the decodes appear in the Summary area of Capture View Note Capture files are now saved in a new file format with the extension of HST Capture files created with previous releases of Surveyor in CAP format are automatically converted to the new format when you open and save them Captures are now stored as one HST file and a folder containing a series of CAP files that are part of the HST file f...

Page 109: ...ese sections they will appear in a darker shade of purple When either window does not span the last downloaded section this section will appear in a lighter purple magenta The example below shows a capture with seven sections The first section is the Current Section By using the mouse the second section in the capture is now the Selected Section Five of the total seven sections available in the ca...

Page 110: ... Upper Histogram are now the Selected Section s The gray colored Capture Selection Window defines the Selected Section s The sections that are not the Current Section are not available from the disk cache black and gray colored sections The Lower Histogram always shows all sections in the capture In the example the gray area indicates that the first part of the capture is displayed in the Upper Hi...

Page 111: ...of the Capture Selection or Capture Detail Window Color When NOT Part of the Capture Selection or Capture Detail Window Meaning of the Color in the Histogram Display Purple Magenta Currently decoded sections of the capture These are the sections that are decoded within the Summary area Green Bright Green Sections of the capture currently in the disk cache on your local system that are not cur rent...

Page 112: ...s are grayed when you reach the end of the data shown in the Upper Histogram Zoom In Zooms in to show finer granularity of the capture The amount of data viewed is reduced between 20 and 1 depending on the setting for the Zoom Factor Zooming ceases when the Upper Histogram contains 2 capture sections 20MB of data Zoom Out Zooms out to show a larger scope of the capture The amount of data viewed is...

Page 113: ...ick on an area outside the Capture Selection Window the new section becomes the Selected Section In the Lower Histogram when you double click on an area outside the Capture Detail Window the new section becomes the contents of the Upper Histogram Double Arrow Mouse Icon When you pass the mouse over the Capture Detail Window or the Capture Selection Window the double arrow mouse appears Click and d...

Page 114: ...h and high to low Stair Step is the default Linear Scale or Logarithmic Scale Linear scale can show larger visual differential between high and low values than the logarithmic scale Linear Scale is the default Options Brings up the dialog box to set the configuration options for the histogram See Histogram Options on page 4 4 for information on the histogram configura tion options Saving Portions ...

Page 115: ... packet in the Summary Pane of Capture View to edit a packet The editor must be enabled for use To enable the Packet Editor check Enable Packet Edit from the Configuration Capture View Options menu Table 6 5 shows the buttons that are available within the Packet Editor Table 6 5 Packet Editor Buttons Button Description Action Auto CRC Causes the 4 byte CRC error check value to be automatically cal...

Page 116: ... This provides the option of creating error packets that can t be decoded properly Data Views Ring Statistics View Token Ring Only From Detail View click on the button to open a window with Ring Statistics View This view is available only if the Token Ring protocol is used by the resource Ring Statistics View is not available from Summary View Ring Statistics View is available as two different tab...

Page 117: ...ences to MAC Statistics Rx to see this view in the first tab MAC Statistics View for capture shows module activity and counters during capture It provides a visual reference for what a resource is doing Counters are incremented as the resource captures packets This view also provides general information about the resource The MAC Statistics View in capture mode is shown in Figure 6 5 Figure 6 5 MA...

Page 118: ...es a visual reference for module activity The module identifier and the current mode are displayed in the window title bar Counters are incremented as the module performs transmit functions The MAC Statistics View in transmit mode is shown in Figure 6 6 Figure 6 6 MAC Statistics View Transmit Frame Size Distribution View From Detail View click on the button to open a window with Frame Size Distrib...

Page 119: ...ion View is available as a chart or a table Protocol Distribution View shows the distribution of major network protocol types Chart Protocol Distribution as a chart can be viewed in many different ways depending on the buttons selected in the view There are three types of buttons Protocol Buttons select the types of protocol distribution you want to see There are four protocol buttons that change ...

Page 120: ...IP Shows percentages of other protocols used within IP packets only IPX Shows percentages of other protocols used within IPX packets only MoIP Shows percentages of multimedia protocols used All Shows percentages of all packets by application Frame Byte Buttons Selects to view the distribution by byte count or frame count or can be used to select distribution relative to network capacity There are ...

Page 121: ...tton or the Transmit button to open a window with the Utilization strip chart From Detail View the Utilization Error chart is presented with the tables of transmit or receive counters Table 6 9 Protocol Distribution View Graph Type Buttons Display Button Description Action BAR Display distributions as a bar graph PIE Display distributions as a pie chart II Pause the display When pressed again coun...

Page 122: ...relative percentage of frames The chart can be customized to show the top ten stations based on a different station information field The Bar and Pie buttons toggle the type of graphic display The Pause Resume button allows you to pause or resume real time update of the graph Table Host Table View as a table shows network activity from the view of MAC stations The table lists statistics for all st...

Page 123: ...d The Bar and Pie buttons toggle the type of graphic display The Pause Resume button allows you to pause or resume real time update of the graph Rel Frames Out Percentage of frames sent by this MAC station relative to the total number of frames Bytes In Number of bytes received by the MAC station Rel Bytes In Percentage of bytes received by this MAC station relative to the total number of bytes Ab...

Page 124: ...mes received by the network station Rel Frames In Percentage of frames received by this network station relative to the total number of frames Frames Out Number of frames sent by the network station Rel Frames Out Percentage of frames sent by this network station relative to the total number of frames Bytes In Number of bytes received by the network station Rel Bytes In Percentage of bytes sent by...

Page 125: ...ton allows you to pause or resume real time update of the graph Table Application Layer Host Table View as a table shows network activity from the view of application protocols running on network stations The table lists all application protocols found on each network station Each network station may have many application protocols in use The table lists statistics of all applications within the s...

Page 126: ...s Out Percentage of frames sent by this network station for this application relative to the total number of frames Bytes In Number of bytes received by the network station for this application Rel Bytes In Percentage of bytes received by this network station for this application relative to the total number of bytes Abs Bytes In Percentage of bytes relative to the total network capacity measured ...

Page 127: ...ns Table Column Description MAC Station Name 1 Name of a MAC station MAC Station Address 1 MAC station address MAC Station Name 2 Name of a second MAC station MAC Station Address 2 Address of a second MAC station Frames 1 2 Number of frames sent from MAC Station 1 to MAC Station 2 Frames 2 1 Number of frames sent from MAC Station 2 to MAC Station 1 Frames 1 2 Number of frames sent in either direct...

Page 128: ...tion field The Bar and Pie buttons toggle the type of graphic display The Pause Resume button allows you to pause or resume real time update of the graph Table Network Layer Matrix View as a table shows network activity from the view of network station pairs The table lists statistics for all pairs found The table can be customized to include other columns of information Table columns listed in it...

Page 129: ...ither direction between Network Station 1 and Network Station 2 Rel Frames 1 2 Percentage of frames sent in either direction between Network Station 1 and Network Station 2 relative to the total number of frames Bytes 1 2 Number of bytes sent from Network Station 1 to Network Station 2 Average size 1 2 Average size of the frames sent from Network Station 1 to Network Station 2 Bytes 2 1 Number of ...

Page 130: ...re the Application Layer Matrix View default columns Press the right mouse button on any table entry to create a filter using the selected network layer conversation See Chapter 7 for information on filters Table 6 16 Application Layer Matrix View Table Column Descriptions Table Column Description Net Station Name 1 Name of a network station Net Station Address 1 Network layer address of a network...

Page 131: ...ve to the total number of frames Bytes 1 2 Number of bytes sent from Network Station 1 to Network Station 2 for this application Average size 1 2 Average size of the frames in bytes sent from Network Station 1 to Network Station 2 for this application Bytes 2 1 Number of bytes sent from Network Station 2 to Network Station 1 for this application Average Size 2 1 Average size of the frames in bytes...

Page 132: ...termine what MAC stations are associated with what network stations Table 6 17 VLAN View Table Column Descriptions Table Column Description VLAN Id Number in decimal of the virtual LAN Click on the VLAN ID to see network layer and application layer host and matrix tables of that VLAN VLAN Type Indicates the VLAN type IEEE 802 1Q or Cisco ISL Frames Total frames captured that are associated with a ...

Page 133: ... names and addresses and network station names and addresses Duplicate Address View is not available as a chart Use this table if you need to determine what stations may have duplicate addresses If you are monitoring a remote device you must open one of the host tables for that remote device for new duplicate addresses to show in Duplicate Address View MAC Station Address MAC station address Netwo...

Page 134: ...to find out which applications are responding very slowly in the network To calculate application response time Surveyor causes a stimulus packet to be transmitted so the application layer round trip time can be assessed However the packet cannot be sent if the analyzer device used by Surveyor is connected through a tap device The application response time will only work if the transmit port of th...

Page 135: ...ort of data in ascending order is not available as a chart A Pause button is available on some charts and tables to freeze the display Click the button again to resume display updating The fields shown in some tables can be customized Choose View Options from the View menu in Detail View to change the columns that display for a table There are many view windows you can open Keep the number of open...

Page 136: ...n click the right mouse Selections for copy to capture or dis play filter appear Select the option and the Create Modify Filter window appears In Capture View press the F11 key to zoom in on any of the three panes in the window Press F11 again to restore the view to all three panes To see which capture filter or transmit specification is associated with a particu lar resource choose Active TSP and...

Page 137: ...cified from a single window However if you need to create an advanced filter with multiple states and searches to refine exactly what you re looking for Surveyor supports a complete filtering language Example filters are provided to give you an idea of the types of filters that can be created This section describes both Capture and Display Filters the minor differ ences are noted in the text Getti...

Page 138: ...Design window is essentially the same for capture or display fil ters See one of the filter examples for a picture of this window and information about its parts You can define a filter using a single filter template There are two types of filter templates Pre defined Filter Templates A pre defined filter template looks for a specific data pattern or a collection of data patterns The filter templa...

Page 139: ...late There are three key steps to apply a filter template to a hardware resource 1 After creating custom template you must save it using the Save Custom Template button This step is not required if you are using a pre defined template 2 You must add the template to the Template Combination box Select the template and click on the Add button the name of the template will appear in the Template Comb...

Page 140: ...tes Box Add Button add Filter Template to Template Combination box Template Description Delete Custom Template Button Add Conversation to Template Area Add Port to Template Area Save Custom Template Button Clear Template Button View Filter Button Template Combination Operator Buttons Button Edit Create Custom Filter Template Area Hex Dec ASCII Displays of Offsets Lengths Set Filter Actions Increme...

Page 141: ...ame Table window shows all name and address associations including the protocol and the frame type The name and address associations displayed are those in the currently active name table Double clicking on a name table entry will load that name into the currently selected Station Address field Table 7 1 Defining Conversations Conversation Element Description Protocol MAC IP IPX or Atalk AppleTalk...

Page 142: ... exam ple if you set an address for Station 1 no address for Station 2 and set the direction to all packets having Station 1 as the Source Address are captured regardless of the Destination Address Use wildcards when specifying addresses to capture data on more than one station An X used as a character for an address string means that any value will be accepted for that position for example 343F4A...

Page 143: ... plate combination Pre defined filter templates are provided that can be used as is or you can define your own filter templates See Standard Filter Templates in Appendix B for the filter templates supplied with Surveyor You cannot alter the pre defined filter templates Most filter templates have a defined offset and pattern within a frame However one template has no specific offset and length Matc...

Page 144: ...0 Figure 7 2 Template Description Window Showing a Macro Filter Creating Custom Filter Templates Custom filter templates are created from the Filter Design window Custom filter templates display under Custom_Templates in the Available Filter Templates box of this window Custom templates allow precise control over the information captured or displayed Custom templates are created by modifying a pre...

Page 145: ...ify if the column and row headers display in decimal or hexadecimal Note that although you can display the data in different formats all formats use a byte boundary Only byte quantities can be entered or displayed Any specific value you create for filter templates can have don t care values For example assume you re only looking for FF34 in the first two bytes of the MAC destination address You co...

Page 146: ...P dot notation this could be expressed as 8 1 2 Set the Data format pull down box in the filter window to Decimal Values in the Data pattern area will be entered in decimal 3 Enter 8 in offset 34 and enter 1 in offset 35 Enter 8 in offset 36 and 1 in offset 37 This sets the filter for both source and destination port If a port number is a decimal value less than 256 then the value of the first byt...

Page 147: ... Level Pattern dialog box is shown below When you view bytes within the Edit Create Custom Filter Template area those which have bit level filters applied appear with BW in the field If you place the cursor in the byte field and press the Set Bit Pattern button the Bit Level Pattern dia log box pops up allowing you to view change the current bit level filter A portion of the Filter Design window w...

Page 148: ... counter condition is a special condition for accepting rejecting a packet based on a counter value Logically a counter condition functions like a filter tem plate The settings for counters are test values that can be compared to actual packet counts and thereby determine subsequent actions Filter Packet Types Four types of frames can be collected and displayed Refine your selection crite ria by s...

Page 149: ... and continue Table 7 3 Operator Buttons for Template Combinations Button Description AND Insert logical AND operator The AND operator has a higher priority than the OR operator i e will be interpreted first OR Insert logical OR operator NOT Insert logical NOT operator Insert Open Parentheses Along with the closed parentheses estab lishes the ordering and interpretation of the operands For example...

Page 150: ...7 4 Capture Filter Actions Action Description Capture Capture the frame Trigger Capture the frame Continue capture and fill the buffer to the percent age specified by the user in the After trigger continue to capture packets until the buffer is full field Increment Custom Counter Increment the custom counter For THGm any combination of seven counters can be incremented Change Filter Operation Go t...

Page 151: ...00 the filter will carry out the actions that you have chosen for subsequent packets You can use a counter just like a filter template For example you could create the phrase FTP AND Counter 4 20 in the Template Combination box This would select FTP packets when Counter 4 reaches a value of 20 For THGm one of seven custom counters can be used as the test counter The counter test values set in this...

