?_|<22lpQ/<hd  B&WordMicrosoft Word  \- Courier New-- "-Z -  "-- "- --&S - "-S k--- "-S --- "-S --&g| "--($v^G0ykvk-- "--&%v^G0yk--&&ZgP --($^v  " . 8 ? E I yJ k^k-- "--&%^v  " . 8 ? E I yJ k--&--iR@--aZH@ Arial- Z.2 Z- \Local))%%..2 - \LAN)00.d}-f.2 f- \Segment-%)<%).d}@Times New Roman-'- "-q ] R @--- "- Y o --- "- o --- "- p ` e --- "-U n ----v N X O--n F ` W- e i.+2 e i- \NDIS network adapter,00-)%4)%%)%)%.d} .2  - \CMM2 or GAM088%)408.d}- m.2 m- \Board0)%).d}@Times New Roman-'-- t -- | -  .2  - \Remote0%<)%.d}9 .2 9 - \LAN)00.d}- .2  - \Segment-%)<%).d}-'--FX-->`- .2 - \Surveyor-)%%%).d}-.2 - \Software-)4%%.d}-'--f--^@ Arial- .2  - \Local Host==88H=8!.d}@Times New Roman- '&#'- "- $-- - "- ^-- - "-  -- - "- D0-- - "- D0-- &|, "- - $''- -&&# "- -% - -&& - "-  -- - "- -- - "- d=-- - "- ,-- - "- ,-- & "- - $- -&&  "- -%- -&-- -- - .2 - \Storage-)%)%.d}-6.2 6- \Device0%%%%.d}-'- "- &-- - "-  - - - "- r- - - "- - - - "- <- - ----- ;.2 ;- \NDIS,00-.d}!.2 ! - \CMM2 or GAM088%)408.d}-t4.2 t4- \Board0)%).-'--S  --J  -  .2  - \Remote HostH8Y=!8H=8!.- '----- . 2 - \Local Monitor/))%%8))).-.#2 - \Transmit/Capture)%)%<0%))%.-'- "-  -- -- -- - .%2 - \TCP/IP Connection)0--0)))%%)).-S.&2 S- \(LAN, modem, etc.))00<))%<%%.-'-- Y-- a- a."2 a- \Remote Monitor/0%<)%8))).-a.#2 a- \Transmit/Capture)%)%<0%))%.-'&B? -s- B$j~jmKmKmHmEoCrCuC} C} C E H K } }u Ku S} Sz Qw Nu K} T} TuK}N}Q{SxSuKuK~ $huhH ${ } {P -- &- "-  -- & h --  --  (-  .2 - \Surveyor-)%%%).- .2  - \Software-)4%%.-'&|{  - "- y ~ -- - "- y ^ -- - "- m  -- - "-   -- - "-   -- &|W  "- - $[   [ - -&&b } "- -%f x - -&&&b m - "- ` e -- - "- `  -- - "- T d =-- - "-  q -- - "-  q -- &? m "- - $C h h C - -&&I d "- -%M _ - -&&- -- --  - .%2  - \TCP/IP Connection)0--0)))%%)).-m .&2 m - \(LAN, modem, etc.))00<))%<%%.-'&Kl "- -%P "-  %}qP} %r- -&--A7-- I?- I.2 I- \Data0%%.d}-.2 - \Stream-%%<.d}-'& hN--  $)D:D3)") "- % 1D^  %Xc*)c- -&& 8 --  $   "- %  . %/   - -&&D, "- -%iXis- - $Zi0IZ $Hqiq--&&:$Do "- -%IfI- - $j?I) $h(>Ihi--&-- . -- &  -  .2  - \Data0%%.d}-S .2 S - \Stream-%%<.d}-'& "- -%%- - $1< $v--&- f"- 8P-- - f"-  1-- - f"- kF-- - f"-  @-- - f"- ip-- - f"- F L-- - f"- - F-- - "- -- --q%--i-- f.2 f- \Network0%4)%.d}-'&: =- "- -%f  - - $h > h' $( 8  --&&  "- -%  - - $   --&&  "- -% 5 - - $7  7 --&&D!t "- -%IJJ "-  %v&IJvm %nJ'- -&& % "- -% "-  %  %  - -&&  j "- -% ? @ "-  %  ? b % d @  - -&-/lp ( \wpwppppppppppppppppp? |bm16E |bm17SG |bm18EM |bm19R |bm2% |bm20|bm21_|bm22WV|bm23|bm24|bm25 |bm26 |bm27}|bm28|bm29|bm3 |bm30X"|bm31'|bm32-|bm33\2|bm347|bm35)=|bm36I|bm37O|bm38k|bm39Ͽ|bm4 |bm40Z|bm41|bm42{|bm43|bm44|bm45|bm460|bm47|bm48|bm49S|bm5H |bm50|bm51`|bm52|bm53|bm54! |bm55H|bm56|bm57o|bm58|bm59s|bm6 |bm60M|bm61|bm62|bm636|bm64@|bm65%|bm66'|bm67k|bm68s-|bm69 /|bm7v |bm70G|bm71|bm72^q|bm73|bm74|bm75|bm76|bm77ܲ|bm78ճ|bm79δ|bm8 |bm80ǵ|bm81|bm82|bm83|bm84|bm85|bm86|bm87|bm88|bm9 |bm98 w lpu$ @8 )&WordMicrosoft Word  Courier New-@Times New Roman- &.  - "-  R&WordMicrosoft Word R -Times New Roman- - "- #*  "--- "- !- -`"Arial- 2 `RCapture Buffer   '- "- G- -] Y- #2 !YRReal-Time Buffer  $  ' "-  - - "- $ - -  "- `7- - "- $5o4a+WLW- -  "- *o- - "- $hlg- - qn"Arial- 2 pRNet$'Rn- 2 pRDisplay$  '[4"Arial- )2 6RSurveyor + Interface-%!%!%'%%%"%' "- -  "- Uq- - "- $imi- - -   -  "-'&'-++lpi;,YU G.&WordMicrosoft Word   RCourier New-- "-6 -  "-&0&3- "-1--- "---- "-~--- "- --- "-D--&- "---"@ Arial- 6.2 6R NDIS<<7.b-X."2 XR network adapter3.A3 ..3.3. .@Times New Roman-'--+@--"H- H.2 HR Surveyor73 ...3 .-.2 R Software73A. ..@Times New Roman-'--.)--62@ Arial- 62.2 62 R Host SystemH=8!C88!8Y.@Times New Roman- '- "- t- - z- .2  R Host System<3.7...J.-.2 R MemoryE.J3 ..-'- "- Y|-- Nq@ Arial-  $.2 $R Capture0%))%.- @.2 @R Buffer0)%.@ Arial Black- '- "- 6PH-- --+ 7m --# ?v - ?v .2 ?v R Host SystemH=8!C88!8Y.- '- "-  -- --`k--Wc- .2  R Host SystemH=8!C88!8Y.