═══ 1. Version Notice ═══

Second Edition (July, 1994)

This document applies to Version 1, Release 2 of the DatagLANce Network Analyzer for Ethernet and Token Ring for OS/2, program number 5871-AAA.

Publications are not stocked at the address given below. If you want more IBM publications, ask your IBM representative or write to the IBM branch office serving your locality, or contact your DatagLANce team directly at the address given below.

A form for your comments is provided at the back of this publication. If the form has been removed, you may address comments to:

   Department E67
   IBM Corporation
   PO Box 12195
   Research Triangle Park, NC 27709
   USA

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

═══ 2. Notices ═══

References in this publication to IBM products, programs or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only the IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any of the intellectual property rights of IBM may be used instead of the IBM product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by IBM, is the responsibility of the user.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

   IBM Director of Licensing
   IBM Corporation
   208 Harbor Drive
   Stamford, CT 06904
   USA

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement.
This document is not intended for production use and is furnished as is without any warranty of any kind, and all warranties are hereby disclaimed including the warranties of merchantability and fitness for a particular purpose.

═══ 2.1. Trademarks ═══

The following terms, denoted by an asterisk (*) in this publication, are trademarks of IBM Corporation in the United States or other countries or both:

   DatagLANce
   PS/2
   IBM
   SAA
   Micro Channel
   Systems Application Architecture
   Operating System/2
   System/370
   OS/2
   XT
   Personal System/2

The following terms, denoted by a double asterisk (**) in this publication, are trademarks of other companies:

   AppleTalk                 Apple Corporation, Inc.
   Banyan                    Banyan Systems, Inc.
   Cornerstone Agent         Protools, Inc.
   Foundation Manager        Protools, Inc.
   NetWare                   Novell, Inc.
   Network Control Series    Protools, Inc.
   Sniffer                   Network General Corporation
   SUN                       SUN Microsystems, Inc.
   VINES                     Banyan Systems, Inc.
   DECnet                    Digital Equipment Corporation
   Intel                     Intel Corporation
   IPX                       Novell, Inc.
   LANalyzer                 Novell, Inc.
   Microsoft                 Microsoft Corporation
   NFS                       SUN Microsystems, Inc.
   Novell                    Novell, Inc.
   Windows                   Microsoft Corporation
   386                       Intel Corporation
   486                       Intel Corporation
   Xerox                     Xerox Corporation

═══ 3. About This Book ═══

This book introduces you to the IBM* DatagLANce* Network Analyzer product, a powerful, integrated system for monitoring network status, capturing selected network traffic, and analyzing data. The intent is to help you find the right information and develop the necessary skills with the DatagLANce analyzer to do your job efficiently.

═══ 3.1. Who Should Use This Book ═══

The IBM DatagLANce Network Analyzer is intended for networking support personnel who are responsible for the development, installation, maintenance, troubleshooting and fine tuning of networks or network software applications.
Because your needs and backgrounds vary greatly, as space permits, we will explain things in detail for the novice user, without getting in the way of more experienced users. Often, this book refers readers who need more help directly to related documents and tutorials instead of repeating them here. In other places, the book simply suggests that those who are familiar with the topic just move on.

═══ 3.2. How to Use This Book ═══

This book uses a symbol (|) to indicate where changes have been made to the book. This symbol is located to the left of the changed information.

This book explains how to install and use your DatagLANce Network Analyzer. It includes the following chapters, appendixes, a glossary, a list of abbreviations, and an index:

   Introducing DatagLANce describes the functions and benefits of your DatagLANce Network Analyzer.
   Installing DatagLANce explains how to install your DatagLANce Network Analyzer software.
   Getting Started, although not a tutorial, helps you get started by demonstrating how to use the DatagLANce analyzer in several typical situations.
   Monitoring the Network gives a detailed description for using most DatagLANce real-time functions except the capture and traffic functions.
   Capturing Frames from the Network explains how to use the capture function to select and store network data.
   Analyzing Captured Frames describes how to understand, format, and redirect captured data.
   Traffic Generation and Playback describes the DatagLANce Network Analyzer's traffic generation and playback functions.
   Frame Formats gives information about frame formats.
   Protocols Decoded lists the protocols decoded by the DatagLANce analyzer.
   Figure "User Preferences Window" explains how to select the address format displayed and the font size for some of the windows.
   Symbolic Names Support describes the symbolic name support provided by the DatagLANce analyzer.
   Configurations explains how to save and load DatagLANce configurations.
   History Statistics File Formats gives the format of the binary file used to store historical statistics.
   Capture Data File Formats gives the format of capture data files created by the DatagLANce Network Analyzer.
   DatagLANce Alarms: SNMP Traps and Pager Codes describes specific information about DatagLANce alarm reporting options.

═══ 3.2.1. Highlighting Conventions ═══

The following highlighting conventions are used in this book:

   Bold        Identifies commands, action bar choices, menu options, pull-down options, and push buttons.
   Italics     Identifies parameters whose actual names or values are to be supplied by the user, terms that are defined in the following text and in the glossary, and titles of manuals.
   Monospace   Identifies examples of program code, messages, or text you might see displayed.

═══ 4. Introducing DatagLANce ═══

The IBM DatagLANce Network Analyzer for Ethernet and Token-Ring for OS/2* is a network monitoring program for use with Ethernet and token-ring networks. Figure "DatagLANce Network Analyzer" shows the main screen of the DatagLANce analyzer.

[Figure: DatagLANce Network Analyzer]

This chapter summarizes the functions of the DatagLANce analyzer, describes briefly how the DatagLANce analyzer works, and lists the major benefits of the product.

═══ 4.1. What the DatagLANce Analyzer Can Do for You ═══

You can use the DatagLANce analyzer to:

 o Get an accurate picture of the current activity on your network.
 o Get an historical record of network activity over a specified period of time.
 o Design your own screens and save them.
 o Create 32 different bar charts of real-time statistics.
 o Launch an analysis session and call up frame summary views, protocol interpreted views, and hexadecimal views, all color coded, highlighted, and tracked simultaneously.
 o Switch to the Network Statistics screen to see statistics in text form, bar charts, history graphs, and network status.
 o Rearrange the statistics, add to them, and save them under a new name.
 o Use the alarms to let you know when certain statistical thresholds, like network utilization, are reached.

While the DatagLANce analyzer is monitoring your network, you can even use the Personal System/2* (PS/2*) computer for other applications.

With the DatagLANce analyzer, you have at your command:

 o Eighty-eight source and destination address pairs filtered in real time
 o Real-time frame capture while monitoring
 o Eight fast, super-powerful, programmable event detectors
 o Flexible, user-definable interface
 o Reliable, accurate information
 o Continuous reports of the most active stations (top talkers), ring map (token-ring only), error conditions, statistics, and selected network data
 o Broad data import and export support
 o Extensive protocol decode coverage
 o 10-msec time-stamp (token-ring) or 32-msec time-stamp (Ethernet)
 o Optional 840-nanosecond, high-resolution time-stamp
 o Fully windowed, graphical, multitasking user interface

═══ 4.1.1. Data Capture ═══

Use the 8 event detectors to select only the data you want to capture from your network (see Figure "DatagLANce's Powerful Capture Filter"). Use one event detector to begin tracing, another to select what to capture, and another to set the point around which the stored data will be referenced. You still have five event detectors left for simultaneous custom statistical analysis!

[Figure: DatagLANce's Powerful Capture Filter]

What can one event detector do? How about selecting 11 source/destination address pairs? If you prefer, select from any combination of the protocols offered. You say you need to search data fields? One detector permits the filtering of up to 32 consecutive bytes, defined at the bit level if you wish, including don't cares; even source-routed frames will not interfere with your search. Then, multiply this power by combining event detectors in logical expressions to control capture, gather statistics, and energize alarms.

═══ 4.1.2. Data Analysis ═══

LAN technology is growing rapidly.
It is not easy to keep up with the flood of new networking protocols. That is why your DatagLANce analyzer carefully and completely decodes and interprets information (see Figure "DatagLANce's Protocol Analysis") to help you make sense out of this rather confusing environment. In addition, the DatagLANce analyzer uses color coding and logical positioning to present the data in a clear and concise manner.

[Figure: DatagLANce's Protocol Analysis]

This release of the DatagLANce analyzer supports all or portions of the following protocol suites:

 o FDDI Protocol Suite
 o Token-Ring Protocol Suite
 o Ethernet/802.3 Protocol Suite
 o IBM Protocol Suite
 o TCP/IP Protocol Suite
 o SUN** NFS** Protocol Suite
 o XNS Protocol Suite
 o Novell** NetWare** Protocol Suite
 o DECnet** Protocol Suite
 o AppleTalk** Protocol Suite
 o Banyan** VINES** Protocol Suite
 o ISO Protocol Suite
 o X.25 Protocol Suite

See Protocols Decoded for a list of each protocol decoded.

═══ 4.1.3. Statistical History ═══

The DatagLANce analyzer can store historical views of statistics. The software permits you to record statistics over selectable time intervals. You can chart utilization, frame rate, data rate, and error rate statistics in real-time graphs or save them to a file. They can even be exported to your spreadsheet in industry-standard format.

Five custom counters keep track of the logical combinations of your eight event detectors. Tailor the counters to keep tally of just about any type of data that is displayed on your network. Figure "Viewing Your Network's Past" shows some of the possible history graphs.

[Figure: Viewing Your Network's Past]

═══ 4.1.4. Alarms ═══

The DatagLANce analyzer's alarm function monitors rates of statistical information to determine when thresholds are reached. For example, if network utilization falls outside a given range, your DatagLANce analyzer will make an entry, sound a tone, or both. All of the statistical counters serve as input to the alarm function.
You can set up alarms for many different conditions. Your DatagLANce analyzer has five separate alarm priorities to notify you whenever the condition of your network matches your criteria. Messages in the alarm log are color coded by priority level to make information easy to see. Figure "DatagLANce's Alarms Help Monitor Your Network" shows an example of the alarm log.

[Figure: DatagLANce's Alarms Help Monitor Your Network]

═══ 4.1.5. Traffic Statistics ═══

The DatagLANce analyzer enables you to see the stations that are operating on the network and the number of bytes and frames that each station has sent during the time that traffic statistics have been tracked (see Figure "Traffic Statistics"). You can sort this information in multiple ways to help you watch the activity of the stations.

[Figure: Traffic Statistics]

═══ 4.1.6. Network Glance ═══

Network Glance allows you to take a real-time look at frames traveling on the network (see Figure "Real-Time Network Traffic"). You can also use Network Glance to look at the frames while the DatagLANce analyzer is capturing data.

[Figure: Real-Time Network Traffic]

═══ 4.1.7. Traffic Generation and Playback ═══

The DatagLANce analyzer's single frame traffic generation function permits you to test your network under different traffic loads to measure performance and do network tuning.

The DatagLANce analyzer's playback function permits you to play back traffic into the DatagLANce Network Analyzer application or back onto the network. Playing back into the application permits you to analyze the same network traffic multiple times, using all of the functions of the application to troubleshoot your problem. Playing back onto the network permits you to simulate network traffic for use in classroom situations and DatagLANce Network Analyzer training.

[Figure: Simulating Network Traffic]

═══ 4.2. OS/2 Tips ═══

Many good tools require a little effort to find the most effective ways to use them.
As you invest the time to learn OS/2, you build skills that can help you get your job done. If you are new to OS/2, we encourage you to start by working through the online OS/2 tutorial located on the OS/2 desktop. The following sections give some OS/2 hints that you might find helpful when using your DatagLANce analyzer.

═══ 4.2.1. Auto-Starting Applications ═══

The SET RESTARTOBJECTS= statement in the CONFIG.SYS file determines whether applications that are running when the system is shut down will automatically be restarted when the system is started again. Specifying RESTARTOBJECTS=NO can save time when the system is activated because time is not spent restarting applications.

═══ 4.2.2. Conserving Diskettes ═══

If you have problems with diskettes going bad while you are using MS-DOS or OS/2, you definitely need to consider this tip.

Warning: Never remove a diskette when the light emitting diode (LED) associated with it is still lit. The software message associated with drive access is often displayed on the screen well before the diskette LED is off. If you remove the diskette too soon, data on the diskette will probably be destroyed.

═══ 4.2.3. Using the Alt Key Instead of the Mouse ═══

Often, keyboard keys can be used in place of pointing and clicking with the mouse; these are usually called shortcut keys. To use the Alt key as a shortcut key:

 1. Press and release the Alt key once. The first choice in the menu bar is highlighted.
 2. Move the cursor down one line to open that menu.
 3. Move the cursor to the right to bring the menu you want into view.
 4. Move the cursor to highlight the choice you want and press Enter to select it. Instead of using the Enter key, you can also press the underlined letter key to select the choice you want directly. Some selections list key combinations next to them. These can be used to select the choice without even opening the menu.
 5. Hold down the Alt key and press the underlined letter in the menu bar selection name to go directly to that selection.

═══ 4.2.4. Backing out of Menu Selections ═══

The Esc key backs you out of menu selections.

═══ 4.2.5. Determining What Applications Are Running ═══

The Ctrl-Esc key combination gives a menu of the applications running; from this menu you can select the application you want. It is easy to locate different analysis sessions because your DatagLANce analyzer software includes the file name in this list.

═══ 4.2.6. Locating Items in Drop-Down Lists ═══

Drop-down lists are identified by a push button, showing an arrow pointing down to an equal sign, to the right of the box. If you use mouse button 1 to click on the arrow push button, the list box will open. Although you can scroll through the list to find your selection, OS/2 also offers a first letter shortcut. If you know what you are looking for, this really saves time. Just repeatedly press the first letter of your selection, and move to the next choice starting with that letter in the list.

═══ 4.2.7. Using the Title Bar ═══

The title bar is displayed at the top of each window and contains the window name. You can position your mouse pointer in this area and grab the window by holding down mouse button 1 as you drag the window to a new position. You can also use the title bar to maximize and restore the window by clicking on the push button at the left of the title bar.

═══ 4.2.8. Closing Windows ═══

The system menu icon is in the upper left corner of each window. Double-click on this icon to close your window.

═══ 4.2.9. Delayed Printing ═══

Any files that are sent to the OS/2 printer begin printing only after the complete file has been received by the printer program. This permits multiple applications to access the printer simultaneously by ensuring that no one application interferes with another application's use of the printer.
Therefore, if you select the printer as the device to which to write for a DatagLANce analyzer application, the data will not be printed until the writing ends. (For example, if you log alarms to the printer, alarm information will not be printed until the monitor function is stopped.)

═══ 4.3. DatagLANce Analyzer Tips ═══

This section contains techniques to help you get the most from your DatagLANce analyzer.

═══ 4.3.1. Viewing Details of a Summary Line ═══

In an analysis session, you often need to move forward from Summary, to Detail, to Hexdump displays. To see the detail of a particular summary line, simply double-click on the line. The same holds true to move from Detail to Hexdump.

═══ 4.3.2. Using Bookmarks ═══

Often, captured data contains thousands of frames. Bookmarks are useful tools for moving quickly from place to place in these files. To set a bookmark quickly, highlight the desired line and then press Alt-x where x is the bookmark number. Then, to return to that bookmark, simply press the appropriate number key on the keyboard. For more information, see Bookmarks.

═══ 4.4. Using the DatagLANce Menus ═══

This section is a quick overview of some of the things you can do from the DatagLANce Network Analyzer window. Later chapters give more detail about using the choices available from each of the menus mentioned in this section.

The DatagLANce Icon View window contains icons for the Token-Ring Network Analyzer, the Ethernet Network Analyzer or both, depending on your system. We will look at the Token-Ring Network Analyzer in this introduction section. The Ethernet Network Analyzer is similar to the Token-Ring Network Analyzer.

The menu bar, under the title bar of the Token-Ring DatagLANce Network Analyzer window, lists choices that you can select from the window (see Figure "Token-Ring DatagLANce Network Analyzer Window"). You select a menu choice by moving the mouse pointer to the item and clicking once with mouse button 1.
This causes a menu for that item to be displayed.

[Figure: Token-Ring DatagLANce Network Analyzer Window]

═══ 4.4.1. File Menu ═══

From this menu, you can select the address format or, under Preferences, you can adjust the font size. You can edit any symbolic names. You can also print reports and save or restore configurations of the options and screens you design.

═══ 4.4.2. Monitor Menu ═══

From this menu, you select media connection or speed, adapter options, statistics recording options, alarms, traffic statistics options, and make the choice between Network Glance or Ring Map.

═══ 4.4.3. Capture Menu ═══

Here, you specify what you want to capture, where it will be stored, and when the capture will take place.

═══ 4.4.4. Transmit Menu ═══

Here, you select whether to generate traffic, play back traffic onto the network, or play back traffic into the DatagLANce Network Analyzer.

═══ 4.4.5. Screen Menu ═══

From the Screen pull-down menu, you can bring up previously designed groups (screens) of windows that contain convenient sets of displays. Selecting Define permits you to design and store your own best arrangements.

═══ 4.4.6. Window Menu ═══

From the window pull-down menu, you can design your own screens. Then, from the Screens window, you can select the windows you created using this menu.

═══ 4.4.7. Help Choice ═══

Selecting the Help choice accesses the IBM DatagLANce Network Analyzer for Ethernet and Token Ring for OS/2 User's Guide and displays the section that relates to the current screen. To access a different section, select Contents from the Options menu in the window that is displayed.

═══ 4.4.8. Analysis! Choice ═══

Here, you select to launch a protocol analysis session to analyze frames stored in the capture buffer or a file.

═══ 4.4.9. Go! Choice ═══

Selecting this choice starts the monitoring of the network or the capturing of frames, and changes the menu choice to Stop!, which permits you to stop the monitoring or capturing.

═══ 5. Installing DatagLANce ═══

═══ 5.1. Hardware and Software Requirements ═══

You need the following hardware and software to use the DatagLANce analyzer software:

 o An IBM 386, or higher, processor-based computer. An IBM 486 33 MHz, or higher, is recommended.
 o A VGA, or higher, color display is recommended.
 o OS/2 2.0 or higher.
 o A minimum of 6 MB of RAM; 12 MB of RAM is recommended.
 o A minimum of 12 MB of free fixed disk space.
 o One of the following adapters:
    o Token-Ring DatagLANce:
       - IBM DatagLANce Token-Ring 16/4 ISA Adapter
       - IBM DatagLANce Token-Ring 16/4 MC Adapter
       - IBM DatagLANce Token-Ring 16/4 CC Adapter
    o Other IBM token-ring:
       - IBM Trace and Performance Token-Ring 16/4 Adapter
       - IBM Trace and Performance Token-Ring 16/4 Adapter/A
    o OEM
       - Network General 16/4 Token-Ring Sniffer** Network Analyzer, excluding Madge Networks, Inc., Token-Ring Adapters for AT Bus
    o Ethernet:
       - IBM LAN Adapter for Ethernet TP
       - IBM LAN Adapter for Ethernet CX
       - IBM LAN Adapter for Ethernet
       - IBM PS/2 Adapter/A for Ethernet Networks
       - IBM PS/2 Ethernet Twisted-Pair Adapter/A
       - Credit Card Adapter for Ethernet 10Base2
       - Credit Card Adapter for Ethernet 10BaseT
 o If you plan to use a credit card adapter, your computer must have OS/2 2.1 or higher, plus the card and socket services drivers appropriate for your computer installation.
 o For a dual same-media DatagLANce Network Analyzer (such as two token-ring or Ethernet DatagLANce analyzers in the same computer), you will need another of the above adapters for the same media.
 o To utilize the SNMP Trap alarm option (see Configuring Alarms: The Alarm Options), you must have IBM TCP/IP for OS/2 installed and a separate network interface for TCP/IP communication configured (i.e., another network adapter or SLIP line).
 o To utilize the pager alarm option (see Configuring Alarms: The Alarm Options), you must have a phone and a Hayes** compatible modem attached to one of the COM ports of your computer.

═══ 5.2. Installing the DatagLANce Network Analyzer ═══

To install the DatagLANce Network Analyzer software onto your fixed disk, follow these steps:

 1. Attach the DatagLANce key to the parallel port of your computer.
 2. Place installation diskette 1 in drive A and, from an OS/2 full screen command prompt, type the following command:

       A:INSTALL

 3. Follow the installation instructions given to you by the installation program.
 4. Install the supplied adapters in your system using the installation instructions supplied with the adapters. The adapters must be configured as instructed by the DatagLANce analyzer installation program.
 5. Connect the network interface cable to the adapter. This will connect your DatagLANce analyzer to the network.

    When connecting to Ethernet coaxial cable, be sure to connect with a Coaxial T connector and, if needed, use a BNC terminator cap on any unconnected end.

    Some Ethernet adapters have multiple connections. Select the media to which you will connect your DatagLANce analyzer from the Monitor menu or correctly configure the adapter (by means of DIP switches on the adapter) before connecting. See Using the Monitor Menu for a description of these options. Refer to the reference book that comes with your Ethernet adapter for configuration options.
 6. Restart the computer, making sure the DatagLANce key is still attached to the parallel port.
 7. Review the READ.ME file that resides in the same directory as the software. This file may be viewed using any standard text file editor.

Help can be accessed anytime from the help menus found on most windows. See Getting Started for a good starting point to learn how to use your DatagLANce analyzer.

═══ 5.3. DatagLANce Device Driver Options ═══

The DatagLANce analyzer installation program will automatically modify your CONFIG.SYS file to add one or more DatagLANce device driver statements.
The device drivers installed can be:

 o The DatagLANce High-Resolution Time-Stamp Device Driver (DEVICE=DGHRT$.SYS)
 o The DatagLANce Token-Ring Device Driver (DEVICE=DGTR0$.SYS)
 o The DatagLANce Ethernet Device Driver (DEVICE=DGEN0$.SYS)

The following sections explain in more detail the DatagLANce device driver parameters that you can change to customize your DatagLANce analyzer.

═══ 5.3.1. The High-Resolution Time-Stamp Option ═══

Because standard time-stamp resolution is just 10-msec for token-ring and 32-msec for Ethernet, the DatagLANce analyzer offers time-stamping frames with a high-resolution time-stamp. This time-stamp is measured in 840 nanosecond clock ticks. There are limitations to interpreting this time-stamp, however.

 o Because the adapters being used to capture frames do not automatically time-stamp the frames as they arrive, the DatagLANce device driver must time-stamp the frame when processed. Because the speed of the processors available in computers can vary, this time-stamp value will be affected by the speed of the computer.
 o The time-stamp will also be affected by the amount of processing that the DatagLANce analyzer performs on the frame that arrives. Thus, enabling the filtering options can affect this time-stamp.
 o The high resolution time-stamp attaches a precision number to each frame processed. This number can often help in resolving networking problems by giving a good approximation of the relative arrival times of frames. The time-stamp is not guaranteed to represent a precise frame arrival time.
 o The DEVICE=DGHRT$.SYS device driver statement added to the CONFIG.SYS file enables the high-resolution time-stamp option to be used. This device statement will be added by the DatagLANce installation program during installation if you elect to use the high-resolution time-stamp option. To disable this option, remove this statement.

═══ 5.3.2. The BUFSIZE= Parameter ═══

The BUFSIZE= parameter on the DEVICE=DGTR0$.SYS (or DEVICE=DGEN0$.SYS) line in the CONFIG.SYS selects the size of the memory capture buffer that the DatagLANce analyzer will use to store captured frames (see Capturing Frames from the Network). This parameter is specified as:

   BUFSIZE=size

where size is the buffer size. The value for size can range from 64K (for a 64-KB buffer) to 32M (for a 32-MB buffer). For example, for a 128-KB buffer size, you specify:

   BUFSIZE=128K

The buffer size must be specified as a multiple of 64-KB increments. If this parameter is not specified, the default buffer size is 64 KB.

By increasing the capture buffer size, you can increase the number of frames that the DatagLANce analyzer can capture to the buffer, thus giving you a larger window in which to analyze frames from the network. By increasing this buffer size, you can also improve the performance of the DatagLANce analyzer when capturing data to a file (see Capturing to the Capture Buffer Versus Capturing to File).

Note: Ensure that the system has sufficient memory available to operate when you specify this parameter. The memory claimed by the device driver is not available for system use.

═══ 5.3.3. The TRAFFIFO= Parameter ═══

The TRAFFIFO= parameter on the DEVICE=DGTR0$.SYS (or DEVICE=DGEN0$.SYS) line in the CONFIG.SYS selects the size of the traffic statistics first-in first-out (FIFO) buffer that the DatagLANce analyzer will use to store frames for traffic analysis. This parameter is specified as:

   TRAFFIFO=size

where size is the FIFO buffer size. The value for size can range from 64K (for a 64-KB buffer) to 16M (for a 16-MB buffer). For example, for a 128-KB FIFO buffer size, you specify:

   TRAFFIFO=128K

The buffer size must be specified as a multiple of 64-KB increments. If this parameter is not specified, the default buffer size is 64 KB. For each 64 KB that is specified, approximately 512 frames will be stored for traffic statistics processing.
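
As an added example (not part of the IBM guide or the DatagLANce software), the following Python code checks the DEVICE= lines of a CONFIG.SYS file against the BUFSIZE= and TRAFFIFO= rules stated above: the 64K lower bound, the 32M and 16M upper bounds, the 64-KB multiple, and the 64-KB default. The C:\DGLANCE and C:\EXAMPLE paths, the sample lines, and the assumption that parameters are separated from the driver name by spaces are constructed for illustration.

```python
import re

KB = 1024
MB = 1024 * KB
STEP = 64 * KB                      # documented granularity and default size
LIMITS = {                          # documented (minimum, maximum) per parameter
    "BUFSIZE": (64 * KB, 32 * MB),
    "TRAFFIFO": (64 * KB, 16 * MB),
}
DRIVERS = {"DGTR0$.SYS", "DGEN0$.SYS"}   # token-ring and Ethernet drivers
FRAMES_PER_STEP = 512               # approximate frames queued per 64 KB of FIFO

# Constructed sample; the directory names are assumptions, not from the guide.
SAMPLE_CONFIG = r"""DEVICE=C:\EXAMPLE\OTHER.SYS
DEVICE=C:\DGLANCE\DGHRT$.SYS
DEVICE=C:\DGLANCE\DGTR0$.SYS BUFSIZE=1M TRAFFIFO=128K
DEVICE=C:\DGLANCE\DGEN0$.SYS BUFSIZE=100K TRAFFIFO=32M
"""


def parse_size(text):
    """Convert a size such as '128K' or '32M' to bytes; None if malformed."""
    match = re.fullmatch(r"(\d+)([KM])", text.strip().upper())
    if not match:
        return None
    return int(match.group(1)) * (MB if match.group(2) == "M" else KB)


def check_device_line(line):
    """Check one CONFIG.SYS line.

    Returns None for lines that do not load DGTR0$.SYS or DGEN0$.SYS,
    otherwise a dict with the requested sizes in bytes and any problems.
    """
    tokens = line.strip().split()
    if not tokens or not tokens[0].upper().startswith("DEVICE="):
        return None
    driver = tokens[0][len("DEVICE="):].split("\\")[-1].upper()
    if driver not in DRIVERS:
        return None
    sizes = {name: STEP for name in LIMITS}   # 64 KB applies when omitted
    problems = []
    for token in tokens[1:]:
        name, sep, value = token.partition("=")
        name = name.upper()
        if not sep or name not in LIMITS:
            continue                          # not a parameter covered here
        size = parse_size(value)
        if size is None:
            problems.append(f"{name}: cannot parse size {value!r}")
            continue
        sizes[name] = size
        low, high = LIMITS[name]
        if not low <= size <= high:
            problems.append(f"{name}={value} is outside {low // KB}K..{high // MB}M")
        elif size % STEP:
            problems.append(f"{name}={value} is not a multiple of 64K")
    return {
        "driver": driver,
        "bufsize": sizes["BUFSIZE"],
        "traffifo": sizes["TRAFFIFO"],
        # Buffer memory the line asks for; it is unavailable to the system.
        "requested": sizes["BUFSIZE"] + sizes["TRAFFIFO"],
        "fifo_frames": sizes["TRAFFIFO"] // STEP * FRAMES_PER_STEP,
        "problems": problems,
    }


def check_config(text):
    """Check every line of a CONFIG.SYS text; returns [(line_number, result)]."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        result = check_device_line(line)
        if result is not None:
            results.append((number, result))
    return results


if __name__ == "__main__":
    for number, result in check_config(SAMPLE_CONFIG):
        status = "; ".join(result["problems"]) or "ok"
        print(f"line {number} {result['driver']}: "
              f"{result['requested'] // KB} KB requested, "
              f"~{result['fifo_frames']} FIFO frames, {status}")
```
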
By increasing the traffic FIFO buffer size, you can increase the number of frames that the DatagLANce analyzer can have queued for traffic analysis processing. This will improve the performance of the traffic analysis function when network traffic is occurring in bursts.

Note: Ensure that the system has sufficient memory available to operate when you specify this parameter. The memory claimed by the device driver is not available for system use.

═══ 6. Getting Started ═══

Although not exactly a tutorial, this hands-on chapter helps you get started with your DatagLANce analyzer by taking you through several typical scenarios. These scenarios use the default configuration shipped with the DatagLANce analyzer. References to the DatagLANce Network Analyzer window refer to either the Token-Ring or Ethernet DatagLANce Network Analyzer window.

═══ 6.1. Ending a DatagLANce analyzer Session ═══

It might seem strange to tell you how to end a session before we tell you how to start one, but you might decide to end a session before you finish a scenario. To end a DatagLANce analyzer session:

 1. Move your mouse pointer to the system menu push button located in the upper left corner of the Token-Ring or Ethernet DatagLANce Network Analyzer window and double-click mouse button 1.
 2. You will be prompted to answer questions so the session can be ended.

═══ 6.2. Ending an OS/2 Session ═══

Ending an OS/2 session is slightly more complicated. OS/2 permits multiple programs to be active at the same time. This allows you to stop in the middle of one job and switch to another.

Warning: This flexibility means that you can switch out of an application without saving some of your work. If you simply turn the system off, you will lose unsaved data. To prevent this from happening, get into the habit of closing open applications before switching the power off.

OS/2 also prefers that you give it orderly shutdown instructions.
This permits the operating system to clean up temporary files that otherwise clutter your system disk.

 1. Click anywhere on the desktop with mouse button 2. In the menu that is displayed, click on Shutdown.
 2. Answer any questions that OS/2 asks during the shutdown process.

[Figure: Shutdown]

═══ 6.3. Starting Your DatagLANce Network Analyzer ═══

In this scenario, you will start your DatagLANce analyzer.

 1. Turn the power on for your DatagLANce system. When OS/2 is loaded, the OS/2 Desktop will be displayed (see Figure "OS/2 Desktop").

    [Figure: OS/2 Desktop]

 2. Double-click on the DatagLANce group icon. The DatagLANce Icon View window is displayed (see Figure "DatagLANce Icon View Window").

    [Figure: DatagLANce Icon View Window]

 3. Move the mouse pointer to the Token-Ring Network Analyzer icon or the Ethernet Network Analyzer icon and double-click with mouse button 1. Wait 1 or 2 minutes until the DatagLANce analyzer software has been loaded. (The blinking LED on the disk drive indicates that the load is in progress.)

    After the DatagLANce software has been loaded, the DatagLANce Network Analyzer window is displayed (see Figure "DatagLANce Network Analyzer Window"). Other windows are also displayed. Because you are not monitoring the network yet, the windows do not contain statistics.

    [Figure: DatagLANce Network Analyzer Window]

You are now ready to start one of the scenarios in this section.

═══ 6.4. Starting a Monitoring Session ═══

In this scenario, you will start a monitoring session, take a quick look at what you can do from the Screen choice on the DatagLANce Network Analyzer window menu bar, and learn how to silence audible alarms.

 1. If you have not already started your DatagLANce system, follow the steps in Starting Your DatagLANce Network Analyzer.
 2. To start monitoring the frames so you can take a look at what is happening on your network, click on Go! in the DatagLANce Network Analyzer window menu bar.

    For an Ethernet network, a screen showing current network statistics will now be displayed.
For a token-ring network, a Verification window will be displayed. If your token-ring is operating at the speed specified in the Verification window, click on the Yes push button. If your token-ring is not operating at the speed specified in the Verification window: a. Click on the No push button. b. Click on Monitor in the Token-Ring DatagLANce Network Analyzer window menu bar. c. Select the correct speed. d. Click on Go! in the Token-Ring DatagLANce Network Analyzer window menu bar again. e. Click on the Yes push button on the Verification window, indicating that you are now at the speed specified. A screen showing current network statistics will be displayed. 3. You might be hearing periodic ringing now. Do not worry, the rings are just the audible alarms that are set in the default configuration. If you want to silence the audible alarms, perform the following steps: a. Click on Screen in the DatagLANce Network Analyzer window menu bar. b. Click on Alarm Log in the Screen menu. You should now see the Alarm Log window showing the alarms that are occurring. c. Click on Options in the Alarm Log window menu bar and click on Allow Audible Alarms in the Options menu to silence the audible alarms. You should no longer hear the alarm, but the DatagLANce analyzer is still logging the alarms. For more information about alarms, see Configuring Alarms: The Alarm Options. 4. Now, let us take a closer look at the Screen choice in the DatagLANce Network Analyzer window menu bar. Click on Screen to get the Screen menu (see Figure "Screen Menu"). Screen Menu The menu contains the following choices: o OS/2 Desktop - Click on this choice to display the OS/2 Desktop. All DatagLANce windows except the DatagLANce Network Analyzer window are hidden. o Configuration Description - Click on this choice to display a text description of the current DatagLANce configuration. See Configurations for more information about DatagLANce configurations. 
o Network Statistics - Click on this choice to display the screen showing current network status and statistics. o Network History - Click on this choice to display windows showing network history graphs. o Network Errors - Click on this choice to display the network error windows. o Traffic Statistics - Click on this choice to display windows with statistics about stations operating on your network. o Network Glance - Click on this choice to get the Network Glance Frame Summary window. Click on Glance! in the Network Glance Frame Summary window. A window is displayed showing a snapshot of the frames on the network. For more information about Network Glance, see Figure "Network Glance Window". o Alarm Log - Click on this choice to display the Alarm Log window. You looked at this window briefly if you silenced the audible alarms. o Capture Status/Control - Click on this choice to display the current status of the capture. You can learn more about capturing data in Capturing Frames from the Network. Click on Screen, in each case, to get back to the Screen menu. This brief look at the DatagLANce analyzer is now complete. If you want, you can end the session or look at one of the other scenarios. ═══ 6.5. Capturing All Frames and Looking at the Captured Data ═══ In this scenario, you will capture data from the network and then look at the captured data. 1. If you have not started the network analyzer, click on the Capture Frames icon in the Token-Ring DatagLANce Icon View window or Ethernet DatagLANce Icon View window. If you have already started the network analyzer, perform the following steps to stop the analyzer: a. Click on Stop! in the DatagLANce Network Analyzer window menu bar. b. Click on Screen in the DatagLANce Network Analyzer window menu bar. c. In the Screen menu, click on OS/2 Desktop. d. In the Ethernet or Token-Ring DatagLANce Icon View window, click on the Capture Frames icon. e. A Verification Window might be displayed. 
If so, answer the question to continue. 2. Click on Go! on the DatagLANce Network Analyzer window menu bar. For an Ethernet network, continue with step 3. For a token-ring network, a Verification window is displayed. If your token-ring is operating at the speed specified in the Verification window, click on the Yes push button. If your token-ring is not operating at the speed specified in the Verification window: a. Click on the No push button. b. Click on Monitor in the Token-Ring DatagLANce Network Analyzer window menu bar. c. Select the correct speed. d. Click on Go! in the Token-Ring DatagLANce Network Analyzer window menu bar again. e. Click on the Yes push button on the Verification window. 3. You should now see a screen with the following windows: o Captured Frames Rate History o Network Status o Current All Frames Rate o Current Captured Frames Rate o Capture Status/Control You have captured data when you see blue on the bar in the Capture Buffer Status box in the Capture/Status Control window. 4. To stop capturing data, perform the following steps: a. Click on Stop! in the DatagLANce Network Analyzer window menu bar. The Verification window is displayed. b. Click on the Yes push button in the Verification window. The network analyzer stops capturing data. For more information about capturing frames, see Capturing Frames from the Network. 5. You can now look at the captured data. Click on the Analysis push button in the Capture Status/Control window and wait while the network analyzer activates the analysis software. When the Frame Summary: Token-Ring (or Ethernet) Capture Buffer 0 window is displayed, continue with the next step. 6. The Frame Summary: Token-Ring (or Ethernet) Capture Buffer 0 window displays the captured frames. You can get details for any frame by following these steps: a. Double-click on the line in the Frame Summary: Token-Ring (or Ethernet) Capture Buffer 0 window for which you want details. 
The Frame Detail window is displayed for the frame. b. If you want to maximize the Frame Detail window, double-click on the title bar of the window. Double-click again to return the window to its original size. c. Double-click on a line in the Frame Detail window to display the Frame Hexdump window. Note: If you click on another line in the Frame Summary: Token-Ring (or Ethernet) Capture Buffer 0 window, details of that frame are given in the Frame Detail window and in the Frame Hexdump window. d. To close the Frame Hexdump window, double-click anywhere in the Frame Detail window. e. Click on Display in the Frame Summary window menu bar to display the Display menu. From this menu, you can select items to display, such as frames missed, time-stamps, and frame addresses. See Selecting Frame Summary Information to Be Displayed for more information about choices in the Frame Summary window Display menu. f. Press Esc to remove the Display menu from the screen. 7. If you want to save the captured data, perform the following steps: a. Click on File in the Frame Summary: Token-Ring (or Ethernet) Capture Buffer 0 window. b. Click on Save in the File menu. The Save window is displayed. c. From the Save window, select the range of frames to save. d. Click on the Pathname input field in the Save window and enter the file name under which you want to save the captured data. e. Click on the OK push button. f. When the save is complete, an Information window is displayed. Click on the OK push button in the Information window. The network analyzer has now saved the captured data. 8. Double-click on the push button to the left of the title bar to close the Frame Summary: Token-Ring (or Ethernet) Capture Buffer 0 window. A Verification window is displayed. 9. Click on the Yes or No push button in the Verification window to indicate whether the current configuration should be saved or not. 10. The DatagLANce Network Analyzer window is displayed. 
See Analyzing Captured Frames for more information about analyzing captured frames. This scenario is now complete. If you want, you can end the session or look at one of the other scenarios. ═══ 6.6. Capturing Frames between Two Stations ═══ In this scenario, you will capture all the frames sent between two stations on your network. 1. If you have not started the network analyzer, click on the Capture Frames icon in the Token-Ring DatagLANce Icon View window or Ethernet DatagLANce Icon View window. If you have already started the network analyzer, perform the following steps to stop the analyzer: a. Click on Stop! in the DatagLANce Network Analyzer window menu bar. b. Click on Screen in the DatagLANce Network Analyzer window menu bar. c. In the Screen menu, click on OS/2 Desktop. d. In the Ethernet or Token-Ring DatagLANce Icon View window, click on the Capture Frames icon. e. You might see a Verification Window now. If you do, answer the question to continue. 2. Click on Capture in the Token-Ring or Ethernet DatagLANce analyzer, Configuration: startup window. 3. Click on Frame Capture Filter in the Capture menu. The Frame Capture Filter window is displayed. 4. Click on the Clear push button and then on the Edit push button. 5. The Edit Equation Line window is displayed. Click on To/From Selected Station. 6. Configure Event Detector 1 is displayed. Change the label edit field to Between Two Stations or whatever descriptive name you choose. 7. Click on the Configure push button. 8. The DLC Address Pairs window will be displayed. Click on the Clear push button to clear the list box labeled Address Pair List. 9. Set up the Event Detector using the following steps: a. In the Dest edit field, enter, in MSB or LSB hexadecimal form, the DLC address of the first station that you want to monitor. For example, MSB form: 10:00:5A:11:22:33 LSB form: 08-00-5A-88-66-CC Note: The use of colons or dashes indicates whether the address is in MSB or LSB form. 
See Figure "User Preferences Window" for more information about address forms. b. In the Source edit field, enter the DLC address of the second station you want to monitor. Note: If you want to monitor all the frames sent to the first station, regardless of the source, you can enter XX:XX:XX:XX:XX:XX in the Source edit field. c. Click on the Add push button. d. Click on the Switch push button. Click on the Add push button again. This swaps the source and destination addresses so that you will capture all frames between the stations, regardless of which station is the source. e. Click on the OK push button. f. Click on the OK push button on the Configure Event Detector 1 window. g. In the Edit Equation Line window, click on the push button to the left of the Between Two Stations push button. The word IF will be displayed on the face of that push button. h. Click on the OK push button. Event Detector 1 is now configured. See Figure "Frame Capture Filter" for more information about configuring capture filters. 10. The Frame Capture Filter is displayed. Ensure that the Enabled check box is checked. (If it is not, click on the Enabled check box.) Click on the OK push button. You are now ready to start the capture. Follow the steps in Capturing All Frames and Looking at the Captured Data, starting at step 2 to capture the frames specified by Event Detector 1 and to look at the captured data. ═══ 6.7. Point and Click Filtering: Quickly Filtering Frames After a Capture ═══ This scenario gives you a quick way to filter frames after the DatagLANce analyzer captures them so you can view only those you are interested in at that time. 1. First, you need to capture some frames. Follow steps 1 through 5 of the scenario Capturing All Frames and Looking at the Captured Data. 2. The Frame Summary: Token-Ring Capture Buffer 0 (or the Frame Summary: Ethernet Capture Buffer 0) window shows the captured frames. 
You are now ready to look at the frames, to and from one of the source addresses, listed in the window. 3. Click on any of the frames shown with mouse button 2. 4. Click on the OK push button on the window that is displayed. 5. Click on the OK push button on the Quick Filter menu. 6. The Frame Summary Refresh Options window is displayed. Click on the Refresh Summary from Beginning-of-File radio button and then click on the OK push button. 7. The Frame Summary window is refreshed to show only frames to and from the source address of the frame that you clicked on in step 3. See Quick Filter: The Quick Equation Writer for more information about Quick Filter. This scenario is now complete. If you want, you can end the session or look at one of the other scenarios. ═══ 6.8. Viewing the Top Talkers on Your Network ═══ In this scenario, you will monitor the network and look at the most active stations (the top talkers) on your network. 1. If you have not started the network analyzer, click on the Traffic Analysis icon in the Token-Ring DatagLANce Icon View window or Ethernet DatagLANce Icon View window. If you have already started the network analyzer, perform the following steps to stop the analyzer: a. Click on Stop! in the DatagLANce Network Analyzer window menu bar. b. Click on Screen in the DatagLANce Network Analyzer window menu bar. c. In the Screen menu, click on OS/2 Desktop. d. In the Ethernet or Token-Ring DatagLANce Icon View window, click on the Traffic Analysis icon. e. You might see a Verification Window now. If you do, answer the question to continue. 2. Click on Go! in the DatagLANce Network Analyzer window menu bar. For an Ethernet network, continue with step 3. For a token-ring network, a Verification window is displayed. If your token-ring is operating at the speed specified in the Verification window, click on the Yes push button. If your token-ring is not operating at the speed specified in the Verification window: a. Click on the No push button. b. 
Click on Monitor in the Token-Ring DatagLANce Network Analyzer window menu bar. c. Select the correct speed. d. Click on Go! in the Token-Ring DatagLANce Network Analyzer window menu bar again. e. Click on the Yes push button on the Verification window. 3. The Traffic Statistics window is refreshed as the DatagLANce analyzer monitors the traffic on the network. 4. To view the top talkers on your network, perform the following steps: a. Click on Display in the Traffic Statistics window menu bar. Click on Traffic from Station in the Display menu. b. Click on Sort in the Traffic Statistics window menu bar. Ensure that the Descending item is checked. (If it is not checked, click on Descending.) Click on Frames in the Sort menu. The Traffic Statistics window will now show which stations on the network are transmitting the most frames. c. Click on Sort in the Traffic Statistics window menu bar. Click on Bytes in the Sort menu. The Traffic Statistics window will now show which stations on the network are transmitting the most bytes. 5. To view the top listeners on your network, perform the following steps: a. Click on Display in the Traffic Statistics window menu bar. Click on Traffic to Station in the Display menu. b. Click on Sort in the Traffic Statistics window menu bar. Click on Frames in the Sort menu. The Traffic Statistics window will now show which stations on the network are receiving the most frames. c. Click on Sort in the Traffic Statistics window menu bar. Click on Bytes in the Sort menu. The Traffic Statistics window will now show which stations on the network are receiving the most bytes. This scenario is now complete. If you want, you can end the session or look at one of the other scenarios. ═══ 6.9. Setting an Alarm ═══ In this scenario, you will set an alarm. 1. If you have not started the network analyzer, click on the Default icon in the Token-Ring or Ethernet DatagLANce Icon View window. If you have already started the network analyzer: a. 
Click on Screen in the DatagLANce Network Analyzer window. The Screen menu is displayed. b. Click on OS/2 Desktop in the Screen menu. c. Double-click on the Default icon in the DatagLANce Icon View window. 2. Click on Monitor in the DatagLANce Network Analyzer window menu bar. 3. Click on Alarm Option in the Monitor menu. The Alarm Option window is displayed. 4. Click on All Frames Utilization in the Alarm Event list box. 5. The Alarm Thresholds box shows the defaults for this alarm event. Change the defaults as follows: a. Click on the Inform: MAXIMUM box and enter 1. Do not press the Enter key until you are told to do so. Note: Pressing the Enter key will cause an inform priority audible alarm to occur whenever network utilization goes over 1%. In a real situation you would probably never use the values you are using in this scenario; we want to make sure you will get some audible alarms. b. Click on the Warning: MAXIMUM box and enter 5. c. Click on the Minor: MAXIMUM box and enter 10. d. Press Enter. The alarm is now set. 6. Click on Screen in the DatagLANce Network Analyzer window menu bar. 7. Click on Alarm Log in the Screen menu. You should now see the Alarm Log window, but no alarms are occurring because you have not started the network analyzer yet. 8. If you want to silence the audible alarms, perform the following steps: a. Click on Options in the Alarm Log window menu bar. b. Click on Allow Audible Alarms in the Options menu. You will not hear any ringing when the DatagLANce analyzer is started, but the DatagLANce analyzer will still log the alarms. 9. For Ethernet, click on Go! in the DatagLANce Network Analyzer window menu bar. For token-ring, select the ring speed as follows: a. Click on Monitor in the Token-Ring DatagLANce Network Analyzer window menu bar. b. Select the correct speed. c. Click on Go! in the Token-Ring DatagLANce Network Analyzer window menu bar. d. Click on the Yes push button on the Verification window. 10. 
If a Verification window is displayed indicating that the capture buffer contains captured data, click on the Yes push button to allow the DatagLANce analyzer to overwrite the data. 11. The Alarm Log shows alarms as they occur. Because of the thresholds you set in step 5, when frame utilization for the network is over 1%, an inform alarm occurs. When frame utilization for the network is over 5%, a warning alarm occurs. When frame utilization for the network is over 10%, a minor alarm occurs. For more information about alarms, see Configuring Alarms: The Alarm Options. This scenario is now complete. If you want, you can end the session or look at one of the other scenarios. ═══ 6.10. Monitoring a File Server ═══ In this scenario, you will configure DatagLANce to monitor a file server (or any other network station that you prefer) on your network. Before you start this scenario you will need the network address (either DLC or network-layer address) of the file server. For example, if you will monitor a Novell NetWare file server, you should obtain either the IPX address of the server or the DLC address of the network adapter in the server. 1. If you haven't started the network analyzer, click on the File Server Template icon in the Token-Ring or Ethernet DatagLANce Icon View window. If you have already started the network analyzer: a. Click on Screen in the DatagLANce Network Analyzer window. You should see the Screen menu. b. Click on OS/2 Desktop in the Screen menu. c. Double-click on the File Server Template icon in the DatagLANce Icon View window. 2. Click on Monitor in the DatagLANce Network Analyzer window menu bar. 3. Click on Custom Events in the Monitor menu. You should see the Custom Events to be Monitored window. 4. Click on 3:Traffic To/From File Server in the Custom Events list box. 5. Type in a label specific to your file server in the Custom Event Label edit field. 
For example, if you will be monitoring your department's file server enter Traffic To/From Department File Server into the edit field. 6. Click on the Edit push button next to the Count a frame list box. 7. The Edit Equation Line window is displayed. Click on To/From File Server. 8. Configure Event Detector 1 is displayed. Change the label edit field to To/From Department Server or whatever descriptive name you choose. 9. Depending on whether you have the DLC address or the network address of the file server, do the following: a. If you have the DLC address of the file server: 1. Click on the arrow to the right of the Event combination box. This will drop down the list of available event detectors. 2. Select DLC Address Pairs in the Event combination box. The drop down list will disappear and DLC Address Pairs will appear in the box. 3. Click on the Configure push button. 4. The Destination/Source Pairs window will be displayed. Click on the Clear push button to clear the list box labeled Address Pair List. 5. In the Dest edit field, enter, in MSB or LSB hexadecimal form, the DLC address of the file server that you want to monitor. For example, MSB form: 10:33 LSB form: 08-00-5A-88-66-CC Note: The use of colons or dashes indicates whether the address is in MSB or LSB form. See Figure "User Preferences Window" for more information about address forms. 6. If not already selected, click on the Stations radio button to the right of the window. 7. Click on in the Symbolic Names List. 8. Click on the From <- push button. 9. Click on the Add push button. 10. Click on the Switch push button. Click on the Add push button again. This swaps the source and destination addresses so that you will monitor traffic in both directions between the file server and any other station on the network. 11. Click on the OK push button. b. If you have the network-layer address of the file server: 1. Click on the arrow to the right of the Event combination box. 
This will drop down the list of available event detectors. 2. Select Network Address Pairs in the Event combination box. The drop down list will disappear and Network Address Pairs will appear in the box. 3. Click on the Configure push button. 4. The Network Address Pairs window will be displayed. Click on the Clear push button to clear the list box labeled Network Address Pair List. 5. Select the network address level of the address of the file server from the Network Address Level combination box. For example, if you are going to monitor a Novell NetWare file server, select IPX (Novell) from the combination box by clicking on the arrow, then selecting this item from the list. 6. In the Dest edit field enter the network-level address of the file server that you want to monitor. 7. Click on in the Symbolic Names List. The symbol, xxxxx, will be different depending on what network address level is selected. 8. Click on the From <- push button. 9. Click on the Add push button. 10. Click on the Switch push button. Click on the Add push button again. This swaps the source and destination addresses so you can monitor traffic in both directions between the file server and any other station on the network. 11. Click on the OK push button. 10. Before exiting the Configure Event Detector 1 window, let's save this event detector as a pre-configured event detector, so that in the future you will be able to load the event detector (by clicking the Load push button, instead of Configure) without having to go through specifying the addresses: a. Click on the Save As push button. b. The Save as Pre-Configured Event Detector window is displayed. Specify a filename (i.e. DEPTSRVR) in the Event detector filename edit field. c. Click on the OK push button. 11. Click on the OK push button on the Configure Event Detector 1 window. 12. Click on the OK push button on the Edit Equation Line window. 13. Click on the OK push button on the Custom Events to Be Monitored window. 14. 
Click on Go! in the DatagLANce Network Analyzer window menu bar. For an Ethernet network, continue with step 15. For a token-ring network, you should see a Verification window. If your token-ring is operating at the speed specified in the Verification window, click on the Yes push button. If your token-ring is not operating at the speed specified in the Verification window: a. Click on the No push button. b. Click on Monitor in the Token-Ring DatagLANce Network Analyzer window menu bar. c. Select the correct speed. d. Click on Go! in the Token-Ring DatagLANce Network Analyzer window menu bar again. e. Click on the Yes push button on the Verification window. 15. The windows displayed on the screen will now start refreshing with statistics. 16. Let us now create a custom window to display more information about the file server: a. Click on Window in the DatagLANce Network Analyzer window menu bar. b. Click on New Window. c. A window will be displayed in the upper left corner of the screen. You may change the size of this window to change the size of the font. d. Click on this window with mouse button 2. e. A pop-up menu will be displayed in the window. Click on Event. f. Click on Custom Event 3. g. The window now displays current statistics about your file server. h. Click on Format on the pop-up menu. i. Click on Bar (Cumulative). j. Click on Display on the pop-up menu. k. Click on Percent Frame Traffic. The window now displays the cumulative total percentage of total frame traffic going to or coming from the file server. l. Click on Display on the pop-up menu. m. Click on Set Axis Limits. n. The Set Axis Limits window will be displayed. Enter 100 in the Maximum edit field and 0 in the Minimum edit field. o. Click on OK. The window now displays cumulative total percentage of total frame traffic going to or coming from the file server on a bar graph that is scaled from 0 to 100 percent. p. Click on Format on the pop-up menu. q. Click on History. 
The window now displays the current percentage of total frame traffic going to or coming from the file server in history format.
    r. Experiment with the other options in the pop-up menu. To make the menu disappear, click anywhere outside of the pop-up menu.
17. Close the All Frames Utilization window at the bottom left of the screen. To do this, double-click on the upper-left system menu push button of the window.
18. Now move this newly created custom window into the position that the window you closed occupied.
19. Click on Screen in the Token-Ring DatagLANce Network Analyzer window menu bar.
20. Click on Define.
21. The Define Screen window is displayed. Enter File Server Traffic into the Screen name edit field.
22. Click on OK. The screen is now defined. You can display it whenever you desire by selecting File Server Traffic from the Screen menu. You can also display other screens by selecting them from that menu.
23. Click on File in the Token-Ring DatagLANce Network Analyzer window menu bar.
24. Click on Save Configuration.
25. Enter MYSERVER in the Configuration pathname edit field or whatever descriptive name you choose.
26. Click OK. The configuration will now save to disk. In the future you can load this configuration by selecting Load Configuration from the File menu.
27. See Configurations for more information if you would like to create your own icon that automatically loads the MYSERVER configuration.

This scenario is now complete. If you want, you can end the session or look at one of the other scenarios.

═══ 7. Monitoring the Network ═══

The performance of a network depends on many factors. Knowledge of traffic load, throughput, and errors occurring on the network is invaluable in fine-tuning a network as well as in planning network expansion. The DatagLANce Network Analyzer gives you the capability to monitor these and other statistics about your network.

═══ 7.1. Overview of DatagLANce Monitoring Capability ═══

With the DatagLANce Network Analyzer, you have the power to monitor your network by:

o Displaying current network status, including:
  - Current ring speed (token-ring) or which media is currently attached (Ethernet)
  - Current state of the network
  - Current and historical network events for the network
o Displaying global current or cumulative network statistics, including:
  - Time stamps: cumulative monitor active time, cumulative network active/inactive time, and cumulative network up/down time (token-ring) or first/last network activity (Ethernet)
  - All frames statistics: total frames, total bytes, average frame length, average frame rate, average byte rate, and average utilization
  - Error statistics:
    o Token-Ring: soft errors, ring purges, beacon frames, and oversized frames
    o Ethernet: CRC/alignment errors, collisions, runt frames (frames smaller than Ethernet's 64-byte minimum frame size), and oversized frames
o Accumulating cumulative statistics and current event statistics for the following:
  - All frames appearing on the network
  - Five user-selectable custom event frames
o Creating up to 32 user-configurable windows to display event statistics in the following formats:
  - Current or cumulative numeric format: displays current or cumulative statistics such as frames, bytes, and rate information in tabular form.
  - Current or cumulative bar format: displays current or cumulative statistics such as frames, bytes, or rate information in a bar graph form.
  - History format: displays statistics such as frames, bytes, or rate of an event versus time.
o Recording history statistics for long-term statistics accumulation to a file at intervals from 1 second to 5 minutes. This file can be recorded in binary format, text format, or comma-separated variable text format that can be imported into most spreadsheets.
o Activating five-level floor alarms, ceiling alarms, or both for events such as network down time, CRC errors, and all frames utilization. Alarms are logged to a window that is color-coded for each priority and can optionally be logged to a file for a long-term alarm record.
o Displaying, with the Network Glance function, a snapshot of traffic currently traveling on your network (or into your capture buffer) with full seven-layer protocol decodes for certain protocols.
o Listing, with the Ring Map function (token-ring), an ordered list of the stations on your ring and indicating when stations become disconnected or when new stations insert onto the ring.
o Monitoring and displaying various traffic statistics for the stations currently on your network using the traffic analysis options.
o Printing reports on network activity such as cumulative network statistics and network utilization trends.

Each of these functions is discussed in detail in the following sections.

═══ 7.2. Controlling the DatagLANce Network Analyzer ═══

The DatagLANce Network Analyzer is controlled mostly from a single window, the DatagLANce Network Analyzer control window, shown in Figure "DatagLANce Network Analyzer Control Window".

Figure: DatagLANce Network Analyzer Control Window

Each of the selections in the menu bar gives access to the options windows that allow configuration of the DatagLANce analyzer for any of the purposes for which it was designed.

The DatagLANce analyzer starts monitoring the network when you select the Go! option from the DatagLANce Network Analyzer control window. The Go! option is then replaced by the Stop! option. You can select the Stop! option to stop the active monitor.

When the DatagLANce analyzer is monitoring, you can display individual statistics windows to show the statistics that have accumulated. To display these statistics windows, select the desired window from the Window menu in the DatagLANce Network Analyzer control window.
The following sections discuss these windows.

The Screen menu contains a list of arrangements of user-defined windows. This menu makes it easy to move between different views of multiple windows.

When the monitor is started, all selected configuration options take effect. Some options can be changed while monitoring; others can only be viewed.

═══ 7.2.1. Controlling the DatagLANce Network Analyzer by the Keyboard ═══

The following shortcut keys are available for use in the various DatagLANce Network Analyzer applications:

F1      Offers access to online help.
F2      Mark a frame in the DatagLANce Protocol Analysis Application.
F3      Invoke Protocol Analysis for capture (equivalent to clicking on "Analysis..." in the Capture Status/Control Window).
F5      Configure the Capture Start Options (Capture must be enabled first).
F6      Configure the Frame Capture Filter (Capture must be enabled first).
F7      Analyzer Applications: Configure the Trigger/Stop Capture Options (Capture must be enabled first).
        Protocol Analysis: Move to the previous frame.
F8      Analyzer Applications: Capture Control Key (equivalent to clicking on "New...", "Start" or "Stop" in the Capture Status/Control Window).
        Protocol Analysis: Move to the next frame.
F9      Start/stop the monitor (equivalent to clicking on the "Go!" or "Stop!" menu items on the DatagLANce Network Analyzer Control Window).
TAB     Moves among the Analyzer application windows displayed on the screen.
Space   Displays popup menu on the Network Statistics and Event Windows (equivalent to clicking the right mouse button inside the window).

In addition to these keys, others are available using Alt and Ctrl key functions. The Alt and Ctrl keys available are displayed next to their corresponding menu choices in drop-down menus.

═══ 7.3. Using the Monitor Menu ═══

The Monitor option of the DatagLANce Network Analyzer control window has a number of choices that control the DatagLANce monitoring functions.
The Token-Ring DatagLANce menu is shown in Figure "Token-Ring DatagLANce Monitor Menu", and the Ethernet DatagLANce menu is shown in Figure "Ethernet DatagLANce Monitor Menu". Token-Ring DatagLANce Monitor Menu At the top of the Token-Ring Network Analyzer menu are two menu choices: 4 Mbps and 16 Mbps. These choices allow selection of the ring speed for the token-ring network. Ethernet DatagLANce Monitor Menu At the top of the Ethernet Network Analyzer Monitor menu are three menu choices: o AUI (10BASE5) Connection o BNC (10BASE2) Connection o TPI (10BASE-T) Connection These menu choices allow selection of the media to which the DatagLANce analyzer will attach. Some of these menu choices might be grayed indicating that the selection does not apply for the Ethernet adapter being used. If all of these menu choices are grayed, the media connection for the Ethernet adapter being used is selectable only by the adapter (that is, either the adapter automatically senses the media connection, the DIP switches on the adapter card select the media connection, or the cable that is being used determines the media connection). The menu choices are described in the following information: Audible Clicks Selects whether to click the speaker when a frame arrives. This clicking sound can give an audible indication of the level of network traffic. Refresh Rate Selects the screen refresh rate. All current statistics throughout the DatagLANce analyzer are based on this refresh rate. Adapter Options Permits you to select adapter-specific options that can improve the performance of the DatagLANce analyzer as well as allow you to process only a subset of network traffic. These options are discussed in Improving Monitoring Performance: The Adapter Options. Custom Events Permits you to specify custom events that the DatagLANce analyzer should monitor on the network. See Selecting Custom Events to be Monitored for more information. 
History Statistics Options Permits you to select the history statistics interval and specify whether to record history statistics to a file. This topic is discussed in History Statistics: Network Statistics Versus Time. Alarm Options Permits you to specify various floor and ceiling alarm events at multiple priority levels and specify whether to log the alarms to a file. Alarms are discussed in Alarms: Keeping a Watchful Eye on Your Network. Traffic Analysis Options Permits you to enable and select which specific traffic analysis function will be performed to gather traffic statistics about the stations on your network and to select whether to write these statistics to a file for post-processing by another application. This is discussed in Figure "Traffic Statistics Window". Network Glance Filter Permits you to specify a subset of network traffic that you would like to watch. Network Glance is discussed in Figure "Network Glance Window". When the capture is enabled, this menu choice is labeled Glance Captured frames and permits you to glance at the frames that match the Frame Capture Filter. See Figure "Frame Capture Filter". Ring Map When the DatagLANce analyzer is not capturing frames, Ring Map permits you to use the ring map function of the DatagLANce analyzer instead of the filtered glance capability. This is discussed in Ring Map: A Logical Token-Ring Map. The Monitor menu of the DatagLANce Network Analyzer control window gives you access to all of the windows that configure the various monitoring options that the DatagLANce analyzer supports. ═══ 7.4. Using the Network Status Window to Monitor the Current State of the Network ═══ The Network Status window shows the current state of the network being monitored. You can display this window by selecting Network Status from the Window menu of the DatagLANce Network Analyzer control window. 
Figure "Token-Ring Network Status Window" shows the Token-Ring Network Status window, and Figure "Ethernet Network Status Window" shows the Ethernet Network Status window. Token-Ring Network Status Window ═══ 7.4.1. Token-Ring Network Status ═══ The top line of the window, Ring Speed, displays the current ring speed of the network being monitored. This can read 4 Mbps or 16 Mbps. You can select the ring speed from the Monitor menu of the Token-Ring DatagLANce Network Analyzer control window. The second line of the Token-Ring DatagLANce Network Status window, State, displays the current state of the token-ring network. The following information shows the states that can be displayed and an explanation of each: Monitor Stopped The DatagLANce analyzer is currently not monitoring; the network state is unknown. Operational The network is operational; frames are being seen by the DatagLANce analyzer. Network Inactive The network is up; no frames are being seen by the DatagLANce analyzer. Monitor Contention The network is currently in a monitor contention process; claim frames are being seen by the DatagLANce analyzer. Ring Beaconing The station upstream of the DatagLANce analyzer is beaconing; beacon frames are being seen by the DatagLANce analyzer. Adapter Beaconing The DatagLANce adapter is beaconing; the DatagLANce connection to the token-ring network should be checked. Lobe Wire Fault An open or short circuit has been detected, in the lobe data path, by the adapter. Signal Loss The network is down (or there are no stations on the network) or the DatagLANce adapter is not connected to the network (that is, if either the cable is not connected to the adapter or the cable is not connected to the network). Removed from Ring The DatagLANce analyzer has been removed from the ring because a remove frame has been received. This state will be shown only if you are using a Trace and Performance Adapter. DatagLANce Token-Ring Adapters will ignore remove frames. 
The Network Events indicators, at the bottom of the Token-Ring Network Status window, are colored red, blue, gray, or white to show the current and historical events for the network. Indicators for events that have not occurred are white. The indicators for current network events (events occurring in the last second) change to blue for normal network events and to red for network events of which you should be aware. The indicators for historical network events (events that occurred more than one second in the past) are gray. The Reset push button clears all network event indicators; only events that occur after you push this push button are displayed.

The following list describes token-ring events:

Frame Missed
   The DatagLANce analyzer was unable to process a frame. Statistics are not valid because of the missed frame. If the DatagLANce analyzer is capturing data, one or more frames were not recorded.
   Note: The first time a frame is missed, the DatagLANce analyzer will notify you, with a pop-up window, that data is no longer valid and ask if you want to continue.
Signal Loss
   The network is down, or there are no stations on the network. This state can also appear if the DatagLANce adapter is not connected to the network (that is, if either the cable is not connected to the adapter or the cable is not connected to the network).
Soft Error
   The DatagLANce analyzer detects a media access control (MAC) soft-error report frame.
Ring Purge
   The DatagLANce analyzer detects a MAC ring purge frame.
Oversized
   The DatagLANce analyzer detects an oversized frame.
Broadcast
   The DatagLANce analyzer detects a frame with a broadcast address.
Multicast
   The DatagLANce analyzer detects a frame with a multicast address.
Operational
   The DatagLANce analyzer detects a frame indicating the network is operational.
Claim
   The network is going through the monitor contention process to select a new, active monitor.
Beacon
   The network is beaconing.
For a more detailed explanation of token-ring states and events, refer to the IBM Token-Ring Network Architecture Reference.

═══ 7.4.2. Ethernet Network Status ═══

Ethernet Network Status Window

The top line of the Ethernet DatagLANce Network Status window, Connection, displays the current media connection to the Ethernet network being monitored. This connection can be: AUI (10BASE5), BNC (10BASE2), TPI (10BASE-T), or Adapter Specific. Adapter Specific means that the adapter selects the media connection. The DatagLANce software has no control over, or cannot determine, the media connection. You can select the media connection from the Monitor pull-down menu of the Ethernet DatagLANce Network Analyzer control window.

The second line of the Ethernet DatagLANce Network Status window, State, displays the current state of the Ethernet network. The following information shows the states that can be displayed and an explanation of each:

Monitor Stopped
   The DatagLANce analyzer is currently not monitoring; the network state is unknown.
Operational
   The DatagLANce analyzer detects frames.
Network Inactive
   The DatagLANce analyzer does not detect any frames.

The Network Events indicators, at the bottom of the Ethernet Network Status window, are colored red, blue, gray, or white to show the current and historical events for the network. Indicators for events that have not occurred are white. The indicators for current network events (events occurring in the last second) change to blue for normal network events and to red for network events of which you should be aware. The indicators for historical network events (events that occurred more than one second in the past) are gray. The Reset push button clears all network event indicators; only events that occur after you press the push button are displayed.

The following list describes Ethernet events:

Frame Missed
   The DatagLANce analyzer was unable to process a frame.
   Statistics are not valid because of the missed frame. If the DatagLANce analyzer is capturing data, one or more frames were not recorded.
   Note: The first time a frame is missed, the DatagLANce analyzer will notify you, with a pop-up window, that data is no longer valid and ask if you want to continue.
CRC Error
   The DatagLANce analyzer detects a frame with a cyclic redundancy check (CRC) error.
Align Error
   The DatagLANce analyzer detects a frame with an alignment error.
Runt
   The DatagLANce analyzer detects a runt frame.
Oversized
   The DatagLANce analyzer detects an oversized frame.
Broadcast
   The DatagLANce analyzer detects a frame with a broadcast address.
Multicast
   The DatagLANce analyzer detects a frame with a multicast address.
Operational
   The DatagLANce analyzer detects a valid frame.
Collision
   The DatagLANce analyzer detects a collision fragment indicating that a collision has occurred.
   Note: This is an estimate of the actual number of collisions. Collisions that occur during the preamble of a frame and collision fragments that are less than the minimum frame size accepted by the adapter are not counted.
Jabber
   The DatagLANce analyzer detects a jabber frame, a collision at the end of a large frame.

═══ 7.5. Network Statistics: Network Performance at A Glance ═══

The Network Statistics window contains general statistics about the network. This window can be displayed by selecting Network Statistics in the Window menu of the DatagLANce Network Analyzer control window. Figure "Token-Ring Network Statistics Window" shows the Token-Ring Network Statistics window, and Figure "Ethernet Network Statistics Window" shows the Ethernet Network Statistics window.

Token-Ring Network Statistics Window

Ethernet Network Statistics Window

The Network Statistics window is divided into three groups of information: Timestamps, Traffic Statistics, and Error Counts.

═══ 7.5.1.
Time-stamps ═══ The Time-stamps group displays the following time-stamp information about the network: Current Time The date and time supplied by OS/2. The time is updated only when the DatagLANce analyzer is monitoring. Monitor Active The cumulative time that the DatagLANce analyzer has been monitoring. Network Active An approximation of how much time the network has been active, while it has been operational. Network Inactive An approximation of how much time the network has been idle, while it has been operational. Network Up (token-ring only) An approximation of how much time the token-ring network, to which the DatagLANce analyzer is attached, has been operational. Network Down (token-ring only) An approximation of how much time the token-ring network, to which the DatagLANce analyzer is attached, was not operational (for example: signal loss, beaconing). First Activity (Ethernet only) The time the first frame was seen on the Ethernet network. Last Activity (Ethernet only) The time the last frame was seen on the Ethernet network. ═══ 7.5.2. Global Statistics ═══ The Global Statistics group displays information about all frames that have been seen by the DatagLANce analyzer. This information is available in current or cumulative form. Current Traffic Statistics are statistics accumulated since the last screen refresh. Cumulative Traffic Statistics are statistics accumulated since the monitor was started. Current or Cumulative statistics can be selected by clicking anywhere on the Network Statistics window with mouse button 2. As shown in Figure "Token-Ring Network Statistics Window: Selection of Current or Cumulative Statistics", a menu is displayed that permits you to select either mode with mouse button 1. 
Token-Ring Network Statistics Window: Selection of Current or Cumulative Statistics The following list describes statistics displayed in the Traffic Statistics group: Total Frames The count of all frames processed during the previous screen refresh interval (current statistics) or since Monitor Active (cumulative statistics). Total Bytes The count of all bytes in total frames. For a token-ring frame, the start delimiter, end delimiter, frame status, and frame check sequence bytes, as well as the bytes in the frame, are included in the count; this better represents network utilization. For Ethernet, this count includes the frame check sequence in addition to the bytes of the frame, but the preamble or start delimiter fields are not counted, because some of the preamble can be lost as the frame travels through the network. Avg Frame Length The total bytes divided by total frames results in the average length of total frames. Avg Frame Rate The average number of frames processed per second. For current statistics, this is total frames divided by the screen refresh interval. The total frames divided by Monitor Active time results in the cumulative statistics. Avg Byte Rate The average number of bytes processed per second. The total bytes divided by the screen refresh interval results in the current statistics. The total bytes divided by Monitor Active time results in cumulative statistics. Avg Utilization The average percentage of maximum theoretical bandwidth of the network that has been utilized by all frames. This value is computed by dividing the value in Avg Byte Rate by the network speed. ═══ 7.5.3. Error Counts ═══ The Error Counts group displays counts of network errors that are monitored by the DatagLANce analyzer. Depending on whether cumulative or current statistics have been selected (see Global Statistics), this will be either Cumulative Error Counts or Current Error Counts. 
Cumulative Error Counts are error counts accumulated since the monitor was started. Current Error Counts are error counts accumulated since the last screen refresh. ═══ 7.5.3.1. Error Counts for the Token-Ring DatagLANce Analyzer: ═══ Soft Errors A count of all soft errors that have been reported in MAC soft error report frames. Ring Purges A count of all MAC ring purge frames that were monitored by the DatagLANce analyzer. Beacon frames A count of all beacon frames that were monitored by the DatagLANce analyzer. Oversized Frames A count of all oversized frames that were monitored by the DatagLANce analyzer. ═══ 7.5.3.2. Error Counts for the Ethernet DatagLANce analyzer: ═══ CRC/Alignment Errors A count of all frames monitored by the DatagLANce analyzer that contained either a CRC error or an alignment error (see Figure "Ethernet Network Statistics Window"). Collisions A count of all collision fragments and jabbers (late collisions) monitored by the DatagLANce analyzer. Note: The count of collision fragments is an estimate of the actual number. Collisions that occur during the preamble of a frame and collision fragments that are less than the minimum frame size accepted by the adapter are not counted. Runt frames A count of all runt frames monitored by the DatagLANce analyzer. Oversized Frames A count of all oversized frames monitored by the DatagLANce analyzer. The Network Statistics window gives general information about the network's performance including active and inactive time, traffic utilization, traffic rate, and error information. Sometimes more specific information is needed about certain conditions that occur on the network. The next section describes how to select and monitor these conditions. ═══ 7.6. Monitoring Events on the Network ═══ Although the Network Status and Network Statistics windows offer a good summary of network operations, they are limited. For example, what if you need statistics for specific events occurring on the network? 
The DatagLANce analyzer enables you to accumulate statistics for five custom events. Each custom event is specified by writing equations using the output of the DatagLANce event detectors. Before describing how to use the event detectors, it is important to understand the meaning of an event. ═══ 7.6.1. Understanding Events ═══ The DatagLANce Network Analyzer considers an event to be a frame that matches a set of criteria. The criteria might specify that the frame be a MAC frame (token-ring), IEEE 802.3 frame (Ethernet), a frame containing an SNA transmission header, or any other set of criteria. An event detector is a module within the DatagLANce software that identifies an event. The DatagLANce Network Analyzer has eight event detectors that can identify eight separate events in each frame that it sees. The following information describes the types of events that each event detector can be configured to identify: Frame Format/Protocols Frame formats (network specific) and various protocol headers that can be displayed in a frame (BPDU, SNA, SNAP, ARP, IP, TCP, ICMP). DLC Destination Addresses A frame's destination address. Each event detector can match up to 25 individually-specified addresses or address masks. DLC Source Addresses A frame's source address. Each event detector can match up to 25 individually specified addresses or address masks. DLC Address Pairs A frame's destination and source addresses. Each event detector can match up to 11 individually specified addresses or address mask pairs. Network Address Pairs A frame's destination and source network addresses. Each event detector can match up to 2 individually specified network addresses or network address mask pairs for various network layer protocols. Frame Data Pattern A specific string of characters within a frame. Source Routing Indicators A frame with specific routing broadcast types, source route length, source ring and destination ring numbers. 
MAC Frame (Token-Ring)
   A MAC frame that has a specific destination and source address and a data pattern within the MAC information field.
LLC/IEEE 802.3 Frame
   An LLC frame (Token-Ring) or IEEE 802.3 Frame (Ethernet) that has a specific destination and source address and either specific LLC Protocol Data Unit fields or a data pattern within the LLC information field.
Ethernet Frame (Ethernet)
   A frame that has a specific destination and source address, an Ethernet type, and a data pattern within the information field.

For information on configuring event detectors, see Configuring Event Detectors.

═══ 7.6.2. Selecting Custom Events to be Monitored ═══

Understanding Events described how the DatagLANce analyzer can accumulate statistics for five custom events. These custom event statistics supplement the statistics continuously accumulated for all frames. This section describes how to specify the five custom events.

Figure "Custom Events to be Monitored Window" shows the Custom Events to be Monitored window. This window is displayed when the Custom Events choice is selected from the Monitor menu in the DatagLANce Network Analyzer control window.

Custom Events to be Monitored Window

The Custom Events list box is used to select the custom event (1-5) to be configured. Figure 23 shows that custom event 3 is being configured.

The Custom Event label field contains the name you assigned to the custom event. Because this label is displayed with all references to this event that are in other windows, a descriptive label is recommended. The sample label displayed in Figure "Custom Events to be Monitored Window" is Traffic To/From File Server.

The Count a Frame list box contains the equation that describes this custom event. The label indicates that any frame that passes the equation in the list box will be included in the count of frames for this custom event. Details about using equations are discussed in the next section.
When you click on the OK push button, the definition of all custom events to be monitored will be accepted. When the DatagLANce analyzer is started, it will begin to monitor the specified custom events. ═══ 7.6.3. Understanding Event Equations ═══ An event equation combines the binary results from one or more event detectors on a frame-by-frame basis to produce a TRUE or FALSE result (see Understanding Events). Event equations are used throughout the DatagLANce software to specify events to be monitored, events to be captured, and events to be displayed after a capture has been performed. Event equations are always displayed in list-box form as shown in the sample equation in Figure "Custom Events to be Monitored Window". This sample equation reads: IF To/From: File Server A frame passes this equation if the destination or source address matches that of the file server. The result (for the Custom Events to be Monitored) is a counting of all frames to and from the station file server that is being monitored by the DatagLANce analyzer. The actual detection of the destination, or source addresses matching the File Server's address, is done by an event detector whose label is: Dest/Source: File Server. For more information on configuring event detectors, see Configuring Event Detectors. ═══ 7.6.4. Defining and Modifying Event Equations ═══ Use the push buttons, which are next to an equation list box (see Figure "Custom Events to be Monitored Window"), to edit an event equation. You can perform the following tasks: Edit Permits the current line to be edited. OR Adds another line to the equation. Clicking on this button will create a new line that can be edited and added to the equation. All lines in an equation are ORed together in determining whether the equation has a TRUE or FALSE result. If any line in an equation is TRUE, the result is TRUE. Delete Deletes the current line in the equation. 
Clear Clears the equation to the following setting: IF ANY COMBINATION OF EVENTS This sets the equation to TRUE for every frame. After the equation has been cleared, the Edit push button can be used to identify desired events. ═══ 7.6.5. Editing an Event Equation ═══ If you click on the Edit push button in this window, the Edit Equation Line window is displayed. (See Figure "Token-Ring DatagLANce Edit Equation Line Window" or Figure "Ethernet DatagLANce Edit Equation Line Window".) Token-Ring DatagLANce Edit Equation Line Window Use this window to combine logically different event detectors, frame status indicators, and special network events which the DatagLANce analyzer identifies. The first and third column of buttons on this window are logic toggle switches. These buttons are toggled among three states: blank, IF, and IF NOT. The blank state indicates that the event detector should not appear in the equation line. IF (or AND if not first in the list) indicates that the event detector should identify the frame being examined (in other words, the event should occur). IF NOT (or AND NOT if not first in the list) indicates that the event detector should not identify the frame being examined (in other words, the event should not occur). AND and AND NOT may also be displayed if you choose more than 1 condition. AND and AND NOT mean the same as IF and IF NOT. Note: If you need to use OR logic for your equation, you will need to add an additional line (see Defining and Modifying Event Equations). In the upper right quadrant of this window are the following frame status indicators: Address Recognized The A frame status indicator at the end of a frame Frame Copied The C frame status indicator at the end of a frame The Address Recognized and Frame Copied indicators appear at the end of each frame. The IF NOT logic toggle switch state corresponds to the indicator being reset, and the IF logic toggle switch state corresponds to the indicator being set. 
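The equation rules described in Defining and Modifying Event Equations and in this section (terms on one line are ANDed, lines are ORed, a cleared line is TRUE for every frame) can be modelled as follows. This is an added Python example, not DatagLANce code; the frame dictionaries, station addresses, term functions and event labels other than Traffic To/From File Server are constructed for illustration.

```python
"""Model of the event-equation logic (added example, not product code).

An equation is a list of lines; lines are ORed together.
A line is a list of (term_name, wanted) pairs that are ANDed:
  wanted=True   -> IF / AND          (the event must occur)
  wanted=False  -> IF NOT / AND NOT  (the event must not occur)
A line with no terms is "IF ANY COMBINATION OF EVENTS": TRUE for every frame.
"""

MAX_CUSTOM_EVENTS = 5  # limit stated on the page

# Constructed station addresses (assumptions, not taken from the manual).
FILE_SERVER = "10:00:5A:00:00:01"
WKSTATION_1 = "10:00:5A:00:00:02"
WKSTATION_2 = "10:00:5A:00:00:03"
BROADCAST = "FF:FF:FF:FF:FF:FF"


def to_from(address):
    """Term: TRUE when the frame's destination or source is `address`."""
    return lambda frame: address in (frame["dst"], frame["src"])


# Each term yields a binary result per frame, like a detector or indicator.
TERMS = {
    "To/From: File Server": to_from(FILE_SERVER),
    "Broadcast Frame": lambda frame: frame["dst"] == BROADCAST,
    "CRC Error": lambda frame: frame.get("crc_error", False),
}

CLEARED = [[]]  # the state after Clear: one line, no terms


def validate(equation, terms):
    """Reject equations that the windows described above could not produce."""
    if not equation:
        raise ValueError("an equation has at least one line (Clear leaves one)")
    for line in equation:
        for name, wanted in line:
            if name not in terms:
                raise KeyError(f"unknown term: {name}")
            if not isinstance(wanted, bool):
                raise TypeError("wanted must be True (IF) or False (IF NOT)")


def line_true(line, frame, terms):
    """AND of all terms on one line; an empty line is TRUE."""
    return all(bool(terms[name](frame)) == wanted for name, wanted in line)


def equation_true(equation, frame, terms):
    """OR of all lines: if any line is TRUE, the result is TRUE."""
    return any(line_true(line, frame, terms) for line in equation)


def count_custom_events(events, frames, terms):
    """Count, per custom event label, the frames that pass its equation."""
    if len(events) > MAX_CUSTOM_EVENTS:
        raise ValueError("at most five custom events can be monitored")
    for equation in events.values():
        validate(equation, terms)
    return {
        label: sum(equation_true(equation, f, terms) for f in frames)
        for label, equation in events.items()
    }


# Constructed sample traffic.
FRAMES = [
    {"src": WKSTATION_1, "dst": FILE_SERVER},
    {"src": FILE_SERVER, "dst": WKSTATION_1, "crc_error": True},
    {"src": WKSTATION_1, "dst": BROADCAST},
    {"src": WKSTATION_2, "dst": WKSTATION_1},
    {"src": FILE_SERVER, "dst": BROADCAST},
]

CUSTOM_EVENTS = {
    # The page's sample equation: IF To/From: File Server
    "Traffic To/From File Server": [[("To/From: File Server", True)]],
    # Two lines ORed; the first line ANDs three terms.
    "Clean server unicast, or any broadcast": [
        [("To/From: File Server", True), ("Broadcast Frame", False),
         ("CRC Error", False)],
        [("Broadcast Frame", True)],
    ],
    "Not involving File Server": [[("To/From: File Server", False)]],
    "All frames": CLEARED,
}

if __name__ == "__main__":
    for label, n in count_custom_events(CUSTOM_EVENTS, FRAMES, TERMS).items():
        print(f"{n:3d}  {label}")
```
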
Ethernet DatagLANce Edit Equation Line Window

For Ethernet, the upper right quadrant of this window contains the following receive status state indicators:

CRC Error
   A frame containing a CRC error
Frame Alignment Error
   A frame containing a frame alignment error

The two lines of text below the status indicators on the Edit Equation Line window contain the following destination-address class items:

Broadcast Frame
   A frame that has a broadcast address
Multicast Frame
   A frame that has a multicast address

Beneath these indicators is a list box that permits one item to be selected. The items in this list are special network events that are identified by the DatagLANce analyzer. These special network events are described in the following list:

Any Special Event
   Any of the special events listed here
Soft Error Report (token-ring only)
   A MAC soft error report frame
Ring Purge (token-ring only)
   A MAC ring purge frame
Claim Frame (token-ring only)
   A MAC claim frame
Beacon Frame (token-ring only)
   A MAC beacon frame
Oversized Frame (Both token-ring and Ethernet)
   A frame that is larger than the network's allowed maximum size
Runt frame (Ethernet only)
   A frame that is smaller than Ethernet's allowed 64-byte minimum size
Collision (Ethernet only)
   A collision fragment that is the remnants of a frame due to a collision
Jabber (Ethernet only)
   A jabber frame

These special network events are identified by the DatagLANce analyzer to permit the 8 event detectors to be used for more productive purposes.

The second column from the left in the Edit Equation Line window is a series of 8 buttons. Each button has a label. These 8 buttons represent the 8 event detectors discussed earlier. An event detector is configured by clicking on its button. The topic of configuring an event detector is discussed in the next section.

Clicking on the Clear radio button displayed in Figure "Token-Ring DatagLANce Edit Equation Line Window" causes all of the IF or IF NOT terms in the equation to return to blank.
The following label will be displayed next to the Clear radio button: IF ANY COMBINATION OF EVENTS This label means that, regardless of whether any term is TRUE or FALSE, the equation line result will be TRUE. After a term is added to the equation, the radio button label returns to Clear. ═══ 7.7. Configuring Event Detectors ═══ To configure an event detector, click on any of the 8 event-detector buttons shown in Figure "Token-Ring DatagLANce Edit Equation Line Window". The window in Figure "Configure Event Detector Window" will be displayed. Configure Event Detector Window The Label field is displayed at the top of this window. Enter the descriptive name that you want to be displayed on the event-detector button. A simple label might be Destination: File Server for an event detector identifying a frame whose destination is station File Server. A more complex label might be: File Server <-> WkStat #2 for an event detector identifying traffic between station File Server and station WkStation #2. An event detector that identifies any frame coming from a group of source addresses might be labeled Source: WkStation Group. In the example shown in Figure "Configure Event Detector Window", the label is TCP/IP Frame. The Event combination box contains the type of event identified by this event detector. For unconfigured or disabled event detectors, the Event list box is labeled Disabled. In the following sections, we will discuss in depth the options for configuring event detectors. In the example shown in Figure "Configure Event Detector Window", the event identified is Frame Format/Protocols. The Configure push button is used to configure the event detector with the event type selected. The Cancel push button is used to cancel the configuration of an event detector. When you click on the Configure push button, an options window specific to the event type selected is displayed. The options contained in each of these windows are described in the following sections. 
Instead of manually configuring an event detector, you also have the option of loading a pre-configured event detector. The Load push button activates this function. When you click on this button the window in Figure "Pre-Configured Event Detectors window" will be displayed. Pre-Configured Event Detectors window The Sort by group box allows you to sort the available event detectors by file name or by the label of the event detector. By selecting an event detector listed in the list box labeled Pre-Configured Event Detector List and clicking on the Load Selected push button, a pre-configured event detector can be loaded. The Save As push button on the Configure Event Detector window allows you to save any configured event detector that you customize as a pre-configured event detector. ═══ 7.7.1. Frame Format/Protocols Event Detector ═══ A Frame Format/Protocols Event Detector identifies frames with specific types of frame formats or protocol headers, or both, within the frame. Up to 48 different frame formats and protocol headers (at multiple layers of the protocol stack) within a frame can be identified by one event detector. Figure "Frame Format/Protocols Event Detector Options" shows the window that is displayed when you select the Frame Format/Protocols configuration option. Frame Format/Protocols Event Detector Options The list box labeled Frame Format/Protocol List contains the names of all frame format and protocol headers selected for identification by this event detector. The push buttons to the right of this list box remove individual entries (Delete button) or all entries (Clear button). Beneath the Frame Format/Protocol list box is a series of combination boxes, edit fields, and push buttons that can be used to select format/protocols to be added to the list box. The Level combination box, on the left side of the window, permits a particular protocol stack level to be selected to which a format or protocol can be added. 
You can select from the following list of levels:

Any
   Permits selection of major protocols without regard to protocol stack level. That is, the answer to the following question is not needed: Is the Banyan VINES protocol on this network SAP, SNAP, or IP encapsulated?
DLC
   Data Link Control Layer, identifies network-specific frame formats.
LLC
   IEEE 802.2, Logical Link Control Protocol Data Unit Header, identifies frame protocols containing specific Destination or Source Link Service Access Points (LSAPs). It permits selection of different LSAPs or specification of a custom LSAP value in hexadecimal.
SNA
   IBM Systems Network Architecture Transmission Header relates to protocols with specific SNA transmission header types or request-and-response unit command categories.
SNAP/Etype
   SubNetwork Access Protocol Header for token-ring or Ethertype for Ethernet, selects frame protocols containing specific Ethernet type numbers. It permits selection of specific Ethernet types or specification of a custom Ethernet type value in hexadecimal.
IP
   Internet Protocol Header contains IP datagrams, Stream datagrams, or specific protocol headers that follow IP headers, such as those for ICMP, TCP, and UDP. You can select internet protocols from a list or by specifying a decimal number for a custom internet protocol.
   Note: IP Datagrams and IP-encapsulated protocols are assumed not to be encapsulated with Berkeley Trailers. If they are on the network being analyzed, use the SNAP/Etype-level Berkeley Trailers Protocols.

After the protocol level has been chosen, the Format/Protocol Select combination box will be filled with a list of protocol-layer specific formats or protocols that can be selected. The Add Selected push button places the format or protocol selected from the Format/Protocol Select combination box into the Frame Format/Protocol List box.
If custom format or protocol input is supported for the selected protocol level, the Add Custom push button will add whatever custom format or protocol has been entered in the Custom Edit field. This field will have a different name depending on the protocol level selected. For example, the Custom Edit field in Figure "Frame Format/Protocols Event Detector Options" is named Custom IP Protocol Edit. When you click on the OK push button, the event detector is configured to identify all frames containing any of the frame formats or protocols in the Frame Format/Protocol List. ═══ 7.7.2. DLC Destination Addresses Event Detector ═══ A DLC Destination Addresses event detector identifies frames with specific DLC destination addresses. Up to 25 individual DLC destination address masks can be contained in a single event detector. Figure "Destination Addresses Event Detector Options" shows the options window that is displayed when you select the DLC Destination Addresses Event Detector configuration option. Destination Addresses Event Detector Options The list box labeled Destination Address List displays each frame destination address selected for this event detector. Addresses are added to this list box by entering each address in the Address Mask Edit field and clicking on the Add push button. Addresses can also be deleted from this list (Delete), or the entire list can be cleared by clicking on the Clear push button. Addresses entered in the Address Mask Edit field can contain hexadecimal values, as well as wildcard characters (Xs) where the particular bits in the address are unimportant. The address can be entered in MSB or canonical form (LSB) using colons or hyphens to indicate these forms. For example, 10:00:5A:B8:99:11 and 10:00:5A:XX:XX:XX are valid MSB address masks. Represented in canonical form, these addresses would be 08-00-5A-1D-99-88 and 08-00-5A-XX-XX-XX. 
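The address mask rules above (colons for MSB form, hyphens for canonical form, X as a wildcard) can be checked with the following added example, which is not DatagLANce code. The function and class names are hypothetical, and it assumes that each X stands for one hexadecimal digit and that the address being tested is supplied in MSB bit order.

```python
"""DLC address masks: MSB vs. canonical form and X wildcards (added example)."""

MAX_MASKS = 25  # per-detector limit stated in the text


def _bitrev(byte):
    """Reverse the bit order of one byte (MSB form <-> canonical form)."""
    return int(f"{byte:08b}"[::-1], 2)


def parse_mask(text, default_form="msb"):
    """Return (value, care, form) for a 6-byte address mask.

    Colons mean MSB form, hyphens mean canonical form, and unseparated
    input takes default_form. care has 1-bits where the mask is significant.
    Assumption: each X stands for one hex digit (4 bits).
    """
    if ":" in text and "-" in text:
        raise ValueError("mixed separators")
    if ":" in text:
        form, groups = "msb", text.split(":")
    elif "-" in text:
        form, groups = "canonical", text.split("-")
    else:
        form = default_form
        groups = [text[i:i + 2] for i in range(0, len(text), 2)]
    if form not in ("msb", "canonical"):
        raise ValueError("unknown address form")
    if len(groups) != 6 or any(len(g) != 2 for g in groups):
        raise ValueError("expected six 2-digit groups")
    value, care = [], []
    for group in groups:
        v = c = 0
        for digit in group.upper():
            v, c = v << 4, c << 4
            if digit != "X":
                v |= int(digit, 16)  # raises ValueError on non-hex input
                c |= 0xF
        value.append(v)
        care.append(c)
    return bytes(value), bytes(care), form


def convert(value, care, form, target):
    """Re-express a parsed mask in the target bit order."""
    if form == target:
        return value, care
    return bytes(map(_bitrev, value)), bytes(map(_bitrev, care))


def format_mask(text, target, default_form="msb"):
    """Rewrite a mask string in the target form ('msb' or 'canonical')."""
    value, care, form = parse_mask(text, default_form)
    value, care = convert(value, care, form, target)
    groups = []
    for v, c in zip(value, care):
        group = ""
        for shift in (4, 0):
            wild = ((c >> shift) & 0xF) == 0
            group += "X" if wild else format((v >> shift) & 0xF, "X")
        groups.append(group)
    return (":" if target == "msb" else "-").join(groups)


def matches(mask_text, address, default_form="msb"):
    """True if a 6-byte address (MSB bit order) satisfies the mask."""
    if len(address) != 6:
        raise ValueError("DLC addresses are 6 bytes")
    value, care, form = parse_mask(mask_text, default_form)
    value, care = convert(value, care, form, "msb")
    return all((a & c) == (v & c) for a, v, c in zip(address, value, care))


class DestinationAddressDetector:
    """Holds up to MAX_MASKS masks and identifies a frame matching any one."""

    def __init__(self):
        self.masks = []

    def add(self, mask_text):
        if len(self.masks) >= MAX_MASKS:
            raise ValueError("detector already holds 25 address masks")
        parse_mask(mask_text)  # validate before storing
        self.masks.append(mask_text)

    def identifies(self, destination):
        return any(matches(m, destination) for m in self.masks)
```

Because the wildcard is tracked per bit, a mask entered in one form matches the same stations after conversion to the other form.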
You can also enter an address without the colons or hyphens, and the DatagLANce analyzer will assume that the default address representation is being used. See Figure "User Preferences Window" for more information. The Symbolic Names List contains either adapter manufacturer IDs or symbolic station names. These names can be used to add addresses to the Destination Address List. By simply selecting either manufacturer IDs or symbolic station names using the Manuf ID or Stations radio buttons, you can click on a Station Name or Manuf ID in the Symbolic Names List, and its corresponding address will be displayed in the Address Mask Edit field. The Edit push button permits you to edit this list. For more information about symbolic names, see Symbolic Names Support. The Hexadecimal and Symbolic Names radio buttons below the list box labeled Destination Address List enable you to display addresses in hexadecimal or symbolic form in the list box. When you click on the OK push button, the event detector is configured to identify a frame containing any of the destination addresses in the Destination Address List. ═══ 7.7.3. DLC Source Addresses Event Detector ═══ Like a DLC Destination Addresses Event Detector, the DLC Source Addresses Event Detector identifies frames with specific source addresses. Up to 25 individual source DLC address masks can be contained in a single event detector. Figure "DLC Source Addresses Event Detector Options" illustrates the window that is displayed when you select the DLC Source Addresses Event Detector configuration option. DLC Source Addresses Event Detector Options The push buttons in this window work the same as those in the DLC Destination Addresses Event Detector Options window. See Figure "Destination Addresses Event Detector Options" for a description of the operation of that window. 
When you click on the OK push button, the event detector is configured to identify a frame containing any of the source addresses in the Source Address List. ═══ 7.7.4. DLC Address Pairs Event Detector ═══ Whereas the DLC Destination Addresses and DLC Source Addresses Event Detectors match either the destination or the source address, the DLC Address Pairs Event Detector identifies frames that match both a destination and a source DLC address mask. A single event detector can contain up to 11 destination and source DLC address pairs. Figure "Destination/Source Address Pairs Event Detector Options" shows the window that is displayed when you select the DLC Address Pairs Event Detector configuration option. Destination/Source Address Pairs Event Detector Options Most push buttons in this window function in the same way as those in the DLC Destination Addresses Event Detector Options window (see Figure "Destination Addresses Event Detector Options"); however, there are a few additional buttons. In the top left of this window are the Dest and Source address edit fields; these are the addresses that will be added to the Address Pair List when you press the Add button. These addresses can be entered directly in the fields or edited in the Address Mask Edit field and transferred by using the To <- and From <- push buttons. The Switch push button exchanges the contents of the Dest and Source address fields to aid in adding pairs of stations that are communicating with one another. (The address that was the source address replaces the destination address, and the address that was the destination address becomes the source address.) The Address Pair List contains all of the address pairs that this event detector will detect. They are displayed in the following form: destination address<-source address When you click on the OK push button, the event detector is configured to identify a frame containing any of the destination and source address pairs in the Address Pair List. ═══ 7.7.5.
Network Address Pairs Event Detector ═══ A Network Address Pairs Event Detector identifies frames containing specific network layer addresses or address masks. Network layer addresses are addresses with a specific network layer protocol such as IP and IPX**. Up to 2 individual network address pairs can be contained in a single event detector, allowing you the ability to filter on traffic between two network stations. Figure "Network Address Pairs Event Detector Options" displays the options window that appears when you select the Network Address Pairs configuration option. Network Address Pairs Event Detector Options The Address Level combination box selects the level of addresses that will be entered into the list box entitled Network Address Pair List. The address levels within the combination box are described in Symbolic Names Support. The remainder of push buttons in this window function in the same way as those on the DLC Address Pairs Event Detector Options window (see Figure "Destination/Source Address Pairs Event Detector Options"). ═══ 7.7.6. Frame Data Pattern Event Detector ═══ A Frame Data Pattern Event Detector identifies frames containing specific data patterns. A data pattern can represent up to 32 sequential bytes of data and can be specified in binary, hexadecimal, ASCII, or EBCDIC form. Figure "Frame Data Pattern Event Detector Options" shows the options window that is displayed when you select the Frame Data Pattern Event Detector configuration option. Frame Data Pattern Event Detector Options The radio buttons in the Pattern is group box select the starting point for the data pattern search. Frame-relative means that the search will start at the beginning of the frame, and the pattern can include part of the frame control, destination, and source addresses. InfoField-relative means that the search will start at the beginning of the information field of the frame, and Source Routing indicators will be skipped. 
The radio buttons in the Type of Search group box select the portion of the frame that will be searched. A fixed offset search looks only for a pattern located a specific number of bytes from the search start position. A sliding search looks for the pattern anywhere after the search start position. If the From check box is selected, the sliding search will be limited to the range specified in the From and to edit fields. The Pattern group box located below the Type of Search group box displays the search pattern and contains a View/Edit push button to reveal the entire pattern. The example in Figure "Frame Data Pattern Event Detector Options" shows the search pattern 10005A. This search will occur throughout each monitored frame. Pressing the View/Edit push button will cause the window shown in Figure "Hexadecimal Pattern Edit" to be displayed. Hexadecimal Pattern Edit The pattern is entered in the field within the Pattern Edit group box. By selecting one of the formats in the Pattern Format group box, you can enter the pattern in binary, hexadecimal, ASCII, or EBCDIC form. When you select a different format, the window's appearance and data pattern change to the new format. Figure "Binary Pattern Edit" shows the same pattern as Figure "Hexadecimal Pattern Edit" but in binary format. Binary Pattern Edit As shown, the binary format window permits entry of a full 32-byte (256-bit) pattern. The two remaining supported formats are ASCII and EBCDIC. Figure "ASCII Pattern Edit" shows the ASCII format window. ASCII Pattern Edit The EBCDIC format window is similar to this window. In either format, any unprintable characters are displayed as upside-down question marks. Note: A keyboard combination of Ctrl-? permits wildcard characters to be added to ASCII and EBCDIC format patterns. For the binary and hexadecimal formats, an X represents a wildcard character. However, wildcard characters can be used only in fixed offset patterns. 
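The difference between the two search types, and the rule that wildcards are accepted only in fixed offset patterns, is shown in the following added example, which is not DatagLANce code. The names are hypothetical, the frame is constructed, the caller supplies the offset of the information field, and the From/to range is assumed to bound the offset of the pattern's first byte.

```python
"""Frame data pattern matching: fixed offset vs. sliding search (added example)."""

MAX_PATTERN_BYTES = 32  # pattern length limit stated in the text


def parse_hex_pattern(text):
    """Parse hex digits (X = wildcard digit) into (value, care) byte strings."""
    digits = text.replace(" ", "").upper()
    if not digits or len(digits) % 2:
        raise ValueError("pattern must be a whole number of bytes")
    if len(digits) // 2 > MAX_PATTERN_BYTES:
        raise ValueError("pattern longer than 32 bytes")
    value, care = bytearray(), bytearray()
    for i in range(0, len(digits), 2):
        v = c = 0
        for digit in digits[i:i + 2]:
            v, c = v << 4, c << 4
            if digit != "X":
                v |= int(digit, 16)  # raises ValueError on non-hex input
                c |= 0xF
        value.append(v)
        care.append(c)
    return bytes(value), bytes(care)


class DataPattern:
    """One data pattern with its search type and starting point."""

    def __init__(self, pattern, search="sliding", offset=0, window=None,
                 relative_to="frame"):
        if search not in ("fixed", "sliding"):
            raise ValueError("search must be 'fixed' or 'sliding'")
        if relative_to not in ("frame", "info"):
            raise ValueError("relative_to must be 'frame' or 'info'")
        self.value, self.care = parse_hex_pattern(pattern)
        if search == "sliding" and any(c != 0xFF for c in self.care):
            raise ValueError("wildcards are allowed only in fixed offset patterns")
        self.search = search
        self.offset = offset          # used by fixed offset searches
        self.window = window          # optional (from, to) for sliding searches
        self.relative_to = relative_to

    def match(self, frame, info_start=0):
        """True if the frame contains the pattern under the configured search.

        info_start is the offset of the information field, past any source
        routing indicators; locating it is left to the caller (assumption).
        """
        data = frame if self.relative_to == "frame" else frame[info_start:]
        n = len(self.value)
        if self.search == "fixed":
            chunk = data[self.offset:self.offset + n]
            return len(chunk) == n and all(
                (b & c) == (v & c)
                for b, v, c in zip(chunk, self.value, self.care))
        # Sliding: the first byte of the pattern may sit anywhere in the window.
        lo, hi = self.window if self.window else (0, len(data))
        return data.find(self.value, lo, hi + n) != -1


# Constructed frame: 2 control bytes, destination 10:00:5A:B8:99:11,
# source 10:00:5A:01:02:03, then a 10-byte information field.
FRAME = bytes.fromhex("1040" "10005AB89911" "10005A010203"
                      "AAAA03" "000000" "0800" "4500")
INFO_START = 14
```

With this frame, a sliding search for 10005A succeeds frame-relative (it finds the destination address) but fails InfoField-relative, which is why the choice of starting point matters when hunting for an address prefix.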
All four formats can be used to enter a single pattern. You can switch formats at any time, and the existing pattern will be translated into the new format. This permits maximum flexibility and power in specifying your patterns. When you click on the OK push button, the window accepts changes to the pattern and returns to the Frame Data Pattern Event Detector Options window. ═══ 7.7.7. Source Routing Indicators Event Detector ═══ A Source Routing Indicators Event Detector identifies frames with specific source routing information within the frame. Figure "Source Routing Indicators Event Detector Options" shows the window that appears when you select the Source Routing Indicators configuration option. Source Routing Indicators Event Detector Options The Routing Type group allows you to select whether to identify frames containing non-broadcast, single-route broadcast, or all-routes broadcast routing fields. The Routing Length combination box allows you to specify the length of the routing field. Selecting Any ignores the routing length when identifying source routing indicators. The Dest and Source Ring Masks allow you to specify the destination and source rings of the frame. An X can be used as a wildcard in specifying the ring mask. When you click on the OK push button, the event detector is configured to identify all frames containing the source routing indicators specified. ═══ 7.7.8. MAC Frame Event Detector ═══ The MAC Frame Event Detector (Token-Ring DatagLANce Network Analyzer) combines the Frame Format/Protocols, DLC Address Pairs, and Frame Data Pattern Event Detectors into one event detector that can detect all three of these events. This makes the best use of event detectors: without the combined format, identifying such an event might require as many as three event detectors. Figure "MAC Frame Event Detector Options" shows the window that is displayed when you select the MAC Frame Event Detector configuration option.
MAC Frame Event Detector Options The Frame Control group box contains 6 checkboxes: Beacon, Claim, Ring Purge, AMP (Active Monitor Present), SMP (Standby Monitor Present), and Other. This Event Detector identifies a MAC frame if its frame control field matches any one of the frame controls that are checked. The Frame Addresses group box permits the destination and source address masks for the frame to be specified. The Hex and Name radio buttons allow the addresses to be displayed in either hexadecimal or symbolic name formats respectively. The Edit pushbutton in this group permits the addresses to be edited. Pressing this button will cause the panel in Figure "Frame Address Edit Window" to be displayed. Frame Address Edit Window This window permits the destination and source addresses of the frame to be edited in a fashion similar to the DLC Address Pairs Event Detector (see Figure "Destination/Source Address Pairs Event Detector Options"). Back in the MAC Frame Event Detector Options window, the InfoField Pattern permits specification of a sliding search or fixed offset data pattern that is to appear within the MAC Frame information field. Editing of this pattern is similar to the Frame Data Pattern Event Detector (see Figure "Frame Data Pattern Event Detector Options"). When OK is pressed, the event detector is configured to identify a MAC frame of the types checked, matching also the destination and source address masks specified, and containing the InfoField Pattern if one is specified. ═══ 7.7.9. LLC/IEEE 802.3 Frame Event Detector ═══ The LLC Frame Event Detector (Token-Ring DatagLANce Network Analyzer) and the IEEE 802.3 Frame Event Detector (Ethernet DatagLANce Network Analyzer) also combine the Frame Format/Protocols, Destination/Source Address Pairs, and Frame Data Pattern Event Detectors into one event detector that can detect all three of these events.
Figure "LLC/IEEE 802.3 Frame Event Detector Options" shows the window that is displayed when you select the LLC/IEEE 802.3 Frame Event Detector configuration option. LLC/IEEE 802.3 Frame Event Detector Options The Frame Addresses group box allows the destination and source address masks for the frame to be specified. Editing these addresses is discussed in MAC Frame Event Detector. The Source Routing Information group box permits selection of whether the LLC/IEEE 802.3 frame has source routing indicators. This can be specified by selecting one of the No-Routing, Has-Routing, or Either radio buttons. By selecting Sliding search or Fixed offset, you activate data pattern searching within the LLC information field. This information field includes the LLC protocol data unit (LPDU) header. Editing of this pattern is discussed in Figure "Frame Data Pattern Event Detector Options". To identify information within the LPDU header within an LLC/IEEE 802.3 frame, select Match LPDU Fields to activate the search. The specifics of the LPDU fields search can be specified by clicking on the LPDU Fields button, displaying the window in Figure "LLC Protocol Data Unit Fields Options". LLC Protocol Data Unit Fields Options This panel permits specification of the LPDU header fields of the LLC/IEEE 802.3 frame to be identified. The Service Access Points (SAP) group box permits specification of Destination and Source SAP masks within the LPDU. These masks can be specified in either binary or hexadecimal by selecting the appropriate radio button. Command and Response LPDUs can be identified by selecting the appropriate radio button in the Command/Response group box. The status of the Poll/Final bit in the various LPDU command formats of the LPDU can be specified by selecting the appropriate radio button in the Poll/Final Bit group box. The remainder of the buttons on the panel are check boxes that allow selection of the various LPDU formats that an LLC/IEEE 802.3 frame can contain.
The event detector will identify an LLC/IEEE 802.3 frame that contains any of these chosen formats. If the Information Transfer Format check box is selected, all I-Format LPDUs will be identified. If the Unnumbered Format check box is selected, all checked U-Format LPDUs in the box beneath this button will be identified. If the Supervisory Format check box is selected, all checked S-Format LPDUs in the box beneath this button will be identified. When the OK pushbutton is pressed, the options selected will be accepted and you will be returned to the LLC/IEEE 802.3 Frame Event Detector Options window. ═══ 7.7.10. Ethernet Frame Event Detector ═══ The Ethernet Frame Event Detector (Ethernet DatagLANce Network Analyzer) combines the Frame Format/Protocols, DLC Address Pairs, and Frame Data Pattern Event Detectors into one event detector that can detect all three of these events. This makes the best use of event detectors: without the combined format, identifying such an event might require as many as three event detectors. Figure "Ethernet Frame Event Detector Options" shows the window that is displayed when you select the Ethernet Frame Event Detector configuration option. Ethernet Frame Event Detector Options The Frame Addresses group box allows you to specify the destination and source address masks for the frame. Editing these addresses is discussed in MAC Frame Event Detector. The Ethernet Type Field group box allows you to specify a hexadecimal mask for the type field of the Ethernet frame in the Mask edit field. The InfoField Pattern permits specification of a sliding or fixed offset data pattern search within the Ethernet Frame information field. The procedure for editing this pattern is similar to that for Frame Data Pattern Event Detector (see Figure "Frame Data Pattern Event Detector Options").
When OK is pressed, the event detector is configured to identify an Ethernet frame containing the destination and source address masks specified, matching the Ethernet type mask, and containing the InfoField Pattern if one is specified. ═══ 7.8. Displaying Monitored Events ═══ When the DatagLANce analyzer monitors the network, it accumulates data for all custom events specified and all events that the DatagLANce analyzer automatically monitors. The DatagLANce analyzer displays the statistics accumulated on these events in event windows. ═══ 7.8.1. Creating a New Event Window ═══ A new event window is created by selecting New Window from the Window menu of the DatagLANce Network Analyzer window. Figure "New Event Window" illustrates a new event window. New Event Window This window displays the current statistics in numeric form for the All Frames default event. The appearance of an event window can be changed at any time. To do this, place the pointer anywhere within the event window, and press mouse button 2. Figure "Event Window Options Menu" is displayed. Event Window Options Menu From this menu you can select an event to be displayed (Event), the format in which you want to display the statistics (Format), and the statistics to display about the event (Display). The following topics describe these options. ═══ 7.8.2. Displaying Events ═══ To display an event, click on Event (shown in Figure "Event Select Submenu") with mouse button 1. Event Select Submenu A check mark is displayed beside the current event selected. To select a different event, click mouse button 1 on the event. ═══ 7.8.3. Selecting the Event Format ═══ The Format menu in the Event window options menu contains a submenu (see Figure "Format Select Submenu") for selecting numeric, bar chart, or line graph display formats for statistics. Click on Format with mouse button 1 to display this submenu. Format Select Submenu Select the format you want with mouse button 1. 
The formats are: Numeric (Current) Displays, in numeric format, event statistics collected during the last refresh interval. This format permits the display of multiple statistics, such as frames, bytes, average frame size, and utilization. Figure "Numeric (Current) Format" shows this format. Numeric (Current) Format Numeric (Cumulative) Displays, in numeric format, event statistics collected since the monitor was started. Bar (Current) Displays, in bar graph format, current event statistics. Only one statistic category, such as frames, bytes, or frame rate can be displayed in this window. Figure "Bar (Current) Format" illustrates this format. Bar (Current) Format Bar (Cumulative) Displays, in bar graph format, event statistics collected since the monitor was started. Only one statistic can be displayed in this window. History Displays any event statistic in relation to time. Statistics are sampled at the interval specified in the History Statistics Options (see History Statistics: Network Statistics Versus Time) and are displayed in a history graph in the window, as shown in Figure "History (Current) Format". History (Current) Format The /2 and x2 buttons will halve or double the number of points displayed on the history graph. Up to 400 points of history statistics will be retained for display. ═══ 7.8.4. Selecting Display Options ═══ To select display options, click, with mouse button 1, on the Display menu in the Event window. (See Figure "Display Select Submenu"). Display Select Submenu The following list explains each display option: Frames Displays the number of frames counted for the event. Bytes Displays the number of bytes in all the frames counted for the event. For token-ring, this count includes the start delimiter, end delimiter, frame status, and frame check sequence bytes and the frame bytes. Including these bytes in the count results in the best approximation of frame network utilization. 
For Ethernet, this count includes the frame check sequence and the frame bytes. The preamble, or start delimiter fields, are not counted because some of the preamble can be lost as the frame travels through the network. Avg Frame Length Displays the average frame length of the event's frames. This is calculated by dividing the number of bytes counted for the event by the number of frames counted for the event. Frame Rate Displays the average number of event frames counted per second. For current statistics, this is the number of event frames counted divided by the screen refresh interval. For cumulative statistics, this is the number of event frames counted divided by the number of seconds the DatagLANce analyzer has been monitoring. Byte Rate The average number of bytes in all the event frames counted per second. For current statistics, this is the number of bytes counted for the event divided by the screen refresh interval. For cumulative statistics, this is the number of bytes counted for the event divided by the number of seconds that the DatagLANce analyzer has been monitoring. Utilization Displays the average utilization of maximum bandwidth in percent used by all the bytes in all the frames counted for the event. For current statistics, this is the Byte Rate value divided by the maximum network speed in megabytes per second. For cumulative statistics, this is the Byte Rate value divided by the maximum data rate. Percent Frame Traffic Displays the average percentage of all frames counted that matched the event being displayed. For current statistics, this is the number of frames counted for the event divided by the count of all frames monitored during the last screen refresh interval. For cumulative statistics, this is the number of frames counted for the event divided by the count of all frames seen since the DatagLANce analyzer started monitoring. 
Percent Byte Traffic Displays the average percentage of all bytes counted that have been in frames that matched the event being displayed. For current statistics, this is the number of bytes counted for the event divided by the number of bytes in all frames seen during the last screen refresh interval. For cumulative statistics, this is the number of bytes counted for the event divided by the number of bytes in all frames seen since the DatagLANce analyzer started monitoring. Soft Errors (token-ring only) A count of all soft errors reported in all MAC soft error report frames. This statistic is valid only for the All Frames event. Ring Purges (token-ring only) A count of the number of frames identified as MAC ring purge frames. This statistic is valid only for the All Frames event. Beacon Frames (token-ring only) A count of the number of frames identified as MAC beacon frames. This statistic is valid only for the All Frames event. CRC/Alignment Errors (Ethernet only) A count of the number of frames that contained CRC/Alignment errors. This statistic is valid only for the All Frames event. Collisions (Ethernet only) A count of the number of collision fragments and jabber frames (late collisions). This statistic is valid only for the All Frames event. Note: The count of collision fragments is an estimate of the actual number. Collisions that occur during the preamble of a frame and collision fragments that are less than the minimum frame size accepted by the adapter are not counted. Runt Frames (Ethernet only) A count of the number of frames that were runts. This statistic is valid only for the All Frames event. Oversized Frames A count of the number of frames that were oversized. This statistic is valid only for the All Frames event. Event Displays the name of the event in the window. The name of the event is always displayed in the window's caption. Disabling this option provides room for other information within the window. 
Statistic Displays the name of the statistic displayed in the bar or history graph. Disabling this option provides room for other information within the window. First Activity Displays the time of the first occurrence of the event. This statistic is available only for numeric formats. Last Activity Displays the time of the last occurrence of the event. This statistic is available only for numeric formats. Units Displays the units used to display the bar or history graph. Disabling this option provides room for other information within the window. Date/Time Displays the date and time of events on a history graph. Disabling this option provides room for other information within the window. Grid Displays a dashed grid on history graphs. Each vertical line on the graph corresponds to the Date/Time shown below it. Min Displays the minimum value of the event's history statistics on the history graph. Avg Displays the cumulative average of the event's history statistics on the history graph. Max Displays the maximum peak of the event's history statistics on the history graph. Manual Scaling Permits the axis limits of the bar and history graph to be manually manipulated. When disabled, the bar graph is automatically adjusted as the statistics exceed the bounds of the graph. (Note that the bounds of the graph do not include the minimum and maximum statistics.) When manual scaling is disabled for history graphs, the minimum and maximum will equal the historical minimum and maximum values. Set Axis Limits Displays a window, enabling you to enter the axis limits of the bar or history graph. ═══ 7.9. History Statistics: Network Statistics Versus Time ═══ Selecting the Event Format describes how the statistics accumulated for an event can be displayed in relation to time. This information can show trends of events that are occurring on the network. Sometimes, it is useful to accumulate these statistics over longer periods of time and analyze them.
In addition to accumulating and displaying these statistics in relation to time, you can record the statistics to a file for printing or further analysis by other programs, such as spreadsheets. The History Statistics Options window (see Figure "History Statistics Options") is displayed when History Statistics Options is selected from the Monitor menu. History Statistics Options The History Statistics Sample Interval combination box specifies the length of time for accumulating history statistics. This time interval can range from one second to one hour (except for a 16Mbps token-ring, which has a maximum time interval of 30 minutes). The radio buttons below the History Statistics Sample Interval combination box specify recording options: Do not Record History Statistics Causes the DatagLANce analyzer to not record statistics, but to accumulate them for displaying in event windows. When history recording stops, you can use the report function (see Figure "Print Report Options") to print the history statistics for some events. Start Recording Immediately Causes history statistics to start being written when the DatagLANce analyzer starts monitoring. Start Recording at Date/Time Causes the DatagLANce analyzer to start recording history after the date and time specified. The Number of Samples to Record combination box specifies the number of sample intervals to record. A number can be specified, or selected from the list box. If you select Unlimited, the DatagLANce analyzer will record statistics until monitoring stops. Note: Since the platform running your DatagLANce analyzer has finite disk space, ensure that: (1) enough storage space is available on your system for recording statistics, and (2) the DatagLANce monitor is stopped before the system drive is full. Each sample takes from 34 to 660 bytes of disk space depending on the statistics/format file you have selected to be written.
Just below the Number of Samples to Record box, the DatagLANce analyzer displays the total time needed to record statistics. The device, or path name of the file to contain the statistics, can be entered in the Device or Pathname field. Device names entered in this field must end in a colon (for example, PRN:). Use the full directory path name for any file located outside the Current Path. The file extension must be omitted. The File Format group box gives the following choices for formatting the file: o If you select Text, the selected statistics are written in columnar format to a text file with an extension of HTX. o Delimited Fields, in combination with Text, causes the statistics selected to be written in comma-separated variable format. This format is suitable for importing the file into industry-standard spreadsheet programs. o If you select Binary, all accumulated statistics are written to a binary file with an extension of HRF. You can write custom programs to read and manipulate the data in this format. See History Statistics File Formats. The Select Statistics push button enables you to choose the statistics to be recorded for text format history statistics files. When you click on this push button, the window shown in Figure "Select History Statistics for Recording Window" is displayed. Select History Statistics for Recording Window Use the Event list box to select any event that the DatagLANce analyzer monitors. The statistics selected for this event are displayed in the Statistics to Record group box. All selected statistics check boxes are recorded. Grayed statistics check boxes cannot be recorded for the event. The Clear push button removes the check marks from all the check boxes for the event selected. The Clear All Events push button removes the check marks from the check boxes for all events. Clicking on the OK push button causes all statistics selected to be accepted and returns you to the History Statistics Options window. ═══ 7.10. 
Alarms: Keeping a Watchful Eye on Your Network ═══ The DatagLANce analyzer accumulates statistics on a variety of events, displays these statistics in current, cumulative, and historical formats, and permits you to record these statistics to a history statistics file for a record of your network activity. But what happens when something critical occurs on your network, such as All Frames Utilization exceeding 80% or too many CRC errors degrading network performance? One way to ensure that you are alerted to this condition when it occurs would be to continuously monitor a view of All Frames Utilization History. In most cases, however, you will be doing something more productive than watching the DatagLANce screen when your network starts experiencing problems like these. The DatagLANce analyzer offers you the capability of configuring 5-level floor and/or ceiling audible alarms for various types of alarm events as well as recording these alarms in a file. With this function, you are free to do other work while the DatagLANce analyzer watches your network for potential problems. In addition to logging alarms to a file, the DatagLANce analyzer can be configured to send an SNMP trap to a management station on your network, beep a pager, stop a capture already in progress (see Capturing Frames from the Network), or run your own program that takes appropriate action in response to the alarm. Some DatagLANce configurations (see Configurations) include alarms that might be useful for your network. Since there is no defined normal activity for all networks, you will need to customize the supplied alarm values for your network. The next topic explains how to perform this customization. ═══ 7.10.1. Defining Normal Thresholds of Network Operation ═══ Before you configure the DatagLANce analyzer to look for potential problems, determine the thresholds of your network's normal operation.
This can be accomplished by recording statistics for your network over at least a 24-hour period of normal network operation, such as a weekday. The interval you select for this recording should be the interval for which you want to be notified of potential problems (for example, 30 seconds). You can record events such as All Frames Utilization, soft errors (token-ring) or CRC/alignment errors (Ethernet), and other performance statistics that influence frame counts (Broadcast frames, ICMP frames).

Next, examine this file to determine trends by using a spreadsheet or by printing out the information. Locate the maximum and minimum peaks of each event monitored. Find any critical events, such as traffic to and from a critical file server, or another device, on which your network is heavily dependent. You can use this information to determine safe performance thresholds of your network.

═══ 7.10.2. Configuring Alarms: The Alarm Options ═══

Select the Alarm Option from the Monitor menu of the DatagLANce Network Analyzer control windows to configure alarms for specific events. When this menu item is selected, the window in Figure "Alarm Options" is displayed.

[Figure: Alarm Options]

In the Alarm Events list box you can select one of a number of events that support the specification of alarm thresholds. The selected event in the list contains all of the options displayed in the remainder of the window.

The Interval combination box specifies the time interval, in seconds, over which measurements occur to determine whether an alarm condition exists for the event selected in the Alarm Events list box. Each alarm event can have a different interval. Select longer intervals to prevent sporadic bursts of traffic from creating unwanted alarm entries. When averaged over a longer period of time, these events will fall within normal network thresholds.
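The baselining step from "Defining Normal Thresholds of Network Operation", combined with the interval averaging just described, as an added example that is not part of the DatagLANce product or this manual. The export layout, the column names and the sample values are assumptions constructed for the illustration; the real layout is the one defined in History Statistics File Formats.

```python
import csv
import io

# Constructed sample of a delimited-fields history export recorded every
# 30 seconds. Column names and layout are assumptions for this example.
SAMPLE_EXPORT = """\
time,all_frames_utilization_pct,crc_alignment_errors
09:00:00,20,0
09:00:30,22,0
09:01:00,21,1
09:01:30,85,0
09:02:00,23,0
09:02:30,19,0
09:03:00,24,0
09:03:30,22,2
09:04:00,20,0
09:04:30,21,0
09:05:00,23,0
09:05:30,22,0
"""
RECORDED_INTERVAL = 30  # seconds between samples in the export


def load_column(text, column):
    """Read one statistic from the delimited export as a list of floats."""
    reader = csv.DictReader(io.StringIO(text))
    return [float(row[column]) for row in reader]


def regroup(values, interval, kind):
    """Re-express the recorded samples at a longer alarm interval.

    kind="rate"  averages the samples (percent utilization);
    kind="count" sums them (error or frame counts).
    A trailing window that is not complete is dropped.
    """
    if interval < RECORDED_INTERVAL or interval % RECORDED_INTERVAL:
        raise ValueError("interval must be a multiple of the recorded interval")
    size = interval // RECORDED_INTERVAL
    windows = [values[i:i + size]
               for i in range(0, len(values) - size + 1, size)]
    if kind == "rate":
        return [sum(w) / len(w) for w in windows]
    if kind == "count":
        return [sum(w) for w in windows]
    raise ValueError("kind must be 'rate' or 'count'")


def baseline(text, column, interval, kind):
    """Minimum and maximum peaks of one event at the given alarm interval."""
    values = regroup(load_column(text, column), interval, kind)
    return {"interval": interval, "min": min(values), "max": max(values)}


def ceiling_violations(text, column, interval, kind, ceiling):
    """Number of intervals in which a ceiling alarm would have fired."""
    values = regroup(load_column(text, column), interval, kind)
    return sum(1 for value in values if value > ceiling)


if __name__ == "__main__":
    for seconds in (30, 120):
        print(baseline(SAMPLE_EXPORT, "all_frames_utilization_pct",
                       seconds, "rate"),
              "alarms over 80%:",
              ceiling_violations(SAMPLE_EXPORT, "all_frames_utilization_pct",
                                 seconds, "rate", 80))
    print(baseline(SAMPLE_EXPORT, "crc_alignment_errors", 120, "count"))
```

At the 30-second interval the single burst counts as a peak and would trip an 80% ceiling; at 120 seconds the same burst averages into the normal range and no alarm entry results.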
In the Alarm Condition Exists When group box you can specify whether the alarm is disabled or is a floor alarm, a ceiling alarm, or a combination floor and ceiling alarm. You can select from the following options:

Disabled
  Disables the alarm. No thresholds for this alarm event will be monitored.
Min Violated
  Specifies that if the value of the event falls below specified minimum thresholds, an alarm condition exists. This is a floor alarm.
Max Violated
  Specifies that if the value of the event exceeds specified maximum thresholds, an alarm condition exists. This is a ceiling alarm.
Either Violated
  Specifies that if any of the minimum or maximum thresholds specified are violated, an alarm condition exists.

The Alarm Thresholds group specifies the thresholds of the floor and ceiling alarms. The five levels of alarm thresholds are:

Inform
  Some event of interest has occurred. For example, the network is near its maximum normal All Frames Utilization.
Warning
  Some event has exceeded normal network thresholds. For example, the network has exceeded its maximum normal All Frames Utilization.
Minor
  Some event has more than exceeded normal network thresholds. For example, the network is 10% above its maximum normal All Frames Utilization.
Major
  Some event is nearing a critical normal network threshold. For example, the network has exceeded 30% above its maximum normal All Frames Utilization.
Critical
  Some event has reached a critical normal network threshold. Critical alarms indicate when conditions exist that severely degrade network performance. For example, the network has exceeded 80% utilization.

You can enter thresholds for each alarm priority in the MINIMUM and MAXIMUM edit field boxes next to the priority. The units of the alarm threshold are shown next to the alarm event in the Alarm Event combination box. These units might be seconds (Network Inactive Time), percent (All Frames Utilization), or counts (for example, All frames counts).
A blank edit field indicates that no alarm conditions exist for that priority.

The alarm ACTIONS check boxes located next to the thresholds edit boxes allow you to select which actions to perform when an alarm event occurs.

Log
  Records the alarm event in the Alarm Log. The Log selections have no effect on audible alarms. Any logged or unlogged alarm event causes the alarm to sound if the Audible Alarms check box has been checked.
Stop
  Causes the Capture to stop. This option only takes effect if the capturing is enabled and is active.
Trap
  Sends an SNMP Trap to a specific network management station. This option requires that IBM TCP/IP for OS/2 be installed, along with a separate network interface (network adapter or SLIP line) for TCP/IP network communication. A list of the Enterprise Specific SNMP Trap variables originated by the DatagLANce Network Analyzer is defined in SNMP Traps from the DatagLANce Network Analyzer: The MIB Definition.
Page
  Beeps your pager. This option requires that a Hayes-compatible modem, connected to a phone, be attached to one of the COM ports of your computer. Only one page per any ten minute interval will be performed.
Run
  Runs a program. This option permits you to write your own specific application to be executed when this alarm condition occurs. Clicking on the Run push button next to the check box will allow you to select the program to execute.

Beneath the Critical alarm thresholds is the When alarm threshold violation ceases line and alarm ACTIONS check boxes. These actions are performed when the alarm condition ceases to exist (the network returns to within normal thresholds for this alarm).

The Audible Alarms switch in the Options group box will cause the speaker to sound when an alarm condition occurs for this alarm event. Higher priority alarms have higher pitches as well as longer duration.

The One-Time Alarms switch in the Options group box sets alarm event logging to a single unacknowledged Log entry.
This prevents alarm events, which can occur again and again, from cluttering up the Alarm Log.

The Log Alarms To push button permits you to specify whether the alarm log is written to a file. When you click on the Log To push button, the window in Figure "Alarm Log Options" will be displayed.

[Figure: Alarm Log Options]

If you select the Log to window only radio button, no Alarm Log file is written. Selecting both radio buttons instructs the DatagLANce analyzer to record the Alarm Log both to the Alarm Log window and to a device/file.

The Alarm Log Device or Pathname edit field permits entry of the device or path name of the file. Device names should end with a colon (for example, PRN:). The extension should be omitted when specifying a file (the extension will be LOG); also, full path names must be specified for files written to a directory other than Current Path.

The Append File if Exists flag enables extending an existing Log file with new data. Since system disks cannot provide an infinite amount of storage space, make sure that you shorten or delete this file regularly.

The Send Traps To push button on the Alarm Options window permits you to specify where to send SNMP traps when an alarm occurs. When you click on the Send Traps To push button, the window in Figure "SNMP Traps Options" will be displayed.

[Figure: SNMP Traps Options]

The TCP/IP Address of the network management station to which to send SNMP traps should be specified in the Send Traps to IP Address edit field.

The Pager Setup push button on the Alarm Options window permits you to specify the commands necessary to beep your pager through your Hayes-compatible modem. When you click on the Pager Setup push button, the window in Figure "Pager Setup Window" will be displayed.

[Figure: Pager Setup Window]

The Modem Connected To combination box selects which COM port to issue the modem commands through.

The Modem Initialization Commands edit fields specify what commands to send to the modem before issuing the command to beep your pager.
A two second delay will be inserted between each initialization command. A blank edit field will cause no delay.

The Dial Pager Modem Command specifies which command to issue to the modem to dial your pager. For Hayes-compatible modems, this command is prefixed by ATDT (for touch tone phones) or ATDP (for pulse phones). Following this prefix is the dial out sequence to beep your pager. A sample dial pager modem command can be as follows:

  ATDT9,234-5678,,7890,,,

This sample command causes the modem to dial 9, wait two seconds (each comma in the command instructs the modem to wait two seconds), dial 234-5678, wait four seconds, dial the pager extension 7890, then wait six seconds.

Choosing the Append Dial Pager Command with Alarm Code check box causes DatagLANce to append an alarm code to the command string. In the example above the six-second delay will be followed by an alarm event and condition specific code. These codes are defined in DatagLANce Alarm Pager Codes.

Each of the Run push buttons on the Alarm Options window permits you to specify a program to execute when an alarm occurs. When you click on the Run push button, the window in Figure "Execute Program on Alarm" will be displayed.

[Figure: Execute Program on Alarm]

The program to be executed, and any arguments to the program, should be specified in the edit field of this window. This program must be a valid OS/2 EXE file and the full path of the program including drive designators must be specified. OS/2 CMD files can be run by executing the OS/2 Command Processor, CMD.EXE, found in the \OS2 directory on the drive where you installed OS/2. Check the OS/2 Command Reference for the command syntax.

═══ 7.10.3. The Alarm Log Window: A View into the Network's Alarm Past ═══

When monitoring, the DatagLANce analyzer logs any alarm events that occur to the Alarm Log window and, if requested, to an alarm file.
This window can be displayed by selecting Alarm Log from the Window menu of the DatagLANce Network Analyzer window (see Figure "Alarm Log Window").

Warning: When you operate more than one DatagLANce analyzer at the same time, you should choose different file names for the alarm log (or place them in separate directories).

[Figure: Alarm Log Window]

The most recent alarm events appear at the top of the Alarm Log window. Each logged alarm has several information fields, displayed in a columnar format:

Number
  Represents the number of the alarm event. The first alarm event is numbered 1, and so on.
Priority
  Represents the alarm's priority. Each alarm is displayed in the color that matches its alarm priority.
Timestamp
  Shows the date and time the alarm event occurred.
Alarm Description
  Describes which alarm event occurred and whether a minimum or maximum threshold was breached.

There are several menu options that enable you to manipulate the Alarm Log displayed in the window:

Acknowledge
  Acknowledges an alarm. An `a' character is displayed to the left of the alarm, indicating that it has been acknowledged, and the alarm is grayed. This indicates that you have personally noted the alarm but wish to leave it displayed in the Alarm Log window.
Clear
  Removes the alarm from the Alarm Log window. The alarm will still be recorded in the Alarm Log file if one has been specified.
Options
  Has the following menu choices:
  o Clear All Alarms clears all alarm log entries from the Alarm Log window. The alarms will still be recorded in the Alarm Log file if one has been specified.
  o Allow Audible Alarms enables audible alarms for events whose Audible Alarm switch is turned on. This item is a convenient way of temporarily or permanently disabling any alarms that might become audible.

The Alarm Log window displays a maximum of 50 alarm entries. Any earlier alarm entries are discarded. These log entries give you a view into your network's previous alarms.
For a complete record, though, you should send alarms to a file.

Note: The DatagLANce analyzer also discards One-Time Alarms from the Alarm Log window based on the Alarm arrival time. Yet the One-Time rule remains in effect to prevent new entries to the log. For discarded entries, no other mechanism exists to clear them individually. Therefore, to permit a new occurrence of a discarded One-Time Alarm, you must use the Clear All Alarms option.

═══ 7.11. Network Glance: Viewing the Traffic on the Network ═══

While monitoring, the DatagLANce analyzer reports statistical information about events such as frames, tokens, and any custom events that it has been configured to monitor. These statistics give you information about how often events occur as well as how many events have occurred since the DatagLANce analyzer started monitoring. However, you might also want to examine the type of traffic that is currently traveling on the network. If so, you will want to use the DatagLANce Network Glance function.

═══ 7.11.1. What is Network Glance? ═══

The Network Glance function enables you to view traffic that is traveling on the network by recording for some period of time (or until the Glance buffer is full) and then displaying the frames in decoded form. The Glance function stores frames in the DatagLANce Network Analyzer's 64-KB Glance buffer. All frames on the LAN or only a subset of frames can be glanced. Only the first 176 bytes of each frame will be saved in the Glance buffer.

Glance cannot time-stamp frames. If you need frame time-stamps, see Capturing Frames from the Network. The next section discusses a variety of formats available for displaying glanced frames.

═══ 7.11.2. Operating Network Glance ═══

The Network Glance window controls the Glance function as shown in Figure "Network Glance Window". You can display this window by selecting Network Glance from the Window menu of the DatagLANce Network Analyzer control window.

[Figure: Network Glance Window]

The Glance!
menu choice in the menu bar of the Network Glance window initiates a glance. Clicking on this menu choice causes the DatagLANce analyzer to start recording frames.

The Options menu contains the following Glance options:

Glance at All Frames
  Causes the DatagLANce analyzer to glance at any frame on the network.
Glance at Filtered Frames Only
  Causes the DatagLANce analyzer to glance at frames matching the Network Glance Filter. See Figure "Network Glance Filter". If you configure your DatagLANce analyzer to capture frames, this menu choice label becomes Glance at Captured Frames Only. See Capturing Frames from the Network. The DatagLANce analyzer glances at any frames that match the Frame Capture Filter as discussed in Figure "Frame Capture Filter". This function enables you to view frames being captured without stopping the capture.
Glance Interval
  Specifies how long to listen for frames. The DatagLANce analyzer stops glancing at the end of this interval and then displays the frames that were glanced.
Auto-Refresh
  Places the DatagLANce analyzer in auto refresh mode. The DatagLANce analyzer continuously glances and refreshes as specified by the glance interval.

When a glance cycle is completed, the DatagLANce analyzer presents the frames glanced in a summary format. This format, as well as the remainder of the menu choices on the Network Glance window, functions the same as the DatagLANce protocol analysis application does. (See Analyzing Captured Frames for a discussion of these functions.)

═══ 7.11.3. The Network Glance Filter: Selecting Frames to Glance ═══

When the DatagLANce analyzer is not configured to capture frames from the network, the Monitor menu of the DatagLANce Network Analyzer control window contains a menu choice labeled Network Glance Filter. Figure "Network Glance Filter" shows the window that is displayed when you select this menu choice.

[Figure: Network Glance Filter]

The Network Glance Filter represents an event equation that selects events to glance.
Event equations are discussed in Understanding Event Equations. When the Glance at Filtered Frames Only choice in the Network Glance window's Options menu is selected, only the frames passing this event equation are glanced.

═══ 7.12. Ring Map: A Logical Token-Ring Map ═══

The Token-Ring DatagLANce Network Analyzer can build and display a logical map of the token-ring. This logical map lists MAC addresses representing all of the stations on the ring. You can choose to activate the Ring Map instead of the Network Glance Filter by selecting the Ring Map menu choice from the Monitor menu in the DatagLANce Network Analyzer control window. Since this function also requires the use of one event detector, at least one event detector must be configured as disabled to use this function. (See Configuring Event Detectors.)

Note: The capture function must be disabled in order to use this function (see The Capture Menu).

The Ring Map window displays the token-ring map as shown in Figure "Ring Map Window".

[Figure: Ring Map Window]

The Refresh! menu choice in the menu bar of the Ring Map window produces a record of the current ring map. Selecting this menu choice causes the DatagLANce analyzer to start listening for MAC active monitor present frames and MAC standby monitor present frames that each station transmits on the ring. From this information, the DatagLANce analyzer builds a logical token-ring map.

The ring map is displayed as a list of station addresses. The DatagLANce Network Analyzer should appear at the bottom of this list. If it does not, the DatagLANce analyzer has not been able to determine the address of the nearest upstream station. Stations positioned above the DatagLANce analyzer in the list are upstream from the Analyzer. Each station is listed in the same order in which it occurs on the ring.

Each line in the window represents a single station on the ring. Information about the station is displayed in a columnar format.
You can display or hide optional information about the station by selecting a particular menu choice from the Display menu in this window. The items of information you can display about a station are:

Status Flag (Unlabeled Field)
  This column has no title and is always displayed on the left side of the display. The flag field contains a status flag about the station. This flag can be one of the following flag characters:
       Indicates that the station is currently active on the ring.
    N  Indicates that the station has just been inserted into the ring.
    D  Indicates that the station has disconnected from the ring or has been isolated from the ring somehow. A station will also be considered disconnected if it stops participating in MAC standby-monitor-present notifications.
Station
  Displays the MAC address of the station. The width of this field can be varied by selecting the Address Field Width menu choice in the Display menu. The Display menu also contains two selections, Numeric Addresses and Symbolic Names. These selections control whether the address should be displayed in hexadecimal or whether any corresponding symbolic names should be displayed for the address.
NAUN
  Identifies the station's nearest active upstream neighbor's (NAUN's) address. The upstream neighbor should be displayed directly above the station in the ring map, but, in instances where one or more stations become disconnected or isolated, it can be displayed several entries below its upstream neighbor. This occurs because when the new ring map is built, any disconnected or isolated stations will be inserted into the ring map beneath their last known upstream neighbor. You can hide or display this field by selecting NAUN from the Display menu.
Station Status
  Identifies the station as the active monitor, standby monitor, or as this DatagLANce analyzer. You can hide or display this field by selecting Station Status from the Display menu.
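The ring-map construction described above (each station's NAUN learned from its monitor-present frames, the analyzer at the bottom, disconnected stations re-inserted beneath their last known upstream neighbor), as an added example that is not DatagLANce code. The function names, the dictionary input shape and the station addresses are assumptions constructed for the illustration.

```python
# Status flags from the Ring Map window. The character for an active station
# did not survive on this page; a blank is assumed here.
ACTIVE, NEW, DISCONNECTED = " ", "N", "D"

# Constructed, locally administered addresses (not taken from the manual).
ANALYZER = "400000000099"
A, B, C, E = "400000000001", "400000000002", "400000000003", "400000000005"
# {station: NAUN} as heard in two successive refresh intervals. Between
# them, station B leaves the ring and station E is inserted.
FIRST_REFRESH = {A: ANALYZER, B: A, C: B, ANALYZER: C}
SECOND_REFRESH = {A: ANALYZER, C: A, E: C, ANALYZER: E}


def _place_beneath(order, naun_of, stations):
    """Insert each station directly beneath its upstream neighbor in order."""
    pending = list(stations)
    while pending:
        anchored = [s for s in pending if naun_of.get(s) in order]
        if anchored:
            station = anchored[0]
            order.insert(order.index(naun_of[station]) + 1, station)
        else:
            # Nothing to anchor to: start a run at the top, preferring a
            # station whose upstream neighbor is not itself still waiting.
            heads = [s for s in pending if naun_of.get(s) not in pending]
            station = (heads or pending)[0]
            order.insert(0, station)
        pending.remove(station)


def build_ring_map(reports, analyzer, previous=None):
    """Return rows (flag, station, naun), top of the list first.

    reports  -- {station: NAUN} heard during this refresh interval
    analyzer -- the analyzer's own address
    previous -- {station: NAUN} of the last map, or None on the first refresh
    """
    # Walk upstream from the analyzer until the ring closes or the chain
    # breaks. If the analyzer's own NAUN is unknown there is nothing to walk.
    chain, current = [], analyzer
    while current in reports and current not in chain:
        chain.append(current)
        current = reports[current]
    order = chain[::-1]  # upstream stations above, analyzer at the bottom

    last_map = previous or {}
    known = {**last_map, **reports}  # this refresh overrides the last map
    # Stations heard but not reached by the walk (for example, a missed frame).
    _place_beneath(order, known, [s for s in reports if s not in order])
    # Stations from the last map that stayed silent in this interval.
    silent = [s for s in last_map if s not in reports and s != analyzer]
    _place_beneath(order, known, silent)

    rows = []
    for station in order:
        if station not in reports:
            flag = DISCONNECTED
        elif previous is not None and station not in previous:
            flag = NEW
        else:
            flag = ACTIVE
        rows.append((flag, station, known.get(station)))
    return rows


def summarize(rows, reports, analyzer):
    """Counts for the window's top line; our_naun None means OurNAUN=Unknown."""
    return {
        "stations": sum(1 for flag, _, _ in rows if flag != DISCONNECTED),
        "new": sum(1 for flag, _, _ in rows if flag == NEW),
        "disconnected": sum(1 for flag, _, _ in rows if flag == DISCONNECTED),
        "our_naun": reports.get(analyzer),
    }


if __name__ == "__main__":
    for flag, station, naun in build_ring_map(SECOND_REFRESH, ANALYZER,
                                              previous=FIRST_REFRESH):
        print(flag, station, "NAUN", naun)
```

In the second refresh, station C reports A as its NAUN yet appears two entries below A, because the disconnected station B is kept beneath A, its last known upstream neighbor.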
The File menu contains an option to print the ring map or to write it to a text file.

The Options menu contains the following menu choices that affect the ring map:

Acknowledge New Stations
  Removes the new condition flag from each new station.
Clear Disconnected Stations
  Removes from the ring map any disconnected or isolated stations.
Refresh Interval
  Selects the time period that the DatagLANce analyzer will listen to the ring for MAC active-monitor-present and MAC standby-monitor-present broadcasts, at the end of which it updates and displays the ring map.
Auto-Refresh
  Causes the DatagLANce analyzer to refresh the ring map continually as specified by the Refresh Interval menu choice.

The top line of the ring map window contains the date and time of the last ring map refresh and a count of:

o The stations on the ring
o Newly inserted stations
o Disconnected stations.

If the DatagLANce analyzer cannot determine its NAUN, "OurNAUN=Unknown" is displayed on this line.

═══ 7.13. Analyzing the Traffic Flow on Your Network ═══

The DatagLANce analyzer can gather statistics on traffic to, from, and between stations on the network. You can display and sort these statistics to find out information such as the top talkers and top listeners on your network. The next two sections discuss enabling this function and viewing and sorting the statistics.

═══ 7.13.1. The Traffic Analysis Options ═══

The DatagLANce Traffic Analysis function is enabled by selecting Traffic Analysis Options from the Monitor menu of the DatagLANce Network Analyzer Control window. When you select this option, the window in Figure "Traffic Analysis Options" is displayed.

[Figure: Traffic Analysis Options]

The Enable Traffic Analysis Processing check box at the top of this window activates the traffic analysis function. If it is not checked, the DatagLANce analyzer does not perform traffic analysis.
The Only for Event check box can be used to limit traffic analysis to the custom event selected in the combination box next to this check box. This permits you to perform traffic analysis on a subset of network traffic. See Monitoring Events on the Network for more information on monitoring custom events.

The Processing Options group box permits you to select the traffic analysis you want, as well as specific options related to traffic analysis.

The Table Entries field specifies the maximum number of table entries to create. Depending on the Analysis Type selected, the reception of a frame creates or updates one or more table entries. If you check the Notify user if table becomes full check box, you are notified when the table becomes full.

The Sample Interval combination box represents the amount of time that the DatagLANce analyzer will accumulate traffic statistics. The value Until Stopped indicates that the DatagLANce analyzer will accumulate statistics until the monitor is stopped. The other options in the combination box select the time interval over which the DatagLANce analyzer will accumulate (and record, if recording is enabled) the traffic statistics. The Reset table at end of interval check box will cause all statistics in the table to be cleared at the end of this interval, effectively restarting the traffic analysis function.

The Start radio-button selects when to start traffic statistics processing. The When the monitor is started radio button selects that processing should begin when the Go! menu choice is selected on the DatagLANce Network Analyzer window. The Time radio-button specifies the time within the next 24 hours that traffic statistics processing should begin.

The Stop radio-button selects when to stop traffic statistics processing. The When the monitor is stopped radio button selects that processing should stop when the Stop! menu choice is selected on the DatagLANce Network Analyzer window.
The Time option specifies the time that traffic statistics processing should stop. The time specified will be the time within 24 hours of the start time.

The Process Priority radio-button selects the priority assigned to traffic statistics processing. Time-Critical is the highest priority and Normal is the lowest priority. Lower priorities tend to increase the chance that the DatagLANce analyzer will drop frames from traffic statistics processing if too many frames are queued for processing. The TRAFFIFO= device driver option selects the size of the traffic statistics FIFO. (See The TRAFFIFO= Parameter.) To obtain the best traffic statistics processing performance, select Time-Critical as the priority, but be aware that high network activity might cause a sluggish display. If you want only the list of active stations, you can use a lower priority and get reasonably accurate approximations of network activity.

The Analysis Type combination box selects one of the following ways to accumulate data:

DLC Station Analysis
  Causes data to be accumulated for traffic to and from each single DLC station on the network. Statistics accumulated include frames, bytes, errors (token-ring: soft error reports; Ethernet: CRC errors), last partner address, station status, and first, last, and elapsed activity time stamps.
DLC Traffic Matrix
  Causes data to be accumulated for traffic between pairs of DLC stations on the network. Statistics accumulated include frames, bytes, and first, last, and elapsed activity time stamps.
Network Station Analysis
  Causes data to be accumulated for traffic to and from each single network-level station on the network. Statistics accumulated include address level (for example, TCP/IP or IPX addresses), last partner network address, frames, bytes, first, last, and elapsed activity time stamps.
Protocol Matrix Analysis
  Conversations between pairs of network addresses on the network.
  Statistics accumulated include: frames, bytes, network addresses, and major and minor protocols being used.
Dynamic Protocol Distribution Analysis
  All Protocols being used on the network. Statistics accumulated include: major and minor protocols, frames and bytes.
Source Routing Traffic Analysis
  Analysis of traffic between source-routed network segments. Statistics accumulated include: frames, bytes, and smallest, average, and largest frame lengths.
Token-Ring Soft Error Analysis (Token-Ring DatagLANce Network Analyzer)
  Detailed analysis of soft errors reported. Soft errors are separated into types of soft errors including: Line errors, burst errors, and receiver congestion.

The Recording Options group box enables you to select whether to record statistics and to specify the name of the file that will contain traffic statistics. If the Record Statistics check box is checked, statistics will be recorded on the interval specified by the Sample Interval combination box (discussed earlier in this section). If the interval is Until Stopped, the statistics gathered will be displayed or filed as soon as the monitor stops.

The file name recorded will be the one specified in the Device or Pathname field. The file extension will be .CSV. The Append if Exists check box selects whether to overwrite the file, if it exists, or append to it.

═══ 7.13.2. Viewing Traffic Statistics ═══

When you enable traffic statistics processing from the Traffic Statistics Options window, and you start the monitor, the DatagLANce analyzer will begin accumulating traffic statistics. You can display these statistics by selecting Traffic Statistics from the Window menu of the DatagLANce Network Analyzer Control window. Figure "Traffic Statistics Window" shows the window that is displayed.

[Figure: Traffic Statistics Window]

The menu bar of this window controls what statistics are displayed and how they are sorted.

A Display menu can be selected from this window.
On the Display menu, you can choose the individual statistics fields to display in the window. Exactly which fields appear depends on the analysis type previously selected (single station, traffic matrix, or protocol matrix). The fields on the Display menu include:

Address Field Width
  Selects the width of the address fields displayed.
Numeric Addresses
  Selects the display of numeric addresses.
Symbolic Names
  Selects the display of symbolic names, if available, instead of the numeric address. (See Symbolic Names Support.)
Total Traffic
  Displays total counts of traffic to and from a station (DLC and network station analysis) or between two stations (DLC traffic matrix and protocol matrix analysis).
Traffic to Station
  Displays traffic counts to the station (DLC and network station analysis) or traffic counts from the partner to the station (DLC traffic matrix and protocol matrix Analysis).
Traffic from Station
  Displays traffic counts from the station (DLC and network station analysis) or traffic counts from the station to the partner (DLC traffic matrix and protocol matrix analysis).
Traffic To and From
  Displays traffic counts both to and from the station (DLC and network station analysis).
Traffic From Both
  Displays traffic counts from both the station and from the partner to the other station (traffic matrix and protocol matrix analysis).
Station Address
  Displays or hides the station's DLC address (DLC station and DLC traffic analysis) or network address (network station analysis).
Partner Address
  Displays or hides the partner's DLC address (traffic matrix and protocol matrix analysis).
Last Partner Address
  Displays or hides the last partner's DLC address of the station (DLC and network station analysis) or network address (network station analysis).
Station Status
  Displays or hides the station status (DLC and network station analysis). Station status can be one of the following:
  o Broadcast Addr     Station is a broadcast address.
  o Multicast Addr     Station is a group address.
  o Station            Station is a station on the Ethernet network.
  o Trace Tool         Station is a trace tool (like the DatagLANce analyzer).
  o Trace Tool-Disc    Station is a trace tool that was disconnected from the network.
  o Active Monitor     Station is the active monitor on the local token-ring network.
  o Standby Monitor    Station is a standby monitor on the local token-ring network.
  o Remote Station     Station is a station on a remote token-ring network.
  o Disconnected       Station was on the local token-ring network at one time but has been removed or disconnected from the network.
Errors
  Counts of the number of soft errors reported by the station (token-ring) or the number of frames received from the station containing CRC or alignment errors (Ethernet). The DatagLANce analyzer offers these statistics for DLC Station Analysis and Token-Ring Soft Error Analysis only.
Frames
  Displays number of frames accumulated.
Bytes
  Displays number of bytes accumulated.
Avg Frame Rate
  Displays the average number of frames accumulated per second. This statistic will not appear until statistics have been accumulated for about 20 seconds.
Avg Byte Rate
  Displays the average number of bytes accumulated per second. This statistic will not appear until statistics have been accumulated for about 20 seconds.
Avg Frame Length
  Displays the average number of bytes in the accumulated frames.
Smallest Frame Length
  Displays the smallest number of bytes seen in any frame.
Largest Frame Length
  Displays the largest number of bytes seen in any frame.
Avg Utilization
  Displays the average percent utilization of network bandwidth. This statistic will not appear until statistics have been accumulated for 20 seconds.
Percent of Frame Traffic
  Displays the percentage of accumulated frames contributed to total frame traffic.
Percent of Byte Traffic
  Displays the percentage of accumulated bytes contributed to total frame traffic.
First Activity
  Displays the time of the first traffic statistics entry recorded for this type of traffic.
Last Activity
  Displays the time of the last traffic statistics entry recorded for this type of traffic.
Elapsed Activity
  Displays the amount of time that has passed since the previous activity occurred for this type of traffic.
Address Level
  Displays the address level of the station address (network station analysis). The address levels are documented in Symbolic Names Support.
Major Protocol
  Displays the major protocol suite being used between the partner and the station (protocol matrix analysis) or the major protocol suite containing the minor protocol (dynamic protocol distribution analysis).
Minor Protocol
  Displays the minor protocol being used between the partner and the station (protocol matrix analysis) or the specific protocol within the protocol suite (dynamic protocol distribution analysis).
Encapsulation
  Describes the encapsulation used for the major and minor protocols (dynamic protocol distribution analysis). The encapsulation can be DLC, LLC, Ether, 802.3, or SNAP.
Station Network Address
  Displays the network address for the station (protocol matrix analysis).
  Note: The DLC address of a router that belongs to the local LAN associates with every higher level address, for example IP, that is routed to the local LAN. This produces the effect that the router appears to have multiple network addresses. This happens because the actual DLC station that corresponds to the station network address connects somewhere outside the local LAN on the other side of the router.
Partner Network Address
  Displays the network address for the partner (protocol matrix analysis). See the note under Station Network Address.
Source Routing Indicators
  Displays the source routing path of the communication taking place (protocol matrix analysis). The station's ring number is always displayed to the left.
SRB signifies single route broadcast (SRB) and ARB signifies all routes broadcast (ARB). Source Ring Displays the source ring segment of traffic (source routing traffic analysis). This Ring is displayed if the ring number, to which the DatagLANce analyzer is attached, is not known. Local is displayed for traffic that is not source-routed. Destination Ring Displays the destination ring segment of traffic (source routing traffic analysis). SRB signifies single route broadcast (SRB) and ARB signifies all routes broadcast (ARB). NAUN Displays the next-active upstream neighbor of the token-ring station (token-ring soft error analysis). Ring Purges Displays the total number of ring purges transmitted by the station (token-ring soft error analysis). Beacons Displays the total number of MAC beacon frames transmitted by the station (token-ring soft error analysis). Monitor Contentions Displays the total number of MAC claim frames transmitted by the station (token-ring soft error analysis). Line Errors Displays the total number of line errors reported by the station (token-ring soft error analysis). Internal Errors Displays the total number of internal errors reported by the station (token-ring soft error analysis). Burst Errors Displays the total number of burst errors reported by the station (token-ring soft error analysis). A/C Errors Displays the total number of A/C errors reported by the station (token-ring soft error analysis). Abort Delimiters Transmitted Displays the total number of Abort Delimiters reported as transmitted by the station (token-ring soft error analysis). Lost Frame Errors Displays the total number of lost frames reported by the station (token-ring soft error analysis). Receiver Congestion Displays the total number of receiver congestion errors reported by the station (token-ring soft error analysis). Frame-Copied Errors Displays the total number of frame-copied errors reported by the station (token-ring soft error analysis). 
Frequency Errors Displays the total number of frequency errors reported by the station (token-ring soft error analysis). Token Errors Displays the total number of token errors reported by the station (token-ring soft error analysis). Note: For detailed information on token-ring specific soft errors, consult the IBM Token-Ring Network Architecture Reference. A Sort menu can be selected from the Traffic Statistics window. On the Sort menu, you can select the field on which to base the sort. The Descending and Ascending choices allow you to reverse the direction of the sorting. The Options menu permits you to select when to re-sort the window contents by selecting a time interval. If your network produces many table entries, you might want to increase this interval. The File menu has a print option that permits you to print the window contents after you have arranged it to your liking. This permits you to print reports such as top talkers, top listeners, top errors, top pairs, and any custom reports you want. The headings at the top of the window tell which statistics are being displayed. By displaying only the statistics that you need to see you can keep watch on the traffic levels and flow on your network. The statistics displayed on the Traffic Statistics window will refresh at the rate selected as the screen refresh rate. (See Using the Monitor Menu.) The statistics will re-sort at the rate selected in the Options menu of this window. ═══ 7.14. Printing Reports ═══ The DatagLANce analyzer accumulates extensive statistics about the network being monitored. If you want a hardcopy of the statistics accumulated, the Print Report choice in the File menu of the DatagLANce Network Analyzer control window permits you to print them. When you select this option, the window shown in Figure "Print Report Options" is displayed. Print Report Options The Report combination box permits you to select which report to print. 
From this combination box you can select to print cumulative network statistics, event distributions, network history, and other reports. The report prints to the device or file name specified in the Device or Pathname edit field. A device is specified by appending a colon to its name (for example, PRN:). If the Delimited Format check box is checked, the DatagLANce analyzer will insert commas between the statistics printed to the device or file. ═══ 7.15. Defining Screens: Window Arrangements ═══ A screen consists of one or more windows open at the same time. Because the DatagLANce analyzer offers a wide variety of windows displaying many kinds of statistics, the number of windows open on the screen at any one time can become overwhelming. The DatagLANce analyzer enables you to define arrangements of these windows which allow you to display only a few windows at a time, yet at the selection of a menu choice, display another arrangement of windows. Screens are defined by first arranging the windows on the screen. You should close any of the DatagLANce windows that you do not want on the screen, since any windows hidden behind the foreground windows might be displayed when the screen is rearranged. Then, when you select the Define menu choice from the Screen menu in the DatagLANce Network Analyzer control window, a window requesting the name of the screen to define is displayed, as shown in Figure "Define Screen Window". Define Screen Window When the Define Screen window is displayed, enter the name of the screen in the Screen name edit field. When you click on the OK push button, the location and size of all DatagLANce windows currently on the screen will be saved. The name of the screen is then displayed in the Screen menu and, when you select the name from this menu, the DatagLANce analyzer will display the windows as you arranged them. Note that the same window can appear on more than one screen. 
To change an existing screen, select the screen, arrange the windows as you would like, and then select a different screen name from the Screen menu. To restore a screen to the original screen arrangement, select the name of the original screen from the Screen menu. The Delete menu choice in the Screen menu of the DatagLANce Network Analyzer control window opens a window that permits you to select the window arrangement you want to delete. In summary, by defining arrangements of windows as screens, the DatagLANce analyzer makes it possible for you to flip among any of several screens of related monitoring information easily. ═══ 7.16. Quick Filter: The Quick Equation Writer ═══ The Event Equation function permits you to combine event detectors for selecting events to monitor, to start the capture, to capture, to trigger the capture, and to perform post-capture filtering (discussed in Figure "Display Filter Equation Edit Window"). It can be tedious, however, to go through all the windows necessary to write one equation. The Quick Filter function enables you to select events for monitoring, capturing, and displaying with only a few keystrokes or mouse clicks. Activate the Quick Filter function by clicking on the desired line of the window using the mouse button 2. You can also activate the Quick Filter by selecting the Quick Filter menu choice. 
For the DatagLANce Network Analyzer application, the Quick Filter function is active within any of the following windows: o The Network Glance Frame Summary window (see Figure "Network Glance Window") o The Network Glance Frame Detail window o The Traffic Statistics window (see Figure "Traffic Statistics Window") o The Ring Map window (see Ring Map: A Logical Token-Ring Map) For the DatagLANce Protocol Analysis Application, the Quick Filter function is active within any of the following windows: o The Frame Summary window (see The Frame Summary: A Summary of Frames Captured) o The Frame Detail window (see Frame Detail: Detailed Protocol Analysis) The Quick Filter function, when activated, checks the current selected line within the window and configures an appropriate event detector for that line. The type of event detector configured depends upon the window. See Understanding Events for a description of events and event detectors. For the Network Glance, Protocol Analysis Frame Summary, and Ring Map windows, the event will be the source address of the record selected. Quick Filter will set up an as-similar-as-possible pattern match for the address if an appropriate event detector configuration is not available. For the Network Glance and Protocol Analysis Frame Detail window, the event depends upon the bytes highlighted in the Frame Hexdump window when you click on the line. For the Traffic Statistics window, the event will be traffic to the station, from the station, either direction, or between the station and its partner. The type of traffic is determined by which statistics are being displayed. When configured, event detector options will be displayed for your final approval. Selecting the OK push button on this window accepts the Quick Filter information, and the window shown in Figure "Quick Filter Options Window" will be displayed. Quick Filter Options Window The Detector Label edit field specifies the label to give to the event detector just configured. 
Quick Filter will automatically assign a label appropriate to the event, but you can edit it to specify a more descriptive term. The Equation push button (for the DatagLANce Network Analyzer application only) enables you to select the equation to modify. The two radio buttons on the Quick Filter window enable you to select whether to count, capture, or display a frame if the frame matches or does not match the event. Any previous event detectors or filtering performed by the equation will be discarded. The Manually Edit Equation push button enables you to modify the existing quick filter equation (see Editing an Event Equation). When you select the OK push button, the DatagLANce analyzer adds the new event detector to the equation. Quick Filter Equation Select Window The window shown in Figure "Quick Filter Equation Select Window" permits you to select the equation to modify for the DatagLANce Network Analyzer application. The equation is displayed when you click on the Equation push button on the Quick Filter Options window. If you select the Custom Event radio button, the custom event equation by the number combination box next to it will be configured. The Label edit field will contain the name of the event assigned to the custom event. When you click on the OK push button, you will return to the previous window, where you can select how to modify the equation. To read more about the equations that Quick Filter will modify for you, see the following sections: o Selecting Custom Events to be Monitored o Figure "Network Glance Filter" o Figure "Frame Capture Filter" o Selecting When to Start Capturing: The Capture Start Event o Selecting When to Stop Capturing: The Trigger/Stop Capture Options o Figure "Display Filter Equation Edit Window" ═══ 7.17. Improving Monitoring Performance: The Adapter Options ═══ The DatagLANce Network Analyzer usually monitors all frames appearing on the network. 
This requires looking at each frame that arrives, determining if it passes or fails each enabled event detector, and then updating statistics based on the results. Since the DatagLANce Analyzer does real-time processing, network traffic can overburden the system processor. Adapter options allow you to limit the amount of processing done for each frame as well as the number of frames that are examined by the DatagLANce analyzer. Before discussing how to improve monitoring performance by using the adapter options, let us discuss how monitoring performance can be affected by which DatagLANce software options you enable. The DatagLANce Network Analyzer can miss frames under the following conditions: o The current network load is too heavy for DatagLANce to handle. The DatagLANce Network Analyzer must process each frame that appears on the network in order to report accurate statistics. If the buffers on the adapter card become full before the DatagLANce Network Analyzer can process the frames on the card, the DatagLANce analyzer will miss frames. o The event detectors configured are too complex for the current network load. The DatagLANce event detectors are extremely powerful and identify many different events. Some events require more examination of a frame than others, and the sum of the time spent examining frames by all event detectors is cumulative. For example, identifying a frame containing a destination DLC address requires examining six bytes of each frame that arrives. In contrast, identifying a frame containing a specific protocol may require many more bytes be examined. o Too many processing options are enabled for the current network load. If traffic analysis, capture, glance, and one or more custom events are all enabled at the same time, and the network load is heavy, the DatagLANce Network Analyzer can miss frames. o Two DatagLANce Network Analyzers are active at the same time within the same computer and the network load is heavy. 
The DatagLANce Network Analyzer can monitor two networks simultaneously; however, should network load on either or both networks become heavy, either DatagLANce Network Analyzer can miss frames. You can take the following actions to improve the performance of the DatagLANce Network Analyzer: o Utilize adapter-specific options (see below) to improve performance. Specifically, enabling first-buffer processing (Process only first xx bytes) or using the available Adapter Filter Options can greatly improve performance. o Disable any event equations that are not necessary. For example, if all five custom events are not required, clear the unused event equations (select Clear on the equation edit window). It is not required to disable any event detectors, since any event detectors not appearing in any event equations use no processing time. o Disable any unnecessary processing options. For example, if it is not necessary to do traffic analysis while you are capturing frames, disable traffic analysis processing. o Simplify event detectors. For example, more processing is required to filter by network-layer address pairs than by DLC address pairs. If possible (that is, if the stations you are filtering by are on the local network, not on the other side of a router), substitute DLC addresses for the network-layer addresses that you want to monitor. If this is not possible, try using fixed offset pattern matches to match the network-layer addresses. o If capturing frames, slice them. If the entire frame is not needed for analysis, slice the frame (see Improving Capture Buffer and File Utilization). o Use a faster computer. For example, a 33 MHz 486-based computer has much better performance than a 20 MHz 386-based computer. o Use a faster network adapter or reconfigure your existing network adapter. For example, an IBM DatagLANce Token-Ring 16/4 MC Adapter has better performance than an IBM Token-Ring Network 16/4 Trace and Performance Adapter/A.
For the Ethernet DatagLANce, the IBM PS/2 Adapter/A for Ethernet Networks can be configured to have 8 KB or 16 KB of shared RAM. When the adapter is configured at 16 KB of shared RAM it gets better performance. Some adapter options available are common to all adapters being used; others are available only for specific adapters. We will discuss both the common and specific options. You can access the Adapter Options window by selecting Adapter Options from the Monitor menu of the DatagLANce Network Analyzer Control window. Two Adapter Options windows are provided: o Figure "Token-Ring DatagLANce Adapter Options" shows the Adapter Options window for the Token-Ring DatagLANce analyzer. o Figure "Ethernet DatagLANce Adapter Options" shows the Adapter Options window for the Ethernet DatagLANce analyzer. Token-Ring DatagLANce Adapter Options The top two lines of the Adapter Options window (below the menu bar) contain a description of the installed adapter, followed by the universally administered DLC adapter address. The Adapter Mode group box permits you to select between Promiscuous or Normal mode. Promiscuous mode causes all frames on the network to be processed and monitored. Normal mode causes only frames to the broadcast address or the universally administered DLC address of the adapter to be monitored. The Process Options group box permits you to select whether complete frames or the beginning of frames should be processed. Since large frames can require a considerable amount of processing time, this option permits you to limit the bytes of each frame being examined by the DatagLANce analyzer. Note this option differs from slicing a frame when capturing. (See Improving Capture Buffer and File Utilization.) This option limits the processing of bytes of a frame; slicing, when capturing, limits only the storage of the bytes of a frame. The Adapter Filter Options offer choices for limiting the frames being processed to a subset of network traffic.
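
The effect of the Adapter Mode and Process Options choices on what the event detectors can see is shown in the following added Python example, which is not DatagLANce code. The station addresses, the 32-byte processing limit and the frames are constructed, and the rule that a detector needing bytes beyond the processed prefix reports no match is an assumption of this model.

```python
from dataclasses import dataclass

BROADCAST = b"\xff" * 6
# Constructed DLC addresses (locally administered) for the sample traffic.
A_MAC = bytes.fromhex("02000000000a")
B_MAC = bytes.fromhex("02000000000b")
ANALYZER_MAC = bytes.fromhex("0200000000ee")


@dataclass(frozen=True)
class PatternDetector:
    """Fixed-offset pattern match: `pattern` must start at byte `offset`."""
    label: str
    offset: int
    pattern: bytes

    def matches(self, visible: bytes) -> bool:
        end = self.offset + len(self.pattern)
        # Assumption: bytes past the processed prefix cannot be examined,
        # so a detector that needs them reports no match.
        return end <= len(visible) and visible[self.offset:end] == self.pattern


def adapter_accepts(frame: bytes, mode: str, adapter_addr: bytes) -> bool:
    """Promiscuous mode processes every frame; Normal mode only frames sent
    to the broadcast address or to the adapter's own DLC address."""
    if mode == "promiscuous":
        return True
    if mode == "normal":
        return frame[:6] in (BROADCAST, adapter_addr)
    raise ValueError(f"unknown adapter mode: {mode}")


def monitor(frames, detectors, mode="promiscuous", adapter_addr=b"",
            process_first=None):
    """Return (frames processed, match count per detector label)."""
    counts = {d.label: 0 for d in detectors}
    processed = 0
    for frame in frames:
        if not adapter_accepts(frame, mode, adapter_addr):
            continue
        processed += 1
        # "Process only first xx bytes": detectors see a prefix of the frame.
        visible = frame if process_first is None else frame[:process_first]
        for d in detectors:
            if d.matches(visible):
                counts[d.label] += 1
    return processed, counts


def eth_ipv4(dst_mac, src_mac, src_ip, dst_ip, payload=bytes(100)):
    """Build a constructed Ethernet II frame carrying a minimal IPv4 header."""
    ip_header = bytes([0x45, 0]) + bytes(10) + bytes(src_ip) + bytes(dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip_header + payload


def constructed_frames():
    return [
        eth_ipv4(B_MAC, A_MAC, (10, 0, 0, 1), (10, 0, 0, 2)),
        eth_ipv4(A_MAC, B_MAC, (10, 0, 0, 2), (10, 0, 0, 1)),
        eth_ipv4(BROADCAST, A_MAC, (10, 0, 0, 1), (10, 0, 0, 255)),
        eth_ipv4(ANALYZER_MAC, A_MAC, (10, 0, 0, 1), (10, 0, 0, 9)),
    ]


# Destination DLC address sits in bytes 0-5; the IPv4 destination address of
# an Ethernet II frame without options sits in bytes 30-33.
DETECTORS = [
    PatternDetector("to B (DLC)", 0, B_MAC),
    PatternDetector("to 10.0.0.2 (IP)", 30, bytes((10, 0, 0, 2))),
]

if __name__ == "__main__":
    frames = constructed_frames()
    print("promiscuous, full frames:", monitor(frames, DETECTORS))
    print("promiscuous, first 32   :", monitor(frames, DETECTORS, process_first=32))
    print("normal mode             :", monitor(frames, DETECTORS, mode="normal",
                                               adapter_addr=ANALYZER_MAC))
```

With the 32-byte limit the DLC detector still counts the frame to station B, while the network-layer detector silently counts nothing; in Normal mode neither detector sees station-to-station traffic at all.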
For the Token-Ring DatagLANce analyzer, the Adapter Filter Options allow you to select the types of frames processed and whether to process frames with or without specific addresses. These options are available only when the adapter is in Promiscuous mode. The Frame Types radio buttons allow you to limit processing to both MAC and LLC frames, LLC frames only, or MAC frames only. The Frame Addresses radio buttons enable you to limit processing to frames with specific DLC addresses. Selecting the Process Frames for All Addresses radio button will process all frames regardless of address. Selecting the Process Frames Matching Addresses radio button will process all frames whose source or destination address matches one of the selected addresses. Selecting the Do not Process Frames Matching Addresses radio button will cause the DatagLANce analyzer not to process frames whose source or destination address matches one of the selected addresses. The Select Frame Addresses for Processing push button opens the window that permits you to select the addresses. This window works like the Destination Addresses Event Detector window (see Figure "Destination Addresses Event Detector Options") except for a capacity limit of 10 specified addresses. The Enable Congestion Handling check box enables you to activate a congestion handling function. With this function, the DatagLANce analyzer can discard frames if the adapter becomes congested. This option attempts to prevent the DatagLANce analyzer from locking up under extreme network load conditions. Ethernet DatagLANce Adapter Options For the Ethernet DatagLANce analyzer, the only options that differ are the adapter filter options. These options are available in either Promiscuous or Normal mode. The Process Broadcast Frames check box causes the DatagLANce analyzer to process frames going to the broadcast destination address. 
The Process Multicast Frames check box causes the DatagLANce analyzer to process frames that are going to group destination addresses. The Process Runts check box causes the DatagLANce analyzer to process frames that are less than 64 bytes long. The Process Frames with Errors check box causes the DatagLANce analyzer to process frames that have errors. You must also choose the Process Runts option in order to process collision fragments. ═══ 7.18. Summary ═══ This chapter described in detail the DatagLANce Monitoring functions. Using these functions, you can now monitor events and activity on your network, look for performance and network problems, and fine-tune your network. When problems occur, it might be necessary to view the messages that travel on the network in more detail. The next chapter, Capturing Frames from the Network, describes how to instruct the DatagLANce analyzer to collect these messages. Analyzing Captured Frames discusses the analysis of the collected frames. ═══ 8. Capturing Frames from the Network ═══ When network problems arise, determining the cause of the problem can be a difficult task. The DatagLANce Network Analyzer helps you by enabling you to capture frames that are being transmitted on the network. ═══ 8.1. Overview of DatagLANce Frame Capture Capability ═══ The DatagLANce Network Analyzer can: o Select the size of the memory capture buffer using the BUFSIZE= parameter on the DatagLANce Network Analyzer Device Driver statement in the CONFIG.SYS file. See The BUFSIZE= Parameter. o Capture frames to the memory capture buffer or directly to a capture file. o Select which frames are to be captured using a frame capture filter. o Slice frames that are captured to maximize capture buffer or capture file utilization. o Start capturing only when a specific condition occurs, such as time of day or a frame event. 
o Trigger the capture on a specific frame event, stopping the capture after a certain amount of data has been captured following the trigger event. These functions are discussed in detail in the following sections. ═══ 8.2. The Capture Menu ═══ The DatagLANce Network Analyzer control window contains a menu that permits selection of the capture options. This menu is labeled Capture and is shown in Figure "DatagLANce Capture Menu". DatagLANce Capture Menu The Capture menu contains the following items: Disabled No frames are to be captured. When selected, this option permits certain other monitoring functions to be performed that cannot be done while capturing frames. Frames Capturing functions are enabled. Capture to Buffer Selects a memory buffer as the capture destination. See Capturing to the Capture Buffer Versus Capturing to File for more information. Capture to File Selects a disk file as the capture destination. See Capturing to the Capture Buffer Versus Capturing to File for more information. Capture Full Frames Specifies the number of bytes to save from each frame captured. See Improving Capture Buffer and File Utilization for more information. Slice Frames Specifies the number of bytes to save from each frame captured. See Improving Capture Buffer and File Utilization for more information. Start Capture Determines what condition starts the capture. See Selecting When to Start Capturing: The Capture Start Event for more information. Frame Capture Filter Selects which frames to capture, once the capture has begun. See Figure "Frame Capture Filter" for more information. Trigger/Stop Capture Selects when to stop or trigger the capture. See Selecting When to Stop Capturing: The Trigger/Stop Capture Options for more information. These menu choices are discussed in more detail in the following sections.
═══ 8.3. Selecting Frames to Be Captured: The Frame Capture Filter ═══ The Frame Capture Filter enables you to request the capture of frames from a subset of network traffic. Specify this subset by logically combining the DatagLANce event detectors into a Frame Capture Filter. When you select Frame Capture Filter from the Capture menu of the DatagLANce Network Analyzer control window, the window shown in Figure "Frame Capture Filter" is displayed. Frame Capture Filter The Enable check box activates the frame capture filter. When the filter is enabled, only frames for which the frame capture filter equation in the list box is TRUE are captured. When the filter is not enabled, all frames will be captured. See Understanding Event Equations for information about editing the equation. ═══ 8.4. Selecting When to Start Capturing: The Capture Start Event ═══ The Capture Start Event causes the DatagLANce analyzer to start capturing after monitoring has begun. To specify this event, select the Start Capture choice from the Capture menu in the DatagLANce Network Analyzer control window. When you select this menu choice, the window shown in Figure "Start Capture Options" is displayed. Start Capture Options The options for starting a capture are: Start Capture Immediately Starts the capture immediately when the DatagLANce analyzer begins monitoring. Start Capture on User Control Only Starts the capture only when the user clicks the Start push button in the Capture Status/Control window. See Figure "Capture Status/Control Window". Start Capture at Date/Time Starts the capture when the DatagLANce time clock matches the date and time specified in the edit fields next to this option. Start Capture Starts the capture when the event equation in the list box below this option is true. For more information on editing event equations, see Understanding Event Equations.
If you select the After Start Date/Time check box, the capture starts on the first event specified by the event equation after the date and time specified in the edit fields above this check box. The Capture Start Event is defined as the condition on which the capture starts. It is specified by selecting one of the preceding four options. Frames are not captured until the start event occurs (or you override this start event by manually forcing the capture to start). When the capture starts, the DatagLANce analyzer captures all frames matching the Frame Capture Filter. See Figure "Frame Capture Filter". In the next section, we discuss the options for stopping the capture as well as a special function called triggering the capture. ═══ 8.5. Selecting When to Stop Capturing: The Trigger/Stop Capture Options ═══ Once capturing begins, all frames matching the Frame Capture Filter are captured. Capturing continues until you tell the DatagLANce analyzer to stop capturing frames or until some event occurs that automatically causes the capture to stop. You specify the Capture Stop Event by selecting the Trigger/Stop Capture choice from the Capture menu of the DatagLANce Network Analyzer control window. When you select this menu choice, the window in Figure "Trigger/Stop Capture Options" is displayed. Trigger/Stop Capture Options The options for stopping a capture are: Stop Capture on User Control Only Stops the capture only when the user clicks on the Stop push button in the Capture Status/Control window. See Figure "Capture Status/Control Window". Stop Capture when Capture Buffer Full Stops the capture when the capture buffer (or file to which frames are being captured) is full. Stop Capture at Date/Time Stops the capture when the DatagLANce time clock matches the date and time specified in the edit fields next to this option. 
Trigger Instructs the DatagLANce analyzer to look for a frame that matches the event equation in the list box beneath this option and then to begin the process of stopping the capture. For more information about editing event equations, see Understanding Event Equations. Stop on Alarm See Configuring Alarms: The Alarm Options for more information. The Capture Trigger Event is defined as the first frame seen that matches this equation. When this frame is identified by the DatagLANce analyzer, it is marked as the Trigger Frame and the capture is stopped some time after this frame. All frames captured can be stored in the DatagLANce capture buffer or directly to a file. These options and the advantages of each are discussed in Capturing to the Capture Buffer Versus Capturing to File. When you capture to the capture buffer (as opposed to the capture file), you can specify the position of the Trigger Frame in the buffer by using the vertical scroll bar at the bottom left of the window labeled Trigger Position in Capture Buffer. This option permits you to specify how much data to capture before and after the Trigger Frame. When you capture to a file, the capture always stops when the trigger frame has been identified. ═══ 8.6. Capturing to the Capture Buffer Versus Capturing to File ═══ The DatagLANce analyzer has two options for storing the captured frames. Each option has particular advantages over the other in frame capture ability. These advantages are discussed in this section. The Capture menu of the DatagLANce Network Analyzer control window (see Figure "DatagLANce Capture Menu") permits you to select where captured frames are stored during a capture: Capture to Buffer Causes the frames captured to be stored in the DatagLANce capture buffer. The user defines the size of the buffer. See DatagLANce Device Driver Options. 
When the Stop Capture when Buffer Full stop option is not enabled, the DatagLANce analyzer continuously stores frames in this buffer until the capture stops (see Selecting When to Stop Capturing: The Trigger/Stop Capture Options). When the buffer is full, the oldest entries are discarded to make space for the new entries. (The buffer wraps.) When a capture stops, a wrapped buffer is full and contains the most recently captured frames. Capture to File Causes frames to be captured directly to a capture file on one of the system's available disk drives. This option permits capturing more data than the capture buffer can handle. Writing to the file is not as fast as writing to memory (that is, to the capture buffer) and increases the probability of missed frames. To reduce the number of frames missed due to the time required for writing data to the capture file, the capture buffer is used to store the frames temporarily. This permits the DatagLANce analyzer to handle bursts of traffic faster than it can write to the file for short periods of time without missing any frames. When the capture buffer becomes full, frames will be discarded until there is sufficient room to write the next frame to the file. When you select the Capture to File choice from the Capture menu of the DatagLANce Network Analyzer control window, the window shown in Figure "Capture to File Options" is displayed. Capture to File Options The Maximum Allowed File Size option sets a size limit for the capture file. When the capture data exceeds this limit, the DatagLANce analyzer will either stop the capture or write over the earlier frames recorded depending on the trigger/stop capture option selected. See Selecting When to Stop Capturing: The Trigger/Stop Capture Options. You can change the file size by using the scroll bars next to the Maximum Allowed File Size edit field or by entering it directly in the edit field. K stands for kilobytes, and M stands for megabytes.
If you choose a file size less than the capture buffer size, the DatagLANce analyzer will use the capture buffer size for the maximum file size.

Warning: The operating system requires enough disk space for its swapper file. It is your responsibility to supply sufficient disk space to accommodate a growing swapper file and a growing capture file. Refer to SWAP in the online OS/2 Command Reference.

The Priority of File Writing options select the importance given to devoting processor time to writing the file. Time-Critical priority will cause the DatagLANce analyzer to write as much capture data to the file as fast as it can. Fixed High priority is lower priority than Time-Critical, but higher than normal priority. Normal priority is the standard priority given by the operating system to all system applications.

The Pathname edit field permits you to select the name of the capture file.

When you have completed the entries on this screen, click on the OK push button or double-click on the file name with mouse button 1.

In summary:

o Use of a buffer permits the use of a trigger point.
o Capturing to a file permits you to capture up to the limit of the available disk space on your computer. Although not as fast as capturing to the buffer, this option permits you to gather larger amounts of capture data.

═══ 8.7. Improving Capture Buffer and File Utilization ═══

In the last section we talked about storing captured frames in the capture buffer or in a file on disk. Each destination for frame data has advantages over the other, but they also have disadvantages in capacity or performance. In this section, we discuss ways to overcome performance and capacity limitations by controlling the amount of data captured.

There are two ways to improve capture buffer and disk utilization:

o Capture only the frame traffic you need and ignore the rest. This was discussed in Figure "Frame Capture Filter". This technique improves capture buffer and file utilization by not capturing frames that clutter up the buffer. The frames captured will be a subset of the original traffic and only that subset needs to be analyzed.
o Discard data from the end of frames. The headers at the beginning of each frame contain most of the useful information about that frame. By slicing the frame at 176 bytes, for example, the DatagLANce analyzer eliminates some of the less important frame data from the capture data. As long as the slice size is smaller than the size of the frames being captured, slicing increases both the number of frames captured and the capture speed.

The Capture menu of the DatagLANce Network Analyzer has two menu choices that allow you to select the number of bytes to save from each frame captured:

Capture Full Frames
   Causes all bytes in every captured frame to be saved.

Slice Frames at xx bytes
   Specifies that a maximum of xx data bytes will be saved from the beginning of every captured frame.

When you select this menu choice, the window shown in Figure "Slice Frames Options" is displayed.

[Figure "Slice Frames Options"]

This window lets you select to save from 88 bytes up to the full frame, in multiples of 88 bytes, from each captured frame. Select the slice size by clicking on the appropriate radio button or by specifying the slice size in the slice edit field. This number sets the maximum number of bytes saved from each captured frame.

Specifying a frame capture filter and slicing frames can help minimize the amount of information you need to sort through after a capture as well as overcome the frame-storing limitations of the capture buffer and capture file.

═══ 8.8. Displaying Capture Status and Controlling the Capture ═══

After you have entered your capture options, the DatagLANce analyzer is prepared to capture frames.
Each time you start the DatagLANce Monitor function, the DatagLANce analyzer will begin looking for the Capture Start Event (see Controlling the DatagLANce Network Analyzer).

The Capture Status/Control window, shown in Figure "Capture Status/Control Window", provides an example of key information about your capture. To display this window, select the Capture Status/Control choice from the Window menu in the DatagLANce Network Analyzer control window.

[Figure "Capture Status/Control Window"]

The Capture Status group box contains messages indicating significant capture times and events. Status displays one of the following capture status conditions:

   Disabled
   Waiting for Start
   Started
   Triggered
   Stopped

Beneath Status is the elapsed time indicator showing the amount of time in days, hours, minutes, and seconds that the DatagLANce analyzer spent capturing data.

The Buffer/File Status group box displays the current capture buffer or file status. A bar graph displays the extent to which the buffer or file is full. Displayed beneath this bar graph and to the left is the percentage full in numeric format. The percentage full indicator changes to WRAPPED when the buffer or file has reached its capacity and the capture function must overwrite the oldest data captured to accommodate the most recent entries. A vertical bar moves within the bar graph to indicate the position of the most recent data. The number of frames captured is displayed beneath the bar graph to the right. If the buffer or file has wrapped, this count is larger than the number of frames that are left in the buffer or file since the earlier frames have been overwritten.

When you choose to trigger on an event and capture past the trigger, the DatagLANce analyzer performs the following steps:

1. Fills the capture buffer to the percentage full that you specified for data before the trigger
2. Overwrites the oldest capture data with the newest capture data (wraps) until the trigger condition occurs
3. Senses and captures the trigger condition
4. Completes filling the capture buffer
5. Stops the capture

At the bottom of the Capture Status/Control window are three push buttons:

o The left button is a capture control button that at various times will display Start, Stop or New. It permits you to start or stop a capture unconditionally, or to start a new capture while the DatagLANce analyzer continues to monitor.
o The middle push button, Timestamps, displays a window indicating when the capture started, triggered, and stopped, if you click on it after a capture has occurred.
o The rightmost push button, Analysis, starts a protocol analysis session for the frames just captured. After your capture has finished, click on this push button to see those frames.

The DatagLANce protocol analysis software accepts data for analysis from either the capture buffer or the capture file. If you have an active protocol analysis session but are not currently analyzing frame data, the DatagLANce analyzer uses that session for analysis. Otherwise, the DatagLANce analyzer starts a new protocol analysis session for you. Initialization of the new session will take some time to complete. For efficiency, it is a good idea to keep one session of the DatagLANce protocol analysis software running in the background.

═══ 8.9. Improving Capture Performance ═══

Since the DatagLANce analyzer monitors the network and captures frames at the same time, all statistics based on network activity are available while capturing. This monitoring can take a great deal of processing time from your DatagLANce analyzer. If you do not need complete monitoring, you can reduce the amount of traffic being processed by using the adapter options available for your adapter. See Improving Monitoring Performance: The Adapter Options for a complete discussion of adapter options available.
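
The five-step trigger sequence listed under Displaying Capture Status and Controlling the Capture, modelled as an added example (not code from the DatagLANce product). It assumes the buffer capacity is counted in frames rather than bytes, uses a hypothetical is_trigger predicate in place of the trigger event, and runs on constructed traffic.

```python
"""Model of a trigger capture: pre-trigger fill, wrap, trigger, fill, stop.

Added illustration only. Capacity is counted in frames here (an assumption
made to keep the model short); the analyzer's buffer is sized in bytes.
"""
from collections import deque


class TriggerCapture:
    def __init__(self, capacity, pre_trigger_pct, is_trigger):
        if capacity < 1 or not 0 <= pre_trigger_pct <= 100:
            raise ValueError("capacity must be >= 1 and percentage within 0..100")
        self.capacity = capacity
        # Slots reserved for data before the trigger. One slot is always kept
        # free so that the trigger frame itself can be stored.
        self.pre_limit = min(capacity * pre_trigger_pct // 100, capacity - 1)
        self.is_trigger = is_trigger   # hypothetical predicate for the trigger event
        self.buffer = deque()
        self.frames_captured = 0       # running count, keeps growing after a wrap
        self.wrapped = False
        self.trigger_frame = None
        self.status = "Started"

    def feed(self, frame):
        """Offer one frame. Returns False once the capture has stopped."""
        if self.status == "Stopped":
            return False
        if self.status == "Started":
            if self.is_trigger(frame):
                # Step 3: sense and capture the trigger condition.
                self.status = "Triggered"
                self.trigger_frame = frame
            elif self.pre_limit == 0:
                return True            # no pre-trigger data requested: keep nothing yet
            elif len(self.buffer) == self.pre_limit:
                # Step 2: the pre-trigger region is full, overwrite the oldest frame.
                self.buffer.popleft()
                self.wrapped = True
        # Steps 1 and 4: store the frame.
        self.buffer.append(frame)
        self.frames_captured += 1
        if self.status == "Triggered" and len(self.buffer) == self.capacity:
            self.status = "Stopped"    # Step 5: buffer is full after the trigger.
        return True


def run_demo():
    # Constructed traffic: 100 frames, frame 20 is the only one matching the trigger.
    frames = [{"seq": n, "type": "MAC Beacon" if n == 20 else "LLC"} for n in range(100)]
    capture = TriggerCapture(capacity=10, pre_trigger_pct=40,
                             is_trigger=lambda f: f["type"] == "MAC Beacon")
    for frame in frames:
        if not capture.feed(frame):
            break
    return capture


if __name__ == "__main__":
    cap = run_demo()
    kept = [f["seq"] for f in cap.buffer]
    print(cap.status, "- trigger frame", cap.trigger_frame["seq"])
    print("frames captured:", cap.frames_captured, "/ frames left in buffer:", len(kept))
    print("kept:", kept)
```

The frames-captured count ends higher than the number of frames left in the buffer, which is the wrapped condition the Buffer/File Status group box reports.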
In addition, active applications - like traffic statistics, Network Glance, filters for custom events, and non-DatagLANce background applications - can reduce system performance. By limiting the size of each frame processed, limiting the number of frames, and shutting off unneeded applications, you can increase capture performance.

═══ 8.10. Summary ═══

This chapter has described in detail the DatagLANce analyzer's Capturing functions. Using these functions, you can now configure the DatagLANce analyzer to start capturing frames from the network, select only those frames that you would like captured, and stop the capture at the appropriate time. You have seen how the Capture Status/Control window displays capture status information and permits you to control the capture and start protocol analysis. Analyzing Captured Frames discusses how to use the DatagLANce protocol analysis software.

═══ 9. Analyzing Captured Frames ═══

After a capture has been completed, the next step is to view the captured frames. This chapter discusses the functions and analysis capabilities of the DatagLANce Network Analyzer's protocol analysis software. This software permits you to analyze DatagLANce token-ring, Ethernet, and FDDI (collected by an FDDI DatagLANce analyzer) capture data. The DatagLANce analyzer also lets you analyze a variety of token-ring and Ethernet capture files recorded in other formats. This chapter documents the protocol analysis functions.

═══ 9.1. Starting a DatagLANce Protocol Analysis Session ═══

After a DatagLANce capture has taken place, click on the Analysis button on the Capture Status/Control window of the DatagLANce Network Analyzer software and invoke the DatagLANce protocol analysis software to analyze the capture data stored in the capture buffer or capture file. Alternatively, the Analysis! menu choice on the DatagLANce Network Analyzer Window can be used to start a protocol analysis session to analyze the data captured.
If a capture has not been performed, a protocol analysis session will be started for you to analyze a capture file.

If you want to do analysis when the DatagLANce Network Analyzer software is not running, you can run the DatagLANce protocol analysis software directly from the DatagLANce Icon View window on the OS/2 Desktop (Figure "DatagLANce - Icon View Window").

[Figure "DatagLANce - Icon View Window"]

When you select the Protocol Analysis icon, the DatagLANce protocol analysis software will be started. The next step is to open the capture file to be analyzed.

═══ 9.2. Opening a Capture Data File for Analysis ═══

When first invoked, the DatagLANce protocol analysis software loads, initializes, and waits for a capture file to be opened. The Open Capture Data File choice in the File menu of the DatagLANce Protocol Analysis window permits you to open a capture file for analysis. Selecting this menu choice causes the window in Figure "Open Capture Data File" to be displayed.

[Figure "Open Capture Data File"]

The Files list box displays all of the capture data files in the directory Path. This directory can be changed by selecting any of the directories in the Directories list box.

The Format group box permits you to select the file format that you would like to analyze. The following file formats are supported by the DatagLANce analyzer:

DGC   IBM DatagLANce Network Analyzer family
   Older FDDI DatagLANce files were named with an .FNC file extension instead of the .DGC extension, but the format is unchanged. To analyze these frames, rename the file or enter *.FNC in the Filename edit field and select the OK push button.

TR0   IBM Trace and Performance Program
   The Trace and Performance Program was the predecessor to the DatagLANce analyzer. The DatagLANce analyzer can analyze the trace files that it stored. This program created files with extensions (.TR0 -.TR9 and .TRA -.TRX).

PDA   Protools' Foundation Manager
   The token-ring and Ethernet capture files created by Protools' Network Control Series** (Foundation Manager** and Cornerstone Agent**) products.

TRC   Network General's Token-Ring Sniffer
   Analyze captured files created by Network General's Token-Ring Sniffer product.
   Note: Ensure that the file is not saved in compressed format.

ENC   Network General's Ethernet Sniffer
   Analyze captured files created by Network General's Ethernet Sniffer product.
   Note: Ensure that the file is not saved in compressed format.

TR1   Novell LANalyzer** file format
   The DatagLANce analyzer will analyze the token-ring and Ethernet capture files created by Novell's LANalyzer and LANalyzer for Windows** products.

When a radio button in this group is selected, the appropriate files will be displayed in the Files list box. After you select the file to be analyzed from the Files list box, click on the OK push button or double-click, with mouse button 1, on the name of the file.

═══ 9.3. The Frame Summary: A Summary of Frames Captured ═══

When the capture buffer or a capture data file is first opened, the DatagLANce analyzer displays the frames in summary form (see Figure "Frame Summary Window").

[Figure "Frame Summary Window"]

Each frame that has been captured is summarized as a single record on a line of the frame summary window. Frame type, destination and source addresses, size, and interpretation are displayed in columns.

The menu bar provides access to pull-down menus with choices that perform different analysis functions on the frame records. These functions are discussed in the following sections.

A selected record is highlighted in reverse video in this window. This record is important because menu choices perform specific actions on this record. Select a record by clicking on the record with mouse button 1 or by using the cursor movement keys (up and down arrows, home, end) from the keyboard.
Click on the vertical scroll bar (on the right side of this window) to move anywhere within the captured data. You can also use the PgUp and PgDn keys on the keyboard to move throughout the captured data.

You can use the horizontal scroll bar to scroll left and right to display information that does not fit into the window. The Display menu (discussed in the next section) is used to hide summary fields that are not of interest. On the keyboard, the left and right arrow keys also scroll the display horizontally.

═══ 9.3.1. Selecting Frame Summary Information to Be Displayed ═══

In the Display menu on the Frame Summary window, shown in Figure "Frame Summary Display Options", you can select the information to be displayed about each frame.

[Figure "Frame Summary Display Options"]

The right column of this menu contains choices that affect how the data is displayed and the format of the data. The left column lists choices you can select to display. Click on each item you want to display. When you select an item, a check mark is displayed next to it.

A field can be displayed or hidden by selecting the appropriate menu choice for the field. Each of these display field options is discussed in this section.

Flags
   Appears in the leftmost column of the summary. Displays flags concerning the frame being displayed on that line. Each flag is a single character and has the following meanings:

   T   The Trigger Frame. See Selecting When to Stop Capturing: The Trigger/Stop Capture Options for more information.
   R   The Reference Frame. See Frame Offset Versus Frame Record Number for more information.
   M   The Marked Frame. See Measuring Relative Time between Frames for more information.
   n   A Bookmark; n is a number 1-8. See Bookmarks for more information.
   E   Error. This frame contains a CRC or CRC/alignment error. See Frame Detail: Detailed Protocol Analysis for more information.
   !   Missed frames. One or more frames were missed before this frame was captured.
       The number of frames missed before the frame was captured is displayed in the Frames Missed field.

Frames Missed
   The column entitled Missed displays the total number of frames that were missed between this and the previous captured frames. The DatagLANce analyzer can miss frames under two conditions:

   (1) The capture buffer is filled before being able to write to a file. See Improving Capture Buffer and File Utilization for information about overcoming this limitation.
   (2) The network adapter becomes congested. In this case, the frames missed count is the approximate number of frames that were missed or dropped before or after this frame. The DatagLANce analyzer sometimes drops frames in an attempt to reduce network traffic. See Improving Monitoring Performance: The Adapter Options and Improving Capture Performance.

Frame Offset/Number
   If Byte Offset is selected in the Display menu, this information is titled Offset and displays in hexadecimal the number of bytes from the beginning of the capture file to the beginning of this frame. If Record Number is selected in the Display menu, this information is titled Number and displays the record number of the frame relative to the reference frame. This is discussed in more detail in Frame Offset Versus Frame Record Number.

Frame Control (token-ring and FDDI)
   The column entitled FC displays the frame control byte of the frame in hexadecimal (see Frame Control Field (Token-Ring)).

Frame Type
   The column entitled Type displays an interpretation of the frame control (token-ring and FDDI) in terms of the type of the frame (for example, LLC or MAC). For Ethernet, this field will be displayed as either 802.3 (for IEEE 802.3 frame format) or Ether (for Ethernet DIX V2 frame format). See Frame Formats for details on these formats.

Destination Address
   The column entitled Destination displays the destination address of the frame. The Address Field Width option in the Display menu selects the width of this field.
   The DLC Addresses, Network Addresses, and Highest Address Level choices in the Display menu select whether the address displayed will be the DLC address (MAC station address), the network address (specific to the network-layer protocol within the frame), or the highest address level that is encapsulated in the frame.

   If the Numeric Addresses choice is selected in the Display menu, this address will be displayed numerically. For DLC addresses, the address is displayed in hexadecimal with colons or hyphens between each byte in the address to distinguish between MSB and LSB (canonical) address representations, respectively.

   If you select the Symbolic Names choice in the Display menu, the DatagLANce analyzer will display the symbolic name for the address, if one is available. See Symbolic Names Support for more information.

Source Address
   The column entitled Source displays the source address of the frame. The menu choices that affect Destination Address also affect this column.

Frame Size
   The column entitled Size displays the size of the frame in bytes. The size of a frame is the number of data bytes within the frame. This differs from frame length (see Network Statistics: Network Performance at A Glance) because control information (start and end delimiters) associated with the frame is not counted.
   Note: For the Token-Ring DatagLANce analyzer, the frame check sequence is not available for display and is not counted in this number.

Frame Status (token-ring and FDDI)
   The column entitled FS displays the frame status indicators.

   For FDDI, it is displayed in the form EAC? where E stands for Error Detected (CRC Error), A stands for Address Recognized, C stands for Frame Copied, and ? stands for user frame status. Each status indicator is displayed as an R (reset) or S (set). Reset indicates that the action has not occurred. Set indicates that the action has completed successfully. If any of these frame status indicators is missing, it is displayed as a blank.
   Usually FDDI frames do not have a user frame status indicator. If a frame does have one or more user frame status indicators, only the first is displayed in the summary. The remainder can be viewed in the frame's detail. (See Frame Detail: Detailed Protocol Analysis.)

   For token-ring, this field is displayed in the form AC, where A stands for Address Recognized and C stands for Frame Copied. Each status indicator is displayed as an R (reset) or S (set). Reset indicates that the action has not occurred. Set indicates that the action has completed successfully.

Absolute Time
   The column entitled Time-stamp displays the arrival time of a frame. It is displayed in the form:

      MM/DD/YY HH:MN:SS.mmm uuu nnn

   where MM is month, DD is day of month, YY is year, HH is hour, MN is minutes, SS is seconds, mmm is milliseconds, uuu is microseconds, and nnn is nanoseconds. For more information on time-stamps, see The High-Resolution Time-Stamp Option.

Delta Time
   The column entitled Delta Time (msec) displays the arrival time difference between frames in milliseconds. The first frame in the summary does not have a delta time-stamp.

Relative Time
   The column entitled Relative Time (sec) displays the arrival time difference between each frame and the Marked Frame. This is discussed in Measuring Relative Time between Frames.

Interpretation
   The column entitled Interpretation displays a summary of the protocol interpretation for the frame.

   If the All Protocol Levels choice is selected in the Display menu, a summary of all protocol headers in the frame is displayed, from lowest level to highest level. Each level has a different color to distinguish it from the others.

   If the Highest Level Only choice has been selected in the Display menu, a summary of only the highest level protocol interpreted for the frame is displayed.
   If the Specific Protocols Only choice has been selected in the Display menu, only the specific protocols selected (see Displaying Specific Protocols in the Frame Summary) are displayed.

═══ 9.3.2. Frame Offset Versus Frame Record Number ═══

The DatagLANce analyzer has two methods of displaying the location of a frame within the capture data: byte offset and record number.

The byte offset of a frame is displayed when the Byte Offset choice is selected from the Display menu in the Frame Summary window. Figure "Frame Summary with Byte Offsets of Frames Displayed" shows the Frame Summary window when the byte offsets of frames are displayed.

[Figure "Frame Summary with Byte Offsets of Frames Displayed"]

The byte offset of each frame record is displayed in the Offset column. Note that this display does not easily show how close the frames are to one another, or whether any frames occur between the frames displayed. See Figure "Display Filter Equation Edit Window" for information on how to further filter the frames to display only a subset of the captured frames.

Figure "Frame Summary with Record Numbers of Frames Displayed" shows the Frame Summary Display when the record numbers of frames are displayed.

[Figure "Frame Summary with Record Numbers of Frames Displayed"]

In this window it is easy to see the number of frames that occur between the frames that are shown. The record number of each frame is shown in the Number column. This record number is the number of a frame relative to the reference frame.

The reference frame is a frame that the user defines as a point of reference for record numbers. This frame is defined by selecting the Define Reference Frame choice in the Analysis menu. Choosing this item causes the selected record to be defined as the reference frame. The reference frame always has a record number of zero, because the record number of a frame is calculated relative to this frame.
All the frames before the reference frame have a negative record number, and all frames after the reference frame have a positive record number. Also, an R is displayed in the Flags column (if flags are displayed) identifying the reference frame.

The DatagLANce analyzer supports offset and record mode. When it is analyzing those frames from the FDDI DatagLANce analyzer, it must calculate frame numbers by using sequential searches. This option is available to avoid that processing time.

In summary:

o In byte offset mode, the DatagLANce analyzer enables movement within the captured data with minimal processing time, but forfeits the ability to identify the number of records between the frames displayed.
o Record number mode gives you relative record numbers of frames, but can require significant calculation time (for example, for FDDI DatagLANce capture data) to determine these numbers based on what frame has been defined as the reference frame.

═══ 9.3.3. Measuring Relative Time between Frames ═══

The Delta Time frame summary display option shows the difference between two adjacent frame time-stamps in the frame summary. Figure "Frame Summary with Absolute and Delta Time-Stamps" illustrates a frame summary with both absolute and delta time-stamps display options selected.

[Figure "Frame Summary with Absolute and Delta Time-Stamps"]

This display shows the arrival time-stamps of each frame as well as the delta time between these time-stamps.

The relative time of a frame is the difference in time between a frame's absolute time-stamp and the absolute time-stamp of the marked frame. The marked frame is the frame from which relative time-stamps are calculated. You can define this frame by selecting the frame to mark and selecting the Mark Frame menu choice in the Analysis menu. Once the marked frame has been defined (or redefined, since some frame is always marked), the relative time of the frame that is marked becomes zero.
All frames before the marked frame have negative relative times and all frames after the marked frame have positive relative times. An M is displayed in the Flags column indicating the marked frame.

[Figure "Frame Summary with Absolute and Relative Time-Stamps"]

Observe in Figure "Frame Summary with Absolute and Relative Time-Stamps" that the difference in time between frame 258 (the frame we marked) and frame 278 in the window is 0.07 seconds.

In summary:

o The delta time of a frame is the difference between the absolute time-stamps of a frame and the frame displayed above it.
o The relative time of a frame is the difference between the absolute time-stamps of a frame and the marked frame.

═══ 9.3.4. Bookmarks ═══

Bookmarks are frame summary entries that have been marked so that they can be referenced and recalled easily. A bookmark is defined by selecting the entry on the Frame Summary window to mark and then selecting a number in the Define Bookmark submenu of the Analysis menu. The number of the bookmark then is displayed in the Flags column. If the frame is defined as the marked frame, its bookmark number is not displayed because bookmark numbers appear in the same column as the M for marked frame.

Bookmarks are useful for the following reasons:

o When moving within the captured data. By marking a frame with a bookmark, you can move back to that frame sometime in the future by selecting the bookmark number within the Jump to Bookmark submenu of the Search menu. You can also do this by pressing the numerical key on your keyboard that corresponds to the number of the bookmark you want.
o When printing or saving frame data, you can use bookmarks to avoid entering the record offset or record number of the start and end frames to print or save. See Printing Frame Data and Saving Frame Data for more information about printing and saving frames.

═══ 9.3.5. Moving within the Frame Summary: Jump ═══

One method of moving within the capture data is by dragging the vertical scroll bar in the Frame Summary window to the position desired within the capture data. This gets us to the general vicinity of where we want to go, but when 1.4 GB of data is being analyzed, one notch of the scroll bar control might be 32 MB of data.

To make things easier, the DatagLANce analyzer permits you to jump to specific frames within the data. This is accomplished by selecting the appropriate jump option from the Frame Summary window's Search menu. The jump options available in this menu are described in the following information:

Jump to First Frame
   Jumps to the first frame in the capture data.

Jump to Last Frame
   Jumps to the last frame in the capture data.

Jump to Marked Frame
   Jumps to the marked frame.

Jump to Reference Frame
   Jumps to the reference frame.

Jump to Trigger Frame
   Jumps to the trigger frame. If there is no trigger frame within the captured data (the user stopped the capture before the trigger was detected or the capture was not set up to trigger), this menu choice is grayed.

Jump to Bookmark
   Jumps to any of the bookmarks that are defined. Undefined bookmark numbers are grayed.

Jump to Frame
   Jumps to a specific frame offset (if in byte offset mode), specific frame record number (if in record number mode), or any of the above options.

When the Jump to Frame menu choice in the Search menu is selected, the window in Figure "Jump to Frame Options Window" is displayed.

[Figure "Jump to Frame Options Window"]

If the display is in the byte offset mode, the offset of a frame can be entered in the edit field of the list box. If not, the record number of a frame can be entered in the field. Any of the options in the list box can also be selected. The contents of the combination box vary depending on whether a trigger frame exists and whether the reference frame or any bookmarks have been defined.

═══ 9.4. Displaying Specific Protocols in the Frame Summary ═══

The Interpretation field in the Frame Summary window displays a summary of the protocol interpretation for the frame. When the Highest Level Only choice is selected from the Display menu, the Interpretation field gives a good indication of what higher protocol layer actions are occurring. Sometimes, however, you might be interested in examining only a specific protocol within the protocol stack.

By selecting the Specific Protocols Only choice from the Display menu, you can select which protocols to display/hide in the Frame Summary window. When you select this choice from the menu, the window in Figure "Specific Protocols to Display in Frame Summary Options" is displayed.

[Figure "Specific Protocols to Display in Frame Summary Options"]

The list box entitled Available Protocol List shows the available protocols that are supported for protocol decoding. Most of the protocols are displayed in the Frame Summary window, but some appear only in the Frame Detail window (see Frame Detail: Detailed Protocol Analysis).

The Add push button adds the protocol selected in the list box labeled Available Protocol List to the list box labeled Protocols to Display/Hide.

The Delete push button deletes the protocol selected in the Protocols to Display/Hide list box.

The Clear push button will clear the Protocols to Display/Hide list box.

The Display Only These Protocols radio button specifies that only the protocols in the Protocols to Display/Hide list box should be displayed in the Frame Summary Window.

The Hide These Protocols radio button specifies that all protocols except the protocols in the Protocols to Display/Hide list box should be displayed in the Frame Summary Window.

The OK push button accepts the options specified, refreshing the Frame Summary window to display/hide the protocols selected.
Note: If you are interested in filtering the frames displayed by the protocols selected, see Figure "Display Filter Equation Edit Window".

═══ 9.5. Frame Detail: Detailed Protocol Analysis ═══

The Frame Summary presents the frames that were captured in a summarized form. Only one line per frame is used to present the information contained within that frame. If you want a breakdown of the information in a frame to protocols (detailed protocol decode), choose the Frame Detail display. This window is displayed by selecting the Frame Detail option from the Display menu in the Frame Summary window or by double-clicking on a record in the Frame Summary window with mouse button 1. Figure "Frame Detail Window" shows the Frame Detail window.

[Figure "Frame Detail Window"]

The frame selected in the Frame Summary window is displayed in detail in this window. Each protocol header in the frame is decoded in detail and in a different color. The protocols supported by DatagLANce analysis are described in Protocols Decoded.

Use the vertical and horizontal scroll bars, page, or cursor movement keys on the keyboard to move within this window. The Prev and Next menu selections cause the frame detail of the previous or next frame in the frame summary to be displayed. Use the Window menu or the Tab key to move between windows.

The highlighted line within the window is selected by using the scroll bar, cursor keys, or by clicking on it with mouse button 1. This highlighted line is linked to the Frame Hexdump display. Bytes that are interpreted on this line (if there are any) are also highlighted in the Hexdump window. For information on the Frame Hexdump, see Frame Hexdump: Dumped Frame Data.

═══ 9.5.1. Dumping Information Fields ═══

Some fields within the detailed protocol decode of a frame contain user data or a format that cannot be decoded. These information fields are presented in a form that describes the number of bytes of data in the field but does not display them.
Selecting this field highlights the bytes in the Frame Hexdump display. The Dump Information Fields option is also available to place a hexadecimal and character dump of this data directly into the frame detail display.

═══ 9.5.1.1. Frame Detail Display Options ═══

The Display menu of the Frame Detail window contains the following selections:

Dump Information Fields
   Turns on or off the dumping of the information fields within the frame's detail. The fields are dumped in hexadecimal in their respective places for frames containing large information fields.

ASCII characters and EBCDIC characters
   Selects whether the information fields that are dumped display the character dump of the data in ASCII or EBCDIC. These menu choices also control how other header fields within the frame are interpreted. (Telnet Data can be in either ASCII or EBCDIC.)

Quick Filter
   Sets up a quick filter. (See Quick Filter: The Quick Equation Writer.)

═══ 9.6. Frame Hexdump: Dumped Frame Data ═══

Although Frame Summary displays a summary of the frames captured and Frame Detail displays a detailed protocol decode of the frames captured, it might be useful to examine the actual bytes of a frame that was captured. This can be accomplished by using the Frame Hexdump display. This window is displayed by selecting the Frame Hexdump choice from the Display menu in the Frame Summary window or by double-clicking on any line within the Frame Detail window. Figure "Frame Hexdump Window" shows the Frame Hexdump window.

[Figure "Frame Hexdump Window"]

The data bytes in the frame selected in the Frame Summary window are displayed in a dump format in this window. Each line of this window displays 16 bytes of frame data in both hexadecimal and ASCII or EBCDIC (selected from the Display menu). The data is displayed in the color corresponding to the protocol header decoded in the Frame Detail display. The offset of each line of frame data is displayed to the left in hexadecimal.
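
The dump layout described above (16 bytes per line, hexadecimal offset on the left, character column in ASCII or EBCDIC), as an added example that is not code from the DatagLANce product. The exact column spacing, the use of code page cp037 for EBCDIC, and the sample frame are assumptions; the frame is constructed, not taken from a capture.

```python
"""Frame hexdump: 16 bytes per row, hex offset on the left, ASCII or EBCDIC text.

Added illustration only; the row layout is an assumption, not the product's
exact output.
"""

# cp037 is one common EBCDIC code page (assumed here); latin-1 maps every byte
# to a character so the ASCII view never fails to decode.
CODECS = {"ascii": "latin-1", "ebcdic": "cp037"}


def _char(byte, codec):
    """Return the printable character for one byte, or '.' if it has none."""
    ch = bytes([byte]).decode(codec)
    return ch if " " <= ch <= "~" else "."


def hexdump(frame, charset="ascii", width=16):
    """Return the dump of `frame` as a list of text rows."""
    codec = CODECS[charset]
    rows = []
    for offset in range(0, len(frame), width):
        chunk = frame[offset:offset + width]
        # Pad the hex column so the character column lines up on a short last row.
        hex_col = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text_col = "".join(_char(b, codec) for b in chunk)
        rows.append(f"{offset:04X}  {hex_col}  {text_col}")
    return rows


# Constructed frame, not from a real capture: 16 header bytes followed by the
# text "LOGON USER1" encoded in EBCDIC.
SAMPLE_FRAME = (bytes.fromhex("1040400000000001400000000002aaaa")
                + "LOGON USER1".encode("cp037"))

if __name__ == "__main__":
    for charset in ("ascii", "ebcdic"):
        print(charset.upper())
        print("\n".join(hexdump(SAMPLE_FRAME, charset)))
```

The same payload bytes read as `.....@.....` in the ASCII view and as `LOGON USER1` in the EBCDIC view, which is why the character set choice matters when inspecting user data.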
Use the vertical and horizontal scroll bar, page, or the cursor movement keys on the keyboard to move within this window. The Prev and Next menu selections cause the frame hexdump of the previous or next frame in the frame summary to be displayed. The Window menu or the Tab key can be used to move between windows. As a line is selected in the Frame Detail display the interpreted bytes on that line are highlighted in the Frame Hexdump window. This is illustrated in Figure "Frame Data Highlighted in Frame Hexdump". Frame Data Highlighted in Frame Hexdump ═══ 9.7. Selecting Frames to Be Displayed: The Display Filter ═══ The Frame Capture Filter permits you to select which frames you want to capture. This enables you to maximize the capture buffer and disk utilization by capturing only the frames needed. This could be a large number of frames involving communication among many stations using many protocols. See Figure "Frame Capture Filter" for information about the Frame Capture Filter. The Display Filter permits you to further filter the captured data so only a subset of the captured frames are displayed. This filter is specified by selecting the Display Filter choice from the Analysis menu in the Frame Summary window. Figure "Display Filter Equation Edit Window" shows the Display Filter Equation Edit window. Display Filter Equation Edit Window The Enable check box activates the display filter when it is selected. A frame is displayed if it passes the event equation displayed in the list box in this window. Editing this equation is discussed in Understanding Event Equations. The DatagLANce protocol analysis software supplies 8 event detectors per analysis session. Note: The fastest way to set up the Display Filter is to use the Quick Filter function. This function is activated by selecting Quick Filter from the Search menu of the Frame Summary window. See Quick Filter: The Quick Equation Writer for a description of this function. 
The AND Frame Contains Protocols Selected for Display check box permits you to filter out frames that do not contain specific protocols selected for display. The Enable check box must be checked in order for this check box to take effect. The View/Select Protocols push button gives you access to the list of protocols selected for display (as does the Specific Protocols Only menu choice in the Display menu of the Frame Summary Window). The operation of the window that appears after clicking this push button is discussed in Displaying Specific Protocols in the Frame Summary. ═══ 9.8. Finding Text ═══ The Display Filter discussed in the previous section permits you to view a subset of the captured data by selecting frames to be displayed; this is done by logically combining eight event detectors. But suppose you would like to find a frame containing information that is not searched for explicitly by the event detectors, but that can be found within the Frame Summary or Frame Detail interpretation of a frame. This can be accomplished by using the Find Text option of the DatagLANce protocol analysis software. Select the Find Text choice in the Analysis menu of the Frame Summary window to begin the search. When you select this option, the window shown in Figure "Find Text Options" is displayed. Find Text Options The Find group box has two radio buttons, Previous and Next. These radio buttons select the text-search direction (backward or forward in the text) from the selected record in the Frame Summary window. The Search group box selects which text is searched. Summary Text specifies that text in the Frame Summary window is searched. Detail Text specifies that text in the Frame Detail window is searched. The Filtered Frames Only check box specifies whether only frames matching the Display Filter should be searched (see Figure "Display Filter Equation Edit Window"). When this option is unchecked, the DatagLANce analyzer searches all frames. 
Match and Don't Match specify whether to match the search text or find the first frame whose summary or detail text does not contain the search text. Case Sensitive and Case Insensitive specify whether the text search is case sensitive. The text you want to find is entered in the Search Text edit field. The options selected on this window determine the parameters of the search. Selecting OK causes the search to begin. When the search has been completed, you can search for the same text again by selecting Find Previous or Find Next from the Search menu in the Frame Summary window. ═══ 9.9. Printing Frame Data ═══ Sometimes it is useful to obtain a hardcopy of one or more captured frames. The DatagLANce analyzer permits you to print any or all of the captured frames in its three frames presentation forms: Summary, Detail, and Hexdump. This function is accomplished by selecting the Print choice from the File menu in the Frame Summary window. When this menu choice is selected, the window shown in Figure "Print Options" is displayed. Print Options The From and To fields allow either a frame byte offset (if in byte offset mode) or a frame record number (if in record mode) to be specified. These list boxes also allow selection of First, Last, Marked, Reference, Trigger, and any bookmarks that have been defined. The check boxes in the Formats group box specify the formats in which to print data. The Filtered Frames Only check box specifies whether only frames matching the Display Filter should be printed (see Figure "Display Filter Equation Edit Window"). The Device or Pathname edit field permits specification of the device or path name for printing. A standard device is denoted with a trailing colon (for example, PRN:). The full path name of a file must be specified or the file is printed in the directory specified by Current Path. If the file specified does not have an extension, an extension of .PRN is appended to the path name. 
When you click on the OK push button, the frames in the range specified are printed.

═══ 9.10. Saving Frame Data ═══

The DatagLANce analyzer permits you to save any or all of the frames that have been captured to a file stored on the system disk. This file can be archived or copied like any other OS/2 file. The save function is invoked by selecting the Save choice from the File menu in the Frame Summary window. When this menu choice is selected, the window shown in Figure "Save Options" is displayed.

Save Options

The From and To fields allow either a frame byte offset (if in byte offset mode) or a frame record number (if in record mode) to be specified. These list boxes also allow selection of First, Last, Marked, Reference, Trigger, and any bookmarks that have been defined. The Filtered frames only check box specifies whether only frames matching the Display Filter should be saved (see Figure "Display Filter Equation Edit Window").

The Format group box selects the format of the file from the following:

DatagLANce   IBM DatagLANce Network Analyzer file format.
TAP          IBM Trace and Performance Program file format.
Found Mgr    The Protools' Foundation Manager file format.
Sniffer      Network General's Token-Ring or Ethernet Sniffer file format.
LANalyzer    The Novell LANalyzer file format.
ASCII text   An ASCII text file format suitable for single-frame traffic generation (see Single Frame Traffic Generation).

Specify the path name in the Pathname edit field at the bottom of this window. The full path name of a file must be specified; if not, the file is saved in the directory shown next to Current Path. The file should be entered without an extension because an extension, consistent with the format selected, is automatically appended to the path name. When you click on the OK push button, the frames specified are saved.

═══ 9.11. Editing the Capture Description ═══

You can give captured data files a description up to 127 characters in length.
When the Capture Description choice is selected from the File menu in the Frame Summary window, the window shown in Figure "Edit Capture Description" is displayed. Edit Capture Description The description of the capture can be edited in the Capture description edit field. A descriptive name such as Mike Ferrell's Capture Data or Capture Displaying File Server Station Failure on May 18th, 1992 can be entered in this field. Clicking on the OK push button in this window causes the new capture description to be saved to the file being analyzed. From an OS/2 command prompt you can then issue the command: TYPE and see the capture description. To see the capture descriptions of all DatagLANce files in the directory issue the command: TYPE *.DGC. ═══ 9.12. Starting a New Capture ═══ Network troubleshooting is a multi-step process. It can take several captures of frames to isolate the problem on the network. The DatagLANce protocol analysis software makes it easy to analyze capture data and then capture new data. The Start a New Capture option in the File menu of the Frame Summary window closes the current protocol analysis session and instructs the DatagLANce Network Analyzer software to start a new capture using the last capture filter that was used. Setting up the capture filter is discussed in Figure "Frame Capture Filter". The Start a New Capture using Display Filter option in the File menu of the Frame Summary window closes the current protocol analysis session and instructs the DatagLANce Network Analyzer software to start a new capture using the current Protocol Analysis Display Filter. The capture filter is matched to the display filter to allow you to capture only the frames that you selected for displaying in this DatagLANce Protocol Analysis session. This option permits you to capture traffic, select the frames that you want to display, and then capture only those frames during the next capture. 
This powerful option saves you time by automatically reconfiguring the DatagLANce Network Analyzer software for you.

Note: This option does not support filtering frames by protocols selected for display (see Figure "Display Filter Equation Edit Window"). All frames that are displayed with this option OFF will be captured (for example, frames matching the Display Filter event equation only).

═══ 9.13. Summary ═══

This chapter described in detail the DatagLANce protocol analysis functions. Using these functions, you can analyze frames captured by the DatagLANce analyzer and other analyzers. Looking at captured frames with detailed protocol decodes can be helpful when troubleshooting network problems and fine-tuning a network.

═══ 10. Traffic Generation and Playback ═══

The performance of a network can be affected by traffic load. The DatagLANce Traffic Generation and Playback functions allow you to:

1. Observe how other network stations respond to delays caused by background network loading
2. Test the response of individual stations, bridges, gateways, and/or routers in handling additional traffic of a specific type
3. Play back traffic into the DatagLANce Network Analyzer applications for analysis of specific network problems

Warning: Adding traffic to your network might seriously degrade network performance. You should use these functions with caution; the DatagLANce Network Analyzer was designed to help you find network problems, not cause them.

═══ 10.1. Overview of DatagLANce Traffic Generation and Playback Capability ═══

With the DatagLANce Network Analyzer, you have the power to load and play back onto your network by:

o Generating the same frame repeatedly, specifying:
  - Frame destination DLC address
  - Frame size
  - Interval between frames
  - Maximum number of frames to transmit
  - Frame contents
  - Whether the frame should contain errors
o Playing back network traffic captured by the DatagLANce Network Analyzer onto the network.
o Playing back network traffic captured by the DatagLANce Network Analyzer into the analyzer for re-analysis. o Measuring the approximate transmit wait time of a token-ring network. Each of these functions is discussed in detail in the following sections. ═══ 10.2. Single Frame Traffic Generation ═══ The traffic generation function permits you to repeatedly transmit the same frame onto the network for the purpose of loading the network or measuring the effect on the performance of a station, bridge, gateway, or router. This function can be activated when the DatagLANce Network Analyzer is not monitoring by selecting the Single Frame Traffic Generation choice from the Transmit menu on the DatagLANce Network Analyzer window. Figure "Single Frame Traffic Generation Options" shows the options window that is displayed when you select this menu choice. Single Frame Traffic Generation Options The destination address of the frame to transmit can be manually specified in the To DLC Address edit field or selected by clicking on its symbolic name in the List of Station Names list box. The Size edit field is used to select the size of the frame. For Ethernet, the actual length of the frame generated will be 4 bytes longer than the size specified to account for the frame check sequence. For token-ring, the actual length of the frame generated will be 7 bytes longer than specified to account for the start and end delimiters, the frame status indicators, and the frame check sequence. The Delay edit field is used to select the time to wait between frame transmissions. Entering zero in this field specifies to transmit as fast as the DatagLANce Network Analyzer can transmit. The Number of Frames combination box is used to select the maximum number of frames to transmit. Unlimited will cause frames to be transmitted until you stop traffic generation. The Load push button is used to select to load an ASCII text file containing the frame to transmit. 
Below is a sample ASCII text file that defines a frame for DatagLANce.

*
* Sample frame defined in an ASCII text file (extension is .TXT)
* Lines starting with asterisks are comment lines
*
* $BEGIN_FRAME indicates start of frame data
$BEGIN_FRAME
*
* $SIZE indicates frame size (regardless of bytes defined below)
$SIZE 256
*
* Here is the frame data (this is a token-ring frame)
10 40 10 00 5A 6D C9 A2 10 00 5A 6B 92 BC F0 F0
02 02 0E 00 FF EF 16 02 00 00 00 00 6E 06 FE 06
FF 53 4D 42 72 00 00 00 00 08 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 26 00 00 00 12 76
00 3A 00 02 50 43 20 4E 45 54 57 4F 52 4B 20 50
52 4F 47 52 41 4D 20 31 2E 30 00 02 4C 41 4E 4D
41 4E 31 2E 30 00 02 4C 4D 31 2E 32 58 30 30 32
00 02 58 45 4E 49 58 20 43 4F 52 45 00
*
* $END_FRAME indicates end of frame data
$END_FRAME

If a file contains multiple frames, only the first frame in the file will be loaded.

For token-ring frames, the first two bytes are the access control and frame control bytes. Because these bytes cannot be specified on the traffic generation panel, the only way to specify them is by defining them in an ASCII file and loading the file. While this permits you to specify token-ring MAC frames for transmission, the token-ring adapter does not allow some token-ring MAC frames to be transmitted.

The source address of the frame within the file will always be overridden with the source address of the adapter being used for the DatagLANce function.

The first 256 bytes of frame data can be specified/edited in the First 256 Bytes of Frame Data edit field. These bytes are considered to start after the source address of the frame. Only hexadecimal characters can be specified in the edit field; however, spaces are allowed for clarification. Any characters exceeding the 256-byte maximum are ignored.

The last four bytes of each frame transmitted will be forced to be a sequence number.
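Added example (not part of the IBM manual and not DatagLANce code): a Python reader for the ASCII frame file format described above, useful for checking what a frame file defines before it is loaded. It keeps only the first frame, decodes the token-ring AC, FC, DA and SA bytes using the bit layouts from the Frame Formats appendix, and reports the on-wire length (Size plus 7 for token-ring). The function names and the abridged sample file are constructed for illustration; matching the keywords exactly as they appear in the manual's sample and requiring a $SIZE line are assumptions.

```python
TOKEN_RING_OVERHEAD = 7  # delimiters, frame status and FCS added to Size
FRAME_TYPES = {0b00: "MAC", 0b01: "LLC", 0b10: "undefined", 0b11: "undefined"}

# Constructed sample: the first 22 bytes of the manual's sample frame,
# followed by a second frame that must not be loaded.
SAMPLE_FILE = """\
* Constructed sample for this example
$BEGIN_FRAME
$SIZE 64
10 40 10 00 5A 6D C9 A2 10 00 5A 6B 92 BC F0 F0
02 02 0E 00 FF EF
$END_FRAME
$BEGIN_FRAME
$SIZE 32
10 00 C0 00 FF FF FF FF 10 00 5A 6B 92 BC
$END_FRAME
"""


def load_first_frame(text):
    """Return (declared_size, data_bytes) for the first frame in the file."""
    size, data, in_frame = None, bytearray(), False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*"):  # blank or comment line
            continue
        if line == "$BEGIN_FRAME":
            if in_frame:
                raise ValueError(f"line {lineno}: nested $BEGIN_FRAME")
            in_frame = True
        elif not in_frame:
            raise ValueError(f"line {lineno}: content outside a frame")
        elif line == "$END_FRAME":
            return size, bytes(data)  # frames after the first are ignored
        elif line.startswith("$SIZE"):
            fields = line.split()
            if len(fields) != 2 or not (fields[1].isascii() and fields[1].isdigit()):
                raise ValueError(f"line {lineno}: bad $SIZE")
            size = int(fields[1])
        else:
            try:
                data += bytes.fromhex(line)  # hex pairs, spaces allowed
            except ValueError:
                raise ValueError(f"line {lineno}: not hexadecimal: {line!r}") from None
    raise ValueError("no complete frame found")


def mac(addr):
    return ":".join(f"{b:02X}" for b in addr)


def decode_header(data):
    """Decode AC, FC, DA and SA. Bit 0 in the manual's figures is the MSB."""
    if len(data) < 14:
        raise ValueError("need AC, FC, DA and SA (14 bytes)")
    ac, fc, da, sa = data[0], data[1], data[2:8], data[8:14]
    frame_type = FRAME_TYPES[fc >> 6]
    return {
        "priority": ac >> 5,           # PPP
        "token_bit": (ac >> 4) & 1,    # T
        "monitor_bit": (ac >> 3) & 1,  # M
        "reservation": ac & 0b111,     # RRR
        "frame_type": frame_type,      # FF
        "control_bits": fc & 0x0F,     # ZZZZ
        "express_buffered": frame_type == "MAC" and (fc & 0x0F) != 0,
        "destination": mac(da),
        "ig_bit": da[0] >> 7,          # individual/group
        "ul_bit": (da[0] >> 6) & 1,    # universal/local
        "source_in_file": mac(sa),
        "rii_bit": sa[0] >> 7,         # routing information indicator
    }


def review_frame_file(text, adapter_address):
    """Summarise the frame a file defines, as the manual says it is sent."""
    size, data = load_first_frame(text)
    if size is None:  # assumption of this example: $SIZE is required
        raise ValueError("frame has no $SIZE line")
    report = decode_header(data)
    report.update(
        declared_size=size,
        defined_bytes=len(data),
        on_wire_length=size + TOKEN_RING_OVERHEAD,
        source_as_sent=mac(adapter_address),  # the file's SA is overridden
    )
    return report


if __name__ == "__main__":
    # Constructed adapter address, for illustration only.
    for key, value in review_frame_file(SAMPLE_FILE, bytes.fromhex("400000000001")).items():
        print(f"{key:18} {value}")
```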
Each time you start transmission, this sequence number starts with 1 and is incremented by for each frame transmitted. If the size specified in the Size edit field is less than 256 bytes, this sequence number will replace any frame data specified in the last 4 bytes. The Data Starts with RI Field check box specifies whether the frame data specified in the First 256 Bytes of Frame Data edit field starts with Source Routing Indicators. The Transmit with FCS Error check box specifies whether to transmit the frame with an FCS error. This permits you to inject errors onto the network at the rate specified in the Delay edit field. Click on OK to accept the options specified. The Traffic Generation Status/Control window, as shown in Figure "Traffic Generation Status/Control Window", is displayed. Traffic Generation Status/Control Window At the bottom of this window the left-most push button controls starting and stopping traffic generation. The Options push button returns you to the previous options panel so that you can change the traffic generation parameters. The Done push button exits traffic generation. The remainder of the window shows the status of transmission. During transmission, the two bar graphs indicate network traffic generated by the DatagLANce Network Analyzer. ═══ 10.3. Playback onto the Network ═══ The DatagLANce analyzer's play back onto the network function permits you to playback frames stored in a capture file onto the network. This function permits you to simulate network traffic to test how other stations respond to the background traffic. This function is activated by selecting the Playback onto Network choice from the Transmit menu of the DatagLANce Network Analyzer window. Figure "Playback onto Network Options" shows the options window that is displayed when you select this menu choice. Playback onto Network Options The File to Playback edit field specifies the pathname of the file to play back onto the network. 
The Select push button permits selection of the file name. The Continuous Playback check box will cause the entire contents of the file to be transmitted repeatedly until you stop transmission by selecting the OK push button. For the Token-Ring DatagLANce Network Analyzer, the Inhibit Transmission of Token-Ring MAC Frames check box selects not to transmit any MAC frames contained within the file (some MAC frames cannot be transmitted by the adapter; this applies to the remaining MAC frames). Unlike single frame traffic generation, which replaces the source address of each frame transmitted with the source address of the adapter being used for the DatagLANce function, playback onto the network will transmit each frame as it was received, with the source address intact. When OK is selected, the DatagLANce analyzer will display the Playback Status/Control window. This window operates similarly to the Traffic Generation Status/Control window (see Single Frame Traffic Generation). ═══ 10.4. Playback into the Network Analyzer ═══ The DatagLANce analyzer's playback into the network analyzer function permits you to play back frames stored in a capture file into the network analyzer for analysis. This function lets you re-analyze network traffic again and again using all of the available functions of the DatagLANce Network Analyzer software. This function is activated by selecting the Playback into Analyzer choice from the Transmit menu of the DatagLANce Network Analyzer window. Figure "Playback into Analyzer Options" shows the options window that is displayed when you select this menu choice. Playback into Analyzer Options The File to Playback edit field specifies the pathname of the file to play back into the analyzer. The Select push button permits selection of the file name. The Continuous Playback check box will cause the entire contents of the file to be played back repeatedly until you stop the monitor. 
When OK is selected, the DatagLANce analyzer will start the playback when you select the Go! choice on the DatagLANce Network Analyzer window. Play back will continue until end-of-file is reached or you stop the DatagLANce Network Analyzer by clicking Stop! on the DatagLANce Network Analyzer window. To turn off playback, select Disabled from the Transmit menu of the DatagLANce Network Analyzer window. ═══ 10.5. The Measure Transmit Wait Time Function ═══ The Measure Transmit Wait Time function of the DatagLANce Network Analyzer measures the amount of time it takes for a network station to acquire a free token for transmission on a token-ring network. As the physical size of the token-ring network grows, the longer it takes for a free token to circle the ring. Also, as the number of stations on the token-ring network grows and as each station is actively trying to transmit a frame, the longer it takes for a free token to circle the ring. Thus transmit wait time is related to the latency of a token-ring network as well as the number of active stations on the token-ring. The DatagLANce Network Analyzer measures transmit wait time by transmitting 20 small frames per second as fast as it can transmit, measuring the time between transmit initiation and transmit completion. After adjusting the time by the time it takes to transmit the frame, the DatagLANce Network Analyzer then averages all 20 times to approximate the transmit wait time. This function can be enabled by selecting the Measure Transmit Wait Time choice from the Transmit menu of the DatagLANce Network Analyzer window (You must stop the monitor first, if you are currently monitoring). The DatagLANce Network Analyzer will first insert onto the token-ring network and then display the window appearing in Figure "Transmit Wait Time Window". Transmit Wait Time Window The current transmit wait time is shown at the top of this window. 
If an error occurred while trying to transmit, the current transmit wait time will be displayed as TRANSMIT ERROR. Statistics on the maximum, average, and minimum wait time are displayed in the Statistics group box. The OK push button ends the measure transmit wait time function and exits this window.

═══ 11. Frame Formats ═══

This appendix serves as a reference for frame formats. Further information can be found in the respective specifications.

═══ 11.1. Token-Ring Frame Formats ═══

═══ 11.1.1. Frame PDU Format (Token-Ring) ═══

Figure "Frame PDU Format for Token-Ring" shows the Frame PDU format for token-ring.

Frame PDU Format for Token-Ring

          |───────── FCS Coverage ────────────|
┌────┬────┬────┬──────┬──────┬──────┬─────┬─────┬────┬────┐
│ SD │ AC │ FC │  DA  │  SA  │  RI  │ IF  │ FCS │ ED │ FS │
└────┴────┴────┴──────┴──────┴──────┴─────┴─────┴────┴────┘

SD    Start delimiter (1 byte)
AC    Access control field (1 byte)
FC    Frame control (1 byte)
DA    Destination address (6 bytes)
SA    Source address (6 bytes)
RI    Routing information (optional, variable length)
IF    Information (optional, variable length)
FCS   Frame check sequence (8 data symbols)
ED    End delimiter (1 byte)
FS    Frame status (1 byte)

═══ 11.1.1.1. Access Control Field (Token-Ring) ═══

Figure "Access Control Field for Token-Ring" shows the Access Control field for token-ring.

Access Control Field for Token-Ring

   ┌─┬─┬─┬─┬─┬─┬─┬─┐
Bit│0│1│2│3│4│5│6│7│
   ├─┼─┼─┼─┼─┼─┼─┼─┤
   │P│P│P│T│M│R│R│R│
   └─┴─┴─┴─┴─┴─┴─┴─┘

P   Priority bits
T   Token bit
M   Monitor bit
R   Reservation bit

═══ 11.1.2. Frame Control Field (Token-Ring) ═══

The Frame Control (FC) field for token-ring is a 1-byte data field that designates the frame type as well as certain MAC and information frame functions. The bit definitions in this byte are shown in Figure "Token-Ring Frame Control Byte Bit Definitions".
Token-Ring Frame Control Byte Bit Definitions

   ┌─┬─┬─┬─┬─┬─┬─┬─┐
Bit│0│1│2│3│4│5│6│7│
   ├─┼─┼─┼─┼─┼─┼─┼─┤
   │F│F│r│r│Z│Z│Z│Z│
   └─┴─┴─┴─┴─┴─┴─┴─┘

F      Frame type bits
       00  MAC frame
       01  LLC frame
       10  Undefined frame
       11  Undefined frame
rr     Reserved bits
ZZZZ   Control bits
       0000          MAC frame is normally buffered
       0001 to 1111  MAC frame is express buffered

An express-buffered frame must be delivered immediately. It can be copied to the ring station's express buffer when the normal frame buffers are full.

═══ 11.2. Token-Ring Addresses ═══

The token-ring address format is most significant bit (MSB) first. The MSB is transmitted onto the network first.

═══ 11.2.1. Token-Ring Destination Addresses ═══

Figure "Destination Address Bit Definitions" shows the bit definitions for token-ring destination addresses.

Destination Address Bit Definitions

 |─────────────── 48 bits ──────────────────|
┌───┬───┬──────────────┬───┬─────────────────┐
│I/G│U/L│ . . . . . .  │FAI│ . . . . . . . . │
└───┴───┴──────────────┴───┴─────────────────┘
         |── 6 bits ──|     |─── 39 bits ───|

I/G   Individual or group bit
U/L   Universal or local bit
FAI   Functional address indicator

═══ 11.2.2. Token-Ring Source Addresses ═══

Figure "Source Address Bit Definitions" shows the bit definitions for source addresses.

Source Address Bit Definitions

 |───────────── 48 bits ─────────────────|
┌─────┬─────┬─────────────────────────────┐
│ RII │ U/L │ . . . . . . . . . . . . . . │
└─────┴─────┴─────────────────────────────┘
             |──────── 46 bits ──────────|

RII   Routing information indicator
      The Routing Information Indicator bit specifies the presence of a routing information field within the frame. This field is used for source routing and immediately follows the source address. The format is shown in Figure "Routing Information Field Format".
U/L   Universal or local bit

═══ 11.3. Routing Fields ═══

═══ 11.3.1. Routing Information Field ═══

Figure "Routing Information Field Format" shows the format of the routing information field.
Routing Information Field Format

 |────────── RI Field ─────────|
┌───────┬───────┬───────┬───────┐
│  RC   │  SN1  │  ...  │  SNn  │
└───────┴───────┴───────┴───────┘

RC    Routing control field (2 bytes)
SNn   Segment number (up to eight 2-byte segments)

═══ 11.3.2. Routing Control Field (Detail) ═══

Figure "Routing Control Field (Detail)" shows the routing control field.

Routing Control Field (Detail)

    |─── Routing Control Field ───|
   ┌───────────────┬───────────────┐
   │    Byte 1     │    Byte 2     │
   ├─┬─┬─┬─┬─┬─┬─┬─┼─┬─┬─┬─┬─┬─┬─┬─┤
Bit│0│1│2│3│4│5│6│7│0│1│2│3│4│5│6│7│
   ├─┼─┼─┼─┼─┼─┼─┼─┼─┼─┼─┼─┼─┼─┼─┼─┤
   │B│B│B│L│L│L│L│L│D│F│F│F│r│r│r│r│
   └─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┘

B   Broadcast indicator bits
L   Length bits
D   Direction bit
F   Largest frame bits
r   Reserved bits

═══ 11.3.3. Routing Designator (Detail) ═══

Figure "Route Designator (Detail)" shows the routing designator.

Route Designator (Detail)

 |──── Route Designator ────|
┌───────────────┬────────────┐
│      RN       │     BN     │
└───────────────┴────────────┘
 |── 12 bits ──|─ 4 bits ─|

RN   Ring number
BN   Bridge number

═══ 11.4. MAC Frame Format (Token-Ring) ═══

Figure "MAC Frame Format" shows the MAC frame format.

MAC Frame Format

┌────┬────┬────┬────┬────┬────┬────┬─────┬────┬────┐
│ SD │ AC │ FC │ DA │ SA │ RI │ IF │ FCS │ ED │ FS │
└────┴────┴────┴────┴────┴────┴────┴─────┴────┴────┘

SD    Start delimiter (1 byte)
AC    Access control field (1 byte)
FC    Frame control (1 byte)
DA    Destination address (6 bytes)
SA    Source address (6 bytes)
RI    Routing information (optional, variable length)
IF    Information field (optional, variable length)
FCS   Frame check sequence (4 bytes)
ED    Ending delimiter (1 byte)
FS    Frame status (1 byte)

═══ 11.5. LLC Frame Format (Token-Ring Only) ═══

Figure "LLC Frame Format" shows the LLC Frame Format.
LLC Frame Format

┌────┬────┬────┬──────┬──────┬────┬──────┬─────┬────┬────┐
│ SD │ AC │ FC │  DA  │  SA  │ RI │ LPDU │ FCS │ ED │ FS │
└────┴────┴────┴──────┴──────┴────┴──────┴─────┴────┴────┘

SD     Start delimiter (1 byte)
AC     Access control field (1 byte)
FC     Frame control (1 byte)
DA     Destination address (6 bytes)
SA     Source address (6 bytes)
RI     Routing information field (optional, variable length)
LPDU   LLC protocol data unit (3 or more bytes)
FCS    Frame check sequence (4 bytes)
ED     End delimiter (1 byte)
FS     Frame status (1 byte)

═══ 11.6. Ethernet Frame Formats ═══

The following sections show Ethernet frame formats.

═══ 11.6.1. Frame PDU Format (Ethernet DIX V2) ═══

Figure "Frame PDU Format for Ethernet DIX V2" shows the frame PDU format for Ethernet DIX V2. This format is commonly known as Ethernet and was available before IEEE 802.3. Both frame types can exist on a single LAN, but two communicating stations cannot mix Ethernet DIX V2 and Ethernet 802.3 unless their hardware permits it.

Frame PDU Format for Ethernet DIX V2

┌────┬────┬──────┬──────┬───┬────┬──────┬─────┬─────┐
│ PA │ SF │  DA  │  SA  │ T │ RI │ INFO │ PAD │ FCS │
└────┴────┴──────┴──────┴───┴────┴──────┴─────┴─────┘

PA     Preamble (62 bits of alternating 1 and 0)
SF     Start of frame (2 bits, 11)
DA     Destination address (6 bytes)
SA     Source address (6 bytes)
T      Type (2 bytes)
RI     Routing information field (optional, variable length)
INFO   Information (optional, variable length)
PAD    PAD characters (optional; pad characters added if necessary to make the frame 64 bytes in length)
FCS    Frame check sequence (4 bytes)

═══ 11.6.2. Frame PDU Format (IEEE 802.3) ═══

Figure "Frame PDU Format for IEEE 802.3" shows the frame PDU format for IEEE 802.3.
Frame PDU Format for IEEE 802.3

┌────┬────┬──────┬──────┬───┬────┬──────┬─────┬─────┐
│ PA │ SF │  DA  │  SA  │ L │ RI │ INFO │ PAD │ FCS │
└────┴────┴──────┴──────┴───┴────┴──────┴─────┴─────┘

PA     Preamble (62 bits of alternating 1 and 0)
SF     Start of frame (2 bits, 11)
DA     Destination address (6 bytes)
SA     Source address (6 bytes)
L      Length (2 bytes)
RI     Routing information (optional, variable length)
INFO   Information (optional, variable length; if present, starts with IEEE 802.3 LLC header)
PAD    PAD characters (optional, pad characters added if necessary to make frame 64 bytes in length)
FCS    Frame check sequence (4 bytes)

═══ 11.7. Ethernet Addresses ═══

The Ethernet address format is canonical or least-significant bit (LSB) first.

═══ 11.7.1. Ethernet Destination Addresses ═══

Figure "Destination Address Bit Definitions for Ethernet" shows the bit definitions for Ethernet destination addresses.

Destination Address Bit Definitions for Ethernet

 |───────────── 48 bits ─────────────────|
┌─────────┬───┬───┬───────────────────────┐
│ . . . . │U/L│I/G│ . . . . . . . . . . . │
└─────────┴───┴───┴───────────────────────┘
 |─── 8 bits ────|

U/L   Universal or local bit
I/G   Individual or group bit

═══ 11.7.2. Ethernet Source Addresses ═══

Figure "Source Address Bit Definitions" shows the bit definitions for Ethernet source addresses.

Source Address Bit Definitions

 |───────────── 48 bits ─────────────────|
┌─────────┬───┬───┬───────────────────────┐
│ . . . . │U/L│RII│ . . . . . . . . . . . │
└─────────┴───┴───┴───────────────────────┘
 |─── 8 bits ────|

U/L   Universal or local bit
RII   Routing information indicator
      The Routing Information Indicator bit specifies the presence of a routing information field within the frame. This field is used for source routing and immediately follows the Length field (Ethernet 802.3) or Type field (Ethernet DIX V2) source address. The RII bit in the SA is located in the LSB, since that bit is the first bit a station must receive.

═══ 11.7.3.
Routing Information Field (Ethernet) ═══

The routing information field is not usually found in an Ethernet frame. It is found only if the network is connected through a bridge to another network with source routing. For more information about the routing information field, see Routing Information Field.

═══ 11.7.4. LLC Protocol Data Unit (LPDU) ═══

Figure "LLC Protocol Data Unit (LPDU) Format" shows the format of the LPDU.

LLC Protocol Data Unit (LPDU) Format

 |─────────── LPDU Header ──────────|
┌────────┬────────┬──────────────────┬─────────────────────┐
│  DSAP  │  SSAP  │  Control Field   │  Information Field  │
└────────┴────────┴──────────────────┴─────────────────────┘
 |──────|──────|─ 1 or 2 bytes ─|─ 0 or more bytes ─|
  1 byte 1 byte

DSAP                For the format of this field, see Figure "DSAP Field". The destination service access point.
SSAP                For the format of this field, see Figure "SSAP Field". The source service access point.
Control field       The format of the LPDU information field. Figure "Information Transfer Format Control Field" shows the Information Transfer Format control field.
Information field   The LPDU information

═══ 11.7.4.1. DSAP Field (Detail) ═══

The DSAP field is the destination access point for which the LPDU is intended. The field processes within the communicating node. The format of this field is shown in Figure "DSAP Field".

DSAP Field

              DSAP Field
    ┌───┬───┬───┬───┬───┬───┬───┬────┐
Bit │ 0 │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ 7  │
    ├───┼───┼───┼───┼───┼───┼───┼────┤
    │ D │ D │ D │ D │ D │ D │ U │I/G │
    └───┴───┴───┴───┴───┴───┴───┴────┘

D     DSAP bits
U     User-defined address bit
I/G   Individual/group bit

═══ 11.7.4.2. SSAP Field (Detail) ═══

The SSAP field is the source service access point for which the LPDU is intended. The field processes within the communicating node. The format of this field is shown in Figure "SSAP Field".
SSAP Field

               SSAP Field
    ┌───┬───┬───┬───┬───┬───┬───┬────┐
Bit │ 0 │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ 7  │
    ├───┼───┼───┼───┼───┼───┼───┼────┤
    │ S │ S │ S │ S │ S │ S │ U │C/R │
    └───┴───┴───┴───┴───┴───┴───┴────┘

S       SSAP bits
U       User-defined address bit
C/R     Command/response bit

═══ 11.7.4.3. Control Field (Detail) ═══

The Control field in the LPDU header defines the format of the LPDU information field. The Control field can contain an Information Transfer Format Control field, a Supervisory Format Control field, or an Unnumbered Format Control field. Figure "Information Transfer Format Control Field" shows the Information Transfer Format control field.

Information Transfer Format Control Field

   ┌───────────────────────────────┐  ┌───────────────────────────────┐
   │            Byte 1             │  │            Byte 2             │
   ├───┬───┬───┬───┬───┬───┬───┬───┤  ├───┬───┬───┬───┬───┬───┬───┬───┤
Bit│ 0 │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ 7 │  │ 0 │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ 7 │
   ├───┴───┴───┴───┴───┴───┴───┼───┤  ├───┴───┴───┴───┴───┴───┴───┼───┤
   │           N(S)            │ 0 │  │           N(R)            │P/F│
   └───────────────────────────┴───┘  └───────────────────────────┴───┘

N(S)    Transmitter send sequence number
N(R)    Transmitter receive sequence number
P/F     Poll/final bit

═══ 11.7.4.3.1. Supervisory Format Control Field ═══

Figure "Supervisory Format Control Field" shows the Supervisory Format control field.

Supervisory Format Control Field

   ┌───────────────────────────────┐  ┌───────────────────────────────┐
   │            Byte 1             │  │            Byte 2             │
   ├───┬───┬───┬───┬───┬───┬───┬───┤  ├───┬───┬───┬───┬───┬───┬───┬───┤
Bit│ 0 │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ 7 │  │ 0 │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ 7 │
   ├───┼───┼───┼───┼───┴───┼───┼───┤  ├───┴───┴───┴───┴───┴───┴───┼───┤
   │ 0 │ 0 │ 0 │ 0 │  S S  │ 0 │ 1 │  │           N(R)            │P/F│
   └───┴───┴───┴───┴───────┴───┴───┘  └───────────────────────────┴───┘

S       Supervisory function bits
           00   Receiver Ready (RR)
           01   Receiver Not Ready (RNR)
           10   Reject (REJ)
N(R)    Transmitter receive sequence number
P/F     Poll/final bit

═══ 11.7.4.3.2.
Unnumbered Format Control Field ═══

Figure "Unnumbered Format Control Field" shows the Unnumbered Format control field.

Unnumbered Format Control Field

    ┌───┬───┬───┬───┬───┬───┬───┬───┐
Bit │ 0 │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ 7 │
    ├───┴───┴───┼───┼───┴───┼───┼───┤
    │   M M M   │P/F│  M M  │ 1 │ 1 │
    └───────────┴───┴───────┴───┴───┘

M       Modifier function bits
           000 00   Unnumbered information (UI)
           000 11   Disconnected mode (DM)
           010 00   Disconnect (DISC)
           011 00   Unnumbered acknowledgment (UA)
           011 11   Set Asynchronous Balanced Mode Extended (SABME)
           100 01   Frame Reject (FRMR)
           101 11   Exchange identification (XID)
           111 00   Test (TEST)
P/F     Poll/final bit

═══ 11.7.4.4. SNAP Header ═══

An extension to the IEEE 802.2 LLC header, known as the Sub-Network Access Protocol (SNAP), has been defined by the Internet community. The SNAP header immediately follows the LLC header. The DSAP and SSAP fields in the LLC header are both set to X'AA' and the control field is set to X'03' (Unnumbered Information). Figure "SNAP Header Format" shows the format of the SNAP header.

SNAP Header Format

|────────────── SNAP Header ─────────────|
┌──────────────────────────┬───────────────┬───────────────────────────┐
│ Protocol ID or Org. Code │   Ethertype   │ Higher Layer Information  │
└──────────────────────────┴───────────────┴───────────────────────────┘
|─────── 3 bytes ────────|── 2 bytes ──|

Protocol ID or Organization Code
        Always 3 bytes of 0s.
Ethertype
        The next layer protocol that follows the SNAP header (2 bytes).

═══ 11.8. Frame Check Sequence ═══

The Frame check sequence is the last 4 bytes of the frame. It is a CRC checksum used to verify the information within the frame. For token-ring networks, when a station detects that a frame has been corrupted by computing a checksum different from that of the checksum specified, it sets the Error Detected (E) frame status indicator at the end of the frame. The frame check sequence is not in the captured data for token-ring.

═══ 11.9.
Ending Delimiter (Token-Ring Only) ═══

The ending delimiter is a single byte. The last 2 bits represent the Intermediate Frame (I) and the Error Detected (E) bits. If the I bit is one, the frame is the first or an intermediate frame of a multiple-frame transmission using a single token. The error bit is set by a station that detects an error.

═══ 11.10. Frame Status (Token-Ring Only) ═══

The Frame Status field is a single byte following the end delimiter of a Frame PDU. The first 2 bits in each 8 bits are mandatory, indicating Address Recognized (A) and Frame Copied (C). The rest of the bits are reserved and set to 0s.

═══ 12. Protocols Decoded ═══

The DatagLANce analyzer interprets the following protocol suites:

1.  FDDI Protocol Suite
    o  MAC, SMT(6.2 & 7.2), BPDU, LLC, SNAP, LOOP, RI
2.  Token-Ring Protocol Suite
    o  MAC, BPDU, LLC, SNAP, LOOP, RI
3.  Ethernet/802.3 Protocol Suite
    o  Ethernet DIX V2, IEEE 802.3, BPDU, LLC, SNAP, LOOP, RI
4.  IBM Protocol Suite
    o  NETBIOS, SNA, RPL, SMB, IBMRT, IBMNM, MPTN
5.  TCP/IP Protocol Suite
    o  IP, TCP, UDP, ARP, RARP, ICMP, IGMP, SNMP, CMOT, TFTP, FTP, TELNET, SMTP, DNS, NetBIOS(TCP), SMB, RWHO, RLOGIN, RPRINT, REXEC, RSHELL, TRLR, BOOTP, OSPF, IGRP, RIP, GGP, BGP, EGP
6.  SUN NFS Protocol Suite
    o  RPC, NFS, PMAP, MOUNT, NIS, RSTAT, ND
7.  XNS Protocol Suite
    o  IDP, SPP, Error, RIP, Echo, PEP, NBP, SMB, 3+, Netmap TCP, Netmap XNS, U-B, PUP, PUP ARP
8.  Novell NetWare Protocol Suite
    o  IPX, SPX, RIP, Echo, Error, NetBIOS, NDIAG, NSECURE, NCP, SAP, LSP, NLP, NWDOG, NBCAST
9.  DECnet Protocol Suite
    o  DRP, NSP, SCP, FOUND, DAP, NICE, CTERM, MOP, LAT, LAVC, SCS, SMB
10. AppleTalk Protocol Suite
    o  LAP, AARP, DDP, NBP, ATP, ZIP, RTMP, AEP, PAP, ASP, ADSP, AFP
11. Banyan VINES Protocol Suite
    o  VLLC, VFRP, VIP, VIPC, VSPP, VARP, VRTP, VICP, VECHO, VLOOP, VRPC, VECHS, VROUTE, VPCB, VMAIL, VFTP, VFILE, VSRV, VSTRTK, VTALK, VNMGT, VANG, SMB
12. ISO Protocol Suite
    o  ES-IS, CLNP, OSI TP, SMB
13. X.25 Protocol Suite
    o  X.25 layer 3

═══ 13.
Selecting User Preferences ═══

The DatagLANce analyzer permits you to select the method by which addresses are displayed and the size of the fixed font that is displayed in some windows. You can make these choices by selecting Preferences from the File menu of the DatagLANce Network Analyzer control window or the Frame Summary window. When this menu choice is selected, the window shown in Figure "User Preferences Window" is displayed.

User Preferences Window

The Address Format group permits you to select the format in which all station addresses are displayed. MSB represents most-significant bit first format. Both token-ring and FDDI represent DLC addresses in this format. For Ethernet users or those more familiar with IEEE canonical (least-significant bit first) format, the Canonical (LSB) radio button will cause all addresses to display in LSB format.

MSB addresses are represented using colons (:) between each byte of the address. Canonical addresses are represented using hyphens (-) between each byte of the address. Following are some sample addresses in MSB and Canonical formats:

MSB format           Canonical format
10:00:5A:11:22:33    08-00-5A-88-44-CC
00:00:55:8B:1F:D9    00-00-AA-D1-F8-9B

The Address Format switches also select the default format for address entry. On windows that require an address specification such as the Destination Addresses Event Detector Configuration window, you can enter an address in one of the formats above or with the colons or hyphens omitted. If the colons or hyphens are omitted, the DatagLANce analyzer will consider the address to be in the format specified using the preferred Address Format selected in this window.

The Fixed Font Size edit field permits you to select the size of the fixed font displayed in windows such as Frame Summary, and Ring Map. The size can be selected by entering a number in the edit field or by using the adjacent scroll arrows. The new font size is displayed to the right of the edit field.
For windows that do not contain fixed fonts (such as the Network Statistics window), the font size can be varied by changing the size of the window.

The Protocol Scanning group box represents protocol scanning options. Some frames that the DatagLANce analyzer interprets are dependent on information in frames before or after the frame being interpreted. Protocol scanning is used to search for this information. This can be time consuming if a large number of frames appear between the frame being interpreted and the frame containing the information that is needed.

The Disabled button turns off protocol scanning. This option maximizes interpretation speed at the expense of some interpretation information.

The Enabled button turns on protocol scanning. The number of frames scanned is limited to the number specified in the edit field. By increasing this number, you can guarantee that a frame is fully interpreted. By decreasing this number, you can limit scans for protocol information, and still get full decodes on most frames.

To avoid confusion, the Protocol Scanning preference is not saved in DatagLANce configurations. It is always reset to the defaults every time you load a DatagLANce Network Analyzer application, but remains active as long as you stay within the application.

When you click on the OK push button, the new user preferences take effect.

═══ 14. Symbolic Names Support ═══

The DatagLANce analyzer makes it easy to identify stations on your network by allowing you to assign symbolic names to these stations. There are two methods for assigning symbolic names to station addresses.

o  Symbolic Names can be learned by the DatagLANce analyzer
o  Symbolic Names can be manually specified

═══ 14.1.
Learning Symbolic Names for Station Addresses ═══

The Look for Symbolic Names menu choice in the File menus of the Frame Summary window of the DatagLANce protocol analysis software and the Network Glance window of the DatagLANce Network Analyzer application permits the DatagLANce analyzer to learn symbolic names for station addresses. Figure "DatagLANce Protocol Analysis File Menu" shows the File menu for the Token-Ring Frame Summary window.

DatagLANce Protocol Analysis File Menu

When you select the Look for Symbolic Names menu choice, the DatagLANce analyzer will start searching the captured or glanced frames for symbolic names. When a name is found that the DatagLANce analyzer can relate to a station address, the DatagLANce analyzer will automatically add the symbolic name to the symbolic names list.

═══ 14.2. Manually Specifying Symbolic Names for Station Addresses ═══

Symbolic names can be manually specified by selecting Edit Symbolic Names from the File menu of windows such as the DatagLANce Network Analyzer Control and the Frame Summary windows. When this menu choice is selected, the window shown in Figure "Edit Symbolic Names Window" is displayed.

Edit Symbolic Names Window

With the Address Level list box, you can select the level and type of symbolic names to be edited. The address levels supported are as follows:

DLC (Data Link Control)
        Specifies a DLC (or MAC) station address
        For example: 10:00:5A:11:22:33 (MSB format), 08-00-5A-88-44-CC (LSB format), or 10005A112233 (assumed to be the format selected for user preferences, see Figure "User Preferences Window")
DLC Manufacturer ID
        Specifies the manufacturer IDs for adapter addresses
        For example: 10:00:5A (MSB format) or 08-00-5A (LSB format).
IP (TCP/IP)
        Specifies TCP/IP network addresses
        For example: 9.67.102.37, 0.0.0.0, and 255.255.255.255
IPX (Novell)
        Specifies a Novell IPX network address
        For example: 11223344.5566778899AA and FFFFFFFF.FFFFFFFFFFFF
IDP (XNS)
        Specifies an XNS IDP network address
        For example: 045C819D.10005A112233 and FFFFFFFF.FFFFFFFFFFFF
DRP (DECnet)
        Specifies a DECnet network address
        For example: 9.256 and 63.1023
DDP (AppleTalk)
        Specifies an AppleTalk network address
        For example: 9.0, 63.255, and 65535.255
VIP (VINES)
        Specifies a Banyan VINES network address
        For example: 11223344.5566 and FFFFFFFF.FFFF
CLNP (ISO)
        Specifies an ISO network address
        For example: 11223344 and 4700040001000108000200E10E01

In the Station Name edit field you can specify the symbolic name for the station entered in the address field. Symbolic names can be up to 32 characters long.

In the Manufacturer Name edit field (displayed when the DLC Manufacturer ID address level is selected) you can specify the manufacturer name for the manufacturer ID specified in the Manufacturer ID edit field. Manufacturer names can be up to 8 characters long.

Depending on what is selected in the Symbolic Name Type combination box, the List of Symbolic Names list box displays the current list of symbolic names. You can use the buttons beneath this list box to edit the list:

o  The Add push button adds the Symbolic Manufacturer ID/Station Address specified in the edit fields to this list. A maximum of 512 symbolic manufacturer IDs and a maximum of 963 symbolic stations for DLC and network addresses (together) can be entered.
o  The Delete push button removes a symbolic name from the list.
o  The Clear push button clears all symbolic names from the list. For symbolic addresses, the list is re-initialized to the default addresses stored in the file STATDEF.SYM for the selected address level.

When you click on OK, the changes to the list of symbolic names are accepted.
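The three DLC address spellings accepted above (colon-separated MSB, hyphen-separated canonical, and bare hex read according to the Address Format preference) all name the same station once each byte is bit-reversed. The following added example, which is not part of the DatagLANce software, normalizes any of them to canonical byte order so that addresses from token-ring and Ethernet captures can be compared; the dlc_* names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum dlc_fmt { DLC_MSB, DLC_LSB };   /* the two Address Format preferences */

/* Reverse the bit order of one byte: MSB-first <-> canonical (LSB-first). */
static uint8_t rev8(uint8_t b)
{
    b = (uint8_t)((b >> 4) | (b << 4));
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
    b = (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
    return b;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse a DLC address into canonical byte order.
   Colons force MSB, hyphens force canonical; bare hex uses 'preferred'.
   Returns 0 on success, -1 on malformed input. */
int dlc_parse(const char *s, enum dlc_fmt preferred, uint8_t canon[6])
{
    size_t n = strlen(s);
    enum dlc_fmt fmt = preferred;
    char sep = 0;

    if (n == 17) {                       /* XX?XX?XX?XX?XX?XX */
        sep = s[2];
        if (sep == ':') fmt = DLC_MSB;
        else if (sep == '-') fmt = DLC_LSB;
        else return -1;
    } else if (n != 12) {                /* bare hex must be exactly 12 digits */
        return -1;
    }
    for (int i = 0; i < 6; i++) {
        const char *p = s + i * (sep ? 3 : 2);
        int hi = hexval(p[0]), lo = hexval(p[1]);
        if (hi < 0 || lo < 0) return -1;
        if (sep && i < 5 && p[2] != sep) return -1;   /* mixed separators */
        uint8_t b = (uint8_t)((hi << 4) | lo);
        canon[i] = (fmt == DLC_MSB) ? rev8(b) : b;
    }
    return 0;
}

/* Render canonical bytes in the requested display format (out holds 18 chars). */
void dlc_format(const uint8_t canon[6], enum dlc_fmt fmt, char out[18])
{
    static const char hex[] = "0123456789ABCDEF";
    char sep = (fmt == DLC_MSB) ? ':' : '-';
    for (int i = 0; i < 6; i++) {
        uint8_t b = (fmt == DLC_MSB) ? rev8(canon[i]) : canon[i];
        out[i * 3]     = hex[b >> 4];
        out[i * 3 + 1] = hex[b & 0x0F];
        out[i * 3 + 2] = (i < 5) ? sep : '\0';
    }
}

/* In canonical order the I/G bit is the LSB of the first byte, U/L the next bit. */
int dlc_is_group(const uint8_t canon[6]) { return (canon[0] & 0x01) != 0; }
int dlc_is_local(const uint8_t canon[6]) { return (canon[0] & 0x02) != 0; }

int main(void)
{
    /* Sample addresses are the ones printed in the User Preferences section. */
    const char *samples[] = { "10:00:5A:11:22:33", "08-00-5A-88-44-CC", "10005A112233" };
    for (int i = 0; i < 3; i++) {
        uint8_t canon[6];
        char msb[18], lsb[18];
        if (dlc_parse(samples[i], DLC_MSB, canon) != 0) continue;
        dlc_format(canon, DLC_MSB, msb);
        dlc_format(canon, DLC_LSB, lsb);
        printf("%-18s MSB %s  canonical %s  group=%d\n",
               samples[i], msb, lsb, dlc_is_group(canon));
    }
    return 0;
}
```

Bare 12-digit input is the ambiguous case: the same digits name a different station under each preference, so record which preference was active when an address was written down.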
Note: All DatagLANce analyzer programs use one common set of symbolic names files. When the symbolic names are edited, they are re-read from this file in case another program has modified this list. Thus it is possible to refresh the symbolic names list in multiple analysis sessions by entering and exiting this window.

═══ 14.3. Symbolic Names File Formats ═══

The DatagLANce Analyzer creates two files from which it gets its symbolic names information for station addresses. These files are standard ASCII text files so you can edit them.

The manufacturer IDs are stored in the file DGNAMANU.SYM in the \DGNA directory. Each line in this file can be specified by one of the following formats:

manufid "IBM " = 10:00:5A
manufid "IBM " = MSB 10005A
manufid "IBM " = 08-00-5A
manufid "IBM " = LSB 08005A

The first parameter on the line identifies this line as a manufacturer ID specification. The second parameter specifies the manufacturer name in quotes. An equal sign follows the second parameter. The last parameter is the manufacturer ID. Colons (:) and dashes (-) are used to differentiate MSB and LSB (canonical) representations respectively. If colons and dashes are not used, you must specify MSB or LSB before the ID.

The default manufacturer IDs are stored in the file MANUDEF.SYM. If you would like to restore the default manufacturer IDs, simply copy this file over DGNAMANU.SYM.

Symbolic station names are stored in the file DGNASTAT.SYM in the \DGNA directory.
Each line in this file can be specified by one of the following formats:

stat "ENCOOK1" = DLC 10:00:5A:F8:16:56
stat "ENCOOK1" = DLC_MSB 10005AF81656
stat "ENCOOK1" = DLC 08-00-5A-1F-68-6A
stat "ENCOOK1" = DLC_LSB 08005A1F686A
stat "h82rs006.raleigh.ibm.com" = IP 9.67.192.244
stat "LP10512F" = IPX 01000000.0080A110512F
stat "3+Open File Server" = IDP 01465837.02608C245987
stat "CHERA1" = DRP 49.157
stat "Tetris" = ATALK 8451.97
stat "VINES Server" = VINES 01000003.0001
stat "10MAN2" = ISO 5031304D414E32

The first parameter on the line identifies this line as a station names specification. The second parameter specifies the station name in quotes. An equal sign follows the second parameter. The third parameter defines the address type. The fourth parameter is the station network address. For DLC addresses, colons (:) and dashes (-) are used to differentiate MSB and LSB (canonical) representations respectively. If colons and dashes are not used, you must specify MSB or LSB before the address.

The default symbolic station names are stored in the file STATDEF.SYM. These names are restored when you select to clear the selected address level on the Edit Symbolic Names Window (see ).

═══ 15. Configurations ═══

The DatagLANce analyzer enables you to save its program configurations and recall them in the future. Any user preferences selected, window arrangements, and event detector configurations are saved in each of the configurations. You can save a configuration by selecting a menu choice in the DatagLANce analyzer software application. There are two ways to load DatagLANce analyzer configurations. We will discuss saving and loading configurations in the next sections.

═══ 15.1. Saving Configurations ═══

You can save a configuration by selecting Save Configuration from the File menu of the DatagLANce Network Analyzer control window or the DatagLANce Protocol Analysis window.
Selecting the Save Configuration choice causes the window shown in Figure "Save Configuration Options Window" to be displayed.

Save Configuration Options Window

The configuration path name should be specified without an extension.

═══ 15.2. Loading Configurations from the Menu ═══

You can load a configuration by selecting the Load Configuration choices from the File menu of the DatagLANce Network Analyzer control window or the DatagLANce Protocol Analysis window. Selecting the Load Configuration choice causes the window shown in Figure "Load Configuration Options Window" to be displayed.

Load Configuration Options Window

The Files list box displays the list of configurations available in the directory specified in the Path field. You can use the Directories list box to change to another directory.

The configuration, STARTUP, is the configuration that is loaded each time the program is started. This configuration can be changed by saving the desired configuration into this configuration. Also, when the program is exited, a window is shown asking whether to save the current configuration of the program as the startup configuration. Answering YES on this window also changes this configuration.

═══ 15.3. Loading Configuration from the OS/2 Workplace Shell ═══

You can load a configuration by clicking on OS/2 workplace shell icons. When the DatagLANce analyzer software is installed, the installation program will create a program-specific group of workplace shell icons for each DatagLANce analyzer media installed. The Ethernet DatagLANce group is entitled Ethernet DatagLANce and the Token-Ring DatagLANce group is entitled Token-Ring DatagLANce. This group icon can be found on your OS/2 desktop. When this group is opened, by double-clicking on it with mouse button 1, the window shown in Figure "DatagLANce analyzer Configuration Icons" will be displayed.
DatagLANce analyzer Configuration Icons

Each of the icons in this group will cause the DatagLANce analyzer to load the configuration that the icon describes. If the appropriate DatagLANce analyzer application is not running, it will be loaded.

You can copy the Template icon for your own custom configurations. Click on this icon with mouse button 2 and a menu is displayed. Select the Copy... menu choice and a window is displayed. Enter, in the New name edit field, the name that you want to give your new configuration icon (for example, My Configuration). Also, select the folder into which you want to copy this icon (you might want to keep all DatagLANce analyzer configuration icons in the same group). Then, click on the Copy push button at the bottom of the window when you have specified the name.

Once the new icon is displayed in the window, update its properties to load your configuration. Click on this icon with mouse button 2 and a menu is displayed. Click on the arrow next to the Open choice and a submenu is displayed. Click on the Settings choice. The Settings window for the icon will then be displayed. Change the /Cyourconfighere text in the Parameters edit field to /CMYCONFIG (where MYCONFIG is the name under which you saved the configuration). There should be no space between the /C and the configuration name in the Parameters edit field. Then close the window by double-clicking on the box at the top left corner of the window.

You can also design your own icon for this configuration by bringing up the Settings window again for the configuration and clicking on the General tab on the right side of the window. The window will change so you can change the icon. See your OS/2 User's Guide for more information or click on the Help push button.

═══ 15.4. Configuration Files - Naming Conventions ═══

DatagLANce analyzer configurations are a collection of multiple files.
The naming conventions for these files are:

Application                               Naming Convention
Token-Ring DatagLANce Network Analyzer    .W??
Ethernet DatagLANce Network Analyzer      .Y??
DatagLANce Protocol Analysis              .P??

The ?? in the file name extension indicates that there are multiple file names that start with the extension character. To copy a configuration onto a diskette, move to the directory in which the configuration is stored (usually \DGNA). Then copy all files that begin with the configuration name and the first letter of the extension.

═══ 16. History Statistics File Formats ═══

The DatagLANce analyzer can record history statistics into a file in a binary format. The format of this binary file is defined by the IBM C/2 include file shown in the following example:

/******************************************************************************
**
** Description: DatagLANce Token-Ring/Ethernet
**              History Statistics File Structure Definitions
**
** Programmers: Must use the /Zpe compiler switch to pack structures!
**
*******************************************************************************/
#include <time.h>   /* time_t */

#ifndef MAX_HISTORY_EVENT_STATISTICS
#define MAX_HISTORY_EVENT_STATISTICS 12

struct HISTORY_STAT_FILE_HEADER_STRUCT
{
   char description[64];   /* "Network History Statistics recorded Jan 03 08:00:00 1991.\z*/
   int version;            /* Version of software that created this file */
   int reserved[31];       /* Reserved words */
};

struct HISTORY_STATISTICS_STRUCT
{
   time_t timestamp;            /* timestamp (in secs since 01/01/70) */
   unsigned long unused;
   unsigned long error[4];      /* error[0] = Soft Errors or CRC/Align Errs */
                                /* error[1] = Ring Purges or Collisions */
                                /* error[2] = Beacon Frames or Runts */
                                /* error[3] = Oversized Frames */
   unsigned long reserved[2];   /* reserved */
   struct
   {
      unsigned long frames;     /* total event frames seen over interval */
      unsigned long bytes;      /* Bytes in the frames counted */
   } event_statistics[MAX_HISTORY_EVENT_STATISTICS];
                                /* 0 = unused
                                   1 = unused
                                   2 = unused
                                   3 = any frame
                                   4 = captured frame
                                   5 = unused
                                   6 = unused
                                   7-11 = custom events 0-4 */
};

#endif

The HISTORY_STAT_FILE_HEADER_STRUCT structure defines the file header. Following the file header are one or more records defined by the HISTORY_STATISTICS_STRUCT structure. By using this C include file, you can write a custom program to manipulate the data contained in DatagLANce binary format history statistics files.

═══ 17. Capture Data File Formats ═══

This appendix describes the format of the capture data files created by the Token-Ring and Ethernet DatagLANce Network Analyzers.

The following information is supplied to help you read capture data files written by the Token-Ring and Ethernet DatagLANce analyzers.
The format of these binary files is defined by the IBM C/2 include file shown in the following example:

/******************************************************************************
**
** Description: DatagLANce Token-Ring/Ethernet
**              Capture Data File Structure Definitions
**
** Programmers: Must use the /Zpe compiler switch to pack structures!
**
*******************************************************************************/

/* DatagLANce file header (exactly 512 Bytes) */
struct dataglance_file_header_struct
{
   char description[128];               /* Description of Capture in ASCII - Terminated by ctrl-Z */
   unsigned short version;              /* Version of Software that created the file (i.e. 0x0100 = 1.00) */
   unsigned char type;                  /* Type of data contained in file (2=Token-Ring, 3=Ethernet) */
   unsigned char flags;                 /* Flags field */
                                        /* .... ...1 = File wrapped */
                                        /* .... .1.. = Timestamp is in local time (not GMT) */
                                        /* 0000 0.0. = Reserved */
   unsigned char reserved[12];          /* Reserved bytes */
   unsigned long start_timestamp_sec;   /* Capture start timestamp (in secs since 1970) */
   unsigned long start_timestamp_nsec;  /* Capture start timestamp (in nanoseconds) */
   unsigned char reserved2[8];          /* Reserved bytes */
   unsigned long first_data_block;      /* First data block if wrapped (1 block=512 Bytes) not including */
                                        /* this header */
   unsigned long last_data_block;       /* Last data block if wrapped not including this header */
   unsigned long wrapped_size;          /* Data size if wrapped - exact number of bytes valid in file */
                                        /* starting with byte at first data block (i.e. not including */
                                        /* this file header). */
   unsigned char reserved3[340];        /* Reserved - pads header to 512 bytes exactly */
};

/* file records */
/* */
/* Each 128 bytes of the file following the file header are fixed format records. */
/* These records were designed to be compatible with the buffers found on the */
/* Token-Ring Adapter so that no reformatting would need to be done when */
/* capturing to the buffer or the disk. */
/* */
struct dataglance_frame_record_header
{
   unsigned char marker;                /* Record marker */
                                        /* 1... .... = Start of frame record */
                                        /* .1.. .... = Frames missed field valid */
                                        /* ..1. .... = High resolution timestamp used */
                                        /* .... .1.. = Frame Status Indicators Valid (Token-Ring Only) */
                                        /* .... .0.. = Frame Status Indicators Not Valid (Token-Ring Only)*/
                                        /* .... 1... = Frame is the trigger frame for the capture */
                                        /* ..00 ..00 = Reserved */
   unsigned char receive_status;        /* Receive status */
                                        /* Token-Ring: Receive Frame Status */
                                        /* x... x... = Address recognized indicator */
                                        /* .x.. .x.. = Frame copied indicator */
                                        /* Ethernet: Receive Status */
                                        /* ..1. .... = Broadcast or Multicast Frame */
                                        /* ..0. .... = Non-broadcast/Non-multicast frame */
                                        /* .... .00. = No error in frame */
                                        /* .... .01. = FCS error in frame */
                                        /* .... .11. = Frame Alignment and FCS error in frame */
   unsigned short frame_size;           /* Frame size (after slicing if slicing was active) */
   unsigned short original_frame_size;  /* Original frame length (before slicing) - if zero, is unknown */
   unsigned short timestamp[3];         /* Frame Timestamp - tick timestamps should be added to */
                                        /* capture start timestamp found in the header */
                                        /* Token-Ring: */
                                        /* NOT high resolution timestamp format: */
                                        /* USHORT 10 millisecond ticks since last second */
                                        /* ULONG Timestamp in seconds since 1970 */
                                        /* High resolution timestamp format (units in 840 nanosec ticks)*/
                                        /* USHORT Timestamp high */
                                        /* USHORT Timestamp low */
                                        /* USHORT Timestamp middle */
                                        /* Ethernet: */
                                        /* NOT high resolution timestamp format (units in 32 msec ticks)*/
                                        /* USHORT 1 Timestamp high */
                                        /* USHORT 1 Timestamp low */
                                        /* USHORT 1 Timestamp middle */
                                        /* High resolution timestamp format (units in 840 nanosec ticks)*/
                                        /* USHORT 1 Timestamp high */
                                        /* USHORT 1 Timestamp low */
                                        /* USHORT 1 Timestamp middle */
   unsigned long frame_number;          /* Capture frame number (unique for each frame in file) */
   unsigned short frames_missed;        /* Number of Frames missed before or after this frame */
                                        /* (valid only if marker bit set) */
   unsigned char reserved[22];          /* Reserved */
   unsigned char data[88];              /* First 88 bytes of frame data */
};

struct dataglance_frame_continuation_record
{
   unsigned char marker;                /* Record marker */
                                        /* 0000 0000 = Frame record continuation */
   unsigned char reserved[39];          /* Reserved */
   unsigned char data[88];              /* Subsequent 88 bytes of frame data */
};

/* NOTE: DatagLANce capture data files should ALWAYS be an even multiple of 128 bytes */

═══ 18. DatagLANce Alarms: SNMP Traps and Pager Codes ═══

This chapter discusses details on the SNMP MIB variables that the DatagLANce Network Analyzer will send to a network management station when an alarm occurs, and pager codes that DatagLANce will send to your pager. For details on these alarm options see Configuring Alarms: The Alarm Options.

═══ 18.1. SNMP Traps from the DatagLANce Network Analyzer: The MIB Definition ═══

The following information defines the SNMP MIB variables that the DatagLANce analyzer will send as traps to a network management station.
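Returning to the capture data file layout of chapter 17: a capture file received for analysis is untrusted input, so a reader should check every size field against the bytes actually present before copying frame data. The sketch below is an added example, not IBM's code; it reassembles frames from the 128-byte records and rejects a start record whose frame_size claims more continuation records than the file holds. The dg_* names, little-endian byte order, the ceil(frame_size / 88) record count and the refusal of wrapped files are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes and offsets come from the structure definitions in chapter 17. */
#define DG_HDR_SIZE   512u   /* file header */
#define DG_REC_SIZE   128u   /* every record after the header */
#define DG_REC_DATA    88u   /* frame bytes carried per record */
#define DG_DATA_OFF    40u   /* offset of data[] in both record types */
#define DG_MARK_START 0x80u  /* 1... .... = start of frame record */

enum { DG_OK = 0, DG_END = 1, DG_ERR_SIZE = -1, DG_ERR_TYPE = -2, DG_ERR_WRAPPED = -3,
       DG_ERR_MARKER = -4, DG_ERR_TRUNCATED = -5, DG_ERR_BUFFER = -6 };

struct dg_frame {
    uint8_t  marker, receive_status;
    uint16_t frame_size;     /* bytes stored in the file (after slicing) */
    uint32_t frame_number;
    size_t   next;           /* file offset of the record after this frame */
};

/* ASSUMPTION: multi-byte fields are little-endian (Intel PC running OS/2). */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Validate the file header and report where the first record starts. */
int dg_check_header(const uint8_t *file, size_t len, size_t *first_rec)
{
    if (len < DG_HDR_SIZE || len % DG_REC_SIZE != 0)
        return DG_ERR_SIZE;          /* file must be a multiple of 128 bytes */
    if (file[130] != 2 && file[130] != 3)
        return DG_ERR_TYPE;          /* type: 2=Token-Ring, 3=Ethernet */
    if (file[131] & 0x01)
        return DG_ERR_WRAPPED;       /* wrapped captures are not handled here */
    *first_rec = DG_HDR_SIZE;
    return DG_OK;
}

/* Reassemble the frame whose start record is at file offset off into out[]. */
int dg_next_frame(const uint8_t *file, size_t len, size_t off,
                  struct dg_frame *f, uint8_t *out, size_t out_cap)
{
    if (off >= len) return DG_END;
    if (len - off < DG_REC_SIZE) return DG_ERR_TRUNCATED;
    const uint8_t *rec = file + off;
    if (!(rec[0] & DG_MARK_START)) return DG_ERR_MARKER;

    f->marker = rec[0];
    f->receive_status = rec[1];
    f->frame_size = le16(rec + 2);
    f->frame_number = le32(rec + 12);

    /* ASSUMPTION: a frame occupies ceil(frame_size / 88) consecutive records. */
    size_t nrec = f->frame_size ? (f->frame_size + DG_REC_DATA - 1) / DG_REC_DATA : 1;
    if (nrec > (len - off) / DG_REC_SIZE) return DG_ERR_TRUNCATED;
    if (f->frame_size > out_cap) return DG_ERR_BUFFER;

    size_t copied = 0;
    for (size_t i = 0; i < nrec; i++) {
        const uint8_t *r = rec + i * DG_REC_SIZE;
        if (i > 0 && r[0] != 0x00) return DG_ERR_MARKER;  /* not a continuation */
        size_t n = f->frame_size - copied;
        if (n > DG_REC_DATA) n = DG_REC_DATA;
        memcpy(out + copied, r + DG_DATA_OFF, n);
        copied += n;
    }
    f->next = off + nrec * DG_REC_SIZE;
    return DG_OK;
}

/* CONSTRUCTED sample: header, one 100-byte frame (2 records), then a start
   record that claims 300 bytes although no continuation records follow. */
size_t dg_build_sample(uint8_t *buf, size_t cap)
{
    const size_t total = DG_HDR_SIZE + 3 * DG_REC_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[129] = 0x01;                 /* version 0x0100 */
    buf[130] = 3;                    /* Ethernet */
    uint8_t *r = buf + DG_HDR_SIZE;
    r[0] = DG_MARK_START; r[2] = 100; r[12] = 1;               /* frame 1 */
    for (unsigned i = 0; i < 100; i++)
        r[(i / DG_REC_DATA) * DG_REC_SIZE + DG_DATA_OFF + i % DG_REC_DATA] = (uint8_t)i;
    r += 2 * DG_REC_SIZE;
    r[0] = DG_MARK_START; r[2] = 0x2C; r[3] = 0x01; r[12] = 2; /* claims 300 */
    return total;
}

int main(void)
{
    uint8_t file[896], frame[2048];
    struct dg_frame f = {0};
    size_t len = dg_build_sample(file, sizeof file), off = 0;
    int rc = dg_check_header(file, len, &off);
    while (rc == DG_OK && (rc = dg_next_frame(file, len, off, &f, frame, sizeof frame)) == DG_OK)
        off = f.next;
    printf("last frame seen %lu, final status %d\n", (unsigned long)f.frame_number, rc);
    return 0;
}
```

A status other than DG_END means the walk stopped on malformed input; frames returned before that point are still complete.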
DATAGLANCE-MIB DEFINITIONS ::= BEGIN

IMPORTS
    enterprises FROM RFC1155-SMI
    Counter FROM RFC1155-SMI
    ;

-- IBM MIB
ibm OBJECT IDENTIFIER ::= { enterprises 2 }

-- IBM Products MIB
ibmProd OBJECT IDENTIFIER ::= { ibm 6 }

-- DatagLANce Network Analyzer MIB
datagLANce OBJECT IDENTIFIER ::= { ibmProd 56 }

-- Ethernet DatagLANce Traps Group
traps OBJECT IDENTIFIER ::= { datagLANce 1 }

-- Ethernet DatagLANce Network Analyzer Traps
-- The following traps can be issued by a Ethernet DatagLANce
-- Network Analyzer
ethernetTraps OBJECT IDENTIFIER ::= { traps 1 }

customEvent1Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 1 counts"
    ::= { ethernetTraps 1 }

customEvent2Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 2 counts"
    ::= { ethernetTraps 2 }

customEvent3Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 3 counts"
    ::= { ethernetTraps 3 }

customEvent4Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 4 counts"
    ::= { ethernetTraps 4 }

customEvent5Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 5 counts"
    ::= { ethernetTraps 5 }

networkInactiveTime OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "network inactive time in seconds"
    ::= { ethernetTraps 6 }

allFramesUtilization OBJECT-TYPE
    SYNTAX INTEGER (0 .. 100)
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "all frames utilization (percent)"
    ::= { ethernetTraps 7 }

allFramesCounts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "all frames counts"
    ::= { ethernetTraps 8 }

crcAlignmentErrors OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "count of CRC/Alignment errors"
    ::= { ethernetTraps 9 }

collisions OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "count of collisions, where collisions = collision fragments + jabbers"
    ::= { ethernetTraps 10 }

runtFrames OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "count of runt frames"
    ::= { ethernetTraps 11 }

oversizedFrames OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "count of oversized frames"
    ::= { ethernetTraps 12 }

-- Token-Ring DatagLANce Network Analyzer Traps
-- The following traps can be issued by a Token-Ring DatagLANce
-- Network Analyzer
tokenRingTraps OBJECT IDENTIFIER ::= { traps 2 }

customEvent1Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 1 counts"
    ::= { tokenRingTraps 1 }

customEvent2Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 2 counts"
    ::= { tokenRingTraps 2 }

customEvent3Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 3 counts"
    ::= { tokenRingTraps 3 }

customEvent4Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 4 counts"
    ::= { tokenRingTraps 4 }

customEvent5Counts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "DatagLANce custom event 5 counts"
    ::= { tokenRingTraps 5 }

networkDownTime OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "network down time in seconds"
    ::= { tokenRingTraps 6 }

networkInactiveTime OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "network inactive time in seconds"
    ::= { tokenRingTraps 7 }

allFramesUtilization OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "all frames utilization (percent)"
    ::= { tokenRingTraps 8 }

allFramesCounts OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "all frames counts"
    ::= { tokenRingTraps 9 }

softErrors OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "count of soft errors"
    ::= { tokenRingTraps 10 }

ringPurges OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "count of ring purges"
    ::= { tokenRingTraps 11 }

beaconFrames OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "count of beacon frames"
    ::= { tokenRingTraps 12 }

oversizedFrames OBJECT-TYPE
    SYNTAX Counter
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "count of oversized frames"
    ::= { tokenRingTraps 13 }

END

═══ 18.2. DatagLANce Alarm Pager Codes ═══

The option to append an alarm code to the command sent to your modem (see Configuring Alarms: The Alarm Options) permits you to have the alarm code appear on your pager when it is beeped by the DatagLANce Network Analyzer. The alarm code has the following format:

This alarm code indicates the priority of the alarm, the media to which the alarm applies, and the alarm that occurred. When specifying the dial pager modem command in a multi-DatagLANce Network Analyzer environment, we recommend that you append a network segment indicator code (i.e. 0001 for segment 1) to the end of the command specified to identify the network segment from which the alarm originated.

The specifics of the alarm code fields are listed below.

can be

   0 - returned to normal thresholds
   1 - inform
   2 - warning
   3 - minor
   4 - major
   5 - critical

can be

   1 - ethernet
   2 - token-ring

is specific to media type:

   Ethernet:
      01 - Custom Event 1 Counts
      02 - Custom Event 2 Counts
      03 - Custom Event 3 Counts
      04 - Custom Event 4 Counts
      05 - Custom Event 5 Counts
      06 - Network Inactive Time
      07 - All Frames Utilization
      08 - All Frames Counts
      09 - CRC/Alignment Errors
      10 - Collisions
      11 - Runt Frames
      12 - Oversized Frames

   Token-Ring:
      01 - Custom Event 1 Counts
      02 - Custom Event 2 Counts
      03 - Custom Event 3 Counts
      04 - Custom Event 4 Counts
      05 - Custom Event 5 Counts
      06 - Network Down Time
      07 - Network Inactive Time
      08 - All Frames Utilization
      09 - All Frames Counts
      10 - Soft Errors
      11 - Ring Purges
      12 - Beacon Frames
      13 - Oversized Frames

Some example alarm codes are shown below:

   5110 (Critical collision rate on an ethernet segment)
   5208 (Critical Network Utilization occurring on a token-ring segment)
   0208 (Network Utilization has returned to normal on a token-ring segment)

═══ 18.2.1. Alarm Pager Codes `Card' ═══

The following is the same alarm pager code information, in a convenient `card' format. Feel free to copy it and put it in your pocket for your convenience.
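
The alarm code fields of section 18.2, decoded in Python as an added example (not part of the IBM documentation or the DatagLANce software). The digit layout, one priority digit, one media digit and a two-digit alarm number, is inferred from the page's examples 5110, 5208 and 0208; the names decode, active_alarms and PagerAlarm are hypothetical.

```python
from dataclasses import dataclass

# Field tables transcribed from section 18.2 of this page.
PRIORITIES = {
    0: "returned to normal thresholds",
    1: "inform",
    2: "warning",
    3: "minor",
    4: "major",
    5: "critical",
}
MEDIA = {1: "ethernet", 2: "token-ring"}
_CUSTOM = {n: f"Custom Event {n} Counts" for n in range(1, 6)}
# Alarm numbers are media-specific: 06 and above differ between the two lists.
ALARMS = {
    1: {**_CUSTOM, 6: "Network Inactive Time", 7: "All Frames Utilization",
        8: "All Frames Counts", 9: "CRC/Alignment Errors", 10: "Collisions",
        11: "Runt Frames", 12: "Oversized Frames"},
    2: {**_CUSTOM, 6: "Network Down Time", 7: "Network Inactive Time",
        8: "All Frames Utilization", 9: "All Frames Counts",
        10: "Soft Errors", 11: "Ring Purges", 12: "Beacon Frames",
        13: "Oversized Frames"},
}


@dataclass(frozen=True)
class PagerAlarm:
    code: str
    priority: int
    priority_name: str
    media: str
    alarm: str

    @property
    def cleared(self) -> bool:
        """True when the code reports a return to normal thresholds."""
        return self.priority == 0


def decode(code: str) -> PagerAlarm:
    """Decode one 4-digit alarm code; raise ValueError if it is not valid.

    Assumed layout (inferred from the page's examples 5110, 5208, 0208):
    digit 1 = priority, digit 2 = media, digits 3-4 = alarm number.
    """
    code = code.strip()
    if len(code) != 4 or not (code.isascii() and code.isdigit()):
        raise ValueError(f"expected exactly 4 decimal digits: {code!r}")
    priority, media, number = int(code[0]), int(code[1]), int(code[2:])
    if priority not in PRIORITIES:
        raise ValueError(f"unknown priority {priority} in {code!r}")
    if media not in MEDIA:
        raise ValueError(f"unknown media {media} in {code!r}")
    if number not in ALARMS[media]:
        raise ValueError(f"alarm {number:02d} is not defined for {MEDIA[media]}")
    return PagerAlarm(code, priority, PRIORITIES[priority],
                      MEDIA[media], ALARMS[media][number])


def active_alarms(codes):
    """Replay pager codes in arrival order and return (active, rejected).

    A priority-0 code clears the matching media/alarm pair; any other priority
    replaces the stored level. Undecodable codes are collected, not dropped.
    """
    active, rejected = {}, []
    for raw in codes:
        try:
            alarm = decode(raw)
        except ValueError:
            rejected.append(raw)
            continue
        key = (alarm.media, alarm.alarm)
        if alarm.cleared:
            active.pop(key, None)
        else:
            active[key] = alarm
    # Most severe first, so the on-call reader sees the highest priority on top.
    return sorted(active.values(), key=lambda a: -a.priority), rejected


if __name__ == "__main__":
    # Constructed sequence of pages; the first three are the page's examples.
    received = ["5110", "5208", "0208", "3110", "4206", "5113", "51x0"]
    current, bad = active_alarms(received)
    for a in current:
        print(f"{a.code}  {a.priority_name:<8} {a.media:<10} {a.alarm}")
    print("rejected:", bad)
```

Alarm number 06 decodes to Network Inactive Time on Ethernet but to Network Down Time on Token-Ring, so the media digit has to be read before the alarm number is looked up.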

The alarm code has the following format:

can be

   0 - returned to normal thresholds
   1 - inform
   2 - warning
   3 - minor
   4 - major
   5 - critical

can be

   1 - ethernet
   2 - token-ring

is specific to media type:

   Ethernet:
      01 - Custom Event 1 Counts
      02 - Custom Event 2 Counts
      03 - Custom Event 3 Counts
      04 - Custom Event 4 Counts
      05 - Custom Event 5 Counts
      06 - Network Inactive Time
      07 - All Frames Utilization
      08 - All Frames Counts
      09 - CRC/Alignment Errors
      10 - Collisions
      11 - Runt Frames
      12 - Oversized Frames

   Token-Ring:
      01 - Custom Event 1 Counts
      02 - Custom Event 2 Counts
      03 - Custom Event 3 Counts
      04 - Custom Event 4 Counts
      05 - Custom Event 5 Counts
      06 - Network Down Time
      07 - Network Inactive Time
      08 - All Frames Utilization
      09 - All Frames Counts
      10 - Soft Errors
      11 - Ring Purges
      12 - Beacon Frames
      13 - Oversized Frames

═══ 19. Command Line Interface to the DatagLANce Network Analyzer ═══

This chapter discusses details on the DatagLANce Command Line Interface.

═══ 19.1. DatagLANce Network Analyzer Application Command Line Options ═══

The following sections discuss the command-line options to all of the DatagLANce Applications.

═══ 19.1.1. DatagLANce Application Launcher ═══

DGLAUNCH [application options]

The DatagLANce Application Launcher checks to see if a DatagLANce application is running. If it is not running (or not being used), the application is started with the application options specified. If it is running, DGLAUNCH communicates with the application via DDE (Dynamic Data Exchange) to send the options.

DGLAUNCH should be used to invoke all DatagLANce Network Analyzer applications (i.e. TRMON and ENMON) since multiple instances of DatagLANce Network Analyzer applications cannot be executed for the same network interface.

This program should be executed from the directory where you installed the DatagLANce Network Analyzer software.

may be DGPA, TRMON or ENMON

═══ 19.1.2. DatagLANce Protocol Analysis ═══

DGPA [/SMALLCFG] [/Wdirectory] [/Cconfigname] [/TYPE:filetype] [/T] [/DLC:type] [/Ffile or /Bbuffer]

/SMALLCFG
   Save compressed configurations. These configurations take less disk space but require more time to load.

/Wdirectory
   The working directory for this application. The application expects to find the configuration that it will load in this directory.

/Cconfigname
   The name of the application configuration to load. If this option is not specified "startup" will be assumed as the configuration name. This configuration is loaded ONLY if the protocol analysis session is not already running.

/TYPE:filetype
   This option selects the default format of data to be analyzed. can be DGC (DatagLANce), TAP (Trace and Performance), PDA (Protools* Foundation Manager*), TRC (Sniffer* Token-Ring), ENC (Sniffer* Ethernet) or LZ (Novell* LANalyzer*). This option can be used with /F to indicate the type of data stored in the file specified. DGC is assumed if this option is omitted.

/T
   Causes the DatagLANce Protocol Analysis software to jump to the trigger frame in the capture data when it is opened. /F or /B must be specified.

/DLC:type
   Specifies the default network type to assume when loading the configuration. can be TR (Token-Ring), EN (Ethernet) or FDDI. This option will cause the application to avoid having to re-load the event detectors after it determines what type of data is contained in the file.

/Ffile
   Specifies the file source to analyze. should be the full pathname of the file if is not in the application's working directory.

/Bbuffer
   Specifies the capture buffer source to analyze. can be DGTRx$ (Token-Ring Capture Buffer) or DGENx$ (Ethernet Capture Buffer). x represents the network interface number (0 = single interface).

Examples:

   DGPA /FENDEMO.DGC
   DGPA /TYPE:TRC /FTRDEMO5.TRC
   DGPA /CMYCONFIG /BDGTR0$
   DGPA /T /BDGEN0$

═══ 19.1.3. Ethernet/Token-Ring DatagLANce Network Analyzer ═══

ENMON [/SMALLCFG] [/Wdirectory] [/Cconfigname] [/NOMSG] [/GO] [/NC] [/I:x] [/STOP] [/EXIT]
TRMON [/SMALLCFG] [/Wdirectory] [/Cconfigname] [/NOMSG] [/GO] [/NC] [/I:x] [/STOP] [/EXIT]

/SMALLCFG
   Save compressed configurations. These configurations take less disk space but require more time to load.

/Wdirectory
   The working directory for this application. The application expects to find the configuration that it will load in this directory.

/Cconfigname
   The name of the application configuration to load.

/NOMSG
   Assume YES, OK, or RETRY when all message boxes appear. This option enables non-interactive mode invocations of the software (see below).
   WARNING: For the Token-Ring DatagLANce Network Analyzer this option causes the ring speed verification message box to be suppressed. Make sure the ring speed is set correctly (manually or in the configuration).

/GO
   Start the monitor immediately when the program is launched. /NOMSG should be used to suppress any message boxes that might pop up.

/NC
   Start a new capture. The application must be running.

/I:x
   Selects the network interface to use. Zero (single adapter interface) is assumed if omitted.

/STOP
   Stop the monitor. /NOMSG should be used to suppress any message boxes that might pop up.

/EXIT
   Exit the application. Application must not be monitoring/capturing. /NOMSG should be used to suppress any message boxes that might pop up.

Examples:

Note: We recommend that you use DGLAUNCH to run these applications. Two copies of these applications cannot be started, and DGLAUNCH ensures that only one copy will be started.

   DGLAUNCH TRMON /CCAPTURE
   DGLAUNCH ENMON /CSTARTUP /NOMSG /GO

═══ 19.2. Controlling the DatagLANce Network Analyzer from a Remote Location ═══

There are at least two methods to access the DatagLANce Network Analyzer remotely:

1. IBM's Distributed Console Access Facility, Version 1.1 or later.
   This IBM Program Product allows you to control DatagLANce remotely over a modem, LAN, or WAN connection using the OS/2 interface. It is like sitting in front of the DatagLANce Network Analyzer, but at a remote location. All DatagLANce graphics functions are supported and the system is under your complete control. Contact your local IBM dealer for ordering information.

2. TCP/IP Telnet (or any other remote-login software product)

   IBM's TCP/IP for OS/2 product, if installed on the remote DatagLANce Network Analyzer, will allow you to telnet to the machine and issue commands at an OS/2 prompt. This interface is text-based only, but allows you to start and stop the DatagLANce Network Analyzer. See "DatagLANce Utilities" for a description of the DGCMD utility.

═══ 19.3. DatagLANce Utilities ═══

A number of utilities are included with the DatagLANce Network Analyzer software:

o Modification of configurations from the command line

   This utility allows you to change one or more DatagLANce configurations using one command. The video scheme and address format (MSB or LSB) can be changed as well as the ring speed for Token-Ring DatagLANce configurations.

   This utility can be found in the directory where you installed the DatagLANce Network Analyzer software (usually \DGNA).

   Utility Command Syntax:
   -----------------------
   DGCFGMOD - DatagLANce Configuration Options Modifier Utility

   Syntax: DGCFGMOD appname configname [RINGSPEED:x] [ADDRESSES:y] [COLOR or MONO] [VGA2XGA or XGA2VGA]

      where x is 4 or 16
      where y is MSB or LSB
      appname can be TRMON, ENMON, or DGPA
      configname may contain wildcards

   Examples:

      DGCFGMOD TRMON STARTUP RINGSPEED:16 ADDRESSES:MSB
      DGCFGMOD TRMON * RINGSPEED:4
      DGCFGMOD ENMON STARTUP ADDRESSES:LSB
      DGCFGMOD DGPA STARTUP ADDRESSES:LSB
      DGCFGMOD DGPA * COLOR
      DGCFGMOD TRMON * VGA2XGA

   Description of options:

      RINGSPEED:x - Sets the ring speed for Token-Ring DatagLANce configurations
      ADDRESSES:y - Selects the preference for address formats. LSB selects canonical addresses.
      MONO        - Selects that the configuration will be used on monochrome video
      COLOR       - Selects that the configuration will be used on color video
      VGA2XGA     - Converts TRMON and ENMON configurations to support XGA video resolution from a configuration that has VGA resolution
      XGA2VGA     - Converts TRMON and ENMON configurations to support VGA video resolution from a configuration that has XGA resolution

o Conversion of configurations

   This utility allows you to copy Ethernet DatagLANce configurations to Token-Ring DatagLANce configurations and vice-versa. Even though this utility can assist you in the conversion process, you must make sure that media-specific events (such as beacon frames for token-ring, collisions for Ethernet) and alarms are applicable to both networks. Event detectors configured for pattern matches should also be examined after conversion to make sure the pattern will match the media's frame formats.

   This utility can be found in the directory where you installed the DatagLANce Network Analyzer software (usually \DGNA).

   Utility Command Syntax:
   -----------------------
   DGCFGCPY - DatagLANce Configuration Copy/Conversion Utility

   DGCFGCPY sourceapp configname targetapp [OVERWRITE]

      sourceapp can be TRMON or ENMON
      targetapp should be opposite (i.e. sourceapp=TRMON, targetapp=ENMON)
      configname may contain wildcards

   Examples:

      DGCFGCPY TRMON CAPTURE ENMON
      DGCFGCPY ENMON * TRMON

o Command line invocation of the DatagLANce Network Analyzer Applications (supporting TELNET)

   This utility lets you start and stop the DatagLANce Network Analyzer applications from an OS/2 command file as well as a TELNET session (if OS/2 TCP/IP and another network adapter are installed). This utility uses the DGLAUNCH program and options described in "DatagLANce Network Analyzer Command Line Options" in this file to make a simple interface to allow you to control the DatagLANce Network Analyzer from the command line.

   Before using this utility you must create configurations to use when invoking DatagLANce. You can use any of the supplied DatagLANce configurations or create your own.

   This utility should be run from the directory where you installed the DatagLANce Network Analyzer software.

   Note: All verification message boxes are disabled by this utility. Therefore be aware that associated current data and data files will be overwritten without notice.

   Warning: For Token-Ring, you must guarantee that the ring speed is set correctly! If DatagLANce enters the ring at the wrong ring speed the ring will go down and stay down until you stop the analyzer. Use the DGCFGMOD command to make sure the ring speed is correct (see above) BEFORE starting the TRMON application using the LAUNCH command. If the application has already been started, use the EXIT command first before using DGCFGMOD to set the ring speed.

   Utility Command Syntax:
   -----------------------
   DGCMD appname command [options]

      where appname is TRMON or ENMON (or TRMON1/TRMON2 ENMON1/ENMON2 if dual interfaces installed)

      command and [options] are:

         LAUNCH [configname]
         START
         STOP
         PRINT [ REPORT reportcode [outputfile [/CSV]] or
                 TRAFFIC #entries [outputfile [/CSV]] ]
         SORT [ TOTAL or TO or FROM or TOANDFROM or BOTH or
                ASCENDING or DESCENDING or sortcode ]
         EXIT

   Description of options:

   LAUNCH [configname] - starts the application (if it is not already started) and causes the application to load the configuration configname. STARTUP will be loaded if configname is omitted.

   START - Causes DatagLANce to start monitoring/capturing.

   STOP - Causes DatagLANce to stop monitoring/capturing.

   PRINT REPORT reportcode [outputfile [/CSV]] - Prints a DatagLANce report. Output will be to PRN: if outputfile is omitted. /CSV can be used to output comma-separated-variable format to the file specified.

      reportcode can be one of the following:

           0  Cumulative Network Statistics
           1  Cumulative Event Statistics
           2  Event Distribution (% of Frames)
           3  Event Distribution (% of Bytes)
           4  Event Distribution (% of Utilization)
           5  Event Distribution (All)
           6  All Frames History (Peaks Only)
           7  All Frames History
           8  Captured Frames History
           9  Custom Event 1 History
          10  Custom Event 2 History
          11  Custom Event 3 History
          12  Custom Event 4 History
          13  Custom Event 5 History

      If traffic analysis is enabled the following reportcodes print the reports below, depending on which traffic analysis was performed:

      DLC Station Analysis:
         128  Top 10 Talkers (DLC Addresses)
         129  Top 10 Listeners (DLC Addresses)
         130  Busiest 10 Stations (DLC Addresses)
         131  Top 10 Errors
         132  Station List (DLC Addresses)

      DLC Traffic Matrix Analysis:
         128  Top 10 DLC Station Pairs (Frames)
         129  Top 10 DLC Station Pairs (Bytes)

      Network Station Analysis:
         128  Top 10 Talkers (Network Addresses)
         129  Top 10 Listeners (Network Addresses)
         130  Busiest 10 Stations (Network Addresses)
         131  Station List (Network Addresses)

      Protocol Matrix Analysis:
         128  Top 10 Protocol Pairs (Frames)
         129  Top 10 Protocol Pairs (Bytes)

      Dynamic Protocol Distribution Analysis:
         128  Frame Length Distribution
         129  Top 10 Protocols (Frames)
         130  Top 10 Protocols (Bytes)
         131  Major Protocol Distribution (Frames)
         132  Major Protocol Distribution (Bytes)
         133  All Protocols (Frames)
         134  All Protocols (Bytes)

      Source Routing Traffic Analysis:
         128  Top 10 Routes (Frames)
         129  Top 10 Routes (Bytes)
         130  All Routes (Frames)
         131  All Routes (Bytes)
         132  Source Routing Length Distribution
         133  Source Routing Type Distribution

      Token-Ring Soft Error Analysis:
         128  Top 10 Soft Errors (Breakdown)
         129  All Soft Errors (Breakdown)

   PRINT TRAFFIC #entries [outputfile [/CSV]] - Prints the traffic statistics accumulated. The fields printed are those selected for display in the traffic statistics window, so make sure your configuration is set up to display all the information you want printed.
      #entries is the maximum number of traffic statistics entries to print (starting with first). Output will be to PRN: if outputfile is omitted. /CSV can be used to output comma-separated-variable format to the file specified. Using the SORT command (see below) you can cause the traffic statistics to be sorted in a special way before printing.

   SORT [ TOTAL or TO or FROM or TOANDFROM or BOTH or ASCENDING or DESCENDING or sortcode ] - Re-sorts the traffic statistics accumulated using the option specified.

      sortcode is a number from 0 to 31. Not all sort codes apply to all traffic analysis options. The following are some common sort codes:

          0  station address
          1  partner address
          2  status (DLC station analysis)
          3  frames
          4  bytes
          5  avg frame rate
          6  avg byte rate
          7  avg size
          8  avg utilization
          9  percent frame traffic
         10  percent byte traffic
         12  first activity
         13  last activity
         14  elapsed activity
         16  errors (DLC station analysis)
         17  largest frame size
         18  smallest frame size
         20  station DLC address (protocol matrix analysis)
         21  partner DLC address (protocol matrix analysis)
         22  major protocol
         23  minor protocol
         24  source routing length (protocol matrix analysis)
         25  source ring number (protocol matrix analysis)
         26  destination ring number (protocol matrix analysis)

   EXIT - closes and exits the application. Any changes to the configuration will automatically be saved (including SORT options for traffic statistics). You must issue a STOP command before EXIT to ensure that the program exits when you issue this command.

   Usage notes:

   - Use CALL before DGCMD in OS/2 command files.
   - Use the DGSLEEP utility to allow for sufficient time between commands (especially large print jobs). The syntax is:

        DGSLEEP HH:MM
           where HH is hour (0-23) and MM is minute (0-59)
        or
        DGSLEEP seconds

═══ 19.4. Example Scenarios for the DatagLANce Command Line Interface ═══

1.
   Setting up the DatagLANce Network Analyzer to start up automatically, monitor a network daily, print daily reports, and copy those reports to a central file server.

   This scenario requires another adapter for network communication and file-sharing software (such as NFS, OS/2 LAN Requester, etc.). For this example we created a Token-Ring DatagLANce configuration called MONITOR with DLC Station Traffic Analysis enabled.

   a. Create/modify STARTUP.CMD in C:\OS2:

      rem Change to the DatagLANce directory
      C:
      CD \DGNA
      rem Make sure the ring speed is set correctly
      CALL DGCFGMOD TRMON MONITOR RINGSPEED:16
      rem Load MONITOR configuration (customized by user)
      CALL DGCMD TRMON LAUNCH MONITOR
      rem This label will cause us to loop forever (when we go to it later)
      :LOOP
      rem Start monitoring the network
      CALL DGCMD TRMON START
      rem Go to sleep until 11:45 PM at night using DGSLEEP utility
      DGSLEEP 23:45
      rem When we wake up, let's stop the monitor
      CALL DGCMD TRMON STOP
      rem Print desired reports
      CALL DGCMD TRMON PRINT REPORT 0 NETSTAT.PRN
      DGSLEEP 30
      CALL DGCMD TRMON PRINT REPORT 7 HISTORY.PRN
      DGSLEEP 30
      CALL DGCMD TRMON PRINT REPORT 131 TOPERRS.PRN
      DGSLEEP 30
      rem Print desired traffic statistics (top 100 talkers, listeners)
      rem sort by frames (sort code 3)
      CALL DGCMD TRMON SORT 3
      DGSLEEP 30
      rem sort by top talkers
      CALL DGCMD TRMON SORT FROM
      DGSLEEP 30
      rem print top 100 talkers
      CALL DGCMD TRMON PRINT TRAFFIC 100 TALKERS.PRN
      DGSLEEP 30
      rem sort by top listeners
      CALL DGCMD TRMON SORT TO
      DGSLEEP 30
      rem print top 100 listeners
      CALL DGCMD TRMON PRINT TRAFFIC 100 LISTENRS.PRN
      DGSLEEP 30
      rem Backup reports in this DatagLANce's directory on the file server
      rem These commands make sure only last 10 days reports are saved
      IF EXIST P:\REPORTS\DG_1\*.10 DEL P:\REPORTS\DG_1\*.10
      IF EXIST P:\REPORTS\DG_1\*.9 RENAME P:\REPORTS\DG_1\*.9 *.10
      IF EXIST P:\REPORTS\DG_1\*.8 RENAME P:\REPORTS\DG_1\*.8 *.9
      IF EXIST P:\REPORTS\DG_1\*.7 RENAME P:\REPORTS\DG_1\*.7 *.8
      IF EXIST P:\REPORTS\DG_1\*.6 RENAME P:\REPORTS\DG_1\*.6 *.7
      IF EXIST P:\REPORTS\DG_1\*.5 RENAME P:\REPORTS\DG_1\*.5 *.6
      IF EXIST P:\REPORTS\DG_1\*.4 RENAME P:\REPORTS\DG_1\*.4 *.5
      IF EXIST P:\REPORTS\DG_1\*.3 RENAME P:\REPORTS\DG_1\*.3 *.4
      IF EXIST P:\REPORTS\DG_1\*.2 RENAME P:\REPORTS\DG_1\*.2 *.3
      IF EXIST P:\REPORTS\DG_1\*.1 RENAME P:\REPORTS\DG_1\*.1 *.2
      IF EXIST P:\REPORTS\DG_1\*.PRN RENAME P:\REPORTS\DG_1\*.PRN *.1
      rem Now copy the reports to appropriate directory
      COPY *.PRN P:\REPORTS\DG_1
      rem Start the monitoring/report process again
      GOTO LOOP

   b. Run STARTUP or reboot OS/2 (STARTUP will automatically run when the system is started).

2. Using TELNET and FTP to do remote captures on DatagLANce from another DatagLANce network analyzer.

   For this scenario we have two Ethernet DatagLANce Network Analyzers, with two network adapters in each (one for DatagLANce, one for network communication). One DatagLANce (remotely located) is configured to accept TELNET sessions and FTP requests. Each DatagLANce Network Analyzer has OS/2 TCP/IP installed.

   a. Configure the local DatagLANce to capture the desired traffic on the remote DatagLANce. Make sure that you select Capture to File. For this example we will assume that your configuration will be named CAPTURE and that you will capture to the file ETHERNET.DGC.

   b. FTP all files of the configuration (see Appendix E of the User's Guide concerning configuration files) to the remote DatagLANce. Make sure that you place the configuration files in the directory where the DatagLANce Network Analyzer software is installed (use the FTP CD command to change to the correct directory). Use the FTP MPUT command to MPUT CAPTURE.Y?? (all files for the Ethernet DatagLANce CAPTURE configuration) to the remote DatagLANce.

   c. TELNET to the remote DatagLANce. Move to the directory where the DatagLANce Network Analyzer software is installed.

   d. Issue the following commands:

      DGCMD ENMON LAUNCH CAPTURE
      DGCMD ENMON START
      DGCMD ENMON STOP

   e.
      FTP ETHERNET.DGC to the local DatagLANce and analyze it with the DatagLANce Protocol Analysis software.

3. Monitoring a network's statistics and history using DatagLANce and TELNET.

   This scenario will use a TELNET session to keep watch on a network monitored by a remote DatagLANce Network Analyzer. The remote DatagLANce Network Analyzer has two network adapters (one for the DatagLANce function and one for TCP/IP communication). OS/2 TCP/IP is also installed on the remote DatagLANce. For this scenario we assume that the remote DatagLANce is a Token-Ring DatagLANce and that DatagLANce is already monitoring on the remote LAN (the commands are not displayed in this scenario for launching and starting the application; see the previous scenarios).

   a. Create SHOWSTAT.CMD on the remote DatagLANce Network Analyzer:

      CALL DGCMD TRMON PRINT REPORT 0 NETSTAT.PRN
      DGSLEEP 30
      TYPE NETSTAT.PRN

   b. Create SHOWHIST.CMD on the remote DatagLANce Network Analyzer:

      CALL DGCMD TRMON PRINT REPORT 7 HISTORY.PRN
      DGSLEEP 30
      TYPE HISTORY.PRN

   c. TELNET into the remote DatagLANce and move to the directory where the DatagLANce Network Analyzer software is installed.

   d. Type SHOWSTAT or SHOWHIST as desired.

   Note: You could modify the command files to continuously loop displaying statistics as they refresh.

═══ 20. List of Abbreviations ═══

ARP      Address Control Message Protocol
ANSI     American National Standards Institute
ASCII    American National Standard Code for Information Exchange
BPDU     Bridge Protocol Data Unit
CRC      Cyclic redundancy check
DA       Destination Address
DARPA    Defense Advanced Research Projects Agency
DDN      Defense Data Network
DISC     Disconnect
DLC      Data link control
DM       Disconnected Mode
DOS      Disk Operating System
DSAP     Destination service access point
EBCDIC   Extended binary-coded decimal interchange code
FCS      Frame check sequence
FDDI     Fiber Distributed Data Interface
FIFO     First-in first-out
FRMR     Frame Reject
FS       Frame Status
GB       Gigabyte
ICMP     Internet Control Message Protocol
ID       Identifier
IEEE     Institute of Electrical and Electronics Engineers
IP       Internet Protocol
ISA      Industry Standard Architecture
ISO      International Organization for Standardization
I/O      Input/output
LSB      Least significant bit
KB       Kilobyte
MB       Megabyte
LAN      Local area network
LED      Light emitting diode
LLC      Logical Link Control
LPDU     Logical Link Control Protocol Data Unit
LSAP     Link service access point
MAC      Media access control
Mbps     Megabits per second
MBps     Megabytes per second
MHz      Megahertz
MSB      Most significant bit
msec     Milliseconds
NAUN     Nearest active upstream neighbor
NetBIOS  Network Basic Input/Output System
NFS      Network File System
OEM      Original equipment manufacturer
OSI      Open Systems Interconnection
OS/2     Operating System/2*
PC       Personal computer
PDU      Protocol Data Unit
PS/2     Personal System/2
RAM      Random access memory
REJ      Reject
RNR      Receiver Not Ready
RR       Receiver Ready
SA       Source address
SAA*     Systems Application Architecture*
SABME    Set Asynchronous Balance Mode Extended
SAP      Service access point
SCSI     Small Computer System Interface
SNA      Systems Network Architecture
SNAP     Sub-Network Access Protocol
SSAP     Source service access point
TAP      Trace and performance
TCP      Transmission Control Protocol
TCP/IP   Transmission Control Protocol/Internet Protocol
TTL      Transistor-transistor logic
UA       Unnumbered Acknowledgment
UDP      User Datagram Protocol
UI       Unnumbered Information
XID      Exchange Identification
XNS      Xerox** networking systems
X.25     Packet-switched networks
µsec     microsecond

═══ 21. Glossary ═══

This glossary defines the terms and abbreviations used in this book. It includes terms and definitions from the IBM Dictionary of Computing (Information Processing, Personal Computing, Telecommunications, Office Systems, IBM-Specific Terms), SC20-1699.

o The symbol (A) identifies definitions from the American National Dictionary for Information Processing Systems, copyright 1982 by the Computer and Business Equipment Manufacturers Association (CBEMA).

o The symbol (I) identifies definitions from the ISO Vocabulary-Information Processing and ISO Vocabulary-Office Machines, developed by the International Organization for Standardization, Technical Committee 97, Subcommittee 1.

o The symbol (T) identifies definitions from draft international standards, draft proposals, and working papers in development by the International Organization for Standardization, Technical Committee 97, Subcommittee 1.

═══ 21.1. absolute time ═══

absolute time

In DatagLANce Protocol Analysis, the arrival time-stamp of a frame that has been captured. This time-stamp is to a resolution of 80 nanoseconds.

═══ 21.2. active ═══

active

1. Able to communicate on the network. A token-ring network adapter is active if it is able to transmit and receive on the network.
2. Operational.
3. Pertaining to a node or device that is connected or is available for connection to another node or device.
4. Currently transmitting or receiving.

═══ 21.3. active monitor ═══

active monitor

A function in a single adapter on a token-ring network that initiates the transmission of tokens and provides token error recovery facilities. Any active adapter on the ring has the ability to provide the active monitor function if the current active monitor fails.

═══ 21.4. adapter ═══

adapter

In a LAN, within a communicating device, a circuit card that, with its associated software and/or microcode, enables the device to communicate over the network.

═══ 21.5. address ═══

address

1. In data communication, the IEEE-assigned unique code or the unique locally administered code assigned to each device or workstation connected to a network.
2. A character, group of characters, or a value that identifies a register, a particular part of storage, a data source, or a data sink.
   The value is represented by one or more characters. (T)
3. To refer to a device or an item of data by its address. (A)
4. The location in the storage of a computer where data is stored.
5. In word processing, the location, identified by the address code, of a specific section of the recording medium or storage. (T)

═══ 21.6. analog ═══

analog

Pertaining to data consisting of continuously variable physical quantities. (A) Contrast with digital.

═══ 21.7. architecture ═══

architecture

A logical structure that encompasses operating principles including services, functions, and protocols. See computer architecture, network architecture, Systems Application Architecture (SAA), Systems Network Architecture (SNA).

═══ 21.8. asynchronous ═══

asynchronous

1. Pertaining to two or more processes that do not depend upon the occurrence of a specific event such as a common timing signal. (T)
2. In Fiber Distributed Data Interface (FDDI) rings, a type of data traffic that does not need bounded access delay to the medium and guaranteed throughput.

═══ 21.9. attach ═══

attach

To make a device a part of a network logically.

Note: Not to be confused with connect, which implies physically connecting a device to a network.

═══ 21.10. attaching device ═══

attaching device

Any device that is physically connected to a network and can communicate over the network.

═══ 21.11. automatic single-route broadcast ═══

automatic single-route broadcast

A function used by some IBM bridge programs to determine the correct settings for, and set the bridge single-route broadcast configuration parameters dynamically, without operator intervention. As bridges enter and leave the network, the parameter settings may need to change to maintain a single path between any two LAN segments for single-route broadcast messages. See also single-route broadcast.

═══ 21.12. bandwidth ═══

bandwidth

1. The difference, expressed in hertz, between the highest and the lowest frequencies of a range of frequencies.
   For example, analog transmission by recognizable voice telephone requires a bandwidth of about 3000 hertz (3 kHz).
2. The bandwidth of an optical link designates the information-carrying capacity of the link and is related to the maximum bit rate that a fiber link can support.

═══ 21.13. beacon ═══

beacon

1. A frame sent by an adapter on a ring network indicating a serious ring problem, such as a broken cable. It contains the addresses of the beaconing station and its nearest active upstream neighbor (NAUN).
2. To send beacon frames continuously. An adapter is beaconing if it is sending such a frame.

═══ 21.14. beaconing ═══

beaconing

An error-indicating function of token-ring adapters that assists in locating a problem causing a hard error on a token-ring network.

═══ 21.15. binary ═══

binary

1. Pertaining to a system of numbers to the base two; the binary digits are 0 and 1. (A)
2. Pertaining to a selection, choice, or condition that has two possible different values or states. (I) (A)

═══ 21.16. bit ═══

bit

Either of the binary digits: a 0 or 1.

═══ 21.17. bridge ═══

bridge

1. An attaching device that connects two LAN segments to allow the transfer of information from one LAN segment to the other. A bridge may connect the LAN segments directly by network adapters and software in a single device, or may connect network adapters in two separate devices through software and use of a telecommunications link between the two adapters.
2. A functional unit that connects two LANs that use the same logical link control (LLC) procedures but may use the same or different medium access control (MAC) procedures. (T)

Contrast with gateway and router.

═══ 21.18. bridge number ═══

bridge number

The bridge identifier that the user specifies in the bridge program configuration file. The bridge number distinguishes among parallel bridges. Parallel bridges connect the same two LAN segments.

═══ 21.19. broadband local area network (LAN) ═══

broadband local area network (LAN)

A local area network (LAN) in which information is encoded, multiplexed, and transmitted through modulation of a carrier. (T)

═══ 21.20. broadcast ═══

broadcast

Simultaneous transmission of data to more than one destination.

═══ 21.21. broadcast frame ═══

broadcast frame

A frame that is simultaneously transmitted to more than one destination. A broadcast frame is forwarded by all bridges, unless otherwise restricted.

═══ 21.22. buffer ═══

buffer

1. A portion of storage used to hold input or output data temporarily.
2. A routine or storage used to compensate for a difference in data rate or time of occurrence of events, when transferring data from one device to another. (A)

═══ 21.23. bus ═══

bus

1. In a processor, a physical facility on which data is transferred to all destinations, but from which only addressed destinations may read in accordance with appropriate conventions. (I)
2. A network configuration in which nodes are interconnected through a bidirectional transmission medium.
3. One or more conductors used for transmitting signals or power. (A)

═══ 21.24. byte ═══

byte

1. A string that consists of a number of bits, treated as a unit, and representing a character. (T)
2. A binary character operated upon as a unit and usually shorter than a computer word. (A)
3. A string that consists of a particular number of bits, usually 8, that is treated as a unit, and that represents a character.
4. A group of 8 adjacent binary digits that represent one extended binary-coded decimal interchange code (EBCDIC) character.
5. See n-bit byte.

═══ 21.25. cable loss (optical) ═══

cable loss (optical)

The loss in an optical cable equals the attenuation coefficient for the cabled fiber times the cable length.

═══ 21.26. cable segment ═══

cable segment

A section of cable between components or devices on a network.
A segment may consist of a single patch cable, multiple patch cables connected together, or a combination of building cable and patch cables connected together. See LAN segment, ring segment.

═══ 21.27. checksum ═══

checksum

1. The sum of a group of data associated with the group and used for checking purposes. (T)
2. On a diskette, data written in a sector for error-detection purposes; a calculated checksum that does not match the checksum of data written in the sector indicates a bad sector.

Note: The data is either numeric or other character strings regarded as numeric for the purpose of calculating the checksum.

═══ 21.28. circuit ═══

circuit

1. A logic device.
2. One or more conductors through which an electric current can flow.

═══ 21.29. collision ═══

collision

An attempt by two units to send a message at one time on a single channel. In some networks, the detection of a collision causes all senders to stop transmissions, while in others the collision is noticed when the receiving station fails to acknowledge the data.

═══ 21.30. command ═══

command

1. A request for performance of an operation or execution of a program.
2. A character string from a source external to a system that represents a request for system action.

═══ 21.31. computer architecture ═══

computer architecture

The organizational structure of a computer system, including hardware and software. (A)

═══ 21.32. configuration ═══

configuration

1. The arrangement of a computer system or network as defined by the nature, number, and chief characteristics of its functional units. More specifically, the term may refer to a hardware configuration or a software configuration. (I) (A)
2. The devices and programs that make up a system, subsystem, or network.
3. See also system configuration.

═══ 21.33. configuration file ═══

configuration file

The collective set of definitions that describes a configuration.

═══ 21.34. connect ═══

connect

In a LAN, to physically join a cable from a station to an access unit or network connection point. Contrast with attach.

═══ 21.35. contention ═══

contention

In a LAN, a situation in which two or more data stations are allowed by the protocol to start transmitting concurrently and thus risk collision. (T)

═══ 21.36. cumulative statistics ═══

cumulative statistics

Statistics that have been collected by the DatagLANce analyzer since the beginning of a monitoring session.

═══ 21.37. current statistics ═══

current statistics

Statistics that have been collected by the DatagLANce analyzer during the last screen refresh interval.

═══ 21.38. custom event ═══

custom event

A user-specified event equation that will cause all frames passing the equation to be counted.

═══ 21.39. cyclic redundancy check (CRC) ═══

cyclic redundancy check (CRC)

Synonym for frame check sequence (FCS).

═══ 21.40. data ═══

data

1. A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by human or automatic means. (I) (A)
2. Any representations such as characters or analog quantities to which meaning is or might be assigned. (A)

═══ 21.41. data link ═══

data link

1. Any physical link, such as a wire or a telephone circuit, that connects one or more remote terminals to a communication control unit, or connects one communication control unit with another.
2. The assembly of parts of two data terminal equipment (DTE) devices that are controlled by a link protocol, and the interconnecting data circuit, that enable data to be transferred from a data source to a data sink. (I)
3. In SNA, see also link.

Note: A telecommunication line is only the physical medium of transmission. A data link includes the physical medium of transmission, the protocol, and associated devices and programs; it is both physical and logical.

═══ 21.42. data link control (DLC) layer ═══

data link control (DLC) layer

1. In SNA or Open Systems Interconnection (OSI), the layer that schedules data transfer over a link between two nodes and performs error control for the link. Examples of DLC are synchronous data link control (SDLC) for serial-by-bit connection and DLC for the System/370* channel.
2. See Systems Network Architecture (SNA).
3. See also logical link control (LLC) sublayer, medium access control (MAC) sublayer.

Note: The DLC layer is usually independent of the physical transport mechanism and ensures the integrity of data that reach the higher layers.

═══ 21.43. data network ═══

data network

An arrangement of data circuits and switching facilities for establishing connections between data terminal equipment. (I)

═══ 21.44. data rate ═══

data rate

See data transfer rate, line data rate.

═══ 21.45. data transfer rate ═══

data transfer rate

The average number of bits, characters, or blocks per unit of time passing between equipment in a data-transmission session. (I) The rate is expressed in bits, characters, or blocks per second, minute, or hour.

═══ 21.46. default ═══

default

Pertaining to an attribute, value, or option that is assumed when none is explicitly specified.

═══ 21.47. datagram ═══

datagram

A particular type of information encapsulation at the network layer of the adapter protocol. No explicit acknowledgment for the information is sent by the receiver. Instead, transmission relies on the "best effort" of the link layer.

═══ 21.48. delimiter ═══

delimiter

1. A character used to indicate the beginning or end of a character string. (T)
2. A bit pattern that defines the beginning or end of a frame or token on a LAN.

═══ 21.49. destination ═══

destination

Any point or location, such as a node, station, or particular terminal, to which information is to be sent.

═══ 21.50. destination address ═══

destination address

A field in the medium access control (MAC) frame that identifies the physical location to which information is to be sent. Contrast with source address.
═══ 21.51. destination service access point (DSAP) ═══ destination service access point (DSAP) The service access point for which a logical link control protocol data unit (LPDU) is intended. ═══ 21.52. device ═══ device 1. A mechanical, electrical, or electronic contrivance with a specific purpose. 2. An input/output unit such as a terminal, display, or printer. See also attaching device. ═══ 21.53. device driver ═══ device driver The code needed to attach and use a device on a computer or a network. ═══ 21.54. digital ═══ digital 1. Pertaining to data in the form of digits. (A) Contrast with analog. 2. Pertaining to data consisting of numerical values or discrete units. ═══ 21.55. disabled ═══ disabled 1. Pertaining to a state of a processing unit that prevents the occurrence of certain types of interruptions. 2. Pertaining to the state in which a transmission control unit or audio response unit cannot accept incoming calls on a line. ═══ 21.56. disconnected mode ═══ disconnected mode 1. In synchronous data link control (SDLC), a response from a secondary station indicating that it is disconnected and wants to be online. 2. Synonym for disconnected phase. ═══ 21.57. disconnected phase ═══ disconnected phase A phase entered by data circuit-terminating equipment (DCE) when it detects error conditions, recovers from a temporary internal malfunction, or receives a disconnect (DISC) command from data terminal equipment (DTE). In the disconnected phase, the DCE may initiate link setup but can transmit only disconnected-mode responses to received frames. Synonymous with disconnected mode (2). ═══ 21.58. Disk Operating System ═══ Disk Operating System An operating system for computer systems that use disks and diskettes for auxiliary storage of programs and data. ═══ 21.59. downstream ═══ downstream 1. On an IBM Token-Ring Network, the direction of data flow. 2. In the direction of data flow or toward the destination of transmission. Contrast with upstream. ═══ 21.60. 
drop ═══ drop A cable that leads from a faceplate to the distribution panel in a wiring closet. When the IBM Cabling System is used with the IBM Token-Ring Network, a drop may form part of a lobe. See also lobe. ═══ 21.61. dump ═══ dump 1. To write at a particular instant the contents of storage, or part of storage, onto another data medium for the purpose of safeguarding or debugging the data. (T) 2. Data that has been dumped. (I) (A) ═══ 21.62. EBCDIC ═══ EBCDIC Extended binary-coded decimal interchange code. A coded character set consisting of 8-bit coded characters. (A) ═══ 21.63. enabled ═══ enabled 1. On a LAN, pertaining to an adapter or device that is active, operational, and able to receive frames from the network. 2. Pertaining to a state of a processing unit that allows the occurrence of certain types of interruptions. 3. Pertaining to the state in which a transmission control unit or an audio response unit can accept incoming calls on a line. ═══ 21.64. end delimiter ═══ end delimiter The last byte of a token or frame, consisting of a special, recognizable bit pattern. ═══ 21.65. Ethernet network ═══ Ethernet network A baseband LAN with a bus topology in which messages are broadcast on a coaxial cable using a carrier sense multiple access/collision detection (CSMA/CD) transmission method. ═══ 21.66. event ═══ event A frame that matches some set of criteria. Example events include a TCP/IP frame, frame containing a specific source address, or an SMT SRF frame containing a specific source and destination address. ═══ 21.67. event detector ═══ event detector A hardware or software module that identifies a frame as matching or not matching a particular event's criteria. Event detectors are used in event equations to select frames for monitoring, capturing, or displaying (see event equation). ═══ 21.68. 
event equation ═══ event equation An equation describing one or more events whose result is TRUE or FALSE for every frame that is examined by the DatagLANce analyzer. Event Equations are used to select events to monitor (Custom Event Equation), capture a frame (Frame Capture Filter Equation), or display a frame in the protocol analysis software (Display Filter Equation). ═══ 21.69. extended binary-coded decimal interchange code (EBCDIC) ═══ extended binary-coded decimal interchange code (EBCDIC) A coded character set consisting of 8-bit coded characters. ═══ 21.70. fault ═══ fault An accidental condition that causes a functional unit to fail to perform its required function. (I) (A) ═══ 21.71. function ═══ function A part of an IBM product that may be ordered separately by the customer. ═══ 21.72. Fiber Distributed Data Interface (FDDI) ═══ Fiber Distributed Data Interface (FDDI) A high-performance, general-purpose, multi-station network designed for efficient operation with a peak data transfer rate of 100 Mbps. It uses token-ring architecture with optical fiber as the transmission medium over distances of several kilometers. ═══ 21.73. field ═══ field On a data medium or a storage medium, a specified area used for a particular category of data; for example, a group of character positions used to enter or display wage rates on a panel. (T) ═══ 21.74. file ═══ file A named set of records stored or processed as a unit. (T) ═══ 21.75. file name ═══ file name 1. A name assigned or declared for a file. 2. The name used by a program to identify a file. ═══ 21.76. file server ═══ file server A high-capacity disk storage device or a computer that each computer on a network can access to retrieve files that can be shared among the attached computers. ═══ 21.77. filter ═══ filter A device or program that separates data, signals, or material in accordance with specified criteria. (A) ═══ 21.78. 
filtered frames ═══ filtered frames Frames that arrive at a bridge adapter but are not forwarded across the bridge, because of criteria specified in a filter program used with the bridge program. ═══ 21.79. first-in first-out (FIFO) ═══ first-in first-out (FIFO) A queuing technique in which the next item to be retrieved is the item that has been in the queue for the longest time. (A) ═══ 21.80. flag ═══ flag A character or indicator that signals the occurrence of some condition, such as the setting of a switch, or the end of a word. (A) ═══ 21.81. fixed disk drive ═══ fixed disk drive In a personal computer system unit, a disk storage device that reads and writes on rigid magnetic disks. It is faster and has a larger storage capacity than a diskette and is permanently installed. ═══ 21.82. frame ═══ frame 1. The unit of transmission in some LANs, including the IBM Token-Ring Network and the IBM PC Network. It includes delimiters, control characters, information, and checking characters. On a token-ring network, a frame is created from a token when the token has data appended to it. On a token bus network (IBM PC Network), all frames including the token frame contain a preamble, start delimiter, control address, optional data and checking characters, end delimiter, and are followed by a minimum silence period. 2. A housing for machine elements. 3. In synchronous data link control (SDLC), the vehicle for every command, every response, and all information that is transmitted using SDLC procedures. Each frame begins and ends with a flag. ═══ 21.83. frame alignment error ═══ frame alignment error An error in a frame, indicated by a frame check sequence (FCS) indicator. When excessive or missing bits occur during the reception of a frame, the frame is misaligned. ═══ 21.84. frame check sequence (FCS) ═══ frame check sequence (FCS) 1. A system of error checking performed at both the sending and receiving station after a block check character has been accumulated. 2. 
A numeric value derived from the bits in a message that is used to check for any bit errors in transmission. 3. A redundancy check in which the check key is generated by a cyclic algorithm. (T) Synonymous with cyclic redundancy check (CRC). ═══ 21.85. frame detail ═══ frame detail In DatagLANce Protocol Analysis, a detail view of the frame selected in the frame summary window. ═══ 21.86. frame hexdump ═══ frame hexdump In DatagLANce Protocol Analysis, a hexadecimal view of the frame selected in the frame summary window. ═══ 21.87. frame summary ═══ frame summary In DatagLANce Protocol Analysis, a summary view of frames captured in which the frame type, destination and source addresses, size, and interpretation of each frame can be displayed. ═══ 21.88. function ═══ function 1. A specific purpose of an entity, or its characteristic action. (A) 2. In data communications, a machine action such as carriage return or line feed. ═══ 21.89. functional address ═══ functional address In IBM network adapters, a special kind of group address in which the address is bit-significant, each "on" bit representing a function performed by the station (such as "Active Monitor," "Ring Error Monitor," "LAN Error Monitor," or "Configuration Report Server"). ═══ 21.90. gateway ═══ gateway A device and its associated software that interconnect networks or systems of different architectures. The connection is usually made above the reference model network layer. For example, a gateway allows LANs access to System/370 host computers. Contrast with bridge and router. ═══ 21.91. Glance ═══ Glance A function of the DatagLANce analyzer that allows you to view traffic traveling on your LAN without setting up to capture frames. Glance listens for frames for the period of time selected or until its buffer is full and displays the frames that were glanced in summary, detail and hexdump formats. ═══ 21.92. group ═══ group 1. 
A set of related records that have the same value for a particular field in all records. 2. A collection of users who can share access authorities for protected resources. 3. A list of names that are known together by a single name. ═══ 21.93. group address ═══ group address In a LAN, a locally administered address assigned to two or more adapters to allow the adapters to copy the same frame. Contrast locally administered address with universally administered address. ═══ 21.94. hard error ═══ hard error An error condition on a network that requires that the source of the error be removed or that the network be reconfigured before the network can resume reliable operation. See also beaconing. Contrast with soft error. ═══ 21.95. hardware ═══ hardware Physical equipment as opposed to programs, procedures, rules, and associated documentation. (I) (A) ═══ 21.96. header ═══ header The portion of a message that contains control information for the message such as one or more destination fields, name of the originating station, input sequence number, character string indicating the type of message, and priority level for the message. ═══ 21.97. history statistics ═══ history statistics Statistics collected versus time by the DatagLANce analyzer. ═══ 21.98. IBM Personal Computer Disk Operating System (DOS) ═══ IBM Personal Computer Disk Operating System (DOS) A disk operating system based on MS-DOS. ═══ 21.99. inactive ═══ inactive 1. Not operational. 2. Pertaining to a node or device not connected or not available for connection to another node or device. 3. Pertaining to a station that is only repeating frames or tokens, or both. ═══ 21.100. initialize ═══ initialize In a LAN, to prepare the adapter (and adapter support code, if used) for use by an application program. ═══ 21.101. insert ═══ insert To make an attaching device an active part of a LAN. ═══ 21.102. interface ═══ interface 1. 
A shared boundary between two functional units, defined by functional characteristics, common physical interconnection characteristics, signal characteristics, and other characteristics as appropriate. (I) 2. A shared boundary. An interface may be a hardware component to link two devices or a portion of storage or registers accessed by two or more computer programs. (A) 3. Hardware, software, or both, that links systems, programs, or devices. ═══ 21.103. interference ═══ interference 1. The prevention of clear reception of broadcast signals. 2. The distorted portion of a received signal. ═══ 21.104. jabber ═══ jabber Transmission by a data station beyond the time interval allowed by the protocol. (T) ═══ 21.105. jadder frame ═══ jadder frame An Ethernet frame composed of a portion of an original frame appended by another. ═══ 21.106. LAN adapter ═══ LAN adapter The circuit card within a communicating device (such as a personal computer) that, together with its associated software, enables the device to be attached to a LAN. ═══ 21.107. LAN multicast ═══ LAN multicast The sending of a transmission frame intended to be accepted by a group of selected data stations on the same LAN. ═══ 21.108. LAN segment ═══ LAN segment 1. Any portion of a LAN (for example, a single bus or ring) that can operate independently but is connected to other parts of the establishment network via bridges. 2. An entire ring or bus network without bridges. See cable segment, ring segment. ═══ 21.109. layer ═══ layer 1. One of the seven levels of the Open Systems Interconnection reference model. 2. In open systems architecture, a collection of related functions that comprise one level of hierarchy of functions. Each layer specifies its own functions and assumes that lower level functions are provided. 3. In SNA, a grouping of related functions that are logically separate from the functions of other layers.
Implementation of the functions in one layer can be changed without affecting functions in other layers. ═══ 21.110. limited broadcast ═══ limited broadcast Synonym for single-route broadcast. ═══ 21.111. line data rate ═══ line data rate The rate of data transmission over a telecommunications link. ═══ 21.112. link ═══ link 1. The logical connection between nodes including the end-to-end link control procedures. 2. The combination of physical media, protocols, and programming that connects devices on a network. 3. In computer programming, the part of a program, in some cases a single instruction or an address, that passes control and parameters between separate portions of the computer program. (I) (A) 4. To interconnect items of data or portions of one or more computer programs. 5. In SNA, the combination of the link connection and link stations joining network nodes. ═══ 21.113. lobe ═══ lobe In the IBM Token-Ring Network, the section of cable (which may consist of several cable segments) that connects an attaching device to an access unit. ═══ 21.114. local area network (LAN) ═══ local area network (LAN) A computer network located on a user's premises within a limited geographical area. Note: Communication within a local area network is not subject to external regulations; however, communication across the LAN boundary may be subject to some form of regulation. (T) ═══ 21.115. locally administered address ═══ locally administered address An adapter address that the user can assign to override the universally administered address. Contrast with universally administered address. ═══ 21.116. logical link control protocol (LLC protocol) ═══ logical link control protocol (LLC protocol) In a local area network, the protocol that governs the exchange of frames between data stations independently of how the transmission medium is shared. (T) ═══ 21.117. 
logical link control protocol data unit (LPDU) ═══ logical link control protocol data unit (LPDU) The unit of information exchanged between network layer entities in different nodes. The LPDU consists of the destination service access point (DSAP) and source service access point (SSAP) address fields, the control field, and the information field (if present). ═══ 21.118. logical link control (LLC) sublayer ═══ logical link control (LLC) sublayer One of two sublayers of the ISO Open Systems Interconnection data link layer (which corresponds to the SNA data link control layer), proposed for LANs by the IEEE Project 802 Committee on Local Area Networks and the European Computer Manufacturers Association (ECMA). It includes those functions unique to the particular link control procedures that are associated with the attached node and are independent of the medium; this allows different logical link protocols to coexist on the same network without interfering with each other. The LLC sublayer uses services provided by the medium access control (MAC) sublayer and provides services to the network layer. ═══ 21.119. loop ═══ loop A closed unidirectional signal path connecting input/output devices to a network. ═══ 21.120. MAC frame ═══ MAC frame Frames used to carry information to maintain the ring protocol and for exchange of management information. ═══ 21.121. marked frame ═══ marked frame In DatagLANce Protocol Analysis, the frame whose time-stamp is used in calculating the relative time-stamp of a frame. See relative time. ═══ 21.122. medium access control (MAC) protocol ═══ medium access control (MAC) protocol In a local area network, the part of the protocol that governs communication on the transmission medium without concern for the physical characteristics of the medium, but taking into account the topological aspects of the network, in order to enable the exchange of data between data stations. (T) ═══ 21.123. 
medium access control sublayer (MAC sublayer) ═══ medium access control sublayer (MAC sublayer) In a local area network, the part of the data link layer that applies medium access control and supports topology-dependent functions. The MAC sublayer uses the services of the physical layer to provide services to the logical link control sublayer and all higher layers. (T) ═══ 21.124. megabit (Mb) ═══ megabit (Mb) 1 megabit = 1048576 bits. ═══ 21.125. megabyte (MB) ═══ megabyte (MB) 1 megabyte = 1048576 bytes. ═══ 21.126. message ═══ message 1. A logical partition of the user device's data stream to and from the adapter. 2. A group of characters and control bits transferred as an entity. ═══ 21.127. Micro Channel* ═══ Micro Channel* The architecture used by IBM Personal System/2 computers, Models 50 and above. This term is used to distinguish these computers from personal computers using a PC I/O channel, such as an IBM PC, XT*, or an IBM Personal System/2 computer, Model 25 or 30. ═══ 21.128. monitor ═══ monitor 1. A functional unit that observes and records selected activities for analysis within a data processing system. Possible uses are to show significant departures from the norm, or to determine levels of utilization of particular functional units. (I) (A) 2. Software or hardware that observes, supervises, controls, or verifies operations of a system. (A) ═══ 21.129. Multicast address ═══ Multicast address See LAN multicast. ═══ 21.130. multitasking ═══ multitasking 1. Pertaining to the concurrent execution of two or more tasks by a computer. 2. Multiprogramming that provides for the concurrent performance, or interleaved execution, of two or more tasks. ═══ 21.131. name ═══ name An alphanumeric term that identifies a data set, statement, program, or cataloged procedure. ═══ 21.132. nanosecond (ns) ═══ nanosecond (ns) One thousand millionth of a second. ═══ 21.133. n-bit byte ═══ n-bit byte A string that consists of n bits. (T) ═══ 21.134. 
nearest active upstream neighbor (NAUN) ═══ nearest active upstream neighbor (NAUN) For any given attaching device on an IBM Token-Ring Network, the attaching device that is sending frames or tokens directly to it. ═══ 21.135. network ═══ network 1. A configuration of data processing devices and software connected for information interchange. 2. An arrangement of nodes and connecting branches. Connections are made between data stations. (T) ═══ 21.136. network architecture ═══ network architecture The logical structure and operating principles of a computer network. (T) See also systems network architecture (SNA) and Open Systems Interconnection (OSI) architecture. Note: The operating principles of a network include those of services, functions, and protocols. ═══ 21.137. network layer ═══ network layer 1. In the Open Systems Interconnection reference model, the layer that provides for the entities in the transport layer the means for routing and switching blocks of data through the network between the open systems in which those entities reside. (T) 2. The layer that provides services to establish a path between systems with a predictable quality of service. See Open Systems Interconnection (OSI). ═══ 21.138. network status ═══ network status The condition of the network. ═══ 21.139. node ═══ node 1. Any device, attached to a network, that transmits and/or receives data. 2. An endpoint of a link, or a junction common to two or more links in a network. 3. In a network, a point where one or more functional units interconnect transmission lines. ═══ 21.140. noise ═══ noise 1. A disturbance that affects a signal and that can distort the information carried by the signal. (T) 2. Random variations of one or more characteristics of any entity, such as voltage, current, or data. (A) 3. Loosely, any disturbance tending to interfere with normal operation of a device or system. (A) ═══ 21.141. open ═══ open 1. To make an adapter ready for use. 2. 
A break in an electrical circuit. 3. To make a file ready for use. ═══ 21.142. Open Systems Interconnection (OSI) ═══ Open Systems Interconnection (OSI) 1. The interconnection of open systems in accordance with specific ISO standards. (T) 2. The use of standardized procedures to enable the interconnection of data processing systems. Note: OSI architecture establishes a framework for coordinating the development of current and future standards for the interconnection of computer systems. Network functions are divided into seven layers. Each layer represents a group of related data processing and communication functions that can be carried out in a standard way to support different applications. ═══ 21.143. Open Systems Interconnection (OSI) architecture ═══ Open Systems Interconnection (OSI) architecture Network architecture that adheres to a particular set of ISO standards that relates to Open Systems Interconnection. (T) ═══ 21.144. Open Systems Interconnection (OSI) reference model ═══ Open Systems Interconnection (OSI) reference model A model that represents the hierarchical arrangement of the seven layers described by the Open Systems Interconnection architecture. ═══ 21.145. operating system ═══ operating system Software that controls the execution of programs. An operating system may provide services such as resource allocation, scheduling, input/output control, and data management. (A) Examples are IBM PC DOS and IBM OS/2. ═══ 21.146. Operating System/2 (OS/2) ═══ Operating System/2 (OS/2) A set of programs that control the operation of high-speed large-memory IBM personal computers (such as the IBM Personal System/2 computer, Models 50 and above), providing multitasking and the ability to address up to 16 MB of memory. Contrast with Disk Operating System (DOS). ═══ 21.147. operation ═══ operation 1. 
A defined action, namely, the act of obtaining a result from one or more operands in accordance with a rule that completely specifies the result for any permissible combination of operands. (A) 2. A program step undertaken or executed by a computer. 3. An action performed on one or more data items, such as adding, multiplying, comparing, or moving. ═══ 21.148. option ═══ option 1. A specification in a statement, a selection from a menu, or a setting of a switch, that may be used to influence the execution of a program. 2. A hardware or software function that may be selected or enabled as part of a configuration process. 3. A piece of hardware (such as a network adapter) that can be installed in a device to modify or enhance device function. ═══ 21.149. page ═══ page 1. The portion of a panel that is shown on a display surface at one time. 2. To move back and forth among the pages of a multiple-page panel. See also scroll. 3. In a virtual storage system, a fixed-length block that has a virtual address and is transferred as a unit between real storage and virtual storage. ═══ 21.150. panel ═══ panel The complete set of formatted information that appears in a single display on a visual display unit. ═══ 21.151. parallel port ═══ parallel port A port that transmits the bits of a byte in parallel along the lines of the bus, 1 byte at a time, to an I/O device. On a personal computer, it is used to connect a device that uses a parallel interface, such as a dot matrix printer, to the computer. Contrast with serial port. ═══ 21.152. parameter ═══ parameter 1. A variable that is given a constant value for a specified application and that may denote the application. (I) (A) 2. An item in a menu or for which the user specifies a value or for which the system provides a value when the menu is interpreted. 3. Data passed between programs or procedures. ═══ 21.153. path ═══ path 1. In a network, any route between any two nodes. (T) 2. 
The route traversed by the information exchanged between two attaching devices in a network. 3. A command in IBM Personal Computer Disk Operating System (PC DOS) and IBM Operating System/2 (OS/2) that specifies directories to be searched for commands or batch files that are not found by a search of the current directory. ═══ 21.154. personal computer (PC) ═══ personal computer (PC) A desk-top, free-standing, or portable microcomputer that usually consists of a system unit, a display, a monitor, a keyboard, one or more diskette drives, internal fixed-disk storage, and an optional printer. PCs are designed primarily to give independent computing power to a single user and are inexpensively priced for purchase by individuals or small businesses. Examples include the various models of the IBM Personal Computers, and the IBM Personal System/2 computer. ═══ 21.155. phase ═══ phase The relative timing (position) of periodic electrical signals. ═══ 21.156. pointer ═══ pointer 1. An identifier that indicates the location of an item of data. (A) 2. A data element that indicates the location of another data element. (T) 3. A physical or symbolic identifier of a unique target. ═══ 21.157. port ═══ port 1. An access point for data entry or exit. 2. A connector on a device to which cables for other devices such as display stations and printers are attached. Synonymous with socket. ═══ 21.158. post ═══ post 1. To affix to a usual place. 2. To provide items such as return code at the end of a command or function. 3. To define an appendage routine. 4. To note the occurrence of an event. ═══ 21.159. Power-On Self Test (POST) ═══ Power-On Self Test (POST) A series of diagnostic tests that are run automatically each time the computer's power is turned on. ═══ 21.160. PROCEDURE ═══ PROCEDURE A set of instructions that gives a service representative a step-by-step procedure for tracing a symptom to the cause of failure. ═══ 21.161. 
processor ═══ processor In a computer, a functional unit that interprets and executes instructions. (I) (A) ═══ 21.162. protocol ═══ protocol 1. A set of semantic and syntactic rules that determines the behavior of functional units in achieving communication. (I) 2. In SNA, the meanings of and the sequencing rules for requests and responses used for managing the network, transferring data, and synchronizing the states of network components. 3. A specification for the format and relative timing of information exchanged between communicating parties. ═══ 21.163. random access memory (RAM) ═══ random access memory (RAM) A computer's or adapter's volatile storage area into which data may be entered and retrieved in a nonsequential manner. ═══ 21.164. receive ═══ receive To obtain and store information transmitted from a device. ═══ 21.165. Reference Diskette ═══ Reference Diskette A diskette shipped with the IBM Personal System/2 computers with Micro Channel architecture. The diskette contains code and files used for configuration of options and for hardware diagnostic testing. ═══ 21.166. reference frame ═══ reference frame In DatagLANce Protocol Analysis, the frame whose frame number is used in calculating the relative frame number of all other frames. The reference frame is always frame 0. ═══ 21.167. relative time ═══ relative time In DatagLANce Protocol Analysis, the difference in time between the arrival (absolute) time-stamps of a frame and the marked frame. Relative time is displayed in the frame summary. See marked frame, absolute time. ═══ 21.168. remote program load ═══ remote program load A function provided by adapter hardware components and software that enables one computer to load programs and operating systems into the memory of another computer, without requiring the use of a diskette or fixed disk at the receiving computer. ═══ 21.169. remove ═══ remove 1. To take an attaching device off a network. 2. 
To stop an adapter from participating in data passing on a network. ═══ 21.170. ring network ═══ ring network A network configuration in which a series of attaching devices is connected by unidirectional transmission links to form a closed path. A ring of an IBM Token-Ring Network is referred to as a LAN segment or as a Token-Ring Network segment. ═══ 21.171. ring segment ═══ ring segment A ring segment is any section of a ring that can be isolated (by unplugging connectors) from the rest of the ring. A segment can consist of a single lobe, the cable between access units, or a combination of cables, lobes, and/or access units. See cable segment, LAN segment. ═══ 21.172. ring station ═══ ring station A station that supports the functions necessary for connecting to the LAN and for operating with the token-ring protocols. These include token handling, transferring copied frames from the ring to the using node's storage, maintaining error counters, observing medium access control (MAC) sublayer protocols (for address acquisition, error reporting, or other duties), and (in the full-function native mode) directing frames to the correct data link control (DLC) link station. ═══ 21.173. router ═══ router An attaching device that connects two LAN segments, which use similar or different architectures, at the reference model network layer. Contrast with bridge and gateway. ═══ 21.174. routing ═══ routing 1. The assignment of the path by which a message will reach its destination. 2. The forwarding of a message unit along a particular path through a network, as determined by the parameters carried in the message unit, such as the destination network address in a transmission header. ═══ 21.175. runt frame ═══ runt frame An Ethernet frame that violates the 64-byte minimum specification. ═══ 21.176. scroll ═══ scroll To move all or part of the display image vertically or horizontally to display data that cannot be observed within a single display image. See also page (2). 
═══ 21.177. segment ═══ segment See cable segment, LAN segment, ring segment. ═══ 21.178. serial port ═══ serial port On personal computers, a port used to attach devices such as display devices, letter-quality printers, modems, plotters, and pointing devices such as light pens and mice; it transmits data 1 bit at a time. Contrast with parallel port. ═══ 21.179. server ═══ server 1. A device, program, or code module on a network dedicated to providing a specific service to a network. 2. On a LAN, a data station that provides facilities to other data stations. Examples are a file server, print server, and mail server. ═══ 21.180. service access point (SAP) ═══ service access point (SAP) 1. A logical point made available by an adapter where information can be received and transmitted. A single SAP can have many links terminating in it. 2. In Open Systems Interconnection (OSI) architecture, the logical point at which an n + 1-layer entity acquires the services of the n-layer. For LANs, the n-layer is assumed to be data link control (DLC). A single SAP can have many links terminating in it. These link "end-points" are represented in DLC by link stations. ═══ 21.181. session ═══ session 1. A connection between two application programs that allows them to communicate. 2. In SNA, a logical connection between two network addressable units that can be activated, tailored to provide various protocols, and deactivated as requested. 3. The data transport connection resulting from a call or link between two devices. 4. The period of time during which a user of a node can communicate with an interactive system, usually the elapsed time between log on and log off. 5. In network architecture, an association of facilities necessary for establishing, maintaining, and releasing connections for communication between stations. (T) ═══ 21.182. signal ═══ signal 1. A time-dependent value attached to a physical phenomenon for conveying data. 2. 
A variation of a physical quantity, used to convey data. ═══ 21.183. single-route broadcast ═══ single-route broadcast The forwarding of specially designated broadcast frames only by bridges which have single-route broadcast enabled. If the network is configured correctly, a single-route broadcast frame will have exactly one copy delivered to every LAN segment in the network. Synonymous with limited broadcast. See also automatic single-route broadcast. ═══ 21.184. socket ═══ socket Synonym for port (2). ═══ 21.185. soft error ═══ soft error An intermittent error on a network that causes data to have to be transmitted more than once to be received. A soft error affects the network's performance but does not, by itself, affect the network's overall reliability. If the number of soft errors becomes excessive, reliability is affected. Contrast with hard error. ═══ 21.186. source address ═══ source address A field in the medium access control (MAC) frame that identifies the location from which information is sent. Contrast with destination address. ═══ 21.187. source service access point (SSAP) ═══ source service access point (SSAP) The service access point (SAP) from which a logical link control protocol data unit (LPDU) is originated. ═══ 21.188. splitter ═══ splitter A passive device used at a node to connect two or more branches. The device is coupled inline to a main trunk or branch for splitting the power and information signal two or more ways. A splitter does not amplify or regenerate data signals. ═══ 21.189. start delimiter ═══ start delimiter The first byte of a token or frame, consisting of a special, recognizable bit pattern. ═══ 21.190. station ═══ station 1. A communication device attached to a network. The term used most often in LANs is an attaching device or workstation. 2. 
An input or output point of a system that uses telecommunication facilities; for example, one or more systems, computers, terminals, devices, and associated programs at a particular location that can send or receive data over a telecommunication line. See also attaching device, workstation. ═══ 21.191. switch ═══ switch On an adapter, a mechanism used to select a value for, enable, or disable a configurable option or function. ═══ 21.192. symbolic name ═══ symbolic name In a LAN, a name that may be used instead of an adapter or bridge address to identify an adapter location. ═══ 21.193. system ═══ system In data processing, a collection of people, machines, and methods organized to accomplish a set of specific functions. (I) (A) ═══ 21.194. system configuration ═══ system configuration A process that specifies the devices and programs that form a particular data processing system. ═══ 21.195. system disk(ette) ═══ system disk(ette) A personal computer fixed disk or diskette that has been formatted with the Personal Computer Disk Operating System (PC DOS) or Operating System/2 (OS/2) by using the FORMAT command with the /S option. ═══ 21.196. Systems Application Architecture (SAA) ═══ Systems Application Architecture (SAA) An architecture developed by IBM that consists of a set of selected software interfaces, conventions, and protocols, and that serves as a common framework for application development, portability, and use across different IBM hardware systems. ═══ 21.197. Systems Network Architecture (SNA) ═══ Systems Network Architecture (SNA) The description of the logical structure, formats, protocols, and operational sequences for transmitting information units through, and controlling the configuration and operation of, networks. 
Note: The layered structure of SNA allows the ultimate origins and destinations of information, that is, the end users, to be independent of and unaffected by the specific SNA network services and facilities used for information exchange. ═══ 21.198. threshold ═══ threshold 1. A level, point, or value above which something is true or will take place and below which it is not true or will not take place. 2. In IBM bridge programs, a value set for the maximum number of frames that are not forwarded across a bridge due to errors, before a "threshold exceeded" occurrence is counted and indicated to network management programs. 3. An initial value from which a counter is decremented to zero, or a value to which a counter is incremented or decremented from an initial value. When the counter reaches zero or the threshold value, a decision is made and/or an event occurs. ═══ 21.199. throughput ═══ throughput 1. A measure of the amount of work performed by a computer system over a given period of time, for example, number of jobs per day. (I) (A) 2. A measure of the amount of information transmitted over a network in a given period of time. For example, a network's data transfer rate is usually measured in bits per second. ═══ 21.200. token ═══ token A sequence of bits passed from one device to another on the token-ring network that signifies permission to transmit over the network. It consists of a starting delimiter, an access control field, and an end delimiter. The access control field contains a bit that indicates to a receiving device that the token is ready to accept information. If a device has data to send along the network, it appends the data to the token. When data is appended, the token then becomes a frame. See frame. ═══ 21.201. token-ring ═══ token-ring A network with a ring topology that passes tokens from one attaching device (node) to another. A node that is ready to send can capture a token and insert data for transmission. ═══ 21.202. 
token-ring network ═══ token-ring network 1. A ring network that allows unidirectional data transmission between data stations by a token-passing procedure over one transmission medium so that the transmitted data returns to and is removed by the transmitting station. (T) The IBM Token-Ring Network is a baseband LAN with a star-wired ring topology that passes tokens from network adapter to network adapter. 2. A network that uses a ring topology, in which tokens are passed in a sequence from node to node. A node that is ready to send can capture the token and insert data for transmission. 3. A group of interconnected token-rings. ═══ 21.203. trace ═══ trace 1. A record of the execution of a computer program. It exhibits the sequences in which the instructions were executed. 2. A record of the frames and bytes transmitted on a network. ═══ 21.204. transmit ═══ transmit To send information from one place for reception elsewhere. ═══ 21.205. transmitter ═══ transmitter 1. A circuit used in data communication applications to send information from one place for reception elsewhere. 2. The device in which the transmission circuits are housed. ═══ 21.206. trigger frame ═══ trigger frame The frame which triggered the capture. This frame matched the trigger equation specified on the Trigger/Stop Capture Options panel. ═══ 21.207. twisted pair ═══ twisted pair A transmission medium that consists of two insulated conductors twisted together to reduce noise. (T) ═══ 21.208. universally administered address ═══ universally administered address The address permanently encoded in an adapter at the time of manufacture. All universally administered addresses are unique. Contrast with locally administered address. ═══ 21.209. unnumbered acknowledgment ═══ unnumbered acknowledgment A data link control (DLC) command used in establishing a link and in answering receipt of logical link control (LLC) frames. ═══ 21.210. 
upstream ═══ upstream On an IBM Token-Ring Network, the direction opposite that of data flow. Contrast with downstream. ═══ 21.211. variable ═══ variable 1. In computer programming, a character or group of characters that refers to a value and, in the execution of a computer program, corresponds to an address. 2. A quantity that can assume any of a given set of values. (A) ═══ 21.212. version ═══ version A separate IBM-licensed program, based on an existing IBM-licensed program, that usually has significant new code or new function. ═══ 21.213. wire fault ═══ wire fault An error condition caused by a break in the wires or a short between the wires (or shield) in a segment of cable. ═══ 21.214. work area ═══ work area An area in which terminal devices (such as displays, keyboards, and printers) are located. Access units may also be located in work areas. ═══ 21.215. workstation ═══ workstation 1. An I/O device that allows either transmission of data or the reception of data (or both) from a host system, as needed to perform a job: for example, a display station or printer. 2. A configuration of I/O equipment at which an operator works. (T) 3. A terminal or microcomputer, usually one connected to a mainframe or network, at which a user can perform tasks. ═══ 22. Bibliography ═══ ═══ 22.1. Related Publications ═══ Consult the following publications for additional information about the IBM Token-Ring and IBM Local Area Networks. To obtain these publications, contact your IBM representative or your local IBM branch office. 
o IBM Token-Ring Network Architecture Reference, SC30-3374
o IBM Local Area Network Technical Reference IEEE 802.2 and NETBIOS APIs, SC30-3587
o IBM Token-Ring Network Remote Program Load User's Guide, SK2T-0333
o IBM Systems Network Architecture Formats, GA27-3136
o TCP/IP Tutorial and Technical Overview, GG24-3376
o Netware from IBM: Network Protocols and Standards, GG24-3890
o Multiprotocol Transport Networking (MPTN) Architecture: Formats, GC31-7074
o Systems Network Architecture Technical Overview, GC30-3073
o Systems Network Architecture Formats, GA27-3136
o Systems Network Architecture Network Product Formats, LY43-0081
o Systems Network Architecture Advanced Peer-To-Peer Networking, Architecture Reference, SC30-3422

In addition to the publications listed above, the following publications are available to support the product:

o Token-Ring Troubleshooting Handbook, Dan Nassar
o Logical Link Control, ISO 8802-2, ANSI/IEEE Std. 802.2. 1989
  This specification is available for purchase from:
  Institute of Electrical and Electronics Engineers
  Piscataway, NJ
o DDN Protocol Handbook
  Volume 1: DOD Military Standard Protocols, NIC-5004
  Volume 2: DARPA Internet Protocols, NIC-5005
  Volume 3: Supplement, NIC-5006
  These publications are available for purchase from:
  DDN Network Information Center
  SRI International
  Menlo Park, CA
  These publications are also available for purchase from:
  Defense Technical Information Center
  Cameron Station
  Alexandria, VA 22314
o Internetworking with TCP/IP: Principles, Protocols, and Architecture Volumes I and II., Douglas E. Comer
  This publication is available for purchase from:
  Prentice-Hall, Inc.
  Englewood Cliffs, NJ
o LAN Troubleshooting Handbook, Mark A. Miller, P.E.
o LAN Protocol Handbook, Mark A. Miller, P.E.
o Internetworking: A Guide to Network Communications. LAN to LAN; LAN to WAN, Mark A. Miller, P.E.
o Troubleshooting Internetworks, Mark A. Miller, P.E.
o Troubleshooting TCP/IP: Analyzing the Protocols of the Internet, Mark A. Miller, P.E.
  These publications are available for purchase from:
  M&T Books
  Redwood City, CA
o Inside AppleTalk, Second Edition, Gursharan S. Sidhu, Richard F. Andrews, Alan B. Oppenheimer
  This publication is available for purchase from:
  Apple Computer, Inc.
  Cupertino, CA
o Analyzing Novell Networks, Carl Malamud
o Analyzing DECnet/OSI Phase V, Carl Malamud
  These publications are available for purchase from:
  Van Nostrand Reinhold
  New York, NY
o NetWare System Interface Technical Overview, Novell, Inc.
  This publication is available for purchase from:
  Addison Wesley Publishing Company, Inc.
  Menlo Park, CA
o Novell's Guide to NetWare LAN Analysis, Laura Chappell
  This publication is available for purchase from:
  Novell Press
  San Jose, CA
o Xerox Network Systems Architecture, General Information Manual, XNSG 068504, Xerox Corporation
o Internet Transport Protocols, XNSS 029101, Xerox Corporation
  These publications are available for purchase from:
  Xerox Corporation
  Sunnyvale, CA
o DECnet Digital Network Architecture (Phase IV) General Description, Order No. AA-N149A-TC
o DECnet Data Access Protocol Functional Specification, Order No. AA-K177A-TK
o DECnet Phase IV Network Management Functional Specification, Order No. AA-X437A-TK
o DECnet Phase IV Maintenance Operations Functional Specification, Order No. AA-X436A-TK
o DECnet Phase IV Routing Layer Functional Specification, Order No. AA-X435A-TK
o DECnet Phase IV NSP Functional Specification, Order No. AA-X439A-TK
o DECnet Session Control Functional Specification, Order No. AA-K182A-TK
  These publications are available for purchase from:
  Digital Equipment Corporation
  Phone 1-800-DIGITAL
o Vines Architecture Definition
o Vines Protocol Definition
  These publications are available for purchase from:
  Banyan Systems, Inc.
  Boston, MA

In addition, the following Journal Articles and Documents are available to support the product:

o IBM PC Network SMB Protocol, IBM Personal Computer Seminar Proceedings, Volume 2, Number 8-1, May 1985
o SMB File Sharing Protocol, Intel Part Number 138446, Document Version 2.0, Microsoft Corporation, November 7, 1988
o SMB File Sharing Protocol Extensions Version 2.0, Document Version 3.3, Microsoft Corporation, November 7, 1988
o SMB File Sharing Protocol Extensions Version 3.0, Document Version 1.11, Microsoft Corporation, June 19, 1990
o A Digital Network Architecture Overview, Anthony G. Lauck, David R. Oran, Radia J. Perlman, Digital Technical Journal, No. 3, September 1986
o Terminal Servers on Ethernet Local Area Networks, Bruce E. Mann, Colin Strutt, Mark F. Kempf, Digital Technical Journal, No. 3, September 1986
o An Introduction to Novell's Burst Mode Protocol, NetWare Application Notes, March 1992