Transcend® Traffix™ Manager User Guide
Software version 3.0 for Windows NT®
http://www.3com.com/
Part No.
3Com Corporation 5400 Bayfront Plaza Santa Clara, California 95052-8145 Copyright © 1999 3Com Technologies. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Technologies.
CONTENTS

ABOUT THIS GUIDE
  How To Use The Traffix Manager Documentation
  Conventions
  Terminology Used in this Guide
  Related Documentation
  Documents
  Web Sites
  Documentation Comments
  Year 2000 Compliance

PART I GETTING STARTED WITH TRAFFIX MANAGER

1 TRAFFIX MANAGER OVERVIEW
  What to Read First
  Features of Traffix Manager
  How Does Traffix Manager Work?
  Strategy for New Users

2 LAUNCHING TRAFFIX MANAGER FOR THE FIRST TIME
  Installing RMON Agents on Your Network
  Launching the

PART II HOW TRAFFIX MANAGER WORKS

3 COLLECTING DATA
  How Traffix Manager Processes Collected Data
  RMON Overview
  Remote Monitoring
  RMON-2 Standard
  How Traffix Manager Discovers Network Devices Using RMON-2

4 GROUPING NETWORK DEVICES IN THE MAP
  Overview
  Attributes
  Predefined Attributes
  Groupings
  Predefined Groupings
  Creating and Assigning Attributes
  Creating Groups and Ordering Attributes

PART III RUNNING TRAFFIX MANAGER

5 LAUNCHING TRAFFIX MANAGER AFTER THE FI

7 DISPLAYING NETWORK TRAFFIC IN THE MAIN WINDOW
  Loading Network Traffic Data
  Working with Objects in the Main Window
  Displaying Object Information
  Searching for Objects
  Selecting and Deselecting Objects
  Locating Objects in the Map
  Displaying Network Traffic Data
  Displaying Connections Between Objects
  Displaying Connections To and From Objects
  Combining To and From and Between
  Removing and Hiding Traffic
  Protocols, Applications and Favorites
  Protocol Tools
  User-defi

10 VIEWING EVENTS
  Overview
  Viewing Events
  Filtering Events
  Summarizing Events
  Output of Events
  Viewing and Managing Selected Events
  Deleting Events
  Ignoring Devices or Connections
  Displaying an Event in the Map
  Displaying an Event in the Launch Graph Dialog Box
  Forwarding Events as SNMP Traps
  Integrating Traffix Manager SNMP Traps with HP OpenView

11 OVERVIEW OF REPORTING
  Overview
  Types of Report
  Report Instances
  Output
  Periods Covered by Reports
  Managin

12 REPORT TYPES
  Report Templates
  Activity Reports
  Top N Reports
  Connection Activity Report
  Device Activity Report
  Group Activity Report
  Segment Activity Report
  Top N Connections Report
  Top N Devices Report
  Top N Groups Report
  Top N Segments Report

PART IV APPENDICES AND INDEX

A TROUBLESHOOTING TRAFFIX MANAGER
  Troubleshooting Traffix Manager
  Troubleshooting Reports
  Diagnosing Reporting Problems

B DATABASE MANAGEMENT USING TRAFFIX CONTROL PANEL
  Over

C AGGREGATING DEVICES
  Overview
  Default Aggregation
  Specifying an Aggregation Policy

D USING THE SUBNETSDB FILE
  Using the SubnetsDB File
  How Subnet Grouping Works

E AUTOMATIC ATTRIBUTE ASSIGNMENT
  Overview
  Contents of the User-defined Attributes Configuration File
  File Format
  Performing Attribute Assignment
  Using the fileattrs Program
  Configuration File Format
  Running fileattrs
  How fileattrs Works
  Using the dblookup Program
  Lookup Database Stru

G CONFIGURING 3COM STANDALONE RMON-2 AGENTS
  Downloading Firmware to 3Com Standalone Agents
  Setting the Operational Mode on 3Com Standalone RMON-2 Agents

H DHCP
  How Traffix Manager Monitors DHCP Devices
  What Effect Do DHCP Devices Have On The Map?

I USING RMON-1 AGENTS
  Monitoring Network Segments Using RMON-1 Agents

J RMON AND SNMP TABLES RETRIEVAL
  SNMP Tables used by Traffix Manager

K TECHNICAL SUPPORT
  Online Technical Services
  World Wide Web Site
  3Com Knowledgebase
ABOUT THIS GUIDE

This guide describes Transcend® Traffix™ Manager version 3.0 for Windows NT. This application gathers, displays and analyzes enterprise-wide network traffic. Procedural information on how to perform all tasks using Traffix Manager, as well as context-sensitive information about each dialog box, is provided in the online help.

This guide is intended for network administrators. It assumes a working knowledge of local area network (LAN) operations.
Table 1 Where to find specific information (continued)

If you are looking for | Turn to
An overview of the RMON-1 and RMON-2 standards, and an introduction to how Traffix Manager uses RMON-2 agents to collect data from your network. | Chapter 3
Information on grouping devices to create views of your network in the Map. | Chapter 4
Procedures for launching Traffix Manager after the first time.
Table 1 Where to find specific information (continued)

If you are looking for | Turn to
Information about what’s new in this release of Traffix Manager. | Release Notes
A list of known problems in this release of Traffix Manager. | Release Notes

Conventions

Table 2 and Table 3 list conventions that are used throughout this guide.
Table 3 Text Conventions (continued)

Convention | Description
Words in italics | Italics are used to:
  ■ Emphasize a point.
  ■ Denote a new term at the place where it is defined in the text.
  ■ Identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK.

Terminology Used in this Guide

Refer to the Glossary at the end of this User Guide for definitions of terms.
RMON-2 Protocol Identifiers: http://www.it.kth.se/docs/rfc/rfcs/rfc2074.txt

Miscellaneous

List of third-party agents which are supported by Traffix Manager: http://www.3com.com/network_management/probe_interop
Links to network management information: http://snmp.cs.utwente.nl
Internet Engineering Task Force home page: http://www.ietf.cnri.reston.va.us
Network Management Resource Database: http://www.cforc.com/cwk/net-manage.
Year 2000 Compliance

For information on Year 2000 compliance and 3Com products, visit the 3Com Year 2000 Web page: http://www.3com.com/products/yr2000.
PART I GETTING STARTED WITH TRAFFIX MANAGER

Chapter 1 Traffix Manager Overview
Chapter 2 Launching Traffix Manager for the First Time
1 TRAFFIX MANAGER OVERVIEW

This chapter introduces you to Traffix™ Manager. It contains the following sections:
■ What to Read First
■ Features of Traffix Manager
■ How Does Traffix Manager Work?
■ Strategy for New Users

What to Read First

Chapters 1–5 contain a conceptual overview of the processes you need to follow in order to get to the stage where Traffix Manager is displaying network traffic data for analysis.
The Traffix Manager online help contains detailed procedural information on how to perform all tasks, and information about each application dialog box. The Traffix Manager Release Notes contain installation information, and a list of known problems with this release.
■ Industry standards — Traffix Manager supports the IETF RMON-2 standard, which enables information about network and application layer protocol communication patterns to be collected. See “RMON Overview” on page 37 for more information.
■ Open Database for Storage — Traffix Manager has a relational database as its core data repository, enabling easy management of large quantities of data collected from several monitoring points.

How Does Traffix Manager Work?
Figure 1 Traffix Manager Gathers Data from the Network
[Figure labels: Workstations running the Traffix Manager client display the collected data. Traffix Manager server processes the collected data. Dedicated & embedded RMON-1 & RMON-2 agents collect network data.]

The collected data is stored in the database, and checked against configured event rules to see whether a traffic event
Strategy for New Users

If you have just begun using Traffix Manager to monitor your network, you should do the following:
■ Set up a limited number of agents from which to collect data until you become familiar with the data collection process. Then you can configure other agents on your network. See “Configuring RMON-1 and RMON-2 Data Sources” on page 52 for more information.
2 LAUNCHING TRAFFIX MANAGER FOR THE FIRST TIME

This chapter provides information on launching Traffix™ Manager for the first time. Information on installing Traffix Manager is documented in the Release Notes which are shipped with this product.
Launching the Traffix Manager Server

There are two steps to launching Traffix Manager: you must launch the Traffix Manager server first and then launch the Traffix Manager client.

To launch the Traffix Manager server:

1 Select Programs from the Start menu, and open the directory in which you installed the Traffix Control Panel. The default path is: Start>Programs>Transcend Traffix Manager>Transcend Traffix Manager v3.0 Control Panel.
configuration of data sources, and take you to the point where traffic data is displayed in the main window.

The startup wizard first prompts you for the DNS domain(s) of those devices which you want to monitor in detail. Traffix Manager considers this specified DNS domain to be your “local network”. The wizard automatically defaults to specify the domain in which the management station is running, but you can make your own selection.
Figure 2 Traffix Manager Main Window

Stopping Traffix Manager

To stop a Traffix Manager client, click Exit on the File menu in the main window. To stop the Traffix Manager server, click Stop Server in the Traffix Control Panel. Stopping the server will exit all clients.
■ Map — Contains a graphical representation of the network, showing the hierarchy of objects and the traffic flowing between them.
■ Graph Panel — Shows the most significant network activity of the currently selected objects in graphical form. See Chapter 8, “Displaying Traffic in Graphs”, for further information about graphing.

Grouping of Objects

Within the Object List and the Map, objects are grouped in a hierarchy.
Table 4 Traffix Manager Main Window Menu Options (continued)

Menu | Option | Function
Display | Groupings... | Launches the Groupings dialog box, from which you can create, modify and delete groupings.
Display | Reload Attributes | Launches the Reload Attributes dialog box, from which you reload attributes for devices in the Map.
Table 4 Traffix Manager Main Window Menu Options (continued)

Menu | Option | Function
 | Zoom... | Launches a sub-menu in which you select from the following:
  ■ Zoom In — Zooms into area containing currently selected objects. If no objects are selected, the currently displayed area is magnified.
  ■ Zoom To — Zooms to selected objects, magnifying them in the Map as much as possible.
  ■ Zoom Out — Zooms out of area containing currently selected objects.
Table 4 Traffix Manager Main Window Menu Options (continued)

Menu | Option | Function
 | Index | Launches online help with the Index tab selected.
 | About | Launches the About Traffix Manager screen, giving the version name and numbers of the application.

See Chapter 7, “Displaying Network Traffic in the Main Window” for detailed information on working with objects in the main window.
PART II HOW TRAFFIX MANAGER WORKS

Chapter 3 Collecting Data
Chapter 4 Grouping Network Devices in the Map
3 COLLECTING DATA

This chapter describes how Traffix™ Manager collects data from your network. It contains the following sections:
■ How Traffix Manager Processes Collected Data
■ RMON Overview
■ How Traffix Manager Discovers Network Devices Using RMON-2

How Traffix Manager Processes Collected Data

Traffix Manager collects and correlates data from stand-alone and embedded RMON-1 and RMON-2 agents, from both 3Com and other vendors.
Figure 3 Collected Data is added to a Relational Database
[Figure labels: Map, Reporter, Collector, Relational database; RMON-2 and RMON-1 shown against the layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 MAC, 1 Physical.]

From the collected data, you can build up a picture of normal levels of network traffic and typical network usage.
RMON Overview

Traffix Manager supports all agents that are compliant with the Internet Engineering Task Force (IETF) Remote MONitoring Management Information Base Version 1 (RMON-1 MIB), defined in RFC 1757, and Version 2 (RMON-2 MIB), defined in RFCs 2021 and 2074.

The RMON standards bring the following advantages to network monitoring:
■ They provide an effective and efficient way to monitor the behavior of the entire LAN.
single segment. Traffix Manager uses RMON-2 functionality to build up a picture of communicating devices on the network and the traffic flowing between them, including network layer addresses and protocols seen.

For further information on RMON-1 and RMON-2, refer to the 3Com® RMON-1 and RMON-2 Backgrounder on the 3Com Web Site: http://www.3com.com/nsc/501305.html.
4 GROUPING NETWORK DEVICES IN THE MAP

This chapter contains the following sections:
■ Overview
■ Attributes
■ Groupings

Overview

With Traffix™ Manager, you can group devices in the Map according to your own criteria. You can view the use of your network by, for example, cost center, business unit, workgroup, business-critical connection or geographical location. You can then filter the display of traffic data further by selecting which protocols to display.
Attributes

To understand how Traffix Manager groups devices in the Map, it helps to be familiar with the concepts of attributes and groupings.

An attribute is a label for a piece of information about a device: for example, location or IP address. Traffix Manager has a number of predefined attributes; you can change these or add your own.
Table 5 Predefined Attributes (continued)

Name | Description
MAC Addr | Only devices which are in the same broadcast domain as the interface on an RMON-2 agent will have the MAC address attribute assigned to them. See “Assigning MAC Addresses” on page 42 for an example of this.
Vendor | The Vendor attribute is only assigned if the following criteria are met:
  ■ The MAC Address attribute is assigned (see above).
  ■ The MAC address matches a vendor prefix in the vendor.
Assigning MAC Addresses

When the client is first started, it tries to locate the Traffix Manager server through the use of a broadcast message. If the system on which the client is running is not in the same broadcast domain as the server, this broadcast message will fail, and the client will not be able to connect to the server. In order to solve this problem, you may tell the client explicitly where the server is.
The Map shows a hierarchical view of the devices in your network according to the selected grouping. If you select a Geographical grouping, for example, devices are grouped according to which country they are in. Within each country, devices may be grouped according to which city they are in. The hierarchy of groups in the Map corresponds to the order of attributes in the selected grouping.
a Add appropriate entries to the SubnetsDB configuration file. See Appendix D, “Using the SubnetsDB File”, for details.
b Either start a new database or use Reload Attributes... with Subnets checked to update the attributes of existing devices in the database.
c Create a new grouping using the following attributes (in the order given):
  ■ NL Type.
  ■ Subnet.
  ■ Deselect Collapse Redundant Grouping.
d Select this grouping.
Figure 5 Attributes dialog box

The Attributes dialog box displays, in rows, a list of selected devices on your network, and in columns, a list of available attributes. By default, devices currently selected in the Map are listed, with values for the attributes that apply to the selected grouping. If no devices are selected, the Attributes dialog box displays all devices that are loaded into the Map. You can choose to list the attributes for any grouping.
Figure 6 Groupings dialog box
PART III RUNNING TRAFFIX MANAGER

Chapter 5 Launching Traffix Manager After the First Time
Chapter 6 Configuring Agents for Data Collection
Chapter 7 Displaying Network Traffic in the Main Window
Chapter 8 Displaying Traffic in Graphs
Chapter 9 Using Event Rules
Chapter 10 Viewing Events
Chapter 11 Overview of Reporting
Chapter 12 Report Types
5 LAUNCHING TRAFFIX MANAGER AFTER THE FIRST TIME

This chapter provides information on how to launch Traffix™ Manager after the first time. It contains the following sections:
■ Launching the Traffix Manager Server
■ Launching a Traffix Manager Client
■ Client Access Levels

Launching the Traffix Manager Server

Start the Traffix server using the Traffix Control Panel. The Traffix Control Panel is also used for database administration.
To use a remote server, you must add the IP address of the machine running the server to the shortcut in the Start menu. To do so, follow these steps:

1 Select Settings from the Start menu, and then Taskbar...
2 In the Taskbar Properties dialog box, select the Start Menu Programs tab.
3 Click Advanced...
4 In the Exploring - Start Menu window, select the Traffix Manager Client icon.
6 CONFIGURING AGENTS FOR DATA COLLECTION

This chapter describes how to use Traffix™ Manager to identify and enable RMON agents on your network for data collection. It contains the following sections:
■ Supported RMON Agents and Interfaces
■ Finding Agents for Data Collection

See “RMON Overview” on page 37 for more information about RMON agents.

Supported RMON Agents and Interfaces

Traffix Manager supports all agents which implement all the relevant groups of RMON-1 and RMON-2 standards.
Finding Agents for Data Collection

The agents used may be devices with RMON-1 or RMON-2 embedded within them, such as switches or hubs, or they may be dedicated stand-alone RMON probes. You can search for compatible agents from the startup wizard and from the Configure Agents dialog box.

There are two ways of finding agents on your network:
■ You can ask Traffix Manager to search your network automatically for compatible agents.
To enable you to manage large numbers of collection agents, agent folders can be created in the tree and the agents dragged and dropped into them.

Adding and Editing Agents

From the Configure Agents dialog box you can use Traffix Manager to automatically find agents on your network, or you can add agents yourself. You can then add these new agents to the list in the agent tree.
Viewing Agent Statistics

You can view the statistics of a selected agent from the Agent Statistics dialog box. This dialog box displays various statistics related to SNMP communication with the agent. Refer to the online help for more detailed information about the Agent Statistics dialog box.

Polling for Data Collection

Traffix Manager collects data periodically once compatible RMON-1 and RMON-2 agents have been located on your network.
Traffix Manager. See Appendix G for more information about setting the mode on 3Com standalone RMON-2 agents.
7 DISPLAYING NETWORK TRAFFIC IN THE MAIN WINDOW

This chapter contains the following sections:
■ Loading Network Traffic Data
■ Working with Objects in the Main Window
■ Displaying Network Traffic Data
■ Protocols, Applications and Favorites
■ Device Aggregation

Before you can display traffic data, you need to use Traffix™ Manager to collect it from your network. To find out if there is data already collected, open the Load Traffic dialog box from the File menu.
Figure 7 Load Traffic dialog box

Working with Objects in the Main Window

Once you have loaded network traffic data, you can display information about objects on your network, search for and select objects, and locate objects in the Map.

Displaying Object Information
■ Grey — Inactive
■ Green — Transmitting traffic only
■ Yellow — Receiving traffic only
■ Orange — Transmitting and receiving traffic

A selected object is colored blue. The shade of grey used to color the inside of a group is only used to make it more visible in the Map and does not denote a specific state.
Table 7 describes the traffic display options available from the Display menu and from buttons in the main window.

Table 7 Description of Display Buttons

Button | Function
Add Connections To and From | Shows all traffic connections going to and from the selected objects to any other objects on the network. Use to determine who the selected objects are talking to.
Remove Connections To and From | Removes all traffic for the selected objects on the Map.
Combining To and From and Between

You can use the To and From and Between options in combination to turn off a subset of the traffic connections.

Removing and Hiding Traffic

To remove all traffic from selected objects in the Map, select Remove All Connections from the Display menu. To hide all traffic in the Map, select Hide Mapped Connections in the Display menu.
If you want to change the protocols in an application, create a new favorite rather than edit a predefined application grouping.

The concept of having applications and favorites (collections of related protocols) also applies to graphs, reports and events, as well as to viewing in the Map. See Chapter 8, “Displaying Traffic in Graphs”, Chapter 9, “Using Event Rules”, and Chapter 11, “Overview of Reporting” for further information.
You might then create a favorite called Server, containing both user-defined protocols. You could display this favorite in the Map as a single color, to show the overall use of both protocols on your network.

To set up a user-defined protocol, you need:
■ The name of the parent protocol over which it runs, for example TCP.
■ The protocol number. For example, if the protocol runs on TCP port 678, the protocol number is 678.
■ The name for the protocol.
■ You can only create child protocols if the protocol you are extending supports the addition of child protocols.

Many current implementations of RMON-2 agents do not support user-defined protocols. If in doubt, check with your agent vendor.

Device Aggregation

Aggregation is a way of limiting the number of devices Traffix Manager has to track.
8 DISPLAYING TRAFFIC IN GRAPHS

This chapter contains the following sections:
■ Overview
■ Using the Graph Panel
■ Using the Launch Graph Dialog Box

Overview

You can use the graph tools in Traffix™ Manager to analyze mapped traffic. The graph panel of the main window shows summary information about the most significant items selected in the Map. In addition to this, you can open the Launch Graph dialog box to display more detailed information about selected items.
Using the Graph Panel

The Graph Panel of the main window shows basic information about the network activity of selected items in the Map as a number of graphs.

Figure 8 Graph Panel

The following graphs of objects selected in the Map are displayed in the main window:
■ Summary Bar — Shows the sum of all the traffic displayed in the Map for the object(s) selected in the Map.
Use the Graph Panel Settings dialog box to configure the display of the Graph Panel.

Figure 9 Graph Panel Settings dialog box

The options for display are:
■ Units — The unit of measurement used when calculating the charts:
■ Media Types — Only active if bits per second or % utilization are selected in the Units field.

Using the Launch Graph Dialog Box
Figure 10 Launch Graph dialog box

The settings used to create the launched graph are those used in the Map at the time you launch the dialog box. If the data is filtered in some way, for example by protocol, that filtering is used when producing the graphs. Each graph will only use the connections which are plotted and displayed in the Map when the graph is launched.
■ Top Objects — Shows the busiest objects. Which objects are considered depends on the level set in the Graph Settings dialog box.
■ Top Connections — Shows the busiest connections. Which connections are considered depends on the Level and Unit Total set in the Graph Settings dialog box.

Because the necessary calculations can be lengthy, the status bar at the bottom of the Launch Graph dialog box shows a progress bar.
9 USING EVENT RULES

This chapter describes how to use event rules to analyze the data collected by Traffix™ Manager and to inform you of traffic changes on your network. This chapter contains the following sections:
■ Overview
■ Predefined Event Rules
■ Examples of Event Rules
■ Configuring Event Rules
■ Using Event Rules

Overview

Using Traffix Manager, you can set up event rules to provide you with information about the security of your network, and the level of traffic on the network.
The event rules in Traffix Manager fall into two broad categories:
■ Security — An event is generated when some aspect of network security may have been compromised.
■ Traffic — An event is generated when a significant change in traffic patterns is detected.

The various types of event rule are discussed in more detail in the following section.

Traffix Manager provides a number of predefined event rules that cover common network issues.
Examples of Event Rules

There are a total of eight types of event rule, the possible uses of which are discussed below.

Security Event Rules

These types of event rule help you to protect your network from unauthorized access or improper use.

Detect Unauthorized Machine Access

You use this type of event rule to help you enforce policies about access to specified machines.
Traffic Event Rules

These types of event rule help you to detect significant changes in the behavior of a machine or connection. Such changes are often causes or indicators of problems on the network. They may also indicate that some part of the network is overloaded, and could give advance warning that the load on a device is increasing.

Monitor Network Resource Usage

You use this type of event rule to detect machines that are using more than their share of the network.
By applying the protocol filter to an event rule of this type, you can use it to monitor the usage of specific network services on the devices. For example, you can use this event rule to:
■ Monitor the activity of your e-mail servers.
■ Monitor the activity of your router.

Monitor Critical Connections

Changes on an important link can lead to unexpected congestion.
Figure 11 Event Rules dialog box

Traffix Manager provides wizards to help you add and edit event rules.

Refining Event Rules

When you add or edit an event rule, you can modify it to monitor the traffic on your network and your network security, according to your own requirements.

Specifying Devices

You can specify the groups and devices to which an event rule applies.
Specifying the Time Filter

With certain types of event rule, you can specify the times at which rules apply. For example, you could choose to restrict unauthorized traffic at all times, or only during certain periods.

Specifying Sensitivity

For most event rule types, you can specify how sensitive you want the rule to be:
■ Security event rules — high sensitivity generally means that only a small amount of prohibited traffic is required for an event to be generated.
Maintaining Network Security

You can configure Detect Network Sweep Attack and Detect New Devices event rules to generate security events. There are event rules of both types already preconfigured. However, your firewall may be a more appropriate source of information about attacks from outside the network than Traffix Manager.
The Map can provide you with immediate information about which devices have been using particular servers.

Detecting Unauthorized Servers

You can use the Detect Network Sweep Attack rule to spot users creating unauthorized servers on the network. For example, you can detect unauthorized FTP servers by creating a rule which detects FTP traffic on the network, but which ignores traffic to and from known FTP servers.
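The logic of such a rule, as an added example that is not part of the original guide or of Traffix Manager itself: the Python sketch below applies "FTP traffic, except to and from known FTP servers" to constructed conversation records. The record layout, the addresses, and the octet thresholds used to model rule sensitivity are all assumptions made for illustration.

```python
"""Added example: flag hosts acting as FTP servers that are not on the known list."""
from dataclasses import dataclass, field
from ipaddress import ip_address

FTP_CONTROL_PORT = 21  # well-known TCP port of the FTP control connection

# Constructed sample data (not from the guide): one record per conversation,
# as (client address, server address, TCP server port, octets exchanged).
SAMPLE_CONVERSATIONS = [
    ("10.1.1.20", "10.1.0.5", 21, 48_000),    # sanctioned FTP server
    ("10.1.1.21", "10.1.0.5", 21, 12_500),
    ("10.1.2.30", "10.1.3.77", 21, 90_000),   # desktop acting as an FTP server
    ("10.1.2.31", "10.1.3.77", 21, 150_000),
    ("10.1.2.30", "10.1.0.9", 80, 700_000),   # not FTP, never considered
    ("10.1.4.40", "10.1.4.41", 21, 300),      # tiny amount of FTP traffic
]

# Assumed allow-list: the FTP servers the administrator knows about.
KNOWN_FTP_SERVERS = {"10.1.0.5"}

# Assumed mapping of rule sensitivity to the minimum octets of prohibited
# traffic needed before an event is raised. High sensitivity needs the least,
# matching the guide's description of security event rules.
SENSITIVITY_MIN_OCTETS = {"high": 1, "medium": 10_000, "low": 100_000}


@dataclass
class Finding:
    """Aggregated FTP activity seen for one server that is not on the allow-list."""
    server: str
    clients: set = field(default_factory=set)
    octets: int = 0


def find_unauthorized_ftp_servers(conversations, known_servers, sensitivity="medium"):
    """Return findings for unlisted FTP servers, busiest first."""
    threshold = SENSITIVITY_MIN_OCTETS[sensitivity]
    known = {ip_address(addr) for addr in known_servers}
    findings = {}
    for client, server, port, octets in conversations:
        if port != FTP_CONTROL_PORT:
            continue  # the rule only looks at FTP control traffic
        client_ip, server_ip = ip_address(client), ip_address(server)
        if client_ip in known or server_ip in known:
            continue  # ignore traffic to and from known FTP servers
        finding = findings.setdefault(server_ip, Finding(server=str(server_ip)))
        finding.clients.add(str(client_ip))
        finding.octets += octets
    # Sensitivity decides how much prohibited traffic is required for an event.
    events = [f for f in findings.values() if f.octets >= threshold]
    return sorted(events, key=lambda f: f.octets, reverse=True)


if __name__ == "__main__":
    for level in ("high", "medium", "low"):
        hits = find_unauthorized_ftp_servers(SAMPLE_CONVERSATIONS, KNOWN_FTP_SERVERS, level)
        print(level, [(f.server, sorted(f.clients), f.octets) for f in hits])
```

The sketch keys on the FTP control port only; FTP data connections use other ports and would need the protocol classification that the monitoring agents provide.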
Implementing Business Policies

Some organizations and network administrators have specific policies about how the network can be used, in general or at different times of day. Detect Network Misuse and Detect Unauthorized Machine Access event rules are powerful tools for detecting behavior that does not conform to such policies.

You might require that most of your network bandwidth is available for backups at night.
10 VIEWING EVENTS

This chapter describes use of the Event List. It contains the following sections:
■ Overview
■ Viewing Events
■ Viewing and Managing Selected Events
■ Forwarding Events as SNMP Traps

Overview

Traffix™ Manager enables you to create event rules about the traffic on your network and network security. When the conditions for a rule are met, an event is generated. See Chapter 9 for information on configuring event rules.
Viewing Events

You use the Event List to display information about events.

Figure 12 Event List

The Event List provides the following information about each event:
■ Acknowledged — whether the event has been acknowledged. By default only unacknowledged events are displayed.
■ The severity of the event.
■ The rule that generated the event.
■ A detailed explanation of the reason for the event.
■ The activity of the device before and after the change that caused the event.

You can sort, filter, and summarize the display of events. These last two operations are described in more detail below.

Filtering Events

You filter event data from the Filter dialog box.
■ By event rule.
■ By device / group — You can select a grouping and a group or device. When launched for a particular group or device from the Map, the Event List shows all events in the event log which relate to the selected device or group. Only events generated by event rules can be displayed in this way.
■ By the time period in which events were generated — today, previous day, previous week, or previous month.

Summarizing Events
Viewing and Managing Selected Events

By selecting an event in the Event List, you can carry out the following actions. These actions do not apply to events generated by the Collector or the Reporter.
■ Show detailed information about the event.
■ Acknowledge the event.
■ Modify the event rule on which the event is based, and increase or decrease the rule’s sensitivity.
■ Disable the event rule.
Forwarding Events as SNMP Traps

By selecting an event in the Event Generation dialog box, you can choose to forward the event as an SNMP trap to your own Open Management Platform (for example, HP OpenView or SunNet Manager).

The Event Generation dialog box allows you to configure the following:
■ The severity of events generated by event rules.
2 The MIB files that define events are supplied by a number of enterprises. Select 3Com in the Enterprises field of the Event Configuration dialog box. The system object ID corresponds to the value supplied with the SNMP Trap.
3 The list in the bottom half of the Event Configuration dialog box lists events associated with the enterprise selected in the top half. In the Events for Enterprise 3Com field, double-click 3Com_RmonEventTrig to open the Modify Events dialog box.
11 OVERVIEW OF REPORTING

This chapter contains the following sections:
■ Overview
■ Managing Reports
■ Strategy for Reporting
■ Effects of Grouping on Reports

Overview

You use the reporting tools in Traffix™ Manager to produce professional, multi-page reports from collected data about the traffic in your network. There are eight types of report, incorporating over 40 different charts that can extract and display the most significant information about traffic during a specified period.
■ Use top N reports to determine and report on the most active objects on your network. Here, N is a number between 1 and 50 that you can choose for each report.

The different types of report are detailed in Chapter 12.

Report Instances

You can set up reports for your specific needs. To set up a report, you add an instance of a selected report type, specifying which objects to report on. For example, you might set up a top N report on the top 10 devices in Europe.
Weekly Reports

These reports use all data collected on the day specified and the following 6 days. The report is generated in the early hours of the day after the last day covered by the report. For example, if you select from Friday through to the following Thursday (Figure 15), data covering the 7 days from 00:00 Friday to 24:00 Thursday of the following week is used. The report is generated in the early hours of Friday morning.
Managing Reports

You use the Report Manager to add, schedule, edit and delete reports.

Figure 17 Report Manager

The Report Manager has three main areas:
■ Reports — Displays a tree of report types, instances, raw data, and output. You can add, edit and delete items in the tree. You can display reports by the Date they were created, or by Report Type.
■ Report Specification — Displays a summary of key information about a report instance.
The reporting features available depend on the client access level. A read-only user can browse existing reports, view report details, and view reports in the output queue. An administrator can also add, edit and delete reports, change report scheduling and output options, and run ad hoc reports. See “Client Access Levels” on page 50 for further information about access levels.
You can choose to delete raw data to reclaim disk space if required. See “Setting Global Report Options” on page 96 for more information about deleting raw report data.
■ Report output — If you have scheduled the output of a report instance as HTML, the generated HTML output is shown as a child of the raw data. You can display a summary of key information about the HTML output. See “Interpreting Summary Information” on page 94 for more information.
Managing Reports Setting Output Options 95 ■ Period — The time range covered by the selected raw data or output. ■ Keep Report — The date the report is to be deleted, or Keep Forever, if the report is to be kept indefinitely. ■ Status — Whether raw data or output was generated successfully. To display the generation history for reports, see “Monitoring Report Generation and Output” on page 96.
Monitoring Report Generation and Output

Use the Output Queue to view output requests that are due to be run, that are complete, or have failed. (Report output could fail if, for example, a file cannot be written to, or a printer is off line. See “Troubleshooting Reports” on page 116 if necessary.) You can show output for all reports, or only for the report currently selected in the Report Manager.
Strategy for Reporting

Getting Started

This section contains a strategy to help new users begin reporting with Traffix Manager. One of the most beneficial features of the Report Manager is that you can use it to obtain a picture of your network’s usual behavior. The quickest report to run is the top N segments report. This report shows you the activity on your network and helps you determine whether that activity is predictable and consistent from week to week.
groups, rather than for your entire network. See “Creating and Assigning Attributes” on page 44 for more information.

Generate a top N Summary Report to Determine Objects for an Activity Report

You can run top N reports in two modes:
■ Summary mode just identifies the top N objects.
■ Summary plus detail mode generates a report including detailed information for each of the top N objects. Reports run in this mode take longer to generate.
12 REPORT TYPES This chapter describes in detail each type of report in Traffix™ Manager. Report Templates Activity Reports Top N Reports For each kind of object — connections, devices, groups of devices, and segment — there are two types of report template, activity and top N. Each activity report consists of two sections: ■ The first section contains detailed information on the activity of each specified object.
■ The last section contains information about the report itself such as its title, whether it was scheduled or run ad hoc, and when it was created.

The different types of report are described in turn in the remainder of this chapter.

Connection Activity Report

This report contains detailed information on each specified connection. Traffic flowing in both directions between the selected end points is used.
Table 8 Connection Activity Report Charts (continued)
Report Section | Chart Title | Description
2 | Report Information | Information about the report itself.

Device Activity Report

This report contains detailed information on each specified device.

Table 9 Device Activity Report Charts
Report Section | Chart Title | Description
1 | Device Activity |
1.1 | Protocol Distribution For | A pie chart showing the total octets sent and received by the device broken down by protocol.
Group Activity Report

This report contains detailed information on each specified group. There are three ways you can report on groups:
■ External — Traffic flowing into or out of the group only
■ Internal — Traffic flowing within the group only
■ Overall — Both external and internal traffic

Table 10 Group Activity Report Charts
Report Section | Chart Title | Description
1 | Group Activity |
1.
Segment Activity Report

This report contains detailed information on each specified segment. For the purposes of reporting, it is assumed that each separate segment of your network is monitored by an agent interface. Many sites (particularly in a switched environment) have large numbers of segments and it may be too expensive to instrument all of them with RMON-2 agents. One option at such sites is to use any existing, embedded RMON-1 only devices (hubs, switches, routers etc.
CHAPTER 12: REPORT TYPES Table 11 Segment Activity Report Charts (continued) Report Section Chart Title 2 Description Error History With Baseline A baseline chart showing the actual total number of error packets over the report period as a line. This is overlaid on bands representing normal, borderline and unusual error totals. These baselines are calculated using a statistical analysis of data from previous report periods. Note that baseline information does not appear immediately.
Top N Connections Report

This report calculates the top N connections by total octets sent and received over the report period.
■ “From US at Country level to UK at City level” tells you which cities in the U.K. communicated most with the U.S.
■ “From US at Device level to UK at Device level” tells you the busiest connections between individual devices in the U.S. and U.K., such as server1 to pc-42 or pc48 to ukServer.

The following are examples of reports on the default Type and Network grouping. See Chapter 4, “Grouping Network Devices in the Map” for more information about the default groupings.
Top N Devices Report 107 Table 12 Top N Connections Report Charts (continued) Report Section Chart Title 3 Top N Devices Report Description Long Term Trend A line chart showing the total octets sent and received by the device for as long as Traffix™ Manager has records. Top Conversations Within The Connection A stacked bar chart showing the top 10 device to device conversations within the detail group, broken down by protocol.
CHAPTER 12: REPORT TYPES Table 13 Top N Devices Report Charts (continued) Report Section Chart Title 1.2 Description Top Devices By Hits A stacked bar chart containing the top N devices as measured by total hits, broken down by protocol. A hit is a conversation of a particular protocol between the device and another device. Protocol Distribution Of Top Devices A pie chart showing the top 10 protocols seen across all of the N devices.
Top N Groups Report

This report calculates the top N groups by total octets sent and received over the report period. You can limit the report to consider only groups at a specified level in the grouping scheme within a parent group. Some examples of group reports are:
■ Geographical grouping — Top 10 at City level within the US group shows you the most active cities in the U.S.
CHAPTER 12: REPORT TYPES Table 14 Top N Groups Report Charts (continued) Report Section Chart Title Top N Segments Report Description Long Term Trend A line chart showing the total octets sent and received by the device for as long as Traffix Manager has records. 2.1 Top Sub-Groups With Protocol Distribution By Octets A stacked bar chart showing the top 10 sub-groups within the detail group, broken down by protocol.
Top N Segments Report 111 Table 15 Top N Segments Report Charts (continued) Report Section Chart Title 1.2 Description Utilization History A multiple line chart showing the history of the utilization for each of the N segments over the report period. Utilization Health Chart An alternative way of viewing the utilization history. Utilization values are shown as cells with the cell color indicating the band of utilization.
CHAPTER 12: REPORT TYPES Table 15 Top N Segments Report Charts (continued) Report Section Chart Title 3 Description Utilization History With Baseline A baseline chart showing the actual utilization over the report period as a line. This is overlaid on bands representing normal, borderline and unusual utilization. These baselines are calculated using a statistical analysis of data from previous report periods. Note that baseline information does not appear immediately.
IV APPENDICES AND INDEX

Appendix A Troubleshooting Traffix Manager
Appendix B Database Management Using Traffix Control Panel
Appendix C Aggregating Devices
Appendix D Using the SubnetsDB File
Appendix E Automatic Attribute Assignment
Appendix F Supported RMON-2 Devices
Appendix G Configuring 3Com Standalone RMON-2 Agents
Appendix H DHCP
Appendix I TFTP Server
Appendix J RMON and SNMP Tables Retrieval
Appendix K Technical Support
Glossary
Index
A TROUBLESHOOTING TRAFFIX MANAGER

This appendix is divided into two sections:
■ Troubleshooting Traffix Manager
■ Troubleshooting Reports

For information on reporting problems to 3Com, see Appendix K, “Technical Support”.

Troubleshooting Traffix Manager

Table 16 contains descriptions of problems you might encounter when running Traffix™ Manager, and their solutions.

Table 16 Diagnosing Traffix Manager Problems
Problem | Cause | Solution
Client Will Not Start. | Traffix server is not running.
APPENDIX A: TROUBLESHOOTING TRAFFIX MANAGER Table 16 Diagnosing Traffix Manager Problems (continued) Problem Cause No Data in the Map. Solution Check the following: ■ ■ ■ ■ Event Rule does not generate any events. that you have selected an appropriate time range in the Load Traffic dialog box. one or more interfaces must be enabled in the Configure Agents dialog box. See Chapter 6, “Configuring Agents for Data Collection”. any collector error events in the Event Log.
Troubleshooting Reports

Table 17 Diagnosing Reporting Problems
Problem | Cause | Solution
HTML output fails even though raw data is generated successfully. | HTML output directory is not writable. | For information on why it failed, select the HTML entry and click Report Info….
Raw report fails when running ad hoc or scheduled reports. | Database directory is full (raw report data is stored in the database). | ■ Increase the disk space available to the database.
APPENDIX A: TROUBLESHOOTING TRAFFIX MANAGER Table 17 Diagnosing Reporting Problems (continued) Problem Cause Reports take very long time to run. Reports using large amounts of data can take some time to complete. Solution ■ ■ ■ ■ ■ Scheduled reports do not run. Ad hoc reports appear as pending but never run. Speed up ad hoc report generation by generating reports for fewer numbers of devices, groups, protocols or segments.
Table 17 Diagnosing Reporting Problems (continued)
Problem | Cause | Solution
“ERROR could not open output file: ” in event viewer. | The reporter was unable to create an output file. | This is most often caused by insufficient permissions — you do not have permission to create output files where requested.
B DATABASE MANAGEMENT USING TRAFFIX CONTROL PANEL

This appendix contains:
■ Overview of Traffix Control Panel
■ Overview of Database Applications
■ Upgrading Traffix Manager 2.0

Overview of Traffix Control Panel

From the Traffix Control Panel, you can manage the operation of the Traffix™ Server, and the setup and maintenance of the data collected. Traffix Manager uses a database to store topology, trend data, collector configurations, device attributes, scheduled report templates and report data.
Figure 18 Traffix Control Panel

These applications help you to manage and organize a number of databases, for example, if you want to keep extra databases for backup purposes or to provide snap shots of your network or portions of your network over time.

Overview of Database Applications

The Traffix Manager Configuration panel in the Traffix Control Panel provides the following applications for managing databases.
■ The amount of free disk space remaining on your PC for data collection to the database.
■ The location of HTML reports.

From this dialog box, you can launch the following operations:
■ Create a new database to write data from the network to. Unless you want to get rid of the contents of a database entirely, you should always use the Clean Database application instead of deleting a database and creating a new one. You may already have a valid Traffix Manager 3.
■ The amount of hourly and daily data which has already been collected.

In this dialog box, you can specify the maximum amount of data that you want the Traffix Manager databases to hold altogether. You can carry out the following operations from the Database Maintenance dialog box:

Clean databases

Clean the current Traffix Manager database by selecting from the following options:
■ Delete all topology information.
3Com recommends that you back up your database regularly, the frequency depending on how important your trend data is to the way you monitor your network. If you want to view and report on your weekly data, you should back up your database once a week. If viewing and storing your trend data is less important, backing up your database once a month may be adequate.

To back up your database:
1 Stop the Traffix Server. See “Stopping Traffix Manager” on page 28.
This dialog box also allows you to select whether Traffix Manager starts automatically every time you log on to your machine.

Default DNS Domain

Allows you to set a default DNS domain, if you wish to change the previously configured default. You can specify a default domain to be used for devices discovered on your local network when the DNS lookup does not return fully-qualified local names. For example, if the default DNS domain is acme.
Deinstalling Traffix Manager 2.0

To deinstall Traffix Manager 2.0 for NT:
1 Close Traffix Manager and all related processes. To check which processes are running, right-click the Windows NT Taskbar and select Task Manager. The Applications and Processes tabs contain a list of any active programs.
2 From the Start menu, select Settings > Traffix Control Panel to open the Traffix Control Panel.
1 To display a program group, right-click Start and select Open All Users. Double-click a program entry to display the program group.
2 Right-click the control button in the top left corner of the Traffix Manager program group title bar.
3 From the drop-down menu, select Delete.
4 When prompted, confirm the deletion of this program group by clicking Yes or click No to abandon it.
C AGGREGATING DEVICES

This appendix describes:
■ Overview
■ Default Aggregation

Overview

Aggregation reduces the amount of memory and disk resources required by Traffix™ Manager by collating the data collected for many devices into a single device. For example, in sites where there is a lot of Internet traffic, some or all external devices can be aggregated together. This may be the only way to limit the resource usage to an acceptable level. Use the Aggregation dialog box to set up aggregation.
Specifying an Aggregation Policy

To aggregate devices on a particular network, it is necessary for the aggregator to be configured for that network. This is done by specifying an aggregation policy. Once an aggregation policy has been configured, it only affects data collected from that point on. An aggregation policy consists of three parts: a local domain specification, a default action and a maximum device limit.
Default Aggregation

Selecting the Default Aggregation Action

The default aggregation action is the method of aggregation applied to network devices which have a DNS name, but which are not contained within one of the local DNS domains. There are three default aggregation actions, from which you can select and apply one to non-local DNS domains. In the following examples, it is assumed that acme.com is not in the Local Domain Specification.
If layer 2 above the name is selected, the device office.acme.com is aggregated into the device representing .com. If a network device does not have the selected layer above the name, then the device is aggregated into a device representing the highest DNS layer possible. office.acme.com does not have a layer three above its name and would therefore be aggregated into the device representing the DNS layer .com.
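The layer rule above, worked through in C as an added example (it is not code from the guide or from Traffix Manager). The function names, the local domain corp.example, the result for layer 1, and the choice to leave local or single-label names unaggregated are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when name equals domain or ends with "." + domain (case-insensitive). */
static int in_domain(const char *name, const char *domain)
{
    size_t nl = strlen(name), dl = strlen(domain);
    if (dl == 0 || dl > nl)
        return 0;
    const char *tail = name + (nl - dl);
    for (size_t i = 0; i < dl; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)domain[i]))
            return 0;
    /* Require a label boundary so "notacme.com" is not treated as inside "acme.com". */
    return nl == dl || tail[-1] == '.';
}

/*
 * Hypothetical helper: writes into out the device that `name` is collapsed into
 * when "layer N above the name" is the default aggregation action.
 * Returns 1 if aggregated, 0 if the device is kept as itself, -1 on bad input.
 */
int aggregate_target(const char *name, int layer,
                     const char *const *local, size_t nlocal,
                     char *out, size_t outlen)
{
    size_t len = name ? strlen(name) : 0;
    int n, dots = 0, keep = 0;

    if (len == 0 || layer < 1 || !out || outlen == 0)
        return -1;
    if (name[0] == '.' || name[len - 1] == '.' || strstr(name, ".."))
        return -1;                          /* empty DNS label */

    /* The default action only applies outside the local domain specification. */
    for (size_t i = 0; i < nlocal; i++)
        if (in_domain(name, local[i]))
            keep = 1;

    /* A name with d dots has d layers above its host label. */
    for (const char *p = name; *p; p++)
        dots += (*p == '.');

    if (keep || dots == 0) {                /* assumption: left unaggregated */
        n = snprintf(out, outlen, "%s", name);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }

    /* Missing layer: fall back to the highest DNS layer the name has. */
    if (layer > dots)
        layer = dots;

    const char *p = name;
    for (int i = 0; i < layer; i++)
        p = strchr(p, '.') + 1;             /* drop one label per layer */

    n = snprintf(out, outlen, ".%s", p);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
}

int main(void)
{
    const char *const locals[] = { "corp.example" };   /* constructed sample */
    char buf[64];
    for (int layer = 1; layer <= 3; layer++)
        if (aggregate_target("office.acme.com", layer, locals, 1, buf, sizeof buf) == 1)
            printf("layer %d: office.acme.com -> %s\n", layer, buf);
    return 0;
}
```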
D USING THE SUBNETSDB FILE

Using the SubnetsDB File

This facility allows you to group the devices on your network by subnet. Click Subnets Editor in the Traffix™ Control Panel to edit the subnet definition file, which contains information about subnet groupings. This file can be edited and reapplied at any time.
■ This facility extends the basic subnetting provided by the NL attribute. See “Predefined Attributes” on page 40.
■ Subnets can only be applied to devices with IP addresses.
Subnet masks must comply with the primary internet network class types by covering at a minimum the part of the address that represents the network bits. In Table 18, * is any number between 0 and 255.

Table 18 Subnet Masks
Class | Description | Mask
A | 1 leading bit (0), 7 Network bits, 24 Host bits | 255.*.*.*
B | 2 leading bits (1 0), 14 Network bits, 16 Host bits | 255.255.*.*
C | 3 leading bits (1 1 0), 21 Network bits, 8 Host bits | 255.255.255.
4 If you already have devices showing in the Map, reload the subnets attributes using the Reload Attributes dialog box, which you access from the Edit menu in the main window.
5 Create a subnets grouping. See “Predefined Groupings” on page 43 for information on how to create a site-specific subnet grouping.
6 Apply the grouping.
For example, if the SubnetsDB file was to contain the following entries with the same subnet address:

    subnet     mask          name     domain
    89.0.0.0   255.0.0.0     Group1   3com.com
    89.0.0.0   255.255.0.0   Group2   3com.com

Any device matching both of these subnets would be placed in Group 2, as this has 16 set bits in its subnet mask, whereas Group 1 has only 8 set bits.
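The most-set-bits rule above, together with the class minimum for masks, as an added C example (not code from the guide or from Traffix Manager). The function names, the BadMask row, the match test (address AND mask equals subnet AND mask) and the decision to skip a row whose mask is shorter than its class minimum are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One SubnetsDB row, in the column order used on this page. */
struct subnet_entry {
    const char *subnet, *mask, *name, *domain;
};

/* Constructed sample: the two rows from the page plus one hypothetical bad row. */
static const struct subnet_entry SAMPLE_DB[] = {
    { "89.0.0.0",    "255.0.0.0",   "Group1",  "3com.com" },
    { "89.0.0.0",    "255.255.0.0", "Group2",  "3com.com" },
    { "192.168.4.0", "255.255.0.0", "BadMask", "3com.com" }, /* class C, mask too short */
};
#define SAMPLE_COUNT (sizeof SAMPLE_DB / sizeof SAMPLE_DB[0])

/* Parses a dotted quad into a host-order 32-bit value; 0 on success, -1 on error. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;                       /* too few fields or trailing junk */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 0;
}

/* Number of set bits in the mask, the quantity the page compares. */
static int set_bits(uint32_t v)
{
    int n = 0;
    while (v) {
        v &= v - 1;
        n++;
    }
    return n;
}

/* Smallest mask allowed for the address class (A /8, B /16, C /24); 0 otherwise. */
static uint32_t class_min_mask(uint32_t addr)
{
    if ((addr & 0x80000000u) == 0)           return 0xFF000000u; /* class A: 0...   */
    if ((addr & 0xC0000000u) == 0x80000000u) return 0xFFFF0000u; /* class B: 10...  */
    if ((addr & 0xE0000000u) == 0xC0000000u) return 0xFFFFFF00u; /* class C: 110... */
    return 0;
}

/* Returns the index of the matching row with the most set mask bits, or -1. */
int match_subnet(const struct subnet_entry *db, size_t n, const char *device_ip)
{
    uint32_t dev, net, mask;
    int best = -1, best_bits = -1;

    if (parse_ipv4(device_ip, &dev) != 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (parse_ipv4(db[i].subnet, &net) != 0 || parse_ipv4(db[i].mask, &mask) != 0)
            continue;                    /* unparseable row */
        uint32_t min = class_min_mask(net);
        if ((mask & min) != min)
            continue;                    /* mask does not cover the network bits */
        if ((dev & mask) != (net & mask))
            continue;                    /* device is outside this subnet */
        int bits = set_bits(mask);
        if (bits > best_bits) {          /* more set bits wins */
            best_bits = bits;
            best = (int)i;
        }
    }
    return best;
}

/* Group name for a device against the sample table; "" when nothing matches. */
const char *group_for(const char *device_ip)
{
    int i = match_subnet(SAMPLE_DB, SAMPLE_COUNT, device_ip);
    return i < 0 ? "" : SAMPLE_DB[i].name;
}

int main(void)
{
    const char *devices[] = { "89.0.12.7", "89.200.1.1", "192.168.9.9" };
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        printf("%-12s -> [%s]\n", devices[i], group_for(devices[i]));
    return 0;
}
```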
E AUTOMATIC ATTRIBUTE ASSIGNMENT

This appendix describes:
■ Overview
■ Contents of the User-defined Attributes Configuration File
■ Performing Attribute Assignment
■ Using the fileattrs Program
■ Using the dblookup Program
■ Writing your own program

Overview

Automatic attribute assignment within Traffix™ Manager lets you automatically import attribute values from various data sources to create groupings and to identify objects in the Map.
By editing the user-defined attributes configuration file, you select which programs are used to determine attributes for objects. You can use the standard programs supplied, or you can create your own custom programs.
Contents of the User-defined Attributes Configuration File

File Format

Lines beginning with # are comments and are ignored. All other lines take the form:
Performing Attribute Assignment

Attribute assignment is carried out on any newly discovered devices. In addition, you can force a refresh at any time by using the Reload Attributes dialog box. Refer to the online help for the Reload Attributes dialog box for more information.

Using the fileattrs Program

The fileattrs program assigns attributes to devices automatically based upon a configuration file which you provide.
Configuration File Example 2

To assign user and operating system information to devices based upon their address:

    *KEY:2
    *ATT:NL Type, NL Address, User, O/S
    IP, 104.240.20.10, Joe Bloggs, Solaris 2.5
    IP, 104.240.20.8, Joe Bloggs, Windows 95
    IP, 104.240.20.13, John Smith, Solaris 2.5
    IP, 104.240.20.14, General Use, AIX 4.1

If the discovered device has the NL Type IP and an NL Address of 104.240.20.
The KEY attribute(s) for that device can be any of the attributes which are assigned automatically by Traffix Manager, for example, NL Address and NL Type. See “Predefined Attributes” on page 40 for a list of attributes which are automatically assigned by Traffix Manager. If you have other attribute lookup programs running, you may also use attributes which have already been assigned by these programs as KEY attribute(s).
network-type lookup tables: for example, a database containing only IP_1 and other_2 lookup-tables is valid. For specific information about Access or Excel lookup-tables, see below.

Default Values

Devices may be assigned default values.
Excel Worksheet

The lookup-tables are stored in Excel named-ranges. Lookup named-ranges can be stored on separate worksheets or in the same worksheet. To create a named-range, simply select the cells containing your data, select Insert/Name/Define from the menu, supply a name for your range and click Add. The worksheet can contain any other information you want and this does not interfere with the lookup.
Then, when a device is discovered, dblookup does the following:
1 dblookup builds a SQL string with the device’s key attributes values and runs a query against the database to find a match.
2 If no match is found, it waits for the next device.
3 Otherwise it takes the best match, that is to say the one with as few stars as possible.
4 If two full matches are returned, dblookup logs an error; otherwise, it takes the result of the first partial match encountered.
(there is one version in Visual Basic and one in C):

Figure 19 Simple attribute lookup process in C

    /* strcmp() is declared in <string.h>. */
    /* Handle each newly discovered device in turn. */
    while ( GetNextLookup() )
    {
        /* Tag every device whose network type is IP. */
        if ( strcmp( GetAttribute( "NL Type" ), "IP" ) == 0 )
            SetAttribute( "New Device", "TRUE" );
    }

Figure 20 Simple attribute lookup process in Visual Basic

    ' Handle each newly discovered device in turn.
    While GetNextLookup <> 0
        ' Tag every device whose network type is IP.
        If GetAttribute("NL Type") = "IP" Then
            SetAttribute "New Device", "TRUE"
        End If
    Wend

The idea behind this program is that every newly discovered IP device on
an attribute New Device to the value TRUE. NL Type is a built-in attribute which is always set to the network type of a device. This means that every IP device is assigned the attribute New Device with a value of TRUE.
■ Because of the while loop in the program, the program keeps assigning attributes for devices until Traffix Manager is finished with it.
Table 20 Example Programs (continued)
Name | Language | Description
country | Visual Basic | Simple example program which assigns an attribute country based on DNS name.
template | Visual Basic | Empty attribute program which does nothing, but which contains all the necessary project files and declarations to build an attribute lookup program.
Table 21 Functions available to lookup programs in the attripc DLL library
Function | Description
GetAttribute | Should be called sometime after GetNextLookup. Takes an attribute name as an argument. Returns the currently assigned value of that attribute for the current device as a string. Returns an empty string if the specified attribute is not assigned.
SetAttribute | Should be called sometime after GetNextLookup. Takes an attribute name and an attribute value as arguments.
attribute lookup programs which depend on the Name, NL Type, NL Address, Network or DNS attributes.

Run the program AttrLooktest.exe in TraffixServer (this is not on the Windows Start Menu). The program displays a dialog box which allows you to run an attribute lookup program, providing command-line parameters if necessary.
F SUPPORTED RMON-2 DEVICES

3Com Agents

The current list of 3Com agents is available from the 3Com web site: http://www.3com.com/network_management/probe_interop

Using Firmware version 4.17, the agents support all RMON-1 and RMON-2 groups. Version 4.10 or later is needed on the single port and dual port agents for Y2K compatibility.
G CONFIGURING 3COM STANDALONE RMON-2 AGENTS

This appendix contains the following sections:
■ Downloading Firmware to 3Com Standalone Agents
■ Setting the Operational Mode on 3Com Standalone RMON-2 Agents

Downloading Firmware to 3Com Standalone Agents

You should always run the latest version of management software (firmware) in the agents on your network.
CAUTION: Downloading firmware to an agent causes the agent to cold restart. Refer to the Firmware Upgrade documentation or your agent documentation for a description of the data lost when an agent is cold restarted.

The latest version of the Firmware Upgrade documentation is available from the 3Com web site: http://www.support.3com.com/infodeli/tools/netmgt/rmonprob/family.htm.
■ Traffix Mode
Sets appropriate table sizes on the device for use with Traffix Manager.
■ Off
Disables RMON-2. With RMON-2 disabled you can download SmartAgent® software to the device.

If you disable RMON-2 on an agent which supports both RMON standards, RMON-1 will still be enabled. Traffix Manager can only collect limited data, in the form of line statistics reports, from an agent that supports RMON-1 only.
H DHCP

This appendix contains the following sections:
■ How Traffix Manager Monitors DHCP Devices
■ What Effect Do DHCP Devices Have On The Map?

How Traffix Manager Monitors DHCP Devices

Traffix™ Manager normally uses the Network Layer Address (for example, IP address, IPX address) as the unique way to identify objects on your network.
(with the old MAC address) will also remain on the Map. There will therefore be two devices on the Map with the same IP address, although with different MAC addresses. Any conversation data retrieved for this IP address is subsequently assigned to the new device. This continues until the next time Traffix Manager detects that a MAC address has changed. Therefore, multiple objects can appear in the Map with the same Network Layer address, although with a different MAC address attribute.
I USING RMON-1 AGENTS

Monitoring Network Segments Using RMON-1 Agents

Many sites (particularly in a switched environment) have large numbers of network segments, and it may be too expensive to monitor all segments with RMON-2 agents. You can use any existing embedded RMON-1 only devices (hubs, switches, routers etc.) instead, to produce lightweight activity reports for these segments. Data from RMON-1 only agents is only used in segment activity reports, and does not appear in the Map.
J RMON AND SNMP TABLES RETRIEVAL

This appendix lists the SNMP tables retrieved by Traffix™ Manager. Refer to the following URLs for descriptions of RMON tables:
■ RMON-1 Request for Comment: http://www.it.kth.se/docs/rfc/rfcs/rfc1757.txt
■ RMON-2 Request for Comment: http://www.it.kth.se/docs/rfc/rfcs/rfc2021.txt
■ RMON-2 Protocol Identifiers: http://www.it.kth.se/docs/rfc/rfcs/rfc2074.
Table 24 SNMP Tables Used By Traffix Manager (continued)
MIB | Table | Mandatory | Comments
RMON-2 | protoDist | no | For protocol distribution (reports only)
RMON-2 | addressMap | no | Network Layer to MAC address mapping
RMON-2 | alMatrixTopN / alMatrix / nlMatrixTopN / nlMatrix | At least one must be supported for RMON-2 data | RMON-2 conversation traffic
K TECHNICAL SUPPORT

3Com® provides easy access to technical support information through a variety of services. This appendix describes these services.

Information contained in this appendix is correct at time of publication. For the most recent information, 3Com recommends that you access the 3Com Corporation World Wide Web site.
3Com FTP Site

Download drivers, patches, software, and MIBs across the Internet from the 3Com public FTP site. This service is available 24 hours a day, 7 days a week.

To connect to the 3Com FTP site, enter the following information into your FTP client:
■ Hostname: ftp.3com.com
■ Username: anonymous
■ Password:

You do not need a user name and password with Web browser software such as Netscape Navigator and Internet Explorer.
Support from Your Network Supplier 165 Access by Digital Modem ISDN users can dial in to the 3Com BBS using a digital modem for fast access up to 64 Kbps. To access the 3Com BBS using ISDN, call the following number: 1 847 262 6000 3Com Facts Automated Fax Service The 3Com Facts automated fax service provides technical articles, diagrams, and troubleshooting instructions on 3Com products 24 hours a day, 7 days a week.
When you contact 3Com for assistance, have the following information ready:
■ Product model name, part number, and serial number
■ A list of system hardware and software, including revision levels
■ Diagnostic error messages
■ Details about recent configuration changes, if applicable

Here is a list of worldwide technical telephone support numbers:
Country Telephone Number Country Telephone Number Asia, Pacific Rim Australia Hong Kong India Indonesia Japan Mala
Returning Products for Repair

Before you send a product directly to 3Com for repair, you must first obtain an authorization number. Products sent to 3Com without authorization numbers will be returned to the sender unopened, at the sender’s expense.
GLOSSARY

agent
A standalone or embedded source of RMON-1 or RMON-2 data.

aggregation
The process of adding the data from multiple devices in the same domain, and representing those devices as a simple “aggregated” device. Used to limit database growth.

application
As used in Traffix™ Manager, this is a grouping of related RMON-2 defined protocols. It provides the user with a more recognizable and convenient way of selecting protocols.

application layer

ARP
bit
Either of the digits 0 or 1 when used in the binary numeration system. Eight bits equals a single byte.

broadcast
All good frames destined for the broadcast address, in other words sent out to all stations on the network. Some broadcasts are limited to the local network, and some broadcasts may cross onto other networks.

client
An application that provides a means of configuring data collection.

community name
of the destination IP address, the station sends the message to the destination station. Due to the static nature of DNS, it can only be used when network stations have static IP addresses obtained through manual configuration, BOOTP or DHCP in static mode.

domain
Part of the naming hierarchy used on the Internet and represented by a series of names separated by dots. For example, the domain name user.net.3com.
IP (network) address
Internet Protocol address. A unique identifier for a device attached to a network using TCP/IP. The address is written as four octets separated with full-stops (periods), and is made up of a network part, identifying which network the device resides on, and a host part, identifying individual devices on a given network.

IPX
Internetwork Packet Exchange. Network Layer (OSI Layer 3) protocol used for transferring data from servers to workstations.

MAC address
OSI
Open Systems Interconnection, a body of standards set by the International Standards Organization to define the activities that must occur when computers communicate. The OSI Reference Model is a 7-layer framework within which communications protocols and standards have been defined.

packet
A unit of information that contains data, origin information and destination information, which is switched as a whole through a network.

physical layer

presentation layer

probe

protocol
separated by periods. Devices and routers use the mask to identify the subnet on which a device resides.

switch
A device which filters, forwards and floods packets based on the packet’s destination address. The switch learns the addresses associated with each switch port and builds tables based on this information to be used for the switching decision.

system descriptor
A free-form field on RMON devices used by vendors to supply basic information about the device.
3Com Corporation LIMITED WARRANTY
Transcend® Traffix™ Manager 3.0 for Windows NT®

SOFTWARE
3Com warrants that each software program licensed from it will perform in substantial conformance to its program specifications, for a period of ninety (90) days from the date of purchase from 3Com or its authorized reseller. 3Com warrants the media containing software against failure during the warranty period. No updates are provided.
THE ALLEGED DEFECT OR MALFUNCTION IN THE PRODUCT DOES NOT EXIST OR WAS CAUSED BY CUSTOMER’S OR ANY THIRD PERSON’S MISUSE, NEGLECT, IMPROPER INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO OPEN, REPAIR OR MODIFY THE PRODUCT, OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY ACCIDENT, FIRE, LIGHTNING, OTHER HAZARDS, OR ACTS OF GOD.