Analyzing Network Traffic

After you set up the RMON agents and SNMP parameters for the segments and devices on which you want to analyze traffic, you are ready to begin capturing and analyzing network traffic. ZENworks for Servers 3 enables you to monitor and collect detailed real-time statistics from nodes and segments in your network. That information is displayed back to the management console in the form of tables, graphs, and other graphical displays.

This section discusses how to use the ZENworks for Servers 3 management console to monitor and analyze traffic on segments, nodes, protocols, and switches. It also covers how to capture and analyze network packets.

Analyzing Traffic on Network Segments

The most common LAN traffic analysis you will likely be doing is on network segments. You can ensure the most cost-effective, stable, and consistent network by monitoring and managing your segments with ZENworks for Servers 3 traffic analysis.

ZENworks for Servers 3 provides several different views for analyzing network traffic on segments. The management views translate the data collected by the monitoring agent into an easy-to-understand graphical and textual form. The following sections discuss how to use the List Segment Statistics, Segment Dashboard, Trend Data, Alarm Statistics, and Summary views on segments to monitor and analyze their traffic.

Viewing Network Statistics for a Segment

The List Segments Statistics view displays a list of segments in your network, as well as the following statistical information for each of them, as shown in Figure 10.3:

Segment Name. Segment name, or address if no name is available.
Type. Physical segment type (Ethernet, FDDI, WAN, and so on.)
Speed (Mbps). The raw speed of the segment, measured by the speed of the network interface card that attaches the RMON agent to the segment. Cable type is also used to determine the segment speed.
Utilization %. Average percentage of the bandwidth currently in use by the traffic on the segment.
Packets/s. Average number of packets per second currently being transmitted on the segment.
KBytes/s. Average number of kilobytes per second currently being transmitted on the segment.
Errors/s. Average number of errors per second the segment is currently incurring.
Message. Message describing the current status of the RMON agent on the segment.

Figure 10.3. List Segments Statistics view for a node in ConsoleOne.

graphics/10fig03.gif

Follow these steps from the ZENworks for Servers 3 management console to access the List Segment Statistics view:

Select a segment or a node from the ZENworks for Servers 3 namespace in the management console.
Select View List Segment from the main menu and a screen similar to the one shown in Figure 10.3 appears.

Determining Individual Segment Performance

The Segment Dashboard view is a graphical view that provides real-time statistical information about an individual monitored segment. Shown in Figure 10.4, it displays four gauges that give the following real-time statistics for that segment, as well as node activity for the top nodes on the segment:

Packets/s. The Packets gauge shows the number of packets per second that are being transmitted on the segment.
Utilization %. The Utilization gauge shows the current utilization, compared to the maximum network capacity that is currently being consumed on the segment.
Errors/s. The Errors gauge shows the number of errors per second the segment is currently incurring.
Broadcasts/s. The Broadcasts gauge shows the number of broadcast packets per second that are currently being transmitted on the segment.

Figure 10.4. Segment Dashboard view for a segment in ConsoleOne.

graphics/10fig04.jpg

Follow these steps from the ZENworks for Servers 3 management console to access the Segment Dashboard view:

Select the segment you want to monitor from the ZENworks for Servers 3 namespace in the management console.
Select View Segment Dashboard from the main menu and a screen similar to the one shown in Figure 10.4 appears.

Analyzing Segment Trends

Use the Trend Data view in conjunction with the baseline document, discussed earlier in this chapter. The Trend Data view enables you to determine trends of traffic patterns that indicate that a segment is in trouble or needs to be updated or expanded. To access the Trend Data view for a segment from the ZENworks for Servers 3 management console, follow these steps:

Select the segment you want to monitor from the ZENworks for Servers 3 namespace in the management console.
Select View Segment Trends from the main menu and a screen similar to the one shown in Figure 10.5 appears.

Figure 10.5. Trend Data view for a segment in ConsoleOne.

You can configure which statistics to monitor in the Trend Data view. Follow these steps to configure the statistics that best fit your network:

Click the Profile button in the Trend Data view.
Select a profile from the Select Profile column in the Edit Profile window.
Choose which statistics you want to view in the Select Series column. The available options depend on your network type.
Click the OK button and the Trend Data view should be updated with your new selections.

