Transcend User Guide ® Software version 3.0 for Windows NT http://www.3com.com/ Part No. 09-1825-000 Published August 1999 Traffix Manager ® ™ ®...
Page 2
3Com Corporation. Traffix is a trademark of 3Com Corporation. 3Com Facts is a service mark of 3Com Corporation. Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated. HP and OpenView are registered trademarks of Hewlett-Packard Company. AIX and IBM are registered trademarks of International Business Machines Corporation.
ONTENTS BOUT How To Use The Traffix Manager Documentation Conventions Terminology Used in this Guide Related Documentation Documents Web Sites Documentation Comments Year 2000 Compliance ETTING TARTED WITH RAFFIX ANAGER What to Read First Features of Traffix Manager How Does Traffix Manager Work? Strategy for New Users AUNCHING RAFFIX...
Page 4
RAFFIX OLLECTING How Traffix Manager Processes Collected Data RMON Overview Remote Monitoring RMON-2 Standard How Traffix Manager Discovers Network Devices Using RMON-2 ROUPING Overview Attributes Predefined Attributes Groupings Predefined Groupings Creating and Assigning Attributes Creating Groups and Ordering Attributes UNNING RAFFIX AUNCHING Launching the Traffix Manager Server...
Page 5
ISPLAYING ETWORK Loading Network Traffic Data Working with Objects in the Main Window Displaying Object Information Searching for Objects Selecting and Deselecting Objects Locating Objects in the Map Displaying Network Traffic Data Displaying Connections Between Objects Displaying Connections To and From Objects Combining To and From and Between Removing and Hiding Traffic Protocols, Applications and Favorites...
Page 6
Deleting Events Ignoring Devices or Connections Displaying an Event in the Map Displaying an Event in the Launch Graph Dialog Box Forwarding Events as SNMP Traps Integrating Traffix Manager SNMP Traps with HP OpenView VERVIEW OF EPORTING Overview Types of Report...
Page 7
EPORT YPES Report Templates Activity Reports Top N Reports Connection Activity Report Device Activity Report Group Activity Report Segment Activity Report Top N Connections Report Top N Devices Report Top N Groups Report Top N Segments Report PPENDICES AND ROUBLESHOOTING Troubleshooting Traffix Manager Troubleshooting Reports Diagnosing Reporting Problems...
Page 8
GGREGATING EVICES Overview Default Aggregation Specifying an Aggregation Policy SING THE UBNETS Using the SubnetsDB File How Subnet Grouping Works UTOMATIC TTRIBUTE Overview Contents of the User-defined Attributes Configuration File File Format Performing Attribute Assignment Using the fileattrs Program Configuration File Format Running fileattrs How fileattrs Works Using the dblookup Program...
Page 9
ONFIGURING Downloading Firmware to 3Com Standalone Agents Setting the Operational Mode on 3Com Standalone RMON-2 Agents DHCP How Traffix Manager Monitors DHCP Devices What Effect Do DHCP Devices Have On The Map? RMON-1 A SING Monitoring Network Segments Using RMON-1 Agents RMON SNMP T SNMP Tables used by Traffix Manager...
This guide describes Transcend Windows NT. This application gathers, displays and analyzes enterprise-wide network traffic. Procedural information on how to perform all tasks using Traffix Manager, as well as context-sensitive information about each dialog box, is provided in the online help. This guide is intended for network administrators.
Page 12
BOUT UIDE Table 1 Where to find specific information (continued) If you are looking for An overview of the RMON-1 and RMON-2 standards, and an introduction to how Traffix Manager uses RMON-2 agents to collect data from your network. Information on grouping devices to create views of your network in the Map. Procedures for launching Traffix Manager after the first time.
Table 1 Where to find specific information (continued) If you are looking for Information about what’s new in this release of Traffix Manager. A list of known problems in this release of Traffix Manager. Conventions Table 2 Table 2 Notice Icons Icon Table 3 Text Conventions Convention...
BOUT UIDE Table 3 Text Conventions (continued) Convention Words in italics Terminology Used Refer to the in this Guide terms. Terms which are defined in the Glossary are italicized at their first use in the User Guide. Related The following documents and Web sites contain useful networking Documentation information.
RMON-2 Protocol Identifiers: http://www.it.kth.se/docs/rfc/rfcs/rfc2074.txt Miscellaneous List of third-party agents which are supported by Traffix Manager: http://www.3com.com/network_management/probe_interop Links to network management information: http://snmp.cs.utwente.nl Internet Engineering Task Force home page: http://www.ietf.cnri.reston.va.us Network Management Resource Database: http://www.cforc.com/cwk/net-manage.cgi Documentation Your suggestions are very important to us. They will help make our Comments documentation more useful to you.
BOUT UIDE Year 2000 For information on Year 2000 compliance and 3Com products, visit the Compliance 3Com Year 2000 Web page: http://www.3com.com/products/yr2000.html...
This chapter introduces you to Traffix It contains the following sections: What to Read First Chapters 1–5 contain a conceptual overview of the processes you need to follow in order to get to the stage where Traffix Manager is displaying network traffic data for analysis.
1: T HAPTER RAFFIX ANAGER The Traffix Manager online help contains detailed procedural information on how to perform all tasks, and information about each application dialog box. The Traffix Manager Release Notes contain installation information, and a list of known problems with this release. Features of Traffix Traffix Manager collects and displays information about the application Manager...
How Does Traffix Traffix Manager is a client/server application. The Traffix Manager server Manager Work? periodically polls RMON-1 and RMON-2 agents on your network for data about conversations between devices. See page 37 Industry standards — Traffix Manager supports the IETF RMON-2 standard, which enables information about network and application layer protocol communication patterns to be collected.
Page 22
Map, in various charts, or in one of the various reports. See for more information about the Map. VERVIEW Network management station Servers Network Workstations Printers Chapter “Using Event “About the Main Window” Printer Network Printer Rules”, for more information. page 28...
