Surveyor User’s Guide
Trademarks and Copyrights

Finisar, Surveyor, THGm, THGs, THGsE, THGnotebook, THGp, Century 12-Tap, 12-Tap, Century Tap, Packet Blaster plug-in, Remote plug-in, Expert plug-in, Multi-QoS plug-in, and Century Tool Kit are trademarks of Finisar Corporation. Windows NT, Windows XP, Windows 2000, Microsoft Mail, and Excel are trademarks of Microsoft Corporation. Pentium is a trademark of Intel Corporation. Magic Packets is a trademark of Advanced Micro Devices.
Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DOD FAR 52.227-7013.

Finisar
1389 Moffett Park Drive
Sunnyvale CA 94089

Limited Software Warranty

A Finisar Limited Software Warranty is provided with each Software Product purchased through one of Finisar’s authorized distribution channels.
About This Guide

This guide provides descriptions of the software components, features, and capabilities of the Surveyor product, Release 5.0. It also contains detailed tutorials and examples that will enable you to install, configure, and run the Surveyor software.

On-line Help System

We have included an extensive, on-line Help system with the Surveyor software.
Table of Contents

1 Introduction
    Surveyor Functions
    Analyzer Devices
    Protocols Supported
    What's New in Release 5.0
    Detail View Toolbar
    Data Views Toolbar
    Filter Design Toolbar
    Filter States Design Toolbar
    Capture View Toolbar
    Advanced Configuration
    surveyor.ini File
    Customizing Expert Diagnostic Information
    Assigning Names to Protocols (Monitor)
    Assigning TCP or UDP Ports to Protocol Parsers
5 Resources and Modes
    Network Layer Matrix View
    Application Layer Matrix View
    VLAN View
    Address Mapping View
    Packet Summary View
    Stream Modes
    Bursts
    Transmission Mode
    Specifying Transmit Data
    Packet Editor
    Expert Diagnostic Messages
    Working with the Expert System
    Configuring the Expert System
    Module Settings for the Expert System
    Setting Expert Alarms
    TCP Retransmissions
    TCP RST Packets
    TCP SYN Attack
    TCP Window Exceeded
    TCP Window Probe
    TCP Zero Window
    RIP Broadcasts
    Router Storm
    Same Network Addresses
    SAP Broadcasts
    Total Router Broadcasts
    Field Descriptions for Call Range Summaries
    VQMon Metrics
    Utilization Graph
    Field Descriptions for Call Details
    Channel Table Details
A Implementation Profile
    Buffers
    How Resources Use Buffers
    Hardware Dependencies
    About NDIS Mode
List of Figures

    Remote Host Connections
    Host Properties Dialog Box for Establishing an Alias
    Histogram Display and Button Controls
    Histogram Display Showing Colors
    Alarm Example, Expert and Application Response
    Expert Overview Example
    Expert Overview Detail Table Example
    Expert Application Layer Example

List of Tables

    Surveyor Functions
    Surveyor Optional Software Modules and Their Functions
    Finisar Analyzer Devices
    Protocols Supported in Surveyor
    Packet Editor Buttons
    Frame Size Distribution View, Frame Size Statistics
    Protocol Distribution View, Chart Buttons - Protocols
    SCCP Call Field Descriptions
    H.323 Call Field Descriptions
    SIP Call Field Descriptions
    Parser Names, IBM Suite
    Parser Names, Internet Suite
    Parser Names, Internet Next Generation Suite
    Parser Names, Netware Suite
Chapter 1: Introduction

Finisar is the technology leader in providing LAN and SAN analysis tools. Finisar's fully distributed, full-line-rate performance network analysis products monitor, measure, analyze, and troubleshoot 10/100/1000 Ethernet and VoIP. These products deliver unrivaled scalability, performance, accuracy and value to customers worldwide. Finisar's Surveyor software is a Windows-based (2K, NT 4.x, XP) software analyzer-plus-monitor application for 10/100/1000 Ethernet networks.
Surveyor's user interface provides both a comprehensive view of the network as well as the ability to easily drill down to a specific network segment. Surveyor's main window provides a single, user-defined view for each of the segments being monitored. The user determines what information to view for each segment such as network utilization, protocol distribution, host table, etc. In this same window, the user can create alarms that monitor multiple segments simultaneously.
Table 1-1. Surveyor Functions (continued)

Log: Record counter information. Surveyor enables you to capture all byte, frame, and error counter values compiled during the capture or transmission of data.

Monitor: Real-time views for data seen on a network segment. The data can be viewed in numerous ways and from different perspectives. Display of the data can be either graphical charts or row-and-column tables.
Analyzer Devices

The full power of Surveyor is realized through optional hardware analyzer cards available from Finisar. Analyzer cards from Finisar are installed in a PC, a notebook PC, or in a separate analyzer device. The table below provides a brief summary of the Finisar analyzer devices used by Surveyor:

Table 1-3.
Table 1-4. Protocols Supported in Surveyor

MAC Layer TCP/IP Suite TCP/IP Suite (Cont.) TCP/IP Suite (Cont.) IEEE 802.2 (LLC) ARP Ident RPC IEEE 802.3 ASF-RMCP iFCP RTSP Ethernet II BGP (Version 4) IGMP SGCP IEEE 802.5 BOOTP IMAP SLP Loopback CharGen IMSP IP SMTP MAC Control Frame DHCP iSCSI SNMP (v1, v2, v3) IEEE SNAP Discard LDAP TCP IEEE 802.
Oracle Suite IPX/SPX Suite (cont.
IBM ISO Intel MPLS NetBEUI CLNP MTP2 CR-LDP NetBIOS CONP MTP3 RSVP-TE ESIS RTSP ISIS TCAP ISO

Table 1-5. Supported Multi-Media Protocols

Multi-Media ITU H.323 IETF Cisco Codec ASN.1 H.248 / Megaco RUDP CellB GK DISC MGCP SCCP G.711 H.225.0 RTCP SSP G.721 H.245 RTP G.722 H.323v4 RTSP G.723 H.450.1 SGCP G.728 Q.921 SIP G.729 Q.931 H.261 RAS H.263 T.120 JPEG T.
What's New in Release 5.0

A synopsis of what's new in Surveyor 5.0 is provided below.

Capture to Disk and THGsE Analyzer Support

Surveyor now supports streaming large amounts of data to disk. A new hardware analyzer, named THGsE, has been developed to make streaming of capture data to disk possible. The THGsE is essentially the same hardware analyzer device as the THGs, with the addition of an internal disk. With THGsE, up to 80GB of disk space is available for capture.
Expanded Multi-QoS Support

The Multi-QoS software has been expanded to recognize a broader range of VoIP calls. This includes call formats used by Avaya and Alcatel. Multi-QoS can now build the call table without signaling information. Such calls are listed with a protocol type of UNKNOWN. This can be useful to see calls where signaling packets are unsupported or for probing end points that do not see signaling packets.
Chapter 2: Installation

System Requirements

The system requirements for installing and running the Surveyor software are shown in the table below.

Table 2-1. System Requirements

CPU: Pentium @ 233 MHz for 10/100 Ethernet applications; Pentium @ 1 GHz for Gigabit Ethernet applications (see processing memory below for type of processor required)

Operating System Software: Windows 2000, Windows NT 4.0 with Service Pack 3, 4, 5, and 6 plus administrative privileges, or Windows XP.
Table 2-2. Supported Analyzer Cards and Network Adapter Cards

Network Analyzer Cards: Desktop PC: THGm (Ten/Hundred/Gigabit module) analyzer card. THGm analyzer cards require an available PCI slot. Analyzer cards require processing memory based on the capture buffer memory available on the card.

Network Adapters, Network Adapter/Analyzer Cards: Desktop PC: NDIS-compatible Ethernet adapter or NDIS-compatible 4/16 Token Ring adapter card.
Installing Surveyor

Begin by installing any local hardware analyzer cards and/or adapter cards. Hardware analyzer cards are packaged separately from the Surveyor software. Multiple cards may be installed in a single PC. If you need information on PC card installation, see the following section in this chapter for hardware installation, setup, and connection instructions.

Perform the following steps to install the Surveyor software:

1.
Installing Analyzer Hardware

The sections below provide installation information for the Finisar analyzer cards in different hardware and software environments.

Installing Analyzer Hardware in a Desktop PC

Finisar offers an analyzer card that can be installed in a desktop PC. For PCI bus expansion slots, Finisar offers the THGm analyzer card for 10/100/1000 Ethernets.
2. Install the THGm card in your system. This requires opening the case of your computer, inserting the card in an available PCI slot, and closing the case of your computer. Refer to the THGm Hardware Installation Guide and your computer’s documentation for instructions.

3.
• The Ethernet card uses a CardBus interface.
• Separate installation instructions are provided for Windows NT. Installation of the Ethernet analyzer card in a notebook PC running Windows NT requires CardWizard V5.00.10.
• Installation requires the Surveyor CDROM and may require the Windows CDROM.
• It is recommended that Surveyor be installed into a dedicated notebook computer used exclusively for network analysis.
8. Insert the Surveyor CD in the CDROM drive.

9. Enter the path of the Ethernet Driver directory (\drivers) on the Surveyor CDROM and click OK.

10. The Select OEM Option window will appear. Select the “Finisar 10/100 Ethernet CardBus Adapter Plug & Play” driver. Click the OK button.

11. In the Settings window, all settings should remain as “CardWizard”. Click the OK button to begin copying driver software to your hard disk.
5. To update the device driver, click with the right mouse button on My Network Places. Select Properties from the menu.

6. Double-click on Local Area Connection. The Racore device driver should appear in the Connect box.

7. Press Configure and then select the Device Driver tab.

8. Press Update Driver.... The Upgrade Device Driver Wizard displays. Click the Next button to continue.

9. Select the Display a list of the known device.... radio button and then click Next.

10. Click the Have Disk.
Compatibility Matrix

Table 2-3.
Chapter 3: Getting Started

The Surveyor System

A complete Surveyor system consists of Surveyor software and at least one Finisar distributed net QoS system, analyzer card, or NDIS-compatible Ethernet adapter. Multiple devices can be installed in the local host PC. With the Remote plug-in you have access to other PCs containing Finisar analyzer cards, NDIS adapters, or other devices such as Finisar’s THGs or tap device.
each port on which you have installed a THGm analyzer card. Do not select ports for other devices. Click OK.

Use the Local Ports for Switching Taps tab in the dialog box to tell Surveyor which local COM port is attached to the tap device. Click the check box opposite the correct port number.

You can change the ports to be scanned or the local port for a tap device at any time. Select the System Settings... option of the Configuration menu to display the System Settings dialog box.

3.
5. THGm analyzer cards have two interfaces, RJ45 for 10/100 copper wire and a G-BIC for 1000 Mbps fiber optic. If you selected a THGm, you may need to change the interface. From the Module menu, choose Interface. On Board RJ45 selects the bidirectional 10/100BASE-T port. The default is the G-BIC which selects the G-BIC send/receive port pair.

6. If you selected a THGm for 10/100BASE-T, you may need to set the Interface Mode.
You can also access Capture View from Summary View to view a Capture file. From Summary View, click the button in the Surveyor toolbar. The contents of the Capture file are displayed in the Capture View window.

You’ll notice that many of the same functions can be performed from the different windows. This design allows you to perform all the tasks you might expect to do from any one of the major windows without having to switch to a different window.
• If you have the Expert plug-in, use the the expert views.
• If you have the Multi-QoS plug-in, use the button in Detail View to bring up the charts and tables for Voice over IP and Multimedia protocols.
• If you are running Packet Blaster plug-in, use the in Detail View to bring up the Transmit Specification dialog box to create data streams for transmit.
Buttons and Toolbars

Surveyor Toolbar

Open button: Opens a file, typically a capture file (.CAP). A dialog box displays showing all files with extension .CAP in the current directory. From the Summary Viewer, selecting a capture file to open will bring up Capture View.

Save button: Saves the current contents of the capture buffer to a file. A dialog box displays to select the file name and directory.

Print button: Prints the contents of the current view.
Capture Mode button: Places the currently selected resource in capture mode. This button is gray if the resource is currently active (started).

Monitor Mode button: Activates the monitor functions for the currently selected resource. If the resource does not support monitoring functions, the resource is put into capture mode. This button is gray if the resource is currently active (started).

Cap+Disk Mode button: Places the currently selected resource in Cap+Disk mode.
Detail View Toolbar

Save button: Saves the current contents of the capture buffer to a file. A dialog box displays, allowing you to select the file name and directory.

Print button: Prints the contents of the current view.

Start button: Starts a module. The module captures or transmits packets, depending on whether the mode is set to transmit or capture.

Stop button: Stops a module. The module ceases to capture packets or transmit packets.
Capture Filter button: Displays the Capture Filter window. The window displays a previously opened filter or the default filter.

Load Filter button: Brings up a dialog box to select a saved capture filter (.CFD extension). If a capture filter is opened, that filter is applied to the currently selected resource. This button is gray if the resource is currently active (started).
Data Views Toolbar (Expert and Multi-QoS buttons)

Ring Statistics View button (Token Ring Only): Brings up tables showing information about the rings and the ring stations detected on the network. This button is available for Token Ring adapters only.

MAC Statistics View button: Brings up MAC Statistics View for graphically viewing packet and error counters. This view also contains module and capture buffer status information.
Host Table View button: Selects Host Table View for viewing information. You can see MAC stations and their associated traffic in this view.

Network Layer Host Table View button: Selects Network Layer Host Table View for viewing information. You can see network (IP/IPX) stations and their associated traffic in this view.

Application Layer Host Table View button: Selects Application Layer Host Table View for viewing information.
Refresh button: Updates the information in all open views.

Duplicate Address button (Expert plug-in only): Brings up a table showing all duplicate IP and IPX addresses. The duplicate network and MAC addresses associated with each duplicate are displayed.

Expert View button (Expert plug-in only): Brings up a table showing all expert symptoms detected. There are two views of the expert information. The Analysis tab shows all expert symptoms detected.
Filter Design Toolbar

Create Filter button: Creates a new filter. The default window appears for the Filter Design window.

Open Filter button: Opens a filter. A dialog box displays to select the file. Capture filters are designated with an extension of .CFD files and display filters with an extension of .DFD.

Save Filter button: Saves the current contents of the filter to a file. A dialog box displays to specify the file name and directory.
are designated with an extension of .CFD files and display filters with an extension of .DFD.

Save Filter button: Saves the current contents of the Filter States Design window to a file. A dialog box displays to specify the file name and directory. Capture filters are saved as .CFD files and display filters as .DFD files.

Load Filter button: Loads the contents of the Filter States Design window to the currently active module.

Disable Filter button: Disables the current capture filter.
Capture View Toolbar

Open File button: Opens a capture file (.CAP). A dialog box will display showing the current directory with all files with extension .CAP.

Save File button: Saves the current contents of this view to a file.

Search Box: Use the box to specify an ASCII text string for which to search. Once the string is entered, press the search button to the right of the search box.

Search button: Starts a search of the capture file contents for an ASCII text string.
Resume Load button: Capture files are loaded to Capture View as a background process. Pressing this button resumes the background process.

Go To Trigger button: Pressing this button moves you to the line in the capture file that was set as the trigger position. If no trigger position is set, this button moves you to the first captured frame.

Navigation buttons: Navigation buttons move you through the capture file.
Host Matrix View button: Selects Host Matrix View for viewing captured information. You can see all conversations between MAC stations in this view.

Network Layer Matrix View button: Selects Network Layer Matrix View for viewing captured information. You can see all network conversations for IP and IPX traffic in this view.

Application Layer Matrix View button: Selects Application Layer Matrix View for viewing captured information.
File Formats

The following file formats are supported in Surveyor:

.HST Extension – Capture Files

File extension for capture data files. The .HST file contains formatting information and a list of .CAP files that contain the actual capture data. All new captures made by Surveyor are saved as .HST files. The .HST file is a master capture management file that organizes large captures (>10M) into multiple capture (.CAP) files. When the .
Providing a Name Table to Surveyor

A default name table file, hosts.nam, is included with the software. Surveyor boots using this default name table. If you wish to change the startup default name table, you must edit the surveyor.ini file by following these instructions:

1. Locate the surveyor.ini file in your Windows directory.

2. Open the surveyor.ini file with your text editor software.

3.
Establishing Links for THGm

The THGm is often connected to a device that cannot auto-negotiate the connection, such as when monitoring/analyzing a connection through a tap device. The device will automatically go through a sequence of attempts to disable auto-negotiation and establish a link with a device that cannot auto-negotiate. However, if a link cannot be automatically established with a device, you can attempt to establish a link manually by disabling auto-negotiation mode.
Chapter 4: Configuring Surveyor

Configuring the Interface

In Surveyor, you can control the appearance of windows, the primary monitor view, the appearance of tables and charts, and the colors of decode displays. The following sections describe how to set up the interface to best meet your needs.

Customizing Views and Windows

The Surveyor graphical user interface is extremely flexible. It takes advantage of the features of Windows to allow you to customize your interface.
completely close a docking window. If you close a docking window, use the options from the View menu to get the window back.

You can extract any docking window from the Summary View window and make it a stand-alone window. If you turn off docking using the right mouse functions, the window will not dock again when it is moved back over the Summary View window, allowing you to cascade windows. You can also “float” a docking window within the main window.
Table 4-1. Configurable Capture View Columns

Capture View Column: Description

Abs Time: The absolute time of arrival for each packet taken from the system clock when the capture was performed. Format: hh:mm:ss.mmm.uuu.nnn where ss=seconds, mmm=milliseconds, uuu=microseconds, nnn=nanoseconds

Delta Time: The time between each packet (interpacket gap). Format: s.mmm.uuu.
Use the bottom portion of the dialog box to set the point from which Surveyor will measure time when calculating and displaying the elapsed time stamp of each packet. Set “time-zero” for capture in the Elapsed Time Set Mark Option portion of the Display Options dialog box. The default option is Module Arm Time, which starts time zero at the time the module is started.
Table 4-2. Histogram Color Defaults (continued)

Graphic Element: Description (Default Color)

Zoom Cursor Color: Color of the zoom cursor. (White)

Zoom Window Color: Color of the area in the lower histogram that is currently being displayed in the upper histogram. (Grey)

Setting Histogram Zoom Factor

Setting the Zoom Factor changes the number of data points that remain in the upper zoom window when pressing the zoom button.
Configuring Chart Views

Protocol distribution view and frame size distribution view can be customized using buttons within the chart. The type of information in some chart views can be customized using the procedures below.

Charts graph the “top ten” stations or conversations based on a byte count. The count is the absolute percentage of the number of bytes out for stations, or the absolute number of bytes passed between stations for conversations.
Module Settings (Properties)

Module settings configure options for the capture, monitor, and transmit functions of devices. To configure modules, select Module Settings... from the Configuration menu. Tabs appear that apply to the currently active device type; a tab will only appear if this option can be set for the current device type. Hardware devices can have properties set according to Table 4-3 below:

Table 4-3.
Module settings are described in the subsections below. Default values for Module Settings are shown in Table 4-4:

Table 4-4.
For THGm modules, the default is no packet slicing (full packet length). For THGm, the slicing size must be 64 bytes or greater and packet slicing of 128 bytes is not supported for 1Gbps Ethernet.

For Portable Surveyor 10/100 Ethernet Analyzer Cards, and NDIS cards, the default setting is no packet slicing for capture, 128-byte packet slice for monitor. For NDIS modules, you cannot have both monitor and capture set to full packet size.
will be listed in the Application Tables as in the following example:

UDP nonWKP:4620

This feature only affects the tables or charts that display TCP/UDP port numbers. The display is affected for monitor views only of local modules. If you want to display port numbers and name the ports in the display for remote devices, see “Assigning Names to Protocols (Monitor)” on page 21 of this chapter. Also refer to this section for more information on non-WKP numbers.
2. A dialog box appears showing the ports within the local system. Check the box of only those ports you want Surveyor to scan for an analyzer card.

3. Click the OK button.

Configuring Remote Communications

The remote server protocol (RSP) is used to control the interface for connecting with remote systems. You configure the options that affect connection timeouts, encryption of control packets, and auto-discovery of resources.
Protocol Color Coding

Surveyor provides a real-time protocol decode called Packet Summary View and protocol decodes in Capture View. To use these displays more effectively, you may want to set the colors used for packet display. For example, you might want to display all transport layer packets in red and all others in black if you are looking only for protocol decode information in the transport layer.

To set up or change color coding for protocol decode, do the following:

1.
Table 4-6. Remote Polling Timers

Polling Timers: Description

MAC Layer Counters: Sets the interval for polling devices for MAC layer counters.

Protocol Distribution: Sets the interval for polling devices for the protocol distribution information.

Host Table: Sets the interval for polling devices for MAC layer host table information.

Matrix Views: Sets the interval for polling devices for information on MAC, network, and application layer conversations.
Disk Options

Surveyor supports saving and examining very large capture files. Two disk options are available to support large captures, Cache File Location and Disk Capture Location. Choose System Settings… from the Configuration menu and select the Disk Options tab to set either option.

Cache File Location

To support viewing very large captures (greater than 10MB), you can specify the size and location of a disk cache in the Cache File Location area.
Configuring Surveyor Configuring Alarms 4 Configuring Counter Logging Counter log files contain snapshots of Surveyor counter information. All MAC layer statistics can be recorded in the log file. To configure counter logging, select Log File Settings… from the Configuration menu. To enable counter logging, check the Enable Logging field. Set the time interval for capturing counter information in the Time Interval field.
Surveyor User’s Guide Using E-mail with Surveyor is turned off by default. If you want to use this feature, you must reset a parameter in the Surveyor.ini file. Set Enable MAPI=1 to enable the e-mail alarms feature through Microsoft Mail Exchange. To configure alarm actions, select Alarms from the Configuration menu and then select either E-Mail Settings, Pager Settings, or Log File Settings from the submenu. . Table 4-10.
Configuring Surveyor Configuring a Multi-Port Tap or Switch 4 The Surveyor software can be used to control which LAN segment is selected by the tap or switch. To set the LAN segment: 1. In the resource browser, click on the local or remote resource connected to the switch. The current port being monitored will display under the tap or switch resource. The example below shows a switch with the LAN Segment connected to port 5 selected. 2. Double-click on the tap or switch icon in the resource browser. 3.
Surveyor User’s Guide 4. Use the Bypass check boxes to set any network segments that you want to restrict from being used with the analyzer. Any segment with the Bypass box checked cannot be set as the LAN segment. 5. Click the OK button. Information about the exact type of switch or tap is shown at the bottom of the dialog box. Setting the Local COM Port for Taps and Switches The tap or switch can be controlled from a PC running Surveyor software.
Configuring Surveyor Settings for Analyzer Devices 4 2. Click on the icon for the remote analyzer device in the Resource Browser. 3. Choose Properties from the Host menu. 4. Click the Reset Host/Image Upgrade button. 5. Check the Warm Boot radio button under Reset Options. Leave all other fields blank or unmarked. 6. Click the OK button. When you reset a remote analyzer device, you will lose the connection. Use the Connect option from the Remote menu to reconnect.
Surveyor User’s Guide 8. Enter the IP address of a server that runs BOOTP and/or TFTP protocols in the IP Boot Server field. 9. If you are updating the image, set the path name to the software image file in the Boot Image Filename field. 10. Check the Warm Boot radio button under Reset Options. 11. Click the OK button. ! Caution You must use the Warm Boot option to load the new image from the network. The Cold Boot option will not update the image. When you reset the device, you will lose the connection.
Configuring Surveyor Advanced Configuration 4 directory and will use that file for its diagnostic information. If no EXPERTMSG.INI file is found in the directory, Surveyor will not provide diagnostic information. You can change the diagnostic information if you want. Changing the diagnostic information may be a useful way to customize Surveyor for your environment.
is a two-byte value that appears in a port field of a TCP or UDP packet header. It identifies the protocol, by port number, to be included as a discrete protocol in Surveyor’s monitor views.

is an alphanumeric string that is between 1 and 12 characters. This string is used as the name for the protocol in Surveyor’s monitor tables.

is an alphanumeric string that should be between 1 and 50 characters.
Example 2

Assume that a company is using a proprietary protocol named “Company X Protocol” that uses UDP port 921. By default this protocol would appear with the generic name “UDP WKP 921” in the monitor tables. Making the following entry in the UDP section of the MONITOR.INI file would give the protocol a more meaningful name:

[UDP]
mapping=921,CXP,Company X Protocol

Example 3

X Windows could use non-WKP TCP ports in the range 6000 to 6063.
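A check of MONITOR.INI mapping entries against the field limits given above (two-byte port, 1 to 12 character short name, 1 to 50 character long name), written as an added example and not part of Surveyor. The function and type names are hypothetical; treating `;` as a comment marker, allowing spaces in the long name, and rejecting a port mapped twice in one section are assumptions. Only the first mapping line in the sample comes from the guide, the others are constructed.

```python
import re
from collections import namedtuple

# Limits taken from the guide's field descriptions.
MAX_PORT = 0xFFFF                                   # port is a two-byte value
SHORT_NAME_RE = re.compile(r"[A-Za-z0-9]{1,12}")    # table name, 1-12 characters
# Assumption: spaces are allowed in the long name, as in "Company X Protocol".
LONG_NAME_RE = re.compile(r"[A-Za-z0-9 ]{1,50}")
WKP_MAX = 1023                                      # ports above this are non-WKP

Mapping = namedtuple("Mapping", "section port short_name long_name well_known")


def check_monitor_ini(text):
    """Return (accepted mappings, [(line number, problem), ...])."""
    accepted, rejected = [], []
    seen = set()          # (section, port) pairs already mapped
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):    # assumption: ';' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "mapping":
            continue                            # other keys are not checked here
        if section not in ("TCP", "UDP"):
            rejected.append((lineno, "mapping outside a [TCP] or [UDP] section"))
            continue
        fields = [f.strip() for f in value.split(",", 2)]
        if len(fields) != 3:
            rejected.append((lineno, "expected port,short name,long name"))
            continue
        port_text, short_name, long_name = fields
        problems = []
        port = int(port_text) if re.fullmatch(r"[0-9]{1,5}", port_text) else -1
        if not 0 <= port <= MAX_PORT:
            problems.append("port is not a two-byte decimal value")
        elif (section, port) in seen:
            problems.append("port already mapped in this section")
        if not SHORT_NAME_RE.fullmatch(short_name):
            problems.append("short name must be 1-12 alphanumeric characters")
        if not LONG_NAME_RE.fullmatch(long_name):
            problems.append("long name must be 1-50 characters")
        if problems:
            rejected.append((lineno, "; ".join(problems)))
            continue
        seen.add((section, port))
        accepted.append(
            Mapping(section, port, short_name, long_name, port <= WKP_MAX))
    return accepted, rejected


# Line 2 is the guide's Example 2; the remaining mapping lines are constructed.
SAMPLE = """\
[UDP]
mapping=921,CXP,Company X Protocol
mapping=70000,BIGPORT,Port out of range
mapping=921,CXP2,Second name for port 921
[TCP]
mapping=6000,XWindowsDisplay0,X Windows display 0
"""

if __name__ == "__main__":
    ok, bad = check_monitor_ini(SAMPLE)
    for m in ok:
        kind = "WKP" if m.well_known else "non-WKP"
        print(f"accepted: {m.section} {m.port} ({kind}) -> {m.short_name}")
    for lineno, problem in bad:
        print(f"line {lineno}: {problem}")
```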
How Surveyor Assigns Protocol Names

Surveyor explicitly monitors a predefined set of protocols/applications that use TCP or UDP as their transport layer. However, some of the TCP or UDP ports monitored are not given a well-known name. Also, some TCP and UDP ports are not explicitly monitored, and information about these remaining protocols is collected as though they were a single entity, one for TCP and one for UDP.
Configuring Surveyor Advanced Configuration 4 Monitoring Non Well-Known Ports Surveyor also collects information about a subset of ports that fall outside of the WKP range, port numbers greater than 1023. These ports are called non-WKP. Some of these ports are monitored by Surveyor since applications associated with them are widely accepted. The non-WKP ports that Surveyor monitors and their associated port values are listed in Table 4-11 and Table 4-12. Table 4-11.
Assigning TCP or UDP Ports to Protocol Parsers

Use the ANALYSIS.INI file to assign any built-in Surveyor parser to a TCP or UDP port. This is useful when a network is running a protocol/application over a TCP or UDP port that is not the default port. Assigning the proper parser allows Surveyor to correctly decode and analyze the packets associated with the TCP or UDP port. The assignment of parsers does not affect how the information is displayed in monitor views.
Furthermore, suppose the network administrator only wants to decode TCP port 11964 when associated with IP address 192.168.1.98. The entry in the ANALYSIS.INI file would be:

[TCP]
mapping=11964,192.168.1.98,TDS,Sybase TDS

Example 3

Assume that two real-time applications have been installed on a network that both use RTP (Real-Time Transport Protocol). Assume that one of the applications uses UDP port 10564 and the other uses 11964.
Chapter 5
Resources and Modes

Surveyor can gather statistical information and view network data from a variety of hardware sources. The types of information you receive from a resource depend on the hardware. Surveyor’s auto-discovery feature automatically scans the network for available resources, or you can enter the IP address of any host you can reach through a TCP/IP connection. Surveyor remembers the name of the most recent connection made so you can quickly reconnect to the host.
Surveyor User’s Guide Double-click on a resource to display a default view of the resource in Summary View. If a remote resource is protected, you are asked for a user name and password. Drag and drop resources onto alarms in the Alarm Browser to activate an alarm for a resource. Local resources are those within the local PC running Surveyor. Remote Resources Remote resources are all resources that can be reached through a TCP/IP connection.
[Figure: local and remote resources. Labels: Local LAN Segment; Local Host (Surveyor Software, Storage Device, Data Stream); Local Monitor/Transmit/Capture (Finisar Analyzer Card or NDIS Adapter); Remote Monitor/Transmit/Capture; TCP/IP Connection (LAN, modem, etc.); Network; Remote Host (Surveyor Software); Remote LAN Segment.]
Surveyor User’s Guide Naming Remote IP Resources (Aliases) The Resource Browser initially displays all nodes on a subnet using the IP Address. Users can assign an alias (user defined name) to a node for easy identification. For example, you can assign a name like “Chicago Node One” to the node. In addition, you can add a descriptive comment for any node. There are two methods for bringing up the Host Properties dialog box to create an alias: • Single-click with the mouse on the node.
Hovering the mouse over a top-level node which has an alias displays the name with the IP Address in parentheses along with the optional comment. For example, “Chicago Node One (192.1.68.2). This is Mount Prospect node”.

Resource Protection

You are in control of local resources within a PC. Use the functions on the Host menu to add and delete users for a resource, change passwords and protections, or view the users currently logged in.
Surveyor User’s Guide Modes Modes are applied to resources. Each resource can be in a different mode. The modes available with Surveyor depend on the underlying hardware resource as shown in Table 5-2 below: Table 5-2. Surveyor Resource Modes Mode Description Resource Type Monitor Provides real-time views and decodes of packets received by a device. All Capture Allows packets received by a device to be stored in a buffer for analysis.
Table 5-3. Hardware Device Capabilities

Device: THGm (Ten/Hundred/Thousand module)
Hardware Device Capabilities: THGm is Finisar’s premier analyzer card for 10/100/1000 Ethernet networks. THGm supports all counters in Surveyor and supports all capture functions at full line rate. The THGm also supports monitor and transmit functions. Special views are supported for viewing the capture buffer when the device is stopped.
Table 5-3. Hardware Device Capabilities (continued)

Device: Portable Surveyor 10/100 Ethernet Analyzer Card
Hardware Device Capabilities: Portable Surveyor 10/100 Ethernet Analyzer Card is an adapter/analyzer card for 10/100 Ethernet networks in a notebook PC environment. Portable Surveyor 10/100 Ethernet Analyzer Card adapters can be used to capture, transmit, or monitor. When using a Portable Surveyor 10/100 Ethernet Analyzer Card adapter, all counters are supported.
resources are recognized by the synchronized resource icon in the Resource Browser. Synchronizing resources allows single actions to start a resource pair. All statistics and all data about stations and conversations will appear as one resource to Surveyor. This enables you to perform all capture or monitoring functions on a full-duplex network segment. Synchronized resources can also monitor two half-duplex segments.
• Use synchronized THGm modules for full-duplex capture.
• For options to be displayed under the Host menu, you must select the local host name in the Resource Browser. Selecting a resource within the local host makes the options in the Host menu unavailable.
• Use the Properties… option from the Host menu to find out information about the host. Information includes host type, IP address, and the Surveyor software version.
Chapter 6
Views

There are numerous ways to view data from Surveyor. This section describes the primary windows you use to view data, and the actual data views you can see within each window. The primary windows for viewing information are shown in Table 6-1.

Table 6-1. Surveyor’s Primary Windows for Viewing Information

Primary GUI Window: Summary View
Description: From Summary View you can see one view of many different resources. Viewing options include configurable charts and tables.
Surveyor User’s Guide Table 6-2.
Views Summary View 6 Summary View Summary View is Surveyor’s global monitoring tool for network data. You can view real-time data from any local resource or any resource you can connect to on the network. You can filter the data before viewing by applying a capture filter. Each resource is viewed through its own window within Summary View. You can open windows for as many resources as you wish. Furthermore, each resource window can be displayed in six different views.
Surveyor User’s Guide • Protocol Distribution • Host Table • Network Layer Host Table • Application Layer Host Table • Host Matrix • Network Layer Matrix • Application Layer Matrix • VLAN • Address Map • Packet Summary • MAC Statistics • Ring Statistics • Expert • Application Response Time • Duplicate Address You can change the monitoring view for Summary View by choosing Monitor View Preferences from the Module option in the Configuration menu.
Views Detail View 6 You can have as many windows with data views as are available in Detail View. The initial data view you get of a resource is the view set in the Configuration menu for Summary View. Many of the table or chart views within Detail View can be customized. Files or buffers, such as a capture file or capture buffer, are considered resources just like physical devices that are available from the Resource Browser.
Surveyor User’s Guide Application Layer Host Table Host Matrix Network Layer Matrix Application Layer Matrix VLANs Address Map Duplicate Address (Expert plug-in only) Expert (Expert plug-in only) Application Response Time (Expert plug-in only) Multi-QoS (Multi-QoS only) Using Capture + Monitor Mode in Detail View In Detail View you can have both Monitor and Capture views of data.
Views Capture View 6 that you have of the capture buffer are still open windows within Detail View. In other words, the “view” and decode of previous information is still available, even though the capture buffer itself is refilling with new information. If you do not need this previous view of captured information, it is recommended that you close the Capture View window and all associated capture view windows. You can, of course, save this information to a file.
Surveyor User’s Guide • Detail Pane The Detail Pane shows the values of the protocol elements associated with each protocol. For example, for the Data Link Control the values for the source address, destination address, and packet length are shown. Single-clicking on a value highlights the value in both the Detail Pane and the Hex Pane. • Hex Pane The Hex Pane shows the hex and ASCII values for all the bytes in the packet.
Views Using the Histogram Control 6 Protocol Color Coding tab from the System Settings menu option. See “Appendix D” for a list of Surveyor’s default protocol color codes. If you have special decoding or display needs for non-standard protocols, see the “Advanced Configuration” section in Chapter 4 for information on assigning protocol parsers and assigning names to protocols.
Surveyor User’s Guide • The Lower Histogram represents the entire capture. The gray area on the histogram corresponds to the detail area. Figure 6-1. Histogram Display and Button Controls The vertical axis represents utilization in bytes per second. Data is loaded for viewing in 10 MB increments. The Upper Histogram and the amount of data selected for decode always spans an interval equal to a multiple of this 10MB minimum.
Views Using the Histogram Control 6 For the Upper Histogram, the Selected Section is changed by sliding a movable “window” over a portion of the data. This window is called the Capture Selection Window. For the Lower Histogram, the data to display in the Upper Histogram is changed by sliding a movable “window” over a portion of the data. This window is called the Capture Detail Window. Downloaded sections are indicated in the histogram.
Surveyor User’s Guide of the capture that are not shown in the Upper Histogram are available from the disk cache. Figure 6-2. Histogram Display Showing Colors The example below shows a large capture with many sections. In the Upper Histogram, the first section shown in magenta is the Current Section. By using the mouse, the section(s) near the end of the Upper Histogram are now the Selected Section(s). The gray-colored Capture Selection Window defines the Selected Section(s).
Views Using the Histogram Control 6 shown in black. The gray and black colors indicate that these sections are not downloaded. Figure 6-3. Histogram Display, Large Capture Example Once you press the download button, the colors will change and the decodes for the Selected Section in the Upper Histogram are loaded into the Summary area. Immediately after downloading, the histogram shows only the colors listed in the left hand column below, as the Selected Section and the Current Section will match.
Surveyor User’s Guide Table 6-4. Histogram Default Colors (continued) Blue Bright Blue Any incomplete sections. These are sections for which a download was started and the user aborted the operation in the middle of the transfer. Gray Black Any sections not currently downloaded. Histogram Button Controls Histogram controls allow you to focus on a smaller area of the capture, change the appearance of the graph, and load sections of the capture to the decode area.
Views Using the Histogram Control 6 Downloads the data currently selected in the Upper Histogram to the capture view decode. Only the data within the selection area (gray shaded area) is downloaded. To decrease or increase the size of the download, go to the Sections tab in the Configuration→ Capture View Options → Histogram… menu or press the Set Options button. Set the number of sections to download. Minimum size is one section, which is 10MB of data.
If you attempt to select an area smaller than 20MB, the closest sections that form 20MB of data become the Capture Selection Window. The picture below shows the double-arrow mouse icon in the Upper Histogram. The special mouse icons described above only appear when the mouse is over an area that will respond to cursor actions.

Figure 6-4. Histogram Showing Mouse Control

Right Mouse Options in the Histogram

A right mouse click brings up a menu of display options for both histograms.
Views Packet Editor 6 radio button and press the Range... button. Click, hold, and drag with the left mouse in the histogram to select the range you want to save. Resume Analysis You can set Surveyor to save the downloads you make from the THGsE or local disk when analyzing a histogram file. To retain the downloads of the histogram when working with the data on a remote THGsE, set the Resume Analysis on host with the following Histogram file... option in the Connect...
Surveyor User’s Guide Use the Undo and Redo functions from the Edit menu to remove or reapply the last packet edit. Editing in Decode View Editing in decode view allows you to edit packets without remembering offsets. Click on a field. A dialog box pops up showing the current value for the field and asks for a new value. The dialog box for each field is slightly different. Most dialog boxes can display and allow you to enter hexadecimal or decimal values.
Views Data Views 6 tables are updated approximately every 7 seconds. MAC Statistics View (Rx) From Detail View, click on the button to open a window with MAC Statistics View for capture. From Summary View, set the view preferences to MAC Statistics (Rx) to see this view in the first tab. MAC Statistics View for capture shows module activity and counters during capture. It provides a visual reference for what a resource is doing. Counters are incremented as the resource captures packets.
Surveyor User’s Guide MAC Statistics View (Tx) From Detail View, click on the button to open a window with MAC Statistics View for transmit. From Summary View, set the view preferences to MAC Statistics (Tx) to see this view in the first tab. MAC Statistics View also shows module activity during transmit. It provides a visual reference for module activity. The module identifier and the current mode are displayed in the window title bar. Counters are incremented as the module performs transmit functions.
Views Data Views 6 Frame Size Distribution View is available as a chart or a table. For the chart, the Bar and Pie buttons toggle the type of graphic display. The Pause/Resume button allows you to pause or resume real-time update of the graph. For both the chart and the table, each range of frame sizes is expressed as a percentage of the total number of frames counted.
Table 6-7. Protocol Distribution View, Chart Buttons - Protocols

Chart Button   Description/Action
NET            Shows percentages of all packets by network layer protocol type, such as IP and IPX.
IP             Shows percentages of other protocols used within IP packets only.
IPX            Shows percentages of other protocols used within IPX packets only.
All            Shows percentages of all packets by application.

Table 6-8.
Views Data Views 6 and IPX buttons show the percentages of only those packets that can be identified as containing IP or IPX information respectively. Table 6-9. Protocol Distribution View, Graph Type Buttons Display Button Description/Action BAR Display distributions as a bar graph. PIE Display distributions as a pie chart. II Pause the display. When pressed again, counters resume real-time update. Table Protocol Distribution View as a table shows frame and byte counts by protocol. . Table 6-10.
Surveyor User’s Guide Host Table View From Detail View, click on the button to open a window with Host Table View. From Summary View, set the view preferences to Host Table to see this view in the first tab. Host Table View is available as a chart showing the ten MAC stations with the most traffic or as a table showing all MAC stations. Click on the tab at the bottom of the window to select Table or Chart. The station address and name are provided in the table or chart.
Views Data Views 6 Table 6-11. Host Table View, Table Column Descriptions (continued) Rel % Frames Out Percentage of frames sent by this MAC station relative to the total number of frames Bytes In Number of bytes received by the MAC station Rel % Bytes In Percentage of bytes received by this MAC station relative to the total number of bytes Abs % Bytes In Percentage of bytes received by this MAC station relative to the total network capacity (measured in bytes) Avg.
Surveyor User’s Guide Table Network Layer Host Table View as a table shows network activity from the view of network stations. The table lists statistics for all stations found. The table can be customized to include other columns of information. Table columns listed in italics are the default Network Layer Host Table View columns. Press the right mouse button on any table entry to create a filter using the selected network layer host. See Chapter 7 for information on filters.
Views Data Views 6 Application Layer Host Table View From Detail View, click on the button to open a window with Application Layer Host Table View. From Summary View, set the view preferences to Application Layer Host Table to see this view in the first tab. Application Layer Host Table View is available as a chart showing the ten network stations with the most traffic or as a table showing all network stations. The network station address and name are provided in the table or chart.
Surveyor User’s Guide Table 6-13.
Views Data Views 6 Chart Host Matrix View as a chart shows only ten MAC conversations. The ten conversations displayed are those transmitting the largest relative percentage of frames. The chart can be customized to show the “top ten” conversations based on a different information field. The Bar and Pie buttons toggle the type of graphic display. The Pause/Resume button allows you to pause or resume real-time update of the graph.
Table 6-14. Host Matrix View, Table Column Descriptions (continued)

Abs % Bytes 1<—>2: Percentage of bytes sent in either direction between MAC Station 1 and MAC Station 2 relative to the total MAC capacity (measured in bytes)
Average Size 1<—>2: Average size of the frames sent in either direction between MAC Station 2 and MAC Station 1

Network Layer Matrix View

From Detail View, click on the button to open a window with Network Layer Matrix View.
Views Data Views 6 Table 6-15. Network Layer Matrix View, Table Column Descriptions (continued) Net Station Name 2 Network layer address of a second network station Net Station Address 2 Address of a second network station in IP address format VLAN Id Decimal number of the virtual LAN. Virtual LANs using Cisco’s ISL protocols are the only virtual LANs recognized at this time.
Surveyor User’s Guide The station addresses and names in the conversation are provided in the table or chart. The name and address are the same if Surveyor does not have a name table with address-to-name correspondences. Chart Application Layer Matrix View as a chart shows only ten applications over network conversations. The ten conversations displayed are those transmitting the largest relative percentage of frames.
Views Data Views 6 Table 6-16.
Surveyor User’s Guide Table VLAN View as a table shows network activity from the view of virtual LAN traffic. The table lists statistics for all VLANs found. The table can be customized to include other columns of information. You can click on any VLAN ID and see a Network Layer Host Table View or a Network Conversation Matrix View for that VLAN. Table columns listed in italics are the default VLAN View columns. Table 6-17.
Views Data Views 6 Table 6-18. Address Map View, Table Column Descriptions MAC Station Address MAC station address Network Station Name Name of the network station Network Station Address Network layer address of the network station Packet Summary View Packet Summary View shows a real-time protocol decode. Packets received are decoded and the result of the decode is displayed. The packets scroll up the screen as they are decoded.
Surveyor User’s Guide Expert View (Expert plug-in only) From Detail View, click on the button to open a window with Expert View. From Summary View, set the view preferences to Expert View to see this view in the first tab. Multiple tables are available in Expert View. Select a layer on the left and tab on the bottom to create the view you want. Expert View is not available as a chart. Refer to the chapter on the Expert System for complete information on Expert Views.
Views Hints and Tips for Using Views 6 Multiple tables are available in Multi-QoS View. You can view all calls, subsets of calls filtered by protocol or by a QoS metric, single call details, and channel details. Refer to the chapter on Multi-QoS for complete information on Multi-QoS Views. Hints and Tips for Using Views • When viewing a table, single click on columns to sort the table data. Click on a column header to list rows in descending order of the values for that column.
• Double-click on the MAC Statistics View in Detail View to bring up Capture View.
• Data in a chart will be sorted by the last sorted column in the corresponding table.
• Click the right mouse button on a table entry in Host Table, Network Table, Application Table, Host Matrix, Network Matrix, or Application Matrix view to bring up a menu for creating a filter. You’ll get a choice of creating a capture or display filter.
Chapter 7
Capture and Display Filters

For most data analysis operations, you’ll want to look at only a subset of all data. Filters allow you to select and count data in just about any way you can imagine. Capture filters allow you to capture a subset of the network data. Display filters allow you to view a subset of the data you have already captured. They can be used to refine your view of captured information.
Surveyor User’s Guide 5. Enter an address in the Add Conversation to Filter Template area and select the Apply Conversation to Template check box. Enter addresses by selecting their corresponding names in the name table. Suggestion: Try selecting one MAC station from the name table. You will now capture only HTTP traffic for a single station. 6. Press the Save Custom Template button. The newly-created filter template appears in the Available Filter Templates box. 7. Press the Add button.
Capture and Display Filters Creating Filters with Filter Templates 7 Conversation to Filter Template area in the display provides a convenient means of adding addresses to a custom filter template. • Add Port Numbers to Custom Filter Templates A port is a data pattern specific to the source and destination port numbers, including the protocol type and the direction of traffic.
Surveyor User’s Guide A sample Filter Design window is shown below.
Capture and Display Filters Creating Filters with Filter Templates 7 Creating and Applying a Conversation The Add Conversation to Template area of the Filter Design window provides a convenient way to add address byte patterns to a filter. The area consists of a protocol selection, frame type selection, two station addresses, a direction indicator, and an enable/disable check box. Refer to the table below for field definitions that comprise a conversation. Table 7-1.
There are four station address types:
• MAC address – 12 hexadecimal digits. For example, 34FD34AA0001.
• IP dot notation address – 4 decimal numbers in the range of 0 to 255, separated by dots. For example, 12.235.96.2.
• IPX address – 20 hexadecimal digits (without port number) or 22 hexadecimal digits (with port number). For example, 34FD34AA0001000000A1.
• Atalk address – 2 decimal numbers separated by dots. The first can range from 0 to 65534 and the second from 0 to 255.
Capture and Display Filters Creating Filters with Filter Templates 7 Creating and Applying a Port Number Surveyor provides a convenient way to add a port number to a filter. You specify port numbers for the filter by filling out the Add Port to Template area of the Filter Design window. This area consists of a protocol selection, frame type selection, a port number, a direction indicator, and an Apply Port to Template check box.
Surveyor User’s Guide Multiple Byte Patterns in Filter Templates Filter templates can be “several templates in one.” For example, HTTP, TELNET, and SNMP are provided as single filter templates, but they consist of both source and destination ports. In other words, the template itself contains an OR condition, and will capture a packet whether it appears in the offset for the source port or the offset for the destination port. An example Template Description window is shown below.
Capture and Display Filters Creating Filters with Filter Templates 7 You then save the template. When you save a custom template, Surveyor asks for a custom template name. Surveyor will assign a default name such as Template1 if no name is provided. Once you create a filter template, its name will appear in the Custom_Templates section of the Available Filter Templates box. Custom templates can be reused again and again once added to the list of templates.
Entering Values that Cross Byte Boundaries

Port values are generally understood as decimal numbers. For example, an NFS port is known as decimal 2049. Filter patterns are expressed as bytes and begin on byte boundaries. It takes two bytes to express a port number. Therefore, for port numbers you must convert the decimal number to a value that can be entered on a byte boundary. The example below shows how to enter NFS port 2049 in the filter window.

1.
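The decimal-to-byte conversion for a port pattern, together with the source-or-destination match a port template performs, as an added example that is not Surveyor code. All function names are hypothetical, and the offsets 34 and 36 assume an untagged Ethernet II frame carrying IPv4 with no IP options. The frames are constructed; the second one shows that a pattern compared at those fixed offsets stops lining up with the port fields once IP options are present.

```python
import struct

ETH_HEADER_LEN = 14          # Ethernet II, no VLAN tag (assumption)
FIXED_SRC_PORT_OFFSET = 34   # 14 + 20-byte IPv4 header without options
FIXED_DST_PORT_OFFSET = 36


def port_to_pattern(port):
    """Decimal port -> the two pattern bytes, most significant byte first."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("a port number must fit in two bytes")
    return struct.pack("!H", port)


def pattern_hex(port):
    """The same two bytes as hex text, e.g. for typing into byte fields."""
    return port_to_pattern(port).hex().upper()


def match_fixed_offsets(frame, port):
    """Source-port OR destination-port comparison at fixed byte offsets."""
    pattern = port_to_pattern(port)
    return (frame[FIXED_SRC_PORT_OFFSET:FIXED_SRC_PORT_OFFSET + 2] == pattern
            or frame[FIXED_DST_PORT_OFFSET:FIXED_DST_PORT_OFFSET + 2] == pattern)


def match_parsed(frame, port):
    """Same test, but the port offset is derived from the IPv4 header length."""
    if len(frame) < ETH_HEADER_LEN + 20 or frame[12:14] != b"\x08\x00":
        return False                       # too short, or not IPv4
    ihl = frame[ETH_HEADER_LEN] & 0x0F     # IPv4 header length in 32-bit words
    if ihl < 5 or frame[ETH_HEADER_LEN + 9] not in (6, 17):
        return False                       # malformed header, or not TCP/UDP
    l4 = ETH_HEADER_LEN + ihl * 4
    if len(frame) < l4 + 4:
        return False
    src, dst = struct.unpack("!HH", frame[l4:l4 + 4])
    return port in (src, dst)


def build_udp_frame(src_port, dst_port, ip_options=b""):
    """Constructed test frame: zeroed addresses, optional IPv4 options."""
    if len(ip_options) % 4:
        raise ValueError("IPv4 options must be padded to 4-byte multiples")
    ihl = 5 + len(ip_options) // 4
    ethernet = bytes(12) + b"\x08\x00"                      # EtherType IPv4
    ipv4 = bytes([0x40 | ihl]) + bytes(8) + b"\x11" + bytes(10) + ip_options
    udp = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    return ethernet + ipv4 + udp


if __name__ == "__main__":
    print("NFS port 2049 as pattern bytes:", pattern_hex(2049))
    plain = build_udp_frame(1023, 2049)
    padded = build_udp_frame(2049, 700, ip_options=b"\x01\x01\x01\x00")
    for name, frame in (("no IP options", plain), ("with IP options", padded)):
        print(name, "fixed:", match_fixed_offsets(frame, 2049),
              "parsed:", match_parsed(frame, 2049))
```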
Bit-Level Filtering

Surveyor can filter at the bit level. To set a bit pattern, place the cursor within a byte field in the Edit/Create Custom Filter Template area. Press the Set Bit Pattern button. The Bit-Level Pattern dialog box displays. The dialog box gives the number of the offset you are currently changing in its title bar. Enter any values for each bit that you want included in the filter.
Surveyor User’s Guide Filter Creation The FILTER CREATION portion (left side) of the Filter Design window is the area that actually specifies what conditions are tested and what actions are taken for this filter statement. See Figure 7-1 for an example of the FILTER CREATION area. • Create Template Combinations A template combination is built up from various custom or pre-defined filter templates. Logical operators such as AND, OR, and NOT are used to create the logic sequence.
Capture and Display Filters Filter Creation 7 a test against incoming frames. If the operation you try makes no sense in the context of creating a template combination, the operation is not allowed. For example, an OR operator makes no sense after an AND operator. As another example, inserting a filter template immediately after another filter template makes no sense and the operation is not allowed. The following table describes the buttons that are used as operators to create template combinations.
Actions for Capture Filters
Table 7-4 shows actions available for capture filters:
Table 7-4. Capture Filter Actions
Action: Description
Capture: Capture the frame.
Trigger: Capture the frame. Continue capture and fill the buffer to the percentage specified by the user in the After trigger, continue to capture packets until the buffer is: %% full field.
Increment Custom Counter: Increment the custom counter. For THGm, any combination of seven counters can be incremented.
Actions for Display Filters
Table 7-5 shows actions available for display filters:
Table 7-5. Display Filter Actions
Action: Description
Display Packet: Display the resultant data.
Change Filter Operation: Go to a different filter state for processing the next incoming packet. The state can be the current state or any other state defined in the display filter.
Global Values that Affect Capture Filter Actions
Table 7-6 describes the options and settings available that have a global setting. If you set the value in one statement, the value will apply to all other statements. The post trigger buffer position set in the After trigger, continue to capture packets until the buffer is: %% full field is a global value.
Frame types are shown in Table 7-7:
Table 7-7. Capture and Display Frame Types/Size
Frame Type/Size: Description
Good Frames: Frames that have no errors.
CRC Error Frames: All frames that contain CRC or Alignment errors (default is packets of 64 to 1518 bytes).
Fragment/Undersize: All fragments and undersized frames (default is packets less than 64 bytes).
Click on the State button in the Filter Design window to view the Filter States window for the filter. An example is shown below.
Figure 7-4. Example Filter States Design Window
From the Filter States Design window you view the entire structure of the filter. The window shows all the filter statements and the structure of the filter. Each statement is composed of conditions and actions to take if the condition is satisfied. Windows are used to create/modify each statement.
Filter Structure
The capture or display filter consists of states, each with a unique label so it can be referenced. Each state contains an IF statement, an ELSE statement, and optional ELSE IF statements. Each IF or ELSE IF statement is comprised of a condition to match against packets and the actions to implement if the condition matches. The ELSE statement is a set of actions to take when the other statements are false.
Filter States
States are used to group a set of statements. Since statements contain conditions and actions, states are a way to create a set of conditions and actions. You can specify up to 4 states with THGm. You always start and stay in State0 until an action takes you to a different state. The hardware device stays in a given state until a condition is met which results in an action that changes the filter operation.
Filter Statements
To create statements, press the button from the Filter States Design window. Use the window that appears to create a condition and to specify actions to be taken if the condition is satisfied. Once a condition is true, the next condition is not examined. For the next frame you remain in the current state or go to a different state, depending on the GoTo action specified in the statement.
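The state and statement evaluation described above, together with the byte-boundary port pattern and bit-level matching from the earlier sections, modelled as an added Python example (not Surveyor code). The class names, the frame offsets (Ethernet II, IPv4 without options, TCP), the mask meaning (1 = compare, 0 = ignore) and the sample filter are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MAX_STATES = 4  # the guide: up to 4 states with THGm


def port_pattern(port: int) -> bytes:
    """Decimal port -> the two pattern bytes a filter needs (2049 -> 08 01)."""
    return port.to_bytes(2, "big")


@dataclass(frozen=True)
class Condition:
    offset: int                      # patterns begin on a byte boundary
    pattern: bytes
    mask: Optional[bytes] = None     # assumed bit-level form: 1 = compare, 0 = ignore

    def matches(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + len(self.pattern)]
        if len(window) < len(self.pattern):
            return False             # frame too short to hold the field
        mask = self.mask or b"\xff" * len(self.pattern)
        return all((w & m) == (p & m)
                   for w, p, m in zip(window, self.pattern, mask))


@dataclass(frozen=True)
class Statement:
    condition: Optional[Condition]   # None marks the ELSE statement
    actions: frozenset = frozenset() # subset of {"capture", "trigger", "count"}
    goto: Optional[str] = None       # None = stay in the current state


class StateFilter:
    def __init__(self, states):
        if "State0" not in states or len(states) > MAX_STATES:
            raise ValueError("need State0 and at most %d states" % MAX_STATES)
        for name, stmts in states.items():
            # Rule from the guide: at least one IF and one ELSE per state.
            if (len(stmts) < 2 or stmts[-1].condition is not None
                    or any(s.condition is None for s in stmts[:-1])):
                raise ValueError(name + ": needs IF [ELSE IF ...] then one ELSE")
            if any(s.goto not in (None, *states) for s in stmts):
                raise ValueError(name + ": GoTo names an undefined state")
        self.states, self.state = states, "State0"
        self.captured, self.counter, self.trigger_index = [], 0, None
        self._seen = 0

    def feed(self, frame: bytes) -> set:
        """Evaluate one frame in the current state; return the actions taken."""
        # The first true condition wins; later conditions are not examined.
        stmt = next(s for s in self.states[self.state]
                    if s.condition is None or s.condition.matches(frame))
        actions = set(stmt.actions)
        if "trigger" in actions:
            actions.add("capture")   # setting trigger always sets capture
            if self.trigger_index is None:
                self.trigger_index = self._seen
        if "capture" in actions:
            self.captured.append(self._seen)
        if "count" in actions:
            self.counter += 1
        if stmt.goto:
            self.state = stmt.goto   # applies to the next frame
        self._seen += 1
        return actions


def tcp_frame(dst_port: int, flags: int = 0x10, src_port: int = 40000) -> bytes:
    """Constructed Ethernet II + IPv4 (no options) + TCP header, zero padded."""
    eth = bytes(12) + b"\x08\x00"
    ip = b"\x45" + bytes(8) + b"\x06" + bytes(10)
    tcp = (src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")
           + bytes(8) + bytes([0x50, flags]) + bytes(6))
    return eth + ip + tcp


def nfs_reset_filter() -> StateFilter:
    """Sample filter: arm on NFS traffic, capture it, trigger on a TCP RST."""
    nfs = Condition(offset=36, pattern=port_pattern(2049))     # TCP destination port
    rst = Condition(offset=47, pattern=b"\x04", mask=b"\x04")  # RST bit only
    return StateFilter({
        "State0": [Statement(nfs, frozenset({"count"}), goto="State1"),
                   Statement(None)],
        "State1": [Statement(rst, frozenset({"trigger"}), goto="State0"),
                   Statement(nfs, frozenset({"capture"})),
                   Statement(None)],
    })
```

The post-trigger buffer position is not modelled; the example only records which frame indexes each statement would capture.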
Capture and Display Filter Differences
Display and capture filters are activated in different ways. Also, some options for capture filters are not used in display filters. Some options available in capture filters make no sense for display and are therefore not supported:
• Display filters do not use custom counters.
• The action “display” is available for display filters. The actions “capture” and “trigger” and “increment custom counter” are available with capture filters.
Filter Examples
Filter examples are supplied with Surveyor. To see examples, open a capture filter file (.CFD extension) or a display filter file (.DFD extension) from the Filter window. From the Module menu, select Filter Description to access a description of any filter. To find more examples, look in the ...\examples\filter directory.
The steps used to create the filter template and load it to a resource are shown below:
1. Press the Clear Template button.
2. Press the Name button for Station Address 1. Select the address from the name table and click OK.
3. Press the Name button for Station Address 2. Select the address from the name table and click OK.
4. Pull down the Direction box and set the indicator to bi-directional (<->).
5.
Filter Example, Template Combination
The Filter Design window in Figure 7-6 shows the capture filter with a logical combination built in the Template Combination box. This filter collects all traffic to and from a single station that makes use of the HTTP or FTP protocols. The two templates are combined with an OR statement to collect both types of protocols.
The following steps describe how to create two filter templates, logically combine them using an OR operator, and load the resulting Template Combination to a resource:
1. Select the HTTP pre-defined filter template from the Available Filter Templates box.
2. Press the Name button for Station Address 1. Select the address from the name table and click OK.
3. Pull down the Direction box and set the indicator to source address (->).
4.
Filter Example, Capture TCP Port Traffic
The Filter Design window in Figure 7-7 shows the capture filter for a specific TCP Port. This filter collects all TCP/IP traffic that uses the BootPS port number.
Figure 7-7.
The following steps describe how to create the BootPS filter template and load it to a resource.
1. Press the Clear Template button.
2. In the Apply Port to Template area, enter the Protocol and Frame Type. For the BootPS port, use the IP/TCP protocol. In the example, the frame type is set to EV2.
3. Enter the port number in decimal in the Apply Port to Template area. The decimal port number for BootPS is 67.
4.
Filter Example, Advanced Filter
The Filter States Design window below shows the capture filter Example.CFD. The Filter States Design window shows the structure of the filter. In the example, the filter has multiple states and statements. From the Filter States Design window, shown in Figure 7-8, double-click on a statement to bring up its Filter Design window to see the details of how the statement is constructed.
Figure 7-8.
Rules of the Capture or Display Filter
• There must be at least one IF and one ELSE statement per state. ELSE IF statements are optional.
• The Post Trigger Buffer Position must be greater than zero and less than 100.
• There is always one and only one ROOT statement; you can’t delete the ROOT statement.
• In the capture filter, setting trigger will always set capture.
Hints and Tips for Using Filters
• Remember to load the Capture filter on the module before you start capture.
• If you want to look at captured data in many different ways, use display filters rather than capture filters. Capture large blocks of unfiltered data and look at different subsets of the data by using a variety of display filters.
• From the Detail View pane of the Capture View window, you can copy the contents of any field to create a Capture or Display filter. Select the field with the left mouse and then click the right mouse button. Selections for copy to capture or display filter appear. Select the option, and the Filter Design window appears.
Chapter 8
Transmit Specification
Packet Blaster plug-in allows you to generate packets and send them onto a network. This can be used to force the network to respond to known or suspected problem conditions or loads. Transmitted data can answer “What If?” questions about the network or particular network resources. To transmit data, you first set up a Transmit Specification. After the Transmit Specification is loaded to a module, click on the Start button to begin transmit.
Transmit Specification Dialog Box
Transmit Specifications are defined in a dialog box. The Transmit Specification dialog box contains:
• A Defined Streams list box (top) for viewing defined streams.
options available from the dialog box and click on the Add button. You can also add a capture file as a defined stream using the Add File… button. The added stream appears in the Defined Streams list box. Streams are transmitted by the module in the order in which they are defined. A defined stream may be activated or deactivated by double-clicking on the stream.
the stream. The Auto CRC check box specifies if a valid CRC will be automatically generated for the stream.
Stream Buttons
The Add, Add File..., Modify, Delete, and Edit Data... buttons perform functions for a single stream.
Table 8-1. Stream Function Buttons
Stream Button: Stream Function
Add: Adds a new stream after the currently selected stream in the Defined Streams window.
Transmit Specification control buttons are described in Table 8-2:
Table 8-2. Transmit Specification Control Buttons
Control Button: Transmit Specification Function
Load Module: Loads the current resource with the currently defined Transmit Specification. Be sure to use the Load Module button to load the specification to the resource before you begin transmission.
Open Specs...: Opens a previously saved Transmit Specification.
! Caution
Repeating frames using the transmission mode feature is a function implemented in software; there is a time gap of about 50ms between each transmission of the entire specification. Use Repeat Frames ‘n’ Times or Bursts where timing issues are critical when sending frames for these devices.
Ways of repeating frames can be used together.
Stream Modes
An interpacket gap for a frame can be set in three different ways: Packet Gap, Frame Rate and Traffic Rate. The stream mode defines the rate at which packets are transmitted from a module. The modes are as shown in Table 8-4 below:
Table 8-4. Stream Modes
Stream Mode: Rate Setting
Packet Gap: The rate is set as an interval of time between packets. The interval can be set in seconds, milliseconds, or microseconds.
Transmission Mode
You can either transmit the specification continuously or transmit it n times. Select Transmit Continuously to transmit activated streams in a loop until the module is stopped. Select Transmit Spec (N frames) to transmit activated streams a specific number of times. The number of streams does not necessarily equate to the number of frames transmitted.
! Caution
The transmission mode should always be set prior to loading the module.
Table 8-5 shows the buttons that are available from within the packet editor:
Table 8-5. Packet Editor Buttons
Packet Editor Button: Editing Function
Compute CRC: Inserts the correct CRC error check value for the frame. You can use this option to create frames with or without correct CRC error check values.
DA and SA Fields
The DA and SA fields define the MAC layer destination address and MAC layer source address for the stream. Note that the MAC address values appear in the stream synopsis in the Defined Streams list box. Use an X in any offset of the DA or SA fields to indicate “wild card” addresses. Surveyor will generate packets with different values in that offset. For example, set the DA field to 432FFFFFXX.
packets can be generated using Finisar analyzer cards. NDIS modules cannot generate bad CRC packets.
Using Templates
If you are inserting a new stream, you can use a template as the starting point for packet data. To select a template, click on the Template… button at the bottom of the Transmit Specification dialog box. Nested menus to select a template will display.
Transmitting Capture Files
You can transmit the contents of a capture file as one of the streams in the Transmit Specification. Place a capture file as a stream into the Defined Streams list box using the Add File… button. The entire contents of the capture file is transmitted with timestamps intact. As with any other stream, you can repeat transmission by using the Repeat Stream field. All other fields do not apply when the stream is defined by a capture file.
Transmit Specification Example, Packet Gaps
A Transmit Specification example in its dialog box is shown in Figure 8-2. The dialog box only shows the values for the currently highlighted stream. The current stream appears highlighted within the Defined Streams window. Multiple streams are defined in the specification. All activated streams (indicated by the check mark in the Defined Streams window) will be transmitted.
Figure 8-2.
Transmit Specification Example, Bursts
A Transmit Specification dialog box is shown in Figure 8-3. The dialog box only shows values for one stream, the stream that contains a burst. Multiple streams are defined in the specification. Since a burst of 100 is specified, 101 frames will be transmitted even though there are only two “streams” defined.
Figure 8-3.
Hints and Tips for a Transmit Specification
• Take care with what you transmit. Surveyor can transmit packets at more than 100% of network bandwidth. It is possible to flood the network and cripple performance.
• Make sure to activate streams before loading the specification to the module.
• Always set the transmission mode before loading the specification to a module.
Chapter 9
Alarms
Surveyor’s alarms facility enables you to create alarms to automatically monitor network resources. Access to Surveyor’s alarms facility is through the Resource Browser docking window located in Surveyor’s main window. The Resource Browser window features a hierarchical directory comprising all hardware devices and hosts discovered. Right-click on a resource to bring up its alarms. A unique set of alarms exists for each analyzer device on the network.
Current Module Alarms
When you right-click on an analyzer device in the Resource Browser, a menu appears. Select Alarms... and the Current Module Alarms dialog box appears with a list of alarms set up for the resource. If you have no alarms set for the resource, no alarms will display. Alarms apply to each analyzer card. If the host contains two analyzer cards, a separate Current Module Alarms dialog box appears for each card.
Figure 9-1.
Press New Alarm to enable new alarms for a resource. The Alarm Editor dialog box appears. Multiple alarms of any type may be added. See the following section for more information on the Alarm Editor.
Figure 9-2. Alarm Editor
Highlight one or more alarms in the Current Module Alarm window. Press Modify Alarm to modify the highlighted alarms. From the Modify Alarms dialog box, change the characteristics for current alarms.
Alarm Editor
There are six alarm groups that appear on the tabs in the Alarm Editor. The Expert tab and Application Response tab are only available if you have the Expert plug-in. The Multi-QoS tab only appears if you have the Multi-QoS software plug-in. Table 9-1 lists the alarm groups in the Alarm Editor.
Table 9-1. Alarm Editor
Alarm Editor: Description
MQOS: Allows you to modify and enable any of the 7 Multi-QoS alarms.
Multi-QoS Alarms
For Multi-QoS alarms, alarms can be created from the Multi-QoS Views interface as well as by double-clicking on the host. The Codecs field within the alarm editor allows you to select a specific codec or to ignore the type of codec used. For example, to trigger the alarm only when a G.711 codec is used, set the Codecs field to G.711. To trigger the alarm without looking at the codec type, set the Codecs field to All Codecs.
Expert Alarms
During transmit or receive, expert symptoms are logged as they occur. You can test for certain thresholds for these conditions by setting alarms using the Expert tab of the Alarm Editor. See the chapter on the Expert system for more information about the expert alarms listed below. Expert Alarms are only available if you are using Expert plug-in. Table 9-2 lists all Expert Alarms.
Table 9-2.
Using Alarms with Different Devices
Alarms can be used with the following hardware analyzer devices or adapters. For analyzer cards or adapters, the hardware device must reside in a host that is running a version of Surveyor 4.1 or greater. The software image for THGs analyzers must be at version 4.1 or greater. Table 9-3 shows the alarms that can be used with each Finisar analyzer device.
Table 9-3.
Thresholds and Alarms
Alarm thresholds are set by specifying the values in the Sample Type, Rising Value, Falling Value, and Interval fields for each alarm row in the alarm table. The numbers or percentages set for rising and falling values are referred to as thresholds. The key to creating a meaningful alarm is to specify these values so you get alerted to the exact network conditions you want to analyze. The sample type can be set to either Delta or Absolute.
Alarm Actions
Each line in an alarm table has a unique set of actions associated with it that will occur if the alarm is triggered. By default, two actions always occur when an alarm is triggered – an audible alarm and a message in the Message window. You can set one additional action to occur when you set the action to a type other than Message. For example, setting the alarm action to E-mail results in an audible alarm, a message, and an e-mail message when the alarm is triggered.
Table 9-4. Alarm Actions (continued)
SNMP Trap sends an SNMP trap to a specified management station(s). The trap destinations are configured as part of the host configuration for devices containing analyzer cards. Surveyor, THGs/THGsE The SNMP service must be installed and started for the trap to be sent. The Surveyor MIB or THGs MIB for the host will be available for the SNMP management station. Execute starts an executable file.
E-mail settings for Surveyor hosts and THGs hosts are slightly different. For analyzer devices in Surveyor hosts, you set the list of e-mail recipients for alarms from the Host → Alarm Setting → E-mail Settings... menu. All other e-mail configuration is performed from the local e-mail utility. For THGs, e-mail is completely configured from the Host → Alarm Setting → E-mail Settings... menu.
Trap Settings for THGs
The stations to receive traps for a remote THGs can be established from the local host running Surveyor. To set up trap destinations for a remote THGs device, select the THGs device in the Resource Browser and from the menu bar select Host → Alarms Settings → SNMP Trap settings. The SNMP Traps dialog box appears. Use the Community Settings area to add or delete communities. List all IP addresses for the community in the Trap Destinations area.
Multiple IP addresses may be set for each trap. A maximum of 15 trap destinations can be assigned to each community. All alarms will be sent to all specified trap destinations. The traps and MIB variables defined for THGs are defined in SNMPv2. Refer to the THGs User’s Guide for more information on SNMP management capabilities for THGs and MIB information.
Trap Settings for Surveyor Hosts
PCs running Surveyor 4.
Viewing the Alarm List and the Alarm Log
There are several ways to access the list of alarms or a log of alarm events. From Detail View, click on the button to open a window from which you can see the Alarms List and Alarm Log tab. From Summary View, click on the Alarms or Alarm Log tab for the resource. Click on the Alarms List tab to view all alarms set for this resource. This is the same view as the alarms listed in the Current Module Alarms dialog box.
Alarm Examples
The following are six examples for alarms and alarm groupings. Each provides a picture of the Current Module Alarms dialog box and a description of what will occur when the alarms are triggered.
Alarm Example, Utilization
Figure 9-6. Alarm Example, Utilization
This simple example shows an alarm group consisting of one MAC Layer alarm for Utilization. This alarm samples network traffic at five-second intervals.
Alarm Example, MAC Errors
Figure 9-7. Alarm Example, MAC Errors
This example shows an alarm group consisting of five MAC Layer alarms: Errors (two alarms), Oversize Frames, CRC/Alignment, and Fragments. Each of these alarm counters is checked at five-second intervals. When an alarm threshold for any of these five alarms is exceeded, Surveyor issues an audible alarm and displays a message in Surveyor’s message window.
Alarm Example, Frame Size
Figure 9-8. Alarm Example, Frame Size
This example shows an alarm group consisting of four MAC Layer alarms: Oversize Frames, 256-511 Byte Frames, 512-1028 Byte Frames, and 1024-1518 Byte Frames. Each of these alarms samples network traffic at five-second intervals. When an alarm threshold for any of these four alarms is exceeded, Surveyor issues an audible alarm and displays a message in Surveyor’s Message window.
Alarm Example, VoIP Calls
Figure 9-9. Alarm Example, Call Jitter and Call Setup Time
This example shows an alarm group consisting of four alarms: Call Setup Time, Call Jitter, severe Call Jitter, and User R-factor. When an alarm threshold for any of these four alarms is exceeded, Surveyor issues an audible alarm and displays a message in Surveyor’s Message window. The Severity setting instructs Surveyor to include a Warning message when the call jitter exceeds 200ms.
Alarm Example, Expert and Application Response
Figure 9-10. Alarm Example, Expert and Application Response
This example shows alarms consisting of three Application Response and one Expert alarm. All of these alarm counters are checked at five-second intervals. When an alarm threshold for any of these four alarms is exceeded, Surveyor issues an audible alarm and displays a warning message in Surveyor's message window.
Chapter 10
Expert Features
Automatic diagnostic analysis, expert data views, application response times, and expert alarms are referred to collectively as Surveyor Expert Features. The Expert Features are available only from Surveyor menus and toolbars if you have the Expert plug-in. Surveyor observes the traffic on network segments, learns their unique characteristics, and constructs a database of network entities from the traffic it sees.
Expert System Views
The expert views present expert information on capture files, a capture buffer, or in monitoring mode. The following Expert views are available from the Data Views or Capture View toolbar:
Expert View
Expert views are available from the Data Views or Capture View toolbars, if supported by the current resource. The Expert system presents a matrix of different views showing network symptoms, analyses, and entities by protocol layer.
Figure 10-1.
Expert Overview Details
Click on any counter in the display to view a table listing only the events for the selected symptom. The display has a summary area showing all symptoms and a detail area for the current selected symptom. The summary area contains a table showing frame ID (Capture View only), source address, destination address, VLAN ID, timestamp and other information for each event.
Figure 10-2.
Expert Layers
Surveyor categorizes network problems according to the network “layer” at which they occur. During capture or monitor, Surveyor decodes frames. The decode information embedded in each frame is used to categorize the problem. Layers are selected from the panel on the left of the Expert window. A display of symptoms can be refined by pressing one of the layer icons in the display. The categories used by the Expert system are shown below.
Figure 10-3.
The interface provides a matrix of expert information views. For each layer, the symptoms, analyses, and objects can be displayed by selecting a tab at the bottom of the window. Click on a column header to sort the symptoms in the summary area by the values in the column. Clicking a column header a second time changes the sort order from descending to ascending.
Table 10-1.
Expert Symptoms, Analyses, and Network Entities
When you capture or monitor packets on a network segment, Surveyor immediately begins constructing a database of network entities from the traffic it sees. Surveyor uses protocol decoding to learn all about the connections, network stations, routing nodes, and subnetworks related to the frames in the capture buffer. From this information, Surveyor can detect potential problems on the network.
Analyses
High rates of recurrence of specific symptoms or single instances of particular network events cause the software to assert that the network has a real problem. These are logged as analyses. Analyses should be investigated immediately. Counters for analyses can be used to trigger alarms. Press the Analyses tab on the Expert window to view the diagnoses derived from the current packet analysis.
Press the Entities tab on the Expert View window to view network objects discovered from the current packet analysis. The example below shows the entities discovered for the Transport Layer. The detail area shows details for both the conversation and the individual stations in the conversation.
Figure 10-4.
Application/Session Lists for Entities
The list displays the number of packets and bytes of application data that are sent and received by the server. The times when the first and last packets seen by this server are noted, and the duration is the difference between the times. The maximum and minimum response times of this server are shown. The average response time is the total response time divided by the number of responses.
Data Link Lists for Entities
The first list displays the network traffic of the physical station. It shows how many packets and bytes of data are sent and received by the station. It shows the network addresses associated to the station. The second list displays the protocols this station used, the number of packets and bytes of data of that protocol sent and received by the station, and the first and last frames in which the protocol occurred.
Expert Diagnostic Messages
From any summary table you can double-click on any symptom or analysis to display an Expert Diagnostic Message. Contents of the Expert Diagnosis window include:
• A summary of the symptom or analyses, including addresses and frame IDs
• A description of the Expert symptom or analyses
• Possible causes
• Recommended actions
Figure 10-5 shows an example of the Expert Diagnosis window.
Figure 10-5.
Working with the Expert System
Configuring the Expert System
Use the Expert Configurations dialog box to change expert settings. With the Expert View visible, select Expert Settings from the Configuration menu to view configuration options. An example Expert Configurations dialog box is shown below.
Figure 10-6. Expert Configuration Example
Settings are organized in a tree structure, with different network layers as the main branches in the tree.
The tree can be expanded or collapsed by clicking on the plus or minus icon, double-clicking on the item, or using direction keys. The checkbox can be checked or unchecked by clicking on the checkbox or by selecting the symptom and pressing the Space bar. The edit control is activated by selecting the value and clicking on it or pressing the Space bar. When a setting is changed, the number is checked against minimum and maximum values.
The ExpertMsg.INI file contains Surveyor’s diagnostic information. This file can be changed using a text editor, thus giving you a way to add information. Rules for adding information to ExpertMsg.INI are included at the beginning of the file. Either possible causes or recommended actions can be added, or any other special technical note. Surveyor always looks for the file named ExpertMsg.INI in the Surveyor installation directory and will use that file for its diagnostic information.
Working with Analyzer Devices
For THGm or NDIS resources, expert views present expert information on capture files, capture buffers, or in real-time monitor mode. An analyzer card with a hardware capture buffer is typically used for expert analysis. Use of an NDIS or Portable Surveyor 10/100 Ethernet Analyzer Card severely limits the number of packets that can be analyzed and the effectiveness of network diagnostics.
Application Layer
Excessive Mailslot Broadcasts
Counter
Excessive Mailslot Broadcasts is a counter of Mailslot Broadcasts packets per second that exceed a threshold. A count of all Excessive Mailslot Broadcasts events displays in the Overview counters of Expert View.
Expert Analysis
Excessive Mailslot Broadcasts events are automatically logged as expert symptoms.
FTP Login Attempts
Counter
FTP Login Attempts is a counter of FTP login attempts that exceed a threshold. A count of all FTP Login Attempt events displays in the Overview counters of Expert View.
Expert Symptom
FTP Login Attempt events are automatically logged as expert symptoms. The Symptom Summary field provides the number of login attempts. For example:
Login attempts=4 (> 3)
The threshold value for this symptom can be changed.
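A threshold check of the same shape as the FTP Login Attempts symptom, run over decoded FTP control-channel commands, as an added Python example (not Surveyor's implementation). The input line format, counting one attempt per PASS command for each client and server address pair, and the extra user-name and timestamp fields are assumptions; only the summary string follows the guide's sample.

```python
import re
from collections import defaultdict

DEFAULT_THRESHOLD = 3  # the guide's sample summary reads "(> 3)"

# Constructed sample of decoded FTP control-channel commands (not real traffic).
SAMPLE_LINES = """\
10:00:01.100 192.0.2.10:51000 > 198.51.100.5:21 USER admin
10:00:01.300 192.0.2.10:51000 > 198.51.100.5:21 PASS guess1
10:00:02.100 192.0.2.10:51001 > 198.51.100.5:21 USER root
10:00:02.300 192.0.2.10:51001 > 198.51.100.5:21 PASS guess2
10:00:02.900 192.0.2.20:40222 > 198.51.100.5:21 USER carol
10:00:03.000 192.0.2.20:40222 > 198.51.100.5:21 pass typo
10:00:03.400 192.0.2.20:40222 > 198.51.100.5:21 PASS correct
10:00:03.900 192.0.2.10:51002 > 198.51.100.5:21 USER admin
10:00:04.100 192.0.2.10:51002 > 198.51.100.5:21 PASS guess3
10:00:04.500 192.0.2.10:51003 > 198.51.100.6:21 USER admin
10:00:04.700 192.0.2.10:51003 > 198.51.100.6:21 PASS guess4
10:00:05.000 truncated line
10:00:05.200 192.0.2.10:51004 > 198.51.100.5:21 USER test
10:00:05.400 192.0.2.10:51004 > 198.51.100.5:21 PASS guess5
10:00:05.600 192.0.2.10:51004 > 198.51.100.5:21 LIST
""".splitlines()

# timestamp, client ip:port, server ip:21, FTP command, optional argument
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):21\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<arg>.*))?$"
)


def login_symptoms(lines, threshold=DEFAULT_THRESHOLD):
    """Return one symptom record per client/server pair whose count of
    login attempts exceeds the threshold."""
    attempts = defaultdict(int)   # (client, server) -> PASS commands seen
    users = defaultdict(set)      # (client, server) -> user names tried
    pending_user = {}             # connection -> most recent USER argument
    first_exceeded = {}           # (client, server) -> timestamp of crossing
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not decoded commands
        pair = (m["src"], m["dst"])
        conn = (m["src"], m["sport"], m["dst"])
        cmd = m["cmd"].upper()    # FTP commands are case-insensitive
        if cmd == "USER":
            pending_user[conn] = (m["arg"] or "").strip()
        elif cmd == "PASS":
            # Clients often reconnect between tries, so count per address
            # pair rather than per TCP connection.
            attempts[pair] += 1
            users[pair].add(pending_user.get(conn, "?"))
            if attempts[pair] == threshold + 1:
                first_exceeded[pair] = m["ts"]
    return [
        {
            "client": pair[0],
            "server": pair[1],
            "attempts": count,
            "users": sorted(users[pair]),
            "first_exceeded_at": first_exceeded[pair],
            "summary": "Login attempts=%d (> %d)" % (count, threshold),
        }
        for pair, count in sorted(attempts.items())
        if count > threshold
    ]
```

Lowering the threshold widens the result to clients that merely retried once, so the value should be tuned against the normal retry behaviour of the monitored segment.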
Missed Browser Announcement
Counter
Missed Browser Announcement is a counter of events where the time elapsed since the last browser announcement exceeds a threshold. A count of all Missed Browser Announcement events displays in the Overview counters of Expert View.
Expert Symptom
Missed Browser Announcement events are automatically logged as expert symptoms. The Symptom Summary field provides the time elapsed since the last browser announcement compared to a threshold value.
NCP File Retransmission
Counter
NCP File Retransmission is a counter of all times where a portion of a file is retransmitted. A count of all NCP File Retransmission events displays in the Overview counters of Expert View.
Expert Symptom
NCP File Retransmission events are automatically logged as expert symptoms. The Symptom Summary field provides the two addresses between which the retransmission occurred. For example:
Between [00000010.0207012303E3] and [302A9950.
NCP Read/Write Overlap
Counter
NCP Read/Write Overlap is a counter of all times where a portion of a file overlaps the transmission of other parts of the file. A count of all NCP Read/Write Overlap events displays in the Overview counters of Expert View.
Expert Symptom
NCP Read/Write Overlap events are automatically logged as expert symptoms. The Symptom Summary field provides the two addresses between which the overlap occurred. For example:
Between [00000010.
NCP Request Denied
Counter
NCP Request Denied is a counter of all times where the number of request denied replies exceeds a threshold within an interval. A count of all NCP Request Denied events displays in the Overview counters of Expert View.
Expert Symptom
NCP Request Denied events are automatically logged as expert symptoms. The Symptom Summary field provides the number of requests denied within the 100 ms interval.
NCP Request Loop
Counter
NCP Request Loop is a counter of all times where the same request occurs within an interval. A count of all NCP Request Loop events displays in the Overview counters of Expert View.
Expert Symptom
NCP Request Loop events are automatically logged as expert symptoms. The Symptom Summary field provides the following information:
Loops on same request in 100 ms
The interval of time to look for repeating requests can be changed. The default is 100 ms.
NCP Server Busy
Counter
NCP Server Busy is a counter of all NCP Server Busy responses that exceed a threshold for a single station. A count of all NCP Server Busy displays in the Overview counters of Expert View.
Expert Symptom
NCP Server Busy events are automatically logged as expert symptoms. The Symptom Summary field provides the number of busy responses measured in packets per second.
NCP Too Many File Retransmissions
Counter
NCP Too Many File Retransmissions is a counter of events where the ratio of file retransmissions to file requests exceeds a threshold value for a single station. A count of all NCP Too Many File Retransmission events displays in the Overview counters of Expert View.
Expert Analysis
NCP Too Many File Retransmissions events are automatically logged as expert analyses.
NCP Too Many Requests Denied
Counter
NCP Too Many Requests Denied is a counter of events where the ratio of file requests denied to file requests exceeds a threshold value for a single station. A count of all NCP Too Many Requests Denied events displays in the Overview counters of Expert View.
Expert Analysis
NCP Too Many Requests Denied events are automatically logged as expert analyses.
NCP Too Many Request Loops
Counter
NCP Too Many Request Loops is a counter of events where the ratio of file request loops to file requests exceeds a threshold value for a single station. A count of all NCP Too Many Request Loops events displays in the Overview counters of Expert View.
Expert Analysis
NCP Too Many Request Loops events are automatically logged as expert analyses.
NFS Retransmissions
Counter
NFS Retransmissions is a counter of all NFS Retransmissions over a period of time per segment. A count of all NFS Retransmissions displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
NFS Retransmission events are automatically logged as expert symptoms. The Symptom Summary field provides information about the addresses of the client and server involved.
No HTTP POST Response
Counter
No HTTP POST Response is a counter of all POST requests to an HTTP server that never receive a response or exceed a time out value. A count of all No HTTP POST Responses displays in the Overview counters of Expert View.
Expert Analysis
No HTTP POST Response events are automatically logged as expert analyses.
No Server Response
Counter
No Server Response is a counter of responses to server requests that never happen or exceed a time out value. A count of all No Server Responses displays in the Overview counters of Expert View.
Expert Analysis
No Server Response events are automatically logged as expert analyses. The Symptom Summary field provides information about the type of server involved.
Slow HTTP GET Response
Counter
Slow HTTP GET Response is a counter of all Slow HTTP GET Responses that exceed a threshold. A count of all Slow HTTP GET Responses displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
Slow HTTP GET Response events are automatically logged as expert symptoms. The Symptom Summary field provides information about the time required for the response and the threshold value.
Slow HTTP POST Response
Counter
Slow HTTP POST Response is a counter of all HTTP POST responses that exceed a threshold. A count of all Slow HTTP POST Responses displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
Slow HTTP POST Response events are automatically logged as expert symptoms. The Symptom Summary field provides information about the time required for the response and the threshold value.
Slow Server Connect
Counter
Slow Server Connect is a counter of all server connect responses that exceed a threshold. A count of all Slow Server Connects displays in the Overview counters of Expert View.
Expert Symptom
Slow Server Connect events are automatically logged as expert symptoms. The Symptom Summary field provides information about the type of application server, the time taken for the server to connect, and the threshold value.
Slow Server Response
Counter
Slow Server Response is a counter of server responses that exceed a threshold. A count of all Slow Server Responses displays in the Overview counters of Expert View.
Expert Symptom
Slow Server Response events are automatically logged as expert symptoms. The Symptom Summary field provides information about the type of application server, the time taken for the server to respond, and the threshold value.
SMB Invalid Network Name
Counter
SMB Invalid Network Name is a counter of SMB sessions that could not be established because of invalid network names. A count of all SMB Invalid Network Name displays in the Overview counters of Expert View.
Expert Analysis
SMB Invalid Network Name events are automatically logged as expert symptoms.
SMB Invalid Password
Counter
SMB Invalid Password is a counter of SMB sessions that could not be established because of an invalid password. A count of all SMB Invalid Password displays in the Overview counters of Expert View.
Expert Analysis
SMB Invalid Password events are automatically logged as expert symptoms.
Session Layer
No WINS Response
Counter
No WINS Response is a counter of responses to WINS server requests that never happen or exceed a time out value. A count of all No WINS Responses displays in the Overview counters of Expert View.
Expert Analysis
No WINS Response events are automatically logged as expert analyses. The Symptom Summary field provides the following information:
WINS request not responded within 1000 ms
The time out value for this symptom can be changed.
TNS Slow Server Connect
Counter
TNS Slow Server Connect is a counter of all TNS server connect responses that exceed a threshold. A count of all TNS Slow Server Connects displays in the Overview counters of Expert View.
Expert Symptom
TNS Slow Server Connect events are automatically logged as expert symptoms. The Symptom Summary field provides information about the time elapsed for the server connect and the threshold value.
TNS Slow Server Response
Counter
TNS Slow Server Response is a counter of TNS server responses that exceed a threshold. A count of all TNS Slow Server Responses displays in the Overview counters of Expert View.
Expert Symptom
TNS Slow Server Response events are automatically logged as expert symptoms. The Symptom Summary field provides information about the time elapsed for the server to respond and the threshold value.
Transport Layer
Idle Too Long
Counter
The Idle Too Long counter increments when a connection is idle for greater than a threshold value, measured in seconds. A count of all Idle Too Long events displays in the Overview counters of Expert View.
Expert Symptom
Idle Too Long events are automatically logged as expert symptoms. The Symptom Summary field provides information about the duration of the idle connection.
Non Responsive Station
Counter
Non Responsive Station is a counter of all non-responsive stations over a period of time per segment. A non-responsive station is defined as successive TCP/IP retransmissions over the same connection that are greater than a threshold value. A count of all non-responsive stations displays in the Overview counters of Expert View. A threshold for the number of Non Responsive Station events can be set in Expert Alarms.
TCP Checksum Errors
Counter
TCP Checksum Errors is a counter of all incorrect TCP checksums over a period of time per segment. A count of all TCP Checksum Errors events displays in the Overview counters of Expert View.
Expert Symptom
TCP Checksum Errors events are automatically logged as expert symptoms. The Symptom Summary field provides the IP source and destination address for the checksum error. For example:
SA=[206.250.228.69] DA=[206.250.228.
TCP Fast Retransmission
Counter
TCP Fast Retransmission is a counter of all TCP retransmissions that are less than a threshold value. A count of all TCP Fast Retransmissions displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
TCP Fast Retransmission events are automatically logged as expert symptoms. The Symptom Summary field provides the IP addresses of the client and server involved.
TCP Frozen Window
Counter
The TCP Frozen Window counter increments when the TCP window is frozen for greater than a threshold value, measured in seconds. A count of all TCP Window Frozen events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
TCP Frozen Window events are automatically logged as expert symptoms.
Recommended Action(s):
1. Upgrade the receiver’s CPU and/or Memory.
2. Reduce the number of connections to the receiver.
3. Increase the network bandwidth.
TCP Long Ack
Counter
The TCP Long Ack counter increments when the TCP acknowledgment for a connection is not seen for greater than a threshold value, measured in milliseconds. A count of all TCP Long Ack events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
TCP Long Acks are automatically logged as expert symptoms.
TCP Repeat Ack
Counter
The TCP Repeat Ack counter increments when the TCP acknowledgment number is less than the immediately preceding acknowledgement. A count of all TCP Repeat Ack events displays in the Overview counters of Expert View.
Expert Symptom
TCP Repeat Acks are automatically logged as expert symptoms. The Symptom Summary field indicates that the acknowledgement numbers are out of sequence.
TCP Retransmissions
Counter
TCP Retransmissions is a counter of all TCP Retransmissions over a period of time per segment. This variable counts the number of retransmitted packets to measure excessive retransmission in TCP/IP. A count of all TCP Retransmissions displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
TCP RST Packets
Counter
TCP RST Packets is a counter of all TCP RST Packets over a period of time per segment. This variable counts the number of RST responses to monitor resets in TCP/IP. A count of all TCP RST packets displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
TCP SYN Attack
Counter
The TCP SYN Attack counter increments when a change in the number of SYN requests per second exceeds a threshold. A count of all TCP SYN Attack events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
TCP SYN Attack events are automatically logged as expert symptoms. The Symptom Summary field provides information about the rate of change for SYN requests.
TCP Window Exceeded
Counter
TCP Window Exceeded is a counter of all events where the data length of a TCP packet exceeds the current window size. A count of all TCP Window Exceeded events displays in the Overview counters of Expert View.
Expert Symptom
TCP Window Exceeded events are automatically logged as expert symptoms. The Symptom Summary field provides information about the data length of the TCP packet and the current TCP window size on the receiving end.
TCP Window Probe
Counter
TCP Window Probe is a counter of all TCP Window Probe events over a period of time per segment. A count of all TCP Window Probe events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
TCP Window Probe events are automatically logged as expert symptoms.
TCP Zero Window
Counter
TCP Zero Window is a counter of all TCP Zero Window events over a period of time per segment. A count of all TCP Zero Window events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
TCP Zero Window events are automatically logged as expert symptoms.
Too Many Retransmissions
Counter
Too Many Retransmissions is a counter of events where the ratio of retransmissions to packets sent exceeds a threshold value for a single station. A count of all Too Many Retransmissions events displays in the Overview counters of Expert View.
Expert Analysis
Too Many Retransmissions events are automatically logged as expert analyses.
Network Layer
Duplicate Network Address
A separate table showing duplicate network addresses is available. Press the button on the Data View or Capture View toolbar to see this table.
Counter
Duplicate Network Address is a counter of all duplicate network addresses over a period of time per segment. A count of all duplicate network addresses displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms for all duplicate network addresses.
HSRP Coup
Counter
HSRP Coup events are counted in the HSRP Errors counter, which displays in the Overview counters of Expert View. A Coup message indicates that the router wishes to become active. A threshold can be set in Expert Alarms for HSRP Coup/Resign packets, which includes both Resign and Coup HSRP messages.
Expert Symptom
HSRP Coup events are automatically logged as expert symptoms.
HSRP Errors
Counter
Some Hot Standby Routing Protocol (HSRP) packets are counted in the HSRP Errors counter, which displays in the Overview counters of Expert View. Both Coup and Resign packets are counted. Coup/Resign packets in the HSRP are used to activate/deactivate routers. A threshold can be set in Expert Alarms for HSRP Coup/Resign packets, which includes both Resign and Coup HSRP messages.
HSRP Resign
Counter
HSRP Resign events are counted in the HSRP Errors counter, which displays in the Overview counters of Expert View. A Resign message indicates that the router is requesting to become inactive. A threshold can be set in Expert Alarms for HSRP Coup/Resign packets, which includes both Resign and Coup HSRP messages.
Expert Symptom
HSRP Resign events are automatically logged as expert symptoms.
ICMP All Errors
Counter
ICMP All Errors is a counter of all ICMP symptoms. A count of all ICMP symptoms displays in the Overview counters of Expert View. This counter can also be set in Expert Alarms to set a threshold for all ICMP errors.
ICMP Bad IP Header
Counter
ICMP Bad IP Header events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.
Expert Symptom
ICMP Bad IP Header events are automatically logged as expert symptoms. The Symptom Summary field provides information about the IP addresses involved. Examples are:
Sent by Destination Host [206.250.228.69] to [206.250.228.11].
ICMP Destination Host Access Denied
Counter
ICMP Destination Host Access Denied events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
ICMP Destination Host Unknown
Counter
ICMP Destination Host Unknown events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
ICMP Destination Network Access Denied
Counter
ICMP Destination Network Access Denied events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
ICMP Destination Network Unknown
Counter
ICMP Destination Network Unknown events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
ICMP Destination Unreachable
ICMP Destination Unreachable is a counter of all ICMP destination unreachable errors over a period of time per segment. A count of all destination unreachable ICMP symptoms displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms for all destination unreachable ICMP errors.
Recommended Action(s):
1. Check the routing tables of the router that this message was generated from.
2. Check the netmask configuration of the source.
3. Ignore this message if the destination is truly unreachable (no action required).
ICMP Fragment Reassembly Time Exceeded
Counter
ICMP Fragment Reassembly Time Exceeded events are counted in the All ICMP Errors counter. A count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.
Expert Symptom
ICMP Fragment Reassembly Time Exceeded events are automatically logged as expert symptoms. The Symptom Summary field provides information about the IP addresses involved.
ICMP Fragmentation Needed [D/F set]
Counter
ICMP Fragmentation Needed [D/F set] events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
ICMP Host Redirect
Counter
ICMP Host Redirect events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.
Expert Symptom
ICMP Host Redirect events are automatically logged as expert symptoms.
ICMP Host Redirect for TOS
Counter
ICMP Host Redirect for TOS events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.
Expert Symptom
ICMP Host Redirect for TOS events are automatically logged as expert symptoms.
ICMP Host Unreachable
Counter
ICMP Host Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
Expert Symptom
ICMP Host Unreachable events are automatically logged as expert symptoms.
ICMP Host Unreachable for TOS
Counter
ICMP Host Unreachable for TOS events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
ICMP Inconsistent Subnet Mask
Counter
ICMP Inconsistent Subnet Mask events are counted in the ICMP All Errors counter. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.
Expert Symptom
ICMP Inconsistent Subnet Mask events are automatically logged as expert symptoms.
ICMP Network Redirect
Counter
ICMP Network Redirect events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.
Expert Symptom
ICMP Network Redirect events are automatically logged as expert symptoms.
ICMP Network Redirect for TOS
Counter
ICMP Network Redirect for TOS events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.
Expert Symptom
ICMP Network Redirect for TOS events are automatically logged as expert symptoms.
ICMP Network Unreachable
Counter
ICMP Network Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
ICMP Parameter Problem
Counter
ICMP Parameter Problem events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.
Expert Symptom
ICMP Parameter Problem events are automatically logged as expert symptoms. The Symptom Summary field provides information about the IP addresses involved. For example:
Bad IP Header sent from [206.250.228.11] to [206.250.228.69].
ICMP Port Unreachable
Counter
ICMP Port Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
Expert Symptom
ICMP Port Unreachable events are automatically logged as expert symptoms.
ICMP Protocol Unreachable
Counter
ICMP Protocol Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
Expert Symptom
ICMP Protocol Unreachable events are automatically logged as expert symptoms.
ICMP Redirect
Counter
ICMP Redirect is a counter of all ICMP redirect errors over a period of time per segment. A count of all redirect ICMP symptoms displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms. The following types of ICMP redirect errors are counted: Network Redirect, Host Redirect, Network Redirect for TOS, Host Redirect for TOS, ICMP Redirect (catches all other Redirect errors).
ICMP Required IP Option Missing
Counter
ICMP Required IP Option Missing events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.
Expert Symptom
ICMP Required IP Option Missing events are automatically logged as expert symptoms. The Symptom Summary field provides information about the IP addresses involved. For example:
Bad IP Header sent from [206.250.
ICMP Source Quench
Counter
ICMP Source Quench events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.
Expert Symptom
ICMP Source Quench events are automatically logged as expert symptoms. The Symptom Summary field provides information about the IP addresses involved. Examples are:
Sent by Destination Host [206.250.228.69] to [206.250.228.11].
ICMP Source Route Failed
Counter
ICMP Source Route Failed events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
Expert Symptom
ICMP Source Route Failed events are automatically logged as expert symptoms.
ICMP Time Exceeded
Counter
ICMP Time Exceeded events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.
Expert Symptom
ICMP Time Exceeded events are automatically logged as expert symptoms. The Symptom Summary field provides information about the IP addresses involved. For example:
Sent by Gateway [206.250.228.61] to [206.250.228.
ICMP Time to Live Exceeded
Counter
ICMP Time to Live Exceeded events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview counters of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.
Expert Symptom
ICMP Time to Live Exceeded events are automatically logged as expert symptoms. The Symptom Summary field provides information about the IP addresses involved. For example:
Sent by Gateway [206.250.228.61] to [206.250.228.
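The ICMP entries above describe a roll-up: every ICMP symptom increments ICMP All Errors, and the unreachable and redirect symptoms also increment their own group counter. The sketch below is an added example, not Surveyor's code; the pairing of ICMP type/code values (RFC 792 and RFC 1122 meanings) with the guide's symptom names, the function names and the sample packets are assumptions.

```python
import socket
import struct
from collections import Counter

ALL = "ICMP All Errors"
UNREACH = "ICMP Destination Unreachable"
REDIRECT = "ICMP Redirect"

# (type, code) -> symptom name from this guide. The pairing is an assumption
# based on the RFC meaning of each code; codes the guide does not name (and
# ICMP Bad IP Header / Inconsistent Subnet Mask, whose trigger the guide does
# not define) fall back to the per-type name below.
SYMPTOMS = {
    (3, 0): "ICMP Network Unreachable",
    (3, 1): "ICMP Host Unreachable",
    (3, 2): "ICMP Protocol Unreachable",
    (3, 3): "ICMP Port Unreachable",
    (3, 4): "ICMP Fragmentation Needed [D/F set]",
    (3, 5): "ICMP Source Route Failed",
    (3, 6): "ICMP Destination Network Unknown",
    (3, 7): "ICMP Destination Host Unknown",
    (3, 9): "ICMP Destination Network Access Denied",
    (3, 10): "ICMP Destination Host Access Denied",
    (3, 12): "ICMP Host Unreachable for TOS",
    (5, 0): "ICMP Network Redirect",
    (5, 1): "ICMP Host Redirect",
    (5, 2): "ICMP Network Redirect for TOS",
    (5, 3): "ICMP Host Redirect for TOS",
    (11, 0): "ICMP Time to Live Exceeded",
    (11, 1): "ICMP Fragment Reassembly Time Exceeded",
    (12, 1): "ICMP Required IP Option Missing",
}
# ICMP error types and the catch-all symptom name for each.
TYPE_FALLBACK = {3: UNREACH, 4: "ICMP Source Quench", 5: REDIRECT,
                 11: "ICMP Time Exceeded", 12: "ICMP Parameter Problem"}
# Types that feed a group counter in addition to ICMP All Errors.
ROLLUP = {3: UNREACH, 5: REDIRECT}


def classify(packet: bytes):
    """Parse one IPv4 packet; return a symptom dict, or None if it is not an ICMP error."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                       # malformed, not ICMP, or truncated
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type not in TYPE_FALLBACK:
        return None                       # echo, timestamp, etc. are not errors
    counters = [ALL]
    if icmp_type in ROLLUP:
        counters.append(ROLLUP[icmp_type])
    return {
        "symptom": SYMPTOMS.get((icmp_type, code), TYPE_FALLBACK[icmp_type]),
        "counters": counters,
        "sent_by": socket.inet_ntoa(packet[12:16]),
        "to": socket.inet_ntoa(packet[16:20]),
    }


def tally(packets):
    """Overview-style totals: counter name -> number of events."""
    counts = Counter()
    for pkt in packets:
        hit = classify(pkt)
        if hit:
            counts.update(hit["counters"])
    return counts


def build(src, dst, icmp_type, code, proto=1):
    """Constructed packet: 20-byte IPv4 header + 8-byte ICMP header, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!BBHI", icmp_type, code, 0, 0)


# Constructed sample traffic using the addresses from the guide's examples.
SAMPLE = [
    build("206.250.228.61", "206.250.228.69", 3, 1),    # host unreachable
    build("206.250.228.11", "206.250.228.69", 3, 3),    # port unreachable
    build("206.250.228.61", "206.250.228.69", 5, 1),    # host redirect
    build("206.250.228.61", "206.250.228.69", 11, 0),   # TTL exceeded
    build("206.250.228.69", "206.250.228.11", 8, 0),    # echo request: ignored
    build("206.250.228.69", "206.250.228.11", 0, 0, proto=17),  # UDP: ignored
]

if __name__ == "__main__":
    for name, n in tally(SAMPLE).items():
        print(f"{name}: {n}")
```

Because one event can land in two counters, an alarm threshold on ICMP All Errors and another on a group counter can both fire for the same packets.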
Illegal Network Source Address
Counter
Illegal Network Source Address is a counter of all illegal network source addresses over a period of time per segment. A count of all illegal MAC source addresses displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
Illegal network source addresses are automatically logged as expert symptoms. The field provides the illegal address encountered.
IP Checksum Errors
Counter
IP Checksum Errors is a counter of all incorrect IP checksums over a period of time per segment. A count of all IP Checksum Errors events displays in the Overview counters of Expert View.
Expert Symptom
IP Checksum Errors events are automatically logged as expert symptoms. The Symptom Summary field provides the IP source and destination address for the checksum error. For example:
SA=[206.250.228.69] DA=[206.250.228.
IP Time to Live Expiring
Counter
IP Time to Live Expiring is a counter of all expiring connections over a period of time per segment. A count of all IP Time to Live Expiring events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms to generate an alarm based on a specific number of expiring connections.
Expert Symptom
IP Time to Live Expiring events are automatically logged as expert symptoms.
ISL BPDU/CDP Packets
Counter
ISL BPDU/CDP Packets is a counter of all Bridge Protocol Data Unit (BPDU) or Cisco Discovery Protocol (CDP) packets in an ISL frame over a period of time per segment. A count of BPDU/CDP packets displays in the Overview counters of Expert View.
ISL Illegal VLAN ID
Counter
ISL Illegal VLAN ID is a counter of all ISL illegal VLAN IDs over a period of time per segment. A count of all ISL Illegal VLAN ID displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom
ISL Illegal VLAN IDs are automatically logged as expert symptoms. The Symptom Summary field provides the number of the illegal VLAN ID.
OSPF Broadcasts
Counter
OSPF Broadcasts is a counter of all OSPF broadcasts over a period of time per segment. A count of all OSPF broadcasts displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms. If OSPF broadcasts fall below a certain threshold, this may indicate that an OSPF router is not functioning properly.
RIP Broadcasts
Counter
RIP Broadcasts is a counter of all RIP broadcasts over a period of time per segment. A count of all RIP broadcasts displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms. If RIP broadcasts fall below a certain threshold, this may indicate that a RIP router is not functioning properly.
Router Storm
Counter
Router Storm is a counter of all events where the router broadcasts exceed a threshold for a single router. A count of all Router Storm events displays in the Overview counters of Expert View.
Expert Symptom
Router Storm events are automatically logged as expert symptoms. The Symptom Summary field provides the number of router broadcasts measured in packets per second.
Same Network Addresses
Counter: Same Network Addresses is a counter of all events where the same source and destination network addresses are seen in the same packet. A count of all Same Network Address events displays in the Overview counters of Expert View.
Expert Symptom: Same Network Address events are automatically logged as expert symptoms. The Symptom Summary field provides the network address. For example: Addr=[255.23.252.
SAP Broadcasts
Counter: SAP Broadcasts is a counter of all SAP broadcasts over a period of time per segment. A count of all SAP broadcasts displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms. If SAP broadcasts fall below a certain threshold, this may indicate that a SAP router is not functioning properly.
Total Router Broadcasts
Counter: Total Router Broadcasts is a counter of total router broadcasts over a period of time per segment. A threshold for this counter can be set in Expert Alarms for total router broadcasts. If total router broadcasts go above a certain threshold, this may indicate that a router in the network is generating excessive broadcast messages.
Unstable MST
Counter: The Unstable MST counter increments when a change in the number of MST topology changes per second exceeds a threshold. The default threshold is a delta of 5 topology changes per second; however, this value can be changed from the Expert Thresholds tab in the Configuration → Module → Settings... menu. A count of all Unstable MST events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Zero Broadcast Address
Counter: Zero Broadcast Address is a counter of all events where the destination network address is all zeros. A count of all Zero Broadcast Address events displays in the Overview counters of Expert View.
Expert Symptom: Zero Broadcast Address events are automatically logged as expert symptoms. The Symptom Summary field provides an indication that a zero network address has been discovered. For example: Addr=[0.0.0.
MAC Layer
Bad Frames
Counter: Bad Frames is a counter of all bad frames over a period of time per segment. A count of all bad frames displays in the Overview counters of Expert View. The Bad Frames counter is a total count of several MAC layer symptoms. The Bad Frames counter includes the following MAC layer events:
• CRC Frames -- Frames from 64 to 1518 bytes with a CRC error.
• Fragment Frames -- Frames less than 64 bytes with a CRC error.
Broadcast/Multicast Storms
Counter: The Broadcast/Multicast Storms counter increments when a change in the number of total Broadcast/Multicast packets per second exceeds a threshold. Broadcast/Multicast Storms can be used to monitor extreme peaks in the number of broadcast and/or multicast messages. A count of all instances where the threshold is reached displays in the Overview counters of Expert View.
CRC Frame
Counter: The CRC Frame counter increments when a frame has a CRC error and is greater than 63 bytes in length. A count of all CRC Frames is included in the Bad Frames counter. The CRC Frame counter is used for Expert Alarms.
Expert Symptom: CRC Frame events are automatically logged as expert symptoms.
Excessive ARP
Counter: The Excessive ARP counter increments when a change in the number of ARP requests per second exceeds a threshold. A count of all Excessive ARP events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom: Excessive ARP events are automatically logged as expert symptoms. The Symptom Summary field provides information about the rate of change for ARP requests.
Excessive BOOTP
Counter: The Excessive BOOTP counter increments when a change in the number of BOOTP/DHCP requests per second exceeds a threshold. A count of all Excessive BOOTP events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom: Excessive BOOTP events are automatically logged as expert symptoms. The Symptom Summary field provides information about the rate of change for BOOTP/DHCP requests.
Excessive Broadcasts
Counter: Excessive Broadcasts is a counter that can be used to monitor fluctuations in the number of broadcast messages over a period of time per segment. A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive broadcasts. An alarm event can also be generated based on an absolute number of broadcasts over time. The default is 400 broadcast packets per second on a 100MB network.
Excessive Collisions
Counter: Excessive Collisions is a counter that can be used to monitor fluctuations in the number of collisions or the absolute number of collisions over a period of time per segment. A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive collisions. An alarm event can also be generated based on an absolute number of collisions over time.
Excessive Multicasts
Counter: Excessive Multicasts is a counter that can be used to monitor fluctuations in the number of multicast messages over a period of time per segment. A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive multicasts. An alarm event can also be generated based on an absolute number of multicasts over time. The default is 400 multicast packets per second on a 100MB network.
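The two alarm styles described for Excessive Broadcasts and Excessive Multicasts (a delta threshold on the change in rate, and an absolute threshold on the rate itself) can be reproduced offline from frame timestamps and destination addresses. This is an added example, not Surveyor code: the 400 packets-per-second figure is the default quoted above, while the delta threshold of 200, the choice to count a change in either direction, the strict "exceeds" comparison, and the sample traffic are constructed assumptions.

```python
from collections import Counter
from typing import Iterable, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def frame_kind(dst_mac: str) -> str:
    """Classify a destination MAC address as broadcast, multicast or unicast."""
    mac = dst_mac.lower()
    if mac == BROADCAST:
        return "broadcast"
    # The least significant bit of the first octet is the group (multicast) bit.
    return "multicast" if int(mac[:2], 16) & 1 else "unicast"


def rates_per_second(frames: Iterable[Tuple[float, str]], kind: str) -> List[Tuple[int, int]]:
    """Bucket (timestamp_s, dst_mac) pairs into per-second counts for one kind.

    Every second of the capture is returned, including seconds with no
    matching frame, so that a sudden drop to zero is visible as a change.
    """
    frames = list(frames)
    if not frames:
        return []
    counts = Counter(int(ts) for ts, dst in frames if frame_kind(dst) == kind)
    seconds = [int(ts) for ts, _ in frames]
    return [(s, counts.get(s, 0)) for s in range(min(seconds), max(seconds) + 1)]


def evaluate(rates: List[Tuple[int, int]],
             absolute_threshold: int = 400,   # default quoted in the guide
             delta_threshold: int = 200       # hypothetical value
             ) -> List[Tuple[int, str, int]]:
    """Return (second, alarm_type, value) for every threshold crossing."""
    alarms = []
    previous = None
    for second, rate in rates:
        if previous is not None:
            change = abs(rate - previous)      # assumption: either direction counts
            if change > delta_threshold:
                alarms.append((second, "delta", change))
        if rate > absolute_threshold:
            alarms.append((second, "absolute", rate))
        previous = rate
    return alarms


def build_sample() -> List[Tuple[float, str]]:
    """Constructed traffic: a broadcast burst in seconds 2 and 3."""
    frames = []
    for second, broadcasts in enumerate([50, 60, 450, 430, 40]):
        for i in range(broadcasts):
            frames.append((second + i / 1000.0, BROADCAST))
        frames.append((second + 0.999, "01:00:5e:00:00:fb"))    # one multicast frame
        frames.append((second + 0.9995, "02:00:00:00:00:01"))   # one unicast frame
    return frames


if __name__ == "__main__":
    for alarm in evaluate(rates_per_second(build_sample(), "broadcast")):
        print(alarm)
```

The delta alarm fires at the start and at the end of the burst, while the absolute alarm fires for each second the rate stays above the limit, which is why the two thresholds are configured separately.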
Fragment Frame
Counter: The Fragment Frame counter increments when a frame has a CRC error and is less than 64 bytes in length. The Fragment Frame counter is used for Expert Alarms. A count of all Fragment Frames is included in the Bad Frames counter that displays in the Overview counters of Expert View.
Expert Symptom: Fragment Frame events are automatically logged as expert symptoms.
Illegal MAC Source Address
Counter: Illegal MAC Source Address is a counter of all illegal MAC station source addresses over a period of time per segment. A count of all illegal MAC source addresses displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
Expert Symptom: Illegal MAC source addresses are automatically logged as expert symptoms. The Symptom Summary field provides the illegal address encountered.
Jabber Frame
Counter: The Jabber Frame counter increments when a frame has a CRC error and is greater than 1518 bytes in length. A count of all Jabber Frames is included in the Bad Frames counter that displays in the Overview counters of Expert View. The Jabber counter is used for Expert Alarms.
Expert Symptom: Jabber Frame events are automatically logged as expert symptoms.
Network Overload
Counter: Network Overload is a counter of instances where a threshold for the percentage change in network utilization is exceeded. Network utilization is compared to the utilization for the previous time segment. The default threshold is a 40% change in network utilization. A count of all instances where the threshold is reached displays in the Overview counters of Expert View.
Expert Symptom: Network Overload events are automatically logged as expert symptoms.
New MAC Stations
Counter: New MAC Stations is a counter of all the new MAC stations over a period of time per segment. A threshold for this counter can be set in Expert Alarms. The threshold for new MAC stations is typically set to 1 as an absolute value. The new MAC station counter detects new MAC stations (nodes) on a LAN segment. After a segment is stabilized with a specific number of stations, this counter can indicate possible intruder stations.
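The New MAC Stations logic (learn the stations on a stable segment, then alarm on any address not seen before) can be sketched as follows. This is an added example, not Surveyor code: the threshold of 1 comes from the text above, while the class name, the 300-second learning window, the 60-second counting interval, the rule that the alarm fires when the count reaches the threshold, and the sample frames are constructed assumptions.

```python
from collections import Counter
from typing import List, Tuple


def source_mac(frame: bytes) -> str:
    """Return the source address (bytes 6..11) of a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    return ":".join(f"{b:02x}" for b in frame[6:12])


class NewStationCounter:
    """Counts source addresses first seen after a learning window."""

    def __init__(self, learn_seconds: float, interval_seconds: float = 60, threshold: int = 1):
        self.learn_seconds = learn_seconds
        self.interval_seconds = interval_seconds
        self.threshold = threshold
        self.known = set()                # every source address seen so far
        self.first_ts = None              # timestamp of the first frame
        self.new_per_interval = Counter() # interval index -> new stations
        self.events: List[Tuple[float, str]] = []

    def observe(self, ts: float, frame: bytes) -> bool:
        """Feed one frame; return True if it reveals a station new to the baseline."""
        if self.first_ts is None:
            self.first_ts = ts
        mac = source_mac(frame)
        if mac in self.known:
            return False
        self.known.add(mac)
        elapsed = ts - self.first_ts
        if elapsed < self.learn_seconds:
            return False                  # still building the baseline
        self.new_per_interval[int(elapsed // self.interval_seconds)] += 1
        self.events.append((ts, mac))
        return True

    def alarms(self) -> List[int]:
        """Interval indexes in which the new-station count reached the threshold."""
        return sorted(i for i, n in self.new_per_interval.items() if n >= self.threshold)


def frame(src_hex: str, dst_hex: str = "ffffffffffff") -> bytes:
    """Build a constructed 60-byte Ethernet frame with an empty payload."""
    return bytes.fromhex(dst_hex + src_hex + "0800") + bytes(46)


# Constructed capture: three stations during learning, two newcomers afterwards.
SAMPLE = [
    (0, frame("02000000000a")),
    (30, frame("02000000000b")),
    (200, frame("02000000000c")),
    (900, frame("02000000000d")),    # new station after the baseline
    (905, frame("02000000000a")),    # already known, not counted
    (1500, frame("02000000000e")),   # second new station
]


def run_sample() -> NewStationCounter:
    counter = NewStationCounter(learn_seconds=300)
    for ts, raw in SAMPLE:
        counter.observe(ts, raw)
    return counter


if __name__ == "__main__":
    result = run_sample()
    print(result.events, result.alarms())
```

A station that reuses an already-learned source address is not counted as new.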
Oversized Frame
Counter: The Oversize Frame counter increments when a frame has a CRC error and is greater than 1518 bytes in length. A count of all Oversize Frames is included in the Bad Frames counter that displays in the Overview counters of Expert View. The Oversize Frame counter is used for Expert Alarms.
Expert Symptom: Oversized Frame events are automatically logged as expert symptoms.
Overload Frame Rate
Counter: Overload Frame Rate counts frames over a one-second time period. A threshold for the number of frames per second can be set in Expert Alarms. Overload Frame Rate can help catch network overloads. Values for the threshold can range from 1 to 148,800 frames/sec for a 100 MB network. The default is 37,200 frames/sec.
Overload Utilization Percentage
Counter: Overload Utilization Percentage counts bits over time and compares this value to the maximum utilization possible (bandwidth). A threshold for this percentage value can be set in Expert Alarms. Overload utilization percentage can help catch network overloads. The default for a 100MB network is 25% of maximum utilization.
Physical Errors
Counter: The Physical Errors counter increments when a change in the number of total MAC physical errors per second exceeds a threshold. Physical errors include CRC/alignment errors, dropped events, collisions, jabbers, oversize packets, undersize packets, and fragments. A count of all instances where the threshold is reached displays in the Overview counters of Expert View.
Expert Symptom: Physical Error events are automatically logged as expert symptoms.
Runt Frame
Counter: The Runt Frame counter increments when a frame is less than 64 bytes in length. The Runt Frame counter is used for Expert Alarms. A count of all Runt Frames is included in the Bad Frames counter that displays in the Overview counters of Expert View.
Expert Symptom: Runt Frame events are automatically logged as expert symptoms.
Same MAC Addresses
Counter: Same MAC Addresses is a counter of all events where the same source and destination network addresses are seen in the same packet. A count of all Same MAC Address events displays in the Overview counters of Expert View.
Expert Symptom: Same MAC Address events are automatically logged as expert symptoms. The Symptom Summary field provides the MAC address.
Total MAC Stations
Counter: Total MAC Stations is a counter of all the MAC stations over a period of time per segment. A count of all MAC stations displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms. The MAC station counter helps detect excessive MAC stations (nodes) on a LAN segment.
Hints and Tips for Expert Features
• Double-click any symptom in a table to view Diagnostic information.
• When looking at Expert View in Monitor only mode, Frame IDs are displayed for information only and you cannot examine a frame related to a symptom. If you need to look at specific frames related to Expert Symptoms, look at the frame information in the capture buffer or in a capture file.
• Expert Views can be disabled on a per module basis.
Summary of Expert Counters and Symptoms Table
Table 10-2 on the following page provides a summary of expert features by symptom/counter/application name. The meanings of the column headings are listed below.
Expert Symptom: Logged as an Expert Event and appears in the expert tables.
Expert Analysis: Logged as an Expert Event and appears in the expert tables.
Table 10-2.
Chapter 11 Multi-QoS
Multi-QoS is a software plug-in to Surveyor that analyzes multimedia traffic over Ethernet-based networks. Multi-QoS validates Quality of Service (QoS) parameters presented by PSTN/IP Gateways, IP switches, and IPBXs. Multi-QoS provides a rich set of reported and calculated data to validate IP networks that carry the multimedia data. The transmission of voice and video over traditional “data-only” networks is one of the most active areas in today's telecommunications industry.
Full decode of multimedia protocols by Multi-QoS provides users with the ability to look at any captured packet and understand its contents. Multi-QoS validates that the network is performing as it has been configured and helps you troubleshoot problems. Multi-QoS provides graphic summaries of Call Jitter, Dropped Packets, and Call Set-up Time to view network performance at a glance. Point-and-click on graphs to see call tables. Click on any call to get complete call details.
Multi-QoS User Interface Overview
The Surveyor Multi-QoS interface can be used with capture files, a capture buffer, or in real-time monitoring mode. To view Multi-QoS graphs and tables, click on the Multi-QoS button on the Detail View toolbar or select Multi-QoS View from the Monitor or Capture menus. The Multi-QoS view consists of tabs for viewing graphs of VoIP call data and configuring the interface.
[Figure: navigating the Multi-QoS views. Select Multi-QoS from Capture View or Monitor View to open the Summary Range Graphs; select a range in a graph to view the associated calls. Tabs shown: All Calls, User R-factor, Network R-factor, Jitter, RTCP Jitter, Dropped Packets, RTCP Dropped...]
• Summary Range Graphs: The Summary Range graphs provide a percentage breakdown of calls by key QoS metrics. Breakdowns are provided for Call Jitter, RTCP Jitter, Dropped Packets, RTCP Dropped Packets, Call Setup Time, Network R-factor, and User R-factor. Up to five ranges are allowed. The timing or packet-count ranges for each category can be configured by the user.
• All Calls Table: The All Calls table provides a summary table of all calls discovered.
Also, the jitter calculation for Surveyor only measures network jitter. The application itself may implement a jitter buffer, which could make for further differences between the reported RTCP jitter and the jitter measured by Surveyor. The difference between the RTCP jitter and Surveyor-calculated jitter may provide some clues as to what is happening with calls where high jitter rates are disrupting network QoS.
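The channel table descriptions in this guide state that Surveyor calculates jitter with the formula in RFC 1889, so the network jitter figure can be reproduced from capture timestamps and RTP timestamps alone. The following is an added example, not Finisar code; the 8000 Hz RTP clock rate, the function names, and the packet timings are constructed assumptions.

```python
from typing import Iterable, NamedTuple, Tuple


class RtpArrival(NamedTuple):
    arrival_us: int      # capture timestamp of the packet, in microseconds
    rtp_timestamp: int   # 32-bit timestamp field from the RTP header


def signed32(delta: int) -> int:
    """Interpret a 32-bit difference as signed so timestamp wrap-around works."""
    delta &= 0xFFFFFFFF
    return delta - 0x100000000 if delta & 0x80000000 else delta


def interarrival_jitter(packets: Iterable[RtpArrival],
                        clock_rate_hz: int = 8000) -> Tuple[float, float]:
    """Return (latest, maximum) interarrival jitter in milliseconds.

    RFC 1889, section 6.3.1, with R the arrival time and S the RTP
    timestamp, both expressed in RTP timestamp units:
        D(i-1, i) = (R_i - R_{i-1}) - (S_i - S_{i-1})
        J         = J + (|D(i-1, i)| - J) / 16
    """
    jitter = 0.0
    max_jitter = 0.0
    prev = None
    for pkt in packets:
        if prev is not None:
            arrival_delta = (pkt.arrival_us - prev.arrival_us) * clock_rate_hz / 1_000_000
            send_delta = signed32(pkt.rtp_timestamp - prev.rtp_timestamp)
            d = arrival_delta - send_delta
            jitter += (abs(d) - jitter) / 16.0
            max_jitter = max(max_jitter, jitter)
        prev = pkt
    to_ms = 1000.0 / clock_rate_hz       # timestamp units -> milliseconds
    return jitter * to_ms, max_jitter * to_ms


# Constructed stream: 20 ms audio frames at 8000 Hz (160 timestamp units each).
# The fourth packet is held up 10 ms in the network; later packets are on time.
SAMPLE_STREAM = [
    RtpArrival(0, 0),
    RtpArrival(20_000, 160),
    RtpArrival(40_000, 320),
    RtpArrival(70_000, 480),
    RtpArrival(80_000, 640),
    RtpArrival(100_000, 800),
]

if __name__ == "__main__":
    latest, peak = interarrival_jitter(SAMPLE_STREAM)
    print(f"jitter now {latest:.3f} ms, maximum {peak:.3f} ms")
```

Because the estimator is fed only by arrival times at the capture point, it reflects network delay variation up to that point and nothing about the receiver's jitter buffer, which is the distinction drawn above.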
Configuring Multi-QoS
The configuration performed from the Configuration tab is described below:
• Refresh Options (MQoS Window Management): By default, Multi-QoS tables are refreshed when you re-open any window containing a table. However, there may be instances where you want to compare data in the same table at different times. For this purpose, Multi-QoS provides an option to create a new window each time you view the data. To create new windows, click on the radio button on the right.
Setting this value to a high number may help in identifying a wider range of calls, but may also decrease performance. The default setting is recommended unless you are trying to identify as many non-standard or partial calls as possible.
Multi-QoS Performance Optimization
Real-time monitoring of calls is supported, but the utilization of the network will greatly affect the calls that you see in the Multi-QoS tables. The monitor function can record all calls at 10 Mbps.
All Calls Table
The All Calls table provides a summary table of all calls discovered. An example of the All Calls table is shown below. The buttons to the left of the table allow you to filter the call data. You can display only the calls that use a specific protocol or those that use an unknown protocol. You can also display completed calls only and/or incomplete calls only.
Figure 11-3. Multi-QoS All Calls Table
Buttons in the All Calls Table are described below.
Field Descriptions for All Calls Table
The following table provides brief descriptions of all fields in the All Calls table.
Table 11-1. All Calls Table Field Descriptions
Table Column | Description
Protocol | H.323, SCCP, SIP, or UNKNOWN. A protocol type of UNKNOWN means that Surveyor recognizes media packets but does not recognize related signaling packets for a call.
Call Range Graphs and Summaries
Each tab in the interface except the utilization and configuration tabs brings up a range breakdown of calls using the selected metric.
Call Jitter, Call RTCP Jitter, Call Setup Time
Figure 11-4 shows an example of the Call Jitter tab in the Multi-QoS View window. Double-click on a section of the bar or pie graph to see a table of calls for the selected jitter range.
Ranges for the graph can be changed. An example configuration screen for setting Call Jitter ranges is shown below. All values are in milliseconds.
Figure 11-5. Multi-QoS Configuration, Call Jitter Ranges
The default ranges for Call Jitter, Call RTCP Jitter, and Call Setup Time are shown in the table below.
Table 11-2.
Dropped Packets, RTCP Dropped Packets
Figure 11-6 shows an example of the Dropped Packets tab in the Multi-QoS Properties window. Click on a section of the bar or pie graph to see a table of calls for the selected dropped packets range. Click on the “pencil” button to change the ranges for dropped packets in the graph. RTCP Dropped Packets displays and configuration are identical to those for Dropped Packets.
Figure 11-6.
An example configuration screen for setting Dropped Packet ranges is shown below.
Figure 11-7. Multi-QoS Configuration, Packets Dropped
The default ranges for Packets Dropped and RTCP Packets Dropped are shown in the table below.
Table 11-3.
Field Descriptions for Call Range Summaries
The following tables provide brief descriptions of all table columns for call range summaries. Only the metric of interest will be displayed in the table. For example, if you are looking at calls in a specific range for Call Jitter, RTCP Jitter and other metrics will not be displayed.
Table 11-4. Call Range Summary Field Descriptions
Table Column | Description
Protocol | H.323, SCCP, SIP, or Unknown.
VQMon Metrics
There are a variety of objective factors that contribute to call quality. Some of these factors, such as packet loss or packet delay variation (jitter), are reported in other Multi-QoS graph summaries. However, these individual measurements do not tell a complete story and do not attempt to quantify user perceptions of voice quality.
Table 11-5. Voice Quality, R-factors, and MOS Range
Desirability Scale | R-factor Range | MOS Range
Desirable | 94 - 80 | 4.4 - 4.0
Acceptable | 80 - 70 | 4.0 - 3.6
Reach Connection | 70 - 50 | 3.6 - 2.6
Not Recommended | 50 - 0 | 2.6 - 1
If you would like more detailed information about how R-factors are calculated, please call Finisar customer support. The R-factors used in Multi-QoS extend the ITU standard E Model for estimating transmission quality.
Figure 11-9. Multi-QoS Configuration, R-factor Ranges
The default ranges for Network R-factor and User R-factor are shown in the table below.
Table 11-6.
Utilization Graph
When selected in Monitor mode, Multi-QoS displays the Utilization tab. The utilization graph provides a view of total bandwidth utilization and Multi-QoS bandwidth utilization over time. The utilization for VoIP services is compared to total utilization and total bandwidth. An example utilization graph is shown below.
Figure 11-10. Multi-QoS Utilization Graph Example
The utilization is calculated after Surveyor has decoded packets.
Field Descriptions for Call Details
To view all details for any call, double-click on any call summary (row) in a call summary table. The Call Detail window appears showing all call fields for the selected call. An example Call Detail window for an H.323 call is shown below:
Figure 11-11. Example Call Details Window (H.323)
Click on View Channel Details to view channels for this call. Click on Single Call Display Filter to filter out all packets except the packets of this call.
The following tables provide brief descriptions of all fields in the Call Detail window for SCCP, H.323, or SIP calls.
Table 11-7. SCCP Call Field Descriptions
Table Column | Description
FID | Frame ID of the first frame from which the conversation was detected. This field is useful when doing post capture analysis. If there is a need for in-depth analysis of a specific call, the first frame associated with the call can be quickly determined.
Table 11-8. H.323 Call Field Descriptions
Field Name | Description
Frame ID | Frame ID of the first frame from which the conversation was detected. This field is useful when doing post capture analysis. If there is a need for in-depth analysis of a specific call, the first frame associated with the call can be quickly determined.
Source Reference Value | The Call Reference Value for the conversation used by H.225.0 on the source side.
Table 11-9. SIP Call Field Descriptions
Field Name | Description
FID | Frame ID of the first frame from which the conversation was detected. The frame ID of the first INVITE message.
Caller | SIP URL or other URI of the caller. The addr-spec in the “From” parameter.
Caller Name | Display name of the caller. The display name in the “From” parameter, if it exists.
Caller Tag | The tag of “From”, if it exists.
Table 11-10. UNKNOWN Call Field Descriptions
Field Name | Description
FID | Frame ID of the first frame from which the conversation was detected. The frame ID of the first INVITE message.
Caller Address | The IP address of the initiator of the call.
Callee Address | The IP address of the receiver of the call.
Start Time | Time at which the call was started, i.e. the time of the first INVITE message of the call.
Stop Time | Time at which the call was complete.
Channel Table Details
Figure 11-12. Channel Table Example
Table 11-11 and Table 11-12 describe the columns in the table for each protocol. H.323, SIP, and UNKNOWN channel tables are the same.
Table 11-11. H.323, SIP, or UNKNOWN Channel Table Column Descriptions
Table Column | Description
Channel | Channel type, Audio, Video, or Data.
Min User R Factor | The lowest User R-factor calculated during a sampling interval for a call.
User R Factor | Voice quality measure expressed as a numeric value between 0 and 94. The value is calculated by Surveyor.
Table 11-11. H.323, SIP, or UNKNOWN Channel Table Column Descriptions (continued)
Max Jitter (ms) | Maximum Jitter in milliseconds. The value is calculated by Surveyor. Surveyor uses the formula described in RFC 1889 to calculate jitter.
Low Seq Num | Lowest Sequence Number. Lowest RTP sequence number seen.
High Seq Num | Highest Sequence Number. Highest RTP sequence number seen.
RTCP Packet Count | Real-time Transport Control Protocol (RTCP) Packet Count.
Table 11-12. SCCP Channel Table Column Descriptions
Table Column | Description
Channel | Channel type, Audio, Video, or Data.
Min User R Factor | The lowest User R-factor calculated during a sampling interval for a call.
User R Factor | Voice quality measure expressed as a numeric value between 0 and 94. The value is calculated by Surveyor. Surveyor uses a formula that includes packet loss, jitter, transmission delay, and recency to determine the User R-factor.
Table 11-12. SCCP Channel Table Column Descriptions (continued)
Low Seq Num | Lowest Sequence Number. Lowest RTP sequence number seen.
High Seq Num | Highest Sequence Number. Highest RTP sequence number seen.
Filtering on Single Channels
You can filter on channels within a single call. For the Channel View table, the filter menu available with the right-mouse click depends on the channel you select.
Customizing Multi-QoS Table Displays
You can customize the display of table information for Multi-QoS to include or exclude Multi-QoS fields from the All Calls, Summary Range, or Channel table displays. To change the view options, the table type you want to change must be in the foreground. For example, to change the fields that display in the All Calls table, the All Calls table must display in the foreground.
Customizing Channel Tables
The channel table is different for each call type, H.323, SIP, or SCCP. The channel table fields for each call type can be customized. Select Multi-QoS Views from the Monitor Views or Capture Views menu. Select a single call, and from the Call Detail window select View Channel Details to bring up the Channel table. Select View Options... from the View menu. Check the boxes for all fields you want to include in the table display.
Exporting Multi-QoS Data
You can export Multi-QoS tables to CSV format. Multi-QoS data in .csv format can be imported to many spreadsheet and database applications like Microsoft Excel or to your own application, allowing you to display or report data. CSV is a comma-delimited text format used by many applications to import/export text data. The order of the fields in the exported files is essential to proper interpretation of the data.
Exporting a Single Multi-QoS Table to CSV Format
Perform these steps to export the current Multi-QoS table to CSV format.
1. Select the view you want to export. If you already have the desired view open, click the window to make it the currently selected view. The table can be a range summary table, the detail view fields for a single call, the channel table for a selected call, or the all calls table.
2. Choose Export... from the File menu.
3.
Chapter 12 Counters
Surveyor provides sophisticated counters to enable you to precisely monitor network activity. Surveyor features three types of counters at the MAC layer: Packet Counters, Custom Counters, and Error Counters. When the MAC Statistics window is in Capture mode, you can use all three types of counters. When the MAC Statistics window is in Transmit mode, custom counters are not relevant and do not appear in the MAC Statistics window.
The following packet counters are supported:
• Total Frames
• Broadcast Frames
• Multicast Frames
• Unicast Frames
• Error Frames
• Total Bytes Received
• A breakdown of the total number of error frames is provided by the error counters.
Custom Counters
Custom counters are user-defined counters established in capture filters.
Error Counters
Table 12-2. Alphabetical List and Descriptions of Ethernet Error Counters (continued)
Fragments | The total number of packets received that were less than 64 octets and had either an FCS/CRC error or an Alignment Error.
Jabbers | The total number of packets that were received that were longer than 1518 octets and had either an FCS/CRC error or an Alignment Error.
Table 12-3 contains an alphabetical list, with descriptions, of Surveyor’s Token Ring error counters.
Table 12-3. Alphabetical List and Descriptions of Token Ring Error Counters
Token Ring Counter | Description
Abort Delimiter | Records events where a reporting Ring Station encounters recoverable internal errors, forcing it to transmit an Abort Delimiter frame.
Expert Counters
Expert counters count the number of Expert events discovered by Surveyor’s expert logic. Some counters are used in the Expert Alarm editor and some display in the Overview Table of Expert View. See the Expert Systems chapter for more information on expert counters. The following table contains an alphabetical list, with descriptions, of Surveyor’s expert counters.
Table 12-4.
Table 12-4. Alphabetical List and Descriptions of Expert Counters (continued)
Counter Type | Description
ICMP Destination Unreachable | The number of ICMP destination unreachable errors over a period of time per segment.
Table 12-4. Alphabetical List and Descriptions of Expert Counters (continued)
Counter Type | Description
Overload Utilization Percentage | Counts bits over time and compares this value to the maximum utilization possible (bandwidth).
No HTTP POST Response | The number of no HTTP POST responses over a period of time per segment.
No Server Response | The number of no server responses over a period of time per segment.
Physical Errors | The number of Physical Error events.
Table 12-4. Alphabetical List and Descriptions of Expert Counters (continued)
Counter Type | Description
TCP/IP Repeat Ack | The number of TCP/IP Repeat Ack events over a period of time per segment.
TCP/IP Retransmissions | The number of TCP/IP Retransmissions over a period of time per segment.
TCP/IP RST Packets | The number of TCP/IP RST Packets over a period of time per segment.
TCP/IP SYN Attack | The number of TCP/IP SYN Attack events.
Multi-QoS Counters
Multi-QoS counters count the number of packet events discovered by Surveyor’s Multi-QoS plug-in. The following table contains an alphabetical list, with descriptions, of the counters used in the Multi-QoS plug-in.
Table 12-5. Alphabetical List and Descriptions of Multi-QoS Counters
Counter Type | Description
Byte Count (BC) | The number of bytes associated with a Multi-QoS channel.
Log Directory Structure
The following is the directory structure for log files. The root directory is the installation directory for Surveyor.
(root)\log\local\module_1    (directory for module 1)
    module_1.csv             (log file for module 1)
    \history                 (history directory for module 1)
        mmddhhmm.ss          (first history file for module 1)
        mmddhhmm.ss          (second history file for module 1)
        mmddhhmm.ss          (third history file for module 1)
(root)\log\local\module_2    (directory for module 2)
    module_2.
Chapter 13 Utilities
Surveyor includes the following utilities to enhance your ability to manage your Ethernet, Token Ring, or Fast Ethernet network. The utilities are briefly described in the table below:
Table 13-1. Ethernet and Fast Ethernet Network Management Utilities
Utility | Description
Name Table | Provides associations between symbolic names and network addresses.
NIS-to-Name-Table | Converts an NIS name table on a UNIX system to Surveyor format.
Name Table Utility
A name table provides associations between easy-to-remember symbolic names (Mickey) and hard-to-remember network addresses (0x78AB00004235). Surveyor and Finisar analyzer devices learn names automatically by viewing the network portion of DNS, SAP, and NetBIOS packets. A default name table is supplied by Surveyor containing well-known name-to-address associations. You can change the default name table.
Figure 13-1. Example Name Table Dialog Box
There are several options you can set for the display and recording of name table entries. Options are set by pressing the Settings… button to bring up the Name Table Settings dialog box. To learn all addresses, select the Learn Addresses check box in the Name Table Settings dialog box. Surveyor will enter all new addresses.
Surveyor User’s Guide Name tables are limited to 5,000 entries. The Maximum Number of Entries field in the Name Table Settings dialog box must be at least 100 and no more than 5,000. For remote resources, Surveyor uses names learned from remote as well as local resources when displaying capture or monitor views. A local copy of the remote name table is updated at a specified time interval. The time interval for refreshing the remote name table is set in the Configuration menu of Surveyor.
NIS-to-Name Table Conversion Utility
The NIS2NAM.SH utility converts an NIS name table on a UNIX system to the name table format used by Surveyor. It provides a method of creating a Surveyor name table with addresses and associated symbolic names without having to reenter information. NIS2NAM.SH is installed in the ...\scripts directory. It is a UNIX shell script, designed to run under a Bourne shell. To use the conversion utility, copy the NIS2NAM.
Sniffer™ Translator Utility
Translators convert captured data back and forth between Surveyor capture file format (.cap files) and Sniffer uncompressed trace format (.enc or .trc files). Capture files are stored in ‘Snoop’ format, compliant with RFC 1761. Capture files include extensions that provide additional information fields not found in RFC 1761. Start a translator by selecting one of the following options from the Tools menu.
Table 13-2.
• Capture memory size
• Error counters supported
• MAC address
• Module type
• Buffer size
• Vendor name
• Error counters supported
Convert Capture Files to Histogram Files
The convert capture files utility allows you to convert capture files to histogram files. Files must be in histogram format to be viewed with the histogram. All new captures made by Surveyor are automatically created as histogram files.
Extract Frames From a File Using a Filter
This utility allows you to extract frames from existing capture files, using a filter to select the frames you want. To extract frames from capture files, do the following:
1. After capture is complete and the capture buffer is saved to a file, select Extract Frames From File Using Filter… from the Tools menu.
2. In the dialog box, specify the name of the capture file to extract from in the Input File field.
3. Press the Load/Change Filter button.
To export packet decode information, do the following:
1. Set the Summary Pane of the Capture View window to display the protocol decode information you want to export. For example, packets numbered -0004 through 0013.
2. Select a packet within the window.
3. Press the button. A window displays containing the protocol decode data that was visible in the summary pane of the Capture View window.
4. Select the data you want from the window and press Ctrl + C.
5.
networks. Surveyor exports data into a special .csv file format that can be easily read by the Optimal Performance product. Perform the following steps to export data to Optimal Performance format:
1. Select Application Layer Matrix from the Monitor View or Capture View menus.
2. Select the Table tab to view the data in tabular format.
3. Choose View Options from the View menu.
5. Switch to the previously opened Charts window. To change windows, pull down the Windows menu and click on Charts.
6. Click cell A1 of Data Sheet in the Charts window, the cell in the top-left corner of the worksheet.
7. Use Paste from the Edit menu or Ctrl + V to paste the data into the worksheet named Data Sheet.
8. Select one of the names on the bottom tabs to see a graph. Twelve graphs and one spreadsheet showing computed data are available.
Appendix A
Implementation Profile
Buffers
Three types of buffers are essential to the execution of Surveyor’s features:
Table A-1. Buffer Types Used By Surveyor
Buffer Type | Description
Real-Time (Monitor) Buffer | A real-time buffer provides the transient data storage area for on-the-fly frame analysis which, in conjunction with MAC statistics and error counters, produces real-time LAN analysis and monitoring information. Data captured from the network is copied to this area after filtering.
Table A-2. Resource Use of Buffers
Resource | Buffer Usage
THGm (Ten/Hundred/Gigabit module) | THGm is a high speed network analyzer card with a single on-board buffer. THGm supports full line-speed capture or for RJ45 10/100 Mbps Ethernet or Gigabit Ethernet. Filtering and all other Surveyor features are supported on THGm modules. The entire THGm buffer can be allocated for capture, monitor, or transmit functions.
Hardware Dependencies
The tables that follow in this section list functions supported by Surveyor that have hardware dependencies.
Table A-3.
Table A-5.
About NDIS Mode
Surveyor in NDIS mode uses an NDIS driver and interfaces to a variety of network adapters. All basic capture, transmit, and monitor functions are the same in NDIS mode. However, it is not recommended that an NDIS module be used to transmit packets; the transmit rate is likely to fall below the specified transmission rate and transmission of error packets is not supported.
NDIS Configuration Options
Setting the Interface
The Interface and Interface Mode options are grayed on the Module menu when an NDIS module is the currently selected module. The Identify option on the Module menu is grayed and does not function when the current module is an NDIS module.
Set Capture Buffer and Packet Slicing Size
The capture buffer memory size can be set in increments that double from 64K to 16MB.
Appendix B
Pre-Defined Filter Templates
Filter Templates
All filter templates supplied with Surveyor are described below. Templates are defined by an offset(s) and a value(s). These templates can be used in a capture or display filter to capture or display common protocol packets. An OR in the Offset column indicates that the associated value will cause the frame to be captured/displayed if the value is found in either offset.
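The offset/value matching described above, as an added Python example that is not part of the Surveyor guide or Finisar code. It shows how dotted DEC values expand to bytes and that fixed offsets only line up on untagged Ethernet II frames carrying a 20-byte IPv4 header. The template rows are taken from Tables B-1 to B-4 of this appendix; ANDing the rows of one template, the function names, and the constructed frames are assumptions of the example.

```python
import struct

# Rows copied from Tables B-1 to B-4 of this appendix. A template is a list of
# conditions; a condition is a list of (offset, value) alternatives.
# Assumption of this example: conditions are ANDed, alternatives are ORed.
TEMPLATES = {
    "ARP": [[(12, "HEX 0806")]],
    "ICMP": [[(12, "HEX 0800")], [(23, "HEX 01")]],
    "DNS (UDP)": [[(12, "HEX 0800")], [(23, "HEX 11")],
                  [(34, "DEC 0.53"), (36, "DEC 0.53")]],
    "DHCP": [[(12, "HEX 0800")], [(23, "HEX 11")],
             [(34, "HEX 00440043"), (34, "HEX 00430044")]],
    "Q.931": [[(12, "HEX 0800")], [(23, "HEX 06")],
              [(34, "DEC 6.184 (1720)"), (36, "DEC 6.184 (1720)")]],
}


def parse_value(spec):
    """Convert a Value cell to bytes.

    'HEX 0800' is a hex string. 'DEC 6.184' is one decimal number per byte,
    so it becomes 06 B8, which is port 1720 in network byte order.
    """
    kind, _, body = spec.partition(" ")
    body = body.split("(")[0].strip()  # drop an annotation such as "(1720)"
    if kind == "HEX":
        return bytes.fromhex(body)
    if kind == "DEC":
        return bytes(int(part) for part in body.split("."))
    raise ValueError(f"unsupported value notation: {spec!r}")


def matches(frame, template):
    """True when every condition has at least one alternative present in frame."""
    for alternatives in template:
        hit = False
        for offset, spec in alternatives:
            value = parse_value(spec)
            # Slicing past the end of a short frame yields fewer bytes: no match.
            if frame[offset:offset + len(value)] == value:
                hit = True
                break
        if not hit:
            return False
    return True


def matching_templates(frame):
    """Names of all templates in TEMPLATES that match the frame, sorted."""
    return sorted(name for name, tpl in TEMPLATES.items() if matches(frame, tpl))


def build_frame(proto, sport, dport, ip_options=b"", vlan_id=None):
    """Constructed Ethernet II / IPv4 test frame (checksums left at zero).

    Only the fields the templates inspect are meaningful: EtherType at 12,
    IP protocol at 23, and the source and destination ports.
    """
    if len(ip_options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # ports plus 4 filler bytes
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(l4),
                     0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        eth += b"\x81\x00" + struct.pack("!H", vlan_id)  # 802.1Q tag shifts offsets by 4
    return eth + b"\x08\x00" + ip + l4


if __name__ == "__main__":
    samples = [
        ("DNS query, UDP 40000 -> 53", build_frame(17, 40000, 53)),
        ("DHCP client, UDP 68 -> 67", build_frame(17, 68, 67)),
        ("Q.931, TCP 40000 -> 1720", build_frame(6, 40000, 1720)),
        ("DNS query with 802.1Q tag", build_frame(17, 40000, 53, vlan_id=10)),
        ("DNS query with 4 bytes of IP options",
         build_frame(17, 40000, 53, ip_options=b"\x01" * 4)),
    ]
    for label, frame in samples:
        print(f"{label}: {matching_templates(frame)}")
```

The last two constructed frames carry the same DNS query as the first but match no template, so a capture filter built only from fixed offsets will not collect that traffic on tagged links or when IP options are present.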
Table B-1. Surveyor Filter Templates, Ethernet EV2
Filter Template | Description | Offset | Value | No. of Filters Used
AppleTalk | Collect all AppleTalk packet types embedded in Ethernet Version II frames. | 12 | HEX 809B | 1
ARP | Collect all ARP packet types embedded in Ethernet Version II frames. | 12 | HEX 0806 | 1
DECNET Phase IV | Collect all DECNET packet types embedded in Ethernet Version II frames.
Table B-2. Surveyor Filter Templates, IP and IPX over Ethernet EV2
Filter Template | Description | Offset | Value | No. of Filters Used
EIGRP | Collect all frames where EIGRP is embedded in Ethernet II frames. | 12; 23 | HEX 0800; DEC 88 | 1
ICMP | Filter template for collecting all PING activity. | 12; 23 | HEX 0800; HEX 01 | 1
IGMP | Filter template for collecting all IGMP activity.
Table B-2. Surveyor Filter Templates, IP and IPX over Ethernet EV2 (continued)
Filter Template | Description | Offset | Value | No. of Filters Used
RIP (IPX) | Collect all frames with a RIP port in IPX packet types embedded in Ethernet II frames. | 12; 30 OR 42 | HEX 8137; HEX 0453; HEX 0453 | 2
RSVP | Collect all frames where RSVP is embedded in Ethernet II frames. | 12; 23 | HEX 0800; DEC 46 | 1
SAP (IPX) | Collect all frames with a SAP port in IPX packet types embedded in Ethernet II frames.
Table B-3. Surveyor Filter Templates, TCP/IP over Ethernet EV2
Filter Template | Description | Offset | Value | No. of Filters Used
DNS (TCP) | Collect all frames with a DNS port when TCP is embedded in an Ethernet II frame. | 12; 23; 34 OR 36 | HEX 0800; HEX 06; DEC 0.53; DEC 0.53 | 2
FTP | Collect all frames with an FTP port when TCP is embedded in an Ethernet II frame. | 12; 23; 34 OR 36 | HEX 0800; HEX 06; DEC 0.21; DEC 0.
Table B-3. Surveyor Filter Templates, TCP/IP over Ethernet EV2 (continued)
Filter Template | Description | Offset | Value | No. of Filters Used
Q.931 | Collect all frames with a Q.931 port when TCP is embedded in Ethernet II frames. | 12; 23; 34 OR 36 | HEX 0800; HEX 06; DEC 6.184 (1720); DEC 6.184 (1720) | 2
SCCP | Collect all frames with an SCCP port when TCP is embedded in an Ethernet II frame.
Table B-4. Surveyor Filter Templates, UDP/IP over Ethernet EV2
Filter Template | Description | Offset | Value | No. of Filters Used
DHCP | Collect all frames with a DHCP port when UDP is embedded in an Ethernet II frame. | 12; 23; 34 OR 34 | HEX 0800; HEX 11; HEX 00440043; HEX 00430044 | 2
DNS (UDP) | Collect all frames with a DNS port when UDP is embedded in an Ethernet II frame. | 12; 23; 34 OR 36 | HEX 0800; HEX 11; DEC 0.53; DEC 0.53 | 2
H.323-GD | Collect all frames with an H.
Table B-4. Surveyor Filter Templates, UDP/IP over Ethernet EV2 (continued)
Filter Template | Description | Offset
NTP | Collect all frames with an NTP port when UDP is embedded in Ethernet II frames. | 12; 23; 34
RIP (UDP) | Collect all frames with a RIP port when UDP is embedded in Ethernet II frames. | 12; 23; 34 OR 36
RTCP | Collect all frames with an RTCP port when UDP is embedded in Ethernet II frames.
Table B-5. Surveyor Filter Templates, Ethernet LLC/Novell
Filter Template | Description | Offset | Value | No. of Filters Used
DSAP | Template for setting the LLC destination address point. | 14 | HEX XX | 1
IEEE_802.1D | Template for collecting IEEE-802.1D packets. | 14 | HEX 4242 | 2
NetBEUI | Template for collecting NetBEUI packets. | 14 | HEX F0F0 | 2
Novell | Collect Novell frames. | 14 | HEX E0E0 | 1
NMPI | Collect packets with NMPI ports embedded in Novell frames.
Table B-6. Surveyor Filter Templates, Ethernet SNAP
Filter Template | Description | Offset | Value | No. of Filters Used
SNAP | Collect SNAP frames. | 14 | HEX AAAA03 | 1
SNAP_AppleTalk | Filter template for collecting AppleTalk packet types embedded in Ethernet SNAP frames. | 14; 20 | HEX AAAA03; HEX 809B | 1
SNAP_ARP | Filter template for collecting ARP packet types embedded in Ethernet SNAP frames.
Table B-7. Surveyor Filter Templates, Ethernet ISL
Filter Template | Description | Offset | Value | No. of Filters Used
ISL_ARP | Filter template for collecting ARP packet types embedded in ISL frames. | 38 | HEX 0806 | 1
ISL_DNS (TCP) | Collect all frames with DNS ports when TCP is embedded in ISL frames. | 38; 49; 60 OR 62 | HEX 0800; DEC 06; DEC 0.53; DEC 0.53 | 2
ISL_EIGRP | Collect all frames where EIGRP is embedded in ISL frames.
Table B-7. Surveyor Filter Templates, Ethernet ISL (continued)
Filter Template | Description | Offset | Value | No. of Filters Used
ISL_LDAP | Collect all frames with LDAP ports when TCP is embedded in ISL frames. | 38; 49; 60 OR 62 | HEX 0800; DEC 06; DEC 1.133 (389); DEC 1.133 (389) | 2
ISL_MAC_DA_Broadcast | Collect all broadcast frames in ISL packets. | 26 | HEX FFFFFFFFFFFF | 1
ISL_MAC_DA_Multicast | Collect all multicast frames in ISL packets.
Table B-7. Surveyor Filter Templates, Ethernet ISL (continued)
Filter Template | Description | Offset | Value | No. of Filters Used
ISL_SMTP | Collect all frames with SMTP ports when TCP is embedded in ISL frames. | 38; 49; 60 OR 62 | HEX 0800; DEC 06; DEC 0.25; DEC 0.25 | 2
ISL_SSP | Collect all frames with SSP ports when TCP is embedded in ISL frames. | 38; 49; 60 OR 62 | HEX 0800; DEC 06; DEC 7.208 (2000); DEC 7.208 (2000) | 2
ISL_T.
Table B-8. Standard Filter Templates, Token Ring
Filter Template | Description | Offset | Value | No. of Filters Used
MAC_Active_Monitor_Present | Collect all Active Monitor Token Ring MAC frames. | 1; 17 | HEX 05; HEX 05 | 1
MAC_Beacon | Collect all Beacon Token Ring MAC frames. | 1; 17 | HEX 02; HEX 02 | 1
MAC_Change_Parameters | Collect all Change Parameters Token Ring MAC frames. | 17 | HEX 0C | 1
MAC_Claim_Token | Collect all “Claim Token” Token Ring MAC frames.
Table B-8. Standard Filter Templates, Token Ring (continued)
Filter Template | Description | Offset | Value | No. of Filters Used
MAC_Report_NAUM_Change | Collect all Report NAUM Change Token Ring MAC frames. | 17 | HEX 26 | 1
MAC_Report_New_Active_Monitor | Collect all Report New Active Monitor Token Ring MAC frames. | 17 | HEX 25 | 1
MAC_Report_Ring_Station_Address | Collect all Report Ring Station Address Token Ring MAC frames.
Table B-8. Standard Filter Templates, Token Ring (continued)
Filter Template | Description | Offset | Value | No. of Filters Used
MAC_Ring_Purge | Collect all Ring Purge Token Ring MAC frames. | 1; 17 | HEX 04
MAC_Standby_Monitor_Present | Collect all Standby Monitor Present Token Ring MAC frames. | 1; 17 | HEX 06; HEX 06 | 1
MAC_Transmit_Forward | Collect all Transmit Forward Token Ring MAC frames. | 17 | HEX 09 | 1
NON_MAC | Collect all non-MAC Token Ring frames.
Appendix C
Keyboard Shortcuts
Function Keys
Function keys perform different operations depending on the window from which they are used. A table of the function keyboard shortcuts is provided below:
Table C-1.
Standard and Navigational Keys
Function keys perform different operations depending on the window from which they are used. Tables of standard and navigational keyboard shortcuts are provided below:
Table C-2. Shortcut Keys from All Windows
Key(s) | Action
Alt + F4 | Close Window
Ctrl + O | Open
Ctrl + S | Save
Table C-3. Shortcut Keys from Summary View
Key(s) | Action
Ctrl + T | Start Module
Ctrl + P | Stop Module
Ctrl + R | Go to Detail View
Table C-4.
Table C-6.
Appendix D
Parser Names
Recognized Parser Names
The Parser Names recognized by Surveyor are organized by protocol suite in the following tables. Parser Names must be spelled exactly as shown when used in the ANALYSIS.INI file. See “Advanced Configuration” in the “Customizing Surveyor” chapter for information on using Parser Names.
Table D-1. Parser Names, DLC Suite
Parser Name | Protocol
ETHERNETV2 | Ethernet Version 2
IEEE8023 | IEEE 802.3 (RAW)
IEEE8022 | IEEE 802.
Table D-3.
Table D-5.
Table D-8. Parser Names, IBM Suite
Parser Name | Protocol Name
3270 | 3270 Terminal
NETBEUI | NetBIOS Extended User Interface
SNA | Server Network Architecture
XID | XID
Table D-9.
Table D-9. Parser Names, Internet Suite (continued)
Parser Name | Protocol Name
SGCP | Simple Gateway Control Protocol
SMTP | Simple Mail Transfer Protocol
SNMP | Simple Network Management Protocol (versions 1, 2, and 3)
SNMPTRAP | Simple Network Management Protocol Trap
SUNRPC | Sun’s Remote Procedure Call
TELNET | Remote Terminal Protocol
TFTP | Trivial File Transfer Protocol
TPKT | ISO Transport service over TCP
XDMCP | X Display Manager Control Protocol
XWIN | X Windows
Table D-10.
Table D-11. Parser Names, Netware Suite (continued)
Parser Name | Protocol Name
NBCAST | Netware Broadcast Message Protocol
NCP | Netware Core Protocol
NDS | Netware Directory Services
NLSP | Netware Link State Protocol
NMPI | Name Management Protocol
SAP | Service Advertising Protocol
SERIAL | Serialization Protocol
SPX | Sequenced Packet Exchanged
SPX2 | Sequenced Packet Exchanged Version 2 (use SPX)
WDOG | Netware Watch Dog Protocol
Table D-12.
Table D-14. Parser Names, H.323 Suite
Parser Name | Protocol Name
ASN.1 | Abstract Syntax Notation 1
H323GD | H.323 - Gatekeeper Discovery
H.225.0 | H.225.0 - Call Signaling Protocols
H245 | H.245 - Control Protocol For Multimedia Communication
H4501 | H.450.1 - Supplementary Services for Multimedia
Q921 | Q.921 - Call Signaling Protocol
Q931 | Q.931 - Call Signaling Protocol
H323RAS | H.323 - Gatekeeper Registration/Administration/Status
T120 | T.
Table D-16. Parser Names, Cisco IP Telephony Suite
Parser Name | Protocol Name
SSP | Skinny Station Protocol
SCCP | Skinny Client Control Protocol
RUDP | Reliable UDP
Table D-17. Parser Names, Other Multimedia
Parser Name | Protocol Name
MGCP | Multimedia Gateway Control Protocol (over TCP)
RTCP | Real-Time Transport Control Protocol
RTP | Real-Time Transport Protocol
SIP | Session Initiation Protocol
Table D-18.
Glossary
.CAP extension: File extension for all capture files.
.CFD extension: File extension for all capture filters.
.DFD extension: File extension for all view filters.
.NAM extension: File extension for all name tables.
.TSP extension: File extension for all transmit specifications.
Abort Delimiter: A counter that records events where a reporting Ring Station encounters recoverable internal errors, forcing it to transmit an Abort Delimiter frame.
Alarm Browser: A window used to list, select, and set alarms.
Alarm Falling Threshold: Falling threshold value to be compared to counter data. If the counter value or its delta value over time falls below the threshold, an alarm event is triggered.
Alarm Generation Type: Specifies whether the alarm is a rising, falling, or “rising or falling” type. Used when comparing the sampled value against the corresponding rising or falling threshold.
Application Response Time: The time required to establish a session with an application protocol, measured in milliseconds. Surveyor tracks average time, the shortest time, and the longest time required for connections to a protocol over the monitored network segment.
AVVID: Architecture for Voice, Video and Integrated Data. Cisco’s architecture for supporting integrated multimedia communications.
Capture Mode: The mode in which Surveyor receives network data and stores it in the Capture Buffer.
Capture View: A window for viewing and decoding network packets saved to a file or in the capture buffer.
Captured Frames: Frames stored within Surveyor’s capture buffer.
Century 12-Tap: A fault-tolerant wiring device, available from Finisar, that can be inserted into twelve, full-duplex or half-duplex, 10 or 100 Mbps Ethernet links.
Detail View: The primary monitoring view for a single network resource. Multiple views of each resource can display in the Detail View.
Device: A single hardware device that provides data to Surveyor.
Display Filter Window: A window for defining display filters.
DRAM: Direct Random Access Memory.
Drop Events: A counter that shows the total number of events in which packets were dropped by the probe due to lack of resources.
Expert View: Surveyor data view showing expert symptoms and expert counters for a time period.
Fragments: A counter showing the total number of packets received that were less than 64 octets and had either an FCS/CRC error or an Alignment Error.
Fast Ethernet: IEEE 802.3 compliant MII (Media Independent Interface) network. Capable of speeds up to 100 Mbps.
Frame: Sequence of contiguous bits bracketed by and including beginning and ending flag sequences.
Host: A computer upon which a particular program or resource is located. In the context of Surveyor, the host is the computer upon which the Surveyor program is running.
IF Statement: First statement for a level in a filter. Specifies conditions and actions. Use the IF statement dialog box to create a condition filter comprised of filter elements and operators, and to specify the actions to take if the condition filter is satisfied.
Mode of Operation: Defines the current relationship between Surveyor and a resource. Surveyor can transmit data from a resource (transmit), receive data from a resource (capture), view a resource (monitor), or view and receive data from a resource simultaneously (monitor + capture).
Module: A hardware device attached to the network that can be used by Surveyor software to perform LAN analysis and monitoring functions.
NIS: Name Information Service.
Oversize: A counter showing the total number of packets received that were longer than 1518 octets and were otherwise well formed (good FCS).
Overview Table: Table in Surveyor’s Expert system that lists all counters for expert events discovered over time.
Packet: A sequence of digits including data and control signals that is switched as a composite whole. Data, control signals, and error control information are arranged in a specific format.
Packet Type: The type of packet sent in transmission mode. Packet types are IP, IPX, ARP, and AARP, or any other type specified by the user. It can also be the packet length field for 802.2 and SNAP frames.
Pause: Stop the continuous update of the data when viewing any resource.
Portable Surveyor 10/100 Ethernet Analyzer Card: Portable Surveyor 10/100 Ethernet Analyzer Card is an adapter/analyzer card for 10/100 Ethernet networks in a portable PC environment.
Root Statement: The first statement in all capture filters. Specifies global variables and global values.
SA: Source address. MAC-level station address of where a frame is coming from.
SCCP: Skinny Client Control Protocol. The Skinny Client messaging system provides a means of establishing, controlling, and clearing information between a device that resembles a PBX digital telephone and H.323 clients. It provides a relatively low cost means to construct an IP phone.
THGm (Ten/Hundred/Gigabit module): A hardware device available from Finisar that allows the capture/transmit of network data at full line rate and supports real-time monitoring functions for 10/100/1000 Ethernets. The THGm card is for use with 1000BASE-SX, 1000BASE-LX, and potentially other types of gigabit networks. The 1000Mbps network interface for THGm is a removable G-BIC interface connector. THGm also supports 10/100 copper-wire networks.
Traffic Rate: When transmitting from Surveyor, a percentage of the maximum capacity of the network to carry packets.
Transmit Mode: One of the modes for using Surveyor. In transmit mode, data streams loaded are transmitted on the network when the resource is started.
Transmit Specification: A definition of packets to be transmitted on the network by Surveyor.
Tx Attempt Counter: A counter of the number of transmission attempts that have failed.
Voice over IP (VoIP): Industry term for the carrying of voice traffic over the Internet Protocol. This term is sometimes used more broadly to indicate VoIP/Multi-Media communications via the H.323 or SCCP protocols.
WKP: Abbreviation for well known port, a known port address on the network.
Zero Window: Condition where the TCP/IP window size remains zero for all packets over a time period.