Page 152: ...ames leave the Good Frames box checked and deselect all other frame types If you want to capture only error frames leave all frame types selected with the exception of the Good Frames box For other hardware devices other than THGm the values that define Undersize and Oversize packets are fixed Fragments Undersize packets are those with less than 64 bytes and Jabbers Oversize are those over 1518 by...

Page 153: ...ttempting to create advanced filters Table 7 7 Capture and Display Frame Types Size Frame Type Size Description Good Frames Frames that have no errors CRC Error Frames All frames that contain CRC or Alignment errors default is packets of 64 to 1518 bytes Fragment Undersize All fragments and undersized frames default is packets less than 64 bytes Jabber Oversize All jabbers and oversize frames defa...

Page 154: ...u add or modify a statement its associated window is displayed All changes and additions to the filter are made from windows Windows appear when you double click on the statements shown in the Filter States Design window Keystrokes and the right mouse button in the Filter States Design window are also context sensitive For example pressing the Insert key when the ROOT statement is selected inserts...

Page 155: ...ng structure ROOT statement The root statement for capture filters con tains settings for global variables The root statement for display filters contains no variables STATE0 identifier Label for GoTo Action to Change the Fil ter Operation Initial Starting Point IF statement Specify conditions and actions ELSE IF statement optional same structure as IF statement other ELSE IF statements ELSE state...

Page 156: ...lter2 Counter2 Capture GoTo CurrentState ELSE GoTo State0 Changing States Changing Filter Operation When you select a state other than the current state a GoTo phrase will display as part of the statement in the Filter States Design window showing the next state for example GoTo State1 To change the state based on the conditions in a statement double click on the state ment in the Filter states De...

Page 157: ...nt you cannot load the filter until you return to the Filter States Design window The Load Filter and Unload Filter buttons on the Filter Design toolbar are disabled The window for the ELSE statement specifies the actions when no conditions for previous statements are satisfied You can only specify actions and the next state to execute Table Table 7 8 shows a synopsis of the logic sequence for sta...

Page 158: ...play filter ON at all times if you make changes the next time you view data in Capture View the new filter will be used immediately If you already have a Capture View window open for the capture file select the Refresh option from the File menu in Capture View to refresh the view using the new filter You can also create and immediately activate a display filter from Multi QoS tables using the righ...

Page 159: ...ow in Figure 7 5 shows a template that captures all packets going to and coming from two IP stations The conversation is specified by entering the two IP addresses using the indicator to capture packets in both directions The Apply Conversation to Template check box is selected to apply the conversation to the filter template The filter template is named Station_7and_8_Conversation Note that the f...

Page 160: ... Save Custom Template button 7 Enter the name of the new filter template in the Add to Available Filter Templates dialog box The name in the example is Station_7and_8_Conversation The new filter template name appears in the Custom_Templates section of the Available Filter Templates box 8 Press the Add button to apply the filter template The filter template appears in the Template Combination box 9...

Page 161: ...ed with an OR statement to collect both types of protocols The two templates are named HTTP_Activity_Station2 for the user defined HTTP template and FTP_Activity_Station2 for the user defined FTP tem plate The conversation is specified without a second station and uses the indicator Traffic is captured in the sending direction for a single station regardless of the other station in the conversatio...

Page 162: ...perations 7 Using the FTP pre defined filter template as the starting point repeat steps 1 through 6 to create a similar custom template for FTP 8 Highlight the HTTP_Activity_Station2 template in the Custom_Templates section of the Available Filter Templates box Press the Add button to apply the filter template The filter template appears in the Template Combination box 9 Press the OR operator but...

Page 163: ...lter Example Capture TCP Port Traffic The Filter Design window in Figure 7 7 shows the capture filter for a specific TCP Port This filter collects all TCP IP traffic that uses the BootPS port number Figure 7 7 Filter Design Window Capture TCP Port Example ...

Page 164: ...ate area Be sure the Apply Conversation to Template check box is NOT selected in the Add Conversation to Filter Template area No specific stations are associated with the new filter template 6 Press the Save Custom Template button 7 Enter the name of the new filter template in the Add to Available Filter Templates dialog box The name in the example is BootPS_Activity The new filter template name a...

Page 165: ... Advanced Filter Filter States Design Window Packets are tested first by the IF statement in State0 If the packet matches the broadcast mask FFFFFFFFFFFF in the first six bytes the packet is captured the buffer is triggered and the next packet is filtered by State1 If the packet does not contain the Broadcast address the packet is not captured and the next packet is fil tered State1 is executed af...

Page 166: ...be used as a counter condition in a filter template For THGm all 7 custom counters can be used as a counter condition The maximum number of states allowed is four for THGm The number of filters allowed depends on the analyzer card hardware A maxi mum of 16 total hardware filters are allowed for THGm modules which can be distributed across its four allowed states Depending on the number of states t...

Page 167: ... Design window make sure that the templates you want in the filter are displayed in the Template Combination box If a template is not displayed in the Template Combination box it is not part of the filter to be applied Be sure to click the Apply Conversation to Template check box to include a con versation as part of your filter AND operations narrow the search results and are typically used betwe...

Page 168: ...rrent filter Make sure all templates display in the Template Combination box that you want to use in the filter You can create a new capture file by running an existing capture file through a filter From the Tools menu select Extract Frames From File Using Filter Enter the path name of an existing capture file apply a filter and name the output file Filtering Tips Unique to THG class Devices When ...

Page 169: ...ll network speed or faster This allows you to set up high traffic conditions and see how the network performs Surveyor can also transmit a variety of user defined packet contents to see their effect on the network With multiple modules transmitted data can be captured by another analyzer card You can use the capture and view features in the Surveyor software to analyze the results all from the sam...

Page 170: ...a stream middle Buttons for adding modifying or deleting streams editing data Transmission status information Buttons for loading the module opening saving the specifications and adding streams using templates and Magic Packets Figure 8 1 Transmit Specification Dialog Box Defined Streams List Box A defined stream is a specification for transmitting frames from a module Multiple streams can be defi...

Page 171: ...t box If you modify the values in the current stream and click on Add a new stream is added as the stream after the currently selected stream in the Defined Streams list box If you modify the values in the current stream and click on Modify the definition of the current stream is changed Radio Buttons and Fields for Defining a Stream Specify the contents and the size of the stream using the DA SA ...

Page 172: ...cification Be sure to use the Load Module button to load the specification to the module before you begin transmission The Template button allows you to use predefined data as a starting point for new stream It also lets you create Magic Packets Table 8 1 Stream Function Buttons Stream Button Stream Function Add Adds a new stream after the currently selected stream in the Defined Streams window Th...

Page 173: ... template places the values of the template in the fields of the Transmit Specification dialog box You can then change the val ues of the fields in the Transmit Specification dialog box or use the Edit Data button to create exactly the packet you wish Cancel Exit the Transmit Specification dialog box Make sure you have added modified all streams saved new Transmit Specifications and loaded the res...

Page 174: ... Stream 2 packet gap 200msec no burst The example results in the following Transmit Stream 1 Wait 100msec Transmit Stream 1 Wait 100msec Transmit Stream 1 Wait 100msec Transmit Stream 1 Wait 104msec Transmit Stream 1 Wait 100msec Transmit Stream 1 Wait 100msec Transmit Stream 1 Wait 100msec Transmit Stream 1 Wait 104msec Transmit Stream 2 Wait 200msec If the transmission mode is set to continuous ...

Page 175: ...lowing example shows how bursts and burst timing work Assume three streams are defined as follows Stream 1 Packet Gap 100msec No burst Stream 2 Packet Gap 20msec Burst Count 3 Burst Gap 4msec Stream 3 Packet Gap 5msec No burst The example results in the following Transmit Stream 1 Wait 100msec Transmit Stream 2 Wait 20msec Transmit Stream 2 Wait 20msec Transmit Stream 2 Wait 24msec Transmit Stream...

Page 176: ...y active module the number of streams that are active and the total memory in the buffer required to transmit the specification The total memory increments as you add change streams giving you an instant reflection of how much data you are transmitting A warning message is shown if you exceed the transmit buffer size Specifying Transmit Data Data fields for the Transmit Specification can be modifi...

Page 177: ...rsor location in hex view so offsets remain correct Press the Decode button to display edits made in hex view in the decode view Note that changes to the decode view are not automatic This provides the option of creating error packets that can t be decoded properly Note NDIS modules cannot transmit without a valid CRC Changing Fields Directly in the Dialog Box The values of various fields in the c...

Page 178: ... the current stream Use the pull down box to see available options In the example stream the packet is an IP packet This field can also be used to enter the packet length for IEEE802 2 or SNAP frames Packet Size Sets the packet size Use the pull down box to view common sizes The size must be from 8 to 15 000 bytes Data Field Specifies the data to be sent as part of the packet Use the pull down box...

Page 179: ...n the button and open a capture file or use packets within the capture buffer that are displayed in Capture View 2 Find the packet you want to add as a transmit template You must make this packet the first packet in the capture file or capture buffer Either delete all packets that come before the packet you want or filter out all other packets using a display filter 3 Select the first line first p...

Page 180: ...m field All other fields do not apply when the stream is defined by a capture file Transmit Specification Examples Transmit Specification examples are supplied with Surveyor Open a transmit specification file transmit subdirectory TSP extension from the Transmit Specification dialog box to see examples Two Transmit Specification examples are shown in the following sections The Packet Gaps example ...

Page 181: ...in Figure 8 2 The dialog box only shows the values for the currently highlighted stream The current stream appears highlighted within the Defined Streams window Multiple streams are defined in the specification All activated streams indicated by the check mark in the Defined Streams window will be transmitted Figure 8 2 Transmit Specification Dialog Box Packet Gaps ...

Page 182: ...n in Figure 8 3 The dialog box only shows values for one stream the stream that contains a burst Multiple streams are defined in the specification Since a burst of 100 is specified 101 frames will be transmitted even though there are only two streams defined Figure 8 3 Transmit Specification Dialog Box Bursts ...

Page 183: ...ckets at the receiving end Using bursts is the easiest way to simulate high traffic conditions Always save your defined specification The Transmit Specification can only be saved using the dialog box An NDIS module cannot transmit bad physical layer error packets such as bad CRC packets runt packets oversized packets packets with less than minimum packet size and so on Use Finisar analyzer cards t...

Page 184: ...8 16 Surveyor User s Guide ...

Page 185: ...ling interval value and an Enable Disable click box Starting a resource automatically activates the alarms associated with that resource You must have Monitor mode set for a resource to have alarms trigger and have alarm actions occur Actions resulting from alarms are varied and flexible because they are assigned to each individual alarm Whenever an alarm threshold is exceeded an audible beep soun...

Page 186: ...ppears with a list of alarms set up for the resource If you have no alarms set for the resource no alarms will display Alarms apply to each analyzer card If the host contains two analyzer cards a separate Current Module Alarms dialog box appears for each card Figure 9 1 Current Module Alarms From the Current Module Alarms dialog box you can add modify or delete alarms for the resource ...

Page 187: ... in the Current Module Alarm window Press Modify Alarm to modify the highlighted alarms From the Modify Alarms dialog box change the characteristics for current alarms The alarm variable name or alarm group name cannot be changed Use the New Alarm option to add an alarm with a different variable Figure 9 3 Modify Alarms To delete one or more alarms select the alarm s and press Delete Alarm in the ...

Page 188: ...all jitter times call setup times dropped packets and R factors in VoIP calls You can set alarms to test against specific codecs Expert Allows you to modify and enable any of the 35 Expert alarms Alarms test for discrete conditions at different protocol layers such as NFS retransmissions at the application layer overload utilization percent ages at the MAC layer or TCP IP SYN packets at the transp...

Page 189: ... at the codec type set the Codecs field to All Codecs Multi QoS uses a simple threshold value to trigger the alarm When the threshold value is crossed the alarm is triggered and the alarm action is taken Most alarms trigger when the current value exceeds a threshold such as for call jitter However the R factor alarms trigger when the current value goes below the threshold value The lower the R fac...

Page 190: ...yer Application Layer Network Layer ICMP All Errors HSRP Coup Resign ICMP Destination Unreachable Duplicate Network Address ICMP Redirect Unstable MST Excessive BOOTP SAP Broadcasts Excessive ARP OSPF Broadcasts NFS Retransmissions RIP Broadcasts Total Router Broadcasts Transport Layer ISL Illegal VLAN ID TCP IP SYN Attack ISL BPDU CDP Packets TCP IP RST Packets IP Time to Live Expiring TCP IP Ret...

Page 191: ...e at version 4 1 or greater Table 9 3 shows the alarms that can be used with each Finisar analyzer device Table 9 3 Alarms and Hardware Devices Ethernet Token Ring Network Application Response Expert Multi QoS THGm THGs THGsE THGp THGnotebook YES N A YES YES YES YES Local NDIS Module YES YES YES YES YES YES Remote NDIS Module YES YES YES YES YES YES Local Portable Surveyor 10 100 Ethernet Ana lyze...

Page 192: ...e threshold A delta sample type means that if a difference between samples increases rising or decreases falling over time is more than the specified threshold an alarm event occurs The Interval field sets the time period between samples Samples are actually taken at least twice as often as the interval This allows the detection of threshold crossings that span the sample boundary For example if t...

Page 193: ...the audible alarm No other actions occur if this setting is selected This is the default value for alarm actions Surveyor THGs THGsE E mail sends the message to pre configured e mail addresses Your e mail application does not need to be running for alarms to generate e mail messages Surveyor THGs THGsE Pager sends alarms to pre configured pager numbers Surveyor only Log records alarms in a pre con...

