Finisar Surveyor User Manual

Summary of Contents for Finisar Surveyor

  • Page 1 Surveyor User’s Guide...
  • Page 2: Trademarks And Copyrights

    Software and all documentation and upgrades provided for said Software. The Software may be loaded and executed on a single host computer. Title to the Software shall at all times remain with Finisar. Licensee may not copy or sublicense such Software, documentation, or other written material, in whole or in part, without prior written consent of Finisar, except for as provided below.
  • Page 3: Limited Software Warranty

    Finisar’s liability under or for breach of this license shall be limited to refund of the purchase price actually paid by the Licensee to Finisar for the specific item causing the damage. In no event shall Finisar be liable for...
  • Page 4: About This Guide

    Help system contains nearly all the tutorials and instructions contained in this guide plus additional examples and tips to help you get the most from your Surveyor. Be sure to browse on-line Help. From any location in the Surveyor program, and with just a few clicks of the mouse, you will find that you can locate the answer to almost any question you might have.
  • Page 5: Table Of Contents

    Installing Analyzer Hardware in a Notebook PC... 2-5 Installing More Than One Analyzer Card in a Notebook PC ... 2-8 Compatibility Matrix... 2-9 Getting Started ... 3-1 The Surveyor System ... 3-1 Launching Surveyor... 3-1 Basic Navigation Tips ... 3-3 Buttons and Toolbars ... 3-6 Surveyor Toolbar ...
  • Page 6 .CFD Extension – Capture Filters ... 3-18 .DFD Extension – Display Filters... 3-18 .TSP Extension – Transmit Specifications ... 3-18 Providing a Name Table to Surveyor ... 3-19 Establishing Links for THGm... 3-20 Configuring Surveyor ... 4-1 Configuring the Interface... 4-1 Customizing Views and Windows ...
  • Page 7 Advanced Configuration... 4-20 surveyor.ini Customizing Expert Diagnostic Information ... 4-20 Assigning Names to Protocols (Monitor) ... 4-21 Assigning TCP or UDP Ports to Protocol Parsers... 4-26 Resources and Modes ... 5-1 Resource Browser... 5-1 Remote Resources ... 5-2 Naming Remote IP Resources (Aliases) ... 5-4 Resource Protection ...
  • Page 8 Surveyor User’s Guide Network Layer Matrix View ... 6-30 Application Layer Matrix View... 6-31 VLAN View... 6-33 Address Mapping View... 6-34 Packet Summary View ... 6-35 Duplicate Address View (Expert plug-in only)... 6-35 Expert View (Expert plug-in only) ... 6-36 Application Response Time View (Expert plug-in only) ...
  • Page 9 Stream Modes ... 8-7 Bursts ... 8-7 Transmission Mode... 8-8 Specifying Transmit Data ... 8-8 Packet Editor ... 8-8 Changing Fields Directly in the Dialog Box... 8-9 Using Templates ... 8-11 Creating Templates ... 8-11 Transmitting Capture Files ... 8-12 Transmit Specification Examples ...
  • Page 10 Surveyor User’s Guide Expert Diagnostic Messages ... 10-15 Working with the Expert System... 10-16 Configuring the Expert System ... 10-16 Module Settings for the Expert System... 10-17 Setting Expert Alarms... 10-17 Customizing Expert Diagnostic Information ... 10-17 Exporting Expert Data ... 10-18 Printing Expert Data...
  • Page 11 Contents (continued) TCP Retransmissions ... 10-51 TCP RST Packets... 10-52 TCP SYN Attack ... 10-53 TCP Window Exceeded... 10-54 TCP Window Probe... 10-55 TCP Zero Window ... 10-56 Too Many Retransmissions ... 10-57 Network Layer ... 10-58 Duplicate Network Address ... 10-58 HSRP Coup ...
  • Page 12 Multi-QoS ... 11-1 Protocols Supported by Multi-QoS... 11-2 Using Multi-QoS with Analyzer Hardware... 11-2 Multi-QoS User Interface Overview... 11-3 Surveyor and RTCP Jitter Values ... 11-5 Configuring Multi-QoS... 11-6 Multi-QoS Performance Optimization ... 11-8 Call Filtering with Multi-QoS ... 11-8 All Calls Table ...
  • Page 13 Field Descriptions for Call Range Summaries... 11-15 VQMon Metrics... 11-16 Utilization Graph ... 11-19 Field Descriptions for Call Details ... 11-20 Channel Table Details ... 11-24 Filtering on Single Channels ... 11-29 Call Playback ... 11-29 Customizing Multi-QoS Table Displays ... 11-30 Customizing All Calls or Range Summary Tables...
  • Page 14 Surveyor User’s Guide Implementation Profile ... A-1 Buffers ... A-1 How Resources Use Buffers ... A-1 Hardware Dependencies ... A-3 About NDIS Mode... A-5 Captured Packets... A-5 Capture Rate / Transmit Speed ... A-5 Counters ... A-5 Rx Counter Display... A-5 Transmit Specification ...
  • Page 15 Figure 5-1. Remote Host Connections ... 5-3 5-2. Host Properties Dialog Box for Establishing an Alias ... 5-4 6-1. Histogram Display and Button Controls ... 6-10 6-2. Histogram Display Showing Colors ... 6-12 6-3. Histogram Display, Large Capture Example ... 6-13 6-4.
  • Page 16 Surveyor User’s Guide 9-10. Alarm Example, Expert and Application Response ... 9-19 10-1. Expert Overview Example ... 10-3 10-2. Expert Overview Detail Table Example ... 10-5 10-3. Expert Application Layer Example ... 10-7 10-4. Entities for the Transport Layer Example ... 10-12 10-5.
  • Page 17 Table 1-1. Surveyor Functions ... 1-2 1-2. Surveyor Optional Software Modules and Their Functions ... 1-3 1-3. Finisar Analyzer Devices ... 1-4 1-4. Protocols Supported in Surveyor ... 1-5 1-5. Supported Multi-Media Protocols... 1-7 2-1. System Requirements... 2-1 2-2. Supported Analyzer Cards and Network Adapter Cards ... 2-2 2-3.
  • Page 18 Surveyor User’s Guide 6-5. Packet Editor Buttons ... 6-17 6-6. Frame Size Distribution View, Frame Size Statistics ... 6-21 6-7. Protocol Distribution View, Chart Buttons - Protocols... 6-22 6-8. Protocol Distribution View, Chart Buttons - Packets... 6-22 6-9. Protocol Distribution View, Graph Type Buttons ... 6-23 6-10.
  • Page 19 Hardware Connectivity... A-4 B-1. Surveyor Filter Templates, Ethernet EV2... B-2 B-2. Surveyor Filter Templates, IP and IPX over Ethernet EV2... B-3 B-3. Surveyor Filter Templates, TCP/IP over Ethernet EV2... B-5 B-4. Surveyor Filter Templates, UDP/IP over Ethernet EV2 ... B-7 B-5.
  • Page 20 Surveyor User’s Guide D-8. Parser Names, IBM Suite... D-4 D-9. Parser Names, Internet Suite... D-4 D-10. Parser Names, Internet Next Generation Suite ... D-6 D-11. Parser Names, Netware Suite... D-6 D-12. Parser Names, PPP Suite ... D-7 D-13. Parser Names, XNS Suite ... D-7 D-14.
  • Page 21: Introduction

    Finisar's Surveyor software is a Windows-based (2K, NT 4.x, XP) software analyzer-plus-monitor application for 10/100/1000 Ethernet networks. Surveyor provides users with the most robust, easy to use set of network analysis and monitoring tools in a single package. Surveyor's features include full 7-layer...
  • Page 22: Surveyor Functions

    The basic functions of Surveyor are described in Table 1-1. Table 1-2 on the next page shows the additional functions available with the optional Surveyor software modules, called plug-ins.
  • Page 23: Surveyor Optional Software Modules And Their Functions

    (Remote plug-in) Transmit Send data to a network. Surveyor lets you see what happens to your network under precisely controlled conditions. You can play back streams of captured (Packet Blaster data or you can transmit edited data. You can edit a stream of captured data...
  • Page 24: Finisar Analyzer Devices

    Surveyor can decode. For a listing of protocol specifications and information, refer to Appendix C. Note that Finisar continually adds to the list of protocols it can decode. If you do not see a protocol on this list that you need, visit the Finisar web site, www.Finisar.com, or check with Customer Support for new additions.
  • Page 25: Protocols Supported In Surveyor

    Table 1-4. Protocols Supported in Surveyor MAC Layer TCP/IP Suite IEEE 802.2 (LLC) IEEE 802.3 ASF-RMCP Ethernet II BGP (Version 4) IEEE 802.5 BOOTP Loopback CharGen MAC Control Frame DHCP IEEE SNAP Discard IEEE 802.1X Echo PPP Suite PPPCHAP Finger...
  • Page 26 Surveyor User’s Guide Oracle Suite IPX/SPX Suite (cont.) TNS (TCP/IP only) NetBIOS SQLNET NLSP AppleTalk Phase2 Packet Burst AARP ADSP Serialization SPX II Watchdog DECnet Phase IV AURP CTERM DDP EIGRP FOUND LAVC RTMP NICE IPV6 IpSec DHCPng ICMPng IDRPng...
  • Page 27: Supported Multi-Media Protocols

    NetBEUI CLNP NetBIOS CONP ESIS ISIS Table 1-5. Supported Multi-Media Protocols Multi-Media ITU H.323 IETF ASN.1 H.248 / Megaco GK DISC MGCP H.225.0 RTCP H.245 H.323v4 RTSP H.450.1 SGCP Q.921 Q.931 T.120 T.38 Protocols Supported Intel MPLS MTP2 CR-LDP MTP3 RSVP-TE RTSP TCAP...
  • Page 28: What's New In Release 5.0

    The THGsE can be controlled and configured from Surveyor similar to the THGs; the device is seen as a remote analyzer that can be started and stopped from Surveyor. Note that capture to disk at full line rate is not supported for 100Mbps or Gigabit Ethernet speeds.
  • Page 29: Expanded Multi-Qos Support

    The SNMP agent for Surveyor has been expanded to include management fields other than alarms. The new Surveyor agent implementation uses SNMPv2. New and Enhanced Protocol Decodes The following protocol decodes are new or enhanced in version 5.0 of Surveyor: • ASF-RMCP, Alert Standard Format protocol Introduction What's New in Release 5.0...
  • Page 30 Surveyor User’s Guide 1-10...
  • Page 31: Installation

    *The amount of memory and processor speed required depends on the size of a capture file opened for viewing/analysis. Surveyor contains a utility to break up large capture files if you need to view large captures and have limited system resources.
  • Page 32: Upgrading Surveyor

    See the Readme file for the latest information on supported analyzers and adapters for Surveyor 5.0. Upgrading Surveyor If you have a previous version of Surveyor, install version 5.0 into the same directory as the previous version. Do not save older versions of the software on your system.
  • Page 33: Installing Surveyor

    Surveyor software. Connect any local analyzer cards or Ethernet adapters to the network. For THGm, you may need to force the link. See the Launching Surveyor section in Chapter 3 for instructions. If you are going to use Surveyor to access remote resources, make sure the Surveyor 5.0 software is installed at the remote host and the remote resources are connected...
  • Page 34: Installing Analyzer Hardware

    Installing Analyzer Hardware in a Desktop PC Finisar offers an analyzer card that can be installed in a desktop PC. For PCI bus expansion slots, Finisar offers the THGm analyzer card for 10/100/1000 Ethernets. Finisar analyzer cards or other NDIS-compatible adapters can be installed in the local PC before or after Surveyor software is installed.
  • Page 35: Installing Analyzer Hardware In A Notebook Pc

    Click the Finish 8. The Finisar driver will be copied to the hard drive. Windows will request the Windows CDROM to install system files. Many of these system files can be found directly on the hard drive in the directory without using the CDROM.
  • Page 36 • Surveyor has limited support for 3rd party Token Ring cards. Please remove all Token Ring network cards before using Surveyor unless you first contact Customer Support. Surveyor will work with 3rd party Ethernet cards.
  • Page 37 4. Power up your system. Windows 2000 will detect the new card and display the “New Hardware Found” message. Windows 2000 will recognize the Portable Surveyor 10/100 Ethernet Analyzer Card as a Racore card and use the Racore device driver. You must update the device driver for the card to function properly.
  • Page 38: Installing More Than One Analyzer Card In A Notebook Pc

    Installing More Than One Analyzer Card in a Notebook PC If you are installing two Portable Surveyor 10/100 Ethernet Analyzer Cards, install one card, make sure it works within Surveyor, and then install the second card. from the menu. . The Racore device driver should Local Area Connection box.
  • Page 39: Hardware/Software Compatibility Matrix

    Compatibility Matrix Table 2-3. Hardware/Software Compatibility Matrix Portable Finisar Surveyor 10/ THGm 100 Ethernet Analyzer Card Desktop, Win NT Desktop, Win 2000 Desktop, Win XP Notebook, Win NT Notebook, Win 2000 Notebook, Win XP Ethernet, NDIS (3rd party) Installation Compatibility Matrix...
  • Page 40 Surveyor User’s Guide 2-10...
  • Page 41: Getting Started

    Double-click on the you installed the Surveyor application. 2. The first time you launch Surveyor, you’ll be asked if you have any local analyzer or tap devices. If you do not have any local analyzer devices, do not check any boxes, click and skip to step 3.
  • Page 42: Default Account Names, Passwords And Privileges

    You can also password-protect local resources. See the section called “Protecting Local Resources” in the “Resources and Modes” chapter. 4. Surveyor starts (arms) your local devices automatically the first time you start the software. For subsequent launches of Surveyor, local devices are not started automatically.
  • Page 43: Basic Navigation Tips

    (Resource Browser), setting alarms (Alarm Browser), and viewing system messages (Message window). Refer to the Surveyor Quick Start Guide for pictures of the main windows used in Surveyor. Detail View is primarily for analyzing data from a single resource. You can look at the data from Detail View in many different ways.
  • Page 44 This design allows you to perform all the tasks you might expect to do from any one of the major windows without having to switch to a different window. Because of Surveyor’s flexibility, you can open many different windows and subwindows within the program. To avoid confusion, close windows you are not using.
  • Page 45 • If you have the Expert plug-in, use the the expert views. • If you have the Multi-QoS plug-in, use the up the charts and tables for Voice over IP and Multimedia protocols. • If you are running Packet Blaster plug-in, use the up the Transmit Specification button in Detail View to bring up...
  • Page 46: Buttons And Toolbars

    Surveyor User’s Guide Buttons and Toolbars Surveyor Toolbar Open button Opens a file, typically a capture file (.CAP). A dialog box displays showing all files with extension .CAP in the current directory. From the Summary Viewer, selecting a capture file to open will bring up Capture View.
  • Page 47 Getting Started Buttons and Toolbars Capture Mode button Places the currently selected resource in capture mode. This button is gray if the resource is currently active (started). Monitor Mode button Activates the monitor functions for the currently selected resource. If the resource does not support monitoring functions, the resource is put into capture mode.
  • Page 48: Detail View Toolbar

    Surveyor User’s Guide Detail View Toolbar Save button Saves the current contents of the capture buffer to a file. A dialog box displays, allowing you to select the file name and directory. Print button Prints the contents of the current view.
  • Page 49 Capture Filter button Display the window. The window displays a previously Capture Filter opened filter or the default filter. Load Filter button Brings up a dialog box to select a saved capture filter (.CFD extension). If a capture filter is opened, that filter is applied to the currently selected resource.
  • Page 50: Data Views Toolbar

