Sniffer University 1-3

Transcript Sniffer University 1-3

Troubleshooting with the Sniffer Portable Analyzer
Sniffer University
1-1
TNV-101-GUI
Housekeeping
• Cell Phones in Silent Mode
• Beepers in Silent Mode
• Lunch
• Breaks
• Rest Rooms
• Telephones
• Emergency Information
• Questions
Student Reference CD
Contents of CD:
• Sniffer Portable trace files
– Subdirectory for each Sniffer University course containing all of the trace files referenced in that course
• Reference documents
– IETF Request for Comments (RFCs)
– Appendix material
– ATM Forum specifications and glossary
– Miscellaneous reference materials
• Sniffer analyzer product documentation
– Sniffer Portable 4.7
– Sniffer Distributed 4.1
– Sniffer Watch
– Sniffer Reporter
No Copying...
Thank You!
Curriculum Map
Sniffer University's Total Network Visibility Curriculum
• Troubleshooting with the Sniffer Portable Network Analyzer
• Ethernet Network Analysis & Troubleshooting (10, 100, 1000 Mbps)
• WAN Network Analysis and Troubleshooting
• Sniffer Portable Switch Expert Analysis & Troubleshooting
• ATM Network Analysis and Troubleshooting
• Wireless LAN Analysis and Troubleshooting
• TCP/IP Network Analysis and Troubleshooting
• Microsoft Windows NT Network Analysis & Troubleshooting
• Microsoft Windows 2000 Network Analysis & Troubleshooting
• Sniffer Distributed Enterprise Management
• Sniffer Watch Reports and Management
Sniffer Certified Professional Program
• The Sniffer Certified Professional Program (SCPP) recognizes network professionals who can demonstrate an in-depth understanding of Sniffer Technologies software
• There are three levels of certification in the program:
1. Sniffer Certified Professional (SCP)
• The first level is designed to test the candidate’s knowledge in the use of the Sniffer Portable Network Analyzer
2. Sniffer Certified Expert (SCE)
3. Sniffer Certified Master (SCM)
• The second and third levels evaluate the candidate’s knowledge of various networking technologies
www.sniffer.com/education
You will find links for:
• The SCPP online resource center
– Test preparation materials
– Practice tests
– Product documentation
• Course schedule and catalog
– Class listings
• Registration Information
– Register online
• Sniffer University survey
– Let us know what you think
• Sniffer University contacts
Table of Contents
Course Overview
Introduction and Concepts
Starting Sniffer Portable
Monitoring Network Health and Performance
Monitor Applications
Troubleshooting the Network
Managing Alarms
Capturing Network Traffic
Expert Analysis
Using Capture Filters to Narrow the View
Triggers
Analyzing Network Issues
Decode Window
Using Display Filters to Narrow the View
Exercises
Course Overview
Course Objectives
At the end of this course, you will be able to:
• Effectively use the Sniffer Portable Network Analyzer in a logical step-by-step process as a network troubleshooting tool
• Employ effective troubleshooting techniques to quickly resolve problems in your networks
• Partner with Sniffer Portable to proactively monitor and baseline your networks
• Optimize your network and applications using the information you have gained from Sniffer Portable
Major Topics
• We’ll show you how to:
– Use the Monitor functions to check the health and performance of your networks
– Troubleshoot problems by capturing traffic and using the Expert’s help
– Analyze the issues by viewing the frames that were captured
– Proactively manage the network with Sniffer Portable’s tools and reporting capabilities
• And we’ll give you troubleshooting tips along the way
Vital Troubleshooting Skills
In addition to having a protocol analyzer, you need to have an understanding of:
• Your network
– Use Sniffer Portable to monitor segments
– Have an accurate logical drawing of your entire network
• The protocols being used on your network
– Sniffer University has a series of protocol-specific classes to teach you the fine details of troubleshooting and maintaining each type of network
– Learn how routers and switches are configured to keep them where they belong
• Resources available to help you find answers quickly
Additional Resources
• Industry Standards, Protocol Specifications, and Product Documentation
• Technical Support
• Networking Professional Organizations
• Fellow Troubleshooters
• Books
Introduction and Concepts
Section Objectives
At the end of this section, you will be able to:
• Describe the system requirements and supported interfaces of the Sniffer Portable Network Analyzer suite
• Relate the OSI Reference Model to a frame on the wire
• Start the Sniffer Portable Network Analyzer
• Configure a Sniffer Portable local agent
• Identify menu items and icons on the Toolbar and Status bar
• Generate traffic with Packet Generator
What is a Sniffer Analyzer?
• A network troubleshooting tool that assists you in finding and solving network communication problems, analyzing and optimizing network performance, and planning for future growth
– Monitor application provides statistics in real time
– Capture does real time Expert Analysis as frames are gated into the capture buffer
– Profiles make loading complex filters and settings easy to save and activate
– Post-capture packet display allows you to analyze the frames in-depth using multiple views
– Active tools allow you to generate frames, buffers or perform other tests
Sniffer Analysis Suites
• Portable Analysis Suite
– Sniffer Portable LAN
– Sniffer Portable WAN
– Sniffer Portable HighSpeed
• Distributed Analysis Suite
– Sniffer Distributed Agent
– Sniffer Distributed Console
No matter which Sniffer suite you choose, the user interface is the same
Sniffer Distributed
[Diagram labels: Sniffer Distributed Consoles; Sniffer Distributed Agents on local segments; Sniffer Distributed Agent on remote segment; sites Paris, Tokyo, San Francisco; Frame Relay; X.25; Switch/Router; Router]
Snifferbook
• Analyze T1/E1
• RS/V with LM2000 Adapter
[Diagram labels: Standard Ethernet NIC 10/100; Topology-Specific Interface Module; WANbook; Snifferbook Pod; Power; 1 to 8; TO SNIFFER; TO HUB]
Troubleshooting Flowchart
• Monitor
– Monitor Apps: Dashboard, Host Table, Matrix, ART, History Samples, Protocol Distribution, Global Statistics
• Troubleshoot
– Alarms
– Capture Frames
– Expert Analysis
– Expert Options
– Filters
– Triggers
• Decode
– Display Frames: Summary, Detail, Hex
– Navigation
– Select Frames
– Find Frames
– Filters
– Display Setup
• Manage
– Address Book
– Packet Generator
– User Tools: Ping, Trace Route, DNS lookup, Finger, Who Is, Scripts
Sniffer Portable Operation
[Diagram labels: Adapter; Tools (Ping, Trace Route, DNS Lookup, Finger, Who Is); Alarms; Trigger; Monitor Filters; Monitor Applications (Dashboard, Host Table, Matrix, ART, History Samples, Protocol Distribution, Global Statistics); Probe Dir (Profiles, Configs, Addr Bk); Database (Traces, Exported Data); Capture Filters; Display Filters; Displays (Decode, Matrix, Host Table, Protocol Dist, Statistics)]
System Requirements
• Windows 98 SE, 2000, or NT 4.0
• Sniffer Portable Software (Provided by Network Associates)
• Microsoft Internet Explorer with MS Virtual Machine and media player
• Pentium 400 MHz CPU with minimum 128 MB RAM (256 MB recommended) and minimum 125 MB free disk space
• Network Interface Card with NDIS 3.0+ driver
• Enhanced NAI drivers for selected cards enhance performance and allow error frames to be captured and analyzed
Supported Interfaces
• Ethernet 10/100
• Token Ring 4/16
• FDDI
• HSSI
• Full Duplex (supported with a pod)
• ATM
• WAN
• Gigabit Ethernet
• 802.11b Wireless LAN
Enhanced Drivers
Topology / Adapter with Sniffer Enhanced Drivers / O/S
• Ethernet
– Adaptec PCI (ANA-21140/UC & ANA-6911/UC)
– Adaptec PCI (ANA-6911A/TX/TXC)
– Xircom CardBus Ethernet II 10/100 (CBE2)
– Xircom Realport CardBus
– Xircom Realport2 CardBus
– IBM 10/100 EtherJet CardBus
– O/S: Win NT, 2000, 98 SE
• Token Ring
– Madge PCMCIA Smart 16/4 Ringnode Mk2 (20-01)
– Madge 16/4 CardBus Adapter Mk2 (20-03)
– Madge Smart 16/4 PCI Ringnode Mk2/BM2 (51-02)
– Madge Smart 16/4 PCI Ringnode Mk3 (51-04)
• FDDI
– NuCard PCI FDDI Adapter
– O/S: Win NT
• Full Duplex
– FDX PCI Card
– O/S: Win NT
• WAN
– HSSI PCI Adapter
– LM2000 ISA Adapter
– O/S: Win NT, 2000, 98 SE
• ATM
– Sniffer ATM SAR Adapter
– O/S: Win NT, 2000, 98 SE
• Gigabit
– Xyratex PCI Adapter (SX, LX)
– O/S: Win NT, 2000, 98 SE
• Wireless
– Symbol Spectrum 24 PCMCIA
– Cisco Aironet 340/350 PCMCIA
– Lucent Orinoco Gold PCMCIA
– Enterasys RoamAbout PCMCIA
– O/S: Win NT, 2000
– O/S: Win NT, 2000, 98 SE
OSI Reference Model
[Diagram side labels: Provides Services; Connects processes; Moves Data]
7 Application
• Allows users to transfer files, send mail, etc.
• Only layer that users can communicate with directly
• Key features are ease of use and functionality
6 Presentation
• Standardized data encoding and decoding
• Data compression
• Data encryption and decryption
5 Session
• Manages user sessions
• Reports upper-layer errors
• Supports Remote Procedure Call activities
4 Transport
• Connection management (e.g., TCP)
• Error and flow control
• Connectionless, unreliable (e.g., UDP)
3 Network
• Internetwork packet routing
• Minimizes subnet congestion
• Resolves differences between subnets
2 Data Link
• Network access control - MAC address
• Packet framing
• Error and flow control
1 Physical
• Moves bits across a physical medium
• Interface between network medium and network devices
• Defines electrical and mechanical characteristics of LAN
The OSI Model and Frames
[Frame diagram: DLC | RI | LLC | Network | Transport | Session | Presentation | Application]
• Frames include headers at several layers of the OSI model
– The number of headers in a frame is protocol-dependent
– Each header has multiple fields that are also protocol-dependent
• The Sniffer Network Analyzer reads the entire frame and decodes each byte (and sometimes each bit) into an English explanation of the values
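The layered decode described above, as an added example that is not part of the original course material: a small Python decoder that walks a constructed Ethernet II / IPv4 / TCP frame header by header and reports byte-level and bit-level fields in English. The sample frame, its addresses, and the function names are assumptions for illustration; the example goes slightly beyond the slide by also handling truncated frames and EtherTypes it does not decode.

```python
import struct

# Constructed sample: Ethernet II + IPv4 + TCP SYN to port 80 (no payload, no FCS,
# checksums left at zero and not validated here).
SAMPLE_FRAME = bytes.fromhex(
    "020000000001" "020000000002" "0800"                        # DLC: dst, src, EtherType
    "45000028" "1c464000" "4006" "0000" "c000020a" "c0000201"   # IPv4 header (20 bytes)
    "0401" "0050" "00000001" "00000000" "5002" "2000" "0000" "0000"  # TCP header
)
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 upward

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def decode(frame):
    """Return one English line per decoded header, labelled with its layer."""
    if len(frame) < 14:
        return ["DLC: frame too short for an Ethernet header"]
    etype = struct.unpack("!H", frame[12:14])[0]
    out = [f"DLC: destination {mac(frame[0:6])}, source {mac(frame[6:12])}, "
           f"EtherType 0x{etype:04x}"]
    if etype != 0x0800:                    # the header stack is protocol-dependent
        return out + [f"Network: EtherType 0x{etype:04x} not decoded in this example"]
    pkt = frame[14:]
    if len(pkt) < 20:
        return out + ["Network: truncated IPv4 header"]
    ihl = (pkt[0] & 0x0F) * 4              # low nibble: header length in 32-bit words
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    out.append(f"Network: IPv{pkt[0] >> 4}, header {ihl} bytes, TTL {pkt[8]}, "
               f"protocol {pkt[9]}, {ip(pkt[12:16])} -> {ip(pkt[16:20])}")
    out.append(f"Network: don't fragment bit = {(flags_frag >> 14) & 1}")
    seg = pkt[ihl:]
    if pkt[9] != 6 or len(seg) < 20:
        return out + ["Transport: not TCP or truncated; decoding stops here"]
    sport, dport, seq = struct.unpack("!HHI", seg[0:8])
    set_flags = [n for i, n in enumerate(TCP_FLAGS) if (seg[13] >> i) & 1]
    out.append(f"Transport: TCP {sport} -> {dport}, seq {seq}, "
               f"flags {'+'.join(set_flags)}")
    return out

if __name__ == "__main__":
    print("\n".join(decode(SAMPLE_FRAME)))
```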
Starting Sniffer Portable
• Open the SNIFFER.EXE application using your favorite Windows method
• From the File menu, go to Select Settings... and choose the local agent (adapter) you want to use
– Adapters must be previously configured in Windows and use NAI enhanced or NDIS 3.0+ compliant drivers
• The application automatically starts monitoring the traffic seen on the active local agent
– Your settings are saved when you exit the application, so it will automatically begin monitoring on the local agent you last chose
What is a Local Agent?
• A local agent is a logical reference to a collection of settings, addresses, and profiles associated with an adapter
– Each local agent has a unique directory under the Sniffer Program directory
– Changes you make are saved in the directory of the active local agent
[Diagram labels: Adapter; Local Agent 1 and Local Agent 2, each with Configurations, Thresholds, Address Book, Profiles (Filters)]
Select Settings...
The title bar indicates the active local agent
Select the Adapter
• Settings dialog contains local agents that you have defined
• Creating a new local agent allows you to maintain separate settings for each network you analyze
– The settings for each will be maintained in separate “Local” directories under the Program directory
Create a New Local Agent
New... from previous menu shows this screen
• Assign a name
• Choose the adapter
• Specify the Pod
• Copy settings from another agent
User Interface
[Screenshot labels: Title Bar, Menu Bar, Toolbar, Capture Icons, Toolbar, Status Bar]
The Toolbar
[Toolbar icon labels: Address Book, Global Stats, Protocol Distribution, Capture Panel, History, Alarms, Application Response Time, Abort, Matrix, Print, Hosts, Print, Dashboard, Save, File Open]
Status Bar
Watch the lower right corner of window for real-time counts
[Status bar labels: Printing, Frames Generated, Frames Captured, Alarms]
Getting Help
Three ways to get help in Sniffer Portable:
1. Use the Help on the menu bar to access the comprehensive on-line User’s Guide
2. Highlight an area on the screen and press F1 for context-sensitive help
3. Click on the icon
Major Components
[Diagram labels: NIC; Monitor; Capture; Monitor Applications (Dashboard, Host Table, Matrix, Application Response Time, Protocol Distribution, History, Global Statistics); Real-Time Expert Analysis; Display; Display Tabs (Expert Analysis, Decode, Host Table, Matrix, Protocol Distribution, Statistics)]
Exercise 1-1
Launch Sniffer Portable
Using Packet Generator
What is Packet Generator?
• The main purpose of the packet generator is to stress test your network
• You can configure it to generate:
– A buffer of previously captured data
– A frame from the displayed data
– A new frame you configure before generating
– A frame with no data
• Monitor and Capture while generating to view the effect of the new data on the network
• We will use it in class to generate trace files while viewing Monitor and Capture screens
Loopback Mode
• Transmitting frames from the buffer with the Packet Generator to “replay” a trace file can be very useful to quickly show Monitor or Capture statistics
• WARNING: Make sure that you enable Loopback Mode before starting traffic generation
The Packet Generator
• Capture or load and display a trace file
• Tools > Packet Generator
[Screenshot labels: Configure and send new packet; Send current packet; Stop; Send current buffer; Repeat]
Packet Generator Views
Detail view—displays statistics:
Animation View—shows data being “pumped” into the network:
Counter in the lower right corner:
Monitoring and Capturing from a File
• To enable Monitor in the classroom when a live network is not available, we must
– Set the local agent to Loopback Mode
– Load a trace file
– Generate traffic from the trace file
• Monitor will accept the data as if it came from the network and give us statistics to view
• The next couple of slides show the process to make that happen…
Generating From a File
• Under Files:
– Select Loopback Mode if no  is visible
– Open the trace file
• Frames will be stored in the Capture buffer
• Display the data
• From the Tools pull-down menu:
– Choose Packet Generator
– Select the Send Buffer icon
– Configure the number of times to send the buffer
– Note the counts in the lower right counter as frames are generated
Generate Buffer Configuration
Configure how often to send:
Effects on Network Performance
What happens when you transmit data into a live network?
[Diagram labels: Multicast; Broadcast; Bad Data; Good Data; (Broadcast); Dummy; NIC; Address; CPU; Interrupt; Process; Corrupt; (discard data); Tables]
Generating Traffic
So, why would you want to generate traffic?
• Test new equipment in a lab before installing it in a live network
• Test vendor’s claims for new equipment performance, e.g., packets/frames per second forwarded by a particular brand and model of router/switch
• Play back a trace file and observe its operation
• Induce a known load of null traffic to see how a network will react to increased bandwidth usage
• Test a Network Interface Card’s operation
• Laboratory testing of suspect routers, switches, gateways, and NICs to ensure proper performance
Summary
In this section, you learned how to:
• Describe the system requirements and supported interfaces of the Sniffer Portable Network Analyzer suite
• Relate the OSI Reference Model to a frame on the wire
• Start Sniffer Portable
• Configure a Sniffer Portable local agent
• Identify menu items and icons on the Toolbar and Status bar
• Generate traffic with Packet Generator
Group Discussion
• When would you create/use a local agent?
• Why might there be multiple local agents for the same NIC?
• How does a frame on the wire relate to the OSI 7 layer model?
• When troubleshooting, is it better to start with the Application layer or the DLC layer? Why?