Viewing Alarm Statistics for a Segment

The Alarm Statistics view shows a list of all alarms for the monitored segment, along with their threshold and sampling rate. Follow these steps from the ZENworks for Servers 3 management console to access the Alarm Statistics view for a segment:

Right-click the segment you want to monitor from the ZENworks for Servers 3 namespace in the management console.
Select Properties from the pop-up menu.
Select the Segment Alarms tab, as shown in Figure 10.6.

Figure 10.6. Segment Alarms tab for a segment object in ConsoleOne.

You can edit the alarms manually by highlighting the alarm and clicking the Edit button, or you can use the Default All button to set a predefined set of default values to the alarms.

Viewing a Segment Summary

The Segment Summary view is both a graphical and a textual view, which provides a quick summary of the managed segment. This view enables you to quickly assess the current state of the segment. It provides the following static information about the managed segment:

Name. Name or address of the segment
Type. Media type of the segment: Ethernet, token ring, or FDDI
IP Address. IP addresses of the segment
IPX Address. IPX addresses of the segment
Primary Agent. Name of the preferred agent, which is monitoring nodes and traffic on the segment
Agent Status. Current status of the preferred monitoring agent
Nodes. Number of nodes on the segment
IP Nodes. Number of nodes on the segment with IP addresses
IPX Nodes. Number of nodes on the segment with IPX addresses
Servers. Number of NetWare servers on the segment
Workstations. Number of nodes on the segment that are not NetWare Servers
Network Probes. Number of monitoring agents available on the segment
Switches. Number of switches on the segment
Routers. Number of routers on the segment
Hubs. Number of hubs on the segment

The Segment Summary view provides the following information about alarms that have occurred on the managed segment:

Severity. Severity level associated with the alarm
From. Network address of the device that sent the alarm to the alarm management system
Summary. Summary of the event, often including the name or address of the object affected by the alarm
Owner. Segment or device affected by the alarm
Received Time. Date and time when the alarm management system received the alarm
Type. Description of the alarm
Category. The category of the alarm, based on the MIB

The Segment Summary view provides the following charts and gauges that show you dynamically captured information about the managed segment:

Utilization %. Displays a gauge representing the current real-time usage of the network in relation to the maximum capacity.
Packets. Displays a trend graph based on data about packets that have been transmitted on the segment.
Protocol Distribution. Displays a pie chart that represents the distribution of protocols on the network.

Follow these steps from the ZENworks for Servers 3 management console to access the Segment Summary view for a segment:

Select the segment you want to monitor from the ZENworks for Servers 3 namespace in the management console
Select View Segment Summary from the main menu and a screen similar to the one in Figure 10.7 appears.

Figure 10.7. Segment Summary view for a segment in ConsoleOne.

Analyzing Traffic on Nodes Connected to a Segment

ZENworks for Servers 3 also provides several views to help you monitor and analyze traffic associated with nodes connected to a monitored segment. Monitoring at the segment level gives you a good understanding about the general trends and health of the entire segment. But if you want to analyze traffic at a more granular level, you need to analyze traffic at the node level.

The following sections describe how to use the ZENworks for Servers 3 management console to analyze statistics between nodes, and to monitor nodes for inactivity.

Analyzing Network Statistics for Stations on a Segment

The first thing that you should do when analyzing traffic of nodes on a segment is to gather information about the most active ones. Viewing the statistics for the most active nodes gives you an indication of how active nodes are on the segment and whether any nodes are exhibiting troubled behavior. ZENworks for Servers 3 provides the Stations view to enable you to view the following statistics on the most active nodes in the segment:

MAC Address. Physical address of the node
Node. Name or address of the node
Utilization %. Percentage of maximum network capacity consumed by packets sent from this node
Packets/s In. Packets per second received by this node
Packets/s Out. Packets per second sent by this node
Bytes/s In. Data in bytes per second received by this node
Bytes/s Out. Data in bytes per second sent by this node
Errors/s. Errors per second received by this node
Broadcasts/s. Broadcast packets per second received by this node
Multicasts/s. Multicasts per second received by this node
Protocols. Types of protocols used by this node
First Transmit. Date and time this node first transmitted a packet since the traffic analysis agent was loaded
Last Transmit. Date and time this node last transmitted a packet since the traffic analysis agent was loaded

Follow these steps from the ZENworks for Servers 3 management console to access the Stations view for a segment:

Select the segment on which you want to monitor nodes from the ZENworks for Servers 3 namespace in the management console.
Select View Stations from the main menu and a screen similar to the one in Figure 10.8 appears.

