Document information
Pages: 68
Size: 402.89 KB
Contents
242 Chapter 5 • Using Sniffer Pro to Monitor the Performance of a Network
www.syngress.com
219_sniffer_05.qxd 6/28/02 11:53 AM Page 242

Totals and Averages

Before we look at each underlying section of the Dashboard, we need to quickly point out the radio button choices shown in Figure 5.5. These buttons can be found toward the top-right side of the Dashboard, in the Detail tab. Selecting either radio button changes the Dashboard gauges to show either a whole amount (the total) or an average rate per second. Generally, it is easier to leave this setting on Show Total unless you are specifically looking for the average per-second rate of a selectable or chartable item.

Figure 5.5 The Detail Tab Rate Selector

Designing & Planning…

Limitations of the Dashboard

Although you might start to feel that the Dashboard is the all-powerful master of analyzing, baselining, and performance monitoring on your network, it does have some limitations. First, it is limited to the segment on which you are analyzing performance. This is very important to remember because you might need to monitor the performance of the entire enterprise network, not just the segment to which Sniffer Pro is attached. Remember the old adage, “When your only tool is a hammer, everything becomes a nail”? You can apply that truism to networking scenarios as well. When your only analysis tool is Sniffer Pro, you want to analyze everything with it. Unfortunately, you can’t. Although we highly recommend and praise the Sniffer Pro tool, we also know that you can’t use it to solve every problem you encounter. There is many a “unique nail” in the networked world these days, so you need an array of hammers from which to choose. To do serious enterprise-level performance monitoring, you need a combined effort of people using many different tools. One great tool is Concord Network Health, a package that scales higher than the Sniffer Pro tool, but the price scales as well. You can find information about this package online.

We are not debating which product is better or costs more—simply understand that performance monitoring with any tool has its limitations. Be aware of these limitations, visit the vendor’s Web site, and read the specification sheets of any product you are looking to purchase. The last point to remember about Sniffer Pro’s Dashboard limitations is that it is obviously LAN based and will analyze only up to the router ports on your local segment. You can, of course, use add-on cards, agents, and other products to analyze your WAN links, if necessary.

The Network Graph

The Network graph on the Dashboard is responsible for providing you, the analyst, with a view of all activity based on per-second statistics. A quick look at Figure 5.6 shows you that the network utilization is measured from about 0 to 100K, and this measurement is over time within specified intervals. You can change the intervals by selecting short-term or long-term statistics. As you can see here, the time interval is on a one-day basis (the date is listed right above the network graph), and it is based on the time of your PC clock, so make sure that the clock is set correctly. It is also based on military time. You can click anywhere on the graph to move the timeline back or forward to see at what time and date the high or low points on the graph occurred. In other words, if you click a very large peak in utilization, the data immediately above the chart pinpoints this time and date for you. Now that you can read the graph, let’s look at how to configure it to show what you want. First, by default, you will see only the “Utilization” check box selected.
You can also visit the NAI Web site at www.sniffer.com to see some of the other Sniffer-related products, such as the WANbook, that are primarily focused on the WAN end of your network.

Figure 5.6 The Network Dashboard Graph

NOTE
Military time works on a 24-hour clock, so after 12:00 in the afternoon, 1:00 P.M. becomes 13:00 (read “13 hundred hours”), and 2 P.M. becomes 14:00, all the way to midnight, which is 00:00, not 24:00. Military time is used because it can be read more accurately and does not need an A.M. or P.M. column attached to it. Each timestamp is unique.

When you’re using the Network graph, it is important to note that you are monitoring in real time, seeing how many packets, errors, drops, bytes, broadcasts, and multicasts, or the overall utilization, occur per second throughout the specified time interval, as shown in Figure 5.7. It is that easy. This information can be used for baselining purposes and historical trending, topics that warrant their own section within this chapter. You could see, for example, that every day at about 15:00 the packets on the segment increase by about 10K.

Now that you have a basic idea of how to view the graph and what you should expect to see, look at what each selectable counter actually monitors. Using the view shown in Figure 5.7, note that you are reading a book that is in grayscale and that the graph uses different colors. Be aware that the colors are important when you select multiple monitorable items at the same time and need to differentiate between them in the graph; the only way to do so is by color-coding them. You can review what each counter does in the Network Event Selection box by reviewing Table 5.1.

Figure 5.7 The Network Event Selection Box

Table 5.1 Network Event Selection Details

Detail         Description
Packets/s      The total number of packets per second seen, as recorded by Sniffer Pro.
Utilization    The network utilization that is currently recorded by Sniffer Pro. This setting is on by default and is one of the most commonly used counters. You can look at the visual graph and map the time of day during which utilization is the highest. If you do this every day, you can start a baseline for your network.
Errors/s       The number of overall errors per second, as recorded by Sniffer Pro. In the next graph, you can start fleshing out which errors are occurring and at what time and frequency.
Drops/s        The number of drops that occur per second, as recorded by Sniffer Pro. By baselining, you can see the time of day at which drops are most common.
Bytes/s        The number of overall bytes of data seen and recorded by Sniffer Pro. Bytes are different from packets; bytes have a predefined length, whereas packets come in different sizes.
Broadcasts/s   The number of broadcast packets per second, as recorded by Sniffer Pro. Broadcasts are packets sent from a host to all other hosts on the segment.
Multicasts/s   The number of multicast packets per second, as recorded by Sniffer Pro. Multicasts are packets sent from a host to a specific and intentional group of hosts.

A nice feature of these graphs is that you can use them in tandem with each other. You don’t need to look only at how many drops you have at 13:00; you could see your utilization, packets, and broadcasts all start to climb at that time together. Another point to mention is that when monitoring performance, you need to start looking at acceptable limits. If you notice that your network is inundated with multicasts at 9:00 every day, you might have an issue you need to tend to by analyzing which applications in use send out multicast packets.
Broadcasts are one of the most common problems on networks today. A unicast (one machine communicating with another) would interfere with only that one machine. An interrupt would occur on the destination PC, which would process the packet, and that would be the end of it. In a broadcast storm, all hosts on the network must interrupt and process the packet and, in most cases, discard a packet that was not intentionally meant for them. This situation causes latency issues and can be easily solved either by installing a router to separate the network into broadcast domains or by removing the source of the broadcasts. Again, you would only do this if it were causing a problem on the network, because broadcasting can also be a necessary evil. One example is capturing the 0.FFFFFFFFFFFF destination address for Novell’s SAPs or the Microsoft Browser service. You might find that your Novell clients are set to autodetect a frame type, so they broadcast to the servers to negotiate the frame type. This is a big deal if you have too many misconfigured services on the network, because the broadcast traffic could actually become overwhelming.

Multicast problems are also common because they are unknown to the network administrators and engineers until picked up on a protocol analyzer. This is because many applications are configured to multicast and you might not even be aware of it. For example, on a Novell NetWare network, if you’re using the TCP/IP-based Service Location Protocol (SLP), you will find that all your NetWare clients multicast to address 224.0.1.22, which could make for a lot of unnecessary multicasting.

Configuring & Implementing…

Quick Tips for Optimizing Your Network for Better Performance

The following six situations show you how to cut broadcast traffic on any network:

1. On a hub-based network, your network nodes will see much more traffic than if you have a switched or bridged network. Consider implementing a single switch between the hubs, or if you can afford it, upgrade to all switches.
2. On a Microsoft network, the Master Browser service and NetBIOS are “hell creators.” Make sure you place WINS servers correctly, cut down all the NetBIOS traffic you don’t need by removing it from network settings and devices, plan and properly position the Master and Backup Browsers, and then remove the option to have any other workstation on the network participate in the browser elections. You can find details on all these steps on Microsoft’s TechNet site.
3. On a Novell network, three major culprits kill network bandwidth: network clients configured to autodetect the frame type with the server, clients configured with IPX/SPX and SAP instead of TCP/IP, and NetWare servers configured to use RIP instead of a default route.
4. If you have RIP (or IPX RIP) and/or SAP bound to any interfaces on your network where they are unnecessary, your network will suffer unwanted broadcasts.
5. Routers can be used to reduce broadcasts. By default, a router will not pass a routed broadcast unless you configure it to do so.
6. Unbind protocol stacks from any device that is not using them. Doing so will speed up the machine because it will not have to go through a binding order, and unneeded protocols will not broadcast on the LAN.

These tips will eliminate some of your network traffic. There are many other ways to decrease traffic, but through these common methods, you could conceivably cut 25 percent to 50 percent or more of your network traffic. You should also be aware that anything above 20 percent of overall traffic made up of broadcasts or multicasts should be flagged as a problem by you, the Sniffer Certified Professional.

The Detail Errors Graph

The Detail Errors graph on the Dashboard (see Figure 5.8) provides a real-time view of all activity based on errors or problems your network might be experiencing. A quick look at Figure 5.8 shows that all the graphs are identical in appearance and that they all follow the same time frame as indicated by your PC clock. Notice, however, that the Detail Errors graph follows a different scale from the other graphs; the scale climbs by twos.

Figure 5.8 The Detail Errors Dashboard Graph

You can use this graph to view errors on the network segment to which Sniffer Pro is attached: runts, oversizes, fragments, jabbers, CRCs, alignment errors, and collisions per second. You can use the selection portion of the graph (see Figure 5.9) to select the errors to view in real time. This is a very helpful feature, for obvious reasons. If you see high utilization and broadcasts when you view the Network graph at 9:30, and in the Detail Errors graph you view a high level of collisions per second at the same time every day, there is a good chance you have a basic Ethernet problem. We look at this phenomenon in later sections of the chapter, where you will analyze the performance of Ethernet and common problems. For now, learn how to view these graphs and use them together for a common cause: network performance analysis.

When you use this view, it is important to note that you are analyzing errors. Errors can cause a serious degradation of performance on your network. If there are constant collisions, and most nodes need to retransmit data on the network, you are essentially doubling the normal saturation of your network.
Most errors listed within the Detail Errors section that you encounter on your network segments consist of error data that would be discarded by a switch and in some instances would cause more traffic through retransmission. Retransmission of data could be very high, causing your network devices to work twice as hard. This situation would put twice the amount of traffic on the wire at any time. Table 5.2 shows a description of the various errors.

Figure 5.9 The Detail Errors Event Selection Box

Table 5.2 Detail Errors Descriptions

Error          Description
Runts/s        The number of runts per second. A runt is a frame that is too small (less than 64 bytes) but has a valid checksum. Remember that an Ethernet frame must be at least 64 bytes, even if it needs to be padded to bring it to the 64-byte minimum. If it is not at least 64 bytes, it will most likely be dropped.
Oversizes/s    The number of oversized frames per second. An oversized frame is larger than the maximum transfer unit (MTU) for the media. MTU is discussed later in the chapter.
Fragments/s    The number of fragmented frames per second. Fragments are frames that are too small (less than 64 bytes) and have an invalid checksum.
Jabbers/s      The number of jabbers per second. A jabber is a frame that is oversized and has an invalid CRC.
CRCs/s         The number of CRC errors per second. A CRC, or cyclic redundancy check, also known as a checksum, is an error that occurs if the checksums calculated by the source node and Sniffer Pro do not match.
Alignments/s   The number of alignment errors per second. An alignment error occurs when the length of a frame is not a number divisible by 8, so it cannot be resolved into bytes.
Collisions/s   The number of collisions per second. A collision occurs when two or more network nodes try to transmit data at the same time on a shared media network. When a collision occurs, both transmitting stations need to “back off” with an algorithm and retransmit their data. Be aware that captures which, when viewed in hexadecimal, show a pattern of 55s and AAs (D0s and 43s for Fast Ethernet) reflect the collision pattern from the JAM signal being sent.

NOTE
You will see Table 5.2’s contents repeated in many different formats throughout the book in discussions of other topics. It is important for the Sniffer Certified Professional to be very familiar with the types of problems he or she might find and how to accurately diagnose them. By reading the Ethernet performance-monitoring section in the next few pages, you will become more intimate with these problems.

The Size Distribution Graph

The Size Distribution graph on the Dashboard (see Figure 5.10) provides a real-time view of all size-based activity on the network segment to which Sniffer Pro is attached. When connected to the segment, the graph immediately becomes active and provides views of data within a variety of size ranges. This tool is extremely important to performance-conscious analysts for one simple reason: More data on the network means a stronger possibility for saturation, collisions, retransmissions, and other problems that equate to poorer performance. You essentially want to monitor your network for data within a higher range of size, because the greater the frame size, the less overhead you place on your network segments.

NOTE
By dragging the mouse and hovering the cursor over a specific section, you can cause the line within the graph to become bold so that you can see it clearly. This feature is useful when you have multiple counters selected and want to highlight one of them for viewing.
When using the selection box in Figure 5.11, you can select any valid Ethernet frame size. It is important to note that you are most concerned with an overall trend of too many small packets being processed. If you see that the number of runts, fragments, and data in the 64-byte range is very high, performance could be affected. Again, don’t be shy about using all the graphs together; that’s what you want to do to draw a better conclusion about overall network performance and why it might or might not be acceptable. Note too that it is common for frames of all sizes to appear in the graph; this does not indicate a problem. An abundance of small frames inundating the network might cause devices to process more data than necessary, however. Table 5.3 shows the packet sizes seen by the Sniffer Pro analyzer in real time.

Figure 5.10 The Size Distribution Dashboard Graph

Table 5.3 Size Distribution Details

Size           Description
64/s           The amount of data that is 64 bytes in length and seen by Sniffer Pro per second.
65-127/s       The amount of data that is 65–127 bytes in length and seen by Sniffer Pro per second.
128-255/s      The amount of data that is 128–255 bytes in length and seen by Sniffer Pro per second.
256-511/s      The amount of data that is 256–511 bytes in length and seen by Sniffer Pro per second.
512-1023/s     The amount of data that is 512–1023 bytes in length and seen by Sniffer Pro per second.
1024-1518/s    The amount of data that is 1024–1518 bytes in length and seen by Sniffer Pro per second.

For the Sniffer Pro exams, you must remember that when you’re working with Ethernet, the smallest allowable frame size is 64 bytes and the largest allowable size is 1518 bytes. Don’t confuse this with 1500 bytes, which is the maximum data payload within the frame.
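As an added example (not code from the book or from Sniffer Pro), the following Python applies the counter definitions from Tables 5.1, 5.2 and 5.3 and the 20 percent broadcast/multicast rule to a small set of constructed Ethernet frames: it recomputes the trailing FCS with CRC-32 to tell runts from fragments and oversizes from jabbers, sorts destinations into unicast, broadcast and multicast, buckets frame lengths into the Size Distribution ranges, and flags the broadcast-plus-multicast share. The MAC addresses and payload lengths are constructed samples; alignment errors and collisions cannot be seen in a byte-level capture and are left out.

```python
import zlib
from collections import Counter

MIN_FRAME = 64       # smallest legal Ethernet frame, FCS included
MAX_FRAME = 1518     # largest legal frame: 1500-byte payload + 14-byte header + 4-byte FCS
BROADCAST = b"\xff" * 6
SIZE_BUCKETS = [(64, 64), (65, 127), (128, 255), (256, 511), (512, 1023), (1024, 1518)]

def fcs_ok(frame: bytes) -> bool:
    """Recompute CRC-32 over the frame body and compare with the trailing 4-byte FCS."""
    if len(frame) < 5:
        return False
    body, fcs = frame[:-4], frame[-4:]
    return (zlib.crc32(body) & 0xFFFFFFFF) == int.from_bytes(fcs, "little")

def classify_error(frame: bytes) -> str:
    """Table 5.2: runt/fragment below 64 bytes, oversize/jabber above 1518, else plain CRC error."""
    n, ok = len(frame), fcs_ok(frame)
    if n < MIN_FRAME:
        return "runt" if ok else "fragment"
    if n > MAX_FRAME:
        return "oversize" if ok else "jabber"
    return "ok" if ok else "crc"

def classify_cast(frame: bytes) -> str:
    """Table 5.1 destination classes: all-ones is broadcast, I/G bit set is multicast."""
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"

def size_bucket(n: int) -> str:
    """Map a frame length onto the Table 5.3 ranges; illegal sizes fall outside every bucket."""
    for lo, hi in SIZE_BUCKETS:
        if lo <= n <= hi:
            return "64" if lo == hi else f"{lo}-{hi}"
    return "out-of-range"

def build_frame(dst: bytes, src: bytes, payload_len: int, corrupt: bool = False) -> bytes:
    """Constructed sample frame: 14-byte header, zeroed payload, correct (or flipped) FCS."""
    body = dst + src + b"\x08\x00" + bytes(payload_len)
    fcs = (zlib.crc32(body) & 0xFFFFFFFF).to_bytes(4, "little")
    if corrupt:
        fcs = bytes(b ^ 0xFF for b in fcs)
    return body + fcs

def summarize(frames) -> dict:
    """Per-counter totals plus the broadcast+multicast share, flagged above 20 percent."""
    errors, casts, sizes = Counter(), Counter(), Counter()
    for f in frames:
        errors[classify_error(f)] += 1
        casts[classify_cast(f)] += 1
        sizes[size_bucket(len(f))] += 1
    total = len(frames)
    share = (casts["broadcast"] + casts["multicast"]) / total if total else 0.0
    return {"errors": dict(errors), "casts": dict(casts), "sizes": dict(sizes),
            "bcast_mcast_pct": round(100 * share, 1), "flag": share > 0.20}

# Constructed sample capture (hypothetical host MACs; 01:00:5e:00:01:16 is the group MAC for 224.0.1.22)
HOST_A, HOST_B = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
SLP_MCAST = bytes.fromhex("01005e000116")
SAMPLE_FRAMES = [
    build_frame(HOST_B, HOST_A, 46),                  # 64 bytes, unicast, clean
    build_frame(BROADCAST, HOST_A, 46),               # 64 bytes, broadcast
    build_frame(BROADCAST, HOST_B, 46),               # 64 bytes, broadcast
    build_frame(SLP_MCAST, HOST_A, 100),              # 118 bytes, SLP multicast
    build_frame(HOST_B, HOST_A, 20),                  # 38 bytes, good FCS: runt
    build_frame(HOST_B, HOST_A, 20, corrupt=True),    # 38 bytes, bad FCS: fragment
    build_frame(HOST_B, HOST_A, 1501, corrupt=True),  # 1519 bytes, bad FCS: jabber
    build_frame(HOST_A, HOST_B, 1500),                # 1518 bytes, largest legal frame
    build_frame(HOST_A, HOST_B, 182, corrupt=True),   # 200 bytes, legal size, CRC error
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```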
Long- and Short-Term Analysis

As you can see in Figure 5.12, the Dashboard graph views can be adjusted into short- and long-term periods. To adjust the ranges, all you need to do is select the appropriate radio button. The short-term range covers about 25 minutes, whereas the long-term range covers about 24 hours.

Figure 5.11 The Size Distribution Event Selection Box

Customizing Your View

Now that you’ve been working with the interface, you should be aware of how to customize your view. When you first open the Dashboard, you will see that everything is compressed or shortened to conserve viewing space. Now that you