Observer Reference Guide September 2003
Trademark Notices © 1994-2003 by Network Instruments, LLC (Limited Liability Corporation). All rights reserved. “Observer”, “Network Instruments” and the “N with a dot” logo are registered trademarks of Network Instruments, LLC, Minneapolis, Minnesota, USA. Limited Warranty—Hardware Network Instruments, LLC. ("Network Instruments") warrants this hardware product against defects in materials and workmanship for a period of 90 days from the date of shipment of the product from Network Instruments, LLC.
Technical Support
Network Instruments provides technical support:
• By phone (depending on where you are located): US and countries outside Europe at (952) 932-9899; UK and Europe at +44 (0) 1959 569880
• By fax (depending on where you are located): US and countries outside of Europe at (952) 932-9545; UK and Europe at +44 (0) 1959 569881
• By email at: support@networkinstruments.com
Network Instruments provides technical support for a period of 90 days after the purchase of the product at no charge.
Table of Contents
Introduction ..... 1
About this Guide ..... 1
Installing Observer ..... 3
System Requirements ..... 3
Licensing Observer .....
Saving and Replaying Saved Statistical Modes ..... 166
Trending and Analysis Menu ..... 167
Network Trending Mode ..... 167
WAN Delay Analysis ..... 186
Application Analysis .....
SNMP Overview ..... 329
Introduction to SNMP Management Console ..... 333
Using SNMP Management Console ..... 336
Configuring SNMP Agents ..... 338
Collecting SNMP Agent Information ..... 344
The MIB Editor .....
Introduction
About this Guide
Purpose
The Observer Reference Manual comprehensively describes every menu option, mode, tool and setup dialog in the Observer protocol analyzer. It is intended as a companion to Installing and Using Network Instruments Observer, which is more task-oriented, providing tutorials and examples. The content of both manuals is available in Observer’s online help system.
Installing Observer
System Requirements
Windows PC requirements: Pentium 400 or better with 256MB minimum RAM, 512MB recommended. Display: SVGA running at least 800x600. Operating System: Windows 2000 or XP.
Licensing Observer
Observer is always distributed and sold in a demo version. The demo mode is provided so that a potential Observer user can get a feel for the package without having to purchase it.
Network Instruments’ fax numbers are:
• (952) 932-9545 in the US and outside of Europe, and
• +44 1959 569881 in Europe and the UK.
Depending on where and how you purchased Observer, you may have a “Right to Use” (RTU) certificate or a set of activation numbers document. Follow the instructions on the RTU or the activation number document to license Observer.
Running Observer or a Probe
You must reboot your PC before you can run Observer (or a Probe). Once rebooted, you can run Observer or the Probe by double-clicking on the Observer icon in the Observer group or the (Advanced or RMON) Probe icon from the Network Instruments’ (Advanced or RMON) Probe group.
Step-by-Step Installation Instructions
This describes installing a licensed version of Observer using Microsoft Windows 2000/XP:
Copy the Observer Files to the Windows PC
1.
5. Next, setup will ask if you want to install Observer, Advanced Probe, or RMON Probe. Select Observer.
6. Setup will ask where to copy the Observer files. Unless you have a specific reason to install Observer elsewhere, we suggest that you install Observer in this default destination.
7. Setup will copy the Observer files onto your PC.
Probe Installation
For instructions on Probe installation, see the Network Instruments’ Probe manual.
packet in any way. Without some way of passing error packets up to the operating system or application, there is no way for the operating system or application to obtain information about the source and nature of the errors. Network Instruments has worked with a number of card manufacturers to modify the standard network card NDIS driver so that it will maintain error counts, and pass error packets up to Observer for processing. Observer ships with a number of these ErrorTrak™ drivers.
• For PCMCIA adapters http://www.networkinstruments.com/html/osup1002.html
Wireless NIC Driver Installation
For Observer to properly analyze wireless packets, the driver must pass through all of the packets, not just those packets addressed to that NIC (i.e., it must put the card in ‘promiscuous’ mode). Observer must also have access to the ‘raw’ wireless packets.
2. Click the Hardware tab and then the Device Manager... button to display the Device Manager.
3. Right-click on the wireless driver (e.g. Nortel Networks e-mobility) and choose Properties.
4. Click on the Driver tab and then click the Update Driver... button.
5. Click Next. The Wizard asks you how you want to update the driver.
6. Choose “Search for a suitable driver for my device (recommended)” and click Next. The Wizard asks where you want to search for the driver.
7. Choose “Specify a location” and click Next. A file locator dialog is displayed.
8. Enter (or browse to) the following directory (assuming that C:\Observer Files is your Observer directory): C:\Observer Files\drivers\wireless
9. Choose “Install one of the other drivers” and click Next. The wizard displays a list of compatible drivers.
10. Choose the appropriate analyzer driver with the “NI” prefix (“NI/Nortel Networks e-mobility 802.11b Wireless network PC Card,” for example) and click Next.* The Wizard informs you that the driver lacks a Microsoft digital signature.
11. Click Yes. Network Instruments has tested the driver and verified that it works with Windows and with Observer. When the installation is complete, click Finish to close the Wizard.
*The table below shows what driver to select for each of the supported wireless NICs:
NIC | Analyzer Driver
Symbol Spectrum24 - 41x1 models | NI/Symbol LA-41x1 [or 41x3] Spectrum24 Wireless network PCMCIA [or PCI] Card Driver
Nortel 41x1 models | NI/Nortel Networks e-mobility 802.
Main Observer Display
The main Observer display includes a number of display components that can be docked or free floating. Most display areas can be configured to be displayed or hidden. Right-clicking on most display areas will offer a display configuration menu.
Observer Basics
Observer Menus
File Menu
• License Observer—when Observer is not licensed, this displays the Licensing dialog. If Observer is licensed, the relicense (upgrade) dialog will be displayed with your current identification and license number, and you will be prompted to relicense your copy of Observer.
• Select Menu Language—allows you to select a language in which Observer menus will be displayed.
• Load and Analyze Observer Capture Buffer—allows you to load a previously saved packet buffer for analysis by the Decode and Analysis submode of Packet Capture mode.
• Save Observer Capture Buffer—allows you to save the present capture buffer in Observer (.BFR) format.
• Save Decode as Text—allows you to save the present decode as a text file.
• Exit—exits Observer.
View Menu
• Advanced, RMON and SNMP Probe lists—this toggles the left hand display of the list of Probes.
Capture Menu
• Packet Capture—displays the Packet Capture mode.
• Decode and Analysis—displays the Decode and Analysis submode.
Decode and Analysis Submode Menu
• Load and Analyze Observer Capture Buffer—allows you to load a previously saved packet buffer for analysis by the Decode and Analysis submode of Packet Capture mode.
• Save Observer Capture Buffer—allows you to save the present capture buffer in Observer (.BFR) format.
• Efficiency History—displays the Efficiency History mode. See “Efficiency History” on page 73.
• Errors by Station—displays the Ethernet/Token Ring/FDDI Errors By Station mode. See “Network Errors by Station Mode” on page 93. The window’s title, when the mode is displayed, will display the type of network—e.g., Ethernet, FDDI, or Wireless.
• Internet Observer (IP Matrix)—displays the Internet Observer mode. See “Internet Observer Mode (Internet Patrol, Pairs Matrix, IP Subprotocols)” on page 76.
• Triggers and Alarms—displays the Triggers and Alarms mode. See “Triggers and Alarms Mode” on page 148.
Trending/Analysis Menu
• Network Trending—displays the Network Trending mode.
• Start Network Trending Viewer—starts the Network Trending viewing console.
• Start Web Browser Report—displays the Web Publishing Service window.
• Application Analysis—displays the Application Analysis Mode, which shows how various types of servers are performing.
• Ping/Trace Route—opens the Ping/Trace Route window.
• Replay Packet Buffer—displays the Replay Packet Buffer mode.
• SNMP MIB Editor—displays the SNMP MIB Editor. To display the SNMP MIB Editor you will need to purchase Network Instruments’ Observer Suite.
• SNMP MIB Walker—displays the Walk Agent MIB dialog, permitting the user to examine an SNMP Agent in detail. To display SNMP agent information you will need to purchase Network Instruments’ Observer Suite.
Actions Menu
• Redirect Probe—displays the Probe Redirection dialog. Redirecting a Probe lets the Observer console connect and direct a Probe’s data to either the local Observer console or a (different) remote Observer console.
• Notify Probe User—activates the Observer console-to-Probe chat utility.
• Add RMON Probe—displays the dialog to add either a Network Instruments’ RMON Probe or a third-party RMON Probe.
• Observer General Options—displays the Observer General Options dialog. These options include general Observer options and options for email and pager notification, as well as SNMP general configuration information.
• Observer Memory and Security Administration—displays the dialogs that let you set up users and passwords, and configure memory usage of Observer and Probes.
• Windows—opens the Windows dialog that displays all open modes.
Help Menu
• Contents—displays the Help files contents.
• Search Help—displays the Help system word search function.
• How to Use Help—displays Help information on Windows help.
• About Observer—displays the Observer “About” dialog, which includes version numbers, licensing status information, and a list of the Extension(s) that Observer is licensed for.
Toolbar icons shown: WAN Delay Analysis, Start Web Report, Packet Capture, Bandwidth Utilization, Internet Observer, Top Talkers Statistics, Protocol Distribution, Network Trending.
Settings Toolbar
You can decide the look of certain mode views and you can choose the general settings of Observer. Each of Observer’s settings is accessible through the toolbar menu or the icons on the toolbar.
Each icon launches a certain action. Actions are described below:
• Redirect Probe
• Notify Probe user—when connected to a remote Probe.
• RMON Probe Configuration
• Network Device Properties
• Delete Probe(s)
Mode Commands Toolbar
All of Observer’s modes share some common buttons on the toolbar located at the top of each display window. Each icon’s function is listed below.
• Start capturing packets or statistics.
• Stop capturing packets or statistics without clearing the display.
Moving Buttons
To move buttons from the main Observer display, drag the button and drop it in the desired location while holding down the Alt key.
Deleting Buttons
To delete a button, drag the button from the toolbar while holding the Alt key and drop it anywhere except on a toolbar.
Customizing Toolbars
To start a configuration session, select View > Tool Bar Setup. The Customize dialog will be displayed.
• Reset button—allows you to reset the currently-selected button to its original values.
Toolbar Setup – Commands Tab
• Categories—allow you to select the category for which buttons are available: Analysis, Capture, Statistics, Trending, Actions, Tools, Options.
• Buttons—displays the buttons available in each category. Any button can be added to any toolbar, regardless of the category.
Activate Map mode by selecting View > Show Probe List as a Map. Once a Probe is displayed on the map, you will need to place the Probe in the desired location on the map. Click and drag a Probe icon to move it on the map.
Customizing the Probe Map
When the list of Probes is in map format, you can display your network graphically, either geographically or topologically, with respect to the positions of the Probes.
Map sizes and color:
• “Horizontal size” textbox—allows you to set the horizontal size of the map.
• “Vertical size” textbox—allows you to set the vertical size of the map.
• “Background color” dropdown—allows you to select the map background color.
• “Lock map objects” checkbox—allows you to lock in place all map objects so they cannot be (mistakenly) moved.
• Note—allows you to enter any notes you may want to keep about the map.
• Insert Ellipse—displays the Shape Description dialog.
• Show Probe and SNMP Devices List—allows you to view the Probe and SNMP Devices list.
Modifying a Probe Map Item
When new Probes are displayed in map mode, they appear in the upper left corner of the map. You can change how Probes are displayed by right-clicking on the Probe map item and selecting “Modify Probe or SNMP Device Display Properties.”
• “Probe or SNMP Device” textbox—displays the name of the Probe map item; not editable.
The Capture Menu
Packet Capture Mode
Packet Capture mode captures network traffic and stores the data for later viewing in the Packet View Decode window. Packet capture is also used to view specific packets during a network conversation. From looking directly at the information being sent and the specific reply, you can often get a clear view of a problem or of an incorrect communication.
Capture and then clicking on the Settings button. The Capture Setup dialog will be displayed.
• “Capture Buffer size (Kilobytes)” textbox—allows you to set the amount of Windows memory that Observer will set aside to store captured packets. Values are in kilobytes. For example, a 2048 KB buffer would represent a 2.048 MB buffer. Observer will show the buffer percentage full and give you an idea of what the best buffer size is for a particular situation.
Windows to multi-task the receiving and analysis of the data going and coming from the Observer PC.
• Do not include traffic from Observer/Probe local MAC address—excludes packets sent and received from the station running Observer or Probe (the MAC address of the station from which you are capturing packets).
• “Include Expert Load information marker frames” checkbox—when checked, Observer will not strip out the timestamp informational markers used by Expert Time Interval and What If analysis modes.
Additionally, since it is more efficient collecting only partial packets, if you are having trouble keeping up with your bandwidth, setting this to a lower number will help keep CPU utilization (per captured packet) at a minimum.
• “Partial packet header size” spinbox—indicates the actual number of bytes per packet Observer will capture. Minimum = 16; maximum = 10,000.
Packet Capture – Graph View
Select Capture > Packet Capture to display the Packet Capture window.
Dropped packets
1.
5. To clear the capture buffer and stop the capture, click the CLEAR button.
6. To view captured packets, click the Decode button.
In most cases, Packet Capture is more useful if you apply appropriate filters (Tools->Filter Setup for Selected Probe). See “Filter Setup for Selected Probe” on page 219.
other independent modes, Ethernet Vital Signs and Collision Expert are accessed, enabling the user to view an Ethernet network’s vital signs and more specifically test for collisions that may be caused by a malfunctioning NIC card somewhere on the network.
Decode and Analysis – Decode View
1. To view the packets in the capture buffer, click on the VIEW icon from the Packet Capture button bar or select Capture > Packet Capture, click on the Decode button, and then click on the Decode tab.
Observer’s active highlight option is activated. This option shows the highlighted sections of actual data in the raw area of the packet decode screen as well as the offset of the value from the beginning of the packet. This information can be used to configure an offset filter for that value. You can highlight an item of the decode in the Raw Packet Display area and right-click on it. Two options will be displayed: Start Packet Capture on Segment/Offset or Create Filter on Segment/Offset.
Access a dropdown menu from which you can:
Saving Capture Buffers and Decodes
• Save Capture Buffer—displays the Save Packet Capture dialog. Clicking on the Advanced button will display additional fields.
The Save Packet Capture dialog contains the following items:
• Display of captured packets.
• “First packet” textbox—allows you to set the first packet in the capture buffer to be saved to the file. By default, this is packet 1.
• “Append packets to existing file” checkbox—when selected, allows you to add packets to the existing file.
• “Replace hardware address in all saved packets” checkbox—when selected, enables hardware address substitution in the saved buffer.
• “Original address” dropdown—allows you to determine which hardware address will be searched for during the replacement. The hardware address must be entered manually the first time it is used. Observer will remember ten previously-entered addresses.
dialog you are interested in some particular section of the capture, you can specify only that section.
• “First packet” textbox—allows you to set the first packet in the capture buffer to be saved to the file. By default, this is packet 1.
• “Last packet” textbox—allows you to set the last packet in the capture buffer to be saved to the file. By default, this is the last packet in the capture buffer.
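The hardware-address substitution that the “Replace hardware address in all saved packets” option describes, written out as an added Python example (not Observer’s code) so the effect on a saved buffer can be checked before it is shared. It rewrites the Ethernet source and destination fields of raw frames within a First/Last packet range, and goes one step beyond the dialog by also rewriting the ARP sender/target hardware fields, which would otherwise keep the original address in the payload; the raw-Ethernet layout, the sample frames and the addresses are assumptions.

```python
"""Replace one hardware (MAC) address throughout a set of captured frames.

Added example, not Network Instruments' code. Frames are assumed to be raw
Ethernet (optionally 802.1Q tagged); the capture file container is ignored.
"""
from typing import List, Optional, Tuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806


def parse_mac(text: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' and return 6 bytes."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad hardware address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def hw_field_offsets(frame: bytes) -> List[int]:
    """Offsets of every 6-byte hardware-address field in one frame.

    Always the Ethernet destination (0) and source (6). For ARP, also the
    sender (SHA) and target (THA) hardware fields of the ARP body, which an
    Ethernet-header-only rewrite would leave untouched.
    """
    offsets = [0, 6]
    if len(frame) < 14:
        return offsets
    type_off = 12
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        type_off = 16                       # skip the 4-byte 802.1Q tag
        ethertype = int.from_bytes(frame[16:18], "big")
    if ethertype == ETHERTYPE_ARP:
        arp = type_off + 2                  # first byte of the ARP body
        # ARP body: HTYPE(2) PTYPE(2) HLEN(1) PLEN(1) OPER(2) SHA(6) SPA(4) THA(6) TPA(4)
        if len(frame) >= arp + 28 and frame[arp + 4] == 6:
            offsets += [arp + 8, arp + 18]
    return offsets


def replace_hw_address(frames: List[bytes], original: str, replacement: str,
                       first: int = 1, last: Optional[int] = None) -> Tuple[List[bytes], int]:
    """Return (rewritten frames, number of address fields replaced).

    first/last are 1-based packet numbers, like the dialog's First/Last
    packet boxes; frames outside that range are copied unchanged.
    """
    orig, new = parse_mac(original), parse_mac(replacement)
    if last is None:
        last = len(frames)
    out, replaced = [], 0
    for number, frame in enumerate(frames, start=1):
        if not first <= number <= last:
            out.append(frame)
            continue
        buf = bytearray(frame)
        for off in hw_field_offsets(frame):
            if off + 6 <= len(buf) and buf[off:off + 6] == orig:
                buf[off:off + 6] = new
                replaced += 1
        out.append(bytes(buf))
    return out, replaced


# Constructed sample frames (not from a real capture).
ORIG = "00:11:22:33:44:55"
NEW = "02:00:00:00:00:01"
_orig, _other, _bcast = parse_mac(ORIG), parse_mac("aa:bb:cc:dd:ee:ff"), b"\xff" * 6
SAMPLE_FRAMES = [
    # 1: IPv4 frame sent by ORIG (only the Ethernet source field matches)
    _other + _orig + b"\x08\x00" + b"\x45" + b"\x00" * 19,
    # 2: untagged ARP request from ORIG (source field and SHA match)
    _bcast + _orig + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01"
    + _orig + bytes([10, 0, 0, 1]) + b"\x00" * 6 + bytes([10, 0, 0, 2]),
    # 3: VLAN-tagged ARP reply to ORIG (destination field and THA match)
    _orig + _other + b"\x81\x00\x00\x64" + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x02"
    + _other + bytes([10, 0, 0, 2]) + _orig + bytes([10, 0, 0, 1]),
]

if __name__ == "__main__":
    rewritten, n = replace_hw_address(SAMPLE_FRAMES, ORIG, NEW)
    print(f"replaced {n} hardware-address fields")   # 5 with the sample frames
    for i, f in enumerate(rewritten, start=1):
        print(i, f.hex(" ", 1)[:60])
```

A plain header-only rewrite would report 3 replacements on these frames and leave the address in both ARP bodies, which is the case worth checking on a real buffer.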
which can be most useful for a programmer analyzing packet details in depth. You can have Observer print Ethernet addresses or aliases as the printed headers. You can also choose whether Observer will print packets continuously or print each packet on a single page. (Provided that the length of a packet allows it, every new packet will always start printing on a new page.)
• Once you have made your print option selections, click on the PRINT button.
• Print Setup—displays the Print Setup dialog.
To delete a comment from a packet header, right-click the header and choose Delete comment... from the popup menu.
Finding Packets within the Decode
Click the Tools button on the Decode window’s button bar and select Find Packet to display the Find Packet Contents dialog. Here, you can set options to search the capture buffer in whatever format and for whatever string you specify. Multiple instances of the Find Packet dialog can be active at one time.
PostFilter
• Choose PostFilter from the Decode window’s Tools menu to re-filter a captured buffer or saved buffer using a different filter profile. This displays the Select Postfilter Profile dialog.
• To select a filter profile, highlight the profile in the tree display.
• If you click on the EDIT PROFILE button, the Filter dialog will be displayed.
• “Expand 2nd level trees” checkbox—when selected, causes the tree decode display to expand all second level trees.
• “Expand 3rd level trees” checkbox—when selected, causes the tree decode display to expand all third level trees.
• “Expand 4th level trees” checkbox—when selected, causes the tree decode display to expand all fourth level trees.
• “Assign protocols to dynamically assigned port numbers” checkbox—when selected, allows you to manually assign port numbers to dynamic port-based protocols.
Create an Assignment
1. To create an assignment, right-click on the protocol you wish to assign port numbers to and select the ADD PORTS button. If you already have a port assigned, you may also click on the MODIFY PORTS button. The Add/Modify Port Range dialog will be displayed:
• “First Port” spinbox—allows you to select the first port.
Packet View Settings – IPv6 Tab
You can select from the following option buttons:
• Compressed hexadecimal
• Not compressed hexadecimal
• Compressed IPv4 compatible
• Not compressed IPv4 compatible
• Decimal “.
Packet View Settings – Column Order Tab
You can select the column order by highlighting an item (the checkbox does not have to be selected) and then clicking on the BEFORE or AFTER button, depending on where you would like the item to fall on your list. The highlighted item will move up or down depending on the button you are clicking. If you do not select an item, it will not be displayed on the list.
Decode List Columns Order and Visibility checkboxes available include the following.
Packet View Settings – Protocol Colors Tab
• Text Color button—displays the Color dialog allowing you to select the text color.
• Background Color button—displays the Color dialog allowing you to select the background color.
Packet View Settings – Decode SNMP MIBs Tab
Allows you to select the compiled MIB files you would like to decode. It is best to only select the MIBs that are necessary to save memory and shorten the load time. See “The MIB Editor” on page 352.
Packet View Settings – Protocol Forcing
Protocol forcing allows you to examine packets that have unknown or proprietary packet headers.
• “Enable Protocol Forcing” checkbox—selecting this box allows you to enter the desired protocol type and the offset.
• “Protocol” combo box—allows you to select from IP, IPX, NetBIOS, AppleTalk, TCP, or UDP.
Decode and Analysis – Decode View Display Properties
This menu choice and the corresponding button displays the Protocol Colors dialog.
Decode and Analysis – Packet Header and Decode Panes Right-Click Menu
• Start Packet Capture on Source Station Address—allows you to start the packet capture on the source station address.
• Start Packet Capture on Destination Station Address—allows you to start the packet capture on the destination station address.
• Start Packet Capture on Station Pair—allows you to start the packet capture on the station pair.
Decode and Analysis – Summary View
Summary View gives summary information on the packets contained in the capture, whether it is a live capture or a .BFR file being examined. To go to the Summary view, click on the “Summary” navigation tab at the bottom of the Decode and Analysis window.
Navigation tabs shown: Capture Attributes, Size Distribution, Errors, Protocols.
In Summary View, the Decode and Analysis window contains a browsable tree of Capture Attributes, Size Distribution, and Errors and Protocols.
The selection bar can be used to determine whether All, IP and its subprotocols, or IPX and its protocols will be displayed. If IP or IPX is used, the subprotocol percentage will be calculated based on that protocol, and not on total packets.
Decode and Analysis Protocols – List View
In Decode and Analysis Protocols – List View, the Decode and Analysis window displays a list of the protocols used in the capture.
• Protocol—the name of the protocol or subprotocol used.
Decode and Analysis Protocols – List View Right-Click Menu
• Expand All—allows you to expand all branches.
• Close All—allows you to close all branches.
• Expand Branch—allows you to open the branch.
• Close Branch—allows you to close the branch.
• Show Subprotocols of—not active.
• Go to Higher Level Protocol—not active.
• Display Properties—not active.
Data:
• “Maximum items” spinbox—allows you to set the maximum items to be displayed.
Graph:
• “3D depth” spinbox—allows you to set the 3D depth of the displayed item.
• “3D angle” spinbox—allows you to set the 3D angle of the displayed item.
Decode and Analysis Protocols – Pie View Right-Click Menu
• Expand All—allows you to expand all branches.
• Close All—allows you to close all branches.
• Expand Branch—allows you to open the branch.
• Close Branch—allows you to close the branch.
Decode and Analysis Protocols – Pie View
Decode and Analysis Protocols – Pie View Display Properties
Data:
• “Maximum items” spinbox—allows you to set the maximum items to be displayed.
Graph:
• “3D depth” spinbox—allows you to set the 3D depth of the displayed item.
• “3D angle” spinbox—allows you to set the 3D angle of the displayed item.
Decode and Analysis Protocols – Pie View Right-Click Menu
• Expand All—allows you to expand all branches.
• Close All—allows you to close all branches.
• Expand Branch—allows you to open the branch.
• Close Branch—allows you to close the branch.
• Show Subprotocols of—not active.
• Go to Higher Level Protocol—allows you to proceed to the higher level protocol.
• Display Properties—activates the Display Properties dialog.
• Find—displays the Find dialog.
• Display Properties—displays the Display Properties dialog.
Decode and Analysis Top Talkers View – MAC View
(Decode and Analysis Top Talkers navigation tabs)
• Alias—displays the alias name of the station.
• IP address—displays the IP address of the station.
• Address—displays the address of the station.
• % Pkts—displays the total number of packets received by the station during the capture.
• Multicasts—displays the total number of multicasts.
• Multicasts/s—displays the total number of multicasts per second.
Decode and Analysis Top Talkers – IP View
• DNS Name—displays the Domain Name Server name of the station.
• IP address—displays the IP address of the station.
• Packets Rx—displays the total number of packets received by the station during the capture.
• Bytes Rx—displays the total number of bytes received by the station during the capture.
Decode and Analysis Pairs (Matrix) Pairs (Matrix) view in Decode and Analysis is similar in appearance and function to Observer’s Pair Statistics (Matrix) mode. The difference is that the display is static, reflecting distribution of conversations in the capture buffer, rather than, as with Pair Statistics (Matrix) mode, dynamic: reflecting an ongoing, updated distribution of what is happening on the monitored segment.
Decode and Analysis Pairs (Matrix) – List View
Decode and Analysis Pairs (Matrix) – List View Display Properties
• “Item” dropdown—allows you to select which item will be configured.
• “Item color” dropdown—allows you to select the color of the main display item.
Graph:
• “Bar height” spinbox—allows you to configure the bar height in pixels.
Station names:
• Alias option button—allows you to select to view stations by alias name.
Decode and Analysis Pairs (Matrix) – List View Right-Click Menu
• Start Packet Capture on station address(es)—activates the Filters dialog.
• Start Packet Capture on pair address(es)—activates the Filters dialog.
• Create Filter on station address(es)—activates the Filters dialog.
• Create Filter on pair address(es)—activates the Filters dialog.
• Find—displays the Find dialog.
• Display Properties—displays the Display Properties dialog.
Decode and Analysis Pairs (Matrix) – Dial View Right-Click Menu
• Cursor—allows you to select the cursor type. You can select from the following: arrow, hand, or magnify.
• Zoom—allows you to select the view mode. You can select from the following: 1x, 2x, 5x, 10x, 20x, or 40x.
• Hide selected stations—hides the highlighted station.
• Show all stations—shows all stations.
• Show traffic only for selected stations—shows all traffic for the highlighted stations.
To view Decode and Analysis – Internet Observer View, click on the “Internet Observer” navigation tab at the bottom of the Decode and Analysis window. In Internet Observer View, the top tabs include three options for viewing captured Internet data: Internet Patrol, IP Pairs (Matrix), and IP Subprotocols.
• Total packets—displays the total number of packets in the capture sent (in either direction) between the station listed in Station (by IP) and the station listed in Talking to (by IP). • Total bytes—displays the total number of bytes in the capture sent (in either direction) between the station listed in Station (by IP) and the station listed in Talking to (by IP).
Decode and Analysis Internet Observer – IP Subprotocols View
When IP Subprotocols is selected from the selection bar, a tabular display appears, and the following items are displayed in the bar above the main table:
• Stations—gives the number of stations in IP conversations.
• Displaying—describes what units are counted in the display.
• Filter—describes whether or not a filter is present.
*.enc—for Ethernet captures
*.trc—for Token Ring captures
*.fdc—for FDDI captures
*.cap—for CAP files
Options for reading or writing Sniffer® formatted packet buffers are available from the Packet View Mode Commands menu.
The Statistics Menu
Bandwidth Utilization
Shows bandwidth usage statistics for your network.
Menu Path
Statistics -> Bandwidth Utilization. The mode starts immediately.
Purpose
Bandwidth Utilization is calculated by recording the number of bytes seen by the Observer (or Probe) station over a 1-second interval. This value is then adjusted by adding the appropriate MAC header and footer data size information.
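The calculation just described, carried through in an added Python example that is not Observer’s code: frame sizes from a capture are totalled per 1-second interval and the framing overhead is added before dividing by the link rate. The overhead values (8-byte preamble/SFD, 4-byte FCS, 12-byte inter-frame gap, padding to the 60-byte minimum) are the standard 802.3 figures assumed here, not a statement of what Observer adds internally; the sample frames and the 10 Mb/s link rate are constructed.

```python
"""Per-second bandwidth utilization from captured frame sizes.

Added example, not Observer's code. It follows the method the manual
describes for Ethernet: total the bytes seen in each 1-second interval, then
add the framing overhead that the captured length omits. Assumed overhead per
frame (802.3 values, not a statement of what Observer adds): 8 bytes
preamble+SFD, 4 bytes FCS, 12 bytes inter-frame gap, and padding of short
frames to the 60-byte minimum; captured lengths are assumed to exclude the FCS.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

PREAMBLE_SFD = 8
FCS = 4
INTERFRAME_GAP = 12
MIN_FRAME_NO_FCS = 60


def wire_bytes(captured_len: int) -> int:
    """Bytes of line time one frame actually consumes on the wire."""
    return max(captured_len, MIN_FRAME_NO_FCS) + PREAMBLE_SFD + FCS + INTERFRAME_GAP


def utilization_by_second(samples: Iterable[Tuple[float, int]],
                          link_bps: int) -> List[Tuple[int, int, float]]:
    """Return (second, wire bytes, utilization %) for every second from the
    first to the last sample, idle seconds included.

    samples: (timestamp in seconds, captured frame length in bytes) pairs.
    """
    capacity = link_bps / 8                  # bytes the link can carry per second
    buckets: Dict[int, int] = defaultdict(int)
    for ts, length in samples:
        buckets[int(ts)] += wire_bytes(length)
    if not buckets:
        return []
    lo, hi = min(buckets), max(buckets)
    return [(s, buckets[s], 100.0 * buckets[s] / capacity) for s in range(lo, hi + 1)]


def peak(rows: List[Tuple[int, int, float]]) -> Optional[Tuple[int, int, float]]:
    """The busiest 1-second interval, or None when there is no data."""
    return max(rows, key=lambda r: r[2]) if rows else None


# Constructed samples: 100 full-size frames in second 0, 1000 tiny frames in
# second 1, nothing in second 2, and one 64-byte frame in second 3.
SAMPLES = ([(0.0 + i * 0.005, 1500) for i in range(100)]
           + [(1.0 + i * 0.0005, 40) for i in range(1000)]
           + [(3.2, 64)])
LINK_10MBPS = 10_000_000

if __name__ == "__main__":
    for second, nbytes, pct in utilization_by_second(SAMPLES, LINK_10MBPS):
        print(f"second {second}: {nbytes:>7} bytes on the wire, {pct:6.3f}% of 10 Mb/s")
```

The second interval shows why the overhead adjustment matters: 1000 40-byte frames carry 40,000 bytes of data but occupy 84,000 bytes of line time once padding and framing are counted.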
Graph View
Graph View Display Properties
To set the display properties, either:
• right-click the display,
• click the Display Properties icon, or
• select Mode Commands->Display Properties.
The Display Properties dialog offers configuration options for the components of the display.
• “Item” dropdown—allows you to select which item will be configured.
• “Item color” dropdown—allows you to select the color of the main (Bandwidth) display item.
• “Item line thickness” dropdown—allows you to select the thickness of the line (in pixels). This field is only active if “Lines” was selected in “Item plot.”
• “Graph Time” option buttons—allows you to set how the “X” axis will be displayed. Clock time will show times using a 24-hour clock (i.e., the current time). Relative time will display times from the start of the activation of the mode.
Dial View
3D Column Chart View
3D Column Chart View Display Properties
To set the display properties for list view, click Settings. The Data fields are:
• “Maximum items” spinbox—allows you to select the maximum items to be displayed.
The Graph fields are:
• “3D depth” spinbox—allows you to select the 3D depth of the graph items.
• “3D angle” spinbox—allows you to select the 3D angle of the graph items.
3D Line Chart View
Related Topics
• 3D Step Chart View on page 136.
• Utilization History Mode on page 132.
Efficiency History
Provides a benchmark of network efficiency, useful for measuring the impact of administrative changes to your network.
Menu Path
Statistics->Efficiency History. The mode starts immediately.
Unlike most of the diagnostic modes, Efficiency History generates a small amount of network traffic: 420 packets per minute on Ethernet and 180 packets per minute on a Token Ring. Such small loads will have no effect on network performance. A common use for this mode is to judge the effectiveness, or lack of effectiveness, of changes and alterations to your network setup/configuration. Many administrators use this item as a gauge prior to a network change and then after the change is complete.
Graph View Display Properties
To set display properties, click the Settings button. The Display Properties dialog offers configuration options for the components of the display.
• “Item” dropdown—allows you to select which item will be configured.
• “Item color” dropdown—allows you to select the color of the main display item.
• “Item plot” dropdown—allows you to select the item to be displayed as lines or bars.
Dial View Display Properties
There are no display properties available for this view.
List View
Internet Observer Mode (Internet Patrol, Pairs Matrix, IP Subprotocols)
Lets you look at internet usage by users, by connection pairs, or by subprotocols.
Menu Path
To start Internet Observer mode, select Statistics > Internet Observer (IP Matrix) or click on the Internet Observer icon. Click the Start icon to start the mode.
• Internet Patrol Tab
• IP Pairs (Matrix) Tab
• IP Subprotocols Tab
Purpose Internet Observer mode permits you to examine Internet traffic on your network. This can be used to monitor overall Internet usage and to focus on a specific station or stations. You can also break down Internet usage by subprotocols. For example, you can easily determine what proportion of Internet traffic involves the WWW vs. popmail. Internet Observer mode is designed to keep track of users’ Internet usage in a number of different tabs: Internet Patrol, IP Pairs (Matrix), and IP Subprotocols.
• IP Subprotocols by Station sub-mode parameters option buttons—allows you to configure the display of the port by port data: either by number of packets or by number of bytes.
• Modify Network Trending and Internet Observer TCP/IP Subprotocols button—clicking this button displays the list of protocols to use for the IP Subprotocols submode tab. Twelve (12) subprotocols can be defined.
Internet Patrol Tab
Internet Patrol displays MAC address to layer 3 IP address traffic.
List View
List View Properties
Right-Click Menu
• Start Packet Capture on station address(es)—activates the Filters dialog.
• Start Packet Capture on pair address(es)—activates the Filters dialog.
• Create Filter on station address(es)—activates the Filters dialog.
• Create Filter on pair address(es)—activates the Filters dialog.
• Find—displays the Find dialog.
• Display Properties—displays the Display Properties dialog.
Pair Circle View
Display Properties
Data:
• “Item” list—allows you to select the item to be configured.
• “Color” dropdown—allows you to select the color of the item listed in the “Item” list box.
Station name—allows you to select from one of the following:
• Alias option button—allows you to select to view stations by alias name.
Talking to name:
• DNS name option button—allows you to select to talk to stations by DNS name.
• IP address option button—allows you to select to talk to stations by IP address.
Right-Click Menu
• Cursor—allows you to select the cursor type. You can select from the following: arrow, hand, or magnify.
• Zoom—allows you to select the view mode. You can select from the following: 1x, 2x, 5x, 10x, 20x, or 40x.
• Hide selected stations—hides the highlighted station.
3D Column Chart View
You can determine how the chart collects its data by clicking on the dropdown. You can select from the following:
• Total packets—displays the total number of packets in the capture sent in either direction.
• Total bytes—displays the total number of bytes in the capture sent in either direction.
• Packets 1 -> 2—displays the total number of packets in the capture sent from the station.
• Packets 1 <- 2—displays the total number of packets in the capture sent to the station.
Display Properties
Data:
• “Maximum items” spinbox—allows you to select the maximum items to be displayed.
Graph:
• “3D depth” spinbox—allows you to select the 3D depth of the graph items.
• “3D angle” spinbox—allows you to select the 3D angle of the graph items.
3D Pie Chart View
IP Pairs (Matrix) Tab
IP to IP Pairs (Matrix) displays true layer 3 IP address to true layer 3 IP address traffic.
On a local network, this view will show all Internet usage IF the IP addresses are static. If you are using DHCP on your local network, you should view your Internet traffic using the “Internet Patrol” tab described above. On a backbone, this view can show true user Internet usage and traffic flow, even if your users are downstream from the backbone via routers.
List View
• Start Packet Capture on pair address(es)—activates the Filters dialog.
• Create Filter on station address(es)—activates the Filters dialog.
• Create Filter on pair address(es)—activates the Filters dialog.
• Find—displays the Find dialog.
• Display Properties—displays the Display Properties dialog.
Pair Circle View
This display shows Internet connections in a “spider graph” as Observer senses your users accessing sites.
• “Color” dropdown—allows you to select the color of the display item.
Station name:
• DNS name option button—allows you to select to view stations by DNS name.
• IP address option button—allows you to select to view stations by IP address.
Right-Click Menu
• Cursor—allows you to select the cursor type. You can select from the following: arrow, hand, or magnify.
• Zoom—allows you to select the view mode. You can select from the following: 1x, 2x, 5x, 10x, 20x, or 40x.
can be created. “Other” indicates a protocol that did not match the criteria of the twelve user-defined protocols.
List View
Display Properties
Display properties can be set by right-clicking on the display or by clicking the Display Properties icon. The Display Properties dialog offers configuration options for the components of the display.
• “Item” dropdown—allows you to select which item will be configured.
• “Item color” dropdown—allows you to select the color of the main display item.
Graph:
• “Bar height” spinbox—allows you to select the bar height.
Right-Click Menu
• Start Packet Capture on station address(es)—activates the Filters dialog.
• Start Packet Capture on pair address(es)—activates the Filters dialog.
• Create Filter on station address(es)—activates the Filters dialog.
• Create Filter on pair address(es)—activates the Filters dialog.
• Find—displays the Find dialog.
• Display Properties—displays the Display Properties dialog.
at a glance the health of a network and can warn of impending slowdowns due to broadcast or multicast storms. The indicator lines change color for easy viewing of specific network conditions:
• If an indicator line is yellow, the NAD is showing a network condition that is essentially idle (total net utilization is under 5%). In this case, the percentage of broadcast or multicast packets may be high compared to actual traffic.
Things to note:
• Error thresholds can be set in the Display Settings dialog.
• The gray area behind the current display is the outline of the last Network Vital Signs.
• NAD information can be saved to a comma delimited file by selecting File > Save Mode in Comma Delimited Format.
Display Properties
Display properties can be set by right-clicking on the display or by clicking the Settings button. The Display Properties dialog offers configuration options for the components of the display.
mode. The clock counts down the number of seconds left in the “Seconds/Interval” time period until data will be written to the display.
Mode clock
Display Properties
Display properties can be set by right-clicking on the display or by clicking the Display Properties icon. The Display Properties dialog offers configuration options for the components of the display.
• “Item” dropdown—allows you to select which item will be configured.
Graph horizontal scale:
• “Pixels/interval” spinbox—allows you to set how many pixels each interval display will occupy.
• “Seconds/interval” dropdown—allows you to set the number of seconds Observer will average before displaying interval information.
Right-Click Menu
Right-clicking on the graph will display the Display Properties dialog for Network Activity Display – Graph View.
Network Errors by Station Mode
The Network Errors by Station mode displays network error packets broken down by the source (station) of the error and the type of error packet.
Menu Path
Choose Statistics->Network Errors by Station. Click the Start button to start running the mode.
Purpose
Network Errors by Station tracks and shows slightly different error counts depending on the access method of the network you are monitoring: Ethernet, FDDI, Token Ring, or Wireless.
• The summation header displays the number of stations and the total number of packets analyzed.
• The station error list box shows each station that has sent an error packet and the number and type of errors. Additionally, error rates (value per second) are displayed, as is the “% Errors/Total packets” statistic. The “% Errors/Total packets” statistic is the total number of error packets divided by the total number of packets, times 100.
• Create Filter on station address(es)—activates the Filters dialog.
• Create Filter on pair address(es)—activates the Filters dialog.
• Find—displays the Find dialog.
• Display Properties—displays the Display Properties dialog.
3D Chart and Pie Views
Observer also offers 3D bar chart and pie views of Network Errors by Station. Simply click the 3D bar or Pie icon on the left side of the window.
As with the Network Activity Display, the following colors have specific meanings:
• A yellow line anywhere in the display represents an idle condition. In other words, no matter what your display is telling you, activity is so low that the errors are not statistically important.
• A green line shows normal network activity and error counts.
• A red line indicates error counts out of “normal” range. When a red line condition is displayed.
collisions, this means that some station on your network is not respecting the traffic of other stations. See “Collision Expert Analysis” on page 100.
Available Views
• Graph View
• Dial
• List
Graph View Display Properties
Display properties can be set by right-clicking on the display or by clicking the Display Properties icon. The Display Properties dialog offers configuration options for the components of the display.
• “Item color” dropdown—allows you to select the color of the main display item.
• “Item plot” dropdown—offers a choice of the item to be displayed as Lines, Points, or Bars.
• “Item line thickness” dropdown—offers a choice of the thickness of the displayed item in pixels. This option is only available for items that have been defined as a “Line” in the “Item plot” dialog.
Graph horizontal scale:
• “Pixels/interval” spinbox—allows you to select how many pixels each interval display will occupy.
Summary List View
Plot View
The gray area behind the current display is the outline of the last Network Vital Signs.
Display Properties
Different error thresholds can be set in the Display Properties dialog.
• “Utilization %” spinbox—allows you to select the utilization threshold number.
• “CRC errors % Total Packets” spinbox—allows you to select the CRC errors threshold number.
• “Alignment errors % Total Packets” spinbox—allows you to select the alignment errors threshold number.
• “Too small % Total Packets” spinbox—allows you to select the too small threshold number.
• “Too big % Total Packets” spinbox—allows you to select the too big threshold number.
Setup Properties
The Setup dialog for Collision Expert Analysis lets you configure thresholds for warnings about aberrant stations.
Expert thresholds (times from average % collisions):
• “Warning level” spinbox—sets the multiplier that Expert mode will use to warn of events. For example, if this is set to “5,” the Expert will warn when a station’s collision rate is five times the network average.
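The arithmetic behind the Network Errors by Station list (error counts, value-per-second rates and the “% Errors/Total packets” statistic described above) and the Collision Expert “Warning level” multiplier, as an added example in Python. This is not Network Instruments code; the packet record layout, the error type names and the ten seconds of sample traffic are constructed assumptions.

```python
"""Per-station error statistics in the style of Observer's Network Errors by
Station mode (counts, value-per-second rates, "% Errors/Total packets") plus a
Collision Expert style check that flags stations whose collision rate is a
multiple of the network average. Added example, not Network Instruments code;
the packet records and the sample traffic are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Error classes the manual's Ethernet thresholds name, plus collisions (assumed names).
ERROR_TYPES = ("crc", "alignment", "too_small", "too_big", "collision")


@dataclass
class StationErrors:
    packets: int = 0
    errors: dict = field(default_factory=lambda: {t: 0 for t in ERROR_TYPES})

    @property
    def total_errors(self):
        return sum(self.errors.values())

    def pct_errors(self):
        # "% Errors/Total packets": error packets divided by total packets, times 100
        return 0.0 if self.packets == 0 else 100.0 * self.total_errors / self.packets


def aggregate(packets, duration_s):
    """packets: iterable of (source_mac, error_type or None for a good packet).
    Returns (per-station table, summary header with per-second error rates)."""
    if duration_s <= 0:
        raise ValueError("duration must be positive")
    stations = defaultdict(StationErrors)
    for src, err in packets:
        st = stations[src]
        st.packets += 1
        if err is not None:
            if err not in ERROR_TYPES:
                raise ValueError(f"unknown error type {err!r}")
            st.errors[err] += 1
    summary = {
        "stations": len(stations),
        "packets": sum(s.packets for s in stations.values()),
        "errors_per_sec": {m: s.total_errors / duration_s for m, s in stations.items()},
    }
    return dict(stations), summary


def collision_expert(stations, warning_level=5):
    """Flag stations whose collision rate (collisions / own packets) is at least
    warning_level times the network-wide collision rate; 5 is the manual's example."""
    total_pkts = sum(s.packets for s in stations.values())
    total_coll = sum(s.errors["collision"] for s in stations.values())
    if total_pkts == 0 or total_coll == 0:
        return []
    network_avg = total_coll / total_pkts
    return [
        (mac, s.errors["collision"] / s.packets, network_avg)
        for mac, s in stations.items()
        if s.errors["collision"] / s.packets >= warning_level * network_avg
    ]


# Constructed traffic: ten seconds of (source MAC, error) records.
SAMPLE_PACKETS = (
    [("00:00:00:00:00:01", None)] * 90 + [("00:00:00:00:00:01", "crc")] * 10
    + [("00:00:00:00:00:02", None)] * 195 + [("00:00:00:00:00:02", "collision")] * 5
    + [("00:00:00:00:00:03", None)] * 15 + [("00:00:00:00:00:03", "collision")] * 5
)


def run_example():
    stations, summary = aggregate(SAMPLE_PACKETS, duration_s=10)
    return stations, summary, collision_expert(stations, warning_level=5)


if __name__ == "__main__":
    stations, summary, flagged = run_example()
    print(summary)
    for mac, st in stations.items():
        print(mac, st.packets, st.total_errors, f"{st.pct_errors():.1f}%")
    print("collision expert warnings:", flagged)
```

With the constructed sample the third station sends only 20 packets but 5 of them collide, a rate eight times the network average of 10/320, so it is the only one the expert check reports at a warning level of 5; the second station collides more often in absolute terms but at less than the average rate, which is why the check compares rates rather than counts.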
List View
To start Collision Expert Analysis, click the Collision Expert Analysis tab.
Display Properties
Display properties can be set by right-clicking on the display or by clicking the Display Properties icon. The Display Properties dialog offers configuration options for the components of the display.
• “Item” list—allows you to select which item will be configured.
• “Item color” dropdown—allows you to select the color of the main display item.
Right-Click Menu
• Start Packet Capture on station address(es)—activates the Filters dialog.
• Start Packet Capture on pair address(es)—activates the Filters dialog.
• Create Filter on station address(es)—activates the Filters dialog.
• Create Filter on pair address(es)—activates the Filters dialog.
• Find—displays the Find dialog.
• Display Properties—displays the Display Properties dialog.
3D Chart View
Pie View
3D Chart and Pie Display Properties
Data:
• “Maximum items” spinbox—allows you to select the maximum items to be displayed.
Graph:
• “3D depth” spinbox—allows you to select the 3D depth of the graph items.
• “3D angle” spinbox—allows you to select the 3D angle of the graph items.
Pair Statistics (Matrix) Mode
Tracks all conversation pairs on your network and allows you to examine the details of a specific conversation for analysis.
This will make watching one conversation amongst many hundreds much easier. To zoom in, highlight the pair you are interested in and it will be displayed on the top of the Pair dialog.
Available Views
• Graph View
• Pair Circle View
• List View
• 3D Column Chart View
• 3D Pie Chart View
Setup Properties (all views)
The Setup dialog is where mode specific setup information options are set. You can access the Setup dialog by clicking the Setup icon or by selecting Mode Commands > Setup.
List View
The List view of Pair Statistics shows all pairs and the latency times between conversations. To display latency for a pair, select it from the list.
Display Properties
Display properties can be set by right-clicking on the display or by clicking the Settings button. The Display Properties dialog offers configuration options for the components of the display.
• “Item” dropdown—allows you to select the item to be configured.
• IP address option button—allows you to view stations by IP address.
• MAC address option button—allows you to view stations by MAC address.
Right-Click Menu
The Pair Statistics – Graph View right-click menu offers a number of filtering options, as well as access to the Display Properties dialog.
• Start Packet Capture on station address(es)—activates the Filters dialog.
• Start Packet Capture on pair address(es)—activates the Filters dialog.
Display Properties
Display properties can be set by right-clicking on the display or by clicking the Settings button. The Display Properties dialog offers configuration options for the components of the display.
• “Item” list—allows you to select the item to be configured.
• “Color” dropdown—allows you to select the color of the item listed in the “Item” list box.
Station name—allows you to select from one of the following:
• Alias option button—allows you to view stations by alias name.
• Show all stations—shows all stations.
• Show traffic only for selected stations—shows all traffic for the highlighted stations.
• Show all traffic—shows all traffic on the network.
• Start Packet Capture on station address(es)—activates the Filters dialog.
• Start Packet Capture on pair address(es)—activates the Filters dialog.
• Create Filter on station address(es)—activates the Filters dialog.
• Create Filter on pair address(es)—activates the Filters dialog.
• Start Packet Capture on station address(es)—activates the Filters dialog.
• Start Packet Capture on pair address(es)—activates the Filters dialog.
• Create Filter on station address(es)—activates the Filters dialog.
• Create Filter on pair address(es)—activates the Filters dialog.
• Find—displays the Find dialog.
• Settings—displays the Display Properties dialog.
• Reset Column Widths—returns the column widths to their original settings.
3D Pie Chart View
3D Chart and Pie View Display Properties
Data:
• “Maximum items” spinbox—allows you to select the maximum items to be displayed.
Graph:
• “3D depth” spinbox—allows you to select the 3D depth of the graph items.
• “3D angle” spinbox—allows you to select the 3D angle of the graph items.
Protocol Distribution Statistics Mode
Displays network protocol usage statistics.
are being used and if there are any unknown or misconfigured protocols on your network. You can have a maximum number of the following for each subprotocol: 512 for UDP, 512 for TCP, and 512 for Frame. The Protocol Distribution mode displays Protocol Statistics in list, 3D chart, and pie views. The Protocol Distribution mode can be activated from the main window by selecting Statistics > Protocol Distribution.
3D Pie Chart View
Settings
• “Use Current Filter” checkbox—Check this box if you want only packets matching the current filter criteria to be used for the Protocol Distribution display.
• “Define Protocols for Protocol Distribution Statistics”—displays a dialog that lets you define the protocols to be displayed:
• Displays the Frame Name, First Port (Hex), and Last Port (Hex).
• Add button—displays the Add/Edit SubProtocol dialog, where you can define the frame name and range for the protocol you are defining.
RMON Tables
See “Using the RMON Console” on page 415.
Router Observer
Shows router utilization rates.
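How user-defined subprotocols (Frame Name, First Port (Hex), Last Port (Hex)) classify traffic, with the “Other” bucket for packets that match none of them and the documented limits of twelve defined subprotocols and 512 definitions per frame type, as an added example in Python. This is not Network Instruments code; the matching rule (first definition whose range covers either port wins), the definitions and the sample packets are constructed assumptions.

```python
"""Subprotocol classification by user-defined port ranges, in the style of
Observer's Protocol Distribution definitions (Frame Name, First Port (Hex),
Last Port (Hex)) with the manual's "Other" bucket for unmatched traffic.
Added example, not Network Instruments code; the matching rule, the limit
handling, the definitions and the sample packets are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass

MAX_DEFINED = 12      # Internet Observer: twelve user-defined subprotocols
MAX_PER_FRAME = 512   # Protocol Distribution: 512 definitions each for TCP, UDP and Frame


@dataclass(frozen=True)
class SubProtocol:
    name: str
    frame: str        # "TCP" or "UDP": the frame the port range applies to
    first_port: int
    last_port: int


def parse_definition(name, frame, first_hex, last_hex):
    """Turn the dialog's hex port fields into an inclusive integer range."""
    first, last = int(first_hex, 16), int(last_hex, 16)
    if not 0 <= first <= last <= 0xFFFF:
        raise ValueError(f"bad port range {first_hex}-{last_hex} for {name}")
    return SubProtocol(name, frame.upper(), first, last)


def build_table(definitions):
    """Enforce the documented limits before the table is used for matching."""
    if len(definitions) > MAX_DEFINED:
        raise ValueError(f"at most {MAX_DEFINED} subprotocols may be defined")
    per_frame = Counter(d.frame for d in definitions)
    if any(n > MAX_PER_FRAME for n in per_frame.values()):
        raise ValueError(f"at most {MAX_PER_FRAME} definitions per frame type")
    return list(definitions)


def classify(table, frame, src_port, dst_port):
    """First definition whose frame matches and whose range covers either
    port wins; anything else is reported as "Other"."""
    for d in table:
        if d.frame == frame and (
            d.first_port <= src_port <= d.last_port
            or d.first_port <= dst_port <= d.last_port
        ):
            return d.name
    return "Other"


def distribution(table, packets):
    """packets: iterable of (frame, src_port, dst_port).
    Returns {name: (count, percent_of_all_packets)}."""
    counts = Counter(classify(table, f, s, d) for f, s, d in packets)
    total = sum(counts.values())
    return {name: (n, 100.0 * n / total) for name, n in counts.items()}


# Constructed definitions: the hex fields as they would be typed in the dialog.
SAMPLE_TABLE = build_table([
    parse_definition("WWW", "TCP", "0050", "0050"),
    parse_definition("POP3", "TCP", "006E", "006E"),
    parse_definition("DNS", "UDP", "0035", "0035"),
])

# Constructed packets: (frame, source port, destination port).
SAMPLE_PACKETS = (
    [("TCP", 51000, 80)] * 5
    + [("TCP", 52000, 110)] * 2
    + [("UDP", 53000, 53)] * 2
    + [("TCP", 40000, 22)]          # no definition covers port 22 -> "Other"
)


def run_example():
    return distribution(SAMPLE_TABLE, SAMPLE_PACKETS)


if __name__ == "__main__":
    for name, (count, pct) in run_example().items():
        print(f"{name:6} {count:3} {pct:5.1f}%")
```

The “Other” share is the number worth watching in practice: traffic that matches none of the defined ranges is exactly what the manual calls unknown or misconfigured protocols, and a definition whose range only covers one side of a conversation will silently push the other direction into that bucket unless both ports are tested, as `classify` does.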
both). By examining historical information you can tell whether this is a chronic problem, which might indicate the need for a faster connection, or an acute problem, which might indicate a failure of some sort. Observer does this passively; therefore, the Access Point is not affected.
Available Views
• List and Dials View
• 3D Column Chart View
• Pie View
Settings
To use the Access Points Load Monitor you must first configure the mode.
List and Dials View
Dials provide a “heads-up” immediate display of packets/second, bits/second, and interface utilization.
Right-Click Menu
• Settings—displays the Settings dialog.
• Reset Column Widths—resets the columns to their original widths.
3D Column Chart View
Pie View
Chart and Pie View Display Properties
Data:
• “Maximum items” spinbox—allows you to select the maximum items to be displayed.
Graph:
• “3D depth” spinbox—allows you to select the 3D depth of the graph items.
• “3D angle” spinbox—allows you to select the 3D angle of the graph items.
Access Points Load Monitor
Shows wireless Access Points utilization rates. Available only when the current Probe (or Probe instance) is capturing packets from a wireless network interface. Note that for Observer to accurately assess utilization rates, you must enter the correct bandwidth speed (i.e., 54000000 for 802.11a/802.11g, or 11000000 for 802.
Settings
To use the Access Points Load Monitor you will need to first configure the mode. This is done by clicking the Settings button, which will then display the Access Points Load Monitor Setup dialog.
• Select a Router from the list (of stations). Do so by highlighting the station. This list is read from your address/alias list.
• “Router speed (Baud)” textbox—this is the device’s defined throughput (in other words, enter 54000000 for 802.11a/g access points, or 11000000 for 802.11b access points).
3D Column Chart View
Pie View
Chart and Pie View Display Properties
Data:
• “Maximum items” spinbox—allows you to select the maximum items to be displayed.
Graph:
• “3D depth” spinbox—allows you to select the 3D depth of the graph items.
• “3D angle” spinbox—allows you to select the 3D angle of the graph items.
Packet Size Distribution Statistics Mode
Shows statistics about the sizes of packets on your network.
• “Source” option button
• “Destination+Source” option button—in most cases, you will want to use the Destination+Source option.
• “Use current filter” checkbox—when checked, Observer will use the current filter when showing mode information. When not selected, Observer will display mode information on all stations, not using any filter.
Available Views
• List View
• 3D Column Chart View
• 3D Pie View
List View
By default, the stations listed are all the stations on your network.
Display Properties
Display properties can be set by selecting the right-click menu item or by clicking the Settings button. The Settings dialog offers configuration options for the components of the display.
• “Item” dropdown—allows you to select the item to be configured.
• “Item color” dropdown—lets you select the color of the item listed in the “Item” list.
Graph:
• “Bar height” spinbox—lets you configure the bar thickness in pixels.
• Find—displays the Find dialog.
• Settings—displays the Display Properties dialog.
3D Column Chart View
3D Pie View
Top Talkers Statistics Mode
Shows most active stations on your network, along with broadcast/multicast statistics.
Menu Path
Statistics->Top Talkers
Purpose
Top Talkers Statistics shows all stations on your network (subject to your filter criteria) and the Broadcast/Multicast statistics. This information provides detailed traffic flow statistics that can show a runaway station, a broadcast/multicast storm, or an unbalanced switch. If you are considering implementing a switch, this information can help divide stations effectively for your switch.
IP Properties Tab
• “Remove inactive IP address after (min)” spinbox—removes inactive IP addresses (IP addresses which have no packet flow activity) after the number of minutes entered in the dialog.
• “Maximum number of IP addresses” spinbox—allows you to set the maximum number of IP addresses that Observer will track.
• “Resolve IP addresses using DNS” checkbox—if you have DNS, Observer will attempt to resolve all IP addresses using their DNS name and display this resolution in the “DNS” column.
MAC Tab
The MAC view offers a display of stations by MAC address.
Display Properties
Display properties can be set by right-clicking on the display or by clicking the Settings button. The Settings dialog offers configuration options for the components of the display.
• “Item” dropdown—allows you to select which item will be configured.
• “Item color” dropdown—allows you to select the color of the main display item.
IP Tab
The IP view offers a display of stations by IP address. To begin collecting statistics, click the Settings button. The display shows Alias, IP address, and MAC address.
• The “%” field shows the percent of bandwidth utilization for that destination/source/total address. This is the percent of filtered bandwidth. If you would like to see the percent of total bandwidth that a particular address is using, you will need to set up an ANY_ADDRESS to and from ANY_ADDRESS filter, and no protocol filter.
• “Bar height” spinbox—allows you to select the bar height.
Wireless Types Tab (active for wireless analysis only)
This display shows the type of each station sensed in the air: whether it is a network station talking over the air to wireless stations, a wireless station, or an AP. For stations, it shows which APs they are using. For APs, it displays the Service Set Identifier (SSID) and whether WEP is enabled on that AP. It also displays Control, Data and Management totals per station.
• AP Used—The access point used by the system.
Wireless Speeds Tab (active for wireless analysis only)
This tab shows signal strength, quality, the overall rate and data rate, as well as the packet distributions for different rates. As with all of the statistical displays in Observer, you can configure the mode to display only the statistics that you are currently interested in by right-clicking on the column headers.
Statistic—Description:
• Alias—Alias of the Top Talker system, if one is available.
• Pkt 11—The number of packets captured at 11 Mbit/sec.
Wireless Latest Tab (active for wireless analysis only)
This tab shows the strength, quality, and speed of the wireless network, as seen at the last poll, as opposed to the other Top Talker displays, which present running averages.
Utilization History Mode
Displays long-term bandwidth utilization data and allows that data to be exported.
Once the Utilization History graph is displayed, it automatically begins capturing data. The display of the data will depend on how you have set up each item in the Display Properties dialog. There are three statistics that the display will keep track of: maximum, average, and minimum. Although data points are only shown for the time period set in the Display Properties dialog, data is collected and processed every second and then averaged over the configured time period (seconds/interval).
Display Properties
Display properties can be set by right-clicking on the display or by clicking the Settings button. The Settings dialog offers configuration options for the components of the display.
• “Item” dropdown—allows you to select which item will be configured.
• “Item color” dropdown—allows you to select the color of the main display item.
3D Column Chart View
3D Line Chart View
Dial View
The dial view of Utilization History provides a view of longer term information about your bandwidth utilization. The dial shows high, low, and average utilization over time.
Utilization Thermometer Mode
The Utilization Thermometer displays the current network bandwidth utilization as a percentage of the total theoretical network speed. Additionally, the thermometer shows a running one minute and five minute average. These averages are shown on the right of the bandwidth scale as round blue (1 minute) and red (5 minute) balls. Utilization Thermometer can be activated from the main window by selecting Statistics > Utilization Thermometer.
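The utilization arithmetic shared by Utilization History (per-second samples rolled up into maximum, average and minimum per seconds/interval), the Utilization Thermometer (current value plus running one and five minute averages) and the Access Points Load Monitor bandwidth settings (54000000 for 802.11a/g, 11000000 for 802.11b), as an added example in Python. This is not Network Instruments code; the 100 Mbit Ethernet speed used for the sample and the byte counts per second are constructed assumptions, and the running averages are plain arithmetic means over the last 60 and 300 samples.

```python
"""Bandwidth utilization as a percentage of theoretical link speed, in the
style of Observer's Utilization History and Utilization Thermometer modes.
Added example, not Network Instruments code; the link speeds other than the
manual's 802.11 values, and all byte samples, are constructed assumptions."""
from collections import deque

# Theoretical link speeds in bits per second. The 802.11 values are the ones the
# manual says to enter; 100 Mbit Ethernet is an assumed value for the sample.
LINK_SPEED_BPS = {
    "802.11a/g": 54_000_000,
    "802.11b": 11_000_000,
    "fast_ethernet": 100_000_000,
}


def utilization_pct(bytes_in_second, link_speed_bps):
    """Utilization of one 1-second sample as a percentage of theoretical speed."""
    if link_speed_bps <= 0:
        raise ValueError("link speed must be positive")
    return 100.0 * bytes_in_second * 8 / link_speed_bps


def interval_stats(samples, link_speed_bps, seconds_per_interval):
    """Utilization History: data is sampled every second, then each
    seconds/interval block is reported as max, average and min utilization.
    A trailing partial block is reported over the samples it has."""
    if seconds_per_interval < 1:
        raise ValueError("seconds/interval must be at least 1")
    out = []
    for i in range(0, len(samples), seconds_per_interval):
        chunk = [utilization_pct(b, link_speed_bps)
                 for b in samples[i:i + seconds_per_interval]]
        out.append({"max": max(chunk), "avg": sum(chunk) / len(chunk), "min": min(chunk)})
    return out


class Thermometer:
    """Utilization Thermometer: current value plus running 1 and 5 minute averages
    (the blue and red balls), kept as sliding windows of per-second samples."""

    def __init__(self, link_speed_bps):
        self.speed = link_speed_bps
        self.last_60 = deque(maxlen=60)
        self.last_300 = deque(maxlen=300)
        self.current = 0.0

    def push(self, bytes_in_second):
        self.current = utilization_pct(bytes_in_second, self.speed)
        self.last_60.append(self.current)
        self.last_300.append(self.current)
        return self.current

    def averages(self):
        """(1 minute average, 5 minute average); zero before any sample."""
        if not self.last_60:
            return 0.0, 0.0
        return (sum(self.last_60) / len(self.last_60),
                sum(self.last_300) / len(self.last_300))


# Constructed samples: bytes seen in each second on the 100 Mbit link.
SAMPLE_BYTES_PER_SECOND = [1_250_000, 2_500_000, 6_250_000, 0]   # 10%, 20%, 50%, 0%


def run_example():
    speed = LINK_SPEED_BPS["fast_ethernet"]
    history = interval_stats(SAMPLE_BYTES_PER_SECOND, speed, seconds_per_interval=2)
    therm = Thermometer(speed)
    for b in [1_250_000] * 70 + [6_250_000] * 10:   # 70 s at 10%, then 10 s at 50%
        therm.push(b)
    return history, therm.current, therm.averages()


if __name__ == "__main__":
    history, current, (avg1, avg5) = run_example()
    print("history:", history)
    print(f"current {current:.1f}%  1-min {avg1:.1f}%  5-min {avg5:.1f}%")
```

The two time scales behave differently by design: after a short burst the one minute ball moves noticeably while the five minute ball barely does, which is why the manual suggests the history and dial views for judging whether high utilization is chronic or acute. Entering the wrong link speed scales every percentage on the page, so the speed field is the first thing to check when a thermometer reading looks implausible.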
Setup Properties
To use Web Observer you will need to first configure the mode. This is done by clicking the Setup icon, which will then display the Web Observer Setup dialog.
• “Select a web server from the list” dropdown—allows you to select the server’s IP address, including alias and comment.
• “Remove inactive IP address after (min)” textbox—allows you to set how long to keep IP addresses on the table before assuming they are inactive.
List View
The Web Observer mode can be activated from the main window by selecting Statistics > Web Observer. The main display shows the Web server address. Should the server go down, the dial display turns into a broken connection display.
• In bytes—displays the number of bytes sent from the listed station to the specified Web server.
• Out packets—displays the number of packets sent to the listed station from the specified Web server.
• Out bytes—displays the number of bytes sent to the listed station from the specified Web server.
• Total packets—displays the total number of packets sent between the listed station and the specified Web server.
Right-Click Menu
• Start Packet Capture on station address(es)—activates the Filters dialog.
• Start Packet Capture on pair address(es)—activates the Filters dialog.
• Create Filter on station address(es)—activates the Filters dialog.
• Create Filter on pair address(es)—activates the Filters dialog.
• Find—displays the Find dialog.
• Setup—displays the Setup Properties dialog.
• Display Properties—displays the Display Properties dialog.
This mode is an all-purpose tool for maintaining performance and security on a WLAN that uses APs, showing you:
• Wireless stations that are connected to an AP
• Non-wired stations that they communicate with
• Levels of signal strength, quality, data transfer rates, and non-data transfer rates on each station on the access point
• AP traffic totals
For example, you can immediately see if there is a station connected to the wrong AP, or if an unauthorized AP has been installed.
• Associations—The number of associations (connection sessions) that have been established with this AP.
• Bytes—The total number of bytes seen.
• CRC—The total number of CRC errors reported by the AP.
• Retries—The total number of transmission retries reported by the AP.
• Station Polls—The total number of poll requests by station; a high number means that a station cannot connect to an AP. In the 802.11b protocol, a station first polls for an AP, then associates with a responding AP.
Right-click Menu
In Graph and List views, you can create a filter or start a packet capture on any listed station or AP. You can also search for stations, APs, or MAC address by choosing Find...
Wireless Site Survey
Scans selected wireless channels, displaying detailed activity on the WLAN by channel.
Menu Path
Statistics->Wireless Site Survey (only available when a supported wireless card and driver are installed.)
Purpose
The Wireless Site Survey displays activity by channels on your wireless network.
General Information Tab
This table summarizes essential information about what access points and stations are currently visible to wireless Observer.
Frame Type Tab
This table summarizes frame type totals for wireless data, management, and control packets.
Control Frames Tab
This table details control frames analyzed, including Power Save Polls, Requests to Send (RTS), Clear to Send (CTS), acknowledge (ACK), and CF (Contention Free) End packets.
Management Frames Tab
Displays detailed information about wireless management frames, including association requests and responses, reassociation requests and responses, ATIMs (Announcement Traffic Indication Message), and authentication/deauthentications.
Data Frames Tab
Displays detailed information about data frames on the wireless network.
Speeds Tab
Shows what stations are either transmitting (or receiving) wireless data at the various supported rates.
Signal Tab
Displays detailed statistics on wireless signal strength and quality, as well as data rates being used by stations and APs.
Channel Scan Tab
• Channel—Channel being tracked in this row of data.
• Avg Strength (%)—The average strength of the signal, expressed as a percentage of the optimum strength.
• Avg Quality (%)—The average signal-to-noise ratio of the signal, expressed as a percentage of the optimum.
• Avg Data Rate—The rate of data packets on the wireless network.
• Retries—Total number of retries reported on this channel.
• Min Quality—The poorest quality signal seen, expressed as a percentage of the optimum.
• Max Quality—The best quality signal seen, expressed as a percentage of the optimum.
• Latest Quality—The quality of the signal as seen at the last poll.
• Min Strength—The lowest strength signal seen, expressed as a percentage of the optimum.
• Max Strength—The highest strength signal seen, expressed as a percentage of the optimum.
Start the Triggers and Alarms mode by clicking the Start button. The initial Triggers and Alarms display shows the event log and the current trigger and alarm settings (the number of configured triggers). The Event Log can be saved by selecting File > Save Mode in Comma Delimited Format from Observer’s main menu. The event log can also be cleared by clicking the CLEAR icon.
Configuring Triggers and Alarms
1.
3. Once you have set which alarms you would like to activate, select the “Triggers” tab to configure the specific Alarm options.
4. A separate action can be defined for each alarm or a single action can be set for all alarms. The checkbox on the “Alarm List” tab defines which trigger setting options will be displayed on the “Triggers” tab. See “Trigger Settings” on page 150.
5. Click on the “Actions” tab to display the Actions Settings dialog. See “Fragmented IP Packets” on page 153.
the ten second time period, this 10 second time period is not considered as data for this trigger. This value ensures that the trigger will not be activated during a slow period of network activity when a particular device or station is broadcasting.
• “Averaging period” spinbox—allows you to set the amount of time, in seconds, that data will be collected and averaged before a value is considered for the trigger. Sampling is every second. Values for the averaging period can be from 1 to 100 (seconds).
This value ensures that the trigger will not be activated during a slow period of network activity when a particular device or station is broadcasting.
• “Averaging period (sec)” spinbox—the amount of time in seconds that data will be collected and averaged before a value is considered for the trigger. Sampling is every second. Values for the averaging period can be from 1 to 100 (seconds).
• “Use current filter profile” checkbox—when selected, allows you to use the current protocol filter.
Ethernet Frame Errors by Station This trigger activates when there is an Ethernet frame error by station observed. • “Hardware Address” dropdown—allows you to select the hardware address (station) that you want to trigger on. These addresses are read from the address table (see Filters section). • “Percentage of error packets (0.01%)” spinbox—allows you to define the percent of errors you want to trigger on.
the trigger. For example, if you set the minimum number of packets to 1000 and the averaging period to 10 seconds, then if less than 1000 packets are seen in the ten second time period, this 10 second time period is not considered as data for the trigger. This value ensures that the trigger will not be activated during a slow period of network activity when a particular device or station may be sending only a few fragmented packets, but they constitute a high percentage of the total.
• “Use current filter profile” checkbox—when selected, allows you to use the current protocol filter. Number of Packets This trigger is for the number of packets per time period. Typically, it is used to calculate the packets/second for a particular device (e.g., router or bridge). • “Number of packets (trigger level)” textbox—allows you to set the actual number of packets that are sent/received with respect to your current filter.
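The minimum-packets guard and the averaging period described above are easy to get wrong when re-implementing trigger logic in a collector or SIEM rule, so here is an added example (written for this guide, not code from Observer or Network Instruments) that evaluates a percentage trigger such as Fragmented IP Packets and a packets-per-second trigger such as Number of Packets over one-second samples. It assumes a tumbling window (each averaging period is evaluated once and then discarded) and treats a window with fewer than the minimum number of packets as not being data for the trigger at all; the traffic counts are constructed for the demonstration. The one_shot flag mirrors the “Disable this alarm after the first event” action option.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class WindowTrigger:
    """One trigger evaluated over 1-second samples.

    Samples are collected for `averaging_period` seconds and then evaluated
    as one window (a tumbling window is an assumption; the manual only says
    data is "collected and averaged before a value is considered").  A window
    whose total packet count is below `min_packets` is discarded without
    evaluation, so a few bad packets on a quiet segment cannot fire a
    percentage trigger.
    """
    level: float                 # percent ("percent" mode) or packets/sec ("rate" mode)
    averaging_period: int        # seconds per window, 1..100 in Observer
    min_packets: int = 0         # "Minimum number of packets" guard
    mode: str = "percent"        # "percent": matching/total*100 > level; "rate": total/period > level
    one_shot: bool = False       # "Disable this alarm after the first event"
    events: list = field(default_factory=list)
    _window: deque = field(default_factory=deque, repr=False)
    _disabled: bool = False

    def sample(self, second: int, total: int, matching: int = 0) -> bool:
        """Feed one second of counters; return True when the trigger fires."""
        if self._disabled:
            return False
        self._window.append((total, matching))
        if len(self._window) < self.averaging_period:
            return False
        total_sum = sum(t for t, _ in self._window)
        match_sum = sum(m for _, m in self._window)
        self._window.clear()
        if total_sum < self.min_packets:
            return False             # quiet period: window is not considered as data
        if self.mode == "percent":
            value = 100.0 * match_sum / total_sum if total_sum else 0.0
        else:
            value = total_sum / self.averaging_period
        if value > self.level:
            self.events.append((second, round(value, 2)))
            if self.one_shot:
                self._disabled = True
            return True
        return False


def demo() -> dict:
    """Constructed traffic: 10 quiet seconds with a high fragment ratio, then
    10 busy seconds with a lower ratio that is still above the 5% level."""
    frag = WindowTrigger(level=5.0, averaging_period=10, min_packets=1000)
    quiet = [(50, 10)] * 10      # 20% fragmented, but only 500 packets in the window
    busy = [(200, 20)] * 10      # 10% fragmented, 2000 packets in the window
    for sec, (total, match) in enumerate(quiet + busy, start=1):
        frag.sample(sec, total, match)

    # Number-of-packets trigger: packets/sec for a router at an 800 pps level,
    # one-shot so it fires once and then stays disabled.
    pps = WindowTrigger(level=800, averaging_period=5, mode="rate", one_shot=True)
    for sec in range(1, 31):
        pps.sample(sec, total=1000)
    return {"fragment_events": frag.events, "pps_events": pps.events}


if __name__ == "__main__":
    print(demo())
```

The quiet window is 20% fragmented but never reaches the evaluation step, which is exactly the behaviour the minimum-packets setting is meant to give; the busy window fires at 10%. The rate trigger fires once at second 5 and is then silent for the remaining 25 seconds.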
Sequence of Bytes at Offset This trigger allows you to set a trigger on a user-defined event. • “Sequence (hexadecimal)” textbox—allows you to set the actual packet information to look for. This is entered as hexadecimal codes. This sequence is non-byte swapped (i.e., network byte order). For example, if you define an offset-sequencing trigger to look for telnet packets (i.e.
• “Exclude hardware addresses” combo box—allows you to select a hardware address to exclude. • “Use current protocol filter” checkbox—when selected, allows you to use the current protocol filter. Utilization The Utilization setup dialog lets you set utilization thresholds that will trigger an action. • Utilization trigger level (%) spinbox—allows you to set the percentage of network bandwidth utilization which you select as the trigger.
• “Averaging period (sec)” spinbox—Specify how long to collect packets for calculating the average. • “Use current filter profile”—When checked, causes Observer to only look at traffic that falls within the current filter profile when calculating the trigger values. Wireless Frame Errors by Station This dialog lets you set up a trigger for Wireless Frame Errors by Station: • “Hardware address” spinbox—Specify a hardware address. Until you specify a hardware address, the trigger is not activated.
• “Modify Known AP” button—Launches a dialog from which you can provide a list of known Access Points. • “Use current filter profile”—When checked, causes Observer to only look at traffic that falls within the current filter profile when looking for an unknown AP. Actions Once a trigger condition is reached, Observer allows you to configure an action to take place. A number of different actions are possible. An action is independent of the actual trigger or alarm (i.e.
• “Print to the default Windows printer” checkbox—when selected, prompts Observer to print a trouble ticket to the default Windows printer. The trigger condition will be printed on the trouble ticket. • “Disable this alarm after the first event” checkbox—when selected, stops the Trigger/Alarm mode after the first occurrence of the trigger condition. • “Write to a file” checkbox—when selected, prompts Observer to write the current trigger condition to a specified file and activates the Setup button.
• WRITE THE WHOLE EVENT LOG option button—if selected, writes the whole event log. • “Use these settings for all alarms” checkbox—if selected, the same action settings are applied to every alarm. • “Send an email” checkbox—when selected, instructs Observer to send an email message as the action and activates the Setup button. You must set up the general email server information in the Options > Observer General Options > Email Notifications tab. See “Observer General Options – Email Notifications Tab” on page 79.
The Management Information Base, or MIB, for Observer’s traps is NETINSTMIB.MIB and will be found in the “Observer Files” directory. While this file is not needed in order to configure Observer to send an SNMP trap, it will be needed in order to configure the SNMP device or program receiving the trap, so that the receiver can decode Observer’s enterprise-specific trap objects. Clicking the SETUP button displays the Setup Send Trap Action dialog. • “Destination IP Address” textbox—allows you to set the IP address of the station to which the SNMP trap is to be sent.
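To show what the receiving station actually gets, here is an added example (written for this guide, not Observer code) that builds an SNMPv2c trap message by hand with BER encoding and sends it to UDP port 162. The two leading varbinds (sysUpTime.0 and snmpTrapOID.0) are the ones SNMPv2c requires in every trap; the enterprise number 9999 and the object under it are placeholders, not Observer’s real OIDs, which are defined in NETINSTMIB.MIB. One thing the bytes make obvious: with SNMPv1 and v2c the community string and the trap contents travel in cleartext, so anyone on the path between Observer and the trap receiver can read them.

```python
import socket

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"          # TimeTicks, mandatory first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # OBJECT IDENTIFIER, mandatory second varbind


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER (tag 0x02); tag 0x43 gives a TimeTicks instead."""
    if value < 0:
        raise ValueError("only non-negative values are needed here")
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(tag, body)


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError("invalid OID")
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def encode_trap_v2c(community: str, uptime_ticks: int, trap_oid: str,
                    varbinds=(), request_id: int = 1) -> bytes:
    """SNMPv2c message wrapping an SNMPv2-Trap-PDU (context tag [7] = 0xA7)."""
    vbs = [tlv(0x30, encode_oid(SYS_UPTIME) + encode_int(uptime_ticks, 0x43)),
           tlv(0x30, encode_oid(SNMP_TRAP_OID) + encode_oid(trap_oid))]
    for oid, value in varbinds:
        if isinstance(value, int):
            enc = encode_int(value)
        else:
            enc = tlv(0x04, value.encode() if isinstance(value, str) else value)
        vbs.append(tlv(0x30, encode_oid(oid) + enc))
    pdu = tlv(0xA7, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, b"".join(vbs)))
    # version 1 == SNMPv2c; the community string is a plain OCTET STRING
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)


def send_trap(message: bytes, destination: str, port: int = 162) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (destination, port))


if __name__ == "__main__":
    # placeholder enterprise 9999: an "utilization" trap with one text varbind
    msg = encode_trap_v2c("public", 12345, "1.3.6.1.4.1.9999.1",
                          [("1.3.6.1.4.1.9999.2.1.0", "utilization 82%")])
    print(msg.hex())
    # send_trap(msg, "192.0.2.10")   # destination from the Setup Send Trap Action dialog
```

Feeding the printed hex to any BER dumper shows the community string at byte offset 7 in the clear. The receiving manager only needs the MIB to turn the enterprise OIDs into names; the message itself is self-describing at the BER level.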
display shows aggregate errors for your ring. Should these aggregate errors indicate a problem, specific errors by station are available in the FDDI Errors by Station dialog, and complete SMT and MAC by station information is available in the FDDI SMT and MAC decodes found in Packet Capture and Decode. The error groups are Beacons, Error Count, Lost Count, and Not Copied. Beacons Beacons indicate that a card (or cards) cannot insert into the ring.
Purpose The Wireless Vital Signs mode shows current wireless activity mapped with current wireless error conditions on your WLAN. The Vital Signs mode displays a comprehensive snapshot of error conditions and of their criticality in the context of current WLAN activity. To pin down aggregate problems revealed by Wireless Vital Signs, go to Access Point Statistics, Top Talkers, and Errors by Station.
Dial View: In Dial View, vital signs are plotted against 4 axes, each representing one of the four protocol-defined bit rates. This allows you to see the relationships between: • Data Packets (packets with a payload) • Non-Data Packets (control, management, and beacon) • Errors of all types, broken down by type in the table to the right of the graph display. This lets you immediately see each statistic in its proper context.
Purpose The Network Summary’s browsable tree is a convenient place to find all the major statistical counts of bandwidth usage, size distribution, protocols and errors for your network. Available Views • List View (which displays the tree) List View: Saving and Replaying Saved Statistical Modes Observer allows all time-sensitive statistic displays to be saved and reloaded for later analysis.
Trending and Analysis Menu Network Trending Mode Network Trending Overview Observer’s Network Trending mode, in conjunction with the Network Trending Viewer, allows you to collect, store, view, and analyze the network traffic statistics over long periods of time. This will provide you with baseline comparison data, which is often essential in identifying and troubleshooting network performance problems. Network Trending also generates text reports about network conditions over specified time periods.
provides a more accurate statistical picture than a protocol analyzer that tries to process all incoming data. A protocol analyzer that tries to capture all incoming data will lose more packets during high traffic bursts and fewer in slower traffic periods, so its counts are skewed toward quiet periods. Network Trending manages these enormous amounts of data in the following ways: • First, it allows you to choose a sampling divider appropriate for your network.
Network Trending Network Trending is where Observer collects data for later viewing with the Network Trending Viewer. [Figure: Network Trending display, with callouts for the Dashboard display, the Dial display, the Network Trending progress bar, and the Internet Observer progress bar] Network Trending and the Dashboard The Dashboard display is combined with the Network Trending mode and Internet Observer Trending mode to supply a continuous heads-up display of the general network trends, Internet networking trends, and CPU conditions on the segment being monitored.
The Internet Observer Trending pane contains the following items: • Pairs—lists the number of station pairs on the network that have exchanged IP traffic during the present interval. • Packets—lists the number of IP packets sent on the network during the present interval. • Bytes—lists the number of bytes sent in IP packets on the network during the present interval. • Start time—displays the start time of the present interval. • End time—displays the end time of the present interval.
6. To start Network Trending, choose Trending/Analysis > Network Trending from the main Observer menu or click on the Start button on the toolbar. The Network Trending dialog will be displayed. 7. Click the Settings button to enter the Network Trending Settings dialog. See “Network Trending Setup” below. 8. Configure your collection parameters. 9. Click the Start button. Observer will begin to collect data.
• “Modify Network Trending and Internet Observer TCP/IP Subprotocols” button—click to display the List of IP SubProtocols dialog. The List of IP SubProtocols dialog displays the SubProtocols and allows you to add a new one, change an existing one, or delete an existing one. 1. To edit or add a protocol, click on the EDIT or ADD button. 2. The Add/Edit IP SubProtocol dialog is displayed. 3.
9. To delete the selected protocol, click on the YES button. To cancel the delete request, click on the NO button. Network Trending Setup – Data Collection Tab This setup allows you to select the days and times you wish to collect trending data. • “Run Network Trending continuously” checkbox—allows you to select to run Network Trending at all times Observer is running, even if it is not displayed.
data flowing on your network (when Network Trending uses a constant amount of disk space for each collection period). • “Week days” checkboxes—allow you to select the days trending data will be collected. Network Trending Setup – Data Transfer Tab The Data Transfer tab is only relevant when using a remote Probe to transfer data to Observer. • “Periodically transfer Trending data” checkbox—allows you to setup the Probe to transfer data according to the interval set.
• “Statistics collection interval” textbox—allows you to set the time period, in minutes, for which Network Trending will log data. Network Trending Setup – IP Trending Specific Tab The IP Trending Specific tab contains three checkboxes, permitting the user to choose which information to collect. Trending Information to Collect: • “Internet Patrol” checkbox—causes Network Trending to collect Internet Patrol information. • “IP Pairs” checkbox—causes Network Trending to collect IP Pairs information.
• View Probe data listing option button—when selected, allows you to view the Probe data listing. • Start Network Trending viewer option button—when selected, opens the Network Trending Viewer. The Network Trending Viewer is the facility where Network Trending and Internet Observer Trending data can be viewed and manipulated.
Network Trending data. Branches with a root entry ending in “(Internet)” contain Internet Observer data. Branches ending in “(Switch)” contain switch trending data. [Figure: calendar tree with Observer data, Internet data, and Switched data branches] Within the branch, the calendar tree displays each Probe’s trending data in a tree-format based on first the Probe, the month, the day, and then the station.
The Statistics Toolbar contains the following buttons in order from top to bottom: Stations activity time—displays when each station was first seen on the network and when it was last seen on the network. Top Talkers—displays each station’s total packets in and out, and each station’s total bytes in and out. Packet Size Distribution—displays the packet size distribution. Bandwidth Utilization—displays the bandwidth utilization (maximum, average, and minimum) for the selected day or days.
FDDI frame errors—this displays the frame errors as collected by the NDIS MAC driver. This data is analogous to the FDDI Network Vital Signs in Observer. When a station is selected on the calendar tree, you will see aggregate errors by station displayed in Observer. Token Ring errors (by type)—displays the Token Ring errors by severity type. This data is analogous to the Token Ring Errors by Station display in Observer.
Show data by time—shows data by time. List—shows data in list format. Line graph—shows data as a 2-D line graph (not available in all modes). Alternate columns—shows data as an alternate column graph. Separate columns—shows data as a separate column graph. Pie chart—shows data as a pie chart. Go to previous day—moves to the previous day’s trending information. Go to next day—moves to the next day’s trending information. Go to current day—moves to the current day’s trending information.
Refresh—refreshes the current display, reloading data from the hard drive, if necessary. Find—displays the Find dialog, enabling the user to search trending data for a given character string. The Options Toolbar (Internet Trending) When displaying Internet trending data, the Options Toolbar contains the following buttons, in order from left to right: Display Properties—display properties can be set by right-clicking on the display or by clicking the DISPLAY PROPERTIES button.
Compress—compresses a day’s or group of days’ data for disk storage efficiency. When data has been compressed, you must first decompress it in order to view it. Decompress—decompresses a day’s or group of days’ data. This is necessary in order to view compressed data. Create report—the create report dialog lets you specify reporting options.
Network Trending Viewer – Observer List View Network Trending Viewer – Observer Alternate Columns View
Network Trending Viewer – Observer Separate Columns View Network Trending Viewer – Pie Chart View
Network Trending Viewer – Internet List Internet Patrol View Network Trending Viewer – Internet List IP to IP Pairs (Matrix) View
Network Trending Viewer – Internet List IP Subprotocols WAN Delay Analysis WAN Delay Analysis compares both ends of a conversation from two probes. The conversation can be between two probes or between a probe and a local probe. WAN Delay Analysis determines packet connection pairs and measures the amount of delay between the packet pairs.
When you select the Connection Dynamics button, the following items are displayed in the Header bar: • File 1—displays the number of packets and connections analyzed for File 1. • File 2—displays the number of packets and connections analyzed for File 2. • WAN IP Connections—displays the number of WAN IP connections analyzed. • Status—displays the current status of the analysis.
WAN Analysis Setup Properties Captured Buffer Files to Analyze: • “File 1” and “File 2” textboxes—displays the captured buffer file you have selected; to edit this selection, you must click on the Choose Files button. • Choose Files button—displays the Open Files dialog. • “File 1” textbox—allows you to enter the first capture file buffer name you wish to compare. • “File 2” textbox—allows you to enter the second capture file buffer name you wish to compare.
• “Time Synchronization Window (mSec)” spinbox—allows you to set the maximum clock difference, in milliseconds, tolerated between the two captures when pairing packets. • “Maximum packets to analyze per connection” spinbox—allows you to select the maximum number of packets you want to analyze; only active if the “Enable” checkbox is selected. • “Enable” checkbox—allows you to limit the number of packets to be analyzed.
• Rename button—displays the Modify Profile Name dialog. Profile IP Map Values: • IP1—displays the IP address of the first probe you are capturing packets on. • IP2—displays the IP address of the second probe you are capturing packets on. • Add button—displays the IP Map dialog. • Delete button—allows you to delete an IP address. • Modify button—allows you to modify an IP address. • Swap All button—allows you to swap all IP addresses from the IP1 column to the IP2 column.
time, matched packets, direction of packets, dropped packets (will be displayed in red type), time of first packet, and time of last packet. IP Mapping Settings Right-Click Menu • Add—displays the IP Map Dialog. • Modify—displays the current IP addresses in the IP Map Dialog. • Delete—displays the Delete Confirmation dialog. • Swap—allows you to swap the highlighted addresses; the Swap Confirmation dialog will be displayed.
“Color” dropdown—allows you to select the color of the display item you have selected. Application Analysis Menu Path Trending/Analysis->Application Analysis Purpose Application Analysis lets you view detailed information about how a server is performing, giving you an accurate picture of the user’s experience of your network application, such as response time and failed requests.
Graph View Application Analysis Graph view shows you transactions: total, completed, and failed: Note that if you have chosen to Graph Specific Request in the Application Analysis Setup dialog, only the selected type of request will be reflected in the graph. List View List view shows transactions in more detail.
Settings You can change the display properties of the graph (its colors, scale, etc.) by clicking the Graph tab on the settings dialog, which you access by clicking the Settings menu: The Application Analysis setup tab lists the servers currently under analysis, letting you add, edit, or delete them.
By checking the Graph Specific Request box, you will limit the completed, failed, and total transactions statistics being graphed to the type of transaction selected from the list box that becomes active when you check the box.
The Tools Menu Discover Network Names Mode Captures network addresses and assigns them aliases. Menu Path Tools->Discover Network Names Purpose Discover Network Names mode captures all network addresses on the segment, stores them in the filter table, and assigns them aliases. You can assign a name to a network address or use the IP address, DNS name, NetWare login name, or Microsoft network login name. After storing the network names, you can use the stored names in all your queries.
List View 1. To start Discover Network Names, select Tools > Discover Network Names from the main Observer menu or click on the icon on the toolbar. 2. To start discovering network names, make your “Discover using” selection and click on the icon on the mode toolbar. Observer will begin to collect all of the active addresses on the network. Addresses will be added immediately as each station accesses the network or as each station is contacted (depending on which discovery mode you have chosen).
Add Alias 1. To add an alias, click on the Add Entry button. The Add Alias dialog will be displayed. 2. Select an Address Type. 3. Enter your Address, Alias, IP address, and any comments, then click on the OK button. Edit Alias 1. To edit an alias, click on the Edit Alias button. The Edit Alias dialog will be displayed. 2. Select an address type. Click on the Ethernet, Token Ring, or FDDI option button or the WAN button. Delete Alias 1. To delete an alias, click on the Delete Alias button.
Right-Click Menu • Start Packet Capture on station address(es)—activates the Filters dialog. • Start Packet Capture on pair address(es)—activates the Filters dialog. • Create Filter on station address(es)—activates the Filters dialog. • Create Filter on pair address(es)—activates the Filters dialog. • Find—displays the Find dialog. • Settings—displays the Settings dialog.
Right-Click Menu • Start Packet Capture on station address(es)—activates the Filters dialog. • Start Packet Capture on pair address(es)—activates the Filters dialog. • Create Filter on station address(es)—activates the Filters dialog. • Create Filter on pair address(es)—activates the Filters dialog. • Find—displays the Find dialog. • Settings—displays the Settings dialog. • Show Alias—displays the station’s alias name. • Show IP Address—displays the station’s IP address.
Click on the IP button to display the setup options. • “Replace aliases by newly discovered name” checkbox—allows you to replace any previously entered aliases with the newly discovered names. • “Local IP address” integer textbox—allows you to enter the IP address of your station. Local net range: • “First IP address” integer textbox—allows you to enter the first IP address in a range. • “Last IP address” integer textbox—allows you to enter the last IP address in a range.
• “Replace aliases by newly discovered name” checkbox—allows you to replace existing aliases with a newly discovered name. • Forget passwords button—tells Observer to forget your stored NetWare login password so that it must be re-entered the next time you resolve names; use it if the password should not remain stored on the Observer station. Msft (Microsoft) Configuration Observer is passively listening to packets in this mode and will only find the NetBIOS/NetBEUI names as they are broadcast on the network. Because these name announcements are not authenticated, any station can broadcast any name; treat discovered aliases as labels for the address table, not as proof of a station’s identity.
• an ASCII (text) file that contains line entries for each MAC Address entry (these files must have a .ali filename extension) The format of address entries in a .ali file is MACaddress, IP, alias where MACaddress is the MAC address, IP is the Internet Protocol dot address, and alias is the alias by which you want the system to be known. Note that entries are separated by commas.
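An added example (written for this guide, not Observer code) of a parser for the .ali format described above. It enforces the three-field MACaddress, IP, alias layout, accepts the common MAC spellings (colons, dashes, or no separators) and normalizes them, checks the IP as an IPv4 dotted address, reports duplicate MAC entries, and separately flags two stations that share an alias, which is the case that silently misleads a reader of the Top Talkers display. Skipping blank lines is this parser’s choice; the manual does not say how Observer treats them. The sample file content is constructed.

```python
import re
from ipaddress import IPv4Address

# Constructed sample .ali content: three good entries followed by four bad ones.
SAMPLE_ALI = """\
00-50-56-C0-00-08, 192.168.1.10, fileserver
00:0c:29:3e:1a:7b, 192.168.1.20, katie-pc
000C293E1A7C, 192.168.1.21, Fileserver
00:0c:29:3e:1a:7b, 192.168.1.99, duplicate-mac
00:0c:29:zz:1a:7d, 192.168.1.30, bad-mac
00:0c:29:3e:1a:7e, 192.168.300.1, bad-ip
00:0c:29:3e:1a:7f, 192.168.1.40
"""


def normalize_mac(text: str) -> str:
    """Accept 00-50-56-C0-00-08, 00:50:56:c0:00:08 or 005056C00008; return lower-case colon form."""
    hexdigits = re.sub(r"[:\-.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"bad MAC address {text!r}")
    return ":".join(hexdigits[i:i + 2].lower() for i in range(0, 12, 2))


def parse_ali(text: str):
    """Return ({mac: (ip, alias)}, [(line_number, problem), ...])."""
    table, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                                   # blank lines skipped (our choice)
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            errors.append((lineno, "expected MACaddress, IP, alias"))
            continue
        mac_text, ip_text, alias = fields
        try:
            mac = normalize_mac(mac_text)
            ip = str(IPv4Address(ip_text))             # "dot address" in the manual: IPv4
        except ValueError as exc:                      # AddressValueError is a ValueError
            errors.append((lineno, str(exc)))
            continue
        if not alias:
            errors.append((lineno, "empty alias"))
            continue
        if mac in table:
            errors.append((lineno, f"duplicate entry for {mac}"))
            continue
        table[mac] = (ip, alias)
    return table, errors


def alias_collisions(table: dict) -> dict:
    """Aliases (case-insensitively) claimed by more than one MAC address."""
    seen = {}
    for mac, (_, alias) in table.items():
        seen.setdefault(alias.lower(), []).append(mac)
    return {alias: macs for alias, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    entries, problems = parse_ali(SAMPLE_ALI)
    for mac, (ip, alias) in entries.items():
        print(f"{mac}  {ip:<15} {alias}")
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
    print("alias collisions:", alias_collisions(entries))
```

Run against the sample, the parser keeps three entries, reports lines 4 to 7, and points out that “fileserver” is claimed by two different MAC addresses.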
LocalAddressTable.adr, is stored in the LocalAddressTable directory under the Observer installation directory. 1. You can add a new address table by selecting Tools > Select Address Table for Local Observer or by clicking on the icon on the Observer toolbar. The Select Local Observer Address Table dialog will be displayed. 2. To create a new address table, click on the NEW button. The New Local Observer Address Table dialog will be displayed. 3.
Purpose Observer’s Ping/Trace Route permits the user to see if specific stations on an IP network are active and to trace a route from the Observer (or Probe) PC to a selected station. To open Ping/Trace Route, select Tools > Ping/Trace Route. • “Internet Address” textbox—allows you to specify the Internet address to ping, or the address to which the route will be traced. • Save button—allows you to save the present Internet address to the list of saved Internet addresses.
• “Packet size” dropdown—if the Ping option button is selected, this edit box selects the number of “ping” packets, or ICMP echo requests, that will be sent. When the Trace Route option button is selected, this option will not be activated. • Display Window—displays the results of the ping or trace. Replay Packet Buffer Allows you to generate traffic on the network from a previously saved capture file. Replayed packets carry whatever the capture contains, including the original source addresses and any payload such as credentials, so replay on an isolated test segment unless you intend to reproduce that traffic on the live network.
Main pane: • “Select buffer” textbox and button—allows you to enter the name of the buffer (.BFR) file to be transmitted. Enter the name and address of the file to be transmitted or click the Select buffer button to browse to it. • “First packet” textbox—allows you to set the number of the first packet in the buffer to be transmitted. • “Last packet” textbox—allows you to select the number of the last packet in the buffer to be transmitted.
SNMP MIB Editor See “The MIB Editor” on page 352. SNMP MIB Walker Lets you walk a MIB to determine what objects it contains. Menu Path Tools->SNMP MIB Walker Purpose The MIB Walker automatically browses through the hierarchy of an SNMP Management Information Base (MIB) and displays what objects it contains. To open SNMP MIB Walker, select Tools > SNMP MIB Walker. If this is the first time you have run the mode, the setup screen is displayed, which allows you to select and configure MIB Walker profiles:
• The “Choose existing SNMP devices...” button allows you to pick an SNMP device to create a MIB profile from a list of SNMP devices that have already been defined in or discovered by Observer. After you have a profile (or a number of profiles) defined, the SNMP MIB walker looks like this: 1. Select a MIB Walker profile. 2. By default, the initial OID for the walk will be 1.3.6.1.4.1 (the private enterprises subtree, under which each vendor registers its own objects).
Viewing the MIB Tree Selecting the View Tree button from the Walk Agent MIB dialog displays the Walk Agent MIB Tree Viewer. The Walk Agent MIB Tree Viewer displays the structure, although not the values, of the discovered MIB tree. Setting Values One of the main uses of the MIB Walker and the Walk Agent List Viewer is to permit you to explore the SNMP agent by setting values to see what effect different values have on the actual device and to be sure that objects are writable. An SNMP set requires the agent’s write community string (or an SNMPv3 user with write access) and changes the live configuration of the device, so try this on test equipment rather than on production switches and routers. 1.
Purpose Select this option from the Tools menu to view the MAC addresses of devices connected to switches on the network. The Switch Station Locator uses SNMP queries to determine the MAC addresses of all the stations attached to each switch that you set up. When you start the locator, you must first choose a switch to query. A dialog appears listing the currently configured switches: If this is the first time you have used the Switch Station Locator, you must configure a switch with the New Switch...
• “Community” text box—Enter the SNMP community string of the switch on which you want to locate stations. Note that this string is case sensitive; it is also the credential that grants read access to the switch, so protect it as you would a password. • “SNMP Version” dropdown box—Make sure that you match this entry to the version of SNMP running on the switch. • “Use Alias List” dropdown box—Choose either “no alias list” or a local Observer (or Remote Probe) alias lookup table to display the alias in addition to the MAC address for each station found.
• Port If Number—The SNMP interface index (ifIndex) of the switch port connected to the station. • Port Name—The name of the port connected to the station. • Address—The MAC address of the station. • Alias—The alias of the station, if you have chosen to use an alias list (see Setting Up and Selecting a Switch for the Locator above). You can sort the display by a particular field by clicking on the column heading for that field. You can select which fields you want to display by right-clicking on any of the column headings.
You can display the Traffic Generator dialog in Observer by selecting Tools > Traffic Generator. Header display • “Packet size” textbox—allows you to define the size of the packets that will be generated. Allowable values are from 64 (bytes) to 1514 for Ethernet and from 64 (bytes) to 4096 for Token Ring. • “Packets/sec” textbox—allows you to define the number of packets that Observer or the Probe will generate per second.
Traffic Generator Right-Click Menu • Set Destination Address—displays the Select Address dialog. • Set Source Address—displays the Select Address dialog. • Set Protocol Header—allows you to choose from one of the following: IP, IPX, or Default. • Edit Selection—allows you to edit your selection. • Load Packet From File—displays the Load Packet dialog. Enterprise Licensing Lets you activate and monitor enterprise licenses (if you have purchased such licensing).
you’ve entered the code, click Tools -> Enterprise Licensing to display the Enterprise Licensing dialog: • Identification—displays the Observer identification number. • License—displays the Observer license number. • Assigned to Probe—displays the Probe the license number and identification number are assigned to. • Add button—displays the Add/Edit Enterprise Probe License dialog. • “Identification” textbox—allows you to add an identification number.
Edit SNMP Switch Script File see “SNMP Scripts” on page 319. Define Protocols for Protocol Distribution Statistics See “Settings” on page 114. Import/Export Filters This option lets you save filters (See “Filter Setup for Selected Probe” on page 219.) that you have created with Filter Setup for Selected Probe... or load filter rules that have been sent to you by another Observer user. Each filter file can store multiple filters.
Switch Setup Dashboard see “Main Switch Dashboard – Switch Setup Tab” on page 309. Select Address Table for Local Observer see “Multiple Address Tables” on page 204. Filter Setup for Selected Probe Lets you filter which packets to capture by applying various criteria. Menu Path Tools->Filter Setup for Selected Probe Purpose Packet filtering lets you configure Observer to discard the packets you are not interested in so that you can focus on the traffic you are interested in.
The table below lists all the rule types and setup options. A setup dialog is displayed when you first create a rule; you can edit a rule by double-clicking its icon in the Filter Setup rule editor. Detailed setup descriptions follow the table. Rule Type Usage Specify a hardware or IP address or range of addresses for source and destination. You can also limit the rule to apply only to packets from particular source or destination ports.
Rule Type Usage Specify a WAN DLCI by number. Specify a WAN Port by number. Lets you filter for direction (DCE or DTE or both), and logically chain tests for forward congestion packets, backward congestion packets, and discard eligibility. Enter or select a hardware address that corresponds to the wireless Access Point you wish to capture traffic from. Select a wireless data rate, and whether you want to filter for packets traveling at, under, or over that rate.
Filtering by Address This rule lets you look at traffic by address or address pair. Setup options are described below: • Type—you can set the address by MAC, IP, or IPv6. • Range—you can filter for a single address or a range of addresses; enter or select the desired address or range of addresses, or select Any Address. • Direction—you can filter for packets sent or received by Address 1 and Address 2. • Port—if selected, allows you to filter by port in addition to address.
Filtering by Packet Length You can filter for packets that are less than, greater than, or equal to a given length in bytes (including CRC bytes). You can also filter for a range of values, entering the minimum and maximum length of packets that you want filtered.
Filtering for a Text, Hexadecimal, or Binary Pattern When defining a Pattern rule, you can enter a specific offset from the beginning of the packet header, or set a protocol header as the origin for determining the offset instead of the packet header. Choose ASCII, Hex, or Binary search. Choose whether to limit the search to a range, and enter the offset (and range). Enter the ASCII string, hex codes, or binary code strings that you want to search for.
Filtering by Port Filtering by port is useful in many different troubleshooting and security monitoring Choose IP-TCP, IP-UDP, or IPX. Select a port or range of ports to filter for. Select what direction you want to filter for. If the “other port” option is left unchecked, Observer filters for packets to or from any port to the given port. By checking the “other port” box, you can specify a second port, allowing you to filter for traffic between specific source and destination ports in both directions.
Filtering by WAN DLCI If you have deployed one of Network Instruments WAN Probes or Systems (or you are post-filtering a packet capture obtained from such a setup), you can filter by DLCI number. Filtering by WAN Port If you have deployed one of Network Instruments WAN Probes or Systems (or you are post-filtering a packet capture obtained from such a setup), you can filter by WAN Port number.
Filtering by Wireless Access Point, Data Rate, and Signal Strength Observer includes filter rules useful for 802.11a/b/g wireless analysis, letting you filter for an access point, particular data rates and ranges of data rates, and signal strength. Simple Filters (Single-rule filters) In most cases a single-rule filter is all you need. For example, suppose user Katie is having access and performance problems with the web server.
Here’s how to create a simple, one-rule filter to capture that traffic: 1. Choose Filter setup for selected Probe from the Tools menu. The Filter Editor screen is displayed, showing a blank address rule (i.e., a rule that captures all traffic on the network): 2. Select the rule by clicking on it. Note the selection color change. Right-click the rule and choose the Edit Filter... option. In the example, we have named the filter Katie<->Web Server. 3.
4. Choose IP as the address Type, and Single address as the range for both address 1 and address 2. Select (or enter) the IP addresses of the devices you are interested in monitoring from the Address drop-down list. Set the direction arrow to capture packets going both directions. Click OK to save the rule changes and close the setup dialog. The Rule Editor should now look something like this: 5. Click OK to save the filter. Changing a Rule Type (Edit as...
view, you can right-click to set a filter or direct a filtered capture from that station. You can set a pattern filter by right clicking on the hex pane of the decode window. From the Expert TCP and UDP Events displays, Observer Expert and Suite users can auto-create a “conversation filter” (i.e. an address and port filter) by right-clicking an event.
programmed to send mail whenever the honeypot receives packets on ports 23 or 80 from a system outside of your network. To verify the operation of your IDS, you would want to capture any relevant traffic touching the honeypot, as well as any email traffic coming from the IDS. You are not interested in filtering the honeypot for email traffic, nor are you interested in filtering the IDS traffic for port numbers.
From the Multiple Filters Selection dialog, you can:

• Select which filters to apply by clicking the checkboxes.
• Edit and Delete filters by selecting them and using the button controls.
• Add a new filter, which displays the filter rule editor for the new filter.

Double-clicking on a filter brings you directly to the rule editor. Besides giving descriptive names to filters, you can also set the display color of each filter in the list by right-clicking and choosing Set Color...
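The filter semantics described in this section (an address rule such as the Katie<->Web Server example, a port rule with and without the “other port” option, and several filters selected at once for the honeypot/IDS scenario) are modelled below as an added example. It is not Observer code: rule and packet representations, the address and port values, and the "exclude" flag used to express “from a system outside of your network” are all constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A captured packet reduced to the fields that address and port rules examine
# (constructed representation, not Observer's capture format).
Packet = namedtuple("Packet", "src dst proto sport dport")


def _in(addr, spec):
    """True if addr falls in spec; spec None means 'any address'."""
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def address_rule(addr1, addr2, direction="both", exclude=False):
    """Address rule: addr1/addr2 are single IPs, CIDR ranges, or None for any.
    direction 'both' matches either way, '1to2' only addr1 -> addr2.
    exclude=True inverts the rule (hypothetical flag used here to express
    'source outside the local network')."""
    def match(pkt):
        fwd = _in(pkt.src, addr1) and _in(pkt.dst, addr2)
        rev = _in(pkt.src, addr2) and _in(pkt.dst, addr1)
        hit = fwd or (direction == "both" and rev)
        return not hit if exclude else hit
    return match


def port_rule(proto, ports, direction="both", other_port=None):
    """Port rule: 'ports' is any container supporting 'in' (a set of ports or
    a range). Without other_port, any port to/from the given port matches;
    with other_port, only traffic between the two given ports matches.
    direction: 'both', 'to' (given port is destination) or 'from'."""
    def match(pkt):
        if pkt.proto != proto:
            return False
        if other_port is None:
            fwd, rev = pkt.dport in ports, pkt.sport in ports
        else:
            fwd = pkt.dport in ports and pkt.sport == other_port
            rev = pkt.sport in ports and pkt.dport == other_port
        if direction == "to":
            return fwd
        if direction == "from":
            return rev
        return fwd or rev
    return match


def apply_filters(packets, filters, selected):
    """Multiple Filters Selection: a packet is kept when ANY selected filter
    matches, and a filter matches when ALL of its rules match."""
    active = [rules for name, rules in filters.items() if name in selected]
    return [p for p in packets
            if any(all(rule(p) for rule in rules) for rules in active)]


# Constructed addresses for the two scenarios in the text.
LOCAL_NET = "10.1.0.0/16"
KATIE, WEB = "10.1.1.50", "10.1.1.10"
HONEYPOT, IDS, MAIL = "10.1.1.99", "10.1.1.5", "10.1.1.25"

FILTERS = {
    # The simple one-rule filter: Katie <-> Web Server, both directions.
    "Katie<->Web Server": [address_rule(KATIE, WEB)],
    # Honeypot: TCP to port 23 or 80 on the honeypot, source not on the local network.
    "Honeypot": [address_rule(None, HONEYPOT, direction="1to2"),
                 address_rule(LOCAL_NET, None, direction="1to2", exclude=True),
                 port_rule("TCP", {23, 80}, direction="to")],
    # IDS mail: anything the IDS sends to a mail port (no port filter on the honeypot).
    "IDS mail": [address_rule(IDS, None, direction="1to2"),
                 port_rule("TCP", {25}, direction="to")],
}

# Constructed sample capture.
PACKETS = [
    Packet(KATIE, WEB, "TCP", 51234, 80),                # Katie -> web server
    Packet(WEB, KATIE, "TCP", 80, 51234),                # web server -> Katie
    Packet("203.0.113.7", HONEYPOT, "TCP", 40000, 23),   # outside host -> honeypot telnet
    Packet("10.1.1.20", HONEYPOT, "TCP", 40001, 80),     # inside host -> honeypot (not wanted)
    Packet("203.0.113.7", HONEYPOT, "TCP", 40002, 443),  # outside host -> honeypot, other port
    Packet(IDS, MAIL, "TCP", 33000, 25),                 # IDS alert mail
    Packet(IDS, HONEYPOT, "TCP", 33001, 80),             # IDS probing honeypot (not wanted)
    Packet(MAIL, IDS, "TCP", 25, 33000),                 # mail server reply (not wanted)
]

if __name__ == "__main__":
    for name in ({"Katie<->Web Server"}, {"Honeypot", "IDS mail"}):
        print(sorted(name), apply_filters(PACKETS, FILTERS, name))
```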
The Options Menu

Observer General Options

The Observer General Options dialog allows you to select the general settings for Observer. These include general configuration options, email options, pager options, and SNMP options (if you have purchased Observer Suite). Default options are described in this manual; your views may vary based on the settings you apply. Select Options > Observer General Options. The General Tab dialog will be displayed.
• The Disable Observer features options let you choose to disable selected Observer features for bandwidth, processor, or security reasons. You can choose to:
  - disable the Expert Analysis portion of the Packet Capture mode.
  - disable the local internal Probe, i.e., make the system a remote console only.
  - disable DNS name resolution, in all modes that would otherwise show DNS names.
Observer General Options–Notifications Tab

The Notifications tab lets you set up the page and email services that Observer uses to contact the administrator when the criteria set in Triggers and Alarms have been met (see “Triggers and Alarms Mode” on page 148).

Paging Server Settings

Observer’s paging interface is a complete messaging system for sending alarms to pagers and cell phones using a modem or Internet connection to a pager service carrier.
• Server IP address—IP address of the pager service provider.
• Port number—port number of the pager service provider.

For Protocol-Based Paging Services (TAP or UCP)

• PIN (destination)—provided by your pager service provider.
• Login ID, if any—provided by your pager service provider.
• Password, if any—provided by your pager service provider.
• Message type—alphanumeric (sends numbers and letters to a pager), numeric (generates only numbers), and tone (messages transmitted via tone).
Configuring Your Paging Service

You may have to modify some settings in order to adapt to the local environment. It will be necessary to choose among the provided services or install a new paging service and substitute the local pager access number, if any, for the supplied one.

1. Select the Default pager configuration from the dropdown menu. If your pager is not on the list, click on the NEW button. The Paging Service Properties dialog will be displayed.
dialing: Observer will dial only the numbers and pause for approximately one-half second for each comma character.
5. Select a Service protocol from the dropdown list. Observer supports four different pager service protocols: TAP, UCP, SNPP, and Voice. Selecting the appropriate service protocol and clicking the CONFIGURE button enables the user to enter service-specific configuration data. Each protocol displays a different set of options that need to be set.
Configure TAP Settings

TAP (Telecator Alphanumeric Protocol) is a messaging industry standard protocol for sending message requests from automated equipment. TAP is the most common protocol used in the United States.

• “PIN (destination)” textbox—enter the PIN of the page destination. Usually, this will be the recipient’s pager number, but some service providers will require you to prefix or postfix additional numbers to it.
• “Password (if any)” textbox—enter the password for the paging service.
• “Use error control” checkbox—allows you to select whether or not the modem’s error control features will be enabled.
• “Data bits” dropdown—allows you to select the number of data bits to be used in communicating with the modem.
• “Parity” dropdown—allows you to select the parity to be used in communicating with the modem.
• “Stop bits” dropdown—allows you to select the number of stop bits to be used in communicating with the modem.
• “Modem line” dropdown—allows you to select from among the currently defined modem devices. These devices are from those defined for the system in the Windows Control Panel.

The following settings depend on the configuration required by the paging service provider and should be provided by them. If in doubt, try the default settings first.

• “Connection speed” dropdown—allows you to select the connection speed of the modem to the service provider.
Advanced Pager Settings

1. Check the “Apply advanced pager settings” checkbox and click on the ADVANCED button to display the Advanced Pager Settings dialog.
2. Right-click on a pager item to display the Advanced Pager Settings options.
3. Click on “Edit pager” or “Insert pager” to display the Edit Pager Entry dialog.
4. Select your start time from the “Start” spinbox.
5. Select your end time from the “End” spinbox.
6.
Pager Service Tray Icon

When Observer is launched, the icon is displayed in the Windows tray. You can right-click on the icon to display a menu, or you can double-click on the icon to display the About Paging Server dialog. The items on the menu are not listed in the same order as in the dialog, but contain the same information.

• “Disable message (page) delivery” checkbox—checking this box disables the sending of pager messages; clearing this box enables messages to be sent.
Paging Server Settings

The Paging Server Settings dialog contains the following items:

• “Wait for service connection” (seconds) spinbox—allows you to set the time to wait for a service connection.
• “Retry delay” (seconds) spinbox—allows you to set the interval between attempts to send a pager message.
• “Number of retries” spinbox—allows you to set the number of times to retry sending a failed pager message. When the pager message is successfully sent, further retries are aborted.
• Refresh event list button—clears the event list.

Send Page

The primary use of Send Page is to enable the user to test the paging service without creating an error event to trigger a page. It also can be used simply as a convenient way to send a pager message from the Windows desktop.

• “Select paging service” dropdown—allows you to select your paging service.
• “Type message” textbox—allows you to type a test message.
Observer General Options – SNMP Tab

This tab will not be active unless you have purchased a licensed copy of Observer Suite. After installation, the SNMP Management Console will generally require little, if any, configuration before it can be used.

• “Compiled MIB folder” textbox—allows you to define the path to the directory where SNMP Management Console should look for compiled MIB files. The default is “C:\Observer Files\SNMP.
SNMPv1 is, in practice, by far the most commonly used standard; very few agents support SNMPv2.

• “Repeat alarm notifications” spinbox—allows you to select the number of times that Observer should send out SNMP-related alarms when the alarm has been triggered.
• “Repeat trap notifications” spinbox—allows you to select how many times to repeat trap notifications.
Observer General Options – Trending Tab

• “Network Trending Folder”—sets the location for Observer to store Network Trending data.
• “SNMP Trending Folder”—sets the location for Observer Suite to store SNMP Trending data.
• “Write SNMP Trending data to disk every x minutes” spinbox—allows you to set the number of minutes the system will wait before writing logs to disk.
• which Observer console (local or remote) to direct the data to.

Creating a Probe Instance

To set up a Probe Instance, follow these steps:

1. Click the Adapters and Redirection tab to display the current list of instances:
2. Click New Instance... to begin the Instance wizard, which steps you through naming and setup of the new instance:
3. Select an instance ID, then name and describe the instance you are creating. Click Next... when you are finished.
The Memory Configuration dialog is displayed:

4. Select an appropriate Capture Buffer size given the local system’s available memory and how much traffic you plan on capturing from the given network. Statistical reporting uses different memory, and much less of it. Although it is possible to customize the amounts of memory used by Observer’s various statistical displays (by checking the Use Advanced Statistics Memory Configuration option), for most situations the defaults will work perfectly well.
The Probe Adapters and Redirection tab will now list the new Probe instance:

Configuring User Accounts for Secure Access

If you wish to restrict access to packet captures and reporting provided by a Probe instance, you can define security attributes of the local Probe by clicking the Security tab: The example above shows the Security tab as it appears when the Probe Instances button in the upper left corner of the display is selected.
To display security information by user account, press the User Account button to the left of the Probe Instances button. This lets you see what permissions the currently selected user has on each instance of the Probe. When displaying a user account’s permissions as above, you can fine-tune the permissions that user has on each instance by clicking on the Permissions checkboxes to select or deselect the particular option.
Permission | Explanation
Internet Patrol | User is allowed to run Internet Patrol on the Probe’s network.

Creating or Editing a User Account

To create a new account click New User Account; to edit an existing account, select the account and click Edit User Account. These options are also available on the right-click menu.
Check the desired options and click OK. When you grant this account access to another Probe instance, the permissions will be automatically set to match what you have selected here. You also will be able to reset this user’s permission to these values on any Probe instance by right-clicking the account or instance and choosing the Reset User Account Permissions option from the popup menu.
Right-click any instance and select Edit Probe Instance... to access the memory allocation dialog: This dialog lets you select the Capture buffer size, as well as letting you pick from a number of Statistics memory “presets” (Regular, Large, and Extra Large). If you want finer control over the statistics memory allocation, check the Use Advanced Statistics Memory Configuration option, which lets you select from a number of statistics memory presets that you can define and edit yourself. Clicking New...
Enter a descriptive name for the custom memory configuration and, if desired, select a previous configuration as a model for the new configuration. Click Next> to display the second setup dialog: By clicking on one of the Network Types buttons, you can view and change the number of entries allocated for each statistical type. An entry is a record of the given statistic; for example, a Top Talker entry consists of a station, while for errors an entry would consist of an error listing.
reserves its memory from Windows upon startup so that no other applications can use it and cause the buffer to be swapped out to disk. Although the default amount of total reserved memory should work perfectly in most situations, you can change it.
Edit Probe Entry Tab

• “Name” textbox—displays the name of the Probe. Note: The Local Probe title, address, and comment cannot be edited.
• “IP address” textbox—displays the IP address of the Probe system.
• “Comment” textbox—displays the comments shown in the Probes area.

Timing:

• “Communication timeout (sec)” textbox—allows you to define how long Observer will wait for the Probe to communicate before it assumes the connection is lost. Values are from 2 to 60 seconds.
Note: When switching from Advanced to Switched mode, you must configure Observer for switched operation. Details on how this is done are found in the “Switch Configuration” section of this manual.

Probe Parameters Tab

• “Network type”—displays the Probe’s network topology. Possible topologies include Ethernet, Token Ring, FDDI, and Dialup.
• “Network speed”—displays the network speed.
• “Maximum capture buffer (MB)”—displays the maximum capture buffer Observer will allow you to configure. Observer has no limitations on the amount of RAM that can be used for a buffer. The maximum allowable buffer size is displayed in the Options > Selected Probe or SNMP Device Properties > Probe Parameters tab. The following formula is used to calculate the maximum allowable buffer:

For Observer: Maximum Buffer Size = (Total Physical Memory - 18 MB) * 0.4. The total amount allocated cannot exceed 100 MB.
Wireless 802.11a/b Tab

This tab is available if the currently selected Probe is an 802.11b wireless device. Note that if your wireless network is configured for WEP, you must activate WEP and enter the WEP key(s) in the Edit WEP Keys dialog in Observer, which is described below in this section.

• “Site Profiles”—allows you to save and retrieve wireless parameters, rather than rekeying the parameters every time you change sites.
• “Monitor Traffic By”—the method to monitor traffic.
• Primary Antenna Only—If you are not using the standard snap-on antenna, choose this option if the antenna you are using is connected to the primary antenna port (see your NIC manual for details).
• Secondary Antenna Only—If you are not using the standard snap-on antenna, choose this option if the antenna you are using is connected to the secondary antenna port (see your NIC manual for details).

Web Reporting Configuration

See “Configuring Web Publishing Service” on page 396.
Actions Menu

Redirecting Probes

When using Observer with a Probe you can redirect a Probe from one Observer console to another, or from another to the local Observer console. To display the redirection dialog, from the main Observer menu select Actions > Redirect Probe. Once you connect to the selected Probe, you can choose to redirect it to the local Observer console or to another Observer station. Probe redirection can be password protected. The password is set on the Probe, from the Options > Probe Options dialog.
RMON Probe Configuration – Edit Probe Entry Tab

This section provides Observer with the basic RMON Probe connection and timing values.

• “Name” textbox—allows you to specify a name that will be listed for the Probe on the list of Probes in Observer.
• “IP address” textbox—allows you to enter the IP address of the RMON Probe.
• “Comment” textbox—allows you to enter any comment that might help identify the Probe. This information will be displayed in the Observer list of Probes.
• “Vital signs report (refresh) period (10-600 sec)” textbox—allows you to define the number of seconds between refreshes of the vital signs mode.
• Connect to Probe button—allows you to connect to the RMON Probe.
• Reboot Probe button—allows you to reboot the RMON Probe.
• Connection display—displays the connection status of the RMON Probe.
• “Log SNMP packets to Trace window” checkbox—when selected, logs SNMP packets.
• “Network type” display—allows you to view the network type the Probe is monitoring.
• “Network speed” display—allows you to view the speed of the network as reported by the Probe.
• “Hardware address” display—allows you to view the hardware address of the Probe interface.

RMON Conformance Tab

• “RMON1 Supported” display—allows you to view if RMON1 is supported by the Probe. This determination is made by querying the first 10 RMON table entries.
Trap Destinations Tab

This tab lets you define the SNMP management systems that will receive traps. To add a manager to the list, click the Add... button. Both the Add and Edit dialogs let you enter the IP address of the manager you wish to define as a trap destination, as well as its community string and port number. The Refresh button causes Observer to query the RMON probe and forward any trap conditions to the management systems listed in the dialog.
Real-Time Expert Overview

Real-Time Expert incorporates all of the features of Observer and adds Observer’s Expert system to help identify problems and help determine the best course of action. With Real-Time Expert you can get real-time and post-capture expert event identification, expert analysis, and modeling of network traffic data. Real-Time Expert has multiple views to help identify different network problems.

• Expert Summary problem analysis—shows all error events in a single, concise display.
identification. Should a particular packet require further investigation, its decode is only a click away.
• Server Analysis—displays a server/device's characteristics and response times charted against the number of simultaneous requests asked of that device. Response times are charted for recorded request sets and plotted for predicted response times as request loads increase.
You may also view the Expert Thresholds (OSI Model) display by clicking the button.

[Figure: Expert Thresholds (OSI Model) display, showing the EDIT PROFILES and SET DEFAULTS buttons]

Expert Thresholds define what parameters are used when determining if a particular event is a problem or not. Thresholds are set for all Expert events, and for some events, more than one threshold is set. For example, for TCP Bad Checksums, only the number of frames during the entire capture process is set.
1. Click the Edit Expert Profile button to begin the process. This will display the Edit Expert Profile dialog.
2. To create a new profile, click on the Create New button. The Create New Expert Profile dialog will be displayed.
3. When you create a new profile, you may base your new profile on an existing profile. This will populate the new profile with values from the “Based on” profile.
4. To rename an existing profile, highlight the profile and then click on the Rename button.
Data Link Tab

• Broadcast Storm—triggers on the number of broadcast frames per second.
• Ethernet Alignment—frames with alignment errors per second.
• Ethernet CRC—frames with CRC errors per second.
• Ethernet Frame Too Long—frames with jabber errors per second.
• Ethernet Frame Too Small—frames with runt errors per second.
• FDDI Beacons—beacons present on the ring (total).
• FDDI Error Count—error count total per minute.
• FDDI Lost Count—frames reported lost per minute.
• Token Ring Beacons—number of beacons present on the ring.
• Token Ring Burst Errors—burst error reports per minute.
• Token Ring Frame Copied Errors—frame copied error reports per minute.
• Token Ring Frequency Errors—frequency error reports per minute.
• Token Ring Internal Errors—internal error reports per minute.
• Token Ring Line Errors—line error reports per minute.
• Token Ring Lost Frame Errors—lost frame error reports per minute.
Network Tab

• ICMP Echo Requests—the maximum number of ICMP echo requests (pings) per workstation per second.
• ICMP Problems—enables the tracking and recording of ICMP error messages. When checked, Real-Time Expert will identify ICMP error messages both in the Expert Summary and in the ICMP Events section. When not checked, ICMP events are ignored.
• IP Bad Checksum—counts frames with bad IP checksums. The value is the packets per station for the entire capture or capture period.
Transport Tab

• IPX Busy—percentage of server busy replies.
• IPX Retransmissions—percentage of IPX retransmissions.
• NETBIOS Retransmissions—percentage of NETBIOS retransmissions.
• TCP Bad Checksum—the count of frames with bad TCP checksum. This is a total for the entire capture or period.
• TCP Retransmissions—percent of TCP retransmissions. Values are required for marginal and critical, as well as for the local network and WAN/Internet traffic. Values can be set from 0.1% to 100%.
Session Tab

Session data is compiled for all data associated with a particular port-based conversation. This includes all data packets, acks, etc. This differs from the Presentation/Application Expert events, where server application processing times are tracked.

• DNS Session Delays—defines the session response time delay for DNS (UDP) that is considered marginal and critical. Values are required for both the local network and Internet/WAN.
the local network and Internet/WAN and for initial connection (slow connect) as well as for ongoing communications (slow response).
• IPX SMB Session Delays—defines the session response time delay for IPX Server Message Block packets that is considered marginal and critical.
Values are required for the local network and Internet/WAN, and for ongoing communications (slow response).
• TCP SYN Requests—the number of SYN frames seen per second.
• Telnet Session Delays—defines the session response time delay for Telnet that is considered marginal and critical. Values are required for the local network and Internet/WAN, and for initial connection (slow connect) as well as for ongoing communications (slow response).
• LPD Application Processing Time—defines the application processing time delay for LPD that is considered marginal and critical.
• NetBIOS Application Processing Time—defines the application processing time delay for NetBIOS that is considered marginal and critical.
• NFS Application Processing Time—defines the application processing time delay for NFS that is considered marginal and critical.
Using Real-Time Expert

Real-Time Expert analyzes all captured packets and each captured packet’s contents in order to identify problems.

[Figure: Real-Time Expert display, with callouts for the Packets processed display header, the Expert button bar, and the Expert Analysis pane]

Functional Overview

There are a number of ways to approach a network problem with Real-Time Expert. As with any network problem, you should first determine if you can reproduce the problem.
• Expert Summary—a collection of critical events from the various Expert Events sections, as well as a display of non-TCP based events (e.g., a CRC or alignment error).
• Expert Events—break down the IP conversations into subprotocol groups of TCP, UDP, and ICMP. In the case of TCP and UDP, the conversations are further broken down by application. Each conversation is graded based on a user-defined threshold for a number of conditions.
If the amount of RAM available for the Observer buffer is not large enough to capture the event in question, or not large enough for the amount of time required to view the conditions in question, you should set Observer to capture using a circular buffer. In this case, Observer will capture packets until the buffer is full and then add new packets to the buffer while removing the oldest packets.
Number of Expert list entries to keep:

• “TCP conditions and events” textbox—defines the number of TCP items that will be tracked. An item is defined as a conversation on a particular port. Note that if you compact multi-port conversations into a single conversation (set in the TCP/IP tab), the number of items does not change. A higher value will result in more system memory usage; a lower value will use less memory. The default value is 1000.
Expert Global Settings – IP Range Tab

These items define how Real-Time Expert identifies which conversations are local (network) and which conversations are from the WAN or Internet.

• Auto-determine local IP subnets option button—when selected, Observer will (attempt to) automatically determine the local subnet. This is done by identifying your local adapter and using the configured IP address and subnet mask.
Expert Global Settings – TCP/IP Tab

These items define how IP conversations will be identified.

Compact multiport connections to a single connection for:

• “TCP subprotocols” checkbox—when selected, multi-port conversations (for the same pair) will be shown as one conversation. In this case, each port-based Expert event for the conversation pair will be summed and displayed as a total (of all items) seen on all ports for that conversation.
would be as many separate conversations recorded for the Real-Time Expert system as there are IP addresses collected. It is possible to not have “other” (non-DNS) conversations shown separately, but to still have the DNS compacted.) Expert Global Settings – Time Interval Analysis Tab This setup dialog defines the time interval for the Time Interval Analysis.
Expert Global Settings – What-If Analysis Tab

This dialog sets the default items for the What-If Analysis display.

Graph Settings:

• “Full Duplex Send & Half Duplex Color” dropdown—allows you to define the color of the graph line for sent data. For full duplex, this is only the “send” color. For standard networks (half duplex), this defines both “send” and “receive” colors.
• “Server” spinbox—allows you to set the default server processing time. Server processing time is the amount of time the server requires (on average) to process a request and to respond.

Server Characteristics:

• “Start thread time (ms)” spinbox—allows you to set the amount of time it takes to process a thread on the server. This is only taken into account when the Server Type item (selected in the What-If display) is defined as “Web.”
Expert Button Bar

The Expert button bar has three sections: Summary, Expert Data, and Analysis.

[Figure: Expert button bar, with callouts for the Summary, Expert Data, and Analysis buttons]

The Summary and Expert Data sections can be accessed by selecting either the SUMMARY or EXPERT DATA buttons. Within the Expert Data buttons, there are options for TCP Events, UDP Events, and ICMP Events. Additionally, you may “drill-down” from the Summary section to any of the Expert Data sections by double-clicking on the identified problem.
The Summary is typically the first place to begin using the Expert. Once a general set of metrics is identified with respect to the network or capture, the next steps in pinpointing the problem usually become obvious. The Summary displays the general problems reported and how many times the problem has been identified.
Analysis is offered for both client and server.

[Figure: TCP events row]

TCP Events Row Definitions

Station Columns:

• First “Station/Port->” column—displays the client in any conversation.
• Second “<-Station/Port” column—displays the server in any conversation, if it can be identified.

Station column ports are displayed based on the setting chosen in the “Expert Global Settings.” See “Expert Global Settings” on page 283. By default, conversations will be identified by server port and application.
marginal values are displayed for Internet/WAN data that may naturally be slower than local response time data. Each level, for critical or marginal and for Local or Internet/WAN, is set up in the “Expert Threshold (OSI Model)” setup dialog. See “Expert Thresholds (OSI Model)” on page 270.
• Retrans—displays retransmissions by conversation and direction. Thresholds are set in the “Expert Threshold (OSI Model)” setup dialog under “Transport” and “TCP Overall Retransmissions.”
• Station1/Port <-> Local network—sends conversation data (by port) for Station1 and all other stations on the local network. The local network is defined in the “Expert Global Settings” dialog under the “IP Range” tab. See “Expert Global Settings – IP Range Tab” on page 285.
• Station1/Port <-> Internet/WAN—sends conversation data (by port) for Station1 and all other stations found from the Internet/WAN. The Internet/WAN network is defined in the Expert Global Settings dialog.
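The grading logic that the Transport tab thresholds, the IP Range tab (auto-determined local subnet), the TCP/IP tab (compacting multi-port conversations) and the Retrans column together describe is worked through below as an added example. It is not Observer's code: the threshold percentages, the sample conversation records and the adapter address are constructed, and the local/WAN rule (both stations on the local subnet means local) is an assumption.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_interface

# Constructed TCP Retransmissions thresholds (percent), one marginal/critical
# pair for local traffic and one for Internet/WAN traffic, as the Transport
# tab requires. The values are assumptions, not Observer defaults.
RETRANS_THRESHOLDS = {
    "local": {"marginal": 1.0, "critical": 5.0},
    "wan": {"marginal": 3.0, "critical": 10.0},
}


def validate_thresholds(thresholds):
    """Enforce the 0.1%..100% range the dialog allows and require marginal < critical."""
    for scope, levels in thresholds.items():
        marginal, critical = levels["marginal"], levels["critical"]
        for value in (marginal, critical):
            if not 0.1 <= value <= 100.0:
                raise ValueError(f"{scope}: {value}% is outside 0.1%..100%")
        if marginal >= critical:
            raise ValueError(f"{scope}: marginal must be below critical")
    return True


def local_subnet(adapter_ip, subnet_mask):
    """IP Range tab, auto-determine: derive the local subnet from the adapter's
    configured address and mask (dotted mask or prefix length both work)."""
    return ip_interface(f"{adapter_ip}/{subnet_mask}").network


def conversation_scope(client, server, local_net):
    """Assumed rule: 'local' only when both stations are on the local subnet,
    otherwise the conversation is graded against the Internet/WAN thresholds."""
    on_net = ip_address(client) in local_net and ip_address(server) in local_net
    return "local" if on_net else "wan"


def compact(conversations, enabled=True):
    """TCP/IP tab: with compaction on, per-port records for the same station
    pair are summed into one conversation (port recorded as None); with it off,
    each port stays a separate item. Returns {(client, server, port): (packets, retrans)}."""
    totals = defaultdict(lambda: [0, 0])
    for client, server, port, packets, retrans in conversations:
        key = (client, server, None if enabled else port)
        totals[key][0] += packets
        totals[key][1] += retrans
    return {key: tuple(counts) for key, counts in totals.items()}


def grade(packets, retrans, scope, thresholds=RETRANS_THRESHOLDS):
    """Grade a conversation's retransmission percentage: ok, marginal or critical."""
    pct = 100.0 * retrans / packets if packets else 0.0
    levels = thresholds[scope]
    if pct >= levels["critical"]:
        return "critical"
    if pct >= levels["marginal"]:
        return "marginal"
    return "ok"


def expert_tcp_events(conversations, adapter_ip, subnet_mask,
                      compact_ports=True, thresholds=RETRANS_THRESHOLDS):
    """Build the Retrans column: {(client, server, port): (scope, retrans %, grade)}."""
    validate_thresholds(thresholds)
    net = local_subnet(adapter_ip, subnet_mask)
    rows = {}
    for (client, server, port), (packets, retrans) in compact(conversations, compact_ports).items():
        scope = conversation_scope(client, server, net)
        pct = round(100.0 * retrans / packets, 2) if packets else 0.0
        rows[(client, server, port)] = (scope, pct, grade(packets, retrans, scope, thresholds))
    return rows


# Constructed sample: (client, server, server port, packets, retransmissions).
CONVERSATIONS = [
    ("10.1.1.50", "10.1.1.10", 80, 200, 2),     # local web conversation, 1% retrans
    ("10.1.1.50", "10.1.1.10", 443, 100, 10),   # same pair, other port, 10% retrans
    ("10.1.1.50", "203.0.113.7", 80, 100, 5),   # Internet/WAN conversation, 5% retrans
]
ADAPTER_IP, ADAPTER_MASK = "10.1.1.1", "255.255.0.0"  # constructed local adapter settings

if __name__ == "__main__":
    for compact_ports in (False, True):
        print("compact" if compact_ports else "per port",
              expert_tcp_events(CONVERSATIONS, ADAPTER_IP, ADAPTER_MASK, compact_ports))
```

With compaction off the two local ports are graded separately (marginal and critical); with it on their counts are summed and the single pair grades as marginal.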
The ICMP Events dialog tracks ICMP errors and reports the error, station, port, and number of occurrences of the error. For specific explanations of each ICMP error, right-click on the error in question and select “Expert Explanation.”

IPX Events

The IPX Events dialog tracks IPX communication errors. Columns display the protocol, status, number of packets in each direction, packet delay in each direction, and the number of retransmissions in each direction.
NetBIOS Events

The NetBIOS Events dialog tracks NetBIOS communication errors. Columns display the protocol, status, number of packets in each direction, packet delay in each direction, and the number of retransmissions in each direction.

Wireless Events

The Wireless Events dialog tracks wireless communication errors. Columns display the station, status, number of packets in each direction, and associations in each direction, as well as various error counts from each direction.
A wizard then displays a series of dialogs that let you configure what will be included in the report and the pathname under which it will be saved.

Expert Analysis

Time Interval Analysis

The Time Interval Analysis displays TCP or UDP Event conversations in a table format showing the conversation split up by the user-defined time period. To access the Time Interval Analysis display, right-click on a conversation in either the TCP Events or the UDP Events.
Retransmissions and lost packets are flagged in red for quick identification. The packet display can contain either a brief or detailed view of each packet’s contents. To access Connection Dynamics, right-click on a conversation in either the TCP Events or the UDP Events and select CONNECTION DYNAMICS. Once a conversation has been displayed in Connection Dynamics, it can be reviewed by clicking the CONNECTION DYNAMICS button on the Expert button bar.
determine if the problem with this connection is temporary and transient, or indicates a more serious problem on the network.

Connection Dynamics Right-Click Menu

The Connection Dynamics right-click menu offers display options and access to a packet’s decode.

• Decode—displays the decode of the selected packet.
• Show Header Details—toggles the display of packet details.
The graph on the top of the Server Analysis display shows the response times for each level of simultaneous requests. An average line is shown for baselining purposes.

What-If Analysis

What-If live modeling and analysis offers both a predictive tool for modeling potential response times, utilizations, or packets per second at different network speeds, and also permits you to change different conversational and network metrics to predict changes in performance with the new values.
You can only do What-If modeling on conversations that have a recorded server (the second address in any conversation) delay. The top of the display will show which stations are currently being modeled. The client is on the left, the server is on the right. The X-axis of the graph will always display different network speeds. If the data collected was from Observer, a vertical reference line will be displayed showing the network speed at which the data was collected.
Server Characteristics:

• “Server type” dropdown—options include Database, Ftp, Level, and Web servers. Each different server selection causes the expert to use a different formula suited for the selection. A level server offers a formula for a typical server.
• “Start thread time (ms)” spinbox—taken into account when the “Server type” item is defined as “Web.” The value is the amount of time it takes to process a thread on the server.
• Show Reference Lines—displays a “reference line” indicating the speed of the network/WAN from the initial capture data. This will only be displayed if the option to “Show Reference Lines” is enabled in the Expert Global Settings, under the What-If tab. See “Expert Global Settings – What-If Analysis Tab” on page 288.
• Full Duplex—toggles off and on the interpretation of data as full-duplex.
• Reset Values—resets all values to the initial settings for the analyzed pair.
The RTP timestamp units are based on the sampling rate for a particular payload type. In the case where there are multiple sources in a single RTCP packet, only the maximum reported Lost Packet % and Jitter values will be plotted at the given time point. The last display shows the current conversation’s bandwidth utilization, the total RTP/RTCP utilization in the capture, and the total network load during the capture.
Switched Observer Introduction to Switched Observer Observer provides the ability to gather statistics and capture port data for switched environments. This ability is unique in the world of protocol analysis and makes Observer the ideal tool for traffic management and troubleshooting in a switched environment.
example, if a system on port 3 of a switch has a packet destined for port 7, the switch will create a virtual segment between ports 3 and 7 for the time required to move the packet. The switch then removes the virtual segment. In this example, two things are ensured: for the period of time that port 3 communicates with port 7, the bandwidth between port 3 and 7 is not shared with any other stations; and any other port pair can communicate while port 3 and 7 are communicating.
and switches from lower-end manufacturers do not offer any management options whatsoever. If your switch does not offer any management options, Observer (or any protocol analyzer for that matter) will be of little use in your switched environment. Should your switch fall into the first category, there are typically four different types of management options available: 1. An SNMP agent to monitor different switch traffic and device-specific information. 2.
RMON and protocol analysis are not typically complementary in the way SNMP and protocol analysis can be. Rather, RMON is the “protocol analysis” side of the SNMP standard, and is an attempt to duplicate the functionality of a protocol analyzer within the standards-based world of SNMP. A full implementation of RMON2 comes close to what any high end protocol analyzer provides, if in a more cryptic format. In theory, what you lose in ease of use, you gain in multi-vendor interoperability.
• you must either write a script for Observer to control the mirroring or use one of the scripts included, and • you must enable looping or capture in the Probe setup. More information on scripting is included at the end of this section. Probe configuration options are documented in the “Using Probes” section of this manual and briefly at the end of this section.
Each switch being monitored will require a setup in the Switch Dashboard Dialog. This dialog can be displayed by selecting Tools > Switch Setup Dashboard. [Figure: Switch Dashboard dialog, with callouts for the button bar, the edit boxes and the switch ports list] Important Note: Each change made in this dialog must be followed by selecting the Stop button and then selecting the (RE)CONNECT AND ENABLE SWITCH MANAGEMENT icon.
• “Switch script style” dropdown—allows you to select Telnet or SNMP. See “Switch Scripts” on page 312. • “Looping mode” dropdown—allows you to select Looping or Static. • Looping is where the Probe samples each port checked in the “Switch Ports” display. • Static is where the Probe collects all data from the port or ports selected (if supported by your switch). • “Switch address” textbox—allows you to input the IP address or DNS name of the switch to be managed by this Probe.
Switch Dashboard – Switch Management Log Tab • “Log switch management communication” checkbox—when selected, all communication with the switch will be displayed in the “Switch Management Log” window. This is primarily used for debugging. • “Scroll to the last line” checkbox—allows you to set the focus of the switch communication log to the last line of the log. • “Maximum number of log lines” textbox—allows you to set the length of the switch communication log.
the switch in a timed fashion to manipulate the management properties of the switch. Observer emulates a VT100/ANSI terminal when sending sequences to your switch. Note: SNMP scripts are preferred. Because a Telnet script carries the switch login passwords in cleartext (see the SEND-> lines in the sample script below), restrict access to the script files. Specifically, in the case of Observer, the Telnet script can either loop the Probe’s listening capabilities from port to port, or focus the Probe’s capture ability to a specific port (or group of ports if your switch supports this feature).
the editor makes the task of entering tokens easier and will contribute to the overall accuracy of the script. Each line that is to be sent to the switch must begin with a token and end with a line feed or {Enter}. Additional commands are available to manipulate the switch. You can enter three types of information into an Observer Telnet switch script: • Telnet Script Commands (called Tokens)—are special commands pre-programmed into the script editor.
Script Tokens The available script tokens are: • SEND-> token—follow this token by any sequence of keystrokes to be sent. • WAITFOR-> token—this token should be followed by the string the script should wait for. The script will wait the number of seconds specified in the SETWAIT-> line. If the expected string does not arrive before the timeout is reached, the script will terminate with an error message.
• {RepeatCharacter} button—sends the character immediately after the “>” for the number of times immediately after the character. For example, {RepeatCharacter>?15} would send the ? character 15 times. Note: Any script key or token can be entered by hand using the keyboard. The buttons are provided to help script accuracy. Script Editor buttons: • Save button—saves the current script, using the name and location that it originally had when it was opened by the script editor.
# send the next password
SEND->mynextpassword{Enter}
# wait for the switch to respond, and wait for the
# CiscoSwitch# prompt
WAITFOR->CiscoSwitch#
# send the “config t” command to enter
# configuration mode
SEND->config t{Enter}
# wait for the switch to respond, and wait for the
# CiscoSwitch (config) prompt
WAITFOR->CiscoSwitch(config)#
# send the config “int FA 0/2” command
# sets the configuration interface to port 2
# (where the Probe is)
SEND->int FA 0/2{Enter}
# wait for the switch to respond, and wa
# turn port 1 monitoring off
SEND->no port monitor FA0/1{Enter}
# wait for the switch to respond, and wait for the
# CiscoSwitch (config-if)# prompt to get ready for
# next sequence of commands
WAITFOR->CiscoSwitch(config-if)#
# The next sections are repeats of the one for
# port 1, with the actual port number changed.
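The following interpreter is an added example, not Observer's own code. It parses the token format documented above (comment lines, SETWAIT->, SEND->, WAITFOR-> and PAUSE->, plus the {Enter} and {RepeatCharacter} script keys) and drives a constructed in-memory stand-in for a switch CLI so the script can be exercised offline; the CR LF sent for {Enter}, the default timeout and the prompt strings are assumptions. The sample script embeds its password in cleartext, exactly as a real Observer Telnet script would, which is why such files need file-level protection.

```python
"""Interpreter for the Observer Telnet switch-script token format (added
example, not Observer's code).  Tokens: SETWAIT->, SEND->, WAITFOR->,
PAUSE->; script keys: {Enter}, {RepeatCharacter>c<n>}; '#' starts a comment."""
import re
import time

ENTER = "\r\n"  # assumption: {Enter} is transmitted as Telnet CR LF
REPEAT_RE = re.compile(r"\{RepeatCharacter>(.)(\d+)\}")


class ScriptError(Exception):
    """Unknown token, malformed line or WAITFOR-> timeout."""


def expand_keys(text):
    """Expand script keys inside a SEND-> argument, e.g. {RepeatCharacter>?15}."""
    text = REPEAT_RE.sub(lambda m: m.group(1) * int(m.group(2)), text)
    return text.replace("{Enter}", ENTER)


def parse_script(src):
    """Return [(TOKEN, argument)] for every non-comment, non-blank line."""
    steps = []
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "->" not in line:
            raise ScriptError("line %d must begin with a token: %r" % (lineno, raw))
        token, arg = line.split("->", 1)
        steps.append((token.strip().upper(), arg))
    return steps


class FakeSwitch:
    """Constructed stand-in for a switch CLI (no network involved).  It echoes
    each command, replies with the prompt a Cisco-style CLI would show next,
    and records which port monitors were disabled."""

    def __init__(self):
        self.sent = []            # everything the script transmitted
        self.monitor_off = []     # ports named in 'no port monitor'
        self.prompt = "Switch#"
        self._out = "Password: "  # what a fresh connection shows first

    def write(self, data):
        self.sent.append(data)
        cmd = data.strip()
        if cmd.startswith("config t"):
            self.prompt = "Switch(config)#"
        elif cmd.startswith("int "):
            self.prompt = "Switch(config-if)#"
        elif cmd.startswith("no port monitor"):
            self.monitor_off.append(cmd.split()[-1])
        self._out += data + "\n" + self.prompt

    def read(self):
        out, self._out = self._out, ""
        return out


def run_script(src, switch, clock=time):
    """Run a script against `switch` (any object with write()/read()).
    `clock` supplies time()/sleep() so tests can avoid real waiting.
    Returns the unconsumed output buffer; raises ScriptError on timeout."""
    wait_secs = 10.0  # assumption: default timeout before any SETWAIT->
    seen = ""
    for token, arg in parse_script(src):
        if token == "SETWAIT":
            wait_secs = float(arg)
        elif token == "SEND":
            switch.write(expand_keys(arg))
        elif token == "PAUSE":
            clock.sleep(float(arg))
        elif token == "WAITFOR":
            deadline = clock.time() + wait_secs
            while arg not in seen:
                seen += switch.read()
                if arg not in seen and clock.time() > deadline:
                    raise ScriptError("timed out after %ss waiting for %r" % (wait_secs, arg))
            # discard everything up to the matched prompt so a later WAITFOR->
            # cannot be satisfied by a stale prompt already in the buffer
            seen = seen[seen.index(arg) + len(arg):]
        else:
            raise ScriptError("unknown token %r" % token)
    return seen


# constructed sample script; the password sits in the file in cleartext
SAMPLE_SCRIPT = """\
SETWAIT->5
WAITFOR->Password:
SEND->mynextpassword{Enter}
WAITFOR->Switch#
SEND->config t{Enter}
WAITFOR->Switch(config)#
SEND->int FA 0/2{Enter}
WAITFOR->Switch(config-if)#
# turn port 1 monitoring off
SEND->no port monitor FA0/1{Enter}
WAITFOR->Switch(config-if)#
SEND->{RepeatCharacter>?3}{Enter}
"""

if __name__ == "__main__":
    sw = FakeSwitch()
    run_script(SAMPLE_SCRIPT, sw)
    print("monitoring disabled on:", sw.monitor_off)
```

The WAITFOR-> handling consumes the buffer up to and including the matched prompt; without that, the second WAITFOR->Switch(config-if)# in the sample would be satisfied immediately by the prompt left over from the previous step and the script would run ahead of the switch.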
SNMP Scripts Observer’s SNMP switch scripts are text files with the extension “.snm”. An example SNMP switch script file name might be “3COM Switch SNMP Script.snm”. Scripts have sections, which define specific parts of the switch initialization and control sequences. SNMP scripts send specific SNMP “commands” directly to the switch in a timed fashion to manipulate the management properties of the switch. Note: SNMP scripts are preferred.
the editor makes the task of entering tokens easier and will contribute to the overall accuracy of the script. Each SNMP command line that is to be sent to the switch must begin with a token. Additional commands are available to manipulate the switch. You can enter three types of information into an Observer SNMP switch script: SNMP Script Tokens, Object Types, and Script Keys. • SNMP Script Commands (called Tokens)—special commands pre-programmed into the script editor.
“SET->” is the token “OID” is the specific SNMP OID (Object Identifier). An example OID would be “1.3.6.1.4.1.343.6.10.1.7.0”. “Object Type” specifies if the OID value is an Integer or OctetString. An example Object Type would be “{Integer}” “Value” is the value that the OID should be set to. An example value would be “2”. A sample SET command would be: SET->1.3.6.1.4.1.343.6.10.1.7.
Note: Initial connection to the switch is done in the Switch Dashboard. See “Using the Switch Dashboard” on page 309. # Note 1: The script that you create MUST correspond to your particular # switch SNMP command structure. # # Note 2: It is sufficient to fill as many [PortXon] and [PortXoff] sections # as the number of ports on your switch. For example if your switch has 16 # ports you can fill only 16 [on-off] sections.
[Port2on]
SET->1.3.6.1.4.1.343.6.10.2.4.1.21.1.1.2={Integer}=1
PAUSE->20
SET->1.3.6.1.4.1.343.6.10.1.7.0={Integer}=1
PAUSE->20
[Port2off]
SET->1.3.6.1.4.1.343.6.10.1.7.0={Integer}=2
PAUSE->20
[Port3on]
SET->1.3.6.1.4.1.343.6.10.2.4.1.21.1.1.3={Integer}=1
PAUSE->20
SET->1.3.6.1.4.1.343.6.10.1.7.0={Integer}=1
PAUSE->20
[Port3off]
SET->1.3.6.1.4.1.343.6.10.1.7.0={Integer}=2
PAUSE->20
[Port4on]
SET->1.3.6.1.4.1.343.6.10.2.4.1.21.1.1.4={Integer}=1
PAUSE->20
SET->1.3.6.1.4.1.343.6.10.1.7.
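To show what a SET-> line becomes on the wire, here is an added example (not Observer's code) that parses the .snm section format above and BER-encodes each SET-> as an SNMPv1 SetRequest message, using the ISO 8825 encoding rules the manual refers to in the MIB Editor section. The OIDs and values are the manual's own [Port2on] and [Port2off] sections; the community string and request ids are assumptions. The community string is the device's write password and, in SNMPv1/v2c, it is sent in cleartext in every such message.

```python
"""Observer .snm script -> SNMPv1 SetRequest bytes (added example, not
Observer's code).  Hand-written BER: INTEGER, OCTET STRING, OID, SEQUENCE."""


def ber_len(n):
    """Definite-form length: short form below 128, else 0x80|count + bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value):
    """INTEGER (tag 0x02), minimal two's-complement length."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_octets(data):
    return tlv(0x04, data)                       # OCTET STRING


def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b,
    remaining arcs base-128, continuation bit set on all but the last byte."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def ber_seq(*parts):
    return tlv(0x30, b"".join(parts))            # SEQUENCE


# the two Object Types the script format allows
ENCODERS = {"Integer": lambda v: ber_int(int(v)),
            "OctetString": lambda v: ber_octets(v.encode())}


def parse_snm(src):
    """{section: [(TOKEN, arg)]}; a SET-> arg stays as 'OID={Type}=Value'."""
    sections, current = {}, None
    for raw in src.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
            continue
        token, arg = line.split("->", 1)
        sections[current].append((token.strip().upper(), arg))
    return sections


def parse_set(arg):
    """'1.3.6.1.4.1.343.6.10.1.7.0={Integer}=2' -> (oid, 'Integer', '2')."""
    oid, rest = arg.split("=", 1)
    typ, value = rest.split("}=", 1)
    return oid, typ.lstrip("{"), value


def set_request(oid, typ, value, community, request_id):
    """Message ::= SEQUENCE { version 0, community, SetRequest-PDU };
    SetRequest-PDU (tag 0xA3) ::= { request-id, error-status, error-index,
    VarBindList }, one VarBind ::= SEQUENCE { OID, value }."""
    varbinds = ber_seq(ber_seq(ber_oid(oid), ENCODERS[typ](value)))
    pdu = tlv(0xA3, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return ber_seq(ber_int(0), ber_octets(community.encode()), pdu)


def section_messages(script, section, community="private", first_id=1):
    """Wire messages for one [PortXon]/[PortXoff] section in script order;
    a PAUSE-> line is where Observer would sleep between sends."""
    msgs = []
    for i, (token, arg) in enumerate(parse_snm(script)[section]):
        if token == "SET":
            msgs.append(set_request(*parse_set(arg), community, first_id + i))
    return msgs


# sections copied from the manual's sample script; "private" is an assumption
SAMPLE_SNM = """\
[Port2on]
SET->1.3.6.1.4.1.343.6.10.2.4.1.21.1.1.2={Integer}=1
PAUSE->20
SET->1.3.6.1.4.1.343.6.10.1.7.0={Integer}=1
PAUSE->20
[Port2off]
SET->1.3.6.1.4.1.343.6.10.1.7.0={Integer}=2
PAUSE->20
"""

if __name__ == "__main__":
    for m in section_messages(SAMPLE_NM if False else SAMPLE_SNM, "Port2off"):
        print(m.hex())
```

Dumping the [Port2off] message and reading it back from the left gives 30 2c (message), 02 01 00 (version 1), 04 07 "private" (community in the clear), a3 1e (SetRequest) and finally 06 0c ... 02 01 02, the OID and the integer 2 that the script line asked for; a packet capture of the Probe talking to the switch shows the same bytes, which is a quick way to confirm a script against a vendor's MIB.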
Switched Modes Discover Network Names – Switched Discover Network Names works in the same way for both switched and non-switched mode. In switched mode, since all broadcasts are propagated over all ports on the switch, eventually Discover Network Names will find all relevant addresses. There is no additional setup for using Discover Network Names in switched mode.
1. Click on a checkbox next to a port. You may also select one or more ports by Controlclicking and then clicking CHECK SELECTED or UNCHECK SELECTED, as desired. Some switches support multiple mirroring of ports; others only support one port at a time. If your switch supports multiple mirroring of ports, Observer will be able to initiate a capture on all ports selected. If your switch does not, Observer will only be able to capture data on one selected port. 2.
automatically scale from modem speeds of 1000 bits/second to gigabit speeds of 1000 megabits/sec. Y-axis values automatically scale to the current (within the viewable time frame) port or aggregate switch load.
port is attached to only one system, or may display “multiple addresses” if the port is attached to multiple systems via a downstream hub. Top Talkers – Switched To view Top Talkers statistics in switched mode, you must first set your Probe (local or remote) to switched mode and then complete the switched setup for your particular switch. See “Configuration” on page 309. Switched Top Talkers mode displays all standard (non-switched) Top Talkers statistics by port.
Observer Suite: SNMP Management Console SNMP Management Console is a part of Network Instruments’ Observer Suite, bringing the cross-platform SNMP (Simple Network Management Protocol) standard to the Observer console. SNMP is not “simple” as its name implies. On the contrary, it is a difficult concept to understand. A brief overview and description of SNMP follows; however, it is by no means a comprehensive discussion. This overview is intended to give you a very simple introduction to SNMP.
Instead of defining a large set of commands, SNMP places all operations in a GetRequest, GetNextRequest, GetBulkRequest, and SetRequest format (each answered by a Response; Traps are sent unsolicited by the agent). For example, an SNMP manager can get a value from an SNMP agent or store a value in that SNMP agent. The SNMP manager can be part of an NMS, and the SNMP agent can reside on a networking device such as a router. If SNMP is configured on a router, the SNMP agent can respond to MIB-related queries being sent by the NMS.
MIBs A Management Information Base (MIB) is a formal description of a set of network objects that can be managed using the Simple Network Management Protocol (SNMP). The unit of data collected is called the SNMP object. For each device, a set of SNMP objects and rules for addressing the objects are defined in a MIB file. MIBs are key to the logical, orderly functioning of SNMP. MIB objects (OIDs) are represented by a tree hierarchy; each object has a unique address based on its position in the tree.
(All other MIBs are extensions of this basic management information base.) MIB-I refers to the initial MIB definition; MIB-II refers to the current definition. SNMPv2 includes MIB-II and adds some new objects. Each MIB object has a name, a syntax, and an encoding. • Name—identifies the object Example: SYSDESCR = the object descriptor 1.3.6.1.2.1.1.1 = the object identifier • Syntax—defines the object’s structure (e.g., octet string, integer). • Encoding—an object’s representation using the object’s syntax (e.
done by SNMP Management Console and no specific OID knowledge is required to use SNMP Management Console. SNMP Management Station The SNMP Management Station is a program designed to poll SNMP agents, collect information, and display the collected information in an easy-to-view format. Because each SNMP agent on a network can support a unique MIB, the SNMP management station must load MIB information for all the agents it intends to access.
Network Instruments designed SNMP Management Console as a highly functional, easy-to-use feature of Observer Suite to help you take advantage of SNMP's capabilities. SNMP Management Console includes an SNMP management plug-in for Observer, a MIB compiler, and a graphical forms editor/viewer—a complete RFC-compliant implementation of SNMP for the Microsoft Windows 2000/XP platforms.
• The MIB Compiler compiles SNMP MIBs into the binary format used by SNMP Management Console and offers a drag-and-drop interface for creating custom requests from MIB objects. • Global Event Log displays general SNMP events and traps. • Agent windows display all lists, charts, forms, tables and the local event log. • SNMP agents and SNMP agent request lists show all agents, and when an agent is selected, the set of requests that have been configured for the agent.
Check the device or server manuals for more information on installing or enabling SNMP agents. Configuring SNMP Management Console After installation, SNMP Management Console will generally require little, if any, configuration before it can be used. General SNMP Management Console options are defined in Options > Observer General Options > SNMP Tab. See “Observer General Options – SNMP Tab” on page 246.
• List of SNMP Agents pane—displays each agent as an icon. Agents are queried by request files that define five types of requests: charts, forms, lists, tables, and traps. When an agent is selected, the requests are displayed in the SNMP Agent Requests pane. • SNMP Agent Request pane—SNMP Agent Requests are shown in this pane. Selecting a chart, form, list, table, or trap will display the associated request output in the Agent Display pane.
before deciding that the request was lost and the number of times SNMP Management Console will resend the packet. When the maximum number of retries is reached and no reply has been received, SNMP Management Console considers the SNMP agent not present, out of order, or turned off, and displays a timed out message in the agent log. Configuring SNMP Agents For the SNMP Management Console to work with SNMP agents on the network, both must be configured.
only SNMP Extension is to have access to this sort of SNMP agent, set the IP address to the SNMP Extension’s console address. The procedure may be different for each agent. Refer to the device’s documentation for more information on configuring and enabling SNMP. To have the SNMP agent send trap messages to SNMP Management Console, you must add the SNMP Management Console’s IP address to the list of management stations that can receive trap messages from the agent.
Some SNMP agents will respond to a management request only if the management station IP address exists in the agent's list and if the request contains the proper password. In SNMP, the password is called the community name. To remain accessible to any SNMP station, most SNMP agents ship with the default community name “public”. With SNMPv1 and SNMPv2c the community name travels unencrypted in every packet, so a default or easily guessed community (and in particular the read-write community used for SET requests) lets anyone who can reach the agent read or change its configuration; change the defaults and use the agent's management-station list so that only the console's address is honoured.
Network Device Properties – Notification Tab Notify on Trap/Alarm: • “Email address” textbox—allows you to enter the email address to send notifications to (from traps or alarms for this agent). This is a different issue from the IP address (of the computer running Observer with SNMP Extension) to which the SNMP agent itself is to send traps. In this case, you are specifying the email address of the person who is to be notified when a trap message is received by SNMP Extension.
Edit an SNMP Agent To edit an agent, right-click on an existing agent entry and select the PROPERTIES menu item. Delete an SNMP Agent To delete an agent, right-click on an existing agent entry and select the DELETE NETWORK DEVICE menu item.
or cascading formats. One window per agent is opened. Select a tiling choice from the Windows menu or click the appropriate tiling choice on the button bar. The total number of agent windows you can open simultaneously is limited only by your available Windows resources. Each agent window can display any combination of lists, charts, tables, or forms. Each new list, chart, table, or form creates a new tab at the bottom of the agent window.
malfunctioning. When an agent is down, the Event Log displays a message indicating that SNMP Management Console exceeded the number of retries while attempting to poll the agent. Another type of error is reply packet parsing errors. If these errors appear, either the SNMP agent is malfunctioning or it's sending reply objects not supported by SNMP Extension.
the chart in the current agent information window if one is open, or will open a new agent information window if one is not currently running. When you select a chart request, SNMP Extension begins polling the agent. You can define the length of the request period and define chart display parameters by right-clicking on the chart and selecting Chart Properties. See “Building and Modifying Charts” on page 359. Chart information can be saved from the agent window.
Chart Properties – Chart Items Tab • Show items—displays your choice of monitored items in a chart. Chart Properties – Chart Properties Tab • “Title” textbox—displays the current chart’s title. Note: The title can be changed only from the MIB Editor.
• “Polling frequency (sec)” spinbox—allows you to set how frequently SNMP Management Console will poll an agent for data to update the chart. Show chart items: • all items (scroll) option button—allows you to display all items contained in the chart. • “Page size” spinbox—allows you to specify the number of items displayed on each page of the chart. • checked items only option button—allows you to select the items kept on the Chart Items tab to be displayed.
Lists have only one limitation regarding type of object: they cannot display tabular objects. Lists can display text, IP addresses, descriptions, and numeric variables, but not tables. Lists are best for objects that have a one-to-one relationship. For example: a statistic that does not change, such as SystemName; or a statistic that does not have a variable number of data points, such as RouteMetrics.
4. The updated list information will be displayed. Collecting Forms Information Forms are SNMP Management Console’s way of displaying SNMP data in a flexible graphical format. Forms can be groups of items that show objects in a clean, colorful formatted view; bitmaps of devices with ports that change color, depending on the value of the SNMP response; or multiple-choice dropdown writable SNMP lists for configuring a server. Any type of SNMP object can be placed on a form.
To modify the sampling behavior of a form, right-click on the form and select FORM PROPERTIES. The Form Properties dialog will be displayed: • “Title” textbox—displays the form’s title. Note: The form title can be changed only from the MIB Editor.
to collect information row by row until it reaches the end of the table. This process is called “traversing the table” in SNMP terminology. To receive table information from an agent, select the table tree item in the SNMP Agent Request area, and double click on the table you wish to view. Tables are created and modified using the Forms Designer in the MIB Editor. List requests are created and modified using the MIB Editor. See “Using the MIB Editor” on page 354.
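The traversal described above, as an added example that is not Observer's code: a manager-side walk that issues GetNextRequest repeatedly against a constructed in-memory agent holding a few MIB-II objects, assembles the ifTable column by column into rows, and stops as soon as GetNext returns an OID outside the subtree being walked. The agent contents and interface names are constructed. OIDs are compared arc by arc as integers, so instance .10 sorts after .2, which is what the real MIB ordering does and what a plain string sort would get wrong.

```python
"""GetNextRequest table traversal against a constructed agent
(added example, not Observer's code)."""


def oid_tuple(dotted):
    return tuple(int(a) for a in dotted.strip(".").split("."))


def oid_str(t):
    return ".".join(map(str, t))


class FakeAgent:
    """Answers Get and GetNext the way an agent does; no network involved."""

    def __init__(self, objects):
        self.objects = {oid_tuple(k): v for k, v in objects.items()}
        self.order = sorted(self.objects)      # numeric, arc-by-arc ordering

    def get(self, oid):
        """GetRequest: exact match only; None stands for noSuchName."""
        return self.objects.get(oid_tuple(oid))

    def get_next(self, oid):
        """GetNextRequest: first object strictly after `oid` in MIB order.
        The requested OID need not exist (a table or column OID is fine)."""
        key = oid_tuple(oid)
        for cand in self.order:
            if cand > key:
                return oid_str(cand), self.objects[cand]
        return None, None                      # end of MIB


def walk(agent, root):
    """Yield (oid, value) for every instance under `root`, stopping when
    GetNext hands back an OID outside the subtree or the MIB ends."""
    root_t = oid_tuple(root)
    cur = root
    while True:
        nxt, val = agent.get_next(cur)
        if nxt is None or oid_tuple(nxt)[:len(root_t)] != root_t:
            return
        yield nxt, val
        cur = nxt


def table_rows(agent, entry, columns):
    """Traverse the given columns of the table whose entry OID is `entry`
    (ifEntry = 1.3.6.1.2.1.2.2.1) into {index: {column: value}}."""
    rows = {}
    prefix_len = len(oid_tuple(entry)) + 1     # entry arcs + column arc
    for col in columns:
        for oid, val in walk(agent, "%s.%d" % (entry, col)):
            index = oid_tuple(oid)[prefix_len:]
            rows.setdefault(index, {})[col] = val
    return rows


IF_ENTRY = "1.3.6.1.2.1.2.2.1"
# constructed agent contents: sysDescr, three ifTable rows (ifIndex, ifDescr,
# ifOperStatus; note the index 10) and one object just past the table
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.1.0": "constructed switch",
    IF_ENTRY + ".1.1": 1, IF_ENTRY + ".2.1": "lo0", IF_ENTRY + ".8.1": 1,
    IF_ENTRY + ".1.2": 2, IF_ENTRY + ".2.2": "Fa0/1", IF_ENTRY + ".8.2": 1,
    IF_ENTRY + ".1.10": 10, IF_ENTRY + ".2.10": "Fa0/9", IF_ENTRY + ".8.10": 2,
    "1.3.6.1.2.1.3.1.1.1.1.1": "past the table",
}

if __name__ == "__main__":
    rows = table_rows(FakeAgent(SAMPLE_MIB), IF_ENTRY, [1, 2, 8])
    for index, row in sorted(rows.items()):
        print(index, row)
```

The prefix check in walk() is the part that matters for correctness: the last GetNext of each column returns the first instance of the next column (or, for the last column, an object past the table entirely), and a manager that does not check the prefix will happily keep walking the rest of the agent's MIB.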
level of activity, or other condition. SNMP Extension collects incoming trap messages constantly. “Trap” and “trap message” are used interchangeably. To receive trap messages with SNMP Management Console, SNMP Management Console's IP address must be included in the trap configuration table of the SNMP agent. Trap configuration is usually separate from general SNMP configuration. If you configure one but not the other, you may be able to poll the SNMP agent, but receive no trap messages.
• Device Types (Requests)—a request file is the actual file sent to an SNMP agent, polling and/or setting the states of various MIB objects or OIDs. The MIB Editor displays compiled MIBs on the left pane of the window and request files on the right pane. Both compiled MIBs and requests are displayed in a familiar Windows tree format. The MIB Editor is used to compile MIBs and create/edit requests. The MIB Editor Toolbar Compile MIB File—causes SNMP Extension to compile a MIB file.
Using the MIB Editor The following definitions may help in navigating the MIB editor dialogs. MIB MIBs are text files that the creator of an SNMP agent provides to describe the variables the particular agent keeps track of. These variables are called SNMP objects. Often, in the context of SNMP, they are simply referred to as “objects.”
Compiled MIBs SNMP Management Console compiles the MIB prior to using it to create requests. This is done to save on memory when parsing request responses and to make drag-and-drop request building faster. Your path to begin building requests (lists, charts, tables, or forms) will begin by determining whether SNMP Management Console includes a suitable MIB for your device. See “Building Requests” on page 357.
how you actually encode each data item in a message is defined by the ISO 8825/ITU X.209 standard. The Compile Process 1. To compile a new MIB, open the MIB Editor by selecting Tools > SNMP MIB Editor or click on the SHOW MIB EDITOR icon from the main button bar. 2. Select Mode Commands > Compile MIB File to open the Import MIB Source dialog to display files to select for compiling. 3. Select the MIB file (*.MIB) you wish to compile. The Save Compiled MIB As dialog will be displayed. 4.
6. Once the MIB is successfully compiled, it will be automatically listed in the MIB Editor with the other compiled MIBs. 7. Should the compiler have problems compiling your MIB, the compiler will exit to the MIB Editor and the log will display the errors, listing which MIB line caused the error. Click the EDIT SOURCE button to edit the MIB file and correct the error. 8. After correcting the error, simply compile the MIB again. If there are any further errors, the compiler will stop again.
The structure of the SNMP polling process suggests that an SNMP request can be considered a single object. By combining several SNMP objects in a single request, the same requests can be used for all SNMP agents using the same MIB. The MIB Editor provides this functionality for SNMP Management Console by allowing you to design requests for each agent. When you configure a new SNMP agent, you designate its request file in the SNMP Agent Properties dialog.
Creating A Custom Request File 1. To create a custom request file, from the MIB Editor select Mode Commands > New Request File or click on the NEW REQUEST FILE icon. 2. The Add New Device Type dialog will be displayed. 3. Name the request file. 4. Leave the “Add default RFC1213 requests to the new file” checkbox selected, if desired. 5. Click the CREATE button. 6. The new request tree on the right hand side of the MIB Editor will be displayed.
1. To create a new, blank chart, right-click on Charts and select NEW CHART. A new chart, entitled “New Chart” will be created. 2. Drag-and-drop any non-table MIB object from the left-hand pane of the MIB Editor onto the chart (remember: charts cannot display tabular data). A MIB object can be copied from any available compiled MIB. [Figure: MIB Editor, with callouts for the new chart, the drag-and-drop onto it, and the items displayed] Only those MIB objects that have been copied to the chart can be monitored by the chart.
Object Properties Wizard Click on the YES button to display the New Item Properties dialog. • “Label” textbox—allows you to enter a label name for the chart item; the default name is from the list of Compiled MIBs you are dragging and dropping from. • “Description” textbox—allows you to enter a description of the chart item. Item Appearance: • “Fill color” dropdown—allows you to select the fill color for the chart item.
Attached MIB Object • “ID” display—allows you to view the ID label for the chart item. • “Name” display—allows you to view the MIB Object name. • “Type” display—allows you to view the MIB Object type. • “Access” display—allows you to view whether the MIB Object is read-only or read-write. • “Enumerated values” display—allows you to view the enumerated values to be displayed by the MIB Object. • “Description” display—allows you to view the description of the chart item.
Set Triggers • “Chart item” display—allows you to view the chart item name. • “Upper threshold” checkbox—when selected, allows you to enable triggers for upper thresholds of the chart item. • “Upper threshold” textbox—when the “Upper threshold” checkbox is selected, this box will be enabled and you can set the upper threshold values. • “Lower threshold” checkbox—when selected, allows you to enable triggers for lower thresholds of the chart item.
• Page phone number • Play sound file • Execute command line • Add to event log These actions can be configured independently. It is possible to configure any, all, or none of these to be executed when a threshold is reached. • “Email message” textbox—allows you to enter an email message to be sent. Chart Items Tab When agent information is displayed in chart format, several options are available for customizing the display. To define the settings, right-click on the Chart and select PROPERTIES.
3. Right-click on the new expression to rename it, if desired. 4. Right-click on the renamed expression and select EDIT EXPRESSION to display the Modify Expression dialog. The Modify Expression dialog box is, in effect, a numeric calculator, permitting the creation and modification of mathematical expressions using selected MIB objects, constants, and mathematical operations. 5.
You may use MIB objects from two or more different compiled MIBs. 5. Once complete, select Mode Commands > Save Request File. The new list will be available for all Agents that use this request file. The same actions can be taken to build tables. Building Trap Requests A trap is an event that an SNMP Agent (the actual hardware or software agent, not SNMP Management Console’s Agent request) can be configured to automatically report to the management program, in this case SNMP Extension.
3. 4. Click on the “Set Triggers” tab to configure the trap’s alarms and to display the Set Triggers tab. Alarm actions can be set independently. It is possible to configure some, none, or all of the possible alarm actions to happen when the trap is received. Actions: • “Send email message” checkbox—if selected, a triggering event will cause an email message to be sent to a designated recipient as configured in Options > Observer General Options > Email Notifications.
• “Execute command line” checkbox—if selected, a triggering event will cause a DOS or Windows program to be run. Only one command will be executed. If you need or wish to have more than one program run, you may set up a batch file (e.g., WARNINGS.BAT) as the command line to be executed. You can then use a text editor to create WARNINGS.BAT and enter multiple commands in that batch file.
When the Form Editor is active, Mode Commands contains the following items: Form Editor Form Designer • Select Control—permits the selection of one or more controls and drawing objects. Click on one object to select it; either Control-click on several objects or draw a bounding outline to select multiple objects. • Add Text Control—permits the creation of a text control on the form. Click anywhere on the form to create a text control at that point.
• Paste MIB Object—permits the insertion of a MIB object that has been cut or copied to the Windows Clipboard. • Clear MIB Object—permits the deletion of a MIB object. • Test Form—toggles the form between Edit Mode and Preview Mode. In Preview Mode, while the form will not display any actual data, it is possible to test buttons and dropdown forms. The horizontal toolbar contains the following buttons, which correspond to their equivalent entries on the MODE COMMANDS menu.
• Delete MIB Object • Test Form When the Forms Designer is active, Mode Commands > Align Controls submenu contains the following items: • Undo Last Operation—reverses the action of the last operation on the form. Saving the form will clear the undo buffer. • Redo Last Operation—reverses the action of the last undo operation on the form. Saving the form will clear the redo buffer. • Show grid—toggles the display of the grid, the rectangular array of points on the form.
• Make the Selected Controls the Same Width as the Last Selected control—causes the selected controls or objects to become the same width as the last selected control.
Text Field Properties • “Wrap text (multi-line)” checkbox—allows you to break between words and wrap to multiple lines. • “Clip text to bounding rectangle” checkbox—allows you to set the text to be aligned or clipped to the bounding rectangle of the textbox. • “Transparent” checkbox—allows you to set the text box to be transparent. • “Align text” dropdown—allows the text to be aligned left, centered, or right. • “Text Color” dropdown—allows you to select the text color from a color palette.
Edit Field Properties • “Multiline” checkbox—if selected, the text will break between words and wrap to multiple lines. • “Read-only” checkbox—if selected, prevents you from being able to change the associated MIB information, even if the MIB object is writable. • “Vertical scroll bar” checkbox—if selected, adds a vertical scroll bar to the object, allowing you to scroll up or down to see hidden information.
• If the Arithmetic expression option button is selected, the bottom pane of the dialog will include a SET EXPRESSION button Set Expression button displayed if “Arithmetic Expression” selected. Arithmetic expression will be displayed, if selected. Setting an Expression 1. Click the SET EXPRESSION button. The Choose Expression dialog box will be displayed. 2. The upper pane will contain those expressions available in the present SNMP request. Select any expression and click the NEXT button.
3. The Set Expression Indexes dialog will be displayed. 4. Select the index you wish to modify and enter your chosen value in the “Assign index value” textbox. Click the FINISH button. 5. The Edit Field Properties dialog will be redisplayed. List Box Properties • “Sort lines” checkbox—if selected, the items in the list box will be sorted alphabetically. • “Whole lines” checkbox—if selected, the list box will display a whole number of lines, rather than permitting fractional lines.
• “Associated MIB object” dropdown—allows you to choose among the MIB objects attached to the form. Combo Box Properties • “Sort lines” checkbox—if selected, the lines in the list box will be sorted in alphanumeric order. • “Whole lines” checkbox—if selected, the list box will display whole number of lines, rather than permitting fractional lines. • “Hidden (useful for table holders)” checkbox—if selected, the table will be hidden on the form.
Group Box Properties • “Label” textbox—allows you to add a descriptive label for the group box. • “Right aligned text” checkbox—if selected, the text in the group box will be right aligned. Bitmap Properties • “Bitmap path” display—allows you to view the bitmap path. • “Bitmap path” selection box—allows you to select the bitmap to be displayed on the form. Click on the button to select the bitmap. The Select Bitmap dialog will be displayed. See “Select Bitmap Dialog” on page 379.
• “Stretch to bounding rectangle” checkbox—if selected, the bitmap will be stretched to the limits of the rectangular boundary, even if that requires a horizontal or vertical distortion of the image. • “Clip to bounding rectangle” checkbox—if selected, the bitmap will be clipped or trimmed at its rectangular boundary.
• “Associated MIB object” dropdown—allows you to select which of the MIB objects attached to the form will be polled or set when the button is clicked.

Drawing Control Properties
• Shape option buttons—allow you to select one of the following shapes for the drawing object: rectangle, rounded rectangle, raised panel, recessed panel, oval, or diamond.
Enumerated Bitmap Properties
Styles:
• “Stretch to bounding rectangle” checkbox—if selected, the bitmap will be stretched to the limits of the rectangular boundary, even if that requires a horizontal or vertical distortion of the image.
• “Clip to bounding rectangle” checkbox—if selected, the bitmap will be clipped or trimmed at its rectangular boundary.
Configure Bitmap Label
Text color:
• Reverse option button—if selected, the label’s text color will be the reverse of the background color.
• Selected option button—if selected, you can choose a text color using the dropdown box.
• “Color” dropdown—allows you to select the text color; only active if you have selected the Selected option button.
Text offset:
• “X” textbox—allows you to set the offset, in pixels from the upper left corner of the bitmap, where the label will be placed.
Edit Ranges/Values
1. Click on the line.
2. Click on the icon to choose the default bitmap to be displayed.
3. For each value or range of values you wish to be represented by a different bitmap, click on the ADD NEW button.
4. Enter the value or range in the appropriate edit boxes, then click on the icon to set the bitmap for that range.

Dial Control Properties
Styles:
• “Display graph” checkbox—if selected, enables the display of a histogram graph below the dial display.
Conclusion
The complexities involved in the design and building of custom forms are considerable, but are more than compensated for by the great amount of control that custom forms give to both the display of SNMP information and the control of SNMP devices. By careful form design, it is possible not only to make data more useful to experienced Observer users, but also to make it possible for users with little technical knowledge to interact effectively with SNMP devices.
SNMP MIB Walker
The MIB Walker is accessed by selecting an SNMP device from the SNMP Agents pane and clicking Tools > SNMP MIB Walker.
1. To walk an agent MIB, right-click on the desired SNMP Agent in the SNMP Agent pane and select WALK NETWORK DEVICE MIB.
2. By default, the initial OID for the walk will be 1.3.6.1.4.1.
4. SNMP Management Console’s MIB Walker will step through all higher branches of the MIB tree (starting at the initial OID) and display the results in the Walk Network Device MIB Table Viewer. The viewer shows the number of discovered objects; in List view, the VIEW TREE button is displayed.
The following buttons are active from the Walk Agent MIB Table Viewer after the walk has been completed:
• Print button—allows you to send the table to a user-chosen printer.
View MIB Tree
Selecting the VIEW TREE button from the Walk Agent MIB dialog displays the Walk Agent MIB Tree Viewer. The Walk Agent MIB Tree Viewer displays the structure, although not the values, of the discovered MIB tree.
Be careful to use the proper type of value when setting the value. If you attempt to set an integer SNMP value to a character string (e.g., “Bob”), it will be set to zero.
5. If the attempt to set the value fails, an error dialog will be displayed, and the Status line on the Set Value dialog box will read “Failed” instead of “Done.”
By the end of 1991, the standard SNMP MIB specification was extended by the Remote Network Monitoring MIB (RMON). RMON provides a set of SNMP objects related to network analysis and monitoring. Information provided by RMON is somewhat different in scope from the typical SNMP information provided by network devices. Usually, a device collects information about itself, in connection with either the operation of the device or its relationship to the network.
When the management station needs information from an SNMP agent, it sends an SNMP request. SNMP specifications allow the station to ask for more than one MIB object in a single request. When the SNMP agent receives the request, it searches its local MIB, finds the current values of the requested data, forms a response packet (PDU), and sends the PDU back to the management station.
specifications are used to describe the MIB objects: Abstract Syntax Notation One (ASN.1) and Basic Encoding Rules (BER).

Abstract Syntax Notation One (ASN.1)
ASN.1 describes objects in textual MIB descriptions. It describes rules for writing consistent MIBs, both standard and proprietary, that compile without errors. ASN.1 includes basic types such as INTEGER, OCTET STRING, OBJECT, NULL, and SEQUENCE. For example, the following is a sample of ASN.1:

    ipAddrEntry OBJECT-TYPE
        SYNTAX IpAddrEntry
        ACCESS not-accessible
        STATUS mandatory
        DESCRIPTION
            "The addressing information for one of this entity's IP addresses."
        INDEX { ipAdEntAddr }
        ::= { ipAddrTable 1 }

    IpAddrEntry ::= SEQUENCE {
        ipAdEntAddr      IpAddress,
        ipAdEntIfIndex   INTEGER,
        ipAdEntNetMask   IpAddress,
        ipAdEntBcastAddr INTEGER
    }

Basic Encoding Rules (BER)
BER describes how to convert the values of MIB objects into a format that allows them to be transferred through a network.
The GetRequest PDU is used by the management station to retrieve the values of one or more objects from an agent. These values are usually singular, not columnar. When an agent receives a GetRequest PDU, it checks the PDU for errors, finds the values corresponding to the requested objects, and sends a GetResponse PDU back to the management station. If an error is found in the request packet, the GetResponse PDU returns an error message instead of the requested data.
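The GetRequest/GetResponse exchange just described, serialised with the BER rules from the ASN.1 section above, as an added example that is not code from the Observer guide. It assumes the community string "public", request-id 1 and sysDescr.0 (1.3.6.1.2.1.1.1.0) as sample values; the response it parses is constructed with the same helpers, not captured from a device.

```python
"""SNMPv1 messages built and parsed with hand-written BER (added example, not
code from the Observer guide): INTEGER, OCTET STRING, OBJECT IDENTIFIER, NULL
and SEQUENCE serialised into the bytes that travel to UDP/161 and decoded again."""
# Universal ASN.1 tags used by SNMPv1 plus the context-specific PDU tags.
TAG_INT, TAG_OCTSTR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GETREQUEST, TAG_GETRESPONSE = 0xA0, 0xA2


def ber_length(n):
    """Definite length: one byte below 128, else 0x80|k followed by k bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Tag-Length-Value, the BER triplet every field below is built from."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(v):
    """Non-negative INTEGER in the fewest two's-complement bytes (at least one)."""
    return tlv(TAG_INT, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def ber_oid(oid):
    """OID: first two arcs share one byte (40*a+b); later arcs are base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # low 7 bits go last, continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_message(pdu_tag, community, request_id, pairs):
    """Message = SEQUENCE { version 0, community, PDU }. pairs are (oid, value):
    value None encodes NULL (a request), bytes an OCTET STRING (an answer)."""
    varbinds = b"".join(
        tlv(TAG_SEQ, ber_oid(o) + (tlv(TAG_NULL, b"") if v is None else tlv(TAG_OCTSTR, v)))
        for o, v in pairs)
    pdu = ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(TAG_SEQ, varbinds)
    return tlv(TAG_SEQ, ber_integer(0) + tlv(TAG_OCTSTR, community.encode())
               + tlv(pdu_tag, pdu))


def parse_tlv(buf, pos=0):
    """Return (tag, value, position after the TLV); refuse lengths past the end."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                    # long form: 0x80|k, then k length bytes
        k = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    else:
        length, start = first, pos + 2
    if start + length > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return tag, buf[start:start + length], start + length


def children(buf):
    """All (tag, value) TLVs packed back to back inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = parse_tlv(buf, pos)
        out.append((tag, value))
    return out


def decode_value(tag, value):
    """Primitive types only; a console decoder would add Counter, Gauge, etc."""
    if tag == TAG_INT:
        return int.from_bytes(value, "big", signed=True)
    if tag == TAG_OCTSTR:
        return value
    if tag == TAG_NULL:
        return None
    if tag == TAG_OID:
        arcs, acc = [value[0] // 40, value[0] % 40], 0
        for b in value[1:]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:            # last byte of this arc
                arcs.append(acc)
                acc = 0
        return ".".join(map(str, arcs))
    raise ValueError(f"unsupported tag 0x{tag:02x}")


def parse_message(msg):
    """Split an SNMPv1 message into header fields and decoded (oid, value) pairs."""
    (_, ver), (_, comm), (pdu_tag, pdu) = children(parse_tlv(msg)[1])
    fields = children(pdu)
    req_id, status, index = (decode_value(t, v) for t, v in fields[:3])
    varbinds = []
    for _, vb in children(fields[3][1]):
        (ot, ov), (vt, vv) = children(vb)
        varbinds.append((decode_value(ot, ov), decode_value(vt, vv)))
    return {"version": decode_value(TAG_INT, ver), "community": comm.decode(),
            "pdu_tag": pdu_tag, "request_id": req_id, "error_status": status,
            "error_index": index, "varbinds": varbinds}
```

The 40-byte request for sysDescr.0 that `build_message(TAG_GETREQUEST, "public", 1, [("1.3.6.1.2.1.1.1.0", None)])` produces is the same byte sequence a packet decoder shows for that query, and the community string is visible in it in clear text.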
• “enterpriseSpecific” trap—the SNMP agent is notifying the management station about an event defined by the vendor for the device. The specific trap type provides more information.
Observer Suite: Web Reporting
Web Publishing Service is a part of Network Instruments’ Observer Suite, bringing Observer’s reporting ability to any computer with a standard Web browser.

Introduction to Web Publishing Service
The Observer Suite’s Web Publishing Service allows an administrator, end-user, or consultant to view network trending data monitored by Observer from any Web browser.
allows an administrator not only to define which reports and statistics should be published for outside viewing, but also to set an access password that defines who can access the data.
The Set Access to Trending Information tab lets you specify which statistics will be available for viewing and whether or not SNMP trending information will be available over the Web. The statistics list can be maintained on a Probe-by-Probe basis or for all Probes.
• Precedence is based on the last value set.
• “Network IP subprotocol distribution” checkbox—if selected, displays the major IP subprotocol distribution (e.g., TCP, UDP, ICMP, ARP, RARP, IP).
• “Network IP group protocol distribution” checkbox—if selected, displays the major Network IP subprotocol distribution.
• “Network IP applications distribution” checkbox—if selected, displays the IP applications distribution (e.g., Telnet, POP, HTTP). User-defined applications can be added.
Web Server Options Tab
The Web Server Options tab contains the following items:
• “Request password to access Web reporting” checkbox—if selected, allows you to set a password for accessing the Web Publishing Service facility. If password protection is on, each user will have to enter a password to gain access to the reporting facility.
• “Web server port” textbox—this textbox sets the port that will be used for accessing the Web server. Changes to the Web server port will take effect the next time that the Observer PC is rebooted.

Using Web Publishing Service
To receive maximum benefit from the Web Publishing Service, it is recommended that you run Observer’s Trending mode at all times to collect a complete view of your network/WAN’s data flow patterns.
Whether or not you have configured Web Publishing Service to require a password, the Web Publishing Service Welcome page will be displayed. If you have configured Web Publishing Service to require a password, the correct password must be entered in order to access Web Publishing Service data; if it has not been configured to require a password, any or no password will work. Click on the type of trending you wish to view.
• Probe list—lists the Probes (including the built-in, local Probe that is part of Observer) for which trending data has been collected.
• “Dates with logged data” chart—displays the dates for which logged data is available.
• “Report period” combo box—allows you to select the report period. You can select 1 day, 1 week, 2 weeks, 1 month, or custom.
• “Network IP group protocol distribution” checkbox—if selected, the report will capture network IP group protocol distribution. You can select the data to be displayed as a chart and/or a table.
• “Network IP applications distribution” checkbox—if selected, the report will capture network IP applications distribution. You can select the data to be displayed as a chart and/or a table.
• Show Report button—generates the report and displays the Trending Report page.
The report has two parts:
• Contents Section—contains a table of contents of the report, as configured by using the Statistic checkboxes on the Report Properties page. Each line in the contents section represents one report item and is also a hotlink to the named item; clicking on it will bring you directly to the item it represents.
Click the INTERNET TRENDING button on the Web Publishing Service Welcome page to display the Internet Trending Report Properties page.
• “Dates with logged data” chart—displays the dates for which logged data is available.
• “Report period” combo box—allows you to select the report period. You can select 1 day, 1 week, 2 weeks, 1 month, or custom.
• “Switch IP group protocol distribution” checkbox—if selected, the report will capture switch IP group protocol distribution. You can select the data to be displayed as a chart and/or a table.
• “Switch IP applications distribution” checkbox—if selected, the report will capture switch IP applications distribution. You can select the data to be displayed as a chart and/or a table.
• Show Report button—generates the report and displays the Trending Report page.
The Switch report is similar to the Network report, the significant difference being that it displays trending information for the specific switch, rather than the network as a whole. Top Talkers, for example, will display the information for the top talkers on the switch, rather than the monitored network segment.
Click the INTERNET TRENDING button on the Web Publishing Service Welcome page to display the Internet Trending Report Properties page. A listing of days for which Internet trending data is available will be displayed in the date selection pane. Select the day you wish to see a report for and click on the SHOW REPORT button to display the Internet Trending Report page.
Internet Observer
• Station (by MAC)—the MAC address of the first station in the conversation.
• Talking to (by IP)—the IP address of the second station in the conversation.
• Packets Total—total packets sent between the two stations.
• Bytes Total—total bytes sent between the two stations.
• Packets ->—packets sent from the first station to the second station.
• Packets <-—packets sent to the first station from the second station.
It is possible to select any line or lines in the report. By clicking on either the CONNECTION DETAILS, the STATION1 DETAILS, or the STATION2 DETAILS button, you can generate an item detail report in the lower pane with details for the requested information. Selecting one or more lines in either pane and clicking on that pane’s PRINTABLE REPORT button opens the report in a new browser window, ready to be printed. Click the PRINT button in the browser window to print the report.
SNMP Trending
Allows you to view SNMP trending data. Click the SNMP TRENDING button on the Web Publishing Service Welcome page to display the SNMP Trending Report Properties page.
• “Dates with logged data” chart—displays the dates for which logged data is available.
• “Report period” combo box—allows you to select the report period. You can select 1 day, 1 week, 2 weeks, 1 month, or custom.
• “Date” calendars—allow you to select the day or dates you would like to run the report on.
• “Average in time intervals” checkbox—if selected, the report will capture the average in the time intervals you have selected in the “Averaging for tables” combo box. You can select the data to be displayed as a chart and/or a table. You may also select to display all items or only selected items using the radio buttons in the “Notes” column.
• “Enter a note to include in the report” textbox—allows you to enter a note for inclusion in the report.
Creating Comparison Reports
The procedure for creating comparison reports is identical to that for creating summary reports with one difference: instead of choosing one time range for summary, you choose two ranges to compare to each other.
Observer Suite: RMON Console
RMON Console is a part of Network Instruments’ Observer Suite, bringing the RMON (Remote Monitoring) standard to the Observer console.

Introduction to the RMON Console
Observer Suite’s RMON Console allows you to view any RMON1/2 Probe’s RMON data from within the Observer interface. The RMON data can be viewed in familiar Observer mode formats or in a pure RMON1/2 table format.
RMON Probe and modify the read and write community string (if necessary). Once this information is entered, click on the OK button.

RMON Console Configuration Options
See “Adding/Configuring an RMON Probe” on page 263.

RMON Modes
Once a connection to an RMON Probe is made, you can view the RMON Probe’s data in a number of familiar Observer formats.
standard). Filtering by layer 3 IP address is not supported by the RMON standard. See “Filter Setup for Selected Probe” on page 219.

Packet View (Decode)
• Comparative Standard Observer Mode Functionality: Identical
• RMON Limitations: Live decodes are not supported. Buffer transfers will be much slower than using an Advanced Probe. RMON does not allow block packet transfers.
Web Observer Mode
• Comparative Standard Observer Mode Functionality: Similar
• RMON Limitations: No ping test is available in RMON.
Packet Size 1024-1518 Byte Packets
Broadcast Packets
Bytes
Collisions
CRC & Alignment Errors
Fragments
Jabbers
Multicast Packets
Occurrence of Hardware Address
Oversized Packets
Packets
Sequence of Bytes at an Offset
Undersized Packets

For Token Ring
Packet Size 18-63 Byte Packets
Packet Size 64-127 Byte Packets
Packet Size 128-255 Byte Packets
Packet Size 256-511 Byte Packets
Packet Size 512-1023 Byte Packets
Packet Size 1024-2047 Byte Packets
Packet Size 2048-4095 Byte Packets
Packet Size 4096-8191 Byte Packets
NAUN Changes
Occurrence of Hardware Address
Ring Poll Events
Ring Purge Events
Ring Purge Packets
Sequence of Bytes at an Offset
Soft Error Reports
Token Errors
• Actions are identical to Observer’s standard actions.
• RMON Limitations: Only statistics kept in the statistics group (RMON1 Group 1) are triggered upon.
• Notes: The following information on each statistics group 1 item is taken directly from the RMON1 MIB. Each vendor’s RMON implementation should follow the described metric for each item.
Packet Size 1024-1518 Byte Packets
The number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits, but including FCS octets).
Broadcast Packets
The number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.
Utilization   Bytes
30%           37500000
40%           50000000
50%           62500000
60%           75000000
70%           87500000
80%           100000000
90%           112500000
100%          125000000
Note: The RMON standard does not consider an event to happen unless both Upper and Lower Thresholds have been crossed.
Collisions
Collisions show the best estimate of the number of collisions on this Ethernet segment. The value returned will depend on the location of the RMON Probe. Section 8.2.1.3 (10BASE-5) and section 10.3.1.3 (10BASE-2) of IEEE standard 802.
integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error). Note: It is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences due to collisions) and noise hits.
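The Bytes utilization table and the note about Upper and Lower Thresholds above, worked in code as an added example (not from the Observer guide). It assumes a 100 Mb/s segment sampled every 10 seconds, which is what yields exactly 125000000 bytes at 100%, and its counter readings are constructed.

```python
"""RMON1 alarm thresholds worked in code: an added example, not from the
Observer guide. It reproduces the Bytes utilisation table above and the rule
in its note, that after a rising event no further rising event fires until the
value has dropped to the lower threshold (and vice versa). Link speed and
sample interval are assumptions: 100 Mb/s sampled every 10 s is what yields
exactly 125000000 bytes at 100%."""
from dataclasses import dataclass
from typing import Dict, List, Optional

COUNTER32_MOD = 1 << 32      # etherStatsOctets is a Counter32 and wraps at 2^32


def threshold_bytes(utilisation_pct: int, link_bps: int = 100_000_000,
                    interval_s: int = 10) -> int:
    """Bytes crossing the link in one sample interval at the given utilisation."""
    return link_bps * interval_s * utilisation_pct // 800     # /8 bits, /100 %


def threshold_table(link_bps: int = 100_000_000, interval_s: int = 10) -> Dict[int, int]:
    """Utilisation percent -> byte threshold, the table above extended to 10..100."""
    return {pct: threshold_bytes(pct, link_bps, interval_s) for pct in range(10, 101, 10)}


@dataclass
class RmonAlarm:
    """Rising/falling alarm with the hysteresis described in the note above."""
    rising: int
    falling: int
    rising_armed: bool = True       # both armed at start, so the first crossing
    falling_armed: bool = True      # in either direction raises an event

    def sample(self, value: int) -> Optional[str]:
        """Return "rising", "falling" or None for one sampled value."""
        if value >= self.rising and self.rising_armed:
            self.rising_armed, self.falling_armed = False, True
            return "rising"
        if value <= self.falling and self.falling_armed:
            self.falling_armed, self.rising_armed = False, True
            return "falling"
        return None


def delta_samples(counters: List[int]) -> List[int]:
    """Successive Counter32 readings -> per-interval deltas, surviving a wrap."""
    return [(cur - prev) % COUNTER32_MOD for prev, cur in zip(counters, counters[1:])]


def evaluate(counters: List[int], alarm: RmonAlarm) -> List[Optional[str]]:
    """Feed each interval's delta to the alarm; one event (or None) per interval."""
    return [alarm.sample(delta) for delta in delta_samples(counters)]


# Constructed etherStatsOctets readings, one per interval (not a real capture):
# deltas of 30M, 40M, 45M, 30M, 20M and 50M bytes against 30%/20% thresholds.
SAMPLE_COUNTERS = [0, 30_000_000, 70_000_000, 115_000_000, 145_000_000,
                   165_000_000, 215_000_000]
```

With rising set to the 30% row and falling to 20%, the sample produces one rising event at 40M, silence while the segment stays busy, a falling event at 20M and a fresh rising event at 50M; a threshold with no lower bound would instead fire on every busy interval.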
For example, if you define an offset-sequencing trigger to look for telnet packets (i.e., looking for TCP port 23), the offset would be 34 (14 bytes of Ethernet header + 20 more bytes of IP header), and the sequence would be 00 17 (port 23 in hex). See the section on active highlighting (in the Packet View sections of the manual) for help on creating offsets. Note: This trigger is only available using Network Instruments’ RMON2 Probe.
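The byte-sequence-at-offset trigger above, as an added example that is not from the Observer guide: constructed Ethernet/IPv4/TCP frames are checked for 00 17 at offset 34 exactly as the text computes it, and a second matcher walks the headers instead, which shows what a fixed offset misses when a frame carries IP options or an 802.1Q VLAN tag. The MAC and IP addresses in the frames are constructed sample values.

```python
"""Byte-sequence-at-offset matching like the RMON2 trigger above (added example,
not from the Observer guide). The fixed-offset matcher is the trigger as the
text describes it; tcp_ports() derives the TCP header position from the frame
itself, so it still finds port 23 behind IP options or a VLAN tag."""
import struct
from typing import Optional, Tuple

ETHERTYPE_IPV4, ETHERTYPE_VLAN, PROTO_TCP = 0x0800, 0x8100, 6


def build_frame(src_port: int, dst_port: int, ip_options: bytes = b"",
                vlan_id: Optional[int] = None) -> bytes:
    """Minimal constructed frame: MACs, optional 802.1Q tag, IPv4, 20-byte TCP."""
    if len(ip_options) % 4:
        raise ValueError("IP options must pad to a multiple of 4 bytes")
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # constructed MACs
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: ports, seq, ack, data offset 5 words, PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ihl = 5 + len(ip_options) // 4                   # header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 1, 0, 64,
                     PROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return eth + ip + tcp


def match_at_fixed_offset(frame: bytes, offset: int, sequence: bytes) -> bool:
    """The trigger as the guide describes it: literal bytes at a literal offset."""
    return frame[offset:offset + len(sequence)] == sequence


def tcp_ports(frame: bytes) -> Optional[Tuple[int, int]]:
    """(src, dst) TCP ports found by walking the headers; None if not IPv4/TCP."""
    pos = 12
    (ethertype,) = struct.unpack_from("!H", frame, pos)
    while ethertype == ETHERTYPE_VLAN:                # skip one or more VLAN tags
        pos += 4
        (ethertype,) = struct.unpack_from("!H", frame, pos)
    pos += 2
    if ethertype != ETH_IPV4_OR_NONE(ethertype) or len(frame) < pos + 20:
        return None
    ihl = (frame[pos] & 0x0F) * 4                     # IP header length field
    if ihl < 20 or frame[pos + 9] != PROTO_TCP or len(frame) < pos + ihl + 4:
        return None
    return struct.unpack_from("!HH", frame, pos + ihl)


def ETH_IPV4_OR_NONE(ethertype: int) -> int:
    """Helper so the IPv4 check above reads as one comparison."""
    return ETHERTYPE_IPV4


def is_telnet(frame: bytes) -> bool:
    """Port 23 as source or destination, regardless of header layout."""
    ports = tcp_ports(frame)
    return ports is not None and 23 in ports
```

Offset 34 is the TCP source port in a plain Ethernet/IPv4 frame, so the sequence 00 17 there matches traffic sent by a telnet server; the destination port sits two bytes later at offset 36.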
Packet Size 4096-8191 Byte Packets
The number of good non-MAC frames received that were between 4096 and 8191 octets in length inclusive, excluding framing bits, but including FCS octets.
Packet Size 8192-18000 Byte Packets
The number of good non-MAC frames received that were between 8192 and 18000 octets in length inclusive, excluding framing bits, but including FCS octets.
Claim Token Packets
The number of claim token MAC packets detected by the Probe.
Congestion Errors
The number of receive congestion errors reported in error reporting packets detected by the Probe.
Data Broadcast Packets
The number of good non-MAC frames received that were directed to an LLC broadcast address (0xFFFFFFFFFFFF or 0xC000FFFFFFFF).
Data Bytes
The number of bytes of data in good frames received on the network (excluding framing bits but including FCS octets) in non-MAC packets.
MAC Bytes
The number of octets (bytes) of data in MAC packets (excluding those that were not good frames) received on the network (excluding framing bits, but including FCS octets).
MAC Packets
The number of MAC packets (excluding packets that were not good frames) received.
NAUN Changes
The total number of NAUN changes detected by the Probe.
Occurrence of Hardware Address
The occurrence of a hardware address specified in the Actions dialog.
Soft Error Reports
The number of soft error report frames detected by the Probe.
Token Errors
The number of token errors reported in error reporting packets detected by the Probe.

RMON Table
The RMON table is provided for viewing raw RMON data exactly as it is stored on the RMON Probe. Most tables and indices are not directly useful in this view. These values are most likely to be used for verification or troubleshooting purposes. Each of the 19 RMON1/2 groups is available.
DICOM Extension
Introduction to DICOM
The Informationstechnische Dienstleistung division of Siemens AG in Germany has developed, in cooperation with Network Instruments, a DICOM Extension for Observer. This Console decodes and analyzes the interaction procedures for medical/technical equipment which utilizes DICOM (the Digital Imaging and Communications in Medicine standard).
• PDUs of DICOM Upper Layer Protocol—Observer’s Packet Summary window shows captured PDUs of DICOM Upper Layer Protocol in order of appearance. Selected PDUs can then be decoded and displayed.
• DICOM Messages—command and data messages are sorted, and selected messages are decoded and displayed. Because the raw data and the decode are displayed simultaneously, they can be compared line by line.
Decode
• DICOM Upper Layer and DICOM Messages are decoded.
1. Start Observer.
2. Open the Packet Capture window by selecting Capture > Packet Capture. This view shows you whether or not all the packets have been captured, how full the capture buffer is at any given time, and whether any low-level communication errors have occurred (depending on the NIC).
3. Check, and if necessary, alter the setups (i.e., pre-filter, buffer size) by clicking on the SETUP icon.
4. To begin the capture, select Mode Commands > Start Mode or click on the START icon.
5.
2. Select Mode Commands > Select IP Address Pair to open the DICOM Address Filter Setup dialog.
3. Enter the source IP address, the destination IP address, and the ports.
4. Click the OK button.

Capture in the Observer DICOM Window
Only DICOM data that has already passed through the DICOM filter is displayed in this window. All the communication packets that pass through a pre-filter (assuming one is active) are acquired in the capture buffer, regardless of whether or not they contain any DICOM data.
3. Select a *.BFR file.
4. Confirm your selection with “Open.”
If the IP addresses of the communication partners are unknown or if you want to derive them automatically from a TCP packet:
1. Change to the Observer Standard Decode view in Mode Commands > View.
2. Mark a TCP packet belonging to the communication you want to decode.
3. Select Mode Commands > Automatic DICOM Address Pair Filter Setup to set the addresses and ports of the communication partners for the DICOM post-filter automatically.
Evaluating Data in Observer’s DICOM Extension
In order to be able to represent and evaluate a DICOM communication, the data must be captured in Observer DICOM. After you have captured the data, you will see either the DICOM Upper Layer Protocol View or the DICOM Message View. You can toggle between these two views at any time either in Mode Commands or by using the button bar on the left edge of the screen.
The ‘;’ character acts as a delimiter.
• Tag—two WORDS separated by a comma. Example: 0008,0016
• Description—text that is displayed when the data is decoded. Example: SOP Class UID
• Value Representation (VR)—how the data field should be interpreted if it is not specified explicitly. Example: UI
• Value Multiplicity (VM)—not evaluated at present. Can be omitted together with the final delimiter.
Example: Verification SOP Class
Example: 1.2.840.10008.1.1;Verification SOP Class
Important Things to Note:
• The maximum permitted line length is 200 characters.
• All UIDs that are not listed in the Uid.dic file are represented as Unknown UID.
• Blank lines are not interpreted.
• Lines beginning with a # (comment lines) are not interpreted.
• If a UID is defined more than once, only the first UID in the list is evaluated.
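A parser for the two dictionary formats described above (the ';'-delimited tag lines and the UID lines), as an added example that is not the DICOM Extension's own code. Both sample dictionaries are constructed; applying the first-definition-wins rule to tags as well as UIDs, and the "Unknown tag" wording, are assumptions, since the guide states them only for UIDs.

```python
"""Parser for the DICOM Extension's dictionary files as described above (added
example, not the extension's own code). Tag lines are Tag;Description;VR[;VM],
UID lines are UID;Description. Blank and '#' lines are skipped, lines over 200
characters are rejected, the first definition of a duplicate wins, and a UID
that is not listed decodes as "Unknown UID"."""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

MAX_LINE = 200                         # limit stated in the guide


@dataclass(frozen=True)
class TagEntry:
    tag: Tuple[int, int]               # (group, element), each a 16-bit WORD
    description: str
    vr: str                            # Value Representation, e.g. "UI"
    vm: Optional[str] = None           # Value Multiplicity: optional, not evaluated


def meaningful_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, stripped line) for the lines that carry data."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw) > MAX_LINE:
            raise ValueError(f"line {lineno}: longer than {MAX_LINE} characters")
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def parse_tag_dictionary(text: str) -> Dict[Tuple[int, int], TagEntry]:
    """Tag;Description;VR[;VM]; group and element are hex WORDS split by a comma.
    First definition wins (an assumption: the guide states this rule for UIDs)."""
    entries: Dict[Tuple[int, int], TagEntry] = {}
    for lineno, line in meaningful_lines(text):
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 3 or not fields[2]:
            raise ValueError(f"line {lineno}: expected Tag;Description;VR")
        group, _, element = fields[0].partition(",")
        try:
            key = (int(group, 16), int(element, 16))
        except ValueError:
            raise ValueError(f"line {lineno}: bad tag {fields[0]!r}") from None
        if not (0 <= key[0] <= 0xFFFF and 0 <= key[1] <= 0xFFFF):
            raise ValueError(f"line {lineno}: tag WORD out of range {fields[0]!r}")
        vm = fields[3] if len(fields) > 3 and fields[3] else None
        entries.setdefault(key, TagEntry(key, fields[1], fields[2], vm))
    return entries


def parse_uid_dictionary(text: str) -> Dict[str, str]:
    """UID;Description lines; a UID defined more than once keeps its first entry."""
    uids: Dict[str, str] = {}
    for lineno, line in meaningful_lines(text):
        uid, sep, description = (part.strip() for part in line.partition(";"))
        if not sep or not uid:
            raise ValueError(f"line {lineno}: expected UID;Description")
        uids.setdefault(uid, description)
    return uids


def uid_name(uids: Dict[str, str], uid: str) -> str:
    """Look a UID up the way the extension does: unlisted UIDs are 'Unknown UID'."""
    return uids.get(uid, "Unknown UID")


def decode_element(tags: Dict[Tuple[int, int], TagEntry], uids: Dict[str, str],
                   group: int, element: int, raw: bytes) -> str:
    """Render one data element as decode text beside its raw value. UI values are
    padded to even length with a trailing NUL, which is stripped before lookup."""
    entry = tags.get((group, element))
    label = entry.description if entry else "Unknown tag"      # wording assumed
    if entry and entry.vr == "UI":
        uid = raw.rstrip(b"\x00").decode("ascii")
        return f"({group:04X},{element:04X}) {label}: {uid} ({uid_name(uids, uid)})"
    return f"({group:04X},{element:04X}) {label}: {raw!r}"


# Constructed sample dictionaries in the guide's format (not the shipped files).
SAMPLE_TAG_DIC = """# constructed tag dictionary
0008,0016;SOP Class UID;UI;1
0008,0018;SOP Instance UID;UI
0010,0010;Patient's Name;PN;1
"""
SAMPLE_UID_DIC = """# constructed UID dictionary
1.2.840.10008.1.1;Verification SOP Class
1.2.840.10008.1.2;Implicit VR Little Endian

1.2.840.10008.1.1;Duplicate definition that must be ignored
"""
```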
Troubleshooting
General Principles
Although most installations of Observer will proceed without any trouble, sometimes trouble arises due to the vast number of network configurations and PC hardware/software options that Observer supports. If you experience trouble in setting up Observer, keep a number of things in mind.
• Try to simplify your setup in any way possible. This means if you have a screen saver loaded, disable it.
Specific Issues
NDIS
Observer is reporting that your network adapter card does not support promiscuous mode.
• Contact your network card adapter manufacturer and see if they support promiscuous mode for the card and driver you own.
• If you cannot get in touch with the network card manufacturer, try downloading the latest driver from the network card manufacturer’s Web page. Very often, card manufacturers do not include promiscuous mode in an initial release of a driver, but add it in later releases.
Load Driver Could Not Open VMONI1 Service
Observer is telling you that you have not installed the VMON50 Service under Windows. You will need to follow the instructions for installing Observer.

Problems Licensing Your Product
“My license numbers do not work”
• Make sure you are licensing the correct version of the product. License numbers are version specific, and will work within all equal major version numbers of a product. For example, the license number for Observer 7.0 will work with Observer 7.
Observer Suite Custom Decode Kit
Introduction
Observer Suite’s Custom Decode Kit gives an experienced C++ programmer the ability to add custom, proprietary, or additional protocols to Observer decodes. The Custom Decode Kit is provided as a Microsoft Development Studio v6.0 C++ project. This project should be used as an example and template. The Custom Decode Kit is an add-on for Observer Suite and is not available with the basic Observer or Real-Time Expert products.
The Custom Decode DLL entry point functions: CustomDecodeFrame(), CustomDecodeIP(), CustomDecodeUDP(), and CustomDecodeTCP() are called from Observer to permit a programmer to add a custom decode. For example, if you decide to write a decode for UDP port 8765, when your CustomDecodeUDP() function is called, you have to check in the UDP header whether or not the port is 8765. If it is, you do your decode, adding lines to the Tree Control in a way similar to the CustomDecode sample project.
        void * pProtocolFieldStart,
        long nProtocolLength,
        long nOffsetFromBeginningOfPacket,
        long nBitmapLevel,
        DWORD dOpenTreeList,
        HWND hwndTree,
        void * pPrintStruct);

    // decode starting after IP protocol header
    extern "C" BOOL FAR PASCAL CustomDecodeIP (
        void * pIpHeaderStart,
        void * pIpDataStart,
        long nIpDataLength,
        long nOffsetFromBeginningOfPacket,
        long nBitmapLevel,
        DWORD dOpenTreeList,
        HWND hwndTree,
        void * pPrintStruct);

    // decode starting after UDP protocol header
    extern "C" BOOL FAR PASCAL CustomDecodeUD
These are the standard Microsoft Development Studio AFX files. Only an experienced C++ programmer should modify any of the source files in the Observer Suite Custom Decode Kit. Please refer to code comments for explanations about particular functions.
Using Observer from HP OpenView
Overview
All Observer-family analyzers include the tools you need to integrate Observer into Hewlett-Packard’s OpenView administrative interface. This will allow you to see and control Observer-equipped PCs from the HP OpenView administrative interface. For details on how to integrate Observer products with HP OpenView, please see the HPOV_Integration_Readme.html located in the HPOV_Integration directory which is located in your Observer install directory.