SurveyorUser’s Guide
xSurveyor User’s GuideExpert Diagnostic Messages... 10-15Working with the Expert
6-2Surveyor User’s GuideThis chapter contains information on data views with the exception of Expert Views and Multi-QoS Views. Refer to the Expert ch
6-3ViewsSummary View6Summary ViewSummary View is Surveyor’s global monitoring tool for network data. You can view real-time data from any local resour
6-4Surveyor User’s Guide• Protocol Distribution • Host Table • Network Layer Host Table • Application Layer Host Table • Host Matrix • Network Layer
6-5ViewsDetail View6You can have as many windows with data views as are available in Detail View. The initial data view you get of a resource is the v
6-6Surveyor User’s Guide Application Layer Host Table Host Matrix Network Layer Matrix Application Layer Matrix VLANs Address Map Duplicate
6-7ViewsCapture View6that you have of the capture buffer are still open windows within Detail View. In other words, the “view” and decode of previous
6-8Surveyor User’s Guide• Detail PaneThe Detail Pane shows the values of the protocol elements associated with each protocol. For example, for the Dat
6-9ViewsUsing the Histogram Control6Protocol Color Coding tab from the System Settings menu option. See “Appendix D” for a list of Surveyor’s default
6-10Surveyor User’s Guide• The Lower Histogram represents the entire capture. The gray area on the histo-gram corresponds to the detail area.Figure 6-
6-11ViewsUsing the Histogram Control6For the Upper Histogram, the Selected Section is changed by sliding a movable “window” over a portion of the data
xiContents (continued)TCP Retransmissions ... 10-51TCP RST Packets...
6-12Surveyor User’s Guideof the capture that are not shown in the Upper Histogram are available from the disk cache.Figure 6-2. Histogram Display Sho
6-13ViewsUsing the Histogram Control6shown in black. The gray and black colors indicate that these sections are not downloaded.Figure 6-3. Histogram
6-14Surveyor User’s GuideHistogram Button ControlsHistogram controls allow you to focus on a smaller area of the capture, change the appearance of the
6-15ViewsUsing the Histogram Control6Downloads the data currently selected in the Upper Histogram to the capture view decode. Only the data within the
6-16Surveyor User’s GuideIf you attempt to select an area smaller than 20MB, the closest sections that form 20MB of data become the Capture Selection
6-17ViewsPacket Editor6radio button and press the Range... button. Click, hold, and drag with the left mouse in the histogram to select the range you
6-18Surveyor User’s GuideUse the Undo and Redo functions from the Edit menu to remove or reapply the last packet edit.Editing in Decode ViewEditing in
6-19ViewsData Views6tables are updated approximately every 7 seconds.MAC Statistics View (Rx)From Detail View, click on the button to open a window w
6-20Surveyor User’s GuideMAC Statistics View (Tx)From Detail View, click on the button to open a window with MAC Statistics View for transmit. From S
6-21ViewsData Views6Frame Size Distribution View is available as a chart or a table. For the chart, the Bar and Pie buttons toggle the type of graphic
xiiSurveyor User’s GuideRIP Broadcasts... 10-95Router Storm...
6-22Surveyor User’s Guide:.The NET and ALL buttons shows percentage breakdowns for all packets. The IP Table 6-7. Protocol Distribution View, Chart Bu
6-23ViewsData Views6and IPX buttons show the percentages of only those packets that can be identified as containing IP or IPX information respectively
6-24Surveyor User’s GuideHost Table ViewFrom Detail View, click on the button to open a window with Host Table View. From Summary View, set the view
6-25ViewsData Views6Network Layer Host Table ViewFrom Detail View, click on the button to open a window with Network Layer Host Table View. From Summ
6-26Surveyor User’s GuideTab l eNetwork Layer Host Table View as a table shows network activity from the view of network stations. The table lists sta
6-27ViewsData Views6Application Layer Host Table ViewFrom Detail View, click on the button to open a window with Application Layer Host Table View.
6-28Surveyor User’s GuideHost Matrix ViewFrom Detail View, click on the button to open a window with Host Matrix View. From Summary View, set the vi
6-29ViewsData Views6ChartHost Matrix View as a chart shows only ten MAC conversations. The ten conversations displayed are those transmitting the larg
6-30Surveyor User’s GuideNetwork Layer Matrix ViewFrom Detail View, click on the button to open a window with Network Layer Matrix View. From Summar
6-31ViewsData Views6Application Layer Matrix ViewFrom Detail View, click on the button to open a window with Application Layer Matrix View. From Sum
xiiiContents (continued)Field Descriptions for Call Range Summaries... 11-15VQMon Metrics...
6-32Surveyor User’s GuideThe station addresses and names in the conversation are provided in the table or chart. The name and address are the same if
6-33ViewsData Views6VLAN ViewFrom Detail View, click on the button to open a window with VLAN View. From Summary View, set the view preferences to V
6-34Surveyor User’s GuideTab l eVLAN View as a table shows network activity from the view of virtual LAN traffic. The table lists statistics for all V
6-35ViewsData Views6Packet Summary ViewPacket Summary View shows a real-time protocol decode. Packets received are decoded and the result of the decod
6-36Surveyor User’s GuideExpert View (Expert plug-in only)From Detail View, click on the button to open a window with Expert View. From Summary View
6-37ViewsHints and Tips for Using Views6Multiple tables are available in Multi-QoS View. You can view all calls, subsets of calls filtered by protocol
6-38Surveyor User’s Guide• Double-click on the MAC Statistics View in Detail View to bring up Capture View.• Data in a chart will be sorted by the las
7-1Chapter 77 Capture and Display FiltersFor most data analysis operations, you’ll want to look at only a subset of all data. Filters allow you to sel
7-2Surveyor User’s Guide5. Enter an address in the Add Conversation to Filter Template area and select the Apply Conversation to Template check box. E
7-3Capture and Display FiltersCreating Filters with Filter Templates7Conversation to Filter Template area in the display provides a convenient means o
xivSurveyor User’s GuideA Implementation Profile ... A-1Buffers ...
7-4Surveyor User’s GuideA sample Filter Design window is shown below.Figure 7-1. Filter Design WindowFilter Design Toolbar Buttons (see Chapter 3 for
7-5Capture and Display FiltersCreating Filters with Filter Templates7Creating and Applying a ConversationThe Add Conversation to Template area of the
7-6Surveyor User’s GuideThere are four station address types:• MAC address – 12 hexadecimal digits.For example, 34FD34AA0001.• IP dot notation address
7-7Capture and Display FiltersCreating Filters with Filter Templates7Creating and Applying a Port NumberSurveyor provides a convenient way to add a po
7-8Surveyor User’s GuideMultiple Byte Patterns in Filter TemplatesFilter templates can be “several templates in one.” For example, HTTP, TELNET, and S
7-9Capture and Display FiltersCreating Filters with Filter Templates7You then save the template. When you save a custom template, Surveyor asks for a
7-10Surveyor User’s Guide Entering Values that Cross Byte BoundariesPort values are generally understood as decimal numbers. For example, an NFS port
7-11Capture and Display FiltersCreating Filters with Filter Templates7Bit-Level FilteringSurveyor can filter at the bit level. To set a bit pattern, p
7-12Surveyor User’s GuideFilter Creation The FILTER CREATION portion (left side) of the Filter Design window is the area that actually specifies what
7-13Capture and Display FiltersFilter Creation7a test against incoming frames. If the operation you try makes no sense in the context of creating a te
xvList of FiguresFigure Page5-1. Remote Host Connections ... 5-35-2. Host
7-14Surveyor User’s GuideActions for Capture FiltersTable 7-4 shows actions available for capture filters:An example Filter Actions dialog box for cap
7-15Capture and Display FiltersFilter Creation7Actions for Display FiltersTable 7-5 shows actions available for display filters:See Multi-State and Mu
7-16Surveyor User’s GuideGlobal Values that Affect Capture Filter ActionsTable 7-6 describes the options and settings available that have a global set
7-17Capture and Display FiltersMulti-State and Multi-Statement Filters7Frame types are shown in Table 7-7:Multi-State and Multi-Statement FiltersTo cr
7-18Surveyor User’s GuideClick on the State button in the Filter Design window to view the Filter States Design window for the filter. An example is
7-19Capture and Display FiltersMulti-State and Multi-Statement Filters7Filter StructureThe capture or display filter consists of states, each with a u
7-20Surveyor User’s GuideFilter StatesStates are used to group a set of statements. Since statement contain conditions and actions, states are a way t
7-21Capture and Display FiltersMulti-State and Multi-Statement Filters7Filter StatementsTo create statements, press the button from the Filter State
7-22Surveyor User’s GuideCapture and Display Filter DifferencesDisplay and capture filters are activated in different ways. Also, some options for cap
7-23Capture and Display FiltersFilter Examples7Filter ExamplesFilter examples are supplied with Surveyor. To see examples, open a capture filter file
xviSurveyorUser’s Guide9-10. Alarm Example, Expert and Application Response ... 9-1910-1. Expert Overview Exampl
7-24Surveyor User’s GuideThe steps used to create the filter template and load it to a resource are shown below:1. Press the Clear Template button.2.
