Understanding LAN Traffic Analysis

ZENworks for Servers 3 LAN traffic analysis is made up of several components that work together to collect, store, and display information about data packets that are being sent on your network. ZENworks for Servers 3 provides tools that enable you to capture and decode the packets as they are sent from one node to another, which enables you to better analyze the traffic. The following sections describe the ZENworks for Servers 3 LAN traffic components, how they communicate, and the functionality of their agents.

Understanding LAN Traffic Components

The ZENworks for Servers 3 LAN traffic analysis system is made up of three main components: the management server, the management console, and the monitoring agent server.

Discussing the Management Server

The management server component of ZENworks for Servers 3 LAN traffic analysis is installed on the management site server. It comprises an extremely scalable Sybase database that stores static information such as network names and LAN addresses of servers, routers, switches, and other nodes on you network.

The management server components include the NetExplorer, a consolidator, and the Atlas Manager (discussed in Chapter 9, "Preparing and Using ZENworks for Servers 3 Network Discovery"). These components gather information about manageable devices on the network and store that information in the management database. The management database is a Common Information Model-2 (CIM-2) database that stores network data used to establish the network's topology. ZENworks for Servers 3 extends the CIM-2 model to enable you to organize the information in the database and create a topology map.

About the Management Console

The management console component of ZENworks for Servers 3 LAN traffic analysis is installed on the management client in the form of snap-ins to the ConsoleOne utility (discussed in Chapter 8, "Understanding ZENworks for Servers 3 Management Services"). These snap-ins provide an intuitive, graphical method to access data collected by the ZENworks for Servers 3 LAN traffic analysis agents.

Exploring the Monitoring Agent Server

The final component of the ZENworks for Servers 3 LAN traffic analysis system is the monitoring agent server. The monitoring agent server is a server with network monitoring agent software installed on it. There must be one monitoring agent server per segment.

The monitoring agent server enables you to analyze a segment by searching the network and gathering information about network traffic. You can then use that information to analyze the LAN traffic on your network.

The network monitoring agents monitor network traffic and capture frames to build a database of objects in the network. Then network monitoring agent software enables you to use the ZENworks for Servers 3 management console traffic analysis tools to maintain your network performance, monitor traffic on your network, and troubleshoot network problems.

Understanding Communication Between Components

Now that you understand what components make up the ZENworks for Servers 3 LAN traffic analysis system, you need to understand how these systems communicate with each other. The management console component communicates with the management server component by using Common Object Request Broker Architecture (CORBA) to obtain static and dynamic information about the managed nodes and devices on your network.

When the management console requests static information from the management server, the management server then communicates with the management database component by using the Java Database Connectivity (JDBC) protocol. It gathers the requested information from the database and relays it back to the management console.

When the management console requests dynamic information from the management server, the management server communicates with the network monitoring agent by using SNMP requests. It gathers the requested information dynamically and relays it back to the management console.

Understanding Agent Functionality

ZENworks for Servers 3 includes several types of monitoring agents to accommodate the various topologies and devices on your network. Network monitoring agents provide you with the functionality to remotely monitor segments and devices that are SNMP-compliant. The agents collect and store statistical and trend information as well as capture real-time data from the managed nodes and devices on your network. The following sections describe the RMON, RMON Lite, RMON Plus, RMON2, and bridge agents to help you decide which one to use, based on the size and topology of your network.

RMON Agents

ZENworks for Servers 3 RMON agents use a standard monitoring specification that enables various nodes and console systems on your network to exchange network data. That network data is used to monitor, analyze, and troubleshoot your LAN from a central site.

The RMON agents are typically used to monitor Ethernet, FDDI, and token ring segments. Table 10.1 describes the groups of monitoring elements that make up the RMON agent.

Table 10.1. RMON Agent Monitoring Groups
RMON GROUP	DESCRIPTION
Statistics	Records statistics measured by the agents for each monitored interface on the device.
History	Records periodic statistical samples from a network and stores them for later retrieval from the management console.
Alarm	Periodically takes statistical samples from parameters in the agent and compares them with previously configured thresholds. Then, if the monitored parameter crosses a threshold, an alarm event is generated.
Host	Lists the statistics associated with each host discovered on the network.
HostTopN	Prepares tables that describe the hosts that top a list ordered by one of their statistics.
Matrix	Stores statistical information for conversations between two nodes. Creates an entry in its table for each new conversation.
Filters	Enables packets to be matched to a filtered variable. The matched packets form a data stream that may be captured or used to generate events.
Packet Capture	Enables packets to be captured after they flow through a channel.
Events	Controls the generation and notification of events from the device.