Strategy for New If you have just begun using Traffix Manager to monitor your network, Users you should do the following: Keep the Traffix Manager server running at all times so that data is continuously stored and prepared for reporting. The client does not need to be kept running.
FOR THE This chapter provides information on launching Traffix first time. Information on installing Traffix Manager is documented in the Release Notes which are shipped with this product. It contains the following sections: Installing RMON Before you can launch Traffix Manager, you need to have at least one Agents on Your RMON agent installed on your network to collect traffic data.
2: L HAPTER AUNCHING RAFFIX Launching the There are two steps to launching Traffix Manager: you must launch the Traffix Manager Traffix Manager server first and then launch the Traffix Manager client. Server To launch the Traffix Manager server: 1 Select Programs from the Start menu, and open the directory in which you installed the Traffix Control Panel.
Page 27
configuration of data sources, and take you to the point where traffic data is displayed in the main window. The startup wizard first prompts you for the DNS domain(s) of those devices which you want to monitor in detail. Traffix Manager considers this specified DNS domain to be your “local network”.
2: L HAPTER AUNCHING RAFFIX Figure 2 Traffix Manager Main Window Stopping Traffix To stop a Traffix Manager client, click Exit on the File menu in the main Manager window. To stop the Traffix Manager server, click Stop Server in the Traffix Control Panel.
Also allows you to change between Traffix administrator and read-only user. Launches the standard Printer Options dialog box from which you can output the contents of the main window to a printer or file.
Page 30
2: L HAPTER AUNCHING RAFFIX Table 4 Traffix Manager Main Window Menu Options (continued) Menu Option Groupings... Reload Attributes Display Add Connections To and From Remove Connections To and From Add Connections Between Remove Connections Between Remove All Connections Show Mapped Connections Map All Objects Map Connected Objects Labels...
Page 31
Table 4 Traffix Manager Main Window Menu Options (continued) Menu Option Zoom... Graph Panel Settings... Launch Graph Collection Configure Agents... Agent Hardware Maintenance... Aggregation... Database Size... Events Event Rules... Show Rules for Current Selection... Event List (All)... Event List (Current Selection)... Reports Report Manager…...
Page 32
2: L HAPTER AUNCHING RAFFIX Table 4 Traffix Manager Main Window Menu Options (continued) Menu Option Index About detailed information on working with objects in the main window. ANAGER FOR THE IRST Function Launches online help with the Index tab selected. Launches the About Traffix Manager screen, giving the version name and numbers of the application.
This chapter describes how Traffix network. It contains the following sections: How Traffix Traffix Manager collects and correlates data from stand-alone and Manager Processes embedded RMON-1 and RMON-2 agents, from both 3Com and other Collected Data vendors. This data provides a complete picture of enterprise network traffic for performance management and trend analysis.
Page 36
The Reporter uses the same data to generate scheduled reports, which can then be distributed as HTML files for viewing by a web browser or to your printer. See information. Reporter Relational...
RMON Overview Traffix Manager supports all agents that are compliant with the Internet Engineering Task Force (IETF) Remote MONitoring Management Information Base Version 1 (RMON-1 MIB), defined in RFC 1757, and Version 2 (RMON-2 MIB), defined in RFCs 2021 and 2074. The RMON standards bring the following advantages to network monitoring: An RMON agent can be deployed as a stand-alone probe or embedded...
3: C HAPTER OLLECTING single segment. Traffix Manager uses RMON-2 functionality to build up a picture of communicating devices on the network and the traffic flowing between them, including network layer addresses and protocols seen. For further information on RMON-1 and RMON-2, refer to the 3Com RMON-1 and RMON-2 Backgrounder on the 3Com Web Site: http://www.3com.com/nsc/501305.html.
This chapter contains the following sections: Overview With Traffix your own criteria. You can view the use of your network by, for example, cost center, business unit, workgroup, business-critical connection or geographical location. You can then filter the display of traffic data further by selecting which protocols to display.
4: G HAPTER ROUPING ETWORK Attributes To understand how Traffix Manager groups devices in the Map, it helps to be familiar with the concepts of attributes and groupings. An attribute is a label for a piece of information about a device: for example, location or IP address.
Page 41
Table 5 Predefined Attributes (continued) Name Description MAC Addr Only devices which are in the same broadcast domain as the interface on an RMON-2 agent will have the MAC address attribute assigned to them. “Assigning MAC Addresses” page 42 Vendor The Vendor attribute is only assigned if the following criteria are met: The MAC Address attribute is...
4: G HAPTER ROUPING ETWORK EVICES IN THE Assigning MAC Addresses When the client is first started, it tries to locate the Traffix Manager server through the use of a broadcast message. If the system on which the client is running is not in the same broadcast domain as the server, this broadcast message will fail, and the client will not be able to connect to the server.
The Map shows a hierarchical view of the devices in your network according to the selected grouping. By selecting a Geographical grouping for example, devices will be grouped according to which country they are in. Within each country, devices may be grouped according to which city they are in.
4: G HAPTER ROUPING ETWORK a Add appropriate entries to the SubnetsDB configuration file. See b Either start a new database or use Reload Attributes... with Subnets c Create a new grouping using the following attributes (in the order d Select this grouping. Creating and You must create attributes, or select predefined attributes, to include in Assigning Attributes...
Groupings Figure 5 Attributes dialog box The Attributes dialog box displays, in rows, a list of selected devices on your network, and in columns, a list of available attributes. By default, devices currently selected in the Map are listed, with values for the attributes that apply to the selected grouping.
Page 46
4: G HAPTER ROUPING ETWORK EVICES IN THE Figure 6 Groupings dialog box...
UNNING Chapter 5 Launching Traffix Manager After the First Time Chapter 6 Configuring Agents for Data Collection Chapter 7 Displaying Network Traffic in the Main Window Chapter 8 Displaying Traffic in Graphs Chapter 9 Using Event Rules Chapter 10 Viewing Events Chapter 11 Overview of Reporting Chapter 12...