7-25Capture and Display FiltersFilter Examples7Filter Example, Template CombinationThe Filter Design window in Figure 7-6 shows the capture filter wit
7-26Surveyor User’s GuideThe following steps describe how to create two filter templates, logically combine them using an OR operator, and load the re
7-27Capture and Display FiltersFilter Examples7Filter Example, Capture TCP Port TrafficThe Filter Design window in Figure 7-7 shows the capture filter
7-28Surveyor User’s GuideThe following steps describe how to create the BootPS filter template and load in to a resource.1. Press the Clear Template b
7-29Capture and Display FiltersFilter Examples7Filter Example, Advanced FilterThe Filter States Design window below shows the capture filter Example.C
7-30Surveyor User’s GuideRules of the Capture or Display Filter• There must be at least one IF and one ELSE statement per state. ELSE IF statements ar
7-31Capture and Display FiltersHints and Tips for Using Filters7Hints and Tips for Using Filters• Remember to load the Capture filter on the module be
7-32Surveyor User’s Guide• From the Detail View pane of the Capture View window, you can copy the con-tents of any field to create a Capture or Displa
8-1Chapter 88 Transmit SpecificationPacket Blaster plug-in allows you to generate packets and send them onto a net-work. This can be used to force the
xviiList of TablesTable Page1-1. Surveyor Functions ... 1-21-2.
8-2Surveyor User’s GuideTransmit Specification Dialog BoxTransmit Specifications are defined in a dialog box. The Transmit Specification dialog box co
8-3Transmit SpecificationTransmit Specifications8options available from the dialog box and click on the Add button. You can also add a capture file as
8-4Surveyor User’s Guidethe stream. The Auto CRC check box specifies if a valid CRC will be automatically generated for the stream.Stream ButtonsThe A
8-5Transmit SpecificationTransmit Specifications8Transmit Specification control buttons are described in Table 8-2:Repeating FramesThere are three way
8-6Surveyor User’s Guide CautionRepeating frames using the transmission mode feature is a function implemented in software; there is a time gap of abo
8-7Transmit SpecificationTransmit Specifications8Stream ModesAn interpacket gap for a frame can be set in three different ways; Packet Gap, Frame Rate
8-8Surveyor User’s GuideTransmission Mode You can either transmit the specification continuously or transmit it n times. Select Transmit Continuously
8-9Transmit SpecificationSpecifying Transmit Data8Table 8-5 shows the buttons that are available from within the packet editor::Editing in Decode View
8-10Surveyor User’s GuideDA and SA FieldsThe DA and SA fields define the MAC layer destination address and MAC layer source address for the stream. No
8-11Transmit SpecificationSpecifying Transmit Data8packets can be generated using Finisar analyzer cards. NDIS modules cannot generate bad CRC packets
xviiiSurveyorUser’s Guide6-5. Packet Editor Buttons ... 6-176-6. Fra
8-12Surveyor User’s GuideTransmitting Capture FilesYou can transmit the contents of a capture file as one of the streams in the Transmit Specification
8-13Transmit SpecificationTransmit Specification Examples8Transmit Specification Example, Packet GapsA Transmit Specification example in its dialog bo
8-14Surveyor User’s GuideTransmit Specification Example, BurstsA Transmit Specification dialog box is shown in Figure 8-3. The dialog box only shows v
8-15Transmit SpecificationHints and Tips for a Transmit Specification8Hints and Tips for a Transmit Specification• Take care with what you transmit. S
8-16Surveyor User’s Guide
9-1Chapter 99 AlarmsSurveyor’s alarms facility enables you to create alarms to automatically monitor network resources. Access to Surveyor’s alarms fa
9-2Surveyor User’s GuideCurrent Module AlarmsWhen you right-click on an analyzer device in the Resource Browser, a menu appears. Select Alarms... and
9-3AlarmsCurrent Module Alarms9Press New Alarm to enable new alarms for a resource. The Alarm Editor dialog box appears. Multiple alarms of any type m
9-4Surveyor User’s GuideAlarm EditorThere are six alarm groups that appear on the tabs in the Alarm Editor. The Expert tab and Application Response ta
9-5AlarmsAlarm Editor9Multi-QoS AlarmsFor Multi-QoS alarms, alarms can be created from the Multi-QoS Views interface as well as by double-clicking on
xixTables (continued)11-7. SCCP Call Field Descriptions ... 11-2111-8. H.323 Call
9-6Surveyor User’s GuideExpert AlarmsDuring transmit or receive, expert symptoms are logged as they occur. You can test for certain thresholds for the
9-7AlarmsAlarm Editor9Using Alarms with Different DevicesAlarms can be used with the following hardware analyzer devices or adapters. For analyzer car
9-8Surveyor User’s GuideThresholds and AlarmsAlarm thresholds are set by specifying the values in the Sample Type, Rising Value, Falling Value, and In
9-9AlarmsAlarm Actions9Alarm ActionsEach line in an alarm table has a unique set of actions associated with it that will occur if the alarm is trigger
9-10Surveyor User’s GuideYou can select but not configure the E-mail, Log File, Pager, or SNMP Trap action on a remote host running Surveyor. If the s
9-11AlarmsAlarm Actions9E-mail settings for Surveyor hosts and THGs hosts are slightly different. For analyzer devices in Surveyor hosts, you set the
9-12Surveyor User’s GuideTrap Settings for THGsThe stations to receive traps for a remote THGs can be established from the local host running Surveyor
9-13AlarmsAlarm Actions9Multiple IP addresses may be set for each trap. A maximum of 15 trap destinations can be assigned to each community. All alarm
9-14Surveyor User’s GuideViewing the Alarm List and the Alarm LogThere are several ways to access the list of alarms or a log of alarm events. From De
9-15AlarmsAlarm Examples9Alarm ExamplesThe following are six examples for alarms and alarm groupings. Each provides a picture of the Current Module Al
Surveyor User’s GuideiiTrademarks and CopyrightsFinisar, Surveyor, THGm, THGs, THGsE, THGnotebook, THGp, Century 12-Tap, 12-Tap, Century Tap, Packet B
xxSurveyorUser’s GuideD-8. Parser Names, IBM Suite... D-4D-9. Parser Name
9-16Surveyor User’s GuideAlarm Example, MAC Errors Figure 9-7. Alarm Example, MAC ErrorsThis example shows an alarm group consisting of five MAC Laye
9-17AlarmsAlarm Examples9Alarm Example, Frame Size” Figure 9-8. Alarm Example, Frame SizeThis example shows an alarm group consisting of four MAC Lay
9-18Surveyor User’s GuideAlarm Example, VoIP Calls” Figure 9-9. Alarm Example, Call Jitter and Call Setup TimeThis example shows an alarm group consi
9-19AlarmsAlarm Examples9Alarm Example, Expert and Application ResponseFigure 9-10. Alarm Example, Expert and Application ResponseThis example shows
9-20Surveyor User’s Guide
10-1Chapter 1010 Expert FeaturesAutomatic diagnostic analysis, expert data views, application response times, and expert alarms are referred to collec
10-2Surveyor User’s GuideExpert System ViewsThe expert views present expert information on capture files, a capture buffer, or in monitoring mode. The
10-3Expert FeaturesGetting Started with Expert View10Figure 10-1. Expert Overview Example
10-4Surveyor User’s GuideExpert Overview DetailsClick on any counter in the display to view a table listing only the events for the selected symptom.
