Sniffer Distributed 4.9 Release Notes
October, 2007 Part Number: 105027

This release note provides last minute product information for the Sniffer® Distributed 4.9 release, including both New Features and Known Issues.

Table of Contents
• New Features
• Before You Install
• Console System Requirements
• Sniffer Distributed v4.9 Images
• Visualizer / Administrator Interoperability
• Common SniffView Console Coexistence
• Known Issues
• Additional Information
• Available Documentation
• Contacting Network General
• Copyright and Trademark Attributions

New Features
The Distributed 4.9 release includes the following new features and functionality:

Console Enhancements
• Installation on Microsoft 2003 Server and Vista Business/Enterprise platforms
• Installation on Athlon AMD platforms (certified against AMD)
• Installation on multi-threaded, multi-core platforms
• Installation in virtualized configurations

Agent Enhancements
• Real-time Packet De-duplication option for 10/100 connections.
• Real-time decode. Displays protocol decodes in real-time as packets arrive. You do not have to stop a capture session to see protocol decodes.

Filtering
• Filter templates. Use the template as-is or make a copy of the template as a base for a new filter.
• Combine filters. Set up filters that combine multiple existing filters into a single filter.
• Define a filter based on a Decode selection. Define filters based on the packet selected from the Decode Summary view.

• Add to an existing filter. Allows you to add additional criteria to the last defined or previously used display filter.
• Additional pre-defined filters. Most commonly used filters are packaged with the release. Filters will include current virus filters available from Network General as well as other Broadcast and Multicast filters.
• Address and port filtering enhancements. Enhancements include filtering by IP address using wild cards, filtering using CIDR masks, and support for a range of ports and multiple port entries.
• Fast filter searches. Where listed, filters are in alpha-numeric order to make finding and selecting existing filters easier. You can also enter the first few letters of the filter name in the Filter field and the filters that match those criteria are displayed.

Additional Features
• Interface improvements. Numerous enhancements have been made to the user interface, including automatic retention of user display settings, improved colors in charts and windows, and updates to the Decode tab. Also, enhanced drag-and-drop, right-mouse menu, and mouse-over support.
• Support of IANA Protocol/Port List
• UDP and TCP Port Aggregation
• Bundling of Decode/Expert Pack 7
• Extending support for 1000BT on RoHS platforms
• Complete platform support for s4x00/s6040 RoHS and non-RoHS platforms
• Cloning of default AppIntell policy file through Administrator
• Updates to the alarm logs Sniffer Distributed sends to Administrator

Software Only Enhancements
• Installation on Microsoft 2003 Server and Vista Business/Enterprise platforms
• Installation on Athlon AMD platforms (certified against AMD)
• Installation on multi-threaded, multi-core platforms
• Expanded NIC support for monitoring (10/100/1000BT)
• Support for AppIntell on 1000BT on Dell hardware

NOTE: ATMBook and Switch Expert are no longer supported by Network General.

Before You Install
Installation Instructions
Complete installation, authorization, and upgrade instructions can be found in the documentation accompanying your product shipment, as follows:
• Installation and authorization instructions can be found in the Getting Started Guide on the Documentation CD.
• Reimage instructions can be found in the Hardware Installation Guide on the Documentation CD.

Agent Authorization
New Sniffer Distributed Appliances are installed with the Base Configuration option permanently enabled. You use the Agent Authorization utility to add additional software options – VoIP Intelligence, Mobile Intelligence, and Application Intelligence. See the Getting Started Guide for details.

NOTE: After reimaging an Appliance with Version 4.9, all add-on options are enabled for a 30-day trial. Once the trial expires, the Appliance automatically reboots with its Base Configuration permanently enabled.

Console System Requirements
The Console software is supported on hardware that meets the requirements listed in the following table.
Table 1-1. Console System Requirements

Operating System
  Windows Vista 32 bit Ultimate, Business, and Enterprise
  Windows 2000 Professional with SP 4
  Windows Server 2003 SP1
  Windows XP Professional with SP 1 or SP 2
  • Spanish
  • Simplified Chinese
  • French
  • Italian
  • German
  NOTE: Administrator level access is required to install and run this software. See the Troubleshooting appendix in the Sniffer Distributed Getting Started Guide for information on installing Sniffer Distributed products in Microsoft Active Directory environments.

Browser
  • Microsoft Internet Explorer 6.0 with SP1 or SP2
  • Microsoft Internet Explorer 7.0
  NOTE: Internet Explorer 7.0 is only supported for the Sniffer Distributed 4.9 Console. It is not supported for earlier Console versions. Because of this, customers using Console Coexistence with earlier Console versions should continue to use IE 6.0 SP1/SP2.

Sun® Java® Runtime Environment Plug-in
  The versions of WebConsole and Config Console included with Sniffer Distributed use Version 1.5.0_05 of the Java Runtime Environment (JRE) plug-in. The correct version of the JRE plug-in is automatically installed the first time you use either WebConsole or Config Console. Network General strongly recommends that you use only a single version of JRE on a WebConsole/Config Console PC. Maintaining multiple JRE versions can cause error messages and/or operational issues while using WebConsole/Config Console.

CPU
  Pentium III 800MHz or faster CPU.
  NOTE: The Console can also be installed on a Pentium M system.
  NOTE: Multiple CPUs and hyperthreading are supported in this release.

System Memory
  512 MB RAM

Disk Space
  800 MB free disk space.

CD-ROM
  CD-ROM drive

Monitor
  VGA color monitor, 1024 x 768 resolution set to 16 bit color

Mouse
  Mouse or similar pointing device

Adapter Card
  Single network adapter card configured with an IP address and connected to the network

Installing the Console on Virtual Machines
You can install the console on:
• VMware Workstation 6.0
• VMware Workstation ESX Server
• Microsoft Virtual PC 2004 and 2007
To install and configure, see the relevant virtual machine product documentation. Make sure that you configure the virtual machine so that it meets or exceeds the system requirements for the Console. You can only install the Console on virtual machines that operate on Windows-based hosts.

Sniffer Distributed and Windows XP SP2
Sniffer Distributed supports Windows XP SP2. During installation of the Sniffer Distributed Console, Setup will automatically detect whether Windows XP SP2 is installed and prompt you to allow Setup to make some configuration changes. See the Sniffer Distributed Getting Started Guide on the Documentation CD for details on these changes.

Sniffer Distributed v4.9 Images
Operating System Patches in Sniffer Distributed Images
Network General tests and approves Microsoft patches for installation on Sniffer Distributed Appliances as they are released. Visit the following link for the latest information on patch approval from Network General.
http://www.networkgeneral.com/Vulnerabilities.aspx
The most recent Microsoft security patch certified by Network General and included in Sniffer Distributed 4.9 images is as follows:
• Latest patch: MS07-050 KB938127
• MS06-078 KB925398 version 2
• MS07-012 KB924667 version 2
• Accumulative Daylight Savings patch KB933360
Version 4.9 images also include the KB928388 patch for changes made to Daylight Savings Time laws in many countries.

Decode and Expert Pack 5 Included in Sniffer Distributed 4.9
Sniffer Distributed 4.9 includes Decode and Expert Pack 5. See the Decodes and Expert Pack Release Notes for details on the Pack 5 build number as well as the protocol decodes and Expert analysis included with the pack. The Decodes and Expert Pack Release Notes are available at the following location:
Start > All Programs > Network General > Sniffer Distributed > Decode and Expert Pack Release Notes

McAfee VirusScan Patches in Sniffer Distributed Images
Sniffer Distributed v4.9 Appliances include McAfee® VirusScan® 8.0i Patch 13.

Reimaging Sniffer Distributed 4.9 Appliances
Sniffer Distributed v4.9 Appliances can only be reimaged locally at this time. Remote reimaging support for v4.9 platforms from either Administrator or the standalone Remote Reimaging Utility will be available in a patch shortly. See the Sniffer Distributed Hardware Installation Guide for reimage instructions.

Visualizer / Administrator Interoperability
Sniffer Distributed 4.9 supports the following Visualizer and Administrator releases:
• Visualizer 4.6, 4.5, 4.2, 4.1, and 4.0
• Administrator 4.6, 4.5, 4.2, 4.1, and 4.0

Common SniffView Console Coexistence
The Common SniffView Console included with Version 4.9 can connect to Version 4.9 Sniffer Distributed Agents in their default configurations. To connect to Agents running other versions supported for coexistence, the corresponding version of the Console software must remain installed. The Common SniffView Console installed with Version 4.9 can coexist with many common Network General products, including:
• SniffView Console Versions 4.9, 4.8, 4.7x, 4.6x, 4.5, 4.5 SP1, 4.5 SP2, s6040 Version 1.5, 4.3.5, 4.3.5 SP1, 4.3 SP2
• Sniffer Portable Versions 4.9, 4.8 SP1, 4.7.5 SP4+
• Sniffer Infinistream Console Versions 2.0 SP1+, 3.0x, 3.1, 3.1 SP1, 4.0
See the Getting Started Guide on the Documentation CD for complete details on using Console Coexistence.

Console Coexistence Limitations
The Common SniffView Console has the following coexistence limitations:
• A single SniffView Console PC can have up to three supported Console versions.
• In addition to its three Console versions, a single Console PC can have only one version of Sniffer Portable installed.
• In addition to its three Console versions, a single Console PC can have only one version of the Sniffer InfiniStream Console installed.
• Internet Explorer 7.0 is only supported for the Sniffer Distributed 4.9 Console. It is not supported for earlier Console versions. Because of this, customers using Console Coexistence with earlier Console versions should continue to use IE 6.0 SP1/SP2.

Using Console Coexistence Successfully
Be sure to install the Console versions in the correct order (oldest to newest) and always use the latest version (the Common SniffView Console) for all of your Agent connections.

Known Issues
Known issues for Sniffer Distributed 4.9 are listed below:
• General Issues
• Model APGR Issues
• WebConsole Issues
• Application Intelligence Issues
• Console Coexistence Issues
• RMON/SNMP Issues
• VoIP Intelligence Issues
• Mobile Intelligence Issues
• Sniffer Reporter Information and Issues

General Issues
• The Security Expert is not enabled in Sniffer Distributed 4.8.
• When using the Media Modules included with the Model E2GR, APGR, and s6040 Appliances in Independent End Station mode, the 8192-9K Bytes counter in the Dashboard’s Size Distribution graph is not incrementing for received traffic. [CQ# 69886]
• When using the Media Modules included with the Model E2GR, APGR, and s6040 Appliances, capture filters configured to capture only Fragment packet types will capture Runts packet types as well. [CQ# 70046]
• When using Event Filter-based Start and Stop triggers with the Media Modules included with the Model E2GR, APGR, and s6040 Appliances, Expert window statistics may not appear until after the capture has stopped and packets have been uploaded from the Media Module to the application. [CQ# 70270]
• If a Find Frame search in the Decode window encounters a packet with a blank Detail pane, the search will stop without proceeding to further frames. [CQ# 70838]
• When using a Stop trigger with the Automatically re-start capture after stop option enabled, Expert window statistics will not be reset to zero for the capture started after the stop trigger event. [CQ# 68978]
• When using the Media Modules included with the Model E2GR, APGR, and s6040 Appliances with the Upload Entire Media Module Buffer for Expert Analysis option enabled, the Elapsed Time counter in the Capture Panel does not increment when packets are uploaded from the Media Module to the Appliance capture buffer. [CQ# 68806]

• After authorizing the Application Intelligence module on a Group of Agents that includes both supported and unsupported Agents, SniffView will incorrectly display that the unsupported Agents have Application Intelligence enabled. For example, if you try to authorize Application Intelligence on a Group that includes three Model ETR3 Ethernet Agents (which do support Application Intelligence) and a Model ATMB ATM Agent (which does not support Application Intelligence), Application Intelligence will be successfully authorized on the ETR3 Agents. However, SniffView will incorrectly show that the Model ATMB in the Group has Application Intelligence enabled as well. [CQ# 63041]
• When using an s6040 Appliance, the Status shown in Windows XP's Network Connections window will read Not Connected or Network Cable Unplugged for Media Modules unless both copper/fiber GBICs are connected. If only one of the GBICs is connected, the status will be shown as Not Connected. This is expected behavior. (CQ# 60870)
• When using Administrator to authenticate Sniffer Distributed users, Administrator grants access to all users opening ProbeViewer locally on the Appliance, regardless of whether they are actually in the list of authorized users. [CQ# 61570]
• If you encounter a Configuration failed: Failed to connect to resource error when attempting to perform Clone Configuration from Administrator, stop and restart the DSAgentSrv service on the Appliance before trying to apply the Clone Configuration again. [CQ# 59299]
• Proxies are not supported for connections between Sniffer Distributed and Administrator. [CQ# 55198]
• If you change the line speed setting for a Sniffer Distributed Appliance's Ethernet monitor card (for example, from 10 Mbps to 100 Mbps), you must reboot the Appliance before the Console will reflect the change in the title bar or the Dashboard's utilization statistics. [CQ# 48506] [CQ# 53399]
• The first connection to a Gigabit Ethernet Media Module-based Agent after the Appliance reboots will report a short series of dropped frames in the Dashboard immediately after the connection is established. [CQ# 50666]
• When multiple ports in Single End Station mode on an s6040 Appliance are aggregated, the Global Statistics monitor application's GB Ethernet tab includes a column of Port B statistics, giving the incorrect impression that there will be data on Port B. [CQ# 55957]
• When using a Gigabit Ethernet Media Module, captures started by the Capture+Trigger autostart option will use the default filter settings. To use different filter settings with the Capture+Trigger autostart option, you must:
  a. Connect to the Agent and modify the filter settings.
  b. Start and stop a capture manually.
  c. Connect to the Agent and enable the Capture+Trigger autostart option. The Agent will automatically reboot after making this change.
  NOTE: If the Capture+Trigger autostart option was already enabled when you changed the filter settings, you must reboot the Agent manually.
  After doing this, the modified filter settings will be used as the default for captures started by the Capture+Trigger autostart option. [CQ# 47716]
• When capturing data on a Gigabit Ethernet Media Module with the buffer settings set up to stop capture when the Media Module buffer is full, the Packets Seen counter in the Capture Panel will typically exceed the Packets Captured counter by a few frames after capture has stopped. [CQ# 47534]

• The updated single board computer (SBC) included with new Model s6040 Appliances (and available for upgrade in existing s6040 Appliances) includes a built-in 10/100 Ethernet port used as the transport card. By default, this adapter is configured to Auto Detect the speed of the link to which it is connected. However, if you use the Local Area Connection Properties > Advanced tab to force the adapter's speed to 100 Full Duplex, the adapter will actually operate in Half Duplex Mode. [CQ# 47868]
• When using an s6040 Agent, the Drops counter in the Dashboard will be reset to zero after a user takes over the active session from another Console PC. [CQ# 47177]
• If a monitor filter is in force when a user logs off in unattended mode and then reconnects to the same adapter, the Protocol Distribution view may contain additional traffic outside of the expected filter set. This additional data was introduced during the disconnect. Clear the additional data by clicking the Reset button. After doing so, the Protocol Distribution statistics will only contain data that passed the current monitor filter. [CQ# 49870]
• When using Config Console, although the system does not request a reboot, you must reboot the Agent for changes to any of the following pages to take effect:
  • Configure (including the Aggregation sub-page)
  • NetFlow
  • SNMP
  [CQ# 50145]
• After exiting the Monitor > Select Filter dialog box by clicking OK, the entries in the monitor applications (Host Table, Matrix, and so on) are removed even when you do not enable the Apply monitor filter option. As a workaround, click the X in the upper right hand corner of the dialog box when exiting the dialog box without applying a monitor filter. [CQ# 42251]
• The Expert mistakenly interprets traffic on TCP port 69 as TFTP. [CQ# 43075]
• When monitoring Utilization History Samples with a Gigabit Ethernet Media Module, be sure to save your samples as .hst files using the File > Save command. If you simply close the sample and save it when the system prompts you, empty .hst files may occasionally result. [CQ# 50451]
• When using Sniffer Enterprise Administrator to authenticate Sniffer Distributed users, Administrator grants access to all users opening ProbeViewer locally on the Appliance, regardless of whether they are actually in the list of authorized users. [CQ# 61570]
• If you encounter a Configuration failed: Failed to connect to resource error when attempting to perform Clone Configuration from Sniffer Enterprise Administrator, stop and restart the DSAgentSrv service on the Appliance before trying to apply the Clone Configuration again. [CQ# 59299]
• Proxies are not supported for connections between Sniffer Distributed and Sniffer Enterprise Administrator. [CQ# 55198]
• If you change the line speed setting for a Sniffer Distributed Appliance's Ethernet monitor card (for example, from 10 Mbps to 100 Mbps), you must reboot the Appliance before the Console will reflect the change in the title bar or the Dashboard's utilization statistics. [CQ# 48506] [CQ# 53399]
• The first connection to a Gigabit Ethernet Media Module-based Agent after the Appliance reboots will report a short series of dropped frames in the Dashboard immediately after the connection is established. [CQ# 50666]
• When using a Gigabit Ethernet Media Module, captures started by the Capture+Trigger autostart option will use the default filter settings. To use different filter settings with the Capture+Trigger autostart option, you must:
  a. Connect to the Agent and modify the filter settings.
  b. Start and stop a capture manually.
  c. Connect to the Agent and enable the Capture+Trigger autostart option. The Agent will automatically reboot after making this change.
  NOTE: If the Capture+Trigger autostart option was already enabled when you changed the filter settings, you must reboot the Agent manually.
  After doing this, the modified filter settings will be used as the default for captures started by the Capture+Trigger autostart option. [CQ# 47716]
• When capturing data on a Gigabit Ethernet Media Module with the buffer settings set up to stop capture when the Media Module buffer is full, the Packets Seen counter in the Capture Panel will typically exceed the Packets Captured counter by a few frames after capture has stopped. [CQ# 47534]
• If a monitor filter is in force when a user logs off in unattended mode and then reconnects to the same adapter, the Protocol Distribution view may contain additional traffic outside of the expected filter set. This additional data was introduced during the disconnect. Clear the additional data by clicking the Reset button. After doing so, the Protocol Distribution statistics will only contain data that passed the current monitor filter. [CQ# 49870]
• After exiting the Monitor > Select Filter dialog box by clicking OK, the entries in the monitor applications (Host Table, Matrix, and so on) are removed even when you do not enable the Apply monitor filter option. As a workaround, click the X in the upper right hand corner of the dialog box when exiting the dialog box without applying a monitor filter. [CQ# 42251]
• When monitoring Utilization History Samples with a Gigabit Ethernet Media Module, be sure to save your samples as .hst files using the File > Save command. If you simply close the sample and save it when the system prompts you, empty .hst files may occasionally result. [CQ# 50451]
• After authorizing the Application Intelligence module on a Group of Agents that includes both supported and unsupported Agents, SniffView will incorrectly display that the unsupported Agents have Application Intelligence enabled. For example, if you try to authorize Application Intelligence on a Group that includes three Model ET02 Ethernet Agents (which do support Application Intelligence) and a Model ATMB ATM Agent (which does not support Application Intelligence), Application Intelligence will be successfully authorized on the ET02 Agents. However, SniffView will incorrectly show that the Model ATMB in the Group has Application Intelligence enabled as well. [CQ# 63041]
• When using an s6040 Appliance, the Status shown in Windows XP's Network Connections window will read Not Connected or Network Cable Unplugged for Media Modules unless both copper/fiber GBICs are connected. If only one of the GBICs is connected, the status will be shown as Not Connected. This is expected behavior. (CQ# 60870)
• If you choose to enable Internet Explorer’s built-in Pop-up Blocker while using WebConsole, you must set its Filter Level to Low: Allow pop-ups from secure sites. Set this under Tools > Pop-up Blocker > Pop-up Blocker Settings in Internet Explorer. Setting the filter level any higher than this can result in error messages during normal WebConsole operations. For example, if you encounter error messages while attempting to save a captured trace, use this workaround. [CQ# 57069]
• When using Sniffer Enterprise Administrator to authenticate Sniffer Distributed users, Administrator grants access to all users opening ProbeViewer locally on the Appliance, regardless of whether they are actually in the list of authorized users. [CQ# 61570]
• If you encounter a Configuration failed: Failed to connect to resource error when attempting to perform Clone Configuration from Sniffer Enterprise Administrator, stop and restart the DSAgentSrv service on the Appliance before trying to apply the Clone Configuration again. [CQ# 59299]

• Under certain circumstances, Port 3 on the four-port Ethernet adapter used by Model ET05 Appliances is incorrectly identifying MAC addresses. This does not affect higher layer statistics. [CQ# 50241]
• If Sniffer Enterprise Visualizer enables data logging for a Model ATMR Appliance in the last minute of an interval, the binary file of network data saved for Global Statistics will not include all the statistics that it should. The other binary files, however, do populate all statistics for the last minute of the interval. This happens because of the order in which the binary files are saved on the Appliance. [CQ# 53371]
• Proxies are not supported for connections between Sniffer Distributed and Sniffer Enterprise Administrator. [CQ# 55198]
• If you change the line speed setting for a Sniffer Distributed Appliance's Ethernet monitor card (for example, from 10 Mbps to 100 Mbps), you must reboot the Appliance before the Console will reflect the change in the title bar or the Dashboard's utilization statistics. [CQ# 48506] [CQ# 53399]
• The first connection to a Gigabit Ethernet Media Module-based Agent after the Appliance reboots will report a short series of dropped frames in the Dashboard immediately after the connection is established. [CQ# 50666]
• When multiple ports in Single End Station mode on an s6040 Appliance are aggregated, the Global Statistics monitor application's GB Ethernet tab includes a column of Port B statistics, giving the incorrect impression that there will be data on Port B. [CQ# 55957]
• Sniffer Distributed WAN Agents are including incorrect interface descriptions for Frame Relay DLCIs in SNMP Interface tables. Instead of identifying DLCIs just by number, the entries in the table are also identifying them as PVCx. [CQ# 58282]
• When using a Gigabit Ethernet Media Module (E2GB or s6040), captures started by the Capture+Trigger autostart option will use the default filter settings. To use different filter settings with the Capture+Trigger autostart option, you must:
  a. Connect to the Agent and modify the filter settings.
  b. Start and stop a capture manually.
  c. Connect to the Agent and enable the Capture+Trigger autostart option. The Agent will automatically reboot after making this change.
  NOTE: If the Capture+Trigger autostart option was already enabled when you changed the filter settings, you must reboot the Agent manually.
  After doing this, the modified filter settings will be used as the default for captures started by the Capture+Trigger autostart option. [CQ# 47716]
• When capturing data on a Gigabit Ethernet Media Module (E2GB or s6040) with the buffer settings set up to stop capture when the Media Module buffer is full, the Packets Seen counter in the Capture Panel will typically exceed the Packets Captured counter by a few frames after capture has stopped. [CQ# 47534]
• The updated single board computer (SBC) included with new Model s6040 Appliances (and available for upgrade in existing s6040 Appliances) includes a built-in 10/100 Ethernet port used as the transport card. By default, this adapter is configured to Auto Detect the speed of the link to which it is connected. However, if you use the Local Area Connection Properties > Advanced tab to force the adapter's speed to 100 Full Duplex, the adapter will actually operate in Half Duplex Mode. [CQ# 47868]
• When using an s6040 Agent, the Drops counter in the Dashboard will be reset to zero after a user takes over the active session from another Console PC. [CQ# 47177]

• If a monitor filter is in force when a user logs off in unattended mode and then reconnects to the same adapter, the Protocol Distribution view may contain additional traffic outside of the expected filter set. This additional data was introduced during the disconnect. Clear the additional data by clicking the Reset button. After doing so, the Protocol Distribution statistics will only contain data that passed the current monitor filter. [CQ# 49870]
• When using ConfigConsole, although the system does not request a reboot, you must reboot the Agent for changes to any of the following pages to take effect:
  • Configure (including the Aggregation sub-page)
  • NetFlow
  • SNMP
  [CQ# 50145]
• After exiting the Monitor > Select Filter dialog box by clicking OK, the entries in the monitor applications (Host Table, Matrix, and so on) are removed even when you do not enable the Apply monitor filter option. As a workaround, click the X in the upper right hand corner of the dialog box when exiting the dialog box without applying a monitor filter. [CQ# 42251]
• The Expert mistakenly interprets traffic on TCP port 69 as TFTP. [CQ# 43075]
• On Model ET2T Appliances, autodiscovered addresses are not being saved to the Address Book. Addresses entered manually are saved correctly. [CQ# 42914]
• When monitoring Utilization History Samples with a Gigabit Ethernet Media Module (E2GB or s6040), be sure to save your samples as .hst files using the File > Save command. If you simply close the sample and save it when the system prompts you, empty .hst files may occasionally result. [CQ# 50451]
• 83903 WQE1 Agent blue screens on applying a capture filter based on "link control protocol".
• 84240 Block remote update of unsupported platforms from DSPro 4.9 console
• 81201 File Sharing: Filters created on a DSPro 4.9 console and shared through the File sharing option cannot be used on other consoles.
• 78922 TCP Segment Lost alarm does not show up in Decode->Summary view.
• 81779 FMR - Frame Relay tab in the Matrix does not allow you to start a capture, create a new filter, or add to the previous filters.
• 84290 Cannot run installers in *.msi format through software updates with CSL. <Also refer 79575>.
• 81822 32009-Sniffer Monitor Application Response Time does not display defined protocol AFP over TCP using port 548.
• 84347 In WebConsole, dashboard counters were not showing the traffic for Ethernet agents.
• 80905 <HSSI> Utilization (%) values in History Samples are showing double the actual values. (Refer attachment)
• 81851 ATM VPI/VCI monitor based filters are not functional.
• 77694 The ATM interface in a DSPro Agent provides a different topology string for Visualizer and Administrator
• 82353 After SEA update of any lower version agent to 4.9, SEA activity log doesn't show any information/log about successful completion of remote update.
• 82052 In decode tab, Absolute time format is shown wrongly on winxpsp2 KoreanOS. Happening on all locales / topologies.
• 83225 Failed to add DSPRO 4.9 (managed by another administrator) in Unmanaged Devices.
• 83332 History samples created are not getting migrated after performing major update from DSPro4.7sp1amr18 to 4.90.153.

• 83272 Ethernet/SWO: "For save to file mode, capture panel shows buffer action as wrap". Please check the attachment
• 83228 SniffView, Auto detect version tab is unchecked after upgrading the console to 4.9 from 4.7sp1a
• 83227 Trying to launch a console session for lower version agents from the 4.9 console asks for authentication instead of giving a proper error message. See test case for more details.
• 83355 User is NOT asked for authentication on entering LogOn mode from LogOff mode. [Suppose User-1 logs off in unattended mode, and User-2 tries to log on and take over the session, he should be asked for authentication]
• 82841 FMR: Remote Update from SniffView -> Need Activity log messages in SEA.
• 82505 DS3 > DLCI based exclude filters do not work.
• 82463 Filter xxx does not exist error occurs after creating and deleting a monitor filter.
• 84046 APGB: 4.7.314 MR3 version number is shown as 4.7.314 SP1 MR3 in SniffView. See screen shot
• 84151 DSPro 4.9 Console installation on Vista prompts users to close other running applications like mspaint, volume control, printer etc
• 82006 On winXPsp2 spanishOS console, appliance Version number is displayed with commas. Happens on all i18N consoles.
• 81897 FMR: The Set Protocol logs should be sent to SEA.
• 84195 Only the user ID that was used to install the client software will be passed along to RADIUS. Dup of #83655
• 81843 Cannot add filters to the existing ATM/Frame Relay based Monitor filter
• 84288 Duplicate of 65910: ISS22158 - State Farm - attempting to run agent_xp_sp2_package4.exe on agent, gets error.
• 81800 Opening ProbeViewer asks for authentication instead of giving error message. (See test case for details)
• 84337 Ethernet: "Warning message doesn't appear if start capture button is pressed from define filter for buffer size >120Mb"
• 81722 Win32console: No activity log messages for "Share Capture configurations" and "Share filters" to administrator.
• 81595 In Multi-channel configuration utility, the message box that pops up on changing the group number is blank.
• 81409 Changing to DPES mode does not give the message to reboot at the first instant.
• 81406 When the capture configurations are shared, the Filters are also getting shared. (Intermittent)
• 81316 Predictive search option for capture filters not available on Gigabit platform.
• 81303 Port based filters when exported from Ethernet 10/100 to E2GB/6040 are not functional
• 81297 Monitor filters are not retained after the users log off and log on again even though the Monitor > Select Filter is enabled. Happens on Gigabit platforms.
• 81054 Address book not able to discover IPX addresses on the network. This option was not available in earlier releases of DSPro. Address book > Autodiscovery is not discovering NetBios addresses also.
• 80975 <HSSI> There should be consistency in the format saved from Post Capture window. (Refer attachment)

80906 Tool tips are not displayed on host table, matrix, global statistics, protocol distribution and VLAN statistics. Please refer to screen shot.
84429 "Password too short....." error message pops up on clicking password field to enter security handshake password. [This was working properly on earlier builds]
78958 Repeatedly sending the messages more than two times in Activity log, when the Automatic patch distribution is enabled.
84434 Need to add updated Options screenshot to Help file under Configuring agent. Currently does not show SEA/SEV handshake. *Configure agent --> options - SEA/SEV should read "administrator" or "visualizer"
76435 Data mismatch found between dashboard properties and network characteristics screen of dashboard.
76429 Incorrect data is displayed in Network characteristics of dashboard screen.
47289 ISS00003128: FMR: Customer does not want to see the message 'You may experience a long delay opening this file due to the large file size. Would you like to continue?' when they are only trying to display a file of size 7KB. Should pop up on 2MB+

Model APGR Issues
WebConsole is not supported for Model APGR. If you attempt to connect to the Model APGR using the Web Console, the Connect button will be disabled after you log in.
NOTE: Config Console is supported for the Model APGR.

NOTE: Correspondingly, Administrator will not launch WebConsole connections to Model APGR Agents but can launch Config Console sessions.

When using Administrator 4.0/4.1, entries in the SEA Activity Log for Model APGR Appliances will show DSPro as the Source rather than AppIntell. Some alarms generated by the Model APGR will show DSPro in the log entries in both Alarm Manager and Administrator rather than AppIntell (for example, DSPro Capture Start and DSPro Capture Stop alarms). This is due to the fact that the Model APGR and Sniffer Distributed Agents share the same MIB structure.

Model APGB Issues
When using WebConsole to connect to an Agent through a firewall that uses Network Address Translation (NAT), the title bar of the WebConsole window displays the Agent's internal IP address instead of the externally addressable IP address. [CQ# 48026]

The response times shown in WebConsole's ART displays for Gigabit Ethernet Media Modules are occasionally displaying incorrect times. SniffView shows the response times correctly. [CQ# 55227]

WebConsole limits you to a total of four simultaneous Visual Filter windows. [CQ# 63143]

Under certain circumstances, WebConsole connections may experience unexpected error messages or instability. [CQ# 56634] [CQ# 56864] In most cases, you can bypass these failures with the following workaround:
a. Use the Add/Remove Programs Control Panel to remove all versions of JRE earlier than 1.5.0_05.
b. Delete all registry keys associated with the earlier JRE versions from HKEY_LOCAL_MACHINE > Software > Java.
c. Within Internet Explorer, make sure the built-in pop-up blocker is either disabled or its Filter Level set to Low: Allow pop-ups from secure sites. Set this under Tools > Pop-up Blocker > Pop-up Blocker Settings.
d. Set the Tools > Internet Options > Settings > Check for new versions of stored pages option to Every visit to the page.
e. Restart the browser.
f. When prompted, download and install JRE 1.5.0_05.
g. In Control Panel > Java Advanced Security, deselect the three Warn if options.
h. Go to the WebConsole login page. Do not type in a user name until you are asked whether you want to disregard the security warning. Then, click Always.

When using Sniffer Enterprise Administrator 4.0 MR6/4.1 MR1 with the Model APGB, the Connect button in SEA is active for Model APGB Agents before the Console included with the Model APGB has been installed (v4.70.314). Because the Model APGB does not support WebConsole connections, the Connect button in SEA should only be available if the Console included with the Model APGB has been installed on the machine accessing the SEA server. [CQ# 64731] [CQ# 64732]

When using Sniffer Enterprise Administrator 4.0/4.1, entries in the SEA Activity Log for Model APGB Appliances will show DSPro as the Source rather than AppIntell. Some alarms generated by the Model APGB will show DSPro in the log entries in both Alarm Manager and Sniffer Enterprise Administrator rather than AppIntell (for example, DSPro Capture Start and DSPro Capture Stop alarms). This is due to the fact that the Model APGB and Sniffer Distributed Agents share the same MIB structure.

WebConsole Issues
When using WebConsole to connect to an Agent through a firewall that uses Network Address Translation (NAT), the title bar of the WebConsole window displays the Agent's internal IP address instead of the externally addressable IP address. [CQ# 48026]

The response times shown in WebConsole's ART displays for Gigabit Ethernet Media Modules are occasionally displaying incorrect times. SniffView shows the response times correctly. [CQ# 55227]

WebConsole limits you to a total of four simultaneous Visual Filter windows. [CQ# 63143]

Under certain circumstances, WebConsole connections may experience unexpected error messages or instability. [CQ# 56634] [CQ# 56864] In most cases, you can bypass these failures with the following workaround:
a. Use the Add/Remove Programs Control Panel to remove all versions of JRE earlier than 1.5.0_05.
b. Delete all registry keys associated with the earlier JRE versions from HKEY_LOCAL_MACHINE > Software > Java.
c. Within Internet Explorer, make sure the built-in pop-up blocker is either disabled or its Filter Level set to Low: Allow pop-ups from secure sites. Set this under Tools > Pop-up Blocker > Pop-up Blocker Settings.
d. Set the Tools > Internet Options > Settings > Check for new versions of stored pages option to Every visit to the page.
e. Restart the browser.
f. When prompted, download and install JRE 1.5.0_05.
g. In Control Panel > Java Advanced Security, deselect the three Warn if options.
h. Go to the WebConsole login page. Do not type in a user name until you are asked whether you want to disregard the security warning. Then, click Always.

Application Intelligence Issues
Retransmitted TCP RST (Reset) packets on an H.323 conversation may cause Sniffer Application Intelligence to count the conversation twice (once up until the first RST and once after the next RST is seen). This is because Sniffer Application Intelligence considers a RST packet as the logical conclusion of a conversation. [CQ# 37074]

Console Coexistence Issues
Uninstalling the Version 4.6 Console on a machine with coexisting Version 4.6 and Version 4.8 Consoles can cause error messages to appear when connecting to Appliances with no Adaptec Ethernet cards installed. The error messages read "An unsupported operation was attempted." [CQ# 56411] If you are experiencing this situation, run the following batch files and reboot the Console to remedy the issue:
\Program Files\NAI\DSProConsoleNT 4.8\Program\SDRestore\SDUpdate.bat
\Program Files\NAI\DSProConsoleNT 4.8\Program\SDRestore\System32\ocxupdate.bat

If you uninstall the most recent version of the Console, the earlier coexisting version of the Console will no longer be available from the Start menu. However, you can still start the earlier version by opening Windows Explorer and double-clicking its entry in the \Program directory. For example, if you have Version 4.8 of the SniffView Console coexisting with Version 4.7 and decide to uninstall Version 4.8, you would need to do the following to use the Version 4.6 Console that remains on the PC:
a. Open Windows Explorer and navigate to C:\Program Files\NAI\DSProConsoleNT 4.7\Program\.
b. Double-click the DSProView.exe entry.
You may want to create a shortcut to the DSProView.exe entry on the desktop so you do not need to return to this folder using Windows Explorer every time you want to launch the Console. [CQ# 48099]

Uninstalling the Version 4.6 Console on a machine with coexisting Version 4.6 and Version 4.7 Consoles can cause error messages to appear when connecting to Appliances with no Adaptec Ethernet cards installed. The error messages read "An unsupported operation was attempted." [CQ# 56411] If you are experiencing this situation, run the following batch files and reboot the Console to remedy the issue:
\Program Files\NAI\DSProConsoleNT 4.7\Program\SDRestore\SDUpdate.bat
\Program Files\NAI\DSProConsoleNT 4.7\Program\SDRestore\System32\ocxupdate.bat

If you uninstall the most recent version of the Console, the earlier coexisting version of the Console will no longer be available from the Start menu. However, you can still start the earlier version by opening Windows Explorer and double-clicking its entry in the \Program directory. For example, if you have Version 4.7 of the SniffView Console coexisting with Version 4.6 and decide to uninstall Version 4.7, you would need to do the following to use the Version 4.6 Console that remains on the PC:
a. Open Windows Explorer and navigate to C:\Program Files\NAI\DSProConsoleNT 4.6\Program\.
b. Double-click the DSProView.exe entry.
You may want to create a shortcut to the DSProView.exe entry on the desktop so you do not need to return to this folder using Windows Explorer every time you want to launch the Console. [CQ# 48099]

RMON/SNMP Issues
Sniffer Distributed Appliances do not save changes to protDirHostConfig and protDirMatrixConfig settings across an Agent reboot. If you disable these options from a third party RMON Console, they will automatically be reenabled after the Agent restarts. [CQ# 12216]

SNMP Capture and Upload operations are not supported for the Media Modules provided with Model E2GR, s6040, and APGR Sniffer Distributed Appliances. [CQ# 48172]

By default, the Sniffer Distributed Agent does not populate the HostTopNTable. This happens because the HostTopNControlTable is not populated by default. To ensure that the HostTopNTable is properly updated, fill in the HostTopNControlTable manually. For example, set the hostTopNStatus and hostTopNTimeRemaining objects in the HostTopNControlTable suitably and save. After doing so, the Agent will populate the HostTopNTable correctly. [CQ# 48493]

When using the Media Modules provided with the Model E2GR, s6040, and APGR Appliances, nlMatrixTopN and alMatrixTopN tables will not be available for third party RMON Consoles. Because of this, these Models are not supported for use with Lucent VitalNet. [CQ# 47668] [CQ# 49268]

When using the Media Modules provided with Model E2GR, s6040, and APGR Appliances, the Dashboard will report error statistics correctly. However, MAC layer error packets are not being counted in the Monitor's Host Table, Matrix, or Protocol Distribution views. [CQ# 46909]

SNMP Capture and Upload operations are not supported for the Media Modules provided with Model E2GB and s6040 Sniffer Distributed Appliances. [CQ# 48172]

When using the Media Modules provided with the Model APGB, nlMatrixTopN and alMatrixTopN tables will not be available for third party RMON Consoles. Because of this, the Model APGB is not supported for use with Lucent VitalNet. [CQ# 47668] [CQ# 49268]

When using the Media Modules provided with the Model APGB, the Dashboard will report error statistics correctly. However, MAC layer error packets are not being counted in the Monitor's Host Table, Matrix, or Protocol Distribution views. [CQ# 46909]

When using the Media Modules provided with Model E2GB and s6040 Sniffer Distributed Appliances, nlMatrixTopN and alMatrixTopN tables will not be available for third party RMON Consoles. Because of this, the Model E2GB and s6040 Appliances are not supported for use with Lucent VitalNet. [CQ# 47668] [CQ# 49268]

When using the Media Modules provided with Model E2GB and s6040 Sniffer Distributed Appliances, the Dashboard will report error statistics correctly. However, MAC layer error packets are not being counted in the Monitor's Host Table, Matrix, or Protocol Distribution views. This is true of all Media Modules -- legacy Media Modules, updated Media Modules, and PCI Media Modules. [CQ# 46909]

VoIP Intelligence Issues
Session layer SCCP objects for stations transmitting only keepalive messages for long periods of time are not being recycled as quickly as they should be. This results in Session layer SCCP objects lasting a long time in the display. [CQ# 49759]

When a gateway is used between two communicating VoIP stations, the Expert will create two separate Application layer objects for the call (one for each side of the call). There will be an RTP object attached to whichever of these two objects was created first by the Expert.

The Call Flow pane in the Expert Detail displays for some VoIP network objects cannot display information for multipoint conference calls. In addition, the statistics for the individual calls on a multipoint conference call may be combined under a single Expert object. [CQ# 30738]

VoIP Intelligence capture and display filters use a variety of tests to identify traffic as belonging to a particular VoIP protocol. Occasionally, some non-VoIP protocols may match the tests used for these filters and will mistakenly be included or excluded by the filter.

The Expert may not create objects properly for calls that have been put on Hold. Calls that have been forwarded may also exhibit similar issues. [CQ# 32679, 32680, 32686]

The Expert creates SIP Call Flow objects at the Application layer based on call IDs. Because of this, if a SIP call is assigned a new call ID as a result of a Redirection message (for example, Multiple Choices or Moved Temporarily), the Expert will create a new object for the call's post-redirection statistics.

H.245 frames are not decoded and analyzed by the Expert if VoIP Intelligence does not see the corresponding H.225 signaling frames for a call. The Expert may occasionally mistakenly identify H.245 packets as TCP. This may appear when applying filters on H.245 traffic (the filter will display H.245 packets but identify them as TCP) or saving selected H.245 packets (the H.245 packets will be saved but will be identified as TCP). [CQ# 38274, 37240]

RAS decodes may be incomplete for certain frames.

ASCII encoding is only supported for SDES in RTCP packets.

RTP frames are not decoded if they are carried on an odd UDP port number. [CQ# 32782, 5377]

RTCP frames are not decoded if they are carried on an even UDP port number. [CQ# 32786]

RTP and H245 frames may be incorrectly decoded if they are carried over UDP ports assigned to other protocols.

When using Sniffer Voice on a Model E2GB or s6040 Appliance, monitor and capture filters for RTP, RTCP, and H245 are not available in the Protocols tab. [CQ# 48331]

Sniffer Voice capture and display filters use a variety of tests to identify traffic as belonging to a particular VoIP protocol. Occasionally, some non-VoIP protocols may match the tests used for these filters and will mistakenly be included or excluded by the filter.

Capture filters for H.245 and RTP do not work on the Model EFD1 Appliance. [CQ# 37277]

H.245 frames are not decoded and analyzed by the Expert if Sniffer Voice does not see the corresponding H.225 signaling frames for a call. The Expert may occasionally mistakenly identify H.245 packets as TCP. This may appear when applying filters on H.245 traffic (the filter will display H.245 packets but identify them as TCP) or saving selected H.245 packets (the H.245 packets will be saved but will be identified as TCP). [CQ# 38274, 37240]

Mobile Intelligence Issues
Various forms of tunneling are used in Mobile Wireless Data Networks. Mobile Intelligence Release 1.0 defines many new mobile related protocols for Monitoring and Post Analysis statistics, and for Display and Capture/Monitor filters. Mobile Intelligence 1.0 statistics and filters do not support the occurrence of these protocols inside tunnels, with the exception of "PPP inside GRE" filters.

ACCM handling for APPP: APPP is being supported specifically for Mobile Intelligence. This decode can be used by other protocols, but there are limiting issues (such as ACCM) that require explanation. 3GPP2 has defined its usage of PPP to require ACCM be set to zero. Because ACCM is negotiated via LCP, Mobile Intelligence, Service Pack 1 may be unable to decode protocols correctly without access to these negotiations. In order to decode PPP negotiations, Sniffer will assume the default ACCM value per RFC 1662 of 0xFFFFFFFF for all traffic other than IP. This may lead to incorrect decodes for other traffic where a different ACCM is used.

Novell NDS Decode: Erroneous Novell NDS decode when traffic is load-balanced between IP endpoints.

Various forms of tunneling are used in Mobile Wireless Data Networks. Sniffer Mobile Release 1.0 defines many new mobile related protocols for Monitoring and Post Analysis statistics, and for Display and Capture/Monitor filters. Sniffer Mobile 1.0 statistics and filters do not support the occurrence of these protocols inside tunnels, with the exception of "PPP inside GRE" filters.

ACCM handling for APPP: APPP is being supported specifically for Sniffer Mobile. This decode can be used by other protocols, but there are limiting issues (such as ACCM) that require explanation. 3GPP2 has defined its usage of PPP to require ACCM be set to zero. Because ACCM is negotiated via LCP, Sniffer Mobile, Service Pack 1 may be unable to decode protocols correctly without access to these negotiations. In order to decode PPP negotiations, Sniffer will assume the default ACCM value per RFC 1662 of 0xFFFFFFFF for all traffic other than IP. This may lead to incorrect decodes for other traffic where a different ACCM is used.

N-layer SAR Disabled: Due to the unique properties of "HDLC-like" PPP, reassembly of protocols above the PPP layer is disabled when "HDLC-like" PPP frames have been reassembled.
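
Why the assumed ACCM changes the decode, shown with the RFC 1662 octet-stuffing rules. This is an added example, not Network General code and not a description of how Sniffer is implemented; the function names and the sample payload are constructed for illustration, and the FCS is left out to keep the focus on the ACCM.

```python
# Added illustration of RFC 1662 octet stuffing; not Sniffer or Network General code.
FLAG = 0x7E                  # Flag Sequence: frame delimiter
ESC = 0x7D                   # Control Escape
XOR = 0x20                   # escaped octets travel XORed with this value
DEFAULT_ACCM = 0xFFFFFFFF    # RFC 1662 default: every octet 0x00-0x1F is flagged
ZERO_ACCM = 0x00000000       # the value the note says 3GPP2 requires


def flagged(octet: int, accm: int) -> bool:
    """True when a control character (< 0x20) has its bit set in the 32-bit map."""
    return octet < 0x20 and bool((accm >> octet) & 1)


def stuff(payload: bytes, tx_accm: int) -> bytes:
    """Sender side: escape FLAG, ESC and every octet flagged in tx_accm."""
    out = bytearray([FLAG])
    for octet in payload:
        if octet in (FLAG, ESC) or flagged(octet, tx_accm):
            out += bytes([ESC, octet ^ XOR])
        else:
            out.append(octet)
    out.append(FLAG)
    return bytes(out)


def unstuff(frame: bytes, rx_accm: int) -> bytes:
    """Receiver side: undo escapes and discard unescaped octets flagged in rx_accm.

    RFC 1662 tells the receiver to remove such octets because intervening
    equipment may have inserted them. A decoder whose map is wider than the
    sender's therefore deletes octets that were real data.
    """
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame must be delimited by 0x7E")
    out = bytearray()
    escaped = False
    for octet in frame[1:-1]:
        if octet == FLAG:
            raise ValueError("flag inside frame body (abort or framing error)")
        if escaped:
            out.append(octet ^ XOR)
            escaped = False
        elif octet == ESC:
            escaped = True
        elif flagged(octet, rx_accm):
            continue                      # dropped as presumed line noise
        else:
            out.append(octet)
    if escaped:
        raise ValueError("frame ends in a dangling Control Escape")
    return bytes(out)


def lost_octets(payload: bytes, tx_accm: int, rx_accm: int) -> int:
    """Number of payload octets that do not survive the round trip."""
    return len(payload) - len(unstuff(stuff(payload, tx_accm), rx_accm))


# Constructed sample: PPP address/control/protocol octets followed by
# arbitrary bytes, several of them below 0x20, plus a literal 0x7E and 0x7D.
SAMPLE = bytes.fromhex("ff03c021010100040011137e7d41")

if __name__ == "__main__":
    wire = stuff(SAMPLE, ZERO_ACCM)       # sender negotiated ACCM = 0
    print("on the wire       :", wire.hex())
    print("decoded, ACCM=0   :", unstuff(wire, ZERO_ACCM).hex())
    print("decoded, default  :", unstuff(wire, DEFAULT_ACCM).hex())
    print("octets lost       :", lost_octets(SAMPLE, ZERO_ACCM, DEFAULT_ACCM))
    # The opposite mismatch is harmless: everything was escaped by the sender.
    print("lost, tx default  :", lost_octets(SAMPLE, DEFAULT_ACCM, ZERO_ACCM))
```

The mismatch only corrupts data in one direction: a decoder assuming the default map against a sender that negotiated zero silently drops every unescaped control octet, which is the situation the note describes for traffic captured without the LCP negotiation.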

Sniffer Reporter Information and Issues
Misleading values may be displayed on a report if you run a report with a start time that falls between the specified data collection interval. For example, if the data collection interval is set for every five minutes (1:00 PM, 1:05 PM… 11:00 PM) and you want to run a report from 1:02 PM to 2:00 PM, the report will display data from 1:00 PM to 2:00 PM. All of the values from 1:02 PM to 2:00 PM will display correctly, but the value attributed to 1:00 PM will be zero, even though data is available for this time. To avoid this, refrain from running a report with a start time that falls between the specified data collection interval.

Sniffer Reporter can only provide reports for topologies supported by the collecting instrumentation. So, even though Sniffer Reporter’s documentation describes its ability to produce WAN/ATM reports, you will not see any in Sniffer Distributed 4.8 because this release does not support WAN/ATM topologies.

Sniffer Reporter Information and Issues
The following matrix lists the versions of Sniffer Reporter compatible with different Sniffer monitoring and analysis products. Note that Sniffer Reporter is not supported on s6040 Appliances. (CQ# 46513)
Sniffer Distributed 4.5 SP2 > Reporter Version: 4.50.62
Sniffer Distributed 4.6 > Reporter Version: 4.60.3
Sniffer Distributed 4.7/4.7SP1a > Reporter Version: 4.70.3
Sniffer Portable 4.80.135 > Reporter Version: 4.50.26
Sniffer Infinistream > Not supported.

When using a Model E2GB Appliance, Sniffer Reporter is supported for use with the 10/100 Ethernet monitor adapter but not for use with the Gigabit Ethernet Media Modules.

The data shown in DLCI Utilization reports occasionally does not match up with the data shown in the Host Table from which the report was created. [CQ# 43014]

Some ATM reports in the Sniffer Reporter may occasionally show negative values on the Y-axis. Affected reports include ATM Link and ATM Top Channels. [CQ# 42693]

Sniffer Reporter only supports the United States locale setting in Windows XP.

Remote Update\Version Migration Issues
The Migrate Software Settings option (also known as "Version Migration") is supported when using Remote Update to update Model ATMB Agents from Version 4.6 onwards. The statement in the online help/documentation stating that it is never supported is incorrect. [CQ# 47794]

Remote Update resets the Agent's DsSnifferSerialIfSvc service's Startup type to Automatic once the update has concluded, causing existing Matrix Switches set up on the Agent not to work. To fix this, reset the service's Startup type to Disabled (Manage Computer > Services > DsSnifferSerialIfSvc > Properties). [CQ# 63138]

Remote Update's Version Migration feature successfully migrates all Mode settings for s6040 Media Modules. However, Link Aggregation settings are not migrated and will need to be recreated.

Sniffer Distributed 4.7 SP1a supports Version Migration for Appliances from Version 4.3 onwards. If you are using Version Migration to port settings from an Agent version earlier than 4.5 (for example, Version 4.3 or 4.3.5) to Version 4.7, the following settings will NOT be migrated automatically:
Tools > Options Settings (all tabs)
Tools > Expert Options Settings (all tabs) [CQ# 41492, 41515]
WebConsole Settings
SNMP Settings made in ProbViewer [CQ# 47951]
NOTE: The Version Migration utility does not migrate the Sniffer Reporter Agent or Sniffer Reporter Console settings and files. Please see the Sniffer Distributed Reporter User's Guide if you want to change Sniffer Reporter's configuration from the default settings.

Model EFD1 Issues
The FDX 10/100 Ethernet PCI Adapter included with Model EFD1 Sniffer Distributed Appliances incorrectly reports maximum sized 802.1Q-tagged frames as oversize errors in the Dashboard. [CQ# 40370]

To apply monitor filters on Application layer protocols with the Model EFD1 Appliance, use Filtered RMON mode and set up the filters in the Capture > Define Filter dialog box. Filtered RMON populates the Monitor applications with data captured using hardware capture filters. See the User's Guide for details on using Filtered RMON mode.
NOTE: If you do not use Filtered RMON mode, normal monitor filters (Monitor > Define Filter) do not work correctly for Application layer protocols on the Model EFD1 Appliance. [CQ# 50428]

Model ATMB/ATMR Issues
After using Remote Update to upgrade a Model ATMB Appliance to Version 4.7 SP1a, you must manually enable the sniffer.sys driver for the Adaptec ANA-620XX Ethernet adapter in the Appliance before you will be able to connect to the updated Appliance. You can do this in the Network Properties dialog box for the adapter. (CQ# 53532)

Additionally, you will also need to manually update the ATM LT2 driver used by the Model ATMB. Use the following procedure to uninstall and reinstall the ATM LT2 driver (CQ# 60877) (CQ# 63361):
a. Remove the traffic source from the ATMbook.
b. Uninstall the ATM LT2 intermediate driver.
c. Reboot the Appliance.
d. Reboot the ATMbook by unplugging the power.
e. Use the instructions in the ATMbook User's Guide to install the ATM LT2 driver on the Network Associates ANA620XX card.
f. Reboot the Appliance.

When using a Model ATMB or ATMR Appliance in a WAN SONET environment, be aware that the hardware used in these Appliances does not correctly adjust for SDH Pointer Justification events. These events add 3 bytes of data to a SONET frame and result in a momentary loss of cell delineation and a burst of AAL5 CRC errors reported by the Appliances. You can avoid this by ensuring that SONET/SDH clock synchronization is strictly maintained. [CQ# 28363]

Model ATMR Agents occasionally show incorrect CRC counts in the Host Table and Dashboard. [CQ# 54677]

When using a Model ATMR Agent, Capture and Monitor filters set up on the Advanced tab to capture PNNI Routing messages are not working correctly. As a workaround, you can use the ATM VPI.VCI tab in the Define Filter dialog box to include the VPI.VCI where PNNI Routing messages are seen and set the Proto Type to PNNI Routing. In addition, make sure that you have enabled the PNNI Routing option in ProbViewer’s Config > ATM Cnx Setup tab [CQ# 47111].

When using a Model ATMR Appliance, the Host Table and ATM Smart Screens will occasionally identify PNNI Signaling traffic incorrectly as Q2931. [CQ# 47053]

Under certain circumstances when using a Model ATMR Appliance, setting Expert display filters on Session layer objects may result in a different set of frames than expected. [CQ# 41873]

Additional Information
When authorizing a Group of Agents, the maximum supported Group size is 20 Agents. (CQ# 62692)

Appliances with at least one interface generating .bin files for Visualizer that also have the Sniffer Application Intelligence module enabled must use the 15 minute collection interval in ProbeViewer’s AppIntell > System sub-tab. The 5 minute collection interval is not supported for any interface in the Appliance when at least one interface is generating .bin files for Visualizer. This is true for all interfaces in the Appliance – if any interface in the Appliance is generating .bin files for Visualizer, then all AppIntell-enabled interfaces in the Appliance must use the 15 minute collection interval.

Appliances with at least one interface generating .bin files for Visualizer should have the following RMON tables selected for autostart in ProbeViewer’s Config > Start sub-tab:
RMON I (MAC)
  Stats+Alarm
  Hosts
  Matrix
  VLAN (if available)
  Protocol Dist
  Leave the Capture+Trigger and Database options unselected.
RMON II (IP, IPX)
  Hosts
  Matrix
  ART (if available)
  Leave the alMatrixTopN and nlMatrixTopN options unselected.

IMPORTANT: Enable these tables for autostart for all interfaces in the Appliance – not just those generating .bin files for Visualizer.

Before executing a software update on a Sniffer Distributed Appliance from Administrator, be sure to log out all Console sessions and close any configuration sessions (ProbeViewer or Config Console) on the Appliance.

A modification to the Application Intelligence policy file is required if the drop counter on the Dashboard displays numerous dropped packets on s6040 agents. Add the "sbdTcpMaxnumSavedInfo" parameter to the [PCApolicies] section of the ADP.ini file as follows:

    sbdTcpMaxnumSavedInfo=xxx

xxx is any value between 200 and 5000 (the default is 2500). After you update the file, reboot the Appliance to apply the change. Rebooting causes all of the collected Application Intelligence data to be deleted.
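The ADP.ini change described above can be applied to a copy of the file with a small script that enforces the documented range and leaves every other line untouched. This Python code is an added example, not Network General code; it assumes ADP.ini uses plain `[section]` and `key=value` INI syntax with case-insensitive names, and the function name `set_saved_info` and the sample file contents are constructed for illustration.

```python
import re

SECTION = "PCApolicies"            # section name given in the release note
KEY = "sbdTcpMaxnumSavedInfo"      # parameter name given in the release note
MIN_VALUE, MAX_VALUE = 200, 5000   # documented range (default is 2500)

# Constructed sample contents; a real ADP.ini will contain other entries.
SAMPLE = """; constructed sample, not a real ADP.ini
[General]
name=demo
[PCApolicies]
otherSetting=1
[Other]
x=2
"""


def set_saved_info(ini_text: str, value: int) -> str:
    """Return ini_text with KEY=value set in [SECTION]; other lines are kept as-is."""
    if not MIN_VALUE <= value <= MAX_VALUE:
        raise ValueError(f"{KEY} must be between {MIN_VALUE} and {MAX_VALUE}, got {value}")
    header = re.compile(r"^\s*\[(.+?)\]\s*$")
    # Commented-out copies (for example "; key=...") do not match this pattern.
    key_line = re.compile(rf"^\s*{re.escape(KEY)}\s*=", re.IGNORECASE)
    new_line = f"{KEY}={value}"

    lines = ini_text.splitlines()
    in_section, header_idx, key_idx = False, None, None
    for i, line in enumerate(lines):
        m = header.match(line)
        if m:
            in_section = m.group(1).strip().lower() == SECTION.lower()
            if in_section and header_idx is None:
                header_idx = i
        elif in_section and key_idx is None and key_line.match(line):
            key_idx = i

    if key_idx is not None:            # parameter already present: replace its value
        lines[key_idx] = new_line
    elif header_idx is not None:       # section present, parameter missing: add it
        lines.insert(header_idx + 1, new_line)
    else:                              # section missing: append section and parameter
        lines += [f"[{SECTION}]", new_line]
    return "\n".join(lines) + "\n"
```
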

Available Documentation
Network General provides each of its customers with an extensive set of documentation, usually consisting of one or more product guides saved in Adobe Acrobat Portable Document Format (.PDF), and an online help system in HTML format. Acrobat Reader is needed to open .PDF documents on the Network General Documentation CD. A free copy of Acrobat Reader is available from the Adobe website at: http://www.adobe.com/prodindex/acrobat/readstep.html.

Contacting Network General
Get help with license entitlement, registrations, grant number inquiries, tech support validation and more by contacting the Network General Customer Service department as follows:
Customer Service
North America phone: (800) 764-3337 (800-SNIFFER)
Email: customerservice@networkgeneral.com
Web: http://www.networkgeneral.com/ContactUs.aspx
The department's hours of operation are 7:00 AM to 7:00 PM Central time, Monday through Friday.
International phone numbers: http://www.networkgeneral.com/ContactUs.aspx
Mail: Network General Corporation, Customer Service Department, 6504 International Pkwy, Suite 2000, Plano TX 75093-8240, USA

Technical Support
Visit Network General Technical Support at: http://www.networkgeneral.com/TechnicalSupport.aspx

Technical Publications
Send questions or comments on the documentation set to: techpubs.feedback@networkgeneral.com

Sniffer University

Sniffer University is a comprehensive educational resource for building and enhancing all network professionals' skills in fault and performance management. Sniffer University has trained over 100,000 network professionals worldwide. The Sniffer Certified Professional Program provides network professionals industry-recognized accreditation as experts in their field. For more information:
• Toll-free: 866-764-3337
• Email: education@networkgeneral.com
• Web: http://www.networkgeneral.com/SnifferUniversity.aspx

Consulting Services

Our consultants provide an expert supplemental resource and independent perspective to resolve your problems. They are ready to assist you during all stages of network growth, from planning and design, through implementation, and with ongoing management. They will help integrate our products into your environment and troubleshoot or baseline network performance. Our consultants also develop and deliver custom solutions to help accomplish your project goals. Currently, custom and product consulting are available. For more information:
• http://www.networkgeneral.com/Consulting.aspx

Copyright and Trademark Attributions
© 2005 - 2007 Network General Corporation. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Network General Corporation or its suppliers or affiliate companies.

Trademarks
Sniffer; InfiniStream; Network General; Empower, Simplify, Protect; and the Network General logo are registered trademarks or trademarks of Network General Corporation and/or its affiliates in the United States and other countries. Only Network General Corporation makes Sniffer® brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