    Surveyor User’s Guide Data Views Toolbar Ring Statistics View button (Token Ring Only) Brings up tables showing information about the rings and the ring stations detected on the network. This button is available for Token Ring adapters only. MAC Statistics View button Brings up MAC Statistics View for graphically viewing packet and error counters.
  • Page 51 Getting Started Buttons and Toolbars Host Table View button Selects Host Table View for viewing information. You can see MAC stations and their associated traffic in this view. Network Layer Host Table View button Selects Network Layer Host Table View for viewing information. You can see network (IP/IPX) stations and their associated traffic in this view.
  • Page 52 Surveyor User’s Guide Refresh button Update the information in all open views. Duplicate Address Button (Expert plug-in only) Brings up a table showing all duplicate IP and IPX addresses. The duplicate network and MAC addresses associated with each duplicate are displayed.
  • Page 53: Filter Design Toolbar

    Filter Design Toolbar Create Filter button Creates a new filter. The default window appears for the window. Open Filter button Opens a filter. A dialog box displays to select the file. Capture filters are designated with an extension of .CFD files and display filters with an extension of .DFD.
  • Page 54 Surveyor User’s Guide are designated with an extension of .CFD files and display filters with an extension of .DFD. Save Filter button Saves the current contents of the A dialog box displays to specify the file name and directory. Capture filters are saved as .CFD files and display filters as .DFD files.
  • Page 55: Capture View Toolbar

    Getting Started Buttons and Toolbars Capture View Toolbar Open File button Opens a capture file (.CAP). A dialog box will display showing the current directory with all files with extension .CAP. Save File button Saves the current contents of this view to a file. Search Box Use the box to specify an ASCII text string for which to search.
  • Page 56 Surveyor User’s Guide Resume Load button Capture files are loaded to Capture View as a background process. Pressing this button resumes the background process. Go To Trigger button Pressing this button moves you to the line in the capture file that was set as the trigger position.
  • Page 57 Getting Started Buttons and Toolbars Host Matrix View button Selects Host Matrix View for viewing captured information. You can see all conversations between MAC stations in this view. Network Layer Matrix View button Selects Network Layer Matrix View for viewing captured information. You can see all network conversations for IP and IPX traffic in this view.
  • Page 58: File Formats

    .CAP files are not viewed directly in this version of Surveyor, but are internal files used within .HST files. Older .CAP files opened in Surveyor are converted to the new format and are then available as .HST files.
  • Page 59: Providing A Name Table To Surveyor

    Providing a Name Table to Surveyor A default name table file, hosts.nam, is included with the software. Surveyor boots using this default name table. If you wish to change the start up default name table, you must edit the surveyor.ini file by following these instructions: 1.
  • Page 60: Establishing Links For Thgm

    Surveyor User’s Guide Establishing Links for THGm The THGm is often connected to a device that cannot auto negotiate the connection, such as when monitoring/analyzing a connection through a tap device. The device will automatically go through a sequence of attempts to disable auto negotiation and establish a link with a device that cannot auto negotiate.
  • Page 61: Configuring Surveyor

    Configuring the Interface In Surveyor, you can control the appearance of windows, the primary monitor view, the appearance of tables and charts, and the colors of decode displays. The following sections describe how to set up the interface to best meet your needs.
  • Page 62: Capture View Display Options

    Surveyor User’s Guide completely close a docking window. If you close a docking window, use the options from the menu to get the window back. View You can extract any docking window from the stand-alone window. If you turn off docking using the right mouse functions, the window will not dock again when it is moved back over the allowing you to cascade windows.
  • Page 63: Configurable Capture View Columns

    Capture View. Display Detail Protocol Summary check box if you wish to include expert field. Packets that trigger an expert symptom Summary Configuring Surveyor Configuring the Interface Summary box to Display Detail...
  • Page 64: Histogram Options

    Surveyor User’s Guide Use the bottom portion of the dialog box to set the point from which Surveyor will measure time when calculating and displaying the elapsed time stamp of each packet. Set “time-zero” for capture in the Display Options starts time zero at the time the module is started.
  • Page 65: Setting The Monitoring View For A Module

    Set this value high if you need to load and view large sections of data at one time. A greater download size will increase the time it takes to perform each download. Surveyor also has a setting for local disk cache size which will also affect the performance of downloads.
  • Page 66: Configuring Chart Views

    You can, however, create a “top ten” chart for any field that Surveyor supports. You can also reverse the sort order to create a “bottom ten” chart for any field that Surveyor supports.
  • Page 67: Module Settings (Properties)

    Hardware Packet Device Buffer Slice Size THGm THGs THGsE THGp Portable Surveyor 10/ 100 Ethernet Analyzer Card NDIS This option affects the display of tables for local devices only for 10/100 networks. Module Settings... Stop-and- Modes: Modes: Modes: Save Expert...
  • Page 68: Buffer Size

    MAC Control Frame Buffer Size Portable Surveyor 10/100 Ethernet Analyzer Card and NDIS cards require that a capture buffer size be set. The buffer size is the amount of system memory that will be used to save captured data. Buffer sizes can be set between 64KB and 16MB.
  • Page 69: Stop-And-Save Capture Buffer

    1023, since non-WKP numbers can quickly fill Application Layer Tables. Surveyor always displays the port number if the number is less than or equal to 1023. Surveyor also displays some ports above 1023 since applications associated with them are widely accepted.
  • Page 70: Mac Control Frame

    Surveyor at any time. You can use Surveyor to set the ports on the PC to scan at any time. To set up or change port scanning, do the following 1.
  • Page 71: Configuring Remote Communications

    2. A dialog box appears showing the ports within the local system. Check the box of only those ports you want Surveyor to scan for an analyzer card. 3. Click the button. Configuring Remote Communications The remote server protocol (RSP) is used to control the interface for connecting with remote systems.
  • Page 72: Protocol Color Coding

    Remote polling timers control how often data is updated from remote systems. Display timers control how often displays of data are updated in the Surveyor software. All timer values are in seconds.
  • Page 73: Default Display Timer Settings

    The default settings, in seconds, are shown in Table 4-8: Table 4-8. Default Display Timer Settings Display Timer Default Value MAC Layer Counters Protocol Distribution Host Table Views Matrix Views Expert Data View Remote Name Table Strip Chart, Local Strip Chart, Remote Configuring Surveyor System Settings 4-13...
  • Page 74: Disk Options

    Browse to specify its maximum size. Surveyor will not allow you to specify a size greater than the available free space on your disk drive. The minimum cache size is 40MB.
  • Page 75: Configuring Counter Logging

    Configuring Counter Logging Counter log files contain snapshots of Surveyor counter information. All MAC layer statistics can be recorded in the log file. To configure counter logging, select menu. To enable counter logging, check the capturing counter information in the...
  • Page 76: Alarm Actions

    Surveyor User’s Guide Using E-mail with Surveyor is turned off by default. If you want to use this feature, you must reset a parameter in the Surveyor.ini file. Set Enable MAPI=1 to enable the e-mail alarms feature through Microsoft Mail Exchange.
  • Page 77 The Surveyor software can be used to control which LAN segment is selected by the tap or switch. To set the LAN segment: 1. In the resource browser, click on the local or remote resource connected to the switch. The current port being monitored will display under the tap or switch resource.
  • Page 78: Setting The Local Com Port For Taps And Switches

    Setting the Local COM Port for Taps and Switches The tap or switch can be controlled from a PC running Surveyor software. The tap or switch can be directly connected to a COM port on the PC and controlled as a local resource from Surveyor.
  • Page 79: Updating An Analyzer Device

    Connect Updating an Analyzer Device You can update the software or change address information for a Finisar analyzer device from Surveyor. Before you can reset the device with a new image, you must place the new image on a server that runs TFTP protocol.
  • Page 80: Advanced Configuration

    .ini files. Surveyor always looks for the file named surveyor.ini in the directory where Surveyor is installed and will use that file for its configuration. If no surveyor.ini file is found in the directory, Surveyor will build another surveyor.ini file based on the factory default configuration settings.
  • Page 81: Assigning Names To Protocols (Monitor)

    However, you may want explicit information about a protocol that does not have a well known name or is counted in Surveyor monitor screens as a “TCP OTHER” or “UDP OTHER” protocol.
  • Page 82 This string is used as the name for the protocol in Surveyor’s monitor tables. is an alpha numeric string that should be between 1 and 50 characters. This string is used as the name of the protocol where Surveyor displays a long name.
  • Page 83 Example 3 X Windows could use non-WKP TCP ports in the range 6000 to 6063. However, by default, Surveyor reports X Windows network traffic with a single entry in the Protocol Distribution table. For example, if 100 X Windows packets were detected on port 6000 and 200 were detected on port 6029, the Protocol Distribution table would report that 300 XWIN packets were detected.
  • Page 84 Surveyor monitors all protocols that fall in the WKP (Well Known Port) range, ports with a value between 0 and 1023. If Surveyor detects a TCP or UDP with a port in the WKP range, information will be maintained on that port (total bytes, total packet, conversation, etc.).
  • Page 85: Default Names For Non-Wkp Tcp Ports

    Monitoring Non Well-Known Ports Surveyor also collects information about a subset of ports that fall outside of the WKP range, port numbers greater than 1023. These ports are called non-WKP. Some of these ports are monitored by Surveyor since applications associated with them are widely accepted.
  • Page 86: Assigning Tcp Or Udp Ports To Protocol Parsers

    1521. The entry in the ANALYSIS.INI would be: [TCP] mapping=1029,*,TNS,Oracle TNS “Oracle TNS” is the string that will be used in Surveyor’s displays to identify this decode. Example 2 Assume that the network administrator configured Sybase’s TDS protocol to use TCP port 11964.
  • Page 87 APPLICATION 2 Parser Names The tables in Appendix D contain the Parser Names that are built into Surveyor. Each parser is responsible for decoding a specific protocol. Parser Names are as similar as possible to protocol names. Parser Names must be entered exactly as shown in the tables to correctly reference the built-in parser.
  • Page 88 Surveyor User’s Guide 4-28...
  • Page 89: Resources And Modes

    Remote systems containing resources are listed by IP address unless there is a Surveyor name table on the system. If an entry exists in the name table for the IP address of a resource, the symbolic name in the name table is used to represent the resource.
  • Page 90: Remote Resources

    You’ll need to know the IP address of the remote host to log in to the remote resource. If the remote resource can be auto-discovered by Surveyor, the IP address or the name associated with the IP address of the host will display in the Resource Browser.
  • Page 91: Remote Host Connections

    Local Host Local Surveyor Surveyor Segment Software Software Local Monitor/ Transmit/Capture Data Stream NDIS, Finisar Analyzer Card CMM or CMM2 or NDIS Adapter Board Network Remote Host Surveyor Software Surveyor Software Figure 5-1. Remote Host Connections Resources and Modes Remote Resources...
  • Page 92: Naming Remote Ip Resources (Aliases)

    Figure 5-2. Host Properties Dialog Box for Establishing an Alias All characters are allowed in alias names except $, #, <, and @. When an alias is established, Surveyor window title bars change to reflect the new alias name instead of the IP Address. For example, “//192.1.68.2/THGmModule(1)”...
  • Page 93: Resource Protection

    The guest user can be given all privileges to effectively disable resource protection. Note that there is no password protection for starting Surveyor on the local system. If you can start Surveyor from a system, you automatically have complete access to all local resources (called super-user privileges).
  • Page 94: Modes

    The capabilities of each hardware device supported by Surveyor are described in Table 5-3. See Appendix A for more information on the implementation of Surveyor and a summary of all differences between hardware devices.
  • Page 95: Hardware Device Capabilities

    The THGp is a portable PC system (Dolch PC) that contains up to four THGm modules. The THGm modules in THGp support all features and functions in Surveyor. THGm supports all capture functions at full line rate and has a monitoring capability. When two THGm modules are present, they are synchronized so you can analyze a full-duplex network segment from a single view.
  • Page 96: Synchronized Resources

    Switches Switches are wiring devices that provide connections for analyzer devices. The switch shows as a “resource” to the Surveyor software, but is only used to select a LAN segment for monitoring and LAN analysis functions. 4, 6, or 8-port Datacom Switches for 10/100 or Gigabit Ethernet are supported.
  • Page 97: Hints And Tips For Resources

    • When launching Surveyor, be sure to enter the password on the log-in screen so you can see remote devices. If you fail to enter a password, Surveyor will not allow you to see remote analyzer resources in your network.
  • Page 98 • Use the Properties… the host. Information includes host type, IP address, and the Surveyor software version. The host name must be highlighted in the Resource Browser to get a description. • If you suspect that a remote resource is not responding, go to Summary View and look at the Resource Browser.
  • Page 99: Views

    There are numerous ways to view data from Surveyor. This section describes the primary windows you use to view data, and the actual data views you can see within each window. The primary windows for viewing information are shown in Table 6-1.
  • Page 100: Data Views Provided Within Summary, Detail And Capture View

    Surveyor User’s Guide Table 6-2. Data Views Provided Within Summary, Detail and Capture View Metric MAC Statistics Utilization/Errors Strip Chart Frame Distribution Protocol Distribution Host Table Network Layer Host Table Application Layer Host Table Host Matrix Network Layer Matrix Application Layer Matrix...
  • Page 101: Module Window Tabs Within Summary View

    Summary View Summary View is Surveyor’s global monitoring tool for network data. You can view real-time data from any local resource or any resource you can connect to on the network. You can filter the data before viewing by applying a capture filter.
  • Page 102: Detail View

    The Detail View allows multiple views for a single resource module and also allows the Capture View to be opened for that same module. By contrast, Surveyor’s Summary View allows one monitoring view for multiple resource modules and the Capture View cannot be opened.
  • Page 103 Viewing static resources such as files or buffers will change the options available from the toolbars and menus and the data views will appear somewhat different. Surveyor is designed so that you’ll only be able to perform the functions that make sense for that resource.
  • Page 104: Using Capture + Monitor Mode In Detail View

    Because the formatting of the data in both of these views is identical, Surveyor provides the following visual distinctions to help you distinguish between capture and monitor views: •...
  • Page 105: Capture View

    that you have of the capture buffer are still open windows within Detail View. In other words, the “view” and decode of previous information is still available, even though the capture buffer itself is refilling with new information. If you do not need this previous view of captured information, it is recommended that you close the window and all associated capture view windows.
  • Page 106: Creating Filters From Capture View

    Surveyor User’s Guide • Detail Pane The Detail Pane shows the values of the protocol elements associated with each protocol. For example, for the Data Link Control the values for the source address, destination address, and packet length are shown. Single-clicking on a value highlights the value in both the Detail Pane and the Hex Pane.
  • Page 107: Using The Histogram Control

    Protocol Color Coding D” for a list of Surveyor’s default protocol color codes. If you have special decoding or display needs for non-standard protocols, see the “Advanced Configuration” section in Chapter 4 for information on assigning protocol parsers and assigning names to protocols.
  • Page 108: Histogram Color Coding

    Capture files are now saved in a new file format with the extension of .HST. Capture files created with previous releases of Surveyor in .CAP format are automatically converted to the new format when you open and save them. Captures are now stored as one .HST file and a folder containing a series of .CAP...
  • Page 109 Views Using the Histogram Control For the Upper Histogram, the Selected Section is changed by sliding a movable “window” over a portion of the data. This window is called the Capture Selection Window. For the Lower Histogram, the data to display in the Upper Histogram is changed by sliding a movable “window”...
  • Page 110: Histogram Display Showing Colors

    Surveyor User’s Guide of the capture that are not shown in the Upper Histogram are available from the disk cache. Figure 6-2. Histogram Display Showing Colors The example below shows a large capture with many sections. In the Upper Histogram, the first section shown in magenta is the Current Section. By using the mouse, the section(s) near the end of the Upper Histogram are now the Selected Section(s).
  • Page 111: Histogram Display, Large Capture Example

    shown in black. The gray and black colors indicate that these sections are not downloaded. Figure 6-3. Histogram Display, Large Capture Example Once you press the download for the Selected Section in the Upper Histogram are loaded into the Summary area. Immediately after downloading, the histogram shows only the colors listed in the left hand column below, as the Selected Section and the Current Section will match.
  • Page 112: Histogram Button Controls