Figure 10.8. Segment Stations Summary view for a segment in ConsoleOne.
Specify what statistic to use in determining a node's activity from the drop-down list at the top of the window.

Analyzing Traffic Between Nodes

The Conversations view is another useful ZENworks for Servers 3 view that enables you to view real-time data showing traffic between a specific node and one or more other nodes on the same segment. Use this information when you need to determine communication activity between specific nodes.

Suppose you have a database application installed on a node on the segment and you want to see how traffic from this node behaves when the database is active, as opposed to when it is shut down. You would use the Conversations view before and after activating the database and compare the data from each.

The Conversations view provides statistical data on the following characteristics of internode communication:

Node. Name or address of the destination node communicating with the selected node
% Pkt Load. Percentage of the total packet load being used between this node and the destination node
% Byte Load. Percentage of the total byte load being used between this node and the destination node
Pkts/s In. Number of packets received per second by the destination node from this node
Pkts/s Out. Number of packets sent per second from the destination node to this node
Bytes/s In. Number of bytes of data received per second by the destination node from this node
Bytes/s Out. Number of bytes of data sent per second from the destination node to this node
Pkts In. Number of packets received by the destination node from this node since the view was opened
Pkts Out. Number of packets sent by the destination node to this node since the view was opened
KBytes In. Number of kilobytes of data received by the destination node from this node since the view was opened
KBytes Out. Number of kilobytes of data sent by the destination node to this node since the view was opened
Protocols. Protocol packet types used by the destination node to communicate with this node
First Transmit. Date and time that this node first transmitted on the network since the traffic analysis agent was loaded
Last Transmit. Date and time that this node last transmitted on the network since the traffic analysis agent was loaded

Follow these steps from the ZENworks for Servers 3 management console to access the Conversations view for a node:

Select the node on which you want to monitor conversations from the ZENworks for Servers 3 namespace in the management console.
Select View Conversations from the main menu and a screen similar to the one in Figure 10.9 appears.

Figure 10.9. Conversations view for a node in ConsoleOne.

Monitoring Nodes for Inactivity

Another useful way to monitor network traffic at a node level is to monitor nodes for inactivity. ZENworks for Servers 3 enables you to monitor nodes to determine whether they become inactive and alert you if they do. This does not impact network traffic because the traffic analysis agent does not poll the node to obtain status. Follow these steps from the ZENworks for Servers 3 management console to set it to monitor inactivity of a node:

Right-click the node you want to monitor for inactivity from the ZENworks for Servers 3 namespace in the management console.
Select Monitor Nodes for Inactivity Add from the pop-up menu to enable monitoring of the node.

After you select the nodes that you want to monitor, you can view the following information about them from the Monitor Nodes for Inactivity view:

Name. Name of the node being monitored
MAC Address. Physical address of the node
Status. Current status of the node (updated every 60 seconds by default)

Follow these steps from the ZENworks for Servers 3 management console to access the Monitor Nodes for Inactivity view:

Select the segment for which you want to see a list of nodes monitored for inactivity from the ZENworks for Servers 3 namespace in the management console.
Select View Monitor Nodes for Inactivity from the main menu.

Capturing Packets from the Network

ZENworks for Servers 3 makes it possible for you to be even more detailed than LAN traffic analysis at a node level by enabling you to capture specific sequences of packets from the network. As nodes communicate on a segment, they send packet sequences to each other, which are captured by the RMON agents in a local buffer and can be accessed by the management console.

Packet captures provide much more detail to LAN traffic analysis because they provide information about requests and replies that nodes are making on the network. This can be useful in troubleshooting interserver or client-to-server communication issues.