Page 194: ... accept a complete path name for the THGs log file E Mail Settings Microsoft Exchange or message utilities must be installed and enabled before E mail and pager actions can occur When sending E mail multiple addresses can be configured from the Host Alarm Setting E mail Settings menu Setting the addresses for alarm actions is a global setting for the host All alarms reported by Surveyor will go to...

Page 195: ...E Mail Settings for THGs Pager Settings The host must have a modem to use a pager You must set an appropriate delay time when making a call to a pager When making a call to a pager a single number can be configured from the Host Alarm Setting Pager Settings menu Setting the pager number for alarm actions is a global setting for the host All alarms reported for analyzer devices in the host will go ...

Page 196: ...ears Use the Community Settings area to add or delete communities List all IP addresses for the community in the Trap Destinations area The community does not require read or write privileges to receive SNMP traps containing alarms You can disable any community from receiving traps by setting the Disable radio button When you click the Disable button for a community all IP addresses set as Trap De...

Page 197: ...nnot perform SNMP Trap Setting for a remote Surveyor host only set alarms and alarm actions Refer to Microsoft Windows documentation for information about how to install run and configure SNMP trap destinations on your Windows system Surveyor has six different traps one for each of the alarm groups The number of alarm variable is the same except for Multi QoS alarms which contain some additional i...

Page 198: ...m table To set more than one alarm of the same type click on the type you want to duplicate and press the Insert key A new alarm row appears below the current row Fill out the settings in the new row To set one alarm that has multiple actions click on the alarm type you want to duplicate and press the Insert key Change the Actions field of the new row to the additional action you want For example ...

Page 199: ...cur when for the alarms are triggered Alarm Example Utilization Figure 9 6 Alarm Example Utilization This simple example shows an alarm group consisting of one MAC Layer alarm for Utilization This alarm samples network traffic at five second intervals When the absolute rising value of 50 percent utilization is exceeded Surveyor issues an audible alarm and displays a message in Surveyor s message w...

Page 200: ... an alarm threshold for any of these five alarms is exceeded Surveyor issues an audible alarm and displays a message in Surveyor s message window Assume that overall error rate is of particular interest in this example The Severity setting instructs Surveyor to include a Warning message with all alarm messages when the error rate is greater than 250 The Actions setting instructs Surveyor to send a...

Page 201: ...ames 512 1028 Byte Frames and 1024 1518 Byte Frames Each of these alarms samples network traffic at five second intervals When an alarm threshold for any of these four alarms is exceeded Surveyor issues an audible alarm and displays a message in Surveyor s Message window In addition the alarms will be logged to the Log file specified For Oversize Frames the notification is a warning message ...

Page 202: ...n Surveyor s Message window The Severity setting instructs Surveyor to include Warning message when the call jitter exceeds 200ms A Critical message is included with all alarm messages when the call jitter exceeds 500ms plus instructions to Surveyor to stop and save frame contents to a capture file For the R factor alarm the alarm triggers when the User R factor value drops below the threshold val...

Page 203: ... consisting of three Application Response and one Expert alarm All of these alarm counters are checked at five second intervals When an alarm threshold for any of these four alarms is exceeded Surveyor issues an audible alarm and displays a warning message in Surveyor s message window Two different alarm groups are represented Expert and Application Response ...

Page 204: ...9 20 Surveyor User s Guide ...

Page 205: ...s When Surveyor detects an abnormal or unusual network event it logs a symptom A symptom indicates that a threshold has been exceeded and may indi cate a problem on your network Several symptoms analyzed together high rates of recurrence of specific symptoms or single instances of particular network events causes Surveyor to conclude that the network has a problem These are logged as analyses In a...

Page 206: ...ime Min Time Maximum Response Time Max Time Average Response Times Avg Time and the Number of Connections Connec tions processed to derive these times Duplicate Network Address View The Duplicate Network Address view depicts each duplicate network IP IPX address detected and its associated MAC layer bindings See Chapter 6 Views for more information on Expert Views Getting Started with Expert View ...

Page 207: ...10 3 Expert Features Getting Started with Expert View10 Figure 10 1 Expert Overview Example ...

Page 208: ...s shown in Figure 10 2 The summary area top lists all occurrences of the selected symptom The detail area bottom left shows an object tree view of the symptom selected in the summary area This provides information about the stations and ports that are associated with the selected symptom The vital statistics for the symptom selected in the summary area is shown in the detail area to the right The ...

Page 209: ...10 5 Expert Features Getting Started with Expert View10 Figure 10 2 Expert Overview Detail Table Example ...

Page 210: ...ed for this conversation Detailed statistics for each entity in the conversation and statistics for the conversation itself are also included The summary and detail areas are separated by large gray bars one vertical and one horizontal which can be used to size each area as needed Layer Description Application Surveyor checks for application problems These are generally servers running protocols w...

Page 211: ...10 7 Expert Features Expert Layers 10 Figure 10 3 Expert Application Layer Example ...

Page 212: ...ader a second time changes the sort order from descending to ascending Double click the network address in Station 1 in the Application Session Layer to jump to the first connection to that server in the Transport Layer Double click the network address in Station 2 in the Application Session Layer to jump to the first connection from the client to that server in the Transport Layer Table 10 1 is a...

Page 213: ...transmissions NCP Too Many Requests Denied NCP Too Many Request Loops Session TNS Slow Server Connect TNS Slow Server Response No WINS Response Transport Idle Too Long TCP Checksum Errors TCP Fast Retransmission TCP Frozen Window TCP Long Ack TCP Repeat Ack TCP Retransmission TCP SYN Attack TCP Window Exceeded TCP Window Probe TCP Zero Window Non Responsive Station Too Many Retransmissions Network...

Page 214: ...xpert detects an abnormal or unusual network event it logs a symptom A symptom indicates that a threshold has been exceeded and may indicate a problem on your network Counters for symptoms can be used to trigger alarms Press the Symptoms tab on the Expert window to view network events that may result in network problems See Figure 10 1 and Figure 10 3 for examples of displays of symptoms Tables in...

Page 215: ...en the two network stations The second list displays the network traffic of the first network station It shows how many packets and bytes of data are sent and received by the station It shows how many broadcast packets the station sent and the MAC addresses associated with the station The third list displays the network traffic of the second network station if present The fourth list displays the ...

Page 216: ...twork objects discov ered from the current packet analysis The example below shows the entities discov ered for the Transport Layer The detail area shows details for both the conversation and the individual stations in the conversation Figure 10 4 Entities for the Transport Layer Example ...

Page 217: ...f zero window size events that occurred in this TCP connection The number of diagnoses and symptoms found are also shown The maximum and minimum acknowledge times are displayed if they are present The average acknowledge time is the total acknowledge time divided by the number of acknowledgments The third list displays the same statistics described above for the other station in the conversation N...

Page 218: ... list displays the protocols this station used the number of packets and bytes of data of that protocol sent and received by the station and the first and last frames in which the protocol occurred The third list displays the network traffic between this station and other physical stations It shows how many packets and bytes of data are passed between the two stations and how many packets and byte...

Page 219: ...lysis to display an Expert Diagnostic Message Contents of the Expert Diagnosis window include A summary of the symptom or analyses including addresses and frame IDs A description of the Expert symptom or analyses Possible causes Recommended actions Figure 10 5 shows an example of the Expert Diagnosis window Figure 10 5 Expert Diagnosis Example ...

Page 220: ... in front of each item that can be enabled disabled Disabling an entire branch in the tree such as Data Link disables all expert symptoms that can be disabled for that layer Transport or application symptoms cannot be disabled completely so there is no checkbox by these items The entire expert system can be disabled by removing the top level check next to Expert If the symptom has a threshold valu...

Page 221: ...ail as with all other Surveyor alarms Alarms test for thresholds at different protocol layers such as the number of NFS retransmissions at the application layer or a specific overload utilization percentage at the MAC layer Some network problems are not single events but are indicated by certain thresholds or counters being exceeded To catch these type of problems use Expert Alarms Many event coun...

Page 222: ...nt expert data With an Expert window active select Print from the File menu or press the print button on the Detail View toolbar The symptom list in the top panel is printed by default From the Overiew tab all counters are printed If you want to print the Detail data in the bottom right panel of an Expert display click on any field in any table in this panel and select Print from the File menu Dat...

Page 223: ...in milliseconds ms A threshold can be set in the Application Response Time Alarms for all supported applications Supported applications are DNS FTP Gopher HTTP NFS NNTP POP SMTP TELNET From Detail View press the Application Response Time button to see applica tion response times See Chapter 6 on Views for more information on the Applica tion Response Time table To calculate application response ti...

Page 224: ...nt For example Rate of change of SMB Mailslot Broadcasts 40 The threshold value for this symptom can be changed The default threshold value is 6 mailslot broadcasts per second Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for SMB Mailslot broadcasts has been exceeded for this segment resulting in an Excessive Mailslot...

Page 225: ...n attempts 4 3 The threshold value for this symptom can be changed The default threshold value is greater than 3 login attempts Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for the number of FTP login attempts has been exceeded __________________________________________________________________ Probable Cause s 1 The ...

Page 226: ...nged The default threshold value is multiplier of 2 The time interval to use is read from the announcement packet For example assume that the time out value read from an SMB packet is 480 000 ms If the multiplier value is set to 2 then the symptom displays when there is no browser announcement for 960 000 ms 2 X 480 000 ms Diagnostic Details ________________________________________________________...

Page 227: ...m Summary field provides the two addresses between which the retransmission occurred For example Between 00000010 0207012303E3 and 302A9950 000000000001 Diagnostic Details __________________________________________________________________ Problem Description A part of a file has been retransmitted __________________________________________________________________ Probable Cause s 1 There may be a ...

Page 228: ...ptom Summary field provides the two addresses between which the overlap occurred For example Between 00000010 0207012303E3 and 302A9950 000000000001 Diagnostic Details __________________________________________________________________ Problem Description A part of a transmitted file overlaps with the other parts __________________________________________________________________ Probable Cause s 1 ...

Page 229: ...ged The default is 2 requests The interval can be changed by setting the NCP Request Loop time value which specifies the interval of time to look for repeating requests The default is 100 ms Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for the number of request denied replies within the request loop time has been exc...

Page 230: ...me request in 100 ms The interval of time to look for repeating requests can be changed The default is 100 ms Diagnostic Details __________________________________________________________________ Problem Description The same request has been sent repeatedly within the threshold value __________________________________________________________________ Probable Cause s 1 Some reply packets may have b...

Page 231: ...ackets per second For example Rate of change of NCP Server Busy 5 The threshold value for this symptom can be changed The default value is 10 packets per second Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for the number of NCP Server Busy responses has been exceeded for this station _________________________________...

Page 232: ... number of retransmissions divided by the total number of file requests For example File retransmission ratio is 8 28 28 The threshold value for this symptom can be changed The default value is a 20 retransmission ratio Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for the ratio of file retransmissions over file reque...

Page 233: ...ided by the total number of file requests For example Requests denied ratio is 8 28 28 The threshold value for this symptom can be changed The default value is a 20 requests denied ratio Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for the ratio of requests denied over requests sent has been exceeded ________________...

Page 234: ...request loops divided by the total number of requests For example Requests loops ratio is 8 28 28 The threshold value for this symptom can be changed The default value is a 20 request loops ratio Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for the ratio of request loops over requests sent has been exceeded _________...

Page 235: ...ails __________________________________________________________________ Problem Description There is a retransmission of an NFS request packet The RPC identifier for this connection has been reused __________________________________________________________________ Probable Cause s 1 An NFS data may be transmitted over several fragmented IP packets If any of the IP fragments is missing it will resu...

Page 236: ... as expert analyses For example HTTP POST request not responded Diagnostic Details __________________________________________________________________ Problem Description There is no HTTP server response to a POST request resulting in a connection reset __________________________________________________________________ Probable Cause s 1 The server was very busy 2 There may be a problem with the HT...

Page 237: ... the type of server involved For example SMTP server not responded This analysis applies to text based application protocol servers such as FTP SMTP NNTP and POP3 Diagnostic Details __________________________________________________________________ Problem Description There is no server ready message for the server __________________________________________________________________ Probable Cause s...

Page 238: ...reshold value for this symptom can be changed The default value is 2000 milliseconds Diagnostic Details __________________________________________________________________ Problem Description An HTTP server response to a GET request has taken longer than the threshold value to reach the sender __________________________________________________________________ Probable Cause s 1 The server was very ...

Page 239: ... The threshold value for this symptom can be changed The default value is 2000 milliseconds Diagnostic Details __________________________________________________________________ Problem Description An HTTP server response to a POST request has taken longer than the threshold value to reach the sender __________________________________________________________________ Probable Cause s 1 The server w...

Page 240: ...nd POP3 These servers send a ready message when a client first logs in If the response time is too long exceeds the threshold the symptom is recorded For slow responses other than the ready message see the Slow Server Response symptom Diagnostic Details __________________________________________________________________ Problem Description The first server ready message has taken longer than the th...

Page 241: ... such as FTP SMTP NNTP and POP3 The symptom is recorded whenever the server response exceeds the threshold for a client request For slow responses to initial log on server ready message see the Slow Connect Response symptom Diagnostic Details __________________________________________________________________ Problem Description A response from the server has taken longer than the threshold value t...

Page 242: ...ing information Invalid network name in tree connect Diagnostic Details __________________________________________________________________ Problem Description An SMB session could not be established because the requesting station had specified a network resource name that does not exist on the target station __________________________________________________________________ Probable Cause s 1 The ...

Page 243: ...oms The Symptom Summary field provides the following information Invalid password Diagnostic Details __________________________________________________________________ Problem Description An SMB session could not be established because the password was invalid __________________________________________________________________ Probable Cause s 1 The client software specified an invalid user name or...

Page 244: ... request not responded within 1000 ms The time out value for this symptom can be changed The default value is 1000 ms Diagnostic Details __________________________________________________________________ Problem Description There is no response from the WINS server __________________________________________________________________ Probable Cause s 1 The UDP packets have been lost 2 The WINS server...

