/TYZGRROTMGTJZXU[HRKYNUUZOTM+ZNKXTKZY_YZKSY • PCMCIA host bus adapter (HBA). These are hardware specific providing the interface between the host expansion bus (EISA, PCI, Micro Channel etc) and the standard interface to the PC card sockets 9ULZ]GXK • Socket services, which provide a standard low level software interface for programmers so that the details of the HBA do not need to be known • Card services provide a high level software interface for configuration software and a method of allocating system resources to the PC cards • PC card enablers, or PC card client drivers, read the PC card’s card information structure (CIS), which is in non-volatile memory on the card, indicating the type of device, the resources it requires, and configuration options. The enabler then configures the HBA and PC card Figure 16.3 PCMCIA software and hardware relationships After configuration, subsequent accesses to the PC card take place directly, without using the PCMCIA socket or card services, as illustrated above.  6XUZUIURGTGR_`KXY Protocol analyzers enable us to capture data going across the LAN for purposes of analysis. An analyzer inserted into a ring or connected across a bus has the capability of looking at all messages being sent. These messages can be stored in our computer-based protocol analyzer for subsequent analysis. By looking through the captured packet of data we can examine the message and protocol control information at each layer of the software. Protocol analyzers can operate in ‘promiscuous mode’ where they capture all messages from all nodes, or filters can be set so that the analyzer only captures those messages to or from specific nodes or in specific protocols. This is very useful for tracking down intermittent faults, so we can leave the analyzer running in the knowledge that it will capture the fault condition, along with all other packets from our faulty node, but will ignore the thousands of other packets from other users. 6XGIZOIGR:)6/6GTJ+ZNKXTKZ4KZ]UXQOTM Protocol analyzers range in cost and complexity from simple analyzers based on a standard LAN card which will capture valid packets, to more sophisticated units which will also analyze the pulses, and capture packet fragments.  17 :XU[HRKYNUUZOTM:)6/6  5HPKIZO\KY When you have completed study of this chapter you should be able to: • Describe how to do maintenance on TCP/IP networks • Describe three typical areas requiring troubleshooting • Describe how to troubleshoot with netstat, ping, tracert, ripquery  3GOTZKTGTIKGTJZXU[HRKYNUUZOTMULXKGR:)6/6TKZ]UXQY Obviously a pro-active approach to maintenance of the TCP/IP network is preferable to that of the troubleshooting which is really a reactive approach. Network monitoring needs to be objective and the creation of a baseline is a useful start. This comprises a set of monitoring points by which the network can be monitored and indeed be measured. It is important to distinguish between normal and peak network operation. If the network monitoring is done over a peak period such as large database backups being performed, this may result in false statistics being generated. Typical network statistics that need to be monitored are: 6KXIKTZGMK[ZORO`GZOUT This indicates how much of the total available activity on the network is used compared to the total (theoretically) available bandwidth. 6GIQKZYYKIUTJ This indicates the total number of messages on the bus. This is not the same as the utilization statistic, which indicates the total amount of data. 1ORUH_ZKYYKIUTJ This provides an indication of the actual throughput on the network.   6XGIZOIGR:)6/6GTJ+ZNKXTKZ4KZ]UXQOTM  +XXUXYYKIUTJ This gives the total number of errors on the network. This would include such as items as electrical noise on the network. Be careful of some network analyzers which report collisions as errors – these are not errors but an essential part of the operation of Ethernet using the CSMA/CD philosophy. 5\KXX[TY This indicates packets greater than 1518 bytes (1544 bytes in total length) and indicates a failing LAN driver. ;TJKXX[TY For similar causes to that of overruns, this indicates packets, which are shorter than 64 bytes. 0GHHKXY This arises due to packets longer than 1518 bytes. This arises from a faulty LAN driver or faulty LAN hardware. )8)GROMTSKTZY Packets that are not multiples of 8-bit bytes or have a CRC error may arise from noisy cables or defective components. )URROYOUTY This results from a collision between two (or more) Ethernet frames, which are greater than 64 bytes in length. Note that some network analyzers (such as Snooper and the Netboy Suite) may not be able to detect some of these statistics (such as errors/second) when operating in promiscuous mode, as the physical Ethernet card may not provide this information. Some of the important server-based baseline statistics are: )6;[ZORO`GZOUT This relates to the loading on the server CPU. This gives an indication of the capability of the network interface to maintain the performance levels. *OYQ/5 This indicates the speed of reading and writing the server/hosts file system(s). There should be some indication of the efficiency of the read and write caches. 