- '&wE&s- "- -- - "- Uj-- - "- p-- - "- -- - "- v-- &s "- - $www- -&&~ "- -%- -&&&>I- "- <A-- - "- <-- - "- 0_8-- - "- aM-- - "- aM-- &I "- - $DD- -&&%@ "- -%);- -&&&6 a --b t --Z | -  .2 R Surveyor73 ...3 .-\ .2 \ R Software73A. ..-'&2 | &2 |R - "- zP B -- - "- z } -- - "- n  -- - "- \ N -- - "- C 5 -- &2 Y`  "- - $6 ][ 6 6 ]- -&&= cZ ~ "- -%A gU y- -&&&  - "-   -- - "- o  -- - "-   -- - "-    -- - "-    -- &   "- - $    - -&&   "- -%  - -&&&&s--y--q- .2 R Surveyor73 ...3 .-.2 R Software73A. ..-'&o&o'- "- ~-- - "- Q-- - "- -- - "- @+-- - "- @+r-- &o' "- - $s"s"s- -&&z "- -%~- -&&&- "- -- - "- "-- - "- {Z(4-- - "- -- - "- -- &f "- - $jj- -&&p "- -%t- -&&&- "- /w-- #l-  .2  R Real-Time0%%)<%.- ;.2 ;R Buffer0)%.- '- &^ - "- ^2- -- "-n :- -- "-  - -- "-$p- -- "-"- --- b;-- jC-` ..2 ` R Gigabit Analysis ModuleA3.3<3....E333..-'- "-  & -- --|  --t  -  $ .2 $ R Capture0%))%.- S@ .2 S@ R Buffer0)%.- '& - "-  r- -- "-  z- -- "-  - -- "- d Q- -- "-\ T - -- "- Q  -- --V # --M  -   .2 R Capture0%))%.-  .2  R Buffer0)%.- '--` --X -   .2  R Real-Time0%%)<%.-  .2  R Buffer0)%.- '--p  {--h -  [.,2  [R Century Media Module 2<.33 .E.3.E333...-'- "- Q { -- &  + "- -% 5 - - $ 7  7 $  & --&&'[ "- -%AA- - $WA, $+AV--&&xW "- -%4*- - $6| 6 $(R(}--&-lp      C (T  @ @ @@@@@`@```@@@@ @ @ @ @@ @ @ ` @` ` ` @ @ @ @ @@@@@ @@ @ @ @@@@@@@@`@@`@`@`@@@@@@@@@@@@@@@@@@@@@`@``` `@ ` ` `@`@@`@`@```@```````@````@````@````@```ƀ@ @ @@@@@`@```@@@@@ @ @@@@@`@```@@@@@ @ @@@@@`@```@@@@@ @ @@@@@`@```@@@@ۋ ߒےߒ ےۚےےے߃lp      C (T  @ @ @@@@@`@```@@@@ @ @ @ @@ @ @ ` @` ` ` @ @ @ @ @@@@@ @@ @ @ @@@@@@@@`@@`@`@`@@@@@@@@@@@@@@@@@@@@@`@``` `@ ` ` `@`@@`@`@```@```````@````@````@````@```ƀ@ @ @@@@@`@```@@@@@ @ @@@@@`@```@@@@@ @ @@@@@`@```@@@@@ @ @@@@@`@```@@@@ۋ ߒےߒ ےۚےےے߃oflp &H  &&TNPP8Q=Pu & TNPP &&TNPP  H t "-- & & f"-f- f }UH fV'| f| f fU f f fV' fUL f f ' &`"ArialT-.  2 SHOMITIks},b- &&TNPP &--"Systemn-~ul!18Surveyor Help$Surveyor from Shomiti Systems, Inc.$Surveyor from Shomiti Systems, Inc.BCB("Glossary_Btn","&Glossary","JI(`Surveyor.hlp>Gloss',`Index')")BrowseButtons()CB("ID_EXIT","Close","Exit()")ZglossGlossary((fQZ howtosmlSurveyor Help( QZ howtolrgSurveyor HelpQ=<QZ (w95sec)Surveyor Help2Q2QQZmainz [r  ? ? EQ1QToolbars and Buttons> ' .Buttons and ToolbarseQ!- *Toolbars and their buttons are shown below. Click on a button for a description of its function.:[' &SURVEYOR TOOLBAR4!0 0 "H![' BMODULE TOOLBAR ( SUMMARY VIEW)4 0 0 "=H' ,DETAIL VIEW TOOLBAR4 |0 0 "<H' *DATA VIEWS TOOLBARH|B T""">>' .CAPTURE VIEW TOOLBAR>|9 B""H>B T "" ">|9 B"" FH' >CREATE/MODIFY FILTER TOOLBAR5}0 0 " 7H'  STATE TOOLBAR4}0 0 " F.1$. Capture Filter Button?m' 0Capture Filter Buttonw. ( Display the State window for capture filters. The window displays a previously opened filter or the default filter.FmR1$R0Display Filter Button? ' 0Display Filter ButtonwR0( Display the State window for display filters. The window displays a previously opened filter or the default filter.N~1~BTransmit Specification ButtonG 0' @Transmit Specification Button}V~B' Brings up the Transmit specification dialog box to define a transmit specification.L1-o Transmit from Buffer ButtonEB' <Transmit from Buffer Buttonuo ' Brings up a the dialog box to select a capture file and then load the capture file to the module for transmission.<  1 ' Help Button5o ' Help ButtonG ' ( >Displays the help contents.A h 1h F Open File Button:' ' &Open File Button|h F ( Opens a capture file (.CAP). A dialog box will display showing the current directory with all files with extension .CAP.A 1  Save File Button:F ' &Save File Button^6  ( lSaves the current contents of this view to a file.; Z 1*Z I Search Box4  ' Search BoxZ I ) %Use the box to specify an ASCII text string to search for. Once the string is entered, press the search button to the right of the search box.