Troubleshooting with the Sniffer Portable Analyzer
TNV-101-GUI
Sniffer University

Housekeeping
Cell Phones in Silent Mode
Beepers in Silent Mode
Breaks
Lunch
Rest Rooms
Emergency Information
Telephones
Questions

Student Reference CD
Contents of CD:
Sniffer Portable trace files
Subdirectory for each Sniffer University course containing all of the trace files referenced in that course
Reference documents
IETF Request for Comments (RFCs)
Appendix material
ATM Forum specifications and glossary
Miscellaneous reference materials
Sniffer analyzer product documentation
Sniffer Portable 4.7
Sniffer Distributed 4.1
Sniffer Watch
Sniffer Reporter
No Copying...
Thank You!

Curriculum Map
Sniffer University's Total Network Visibility Curriculum
Troubleshooting with the Sniffer Portable Network Analyzer
Ethernet Network Analysis & Troubleshooting (10, 100, 1000 Mbps)
WAN Network Analysis and Troubleshooting
Sniffer Portable Switch Expert Analysis & Troubleshooting
ATM Network Analysis and Troubleshooting
Wireless LAN Analysis and Troubleshooting
TCP/IP Network Analysis and Troubleshooting
Microsoft Windows NT Network Analysis & Troubleshooting
Microsoft Windows 2000 Network Analysis & Troubleshooting
Sniffer Distributed Enterprise Management
Sniffer Watch Reports and Management

Sniffer Certified Professional Program
The Sniffer Certified Professional Program (SCPP) recognizes network professionals who can demonstrate an in-depth understanding of Sniffer Technologies software
There are three levels of certification in the program:
1. Sniffer Certified Professional (SCP)
The first level is designed to test the candidate's knowledge in the use of the Sniffer Portable Network Analyzer
2. Sniffer Certified Expert (SCE)
3. Sniffer Certified Master (SCM)
The second and third levels evaluate the candidate's knowledge of various networking technologies

www.sniffer.com/education
You will find links for:
The SCPP online resource center
Test preparation materials
Practice tests
Product documentation
Course schedule and catalog
Class listings
Registration Information
Register online
Sniffer University survey
Let us know what you think
Sniffer University contacts

Table of Contents
Course Overview
Introduction and Concepts
Starting Sniffer Portable
Monitoring Network Health and Performance
Monitor Applications
Troubleshooting the Network
Managing Alarms
Capturing Network Traffic
Expert Analysis
Using Capture Filters to Narrow the View
Triggers
Analyzing Network Issues
Decode Window
Using Display Filters to Narrow the View
Exercises

Course Overview

Course Objectives
At the end of this course, you will be able to:
Effectively use the Sniffer Portable Network Analyzer in a logical step-by-step process as a network troubleshooting tool
Employ effective troubleshooting techniques to quickly resolve problems in your networks
Partner with Sniffer Portable to proactively monitor and baseline your networks
Optimize your network and applications using the information you have gained from Sniffer Portable

Major Topics
We'll show you how to:
Use the Monitor functions to check the health and performance of your networks
Troubleshoot problems by capturing traffic and using the Expert's help
Analyze the issues by viewing the frames that were captured
Proactively manage the network with Sniffer Portable's tools and reporting capabilities
And we'll give you troubleshooting tips along the way

Vital Troubleshooting Skills
In addition to having a protocol analyzer, you need to have an understanding of:
Your network
Use Sniffer Portable to monitor segments
Have an accurate logical drawing of your entire network
The protocols being used on your network
Sniffer University has a series of protocol-specific classes to teach you the fine details of troubleshooting and maintaining each type of network
Learn how routers and switches are configured to keep them where they belong
Resources available to help you find answers quickly

Additional Resources
Industry Standards, Protocol Specifications, and Product Documentation
Technical Support
Networking Professional Organizations
Fellow Troubleshooters
Books

Introduction and Concepts

Section Objectives
At the end of this section, you will be able to:
Describe the system requirements and supported interfaces of the Sniffer Portable Network Analyzer suite
Relate the OSI Reference Model to a frame on the wire
Start the Sniffer Portable Network Analyzer
Configure a Sniffer Portable local agent
Identify menu items and icons on the Toolbar and Status bar
Generate traffic with Packet Generator

What is a Sniffer Analyzer?
A network troubleshooting tool that assists you in finding and solving network communication problems, analyzing and optimizing network performance, and planning for future growth
Monitor application provides statistics in real time
Capture does real time Expert Analysis as frames are gated into the capture buffer
Profiles make loading complex filters and settings easy to save and activate
Post-capture packet display allows you to analyze the frames in-depth using multiple views
Active tools allow you to generate frames, buffers or perform other tests

Sniffer Analysis Suites
Portable Analysis Suite
Sniffer Portable LAN Suite
Sniffer Portable WAN
Sniffer Portable High-Speed
Distributed Analysis
Sniffer Distributed Agent
Sniffer Distributed Console
No matter which Sniffer suite you choose, the user interface is the same

Sniffer Distributed
[Network diagram. Labels: Sniffer Distributed Consoles; Sniffer Distributed Agents on local segments; Router; Switch/Router; Frame Relay; X.25; Sniffer Distributed Agent on remote segment (shown twice); sites San Francisco, Paris, Tokyo]

Snifferbook
[Hardware diagram. Labels: Analyze T1/E1 RS/V with LM2000 Adapter; Standard Ethernet NIC 10/100; Topology-Specific Interface Module; WANbook; Snifferbook Pod; Power; 1 2 3 4 5 6 7 8; TO SNIFFER; TO HUB]

Troubleshooting Flowchart
Monitor: Monitor Apps, Dashboard, Host Table, Matrix, ART, History Samples, Protocol Distribution, Global Statistics
Troubleshoot: Alarms, Capture Frames, Expert Analysis, Expert Options, Filters, Triggers
Decode: Display Frames, Summary, Detail, Hex, Navigation, Select Frames, Find Frames, Filters, Display Setup
Manage: Address Book, Packet Generator, User Tools, Ping, Trace Route, DNS lookup, Finger, Who Is, Scripts

Sniffer Portable Operation
[Block diagram. Labels: Adapter; Tools (Ping, Trace Route, DNS Lookup, Finger, Who Is); Alarms; Trigger; Capture; Monitor Filters; Display Filters; Monitor Applications (Dashboard, Host Table, Matrix, ART, History Samples, Protocol Distribution, Global Statistics); Displays (Decode, Matrix, Host Table, Protocol Dist, Statistics); Probe Dir; Profiles; Configs; Addr Bk; Database; Traces; Exported Data]

System Requirements
Windows 98 SE, 2000, or NT 4.0
Sniffer Portable Software (Provided by Network Associates)
Microsoft Internet Explorer with MS Virtual Machine and media player
Pentium 400 MHz CPU with minimum 128 MB RAM (256 MB recommended) and minimum 125 MB free disk space
Network Interface Card with NDIS 3.0+ driver
Enhanced NAI drivers for selected cards enhance performance and allow error frames to be captured and analyzed

Supported Interfaces
Ethernet 10/100
Token Ring 4/16
FDDI
HSSI
Full Duplex (supported with a pod)
ATM
WAN
Gigabit Ethernet
802.11b Wireless LAN

Enhanced Drivers
Topology | Adapter with Sniffer Enhanced Drivers | O/S
Ethernet | Adaptec PCI (ANA-21140/UC & ANA-6911/UC) | Win NT, 2000, 98 SE
Ethernet | Adaptec PCI (ANA-6911A/TX/TXC) | Win NT, 2000, 98 SE
Ethernet | Xircom CardBus Ethernet II 10/100 (CBE2) | Win NT, 2000, 98 SE
Ethernet | Xircom Realport CardBus | Win NT, 2000, 98 SE
Ethernet | Xircom Realport2 CardBus | Win NT, 2000, 98 SE
Ethernet | IBM 10/100 EtherJet CardBus | Win NT, 2000, 98 SE
Token Ring | Madge PCMCIA Smart 16/4 Ringnode Mk2 (20-01) | Win NT, 2000, 98 SE
Token Ring | Madge 16/4 CardBus Adapter Mk2 (20-03) | Win NT, 2000, 98 SE
Token Ring | Madge Smart 16/4 PCI Ringnode Mk2/BM2 (51-02) | Win NT, 2000, 98 SE
Token Ring | Madge Smart 16/4 PCI Ringnode Mk3 (51-04) | Win NT, 2000, 98 SE
FDDI | NuCard PCI FDDI Adapter | Win NT
Full Duplex | FDX PCI Card | Win NT
HSSI | PCI Adapter |
WAN | LM2000 ISA Adapter | Win NT, 2000, 98 SE
ATM | Sniffer ATM SAR Adapter | Win NT, 2000, 98 SE
Gigabit | Xyratex PCI Adapter (SX, LX) | Win NT, 2000, 98 SE
Wireless | Symbol Spectrum 24 PCMCIA | Win NT, 2000
Wireless | Cisco Aironet 340/350 PCMCIA | Win NT, 2000
Wireless | Lucent Orinoco Gold PCMCIA | Win NT, 2000
Wireless | Enterasys RoamAbout PCMCIA | Win NT, 2000

OSI Reference Model
7 Application: Allows users to transfer files, send mail, etc.; Only layer that users can communicate with directly; Key features are ease of use and functionality
6 Presentation: Standardized data encoding and decoding; Data compression; Data encryption and decryption
5 Session: Manages user sessions; Reports upper-layer errors; Supports Remote Procedure Call activities
4 Transport: Connection management (e.g., TCP); Error and flow control; Connectionless, unreliable (e.g., UDP)
3 Network: Internetwork packet routing; Minimizes subnet congestion; Resolves differences between subnets
2 Data Link: Network access control - MAC address; Packet framing; Error and flow control
1 Physical: Moves bits across a physical medium; Interface between network medium and network devices; Defines electrical and mechanical characteristics of LAN
Layer groupings shown beside the table: Provides Services; Connects processes; Moves Data

The OSI Model and Frames
DLC RI LLC Network Transport Session Presentation Application
Frames include headers at several layers of the OSI model
The number of headers in a frame is protocol-dependent
Each header has multiple fields that are also protocol-dependent
The Sniffer Network Analyzer reads the entire frame and decodes each byte (and sometimes each bit) into an English explanation of the values
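
The decode step described on this slide, as an added example that is not part of the original course material and not the Sniffer product's code: a short Python decoder that walks a frame header by header (DLC, then LLC or Network, then Transport) and turns bytes and single bits into English. The function names, the two sample frames (constructed, with checksums zeroed and padding omitted), and the choice to stop at IPv4/TCP/UDP are assumptions made for illustration.

```python
import struct

def mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def decode_frame(frame: bytes) -> list:
    """Return one plain-English line per header found, lowest layer first."""
    if len(frame) < 14:
        return ["DLC: frame too short for a DLC header"]
    type_len = struct.unpack("!H", frame[12:14])[0]
    out = [f"DLC: {mac(frame[6:12])} -> {mac(frame[0:6])}"]
    data = frame[14:]
    if type_len < 0x0600:  # 802.3 length field, so an LLC header follows
        if len(data) >= 3:
            out.append(f"LLC: DSAP={data[0]:02X} SSAP={data[1]:02X} control={data[2]:02X}")
        return out
    out[0] += f", Ethertype={type_len:04X}"
    if type_len != 0x0800 or len(data) < 20:
        return out  # only IPv4 is decoded above the DLC layer in this example
    ihl = (data[0] & 0x0F) * 4  # header length: a 4-bit field counted in 32-bit words
    dont_frag = bool(data[6] & 0x40)  # a single bit inside the flags byte
    out.append(f"IP: {ip(data[12:16])} -> {ip(data[16:20])}, header={ihl} bytes, "
               f"protocol={data[9]}, don't fragment={dont_frag}")
    seg = data[ihl:]
    if data[9] == 6 and len(seg) >= 14:
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
        names = "+".join(n for bit, n in TCP_FLAGS if off_flags & bit)
        out.append(f"TCP: port {sport} -> {dport}, seq={seq}, flags={names}")
    elif data[9] == 17 and len(seg) >= 8:
        sport, dport, length = struct.unpack("!HHH", seg[:6])
        out.append(f"UDP: port {sport} -> {dport}, length={length}")
    return out

# Constructed sample frames (checksums left as zero, padding and FCS omitted).
TCP_SYN = bytes.fromhex(
    "001122334455" "66778899AABB" "0800"
    "45000028" "00014000" "40060000" "C0A8010A" "C0A80101"
    "04000050" "00000001" "00000000" "50022000" "00000000")
LLC_FRAME = bytes.fromhex("0180C2000000" "66778899AABB" "0003" "424203")

if __name__ == "__main__":
    for f in (TCP_SYN, LLC_FRAME):
        print("\n".join(decode_frame(f)), end="\n\n")
```

The two samples show why the number of headers is protocol-dependent: the Ethernet II frame yields DLC, IP and TCP lines, while the 802.3 frame yields DLC and LLC lines only.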

Starting Sniffer Portable
Open the SNIFFER.EXE application using your favorite Windows method
From the File menu, go to Select Settings... and choose the local agent (adapter) you want to use
Adapters must be previously configured in Windows and use NAI enhanced or NDIS 3.0+ compliant drivers
The application automatically starts monitoring the traffic seen on the active local agent
Your settings are saved when you exit the application, so it will automatically begin monitoring on the local agent you last chose

What is a Local Agent?
A local agent is a logical reference to a collection of settings, addresses, and profiles associated with an adapter
Each local agent has a unique directory under the Sniffer Program directory
Changes you make are saved in the directory of the active local agent
[Diagram labels: Local Agent 1, Adapter, Local Agent 2; each local agent lists Configurations, Thresholds, Address Book, Profiles (Filters)]

Select Settings...
The title bar indicates the active local agent

Select the Adapter
Settings dialog contains local agents that you have defined
Creating a new local agent allows you to maintain separate settings for each network you analyze
The settings for each will be maintained in separate Local directories under the Program directory

Create a New Local Agent
New... from previous menu shows this screen
Assign a name
Choose the adapter
Specify the Pod
Copy settings from another agent

User Interface
[Screenshot callouts: Title Bar, Menu Bar, Toolbar, Capture, Icons, Toolbar, Status Bar]

The Toolbar
[Toolbar icon callouts: File Open, Save, Print, Abort Print, Dashboard, Hosts, Matrix, Application Response Time, History, Protocol Distribution, Global Stats, Capture Panel, Alarms, Address Book]

Status Bar
Watch the lower right corner of window for real-time counts
[Status bar callouts: Printing, Frames Generated, Frames Captured, Alarms]

Getting Help
Three ways to get help in Sniffer Portable:
1. Use the Help on the menu bar to access the comprehensive on-line User's Guide
2. Highlight an area on the screen and press F1 for context-sensitive help
3. Click on the icon

Major Components
NIC
Monitor: Monitor Applications, Dashboard, Host Table, Matrix, Application Response Time, Protocol Distribution, History, Global Statistics
Capture: Real-Time Expert Analysis
Display: Display Tabs (Expert Analysis, Decode, Host Table, Matrix, Protocol Distribution, Statistics)

Exercise 1-1
Launch Sniffer Portable

Using Packet Generator

What is Packet Generator?
The main purpose of the packet generator is to stress test your network
You can configure it to generate:
A buffer of previously captured data
A frame from the displayed data
A new frame you configure before generating
A frame with no data
Monitor and Capture while generating to view the effect of the new data on the network
We will use it in class to generate trace files while viewing Monitor and Capture screens

Loopback Mode
Transmitting frames from the buffer with the Packet Generator to replay a trace file can be very useful to quickly show Monitor or Capture statistics
WARNING: Make sure that you enable Loopback Mode before starting traffic generation

The Packet Generator
Capture or load and display a trace file
Tools > Packet Generator
[Toolbar callouts: Configure and send new packet, Send current packet, Send current buffer, Stop, Repeat]

Packet Generator Views
Animation View shows data being pumped into the network:
Detail view displays statistics:
Counter in the lower right corner:

Monitoring and Capturing from a File
To enable Monitor in the classroom when a live network is not available, we must:
Set the local agent to Loopback Mode
Load a trace file
Generate traffic from the trace file
Monitor will accept the data as if it came from the network and give us statistics to view
The next couple of slides show the process to make that happen

Generating From a File
Under Files:
Select Loopback Mode if no is visible
Open the trace file
Frames will be stored in the Capture buffer
Display the data
From the Tools pull-down menu:
Choose Packet Generator
Select the Send Buffer icon
Configure the number of times to send the buffer
Note the counts in the lower right counter as frames are generated

Generate Buffer Configuration
Configure how often to send:

Effects on Network Performance
What happens when you transmit data into a live network?
[Diagram labels: Dummy NIC Address, Multicast, Broadcast, Bad Data, Good Data, (Broadcast); CPU Interrupt, Process (discard data), Corrupt Tables]

Generating Traffic
So, why would you want to generate traffic?
Test new equipment in a lab before installing it in a live network
Test vendors' claims for new equipment performance, e.g., packets/frames per second forwarded by a particular brand and model of router/switch
Play back a trace file and observe its operation
Induce a known load of null traffic to see how a network will react to increased bandwidth usage
Test a Network Interface Card's operation
Laboratory testing of suspect routers, switches, gateways, and NICs to ensure proper performance

Summary
In this section, you learned how to:
Describe the system requirements and supported interfaces of the Sniffer Portable Network Analyzer suite
Relate the OSI Reference Model to a frame on the wire
Start Sniffer Portable
Configure a Sniffer Portable local agent
Identify menu items and icons on the Toolbar and Status bar
Generate traffic with Packet Generator

Group Discussion
When would you create/use a local agent?
Why might there be multiple local agents for the same NIC?
How does a frame on the wire relate to the OSI 7 layer model?
When troubleshooting, is it better to start with the Application layer or the DLC layer? Why?