DOCUMENT INFORMATION
Basic information
Number of pages: 68
Size: 443.27 KB
Content
446 Chapter 9 • Understanding and Using Triggers and Alarms
219_sniffer_09.qxd 6/28/02 12:00 PM Page 446
www.syngress.com

Introduction

Network usage patterns change over time as personnel roles and responsibilities change and as new applications are introduced; so too should the network supporting them. Networks are constantly being put to the test with the latest applications. As the demands and level of complexity grow, so does the possibility of an unexpected network failure. Seemingly benign events are often symptoms of more ominous problems lurking just below the surface. Only by proactively monitoring the network resources can these possible issues be mitigated in time to make the difference between a minimal service outage used to tweak a network segment or component and a full-out crisis during peak network usage.

In the previous chapters you have learned how to:

■ Monitor network utilization
■ Generate real-time logs and reports on specified activities or stations, such as utilization and error statistics
■ Capture network traffic for later analysis
■ Review the analysis generated by the Sniffer Pro Expert
■ Generate traffic to simulate network conditions

In this chapter, we examine how to combine these activities with filters to define triggers. Triggers allow us to automate Sniffer Pro operations to look for and monitor network events, even when the program is not being operated by personnel. In addition, we take a close look at how triggers can be used to raise an alert when potential network errors are manifested or when Sniffer Pro identifies a trend for which an alarm has been defined. By proactively monitoring the network day in and day out for specific conditions, we can resolve potential issues well before they become critical.

Configuring & Implementing…

Preparing for Network Issues

Network issues occur on even the best-managed networks. It is critical that before you begin to analyze any specific network issue, you have a clear understanding of the environment you will be working in. Here is a short list of the basic information you should have available.

■ An established baseline: Before you can troubleshoot a network, you should have a good understanding of how it normally operates under usual everyday conditions. How can you know something is not operating properly if you've never seen it operate any other way? One of the first steps in getting acquainted with Sniffer Pro should be using it to baseline the network's performance and operations at various times of the day. This baseline will provide you a good basis for reviewing data you collect during your investigations.

■ Current physical and network topology: Having a road map to your network will help you identify where bottlenecks could exist and the location from which you might be able to collect the best data to help you troubleshoot or monitor your network.

■ List of network protocols in use: Knowing which protocols are in use will help you identify the components that are relevant to the network issue being addressed. The list should also identify whether the protocols are routable or bridgeable. Having this information will help you troubleshoot and create filters, triggers, and alarms that are tailored for your environment. Should you be looking at AppleTalk if there are no Apple computers on the network? Are there restricted protocols that should not cross DMZ boundaries?

■ Router, switch, and bridge configurations: Configuration files can help simplify the resolution of application communication issues, for example by identifying that a route that is supposed to be open isn't operating properly, that a VLAN is not assigned to a network link, or that a segment is not bridged.

■ Contact information: A list of IT equipment with the contact information for its owners and support groups can help resolve issues more quickly.
For example, if you identify that a faulty NIC on a server is causing issues over the network, you will want to get in contact with the server's owners so they can shut it down and replace the faulty unit.

Introducing Triggers

Triggers are used to configure special conditions within Sniffer Pro to initiate an automated capture sequence. Automated captures are generally used when Sniffer Pro is to be operated in unattended mode, as in the case of network monitoring outside work hours. There are two types of triggers: start and stop. Start triggers are used to initiate an automated capture sequence. Stop triggers are used to end an automated capture sequence.

NOTE
A distinction exists between monitoring and triggered captures. Monitor sessions contain the statistical information and measurements of a capture session. A capture session contains a copy of the actual data packets that were collected for further analysis.

It is important to note that only one trigger can be active at any one time. That is, a new triggered capture cannot be initiated until the currently active trigger is stopped. To illustrate this point, imagine that Sniffer Pro identifies a triggered event and begins an automated capture. If additional events are also identified, these will be stored within the logs until the currently active trigger is stopped by administrative intervention or as a result of a stop trigger. As such, it could be useful to define both start and stop triggers so that when a trigger is initiated based on an event, it stops logging information after that event has terminated.

NOTE
When setting up automated captures, it is important to consider the network traffic loads and Sniffer Pro resource allocations. If a specific event is what you are after, define a filter that will isolate the specific types of packets related to that event.
Triggering on this filter will help keep disk storage of data packets to a minimum. Opting not to use filters may result in capturing gigabytes of information that is unrelated and that must be parsed before data analysis can take place.

Configuring and Using Triggers

To define a trigger, click the Capture menu, then select Trigger Setup. The Trigger Setup screen appears; it is divided into three main sections (see Figure 9.1):

■ Trigger graphic outline
■ Start trigger
■ Stop trigger

Let's take a look at each of these sections in more detail.

The Trigger Graphic Outline

The trigger graphic outline provides a graphical display of the current trigger configuration. This display is useful for quickly identifying the triggers that are engaged and whether the repeat mode is active. When no trigger is defined, this area is left blank to indicate that fact. When a start or stop trigger is defined, the display changes to indicate that and whether the start or stop mode will be manually activated. To manually activate a capture, click the Capture menu and select Start. To manually stop a capture, click the Capture menu and select Stop. When the repeat mode is selected, the display indicates this selection by adding a line from the Stop indicator back to the Stop or the Start indicator (see Figure 9.2).

Figure 9.1 Sniffer Pro Trigger Setup Screen (labeled areas: Trigger Graphic Outline, Trigger Repeat Mode, Start Trigger Window, Stop Trigger Window)

The Start and Stop Trigger Screens

The Start and Stop Trigger Define screens are used to identify the type of trigger to be used to start or end a capture. The Start and Stop Trigger Define screens are identical in appearance. They differ only in function.
You access the Start and Stop Trigger Define screens by clicking the Define button in each of the trigger windows. You can define three types of triggers: Date/Time, Alarms, and Event Filter (see Figure 9.3).

Figure 9.2 Sniffer Pro Trigger Graphic Outline Display Options

                 Option 1      Option 2      Option 3      Option 4      Option 5      Option 6
START TRIGGER :  Defined       Not Defined   Defined       Defined       Not Defined   Defined
STOP TRIGGER  :  Not Defined   Defined       Defined       Not Defined   Defined       Defined
REPEAT MODE   :  Not Defined   Not Defined   Not Defined   Defined       Defined       Defined

Figure 9.3 Sniffer Pro Trigger Define Screen

To create a new trigger, click the New button located at the bottom of the Triggers window. A New Trigger window displays, prompting you to input a name for the new trigger.

To modify an existing or newly created trigger, highlight the name of the trigger and choose the new options to be associated with the trigger by selecting or deselecting the check boxes to the left of the Date/Time, Alarms, and Event Filter trigger titles. Once you've identified the type of trigger, select the appropriate options for each. The available options are discussed in the following sections.

To delete a trigger, highlight the name of the trigger from the trigger list and click Delete.

NOTE
When you define a new trigger, use a meaningful name that is descriptive of how the trigger is used. This practice helps you differentiate and identify the triggers.

Triggers are extremely useful when you're attempting to troubleshoot an event that does not always occur when a network analyst is present and ready to operate the Sniffer Pro console. As we mentioned, triggers allow for the remote, unattended operation of Sniffer Pro based on predefined operating conditions. These conditions can be based on a time event, a filter, or an alarm.
A good use of a trigger is for collecting packet data on an event that occurs at specific intervals or that has specific signatures or characteristics that are identifiable via filters or alarms.

Using the Date/Time Option

You can use the Date/Time option to define a start or stop trigger to activate on a given day and time. To enter a time, click each of the time fields (hour, minute, AM/PM) and use the Up and Down Arrows on the keyboard or the screen to define the time. To enter a day, click the day of the week on which the trigger is to activate. Selected days appear pressed. For example, in Figure 9.3, Sunday, Tuesday, Thursday, and Saturday have been selected.

In the case of timed stop triggers, it might be useful to identify a time when Sniffer Pro will stop capturing data. To continue with the previous example, if the unidentified network problem always occurred before 2:00 A.M. but never after, you can set a stop trigger to stop the automated capture of packets at 2:05 A.M. This solution helps minimize the amount of captured data that needs to be reviewed to identify the issue.

NOTE
A good use of a start trigger is to collect network data resulting from an unidentified network problem that has been known to occur on certain days at certain times. In this example, you'd configure a trigger so that Sniffer Pro will begin capturing packets a few minutes before the anticipated time window during which the network problem typically occurs. In this way, Sniffer Pro can be running and left unattended, freeing resources to work on other issues. On the return of network monitoring staff, the captured data can be analyzed and used to determine the root cause of the network problem.

Using the Alarm Option

You can use the Alarm option to define an alarm-based trigger. These triggers are used to start or stop a capture based on a given alarm.
If we again use our example of the unidentified network problem, we might, based on the information we know, be able to glean basic information regarding some of the symptoms that typically lead to problems. In this case, it would be possible to use one of the existing alarm filters, or an alarm filter devised specifically to pick out some of the symptoms, to initiate or terminate a triggered capture. We discuss the details of how to configure alarms later in this chapter, in the "Configuring and Using Alarms" section.

A good example of using alarm triggers in troubleshooting activities involves identifying the cause behind a network segment being reported as sluggish at random times and on random days. In this scenario, Sniffer Pro was used to raise a triggered alarm capture when error statistics increased dramatically. This allowed the troubleshooting personnel of the large company to identify that the source of the error was an Ethernet interface on a laptop docking station used by visitors attending meetings at the corporate head office. Typical LAN connection sessions originating from this station tended to last less than an hour. Because this was one of several stations identified for use by visitors, it was not always active. The defective docking station was replaced, and the network segment returned to normal operations.

Using the Event Filter

Event filters are used to activate a trigger based on a predefined filter. Filters can be defined to pick out specific network events, including transmissions to and from specific hosts, specific data patterns, and selected protocols. Chapter 8, "Using Filters," discusses in detail how to define and use filters. Refer to that chapter for additional information on configuring individual filters.
To activate an Event Filter trigger, select the Event filter check box and use the pull-down menu to list the available filters. Highlight and click the filter that is to be used.

NOTE
Filter-based triggers are very useful for monitoring a network for specific events, hosts, or network conditions. That is, Sniffer Pro can monitor the network unattended and trigger a capture sequence when it sees an event that matches a filter. If we return to our network problem example, once you homed in on some of the symptoms and possible causes for the problem, you could establish a filter specifically to begin and end a capture whenever the symptoms were manifested. This would again help to minimize the amount of data that needs to be analyzed in order to thoroughly understand the circumstances causing the network issue.

One example of using an event filter is to identify the cause of poor throughput between hosts located at one location and servers located at the other end of meshed WAN segments. In this case, we suspected one of the new WAN links to the remote sites was faulty, but we did not have access to the routers. The network operations center had performed a quick check but was not reporting any issues. We used Sniffer Pro to trigger a capture based on a filter defined to isolate routing updates. Subsequent analysis identified that one of the links was flapping, that is, cycling up and down every couple of seconds. This activity was causing the network routing tables to update and alternate routes between both WAN links at the remote office. In turn, we also identified that network management on the new router was not properly configured. This was the reason the network operations center did not report any issues.
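The three trigger types described in the preceding sections, together with the one-active-capture rule and the use of a stop trigger to bound a capture, can be tried out on a small simulation. The following Python example is added to this page; it is not code from the book or from Sniffer Pro itself. It models the trigger semantics the chapter describes (Date/Time, Alarm and Event Filter start and stop triggers, only one capture active at a time, start matches during a capture being recorded rather than acted on, repeat mode as covered in the next section, and a capture filter that keeps the stored data small) over a constructed packet stream. The packet fields, the error-rate alarm, the thresholds, the timestamps and the protocol names are all assumptions made for the example.

```python
"""Sniffer Pro-style start/stop capture triggers, simulated over constructed traffic."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    ts: datetime
    proto: str
    error: bool = False  # CRC/alignment error frame, as the Monitor's error statistics count it

Condition = Callable[[Packet, datetime], bool]  # sees each packet plus the moment the trigger was armed

def date_time_trigger(days: set, hour: int, minute: int) -> Condition:
    """Date/Time option: fires on the first packet at or after the next selected weekday/time
    following the arming moment (datetime.weekday(): Monday=0 ... Sunday=6)."""
    def next_occurrence(armed: datetime) -> datetime:
        base = armed.replace(hour=hour, minute=minute, second=0, microsecond=0)
        return next(c for c in (base + timedelta(days=d) for d in range(8))
                    if c.weekday() in days and c >= armed)  # StopIteration if no weekday selected
    return lambda pkt, armed: pkt.ts >= next_occurrence(armed)

def alarm_trigger(max_errors: int, window_s: int) -> Condition:
    """Alarm option, here a constructed error-rate alarm: more than max_errors error frames in window_s s."""
    recent: Deque[datetime] = deque()
    def cond(pkt: Packet, _armed: datetime) -> bool:
        if pkt.error:
            recent.append(pkt.ts)
        while recent and (pkt.ts - recent[0]).total_seconds() > window_s:
            recent.popleft()
        return len(recent) > max_errors
    return cond

def event_filter_trigger(match: Callable[[Packet], bool]) -> Condition:  # Event Filter option
    return lambda pkt, _armed: match(pkt)

class TriggerEngine:
    """One start trigger, optional stop trigger, repeat mode and capture filter. Only one
    capture is ever active; start matches seen while capturing are counted, not acted on."""
    def __init__(self, start: Condition, stop: Optional[Condition] = None, repeat: bool = False,
                 capture_filter: Optional[Callable[[Packet], bool]] = None) -> None:
        self.start, self.stop, self.repeat = start, stop, repeat
        self.capture_filter = capture_filter or (lambda _p: True)
        self.armed_at: Optional[datetime] = None  # taken from the first packet seen
        self.state = "armed"                      # armed | capturing | finished
        self.captures: List[List[Packet]] = []
        self.suppressed_starts = 0

    def feed(self, pkt: Packet) -> None:
        if self.armed_at is None:
            self.armed_at = pkt.ts
        if self.state == "armed" and self.start(pkt, self.armed_at):
            self.state, self.armed_at = "capturing", pkt.ts  # the stop trigger is armed from here
            self.captures.append([])
        elif self.state == "capturing" and self.start(pkt, self.armed_at):
            self.suppressed_starts += 1  # "stored within the logs"; no second capture starts
        if self.state != "capturing":
            return
        if self.capture_filter(pkt):  # the filter is what keeps the capture file small
            self.captures[-1].append(pkt)
        if self.stop is not None and self.stop(pkt, self.armed_at):
            self.stop_capture(pkt.ts)

    def stop_capture(self, at: datetime) -> None:  # a stop trigger, or an operator's Capture > Stop
        if self.state == "capturing":
            self.armed_at = at
            self.state = "armed" if self.repeat else "finished"

def build_sample_stream() -> List[Packet]:
    """Constructed traffic for Tue 2002-07-02 and Thu 2002-07-04, 01:50-02:10: an HTTP frame every
    10 s, a RIP update every 30 s, and on Tuesday ten error frames at 02:00:00 + 2k s (k = 0..9)."""
    pkts: List[Packet] = []
    for night in (datetime(2002, 7, 2, 1, 50), datetime(2002, 7, 4, 1, 50)):
        for sec in range(0, 20 * 60 + 1, 10):
            pkts.append(Packet(night + timedelta(seconds=sec), "HTTP"))
            if sec % 30 == 0:
                pkts.append(Packet(night + timedelta(seconds=sec), "RIP"))
    pkts += [Packet(datetime(2002, 7, 2, 2, 0, 2 * k), "ETHER", error=True) for k in range(10)]
    return sorted(pkts, key=lambda p: p.ts)  # stable sort keeps HTTP, RIP, error order on ties

def run_trigger_demo() -> Dict[str, TriggerEngine]:
    tue_thu = {1, 3}
    engines = {
        # Date/Time start and stop with repeat mode: the 01:55-02:05 window on both nights
        "timed": TriggerEngine(date_time_trigger(tue_thu, 1, 55),
                               date_time_trigger(tue_thu, 2, 5), repeat=True),
        # Alarm start, Date/Time stop, only error frames stored, no repeat
        "alarm": TriggerEngine(alarm_trigger(max_errors=3, window_s=10),
                               date_time_trigger(tue_thu, 2, 5), capture_filter=lambda p: p.error),
        # Event Filter start on routing updates, no stop trigger: runs until stopped by hand
        "filtered": TriggerEngine(event_filter_trigger(lambda p: p.proto == "RIP"),
                                  capture_filter=lambda p: p.proto == "RIP"),
    }
    for pkt in build_sample_stream():
        for eng in engines.values():
            eng.feed(pkt)
    engines["filtered"].stop_capture(pkt.ts)  # administrative intervention after the last frame
    return engines
```

Running run_trigger_demo() shows the three behaviours the chapter describes. The timed engine produces one capture per night bounded by the 02:05 stop trigger and re-arms afterwards because repeat mode is on. The alarm engine starts on the fourth error frame inside ten seconds and, because of its capture filter, stores only the error frames, so the capture holds seven frames instead of everything seen until 02:05. The filtered engine starts on the first routing update, counts the 81 later matches as suppressed starts rather than starting new captures, and ends only on the administrative stop.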
Trigger Repeat Mode

Trigger repeat mode should be selected to automatically reuse a trigger after a triggered capture has been completed. This tool is effective in monitoring an event based on a specified time, filter, or alarm that occurs more than once over the automated-monitoring time period. This practice is very useful as a means of capturing multiple occurrences of an event, thereby simplifying the identification of an event pattern and its related cause. When activated, repeat mode reinitiates a capture every time the specified event takes place; that is, at the end of the capture period, the trigger is reset and waits to be activated again. For example, if an event always occurs at 3 A.M. on Tuesdays and Thursdays, triggering Sniffer Pro to capture this event over the course of a week or several weeks can help provide the data required to pinpoint the problem and resolve the issue.

Designing & Planning…

Distributed Sniffer System

The Distributed Sniffer System is a network management utility that can be used for monitoring, capturing, and analyzing networking information over an entire network using multiple hardware and software Sniffer components. Distributed Sniffer provides the same expert analysis as is provided within Sniffer Pro.

A Distributed Sniffer system consists of Distributed Sniffer Servers (DSS) that are controlled by SniffMaster Consoles (clients). A SniffMaster Console aggregates the real-time data captured by the remotely located DSS and analyzes the data for trend, alarm, and filter signatures. DSS capture network information using monitoring and expert analysis.

The Distributed Sniffer utility provides the communications between SniffMaster Consoles and DSS using in-band (over a LAN connection) and out-of-band (over an external serial link such as a modem) channels. TCP transport is provided over Ethernet and ring LANs, and SLIP over asynchronous modem connections. Up to four simultaneous LAN connections, or three LAN connections and one serial modem connection, can be active at any one time.

Configuring and Using Alarms

Alarms are used to identify that an event threshold or network condition has occurred during a capture sequence. The alarm monitor is always active during a capture sequence and does not need special configuration to begin monitoring events. You can define and tailor alarms to trigger based on the specific requirements of a network. They can also be defined to initiate an action such as an audible alert, an e-mail, or a pager call, among others. We cover these functions in greater detail in the "Configuring Alarm Notifications" section.

Designing & Planning…

Sniffer Pro Network Problem-Solving Model with Triggers and Alarms

Before tackling any network issue, it is best to devise a plan of action. Although at first it might appear that you're wasting valuable time, arming yourself with the right information can help you resolve problems more quickly and effectively. There are many good methodologies for addressing network issues. The following steps constitute one example that could help you get the most out of Sniffer Pro:

1. Define the problem: This step is critical in helping you organize the issues into visible symptoms and likely causes. If you are told that a database is not responding to client requests in a timely manner, you might begin to suspect a network issue, a client issue, or a NIC. Is this a regular occurrence or something that happens at different intervals?

2. Gather information: Once you have defined the problem, you want to know how many hosts are affected, their location, if there are any similarities between them (the same NIC card, for example), whether there have been any updates to the network (router updates) or to the clients (new desktop release, firmware upgrade), and so on.

3. Reassess the problem: Based on the information you collected in the second step, you want to verify that your initial assumptions regarding the problem still make sense. Does

[...]

... The Sniffer Pro Monitor obtains statistical information on the network usage, packet sizes, error rates, and other network packet data in real time for trend analysis. Monitor alarms are predefined in Sniffer Pro with thresholds to monitor a typical network ...

... result in massive financial losses.

Summary

This chapter provided detailed configuration information on Sniffer Pro triggers and alarms. Triggers can be used to automate Sniffer Pro operations to look for and capture network events, even when Sniffer Pro is left unattended. Triggers can ...

... value of 5.

Figure 9.15 Expert Alarm Threshold Examples

Monitoring Alarm Thresholds

... Sniffer Pro's programmers have ...

... predefined in Sniffer Pro with thresholds that determine when a symptom or diagnosis is generated.

A solid understanding of network protocols, along with a detailed analysis of your specific environment, should be available for review before you modify any of the Sniffer Pro Expert alarm thresholds, because these modifications will affect the operations of the Expert network solutions provided by Sniffer Pro ...

... requirements to ensure the accurate identification of network events. To modify the Expert alarm thresholds, ...

... Response Time Thresholds

The display provides information in three columns:

■ The first column provides a listing of the application protocols that are being monitored. The application protocol list is arranged by type of protocol; that is, all TCP-based applications are grouped together and all UDP-based applications are grouped together ...

... to match the conditions of the network being monitored. The Description column provides a high-level description of each listed alarm.

Sniffer Pro can be configured to trigger external (that is, non-Sniffer Pro-related) actions based on the severity of an alarm. These notifications can be used to alert staff and third-party applications of a detected symptom or condition. Sniffer Pro can notify of an alarm by ...

... might be beneficial to modify some of the Monitor alarm thresholds in order to better represent the existing network conditions.

Configuring Alarm Notifications

Sniffer Pro can notify you of an alarm by sounding an audible alarm, sending an e-mail, calling a beeper, sending an ...

... was properly received.

Defining a Pager Notification

It is important to note that using the pager notification option requires a modem with a telephone-line connection installed on the computer running Sniffer Pro.

Figure 9.11 The Notification Test Screen

Pager notifications provide ...

... Ensure that the notification was properly received.

Modifying Alarm Threshold Levels

Sniffer Pro identifies two types of alarms: Expert alarms and Monitor alarms.

Expert Alarm Thresholds

Expert alarms are alarms that the Sniffer Pro programmers have predefined with thresholds that determine when a symptom or diagnosis is generated. It is important to note that the default thresholds provided with Expert have been ...
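The alarm material above (the Monitor alarm thresholds, the advice to modify them so that they represent the network actually being monitored, the baseline recommended in the "Preparing for Network Issues" sidebar, severity-based external actions, and the pager option's dependence on a modem and the need to confirm that a notification was received) can be shown together in one small model. The following Python example is added to this page; it is neither the book's code nor Sniffer Pro's own threshold table. The metric names, default thresholds and severities, the notification routes, and the sampled interval values are all constructed for the example.

```python
"""Monitor-style threshold alarms, thresholds tuned to a baseline, and severity-routed notifications."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class IntervalStats:
    """One Monitor sampling interval; the values used below are constructed for this example."""
    utilization_pct: float
    errors_per_s: float
    broadcasts_per_s: float

@dataclass(frozen=True)
class Alarm:
    name: str
    severity: str  # critical | major | minor
    value: float
    threshold: float

# alarm name -> (IntervalStats field, threshold, severity). Constructed defaults sized for a
# quiet segment; they are not Sniffer Pro's own Monitor alarm table.
ThresholdTable = Dict[str, Tuple[str, float, str]]
DEFAULT_THRESHOLDS: ThresholdTable = {
    "utilization": ("utilization_pct", 40.0, "minor"),
    "error rate": ("errors_per_s", 2.0, "critical"),
    "broadcast rate": ("broadcasts_per_s", 50.0, "major"),
}

def evaluate(stats: IntervalStats, table: ThresholdTable) -> List[Alarm]:
    """One alarm per metric whose sampled value exceeds its threshold."""
    return [Alarm(name, sev, getattr(stats, metric), limit)
            for name, (metric, limit, sev) in table.items() if getattr(stats, metric) > limit]

def tune_to_baseline(table: ThresholdTable, baseline: List[IntervalStats],
                     headroom: float = 1.5) -> ThresholdTable:
    """Lift each threshold to `headroom` times the busiest baseline interval (never below the
    default) so that this segment's normal peaks stop raising alarms."""
    return {name: (metric, max(limit, headroom * max(getattr(s, metric) for s in baseline)), sev)
            for name, (metric, limit, sev) in table.items()}

class Notifier:
    """Routes alarms to external actions by severity and records every delivery attempt."""
    def __init__(self, routes: Dict[str, List[str]], modem_present: bool) -> None:
        self.routes, self.modem_present = routes, modem_present
        self.delivered: List[str] = []
        self.failed: List[str] = []

    def send(self, alarm: Alarm) -> List[str]:
        sent = []
        for action in self.routes.get(alarm.severity, []):
            if action == "pager" and not self.modem_present:  # paging needs a modem on the Sniffer host
                self.failed.append(f"pager: no modem, {alarm.name} not paged")
                continue
            sent.append(f"{action}: {alarm.severity} {alarm.name} {alarm.value:g} > {alarm.threshold:g}")
        self.delivered += sent
        return sent

    def test_notification(self) -> bool:
        """Push a synthetic alarm through every route; True only if every action was delivered."""
        failures_before = len(self.failed)
        for severity in self.routes:
            self.send(Alarm("notification test", severity, 0.0, 0.0))
        return len(self.failed) == failures_before

def run_alarm_demo() -> dict:
    # Constructed baseline: a busy but healthy segment sampled five times, then one bad interval
    baseline = [IntervalStats(55, 0.1, 30), IntervalStats(58, 0.2, 28), IntervalStats(60, 0.1, 31),
                IntervalStats(57, 0.0, 29), IntervalStats(59, 0.2, 30)]
    now = IntervalStats(62, 3.5, 35)
    tuned = tune_to_baseline(DEFAULT_THRESHOLDS, baseline)
    routes = {"critical": ["audible", "e-mail", "pager"], "major": ["e-mail"], "minor": ["audible"]}
    notifier = Notifier(routes, modem_present=False)
    tuned_alarms = evaluate(now, tuned)
    for alarm in tuned_alarms:
        notifier.send(alarm)
    return {
        "default_alarms": evaluate(now, DEFAULT_THRESHOLDS),  # the defaults also flag normal utilization
        "tuned_alarms": tuned_alarms,
        "notifier": notifier,
        "test_ok_without_modem": notifier.test_notification(),
        "test_ok_with_modem": Notifier(routes, modem_present=True).test_notification(),
    }
```

With the constructed defaults the bad interval raises two alarms, one of them for utilization that is normal for this segment; after tune_to_baseline() only the error-rate alarm remains, which is the point of adjusting Monitor thresholds to the baseline. The critical alarm is routed to an audible alert, an e-mail and a pager call, and the pager call fails on a host without a modem; test_notification() catches that before a real alarm does, which is the purpose of the notification test the chapter recommends.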