> 1t Search Button7I '  Search Button ) Start search of the capture file contents for an ASCII string. Specify the string in the search box to the left. The first instance of the string is found starting from the current position in the capture file.< 1p 9@Copy Button5.' Copy Button9@) Copies the current contents of summary pane for pasting into other documents. A window displays with the text converted to ASCII format. Use the window to select the te.9@xt you want and copy it to the clip board.= .v@1 v@APrint Button69@@' Print Buttonb:v@A( tPrint the currently selected line in the Summary Pane.= @KA1 KAAPrint Button6AA' Print Button^6KAA( lPrint the contents of the currently selected view.AA B1] BE3F' .Create Filter ButtoneEF( Creates a new filter. The default filter appears in the State or the Create/Modify Filter window.E3FG1UGHOpen a Filter Button<FAG' *Open Filter ButtonGH) WOpens a filter. A dialog box displays to select the file. Capture filters are designated with an extension of .CFD files and display filters with an extension of .DFD.CAGXH1YXHnISave Filter Button<HH' *Save Filter ButtonXHnI) cSaves the current filter to a file. A dialog box displays to specify the file name and directory. Capture filters are saved as .CFD files and display filters as .DFD files.= HI1I=JPrint Button6nII' Print Button\4I=J( hPrints the current contents of the State window.; IxJ1 xJHKCut Button4 =JJ' Cut ButtontxJHK( Cut the selected State or ELSE IF statement. The button does not work if other types of statements are selected.; JK1(KpLAdd Button4 HKK' Add ButtonKpL) !Adds a new level if an ELSE statement or ROOT statement is selected. Adds a new ELSE if statement if a State or an IF statement is selected.HKL1oLMShow\Hide Detail ButtonApLL' 4Show/Hide Detail ButtonLM) {Shows or hides the details of the current filter. Details are the number of filters used per state (maximum = 8) and the types of frames being captured for each IF or ELSE IF statement.Y(L8N18NNLoad Filter Button (Capture Filter Only)=MuN' ,Load Filter Button rJ8NN( Load the contents of the Filter window to the currently active module.[*uNBO19BO,Unload Filter Button (Capture Filter Only)@NO' 2Disable Filter Button wBO,' Disable the current capture filter. Subsequent starting of the module will capture allO,N packets (use default filter).?Ok1k=Trigger Button8,' "Trigger Buttonsk=' Move to the trigger position in the current capture file. If no trigger position exists, move to the first line.C1k Keyboard Shortcuts<=' *Keyboard Shortcuts7'  FUNCTION KEYST vSleKeySummary ViewDetail ViewF1HelpHelpF2System SettingsCapture View Display OptionsF3Module SettingsModule SettingsF4Module Monitor View PreferencesCreate Display FilterF5Connect to RemoteCreate Capture FilterF6Load Capture FilterLoad Capture FilterF7Open Capture FileExpert Summary ViewF8Save CaptureSave CaptureF9Go to Detail ViewCapture ViewF10Start/StopStart/StopF11N/AN/AF12N/AN/A=-' ,FROM ALL WINDOWS...i54 8jVA}AiAlt + F4Close WindowCtrl + OOpenCtrl + SSave >-Ԅ' .FROM SUMMARY VIEW...|HP4 8VA}AiCtrl + TStart ModuleCtrl + PStop ModuleCtrl + RGo to Detail View=Ԅ' ,FROM DETAIL VIEW..._-P2 4ZVA}AiCtrl + TStart ModuleCtrl + PStop ModuleF2' >FROM CAPTURE VIEW WINDOW....s4? LiVA}AiHomeSelect the first lineEndSelect the last linePage upScroll up one pagePage downScroll down one pageUp arrowSelect the preceding lineDown arrowSelect the next lineRight arrowMove data in Summary pane one character to the rightLeft arrow Move data in Summary pane one character to the leftK$2' HFROM THE CAPTURE FILTER WINDOW..._/O0 0^Vi~iCtrl + NBring up new default capture filterN . ,@Vi~iCtrl + PPrint capture filterR"O0 0DVi~iHomeSelect the first statement=,G \Vi~iEndSelect the last statementPage upScroll up one pagePage downScroll down one pageUp arrowSelect the preceding statementDown arrowSelect the next statementTabSelect next stateShift + Tab Select previous statePlusExpand