This chapter provides information on how to launch Traffix after the first time. It contains the following sections: Launching the Start the Traffix server using the Traffix Control Panel. The Traffix Control Traffix Manager Panel is also used for database administration. See Server “Database Management Using Traffix Control Panel”...
5: L HAPTER AUNCHING RAFFIX To use a remote server, you must add the IP address of the machine running the server to the shortcut in the Start menu. To do so, follow these steps: 1 Select Settings from the Start menu, and then Taskbar... 2 In the Taskbar Properties dialog box, select the Start Menu Programs tab.
This chapter describes how to use Traffix enable RMON agents on your network for data collection. It contains the following sections: agents. Supported RMON Traffix Manager supports all agents which implement all the relevant Agents and groups of RMON-1 and RMON-2 standards. Interfaces Refer to RFCs 1757, 2021 and 2074 for a list of the RMON groups which are retrieved by Traffix Manager:...
6: C HAPTER ONFIGURING Finding Agents for The agents used may be devices with RMON-1 or RMON-2 embedded Data Collection within them, such as switches or hubs, or they may be dedicated stand-alone RMON probes. You can search for compatible agents from the startup wizard and from the Configure Agents dialog box.
Page 53
To enable you to manage large numbers of collection agents, agent folders can be created in the tree and the agents dragged and dropped into them. Adding and Editing Agents From the Configure Agents dialog box you can use Traffix Manager to automatically find agents on your network, or you can add agents yourself.
6: C HAPTER ONFIGURING GENTS FOR Viewing Agent Statistics You can view the statistics of a selected agent from the Agent Statistics dialog box. This dialog box displays various statistics related to SNMP communication with the agent. Refer to the online help for more detailed information about the Agent Statistics dialog box.
Page 55
Finding Agents for Data Collection Traffix Manager. See Appendix G for more information about setting the mode on 3Com standalone RMON-2 agents.
Page 56
6: C HAPTER ONFIGURING GENTS FOR OLLECTION...
This chapter contains the following sections: Before you can display traffic data, you need to use Traffix collect it from your network. To find out if there is data already collected, open the Load Traffic dialog box from the File menu. If no data has been collected, see information about collecting data from your network.
7: D HAPTER ISPLAYING ETWORK Figure 7 Load Traffic dialog box Working with Once you have loaded network traffic data, you can display information Objects in the Main about objects on your network, search for and select objects, and locate Window objects in the Map.
A selected object is colored blue. The shade of grey used to color the inside of a group is only used to make it more visible in the Map and does not denote a specific state. Group Statistics You can use the Number of Devices dialog box to find out how many devices are in a selected group, and how many of those devices are active (transmitting/receiving traffic).
7: D HAPTER ISPLAYING ETWORK Table 7 menu and from buttons in the main window. Table 7 Description of Display Buttons Button Displaying With two or more objects selected, click Add Connections Between to Connections Between display traffic going between the selected objects only. Objects With a single group selected, selecting Add Connections Between maps traffic going between objects within that group only.
Combining To and You can use the To and From and Between options in combination to From and Between turn off a subset of the traffic connections. Removing and Hiding To remove all traffic from selected objects in the Map, select Remove All Traffic Connections from the Display menu.
7: D HAPTER ISPLAYING ETWORK If you want to change the protocols in an application, create a new favorite rather than edit a predefined application grouping. The concept of having applications and favorites (collections of related protocols) also applies also to graphs, reports and events, as well as to viewing in the Map.
Page 63
You might then create a favorite called Server, containing both user-defined protocols. You could display this favorite in the Map as a single color, to show the overall use of both protocols on your network. To set up a user-defined protocol, you need: The name of the parent protocol over which it runs, for example The protocol number.
7: D HAPTER ISPLAYING ETWORK Many current implementations of RMON-2 agents do not support user-defined protocols. If in doubt, check with your agent vendor. Device Aggregation Aggregation is a way of limiting the number of devices Traffix Manager has to track. As more devices are displayed in the Map, it becomes more difficult for you to determine traffic patterns on your network.
This chapter contains the following sections: Overview You can use the graph tools in Traffix traffic. The graph panel of the main window shows summary information about the most significant items selected in the Map. In addition to this, you can open the Launch Graph dialog box to display more detailed information about selected items.
8: D HAPTER ISPLAYING RAFFIC IN Using the Graph The Graph Panel of the main window shows basic information about the Panel network activity of selected items in the Map as a number of graphs. Figure 8 Graph Panel The following graphs of objects selected in the Map are displayed in the main window: RAPHS Summary Bar —...
Use the Graph Panel Settings dialog box to configure the display of the Graph Panel. Figure 9 Graph Panel Settings dialog box The options for display are: Using the Launch Use the Launch Graph dialog box to display detailed information about Graph Dialog Box items in the Map.
Page 68
8: D HAPTER ISPLAYING RAFFIC IN Figure 10 Launch Graph dialog box The settings used to create the launched graph are those used in the Map at the time you launch the dialog box. If the data is filtered in some way, for example by protocol, that filtering is used when producing the graphs.
Top Objects — Show the busiest objects. Which objects are considered depends on the level set in the Graph Settings dialog box. Top Connections — Shows the busiest connections. Which connections are considered depends on the Level and Unit Total set in the Graph Settings dialog box.
This chapter describes how to use event rules to analyze the data collected by Traffix your network. This chapter contains the following sections: Overview Using Traffix Manager, you can set up event rules to provide you with information about the security of your network, and the level of traffic on the network.
9: U HAPTER SING VENT The event rules in Traffix Manager fall into two broad categories: The various types of event rule are discussed in more detail in the following section. Traffix Manager provides a number of predefined event rules that cover common network issues.
Examples of Event There are a total of eight types of event rule, the possible uses of which Rules are discussed below. Security Event Rules These types of event rule help you to protect your network from unauthorized access or improper use. Detect Unauthorized Machine Access You use this type of event rule to help you enforce policies about access to specified machines.