Page 245: ...ervers only If the response time is too long exceeds the threshold the symptom is recorded For slow responses other than the ready message see the TNS Slow Server Response symptom Diagnostic Details __________________________________________________________________ Problem Description The TNS server has taken longer than the threshold value to accept refuse a connection ___________________________...

Page 246: ...e symptom is recorded whenever the server response exceeds the threshold for a client request For slow responses to initial log on see the TNS Slow Connect Response symptom Diagnostic Details __________________________________________________________________ Problem Description A response from the TNS server has taken longer than the threshold value to reach the sender ____________________________...

Page 247: ...r 128 s An idle connection is defined as no packet activity for the connection The threshold for this symptom can be changed The default threshold is an idle connection for 60 seconds Diagnostic Details __________________________________________________________________ Problem Description The connection has been idle for longer than the threshold value _____________________________________________...

Page 248: ...ot responding The threshold value for the number of retransmissions can be changed The default threshold is 3 successive retransmissions Diagnostic Details __________________________________________________________________ Problem Description The threshold set for consecutive retransmissions has been exceeded This resulted in a Non Responsive Station symptom _______________________________________...

Page 249: ...228 69 DA 206 250 228 11 Diagnostic Details __________________________________________________________________ Problem Description A TCP IP packet has a checksum value that is in error The packet may be discarded __________________________________________________________________ Probable Cause s 1 The station that sent this packet may have a faulty network stack 2 The router that forwarded this pa...

Page 250: ...___________________________________ Problem Description A TCP IP packet has been retransmitted There was no ACK form the receiver causing the sender to retransmit the packet And the time from the last transmission is less than the threshold value __________________________________________________________________ Probable Cause s 1 An ACK sent by the receiver was lost 2 The network is overloaded 3 ...

Page 251: ... over a threshold interval for one connection in one direction If only one packet is detected over the threshold interval it is logged as a TCP frozen window event Events of this type can indicate when a problem with the TCP IP connection or excessive network traffic The threshold for this symptom can be changed The default threshold is a frozen window of 5 seconds Diagnostic Details _____________...

Page 252: ...s Guide __________________________________________________________________ Recommended Action s 1 Upgrade the receiver s CPU and or Memory 2 Reduce the number of connections to the receiver 3 Increase the network bandwidth ...

Page 253: ...d for every packet When a value exceeds a threshold value the event is logged as an Expert Symptom The threshold for this symptom can be changed The default threshold is no acknowledgment for 200 milliseconds Diagnostic Details __________________________________________________________________ Problem Description A TCP IP ACK Acknowledgment has taken longer than threshold value to reach the sender...

Page 254: ...es that the acknowledgement numbers are out of sequence For example Acknowledgement number is less than the one before Diagnostic Details __________________________________________________________________ Problem Description A TCP IP acknowledgement number is less than the one before __________________________________________________________________ Probable Cause s 1 The network is overloaded 2 T...

Page 255: ...ts WKP involved including the port number and the IP address For example Between 206 250 228 69 TCP IP WKP 1988 and 206 250 228 11 TCP IP WKP 197 Diagnostic Details __________________________________________________________________ Problem Description A TCP IP packet has been retransmitted There was no ACK from the receiver causing the sender to retransmit the packet ______________________________...

Page 256: ...unter of all TCP RST Packets over a period of time per segment This variable counts the number of RST responses to monitor resets in TCP IP A count of all TCP RST packets displays in the Overview counters of Expert View A threshold for this counter can be set in Expert Alarms ...

Page 257: ...ond Diagnostic Details __________________________________________________________________ Problem Description The threshold for the number of SYN connections on the segment has been exceeded There may be a SYN attack __________________________________________________________________ Probable Cause s 1 An intruder is trying to break into your network 2 The network is heavily overloaded 3 Your Web s...

Page 258: ...size on the receiving end For example Data length of 128 bytes exceeds last window size of 0 Diagnostic Details __________________________________________________________________ Problem Description The TCP packet data size exceeds the TCP window of the receiving end __________________________________________________________________ Probable Cause s 1 The network is overloaded so that the new wind...

Page 259: ...ogged One byte data packets are sent periodically by the sender to see if the receiver s window has reopened to allow the sender to resume transmitting Diagnostic Details __________________________________________________________________ Problem Description A TCP IP packet with one byte of data has been sent to check whether the receiver s window has been reopened _________________________________...

Page 260: ...on the event is logged Events of this type indicate when a receiver s buffer is full which can indicate problems with the network Expert Diagnosis __________________________________________________________________ Problem Description A TCP IP packet indicates zero window size for longer than the threshold interval The receiver is shutting down communication and will accept no more data from the ot...

Page 261: ...is 49 50 98 The threshold value for this analysis can be changed The default value is a 20 retransmission ratio Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for the ratio of retransmissions over packets sent has been exceeded __________________________________________________________________ Probable Cause s 1 The ne...

Page 262: ...uplicate IP Address or Duplicate IPX Address expert symptoms The Symptom Summary field provides information about the duplicate IP or IPX address For example Addr 206 250 228 67 Diagnostic Details __________________________________________________________________ Problem Description This network address has multiple MAC station address associations This is a serious problem if the associated MAC s...

Page 263: ...y field provides the IP address of the router trying to become active For example SA 206 250 226 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description A Router has generated an HSRP Coup message __________________________________________________________________ Probable Cause s 1 A stand by router has assumed the function of ...

Page 264: ...the HSRP Errors counter which displays in the Overview counters of Expert View Both Coup and Resign packets are counted Coup Resign packets in the HSRP are used to acti vate deactivate routers A threshold can be set in Expert Alarms for HSRP Coup Resign packets which includes both Resign and Coup HSRP messages ...

Page 265: ...mary field provides the IP address of the router trying to become inactive For example SA 206 250 226 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description A router has generated an HSRP Resign message __________________________________________________________________ Probable Cause s 1 The stand by router is returning routin...

Page 266: ...ded D F Set Source Route Failed Destination Net work Unknown Destination Host Unknown Destination Network Access Denied Destination Host Access Denied Network Unreachable for TOS Host Unreachable for TOS Destination Unreachable catches all other Destination Unreachable Errors Source Quench Redirect Network Redirect Host Redirect Network Redirect for TOS Host Redirect for TOS ICMP Redirect catches ...

Page 267: ...1 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Parameter Problem IP header is bad message has been sent __________________________________________________________________ Probable Cause s 1 A host router may send this message if the IP header parameters have problems that prevent it from processing the packet 2 ...

Page 268: ...not be reached by 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Host Administratively Prohibited message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message...

Page 269: ...50 228 69 cannot be reached by 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Host Unknown message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message 2 A ro...

Page 270: ...69 cannot be reached by 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Network Administratively Prohibited message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send thi...

Page 271: ...50 228 69 cannot be reached by 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Network Unknown message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message 2 A...

Page 272: ...Unreachable is also an expert symptom and has its own Diagnostic Details However this expert symptom reflects only those destination unreachable conditions which cannot be assigned to one of the other destination unreachable symptoms defined above ICMP Destination Unreachable events are automatically logged as expert symptoms The Symptom Summary field provides information about the IP addresses in...

Page 273: ..._______________________________________ Recommended Action s 1 Check the routing tables of the router that this message was generated from 2 Check the netmask configuration of the source 3 Ignore this message if the destination is truly unreachable no action required ...

Page 274: ...06 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Fragment Reassembly Time Exceeded message has been sent __________________________________________________________________ Probable Cause s 1 A host may send this message if it cannot reassemble the fragments due to missing fragments on time 2 There may be a lot of missin...

Page 275: ...not be reached by 206 250 228 11 as D F Set SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Fragmentation needed but D F set Unreachable message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem i...

Page 276: ...206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Host Redirect message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message 2 A router may send this message if according to its proper routing tables it finds ...

Page 277: ...06 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Redirect for TOS and Host message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message 2 A router may send this message if according to its pr...

Page 278: ... cannot be reached by 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Host Unreachable message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message 2 A host ma...

Page 279: ...69 unavailable for 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Host is Unreachable for TOS message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message 2 A...

Page 280: ...ically logged as expert symptoms The Symptom Summary field provides information about the IP addresses involved For example Addr 206 250 228 69 Subnet mask 255 255 255 240 Diagnostic Details __________________________________________________________________ Problem Description The subnet mask reply does not match the one used by the two stations ____________________________________________________...

Page 281: ...28 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Network Redirect message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message 2 A router may send this message if according to its proper routing tabl...

Page 282: ... 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Redirect for TOS and Network message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message 2 A router may send this message if according to its p...

Page 283: ... 250 228 69 cannot be reached by 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Network Unreachable message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this messa...

Page 284: ...r as a Missing IP Option Diagnostic Details __________________________________________________________________ Problem Description An ICMP Parameter Problem message has been sent __________________________________________________________________ Probable Cause s 1 A host router may send this message if the IP header parameters have problems that prevent processing of the packet 2 A host router may...

Page 285: ... cannot be reached by 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Port Unreachable message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this message 2 A host ma...

Page 286: ...206 250 228 69 cannot be reached by 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Protocol Unreachable message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing table problem it may send this m...

Page 287: ...ary field provides information about the IP addresses involved For example Use Gateway 206 250 54 61 to reach 206 250 228 69 from 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Redirect message has been sent __________________________________________________________________ Probabl...

Page 288: ...________________________________ Problem Description An ICMP Parameter Problem IP Options required but missing message has been sent __________________________________________________________________ Probable Cause s 1 A host router may send this message if the IP header parameters have problems that prevent processing of the packet 2 A host router may have a bad network stack or a bad interface c...

Page 289: ...250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Source Quench message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a buffer space problem it may send this message 2 A host may send this message if it can t keep up with processing of p...

Page 290: ... involved For example 206 250 228 69 cannot be reached by 206 250 228 11 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Destination Unreachable Source Route Failed message has been sent __________________________________________________________________ Probable Cause s 1 If a router has a routing...

Page 291: ...etails __________________________________________________________________ Problem Description An ICMP Time Exceeded message has been sent __________________________________________________________________ Probable Cause s 1 A router may send this message if it encounters an IP packet with a TTL value of 0 2 The source may have an incorrectly configured subnet mask causing longer hops 3 The routing...

Page 292: ...n forwarding to Destination 206 250 228 69 SA 206 250 228 11 DA 206 250 228 69 Diagnostic Details __________________________________________________________________ Problem Description An ICMP Time To Live Exceeded message has been sent __________________________________________________________________ Probable Cause s 1 A router may send this message if it encounters an IP packet with a TTL value...

Page 293: ...ntered For example Addr 255 255 255 255 This symptom can help catch malfunctioning routers or bad addresses generated due to collisions Diagnostic Details __________________________________________________________________ Problem Description A broadcast network address has appeared as a source address This is a problem associated with a bad host ____________________________________________________...

Page 294: ...DA 206 250 228 11 Diagnostic Details __________________________________________________________________ Problem Description An IP packet has a checksum value that is in error The packet may be discarded __________________________________________________________________ Probable Cause s 1 The station that sent this packet may have a faulty network stack 2 The router that forwarded this packet may h...

Page 295: ...symptoms The Symptom Summary field provides information about the time to live TTL and the source and destination addresses For example TTL 1 SA 206 250 228 69 and DA 206 250 228 11 Diagnostic Details __________________________________________________________________ Problem Description An IP packet has a time to live value that is going to expire The packet may be discarded ______________________...

Page 296: ...s Counter ISL BPDU CDP Packets is a counter of all Bridge Protocol Data Unit BPDU or Cisco Discovery Protocol CDP packets in an ISL frame over a period of time per segment A count of BPDU CDP packets displays in the Overview counters of Expert View ...

Page 297: ...umber of the illegal VLAN ID For example VLAN ID 1036 Diagnostic Details __________________________________________________________________ Problem Description The VLAN ID in the ISL protocol is illegal The allowable range is from 1 to 1024 __________________________________________________________________ Probable Cause s 1 An error made in the VLAN configuration for the Switch may have introduce...

Page 298: ...roadcasts over a period of time per segment A count of all OSPF broadcasts displays in the Overview counters of Expert View A threshold for this counter can be set in Expert Alarms If OSPF broadcasts fall below a certain threshold this may indicate that a OSPF router is not functioning properly ...

Page 299: ... RIP broadcasts over a period of time per segment A count of all RIP broadcasts displays in the Overview counters of Expert View A threshold for this counter can be set in Expert Alarms If RIP broadcasts fall below a certain threshold this may indicate that a RIP router is not functioning properly ...

Page 300: ...asured in packets per second For example Rate of change of Router Broadcasts 5 The threshold value for this symptom can be changed Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for the number of router broadcast messages has been exceeded for this router ________________________________________________________________...

Page 301: ...as expert symptoms The Symptom Summary field provides the network address For example Addr 255 23 252 6 Diagnostic Details __________________________________________________________________ Problem Description A packet with the source and destination network addresses has been received __________________________________________________________________ Probable Cause s 1 A protocol analyzer has bee...

Page 302: ...roadcasts over a period of time per segment A count of all SAP broadcasts displays in the Overview counters of Expert View A threshold for this counter can be set in Expert Alarms If SAP broadcasts fall below a certain threshold this may indicate that a SAP router is not functioning properly ...

Page 303: ...ounter of all total router broadcasts over a period of time per segment A threshold for this counter can be set in Expert Alarms for total router broadcasts If total router broadcasts go above a certain threshold this may indicate that a router in the network is generating excessive broadcast messages ...

Page 304: ...nning Tree MST is unstable Expert Symptom Unstable MST events are automatically logged as expert symptoms The Symptom Summary field provides information about the rate of change for the MST topology For example Rate of change of Topology 10 Diagnostic Details __________________________________________________________________ Problem Description The threshold for the number of IEEE 802 1D packets w...