10-5Expert FeaturesGetting Started with Expert View10Figure 10-2. Expert Overview Detail Table Example
1-1Chapter 11 IntroductionFinisar is the technology leader in providing LAN and SAN analysis tools. Finisar's fully distributed, full-line-rate p
10-6Surveyor User’s GuideExpert LayersSurveyor categorizes network problems according to the network “layer” at which they occur. During capture or mo
10-7Expert FeaturesExpert Layers10Figure 10-3. Expert Application Layer Example
10-8Surveyor User’s GuideThe interface provides a matrix of expert information views. For each layer, the symptoms, analyses, and objects can be displ
10-9Expert FeaturesExpert Layers10Table 10-1. Expert Symptoms and Analyses by LayerLayer Expert Symptoms Expert AnalysesApplication Excessive ARPExces
10-10Surveyor User’s GuideExpert Symptoms, Analyses, and Network EntitiesWhen you capture or monitor packets on a network segment, Surveyor immediatel
10-11Expert FeaturesExpert Symptoms, Analyses, and Network Entities10AnalysesHigh rates of recurrence of specific symptoms or single instances of part
10-12Surveyor User’s GuidePress the Entities tab on the Expert View window to view network objects discov-ered from the current packet analysis.The ex
10-13Expert FeaturesExpert Symptoms, Analyses, and Network Entities10Application/Session Lists for EntitiesThe list displays the number of packets and
10-14Surveyor User’s GuideData Link Lists for EntitiesThe first list displays the network traffic of the physical station. It shows how many packets a
10-15Expert FeaturesExpert Diagnostic Messages10Expert Diagnostic MessagesFrom any summary table you can double-click on any symptom or analysis to di
1-2Surveyor User’s GuideSurveyor's user interface provides both a comprehensive view of the network as well as the ability to easily drill down t
10-16Surveyor User’s GuideWorking with the Expert SystemConfiguring the Expert SystemUse the Expert Configurations dialog box to change expert setting
10-17Expert FeaturesWorking with the Expert System10The tree can be expanded or collapsed by clicking on the plus or minus icon, double-clicking on th
10-18Surveyor User’s GuideThe ExpertMsg.INI file contains Surveyor’s diagnostic information. This file can be changed using a text editor, thus giving
10-19Expert FeaturesApplication Response Time10Working with Analyzer DevicesFor THGm or NDIS resources, expert views present expert information on cap
10-20Surveyor User’s GuideApplication LayerExcessive Mailslot BroadcastsCounterExcessive Mailslot Broadcasts is a counter of Mailslot Broadcasts packe
10-21Expert FeaturesApplication Layer10FTP Login AttemptsCounterFTP Login Attempts is a counter of FTP login attempts that exceed a threshold. A count
10-22Surveyor User’s GuideMissed Browser AnnouncementCounterMissed Browser Announcement is a counter of events where the time elapsed since the last b
10-23Expert FeaturesApplication Layer10NCP File RetransmissionCounterNCP File Retransmission is a counter of all times where a portion of a file is re
10-24Surveyor User’s GuideNCP Read/Write OverlapCounterNCP Read/Write Overlap is a counter of all times where a portion of a file overlaps the transmi
10-25Expert FeaturesApplication Layer10NCP Request DeniedCounterNCP Request Denied is a counter of all times where the number of request denied replie
1-3IntroductionSurveyor Functions1Log Record counter information. Surveyor enables you to capture all byte, frame, and error counter values compiled d
10-26Surveyor User’s GuideNCP Request LoopCounterNCP Request Loop is a counter of all times where the same request occurs within an interval. A count
10-27Expert FeaturesApplication Layer10NCP Server BusyCounterNCP Server Busy is a counter of all NCP Server Busy responses that exceed a threshold for
10-28Surveyor User’s GuideNCP Too Many File RetransmissionsCounterNCP Too Many File Retransmissions is a counter of events where the ratio of file ret
10-29Expert FeaturesApplication Layer10NCP Too Many Requests DeniedCounterNCP Too Many Requests Denied is a counter of events where the ratio of file
10-30Surveyor User’s GuideNCP Too Many Request LoopsCounterNCP Too Many Request Loops is a counter of events where the ratio of file request loops to
10-31Expert FeaturesApplication Layer10NFS RetransmissionsCounterNFS Retransmissions is a counter of all NFS Retransmissions over a period of time per
10-32Surveyor User’s GuideNo HTTP POST ResponseCounterNo HTTP POST Response is a counter of all POST requests to an HTTP server that never receive a r
10-33Expert FeaturesApplication Layer10No Server ResponseCounterNo Server Response is a counter of responses to server requests that never happen or e
10-34Surveyor User’s GuideSlow HTTP GET ResponseCounterSlow HTTP GET Response is a counter of all Slow HTTP GET Responses that exceed a threshold. A c
10-35Expert FeaturesApplication Layer10Slow HTTP POST ResponseCounterSlow HTTP POST Response is a counter of all HTTP POST responses that exceed a thr
1-4Surveyor User’s GuideAnalyzer DevicesThe full power of Surveyor is realized through optional hardware analyzer cards available from Finisar. Analyz
10-36Surveyor User’s GuideSlow Server ConnectCounterSlow Server Connect is a counter of all server connect responses that exceed a threshold. A count
10-37Expert FeaturesApplication Layer10Slow Server ResponseCounterSlow Server Response is a counter of server responses that exceed a threshold. A cou
10-38Surveyor User’s GuideSMB Invalid Network NameCounterSMB Invalid Network Name is a counter of SMB sessions that could not be established because o
10-39Expert FeaturesApplication Layer10SMB Invalid PasswordCounterSMB Invalid Password is a counter of SMB sessions that could not be established beca
10-40Surveyor User’s GuideSession LayerNo WINS ResponseCounterNo WINS Response is a counter of responses to WINS server requests that never happen or
10-41Expert FeaturesSession Layer10TNS Slow Server ConnectCounterTNS Slow Server Connect is a counter of all TNS server connect responses that exceed
10-42Surveyor User’s GuideTNS Slow Server ResponseCounterTNS Slow Server Response is a counter of TNS server responses that exceed a threshold. A coun
10-43Expert FeaturesTransport Layer10Transport Layer Idle Too LongCounterThe Idle Too Long counter increments when a connection is idle for greater th
10-44Surveyor User’s GuideNon Responsive StationCounterNon Responsive Station is a counter of all non-responsive stations over a period of time per se
10-45Expert FeaturesTransport Layer10TCP Checksum ErrorsCounterTCP Checksum Errors is a counter of all incorrect TCP checksums over a period of time p
1-5IntroductionProtocols Supported1Table 1-4. Protocols Supported in SurveyorMAC Layer TCP/IP Suite TCP/IP Suite (Cont.) TCP/IP Suite (Cont.)IEEE 802.