9: U HAPTER SING VENT ULES Traffic Event Rules These types of event rule help you to detect significant changes in the behavior of a machine or connection. Such changes are often causes or indicators of problems on the network. They may also indicate that some part of the network is overloaded, and could give advance warning that the load on a device is increasing.
By applying the protocol filter to an event rule of this type, you can use it to monitor the usage of specific network services on the devices. For example, you can use this event rule to: Monitor Critical Connections Changes on an important link can lead to unexpected congestion. You can use an event rule of this type to monitor a list of WAN or backbone links and generate an event if the network traffic on the link changes significantly.
9: U HAPTER SING VENT ULES Figure 11 Event Rules dialog box Traffix Manager provides wizards to help you add and edit event rules. Refining Event Rules When you add or edit an event rule, you can modify it to monitor the traffic on your network and your network security, according to your own requirements.
Specifying the Time Filter With certain types of event rule, you can specify the times at which rules apply. For example, you could choose to restrict unauthorized traffic at all times, or only during certain periods. Specifying Sensitivity For most event rule types, you can specify how sensitive you want the rule to be: When you create an event rule, you can set the sensitivity of that rule approximately on a simple slider.
9: U HAPTER SING VENT ULES Maintaining Network Security You can configure Detect Network Sweep Attack and Detect New Devices event rules to generate security events. There are event rules of both types already preconfigured. However, your firewall may be a more appropriate source of information about attacks from outside the network than Traffix Manager.
Using Event Rules The Map can provide you with immediate information about which devices have been using particular servers. Detecting Unauthorized Servers You can use the Detect Network Sweep Attack rule to spot users creating unauthorized servers on the network. For example, you can detect unauthorized FTP servers by creating a rule which detects FTP traffic on the network, but which ignores traffic to and from known FTP servers.
9: U HAPTER SING VENT ULES Implementing Some organizations and network administrators have specific policies Business Policies about how the network can be used, in general or at different times of day. Detect Network Misuse and Detect Unauthorized Machine Access event rules are powerful tools for detecting behavior that does not conform to such policies.
This chapter describes use of the Event List. It contains the following sections: Overview Traffix your network and network security. When the conditions for a rule are met, an event is generated. See event rules. Events are also generated by the Collector and Reporter processes. The Event List in Traffix Manager displays events generated by all these sources, and supports various viewing options.
10: V HAPTER IEWING VENTS Viewing Events You use the Event List to display information about events. Figure 12 Event List The Event List provides the following information about each event: Acknowledged — whether the event has been acknowledged. By default only unacknowledged events are displayed.
The severity of the event. The rule that generated the event. A detailed explanation of the reason for the event. The activity of the device before and after the change that caused the event. You can sort, filter, and summarize the display of events. These last two operations are described in more detail below.
10: V HAPTER IEWING VENTS Only events generated by event rules can be displayed in this way. Summarizing Events You can manage the display of the Event List by summarizing events, so that only one entry is shown for a number of events. When events are summarized, the number of events related to the summarized entry is displayed.
Viewing and By selecting an event in the Event List, you can carry out the following Managing Selected actions. These actions do not apply to events generated by the Collector Events or the Reporter. The last three operations depend on the type of event, and are described in more detail in the remainder of this section.
This section gives an example of how to integrate Traffix Manager SNMP Manager SNMP Traps Traps forwarded from the Event List with HP OpenView. At the time of with HP OpenView writing, the Traffix Manager Event forwarding feature uses the 3Com RMON Event Trigger SNMP Trap PDU (Specific ID 82).
Page 87
2 The MIB files that define events are supplied by a number of enterprises. Select 3Com in the Enterprises field of the Event Configuration dialog box. The system object ID corresponds to the value supplied with the SNMP Trap. 3 The list in the bottom half of the Event Configuration dialog box lists events associated with the enterprise selected in the top half.
You can schedule the generation of daily, weekly and monthly reports. These reports are automatically run overnight and delivered to your Web server or printer, or stored as data files for later use. You can also generate reports on demand (ad hoc reports) at any time.
Output Traffix Manager uses the raw data to output professional reports as hard copy to a printer on the server, as HTML files, or as Comma Separated Value (CSV) files. CSV files can be read into a spreadsheet or database application for further analysis.
Page 91
Weekly Reports These reports use all data collected on the day specified and the following 6 days. The report is generated in the early hours of the day after the last day covered by the report. For example, if you select from Friday through to the following Thursday (Figure of the following week is used.
11: O HAPTER VERVIEW OF Managing Reports You use the Report Manager to add, schedule, edit and delete reports. Figure 17 Report Manager The Report Manager has three main areas: The use of these three areas in managing reports is explained in more detail in the remainder of this section.
The reporting features available depend on the client access level. A read-only user can browse existing reports, view report details, and view reports in the output queue. An administrator can also add, edit and delete reports, change report scheduling and output options, and run ad hoc reports.
11: O HAPTER VERVIEW OF You can choose to delete raw data to reclaim disk space if required. See “Setting Global Report Options” deleting raw report data. Scheduling Reports The Report Schedule dialog box is displayed automatically when you add a new report instance.
Reports can be delivered automatically only to a printer visible to the server. If you want to print a report using a printer visible to the client, you should output the report as HTML. You can then print the required pages from your Web browser.
(Report output could fail if, for Output example, a file cannot be written to, or a printer is off line. See “Troubleshooting Reports” You can show output for all reports, or only for the report currently selected in the Report Manager.
Therefore, scheduled reports are run overnight, to be delivered to your Web server or printer in the morning. Ad hoc reports can be started from the Report Manager but, according to the quantity of data being processed and the number of reports queued, they may not be output immediately.
11: O HAPTER VERVIEW OF groups, rather than for your entire network. See Attributes” Generate a top N Summary Report to Determine Objects for an Activity Report You can run top N reports in two modes: To identify key network objects, generate a top N report in summary mode.
