NOVELL TECHNICAL INFORMATION DOCUMENT

TITLE:                       Answers About LANalyzer for Windows 2.1
DOCUMENT ID:                 TID251128
DOCUMENT REVISION:           A
DATE:                        15JUN95
ALERT STATUS:                Yellow
INFORMATION TYPE:            Issue
NOVELL PRODUCT and VERSION:  LANalyzer for Windows 2.1

ABSTRACT:

NA

-----------------------------------------------------------------
DISCLAIMER
THE ORIGIN OF THIS INFORMATION MAY BE INTERNAL OR EXTERNAL TO NOVELL. NOVELL MAKES EVERY EFFORT WITHIN ITS MEANS TO VERIFY THIS INFORMATION. HOWEVER, THE INFORMATION PROVIDED IN THIS DOCUMENT IS FOR YOUR INFORMATION ONLY. NOVELL MAKES NO EXPLICIT OR IMPLIED CLAIMS TO THE VALIDITY OF THIS INFORMATION.
-----------------------------------------------------------------

ISSUE

Answers for the most frequently asked questions about LANalyzer for Windows (LZFW) 2.1.

1. Question
Does LZFW work with a "True Blue" IBM 16/4 Token Ring board?

1. Answer
No. These IBM boards use the TROPIC chipset, and a limitation in the chipset prevents it from going into Promiscuous Mode, which is required by LZFW.

2. Question
What does "Promiscuous Mode" mean?

2. Answer
This is the mode in which the Network Interface Card (NIC) receives and passes on all packets on the network, regardless of which machine they are addressed to. The LZFW network analyzer monitors network traffic by configuring its NIC to receive every packet on the network.

3. Question
Is it possible to configure LZFW to see through the server/router?

3. Answer
No. LZFW will only see the packets on the segment that it is attached to. (If activity from another segment is transmitted onto the segment with LZFW, you will see that activity.) To see another segment, you must move LZFW to that segment. Distributed LANalyzer functionality is available in Novell's ManageWise product.

4. Question
Can LZFW decode IBM NetBIOS traffic?

4. Answer
No. It does not decode the IBM NetBIOS packets. It will present you with the MAC-layer header information and a hex dump of the rest of the packet.
NetBIOS packets are included in the utilization, packet rate, and error statistics, and the Station Monitor screen.

A company called Triticom sells a product called DecodesPlus which works with LZFW, NMS, and ManageWise. It provides decodes for NetBIOS and NetBEUI, DECnet including LAT, and Banyan Vines. Triticom is located in Bloomington, MN. Their phone number is (612) 937-0772.

5. Question
What is the complete list of protocols that LZFW will decode?

5. Answer

NetWare   TCP/IP    AppleTalk   SNA    NFS
-------   ------    ---------   ---    ---
BCAST     ARP       AARP        RH     MOUNT
DIAG      DNS       ADSP        RU     NFS
IPX       FTP       AEP         TH     PORTMAP
LSP       ICMP      AFP         XID    RPC
NBIOS     IP        ASP
NCP       OSPF      ATP
NDS       RARP      NBP
NLP       RIP       RTMP
NLSP      SNMP      ZIP
RIP       TCP
SAP       TELNET
SER       TFTP
SPX       UDP
WDOG

6. Question
Are there any patches available on NetWire for LZFW 2.1?

6. Answer
Yes, there are two different patches.

LZW001.EXE - Corrects a Token Ring bug that shows all stations as BRIDGED.
LZW002.EXE - Corrects loss of all packets with new drivers.

These patches apply only to LZFW 2.1. Users of earlier versions of LZFW should upgrade to the current version before installing either of these patches.

7. Question
LZFW hangs when running on Token Ring.

7. Answer
Make sure TKENH.COM has been loaded after LSL and before your Token Ring driver. TKENH was copied to the LZFW directory by the LANalyzer install program. You should also apply the LZW001.EXE and LZW002.EXE patches, and make sure you have the latest driver for your NIC from the card vendor.

8. Question
Does LZFW work with OS/2?

8. Answer
No. OS/2 does not support Windows virtual device drivers, which LZFW uses to receive network traffic.

9. Question
APPLE.EXE be loaded?

10. Answer
No, but APPLE.EXE must be loaded for AppleTalk support.

11. Question
Must NETX/VLM be loaded?

11. Answer
No, but if NETX/VLM isn't loaded, you will not be able to gather NetWare names.

12. Question
What is "Server Monitoring"?

12. Answer
When LZFW is started, the server monitoring function broadcasts a "Get Nearest File Server" packet. For a file server to respond to the broadcast request, it must have the following parameter set:

"SET RespondToNearestFileServer = ON"

This is the default setting. A known limitation of NetWare 3.x SFT III servers is that they do not respond to this broadcast packet.

All the servers that respond to this broadcast will be added to the "Server Monitor" screen. Not all servers respond every time. Novell believes that this is because the server is busy and responding to the packet is a low priority. This explains why some servers sometimes get in the list and others do not, and why the exact list seems to change.

Now, LZFW has a list of servers to poll. The idea is to go down the list of servers, one at a time, and send them a packet. If they respond, server monitoring moves on to the next server until it reaches the end of the list. Then, it starts over at the top of the list. One server from the list is polled every 15 seconds, so the amount of network traffic generated is minimal.

If a server fails to respond to the poll, it goes into a "retry" mode. Server monitoring tries more frequently to poll the server (every 2 seconds or so) for three tries. If the server has not replied to any of the polls, server monitoring calls it down and sends an alarm. Then server monitoring moves on to the next server. When it cycles around the list again, it tries the down server to see if it is back up.

After several times through the list, server monitoring "rebuilds" the list. This gets rid of servers which have been down for a long time or have been moved. It also picks up new servers that came up since server monitoring started. The rebuild process restarts from scratch and creates a new list. Unfortunately, a side effect of this is that servers can tend to "come and go" from the list.
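The polling cycle described above, as an added simulation on a simulated clock (not Novell's code and not part of the original TID). The server names, the outage windows and the responds() callback are constructed; giving an already-down server the same retries, and leaving the list rebuild out, are assumptions.

```python
POLL_INTERVAL = 15   # seconds between polls of successive servers (from the TID)
RETRY_INTERVAL = 2   # retry mode: "every 2 seconds or so"
RETRIES = 3          # retry mode: "for three tries"

def monitor(servers, responds, passes):
    """Simulate `passes` trips through the server list on a simulated clock.

    responds(name, t) -> bool is a constructed stand-in for sending one poll
    packet at time t and seeing a reply. Returns [(t, name, event), ...].
    Assumption: a server already marked down gets the same retries as any other.
    """
    state = {name: "up" for name in servers}
    events, t = [], 0
    for _ in range(passes):
        for name in servers:
            ok = responds(name, t)
            tries = 0
            while not ok and tries < RETRIES:      # retry mode
                t += RETRY_INTERVAL
                tries += 1
                ok = responds(name, t)
            if not ok and state[name] == "up":
                events.append((t, name, "ALARM: down"))
            elif ok and state[name] == "down":
                events.append((t, name, "back up"))
            state[name] = "up" if ok else "down"
            t += POLL_INTERVAL                     # move on to the next server
    return events

def outage_model(outages):
    """Build a responds() callback from {name: (start, end)} outage windows."""
    def responds(name, t):
        start, end = outages.get(name, (0, 0))
        return not (start <= t < end)
    return responds

def worst_case_delay(n_servers):
    """Longest failure-to-alarm time when every other server answers at once."""
    return n_servers * POLL_INTERVAL + RETRIES * RETRY_INTERVAL

if __name__ == "__main__":
    servers = ["FS1", "FS2", "FS3", "FS4"]         # constructed names
    print(monitor(servers, outage_model({"FS3": (100, 200)}), passes=5))
    print(monitor(servers, outage_model({"FS3": (100, 140)}), passes=5))
    print(worst_case_delay(len(servers)))
```

In the second run a 40-second outage falls between two polls of FS3 and is never reported. With n servers on the list, an alarm can trail the failure by up to n x 15 + 6 seconds, so a long list means slow detection.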
There is no way to "Fix" or "Set" the list to poll. You can only determine the servers you want or do not want.

The easiest way to see this algorithm in action is to set up a capture filter between "This Workstation" and "ANY." Let server monitoring run for an hour or so. Then "Post Filter" on NetWare SAPs. Do this by double clicking on the SAP layer in the decode, and it will appear as follows:

=========== Service Advertising Protocol =============

Router polling is exactly the same except that NetWare RIP packets are used in place of SAP packets.

13. Question
What does "Server Record Mismatch" mean?

13. Answer
You had a GP Fault in LZFW and tried to start again without rebooting. You must reboot Windows after any GP Fault.

14. Question
How is a "server overload" detected?

14. Answer
When a workstation sends a request (say a file read) the server will normally respond in a few milliseconds or less. If it takes more than 1 or 2 seconds, the client assumes that the packet was dropped and retransmits it. The server sees the second request as a duplicate of the one it already queued and sends the "Hold on" packet. These "hold on" packets are seen by LZFW and if enough of them occur in 1 minute (15 by default) then we send an alarm.

The user may start noticing a slowdown of the network at the same time. This will allow you to begin responding to the problem before the users know what's happening. See the NetWare expert help and tutorial in LZFW for more information on likely causes and solutions for this problem.

15. Question
There seems to be something wrong with the name file. Not all of my names are being used.

15. Answer
There are a few things known to cause problems with the name file. Check the name file and correct any of the following conditions:

-- A. Names must be no longer than 20 characters.
-- B. There must be no blank lines.
-- C. There must be a after every line including the last.
The algorithm that removes duplicate names at the end of name gathering has a limitation. The limitation is that it can only deal with 1024 names. When you do name gathering, the current name file is copied into a buffer and the new names from the current name gathering are added to it. Once you get over 512 names in the file, you really can't add to it.

The solution for large name files is to merge the files by hand. Save the original name file and delete everything except for the broadcast address and name. Then rerun name gathering and merge the 2 files by hand. You can remove the duplicates manually as well, if necessary.

If you use the tool on many networks and really only need a subset at any one time, consider maintaining multiple name files. That is, give each network its own name file and just remember to copy the correct one over to NAMES_ET.CSV or NAMES_TR.CSV.

-----------------------------------------------------------------
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.
-----------------------------------------------------------------
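
The "server overload" alarm from answer 14, as an added example (not Novell's code and not part of the original TID): it counts "hold on" packets per server over the last 60 seconds and alarms at the default threshold of 15. The trace, the server names, the hold_on label, the sliding window and the one-alarm-per-episode behaviour are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60      # seconds: "in 1 minute" (sliding window is an assumption)
THRESHOLD = 15   # default number of "hold on" packets that raises the alarm

def overload_alarms(observations, window=WINDOW, threshold=THRESHOLD):
    """observations: (t_seconds, server, kind) tuples sorted by time.

    Returns [(t, server), ...], one entry each time a server reaches the
    threshold. Assumption: a server re-arms once its count drops below it.
    """
    recent = defaultdict(deque)            # server -> hold-on timestamps
    armed = defaultdict(lambda: True)
    alarms = []
    for t, server, kind in observations:
        if kind != "hold_on":              # hypothetical label for the busy reply
            continue
        q = recent[server]
        q.append(t)
        while q and q[0] <= t - window:    # drop packets older than the window
            q.popleft()
        if len(q) >= threshold:
            if armed[server]:
                alarms.append((t, server))
                armed[server] = False
        else:
            armed[server] = True
    return alarms

def sample_trace():
    """Constructed trace: FS1 is overloaded twice, FS2 is only briefly busy."""
    obs = [(t, "FS1", "hold_on") for t in range(0, 42, 2)]
    obs += [(t, "FS1", "hold_on") for t in range(200, 230, 2)]
    obs += [(t, "FS2", "hold_on") for t in range(0, 300, 10)]
    obs += [(t, "FS1", "reply") for t in range(50, 200, 5)]
    return sorted(obs)

if __name__ == "__main__":
    for t, server in overload_alarms(sample_trace()):
        print(f"t={t}s server overload: {server}")
```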