10-46Surveyor User’s GuideTCP Fast RetransmissionCounterTCP Fast Retransmission is a counter of all TCP retransmissions that are less than a threshold
10-47Expert FeaturesTransport Layer10TCP Frozen WindowCounterThe TCP Frozen Window counter increments when the TCP window is frozen for greater than a
10-48Surveyor User’s Guide__________________________________________________________________Recommended Action(s):1. Upgrade the receiver’s CPU and/or
10-49Expert FeaturesTransport Layer10TCP Long AckCounterThe TCP Long Ack counter increments when the TCP acknowledgment for a connection is not seen f
10-50Surveyor User’s GuideTCP Repeat AckCounterThe TCP Repeat Ack counter increments when the TCP acknowledgment number is less than the immediately p
10-51Expert FeaturesTransport Layer10TCP RetransmissionsCounterTCP Retransmissions is a counter of all TCP Retransmissions over a period of time per s
10-52Surveyor User’s GuideTCP RST PacketsCounterTCP RST Packets is a counter of all TCP RST Packets over a period of time per segment. This variable c
10-53Expert FeaturesTransport Layer10TCP SYN AttackCounterThe TCP SYN Attack counter increments when a change in the number of SYN requests per second
10-54Surveyor User’s GuideTCP Window ExceededCountTCP Window Exceeded is a counter of all events where the data length of a TCP packet exceeds the cur
10-55Expert FeaturesTransport Layer10TCP Window ProbeCounterTCP Window Probe is a counter of all TCP Window Probe events over a period of time per seg
1-6Surveyor User’s GuideOracle Suite IPX/SPX Suite (cont.) LOA Banyan Vines SuiteTNS (TCP/IP only) NetBOIS LOA VARPSQLNET NLSP VICPAppleTalk Phase2 Pa
10-56Surveyor User’s GuideTCP Zero WindowCounterTCP Zero Window is a counter of all TCP Zero Window events over a period of time per segment. A count
10-57Expert FeaturesTransport Layer10Too Many RetransmissionsCounterToo Many Retransmissions is a counter of events where the ratio of retransmissions
10-58Surveyor User’s GuideNetwork Layer Duplicate Network AddressA separate table showing duplicate network addresses is available. Press the button
10-59Expert FeaturesNetwork Layer10HSRP CoupCounterHSRP Coup events are counted in the HSRP Errors counter, which displays in the Overview counters of
10-60Surveyor User’s GuideHSRP ErrorsCounterSome Hot Standby Routing Protocol (HSRP) packets are counted in the HSRP Errors counter, which displays in
10-61Expert FeaturesNetwork Layer10HSRP ResignCounterHSRP Resign events are counted in the HSRP Errors counter, which displays in the Overview counter
10-62Surveyor User’s GuideICMP All ErrorsCounterICMP All Errors is a counter of all ICMP symptoms. A count of all ICMP symptoms displays in the Overvi
10-63Expert FeaturesNetwork Layer10ICMP Bad IP HeaderCounterICMP Bad IP Header events are counted in the ICMP All Errors counter. A count of all ICMP
10-64Surveyor User’s GuideICMP Destination Host Access DeniedCounterICMP Destination Host Access Denied events are counted in the ICMP All Errors and
10-65Expert FeaturesNetwork Layer10ICMP Destination Host UnknownCounterICMP Destination Host Unknown events are counted in the ICMP All Errors and the
1-7IntroductionProtocols Supported1Table 1-5. Supported Multi-Media ProtocolsIBM ISO Intel MPLSNetBEUI CLNP MTP2 CR-LDPNetBIOS CONP MTP3 RSVP-TEESIS R
10-66Surveyor User’s GuideICMP Destination Network Access DeniedCounterICMP Destination Network Access Denied events are counted in the ICMP All Error
10-67Expert FeaturesNetwork Layer10ICMP Destination Network UnknownCounterICMP Destination Network Unknown events are counted in the ICMP All Errors a
10-68Surveyor User’s GuideICMP Destination UnreachableICMP Destination Unreachable is a counter of all ICMP destination unreachable errors over a peri
10-69Expert FeaturesNetwork Layer10 __________________________________________________________________Recommended Action(s):1. Check the routing table
10-70Surveyor User’s GuideICMP Fragment Reassembly Time ExceededCounterICMP Fragment Reassembly Time Exceeded events are counted in the All ICMP Error
10-71Expert FeaturesNetwork Layer10ICMP Fragmentation Needed [D/F set]CounterICMP Fragmentation Needed [D/F set] events are counted in the ICMP All Er
10-72Surveyor User’s GuideICMP Host RedirectCounterICMP Host Redirect events are counted in the ICMP Redirect Errors counter and the ICMP All Errors c
10-73Expert FeaturesNetwork Layer10ICMP Host Redirect for TOSCounterICMP Host Redirect for TOS events are counted in the ICMP Redirect Errors counter
10-74Surveyor User’s GuideICMP Host UnreachableCounterICMP Host Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreach
10-75Expert FeaturesNetwork Layer10ICMP Host Unreachable for TOSCounterICMP Host Unreachable for TOS events are counted in the ICMP All Errors and the
1-8Surveyor User’s GuideWhat's New in Release 5.0A synopsis of what's new in Surveyor 5.0 is provided below.Capture to Disk and THGsE Analyz
10-76Surveyor User’s GuideICMP Inconsistent Subnet MaskCounterICMP Inconsistent Subnet Mask events are counted in the ICMP All Errors counter. A count
10-77Expert FeaturesNetwork Layer10ICMP Network RedirectCounterICMP Network Redirect events are counted in the ICMP Redirect Errors counter and the IC
10-78Surveyor User’s GuideICMP Network Redirect for TOSCounterICMP Network Redirect for TOS events are counted in the ICMP Redirect Errors counter and
10-79Expert FeaturesNetwork Layer10ICMP Network UnreachableCounterICMP Network Unreachable events are counted in the ICMP All Errors and the ICMP Dest
10-80Surveyor User’s GuideICMP Parameter ProblemCounterICMP Parameter Problem events are counted in the ICMP All Errors counter. A count of all ICMP e
10-81Expert FeaturesNetwork Layer10ICMP Port UnreachableCounterICMP Port Unreachable events are counted in the ICMP All Errors and the ICMP Destinatio
10-82Surveyor User’s GuideICMP Protocol UnreachableCounterICMP Protocol Unreachable events are counted in the ICMP All Errors and the ICMP Destination
10-83Expert FeaturesNetwork Layer10ICMP RedirectCounterICMP Redirect is a counter of all ICMP redirect errors over a period of time per segment. A cou
10-84Surveyor User’s GuideICMP Required IP Option MissingCounterICMP Required IP Option Missing events are counted in the ICMP All Errors counter. A c
10-85Expert FeaturesNetwork Layer10ICMP Source QuenchCounterICMP Source Quench events are counted in the ICMP All Errors counter. A count of all ICMP
1-9IntroductionWhat's New in Release 5.01Expanded Multi-QoS SupportThe Multi-QoS software has been expanded to recognize a broader range of VoIP
10-86Surveyor User’s GuideICMP Source Route FailedCounterICMP Source Route Failed events are counted in the ICMP All Errors and the ICMP Destination U
10-87Expert FeaturesNetwork Layer10ICMP Time ExceededCounterICMP Time Exceeded events are counted in the ICMP All Errors counter. A count of all ICMP
10-88Surveyor User’s GuideICMP Time to Live ExceededCounterICMP Time to Live Exceeded events are counted in the ICMP All Errors counter. A count of al
10-89Expert FeaturesNetwork Layer10Illegal Network Source AddressCounterIllegal Network Source Address is a counter of all illegal network source addr
10-90Surveyor User’s GuideIP Checksum ErrorsCounterIP Checksum Errors is a counter of all incorrect IP checksums over a period of time per segment. A
10-91Expert FeaturesNetwork Layer10IP Time to Live ExpiringCounterIP Time to Live Expiring is a counter of all expiring connections over a period of t
10-92Surveyor User’s GuideISL BPDU/CDP PacketsCounterISL BPDU/CDP Packets is a counter of all Bridge Protocol Data Unit (BPDU) or Cisco Discovery Prot
10-93Expert FeaturesNetwork Layer10ISL Illegal VLAN IDCounterISL Illegal VLAN ID is a counter of all ISL illegal VLAN IDs over a period of time per se
10-94Surveyor User’s GuideOSPF BroadcastsCounterOSPF Broadcasts is a counter of all OSPF broadcasts over a period of time per segment. A count of all
10-95Expert FeaturesNetwork Layer10RIP BroadcastsCounterRIP Broadcasts is a counter of all RIP broadcasts over a period of time per segment. A count o
Surveyor User’s Guide iiiRestricted Rights LegendUse, duplication, or disclosure by the Government is subject to restrictions as set forth in subdivis
1-10Surveyor User’s Guide
10-96Surveyor User’s GuideRouter StormCounterRouter Storm is a counter of all events where the router broadcasts exceed a threshold for a single route
10-97Expert FeaturesNetwork Layer10Same Network AddressesCounterSame Network Addresses is a counter of all events where the same source and destinatio
10-98Surveyor User’s GuideSAP BroadcastsCounterSAP Broadcasts is a counter of all SAP broadcasts over a period of time per segment. A count of all SAP
10-99Expert FeaturesNetwork Layer10Total Router BroadcastsCounterTotal Router Broadcasts is a counter of all total router broadcasts over a period of
10-100Surveyor User’s GuideUnstable MSTCounterThe Unstable MST counter increments when a change in the number of MST topology changes per second excee
10-101Expert FeaturesNetwork Layer10Zero Broadcast AddressCounterZero Broadcast Address is a counter of all events where the destination network addre
10-102Surveyor User’s GuideMAC Layer Bad FramesCounterBad Frames is a counter of all bad frames over a period of time per segment. A count of all bad
10-103Expert FeaturesMAC Layer10Broadcast/Multicast StormsCounterThe Broadcast/Multicast Storms counter increments when a change in the number of tota
10-104Surveyor User’s GuideCRC Frame counterCounterThe CRC Frame counter increments when a frame has a CRC error and is greater than 63 bytes in lengt