This chapter describes in detail each type of report in Traffix Report Templates For each kind of object — connections, devices, groups of devices, and segment — there are two types of report template, activity and top N. Activity Reports Each activity report consists of two sections: Top N Reports Top N reports can be run in two modes:...
12: R HAPTER EPORT YPES The different types of report are described in turn in the remainder of this chapter. Connection Activity This report contains detailed information on each specified connection. Report Traffic flowing in both directions between the selected end points is used. When selecting end points, you can select any two objects from the Map as the end points of a connection.
Table 8 Connection Activity Report Charts (continued) Report Section Chart Title Device Activity This report contains detailed information on each specified device. Report Table 9 Device Activity Report Charts Report Section Chart Title Description Report Information about the report itself. Information Description Device Activity...
12: R HAPTER EPORT YPES Group Activity This report contains detailed information on each specified group. Report There are three ways you can report on groups: Table 10 Group Activity Report Charts Report Section Chart Title External — Traffic flowing into or out of the group only Internal —...
Segment Activity This report contains detailed information on each specified segment. For Report the purposes of reporting, it is assumed that each separate segment of your network is monitored by an agent interface. Many sites (particularly in a switched environment) have large numbers of segments and it may be too expensive to instrument all of them with RMON-2 agents.
Page 104
12: R HAPTER EPORT YPES Table 11 Segment Activity Report Charts (continued) Report Section Chart Title Description Error History A baseline chart showing the actual total number of With Baseline error packets over the report period as a line. This is overlaid on bands representing normal, borderline and unusual error totals.
Top N Connections This report calculates the top N connections by total octets sent and Report received over the report period. A connection can be one of the following: You can limit the report to consider only connections between groups or devices at specified levels in the grouping, and also where each end of the connection must be within a specified parent group.
Page 106
12: R HAPTER EPORT YPES The following are examples of reports on the default Type and Network grouping. See more information about the default groupings. Table 12 Top N Connections Report Charts Report Section Chart Title (continued) “From at Country level to the U.K.
Table 12 Top N Connections Report Charts (continued) Report Section Chart Title Top N Devices This report calculates the top N devices by total octets sent and received, Report and by the number of “hits” over the report period. You can limit the report to consider only devices within a specified group.
Page 108
12: R HAPTER EPORT YPES Table 13 Top N Devices Report Charts (continued) Report Section Chart Title Description Top Devices By A stacked bar chart containing the top N devices as Hits measured by total hits, broken down by protocol. A hit is a conversation of a particular protocol between the device and another device.
Top N Groups This report calculates the top N groups by total octets sent and received Report over the report period. You can limit the report to consider only groups at a specified level in the grouping scheme within a parent group. Some examples of group reports are: The information contained in the report is shown below.
12: R HAPTER EPORT YPES Table 14 Top N Groups Report Charts (continued) Report Section Chart Title Top N Segments This report calculates the top N segments by utilization, and by Report percentage of errors. For most networks it is sufficient to allow Traffix Manager to select automatically the top N segments by selecting All Segments for the top N segments report.
Page 111
Table 15 Top N Segments Report Charts (continued) Report Section Chart Title Description Utilization A multiple line chart showing the history of the History utilization for each of the N segments over the report period. Utilization An alternative way of viewing the utilization history. Health Chart Utilization values are shown as cells with the cell color indicating the band of utilization.
Page 112
12: R HAPTER EPORT YPES Table 15 Top N Segments Report Charts (continued) Report Section Chart Title Description Utilization A baseline chart showing the actual utilization over the History With report period as a line. This is overlaid on bands Baseline representing normal, borderline and unusual utilization.
Appendix A Troubleshooting Traffix Manager Appendix B Database Management Using Traffix Control Panel Appendix C Aggregating Devices Appendix D Using the SubnetsDB File Appendix E Automatic Attribute Assignment Appendix F Supported RMON-2 Devices Appendix G Configuring 3Com Standalone RMON-2 Agents Appendix H DHCP Appendix I...
This appendix is divided into two sections: For information on reporting problems to 3Com, see “Technical Troubleshooting Table 16 Traffix Manager running Traffix Table 16 Diagnosing Traffix Manager Problems Problem Cause Client Will Not Start. Traffix server is not running. Traffix server is running in a different broadcast domain to...
A: T PPENDIX ROUBLESHOOTING Table 16 Diagnosing Traffix Manager Problems (continued) Problem Cause No Data in the Map. Event Rule does not generate any events. When you manually Agent does not enter the IP address of support RMON-1 or an agent you want to RMON-2.
Page 117
Table 17 Diagnosing Reporting Problems Problem Cause Raw report fails when Database directory is running ad hoc or full (raw report data is scheduled reports. stored in the database). HTML output fails even HTML output directory though raw data is is not writable.
Page 118
A: T PPENDIX ROUBLESHOOTING Table 17 Diagnosing Reporting Problems (continued) Problem Cause Reports take very long Reports using large time to run. amounts of data can take some time to complete. Scheduled reports do Traffix Manager not run. processes are not running.
Page 119
Table 17 Diagnosing Reporting Problems (continued) Problem Cause The reporter was “ERROR could not unable to create an open output file: <filename>” in event output file. viewer. Troubleshooting Reports Solution This is most often caused by insufficient permissions — you do not have permission to create output files where requested.
Page 120
A: T PPENDIX ROUBLESHOOTING RAFFIX ANAGER...
This appendix contains: Overview of Traffix From the Traffix Control Panel, you can manage the operation of the Control Panel Traffix Traffix Manager uses a database to store topology, trend data, collector configurations, device attributes, scheduled report templates and report data.
B: D PPENDIX ATABASE ANAGEMENT Figure 18 Traffix Control Panel These applications help you to manage and organize a number of databases, for example, if you want to keep extra databases for backup purposes or to provide snap shots of your network or portions of your network over time.
The amount of free disk space remaining on your PC for data collection to the database. The location of HTML reports. From this dialog box, you can launch the following operations: Create a new database to write data from the network to. Unless you want to get rid of the contents of a database entirely, you should always use the Clean Database application instead of deleting a database and creating a new one.