    Surveyor User’s Guide Table 6-4. Histogram Default Colors (continued) Blue Gray Histogram Button Controls Histogram controls allow you to focus on a smaller area of the capture, change the appearance of the graph, and load sections of the capture to the decode area. These...
  • Page 113: Histogram Mouse Controls

    Downloads the data currently selected in the Upper Histogram to the capture view decode. Only the data within the selection area (gray shaded area) is downloaded. To decrease or increase the size of the download, go to the Sections tab in the →...
  • Page 114: Saving Portions Of The Data

    Surveyor User’s Guide If you attempt to select an area smaller than 20MB, the closest sections that form 20MB of data become the Capture Selection Window. The picture below shows double-arrow mouse icon in the Upper Histogram. The special mouse icons described above only appear when the mouse is over an area that will respond to cursor actions.
  • Page 115: Packet Editor Buttons

    Resume Analysis You can set Surveyor to save the downloads you make from the THGsE or local disk when analyzing a histogram file. To retain the downloads of the histogram when working with the data on a remote THGsE, set the with the following Histogram file...
  • Page 116: Data Views

    Rings are rediscovered and time stamps changed if the connection is lost and then reestablished between Surveyor and the local ring. Rings and ring stations are listed as they are discovered. Click on the Ring Order or the Ring Number columns to sort the rings in ascending or descending order.
  • Page 117: Mac Statistics View (Rx)

    Views Data Views tables are updated approximately every 7 seconds. MAC Statistics View (Rx) From Detail View, click on the button to open a window with MAC Statistics View for capture. From Summary View, set the view preferences to MAC Statistics to see this view in the first tab.
  • Page 118: Mac Statistics View (Tx)

    Surveyor User’s Guide MAC Statistics View (Tx) From Detail View, click on the View for transmit. From Summary View, set the view preferences to to see this view in the first tab. (Tx) MAC Statistics View also shows module activity during transmit. It provides a visual reference for module activity.
  • Page 119: Protocol Distribution View

    Frame Size Distribution View is available as a chart or a table. For the chart, the buttons toggle the type of graphic display. The Pause/Resume button allows you to pause or resume real-time update of the graph. For both the chart and the table, each range of frame sizes is expressed as a percentage of the total number of frames counted.
  • Page 120: Protocol Distribution View, Chart Buttons - Protocols

    Table 6-7. Protocol Distribution View, Chart Buttons - Protocols Chart Button Table 6-8. Protocol Distribution View, Chart Buttons - Packets Chart Button Protocol Buttons Frame/Byte Buttons Display Buttons The NET and ALL buttons show percentage breakdowns for all packets. The IP...
  • Page 121: Utilization/Error View

    and IPX buttons show the percentages of only those packets that can be identified as containing IP or IPX information respectively. Table 6-9. Protocol Distribution View, Graph Type Buttons Display Button Description/Action Display distributions as a bar graph. Display distributions as a pie chart. Pause the display.
  • Page 122: Host Table View, Table Column Descriptions

    The station address and name are provided in the table or chart. If a Surveyor name table exists with an address-to-name entry for this station, the will be the station name in the name table. If no entry in a Surveyor name table exists, the name of the the last 6 bytes of the station address.
  • Page 123: Network Layer Host Table View

    The station address and name are provided in the table or chart. The name and address will be the same if Surveyor does not have a name table with an address-to- name correspondence for this station.
  • Page 124: Network Layer Host Table View, Table Column Descriptions

    Surveyor User’s Guide Table Network Layer Host Table View as a table shows network activity from the view of network stations. The table lists statistics for all stations found. The table can be customized to include other columns of information. Table columns listed in italics are the default Network Layer Host Table View columns.
  • Page 125: Application Layer Host Table View, Table Column Descriptions

    The network station address and name are provided in the table or chart. The name and address will be the same if Surveyor does not have a name table with an address-to-name correspondence for this station.
  • Page 126: Host Matrix View

    The station addresses and names are provided in the table or chart. If a Surveyor name table exists with an address-to-name entry for this station, the field will be the station name in the name table. If no entry in a Surveyor name table exists, the name of the last 6 bytes of the station address.
  • Page 127: Host Matrix View, Table Column Descriptions

    Chart Host Matrix View as a chart shows only ten MAC conversations. The ten conversations displayed are those transmitting the largest relative percentage of frames. The chart can be customized to show the “top ten” conversations based on a different information field. The display.
  • Page 128: Network Layer Matrix View, Table Column Descriptions

    Click on the tab at the bottom of the window to select The station addresses and names in the conversation are provided in the table or chart. The name and address are the same if Surveyor does not have a name table with address-to-name correspondences.
  • Page 129: Application Layer Matrix View

    Table 6-15. Network Layer Matrix View, Table Column Descriptions (continued) Net Station Name 2 Network layer address of a second network station Net Station Address 2 Address of a second network station in IP address format VLAN Id Decimal number of the virtual LAN. Virtual LANs using Cisco’s ISL protocols are the only virtual LANs recognized at this time.
  • Page 130: Application Layer Matrix View, Table Column Descriptions

    Surveyor User’s Guide The station addresses and names in the conversation are provided in the table or chart. The name and address are the same if Surveyor does not have a name table with address-to-name correspondences. Chart Application Layer Matrix View as a chart shows only ten applications over network conversations.
  • Page 131: Vlan View

    Table 6-16. Application Layer Matrix View, Table Column Descriptions (continued) Rel % Frames 1<—>2 Percentage of frames sent in either direction between Network Station 1 and Network Station 2 for this application relative to the total number of frames Bytes 1—>2 Number of bytes sent from Network Station 1 to Network Station 2 for this application Average size 1—>2...
  • Page 132: Address Mapping View

    Surveyor User’s Guide Table VLAN View as a table shows network activity from the view of virtual LAN traffic. The table lists statistics for all VLANs found. The table can be customized to include other columns of information. You can click on any VLAN ID and see a Network Layer Host Table View or a Network Conversation Matrix View for that VLAN.
  • Page 133: Duplicate Address View, Table Column Descriptions

    Table 6-18. Address Map View, Table Column Descriptions MAC Station Address MAC station address Network Station Name Name of the network station Network Station Address Network layer address of the network station Packet Summary View Packet Summary View shows a real-time protocol decode. Packets received are decoded and the result of the decode is displayed.
  • Page 134: Application Response Time View, Column Descriptions

    However, the packet cannot be sent if the analyzer device used by Surveyor is connected through a tap device. The application response time will only work if the transmit port of the analyzer is directly connected to a switch port or device.
  • Page 135: Hints And Tips For Using Views

    Multiple tables are available in Multi-QoS View. You can view all calls, subsets of calls filtered by protocol or by a QoS metric, single call details, and channel details. Refer to the chapter on Multi-QoS for complete information on Multi-QoS Views. Hints and Tips for Using Views •...
  • Page 136 Surveyor User’s Guide • Double-click on the MAC Statistics View in Detail View to bring up Capture View. • Data in a chart will be sorted by the last sorted column in the corresponding table. • Click the right mouse button on a table entry in Host Table, Network Table, Application Table, Host Matrix, Network Matrix, or Application Matrix view to bring up a menu for creating a filter.
  • Page 137: Capture And Display Filters

    A display filter allows you to view this subset of captured data. Surveyor uses a layered approach to developing filters. If you want a simple filter, all filter options can be specified from a single window. However, if you need to create an advanced filter with multiple states and searches to refine exactly what you’re looking for, Surveyor supports a complete filtering language.
  • Page 138: Creating Filters With Filter Templates

    • Pre-defined Filter Templates A pre-defined filter template looks for a specific data pattern or a collection of data patterns. The filter template is supplied by Surveyor and cannot be changed. • Custom Filter Templates A custom filter template also looks for a specific data pattern or a collection of data patterns.
  • Page 139 Conversation to Filter Template means of adding addresses to a custom filter template. • Add Port Numbers to Custom Filter Templates A port is a data pattern specific to the source and destination port numbers, including the protocol type and the direction of traffic. The area in the display provides a convenient means of adding ter Template port numbers to a custom filter template.
  • Page 140: Filter Design Window

    Surveyor User’s Guide A sample Filter Design FILTER CREATION Area (left side of window) Template Combination Box Filter Design Toolbar Template Combination (see below) Operator Buttons View Filter Button, Set Filter Actions, Bring Up Filter States Increment Custom Design Window...
  • Page 141: Defining Conversations

    Protocol and Frame Type The protocol and the frame type are selected from pull-down boxes. Surveyor automatically restricts you from entering combinations that make no sense. Surveyor will automatically set up the correct protocol and frame type when you select a station address from the name table.
  • Page 142 Surveyor User’s Guide There are four station address types: • MAC address – 12 hexadecimal digits. For example, 34FD34AA0001. • IP dot notation address – 4 decimal numbers in the range of 0 to 255, separated by dots. For example, 12.235.96.2.
  • Page 143: Creating And Applying A Port Number

    Creating and Applying a Port Number Surveyor provides a convenient way to add a port number to a filter. You specify port numbers for the filter by filling out the window. This area consists of a protocol selection, frame type selection, a...
  • Page 144: Creating Custom Filter Templates

    Surveyor User’s Guide Multiple Byte Patterns in Filter Templates Filter templates can be “several templates in one.” For example, HTTP, TELNET, and SNMP are provided as single filter templates, but they consist of both source and destination ports. In other words, the template itself contains an OR condition, and will capture a packet whether it appears in the offset for the source port or the offset for the destination port.
  • Page 145 You then save the template. When you save a custom template, Surveyor asks for a custom template name. Surveyor will assign a default name such as Template1 if no name is provided. Once you create a filter template, its name will appear in the Custom_Templates section of the plates can be reused again and again once added to the list of templates.
  • Page 146 Surveyor User’s Guide Entering Values that Cross Byte Boundaries Port values are generally understood as decimal numbers. For example, an NFS port is known as decimal 2049. Filter patterns are expressed as bytes and begin on byte boundaries. It takes two bytes to express a port number. Therefore, for port numbers you must convert the decimal number to a value that can be entered on a byte boundary.
  • Page 147 Bit-Level Filtering Surveyor can filter at the bit level. To set a bit pattern, place the cursor within a byte field in the Edit/Create Custom Filter Template ton.The Bit-Level Pattern the offset you are currently changing in its title bar. Enter any values for each bit that you want included in the filter.
  • Page 148: Filter Creation

    Surveyor User’s Guide Filter Creation FILTER CREATION actually specifies what conditions are tested and what actions are taken for this filter statement. See Figure 7-1 for an example of the • Create Template Combinations A template combination is built up from various custom or pre-defined filter templates.
  • Page 149: Filter Actions

    a test against incoming frames. If the operation you try makes no sense in the context of creating a template combination, the operation is not allowed. For example, an OR operator makes no sense after an AND operator. As another example, inserting a filter template immediately after another filter template makes no sense and the operation is not allowed.
  • Page 150: Example Filter Actions Dialog Box

    Surveyor User’s Guide Actions for Capture Filters Table 7-4 shows actions available for capture filters: Action Capture Trigger Increment Custom Counter Change Filter Operation An example Filter Actions Figure 7-3. Example Filter Actions Dialog Box The state number and the line number of the statement within the state are given in the title bar of the dialog box.
  • Page 151: Counter Conditions For Filters

    Actions for Display Filters Table 7-5 shows actions available for display filters: Action Description Display Packet Display the resultant data. Change Filter Operation Go to a different filter state for processing the next incoming packet. The state can be the current state or any other state defined in the display filter.
  • Page 152: Frame Types

    Surveyor User’s Guide Global Values that Affect Capture Filter Actions Table 7-6 describes the options and settings available that have a global setting. If you set the value in one statement, the value will apply to all other statements. The post trigger buffer position set in the...
  • Page 153: Multi-State And Multi-Statement Filters

    THGm. Multi-State and Multi-Statement Filters To create more complex filters, use Surveyor’s graphical scripting language. You’ll find it intuitive and easy to use if you have experience doing simple programming or experience working with “meta-languages.” After you become familiar with this graphical scripting language, you’ll have a powerful tool for getting exactly the data...
  • Page 154: Example Filter States Design Window

    Surveyor User’s Guide Click on the State window for the filter. An example is shown below. Design Figure 7-4. Example Filter States Design Window From the Filter States Design window shows all the filter statements and the structure of the filter. Each statement is composed of conditions and actions to take if the condition is satisfied.
  • Page 155: Filter Structure

    ELSE statement is a set of actions to take when the other statements are false. The actions result in the subset of data that is captured or displayed by Surveyor. The statements and labels have an order, structure, and syntax. You always start and stay in State0 until an action takes you to a different state.
  • Page 156: Filter States

    Filter States States are used to group a set of statements. Since statements contain conditions and actions, states are a way to create a set of conditions and actions. You can specify up to 4 states with THGm. You always start and stay in State0 until an action takes you to a different state.
  • Page 157: Logic Sequence For Capture And Display Filter Statements

    Filter Statements To create statements, press the Use the window that appears to create a condition and to specify actions to be taken if the condition is satisfied. Once a condition is true, the next condition is not examined. For the next frame you remain in the current state or go to a different state, depending on the GoTo action specified in the statement.
  • Page 158: Capture And Display Filter Differences

    Capture and Display Filter Differences Display and capture filters are activated in different ways. Also, some options for capture filters are not used in display filters. Some options available in capture filters make no sense for display and are therefore not supported: •...
  • Page 159: Filter Examples

    Filter Examples Filter examples are supplied with Surveyor. To see examples, open a capture filter file (.CFD extension) or a display filter file (.DFD extension) from the dow. From the Module filter. To find more examples, look in the ...\examples\filter directory.
  • Page 160 Surveyor User’s Guide The steps used to create the filter template and load it to a resource are shown below: 1. Press the Clear Template 2. Press the Name name table and click 3. Press the Name name table and click 4.
  • Page 161: Filter Example, Template Combination

    Filter Example, Template Combination The Filter Design window in Figure 7-6 shows the capture filter with a logical combination built in the Template Combination box. This filter collects all traffic to and from a single station that make use of the HTTP or FTP protocols. The two templates are combined with an OR statement to collect both types of protocols.
  • Page 162 Surveyor User’s Guide The following steps describe how to create two filter templates, logically combine them using an OR operator, and load the resulting Template Combination to a resource: 1. Select the HTTP box. 2. Press the Name name table and click 3.
  • Page 163: Filter Example, Capture Tcp Port Traffic

    Filter Example, Capture TCP Port Traffic The Filter Design window in Figure 7-7 shows the capture filter for a specific TCP Port. This filter collects all TCP/IP traffic that uses the BootPS port number. Figure 7-7. Filter Design Window, Capture TCP Port Example...
  • Page 164 The following steps describe how to create the BootPS filter template and load it to a resource. 1. Press the Clear Template 2. In the Apply Port to Template BootPS port, use the IP/TCP protocol. In the example, the frame type is set to EV2.
  • Page 165: Filter Example, Advanced Filter

    Filter Example, Advanced Filter Filter States Design Filter States Design the filter has multiple states and statements. From the shown in Figure 7-8, double-click on a statement to bring up its dow to see the details of how the statement is constructed. Figure 7-8.
  • Page 166: Rules Of The Capture Or Display Filter

    Depending on the number of states, the micro filters, and the logic combinations used, it is possible to exceed the maximum number of hardware filters. Contact Finisar customer support if you are experiencing problems with writing complex filters that exceed the maximum number of hardware filters.
  • Page 167: Hints And Tips For Using Filters

