Syngress Sniffer Pro Network Optimization & Troubleshooting Handbook, part 3 (PDF)


106 Chapter 3 • Exploring the Sniffer Pro Interface

Introduction

The Sniffer Pro interface can be perceived as either a joy or a nightmare to use. The interface seems simplistic at first glance, but as we drill down into it, you will see that it is much more complex than you might think. There is a great deal of material to look at; the various options contain incredibly helpful and important tools. Within this chapter, we look at all the troubleshooting tools, options, menus, dialog boxes, and toolbars Sniffer Pro offers.

As we explore the Sniffer Pro interface, keep in mind that there could be slight redundancy in what you see. For instance, the File menu might have some of the same options as the toolbar. One is viewable with graphics and the other is a simple menu, but both will get you the result you need.

In learning how to use this interface, the focus is not only for you to master the navigation of the product, but to achieve two other goals as well. Knowing the interface is a large part of becoming a Sniffer Certified Professional (SCP), and knowing the interface and learning it well only make the following chapters easier to work through as we delve more deeply into Sniffer Pro and begin to use filters and capture data.

Exploring the Dashboard

Not too long ago, network analyzers operated using text-based interfaces. In contrast, Sniffer Pro is a graphical user interface (GUI) network analyzer that includes a DHTML-based Dashboard. When you start Sniffer Pro LAN for the first time, the Dashboard should appear on the screen. If you close the Dashboard window, you can start it again by selecting Monitor | Dashboard or by clicking the Dashboard icon in the Sniffer Pro toolbar.
Real-Time Statistics

The Sniffer Pro Dashboard consists of the following elements, all of which can be used to provide real-time information:

■ Gauges that display utilization and error statistics
■ A Detail tab that displays a tabular view with detailed statistics on network utilization, size distribution, and errors
■ Topology-specific tabs that display tabular views with detailed statistics
■ Customizable graphs that show network utilization, errors, and size distribution

www.syngress.com 219_sniffer_03.qxd 6/28/02 11:49 AM Page 106

To reset Dashboard values, click the Reset button located toward the top of the Dashboard window.

Utilization and Errors

The Gauge tab of the Dashboard window contains three dials (see Figure 3.1). From left to right, these dials show:

■ Utilization Percentage
■ Packets per second
■ Errors per second

The Utilization % dial indicates the percentage of bandwidth being used on the wire, measured as the amount of traffic on the wire divided by the maximum possible bandwidth the interface can handle. On the Sniffer Pro screen, notice that a portion of the dial is red. This red area of the dial indicates that an alarm threshold has been reached. Below the dial are two numbers, separated by a dash. The first number represents the current utilization percentage. The number after the dash is the peak utilization percentage.

Monitoring network utilization is an important component of network analysis. However, network traffic is often bursty in nature, and a burst of traffic for a short period of a few seconds is not as important as traffic that remains active for a long period of time. So what is a good network utilization number? This ideal varies from network to network and depends very much on your topology.
Forty percent utilization on a hubbed Ethernet port might be considered high, whereas 80 percent might be considered high on a full-duplex switched port. This is because as network utilization increases on a hub, the number of collisions increases with it. A high number of collisions on the network can cause degradation in performance.

Figure 3.1 The Gauge Tab of the Sniffer Pro Dashboard

The Packets/s dial indicates the current packets-per-second rate. Once again, the red area of the dial indicates that an alarm threshold has been reached. Similar to the utilization dial, the current packets-per-second rate and the peak packets-per-second rate are displayed below the dial. Packets per second can help derive valuable information about the type of traffic on your network. For example, if the network utilization is high and the packets-per-second value is relatively low, this is an indication of larger frame sizes on the network. If network utilization is high and the packets-per-second value is also high, this indicates the presence of smaller frame sizes. You can obtain detailed information on frame sizes by looking at size distribution statistics.

NOTE
Packets per second is an important statistic. Take the case of a client machine and a server machine, each sitting in a different VLAN. All traffic between them flows through a router. If the server is generating more packets per second than the router can handle, packets will be dropped. You should check for high CPU utilization and buffer misses on the router to see if packets are being dropped.

The Errors/s dial is similar to the other two dials. The red zone indicates an alarm threshold has been reached. The values below the dial show the current and peak error rates. Not all errors indicate a problem on the network.
Collisions, for example, are a normal part of Ethernet operation. However, too many of them can indicate a problem.

When monitoring an Ethernet network, you can get detailed statistics about utilization, packets per second, and errors by clicking the Detail tab. Doing so will display a tabular view with detailed statistics (see Figure 3.2).

Figure 3.2 The Detail Tab of the Sniffer Pro Dashboard

The Network section of the Detail tab includes the following:

■ Packets The total number of packets on the wire.
■ Drops The number of packets Sniffer Pro dropped (possibly because the system could not keep up with the packet rate).
■ Broadcasts The number of broadcast frames seen by Sniffer Pro. Remember that all computers in a subnet or VLAN must process all broadcast packets. Excessive broadcasts can degrade the performance of all systems on the network.
■ Multicasts The number of multicast frames seen by Sniffer Pro. Although multicast frames affect a smaller group of devices on the network than do broadcasts, large quantities of multicast traffic can also cause throughput issues.
■ Bytes The total number of bytes seen by Sniffer Pro. Multiply this number by 8 to get the number of bits.
■ Utilization The current percentage utilization rate.
■ Errors The total number of errors.
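The arithmetic behind the three Gauge-tab dials and the Detail tab counters can be reproduced from per-second packet, byte and error counts. The following Python is an added example, not code from the handbook or from Sniffer Pro: it computes Utilization % as bits on the wire over the link's capacity (the link speed, the "busy" cut-off of 50 percent and the "many packets" cut-off of 5000 packets/s are assumed values), tracks the current and peak value shown under each dial, applies the chapter's frame-size rule of thumb (busy link with few packets/s means large frames; busy link with many packets/s means small frames), and distinguishes a short burst from sustained load. The samples are constructed.

```python
"""Gauge-tab arithmetic for the Sniffer Pro Dashboard, as an added example.

Not code from the handbook or from Sniffer Pro; it reproduces the calculations
the chapter describes on constructed per-second samples.
"""
from dataclasses import dataclass


@dataclass
class Sample:
    """One second of traffic, counted as the Detail tab would (constructed)."""
    packets: int
    bytes: int
    errors: int


@dataclass
class Gauges:
    """Current and peak values for the Utilization %, Packets/s and Errors/s dials."""
    link_bps: int                      # interface capacity in bits per second (assumed)
    utilization_pct: float = 0.0
    peak_utilization_pct: float = 0.0
    packets_per_sec: int = 0
    peak_packets_per_sec: int = 0
    errors_per_sec: int = 0
    peak_errors_per_sec: int = 0

    def update(self, s: Sample) -> None:
        # Bytes * 8 gives bits (as the Detail tab's Bytes counter notes);
        # utilization is bits on the wire divided by the link's maximum.
        self.utilization_pct = 100.0 * (s.bytes * 8) / self.link_bps
        self.packets_per_sec = s.packets
        self.errors_per_sec = s.errors
        self.peak_utilization_pct = max(self.peak_utilization_pct, self.utilization_pct)
        self.peak_packets_per_sec = max(self.peak_packets_per_sec, s.packets)
        self.peak_errors_per_sec = max(self.peak_errors_per_sec, s.errors)

    def dial_text(self) -> str:
        """The 'current - peak' pair printed under each dial."""
        return (f"Utilization {self.utilization_pct:.1f}% - {self.peak_utilization_pct:.1f}%  "
                f"Packets/s {self.packets_per_sec} - {self.peak_packets_per_sec}  "
                f"Errors/s {self.errors_per_sec} - {self.peak_errors_per_sec}")


def average_frame_size(s: Sample) -> float:
    """Bytes per packet for one second; the quantity the rule of thumb infers."""
    return s.bytes / s.packets if s.packets else 0.0


def frame_size_hint(utilization_pct: float, packets: int,
                    busy_pct: float = 50.0, many_pps: int = 5000) -> str:
    """Chapter's rule of thumb: a busy link carrying few packets/s means large
    frames; a busy link carrying many packets/s means small frames.
    The two cut-offs are assumed values, not Sniffer Pro settings."""
    if utilization_pct < busy_pct:
        return "link not busy"
    return "large frames" if packets < many_pps else "small frames"


def sustained_above(samples, link_bps: int, pct: float, seconds: int) -> bool:
    """True when utilization stays above `pct` for `seconds` consecutive samples;
    a shorter burst does not count, as the text advises."""
    run = 0
    for s in samples:
        run = run + 1 if 100.0 * (s.bytes * 8) / link_bps > pct else 0
        if run >= seconds:
            return True
    return False


def run_dashboard(samples, link_bps: int):
    """Feed samples through the gauges; return the final gauges and per-second hints."""
    g = Gauges(link_bps=link_bps)
    hints = []
    for s in samples:
        g.update(s)
        hints.append(frame_size_hint(g.utilization_pct, s.packets))
    return g, hints


# Constructed samples on an assumed 10 Mbps link: a file transfer, a burst of
# small frames, another transfer second, then an idle second.
SAMPLES = [
    Sample(packets=1000, bytes=700_000, errors=0),
    Sample(packets=10_000, bytes=800_000, errors=3),
    Sample(packets=600, bytes=900_000, errors=0),
    Sample(packets=50, bytes=5_000, errors=0),
]

if __name__ == "__main__":
    gauges, hints = run_dashboard(SAMPLES, link_bps=10_000_000)
    print(gauges.dial_text())
    print(hints, "sustained >50% for 3 s:", sustained_above(SAMPLES, 10_000_000, 50.0, 3))
```

Run as a script it prints the dial text for the last second (0.4 percent current against a 72 percent peak), the four hints, and whether the link stayed above 50 percent for three consecutive seconds. The peak values never decrease, which is why a one-second burst is still visible after the dial has dropped back; `sustained_above` is the check to pair with it.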
The Size Distribution section provides a breakdown of the various packet sizes (including the 4-byte CRC) seen on the network:

■ Total number of packets 64 bytes in size
■ Total number of packets from 65 to 127 bytes in size
■ Total number of packets from 128 to 255 bytes in size
■ Total number of packets from 256 to 511 bytes in size
■ Total number of packets from 512 to 1023 bytes in size
■ Total number of packets from 1024 to 1518 bytes in size

Smaller packets require more processing than larger packets for the same amount of data. They also use extra bandwidth because they contain additional overhead (headers and trailers). For example, assume that a host needs to transfer 8192 bytes of data. Using 1518-byte Ethernet II packets (18 bytes are used for the header and trailer, leaving 1500 bytes for the data portion), it would take six frames to transfer this data. Using 64-byte packets (46 bytes of data in each), the same data would take 179 frames! This adds 3114 bytes of overhead, compared to using full-sized Ethernet packets (18 bytes x [179 – 6] = 3114 bytes). In addition, the routers, switches, and other devices on the network must process each packet, increasing their CPU utilization.

NOTE
Size distribution statistics can be used to solve many problems. For example, consider the Novell Large Internet Packets (LIPs) problem, which is very common. Before LIPs, if there was a router between a NetWare server and a client, the packet size was automatically set to 576 bytes. Now with LIPs support, newer NetWare clients and servers negotiate packet size when a client attaches to a server. This way, the packet size depends on the maximum physical packet size common to both the client and the server. Novell defaults to 802.2 on the network, but many network administrators have 802.3 configured on the NetWare servers.
If that is the case, LIPs does not work. In addition, the client needs to be configured to use LIPs. In older clients, this is accomplished using the net.cfg file or right in the Novell client settings within the network properties. If the clients and servers do not use LIPs, you end up doubling the network traffic from client to server. This is a common misconception when configuring LIPs against the wrong frame type.

The Detailed Errors section provides a breakdown of the errors that are shown on the errors-per-second dial. These errors include CRCs, runts, oversizes, fragments, jabbers, alignment errors, and collisions. (For definitions of these errors, refer to Chapter 1, "Introduction to Sniffer Pro.") A runt packet is an undersized packet (less than 64K) with a valid CRC. A fragment is an undersized packet (less than 64K) with an invalid CRC.

NOTE
Remember that Sniffer Pro might not pick up a number of these errors unless you are using NAI enhanced drivers.

If you are monitoring the network using a Token Ring interface, instead of seeing the Detail tab, you will have the option of selecting the LLC and MAC tabs (see Figures 3.3 and 3.4). We cover these tools in detail in Chapter 5, "Using Sniffer Pro to Monitor the Performance of a Network."

Figure 3.3 The LLC Tab of the Sniffer Pro Dashboard
Figure 3.4 The MAC Tab of the Sniffer Pro Dashboard

Baselining a Network

Baselining is the process of measuring and recording a network's state of operation over a period of time. The goal is to document the current state of operation of the network as a basis for later comparison. Determining a network's normal behavior helps detect and troubleshoot problems when they crop up. "Normal" behavior can vary based on a variety of factors.
For example, traffic to the mail server might increase every morning as employees come to work and check their e-mail. Network activity might decrease around lunchtime, when hardly anybody is using the network. Understanding these trends and monitoring them is a fundamental part of network analysis. In the long term, as new applications are introduced into your network and old ones are phased out, network usage patterns will change. To keep up with these trends, you should perform baselining on a regular basis.

Configuring & Implementing…

The Sniffer Pro Dashboard is an excellent utility to perform an initial baseline of a network. The dials can immediately give you a quick overview of network characteristics and behaviors. The configurable graphs can be used to view long-term and short-term trends. You might also find that the "normal" activity on your network is actually above certain default threshold settings in the Dashboard. You can modify these thresholds and customize them for your network.

Setting Thresholds

Thresholds can be set for many of the network statistics reported by Sniffer Pro. If a threshold is exceeded, an entry is created in the Alarm Log. On the Dashboard, the ranges of values exceeding the configured thresholds are marked on the dials in red. Sniffer Pro comes preconfigured with default threshold values that are common to the average network size. To display or modify these values, click the Set Thresholds button located at the top of the Dashboard. You can also select the MAC Threshold tab under Tools | Options. Figure 3.5 shows Ethernet thresholds; Figure 3.6 shows Token Ring thresholds.

NOTE
Most functions within Sniffer Pro can be accessed in multiple ways (for example, via drop-down menus and toolbar icons). All the Monitor applications are accessible under the Monitor menu as well as the toolbar.
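The frame-count and overhead arithmetic from the Size Distribution section earlier in the chapter (8192 bytes of data in 1518-byte versus 64-byte Ethernet II frames: 6 frames against 179, and 18 x [179 – 6] = 3114 extra bytes) generalizes to any payload and frame size. The Python below is an added example, not code from the handbook or from Sniffer Pro: it carries that derivation through for arbitrary inputs and also sorts frame lengths into the six size-distribution buckets the Detail tab reports (CRC included, as the text notes). The 18-byte header-plus-trailer figure is the one the chapter uses; the list of frame lengths at the bottom is constructed.

```python
"""Frame-count and overhead arithmetic from the Size Distribution section.

Added example, not code from the handbook or from Sniffer Pro.
"""
import math
from collections import Counter

FRAME_OVERHEAD = 18          # header + trailer (CRC) bytes per Ethernet II frame, per the text
MAX_FRAME = 1518             # largest standard Ethernet frame, CRC included
MIN_FRAME = 64               # smallest valid frame; shorter ones are runts or fragments

# The Detail tab's size-distribution buckets (inclusive ranges, CRC included).
BUCKETS = ((64, 64), (65, 127), (128, 255), (256, 511), (512, 1023), (1024, 1518))


def frames_needed(data_bytes: int, frame_size: int, overhead: int = FRAME_OVERHEAD) -> int:
    """Frames required to carry data_bytes when each frame holds frame_size - overhead."""
    payload = frame_size - overhead
    if payload <= 0:
        raise ValueError("frame too small to carry any data")
    return math.ceil(data_bytes / payload)


def overhead_bytes(data_bytes: int, frame_size: int, overhead: int = FRAME_OVERHEAD) -> int:
    """Total header/trailer bytes spent moving data_bytes at this frame size."""
    return frames_needed(data_bytes, frame_size, overhead) * overhead


def extra_overhead(data_bytes: int, small: int, large: int = MAX_FRAME) -> int:
    """Extra bytes paid for using `small` frames instead of `large` ones;
    the chapter's 18 x [179 - 6] = 3114 for 8192 bytes at 64 versus 1518."""
    return overhead_bytes(data_bytes, small) - overhead_bytes(data_bytes, large)


def efficiency(frame_size: int, overhead: int = FRAME_OVERHEAD) -> float:
    """Fraction of a full frame that is data (1500/1518 for a full-size frame)."""
    return (frame_size - overhead) / frame_size


def size_bucket(frame_len: int) -> str:
    """Name of the size-distribution bucket a frame length falls into."""
    for lo, hi in BUCKETS:
        if lo <= frame_len <= hi:
            return str(lo) if lo == hi else f"{lo}-{hi}"
    return "undersized" if frame_len < MIN_FRAME else "oversized"


def size_distribution(frame_lengths) -> dict:
    """Count frames per bucket, in the order the Detail tab lists them,
    with out-of-range lengths counted separately."""
    counts = Counter(size_bucket(n) for n in frame_lengths)
    order = [size_bucket(lo) for lo, _ in BUCKETS] + ["undersized", "oversized"]
    return {name: counts.get(name, 0) for name in order}


if __name__ == "__main__":
    print(frames_needed(8192, 1518), frames_needed(8192, 64), extra_overhead(8192, 64))
    # Constructed frame lengths as a capture might show them.
    print(size_distribution([64, 64, 90, 128, 300, 600, 1518, 1518, 1514, 60, 1600]))
```

`frames_needed` rounds up because the last frame is sent even when only partly filled, which is why 8192 bytes need 6 full-size frames rather than 5.46. The undersized and oversized counts are what the Detailed Errors section reports as runts/fragments and oversizes/jabbers rather than as size-distribution entries.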
Figure 3.5 Ethernet Thresholds

The Thresholds window displays a list of parameters that can create an entry in the Alarm Log. The exact list of parameters depends on the media adapter (Ethernet, Token Ring, and so on). If you have modified a parameter but would like to set it back to the default value, first select the parameter, then click the Reset button. To reset all the parameters to their default values, click the Reset All button.

Setting a temporary threshold value while troubleshooting a problem can be helpful. If you are monitoring traffic from a router, and you know that it should not multicast more than two frames per second, you can set the threshold value for Multicasts/s to 2. While Sniffer Pro is monitoring the traffic, if this value is exceeded, an entry will be logged in the Alarm Log. When you're done, do not forget to set the threshold back to its regular value!

Figure 3.6 Token Ring Thresholds

Configurable Dashboard Graphs

The Dashboard provides configurable graphs based on the type of network adapter (Ethernet, Token Ring, or the like) selected. In the case of Ethernet, three groups of statistics are available:

■ Network Shows Packets/s, Utilization/s, Errors/s, Drops/s, Bytes/s, Broadcasts/s, and Multicasts/s.
■ Detail Errors Shows Runts/s, Oversizes/s, Fragments/s, Jabbers/s, CRCs/s, Alignments/s, and Collisions/s.
■ Size Distribution Shows 64-byte packets/s, 65–127-byte packets/s, 128–255-byte packets/s, 256–511-byte packets/s, 512–1023-byte packets/s, and 1024–1518-byte packets/s.

These graphs show statistics over a period of time. To view one of these graphs, click the check box corresponding to the group of statistics you want to see. The graph will appear at the bottom of the Dashboard. The graph includes a vertical "current" line.
Clicking the scroll buttons (left and right arrows) moves the graph's current line. The statistics shown at the right of the graph reflect the values at the position of the current line. As you move the current line, you can see the exact date and time to the right of the scroll buttons. You can modify the graph's time scale by clicking the Long Term or Short Term buttons located at the top. The Long Term button sets the time range of the graph to 24 hours, and the Short Term button sets it to 25 minutes. Each possible statistic that can be graphed is listed on the right. You can check the boxes next to the statistics you would like to see in the graph, and uncheck the ones you do not want to see.

Understanding Menus

An excellent method of learning all the different functions that Sniffer Pro has to offer is to go through all the menu options. Eight drop-down menus are available in Sniffer Pro:

■ File
■ Monitor
■ Capture
■ Display
■ Tools
■ Database
■ Window
■ Help

Each of these menus and the options available under them are discussed in detail below.

The File Menu

The File menu provides various options for opening, closing, and saving capture files:

■ Open Opens a previously saved capture file from disk.
■ Close Closes the active capture file.
■ Save Saves a capture file to disk.
■ Save As Saves a capture file to disk with a different name or file format.

If more than one NIC is installed on the Sniffer Pro system, you can create an agent for each one and select the agent that Sniffer Pro will use for monitoring and capturing. An agent keeps the configuration, addresses, and profiles associated with an adapter. To select an agent or create a new one, select File | Select Settings. Agents are discussed in detail in Chapter 2, "Installing Sniffer Pro."

The Log Off option in the menu closes all windows and disconnects you from the agent.
It essentially shuts off Sniffer Pro without closing the actual application. The Sniffer Pro title bar displays "Log Off mode." To log back on, select the Log On option.

The Reset All option resets all the applications in Sniffer Pro. In the case of the monitor applications, this option purges all their data and starts over.

The Loopback Mode option can be used to simulate a capture from a trace file. When you enable loopback mode by selecting this option, a check is placed next to this menu item. The title bar also displays Loopback mode. Loopback mode is discussed in greater detail in the "Packet Generator and Loopback Mode" section later in this chapter.

Three menu options related to printing are available in the File menu: Print, Print Setup, and Abort Print. The functions of these menu options are self-explanatory.

Sniffer Pro supports Visual Basic scripts for automation and extension of its functions. Sample scripts (the *.BAS extension) can be found under the Sniffer Pro program directory. To run a script, select the Run Script option.

To exit Sniffer Pro, select the Exit option from the File menu.

The Monitor Menu

Sniffer Pro provides monitor applications that run in promiscuous mode to gather statistical information from the network and calculate and display these statistics in real time. The monitor applications do not require data capture. The following monitor applications can be started from the Monitor menu:

■ Dashboard Provides real-time, high-level statistics on network utilization, packets per second, and error rates.
■ Host Table Collects a list of all nodes on the network and provides statistics per node.

[...]

[...] data stored in hexadecimal format

Table 3.1 Sniffer Pro Capture File Extensions

Extension   Description
CAP         Sniffer Pro trace file
ENC         Sniffer Ethernet trace file
FDC         Sniffer FDDI trace file
SYC         Sniffer WAN trace file
TRC         Sniffer Token Ring trace file

Sniffer Pro for Windows introduced a new file format [...]

[...] equivalent to a DoS attack. If you put Sniffer Pro into loopback mode (File | Loopback Mode) before starting Packet Generator, the traffic will be transmitted only locally on the Sniffer Pro system and will not be placed on the network.

NOTE
Putting Sniffer Pro in loopback mode lets you generate [...]

[...] can cause poor network performance. BERT is a procedure used to measure the BER for a given transmission. Sniffer Pro provides the ability to act as a BERT device and can measure the BER value on an RS/V, T1, or E1 line.

Reporter

Sniffer Reporter is an add-on application from Network Associates [...]

[...] specified (the default is 300 milliseconds). When you click OK, the Trace Route process starts and displays the Layer 3 path and delays between the Sniffer Pro system and the destination host. After the process completes, Trace Route performs a DNS lookup and displays the results in the Trace [...]

[...] the Sniffer Pro Expert

The Database Menu

Sniffer Pro automatically saves all the real-time statistics created by the monitor applications into comma-separated value files. These database files are updated every 60 minutes by default and are saved in a subdirectory under the Sniffer Pro program [...]

Toolbars

Sniffer Pro's user interface is based heavily on toolbars. Many of the functions in the software can be accessed only using toolbar icons.

NOTE
The Sniffer Certified Professional (SCP) exam covers the Sniffer Pro user interface, including the toolbars, in great detail.

Figure 3.16 [...]

[...] the Display Protocols tab (see Figure 3.7). To add custom protocols to ART, select Options from the Tools menu and define your own protocols. ART supports only protocols running over TCP and UDP. It does not offer support for IPX protocols.

Figure 3.7 Application Response Time Options

History samples [...]

[...] clicking the Stop and Display icon.

Defining a Wizard

Creating capture and display filters is one of the most difficult aspects of learning Sniffer Pro, but once it's mastered, this skill can save a network analyst a great deal of time. With 100Mbps and Gigabit networks common today, you will find [...]

[...] address, or user's name. This tool provides information on networks and domains, the registrant, contact information, and domain servers. Detailed information on the "whois?" protocol can be found in RFC 954. The "whois?" protocol contacts a "whois?" server over TCP port 43 to retrieve information. To [...]

[...] it to the foreground.

Help

Sniffer Pro provides a very complete and robust online help system. To learn more about any of the features that Sniffer Pro has to offer, you can go to Help Topics under the Help menu and use the search capabilities to find what you are looking for. To determine the version of Sniffer Pro you are running, select Help | About Sniffer.

NOTE
Sniffer Pro provides context-sensitive [...]

[...] alarms, select Remove All.

Figure 3.13 Alarm Log

Sniffer Pro can be configured to notify [...]
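The threshold behaviour described in the Setting Thresholds section (a threshold table with per-parameter Reset and Reset All, an Alarm Log entry whenever a value exceeds its threshold, and the red zone on each dial starting at the configured threshold) is straightforward to model. The Python below is an added example, not code from the handbook or from Sniffer Pro, and it walks through the chapter's troubleshooting scenario: a temporary Multicasts/s threshold of 2 for a router that should not multicast more than two frames per second, followed by putting the threshold back. The default threshold values are constructed placeholders, since Sniffer Pro's real defaults are not given on this page, and the per-second router statistics are constructed too; the Remove All method mirrors the Alarm Log option of the same name.

```python
"""Threshold checking and an Alarm Log, modelled on the Setting Thresholds section.

Added example, not code from the handbook or from Sniffer Pro.
"""
from dataclasses import dataclass

# Constructed per-second defaults; not Sniffer Pro's actual values.
DEFAULT_THRESHOLDS = {
    "Utilization %": 40,
    "Packets/s": 8000,
    "Errors/s": 10,
    "Broadcasts/s": 100,
    "Multicasts/s": 50,
}


@dataclass
class AlarmEntry:
    second: int        # time of the sample (seconds since monitoring began)
    parameter: str
    value: float
    threshold: float


class ThresholdMonitor:
    """Holds the threshold table and the Alarm Log it feeds."""

    def __init__(self, thresholds=None):
        self.thresholds = dict(thresholds if thresholds is not None else DEFAULT_THRESHOLDS)
        self.alarm_log: list = []

    def set_threshold(self, name: str, value: float) -> None:
        if name not in self.thresholds:
            raise KeyError(f"unknown parameter {name!r}")
        self.thresholds[name] = value

    def reset(self, name: str) -> None:
        """The Reset button: one parameter back to its default."""
        self.thresholds[name] = DEFAULT_THRESHOLDS[name]

    def reset_all(self) -> None:
        """The Reset All button: every parameter back to its default."""
        self.thresholds = dict(DEFAULT_THRESHOLDS)

    def red_zone_start(self, name: str) -> float:
        """Where the dial's red area begins: the configured threshold."""
        return self.thresholds[name]

    def check(self, second: int, stats: dict) -> list:
        """Compare one second of statistics against the thresholds; every
        exceeded threshold (strictly greater) becomes an Alarm Log entry."""
        new = []
        for name, value in stats.items():
            limit = self.thresholds.get(name)
            if limit is not None and value > limit:
                entry = AlarmEntry(second, name, value, limit)
                self.alarm_log.append(entry)
                new.append(entry)
        return new

    def remove_all(self) -> None:
        """The Alarm Log's Remove All option."""
        self.alarm_log.clear()


# Constructed per-second statistics for the router's traffic.
ROUTER_SAMPLES = [
    {"Multicasts/s": 1, "Broadcasts/s": 4, "Errors/s": 0},
    {"Multicasts/s": 2, "Broadcasts/s": 3, "Errors/s": 0},
    {"Multicasts/s": 5, "Broadcasts/s": 3, "Errors/s": 0},
    {"Multicasts/s": 1, "Broadcasts/s": 120, "Errors/s": 0},
]


def troubleshoot_router_multicasts(monitor: ThresholdMonitor) -> list:
    """Set the temporary threshold, run the samples, then put it back."""
    monitor.set_threshold("Multicasts/s", 2)
    for second, stats in enumerate(ROUTER_SAMPLES, start=1):
        monitor.check(second, stats)
    monitor.reset("Multicasts/s")           # do not forget this step
    return list(monitor.alarm_log)


if __name__ == "__main__":
    m = ThresholdMonitor()
    for e in troubleshoot_router_multicasts(m):
        print(f"t={e.second}s {e.parameter} = {e.value} exceeds threshold {e.threshold}")
    print("Multicasts/s threshold after reset:", m.thresholds["Multicasts/s"])
```

Two entries result: the third second, where 5 multicasts/s exceeds the temporary threshold of 2 (2 in the second sample does not, because a value equal to the threshold is not "exceeded"), and the fourth second, where broadcasts exceed the constructed default of 100. After the call the Multicasts/s threshold is back at its default, which is the step the chapter warns not to skip.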

Posted on: 13/08/2014, 12:21