The following sections describe how to use the ZENworks for Servers 3 management console to set up a filter and capture packets from the network.

Setting Up a Capture Filter

The first step in capturing packets from a segment is to set up a filter to limit the number of packets captured. Without a filter, there would be far too many packets captured, making it extremely difficult to use the capture. Filtering enables you to capture only the packets that are needed. If you are troubleshooting a client-to-server communication issue on an IP application, for example, you would want to capture IP packets only between the client node and the server node.

Follow these steps from the ZENworks for Servers 3 management console to define a capture filter:

Select a node or a segment from the ZENworks for Servers 3 namespace in ConsoleOne.
Select File Actions Capture Packets from the main menu. The Packet Capture Setup window, shown in Figure 10.10, appears.

Figure 10.10. Packet Capture Setup window for filtering packet captures in ConsoleOne.
Type in a descriptive name for the buffer in the Buffer Name text box. This typically should describe the purpose of the capture.
Select the source and destination nodes from drop-down lists in the Stations box and specify whether you want to capture packets based on an IP, IPX, or hardware address. You can use Any for either the source or destination, or Both to include all nodes. If it's possible, use specific nodes to reduce the size of the capture.
Select the direction of traffic flow between nodes. You can select only source to destination, only destination to source, or both directions. This can help limit the capture greatly if you need only one direction.
Add protocols on which to filter by selecting the protocol in the Selected Protocols list and clicking the Add button. If you do not add protocols on which to filter, all protocols are captured.
Specify what kind of packets to capture. See Table 10.6 for a list of available statistics by topology.
Specify whether you want to overwrite the buffer or stop the capture when the buffer is full. Overwriting the buffer means that the oldest packets are overwritten with the newest ones. If you specify to overwrite, you must manually stop the capture.
Specify the buffer size. This depends on what you need to capture and for how long. If you are capturing all packets from all nodes, you need a very large buffer; however, if you need packets from only one node to another one, the default buffer of 32K is probably enough. Keep in mind that there must be enough free memory at the RMON server to create the buffer.
Specify the packet slice size. The Slice Size field specifies the maximum number of bytes of each packet, starting from the packet header, to store in the buffer. This also depends on what you need out of the capture. For header information, you need only 150 bytes or so. But if you need data out of the packet itself, you should select the entire packet. This parameter determines the number of packets that a buffer can hold.
Click the OK button and the filter will be set.

Table 10.6. Available Statistics on which to Filter Based on Segment Type
SEGMENT TYPE	AVAILABLE STATISTICS	DEFAULT STATISTICS
Ethernet	Only good packets, only error packets, both good and error packets	Both good and error packets
FDDI ring	All packets, LLC packets, MAC packets, SMT packets	All packets
Token ring	All packets, non-MAC packets, MAC packets	All packets

Starting a Packet Capture

After you set the filter, you are ready to start the capture. When you click the OK button from the Packet Capture Filter window, a Capture Status window similar to the one in Figure 10.11 appears. The Capture Status window displays the following information about the capture:

Segment. Name or address of the segment on which the packet capture is occurring
LANalyzer Server. Name or address of the server running the RMON agent that is collecting the captured packets
Buffer Granted. Size of the buffer used for the capture
Description. Description of the filter settings for the capture
Count. Incrementing count, shown as 8 in Figure 10.11, for every packet that is captured

Figure 10.11. Packet Capture Status window for packet captures in ConsoleOne.

graphics/10fig11.gif

From the Capture Status window, click the Start button to start the capture. If you are trying to capture a specific sequence, start the capture and then perform the sequence for example, open a database file or start an application. When you have captured enough packets, you can click the Stop button to stop the capture, or you can simply wait until the buffer fills up if you specified to stop the capture when the buffer was full.

Analyzing Captured Packets

After you set up a capture filter and capture the sequence of packets, you are ready to begin analyzing them from the management console. The packet captures reside on the server hosting the RMON agent; however, ZENworks for Servers retrieves the packet data from the RMON agent individually as you view each packet.