10-105Expert FeaturesMAC Layer10Excessive ARPCounterThe Excessive ARP counter increments when a change in the number of ARP requests per second exceed
2-1Chapter 22 InstallationSystem RequirementsThe system requirements for installing and running the Surveyor software are shown in the table below.*Th
10-106Surveyor User’s GuideExcessive BOOTPCounterThe Excessive BOOTP counter increments when a change in the number of BOOTP/DHCP requests per second
10-107Expert FeaturesMAC Layer10Excessive BroadcastsCounterExcessive Broadcasts is a counter that can be used to monitor fluctuations in the number of
10-108Surveyor User’s GuideExcessive CollisionsCounterExcessive Collisions is a counter that can be used to monitor fluctuations in the number of coll
10-109Expert FeaturesMAC Layer10Excessive MulticastsCounterExcessive Multicasts is a counter that can be used to monitor fluctuations in the number of
10-110Surveyor User’s GuideFragment FrameCounterThe Fragment Frame counter increments when a frame has a CRC error and is less than 64 bytes in length
10-111Expert FeaturesMAC Layer10Illegal MAC Source AddressCounterIllegal MAC Source Address is a counter of all illegal MAC station source addresses o
10-112Surveyor User’s GuideJabber FrameCounterThe Jabber Frame counter increments when a frame has a CRC error and is greater than 1518 bytes in lengt
10-113Expert FeaturesMAC Layer10Network OverloadCounterNetwork Overload is a counter of instances where a threshold for the percentage change in netwo
10-114Surveyor User’s GuideNew MAC StationsCounterNew MAC Stations is a counter of all the new MAC stations over a period of time per segment. A thres
10-115Expert FeaturesMAC Layer10Oversized FrameCounterThe Oversize Frame counter increments when a frame has a CRC error and is greater than 1518 byte
2-2Surveyor User’s GuideSee the Readme file for the latest information on supported analyzers and adapters for Surveyor 5.0.Upgrading SurveyorIf you h
10-116Surveyor User’s GuideOverload Frame RateCounterOverload Frame Rate counts frames over a one-second time period. A threshold for the number of fr
10-117Expert FeaturesMAC Layer10Overload Utilization PercentageCounterOverload Utilization Percentage counts bits over time and compares this value to
10-118Surveyor User’s GuidePhysical ErrorsCounterThe Physical Errors counter increments when a change in the number of total MAC physical errors per s
10-119Expert FeaturesMAC Layer10Runt FrameCounterThe Runt Frame counter increments when a frame is less than 64 bytes in length. The Runt Frame counte
10-120Surveyor User’s GuideSame MAC AddressesCounterSame MAC Addresses is a counter of all events where the same source and destination network addres
10-121Expert FeaturesMAC Layer10Total MAC StationsCounterTotal MAC Stations is a counter of all the MAC stations over a period of time per segment. A
10-122Surveyor User’s GuideHints and Tips for Expert Features• Double-click any symptom in a table to view Diagnostic information.• When looking at Ex
10-123Expert FeaturesSummary of Expert Counters and Symptoms10Summary of Expert Counters and SymptomsTable Table 10-2 on the following page provides a
10-124Surveyor User’s GuideTable 10-2. Summary of Expert FeaturesCounter, Symptom, or ApplicationExpert SymptomExpertAnalysesCounter in Expert ViewExp
10-125Expert FeaturesSummary of Expert Counters and Symptoms10Counter, Symptom, or ApplicationExpert SymptomExpertAnalysesCounter in Expert ViewExpert
2-3InstallationInstalling Surveyor2Installing SurveyorBegin by installing any local hardware analyzer cards and/or adapter cards. Hardware analyzer ca
10-126Surveyor User’s GuideCounter, Symptom, or ApplicationExpert SymptomExpert AnalysisCounter in Expert ViewExpert AlarmApplication Response Time Al
10-127Expert FeaturesSummary of Expert Counters and Symptoms10Counter, Symptom, Analyses, or ApplicationExpert SymptomExpert AnalysisCounter in Expert
10-128Surveyor User’s GuideCounter, Symptom, or ApplicationExpert SymptomExpert AnalysisCounter in Expert ViewExpert AlarmApplication Response Time Al
10-129Expert FeaturesSummary of Expert Counters and Symptoms10Counter, Symptom, or ApplicationExpert SymptomExpert AnalysisCounter in Expert ViewExper
10-130Surveyor User’s GuideCounter, Symptom, or ApplicationExpert SymptomExpert AnalysisCounter in Expert ViewExpert AlarmApplication Response Time Al
11-1Chapter 1111 Multi-QoSMulti-QoS is a software plug-in to Surveyor that analyzes multimedia traffic over Ethernet-based networks. Multi-QoS validat
11-2Surveyor User’s GuideFull decode of multimedia protocols by Multi-QoS provides users with the ability to look at any captured packet and understan
11-3Multi-QoSMulti-QoS User Interface Overview11Multi-QoS User Interface OverviewThe Surveyor Multi-QoS interface can be used with capture files, a ca
11-4Surveyor User’s GuideFigure 11-1. Multi-QoS Interface OverviewCapture ViewMulti-QoSMonitor ViewMulti-QoSAll CallsCall DetailView Channel DetailsC
11-5Multi-QoSMulti-QoS User Interface Overview11• Summary Range GraphsThe Summary Range graphs provide a percentage breakdown of calls by key QoS metr
2-4Surveyor User’s GuideInstalling Analyzer Hardware The sections below provide installation information for the Finisar analyzer cards in different h
11-6Surveyor User’s GuideAlso, the jitter calculation for Surveyor only measures network jitter. The application itself may implement a jitter buffer,
11-7Multi-QoSConfiguring Multi-QoS11The configuration performed from the Configuration tab is described below:•Refresh Options (MQoS Window Management
11-8Surveyor User’s GuideSetting this value to a high number may help in identifying a wider range of calls, but may also decrease performance. The de
11-9Multi-QoSAll Calls Table11All Calls TableThe All Calls table provides a summary table of all calls discovered. An example of the All Calls table i
11-10Surveyor User’s GuideField Descriptions for All Calls TableThe following table provides brief descriptions of all fields in the All Calls table.T
11-11Multi-QoSCall Range Graphs and Summaries11Call Range Graphs and SummariesEach tab in the interface except the utilization and configuration tabs
11-12Surveyor User’s GuideRanges for the graph can be changed. An example configuration screen for setting Call Jitter ranges is shown below. All valu
11-13Multi-QoSCall Range Graphs and Summaries11Dropped Packets, RTCP Dropped PacketsFigure 11-6 shows an example of the Dropped Packets tab in the Mul
11-14Surveyor User’s GuideAn example configuration screen for setting Dropped Packet ranges is shown below. Figure 11-7. Multi-QoS Configuration, Pac
11-15Multi-QoSCall Range Graphs and Summaries11Field Descriptions for Call Range SummariesThe following tables provide brief descriptions of all table
2-5InstallationInstalling Analyzer Hardware22. Install the THGm card in your system. This requires opening the case of your computer, inserting the ca
11-16Surveyor User’s GuideVQMon MetricsThere are a variety of objective factors that contribute to call quality. Some of these factors, such as packet
11-17Multi-QoSVQMon Metrics11If you would like more detailed information about how R-factors are calculated, please call Finisar customer support. The
11-18Surveyor User’s Guide Figure 11-9. Multi-QoS Configuration, R-factor RangesThe default ranges for Network R-factor and User R-factor are shown i
11-19Multi-QoSUtilization Graph11Utilization GraphWhen selected in Monitor mode, Multi-QoS displays the Utilization tab. The utilization graphs provid
11-20Surveyor User’s GuideField Descriptions for Call DetailsTo view all details for any call, double-click on any call summary (row) in a call summar
11-21Multi-QoSField Descriptions for Call Details11The following tables provide brief descriptions of all fields in the Call Detail win-dow for SCCP,
11-22Surveyor User’s GuideTable 11-8. H.323 Call Field DescriptionsField Name DescriptionFrame ID Frame ID of the first frame from which the conversat
11-23Multi-QoSField Descriptions for Call Details11Table 11-9. SIP Call Field DescriptionsField Name DescriptionFID Frame ID of the first frame from w
11-24Surveyor User’s GuideTable 11-10. UNKNOWN Call Field DescriptionsChannel Table DetailsYou can look at channel information for any call. Single-cl
11-25Multi-QoSChannel Table Details11Figure 11-12. Channel Table ExampleTable 11-11 and Table 11-12 describe the columns in the table for each protoc
2-6Surveyor User’s Guide• The Ethernet card uses a CardBus interface. • Separate installation instructions are provided for Windows NT. Installation o
11-26Surveyor User’s GuideTable 11-11. H.323, SIP, or UNKNOWN Channel Table Column DescriptionsTable Column DescriptionChannel Channel type, Audio, Vi
11-27Multi-QoSChannel Table Details11Max Jitter (ms) Maximum Jitter in milliseconds. The value is calculated by Surveyor. Surveyor uses the formula de
11-28Surveyor User’s GuideTable 11-12. SCCP Channel Table Column DescriptionsTable Column DescriptionChannel Channel type, Audio, Video, or Data.Min U
11-29Multi-QoSChannel Table Details11Filtering on Single ChannelsYou can filter on channels within a single call. For the Channel View table, the filt
11-30Surveyor User’s GuideCustomizing Multi-QoS Table Displays You can customize the display of table information for Multi-QoS to include or exclude
11-31Multi-QoSCustomizing Multi-QoS Table Displays11Customizing Channel TablesThe channel table is different for each call type, H.323, SIP, or SCCP.