3KSUX_[YGMK This gives an indication of the performance of the server/host memory. This information should be gathered continuously and then used to set up alarms for each measuring point. Typical alarm points should be set to about 10% of the averages recorded for each statistic gathered. It should be noted that baseline statistics don’t stay static but are constantly changing and as any network change is effected, the new statistics will need to be gathered.  4KZ]UXQZXU[HRKYNUUZOTM According to Dr Tim Parker (TCP/IP Unleashed) there are four attributes you require in troubleshooting TCP/IP problems (and indeed most network problems): • Some basic knowledge of the operation of networking protocols :XU[HRKYNUUZOTM:)6/6 • A clear understanding of the network’s topology and layout • The ability to utilize the troubleshooting tools (such as a Protocol Sniffer) • Some luck The greater the strength of the first three items, the less reliance will be placed on luck. A few typical areas to examine are:  /TIXKGYOTMT[SHKXULIURROYOUTYUTZNK+ZNKXTKZTKZ]UXQ As the utilization of the network increases the number of network errors will increase (although depending on the protocol analyzer and the specific Ethernet card you are using you may not directly observe these statistics). The quickest way to rectify this problem is to reduce the traffic by segmenting the network into smaller sub-networks using bridges or switches. Typical utilization figures would be 2 to 3% on an industrial Ethernet network with a maximum average of 10%. A commercial type Ethernet network (e.g. banking) where the response time may not be as critical can tolerate utilization figures up to 25% without undue problems. However if the number of errors on an Ethernet network is increasing but the utilization is staying at roughly the same level; this may be due to faulty hardware. Be careful of some network monitoring packages – they report collisions (a normal part of the CSMA/CD Ethernet system) as errors. In addition, some versions of the TCP/IP Netstat utility also report collisions as errors.  4KZ]UXQ[ZORO`GZOUTRU]H[ZKXXUXYNOMN This can invariably be traced to a faulty networking component – either hardware or software. If the packets are undersized (less than 64 bytes) and the frame check sequence (FCS) is good, it is likely that the network device driver needs to be replaced. On the other hand if the FCS is bad and the packets are undersized, this may mean that the network device driver is faulty. On the other hand if the packets are oversized (greater than 1518 bytes) and the FCS is good, this is referred to as excessive jabbering and probably means that the interface board or transceiver needs to be replaced. If the FCS is bad and the packets are greater than 1518 bytes, this probably means that the network device driver needs to be replaced.  .OMNT[SHKXULVGIQKZYH[ZRU]JGZGZXGTYLKXY As the traffic on a network increases it is expected that the number of packets increases and the total data throughput increases up to the maximum saturation amount of course. Hence the ratio of the number of packets transmitted per second and the total volume of data passed between hosts should remain roughly constant. If the number of packets increases without any corresponding increase in data throughput this could indicate potential routing problems/badly configured network applications or network components that are failing. A data capture will have to be performed to work out what is actually happening here.  :XU[HRKYNUUZOTM]OZN:)6/6;ZOROZOKY A complete list of utility programs for the TCP/IP environment is contained in the RFC 1340 and is discussed in an earlier chapter. Typical utilities useful for troubleshooting are: . expansion bus (EISA, PCI, Micro Channel etc) and the standard interface to the PC card sockets 9ULZ]GXK • Socket services, which provide a standard low level software interface for programmers. type of device, the resources it requires, and configuration options. The enabler then configures the HBA and PC card Figure 16.3 PCMCIA software and hardware relationships After configuration,. the thousands of other packets from other users. 6XGIZOIGR:)6/6GTJ+ZNKXTKZ4KZ]UXQOTM Protocol analyzers range in cost and complexity from simple analyzers based on a standard LAN