Tips For Capturing a Network Trace

Network traces can be helpful when attempting to solve various issues with the AccessNFS products.  To capture a network trace, a common utility is used to record the conversation between one computer and any other computer or between two computers.  This document provides a brief explanation of how to capture a network trace from a Sun or SGI machine or from a Windows machine.

Whenever an issue is reported to the Shaffer Solutions support organization, an analyst may ask if some type of network trace utility is available to help resolve the problem.  Often the analyst will ask about the availability of the snoop or netmon utilities.  Although this document attempts to provide information, the user should consult the utility’s own documentation for the most up-to-date and detailed information.

Shaffer Solutions neither owns nor provides any network trace utility.  Many Operating System vendors provide utilities to capture network traces.  When providing Shaffer Solutions with captured network data, please indicate the name of the software that was used to capture the data.  We have the capability to analyze traces from the following packages:

Company                       Product
Agilent                       Agilent LAN Analyser
Cinco (now Network Assoc.)    NetXray® (after Rel 2.0)
Digitech Inc                  LAN900™
Ethereal                      Ethereal
Fluke                         Protocol Inspector®
HP/Agilent Technologies       Internet Advisor LAN™
HP/Agilent Technologies       Internet Advisor LAN™/49xx
IBM                           DatagLANce™
Microsoft                     Network Monitor (1.2 and 2.0)
Network Associates            Sniffer® (DOS version incl. compressed files)
Network Associates            SnifferBasic/Pro® (through Rel. 3.5)
Network Instruments           Observer®
Novell                        LANalyzer® for Windows
Precision Guesswork           LANWatch™
Shomiti                       Surveyor™
Sun Microsystems              Snoop
TTC                           Fireberd500™
TTC                           Fireberd500™ PC
UNIX and Linux                tcpdump
Wavetek Wandel Goltermann     Domino™
Wavetek Wandel Goltermann     LinkView™ Pro
WildPackets                   EtherPeek™/TokenPeek™

Section 1.  CAPTURING A NETWORK TRACE FROM SUN AND SGI SYSTEMS

Snoop is a utility that can capture network packets of data and display the contents of the packets.  The Snoop utility, found on UNIX operating systems, is known to exist for operating systems provided by Sun and SGI. 

Since the support analyst may request a copy of the captured data, it is best to have Snoop automatically save the binary captured data to a file. 

The syntax to capture a network trace is:

snoop -o <FileName> [<computer1> | <computer1> <computer2>]

For example:

snoop -o MyCapture mycomputer

- OR -

snoop -o networkdata myserver mycomputer

To stop the capture process, press the Control key and the C key together.  The captured data will be located in the specified binary file.  In the first example above, the data will be located in the file named MyCapture.

When troubleshooting a network problem, send the captured binary network trace file to the support analyst.  Include other necessary information, such as the IP addresses of the client and server systems, plus the steps invoked to reproduce the problem and/or the error messages.

NOTES

Do not start the network capture until the application that is experiencing problems (DiskAccess or DiskShare) has been set up and prepared to fail.  This will minimize the network traffic and the captured network data.

The computer that is running snoop must be on the same network segment as the computer whose network data it is attempting to capture.  See the snoop documentation or the network administrator if network data is not being captured.

Once the network packets have been captured and placed into a file, the Snoop utility can also be used to either directly view the data or to translate the data and place it into a file. 

To translate the captured network data and place the translation into an ASCII file, the syntax would be:

snoop -i <FileName> [<snoop options>] > OutputFileName

For example:

snoop -i MyCapture -tr > MyOutput

Causes the data located in MyCapture to be translated into a summary format with all of the time information relative to the first packet.  The translated data will be placed into the file named MyOutput.

The example below:

snoop -i MyCapture -v > MyOutput

Causes the data located in MyCapture to be translated into a verbose format.  Each protocol layer of a packet’s data will be extracted and stored in the file named MyOutput.

Another example:

snoop -i MyCapture -v -x0 > MyOutput

Causes the data located in MyCapture to be translated into a verbose format.  The data located in the last protocol layer starting with the first packet and going to the last packet will be displayed in hexadecimal in the file named MyOutput.
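
A check that can be run on a capture file before it is sent to the analyst, given here as an added example that is not part of the original document: it names the tool family from the file signature (the information the analyst asks for) and, for snoop files, walks the RFC 1761 packet records to confirm that the file holds packets and is not cut short. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Signatures: snoop per RFC 1761; the libpcap (tcpdump/Ethereal) and
# Network Monitor values are the well-known magic numbers of those formats.
SNOOP_MAGIC = b"snoop\x00\x00\x00"
OTHER_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "tcpdump/Ethereal (libpcap, big-endian)",
    b"\xd4\xc3\xb2\xa1": "tcpdump/Ethereal (libpcap, little-endian)",
    b"RTSS": "Microsoft Network Monitor 1.x",
    b"GMBU": "Microsoft Network Monitor 2.x",
}
REC_HDR = 24  # six 32-bit big-endian fields precede each packet's data

def identify(data: bytes) -> str:
    """Name the capture tool family from the first bytes of a trace file."""
    if data[:8] == SNOOP_MAGIC:
        return "Sun snoop"
    return OTHER_MAGICS.get(data[:4], "unknown")

def snoop_summary(data: bytes) -> dict:
    """Walk the records of a snoop file and report what it holds."""
    if len(data) < 16 or data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file")
    version, datalink = struct.unpack(">II", data[8:16])
    offset, packets, complete = 16, 0, True
    while offset < len(data):
        if offset + REC_HDR > len(data):
            complete = False          # file ends inside a record header
            break
        _orig, incl_len, rec_len = struct.unpack(">III", data[offset:offset + 12])
        if rec_len < REC_HDR + incl_len or offset + rec_len > len(data):
            complete = False          # inconsistent lengths or cut-off data
            break
        packets += 1
        offset += rec_len
    return {"version": version, "datalink": datalink,
            "packets": packets, "complete": complete}

def make_record(payload: bytes) -> bytes:
    """Build one constructed packet record (zero timestamp, 4-byte padding)."""
    pad = -len(payload) % 4
    header = struct.pack(">IIIIII", len(payload), len(payload),
                         REC_HDR + len(payload) + pad, 0, 0, 0)
    return header + payload + b"\x00" * pad

# Constructed sample: version 2, datalink 4 (Ethernet), two dummy frames.
SAMPLE = (SNOOP_MAGIC + struct.pack(">II", 2, 4)
          + make_record(b"\xaa" * 60) + make_record(b"\xbb" * 61))
```

On a real file, pass the bytes read with open("MyCapture", "rb").read() to identify() and snoop_summary().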

Section 2.  CAPTURING A NETWORK TRACE FROM WINDOWS USING MICROSOFT NETMON

Microsoft’s Network Monitor (or NetMon) is a network diagnostic tool that captures and displays network packet traffic on a Windows computer. This tool comes in two versions: a basic version and the full version. 

The basic version, which can only capture data from the machine on which it is installed, is available from the Windows NT or Windows 2000 Server CD.

The full version of Netmon is available on the BackOffice CD as part of Microsoft’s Systems Management Service (SMS).  Netmon can be installed on Windows 9x, Windows NT, and Windows 2000. This document explains how to capture a network trace with Netmon using the full version.

Once NetMon is installed on the machine where one wishes to capture traffic, invoking NetMon will display the main dialog as shown in Figure 1.

Figure 1. The Netmon Utility Interface


NOTE

NetMon will capture network traffic to its predefined buffer.  By default the buffer size is set to 1MB.  In some cases, the buffer size may need to be increased in order to capture more network data.  To increase the buffer size, click Capture-Buffer Settings.  Specify the new buffer size by using the pull down menu of the Buffer Size (MB) option located in the Capture Buffer Settings dialog.

By default, NetMon captures every packet that the machine can “see” on its network connection. Most often it is desirable to set up a capture “filter” that captures only the traffic going in and out of the machine where NetMon is running. This is done by selecting the Capture pull-down menu and selecting Filter; see Figure 2.

Figure 2. The Netmon Capture Menu


Once “Filter” is selected, a second dialog appears, as in Figure 3, showing the filter that is configured and the direction. You can see from this figure that, by default, traffic is accepted from any station in both directions.

Figure 3. Defining the Capture Filter for a Network Trace


Double-click on the highlighted “INCLUDE” line. This brings up a dialog titled “Address Expression”. As you can see in Figure 4 below, there are two panes with a list of machines. There is also a direction arrow denoting the flow of traffic that will be filtered. Select the machine that will be capturing data in the left pane. In this example, the node name of the machine is “GEETEE”.

Figure 4. Specifying a machine for a network trace

Once you select OK, you should be back at the “Capture Filter” dialog showing the name of the machine to the left of the direction arrow, as shown in Figure 5.

Figure 5. Capturing a Network Trace for a Specific Machine


Once you click OK on this dialog, you are ready to start the capture. Select the Capture pull-down menu, then select “Start” (or F10) to start the network capture.

NOTE

Do not start the network capture until the application that is experiencing problems (DiskAccess or DiskShare) has been set up and prepared to fail.  This will minimize the network traffic and the captured network data.

When the machine starts to hear and filter packets, you will notice the Netmon screens collecting activity.  Figure 6 is a screen shot of Netmon capturing network packets.

Figure 6. Example of the Netmon Utility Capturing a Network Trace


Once you are finished capturing the data, select the Capture pull-down menu and select Stop (or F11). You may now save the capture that you just gathered, by selecting the File pull-down menu and selecting Save As.  Once the capture file is saved, you may view your captured data or exit.

When troubleshooting a network problem, send the captured binary network trace file to the support analyst.  Include other necessary information, such as the IP addresses of the client and server systems, plus the steps invoked to reproduce the problem and/or the error messages.

For more information on how to use NetMon and how to install it on Windows 9x systems, please see the Microsoft web links given below.

How to Capture Network Traffic with Network Monitor:

http://support.microsoft.com/support/kb/articles/Q148/9/42.ASP

How to Install Network Monitor in Windows 95/98:

http://support.microsoft.com/support/kb/articles/Q200/9/10.ASP

Microsoft Security Bulletin (MS00-083):

http://www.microsoft.com/technet/security/bulletin/MS00-083.asp

Section 3.  CAPTURING A NETWORK TRACE FROM WINDOWS USING ETHEREAL

The Ethereal Utility is a network diagnostic tool that captures and displays network packet traffic on a Windows computer.  Ethereal relies on the WinPcap utility to capture network traffic.  This section briefly explains how to capture a network trace using Ethereal.

Ethereal can be installed on Windows 2000, Windows NT and Windows 98/95.  You can also install Ethereal on AIX, Tru64, Debian GNU/Linux, Red Hat Linux, FreeBSD, OpenBSD, NetBSD, HP/UX, and Sparc/Solaris 8.

NOTE

WinPcap does not work on multi-processor machines.

Follow the instructions below to capture a network trace using WinPcap and Ethereal on Windows 2000.

  1. Download and install WinPcap.
  2. Download and install Ethereal.
  3. Double-click the Ethereal icon on the Windows Desktop to invoke the application.  The Ethereal Main dialog displays as shown in Figure 7.

    Figure 7.  Example of the Ethereal Utility Capturing a Network Trace

  4. Click ‘Capture’, then click ‘Start’.  The Ethereal Capture dialog displays.
    Specify the appropriate Network Interface Card from the INTERFACE field.  In most cases, the proper card is already specified; however, it is recommended that the interface be confirmed before obtaining a network trace.
    Key in the host option followed by <your Windows hostname> in the FILTER field, as shown in Figure 8.  This will capture network traffic sent to/from your Windows system only, eliminating any non-related information from the trace.

    Figure 8.  Example of the Ethereal Utility Capturing a Network Trace

  5. Click ‘OK’ when you are ready to start capturing network information.
    NOTE
    Do not start the network capture until the application that is experiencing problems (DiskAccess or DiskShare) has been set up and prepared to fail.  This will minimize the network traffic and the captured network data.
  6. Click ‘STOP’ on the Ethereal - Capture dialog after the application problem has been reproduced or the error message has been displayed.  This will terminate the network capture and will load all information in the Ethereal Main dialog.
  7. Select File, then Save As.  The Ethereal: Save Capture File As dialog displays.  Key in an appropriate location and filename for the current network capture.

When troubleshooting a network problem, send the captured binary network trace file to the support analyst.  Include other necessary information, such as the IP addresses of the client and server systems, plus the steps invoked to reproduce the problem and/or the error messages.

For more information on how to use Ethereal and WinPcap, see the web links given below.

WinPcap D/L Site: http://winpcap.polito.it/install/Default.htm

Ethereal D/L Site: http://www.ethereal.com/docs/user-guide/x1061.html