Viewing Captured Packets

ZENworks for Servers 3 provides an extremely useful Trace Display view to help you view and decode packet data. The Trace Display view, shown in Figure 10.12, provides summary information about the captured packets (top), a decoded view of the selected packet (middle), and a hexadecimal view of the packet (bottom).

Figure 10.12. Packet capture Trace Display view for packet captures in ConsoleOne.

graphics/10fig12.jpg

You can open the Trace Display view by clicking the View button on the Capture Status window or by Selecting Tools View Packet File from the main menu in ConsoleOne.

The following sections discuss the three different sections of the Trace Display view.

Captured Packet Summary

The summary pane in the Trace Display view displays a list of captured packets, providing you with an overview of the communications between source and destination nodes. You can highlight a packet in this pane to display the decoded and hexadecimal packet data in the panes below. The summary pane provides the following statistical information about the captured packets:

No. Numbers the packets in the order in which they were received at the RMON agent
Source. Name or MAC address of the node from which the packet was sent
Destination. Name or MAC address to which the packet was sent
Layer. Abbreviation of the highest protocol layer in the packet for example, "ncp" for NetWare Core Protocol or "ether" for Ethernet
Summary. Displays a brief description of the contents of the highest protocol layer
Error. Shows the error type, if any, that occurred in the packet
Size. Displays the number of bytes contained in the packet
Absolute Time. Displays the hardware clock time when the packet arrived
Interpacket Time. Displays the time that elapsed from the end of the preceding packet to the end of the current packet
Relative Time. Displays the time that elapsed since the arrival of the oldest packet still in the buffer

Decoded Packet Data

The decode pane in the Trace Display view displays detailed information about the contents of the selected packet. The packet data is decoded and displayed according to defined protocol fields. This is an extremely useful tool because it tells you information such as the station that sent the packet, protocol, NCP request information, reply results, and so forth. You typically use this field to understand packet sequences and why they failed.

Hexadecimal Packet Data

The hexadecimal pane in the Trace Display view displays the raw packet data in hexadecimal format. The column on the left is the hexadecimal offset from the packet header. The second column is the raw hexadecimal data of the packet. The column on the right is the ASCII form of the hexadecimal data.

You will likely use only the hexadecimal display if you know exactly what you are looking for. If, for example, you know the structure of the data that is being sent from a client application to a server, you would be able to manually decode the hexadecimal data. The text column of the hexadecimal display, however, is often useful because it shows textual data in the packet. File pathnames, for example, show up in the ASCII column.

Filtering the Display for Captured Packets

ZENworks for Servers 3 also enables you to filter out packets even after you have begun viewing the packet trace. This is extremely useful in situations where after you begin viewing a packet trace, you narrow down the problem to a specific node or even a specific request.

Suppose you originally capture all packets going between a server and all network nodes, but you need to see only the packets going to that server from a specific node. You could filter on only those packets that are going to the specific node you are troubleshooting.

Another example is if you know the structure of the exact packet type you want to view. You can filter on a value, such as a key sequence, at a specific offset, and see only those packets that match.

Follow these steps to set a display filter for captured packets from the Capture Trace view in ConsoleOne:

Select View Filter from the main menu and the Display Filter dialog box, shown in Figure 10.13, appears.

Figure 10.13. Trace Display Filter dialog box for packet captures in ConsoleOne.
Modify the stations setting to narrow your filtering down to specific stations.
Modify the packet direction, if possible, to packets going one way.
Add or remove protocols from the selected protocols list.
Set the hexadecimal Offset and the From fields if you are looking for packets containing specific data.
Specify the data value and type to search for at the specified offset.
Click the OK button and your capture display filters on the criteria you have specified.

NOTE

If your packet capture is large, you may have to wait a considerable time for the ZENworks for Servers 3 management console to transfer enough of each packet to filter on. This takes up considerable bandwidth. We recommend that you use the capture filter setting to narrow down your captures first.

