Chapter 29 Using ZENworks Server Management Traffic Analysis

ZENworks Server Management includes LAN traffic analysis tools that help you monitor your LAN traffic, capture traffic data, and collect important statistics of your monitored segments and devices. You can then use the data collected through the LAN traffic tools to understand the usage and performance of your network as well as troubleshoot network issues.

The following sections discuss the different pieces of LAN traffic analysis and how to use them to monitor your managed segments, servers, and other network devices across your multitopology networks.

Understanding LAN Traffic Analysis

ZENworks Server Management LAN traffic analysis is made up of several components that work together to collect, store, and display information about data packets being sent on your network. ZENworks Server Management provides tools that enable you to capture and decode the packets as they are sent from one node to another, giving you the ability to better analyze the traffic. The following sections describe the ZENworks Server Management LAN traffic components, how they communicate, and the functionality of their agents.

Understanding LAN Traffic Components

The ZENworks Server Management LAN traffic analysis system is made up of three main components: the management server, the management console, and the monitoring agent server.

The Management Server

The management server component of ZENworks Server Management LAN traffic analysis is installed on the management site server. It consists of a scalable Sybase database that stores static information such as network names and LAN addresses of servers, routers, switches, and other nodes on your network.

The management server components include the NetExplorer, a consolidator, and the Atlas Manager (discussed in Chapter 27, “Understanding ZENworks Server Management Services”). These components gather information about manageable devices on the network and store that information in the management database. The management database is a Common Information Model-2 (CIM-2) database that stores network data used to establish the topology of the network. ZENworks Server Management extends the CIM-2 model to provide the ability to organize the information in the database and create a topology map.

The Management Console

The management console component of ZENworks Server Management LAN traffic analysis is installed on the management client in the form of snap-ins to the ConsoleOne utility. These snap-ins provide an intuitive, graphical method to access data collected by the ZENworks Server Management LAN traffic analysis agents.

The Monitoring Agent Server

The final component of the ZENworks Server Management LAN traffic analysis system is the monitoring agent server. The monitoring agent server is a server with network monitoring agent software installed on it. There must be one monitoring agent server per segment.

The monitoring agent server enables you to analyze a segment by searching the network and gathering information about network traffic. You can then use that information to analyze the LAN traffic on your network.

The network monitoring agents monitor network traffic and capture frames to build a database of objects in the network. Then, network monitoring agent software enables you to use the ZENworks Server Management console traffic analysis tools to maintain your network performance, monitor traffic on your network, and troubleshoot network problems.

Understanding Communication Between Components

Now that you understand what components make up the ZENworks Server Management LAN traffic analysis system, you need to understand how these systems communicate with each other. The management console component communicates with the management server component by using Common Object Request Broker Architecture (CORBA) to obtain static and dynamic information about the managed nodes and devices on your network.

When the management console requests static information from the management server, the management server then communicates with the management database component by using the Java Database Connectivity (JDBC) protocol. It gathers the requested information from the database and relays it back to the management console.

When the management console requests dynamic information from the management server, the management server communicates with the network monitoring agent by using SNMP requests. It gathers the requested information dynamically and relays it back to the management console.

Understanding Agent Functionality

ZENworks Server Management includes several types of monitoring agents to accommodate the various topologies and devices on your network. Network monitoring agents provide the functionality to remotely monitor segments and devices that are SNMP compliant. The agents collect and store statistical and trend information as well as capture real-time data from the managed nodes and devices on your network. The following sections describe the RMON, RMON Lite, RMON Plus, RMON II, and bridge agents to help you decide which one to use based on the size and topology of your network.

RMON Agents

ZENworks Server Management RMON agents use a standard monitoring specification that enables various nodes and console systems on your network to exchange network data. That network data is used to monitor, analyze, and troubleshoot your LAN from a central site.

The RMON agents are typically used to monitor Ethernet, FDDI, and token ring segments. Table 29.1 describes the groups of monitoring elements that make up the RMON agent.

TABLE 29.1 RMON Agent Monitoring Groups


RMON Lite Agents

ZENworks Server Management RMON Lite agents also use a standard monitoring specification that enables various devices on your network to exchange network data. The RMON Lite agents are typically used to monitor devices not dedicated for network management, such as a hub or a switch. Table 29.2 describes the groups of monitoring elements that make up the RMON Lite agents.

TABLE 29.2 RMON Lite Agent Monitoring Groups


RMON Plus Agents

ZENworks Server Management RMON Plus agents are proprietary agents that extend the functionality of the RMON agent. They act exactly the same as the RMON agent and provide the same groups shown in Table 29.1. In addition to providing data collected from the RMON groups, they also provide data collected from the groups shown in Table 29.3.

TABLE 29.3 RMON Plus Agent Monitoring Groups


RMON II Agents

ZENworks Server Management RMON II agents can be used to collect data from nodes and devices in the network and application layers of the network model, unlike the RMON, RMON Lite, and RMON Plus agents, which are used to collect data from nodes and devices in the physical and data link layers of the network model.

RMON II agents can also determine network usage based on the protocol and application used by the nodes in your network. Table 29.4 describes the groups of monitoring elements that make up the RMON II agent.

TABLE 29.4 RMON II Agent Monitoring Groups


Bridge Agents

ZENworks Server Management bridge agents monitor network bridges, enabling you to collect information about switched networks. Table 29.5 describes the groups of monitoring elements that make up the bridge agents.

TABLE 29.5 Bridge Agent Monitoring Groups


Setting up LAN Traffic Analysis

Now that you understand the components involved in ZENworks Server Management traffic analysis, you are ready to begin setting up traffic analysis on your network. Setting up LAN traffic analysis for ZENworks Server Management involves establishing normal activity for your LAN and then making the necessary configuration changes for the management console to be able to communicate with the management server. The following sections discuss creating a baseline document of normal LAN activity to use as a measurement, selecting the preferred RMON agent, and setting the necessary SNMP parameters for the management console to access the RMON agent.

Creating a Baseline Document

The first step in setting up ZENworks Server Management LAN traffic analysis on your network is to create a baseline document that describes the normal activity and usage of your network. The baseline document should show the normal levels of the most common segment statistics monitored by ZENworks Server Management.

After you create the baseline document, you can use it to identify parts of your network that are experiencing problems, need to be balanced, or need to be upgraded. The following is a list of the most common network statistics that should be used to create a baseline document:

•   Bandwidth utilization—Indicates the percentage of network bandwidth used. Because bandwidth utilization tends to be higher at heavy usage times, your baseline document should account for those times—for example, when users are logging on in the morning.

•   Packets per second—Indicates the raw number of packets being transferred on the network. This gives you the best indication of how heavy your network traffic really is.

•   Network error rates—Error rates also rise with heavy usage, so your baseline should take into account periods of the day when heavy usage would cause errors. This helps you identify times when network errors are atypical.

•   Kilobytes per second—Indicates the raw amount of data being transferred on the network. This gives you the best indication of how heavy your network throughput really is.

•   Active servers—Keep track of the three most active servers on the network. This helps you understand where loads need to be balanced and where network upgrades must take place.
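The following added example (not from the original chapter or from ZENworks) shows how the baseline statistics above can be derived from two polls of a segment's counters and compared against a per-hour baseline, so that a morning logon peak is not mistaken for a problem. It assumes 32-bit wrapping counters in the style of the standard RMON etherStats group and uses the standard Ethernet wire-overhead estimate for utilization; the field names, the sample values, and the mean-plus-three-standard-deviations limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

COUNTER32 = 2 ** 32  # assumption: 32-bit counters that wrap, as in RMON etherStats


@dataclass
class Snapshot:
    """One poll of a segment's counters (field names are illustrative)."""
    t: float      # poll time in seconds
    octets: int   # octets seen on the segment
    pkts: int     # packets seen on the segment
    errors: int   # error events seen on the segment


def delta(new, old):
    """Counter difference that stays correct across a single 32-bit wrap."""
    return (new - old) % COUNTER32


def segment_rates(a, b, speed_mbps):
    """Utilization %, packets/s, KB/s and errors/s between two polls."""
    interval = b.t - a.t
    if interval <= 0:
        raise ValueError("snapshots must be in time order")
    octets = delta(b.octets, a.octets)
    pkts = delta(b.pkts, a.pkts)
    # Every Ethernet frame also costs 20 octet-times on the wire
    # (8 preamble + 12 inter-frame gap), so count that as used bandwidth.
    wire_bits = (octets + 20 * pkts) * 8
    return {
        "utilization_pct": 100.0 * wire_bits / (interval * speed_mbps * 1_000_000),
        "packets_per_s": pkts / interval,
        "kbytes_per_s": octets / 1024 / interval,
        "errors_per_s": delta(b.errors, a.errors) / interval,
    }


def build_baseline(samples):
    """samples: (hour_of_day, {stat: value}) pairs -> {hour: {stat: (mean, stdev)}}."""
    grouped = {}
    for hour, rates in samples:
        for stat, value in rates.items():
            grouped.setdefault(hour, {}).setdefault(stat, []).append(value)
    return {hour: {stat: (mean(v), pstdev(v)) for stat, v in stats.items()}
            for hour, stats in grouped.items()}


def deviations(baseline, hour, rates, k=3.0):
    """Stats above mean + k*stdev for that hour (k=3 is an illustrative choice)."""
    flagged = {}
    for stat, (avg, sd) in baseline.get(hour, {}).items():
        limit = avg + k * sd
        if stat in rates and rates[stat] > limit:
            flagged[stat] = (round(rates[stat], 2), round(limit, 2))
    return flagged


# Constructed history: three earlier days sampled at 08:00 (logon peak) and 14:00.
HISTORY = [
    (8, {"utilization_pct": 40.0, "packets_per_s": 480.0}),
    (8, {"utilization_pct": 44.0, "packets_per_s": 520.0}),
    (8, {"utilization_pct": 42.0, "packets_per_s": 500.0}),
    (14, {"utilization_pct": 10.0, "packets_per_s": 120.0}),
    (14, {"utilization_pct": 12.0, "packets_per_s": 140.0}),
    (14, {"utilization_pct": 11.0, "packets_per_s": 130.0}),
]
# Constructed polls 10 s apart on a 10 Mbps segment; the octet counter wraps between them.
POLL_A = Snapshot(t=0.0, octets=4_294_000_000, pkts=1_000, errors=0)
POLL_B = Snapshot(t=10.0, octets=4_032_704, pkts=6_000, errors=0)

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    now = segment_rates(POLL_A, POLL_B, speed_mbps=10)
    print(now)
    print("same reading at 08:00:", deviations(base, 8, now))
    print("same reading at 14:00:", deviations(base, 14, now))
```

The same reading is normal at 08:00 and a clear deviation at 14:00, which is why the baseline has to be recorded per time of day rather than as a single figure.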

Selecting the Preferred RMON Agent

After you create your baseline document, you need to select which remote monitor (RMON) agent you want to monitor each managed segment. The RMON agent is set on the RMON Agent property page for the segment in ConsoleOne. The RMON property page displays the following information, shown in Figure 29.1, about the RMON agent:

•   Preferred—Checked if this server is set as the preferred RMON agent server for the segment.

•   Agent Name—Displays a list of all the servers on which the RMON agent is installed.

•   Version—Displays the dynamically obtained version number of the RMON agent installed on this server. It is left blank if ZENworks Server Management cannot contact the server to get a version number.

•   Status—Displays the current status of the RMON agent on the selected segment.

•   MAC Address—Displays the MAC address of the server.

•   Interface Index—Displays the number of interface indexes that a server can connect through its network card. Each interface corresponds to a segment.

•   Available RMON Services—Displays the list of RMON services available from the selected agent (RMON, RMON Plus, or RMON II).

FIGURE 29.1 RMON Agent property page for a segment object in ConsoleOne.


Follow these steps to set an RMON agent as the preferred agent to monitor a segment:

1.   Right-click the segment object in ConsoleOne and select Properties from the pop-up menu.

2.   Click the RMON Agent tab, as shown in Figure 29.1.

3.   Choose a server or workstation name from the list displayed in the properties page and then choose which server acts as the RMON agent for the segment.

4.   Click the Apply button to save the settings.

This completes the selection of the RMON agent that will monitor the segment and report the statistics.

Setting Up SNMP Parameters

After you set the preferred RMON agent for each segment, you need to set up the SNMP parameters for the servers hosting your RMON agents. When you request that dynamic information be displayed at the management console, that information is obtained from the monitoring server agents by using SNMP.

Initially, the SNMP communication between the management servers and the management console is based on the default SNMP setting; however, you may want to modify the following settings, as shown in Figure 29.2:

•   SNMP Get (also known as Secure Get)—Encrypts the packets sent by the monitoring agent to the management agent

•   SNMP Set (also known as Secure Set)—Encrypts the packets sent by the management agent to the monitoring agent

•   Community Strings—Community name of the node requesting dynamic data from the agent

•   Number of Retries—Number of times you want the management server to retry connecting to the monitoring agent

•   Timeout in ms—Maximum duration in milliseconds for which the management server should wait for a response from the monitoring agent

•   Port Number—Port on which the management server contacts the monitoring agent

FIGURE 29.2 SNMP Settings tab for a server object in ConsoleOne.


Follow these steps to modify the default SNMP communication for your management servers:

1.   Right-click the server object hosting the RMON agent for the segment and select Properties from the pop-up menu.

2.   Click the SNMP Settings property page, as shown in Figure 29.2.

3.   Modify the Authentication and Communication settings.

4.   Click the Apply button to save your settings.

This completes the configuration of the SNMP parameters necessary to communicate through the system.

Analyzing Network Traffic

After you set up the RMON agents and SNMP parameters for the segments and devices for which you want to analyze traffic, you are ready to begin capturing and analyzing network traffic. ZENworks Server Management enables you to monitor and collect detailed real-time statistics from nodes and segments in your network. That information is displayed back to the management console in the form of tables, graphs, and other graphical displays.

This section discusses how to use the ZENworks Server Management console to monitor and analyze traffic on segments, nodes, protocols, and switches. It also covers how to capture and analyze network packets.

Analyzing Traffic on Network Segments

The most common LAN traffic analysis you will likely be doing is on network segments. You can ensure the most cost-effective, stable, and consistent network by monitoring and managing your segments by using ZENworks Server Management traffic analysis.

ZENworks Server Management provides several different views for analyzing network traffic on segments. The management views translate the data collected by the monitoring agent into an easy-to-understand graphical and textual form. The following sections discuss how to use the List Segment Statistics, Segment Dashboard, Trend Data, Alarm Statistics, and Summary views on segments to monitor and analyze their traffic.

Viewing Network Statistics for a Segment

The List Segments Statistics view displays a list of segments in your network as well as the following statistical information for each of them, as shown in Figure 29.3:

•   Segment Name—Segment name or address if no name is available.

•   Type—Physical segment type (Ethernet, FDDI, WAN, and so on).

•   Speed (Mbps)—The raw speed of the segment, measured by the speed of the network interface card that attaches the RMON agent to the segment. Cable type is also used to determine the segment speed.

•   Utilization %—Average percentage of the bandwidth currently in use by the traffic on the segment.

•   Packets/s—Average number of packets per second currently being transmitted on the segment.

•   KBytes/s—Average number of kilobytes per second currently being transmitted on the segment.

•   Errors/s—Average number of errors per second the segment is currently incurring.

•   Message—Message describing the current status of the RMON agent on the segment.

FIGURE 29.3 List Segments Statistics view for a node in ConsoleOne.


Follow these steps from the ZENworks Server Management console to access the List Segments Statistics view:

1.   Select a segment or a node from the ZENworks Server Management namespace in the management console.

2.   Select View→List Segment from the main menu, and a screen similar to the one in Figure 29.3 appears.

Determining Individual Segment Performance

The Segment Dashboard view is a graphical view that provides real-time statistical information about an individual monitored segment. Shown in Figure 29.4, it displays four gauges that give the following real-time statistics for that segment, as well as node activity for the top nodes on the segment:

•   Packets/s—Shows the number of packets per second being transmitted on the segment

•   Utilization %—Shows the percentage of the maximum network capacity currently being consumed on the segment

•   Errors/s—Shows the number of errors per second the segment is currently incurring

•   Broadcasts/s—Shows the number of broadcast packets per second currently being transmitted on the segment

FIGURE 29.4 Segment Dashboard view for a segment in ConsoleOne.


Follow these steps from the ZENworks Server Management console to access the Segment Dashboard view:

1.   Select the segment you want to monitor from the ZENworks Server Management namespace in the management console.

2.   Select View→Segment Dashboard from the main menu, and a screen similar to the one in Figure 29.4 appears.

Analyzing Segment Trends

Use the Trend Data view in conjunction with the baseline document, discussed earlier in this chapter. The Trend Data view enables you to determine trends of traffic patterns that indicate that a segment is in trouble or needs to be updated or expanded. To access the Trend Data view for a segment from the ZENworks Server Management console, follow these steps:

1.   Select the segment you want to monitor from the ZENworks Server Management namespace in the management console.

2.   Select View→Segment Trends from the main menu, and a screen similar to the one in Figure 29.5 appears.

FIGURE 29.5 Trend Data view for a segment in ConsoleOne.


You can configure which statistics to monitor in the Trend Data view. Follow these steps to configure the statistics that best fit your network:

1.   Click the Profile button in the Trend Data view.

2.   Select a profile from the Select Profile column in the Edit Profile window.

3.   Choose which statistics you want to view in the Select Series column. The available options depend on your network type.

4.   Click OK, and the Trend Data view should be updated with your new selections.

This completes the customization of the Trend Data view for a particular segment.

Viewing Alarm Statistics for a Segment

The Alarm Statistics view shows a list of all alarms for the monitored segment along with their threshold and sampling rate. Follow these steps from the ZENworks Server Management console to access the Alarm Statistics view for a segment:

1.   Right-click the segment you want to monitor from the ZENworks Server Management namespace in the management console.

2.   Select Properties from the pop-up menu.

3.   Select the Segment Alarms tab, as shown in Figure 29.6.

FIGURE 29.6 Segment Alarms tab for a segment object in ConsoleOne.


The alarms can be manually edited by highlighting the alarm and clicking the Edit button, or the Default All button can be used to assign a predefined set of default values to the alarms.

Viewing a Segment Summary

The Segment Summary view is both a graphical and a textual view, which provides a quick summary of the managed segment. This view enables you to quickly assess the current state of the segment. It provides the following static information about the managed segment:

•   Name—Name or address of the segment

•   Type—Media type of the segment: Ethernet, token ring, or FDDI

•   IP Address—IP addresses of the segment

•   IPX Address—IPX addresses of the segment

•   Primary Agent—Name of the preferred agent, which is monitoring nodes and traffic on the segment

•   Agent Status—Current status of the preferred monitoring agent

•   Nodes—Number of nodes on the segment

•   IP Nodes—Number of nodes on the segment with IP addresses

•   IPX Nodes—Number of nodes on the segment with IPX addresses

•   Servers—Number of NetWare servers on the segment

•   Workstations—Number of nodes on the segment that are not NetWare servers

•   Network Probes—Number of monitoring agents available on the segment

•   Switches—Number of switches on the segment

•   Routers—Number of routers on the segment

•   Hubs—Number of hubs on the segment

The Segment Summary view provides the following information about alarms that have occurred on the managed segment:

•   Severity—Severity level associated with the alarm

•   From—Network address of the device that sent the alarm to the alarm management system

•   Summary—Summary of the event, often including the name or address of the object affected by the alarm

•   Owner—Segment or device affected by the alarm

•   Received Time—Date and time when the alarm management system received the alarm

•   Type—Description of the alarm

•   Category—Category of the alarm based on the MIB

The Segment Summary view provides the following charts and gauges showing you dynamically captured information about the managed segment:

•   Utilization %—Displays a gauge representing the current real-time usage of the network in relation to the maximum capacity

•   Packets—Displays a trend graph based on data about packets that have been transmitted on the segment

•   Protocol Distribution—Displays a pie chart that represents the distribution of protocols on the network

Follow these steps from the ZENworks Server Management console to access the Segment Summary view for a segment:

1.   Select the segment you want to monitor from the ZENworks Server Management namespace in the management console.

2.   Select View→Segment Summary from the main menu, and a screen similar to the one shown in Figure 29.7 appears.

FIGURE 29.7 Segment Summary view for a segment in ConsoleOne.


Analyzing Traffic on Nodes Connected to a Segment

ZENworks Server Management also provides several views to help you monitor and analyze traffic associated with nodes connected to a monitored segment. Monitoring at the segment level gives you a good understanding about the general trends and health of the entire segment. But if you want to analyze traffic at a more granular level, you need to analyze traffic at the node level.

The following sections describe how to use the ZENworks Server Management console to analyze statistics between nodes and to monitor nodes for inactivity.

Analyzing Network Statistics for Stations on a Segment

The first thing that you should do when analyzing traffic of nodes on a segment is to gather information about the most active ones. Viewing the statistics for the most active nodes gives you an indication of how active nodes are on the segment and whether any nodes are exhibiting troubled behavior. ZENworks Server Management provides the Stations view to enable you to view the following statistics on the most active nodes in the segment:

•   MAC Address—Unique physical address of the node

•   Node—Name or address of the node

•   Utilization %—Percentage of maximum network capacity consumed by packets sent from this node

•   Packets/s In—Packets per second received by this node

•   Packets/s Out—Packets per second sent by this node

•   Bytes/s In—Data in bytes per second received by this node

•   Bytes/s Out—Data in bytes per second sent by this node

•   Errors/s—Errors per second received by this node

•   Broadcasts/s—Broadcast packets per second received by this node

•   Multicasts/s—Multicasts per second received by this node

•   Protocols—Types of protocols used by this node

•   First Transmit—Date and time this node first transmitted a packet since the traffic analysis agent was loaded

•   Last Transmit—Date and time this node last transmitted a packet since the traffic analysis agent was loaded

Follow these steps from the ZENworks Server Management console to access the Stations view for a segment:

1.   Select the segment you want to monitor nodes on from the ZENworks Server Management namespace in the management console.

2.   Select View→Stations from the main menu, and a screen similar to the one in Figure 29.8 appears.

FIGURE 29.8 Segment Stations view for a segment in ConsoleOne.


3.   Specify what statistic to use in determining a node’s activity from the drop-down list at the top of the window.

Analyzing Traffic Between Nodes

The Conversations view is another useful ZENworks Server Management view that allows you to view real-time data showing traffic between a specific node and one or more other nodes on the same segment. Use this information when you need to determine communication activity between specific nodes.

Suppose that you have a database application installed on a node on the segment, and you want to see how traffic from this node behaves when the database is active as opposed to when it is shut down. You would use the Conversations view before and after activating the database and compare the data from each.

The Conversations view provides statistical data on the following characteristics of internode communication:

•   Node—Name or address of the destination node communicating with the selected node

•   % Pkt Load—Percentage of the total packet load being used between this node and the destination node

•   % Byte Load—Percentage of the total byte load being used between this node and the destination node

•   Pkts/s In—Number of packets received per second by the destination node from this node

•   Pkts/s Out—Number of packets sent per second from the destination node to this node

•   Bytes/s In—Number of bytes of data received per second by the destination node from this node

•   Bytes/s Out—Number of bytes of data sent per second from the destination node to this node

•   Pkts In—Number of packets received by the destination node from this node since the view was opened

•   Pkts Out—Number of packets sent by the destination node to this node since the view was opened

•   KBytes In—Number of kilobytes of data received by the destination node from this node since the view was opened

•   KBytes Out—Number of kilobytes of data sent by the destination node to this node since the view was opened

•   Protocols—Protocol packet types used by the destination node to communicate with this node

•   First Transmit—Date and time that this node first transmitted on the network since the traffic analysis agent was loaded

•   Last Transmit—Date and time that this node last transmitted on the network since the traffic analysis agent was loaded

Follow these steps from the ZENworks Server Management console to access the Conversations view for a node:

1.   Select the node you want to monitor conversations on from the ZENworks Server Management namespace in the management console.

2.   Select View→Conversations from the main menu, and a screen similar to the one shown in Figure 29.9 appears.

FIGURE 29.9 Conversations view for a node in ConsoleOne.


Monitoring Nodes for Inactivity

Another useful way to monitor network traffic at a node level is to monitor nodes for inactivity. ZENworks Server Management enables you to monitor nodes to determine whether they become inactive and alert you if they do. This does not impact network traffic because the traffic analysis agent does not poll the node to obtain status. Follow these steps from the ZENworks Server Management console to monitor a node for inactivity:

1.   Choose View→Monitor Nodes for Inactivity from the menu in ConsoleOne.

2.   Click the Add Nodes icon from the icon bar at the top of ConsoleOne. (The Add Nodes icon is a target with a plus sign.)

3.   Browse to and select the node you want to add to the list to monitor. Continue to add nodes until you have completed your list.

After you select the nodes that you want to monitor, you can view the following information about them from the Monitor Nodes for Inactivity view:

•   Name—Name of the node being monitored

•   MAC Address—Unique physical address of the node

•   Status—Current status of the node (updated every 60 seconds by default)

Follow these steps from the ZENworks Server Management console to access the Monitor Nodes for Inactivity view:

1.   Select the segment for which you want to see a list of nodes monitored for inactivity from the ZENworks Server Management namespace in the management console.

2.   Select View→Monitor Nodes for Inactivity from the main menu.

Capturing Packets from the Network

ZENworks Server Management makes it possible for you to be even more detailed than LAN traffic analysis at a node level by enabling you to capture specific sequences of packets from the network. As nodes communicate on a segment, they send packet sequences to each other, which are captured by the RMON agents in a local buffer and can be accessed by the management console.

Packet captures provide much more detail to LAN traffic analysis because they provide information about requests and replies that nodes are making on the network. This can be useful in troubleshooting interserver or client-to-server communication issues.

The following sections describe how to use the ZENworks Server Management console to set up a filter and capture packets from the network.

Setting Up a Capture Filter

The first step in capturing packets from a segment is to set up a filter to limit the number of packets captured. Without a filter, far too many packets would be captured, making it difficult to use the capture.

Filtering enables you to capture only the packets needed. If you are troubleshooting a client-to-server communication issue on an IP application, for example, you would want to capture only IP packets between the client node and the server node.

Follow these steps from the ZENworks Server Management console to define a capture filter:

1.   Select a node or a segment from the ZENworks Server Management namespace in ConsoleOne.

2.   Select File→Actions→Capture Packets from the main menu. The Packet Capture Setup window, shown in Figure 29.10, appears.

FIGURE 29.10 Packet Capture Setup window for filtering packet captures in ConsoleOne.


3.   Type in a descriptive name for the buffer in the Capture Name text box. This typically should describe the purpose of the capture.

4.   Select the source and destination nodes from drop-down lists in the Stations box and specify whether you want to capture packets based on an IP, IPX, or hardware address. You can use Any for either the source or destination, or Both to include all nodes. If it’s possible, use specific nodes to reduce the size of the capture.

5.   Select the direction of traffic flow between nodes. You can select only source to destination, only destination to source, or both directions. This can help limit the capture greatly if you only need one direction.

6.   Add protocols to filter on by selecting the protocol in the Selected Protocols list and clicking the Add button. If you do not add protocols to filter on, all protocols are captured.

7.   Specify what kind of packets to capture. See Table 29.6 for a list of available statistics by topology.

TABLE 29.6 Available Statistics to Filter on Based on Segment Type


8.   Specify whether you want to overwrite the buffer or stop the capture when the buffer is full. Overwriting the buffer means that the oldest packets are overwritten with the newest ones. If you specify to overwrite, you must manually stop the capture.

9.   Specify the buffer size. This depends on what you need to capture and for how long. If you are capturing all packets from all nodes, you need a very large buffer; however, if you only need packets from one node to another one, the default buffer of 129KB is probably enough. Keep in mind that there must be enough free memory at the RMON server to create the buffer.

10.   Specify the packet slice size. The Slice Size field specifies the maximum number of bytes of each packet, starting from the packet header, to store in the buffer. This also depends on what you need out of the capture. For header information, you only need 150 bytes or so. But if you need data out of the packet itself, you should select the full packet. This parameter determines the number of packets that a buffer can hold.

11.   Click OK, and the filter will be set.

This completes the setup of the capture filter options of the Management and Monitoring system.
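The following model of steps 8 through 10 is an added example, not code from ZENworks: it shows how the slice size sets how many packets fit in the buffer, and what each full-buffer policy keeps. It assumes a stored packet costs only its sliced bytes (a real agent also keeps per-packet metadata, so real capacity is lower), and the 1514-byte frames are constructed sample traffic.

```python
from collections import deque


class CaptureBuffer:
    """Capture buffer with a slice size and a full-buffer policy."""

    def __init__(self, buffer_bytes, slice_size=None, overwrite=False):
        self.buffer_bytes = buffer_bytes
        self.slice_size = slice_size      # None means "store the full packet"
        self.overwrite = overwrite        # True: overwrite oldest; False: stop when full
        self.packets = deque()            # (packet number, stored bytes)
        self.used = 0
        self.seen = 0
        self.stopped = False

    def offer(self, packet):
        """Offer one packet from the wire; return True if it was stored."""
        if self.stopped:
            return False
        self.seen += 1
        data = packet if self.slice_size is None else packet[:self.slice_size]
        if len(data) > self.buffer_bytes:
            return False                  # larger than the whole buffer
        while self.used + len(data) > self.buffer_bytes:
            if not self.overwrite:
                self.stopped = True       # buffer full: the capture ends here
                return False
            _, oldest = self.packets.popleft()   # oldest packet is overwritten
            self.used -= len(oldest)
        self.packets.append((self.seen, data))
        self.used += len(data)
        return True


# Constructed traffic: 1000 maximum-size Ethernet frames (1514 bytes each).
FRAMES = [bytes(1514)] * 1000


def simulate(slice_size, overwrite, frames=FRAMES, buffer_bytes=129 * 1024):
    """Run the frames through a buffer of the default size named in step 9."""
    buf = CaptureBuffer(buffer_bytes, slice_size, overwrite)
    for frame in frames:
        buf.offer(frame)
    return buf


if __name__ == "__main__":
    for label, slice_size, overwrite in [
        ("full packet, stop when full", None, False),
        ("150-byte slice, stop when full", 150, False),
        ("full packet, overwrite", None, True),
    ]:
        buf = simulate(slice_size, overwrite)
        first, last = buf.packets[0][0], buf.packets[-1][0]
        print(f"{label}: {len(buf.packets)} packets held (No. {first} to {last})")
```

With overwrite selected, the buffer ends up holding only the most recent packets, so the start of the sequence you wanted may already be gone by the time you stop the capture.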

Starting a Packet Capture

After you set the filter, you are ready to start the capture. When you click OK from the Packet Capture Filter window, a Capture Status window similar to the one shown in Figure 29.11 appears. The Capture Status window displays the following information about the capture:

•   Segment—Name or address of the segment on which the packet capture is occurring

•   LANalyzer Server—Name or address of the server running the RMON agent collecting the captured packets

•   Buffer Granted—Size of the buffer used for the capture

•   Description—Description of the filter settings for the capture

•   Count—Incrementing count, shown as 8 in Figure 29.11, for every packet captured

FIGURE 29.11 Packet Capture Status window for packet captures in ConsoleOne.

From the Capture Status window, click the Start button to start the capture. If you are trying to capture a specific sequence, start the capture and then perform the sequence—for example, opening a database file or starting an application. When you have captured enough packets, you can click the Stop button to stop the capture, or you can simply wait until the buffer fills up if you specified to stop the capture when the buffer is full.

Analyzing Captured Packets

After you set up a capture filter and capture the sequence of packets, you are ready to begin analyzing them from the management console. The packet captures reside on the server hosting the RMON agent; however, ZENworks Server Management retrieves the packet data from the RMON agent individually as you view each packet.

Viewing Captured Packets

ZENworks Server Management provides a useful Trace Display view to help you view and decode packet data. The Trace Display view, shown in Figure 29.12, provides summary information about the captured packets (top), a decoded view of the selected packet (middle), and a hexadecimal view of the packet (bottom).

FIGURE 29.12 Packet capture Trace Display view for packet captures in ConsoleOne.

You can open the Trace Display view by clicking the View button on the Capture Status window or by selecting Tools→View Packet File from the main menu in ConsoleOne and then selecting a trace file in the Open dialog box.

The following sections discuss the three different sections of the Trace Display view.

Captured Packet Summary

The summary pane in the Trace Display view displays a list of captured packets providing you with an overview of the communications between source and destination nodes. You can highlight a packet in this pane to display the decoded and hexadecimal packet data in the panes below. The summary pane provides the following statistical information about the captured packets:

•   No.—Numbers the packets in the order in which they were received at the RMON agent

•   Source—Name or MAC address of the node from which the packet was sent

•   Destination—Name or MAC address to which the packet was sent

•   Layer—Abbreviation of the highest protocol layer in the packet—for example, “ncp” for NetWare Core Protocol or “ether” for Ethernet

•   Summary—Displays a brief description of the contents of the highest protocol layer

•   Error—Shows the error type, if any, that occurred in the packet

•   Size—Displays the number of bytes contained in the packet

•   Absolute Time—Displays the hardware clock time when the packet arrived

•   Interpacket Time—Displays the time that elapsed from the end of the preceding packet to the end of the current packet

•   Relative Time—Displays the time that elapsed since the arrival of the oldest packet still in the buffer

Decoded Packet Data

The decode pane in the Trace Display view displays detailed information about the contents of the selected packet. The packet data is decoded and displayed according to defined protocol fields. This is a useful tool because it tells you information such as the station that sent the packet, protocol, NCP request information, reply results, and so forth. You typically use this field to understand packet sequences and why they failed.

Hexadecimal Packet Data

The hexadecimal pane in the Trace Display view displays the raw packet data in hexadecimal format. The column on the left is the hexadecimal offset from the packet header. The second column is the raw hexadecimal data of the packet. The column on the right is the ASCII form of the hexadecimal data.

You will likely use the hexadecimal display only if you know exactly what you are looking for. If, for example, you know the structure of the data being sent from a client application to a server, you would be able to manually decode the hexadecimal data. The text column of the hexadecimal display, however, is often useful because it shows textual data in the packet. File pathnames, for example, will show up in the ASCII column.

Filtering the Display for Captured Packets

ZENworks Server Management also enables you to filter out packets even after you are viewing the packet trace. This is useful in situations where after you begin viewing a packet trace, you narrow down the problem to a specific node or even a specific request.

Suppose that you originally capture all packets going between a server and all network nodes, but you need to see only the packets going to that server from a specific node. You can filter on only those packets going to the specific node you are troubleshooting.

Another example is if you know the structure of the exact packet type you want to view. You can filter on a value, such as a key sequence, at a specific offset and see only those packets that match.

Follow these steps to set a display filter for captured packets from the Capture Trace view in ConsoleOne:

1.   Select View→Filter from the main menu, and the Display Filter dialog box appears.

2.   Modify the Stations setting to narrow down to specific stations.

3.   Modify the packet direction, if possible, to packets going one way.

4.   Add or remove protocols from the selected Protocol list.

5.   Set the hexadecimal Offset and the From fields if you are looking for packets containing specific data.

6.   Specify the data value and type to search for at the specified offset.

7.   Click OK, and your capture display filters on the criteria you have specified.

NOTE

If your packet capture is large, you may have to wait a considerable time while enough of each packet is transferred to the ZENworks Server Management console for it to filter on. This takes up considerable bandwidth. We recommend that you use the capture filter setting to narrow down your captures first.
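The hexadecimal pane layout and the offset-and-value display filter from steps 5 and 6 can be reproduced in a few lines. This is an added example, not ZENworks code; the frames are constructed (a 14-byte Ethernet header followed by a made-up payload that is not a real protocol), and the function names are hypothetical.

```python
import re


def hex_rows(packet, width=16):
    """Rows of (offset, hex bytes, ASCII text), the three columns of the hex pane."""
    rows = []
    for off in range(0, len(packet), width):
        chunk = packet[off:off + width]
        hex_col = " ".join(f"{b:02X}" for b in chunk)
        # Non-printable bytes are shown as "." in the ASCII column.
        ascii_col = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        rows.append((f"{off:04X}", hex_col, ascii_col))
    return rows


def printable_runs(packet, min_len=4):
    """(offset, text) for each run of printable ASCII, such as a file pathname."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, packet)]


def matches_at(packet, offset, value):
    """True only if `value` sits at exactly `offset` bytes from the packet start."""
    end = offset + len(value)
    # A packet cut short by the capture slice size cannot match past its end.
    return end <= len(packet) and packet[offset:end] == value


def display_filter(packets, offset, value):
    """Packet numbers (1-based, capture order) whose bytes at `offset` equal `value`."""
    return [no for no, pkt in enumerate(packets, 1) if matches_at(pkt, offset, value)]


# Constructed frames: destination MAC, source MAC, type field, then payload.
NODE_A = bytes.fromhex("001b21aabb01")
NODE_B = bytes.fromhex("001b21aabb02")
PACKETS = [
    NODE_A + NODE_B + b"\x08\x00" + b"\x00\x01OPEN SYS:PUBLIC\\LOGIN.EXE\x00",
    NODE_B + NODE_A + b"\x81\x37" + b"\x00\x02REPLY OK\x00",
    NODE_A + NODE_B + b"\x08\x00" + b"\x00\x03OPEN SYS:DATA\\ORDERS.DB\x00",
]

if __name__ == "__main__":
    for offset, hex_col, ascii_col in hex_rows(PACKETS[0]):
        print(f"{offset}  {hex_col:<47}  {ascii_col}")
    print("text found:", printable_runs(PACKETS[0]))
    print("OPEN at offset 16:", display_filter(PACKETS, 16, b"OPEN"))
    # The same filter on a capture taken with a 14-byte slice finds nothing,
    # because the bytes at offset 16 were never stored.
    print("after 14-byte slice:", display_filter([p[:14] for p in PACKETS], 16, b"OPEN"))
```

A display filter can only match bytes that the capture slice size kept, so choose the slice size with the offsets you expect to filter on in mind.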

Highlighting Protocol Fields and Hex Bytes

One of the most valuable features of the Trace Display view is its capability to match data in the decoded pane with the hexadecimal values in the hexadecimal pane. It does this by highlighting the data areas that you select, either in the decode pane, the hexadecimal pane, or in both panes. The following is a list of examples of how you can use the highlighting tool:

•   Highlight a protocol layer in the decode pane and view the hexadecimal bytes in the Hex view.

•   Click a specific field in the decode pane and view the hexadecimal value associated with it.

•   Click a hexadecimal byte in the hexadecimal pane and see which protocol field is associated with it in the decode pane.

•   Click ASCII text in the hexadecimal pane and see the hexadecimal values and the specific decode field associated with it.

NOTE

You can save a trace file in the *.tr1 file format, so that you can send it to someone else to look at, by selecting File→Save Unfiltered Packets or File→Save Filtered Packets.

Analyzing Protocol Traffic

The ZENworks Server Management traffic analysis agent also allows you to monitor statistics of traffic generated by protocols in your network.

Displaying Protocols Used on a Network

The RMON II agent object in the eDirectory tree provides a Protocol Directory property page to view a list of supported and custom protocols used in the network. This is a hierarchical list with the protocols used in the data link layer at the top level. Follow these steps from within ConsoleOne to display the protocols used on your network:

1.   Select the node object running the RMON II agent from the ZENworks Server Management namespace.

2.   Expand the view by clicking the plus sign next to it.

3.   Expand the view for the services object.

4.   Right-click the RMON II object under Services and select Properties from the pop-up menu.

5.   Select the Protocol Directory tab.

From the Protocol Directory tab, you can also add custom protocols to the supported protocol tree by clicking the Add button. You can also click the Remove button to remove a protocol from being monitored in the tree.

Determining Segment Distribution of Protocols

ZENworks Server Management also enables you to view the distribution of protocols on a segment. This gives the following statistics of the protocol communications in the network layer, transport layer, and application layer that are occurring on your network:

•   Protocol Name—The name of the protocol

•   Packets/s—The average number of packets per second being sent using this protocol

•   Bytes/s—The average number of bytes of data per second being sent using this protocol

•   Packet Rate %—The percentage of packets transmitted using this protocol, relative to the total packets transmitted

•   Byte Rate %—The percentage of bytes of data transmitted using this protocol, relative to the total bytes of data being transmitted

Follow these steps from within the ZENworks Server Management namespace in ConsoleOne to view the distribution of protocols in a segment:

1.   Select the managed segment for which you want to view protocols.

2.   Select View→Protocol Distribution from the main menu. A window similar to the one shown in Figure 29.13 appears.

FIGURE 29.13 Protocol Distribution view for a segment object in ConsoleOne.

Analyzing Switch Traffic

The ZENworks Server Management traffic analysis agent also enables you to monitor statistics of traffic generated on switches in your network. This helps you determine the load on workstation and workgroup switches in your network, enabling you to plan for future upgrades.

ZENworks Server Management monitors ports and nodes connected to those ports by using an RMON agent, external RMON agent, or bridge agent. The following sections discuss how to use these agents to display statistics for ports on the switches on your network and to view the summarized information for a specific switch.

Viewing Port Statistics for a Switch

You can view port statistics of a switch by using the ZENworks Server Management Unified Port Traffic view. This view obtains statistical information about every port in your network. It then displays a list of nodes connected to ports on the switch and statistics for each port.

Follow these steps from within the ZENworks Server Management namespace in ConsoleOne to display the Unified Port Traffic view:

1.   Select the managed switch on which to view port statistics.

2.   Expand the view by clicking the plus sign next to the switch.

3.   Expand the view by clicking the plus sign next to Services under the switch.

4.   Select Switch/Bridge under Services.

You can now select View→Port Traffic from the main menu to bring up the Unified Port Traffic view.

Viewing Switch Summary Data

ZENworks Server Management also provides a summary view of switch data that provides brief information about the switch. This gives you a quick look at the current status, usage, and alarms generated on the switch. The following statistical information is provided in the Switch Summary view:

•   Vendor—Name of the manufacturer of the switch

•   Switch Type—Type of switch: transparent or source route

•   Number of Ports Active—Number of ports currently active on the switch

•   Forwarding Table Overflow Count—Number of times the forwarding table has exceeded its capacity

•   Up Time—Time since the switch was last rebooted

•   Number of Ports Present—Number of ports that actually exist on the switch

•   Number of MAC Addresses Learned—Number of MAC addresses dynamically discovered by the switch

Follow these steps from within the ZENworks Server Management namespace in ConsoleOne to display the Switch Summary view:

1.   Select the managed switch for which to view the summary.

2.   Click View→Switch Summary from the main menu to bring up the Switch Summary view.

Setting Up ZENworks Server Management Traffic Analysis Agents

ZENworks Server Management provides traffic analysis agents and RMON agents for both NetWare and Windows to enable you to monitor heterogeneous LANs. These agents collect information about activity on your network and relay that information back to the management agent, which in turn sends it to the management console for viewing.

The following sections describe how to set up and use the traffic analysis agents for both NetWare and Windows.

Setting Up the Traffic Analysis Agents for NetWare

Take some time to set up the traffic analysis agents on the NetWare servers they are installed on. This involves setting the SNMP parameters, modifying the LANZ.NCF file, and restarting the agents.

Configuring NetWare SNMP Parameters

The first step in setting up ZENworks Server Management traffic analysis agents on NetWare servers is to configure the SNMP parameters. This involves setting the appropriate read, write, and error-handling options for your agent server.

Follow these steps to configure the SNMP parameters on NetWare servers:

1.   At the traffic analysis agent server, load the INETCFG utility.

2.   From the Internetworking Configuration screen in the INETCFG utility, select Manage Configuration→Configure SNMP Parameters→Monitor State.

3.   From Monitor Community Handling options, select Specified Community May Read, and then enter public for the community name and press Enter.

4.   Select Control State from the Control Community Handling options, select Specified Community May Write, and then enter public for the community name and press Enter.

5.   Select Trap State from the Trap Handling options, select Send Traps with Specified Community, and then enter public for the community name and press Enter.

6.   Press Esc to exit from the SNMP Parameters screen and save changes.

7.   Press Esc two more times to exit from the Internetworking Configuration screen and restart the server. The Reinitialize System command does not apply these changes. For them to take effect, SNMP must be unloaded and reloaded, which is done by restarting the server.

This completes the steps for configuring the SNMP parameters on NetWare servers.

Modifying the LANZ.NCF File

The LANZ.NCF file is a script used to launch the traffic analysis agent on NetWare servers. You can modify the LANZ.NCF file to customize agent loading. Use a text editor to modify the commands in Table 29.7 to customize your LANZ.NCF file.

TABLE 29.7 LANZ.NCF File Commands for the Traffic Analysis Agents

Starting/Stopping the Agent

The ZENworks Server Management LAN traffic agents for NetWare are comprised of several modules. The following two script files are included with ZENworks Server Management and should be used to start and stop the LAN traffic agents:

•   LANZ.NCF—Script file that loads the LAN traffic agent NLMs

•   ULANZ.NCF—Script file that unloads the LAN traffic agent NLMs

Using the NetWare LANZCON Utility

The LANZCON utility provided with ZENworks Server Management enables you to configure and view the traffic analysis agents. The LANZCON utility is an NLM installed into the <ZENworks_Volume>:FS_AGNT LANZ directory on the servers in which the traffic analysis agents were installed.

Load the LANZCON utility on your NetWare server with the traffic analysis agents running to view and configure the following items:

•   Network Adapter Information—Types of items currently being monitored by the adapter. You can also enable or disable an adapter from monitoring the network.

•   Agent Status—Status of the selected agent and items related to the agent monitoring the segment.

•   Statistics Information—Packet and event statistics for the selected network adapter.

•   History Information—Provides sampling information collected at intervals for the networks being monitored by this agent—for example, data source, buckets requested, and buckets granted.

•   Hosts Information—Statistics about specific hosts or nodes on the monitored network.

•   Matrix Information—Consists of three tables that record information about conversations between pairs of nodes on the monitored segment.

Setting Up the Traffic Analysis Agents for Windows NT/2000/2003

After you set up the traffic analysis agent on your NetWare servers, take some time to set up the traffic analysis agents on your Windows NT/2000/2003 servers as well. Once again, this involves setting the SNMP parameters and then restarting the agents.

Configuring NT SNMP Parameters

The first step in setting up ZENworks Server Management traffic analysis agents on NT/2000/2003 servers is to configure the SNMP parameters. This involves setting the appropriate read, write, and error-handling options for your agent server. Follow these steps to configure the SNMP parameters on your Windows NT/2000/2003 servers:

1.   Open the Windows Services Manager dialog box. In Windows NT, double-click on Network in the Control Panel and select the Services tab. In Windows 2000/2003, select Start→Program Files→Administrative Services→Services.

2.   Select SNMP Services from the list of services.

3.   Click the Properties button.

4.   Click the Traps tab.

5.   From the Accepted Community Names box, click the Add button.

6.   Enter public in the Service Configuration dialog box.

7.   Click the Add button.

8.   Enter the DNS names or IP addresses of workstations or servers that should receive traps.

9.   Click the Add button.

10.   Click the Security tab.

11.   From the Accepted Community Names, click the Add button.

12.   Enter public in the Service Configuration dialog box.

13.   Set the rights according to your needs.

14.   Click the Add button.

15.   Select Accept SNMP Packets from Any Host.

16.   Click OK to return to the Network window.

NOTE

If SNMP is not already installed on the NT Server, then after you install it from the NT Server CD you have to reboot, and you get some SNMP errors. To correct this, reapply the NT support pack (whichever one you were on or newer).
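The settings entered in the steps above are stored by the Windows SNMP service in the ValidCommunities and PermittedManagers keys under HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters. The following audit sketch is an added example, not part of ZENworks: it reads `reg query` output for those two keys and lists what a reviewer would want on record (the community name public, write rights, no restriction on managers). Both registry exports are constructed sample input, and the second community name and manager address are hypothetical.

```python
import re

# Rights values the Windows SNMP service stores for each accepted community.
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
DEFAULT_NAMES = {"public", "private"}

# A value line in `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Parse `reg query <key>` text into {value name: data string}."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:                      # the key path line and blank lines do not match
            values[match.group("name")] = match.group("data").strip()
    return values


def audit(valid_communities_text, permitted_managers_text):
    """Return a list of findings for one server's SNMP service settings."""
    findings = []
    communities = parse_reg_query(valid_communities_text)
    managers = parse_reg_query(permitted_managers_text)
    for name, data in communities.items():
        rights = RIGHTS.get(int(data, 16), f"UNKNOWN({data})")
        if name.lower() in DEFAULT_NAMES:
            findings.append(f"default community name '{name}' ({rights})")
        if rights in ("READ WRITE", "READ CREATE"):
            findings.append(f"community '{name}' allows SNMP set ({rights})")
    # An empty PermittedManagers key is how "Accept SNMP Packets from Any Host" is stored.
    if communities and not managers:
        findings.append("no permitted managers listed: packets accepted from any host")
    return findings


# Constructed export of a server configured as in the steps above, with write rights.
AS_CONFIGURED = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities\n"
    "    public    REG_DWORD    0x8\n",
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SNMP\\Parameters\\PermittedManagers\n",
)

# Constructed export of a restricted setup (hypothetical community and manager address).
RESTRICTED = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities\n"
    "    zfs-mon-7Qx    REG_DWORD    0x4\n",
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SNMP\\Parameters\\PermittedManagers\n"
    "    1    REG_SZ    10.0.0.5\n",
)

if __name__ == "__main__":
    for label, export in (("as configured", AS_CONFIGURED), ("restricted", RESTRICTED)):
        print(label)
        for finding in audit(*export) or ["no findings"]:
            print("  -", finding)
```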

Starting/Stopping the SNMP Service

Whenever you make changes to the settings for the SNMP service, you should stop and restart the agent. Follow these steps to stop and restart the traffic analysis agent on a Windows NT/2000/2003 server:

1.   Open the Services manager.

2.   Select SNMP Services.

3.   Click the Stop button.

4.   When the agent is stopped, click the Start button.

Using the NT LANZCON Utility

The Windows LANZCON utility provided with ZENworks Server Management enables you to configure and view the traffic analysis agents. The Windows LANZCON utility is an executable installed on the desktop of Windows NT/2000/2003 servers that the traffic analysis agents were installed to. Load the LANZCON utility on your Windows NT/2000/2003 server with the traffic analysis agents running to view and configure the following items:

•   Configure LANalyzer Agent—Takes the place of editing the LANZ.NCF file on NetWare servers by letting you enable or disable packet capture and enable/disable station monitoring, and set memory bounds and age (how long to retain packet data before it is too old), concurrent sorting, and duplicate IP address alarms.

•   Network Adapter—Displays a list of network adapters discovered by the agent. You can enable or disable a network adapter from monitoring the network.

•   Agent Log—Displays a list of significant events and errors that occurred during a session.

•   Agent Status—Displays the current status and description of all agents installed on the server.

•   RMON Tables—Displays the statistics, history control, history data, host control, host entry, host topN control, host topN entry, matrix control, matrix SD entry, filter, channel, and buffer RMON tables for the network adapter. Also displays the alarm, event, and log RMON tables.

•   SNMP Traps—Displays a list of traps that occurred on the managed segment, including the received time and a summary of the trap.

NOTE

The ZENworks Server Management traffic analysis agent does not have to be installed on every NetWare and Windows NT/2000/2003 server. You need it installed on only one server (NT/2000/2003 or NetWare) per segment that you want to monitor. This also helps with the discovery process.

Summary

This chapter focused on the different pieces of LAN traffic analysis that exist. It looked at how to use them to monitor your managed segments, servers, and other network devices across your multitopology networks.