RMON Lite Agents

ZENworks for Servers 3 RMON Lite agents also use a standard monitoring specification that enables various devices on your network to exchange network data. The RMON Lite agents are typically used to monitor devices that are not dedicated for network management, such as a hub or a switch. Table 10.2 describes the groups of monitoring elements that make up the RMON Lite agents.

Table 10.2. RMON Lite Agent Monitoring Groups
RMON LITE GROUP	DESCRIPTION
Statistics	Lists statistics measured by the agents for each monitored interface on the device.
History	Records periodic statistical samples from a network and stores them for later retrieval from the management console.
Alarm	Periodically takes statistical samples from parameters in the agent and compares them with previously configured thresholds. Then, if the monitored parameter crosses a threshold, an alarm event is generated.
Events	Controls the generation and notification of events from the device.

RMON Plus Agents

ZENworks for Servers 3 RMON Plus agents are proprietary agents that extend the functionality of the RMON agent. They act exactly the same as the RMON agent and provide the same groups as those shown in Table 10.1. In addition to providing data collected from the RMON groups, they also provide data collected from the groups shown in Table 10.3.

Table 10.3. RMON Plus Agent Monitoring Groups
RMON PLUS GROUP	DESCRIPTION
Buffer	Records the number of octets (excluding framing bits but including frame check sequence octets) in packets that are captured in the buffer.
Admin	Collects information sent to the agent, such as version number.
HostMonitor	Monitors a set of nodes for a particular host table and sets traps when a host becomes active or inactive.
DuplicateIP	Records and updates lists of packets arriving that contain duplicate IP addresses.
MacToIP	Stores records of the IP addresses associated with host addresses for a host-mapping table.
BoardStatus	Records the status of each logical interface of the RMON or RMON Plus agent.

RMON2 Agents

ZENworks for Servers 3 RMON2 agents can be used to collect data from nodes and devices in the network and application layers of the network model, unlike the RMON, RMON Lite, and RMON Plus agents, which are used to collect data from nodes and devices in the physical and data link layers of the network model.

RMON2 agents can also determine network usage based on the protocol and application used by the nodes in your network. Table 10.4 describes the groups of monitoring elements that make up the RMON2 agent.

Table 10.4. RMON2 Agent Monitoring Groups
RMON2 GROUP	DESCRIPTION
Protocol Directory	Creates a table of all identifiable protocols and their descriptions.
Protocol Distribution	Collects statistics for each protocol that the agent is configured to track.
Address Map	Maps a network layer address to the corresponding MAC address.
Network-Layer Host	Collects statistics for each host by network layer address.
Network-Layer Matrix	Collects statistics for each network conversation between pairs of network layer addresses.
Application-Layer Host	Collects statistics on the traffic generated by each host for a specific Application layer protocol. The Protocol Directory group can recognize traffic that is broken down by protocols.
Application-Layer Matrix	Collects statistics on conversations between pairs of network layer addresses for a specific application layer protocol. Traffic, broken down by protocols, can be recognized by the Protocol Directory group. The Protocol Directory group can recognize traffic that is broken down by protocols.
User History	Enables the agent to save samples of RMON2 data for any MIB object at specific intervals.
Probe Configuration	Provides remote capability for configuring and querying agent parameters for example, software updates, IP address changes, resets, and trap destinations.
RMON Conformance	Provides information to the management software regarding the status of support for the group.

Bridge Agents

ZENworks for Servers 3 bridge agents monitor network bridges, enabling you to collect information about switched networks. Table 10.5 describes the groups of monitoring elements that make up the bridge agents.

Table 10.5. Bridge Agent Monitoring Groups
BRIDGE GROUP	DESCRIPTION
Base	Stores information about objects that are applicable to all types of bridges.
Spanning Tree Protocol	Stores information regarding the status of the bridge with respect to the Spanning Tree protocol.
Source Route Bridging	Collects information that describes the status of the device with respect to source route bridging.
Transparent Bridging	Collects information that describes the object's state with respect to transparent bridging.
Static	Collects information that describes the object's state with respect to destination address filtering.

Understanding LAN Traffic Components

Discussing the Management Server

About the Management Console

Exploring the Monitoring Agent Server

Understanding Communication Between Components

Understanding Agent Functionality

RMON Agents

Table 10.1. RMON Agent Monitoring Groups

RMON Lite Agents

Table 10.2. RMON Lite Agent Monitoring Groups

RMON Plus Agents

Table 10.3. RMON Plus Agent Monitoring Groups

RMON2 Agents

Table 10.4. RMON2 Agent Monitoring Groups

Bridge Agents

Table 10.5. Bridge Agent Monitoring Groups