state (Numeric pad only)Asterisk (*)Expand branch (Numeric pad only)Minus (-)Collapse branch (Numeric pad only)Ctrl + AsteriskExpand all branches (Numeric pad only)SpaceBring up dialog box to edit statementDouble-clickBring up dialog box to edit statementf̍: BVi~iRight mouseList possible actionsInsertAdd a statement or add a state.If a ROOT or ELSE statement is selected, add a state.If an IF statement is selected, add an ELSE IF statement before the ELSE statement.If an ELSE IF selected, add an ELSE IF statement after the currently selected statement.If a state is selected, add an IF statement; if an IF statement already exists for the state, add an ELSE IF statement.DeleteDelete statement or state.If an ELSE IF selected, remove the statement.If a state is selected, remove the entire state.If any other statement is selected, Delete performs no action.*,' ?̍51"5Capture Button=r' ,Capture Mode Button~5( Places the currently selected resource in capture mode. This button is gray if the resource is currently active (started).?rW1WMonitor Button=' ,Monitor Mode ButtonW) Activates the monitor functions for the currently selected resource. If the resource does not support monitoring functions, the resource is put into capture mode. This button is gray if the resource is currently active (started).@1%Transmit Button>0' .Transmit Mode Button( Places the currently selected resource in transmit mode. This button is gray if the resource is currently active (started).C01Detail View Button<V' *Detail View Buttonh@( Brings up the Detail View for the currently active resource.CV1JLoad Filter Button<=' *Load Filter Button J) Brings up a dialog box to select a capture filter (.CFD extension). If a capture filter is opened, that filter is applied to the currently selected resource. This button is gray if the resource is currently active (started).E=1 Unload Filter Button>J' .Unload Filter Button%) If a filter is loaded for the currently selected module, the filter is disabled. This button has no function if the currently selected resource is in transmit or monitor only mode. This button is gray if the resource is currently active (started).M?1!?Transmit Capture File Button9x' $Transmit ButtonJ!?) CBrings up a dialog box to select a transmit specification (.TSP extension) or a capture file (.CAP extension) for transmit. This button has no function if the currently selected resource is in capture or monitor mode. This button is gray if the resource is currently active (started).Bx1"Name Table Button;?' (Name Table Buttonz( Brings up the name table dialog box for editing the current name table or saving /loading a name table to/from a file.A?"1#"cOpen File Button:\' &Open File Button"c) Opens a file, typically a capture file (.CAP). A dialog box displays showing all files with extension .CAP in the current directory. From the Summary Viewer, selecting a capture file to open will bring up Capture View.< \1$ySave Button5c' Save Button}y( Saves the current contents of the capture buffer to a file. A dialog box displays to specify the file name and directory.= 1%Start Button6y' Start Buttonw( Starts a module. The module captures or transmits packets, depending on whether mode is set to transmit or capture.< 1&qStop Button5' Stop ButtonuMq( Stops a module. The module ceases to capture packets or transmit packets.C1p'Packet View Button=q' ,Capture View Button) Selects Capture View mode for viewing captured information. You can see protocol decodes in this view. Capture View has its own toolbar to allow you to select other views of captured information.G(1'((Host Table View Button@h' 2Host Table View Buttonx(( Selects Host Table View for viewing information. You can see MAC stations and their associated traffic in this hview.Lh`1M)`aNetwork Station View ButtonN'' NNetwork Layer Host Table View Button`a) Selects Network