Page 124
B: D PPENDIX ATABASE ANAGEMENT You can carry out the following operations from the Database Maintenance dialog box: Clean databases Clean the current Traffix Manager database by selecting from the following options: When you clean a database, the agent configurations and local DNS domains are not deleted.
3Com recommends that you back up your database regularly, the frequency depending on how important your trend data is to the way you monitor your network. If you want to view and report on your weekly data, you should back up your database once a week. If viewing and storing your trend data is less important, backing up your database once a month may be adequate.
B: D PPENDIX ATABASE ANAGEMENT This dialog box also allows you to select whether Traffix Manager starts automatically every time you log on to your machine. Default DNS Domain Allows you to set a default DNS domain, if you wish to change the previously configured default.
Deinstalling Traffix To deinstall Traffix Manager 2.0 for NT: Manager 2.0 1 Close Traffix Manager and all related processes. To check which processes are running, right-click the Windows NT Taskbar and select Task Manager. The Applications and Processes tabs contain a list of any active programs. 2 From the Start menu, select Settings >...
Page 128
B: D PPENDIX ATABASE ANAGEMENT 1 To display a program group, right-click Start and select Open All Users. Double-click a program entry to display the program group. 2 Right-click the control button in the top left corner of the Traffix Manager program group title bar.
This appendix describes: Overview Aggregation reduces the amount of memory and disk resources required by Traffix a single device. For example, in sites where there is a lot of Internet traffic, some or all external devices can be aggregated together. This may be the only way to limit the resource usage to an acceptable level.
C: A PPENDIX GGREGATING Specifying an To aggregate devices on a particular network, it is necessary for the Aggregation Policy aggregator to be configured for that network. This is done by specifying an aggregation policy. Once an aggregation policy has been configured, it only affects data collected from that point on.
Page 131
Selecting the Default Aggregation Action The default aggregation action is the method of aggregation applied to network devices which have a DNS name, but which are not contained within one of the local DNS domains. There are three default aggregation actions, from which you can select and apply one to non-local DNS domains.
Page 132
C: A PPENDIX GGREGATING Setting a Maximum Device Limit You can specify a device limit of 100,000 devices. This allows you to monitor local devices in detail, but reduce the detail of data kept about non-local devices. This setting is treated as a “hint” by Traffix Manager: if new local devices are seen after this user-defined limit is reached, the setting is increased gradually, up to the maximum version limit, to allow for the new local devices to be stored.
Using the This facility allows you to group the devices on your network by subnet. SubnetsDB File Click Subnets Editor in the Traffix definition file, which contains information about subnet groupings. This file can be edited and reapplied at any time. To set up subnets: 1 Edit the SubnetsDB file using the Subnets Editor provided in the Traffix Control Panel.
Page 134
D: U PPENDIX SING THE UBNETS Subnet masks must comply with the primary internet network class types by covering at a minimum the part of the address that represents the network bits. In Table 18 Subnet Masks Class Description If a subnet mask spans more than one class A/B/C subnet then only the first entry should be used.
4 If you already have devices showing in the Map, reload the subnets attributes using the Reload Attributes dialog box, which you access from the Edit menu in the main window. 5 Create a subnets grouping. See information on how to create a site-specific subnet grouping. 6 Apply the grouping.
Page 136
D: U PPENDIX SING THE UBNETS subnet 89.0.0.0 89.0.0.0 DB F For example, if the SubnetsDB file was to contain the following entries with the same subnet address: mask name 255.0.0.0 Group1 255.255.0.0 Group2 Any device matching both of these subnets would be placed in Group 2, as this has 16 set bits in its subnet mask, whereas Group 1 has only 8 set bits.
This appendix describes: Overview Automatic attribute assignment within Traffix automatically import attribute values from various data sources to create groupings and to identify objects in the Map. The data sources could be a text file, a Microsoft Excel spreadsheet, a Microsoft Access database or a program that you write.
E: A PPENDIX UTOMATIC TTRIBUTE By editing the user-defined attributes configuration file, you select which programs are used to determine attributes for objects. You can use the standard programs supplied, or you can create your own custom programs. There are two standard programs and one example program provided: Contents of the This file can be viewed or edited by double clicking on Attribute Lookup User-defined...
File Format Lines beginning with # are comments and are ignored. All other lines take the form: <Name> <label> <filename> <arguments> <flag> <label> is used in the collector event logs to refer your attribute lookup program. Otherwise it is unused. <filename>...
E: A PPENDIX UTOMATIC TTRIBUTE Performing Attribute assignment is carried out on any newly discovered devices. In Attribute addition, you can force a refresh at any time by using the Reload Assignment Attributes dialog box. Refer to the online help for the Reload Attributes dialog box for more information.
Configuration File Example 2 To assign user and operating system information to devices based upon their address: *KEY:2 *ATT:NL Type, NL Address, User, O/S IP, 104.240.20.10, Joe Bloggs, Solaris 2.5 IP, 104.240.20.8, Joe Bloggs, Windows 95 IP, 104.240.20.13, John Smith, Solaris 2.5 IP, 104.240.20.14, General Use, AIX 4.1 If the discovered device has the NL Type IP and an NL Address of 104.240.20.13, this matches the key fields of the third entry and assigns...
E: A PPENDIX UTOMATIC TTRIBUTE The KEY attribute(s) for that device can be any of the attributes which are assigned automatically by Traffix Manager, for example, NL Address and NL Type. See “Predefined Attributes” on page 40 for a list of attributes which are automatically assigned by Traffix Manager.
network-type lookup tables: for example, a database containing only IP_1 and other_2 lookup-tables is valid. For specific information about Access or Excel lookup-tables, see below. Default Values Devices may be assigned default values. If no full match was found for the current device, dblookup looks for default entries defined with star (’*’) as the key attribute values, and assigns the new attributes with the values of the best match (the one with as few stars as possible).