Highlighting Protocol Fields and Hex Bytes

One of the most valuable features of the Trace Display view is its capability to match data in the decoded pane with the hexadecimal values in the hexadecimal pane. It does this by highlighting the data areas that you select in the decode pane, the hexadecimal pane, or in both panes. The following is a list of examples of how you can use the highlighting tool:

Highlight a protocol layer in the decode pane and view the hexadecimal bytes in the Hex view.
Click a specific field in the decode pane and view the hexadecimal value associated with it.
Click a hexadecimal byte in the hexadecimal pane and see which protocol field is associated with it in the decode pane.
Click ASCII text in the hexadecimal pane and see the hexadecimal values and the specific decode field associated with it.

NOTE

You can save a trace file to a *.tr1 file format so that you can send it to someone else to look at, too, by selecting File Save.

Analyzing Protocol Traffic

The ZENworks for Servers 3 traffic analysis agent also enables you to monitor statistics of traffic generated by protocols in your network.

Displaying Protocols Used on a Network

The RMON2 agent object in the eDirectory tree provides a Protocol Directory property page to view a list of supported and custom protocols used in the network. This is a hierarchical list with the protocols used in the Data Link layer at the top level. Follow these steps from within ConsoleOne to display the protocols used on your network:

Select the node object running the RMON2 agent from the ZENworks for Servers 3 namespace.
Expand the view by clicking the plus sign next to it.
Expand the view for the services object.
Right-click the RMON2 object under Services and select Properties from the pop-up menu.
Select the Protocol Directory tab.

From the Protocol Directory tab, you can also add custom protocols to the supported protocol tree by clicking the Add button. You can also click the Remove button to remove a protocol from being monitored in the tree.

Determining Segment Distribution of Protocols

ZENworks for Servers 3 also enables you to view the distribution of protocols on a segment. This gives the following statistics of the protocol communications in the Network layer, Transport layer, and Application layer that are occurring on your network:

Protocol Name. The name of the protocol
Packets/s. The average number of packets per second that are being sent with this protocol
Bytes/s. The average number of bytes of data per second that are being sent with this protocol
Packet Rate %. The percentage of packets transmitted with this protocol, relative to the total percentage of packets transmitted
Byte Rate %. The percentage of bytes of data transmitted with this protocol, relative to the total bytes of data being transmitted

Follow these steps from within the ZENworks for Servers 3 namespace in ConsoleOne to view the distribution of protocols in a segment:

Select the managed segment for which you want to view protocols.
Select View Protocol Distribution from the main menu. A window similar to the one in Figure 10.14 appears.

Figure 10.14. Protocol Distribution view for a segment object in ConsoleOne.

Analyzing Switch Traffic

The ZENworks for Servers 3 traffic analysis agent also enables you to monitor statistics of traffic generated on switches in your network. This helps you determine the load on workstation and workgroup switches in your network, enabling you to plan for future upgrades.

ZENworks for Servers 3 monitors ports and nodes connected to those ports by using an RMON agent, an external RMON agent, or a bridge agent. The following sections discuss how to use these agents to display statistics for ports on the switches on your network and to view the summarized information for a specific switch.

Viewing Port Statistics for a Switch

You can view a switch's port statistics by using the ZENworks for Servers Unified Port Traffic view. This view obtains statistical information about every port in your network. It then displays a list of nodes connected to ports on the switch and statistics for each port.

Follow these steps from within the ZENworks for Servers 3 namespace in ConsoleOne to display the Unified Port Traffic view:

Select the managed switch on which to view port statistics.
Expand the view by clicking the plus sign next to the switch.
Expand the view by clicking the plus sign next to services under the switch.
Select Switch/Bridge under services.
Select View Port Traffic from the main menu to bring up the Unified Port Traffic view.

Viewing Switch Summary Data

ZENworks for Servers 3 also provides a summary view of switch data that provides brief information about the switch. This gives you a quick look at the current status, usage, and alarms generated on the switch. The following statistical information is provided in the switch summary view:

Vendor. Name of the manufacturer of the switch
Switch Type. Type of switch: transparent or source route
Number of Ports Active. Number of ports currently active on the switch
Forwarding Table Overflow Count. Number of times the forwarding table has exceeded its capacity
Up Time. Time since the switch was last rebooted
Number of Ports Present. Number of ports that actually exist on the switch
Number of MAC Addresses Learned. Number of MAC addresses dynamically discovered by the switch