Layer Host Table View for viewing information. You can see network (IP/IPX) and their associated traffic in this view.P1]*Application Station View ButtonR+a' VApplication Layer Host Table View Button) %Selects Application Layer Host Table View for viewing information. You can see application stations and their associated traffic in this view.H1'+Host Matrix View ButtonAG' 4Host Matrix View Buttonv( Selects Host Matrix View for viewing information. You can see all conversations between MAC stations in this view.OG41W,4<Network Conversion View ButtonJ#~' FNetwork Layer Matrix View Button4<) +Selects Network Layer Matrix View for viewing information. You can see all network layer conversations and their associated traffic in this view.U$~1c-Application Conversation View ButtonN'<' NApplication Layer Matrix View Button) /Selects Application Layer Matrix View for viewing information. You can see all application conversations and their associated traffic in this view.R!1.(Protocol Distribution View ButtonK$<' HProtocol Distribution View Button() Selects Protocol Distribution View for viewing a chart of the distribution of major protocols. Control buttons in this view allow you to customize the way you view the protocol distribution. T#<|1/|E Frame Size Distribution View ButtonM&(' LFrame Size Distribution View Button|U|E ' Selects Frame Size Distribution View for viewing the distribution of frame sizes. A 10 d VLAN View Button:E  ' &VLAN View Buttonw d - *Brings up VLAN view for viewing network traffic on virtual LANs. Ciscos ISL protocol is the only VLAN recognized.L  1>1  Address mapping View ButtonAd  ' 4Address Map View Button  ) Brings up Address Map View for viewing associations between MAC station names and addresses and network station names and addresses.K  12 K MAC Statistics View ButtonD 1 ' :MAC Statistics View Button K ( Brings up MAC Statistics View for graphically viewing packet and error counters. This view also contains module and capture buffer status information. The view displays appropriate error counters depending on the mode, capture or transmit.X'1  1q3 Utilization/Error View Button (Capture)L%K  ' JUtilization/Error View Button (Rx) ) IBrings up a strip chart that plots utilization and number of errors over time. The table for this view contains packet counters and error counters for receive. Y( 1r4:@Utilization/Error View Button (Transmit)L%a' JUtilization/Error View Button (Tx):@) IBrings up a strip chart that plots utilization and number of errors over time. The table for this view contains packea:@t counters and error counters for transmit.Ja@1b5@AAlarm List and Log ButtonC:@@' 8Alarm List and Log Button@A) YBrings up a table showing all alarm groups assigned to this resource. It lists alarm groups by name and identifies the type of alarm group, MAC, Token Ring, or Network.?@A16AfBRefresh Button8AB' "Refresh ButtonS,AfB' XUpdate the information in all open views.IBB1E7BCDuplicate Address ButtonBfBB' 6Duplicate Address ButtonBC( %Brings up a table showing all duplicate IP and IPX addresses. Both the network and the MAC addresses detected for each duplicate are displayed.CBC18C]EExpert View Button<C*D' *Expert View Button3C]E4 6Brings up a table showing all expert symptoms detected. There are two views of the expert information. The Analysis tab shows all expert symptoms detected. The Overview tab shows the total number of expert symptoms detected in each expert category.Q *DE1u9EFApplication Response Time ButtonJ#]EE' FApplication Response Time ButtonEF) cBrings up a table showing the applications detected and their minimum, maximum, and average response times. The number of connections for each application is also displayed.