11-32Surveyor User’s GuideExporting Multi-QoS DataYou can export Multi-QoS tables to CSV format. Multi-QoS data in .csv format can be imported to many
11-33Multi-QoSExporting Multi-QoS Data11Exporting a Single Multi-QoS Table to CSV Format Perform these steps to export the current Multi-QoS table to
11-34Surveyor User’s Guide
12-1Chapter 1212 CountersSurveyor provides sophisticated counters to enable you to precisely monitor network activity. Surveyor features three types o
2-7InstallationInstalling Analyzer Hardware28. Insert the Surveyor CD in the CDROM drive.9. Enter the path of the Ethernet Driver directory (<CDROM
12-2Surveyor User’s GuideThe following packet counters are supported:• Total Frames• Broadcast Frames• Multicast Frames• Unicast Frames• Error Frames•
12-3CountersError Counters12Fragments The total number of packets received that were less than 64 octets and had either an FCS/CRC error or an Alignme
12-4Surveyor User’s GuideTable 12-3 contains an alphabetical list, with descriptions, of Surveyor’s Token Ring error counters.Table 12-3. Alphabetical
12-5CountersExpert Counters12Expert CountersExpert counters count the number of Export events discovered by Surveyor’s expert logic. Some counters are
12-6Surveyor User’s GuideCounter Type DescriptionICMP Destination Unreachable The number of ICMP destination unreachable errors over a period of time
12-7CountersExpert Counters12Counter Type DescriptionOverload Utilization Percent-ageCounts bits over time and compares this value to the maximum uti-
12-8Surveyor User’s GuideCounter Type DescriptionTCP/IP Repeat Ack The number of TCP/IP Repeat Ack events over a period of time per segment.TCP/IP Re
12-9CountersMulti-QoS Counters12Multi-QoS CountersMulti-QoS counters count the number of packet events discovered by Surveyor’s Multi-QoS plug-in. The
12-10Surveyor User’s GuideLog Directory StructureThe following is the directory structure for log files. The root directory is the instal-lation direc
13-1Chapter 1313 UtilitiesSurveyor includes the following utilities to enhance your ability to manage your Ethernet, Token Ring, or Fast Ethernet netw
2-8Surveyor User’s Guide5. To update the device driver, click with the right mouse on My Network Places. Select Properties from the menu.6. Double-cli
13-2Surveyor User’s GuideName Table UtilityA name table provides associations between easy-to-remember symbolic names (Mickey) and hard-to-remember ne
13-3UtilitiesName Table Utility13Figure 13-1. Example Name Table Dialog BoxThere are several options you can set for the display and recording of nam
13-4Surveyor User’s GuideName tables are limited to 5,000 entries. The Maximum Number of Entries field in the Name Table Settings dialog box must be a
13-5UtilitiesNIS-to-Name Table Conversion Utility13NIS-to-Name Table Conversion UtilityThe NIS2NAM.SH utility converts an NIS name table on a UNIX sys
13-6Surveyor User’s GuideSniffer™ Translator UtilityTranslators convert captured data back and forth between Surveyor capture file for-mat (.cap files
13-7UtilitiesConvert Capture Files to Histogram Files13• Capture memory size• Error counters supported• MAC address• Module type• Buffer size• Vendor
13-8Surveyor User’s GuideExtract Frames From a File Using a FilterThis utility allows you to extract frames from existing capture files, using a filte
13-9UtilitiesExport Utilities13To export packet decode information, do the following:1. Set the Summary Pane of the Capture View window to display the
13-10Surveyor User’s Guidenetworks. Surveyor exports data into a special .csv file format that can be easily read by the Optimal Performance product.P
13-11UtilitiesExport Utilities135. Switch to the previously opened Charts window. To change windows, pull down the Windows menu and click on Charts.6.
2-9InstallationCompatibility Matrix2Compatibility MatrixTable 2-3. Hardware/Software Compatibility Matrix FinisarTHGmPortable Surveyor 10/100 Ethernet
13-12Surveyor User’s Guide
A-1Appendix AAImplementation ProfileBuffersThree types of buffers are essential to the execution of Surveyor’s features:How Resources Use BuffersSurve
A-2SurveyorUser’s GuideTable A-2. Resource Use of BuffersResource Buffer UsageTHGm (Ten/Hundred/Gigabit module)THGm is a high speed network analyzer c
Implementation ProfileHardware DependenciesAA-3Hardware DependenciesThe tables that follow in this section list functions supported by Surveyor that h
A-4SurveyorUser’s GuideTable A-5. Hardware Capture FunctionsCapture Functions NDIS Card THGmPortable Surveyor 10/100 Ethernet Analyzer CardCapture Buf
Implementation ProfileAbout NDIS ModeAA-5About NDIS ModeSurveyor in NDIS mode uses an NDIS driver and interfaces to a variety of network adapters. All
A-6SurveyorUser’s GuideNDIS Configuration OptionsSetting the InterfaceThe Interface and Interface Mode options are grayed on the Module menu when an N
B-1Appendix BBPre-Defined Filter TemplatesFilter TemplatesAll filter templates supplied with Surveyor are described below. Templates are defined by an
B-2SurveyorUser’s GuideTable B-1. Surveyor Filter Templates, Ethernet EV2Filter Template Description Offset Value No. of Filters UsedAppleTalk Collect
Pre-Defined Filter TemplatesFilter TemplatesBB-3Table B-2. Surveyor Filter Templates, IP and IPX over Ethernet EV2Filter Template Description Offset V
Surveyor User’s GuideivAbout This GuideThis guide provides descriptions of the software components, features, and capabilities of the Surveyor product
2-10Surveyor User’s Guide
B-4SurveyorUser’s GuideFilter Template Description Offset Value No. of Filters UsedRIP (IPX) Collect all frames with a RIP port in IPX packet types em
Pre-Defined Filter TemplatesFilter TemplatesBB-5Table B-3. Surveyor Filter Templates, TCP/IP over Ethernet EV2Filter Template Description Offset Value
B-6SurveyorUser’s GuideFilter Template Description Offset Value No. of Filters UsedQ.931 Collect all frames with a Q.931 port when TCP is embedded in
Pre-Defined Filter TemplatesFilter TemplatesBB-7Table B-4. Surveyor Filter Templates, UDP/IP over Ethernet EV2Filter Template Description Offset Value
B-8SurveyorUser’s GuideFilter Template Description Offset Value No. of Filters UsedNTP Collect all frames with an NTP port when UDP is embedded in Eth
Pre-Defined Filter TemplatesFilter TemplatesBB-9Table B-5. Surveyor Filter Templates, Ethernet LLC/NovellFilter Template Description Offset Value No
B-10SurveyorUser’s GuideTable B-6. Surveyor Filter Templates, Ethernet SNAPFilter Template Description Offset Value No. of Filters UsedSNAP Collect
Pre-Defined Filter TemplatesFilter TemplatesBB-11Table B-7. Surveyor Filter Templates, Ethernet ISLFilter Template Description Offset Value No. of Fil
B-12SurveyorUser’s GuideFilter Template Description Offset Value No. of Filters UsedISL_LDAP Collect all frames with LDAP ports when TCP is embedded
Pre-Defined Filter TemplatesFilter TemplatesBB-13Filter Template Description Offset Value No. of Filters UsedISL_SMTP Collect all frames with SMTP p
3-1Chapter 33 Getting StartedThe Surveyor SystemA complete Surveyor system consists of Surveyor software and at least one Finisar distributed net QoS
B-14SurveyorUser’s GuideTable B-8. Standard Filter Templates, Token RingFilter Template Description Offset Value No. of Filters UsedMAC_Active_Monit
Pre-Defined Filter TemplatesFilter TemplatesBB-15Filter Template Description Offset Value No. of Filters UsedMAC_Report_NAUM_Change Collect all Report
B-16SurveyorUser’s GuideFilter Template Description Offset Value No. of Filters UsedMAC_Ring_Purge Collect all Ring Purge Token Ring MAC frames.117HEX
C-1Appendix CCKeyboard ShortcutsFunction KeysFunction keys perform different operations depending on the window from which they are used. A table of t
C-2SurveyorUser’s GuideStandard and Navigational KeysFunction keys perform different operations depending on the window from which they are used. Tabl
Keyboard ShortcutsStandard and Navigational KeysCC-3Table C-6. Shortcut Keys from the Capture Filter WindowKey(s) ActionCtrl + N Bring up new default
C-4SurveyorUser’s Guide
D-1Appendix DDParser NamesRecognized Parser Names The Parser Names recognized by Surveyor are organized by protocol suite in the following tables. Par
