Expert Sniffer® Network Analyzers

The Network General Expert Sniffer Network Analyzer(TM) is a vital network management tool that helps maintain, troubleshoot, fine-tune, and expand multitopology, multiprotocol networks. It observes segments, learns their unique characteristics, and automatically uncovers a wide variety of problems. Once problems are discovered, the Expert SnifferNetwork Analyzer quickly pinpoints their origins to help resolve them.

FEATURES & BENEFITS

• Identifies network problems automatically in real time with Expert Analysis
• Decodes over 200 LAN and internetwork protocols
• Focuses troubleshooting efforts on real time problems with Expert Analysis
• Facilitates identification of protocol problem locations by delivering full seven-layer protocol decodes with English text interpretations

Increases Productivity of Network Professionals:

• Explains possible causes for network problems in English text
• Collects Expert Analysis data automatically based on user-specified time intervals, and data parameters

Reduces Network Operating Costs:

• Learns network configurations continuously
• Shows breakdown of network protocol activity automatically
• Delivers network errors, frame size, and station statistics for specified stations
• Enables creation and generation of management reports in spreadsheet and database programs or the Network General Reporter* application

EXPERT ANALYSIS

Using this combination of programmed and learned network knowledge, the Expert Sniffer Network Analyzer studies captured packets and alerts managers to network problems.

The analyzer performs Expert Analysis on TCP/IP, Banyan VINES, Novell NetWare, DECnet, Sun NFS, X-Window, AppleTalk, OSI, NetBIOS, OS/2 LAN Manager, 3Com 3+Open, XNS, and IBM LAN Server protocol families.

EXPERT ANALYSIS

Expert Analysis provides three types of diagnostic information: symptoms, diagnoses, and explanations.

Symptoms. A symptom is an event that a network manager might want to investigate. For example, a symptom could be a single file retransmission or a physical error.

Diagnoses. A diagnosis is a condition that, in the judgment of the system, is a network fault which the network manager should investigate and take action to remedy. A diagnosis occurs when a symptom repeats itself frequently (such as excessive file retransmissions) or where there is a single instance of a major network problem (such as a duplicate network address).

Explanations. An explanation is a network-specific definition of the condition. Based on each symptom and diagnosis, the Expert Sniffer Network Analyzer creates an explanation and suggests causes. In addition, network managers can add customized Explain text.

With one-key filtering, the Expert Sniffer Network Analyzer displays packets associated with problems, enabling more detailed analysis.

Network managers can proactively schedule the collection of Expert Analysis information. Based on specified time intervals, automated actions can be scheduled such as save in CSV format, save trace file, reset statistics, clear and load names, and load setup file.

PROTOCOL INTERPRETATION

Flexible windowing allows users to display network traffic in a variety of formats. Three formats -- Summary, Detail, and Hex -- are available simultaneously. Multiple viewports allow for up to six windows on the same screen.

The Sniffer Network Analyzer troubleshoots distributed ORACLE7 databases with the optional Oracle SQL(TM) Net protocol decode capability in the Network General Sniffer Network Analyzer Database Module(TM).

Interpretation Features
Capture Filters

• Protocol (Ethertype or 802.2 LLC SAP)
• Pattern match (eight pattern combinations)
• Good frames (Ethernet)
• Error frames (bad CRC, short frames, collisions) (Ethernet )

Display Filters

• Address level
• Destination class
• Station address
• Protocol (seven layer)
• Pattern match (eight pattern combinations)
• Good frames (Ethernet)
• Error frames (bad CRC, short frames, collisions) (Ethernet )
• Address level and destination class

Triggers

• Good frames (Ethernet)
• Error frames (bad CRC, short frames, collisions) (Ethernet)
• Pattern match (eight pattern combinations)

Load the network with:

• The same frame repeatedly
• The user-edited contents of the capture buffer gives users a wide selection of packets to test networking devices

NETWORK MONITORING

Statistics

Network Statistics

• Current network utilization %
• Average network utilization %
• Total frames monitored
• Current frames
• Total bytes
• Current bytes
• Total average frame size
• Current average frame size
• Total number stations
• Active number stations
• Ring state (token ring)
• Maximum inserted stations (token ring)
• Current inserted stations (token ring)

Error Statistics

• Number of CRC/alignment errors (Ethernet)
• Number of runt errors (Ethernet)
• Number of collisions (Ethernet)
• Total frame errors (Ethernet)
• Oversized frames (token ring)
• Ring purges (token ring)
• Soft error reports (token ring)

Protocol (Ethertype and SAP) Statistics

• Network utilization % by protocol
• Number of frames by protocol
• Number of bytes by protocol

• % of frames by frame size
• Number of frames by frame size

• Traffic received
• Traffic transmitted
• Combined transmitted and received
• Average network utilization %
• Current network utilization %
• Total frames in sample
• Start time (first frame seen)
• End time (last frame seen)
• Elapsed time
• Station status (token ring)

Traffic history is tracked for the entire network at adjustable intervals from 5 seconds to 24 hours and can be automatically logged to disk.

Parameters

• Timestamp
• Number of frames
• Number of errors
• Number of bytes
• Average frame size
• Network utilization

• Routed frame distribution by route length
• Number of frames by route length

• % and number of frames by route type
• To/from local ring
• To/from remote rings
• To/from broadcast/other addresses

Alarms can be set network-wide as well as individually for each station. Alarm actions may be any combination of logged to printer, logged to disk, or audible.

Network Alarms

• Intruder alarm
• Rate of error threshold
• Network idle time threshold
• Network utilization % threshold
• Rate of broadcast frames threshold
• Oversize frame alarm
• Collision % threshold (Ethernet)
• Broadcast source address (Ethernet)
• Ring beaconing alarm (token ring)
• Ring polls fail alarm (token ring)

• Network utilization threshold
• Number of errors threshold
• Idle time threshold
• No response time threshold

NETWORK TOPOLOGY SPECIFICATIONS

                              Ethernet                   Token Ring

Expert Analysis                  X                            X


Protocol Interpretation          X                            X


Network Monitoring               X                            X


Network Capability            IEEE 802.3                  token ring
                       10BASE5,10BASE2,10BASE-T           IEEE 802.5

Interface                 IEEE 802.3
                          DB-15 DIX or                    token ring
                  BNC for on-board tranceiver      IEEE 802.5 with DB-9 Female
                       UI, BNC and RJ-45 
                   combined on a single board


Data Rate                      10 Mbps                       16/4 Mps


Timestamp                      15 µs resolution               500 µs
                               100 µs on display