    Hints and Tips for Using Filters • Remember to load the Capture filter on the module before you start capture. • If you want to look at captured data in many different ways, use display filters rather than capture filters. Capture large blocks of unfiltered data and look at different subsets of the data by using a variety of display filters.
  • Page 168: Filtering Tips Unique To Thg-Class Devices

    • From the Detail View pane of the Capture View window, you can copy the contents of any field to create a Capture or Display filter. Select the field with the left mouse and then click the right mouse button. Selections for copy to capture or display filter appear.
  • Page 169: Transmit Specification

    With multiple modules, transmitted data can be captured by another analyzer card. You can use the capture and view features in the Surveyor software to analyze the results, all from the same PC. Although you can transmit using Portable Surveyor 10/100 Ethernet Analyzer Card or NDIS modules, these devices are not always accurate transmit devices.
  • Page 170: Transmit Specification Dialog Box

    Surveyor User’s Guide Transmit Specification Dialog Box Transmit Specifications are defined in a dialog box. The dialog box contains: • Defined Streams • Radio buttons and fields for defining a stream (middle) • Buttons for adding, modifying, or deleting streams, editing data •...
  • Page 171 options available from the dialog box and click on the a capture file as a defined stream using the appears in the Defined Streams the order in which they are defined. A defined stream may be activated or deactivated by double-clicking on the stream. An activated stream has a check mark next to it in the is highlighted with the Windows highlight color;...
  • Page 172: Stream Function Buttons

    Surveyor User’s Guide the stream. The Auto CRC generated for the stream. Stream Buttons Add File... single stream. Stream Button Add File… Modify Delete Edit Data… Transmission Mode and Status Controls Transmission Mode transmitted once they are loaded to the module. You can transmit the entire specification n times or continuously.
  • Page 173: Repeating Frames

    Transmit Specification control buttons are described in Table 8-2: Table 8-2. Transmit Specification Control Buttons Control Button Transmit Specification Function Load Module Loads the current resource with the currently defined Transmit Specification. Be sure to use the Load Module button to load the specification to the resource before you begin transmission.
  • Page 174 Surveyor User’s Guide Repeating frames using the transmission mode feature is a function implemented in software; there is a time gap of about 50ms between each transmission of the entire specification. Use Repeat Frames ‘n’ Times or Bursts where timing issues are critical when sending frames for these devices.
  • Page 175: Stream Modes

    Stream Modes An interpacket gap for a frame can be set in three different ways; Packet Gap, Frame Rate and Traffic Rate. The stream mode defines the rate at which packets are transmitted from a module. The modes are as shown in Table 8-4 below: Stream Mode Rate Setting Packet Gap...
  • Page 176: Transmission Mode

    Surveyor User’s Guide Transmission Mode You can either transmit the specification continuously or transmit it n times. Select Transmit Continuously module is stopped. Select Transmit Spec (N frames) times. The number of streams does not necessarily equate to the number of frames transmitted.
  • Page 177: Changing Fields Directly In The Dialog Box

    Table 8-5 shows the buttons that are available from within the packet editor: Packet Editor Button Editing Function Compute CRC Inserts the correct CRC error check value for the frame. You can use this option to create frames with or without correct CRC error check values.
  • Page 178 Use an X in any offset of the Surveyor will generate packets with different values in that offset. For example, set field to 432FFFFFXX. When transmitting packets, values will be generated either sequentially or randomly and sent for the last 2 positions of the DA.
  • Page 179: Using Templates

    5. Save the new capture file (the template). Make sure you give a name you will recognize later. Place it in the ..\template directory or one of its subdirectories. 6. You must restart Surveyor to view the new packet template in the template menus. Templates display in the Template menu when using the menu.
  • Page 180: Transmitting Capture Files

    Transmit Specification Examples Transmit Specification examples are supplied with Surveyor. Open a transmit specification file (..\transmit subdirectory, .TSP extension) from the dialog box to see examples.
  • Page 181: Transmit Specification Dialog Box, Packet Gaps

    Transmit Specification Example, Packet Gaps A Transmit Specification example in its dialog box is shown in Figure 8-2. The dialog box only shows the values for the currently highlighted stream. The current stream appears highlighted within the Defined Streams window. Multiple streams are defined in the specification.
  • Page 182: Transmit Specification Example, Bursts

    Surveyor User’s Guide Transmit Specification Example, Bursts Transmit Specification shows values for one stream, the stream that contains a burst. Multiple streams are defined in the specification. Since a burst of 100 is specified, 101 frames will be transmitted even though there are only two “streams” defined.
  • Page 183: Hints And Tips For A Transmit Specification

    Hints and Tips for a Transmit Specification • Take care with what you transmit. Surveyor can transmit packets at more than 100% of network bandwidth. It is possible to flood the network and cripple performance. • Make sure to activate streams before loading the specification to the module.
  • Page 185: Alarms

    SNMP trap message to a management station. Alarms only apply to Surveyor 4.1 or later versions. You cannot create alarms if the remote software ( version 4.1.
  • Page 186: Current Module Alarms

    Surveyor User’s Guide Current Module Alarms When you right-click on an analyzer device in the Resource Browser, a menu appears. Select Alarms... list of alarms set up for the resource. If you have no alarms set for the resource, no alarms will display.
  • Page 187: Alarm Editor

    Press New Alarm to enable new alarms for a resource. The Alarm Editor dialog box appears. Multiple alarms of any type may be added. See the following section for more information on the Alarm Editor. Figure 9-2. Alarm Editor Highlight one or more alarms in the Current Module Alarm window.
  • Page 188: Alarm Editor

    Click on the appropriate tab to display the alarm table you want. Each alarm can be used with the default values provided by Surveyor, or you can modify them with the Alarms Editor to precisely meet your resource monitoring needs.
  • Page 189: Multi-Qos Alarms

    Multi-QoS Alarms For Multi-QoS alarms, alarms can be created from the Multi-QoS Views interface as well as by double-clicking on the host. The Codecs field within the alarm editor allows you to select a specific codec or to ignore the type of codec used. For example, to trigger the alarm only when a G.711 codec is used, set the field to .
  • Page 190: Expert Alarms, Listed By Protocol Layer

    Surveyor User’s Guide Expert Alarms During transmit or receive, expert symptoms are logged as they occur. You can test for certain thresholds for these conditions by setting alarms using the Expert tab of the Alarm Editor. See the chapter on the Expert system for more information about the expert alarms listed below.
  • Page 191: Using Alarms With Different Devices

    Surveyor 4.1 or greater. The software image for THGs analyzers must be at version 4.1 or greater. Table 9-3 shows the alarms that can be used with each Finisar analyzer device. Table 9-3. Alarms and Hardware Devices...
  • Page 192: Thresholds And Alarms

    The sample type can be set to either field determines how Surveyor will use the threshold values set in the Type Value...
  • Page 193: Alarm Actions

    Stop&Save stops the module when the alarm occurs. If the host is a PC running Surveyor, the buffer is saved to disk. The name automatically assigned to this file is based on the date and time of the alarm event.
  • Page 194: Log File Settings

    Setting E-mail Settings... setting for the host. All alarms reported by Surveyor will go to the same set of E-mail addresses. For example, you cannot send some alarms to one set of e-mail addresses and some alarms to another set of e-mail addresses.
  • Page 195: Pager Settings

    Alarms Alarm Actions E-mail settings for Surveyor hosts and THGs hosts are slightly different. For analyzer devices in Surveyor hosts, you set the list e-mail recipients for alarms from → → menu. All other e-mail configuration Host Alarm Setting E-mail Settings...
  • Page 196: Snmp Trap Settings For Thgs

    Trap Settings for THGs The stations to receive traps for a remote THGs can be established from the local host running Surveyor. To set up trap destinations for a remote THGs device, select the THGs device in the Resource Browser and from the menu bar select .
  • Page 197 SNMP trap destinations on your Windows system. Surveyor has six different traps, one for each of the alarm groups. The number of alarm variables is the same except for Multi-QoS alarms, which contain some additional information.
  • Page 198: Viewing The Alarm List And The Alarm Log

    Viewing the Alarm List and the Alarm Log There are several ways to access the list of alarms or a log of alarm events. From Detail View, click on the Alarms List Alarm Log tab for the resource.
  • Page 199: Alarm Examples

    This simple example shows an alarm group consisting of one MAC Layer alarm for Utilization. This alarm samples network traffic at five-second intervals. When the absolute, rising value of 50 (percent utilization) is exceeded, Surveyor issues an audible alarm and displays a message in Surveyor’s message window.
  • Page 200: Alarm Example, Mac Errors

    (two alarms), Oversize Frames, CRC/Alignment, and Fragments. Each of these alarm counters is checked at five-second intervals. When an alarm threshold for any of these five alarms is exceeded, Surveyor issues an audible alarm and displays a message in Surveyor’s message window.
  • Page 201: Alarm Example, Frame Size

    Oversize Frames, 256-511 Byte Frames, 512-1028 Byte Frames, and 1024-1518 Byte Frames. Each of these alarms samples network traffic at five-second intervals. When an alarm threshold for any of these four alarms is exceeded, Surveyor issues an audible alarm and displays a message in Surveyor’s message window. In addition, the alarms will be logged to the Log file specified.
  • Page 202: Alarm Example, Voip Calls

    This example shows an alarm group consisting of four alarms: Call Setup Time, Call Jitter, severe Call Jitter, and User R-factor. When an alarm threshold for any of these four alarms is exceeded, Surveyor issues an audible alarm and displays a message in Surveyor’s...
  • Page 203: Alarm Example, Expert And Application Response

    This example shows alarms consisting of three Application Response and one Expert alarm. All of these alarm counters are checked at five-second intervals. When an alarm threshold for any of these four alarms is exceeded, Surveyor issues an audible alarm and displays a warning message in Surveyor's message window.
  • Page 205: Expert Features

    Expert plug-in. Surveyor observes the traffic on network segments, learns their unique characteristics, and constructs a database of network entities from the traffic it sees. Surveyor uses protocol decoding to learn about the connections, network stations, routing nodes, and subnetworks related to the frames in the buffer or capture file. From this information, Surveyor can detect potential problems on the network.
  • Page 206: Expert System Views

    See Chapter 6, “Views” for more information on Expert Views. Getting Started with Expert View When Surveyor finds an event that could indicate a network problem, the event is logged in appropriate tables, and the appropriate counters are incremented in the overview tables.
  • Page 207: Expert Overview Example

    Figure 10-1. Expert Overview Example
  • Page 208: Expert Overview Details

    Expert Overview Details Click on any counter in the display to view a table listing only the events for the selected symptom. The display has a summary area showing all symptoms and a detail area for the current selected symptom.
  • Page 209: Expert Overview Detail Table Example

    Figure 10-2. Expert Overview Detail Table Example
  • Page 210: Expert Layers

    Expert Layers Surveyor categorizes network problems according to the network “layer” at which they occur. During capture or monitor, Surveyor decodes frames. The decode information embedded in each frame is used to categorize the problem. Layers are selected from the panel on the left of the Expert window. A display of symptoms can be refined by pressing one of the layer icons in the display.
  • Page 211: Expert Application Layer Example

    Figure 10-3. Expert Application Layer Example
  • Page 212 Session Layer to jump to the first connection from the client to that server in the Transport Layer. Table 10-1 is a list of the general categories of symptoms and analyses discovered by Surveyor’s expert logic broken down by layer.
  • Page 213: Expert Symptoms And Analyses By Layer

    Table 10-1. Expert Symptoms and Analyses by Layer Layer Expert Symptoms Application Excessive ARP Excessive BOOTP Excessive Mailslot Broadcasts FTP Login Attempts Missed Browser Announcement NCP File Retransmission NCP Read/Write Overlap NCP Request Denied NCP Request Loop NCP Server Busy NFS Retransmission Slow HTTP GET Response Slow HTTP POST Response...
  • Page 214: Expert Symptoms, Analyses, And Network Entities

    Expert Symptoms, Analyses, and Network Entities When you capture or monitor packets on a network segment, Surveyor immediately begins constructing a database of network entities from the traffic it sees. Surveyor uses protocol decoding to learn all about the connections, network stations, routing nodes, and subnetworks related to the frames in the capture buffer.
  • Page 215: Analyses

    Entities Surveyor extracts information from the data stream to form its network entity database. Entities can be DLC stations (physical and logical link layers), network stations (network layer), connections (transport layer), sessions (session layer), applications (presentation, and application layers), a subnetwork, a router, or other useful data entities.
  • Page 216: Entities For The Transport Layer Example

    Press the Entities ered from the current packet analysis. The example below shows the entities discovered for the Transport Layer. The detail area shows details for both the conversation and the individual stations in the conversation. Figure 10-4. Entities for the Transport Layer Example...
  • Page 217 Application/Session Lists for Entities The list displays the number of packets and bytes of application data that are sent and received by the server. The times when the first and last packets seen by this server are noted, and the duration is the difference between the times. The maximum and minimum response times of this server are shown.
  • Page 218 Data Link Lists for Entities The first list displays the network traffic of the physical station. It shows how many packets and bytes of data are sent and received by the station. It shows the network addresses associated to the station.
  • Page 219: Expert Diagnostic Messages

    Expert Diagnostic Messages From any summary table you can double-click on any symptom or analysis to display an Expert Diagnostic Message. Contents of the include: • A summary of the symptom or analyses, including addresses and frame IDs • A description of the Expert symptom or analyses •...
  • Page 220: Configuring The Expert System

    Working with the Expert System Configuring the Expert System Use the Expert Configurations dialog box to change expert settings. With the Expert View visible, select configuration options. An example Expert Configurations dialog box is shown below. Settings are organized in a tree structure, with different network layers as the main branches in the tree.
  • Page 221: Module Settings For The Expert System

    Surveyor alarms. Alarms test for thresholds at different protocol layers, such as the number of NFS retransmissions at the application layer or a specific overload utilization percentage at the MAC layer.
  • Page 222: Exporting Expert Data

    The timestamps for analyzer devices increment from the time the device was last started. If Surveyor detects two symptoms in the same packet, Surveyor will display the symptom that it determines to be the most hazardous to network function.
  • Page 223: Working With Analyzer Devices

    However, the packet cannot be sent if the analyzer device used by Surveyor is connected through a tap device. The application response time will only work if the transmit port of the analyzer is directly connected to a switch port or device.
  • Page 224: Application Layer

    Application Layer Excessive Mailslot Broadcasts Counter Excessive Mailslot Broadcasts is a counter of Mailslot Broadcasts packets per second that exceed a threshold. A count of all Excessive Mailslot Broadcasts events displays in the Overview Expert Analysis Excessive Mailslot Broadcasts events are automatically logged as expert symptoms.
  • Page 225: Ftp Login Attempts

    FTP Login Attempts Counter FTP Login Attempts is a counter of FTP login attempts that exceed a threshold. A count of all FTP Login Attempt events displays in the View. Expert Symptom FTP Login Attempt events are automatically logged as expert symptoms. The field provides the number of login attempts.
  • Page 226: Missed Browser Announcement

    Missed Browser Announcement Counter Missed Browser Announcement is a counter of events where the time elapsed since the last browser announcement exceeds a threshold. A count of all Missed Browser Announcement events displays in the Expert Symptom Missed Browser Announcement events are automatically logged as expert symptoms.
  • Page 227: Ncp File Retransmission

    NCP File Retransmission Counter NCP File Retransmission is a counter of all times where a portion of a file is retransmitted. A count of all NCP File Retransmission events displays in the Overview counters of Expert View. Expert Symptom NCP File Retransmission events are automatically logged as expert symptoms. The Symptom Summary field provides the two addresses between which the retransmission occurred.
  • Page 228: Ncp Read/Write Overlap