Page 305: ... Summary field provides an indication that a zero network address has been discovered For example Addr 0 0 0 0 Diagnostic Details __________________________________________________________________ Problem Description A packet with a zero network address in its destination has been received __________________________________________________________________ Probable Cause s 1 A protocol analyzer has...

Page 306: ...es counter is a total count of several MAC layer symptoms The bad frames counter includes the following MAC layer events CRC Frames Frames from 64 to 1518 bytes with a CRC error Fragment Frames Frames less than 64 bytes with a CRC error Jabber Frames Frames greater than 1518 bytes with a CRC error Oversize Frames Frames greater than 1518 bytes without a CRC error Runt Frames Frames less than 64 by...

Page 307: ...ample Rate of change of Bcast Mcast Packets 500 The threshold value for this symptom can be changed The default threshold is a delta of 400 broadcast multicast events per second Diagnostic Details __________________________________________________________________ Problem Description The broadcast storm expert threshold has been exceeded for this segment resulting in a MAC Broadcast Storm symptom _...

Page 308: ...han 63 bytes Diagnostic Details __________________________________________________________________ Problem Description A packet with more than 63 bytes of data and a CRC error has been received __________________________________________________________________ Probable Cause s 1 The network is overloaded resulting in too many collisions 2 A faulty hub switch router device 3 An end station may have...

Page 309: ...P requests per second Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for ARP Broadcasts has been exceeded for this segment resulting in an Excessive ARP symptom __________________________________________________________________ Probable Cause s 1 The network is overloaded 2 Variations in application traffic patterns 3 ...

Page 310: ...ests 25 The threshold value for this symptom can be changed The default threshold is a delta of 10 BOOTP DHCP requests per second Diagnostic Details __________________________________________________________________ Problem Description The expert threshold for the number of BOOTP DHCP requests has been exceeded for this segment __________________________________________________________________ Pro...

Page 311: ...in the number of broadcast messages over a period of time per segment A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive broadcasts An alarm event can also be generated based on an absolute number of broadcasts over time The default is 400 broadcast packets per second on a 100MB network ...

Page 312: ...riod of time per segment A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive collisions An alarm event can also be generated based on an absolute number of collisions over time The Excessive Collision counter is incremented by counting runt packets and by counting packets with CRC errors The Excessive Collisions counter only applies to Ethernet ...

Page 313: ...in the number of multicast messages over a period of time per segment A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive multicasts An alarm event can also be generated based on an absolute number of multicasts over time The default is 400 multicast packets per second on a 100MB network ...

Page 314: ... information CRC error with less than 64 bytes Diagnostic Details __________________________________________________________________ Problem Description A packet with less than 64 bytes of data and a CRC error has been received __________________________________________________________________ Probable Cause s 1 The network is overloaded resulting in too many collisions 2 A faulty hub switch route...

Page 315: ...ch malfunctioning NICs or bad addresses generated due to collisions Illegal MAC source addresses may be discovered on Ethernet or Token Ring networks Diagnostic Details __________________________________________________________________ Problem Description A broadcast Ethernet or Token Ring address has appeared as a source address This is a problem associated with a bad adapter card _______________...

Page 316: ...ation CRC error with more than 1518 bytes Diagnostic Details __________________________________________________________________ Problem Description A packet with more than 1518 bytes of data and a CRC error has been received __________________________________________________________________ Probable Cause s 1 The network is overloaded resulting in too many collisions 2 A faulty hub switch router d...

Page 317: ...field provides information about the change in utilization For example Utilization 42 Diagnostic Details __________________________________________________________________ Problem Description The expert utilization threshold has been exceeded for this segment resulting in a LAN Overload symptom __________________________________________________________________ Probable Cause s 1 The network is ove...

Page 318: ...r segment A threshold for this counter can be set in Expert Alarms The threshold for new MAC stations is typically set to 1 as an absolute value The new MAC station counter detects new MAC stations nodes on a LAN segment After a segment is stabilized with a specific number of stations this counter can indicate possible intruder stations ...

Page 319: ...ptom Summary field contains the following information Oversized frame has more than 1518 bytes Diagnostic Details __________________________________________________________________ Problem Description A packet with more than 1518 bytes of data has been received __________________________________________________________________ Probable Cause s 1 A faulty hub switch router device 2 An end station m...

Page 320: ... frames over a one second time period A threshold for the number of frames per second can be set in Expert Alarms Overload Frame Rate can help catch network overloads Values for the threshold can range from 1 to 148 800 frames sec for a 100 MB network The default is 37 200 frames sec ...

Page 321: ...n Percentage counts bits over time and compares this value to the maximum utilization possible bandwidth A threshold for this percentage value can be set in Expert Alarms Overload utilization percentage can help catch network overloads The default for a 100MB network is 25 of maximum utilization ...

Page 322: ...lue for this symptom can be changed The default threshold is a delta of 400 physical error packets per second Diagnostic Details __________________________________________________________________ Problem Description The error threshold has been exceeded for this segment resulting in a MAC Physical Errors symptom __________________________________________________________________ Probable Cause s 1 ...

Page 323: ...contains the following information Runt frame has less than 64 bytes Diagnostic Details __________________________________________________________________ Problem Description A packet with less than 64 bytes of data has been received __________________________________________________________________ Probable Cause s 1 A faulty hub switch router device 2 An end station may have a faulty network int...

Page 324: ... symptoms The Symptom Summary field provides the MAC address For example Addr 00800F 13A65B Diagnostic Details __________________________________________________________________ Problem Description A packet with the source and destination MAC addresses has been received __________________________________________________________________ Probable Cause s 1 A protocol analyzer has been transmitting e...

Page 325: ...ount of all MAC stations displays in the Overview counters of Expert View A threshold for this counter can be set in Expert Alarms The MAC station counter helps detect excessive MAC stations nodes on a LAN segment This helps indicate possible intruder stations as well as help the network manager limit and control the number of stations allowed on a segment ...

Page 326: ...m Click hold and drag a column border to remove columns in any Expert View Table Double click on the same column border to bring back the display of a column Duplicate addresses appear both in the Duplicate Network Address Table and as a symptom in Expert View Thresholds can be set for Expert Symptoms Select Expert Settings from the Configuration menu and find the symptom you want to change Some t...

Page 327: ...t tables Expert Analysis Logged as an Expert Event and appears in the expert tables Counter in Expert View Has an associated counter that displays in the Overview page of Expert View The counter will display in the Symptoms tab if it is a symptom and in the Analyses tab if it is an analysis Expert Alarm Has an alarm you can set in the Expert Alarm editor Application Response Time Alarm Has an alar...

Page 328: ...t Storm X X X CRC Frames X z X DNS Response Time X Duplicate Network Address also displays as a sepa rate view X X X Excessive ARP X X X X Excessive BOOTP X X X X Excessive Broad casts X Excessive Collisions X Excessive Multicasts X Excessive Mailslot Broadcasts X X X Fragment Frames X z X FTP Login Attempts X X X FTP Response Time X Gopher Response Time X HSRP Coup X z z HSRP Errors X X HSRP Resi...

Page 329: ...P Destination Host Unknown X z z ICMP Destination Network Access Denied X z z ICMP Destination Network Unknown X z z ICMP Destination Unreachable X X X ICMP Fragment Reassembly Time Exceeded X z z ICMP Fragmenta tion Needed D F set X z z ICMP Host Redirect X z z ICMP Host Redirect for TOS X z z ICMP Host Unreachable X z z ICMP Host Unreachable for TOS X z z ICMP Inconsistent Subnet Mask X z z X pr...

Page 330: ...X z z ICMP Port Unreach able X z z ICMP Protocol Unreachable X z z ICMP Redirect X X X ICMP Required IP Option Missing X z z ICMP Source Quench X z z ICMP Source Route Failed X z z ICMP Time Exceeded X z z ICMP Time to Live Exceeded X z z Idle Too Long X X X Illegal MAC Source Address Ethernet or Token Ring X X X Illegal Network Source Address X X X IP Checksum Errors X X X present z does not exis...

Page 331: ...mes X z X Missed Browser Announcement X X X NCP File Retransmission X X NCP Read Write Overlap X X NCP Request Denied X X X NCP Request Loop X X X NCP Server Busy X X X NCP Too Many File Retransmissions X X X NCP Too Many Requests Denied X X X NCP Too Many Request Loops X X X New MAC Stations X Network Overload X X X NFS Response Time X NFS Retransmis sions X X X NNTP Response Time X X present z d...

Page 332: ...OSPF Broadcasts X X Overload Frame Rate X Overload Utilization Percentage X Oversize Frames X z X Physical Errors X X X POP Response Time X RIP Broadcasts X X Router Storm X X X Runt Frames X z X Same MAC Addresses X X Same Network Addresses X X SAP Broadcasts X X Slow HTTP GET Response X X X Slow HTTP POST Response X X X Slow Server Connect X X X X present z does not exist as a unique counter but...

Page 333: ...valid Password X X SMTP Response Time X TCP Checksum Errors X X TCP Fast Retrans missions X X X TCP Long Ack X X X TCP Repeat Ack X X TCP Retransmissions X X X TCP RST Packets X X TCP SYN Attack X X X X TCP Frozen Window X X X TCP Window Exceeded X X TCP Window Probe X X TCP Zero Window X X X TELNET Response Time X TNS Slow Server Connect X X X X present z does not exist as a unique counter but is...

Page 334: ...ication Response Time Alarm Expert Threshold TNS Slow Server Response X X X Too Many Retransmissions X X X Total MAC Stations X X Total Router Broadcasts X Unstable MST X X X X Zero Broadcast Address X X X present z does not exist as a unique counter but is counted in other categories Table 10 2 Summary of Expert Features continued ...

Page 335: ... between LANs and other networks Given the rapid acceptance of IP as the de facto protocol QoS has become one of the biggest challenges for network administrators especially for voice and video applications that require real time performance Policy based systems gateways switches and routers are often configured with a myriad of vendor and protocol combinations to work in unison to provide priorit...

Page 336: ...d T 120 SIP IETF The suite of protocols created by IETF including SIP SDP and others SCCP Cisco Skinny Client Control Protocol SCCP SCCP is the proprietary signalling and communications protocol in Cisco s AVVID Architecture for Voice Video and Integrated Data Multi QoS also recognizes and decodes all major Codec protocols used for VoIP Refer to Table 1 5 for a list of all protocols supported Chec...

Page 337: ...isplays the Jitter tab showing a percentage breakdown of calls based on Call Jitter values that are greater than a threshold value Using the mouse you can find more detailed information about VoIP calls and VoIP call data The figure on the next page shows the flow of the interface from the highest level view to the most detailed view The Multi QoS views can also be accessed by pressing the Multi Q...

Page 338: ... Call View All Calls RTCP Jitter Dropped Packets RTCP Dropped Buttons to Filter All Calls by Protocol or Call Status Select Range in Graph to View Associated Calls Select Tab to View a Range Breakdown Graph Select Multi QoS from Capture or Monitor View Select Single Call to See Call Details Jitter Set Alarms Monitor Set Refresh Options Set Max Calls Alarm Log Monitor Utilization Configuration Util...

Page 339: ...l The Channel Table provides detailed chan nel information in tabular format Surveyor and RTCP Jitter Values Multi QoS provides two different measurements views of call jitter and dropped packets one calculated by Surveyor and one extracted from RTCP packets RTCP Real Time Control Protocol is a control protocol for the RTP Real Time Transport Protocol RTP supports the transport of real time data s...

Page 340: ...mes and organizes call information into easy to read graphs and tables Configuration is not required to use the Multi QoS logic however the displays can be customized to view exactly the call information you want to see Multi QoS is primarily configured from the Configuration tab However there is some configuration for Multi QoS that is done on a per module basis Module configuration sets up the m...

Page 341: ... Setting this value low reduces the system memory used for call analysis A higher setting allows you to keep more call detail records The minimum number of calls is 2 000 The default value is 2 000 calls Multi QoS Alarms Monitor Only The Multi QoS Alarms alarm button on the Configuration tab applies to real time functions and can only be set in monitor mode The button brings up the Current Module ...

Page 342: ... specific module Select Configuration Settings and select the Modes tab Call Filtering with Multi QoS Multi QoS has a feature for quickly creating a filter from tables Click the right mouse button on any call in the table to see the filter options supported for this type of call This feature only works in capture mode after the analyzer is stopped For calls in Range Summary tables and the All Call...

Page 343: ...3 Multi QoS All Calls Table Buttons in the All Calls Table are described below Deselecting any button filters out that type from the table Leave all buttons selected to view all calls H323 Display H 323 calls If this button is selected H 323 calls will display SCCP Display SCCP calls If this button is selected SCCP calls will display SIP Display SIP calls If this button is selected SIP calls will ...

Page 344: ... expressed as a numeric value between 0 and 94 The value is calculated by Surveyor Surveyor uses a formula that includes packet loss jitter and transmission delay to determine the Network R factor Jitter Maximum jitter measured in milliseconds for all channels within a call The value is calculated by Surveyor Surveyor uses the formula described in RFC 1889 to calculate jitter Dropped Packets Maxim...

Page 345: ...nges for jitter in the graph A Range Editor dialog box appears which allows you to modify ranges for this chart type Call RTCP Jitter and Call Setup Time displays and configuration are identical to Call Jitter Figure 11 4 Multi QoS Jitter Graph Example The title of the graph indicates the minimum value for the selected metric All calls that meet this minimum value are included in the graphic break...

Page 346: ...Call Jitter Ranges The default ranges for Call Jitter Call RTCP Jitter and Call Setup Time are shown in the table below Table 11 2 Defaults for Call Jitter and Call Setup Time Ranges in milliseconds Range Call Jitter Call RTCP Jitter Call Setup Time Range 1 500 and up 500 and up 1000 and up Range 2 100 500 100 500 500 1000 Range 3 50 100 50 100 300 500 Range 4 30 50 30 50 200 300 Range 5 10 30 10 ...