@EG1:GGSettings Button9FKG' $Settings ButtonrJGG( Brings up a dialog box to select global settings for a Capture Filter.U$KGH1.;H`H]OCapture and Display Filters OverviewN'G`H' NCapture and Display Filters OverviewH&K) ;For most data analysis operations, you'll want to look at only a subset of all data. Capture filters allow you to capture a subset of the network data. Filters allow you to select and count data in just about any way you can imagine. Display filters allow you to view a subset of the data you have already captured. They can be used to refine your view of captured information. For example, you might choose to capture all packets sent/received by a specific IP network station. Later, you might decide you want to look at the data for specific types of packets that are flowing through the station. A display filter allows you to view this subset of captured data.jB`HL( Surveyor uses a layered approach to developing filters. If you want a simple filter, all filter options can be specified from a single window. However, if you need to create a very advanced filter with multiple states and tests to refine exactly what you're looking for, Surveyor supports a complete filtering language.{G&K N4 6Before trying to write your own filters, we suggest that you look at some of the example filters provided with the product. This will give you an idea of the types of filters that can be created. Once you discover all the capabilities of the interface, you'll have a powerful tool for getting exactly the data you want.2 L=N' SEE ALSO  N]Of u eHx ]6&s%Getting Started with the Filter Interface Simple Filters Advanced Filters Hints and Tips for Using FiltersStandard Filter Elements and Filter Element TemplatesZ)=NO1 <OʅGetting Started with the Filter InterfaceS,]O' XGetting Started with the Filter IO]OnterfaceOڀ+ $3For most users, filters can be created and applied from a single window. The overview below describes a simple way to get started with the interface.׃X ~OV:H" "1.Select the resource you want to filter from the Resource Browser.2.Press the Detail View button.3.Press the Create/Modify Capture Filter button to bring up the Modify/Create Filter window.4.Click on a pre-defined filter element for the Available Filters box (right side of window). Suggestion: Try WWW_HTTP to collect HTTP traffic only.5.Select a specific station within the traffic. Enter an address in the Conversation area and click the Enable button. Enter addresses by selecting their corresponding names in the name table. Suggestion: Try selecting one MAC station from the name table. You will now capture only HTTP traffic for a single station.zڀ; FV:H"6.Press the ==> button. The filter element appears in the Combination Filter box.7.Press the Load Filter button.>׃ʅ) +Once you are familiar with the basic steps and can create a subset of data within the capture buffer, you can look at the more complex features of the interface such as display filters, logic combinations, setting the capture buffer trigger position, and multi-state logic.? 1  = ASimple Filters8ʅA' "Simple Filtersn 5 8  Simple filters can be created using one interactive screen called the Create/Modify Filter window. To create a filter, you first select a resource and bring up Detail View. The Display Filter window is accessed by pressing the Create/Modify Display Filter button on the Detail View toolbar. You define the mask for a simple filter using any of the following:A݈2 2V:H Pre-defined filter elements. A pre-defined filter element looks for a specific data pattern or a collection of data patterns. The filter element is supplied by Surveyor and cannot be changed.Ud2 2V:H User-defined filter elements. A user-defined filter element also looks for a specific data pattern or a collection of data patterns. The element is created by the user in hexadecimal, decimal, or ASCII. You can base a user-deinfed filter element on a pre-defined filter element or use the filter interface to enter all data patterns.