    NCP Read/Write Overlap Counter NCP Read/Write Overlap is a counter of all times where a portion of a file overlaps the transmission of other parts of the file. A count of all NCP Read/Write Overlap events displays in the Expert Symptom NCP Read/Write Overlap events are automatically logged as expert symptoms.
  • Page 229: Ncp Request Denied

    NCP Request Denied Counter NCP Request Denied is a counter of all times where the number of request denied replies exceeds a threshold within an interval. A count of all NCP Request Denied events displays in the Overview Expert Symptom NCP Request Denied events are automatically logged as expert symptoms.
  • Page 230: Ncp Request Loop

    NCP Request Loop Counter NCP Request Loop is a counter of all times where the same request occurs within an interval. A count of all NCP Request Loop events displays in the of Expert View. Expert Symptom NCP Request Loop events are automatically logged as expert symptoms.
  • Page 231: Ncp Server Busy

    NCP Server Busy Counter NCP Server Busy is a counter of all NCP Server Busy responses that exceed a threshold for a single station. A count of all NCP Server Busy displays in the Overview counters of Expert View. Expert Symptom NCP Server Busy events are automatically logged as expert symptoms.
  • Page 232: Ncp Too Many File Retransmissions

    NCP Too Many File Retransmissions Counter NCP Too Many File Retransmissions is a counter of events where the ratio of file retransmissions to file requests exceeds a threshold value for a single station. A count of all NCP Too Many File Retransmission events displays in the counters of Expert View.
  • Page 233: Ncp Too Many Requests Denied

    NCP Too Many Requests Denied Counter NCP Too Many Requests Denied is a counter of events where the ratio of file requests denied to file requests exceeds a threshold value for a single station. A count of all NCP Too Many Requests Denied events displays in the counters of Expert View.
  • Page 234: Ncp Too Many Request Loops

    NCP Too Many Request Loops Counter NCP Too Many Request Loops is a counter of events where the ratio of file request loops to file requests exceeds a threshold value for a single station. A count of all NCP Too Many Request Loops events displays in the View.
  • Page 235: Nfs Retransmissions

    NFS Retransmissions Counter NFS Retransmissions is a counter of all NFS Retransmissions over a period of time per segment. A count of all NFS Retransmissions displays in the of Expert View. A threshold for this counter can be set in Expert Alarms. Expert Symptom NFS Retransmission events are automatically logged as expert symptoms.
  • Page 236: No Http Post Response

    No HTTP POST Response Counter No HTTP POST Response is a counter of all POST requests to an HTTP server that never receive a response or exceed a time out value. A count of all No HTTP POST...
  • Page 237: No Server Response

    No Server Response Counter No Server Response is a counter of responses to server requests that never happen or exceed a time out value. A count of all No Server Responses displays in the Overview counters of Expert View. Expert Analysis No Server Response events are automatically logged as expert analyses.
  • Page 238: Slow Http Get Response

    Slow HTTP GET Response Counter Slow HTTP GET Response is a counter of all Slow HTTP GET Responses that exceed a threshold. A count of all Slow HTTP GET Responses displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
  • Page 239: Slow Http Post Response

    Slow HTTP POST Response Counter Slow HTTP POST Response is a counter of all HTTP POST responses that exceed a threshold. A count of all Slow HTTP POST Responses displays in the counters of Expert View. A threshold for this counter can be set in Expert Alarms. Expert Symptom Slow HTTP POST Response events are automatically logged as expert symptoms.
  • Page 240: Slow Server Connect

    Slow Server Connect Counter Slow Server Connect is a counter of all server connect responses that exceed a threshold. A count of all Slow Server Connects displays in the Expert View. Expert Symptom Slow Server Connect events are automatically logged as expert symptoms. The Symptom Summary the time taken for the server to connect, and the threshold value.
  • Page 241: Slow Server Response

    Slow Server Response Counter Slow Server Response is a counter of server responses that exceed a threshold. A count of all Slow Server Responses displays in the View. Expert Symptom Slow Server Response events are automatically logged as expert symptoms. The Symptom Summary field provides information about the type of application server, the time taken for the server to respond, and the threshold value.
  • Page 242: Smb Invalid Network Name

    SMB Invalid Network Name Counter SMB Invalid Network Name is a counter of SMB sessions that could not be established because of invalid network names. A count of all SMB Invalid Network Name displays in the Expert Analysis SMB Invalid Network Name events are automatically logged as expert symptoms.
  • Page 243: Smb Invalid Password

    SMB Invalid Password Counter SMB Invalid Password is a counter of SMB sessions that could not be established because of an invalid password. A count of all SMB Invalid Password displays in the Overview counters of Expert View. Expert Analysis SMB Invalid Password events are automatically logged as expert symptoms. The Symptom Summary field provides the following information: Invalid password...
  • Page 244: Session Layer

    Session Layer No WINS Response Counter No WINS Response is a counter of responses to WINS server requests that never happen or exceed a time out value. A count of all No WINS Responses displays in counters of Expert View.
  • Page 245: Tns Slow Server Connect

    TNS Slow Server Connect Counter TNS Slow Server Connect is a counter of all TNS server connect responses that exceed a threshold. A count of all TNS Slow Server Connects displays in the Overview counters of Expert View. Expert Symptom TNS Slow Server Connect events are automatically logged as expert symptoms.
  • Page 246: Tns Slow Server Response

    TNS Slow Server Response Counter TNS Slow Server Response is a counter of TNS server responses that exceed a threshold. A count of all TNS Slow Server Responses displays in the counters of Expert View. Expert Symptom TNS Slow Server Response events are automatically logged as expert symptoms.
  • Page 247: Transport Layer

    Transport Layer Idle Too Long Counter The Idle Too Long counter increments when a connection is idle for greater than a threshold value, measured in seconds. A count of all Idle Too Long events displays in the Overview counters of Expert View. Expert Symptom Idle Too Long events are automatically logged as expert symptoms.
  • Page 248: Non Responsive Station

    Non Responsive Station Counter Non Responsive Station is a counter of all non-responsive stations over a period of time per segment. A non-responsive station is defined as successive TCP/IP retransmissions over the same connection that are greater than a threshold value. A count of all non-responsive stations displays in the View.
  • Page 249: Tcp Checksum Errors

    TCP Checksum Errors Counter TCP Checksum Errors is a counter of all incorrect TCP checksums over a period of time per segment. A count of all TCP Checksum Errors events displays in the Overview counters of Expert View. Expert Symptom TCP Checksum Errors events are automatically logged as expert symptoms.
  • Page 250: Tcp Fast Retransmission

    TCP Fast Retransmission Counter TCP Fast Retransmission is a counter of all TCP retransmissions that are less than a threshold value. A count of all TCP Fast Retransmissions displays in the counters of Expert View. A threshold for this counter can be set in Expert Alarms.
  • Page 251: Tcp Frozen Window

    TCP Frozen Window Counter The TCP Frozen Window counter increments when the TCP window is frozen for greater than a threshold value, measured in seconds. A count of all TCP Window Frozen events displays in the this counter can be set in Expert Alarms. Expert Symptom TCP Frozen Window events are automatically logged as expert symptoms.
  • Page 252 Recommended Action(s): 1. Upgrade the receiver’s CPU and/or Memory. 2. Reduce the number of connections to the receiver. 3. Increase the network bandwidth.
  • Page 253: Tcp Long Ack

    TCP Long Ack Counter The TCP Long Ack counter increments when the TCP acknowledgment for a connection is not seen for greater than a threshold value, measured in milliseconds. A count of all TCP Long Ack events displays in the View.
  • Page 254: Tcp Repeat Ack

    TCP Repeat Ack Counter The TCP Repeat Ack counter increments when the TCP acknowledgment number is less than the immediately preceding acknowledgement. A count of all TCP Repeat Ack events displays in the Expert Symptom TCP Repeat Acks are automatically logged as expert symptoms. The field indicates that the acknowledgement numbers are out of sequence.
  • Page 255: Tcp Retransmissions

    TCP Retransmissions Counter TCP Retransmissions is a counter of all TCP Retransmissions over a period of time per segment. This variable counts the number of retransmitted packets to measure excessive retransmission in TCP/IP. A count of all TCP Retransmissions displays in counters of Expert View.
  • Page 256: Tcp Rst Packets

    TCP RST Packets Counter TCP RST Packets is a counter of all TCP RST Packets over a period of time per segment. This variable counts the number of RST responses to monitor resets in TCP/IP. A count of all TCP RST packets displays in the Expert View.
  • Page 257: Tcp Syn Attack

    TCP SYN Attack Counter The TCP SYN Attack counter increments when a change in the number of SYN requests per second exceeds a threshold. A count of all TCP SYN Attack events displays in the Overview be set in Expert Alarms. Expert Symptom TCP SYN Attack events are automatically logged as expert symptoms.
  • Page 258: Tcp Window Exceeded

    TCP Window Exceeded Count TCP Window Exceeded is a counter of all events where the data length of a TCP packet exceeds the current window size. A count of all TCP Window Exceeded events displays in the Expert Symptom TCP Window Exceeded events are automatically logged as expert symptoms.
  • Page 259: Tcp Window Probe

    TCP Window Probe Counter TCP Window Probe is a counter of all TCP Window Probe events over a period of time per segment. A count of all TCP Window Probe events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.
  • Page 260: Tcp Zero Window

    TCP Zero Window Counter TCP Zero Window is a counter of all TCP Zero Window events over a period of time per segment. A count of all TCP Zero Window events displays in the counters of Expert View. A threshold for this counter can be set in Expert Alarms.
  • Page 261: Too Many Retransmissions

    Too Many Retransmissions Counter Too Many Retransmissions is a counter of events where the ratio of retransmissions to packets sent exceeds a threshold value for a single station. A count of all Too Many Retransmissions events displays in the Expert Analysis Too Many Retransmissions events are automatically logged as expert analyses.
  • Page 262: Network Layer

    Network Layer Duplicate Network Address A separate table showing duplicate network addresses is available. Press the button on the Data View or Capture View toolbar to see this table. Counter Duplicate Network Address is a counter of all duplicate network addresses over a period of time per segment.
  • Page 263: Hsrp Coup

    HSRP Coup Counter HSRP Coup events are counted in the HSRP Errors counter, which displays in the Overview counters of Expert View. A Coup message indicates that the router wishes to become active. A threshold can be set in Expert Alarms for HSRP Coup/Resign packets, which includes both Resign and Coup HSRP messages.
  • Page 264: Hsrp Errors

    HSRP Errors Counter Some Hot Standby Routing Protocol (HSRP) packets are counted in the HSRP Errors counter, which displays in the Overview counters of Expert View. Both Coup and Resign packets are counted. Coup/Resign packets in the HSRP are used to activate/deactivate routers.
  • Page 265: Hsrp Resign

    HSRP Resign Counter HSRP Resign events are counted in the HSRP Errors counter, which displays in the Overview counters of Expert View. A Resign message indicates that the router is requesting to become inactive. A threshold can be set in Expert Alarms for HSRP Coup/Resign packets, which includes both Resign and Coup HSRP messages.
  • Page 266: Icmp All Errors

    ICMP All Errors Counter ICMP All Errors is a counter of all ICMP symptoms. A count of all ICMP symptoms displays in the be set in Expert Alarms to set a threshold for all ICMP errors. The following types of ICMP errors are counted: •...
  • Page 267: Icmp Bad Ip Header

    ICMP Bad IP Header Counter ICMP Bad IP Header events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the be set in Expert Alarms for all ICMP errors. Expert Symptom ICMP Bad IP Header events are automatically logged as expert symptoms. The field provides information about the IP addresses involved.
  • Page 268: Icmp Destination Host Access Denied

    ICMP Destination Host Access Denied Counter ICMP Destination Host Access Denied events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the counters of Expert View.
  • Page 269: Icmp Destination Host Unknown

    ICMP Destination Host Unknown Counter ICMP Destination Host Unknown events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the of Expert View.
  • Page 270: Icmp Destination Network Access Denied

    ICMP Destination Network Access Denied Counter ICMP Destination Network Access Denied events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the counters of Expert View.
  • Page 271: Icmp Destination Network Unknown

    ICMP Destination Network Unknown Counter ICMP Destination Network Unknown events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the counters of Expert View.
  • Page 272: Icmp Destination Unreachable

    ICMP Destination Unreachable ICMP Destination Unreachable is a counter of all ICMP destination unreachable errors over a period of time per segment. A count of all destination unreachable ICMP symptoms displays in the this counter can be set in Expert Alarms for all destination unreachable ICMP errors.
  • Page 273 Recommended Action(s): 1. Check the routing tables of the router that this message was generated from. 2. Check the netmask configuration of the source. 3. Ignore this message if the destination is truly unreachable (no action required).
  • Page 274: Icmp Fragment Reassembly Time Exceeded

    ICMP Fragment Reassembly Time Exceeded Counter ICMP Fragment Reassembly Time Exceeded events are counted in the All ICMP Errors counter. A count of all ICMP errors displays in the Expert View. A threshold can be set in Expert Alarms for all ICMP errors.
  • Page 275: Icmp Fragmentation Needed [D/F Set]

    ICMP Fragmentation Needed [D/F set] Counter ICMP Fragmentation Needed [D/F set] events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the counters of Expert View.
  • Page 276: Icmp Host Redirect

    ICMP Host Redirect Counter ICMP Host Redirect events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the Expert Alarms for all ICMP redirect errors or for all ICMP errors.
  • Page 277: Icmp Host Redirect For Tos

    ICMP Host Redirect for TOS Counter ICMP Host Redirect for TOS events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.
  • Page 278: Icmp Host Unreachable

    ICMP Host Unreachable Counter ICMP Host Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Expert View.
  • Page 279: Icmp Host Unreachable For Tos

    ICMP Host Unreachable for TOS Counter ICMP Host Unreachable for TOS events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the of Expert View.
  • Page 280: Icmp Inconsistent Subnet Mask

    ICMP Inconsistent Subnet Mask Counter ICMP Inconsistent Subnet Mask events are counted in the ICMP All Errors counter. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Expert Alarms for all ICMP errors.
  • Page 281: Icmp Network Redirect

    ICMP Network Redirect Counter ICMP Network Redirect events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the set in Expert Alarms for all ICMP redirect errors or for all ICMP errors. Expert Symptom ICMP Network Redirect events are automatically logged as expert symptoms.
  • Page 282: Icmp Network Redirect For Tos

    ICMP Network Redirect for TOS Counter ICMP Network Redirect for TOS events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.
  • Page 283: Icmp Network Unreachable

    ICMP Network Unreachable Counter ICMP Network Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
  • Page 284: Icmp Parameter Problem

    ICMP Parameter Problem Counter ICMP Parameter Problem events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the threshold can be set in Expert Alarms for all ICMP errors. Expert Symptom ICMP Parameter Problem events are automatically logged as expert symptoms.
  • Page 285: Icmp Port Unreachable

    ICMP Port Unreachable Counter ICMP Port Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.
  • Page 286: Icmp Protocol Unreachable

    ICMP Protocol Unreachable Counter ICMP Protocol Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the of Expert View.
  • Page 287: Icmp Redirect

    ICMP Redirect Counter ICMP Redirect is a counter of all ICMP redirect errors over a period of time per segment. A count of all redirect ICMP symptoms displays in the of Expert View. A threshold for this counter can be set in Expert Alarms. The following types of ICMP redirect errors are counted: Network Redirect, Host Redirect, Network Redirect for TOS, Host Redirect for TOS, ICMP Redirect (catches all other Redirect errors).
  • Page 288: Icmp Required Ip Option Missing

    ICMP Required IP Option Missing Counter ICMP Required IP Option Missing events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the View. A threshold can be set in Expert Alarms for all ICMP errors.
  • Page 289: Icmp Source Quench