Page 347: ...Dropped Packets displays and configuration are identical to those for Dropped Packets Figure 11 6 Multi QoS Packets Dropped Graph Example The title of the graph indicates the minimum value for the selected metric All calls that meet this minimum value are included in the graphic breakdown Calls that do not meet this minimum are not included In the example on the next page all calls that have one o...

Page 348: ...ti QoS Configuration Packets Dropped The default ranges for Packets Dropped and RTCP Packets Dropped are shown in the table below Table 11 3 Defaults for Packets Dropped Ranges Range Dropped Packets RTCP Dropped Packets Range 1 500 and up 500 and up Range 2 100 499 100 499 Range 3 10 99 10 99 Range 4 5 9 5 9 Range 5 1 4 1 4 ...

Page 349: ...ncy to determine the User R factor Network R Factor Voice quality measure expressed as a numeric value between 0 and 94 The value is calculated by Surveyor Surveyor uses a formula that includes packet loss jitter and transmission delay to determine the Network R factor Jitter Maximum jitter measured in milliseconds for all channels within a call The value is calculated by Surveyor Surveyor uses th...

Page 350: ... found to match well with users purely subjective ratings of voice quality These metrics are calculated by a formula that balances all equipment impairments and perception factors Each metric is reported as a single number on a per call basis typically in the range of 15 to 94 Lower numbers indicate greater equipment impairment or perceived poor voice quality In Multi QoS calls are broken down int...

Page 351: ...ted metric All calls that meet this minimum value are included in the graphic breakdown Calls that do not meet this minimum are not included In the example on the next page all calls that have an R factor of less than 80 are included Note that this means the total number of calls in a capture will not necessarily match the total number of calls in the graphic breakdown Ranges for the graph can be ...

Page 352: ...R factor Ranges The default ranges for Network R factor and User R factor are shown in the table below Table 11 6 Ranges for R factors Range Network R factor User R factor Range 5 25 25 Range 4 50 25 50 25 Range 3 70 50 70 50 Range 2 80 70 80 70 Range 1 94 80 94 80 ...

Page 353: ...raphs provides a view of total bandwidth utilization and Multi QoS bandwidth utilization over time The utilization for VoIP services is compared to total utilization and total bandwidth An example utilization graph is shown below Figure 11 10 Multi QoS Utilization Graph Example The utilization is calculated after Surveyor has decoded packets ...

Page 354: ...ry table The Call Detail window appears showing all call fields for the selected call An example Call Detail window for an H 323 call is shown below Figure 11 11 Example Call Details Window H 323 Click on View Channel Details to view channels for this call Click on Single Call Display Filter to filter out all packets except the packets of this call ...

Page 355: ...ng the call Caller Address IP Address of the end point initiating the call Caller Number Phone number of the calling party Start Time Time at which the call was started Stop Time Time at which the call was completed Setup Time ms Time that was taken for the call to be setup the time taken from the start of the call until the phone rings Callee Name Name of the receiver of the call Callee Port TCP ...

Page 356: ...roduct version being used by the initiator of the call Start Time Time at which the call was started Stop Time Time at which the call was completed Setup Time ms Time that was taken for the call to be setup the time taken from the start of the call until the phone rings Destination Reference Value The Call Reference Value for the conversation used by H 225 0 on the destination side Destination Add...

Page 357: ...ll was complete Setup Time ms Time that was taken for the call to be setup This is the duration from INVITE to the 180 or 183 ringing response if available or to the 200 response otherwise If none of these responses are received the field value is set to Unknown Call ID Globally unique ID to identify a SIP call Callee SIP URL or other URI of the callee The addr spec in the To parameter Callee Name...

Page 358: ...ication For example if you select a jitter range and select a call within that range the channel that has the highest jitter value for that call will be highlighted R factors are included for the audio channels of the call Figure 11 12 shows an example channel table for a call Field Name Description FID Frame ID of the first frame from which the conversation was detected The the frame ID of the fi...

Page 359: ... 25 Multi QoS Channel Table Details 11 Figure 11 12 Channel Table Example Table 11 11 and Table 11 12 describe the columns in the table for each protocol H 323 SIP and UNKNOWN channel tables are the same ...

Page 360: ...transmission delay to determine the Network R factor Max Network R Factor The highest Network R factor calculated during a sampling interval for a call Estimated MOS A conversion of the combined R factors to a Mean Opinion Score The MOS maps to a purely subjective evaluation of call quality where users rate speech samples on a scale of 1 to 5 Dst Addr The destination IP address Dst Port The destin...

Page 361: ...h Seq Num High Sequence Number reported by RTCP RTCP Sender Report Count Number of RTCP Sender Reports seen RTCP Receiver Report Count Number of RTCP Receiver Reports seen RTCP Source Descrip tion Count Number of RTCP Source Descriptions seen RTCP Goodbye Count Number of RTCP Goodbyes seen RTCP Application Defined Count Number of RTCP Application Definitions seen RTCP Unknown Report Count Count of...

Page 362: ...st Network R factor calculated during a sampling interval for a call Estimated MOS A conversion of the combined R factors to a Mean Opinion Score The MOS maps to a purely subjective evaluation of call quality where users rate speech samples on a scale of 1 to 5 Src Addr IP address of the caller Src Port UDP port of the caller Dst Addr IP address of the callee Dst Port UDP port of the callee Sync S...

Page 363: ...cally played To playback a call from Multi QoS perform these steps 1 Double click on a completed or active phone call which has RTP packets containing PCMU or PCMA data 2 Select View Channel Details from the Call Detail View window 3 The Channel Table appears Right click on an audio channel and select Playback PCMU PCMA Data 4 The Save As window prompts for the name of the file The audio data is s...

Page 364: ...contains all possible display fields with a check box Exclude fields from the table display by removing the check from the check box next to the field The default is to display all fields Customizing All Calls or Range Summary Tables Select Multi QoS Views for the Monitor Views or Capture Views menu With either the All Calls table or one of the Range Summary Tables displayed select View Options fr...

Page 365: ...gle call and from the Call Detail window select View Channel Details to bring up the Channel table Select View Options from the View menu Check the boxes for all fields you want to include in the table display The table modifications remain until the window is closed When the window is closed and reopened the default fields in the table are restored An example dialog box for configuring SCCP chann...

Page 366: ...e steps to export all Multi QoS table data 1 Make sure that one of the Multi QoS views is open and is the currently selected view 2 Choose Export Multi QoS Data from the File menu 3 Enter the file name in the Save As dialog box All call data will automatically be saved in CSV format and the file is given an extension of csv 4 Click the Save button The Multi QoS export information is arranged by pr...

Page 367: ...ew fields for a single call the channel table for a selected call or the all calls table 2 Choose Export from the File menu 3 Enter the file name in the Save As dialog box The data will automatically be saved in CSV format The file is given an extension of csv 4 Click the Save button Only the Multi QoS information displayed in the current table is exported For example when exporting the All Calls ...

Page 368: ...11 34 Surveyor User s Guide ...

Page 369: ...so provides counters of H 323 with the Multi QoS plug in Log files contain snapshots of Surveyor counter information All byte frame and error counter values are recorded in the log file Refer to the section on Logging for more information Packet Counters Packet counters count the number of packets bytes received or transmitted Packet counters are viewed from the MAC Statistics window Table 12 1 MA...

Page 370: ...Statistics view how many frames of a certain type have been captured Error Counters During receive error events are counted as they occur The MAC statistics view and the table associated with the Utilization Errors chart displays the receive error counters Table 12 2 contains an alphabetical list with descriptions of Surveyor s Ethernet error counters Table 12 2 Alphabetical List and Descriptions ...

Page 371: ...mpt The number of transmission attempts that have failed Tx Defer The number of times the transmitter had transmit data available and was ready to transmit but had to defer transmission due to sensing other traffic Tx Excessive Collision The number of times packets collided 16 times without successful transmission Tx Excessive Defer The number of times the transmitter had to defer for greater than...

Page 372: ...re the reporting Ring Station encounters signal transition or signal error on the Token Ring physical medium Frame Copy Records when a reporting Ring Station copies a frame containing the Ring Station s own duplicate address Frequency Records events where the reporting Ring Station attempts to receive a frame containing an improper ring clock frequency Internal Error Records events where the repor...

Page 373: ...ss The number of duplicate network addresses over a period of time per segment Excessive ARP The number of Excessive ARP events The event occurs when a change in the number of ARP requests per second exceeds a threshold Excessive BOOTP The number of Excessive BOOTP events The event occurs when a change in the number of BOOTP DHCP requests per second exceeds a threshold over a period of time per se...

Page 374: ...r a period of time per segment IP Time to Live Expiring The number of expiring connections over a period of time per seg ment ISL BPDU CDP Packets The number of Bridge Protocol Data Unit BPDU or Cisco Discov ery Protocol CDP packets over a period of time per segment ISL Illegal VLAN ID The number of ISL illegal VLAN IDs over a period of time per seg ment NCP Server Busy The number of NCP Server Bu...

Page 375: ... addresses over a period of time per segment SAP Broadcasts The number of SAP broadcasts over a period of time per segment Slow HTTP GET Response The number of slow HTTP GET responses over a period of time per segment Slow HTTP POST Response The number of slow HTTP POST responses over a period of time per segment Slow Server Connect The number of slow server responses over a period of time per seg...

Page 376: ...sts per second exceeds a threshold TCP IP Window Probe The number of TCP IP Window Probe events over a period of time per segment TCP IP Zero Window The number of TCP IP Zero Window events over a period of time per segment Total MAC Stations The number of the new MAC stations over a period of time per seg ment Total Router Broadcasts The number of total router broadcasts over a period of time per ...

Page 377: ...rectory structure starts from the installation directory for Surveyor For Surveyor in NDIS mode log files are maintained by the Ethernet adapter NDIS running the Surveyor software The directory for the NDIS log is named log local NDIS_n and the NDIS log file is named NDIS_n csv where n is the number of the adapter the NDIS driver detected The log files are text files in CSV format a format easily ...

Page 378: ...hmm ss second history file for module 2 mmddhhmm ss third history file for module 2 root log local module_n directory for module n module_n csv log file for module n history history directory for module n mmddhhmm ss first history file for module n mmddhhmm ss second history file for module n mmddhhmm ss third history file for module n root log local NDIS_1 directory for Ethernet Adaptor 1 NDIS_1 ...

Page 379: ...anslator Enables Surveyor and Internet Advisor systems to exchange captured data Get Version Information Provides information about analyzer devices or adapters installed in your PC Identify a Module Verifies that the correct module is connected to the correct network or network segment Merge Histogram Files Merge two historgram files into one file Convert Capture Files to Histogram Files Converts...

Page 380: ...ins the numeric address Names can be associated with MAC IP IPX or SNA addresses in a name table Name table data is presented as a table which can be sorted by clicking the column headers Click and drag on column dividers to size columns The Name Table dialog box initially displays the default name table You can manually add modify or delete name table entries You can also change the active name t...

Page 381: ...eated in the name column for that entry in the name table To learn only addresses that have corresponding symbolic names make sure the Learn Names check box is selected and the Learn Address check box is NOT selected in the Name Table Settings dialog box Surveyor will only add an item to the name table when it discovers a character string associated with an address from a DNS SAP or NetBIOS packet...

Page 382: ...the name table you want is the currently active name table loaded into memory This ensures that the proper symbolic names are available To use the same name table information for all systems running Surveyor you can set up a common default name table All Surveyor users can configure the path and name of the default name table which can be the same file stored on a server See Providing a Name Table...

Page 383: ...y to produce the new name table for use with Surveyor To execute the command on the UNIX system type NIS2NAM output name table output name table is the name you select for the new Surveyor name table The UNIX system is searched for the NIS name table If no NIS name table exists the utility returns an error message Once the new name table is created copy it as a text file to the directory where Sur...

Page 384: ...itional information fields not found in RFC 1761 Start a translator by selecting one of the following from the Tools menu Get Version Information Utility From Summary View click on the Description tab for a resource The following information displays Base address for the module Revision level Module type Serial number for the module board Table 13 2 Sniffer Translator Utility Tool Menu Options Too...

Page 385: ...ew histogram file Note that the hst file does not contain the actual data of the capture The capture data is within the cap files that reside in the new subdirectory created for the histo gram file The hst file is a list of all the cap files for this histogram file Removing renaming or deleting the subdirectory its contents or the hst file using the Win dows interface may make the histogram inacce...

Page 386: ...rveyor creates log files of counter expert and alarm information Log file size log file name and disabling or enabling log files can be configured in Surveyor To configure log files see the Configuring Surveyor chapter To access counter log files see the section called Counter Log File Overview in the Counters chapter For information on exporting counter log file information to an Excel spreadshee...

Page 387: ... Bitmap You can export tables to CSV format Excel or charts to BMP format bit mapped graphic When saving a chart to a bitmap it is recommended that the display settings for your monitor be greater than 256 colors to create an image with accurate colors 1 Select the view you want to export Press one of view buttons on the Data Views or the Capture View toolbar If you already have the desired view w...

Page 388: ...e Save button Surveyor logs both a start and stop time to the csv file The start time is the time the table chart window is first opened and the stop time is the last time the file is exported or saved to disk Exporting Counter Log Files to Excel Use these steps to view the counter data in the log files as Excel 5 0 graphics The Excel template charts xlt is located in the examples directory 1 Star...

Page 389: ...spreadsheet showing computed data are available Select a graph by clicking on one of the tabs at the bottom of the spreadsheet The rows of counter data displayed in a graph are the most current rows For example when displaying 500 rows of counter information only the 500 most recently captured sets of counter information are used in the graph Three types of graphs are available each with four diff...

Page 390: ...13 12 Surveyor User s Guide ...