D-2SurveyorUser’s GuideTable D-3. Parser Names, Apple Talk SuiteParser Name Protocol NameAARP AppleTalk Address Resolution ProtocolADSP AppleTalk Data
Parser NamesRecognized Parser NamesDD-3Table D-5. Parser Names, Cisco SuiteParser Name Protocol NameCDP Cisco Discovery ProtocolDISL Dynamic Inter-Swi
3-2Surveyor User’s Guideeach port on which you have installed a THGm analyzer card. Do not select ports for other devices. Click OK.Use the Local Port
D-4SurveyorUser’s Guide Table D-8. Parser Names, IBM SuiteParser Name Protocol Name3270 3270 TerminalNETBEUI NetBIOS Extended User InterfaceSNA Server
Parser NamesRecognized Parser NamesDD-5BOOTP Bootstrap ProtocolDHCP Dynamic Host Configuration ProtocolDNS Domain Name ServerFTP File Transfer Protoco
D-6SurveyorUser’s Guide SGCP Simple Gateway Control ProtocolSMTP Simple Mail Transfer ProtocolSNMP Simple Network Management Protocol (versions 1, 2,
Parser NamesRecognized Parser NamesDD-7NBCAST Netware Broadcast Message Protocol NCP Netware Core ProtocolNDS Netware Directory Services NLSP Netware
D-8SurveyorUser’s GuideTable D-14. Parser Names, H.323 SuiteParser Name Protocol NameASN.1 Abstract Syntax Notation 1H323GD H.323 - Gatekeeper Discove
Parser NamesRecognized Parser NamesDD-9Table D-16. Parser Names, Cisco IP Telephony SuiteParser Name Protocol NameSSP Skinny Station ProtocolSCCP Skin
D-10SurveyorUser’s Guide
Glossary-1Glossary.CAP extensionFile extension for all capture files. .CFD extensionFile extension for all capture filters. .DFD extensionFile extensi
Glossary-2SurveyorUser’s GuideAlarm BrowserA window used to list, select, and set alarms. Alarm Falling ThresholdFalling threshold value to be compare
Glossary (continued)Glossary-3Application Response TimeThe time required to establish a session with an application protocol, measured in milliseconds
3-3Getting StartedBasic Navigation Tips35. THGm analyzer cards have two interfaces, RJ45 for 10/100 copper wire and a G-BIC for 1000 Mbps fiber optic.
Glossary-4SurveyorUser’s GuideCapture ModeThe mode in which Surveyor receives network data and stores it in the Capture Buffer. Capture ViewA window f
Glossary (continued)Glossary-5Detail ViewThe primary monitoring view for a single network resource. Multiple views of each resource can display in the
Glossary-6SurveyorUser’s GuideExpert ViewSurveyor data view showing expert symptoms and expert counters for a time period.FragmentsA counter showing t
Glossary (continued)Glossary-7HostA computer upon which a particular program or resource is located. In the context of Surveyor, the host is the compu
Glossary-8SurveyorUser’s GuideMode of OperationDefines the current relationship between Surveyor and a resource. Surveyor can transmit data from a res
Glossary (continued)Glossary-9NISName Information Service. OversizeA counter showing the total number of packets received that were longer than the 15
Glossary-10SurveyorUser’s GuidePacket TypeThe type of packet sent in transmission mode. Packet types are IP, IPX, ARP, and AARP, or any other type spe
Glossary (continued)Glossary-11Root StatementThe first statement in all capture filters. Specifies global variables and global val-ues.SA Source addre
Glossary-12SurveyorUser’s GuideTHGm (Ten/Hundred/Gigabit module)A hardware device available from Finisar that allows the capture/transmit of net-work
Glossary (continued)Glossary-13Traffic RateWhen transmitting from Surveyor, a percentage of the maximum capacity of the network to carry packets.Trans
3-4Surveyor User’s GuideYou can also access Capture View from Summary View to view a Capture file. From Summary View, click the button in the Survey
Glossary-14SurveyorUser’s GuideVoice over IP (VoIP)Industry term for the carrying of voice traffic over the Internet Protocol. This term is sometimes
Index-1IndexSymbols.CAP File Extension 3-18.CFD File Extension 3-18.DFD File Extension 3-18.HST File Extension 3-18.NAM File Extension 3-18.TSP File E
Index-2SurveyorUser’s Guide–B–Bad Frames 12-5bitmaps, exporting 13-9Bridge Protocol Data Unit (BPDU) 10-92Broadcast/Multicast Storms 10-103, 12-5Buff
Index-3Index (continued)Token Ring, list of 12-4Excessive BOOTP 10-106Excessive Broadcasts 10-107Excessive Collisions 10-108Excessive Mailslot Broadca
Index-4SurveyorUser’s GuideICMP Fragmentation Needed 10-71DA and SA fields 8-10DA field 8-3Data field 8-3Data views 6-1, 6-18Address Map View 6-34App
Index-5Index (continued)CRC Frame 10-104Duplicate Network Address 10-58Excessive ARP 10-105Excessive BOOTP 10-106Excessive Mailslot Broadcasts 10-20Fr
Index-6SurveyorUser’s Guide–F–Filter Actions 7-13Capture 7-14Counter 7-14display 7-15Filter Example, Advanced Filter 7-29Filter Example, Capture Conve
Index-7Index (continued)–K–Keyboard shortcuts C-2–L–Launching 3-1layers, expert system 10-6learn addresses 13-3learn names 13-2remote resources 13-4Li
Index-8SurveyorUser’s GuideNCP Server Busy 12-6NCP Too Many File Retransmissions 10-28NCP Too Many Request Loops 10-30NCP Too Many Requests Denied 10-
Index-9Index (continued)Set Default button 4-12protocols in conversations 7-5, 7-7protocols supported 1-4–Q–Quality of Service 11-1–R–RAM 2-1Range Ed
3-5Getting StartedBasic Navigation Tips3• If you have the Expert plug-in, use the button in Detail View to bring up the expert views.• If you have t
Index-10SurveyorUser’s GuideDelete 8-4Edit Data 8-4Modify 8-4Stream contents 8-3Stream modes 8-7Frame Rate 8-7Packet Gap 8-7Traffic Rate 8-7Stream siz
Index-11Index (continued)Capture View toolbar 3-15Address Map View button 3-17Application Layer Host Table View button 3-16Application Layer Matrix Vi
Index-12SurveyorUser’s GuideTotal MAC stations 10-121Total Router Broadcasts 12-8Total Tx Collision Counter 12-3Traffic direction indicator 7-5, 7-7T
Index-13Index (continued)resizing docking windows 4-1–X–X offsets (wildcard) 8-10–Z–Zero Broadcast Address 10-101
Index-14SurveyorUser’s Guide
3-6Surveyor User’s GuideButtons and ToolbarsSurveyor ToolbarOpen buttonOpens a file, typically a capture file (.CAP). A dialog box displays showing al
3-7Getting StartedButtons and Toolbars3Capture Mode buttonPlaces the currently selected resource in capture mode. This button is gray if the resource
3-8Surveyor User’s GuideDetail View ToolbarSave buttonSaves the current contents of the capture buffer to a file. A dialog box displays, allowing you
3-9Getting StartedButtons and Toolbars3Capture Filter buttonDisplay the Capture Filter window. The window displays a previously opened filter or the d
vTable of ContentsChapter Page1 Introduction ... 1-1Surveyor Functions
3-10Surveyor User’s GuideData Views Toolbar (Expert and Multi-QoS buttons)Ring Statistics View button (Token Ring Only)Brings up tables showing in
3-11Getting StartedButtons and Toolbars3Host Table View buttonSelects Host Table View for viewing information. You can see MAC stations and their asso
3-12Surveyor User’s GuideRefresh buttonUpdate the information in all open views.Duplicate Address Button (Expert plug-in only)Brings up a table showin
3-13Getting StartedButtons and Toolbars3Filter Design ToolbarCreate Filter buttonCreates a new filter. The default window appears for the Filter Desig
3-14Surveyor User’s Guideare designated with an extension of .CFD files and display filters with an extension of .DFD.Save Filter buttonSaves the curr
3-15Getting StartedButtons and Toolbars3Capture View Toolbar Open File buttonOpens a capture file (.CAP
3-16Surveyor User’s GuideResume Load buttonCapture files are loaded to Capture View as a background process. Pressing this button resumes the backgrou
3-17Getting StartedButtons and Toolbars3Host Matrix View buttonSelects Host Matrix View for viewing captured information. You can see all conversation
3-18Surveyor User’s GuideFile FormatsThe following file formats are supported in Surveyor:.HST Extension – Capture FilesFile extension for capture da
3-19Getting StartedProviding a Name Table to Surveyor3Providing a Name Table to Surveyor A default name table file, hosts.nam, is included with the so
viSurveyor User’s GuideDetail View Toolbar ... 3-8Data Views Toolbar ...
