Diagnoses
Javvin Packet Analyzer diagnoses your network from the captured packets and lists all diagnosis events with a severity level. From the Diagnoses view, you can see the event count by network layer as well as event-related information such as source, destination and packet number. The severity level indicates whether the event is an informational message, a minor error or a critical error.
The subviews in the lower section provide more detailed information about the row currently selected in the upper view. For example, when "Application Layer" is highlighted, the Events subview presents all diagnosis events on the application layer. In addition to the default columns, you can display more columns by clicking on the column bar and selecting "More...". Double-clicking an event opens a new window showing the packets related to that event. The References subview offers a description of the current event with possible causes and solutions, which is helpful for troubleshooting your network.
According to the severity levels of diagnosis, Javvin Packet Analyzer contains four kinds of events:
- Information
The Information severity level indicates that the current event is a normal message; no corrective action is required.
- Notice
The Notice severity level indicates a normal but significant condition; the event may require special handling.
- Warning
The Warning severity level indicates that an error has occurred which requires your attention and should be addressed soon.
- Critical
The Critical severity level indicates a serious error condition which requires immediate intervention by administrators.
This chapter provides reference information for all diagnosis events, including event description, possible causes and solutions.
Diagnosis references - application layer
Javvin Packet Analyzer offers expert diagnosis for the following application layer events.
Severity: Notice
| Event | Description | Threshold | Possible causes and solutions |
| --- | --- | --- | --- |
| Domain Name is Inexistent | The domain name referenced in the query does not exist. | Information | * The requested domain doesn't exist.<br>* User types in an invalid domain. |
| DNS Server Slow Response Time | The average response time from the server is higher than the Slow Response Time threshold. | | The web server is overloaded. |
| DNS Error | The server response to the required host or domain is not implemented. | | * Format error<br>* Server failure<br>* Refused<br>* Not Implemented<br>* Reserved |
| HTTP Server Slow Response Time | The average response time from the server is equal to or higher than the Slow Response Time threshold. | Slow Response Time - 150 milliseconds | The web server is overloaded. |
| POP3 Server Slow Response Time | The average response time from the server is equal to or higher than the Slow Response Time threshold. | Slow Response Time - 150 milliseconds | The POP3 server is overloaded. |
| SMTP Server Slow Response Time | The average response time from the server is equal to or higher than the Slow Response Time threshold. | Slow Response Time - 150 milliseconds | The SMTP server is overloaded. |
| FTP Server Slow Response Time | The average response time from the server is equal to or higher than the Slow Response Time threshold. | Slow Response Time - 150 milliseconds | The SMTP server is overloaded. |
Severity: Warning
| Event | Description | Possible causes and solutions |
| --- | --- | --- |
| HTTP Basic Authentication Failure | The failure of an HTTP client's authentication request results in the immediate denial of authentication. | Check for invalid login username or password. |
| HTTP Non-HTTP Traffic | An HTTP 80/TCP connection contains non-HTTP traffic. | * An application running on TCP port 80 produces non-HTTP traffic.<br>* Verify the traffic content of source station and destination station. |
| HTTP Server Error | HTTP server returns a 5xx error code to indicate a server error; the client's request is usually valid. | |
| POP3 Logon Failure | A POP3 client fails to log in to a server. | Check for invalid login username or password. |
| POP3 Non-POP3 Traffic | A POP3 110/TCP connection contains non-POP3 traffic. | * An application running on TCP port 110 produces non-POP3 traffic.<br>* Verify the traffic content of source station and destination station. |
| SMTP Logon Failure | An SMTP client fails to log in to a server. | Check for invalid login username or password. |
| SMTP Non-SMTP Traffic | An SMTP 25/TCP connection contains non-SMTP traffic. | * An application running on TCP port 25 produces non-SMTP traffic.<br>* Verify the traffic content of source station and destination station. |
| FTP Logon Failure | An FTP client fails to log in to a server. | Check for invalid login username or password. |
| FTP Non-FTP Traffic | An FTP control 21/TCP connection contains non-FTP control traffic. | * An application running on TCP port 21 produces non-FTP control traffic.<br>* Verify the traffic content of source station and destination station. |
| FTP Data Connection Failure | An initiated FTP data connection fails to be created. | * A firewall blocks the FTP data connection.<br>* The FTP server does not accept PASV FTP data connections. |
| Telnet Logon Failure | A Telnet client fails to log in to a server. | Check for invalid login username or password. |
Severity: Information
| Event | Description | Possible causes and solutions |
| --- | --- | --- |
| HTTP Request Not Found | HTTP server returns this error when the requested URL was not found. | * User types in an invalid Uniform Resource Locator (URL).<br>* The connection to the web server is broken. |
| HTTP Client Error | HTTP server returns a 4xx error code other than 404 (Request Not Found) to indicate a client error. | |
Severity: Critical
| Event | Description | Possible causes and solutions |
| --- | --- | --- |
| POP3 Server Returned Error | A POP3 connection or request is rejected by a POP3 server after a TCP connection has already been established. | * The client issues an invalid command.<br>* The server is busy. |
| SMTP Server Returned Error | An SMTP connection or request is rejected by an SMTP server after a TCP connection has already been established. | * The client issues an invalid command.<br>* The server is busy. |
| FTP Server Returned Error | An FTP connection or request is rejected by an FTP server after a TCP connection has already been established. | * The client issues an invalid command.<br>* The server is busy. |
Diagnosis references - transport layer
Javvin Packet Analyzer offers expert diagnosis for the following transport layer events.
Severity: Notice
| Event | Description | Threshold | Possible causes and solutions |
| --- | --- | --- | --- |
| TCP Reset Inactive Connection | An established TCP connection has been reset by one end of the connection after the Reset Inactive Connection threshold is reached. | Reset Inactive Connection - 15 seconds | * A TCP server resets a client connection if the client has been idle for too long.<br>* Many older Web browsers use Reset Connection to shut down their HTTP connections; however, newer browsers are better at complying with the TCP disconnection procedures. Because many older browsers are still in use, TCP Reset Connection events are very common in many of today's LANs. |
| TCP Retransmission | The sender does not receive an acknowledgment (ACK) from the receiver, and therefore retransmits the packet. | | * The acknowledgment packets are being transmitted via a slower path.<br>* The network load is very high.<br>* The receiver or router is overloaded. |
Severity: Warning
| Event | Description | Threshold | Possible causes and solutions |
| --- | --- | --- | --- |
| TCP Repeated Connect Attempt | A client is attempting multiple times to establish a TCP connection. | | A firewall may be blocking the SYN packet sent from the client to the server, or the ACK packet sent from the server to the client. |
| TCP Connection Refused | A client's initial TCP connection attempt has been rejected by the target host. | | * A client is requesting a service that the host does not offer.<br>* There are no more available resources on the server to accept new connections. |
| TCP Too Many Retransmissions | The percentage of retransmissions on a connection is equal to or higher than the Too Many Retransmissions threshold. | Too Many Retransmissions - 10% | * The acknowledgment packets are being transmitted via a slower path.<br>* The network load is very high.<br>* The receiver or router is overloaded. |
| TCP Fast Retransmission | A TCP sender retransmits a packet before the Fast Retransmission threshold is reached. | Fast Retransmission - 150 milliseconds | * The acknowledgment packets are being transmitted via a slower path.<br>* The network load is very high.<br>* The receiver or router is overloaded. |
| TCP Invalid Checksum | The checksum of a TCP header and/or data is in error. The checksum value is calculated by the sender and written to the packet, and then recalculated from the received packet by the receiver. It indicates an error if the two values are different. | | * There is a faulty device on the network.<br>* If the checksums of all local packets are shown as invalid, the checksum offload feature may have been enabled. In this case the adapter performs the cycle-intensive process of calculating the CRC, and the Windows TCP/IP stack does not calculate the IP and TCP checksums and leaves them as 0x0000. Javvin Packet Analyzer collects the copy of each outgoing packet before it goes to the adapter. To fix this issue, disable the adapter's Offload Transmit IP Checksum and Offload Transmit TCP Checksum features in the advanced setting dialog. |
| TCP Zero Window Too Long | The window size of one end of a TCP connection has been zero for longer than the time specified by the Zero Window Time threshold. | Zero Window Time - 500 milliseconds | * The receiver is very busy.<br>* There are insufficient network buffers in the receiving station.<br>* This is an indirect result of an application program's behavior. For example, the application may be waiting for some other event to happen, or the application may not be releasing the frame buffer.<br>* An application is very slow. |
| TCP Slow ACK | The time a connection has taken to acknowledge data exceeds the average acknowledgment time of the connection plus the Slow ACK Time threshold. | Slow ACK Time - 250 milliseconds | * The acknowledgment packets are being transmitted via a slower path.<br>* The network load is very high.<br>* The receiver or router is overloaded. |
| TCP Port Scan | A local or remote station is scanning the network for open TCP ports. | | Port scanning is an intrusion indicator. |
| UDP Invalid Checksum | The checksum of a UDP header and/or data is in error. The checksum value is calculated by the sender and written to the packet, and then recalculated from the received packet by the receiver. It indicates an error if the two values are different. | | There is a faulty device on the network. |
Severity: Information
| Event | Description | Threshold | Possible causes and solutions |
| --- | --- | --- | --- |
| TCP Reset Connection | An established TCP connection has been reset by one end of the connection; this results in an abnormal termination of the TCP connection. | | * A server drops the connection because of improperly configured resources or router problems.<br>* A user aborts the Web connection due to slow response from a server.<br>* Many older Web browsers use Reset Connection to shut down their HTTP connections; however, newer browsers are better at complying with the TCP disconnection procedures. Because many older browsers are still in use, TCP Reset Connection events are very common in many of today's LANs. |
| TCP Window Frozen | The TCP window size has been stuck for three or more consecutive packets and has dropped below a percentage of the maximum observed window for this conversation. | Window Frozen - 50% | Check the source station for insufficient network application. |
| TCP Low Window | The TCP window size has dropped below a percentage of the maximum observed window for this conversation. | Low Window - 10% | Check the source station for insufficient network application. |
Diagnosis references - network layer
Javvin Packet Analyzer offers expert diagnosis for the following network layer events.
Severity: Notice
| Event | Description | Possible causes and solutions |
| --- | --- | --- |
| IP Time-To-Live Too Low | An IP packet with a time-to-live field set to 0 or 1 indicates that the packet is about to expire. | * There is a routing table error somewhere in the network.<br>* The packet is looping.<br>* The originating IP host transmitted the packet with a low TTL to begin with.<br>* Try to locate the source of the original packet. |
| IP Fragment Missing | An IP packet has been fragmented and one of the fragments is missing. This will usually result in a retransmission. | * A fragment has been dropped by a switch or router.<br>* The traffic on the LAN is heavy. |
| IP Zero Broadcast Address | An IP packet is being sent with the old IP broadcast address of 0.0.0.0. | * This is an obsolete form of TCP/IP broadcast address.<br>* Check the source endpoint for applications that may be sending this packet. |
Severity: Warning
| Event | Description | Possible causes and solutions |
| --- | --- | --- |
| ICMP Destination Unreachable | A station receives an ICMP destination unreachable message. | The destination network does not exist. |
| ICMP Host Unreachable | A station receives an ICMP host unreachable message. | The destination host does not exist. |
| ICMP Net Unreachable | A station receives an ICMP network unreachable message. | The destination network does not exist. |
| ICMP Parameter Problem | A station sends an ICMP message indicating a parameter problem. | |
| ICMP Port Unreachable | A station receives an ICMP port unreachable message. | The destination port is not active on the station that sent the message. |
| ICMP Redirect for Host | A station receives an ICMP redirect message with the Code value set to 1 (redirect datagrams for the host). | A router may have sent the message to inform this station that a better route exists to its intended destination. |
| ICMP Redirect for Network | A station receives an ICMP redirect message with the Code value set to 0 (redirect datagrams for the network). | A router may have sent the message to inform this station that a better route exists to its intended destination. |
| ICMP Source Quench | A station receives an ICMP source quench message. | The station that sent the message may be down or rebooting. |
| IP Invalid Header Checksum | The checksum of an IP header is in error. The checksum value is calculated by the sender and written to the packet, and then recalculated from the received packet by the receiver. It indicates an error if the two values are different. | There is a faulty device on the network. |
| IP Duplicate Address | There is more than one MAC address associated with the same IP address. | * The newly assigned network address is not unique in the network and conflicts with the existing network addresses.<br>* The dynamically allocated network address is not proper.<br>* If the MAC addresses are routers, this is not a problem. |
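
The receiver-side recalculation described for IP Invalid Header Checksum, combined with the checksum offload case noted under TCP Invalid Checksum, can be reproduced outside the product. The following is an added example, not Javvin code: the function names, the `local_ips` parameter and the three sample headers are constructed for illustration, and the "offload-suspected" label is an assumption based on the page's statement that offloaded checksums are captured as 0x0000.

```python
import struct
from collections import Counter

def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones'-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_ipv4_header(packet: bytes, local_ips=frozenset()) -> str:
    """Classify the header checksum of one captured IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    header = packet[:ihl]
    # Summing the header with its stored checksum included gives 0 when intact.
    if internet_checksum(header) == 0:
        return "valid"
    stored = struct.unpack("!H", header[10:12])[0]
    src = ".".join(str(b) for b in header[12:16])
    # 0x0000 on a packet this host sent: captured before the adapter filled it in.
    if stored == 0 and src in local_ips:
        return "offload-suspected"
    return "invalid"

def triage(packets, local_ips):
    """Count classifications across a capture to separate offload from faults."""
    return Counter(check_ipv4_header(p, local_ips) for p in packets)

# Constructed 20-byte headers (192.168.0.1 -> 192.168.0.199, UDP).
VALID     = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
OFFLOADED = bytes.fromhex("450000730000400040110000c0a80001c0a800c7")
CORRUPT   = bytes.fromhex("45000073000040003f11b861c0a80001c0a800c7")  # TTL altered

if __name__ == "__main__":
    print(triage([VALID, OFFLOADED, CORRUPT], {"192.168.0.1"}))
```

If every "bad" packet in a capture lands in the offload-suspected bucket and none in invalid, the capture host's adapter settings are the likely explanation rather than a faulty device.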
Diagnosis references - data link layer
Javvin Packet Analyzer offers expert diagnosis for the following data link layer events.
Severity: Warning
| Event | Description | Threshold | Possible causes and solutions |
| --- | --- | --- | --- |
| ARP Too Many Unrequested Response | The percentage of unrequested ARP responses of a physical node is equal to or higher than the Unrequested Responses threshold. | Unrequested Responses - 50% | Check the source and target physical node for possible ARP spoofing. |
| ARP Request Storm | The number of ARP request packets per second exceeds the ARP requests/sec threshold, indicating that an ARP request storm has been detected. | * Sample Time - second<br>* ARP requests/sec - 10 | Check the source station for the application that sent the ARP requests. |
| ARP Scan | A station is scanning the network address via ARP requests. | | Check the source station for the application that performs the scanning. |
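
The ARP Too Many Unrequested Response check can be approximated over exported ARP records, alongside the IP-to-MAC conflict behind IP Duplicate Address. This is an added example, not the product's own logic: the record layout, the function names, the two-second matching window and the rule that one request is answered by one reply are assumptions, and the sample capture is constructed.

```python
from collections import defaultdict

UNREQUESTED_THRESHOLD = 50.0  # percent; the page's "Unrequested Responses" value
REQUEST_WINDOW = 2.0          # seconds a request stays answerable (assumption)

# Constructed sample capture: (time, op, sender_mac, sender_ip, target_ip)
SAMPLE_ARP = [
    (0.00, "request", "aa:aa:aa:aa:aa:01", "10.0.0.5", "10.0.0.1"),
    (0.01, "reply",   "aa:aa:aa:aa:aa:fe", "10.0.0.1", "10.0.0.5"),
    (5.00, "reply",   "aa:aa:aa:aa:aa:66", "10.0.0.1", "10.0.0.5"),
    (6.00, "reply",   "aa:aa:aa:aa:aa:66", "10.0.0.1", "10.0.0.5"),
    (7.00, "request", "aa:aa:aa:aa:aa:01", "10.0.0.5", "10.0.0.7"),
    (7.01, "reply",   "aa:aa:aa:aa:aa:03", "10.0.0.7", "10.0.0.5"),
    (9.00, "reply",   "aa:aa:aa:aa:aa:03", "10.0.0.7", "10.0.0.7"),  # gratuitous
]

def unrequested_reply_stats(packets, window=REQUEST_WINDOW):
    """Return {sender_mac: (replies, unrequested, percent_unrequested)}."""
    pending = {}                          # (requester_ip, asked_ip) -> request time
    counts = defaultdict(lambda: [0, 0])  # mac -> [replies, unrequested]
    for ts, op, mac, sender_ip, target_ip in sorted(packets, key=lambda p: p[0]):
        if op == "request":
            pending[(sender_ip, target_ip)] = ts
            continue
        counts[mac][0] += 1
        asked_at = pending.pop((target_ip, sender_ip), None)  # one reply per request
        if asked_at is None or ts - asked_at > window:
            counts[mac][1] += 1
    return {mac: (n, u, 100.0 * u / n) for mac, (n, u) in counts.items()}

def flag_nodes(packets, threshold=UNREQUESTED_THRESHOLD):
    """MACs whose unrequested share is equal to or higher than the threshold."""
    stats = unrequested_reply_stats(packets)
    return sorted(mac for mac, (_, _, pct) in stats.items() if pct >= threshold)

def conflicting_ips(packets):
    """IPs claimed as sender address by more than one MAC."""
    claims = defaultdict(set)
    for _, _, mac, sender_ip, _ in packets:
        claims[sender_ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

if __name__ == "__main__":
    print(unrequested_reply_stats(SAMPLE_ARP))
    print("flagged:", flag_nodes(SAMPLE_ARP))
    print("conflicts:", conflicting_ips(SAMPLE_ARP))
```

In the sample, the node ending `:03` reaches exactly 50% because of a single gratuitous ARP, which is why a flagged node still needs the manual check the table calls for; the node ending `:66` is both at 100% and in conflict with `:fe` over 10.0.0.1.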