݈^2 2V:H Filter combination. A filter combination is built up from various user-defined or pre-defined filter elements. Logical operators such as AND, OR, and NOT are used to create the logic sequence.d 2 2!V:H Conversation. This is a mask specific to the source and destination addresses, including the protocol type and the direction of traffic.Y^/ , Each Display or Capture filter applies only to the currently active resource. Once you have created and saved a unique filter element, you can access it from other resources.The Create/Modify Filter window has its own toolbar from which you can save, open, and create filters. Buttons are used to load and unload filters from the resource.2 ڍ' SEE ALSO?r )SO,tV^MY%l$\j[Activating Capture and Display FiltersCreating and Applying a Conversation Creating Filter Elements Creating Filter Element Combinations Frame TypesSelecting Filter Elements U$ڍn1>nCreating and Applying a ConversationN'' NCreating and Applying a Conversationn. *; A conversation provides a convenient way to add addresses to a filter. You specify conversations for the filter by filling out the Conversation portion of the Create/Modify Filter window. The row consists of a protocol selection, frame type selection, two station addresses, a direction indicator, and an enable/disable check box. Refer to the table below for field definitions that comprise a conversation. D* $4 Defining Conversations)pp#RD$ 2$4 Conversation ElementDescriptioneI#b8DProtocolMAC, IP, or IPXpJ#bDFrame Type All, EV2 (EthernetII), SNAP, 8022 (IEEE 802.2), 8023 (IEEE 802.3) Frame type applies to IP-layer addresses only.?'I#b~D(Station Address 1Complete IP, IPX, or MAC station address.NL#fD<Traffic Direction Indicator<-> Capture/Display all traffic between Station 1 and Station 2-> Capture/Display only the traffic where Station 1 is the Source Address and Station 2 is the Destination Address<- Capture/Display only the traffic where Station 2 is the Source Address and Station 1 is the Destination Address?'II#b~D(Station Address 2Complete IP, IPX, or MAC station address.[Y#D&(Enable check boxEnable (include) or Disable the conversation as part of the filter. I) uOnce you select a valid address from the name table, the Enable box is automatically checked and the station address pattern is imported to the current pattern at the correct offset.A!' 4 Protocol and Frame TypeGM h      The protocol and the frame type are selected from pull-down boxes. Surveyor automatically restricts you from entering combinations that make no sense. If the station address is not the same type as the protocol selected, an error message appears. For example, if you set the protocol to IPX, you are not allowed to insert a MAC address. Only the frame types used with the selected protocol are allowed. For example, if the protocol is set to IP you can only select EV2 or SNAP. If the protocol is set to MAC, the frame type is set to All and no options are available.;!' ( Station Addresses.. * Station addresses can be entered directly or by double-clicking on the button after either Station Address field. Double-clicking on either button brings up the current name table to select an address. The Name Table window shows all name and address associations, including the protocol and the frame type. The name and address associations displayed are those in the currently active name table. Double-clicking on a name table entry will load that name into the currently-selected Station Address field.P)n' RThere are three station address types:SR rV:H MAC address 12 hexadecimal digits.For example, 34FD34AA0001. IP dot notation address 4 decimal numbers in the range of 0 to 255, separated by dots. For example, 12.235.96.2. IPX address 20 hexadecimal digits (without port number) or 22 hexadecimal digits (with port number). For example, 34FD34AA0001000000A1.; nN2 4v Ӏ1Note:s3 4v ҀYou will probably want to build a name table with the names and addresses of stations on your network. If you have a name tablNse for your network, be sure to load the name table so names are available in the Name Table window. 