E: A PPENDIX UTOMATIC TTRIBUTE SSIGNMENT Excel Worksheet The lookup-tables are stored in Excel named-ranges. Lookup named-ranges can be stored on separate worksheets or in the same worksheet. To create a named-range, simply select the cells containing your data, select Insert/Name/Define from the menu, supply a name for your range and click Add.
Then, when a device is discovered, dblookup does the following: 1 dblookup builds a SQL string with the device’s key attributes values and runs a query against the database to find a match. 2 If no match is found, it waits for the next device. 3 Otherwise it takes the best match, that is to say the one with as few stars as possible.
Page 146
E: A PPENDIX UTOMATIC TTRIBUTE (there is one version in Visual Basic and one in C): Figure 19 Simple attribute lookup process in C while ( GetNextLookup() ) Figure 20 Simple attribute lookup process in Visual Basic While GetNextLookup <> 0 Wend The idea behind this program is that every newly discovered IP device on the network is assigned a value of TRUE for the New Device attribute.
By replacing this simple loop with your own code, you can write a program which assigns your own attributes to devices using your own algorithm. GetAttribute returns the value of any attribute which has already been assigned, for example, NL Address and NL Type. See “Predefined Attributes”...
Page 148
E: A PPENDIX UTOMATIC TTRIBUTE Table 20 Example Programs (continued) Name country template The C examples are located in C:\Transcend Traffix Manager\TraffixServer\examples\c and the Visual Basic examples are in C:\Transcend Traffix Manager\TraffixServer\examples\vb. You should copy one of these samples to your own directory before modifying it. Attribute lookup programs must be able to find the attripc.dll file when they are running.
Table 21 Functions available to lookup programs in the attripc DLL library Function GetAttribute SetAttribute IsAttributeSet Should be called sometime after GetNextLookup. Takes an LogError, LogInfo Other points to note about user-defined attribute lookup programs: If your program exits prematurely, for example, it crashes, then the Traffix Service stops.
Page 150
E: A PPENDIX UTOMATIC TTRIBUTE SSIGNMENT attribute lookup programs which depend on the Name, NL Type, NL Address, Network or DNS attributes. Run the program AttrLooktest.exe <installdir>TraffixServer (this is not on the Windows Start Menu). The program displays a dialog box which allows you to run an attribute lookup program, providing command-line parameters if necessary.
3Com Agents The current list of 3Com agents is available from the 3Com web site: http://www.3com.com/network_management/probe_interop Using Firmware version 4.17, the agents support all RMON-1 and RMON-2 groups. Version 4.10 or later is needed on the single port and dual port agents for Y2K compatibility. Supported Interface Traffix Types...
This appendix contains the following sections: Downloading You should always run the latest version of management software Firmware to 3Com (firmware) in the agents on your network. Running the most up-to-date Standalone Agents version of agent firmware has the following benefits: Firmware files are stored on the machine where the Traffix Server is installed.
Page 154
G: C PPENDIX ONFIGURING CAUTION: Downloading firmware to an agent causes the agent to cold restart. Refer to the Firmware Upgrade documentation or your agent documentation for a description of the data lost when an agent is cold restarted. The latest version of the Firmware Upgrade documentation is available from the 3Com web site: http://www.support.3com.com/infodeli/tools/netmgt/rmonprob/ family.htm...
Page 155
Setting the Operational Mode on 3Com Standalone RMON-2 Agents Traffix Mode Sets appropriate table sizes on the device for use with Traffix Manager. Off Disables RMON-2. With RMON-2 disabled you can download SmartAgent ® software to the device. If you disable RMON-2 on an agent which supports both RMON standards, RMON-1 will still be enabled.
Page 156
G: C RMON-2 A PPENDIX ONFIGURING TANDALONE GENTS...
DHCP This appendix contains the following sections: How Traffix Traffix Manager Monitors IP address, IPX address) as the unique way to identify objects on your DHCP Devices network. However, the IP address of devices managed using the Dynamic Host Control Protocol (DHCP) can change, and therefore this is an unreliable method of identification for these devices.
Page 158
H: DHCP HAPTER (with the old MAC address) will also remain on the Map. There will therefore be two devices on the Map with the same IP address, although with different MAC addresses. Any conversation data retrieved for this IP address is subsequently assigned to the new device.
Monitoring Many sites (particularly in a switched environment) have large numbers of Network Segments network segments, and it may be too expensive to monitor all segments Using RMON-1 with RMON-2 agents. You can use any existing embedded RMON-1 only Agents devices (hubs, switches, routers etc.) instead, to produce lightweight activity reports for these segments.
RMON This appendix lists the SNMP tables retrieved by Traffix Refer to the following URLs for descriptions of RMON tables: SNMP Tables used by Traffix Manager Table 24 SNMP Tables Used By Traffix Manager Table MIBII system MIBII interfaces RMON probeConfig RMON etherStats /...
Page 162
J: RMON SNMP T PPENDIX Table 24 SNMP Tables Used By Traffix Manager (continued) Table RMON-2 protoDist RMON-2 addressMap RMON-2 alMatrixTopN / alMatrix / nlMatrixTopN / nlMatrix ABLES ETRIEVAL Mandatory At least one must be supported for RMON-2 data Comments For protocol distribution (reports only) Network Layer to MAC address mapping...
3Com variety of services. This appendix describes these services. Information contained in this appendix is correct at time of publication. For the most recent information, 3Com recommends that you access the 3Com Corporation World Wide Web site. Online Technical 3Com offers worldwide product support 24 hours a day, 7 days a week, Services through the following online systems: World Wide Web Site...
K: T PPENDIX ECHNICAL UPPORT 3Com FTP Site Download drivers, patches, software, and MIBs across the Internet from the 3Com public FTP site. This service is available 24 hours a day, 7 days a week. To connect to the 3Com FTP site, enter the following information into your FTP client: You do not need a user name and password with Web browser software such as Netscape Navigator and Internet Explorer.