Page 391: ...ters produces real time LAN analysis and monitoring informa tion Data captured from the network is copied to this area after filter ing The data is immediately available for evaluation and for streaming copy to disk after which it is discarded from the buffer Capture Buffer A capture buffer provides a durable data store of LAN traffic filtered and captured in real time which is kept for later anal...

Page 392: ...es To the extent that a system can keep up with traffic captured by an NDIS card all LAN traffic will be copied to Surveyor and filtered sliced if necessary then routed to the capture buffer real time buffer or both if desired System resource demands increase with the complexity of analysis and monitoring tasks and very much with the number of interfaces Surveyor is controlling All Surveyor real t...

Page 393: ...rate Packet Decode Summary Yes Yes Yes Alarm Thresholds All except errors not passed by NDIS All All Sync View Full Duplex No Yes No Packet Slicing Yes Yes Yes Monitor Filter Yes Yes Yes Table A 4 Hardware Transmit Functions Transmit Functions NDIS THGm Portable Surveyor 10 100 Ethernet Analyzer Card Transmit Buffer 64K 16M 128MB 64K 16M Intelligent Frame Edit Yes Yes Yes Transmit Frame Size 64 15...

Page 394: ...Capture No Yes Yes Post Capture Views Yes Yes Yes Frame Error Counter depends on adapter Yes Yes Packet Slicing Yes Yes Yes Limited by available PC system memory Smaller when running Windows NT Table A 6 Hardware Connectivity Connectivity NDIS Card THGm Portable Surveyor 10 100 Ethernet Analyzer Card Media 10 100 Ethernet 4 16 TR 10 100 Ethernet RJ45 for Copper or Gigabit Ethernet for Fiber Swappa...

Page 395: ...hernet adapter as well as frames transmitted by the Ethernet adapter Capture Rate Transmit Speed Capture transmit rates depend on the network adapter and the CPU Typically the rate will fall below the full line rate of the network Counters The error counters supported through the NDIS interface are those counters sup ported by the network adapter Some vendors do not support any error counters Only...

Page 396: ...dule is an NDIS module Set Capture Buffer and Packet Slicing Size The capture buffer memory size can be set in increments that double from 64K to 16MB To set the buffer size select the Buffer Size tab from the Configuration Module Settings menu and click the radio button corresponding to the buffer size Since the buffer uses virtual memory the system is not required to have more physical memory th...

Page 397: ...e frame to be captured displayed HEX indicates hexadecimal format and DEC indicates decimal format in the Value column Filter values are interpreted on byte boundaries Therefore port numbers expressed in decimal are shown in the table in dot notation For example port 1719 H 323_GD is shown as 6 183 in decimal the 6 displays in offset 34 and 183 displays in offset 35 For more information on convert...

Page 398: ...dress Fil ters for addresses at the MAC level 0 Brings up a dialog box for entering the 12 char acter address 1 MAC_DA_BROADCAST Collect all broadcast frames 0 HEX FFFFFFFFFFF 1 MAC_DA_MULTICAST Collect all multicast frames 0 HEX 01005E 1 MAC_Source_Address Template for setting a source address 6 Brings up a dialog box for entering the 12 char acter address 1 Packet_Type Template for setting the p...

Page 399: ... Version II frames 12 HEX 0800 1 IP_Destination_Address Template for setting the IP destination address when IP is embedded in Ethernet Version II frames 12 30 Brings up a dialog box for entering the IP address 1 IP_Source_Address Template for setting the IP source address when IP is embedded in Ethernet Version II frames 12 26 Brings up a dialog box for entering the IP address 1 IPX Collect all I...

Page 400: ...Ethernet II frames 12 30 OR 42 HEX 8137 HEX 0453 HEX 0453 2 RSVP Collect all frames where RSVP is embedded in Ethernet II frames 12 23 HEX 0800 DEC 46 1 SAP IPX Collect all frames with a SAP port in IPX packet types embedded in Ethernet II frames 12 30 OR 42 HEX 8137 HEX 0452 HEX 0452 2 Table B 2 Surveyor Filter Templates IP and IPX over Ethernet EV2 continued ...

Page 401: ...when TCP is embedded in an Ethernet II frame 12 23 34 OR 36 HEX 0800 HEX 06 DEC 0 143 DEC 0 143 2 LDAP Collect all frames with an LDAP port when TCP is embedded in Ethernet II frames 12 23 34 OR 36 HEX 0800 HEX 06 DEC 1 133 389 DEC 1 133 389 2 MGCP TCP Collect all frames with a MGCP port when TCP is embedded in Ethernet II frames 12 23 34 OR 36 HEX 0800 HEX 06 DEC 9 123 2427 DEC 9 123 2427 2 NB SE...

Page 402: ...frame 12 23 34 OR 36 HEX 0800 HEX 06 DEC 0 25 DEC 0 25 2 T 120 Collect all frames with a T 120 port when TCP is embedded in Ethernet II frames 12 23 34 OR 36 HEX 0800 HEX 06 DEC 5 223 1503 DEC 5 223 1503 2 TCP Collect all frames where TCP is embedded in Ethernet II frames 12 23 HEX 0800 HEX 06 1 TELNET Collect all frames with a TELNET port when TCP is embedded in Ethernet II frames 12 23 34 OR 36 ...

Page 403: ...es with an H 323_RAS port when UDP is embedded in Ethernet II frames 12 23 34 OR 36 HEX 0800 HEX 11 DEC 6 183 1719 DEC 6 183 1719 2 HSRP Collect all frames with an HSRP port when UDP is embedded in Ethernet II frames 12 23 34 HEX 0800 HEX 11 HEX 07C107C1 2 MGCP UDP Collect all frames with a MGCP port when UDP is embedded in Ethernet II frames 12 23 34 OR 36 HEX 0800 HEX 11 DEC 9 123 2427 DEC 9 123...

Page 404: ...n RTCP port when UDP is embedded in Ethernet II frames 12 23 43 HEX 0800 HEX 11 DEC 200 OR DEC 201 OR DEC 202 OR DEC 203 OR DEC 204 OR DEC 205 2 SIP Collect all frames with an SNMP port when UDP is embedded in an Ethernet II frame 12 23 34 OR 36 HEX 0800 HEX 11 HEX 13C4 HEX 13C4 2 SNMP Collect all frames with an SNMP port when UDP is embedded in an Ethernet II frame 12 23 34 OR 36 HEX 0800 HEX 11 ...

Page 405: ... 14 HEX 4242 2 NetBEUI Template for collect ing NetBEUI packets 14 HEX F0F0 2 Novell Collect Novell frames 14 HEX E0E0 1 NMPI Collect packets with NMPI ports embed ded in Novell frames 14 33 OR 45 HEX E0E0 HEX 0553 HEX 0553 2 RIP LLC Collect packets with RIP ports embedded in Novell frames 14 33 OR 45 HEX E0E0 HEX 0453 HEX 0453 2 SAP LLC Collect packets with SAP ports embedded in Novell frames 14 ...

Page 406: ...g CDP packet types embedded in Ethernet SNAP frames 14 20 HEX AAAA03 HEX 2000 1 SNAP_IP Filter template for col lecting IP packet types embedded in Ethernet SNAP frames 14 20 HEX AAAA03 HEX 0800 1 SNAP_IP_Destination _Address Template for setting the IP destination address when IP is embedded in an Ethernet SNAP frame 14 38 Brings up a dialog box for entering the IP address 1 SNAP_IP_Source _Addre...

Page 407: ...8 49 HEX 0800 DEC 88 1 ISL_FTP Collect all frames with FTP ports when TCP is embedded in ISL frames 38 49 60 OR 62 HEX 0800 DEC 06 DEC 0 21 DEC 0 21 2 ISL_HTTP Collect all frames with HTTP ports when TCP is embedded in ISL frames 38 49 60 OR 62 HEX 0800 DEC 06 DEC 0 80 DEC 0 80 2 ISL_ICMP Collect all frames where ICMP is embedded in ISL frames 38 49 HEX 0800 DEC 01 1 ISL_IGMP Collect all frames wh...

Page 408: ...ect all frames with NB SESSION ports when TCP is embed ded in ISL frames 38 49 60 OR 62 HEX 0800 DEC 06 DEC 0 139 DEC 0 139 2 ISL_NNTP Collect all frames with NNTP ports when TCP is embedded in ISL frames 38 49 60 OR 62 HEX 0800 DEC 06 DEC 0 119 DEC 0 119 2 ISL_OSPF Collect all frames where OSPF is embedded in ISL frames 38 49 HEX 0800 DEC 89 1 ISL_POP Collect all frames with POP ports when TCP is...

Page 409: ...7 208 2000 2 ISL_T 120 Collect all frames with DNS ports when TCP is embedded in ISL frames 38 49 60 OR 62 HEX 0800 DEC 06 DEC 5 223 1503 DEC 5 223 1503 2 ISL_TCP Collect all where TCP is embedded in ISL frames 38 49 HEX 0800 DEC 06 1 ISL_TELNET Collect all frames with TELNET ports when TCP is embedded in ISL frames 38 49 60 OR 62 HEX 0800 DEC 06 DEC 0 23 DEC 0 23 2 ISL_XWIN Collect all frames wit...

Page 410: ...en Token Ring MAC frames 1 17 HEX 03 HEX 03 1 MAC_Duplicate_Address Collect all Duplicate Address Token Ring MAC frames 17 HEX 07 1 MAC_Initialize_Ring_Station Collect all Initialize Ring Station Token Ring MAC frames 17 HEX 0D 1 MAC_Lobe_Test Collect all Lobe Test Token Ring MAC frames 17 HEX 08 1 MAC_Poll_Error Collect all Poll Error Token Ring MAC frames 17 HEX 27 1 MAC_Remove_Ring_Station Coll...

Page 411: ...ng_Station_State Collect all Report Ring Station State Token Ring MAC frames 17 HEX 23 1 MAC_Report_Transmit_Forward Collect all Report Trans mit Forward Token Ring MAC frames 17 HEX 2A 1 MAC_Request_Initialization Collect all Request Ini tialization Token Ring MAC frames 17 HEX 20 1 MAC_Request_Ring_Station_Addr ess Collect all Request Ring Station Address Token Ring MAC frames 17 HEX 0E 1 MAC_Re...

Page 412: ...MAC frames 1 17 HEX 04 HEX 04 1 MAC_Standby_Monitor_Present Collect all Standby Mon itor Present Token Ring MAC frames 1 17 HEX 06 HEX 06 1 MAC_Transmit_Forward Collect all Transmit For ward Token Ring MAC frames 17 HEX 09 1 NON_MAC Collect all non MAC Token Ring frames 1 HEX 40 1 Table B 8 Standard Filter Templates Token Ring continued ...

Page 413: ... from Summary and Detail View Key Summary View Detail View F1 Help Help F2 System Settings Capture View Display Options F3 Module Settings Module Settings F4 Module Monitor View Preferences Create Display Filter F5 Connect to Remote Create Capture Filter F6 Load Capture Filter Load Capture Filter F7 Open Capture File Expert Summary View F8 Save Capture Save Capture F9 Go to Detail View Capture Vie...

Page 414: ...trl T Start Module Ctrl P Stop Module Ctrl R Go to Detail View Table C 4 Shortcut Keys from Detail View Key s Action Ctrl T Start Module Ctrl P Stop Module Table C 5 Shortcut Keys from the Capture View Window Key s Action F11 Toggle display show hide current packet details Home Select the first line End Select the last line Page up Scroll up one page Page down Scroll down one page Up arrow Select ...

Page 415: ...c pad only Ctrl Asterisk Expand all branches Numeric pad only Space Bring up dialog box to edit statement Double click Bring up dialog box to edit statement Right mouse List possible actions Insert Add a statement or add a state If a ROOT or ELSE statement is selected add a state If an IF statement is selected add an ELSE IF statement before the ELSE statement If an ELSE IF selected add an ELSE IF...

Page 416: ...C 4 Surveyor User s Guide ...

Page 417: ...uite Parser Name Protocol ETHERNETV2 Ethernet Version 2 IEEE8023 IEEE 802 3 RAW IEEE8022 IEEE 802 2 LLC Logical Link Control IEEESNAP IEEE Sub Network Access Protocol IEEE8025 IEEE 802 5 Token Ring LOOPBACK IEEE 802 1d IEEE8021P IEEE 802 1p Generic Attribute Registration Protocol GARP IEEE8021Q IEEE 802 1q Virtual Bridged Local Area Networks Protocol Table D 2 Parser Names Applications and Others ...

Page 418: ...DDP Datagram Delivery Protocol LAP Link Access Protocol NBP Name Binding Protocol PAP Printer Access Protocol RTMP Routing Table Maintenance Protocol ZIP Zone Information Protocol Table D 4 Parser Names Banyan Suite Parser Name Protocol Name VARP Vines Address Resolution Protocol VFRP Vines Fragmentation Protocol VICP Vines Internet Control Protocol VIP Vines Internet Protocol VIPC Vines Interproc...

Page 419: ...uter System Interface ISL Inter Switch Link Protocol VTPADVT VLan Trunk Protocol Advertisement VTPSTAT VLan Trunk Protocol Status Table D 6 Parser Names DECnet Suite Parser Name Protocol Name CTERM Network Command Terminal DAP Data Access Protocol DRP DECnet Routing Protocol FOUND Foundation Services LAT Local Area Transport MOP Maintenance Operation Protocol NICE Network Information and Command E...

Page 420: ...y Routing Protocol GGP Gateway to Gateway Protocol ICMP Internet Control Message Protocol iFCP Internet Fibre Channel Storage Networking Protocol IGMP Internet Group Management Protocol IGRP Interior Gateway Routing Protocol IP Internet Protocol MOSPF Enhanced Interior Gateway Routing Protocol OSPF Open Shortest Path First PIM Protocol Independent Multicast RARP Reverse Address Resolution Protocol...