3-20Surveyor User’s GuideEstablishing Links for THGm The THGm is often connected to a device that cannot auto negotiate the connection, such as when m
4-1Chapter 44 Configuring SurveyorConfiguring the InterfaceIn Surveyor, you can control the appearance of windows, the primary monitor view, the appea
4-2Surveyor User’s Guidecompletely close a docking window. If you close a docking window, use the options from the View menu to get the window back.Yo
4-3Configuring SurveyorConfiguring the Interface4Use the middle portion of the dialog box to set up the display of the Summary column. The Summary col
4-4Surveyor User’s GuideUse the bottom portion of the dialog box to set the point from which Surveyor will measure time when calculating and displayin
4-5Configuring SurveyorConfiguring the Interface4Setting Histogram Zoom FactorSet the Zoom Factor changes the number of data points that remain in the
4-6Surveyor User’s GuideConfiguring Chart ViewsProtocol distribution view and frame size distribution view can be customized using buttons within the
4-7Configuring SurveyorModule Settings (Properties)4Module Settings (Properties)Module settings configure options for the capture, monitor, and transm
4-8Surveyor User’s GuideModule settings are described in the subsections below. Default values for Module Settings are shown in Table 4-4:Buffer SizeP
4-9Configuring SurveyorModule Settings (Properties)4For THGm modules, the default is no packet slicing (full packet length). For THGm, the slicing siz
viiContents (continued)Advanced Configuration... 4-20surveyor.ini File...
4-10Surveyor User’s Guidewill be listed in the Application Tables as in the following example: UDP non-WKP:4620This feature only affects the tables or
4-11Configuring SurveyorSystem Settings42. A dialog box appears showing the ports within the local system. Check the box of only those ports you want
4-12Surveyor User’s GuideProtocol Color CodingSurveyor provides a real-time protocol decode called Packet Summary View and protocol decodes in Capture
4-13Configuring SurveyorSystem Settings4:Table 4-7. Strip Chart Display TimersThe values for polling timers must be between 1 and 214783647 seconds. T
4-14Surveyor User’s GuideDisk Options Surveyor supports saving and examining very large capture files. Two disk options are available to support large
4-15Configuring SurveyorConfiguring Alarms4Configuring Counter LoggingCounter log files contain snapshots of Surveyor counter information. All MAC lay
4-16Surveyor User’s GuideUsing E-mail with Surveyor is turned off by default. If you want to use this feature, you must reset a parameter in the Surve
4-17Configuring SurveyorConfiguring a Multi-Port Tap or Switch4The Surveyor software can be used to control which LAN segment is selected by the tap o
4-18Surveyor User’s Guide4. Use the Bypass check boxes to set any network segments that you want to restrict from being used with the analyzer. Any se
4-19Configuring SurveyorSettings for Analyzer Devices42. Click on the icon for the remote analyzer device in the Resource Browser.3. Choose Properties
viiiSurveyor User’s GuideNetwork Layer Matrix View ... 6-30Application Layer Matrix View...
4-20Surveyor User’s Guide8. Enter the IP address of a server that runs BOOTP and/or TFTP protocols in the IP Boot Server field.9. If you are updating
4-21Configuring SurveyorAdvanced Configuration4directory and will use that file for its diagnostic information. If no EXPERT-MSG.INI file is found in
4-22Surveyor User’s Guide<port num> is a two-byte value that appears in a port fields of a TCP or UPD packet header. It identifies the protocol
4-23Configuring SurveyorAdvanced Configuration4Example 2Assume that a company is using a proprietary protocol named “Company X Proto-col” that uses UP
4-24Surveyor User’s GuideHow Surveyor Assigns Protocol NamesSurveyor explicitly monitors a predefined set of protocols/applications that use TCP or UD
4-25Configuring SurveyorAdvanced Configuration4Monitoring Non Well-Known PortsSurveyor also collects information about a subset of ports that fall out
4-26Surveyor User’s GuideAssigning TCP or UDP Ports to Protocol ParsersUse the ANALYSIS.INI file to assign any built-in Surveyor parser to a TCP or UD
4-27Configuring SurveyorAdvanced Configuration4thermore suppose the network administrator only wants to decode TCP port 11964 when associated with IP
4-28Surveyor User’s Guide
5-1Chapter 55 Resources and ModesSurveyor can gather statistical information and view network data from a variety of hardware sources. The types of in
ixContents (continued)Stream Modes ... 8-7Bursts ...
5-2Surveyor User’s GuideDouble-click on a resource to display a default view of the resource in Summary View. If a remote resource is protected, you a
5-3Resources and ModesRemote Resources5 Figure 5-1. Remote Host ConnectionsLocalLANSegmentNDIS network adapter,CMM or CMM2BoardRemoteLANSegmentSurvey
5-4Surveyor User’s GuideNaming Remote IP Resources (Aliases)The Resource Browser initially displays all nodes on a subnet using the IP Address. Users
5-5Resources and ModesRemote Resources5Hovering the mouse over a top-level node which has an alias displays the name with the IP Address in parenthesi
5-6Surveyor User’s GuideModesModes are applied to resources. Each resource can be in a different mode. The modes available with Surveyor depend on the
5-7Resources and ModesHardware Devices5.Table 5-3. Hardware Device CapabilitiesDevice Hardware Device CapabilitiesTHGm (Ten/Hun-dred/Thousand module)T
5-8Surveyor User’s GuideSynchronized ResourcesSynchronized resources are multiple hardware devices (two THGm) that have been connected so that they us
5-9Resources and ModesHints and Tips for Resources5resources are recognized by the synchronized resource icon in the Resource Browser. Synchronizing r
5-10Surveyor User’s Guide• Use synchronized THGm modules for full-duplex capture.• For options to be displayed under the Host menu, you must select th
6-1Chapter 66 ViewsThere are numerous ways to view data from Surveyor. This section describes the primary windows you use to view data, and the actual
Commentaires sur ces manuels