    ICMP Source Quench Counter ICMP Source Quench events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the can be set in Expert Alarms for all ICMP errors. Expert Symptom ICMP Source Quench events are automatically logged as expert symptoms. The field provides information about the IP addresses involved.
  • Page 290: Icmp Source Route Failed

    ICMP Source Route Failed Counter ICMP Source Route Failed events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Expert View.
  • Page 291: Icmp Time Exceeded

    ICMP Time Exceeded Counter ICMP Time Exceeded events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the can be set in Expert Alarms for all ICMP errors. Expert Symptom ICMP Time Exceeded events are automatically logged as expert symptoms. The field provides information about the IP addresses involved.
  • Page 292: Icmp Time To Live Exceeded

    ICMP Time to Live Exceeded Counter ICMP Time to Live Exceeded events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the threshold can be set in Expert Alarms for all ICMP errors.
  • Page 293: Illegal Network Source Address

    Illegal Network Source Address Counter Illegal Network Source Address is a counter of all illegal network source addresses over a period of time per segment. A count of all illegal MAC source addresses displays in the Overview be set in Expert Alarms. Expert Symptom Illegal network source addresses are automatically logged as expert symptoms.
  • Page 294: Ip Checksum Errors

    IP Checksum Errors Counter IP Checksum Errors is a counter of all incorrect IP checksums over a period of time per segment. A count of all IP Checksum Errors events displays in the Overview counters of Expert View.
  • Page 295: Ip Time To Live Expiring

    IP Time to Live Expiring Counter IP Time to Live Expiring is a counter of all expiring connections over a period of time per segment. A count of all IP Time to Live Expiring events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms to generate an alarm based on a specific number of expiring connections.
  • Page 296: Isl Bpdu/Cdp Packets

    ISL BPDU/CDP Packets Counter ISL BPDU/CDP Packets is a counter of all Bridge Protocol Data Unit (BPDU) or Cisco Discovery Protocol (CDP) packets in an ISL frame over a period of time per segment. A count of BPDU/CDP packets displays in the Expert View.
  • Page 297: Isl Illegal Vlan Id

    ISL Illegal VLAN ID Counter ISL Illegal VLAN ID is a counter of all ISL illegal VLAN IDs over a period of time per segment. A count of all ISL Illegal VLAN ID displays in the of Expert View. A threshold for this counter can be set in Expert Alarms. Expert Symptom ISL Illegal VLAN IDs are automatically logged as expert symptoms.
  • Page 298: Ospf Broadcasts

    OSPF Broadcasts Counter OSPF Broadcasts is a counter of all OSPF broadcasts over a period of time per segment. A count of all OSPF broadcasts displays in the Expert View. A threshold for this counter can be set in Expert Alarms.
  • Page 299: Rip Broadcasts

    RIP Broadcasts Counter RIP Broadcasts is a counter of all RIP broadcasts over a period of time per segment. A count of all RIP broadcasts displays in the threshold for this counter can be set in Expert Alarms. If RIP broadcasts fall below a certain threshold, this may indicate that a RIP router is not functioning properly.
  • Page 300: Router Storm

    Router Storm Counter Router Storm is a counter of all events where the router broadcasts exceed a threshold for a single router. A count of all Router Storm events displays in the Overview counters of Expert View. Expert Symptom Router Storm events are automatically logged as expert symptoms.
  • Page 301: Same Network Addresses

    Same Network Addresses Counter Same Network Addresses is a counter of all events where the same source and destination network addresses are seen in the same packet. A count of all Same Network Address events displays in the Expert Symptom Same Network Address events are automatically logged as expert symptoms.
  • Page 302: Sap Broadcasts

    SAP Broadcasts Counter SAP Broadcasts is a counter of all SAP broadcasts over a period of time per segment. A count of all SAP broadcasts displays in the View. A threshold for this counter can be set in Expert Alarms.
  • Page 303: Total Router Broadcasts

    Total Router Broadcasts Counter Total Router Broadcasts is a counter of all total router broadcasts over a period of time per segment. A threshold for this counter can be set in Expert Alarms for total router broadcasts. If total router broadcasts go above a certain threshold, this may indicate that a router in the network is generating excessive broadcast messages.
  • Page 304: Unstable Mst

    Unstable MST Counter The Unstable MST counter increments when a change in the number of MST topology changes per second exceeds a threshold. The default threshold is a delta of 5 topology changes per second; however, this value can be changed from the Expert Thresholds tab in the Unstable MST events displays in the Overview counters of Expert View.
  • Page 305: Zero Broadcast Address

    Zero Broadcast Address Counter Zero Broadcast Address is a counter of all events where the destination network address is all zeros. A count of all Zero Broadcast Address events displays in the Overview counters of Expert View. Expert Symptom Zero Broadcast Address events are automatically logged as expert symptoms. The Symptom Summary field provides an indication that a zero network address has been discovered.
  • Page 306: Mac Layer

    MAC Layer Bad Frames Counter Bad Frames is a counter of all bad frames over a period of time per segment. A count of all bad frames displays in the The Bad Frames counter is a total count of several MAC layer symptoms. The bad frames counter includes the following MAC layer events: •...
  • Page 307: Broadcast/Multicast Storms

    Broadcast/Multicast Storms Counter The Broadcast/Multicast Storms counter increments when a change in the number of total Broadcast/Multicast packets per second exceeds a threshold. Broadcast/Multicast Storms can be used to monitor extreme peaks in the number of broadcast and/or multicast messages. A count of all instances where the threshold is reached displays in the Overview counters of Expert View.
  • Page 308: Crc Frame Counter

    CRC Frame counter Counter The CRC Frame counter increments when a frame has a CRC error and is greater than 63 bytes in length. A count of all CRC Frames is included in the Bad Frames counter. The CRC Frame counter is used for Expert Alarms.
  • Page 309: Excessive Arp

    Excessive ARP Counter The Excessive ARP counter increments when a change in the number of ARP requests per second exceeds a threshold. A count of all Excessive ARP events displays in the Overview be set in Expert Alarms. Expert Symptom Excessive ARP events are automatically logged as expert symptoms.
  • Page 310: Excessive Bootp

    Excessive BOOTP Counter The Excessive BOOTP counter increments when a change in the number of BOOTP/DHCP requests per second exceeds a threshold. A count of all Excessive BOOTP events displays in the this counter can be set in Expert Alarms.
  • Page 311: Excessive Broadcasts

    Excessive Broadcasts Counter Excessive Broadcasts is a counter that can be used to monitor fluctuations in the number of broadcast messages over a period of time per segment. A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive broadcasts.
  • Page 312: Excessive Collisions

    Excessive Collisions Counter Excessive Collisions is a counter that can be used to monitor fluctuations in the number of collisions or the absolute number of collisions over a period of time per segment. A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive collisions.
  • Page 313: Excessive Multicasts

    Excessive Multicasts Counter Excessive Multicasts is a counter that can be used to monitor fluctuations in the number of multicast messages over a period of time per segment. A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive multicasts.
  • Page 314: Fragment Frame

    Fragment Frame Counter The Fragment Frame counter increments when a frame has a CRC error and is less than 64 bytes in length. The Fragment Frame counter is used for Expert Alarms. A count of all Fragment Frames is included in the Bad Frames counter that displays in the Overview counters of Expert View.
  • Page 315: Illegal Mac Source Address

    Illegal MAC Source Address Counter Illegal MAC Source Address is a counter of all illegal MAC station source addresses over a period of time per segment. A count of all illegal MAC source addresses displays in the counter can be set in Expert Alarms. Expert Symptom Illegal MAC source addresses are automatically logged as expert symptoms.
  • Page 316: Jabber Frame

    Jabber Frame Counter The Jabber Frame counter increments when a frame has a CRC error and is greater than 1518 bytes in length. A count of all Jabber Frames is included in the Bad Frames counter that displays in the Overview counters of Expert View. The Jabber counter is used for Expert Alarms.
  • Page 317: Network Overload

    Network Overload Counter Network Overload is a counter of instances where a threshold for the percentage change in network utilization is exceeded. Network utilization is compared to the utilization for the previous time segment. The default threshold is a 40% change in network utilization.
  • Page 318: New Mac Stations

    New MAC Stations Counter New MAC Stations is a counter of all the new MAC stations over a period of time per segment. A threshold for this counter can be set in Expert Alarms. The threshold for new MAC stations is typically set to 1 as an absolute value.
  • Page 319: Oversized Frame

    Oversized Frame Counter The Oversize Frame counter increments when a frame has a CRC error and is greater than 1518 bytes in length. A count of all Oversize Frames is included in the Bad Frames counter that displays in the Overview counters of Expert View. The Oversize Frame counter is used for Expert Alarms.
  • Page 320: Overload Frame Rate

    Overload Frame Rate Counter Overload Frame Rate counts frames over a one-second time period. A threshold for the number of frames per second can be set in Expert Alarms. Overload Frame Rate can help catch network overloads.
  • Page 321: Overload Utilization Percentage

    Overload Utilization Percentage Counter Overload Utilization Percentage counts bits over time and compares this value to the maximum utilization possible (bandwidth). A threshold for this percentage value can be set in Expert Alarms. Overload utilization percentage can help catch network overloads. The default for a 100MB network is 25% of maximum utilization.
  • Page 322: Physical Errors

    Physical Errors Counter The Physical Errors counter increments when a change in the number of total MAC physical errors per second exceeds a threshold. Physical errors include CRC/alignment errors, dropped events, collisions, jabbers, oversize packets, undersize packets, and fragments.
  • Page 323: Runt Frame

    Runt Frame Counter The Runt Frame counter increments when a frame is less than 64 bytes in length. The Runt Frame counter is used for Expert Alarms. A count of all Runt Frames is included in the Bad Frames counter that displays in the Overview counters of Expert View.
  • Page 324: Same Mac Addresses

    Same MAC Addresses Counter Same MAC Addresses is a counter of all events where the same source and destination network addresses are seen in the same packet. A count of all Same MAC Address events displays in the Expert Symptom Same MAC Address events are automatically logged as expert symptoms.
  • Page 325: Total Mac Stations

    Total MAC Stations Counter Total MAC Stations is a counter of all the MAC stations over a period of time per segment. A count of all MAC stations displays in the View. A threshold for this counter can be set in Expert Alarms. The MAC station counter helps detect excessive MAC stations (nodes) on a LAN segment.
  • Page 326: Hints And Tips For Expert Features

    Hints and Tips for Expert Features • Double-click any symptom in a table to view Diagnostic information. • When looking at Expert View in Monitor only mode, Frame IDs are displayed for information only and you cannot examine a frame related to a symptom. If you need to look at specific frames related to Expert Symptoms, look at the frame information in the capture buffer or in a capture file.
  • Page 327: Summary Of Expert Counters And Symptoms

    Summary of Expert Counters and Symptoms Table Table 10-2 on the following page provides a summary of expert features by symptom/counter/application name. The meanings of the column headings are listed below. Expert Symptom; Expert Analysis; Counter in Expert View; Expert Alarm; Application Response Time Alarm; Expert Threshold...
  • Page 328: Summary Of Expert Features

    Counter, Symptom, Expert or Application Symptom Application Response Time Bad Frames Broadcast/Multicast Storm CRC Frames DNS Response Time Duplicate Network Address (also displays as a separate view) Excessive ARP Excessive BOOTP Excessive Broadcasts Excessive Collisions...
  • Page 329 Table 10-2. Summary of Expert Features (continued) Counter, Symptom, Expert or Application Symptom HTTP Response Time ICMP All Errors ICMP Bad IP Header ICMP Destination Host Access Denied ICMP Destination Host Unknown ICMP Destination Network Access Denied ICMP Destination Network Unknown ICMP Destination Unreachable ICMP Fragment...
  • Page 330 Table 10-2. Summary of Expert Features (continued) Counter, Symptom, Expert or Application Symptom ICMP Network Redirect ICMP Network Redirect for TOS ICMP Network Unreachable for ICMP Parameter Problem ICMP Port Unreachable ICMP Protocol Unreachable ICMP Redirect...
  • Page 331 Table 10-2. Summary of Expert Features (continued) Counter, Symptom, Expert Analyses, or Symptom Application IP Time to Live Expiring ISL BPDU/CDP Packets ISL Illegal VLAN ID Jabber Frames Missed Browser Announcement NCP File Retransmission NCP Read/Write Overlap NCP Request Denied NCP Request Loop NCP Server Busy NCP Too Many File...
  • Page 332 Table 10-2. Summary of Expert Features (continued) Counter, Symptom, Expert or Application Symptom No HTTP POST Response No Server Response No WINS Response Non Responsive Stations OSPF Broadcasts Overload Frame Rate Overload Utilization Percentage Oversize Frames Physical Errors...
  • Page 333 Table 10-2. Summary of Expert Features (continued) Counter, Symptom, Expert or Application Symptom Slow Server Response SMB Invalid Network Name SMB Invalid Password SMTP Response Time TCP Checksum Errors TCP Fast Retransmissions TCP Long Ack TCP Repeat Ack Retransmissions TCP RST Packets TCP SYN Attack...
  • Page 334 Table 10-2. Summary of Expert Features (continued) Counter, Symptom, Expert or Application Symptom TNS Slow Server Response Too Many Retransmissions Total MAC Stations Total Router Broadcasts Unstable MST Zero Broadcast Address X = present z = does not exist as a unique counter, but is counted in other categories...
  • Page 335: Multi-Qos

    Chapter 11 Multi-QoS Multi-QoS is a software plug-in to Surveyor that analyzes multimedia traffic over Ethernet-based networks. Multi-QoS validates Quality of Service (QoS) parameters presented by PSTN/IP Gateways, IP switches, and IPBXs. Multi-QoS provides a rich set of reported and calculated data to validate IP networks that carry the multimedia data.
  • Page 336: Protocols Supported By Multi-Qos

    Integrated Data). Multi-QoS also recognizes and decodes all major Codec protocols used for VoIP. Refer to Table 1-5 for a list of all protocols supported. Check the Finisar web site for updates on additional protocol support by Multi-QoS. Multi-QoS also organizes call information where the signaling protocol is not recognized into tables with the protocol type of UNKNOWN.
  • Page 337: Multi-Qos User Interface Overview

    Multi-QoS User Interface Overview The Surveyor Multi-QoS interface can be used with capture files, a capture buffer, or in real-time monitoring mode. To view Multi-QoS graphs and tables, click on the Multi-QoS button on the Detail View toolbar or select Multi-QoS View from the Monitor or Capture menus.
  • Page 338: Multi-Qos Interface Overview

    [Figure: Multi-QoS interface overview. Callouts: Select Multi-QoS from Capture or Monitor View; Select Range in Graph to View Associated Calls; Select Tab to View a Range Breakdown Graph; Call Summary Range Table; Single Row Summarizes a Call. Tabs shown include All Calls, User R-factor, and Network R-factor.]
  • Page 339: Surveyor And Rtcp Jitter Values

    RTCP packets are sent by participants in an RTP session to convey information on the quality of data delivery and session membership. Surveyor uses the formula specified in RFC 1889 for RTCP to calculate jitter, and the RTCP jitter Surveyor reads from RTCP packets should use the same formula.
  • Page 340: Configuring Multi-Qos

    Also, the jitter calculation for Surveyor only measures network jitter. The application itself may implement a jitter buffer, which could make for further differences between the reported RTCP jitter and the jitter measured by Surveyor. The difference between the RTCP jitter and Surveyor-calculated jitter may provide some clues as to what is happening with calls where high jitter rates are disrupting network QoS.
  • Page 341 This timeout value sets the time that Surveyor will spend trying to determine the protocol type (H.323, SCCP, or SIP) of the call. Surveyor has several algorithms to identify calls that may not conform exactly to one of the specific protocol types or may have incomplete call information, such as a call started or stopped outside the window of packets that Surveyor is decoding.
  • Page 342: Multi-Qos Performance Optimization