Page 421: ...IP Protocol MOUNT NFS Mount NBNAME NetBIOS Name Service over IP NBDATAGRAM NetBIOS Datagram Service over IP NBSESSION NetBIOS Session Service over IP NETCP NetScout Control Protocol NFS Network File Server NIS Network Information Services NNTP Network News Transfer Protocol NTP Network Time Protocol POP Post Office Protocol PORTMAP Port Mapper RADIUS Remote Authentication Dial In User Service REXE...

Page 422: ...Name DNCPNG Dynamic Host Configuration Protocol over IPng ICMPNG Internet Control Message Protocol over IPng IDRPNG Interdomain Routing Protocol over IPng IPNG Internet Protocol Version 6 Next Generation OSPFNG Open Shortest Path First over IPng RIPNG Routing Information Protocol over IPng RSVPNG Resource Reservation Protocol over IPng Table D 11 Parser Names Netware Suite Parser Name Protocol Nam...

Page 423: ...tocol Table D 12 Parser Names PPP Suite Parser Name Protocol Name PPPCHAP Challenge Handshake Authentication Protocol PPPIPCP IP Control Protocol PPPIPXCP IPX Control Protocol PPPLCP Link Control Protocol PPPNBFCP NetBIOS Control Protocol PPPoE PPP over Ethernet Table D 13 Parser Names XNS Suite Parser Name Protocol Name IDP Internetwork Datagram Protocol PEP Packet Exchange Protocol SSP Sequence ...

Page 424: ...s for Multimedia Conferencing T 38 T 120 Fax over IP Table D 15 Parser Names ITU Codecs Parser Name Protocol Name CELLB Sun s CellB video coding G711 G 711 Audio Codec G721 G 721 Audio Codec G722 G 722 Audio Codec G723 G 723 Speech Decoders 5 3 6 3 kbs G728 G 728 Coding for Speech at 16kbs using Low Delay Code Excited Linear Prediction G729 G 729 Coding of Speech at 8kbs using Conjugate Structure ...

Page 425: ...ion initiation Protocol Table D 18 Parser Names Intel Suite Parser Name Protocol Name H 248 Megaco H 248 Megaco Protocol MGCP Multimedia Gateway Control Protocol over TCP MTP2 Multicasting Transport Protocol 2 MTP3 Multicasting Transport Protocol 3 RTSP Real Time Stream Control Protocol SCCP Skinny Client Control Protocol SIP Session Initiation Protocol TCAP Transaction Capabilities Procedures Tab...

Page 426: ...D 10 Surveyor User s Guide ...

Page 427: ...ds events where the reporting Ring Station s nearest active upstream neighbor could not set the address recognized bits or frame copied bits in the newly transmitted frame after copying the bits on the last frame received Actions Events that occur as the result of testing conditions within statements in a filter Activated Stream A defined packet or set of packets that is included in a transmit spe...

Page 428: ...a to Surveyor Alarm Rising Threshold Rising threshold value to be compared to counter data If the counter value or its delta value over time raises above the threshold an alarm event is triggered Alarm Sample Type The type of the alarm Delta or Absolute Delta alarm types measure increases or decreases over time absolute alarm types measure only the absolute value of a counter Alarm Setting A set o...

Page 429: ... a set of packets sent at the maxi mum network speed and another set of packets sent at the maximum network speed Capture The processing of receiving frames from the network and storing them in the Sur veyor capture buffer Capture Buffer The DRAM memory in analyzer cards or system memory on an NDIS host that stores packets captured from the network Capture File File used to store frames captured f...

Page 430: ...packets arriving at exactly the same time on this Ethernet segment Transmit collisions are not counted CRC Align Error A counter that shows the total number of packets received that had a length between 64 and 1518 octets inclusive but had either a bad FCS with an integral number of octets FCS CRC Error or a bad FCS with a non integral number of octets Align ment Error CRC Errors Cyclical Redundan...

Page 431: ...tement The last statement for a level in a capture filter If no combination of conditions in other statements for this level are met the actions in the ELSE statement are taken ELSE IF statement Statement in a capture or display filter Always comes between an IF statement and an ELSE statement Provides for the specification of additional conditions and actions for a state Expert Alarms Messages po...

Page 432: ... own duplicate address Frame Rate The speed at which frames are received transmitted on the network Frequency A counter that records events where the reporting Ring Station attempts to receive a frame containing an improper ring clock frequency Frozen Window Condition where the TCP IP window size remains the same for all packets over a time period Good Frames Frames that pass all alignment and CRC...

Page 433: ... Line Error A counter that records events where the reporting Ring Station s checksum process detects an error in a received data frame or token that the Ring Station transmitted Link Speed The maximum rate at which a device can transmit receive data on the network typ ically described in bits second Local Host A networked computer that is running the program or resource being described In the con...

Page 434: ...odule Status Indicates whether or not the module is actively capturing transmitting frames Arm indicates that the module is capturing transmitting Monitor View activity on the network in real time Monitor and Capture Mode Allows Surveyor to view and receive data from a resource simultaneously Monitor Mode Allows Surveyor to view in real time the data coming to a resource Multi QoS Plug in module a...

Page 435: ...t displays the detailed breakdown of a packet that is stored in a capture file or capture buffer Packets are broken down by protocol and field value within the protocol Packet Drop A counter that shows the number of dropped packets when running in NDIS mode This counter is always zero when using a THGs and capturing packets at line rate Packet Editor A dialog box available from Capture View for ch...

Page 436: ...ed from the network This circular buffer is continuously updated and overwritten as information is received The Real Time buffer supports monitoring functions Remote Host A remote networked computer that is running the particular program or resource Surveyor can serve as a Remote Host but cannot access Remote Hosts unless you have the Remote plug in Remote Server Protocol RSP Remote Server Protoco...

Page 437: ...sequence starts The number can be used at the receiving end to note the start of a sequence State A symbolic label used as an address for a set of statements in a filter Stop Sequence Number A number assigned in the transmit specification that indicates where the transmis sion sequence stops The number can be used at the receiving end to note the end of a sequence Stream A continuous sequence of d...

Page 438: ...ber optic network THGp is often used in environments where a robust portable analyzer is needed THGp Ten Hundred Gigabit portable A Dolch PC based portable network analyzing troubleshooting and monitoring system available from Finisar THGm devices in a THGp can by accessed locally or remotely by Surveyor software which provides the tools to diagnose troubleshoot and monitor any full or half duplex...

Page 439: ...c Tx Excessive Collision Counter A counter that shows the number of times packets collided 16 times without suc cessful transmission Tx Excessive Defer Counter A counter that shows the number of times the transmitter had to defer for greater than 3 036 byte times Tx Late Collision Counter A counter that shows the number of collisions that occur greater than 512 bit times after a transmission has s...

Page 440: ...he Internet Protocol This term is sometimes used more broadly to indicate VoIP Multi Media communications via the H 323 or SCCP protocols WKP Abbreviation for well known port a known port address on the network Zero Window Condition where the TCP IP window size remains zero for all packets over a time period ...

Page 441: ...16 alarm actions overview 9 9 alarm editor 9 4 alarm thresholds 9 8 Delta Sample Type 9 8 examples 9 15 Frame Size 9 17 MAC Errors 9 16 Utilization 9 15 Falling Value field 9 8 hints and tips 9 14 Interval field 9 8 log file settings 4 16 overview 9 1 Packet Size example 9 15 pager settings 4 16 Rising Value field 9 8 Sample Type field 9 8 Alignment CRC Counter 12 2 All Calls table 11 9 Analyses 1...

Page 442: ... 6 7 data views supported 6 2 detail pane 6 8 hex pane 6 8 options 6 8 protocol decode color coding 4 12 summary pane 6 7 toolbar 6 7 Capture View toolbar 3 15 Capture View window 6 7 Capture Transmit Buffer A 1 Change Filter Operation 7 14 Channel Details 11 24 Channel Display Filter 11 29 Chart views 4 6 configuring 4 6 creating a Bottom Ten chart 4 6 creating a Top Ten chart 4 6 Cisco Discovery...

Page 443: ...Responsive Stations 10 44 10 46 OSPF Broadcasts 10 94 Overload Frame Rate 10 116 Overload Utilization Percentage 10 117 Oversize 10 115 Physical Errors 10 118 RIP Broadcasts 10 95 Router Storm 10 96 Runt 10 119 Same Network Addresses 10 97 SAP Broadcasts 10 98 Slow HTTP GET Response 10 34 Slow HTTP POST Response 10 35 Slow Server Connect 10 36 Slow Server Response 10 37 SMB Invalid Network Name 10...

Page 444: ...g 10 17 Diagnostic Messages 10 15 Direction Indicator 7 5 7 7 Disk Capture Location 4 14 Disk Options 4 14 Disk space 2 1 display filter 7 1 display filter activating 7 22 Display timers allowable values 4 13 Monitoring View local 4 13 Display timers Monitoring View remote 4 13 display vendor names 13 3 Distributed plug in 3 1 downloads saving 6 17 Dropped Packets 11 13 Duplicate Address View 6 35...

Page 445: ...12 Missed Broadcast Announcement 10 22 NCP File Retransmission 10 23 NCP Read Write Overlap 10 24 NCP Request Denied 10 25 NCP Server Busy 10 27 NCP Too Many File Retransmissions 10 28 NCP Too Many Request Loops 10 30 NCP Too Many Requests Denied 10 29 Network Overload 10 113 No HTTP POST Response 10 32 No Server Response 10 33 No WINS Response 10 40 Non Responsive Station 10 44 10 46 Oversized Fr...

Page 446: ...d Frames in filters 7 17 Goodbye Count 11 27 H H 323 11 1 Hardware Dependencies A 3 hardware devices 5 6 Help System on line iv Hints and Tips 10 122 Hints and Tips filters 7 31 History files 4 15 Host Information from Expert View 10 6 Host Matrix View 6 27 6 28 Host Table View 6 24 HSRP Coup 10 59 HSRP Errors 12 5 HSRP Resign 10 61 I ICMP All Errors 12 5 ICMP Destination Unreachable 12 6 ICMP Red...

Page 447: ...ify Alarms 9 3 Module buffer size 4 8 Detail View 6 4 forcing link 3 3 NDIS 5 8 default mode 5 8 numbering 5 1 supported counters 5 8 NDIS module numbering 5 8 setting the monitoring view 4 5 settings 4 7 set up 2 3 Module menu 3 3 Module number 3 1 Module settings 4 7 Module toolbar Summary View 3 6 Monitor Capture mode 6 6 Monitor mode 5 6 Monitor views see data views 6 18 monitoring performance...

Page 448: ...17 editing in Decode view 6 18 editing in Hex View 6 18 Set Size 6 17 Undo 6 17 Packet editor 8 8 Compute CRC button 8 9 Decode button 8 9 editing in Decode view 8 9 editing in Hex view 8 9 Undo button 8 9 Packet Size field 8 3 8 10 Packet slicing 4 8 Packet Summary View 6 34 6 35 6 36 color coding 4 12 Packet Type 8 10 Packet Type field 8 3 8 11 Packets editing 6 17 Packets Dropped counter 12 3 P...

Page 449: ...ime Out value 4 11 RST Responses 10 52 RTCP 11 27 RTCP Dropped Packets 11 13 RTCP Jitter 11 11 Runt 10 119 Runt Frame 10 119 S SA field 8 3 Same MAC Addresses 12 7 Same Network Address 10 97 Same Network Addresses 12 7 SAP Broadcasts 10 98 12 7 Scanning Ports tab 4 10 SCCP 11 2 select a filter template 7 7 Sequence Number 11 27 11 29 Sequence numbers 8 3 Sequence Numbers field 8 10 setting Buffer ...

Page 450: ...1 T Table views 4 6 TCP Checksum Errors 10 45 12 7 TCP Long Ack 10 49 TCP Repeat Ack 10 50 TCP Retransmissions 10 51 TCP SYN Attack 10 53 TCP Window Exceeded 10 54 TCP Window Frozen 10 47 TCP Window Probe 10 55 TCP Zero Window 10 56 TCP IP Frozen Window 12 7 TCP IP Long Acks 12 7 TCP IP Retransmissions 12 8 TCP IP RST Packets 12 8 TCP IP SYN Packets 12 8 TCP IP Window Probe 12 8 TCP IP Zero Window...

Page 451: ... Network Layer Matrix View button 3 11 Protocol Distribution View button 3 10 Refresh button 3 12 Utilization Error View button Rx 3 10 Utilization Error View button Tx 3 10 VLAN View button 3 11 Data Views toolbar 3 10 described 3 6 Detail toolbar Save button 3 8 Detail View toolbar 3 8 Alarm List and Log button 3 9 Capture Filter button 3 9 Capture Mode button 3 8 Capture View button 3 8 Display...

Page 452: ...ze 8 10 Packet Type 8 10 Sequence Numbers 8 10 specifying transmit data 8 8 transmission status 8 8 Transmitting capture files 8 12 trap destinations 9 12 Trap Settings for Surveyor Hosts 9 13 Trap Settings for THGs 9 12 Trigger action 7 14 Tx 6 3 Tx Attempt Counter 12 3 Tx Defer Counter 12 3 Tx Excessive Collision Counter 12 3 Tx Excessive Defer Counter 12 3 Tx Late Collision Counter 12 3 U Under...

Page 453: ...Index 13 Index continued resizing docking windows 4 1 X X offsets wildcard 8 10 Z Zero Broadcast Address 10 101 ...

Page 454: ...Index 14 Surveyor User s Guide ...

Search results

Summary of Contents for Surveyor

Reviews:

Related manuals for Surveyor

Brands by name

Popular brands

Finisar Surveyor, User Manual

Search results

Summary of Contents for Surveyor

Reviews:

Related manuals for Surveyor

Brands by name

Popular brands