Packet Type: 17 NCP - Netware Core Protocol Destination Network: 0x00000000 [23-26]
Destination Node: ff:ff:ff:ff:ff:ff Ethernet Brdcast [27-32]
Destination Socket: 0x0452 Service Advertising Protocol [33-34]
Source Network: 0x00000010 [35-38]
Source Node: 00:00:1e:04:52:43 [39-44]
Source Socket: 0x4010 IPX Ephemeral [45-46]
SAP - Service Advertising Protocol
Operation: 3 NetWare Nearest Service Query [47-48]
Service Type: 4 File Server [49-50]
Extra bytes (Padding):
. ....NBU 03 c1 00 00 00 00 4e 42 55 [51-59]
Frame Check Sequence: 0x01000000
As you see from the previous packet decodes, there is a lot of information that can be found out about a given network. The key is to know what you are searching for when looking through the results of a protocol analyzer. By looking at decodes and seeing where problems might be occurring, you can resolve network failures more quickly.
Now, let’s look at the way LANWatch works.
The File menu provides options for loading, saving, and capturing packets, as well as printing options. The menu is shown in Figure 3.7.
F I G U R E 3 . 7 File menu for LANWatch32
Marker option in the Edit menu. This option is helpful for selecting packets that belong to a single session or machine. It lets you move between marked packets to see the sequence of events relating to the tagged packets. The toggle marker highlights the timestamp of the specified packet. You can move between marked packets by using the toggle options available from the Edit menu.
Finally, the Edit menu allows you to perform searches within the packet buffer. A screen shot of the Edit menu is shown in Figure 3.8.
F I G U R E 3 . 8 Edit menu for LANWatch32
Three views are available with LANWatch: Examine, Summary, and Detail. The different views are used to show all packets, an individual packet summary, and individual packet details, respectively. Figures 3.9, 3.10, and 3.11 show the differences between the three views. Each subsequent view is similar to “drilling down” into the packet’s content.
F I G U R E 3 . 1 0 Summary view for LANWatch32
The View menu also provides the options for packet capture. You can ini- tiate a normal capture that will continue to accept packets, even after the buffer is full. It continues by discarding the oldest packets captured and allowing new packets to be stored in the buffer. You also have the option to start a capture that stops once the buffer is filled.
The View menu contains access to statistical and throughput information.
Statistical information consists of detailed and summary protocol counts, detailed and summary packet size, and hardware and error counts. Figure 3.12 is a screen shot of the statistical window.
F I G U R E 3 . 1 2 Statistical window
The Filter menu allows you to create, modify, delete, copy, and list current packet filters.
When creating filters, many different criteria can be specified. Figures 3.14 through 3.17 show the filter-creation process using the Filter Wizard. If additional criteria need to be specified, you can add multiple conditions.
This is done by selecting the Next button, shown in Figure 3.17.
The filters created are input filters and not display filters. This means that only packets meeting the specified criteria will be copied into the buffer; others are discarded.
F I G U R E 3 . 1 4 Step 1 in filter creation
F I G U R E 3 . 1 6 Step 3 in filter creation
You can see the active filter displayed in the Filters window on the LANWatch front screen. If multiple filters have been created, you can use the scroll button to select the filter you wish to apply.
There are several shortcut buttons displayed underneath the main menu buttons that have just been described. If you leave the cursor on top of a button for a few seconds, the function of the button will be displayed.
Finally, the information provided by the captured frame is the same as can be found in EtherPeek. Once you select the frame by clicking it with the mouse, you can select different details by pressing Enter.
Network Management Systems (NMSs)
N
etwork management systems (NMSs) are somewhat more complex than simple network monitoring systems. NMSs are more robust because they not only provide monitoring functions for network devices, they also allow for user interaction. Some examples of third-party NMSs are HP OpenView and Sun Net Manager management packages.discover. Both of these systems draw logical topological network maps.
In addition to network discovery, the NMS monitors for device availability and reachability. If something does affect the connectivity, an alarm is tripped within the software, and it logs the event and displays an alarm.
Monitoring can also be done on a more detailed level (such as threshold monitoring). Thresholds can be defined within the software. They tell the program to trigger an alarm if a specified variable for a given machine exceeds a maximum or descends below a minimal value. These alarms can be dealt with in various ways (for example, e-mail or pages may be sent).
The previous examples are just a few examples of what NMS packages can do. Here is a list of what most management systems try to do:
Availability management This was described previously as network monitoring.
Network performance management This is done by measuring traffic loads and other bandwidth-oriented data that can be used to calculate the network’s overall performance.
Network security management This is done by making the NMS the means by which changes are made to network devices. Because the software requires the user to log in, it can also track changes made by the user. Security management can also be done via having a user database within the NMS.
When a network device is accessed or a change is attempted, the user is authenticated from the user profiles located within the NMS.
Network service simulation In today’s networks, it becomes very risky to test out configuration changes on a live production network. Simulation software that enables changes to be made off-line and tested before being implemented is a big part of network management. It gives the administra- tor the ability to see whether the changes will cause any side effects, without endangering the applications on the production network.
Policy-based management This has to do with QoS, or Quality of Service.
When an administrator knows that certain applications require more network resources, he or she can allocate resources accordingly. With policy-based management, the administrator can see where the most resources are needed and make it a higher priority that those resources are available when needed.