    Setting this value to a high number may help in identifying a wider range of calls, but may also decrease performance. The default setting is recommended unless you are trying to identify non-standard or partial calls as possible.
  • Page 343: Multi-Qos All Calls Table

    All Calls Table The All Calls table provides a summary table of all calls discovered. An example of the All Calls table is shown below. The buttons to the left of the table allow you to filter the call data. You can display only the calls that use a specific protocol or those that use an unknown protocol.
  • Page 344: All Calls Table Field Descriptions

    Network R-factor. Jitter Maximum jitter, measured in milliseconds, for all channels within a call. The value is calculated by Surveyor. Surveyor uses the formula described in RFC 1889 to calculate jitter. Dropped Packets Maximum number of dropped packets for all channels within a single call.
  • Page 345: Call Range Graphs And Summaries

    Call Range Graphs and Summaries Each tab in the interface except the utilization and configuration tabs brings up a range breakdown of calls using the selected metric. Call Jitter, Call RTCP Jitter, Call Setup Time Figure 11-4 shows an example of the Double-click on a section of the bar or pie graph to see a table of calls for the selected jitter range.
  • Page 346: Call Jitter, Call Rtcp Jitter, Call Setup Time

    Ranges for the graph can be changed. An example configuration screen for setting Call Jitter ranges is shown below. All values are in milliseconds. Figure 11-5. Multi-QoS Configuration, Call Jitter Ranges The default ranges for Call Jitter, Call RTCP Jitter, and Call Setup Time are shown in the table below.
  • Page 347: Dropped Packets, Rtcp Dropped Packets

    Dropped Packets, RTCP Dropped Packets Figure 11-6 shows an example of the tab in the Dropped Packets Multi-QoS window. Click on a section of the bar or pie graph to see a table of calls Properties for the selected dropped packets range.
  • Page 348: Multi-Qos Configuration, Packets Dropped

    An example configuration screen for setting Dropped Packet ranges is shown below. Figure 11-7. Multi-QoS Configuration, Packets Dropped The default ranges for Packets Dropped, and RTCP Packets Dropped are shown in the table below. Table 11-3. Defaults for Packets Dropped Ranges...
  • Page 349: Call Range Summary Field Descriptions

    User Voice quality measure expressed as a numeric value between 0 and 94. The R Factor value is calculated by Surveyor. Surveyor uses a formula that includes packet loss, jitter, transmission delay, and recency to determine the User R-factor. Network Voice quality measure expressed as a numeric value between 0 and 94.
  • Page 350: Vqmon Metrics

    VQMon Metrics There are a variety of objective factors that contribute to call quality. Some of these factors, such as packet loss or packet delay variation (jitter), are reported in other Multi-QoS graph summaries. However, these individual measurements do not tell a complete story and do not attempt to quantify user perceptions of voice quality.
  • Page 351: Multi-Qos R-Factor Example

    50 - 0 If you would like more detailed information about how R-factors are calculated, please call Finisar customer support. The R-factors used in Multi-QoS extend the ITU standard E Model for estimating transmission quality. A sample display of call breakdown by Network R-factor is shown below. User R-factor display is identical to Network R-factor.
  • Page 352: Multi-Qos Configuration, R-Factor Ranges

    Figure 11-9. Multi-QoS Configuration, R-factor Ranges The default ranges for Network R-factor and User R-factor are shown in the table below. Table 11-6. Ranges for R-factors Range Network R-factor Range 5 <25 Range 4 <50 -25 Range 3 <70 - 50...
  • Page 353: Utilization Graph

    The utilization for VoIP services is compared to total utilization and total bandwidth. An example utilization graph is shown below. Figure 11-10. Multi-QoS Utilization Graph Example The utilization is calculated after Surveyor has decoded packets.
  • Page 354: Field Descriptions For Call Details

    Field Descriptions for Call Details To view all details for any call, double-click on any call summary (row) in a call summary table. The selected call. An example Figure 11-11. Example Call Details Window (H.323) Click on View Channel Details to filter out all packets except the packets of this call.
  • Page 355: Sccp Call Field Descriptions

    The following tables provide brief descriptions of all fields in the dow for SCCP, H.323, or SIP calls. Table 11-7. SCCP Call Field Descriptions Table Column Description Frame ID of the first frame from which the conversation was detected. This field is useful when doing post capture analysis. If there is a need for in-depth analysis of a specific call, the first frame associated with the call can be quickly determined.
  • Page 356: H.323 Call Field Descriptions

    Field Name Frame ID Source Reference Value Source Address Source Q.931 Port Source H.245 Port Source Number Source Alias Source H.323 Ver Source Product Product Version Start Time Stop Time Setup Time (ms) Destination Reference Value Destination Address Destination Q.931 Port...
  • Page 357: Sip Call Field Descriptions

    Table 11-9. SIP Call Field Descriptions Field Name Description Frame ID of the first frame from which the conversation was detected. The the frame ID of the first INVITE message. Caller SIP URL or other URI of the caller. The addr-spec in the “From” parameter. Caller Name Display name of the caller.
  • Page 358: Channel Table Details

    Table 11-10. UNKNOWN Call Field Descriptions Field Name Description Frame ID of the first frame from which the conversation was detected. The the frame ID of the first INVITE message. Caller Address The IP address of the initiator of the call.
  • Page 359: Channel Table Example

    Figure 11-12. Channel Table Example Table 11-11 and Table 11-12 describe the columns in the table for each protocol. H.323, SIP, and UNKNOWN channel tables are the same.
  • Page 360 The lowest User R-factor calculated during a sampling interval for a call. Voice quality measure expressed as a numeric value between 0 and 94. The value is calculated by Surveyor. Surveyor uses a formula that includes packet loss, jitter, transmission delay, and recency to determine the User R-factor.
  • Page 361 Table 11-11. H.323, SIP, or UNKNOWN Channel Table Column Descriptions (continued) Max Jitter (ms) Maximum Jitter in milliseconds. The value is calculated by Surveyor. Surveyor uses the formula described in RFC 1889 to calculate jitter. Low Seq Num Lowest Sequence Number. Lowest RTP sequence number seen.
  • Page 362 The lowest User R-factor calculated during a sampling interval for a call. Voice quality measure expressed as a numeric value between 0 and 94. The value is calculated by Surveyor. Surveyor uses a formula that includes packet loss, jitter, transmission delay, and recency to determine the User R-factor.
  • Page 363: Filtering On Single Channels

    Table 11-12. SCCP Channel Table Column Descriptions (continued) Low Seq Num Lowest Sequence Number. Lowest RTP sequence number seen. High Seq Num Highest Sequence Number. Highest RTP sequence number seen. Filtering on Single Channels You can filter on channels within a single call. For the Channel View table, the filter menu available with the right-mouse click depends on the channel you select.
  • Page 364: Customizing Multi-Qos Table Displays

    Customizing Multi-QoS Table Displays You can customize the display of table information for Multi-QoS to include or exclude Multi-QoS fields from the All Calls, Summary Range, or Channel table displays. To change the view options, the table type you want to change must be in the foreground.
  • Page 365: Customizing Channel Tables

    Customizing Channel Tables The channel table is different for each call type, H.323, SIP, or SCCP. The channel table fields for each call type can be customized. Select for the menu. Select a Multi-QoS Views Monitor Views Capture Views single call, and from the Call Detail window select...
  • Page 366: Exporting All Multi-Qos Data To Csv Format

    Exporting Multi-QoS Data You can export Multi-QoS tables to CSV format. Multi-QoS data in .csv format can be imported to many spreadsheet and database applications like Microsoft Excel or to your own application, allowing you to display or report data. CSV is a comma-delimited text format used by many applications to import/export text data.
  • Page 367: Exporting A Single Multi-Qos Table To Csv Format

    Exporting a Single Multi-QoS Table to CSV Format Perform these steps to export the current Multi-QoS table to CSV format. 1. Select the view you want to export. If you already have the desired view open, click the window to make it the currently selected view. The table can be a range summary table, the detail view fields for a single call, the channel table for a selected call, or the all calls table.
  • Page 369: Counters

    Surveyor provides sophisticated counters to enable you to precisely monitor network activity. Surveyor features three types of counters at the MAC layer: Packet Counters, Custom Counters, and Error Counters. When the is in Capture mode, you can use all three types of counters. When the window is in Transmit mode, custom counters are not relevant and do not appear in window.
  • Page 370: Alphabetical List And Descriptions Of Ethernet Error Counters

    During receive, error events are counted as they occur. The MAC statistics view and the table associated with the Utilization/Errors chart displays the receive error counters. Table 12-2 contains an alphabetical list, with descriptions, of Surveyor’s Ethernet error counters. Table 12-2. Alphabetical List and Descriptions of Ethernet Error Counters...
  • Page 371 The total number of packets received that were longer than the 1518 octets and were otherwise well formed (good FCS). Packets Dropped The number of packets missed by Surveyor. For THGm cards, this value should be zero. Undersize The total number of packets received that were shorter than 64 octets and were otherwise well formed (good FCS).
  • Page 372: Alphabetical List And Descriptions Of Token Ring Error Counters

    Table 12-3 contains an alphabetical list, with descriptions, of Surveyor’s Token Ring error counters. Table 12-3. Alphabetical List and Descriptions of Token Ring Error Counters Token Ring Counter Abort Delimiter AC Error Burst Error Frame Copy Frequency...
  • Page 373: Alphabetical List And Descriptions Of Expert Counters

    Expert Counters Expert counters count the number of Expert events discovered by Surveyor’s expert logic. Some counters are used in the Expert Alarm editor and some display in the Overview Table of Expert View. See the Expert Systems chapter for more information on expert counters.
  • Page 374 Table 12-4. Alphabetical List and Descriptions of Expert Counters (continued) Counter Type ICMP Destination Unreachable ICMP Redirect Illegal MAC Station Address Illegal Network Source Address IP Checksum Errors IP Time to Live Expiring ISL BPDU/CDP Packets ISL Illegal VLAN ID...
  • Page 375 Table 12-4. Alphabetical List and Descriptions of Expert Counters (continued) Counter Type Description Overload Utilization Percentage Counts bits over time and compares this value to the maximum utilization possible (bandwidth). No HTTP POST Response The number of no HTTP POST responses over a period of time per segment.
  • Page 376 Table 12-4. Alphabetical List and Descriptions of Expert Counters (continued) Counter Type TCP/IP Repeat Ack TCP/IP Retransmissions TCP/IP RST Packets TCP/IP SYN Attack TCP/IP Window Probe TCP/IP Zero Window Total MAC Stations Total Router Broadcasts Unstable MST...
  • Page 377: Alphabetical List And Descriptions Of Multi-Qos Counters

    For Surveyor, log files are maintained by module. A log file and a set of history files are created in a unique directory for each Century Media Module and each Ethernet Adapter.
  • Page 378: Log Directory Structure

    Log Directory Structure The following is the directory structure for log files. The root directory is the installation directory for Surveyor.

    (root)\log\local\module_1 (directory for module 1)
    module_1.csv (log file for module 1)
    \history (history directory for module 1)
    mmddhhmm.ss (first history file for module 1)...
  • Page 379: Utilities

    Surveyor includes the following utilities to enhance your ability to manage your Ethernet, Token Ring, or Fast Ethernet network. The utilities are briefly described in the table below: Table 13-1. Ethernet and Fast Ethernet Network Management Utilities Utility Description Name Table Provides associations between symbolic names and network addresses.
  • Page 380: Name Table Utility

    You can also change the active name table so that Surveyor will use a different name table file. You can create many name tables, but only one table is active at a time.
  • Page 381: Example Name Table Dialog Box

    Settings To learn all addresses, select the dialog box. Surveyor will enter all new addresses. If no symbolic name is Settings associated with an address, the address is repeated in the name column for that entry in the name table.
  • Page 382: Building A Name Table From The Network

    3. Save the name table to a file. You must save the name table before you exit Surveyor or new name table data will be lost. If you save the name table data to the default name table, hosts.nam, the new name table data will be loaded automatically whenever you restart Surveyor.
  • Page 383: Nis-To-Name Table Conversion Utility

    Bourne shell. To use the conversion utility, copy the NIS2NAM.SH file to a UNIX system as a text file. The UNIX system must have NIS running for the utility to produce the new name table for use with Surveyor. To execute the command on the UNIX system, type: NIS2NAM <output-name-table>...
  • Page 384: Internet Advisor Translator Utility, Tool Menu Options

    Sniffer™ Translator Utility: Translators convert captured data back and forth between Surveyor capture file format (.cap files) and Sniffer uncompressed trace format (.enc or .trc files). Capture files are stored in ‘Snoop’ format, compliant with RFC 1761. Capture files include extensions that provide additional information fields not found in RFC 1761.
  • Page 385: Convert Capture Files To Histogram Files

    The convert capture files utility allows you to convert capture files to histogram files. Files must be in histogram format to be viewed with the histogram. All new captures made by Surveyor are automatically created as histogram files. To convert capture files, do the following: 1.
  • Page 386: Exporting Packets

    Logging Utilities Surveyor creates log files of counter, expert, and alarm information. Log file size, log file name, and disabling or enabling log files can be configured in Surveyor. To configure log files, see the “Configuring Surveyor” chapter. To access counter log files, see the section called “Counter Log File Overview” in the “Counters”...
  • Page 387: Exporting Tables To Csv Format Or Graphs To A Bitmap

    5. Switch to the application where you want to store the packet information. 6. Press Ctrl + V. 7. Click on a Surveyor window to return to Surveyor. If you select a portion of the current packet within the detail decode of the packet, the entire decode for this single packet is moved to the copy window for export.
  • Page 388: Exporting Counter Log Files To Excel

    6. Click the Save Surveyor logs both a start and stop time to the .csv file. The start time is the time the table/chart window is first opened and the stop time is the last time the file is exported or saved to disk.
  • Page 389 5. Switch to the previously opened down the Windows menu and click on 6. Click cell Data Sheet of the worksheet. 7. Use from the menu or Ctrl + V to paste the data into the Paste Edit worksheet named Data Sheet 8.
  • Page 391: A-1. Buffer Types Used By Surveyor

    Buffers Three types of buffers are essential to the execution of Surveyor’s features: Table A-1. Buffer Types Used By Surveyor. Buffer Type: Real-Time (Monitor) Buffer. Description: A real-time buffer provides the transient data storage area for on-the-fly frame analysis which, in conjunction with MAC statistics and error counters, produces real-time LAN analysis and monitoring information.
  • Page 392: A-2. Resource Use Of Buffers

    NDIS card, all LAN traffic will be copied to Surveyor and filtered, sliced if necessary, then routed to the capture buffer, real-time buffer, or both if desired. System resource demands increase with the complexity of analysis and monitoring tasks, and very much with the number of interfaces Surveyor is controlling.
  • Page 393: A-3. Hardware Real-Time Functions

    Hardware Dependencies The tables that follow in this section list functions supported by Surveyor that have hardware dependencies. Table A-3. Hardware Real-Time Functions Real-Time Monitoring Functions NDIS Buffer Size 64KB Network Statistics All but error rate Packet Decode Summary Alarm Thresholds...
  • Page 394: A-5. Hardware Capture Functions

    NDIS Card Media 10/100 Ethernet, 4/16 TR Max Interfaces/ System On-Board Transceivers Portability Laptop Remote Management Portable Surveyor 10/100 THGm Ethernet Analyzer Card 128MB 64KB-16MB* Full Line Rate, 10Mbps: 10/100/1000 Mbps 5-10Mbps 100Mbps: 5-20Mbps Yes . Table A-6. Hardware Connectivity...
  • Page 395: About Ndis Mode