Access by Digital Modem ISDN users can dial in to the 3Com BBS using a digital modem for fast access up to 64 Kbps. To access the 3Com BBS using ISDN, call the following number: 1 847 262 6000 3Com Facts The 3Com Facts automated fax service provides technical articles, Automated Fax diagrams, and troubleshooting instructions on 3Com products 24 hours a...
Page 166
K: T PPENDIX ECHNICAL UPPORT When you contact 3Com for assistance, have the following information ready: Here is a list of worldwide technical telephone support numbers: Country Telephone Number Asia, Pacific Rim Australia 1 800 678 515 Hong Kong 800 933 486 India +61 2 9937 5085 Indonesia...
Returning Products Before you send a product directly to 3Com for repair, you must first for Repair obtain an authorization number. Products sent to 3Com without authorization numbers will be returned to the sender unopened, at the sender’s expense. To obtain an authorization number, call or fax: Country Asia, Pacific Rim Europe, South Africa, and...
LOSSARY agent A standalone or embedded source of RMON-1 or RMON-2 data. aggregation The process of adding the data from multiple devices in the same domain, and representing those devices as a simple “aggregated” device. Used to limit database growth. ™...
Page 170
LOSSARY Either of the digits 0 or 1 when used in the binary numeration system. Eight bits equals a single byte. broadcast All good frames destined for the broadcast address, in other words sent out to all stations on the network. Some broadcasts are limited to the local network, and some broadcasts may cross onto other networks.
Page 171
LOSSARY of the destination IP address, the station sends the message to the destination station. Due to the static nature of DNS, it can only be used when network stations have static IP addresses obtained through manual configuration, BOOTP or DHCP in static mode. domain Part of the naming hierarchy used on the Internet and represented by a series of names separated by dots.
Page 172
LOSSARY IP (network) address Internet Protocol address. A unique identifier for a device attached to a network using TCP/IP. The address is written as four octets separated with full-stops (periods), and is made up of a network part, identifying which network the device resides on, and a host part, identifying individual devices on a given network.
Page 173
Open Systems Interconnection, a body of standards set by the International Standards Organization to define the activities that must occur when computers communicate. The OSI Reference Model is a 7-layer framework within which communications protocols and standards have been defined. packet A unit of information that contains data, origin information and destination information, which is switched as a whole through a...
Page 174
LOSSARY separated by periods. Devices and routers use the mask to identify the subnet on which a device resides. switch A device which filters, forwards and floods packets based on the packet’s destination address. The switch learns the addresses associated with each switch port and builds tables based on this information to be used for the switching decision.
Page 175
NDEX Numbers 3Com Bulletin Board Service (3Com BBS) 164 3Com Knowledgebase Web Services 163 3Com URL 163 3ComFacts 165 Access tables dblookup program 143 acknowledging events 85 activity reports 89, 99 ad hoc reports 90, 94 Add Agents dialog box 53 adding agents 53 connections between objects 60...
Page 176
NDEX Bulletin Board Service 164 client access levels 50 administrator access 50 description 37 launching after the first time 49 launching for the first time 26 read-only user 50 running multiple clients against a single server 50 cold restart losing data 154 collecting data adding agents 53 disabling agents 52...
Page 177
network sweep attacks 73 new devices on your network 73 unauthorized machine access 73 device activity report contents 101 device aggregation default aggregation action 131 local domain specification 130 local domains 130 overview 23, 64 setting maximum device limit 132 specifying aggregation policy 130 device limit setting 132...
Page 178
NDEX excepting devices or connections from rules 85 filtering 83 forwarding as SNMP traps 86 generating 20, 36 ignoring devices or connections 85 modifying 85 monitoring critical connections 75 monitoring critical devices 74 monitoring long term trends 77 monitoring network resource usage 74 monitoring network trends 75 monitoring protocol usage 78 monitoring server devices 78...
Page 179
HTML can’t find HTML files? 117 index file 94, 95 lifetime of files 96 report directory, moving and linking to 94, 95 serving directory to Web server 94, 95 troubleshooting 117 viewing report output 95 interface types supported 51, 151 invalid IP addresses 53 IP addresses default gateway device 170...
Page 181
report directory linking to HTML reports 94, 95 report formats 96 report instances overview 93 Report Manager 92 displaying information about output status 92 displaying information about raw data 92 displaying information about report instances 92 interpreting raw data and HTML output 94 interpreting summary information 94 regenerating output 92 report instances 93...
Page 182
NDEX RMON-2 Standard mode description 154 setting 54 RMON-2 Traffix mode description 154 setting 54 rules. See events running multiple clients against a single server 50 scenarios reporting 97 scheduling reports 90, 92, 94 searching for objects in the main window 59 security configuring events 71 detecting network misuse 73, 79...
Page 183
Traffix Manager assigning attributes automatically 137 database management 121 to 126 features 20 getting started 19, 23 how it works 21 how to use the documentation 11 launching after the first time 49 launching for the first time 25 launching with no data collected 52 main window 27, 28 menu options 29 monitoring DHCP devices 157...
Page 185
3Com Corporation L IMITED ® ™ Transcend Traffix Manager 3.0 for Windows NT OFTWARE 2000 W ARRANTY BTAINING ARRANTY ERVICE ARRANTIES XCLUSIVE ARRANTY ® 3Com warrants that each software program licensed from it will perform in substantial conformance to its program specifications, for a period of ninety (90) days from the date of purchase from 3Com or its authorized reseller.
Page 186
IMITATION OF IABILITY ISCLAIMER OVERNING THE ALLEGED DEFECT OR MALFUNCTION IN THE PRODUCT DOES NOT EXIST OR WAS CAUSED BY CUSTOMER’S OR ANY THIRD PERSON’S MISUSE, NEGLECT, IMPROPER INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO OPEN, REPAIR OR MODIFY THE PRODUCT, OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY ACCIDENT, FIRE, LIGHTNING, OTHER HAZARDS, OR ACTS OF GOD.