    About NDIS Mode Surveyor in NDIS mode uses an NDIS driver and interfaces to a variety of network adapters. All basic capture, transmit, and monitor functions are the same in NDIS mode. However, it is not recommended that an NDIS module be used to transmit packets;...
  • Page 396: Ndis Configuration Options

    Surveyor User’s Guide NDIS Configuration Options Setting the Interface Interface NDIS module is the currently selected module. The menu is grayed and does not function when the current module is an NDIS module. Set Capture Buffer and Packet Slicing Size The capture buffer memory size can be set in increments that double from 64K to 16MB.
  • Page 397: Pre-Defined Filter Templates

    Pre-Defined Filter Templates Filter Templates All filter templates supplied with Surveyor are described below. Templates are defined by an offset(s) and a value(s). These templates can be used in a capture or display filter to capture or display common protocol packets.
  • Page 398: B-1. Surveyor Filter Templates, Ethernet Ev2

    Table B-1. Surveyor Filter Templates, Ethernet EV2 Filter Template AppleTalk DECNET Phase IV MAC_Destination_Address MAC_DA_BROADCAST MAC_DA_MULTICAST MAC_Source_Address Packet_Type Packet_Type_Novell8023 VLAN Description Offset Collect all AppleTalk packet types embedded in Ethernet Version II frames. Collect all ARP packet...
  • Page 399: B-2. Surveyor Filter Templates, Ip And Ipx Over Ethernet Ev2

    Table B-2. Surveyor Filter Templates, IP and IPX over Ethernet EV2 Filter Template Description EIGRP Collect all frames where EIGRP is embedded in Ethernet II frames. ICMP Filter template for collecting all PING activity. IGMP Filter template for collecting all IGMP activity.
  • Page 400 Surveyor User’s Guide Table B-2. Surveyor Filter Templates, IP and IPX over Ethernet EV2 (continued) Filter Template RIP (IPX) RSVP SAP (IPX) Description Offset Collect all frames with a RIP port in IPX packet types embedded in OR 42 Ethernet II frames.
  • Page 401: B-3. Surveyor Filter Templates, Tcp/Ip Over Ethernet Ev2

    Table B-3. Surveyor Filter Templates, TCP/IP over Ethernet EV2 Filter Template Description DNS (TCP) Collect all frames with a DNS port when TCP is embedded in an Ethernet II frame. Collect all frames with an FTP port when TCP is embedded in an Ethernet II frame.
  • Page 402 Surveyor User’s Guide Table B-3. Surveyor Filter Templates, TCP/IP over Ethernet EV2 (continued) Filter Template Q.931 SCCP SMTP T.120 TELNET XWIN Description Offset Collect all frames with a Q.931 port when TCP is embedded in Ethernet II frames. OR 36...
  • Page 403: B-4. Surveyor Filter Templates, Udp/Ip Over Ethernet Ev2

    Table B-4. Surveyor Filter Templates, UDP/IP over Ethernet EV2 Filter Template Description DHCP Collect all frames with a DHCP port when UDP is embedded in an Ethernet II frame. DNS (UDP) Collect all frames with a DNS port when UDP is embedded in an Ethernet II frame.
  • Page 404 Surveyor User’s Guide Table B-4. Surveyor Filter Templates, UDP/IP over Ethernet EV2 (continued) Filter Template RIP (UDP) RTCP SNMP Description Offset Collect all frames with an NTP port when UDP is embedded in Ethernet II frames. Collect all frames with a...
  • Page 405: B-5. Surveyor Filter Templates, Ethernet Llc/Novell

    Table B-5. Surveyor Filter Templates, Ethernet LLC/Novell Filter Template Description DSAP Template for setting the LLC destination address point. IEEE_802.1D Template for collecting IEEE-802.1D packets. NetBEUI Template for collecting NetBEUI packets. Novell Collect Novell frames. NMPI Collect packets with NMPI ports embedded in Novell frames.
  • Page 406: B-6. Surveyor Filter Templates, Ethernet Snap

    Table B-6. Surveyor Filter Templates, Ethernet SNAP Filter Template SNAP SNAP_AppleTalk SNAP_ARP SNAP_CDP SNAP_IP SNAP_IP_Destination_Address SNAP_IP_Source_Address SNAP_IPX Description Offset Collect SNAP frames. Filter template for collecting AppleTalk packet types embedded in Ethernet SNAP frames.
  • Page 407: B-7. Surveyor Filter Templates, Ethernet Isl

    Table B-7. Surveyor Filter Templates, Ethernet ISL Filter Template Description ISL_ARP Filter template for collecting ARP packet types embedded in ISL frames. ISL_DNS (TCP) Collect all frames with DNS ports when TCP is embedded in ISL frames. ISL_EIGRP Collect all frames...
  • Page 408 Table B-7. Surveyor Filter Templates, Ethernet ISL (continued) Filter Template ISL_LDAP ISL_MAC_DA_Broadcast ISL_MAC_DA_Multicast ISL_MGCP (TCP) ISL_NB-SESSION ISL_NNTP ISL_OSPF ISL_POP ISL_Q.931 ISL_RSVP Description Offset Collect all frames with LDAP ports when TCP is embedded in ISL frames.
  • Page 409 Table B-7. Surveyor Filter Templates, Ethernet ISL (continued) Filter Template Description ISL_SMTP Collect all frames with SMTP ports when TCP is embedded in ISL frames. ISL_SSP Collect all frames with SSP ports when TCP is embedded in ISL frames. ISL_T.120...
  • Page 410: B-8. Standard Filter Templates, Token Ring

    Table B-8. Standard Filter Templates, Token Ring Filter Template MAC_Active_Monitor_Present MAC_Beacon MAC_Change_Parameters MAC_Claim_Token MAC_Duplicate_Address MAC_Initialize_Ring_Station MAC_Lobe_Test MAC_Poll_Error MAC_Remove_Ring_Station MAC_Report_Error MAC_Report_Monitor_Error Description Offset Collect all Active Monitor Token Ring MAC frames. Collect all Beacon Token Ring MAC frames.
  • Page 411 Table B-8. Standard Filter Templates, Token Ring (continued) Filter Template MAC_Report_NAUM_Change MAC_Report_New_Active_Monitor MAC_Report_Ring_Station_Addre MAC_Report_Ring_Station_Attachments MAC_Report_Ring_Station_State MAC_Report_Transmit_Forward MAC_Request_Initialization MAC_Request_Ring_Station_Addr MAC_Request_Ring_Station_Attachments MAC_Request_Ring_Station_State MAC_Response Description Offset Collect all Report NAUM Change Token Ring MAC frames. Collect all Report New Active Monitor Token Ring MAC frames.
  • Page 412 Table B-8. Standard Filter Templates, Token Ring (continued) Filter Template MAC_Ring_Purge MAC_Standby_Monitor_Present MAC_Transmit_Forward NON_MAC Description Offset Collect all Ring Purge Token Ring MAC frames. Collect all Standby Monitor Present Token Ring MAC frames. Collect all Transmit Forward Token Ring MAC frames.
  • Page 413: C-1. Shortcut Keys From Summary And Detail View

    Function Keys Function keys perform different operations depending on the window from which they are used. A table of the function keyboard shortcuts is provided below: Table C-1. Shortcut Keys from Summary and Detail View Summary View Help System Settings Module Settings Module Monitor View Preferences Connect to Remote...
  • Page 414: C-3. Shortcut Keys From Summary View

    Surveyor User’s Guide Standard and Navigational Keys Function keys perform different operations depending on the window from which they are used. Tables of standard and navigational keyboard shortcuts are provided below: Table C-2. Shortcut Keys from All Windows Key(s) Alt + F4...
  • Page 415: C-6. Shortcut Keys From The Capture Filter Window

    Table C-6. Shortcut Keys from the Capture Filter Window Key(s) Action Ctrl + N Bring up new default capture filter Ctrl + P Print capture filter Home Select the first statement Select the last statement Page up Scroll up one page Page down Scroll down one page Up arrow...
  • Page 417: D-2. Parser Names, Applications And Others

    Recognized Parser Names The Parser Names recognized by Surveyor are organized by protocol suite in the following tables. Parser Names must be spelled exactly as shown when used in the ANALYSIS.INI file. See “Advanced Configuration” in the “Customizing Surveyor” chapter for information on using Parser Names.
  • Page 418: D-3. Parser Names, Apple Talk Suite

    Surveyor User’s Guide Parser Name AARP ADSP AURP RTMP Parser Name VARP VFRP VICP VIPC VNETRPC VRTP VSSP Table D-3. Parser Names, Apple Talk Suite Protocol Name AppleTalk Address Resolution Protocol AppleTalk Data Stream Protocol AppleTalk Echo Protocol AppleTalk Filing Protocol...
  • Page 419: D-7. Parser Names, Fujitsu Suite

    Table D-5. Parser Names, Cisco Suite Parser Name Protocol Name Cisco Discovery Protocol DISL Dynamic Inter-Switch Protocol EIGRP Enhanced Interior Gateway Routing Protocol HSRP Hot Standby Router Protocol IGRP Interior Gateway Routing Protocol iSCSI Internet Small Computer System Interface Inter-Switch Link Protocol VTPADVT VLan Trunk Protocol - Advertisement VTPSTAT...
  • Page 420: D-9. Parser Names, Internet Suite

    Surveyor User’s Guide Parser Name 3270 NETBEUI Parser Name ASF-RMCP DVMRP EIGRP ICMP iFCP IGMP IGRP MOSPF OSPF RARP RSVP RTCP Table D-8. Parser Names, IBM Suite Protocol Name 3270 Terminal NetBIOS Extended User Interface Server Network Architecture Table D-9. Parser Names, Internet Suite...
  • Page 421 Table D-9. Parser Names, Internet Suite (continued) Parser Name Protocol Name BOOTP Bootstrap Protocol DHCP Dynamic Host Configuration Protocol Domain Name Server File Transfer Protocol GOPHER Gopher HTTP Hyper Text Transfer Protocol HTTPS Secure Hyper Text Transfer Protocol IMAP Internet Message Access Protocol LDAP Lightweight Directory Access Protocol Printer...
  • Page 422: D-10. Parser Names, Internet Next Generation Suite

    Surveyor User’s Guide Table D-9. Parser Names, Internet Suite (continued) Parser Name SGCP SMTP SNMP SNMPTRAP SUNRPC TELNET TFTP TPKT XDMCP XWIN Table D-10. Parser Names, Internet Next Generation Suite Parser Name DNCPNG ICMPNG IDRPNG IPNG OSPFNG RIPNG RSVPNG Parser Name...
  • Page 423: D-12. Parser Names, Ppp Suite

    Table D-11. Parser Names, Netware Suite (continued) Parser Name Protocol Name NBCAST Netware Broadcast Message Protocol Netware Core Protocol Netware Directory Services NLSP Netware Link State Protocol NMPI Name Management Protocol Service Advertising Protocol SERIAL Serialization Protocol Sequenced Packet Exchanged SPX2 Sequenced Packet Exchanged Version 2 (use SPX) WDOG...
  • Page 424: D-14. Parser Names, H.323 Suite

    Surveyor User’s Guide Parser Name ASN.1 H323GD H.225.0 H245 H4501 Q921 Q931 H323RAS T120 T.38 Parser Name CELLB G711 G721 G722 G723 G728 G729 H261 H263 JPEG MPEG Table D-14. Parser Names, H.323 Suite Protocol Name Abstract Syntax Notation 1 H.323 - Gatekeeper Discovery...
  • Page 425: D-16. Parser Names, Cisco Ip Telephony Suite

    Table D-16. Parser Names, Cisco IP Telephony Suite Parser Name Protocol Name Skinny Station Protocol SCCP Skinny Client Control Protocol RUDP Reliable UDP Table D-17. Parser Names, Other Multimedia Parser Name Protocol Name MGCP Multimedia Gateway Control Protocol (over TCP) RTCP Real-Time Transport Control Protocol Real-Time Transport Protocol...
  • Page 427 Address A character or group of characters that identifies some other data source or destination. Alarm A message posted to Surveyor indicating a certain condition has occurred or a threshold has been reached...
  • Page 428: Alarm Setting

    Alarm Setting A set of conditions that when satisfied will cause Surveyor to record an entry in the alarm log. Alarm Severity Type of notification to be posted to the Message window upon alarm trigger. Valid types are informational, warning, and serious.
  • Page 429: Capture Buffer

    Token Ring physical medium. Burst Gap For transmission from Surveyor, a pause between a set of packets sent at the maximum network speed and another set of packets sent at the maximum network speed.
  • Page 430: Capture Mode

    Capture Mode The mode in which Surveyor receives network data and stores it in the Capture Buffer. Capture View A window for viewing and decoding network packets saved to a file or in the capture buffer.
  • Page 431: Else Statement

    Expert Alarms Messages posted to Surveyor indicating a certain condition has occurred or a threshold has been reached. Expert alarms are based on a set of counters related to Expert Symptoms or to other conditions that can signal a network problem.
  • Page 432: Expert View

    Surveyor User’s Guide Expert View Surveyor data view showing expert symptoms and expert counters for a time period. Fragments A counter showing the total number of packets received that were less than 64 octets and had either an FCS/CRC error or an Alignment Error.
  • Page 433: Link Speed

    A networked computer that is running the program or resource being described. In the context of Surveyor, a local host is the computer that is (1) running the Surveyor program under discussion and (2) located on a network where at least one other computer (remote host) is also running a copy of the Surveyor program.
  • Page 434: Monitor Mode

    (monitor), or view and receive data from a resource simultaneously (monitor + capture) Module A hardware device attached to the network that can be used by Surveyor software to perform LAN analysis and monitoring functions. Surveyor can use NDIS-compatible network interface cards and THGm cards as modules.
  • Page 435: Packet Gap

    A counter showing the total number of packets received that were longer than the 1518 octets and were otherwise well formed (good FCS). Overview Table Table in Surveyor’s Expert system that lists all counters for expert events discovered over time. Packet A sequence of digits including data and control signals that is switched as a composite whole.
  • Page 436: Post Trigger Buffer Position

    RSP to transfer data and commands. Resource Any source that provides data to Surveyor. This can be an analyzer card, an Ethernet Adapter, multiple devices synchronized to provide a single data stream, or a data file.
  • Page 437: Summary Pane

    Root Statement The first statement in all capture filters. Specifies global variables and global val- ues. SA Source address MAC level station address of where a frame is coming from. SCCP Skinny Client Control Protocol. The Skinny Client messaging system provides a means of establishing, controlling, and clearing information between a device that resembles a PBX digital telephone and H.323 clients.
  • Page 438: Total Tx Collision Counter

    THGp (Ten/Hundred/Gigabit portable) A Dolch PC-based portable network analyzing, troubleshooting, and monitoring system available from Finisar. THGm devices in a THGp can be accessed locally or remotely by Surveyor software which provides the tools to diagnose, troubleshoot, and monitor any full or half-duplex 10/100 Ethernet copper or Gigabit Ethernet fiber-optic network.
  • Page 439: Traffic Rate

    When transmitting from Surveyor, a percentage of the maximum capacity of the network to carry packets. Transmit Mode One of the modes for using Surveyor. In transmit mode, data streams loaded are transmitted on the network when the resource is started. Transmit Specification A definition of packets to be transmitted on the network by Surveyor.
  • Page 440: Voice Over Ip (Voip)

    Surveyor User’s Guide Voice over IP (VoIP) Industry term for the carrying of voice traffic over the Internet Protocol. This term is sometimes used more broadly to indicate VoIP/Multi-Media communications via the H.323 or SCCP protocols. Abbreviation for well known port, a known port address on the network.