7N; DIf no value is entered for a Station Address field, all stations are captured. For example, if you set an address for Station 1, no address for Station 2, and set the direction to -> all packets having Station 1 as the Source Address are captured, regardless of the Destination Address.Use wildcards when specifying addresses to capture data on more than one station. An X used as a character for an address string means that any value will be accepted for that position; for example, 343F4AXXXXXX.Es' < Traffic Direction Indicator : BThe direction indicator allows you to select a direction between stations. You can filter for packets going from Station 1 to Station 2 (->), Station 2 to Station 1 (<-), or gather packets in either direction (<->). :D' & Enable Check Box- q. * To apply the conversation to your filter, make sure that the Enable check box is selected. A single conversation is defined. If you want to use additional conversations, you can create an advanced filter or use wildcard characters as described above.*D' Jq1  ?(y Selecting Filter ElementsC(' 8Selecting Filter ElementsCk 0 .'To select a filter element, click on the element in the window and press the ==> button, or double-click on the filter element. The filter element is added to the filter combination box.Filter elements are the primary building blocks of a filter combination. A filter element contains the patterns for creating the logical conditions that will be used as a test against incoming frames. Filter elements are always assigned a name and that name is referenced in the filter combination. Filter element templates are provided which can be used as is, or you can define your own filter elements. See "Standard Filter Elements" in Appendix B for the filter elements supplied with Surveyor. Pre-defined filter elements are shown in red. You cannot alter the pre-defined filter elements.-( 4 6Most filter elements have a defined offset and pattern within a frame. However, some elements have no specific offset and length, such as MatchAll. Some template filter elements have predefined values, such as MAC_DA_Broadcast (FFFFFFFFFFFF).7k  '   Macro FiltersF O : B The standard filter elements provide templates that can be a combination of a few conditions they can be more sophisticated than a simple byte-by-byte mask. For example, HTTP, TELNET, and SNMP are provided as single filter elements, but they consist of both source and destination ports. In other words, the element itself contains an OR condition, and will capture a value whether it appears in the offset for the source address or the offset for the destination address. The example Info window below shows the exact mask and conditions for the filter element WWW_HTTP.* y ' IO  1E@ %LCreating Filter ElementsBy ' 6Creating Filter Elements. 2. *User-defined elements allow precise control over the information captured or displayed. User-defined filter elements display in black under User_Defined_Filters in the filter elements list. Use the templates to aid in the creation of filter elements. ;B5 8The small fields define the data patterns that comprise a filter element. The offset defines the position within the packet to start comparing the packe2;By t contents with the values in the pattern. If a match occurs, then this portion of the condition is satisfied. The pattern can be specified as a decimal, hexadecimal, or ASCII value. Use the Data format pull-down box to the right to specify if the pattern is in decimal, hexadecimal, or ASCII. Use the Offset format pull-down box to specify if the column and row headers display in decimal or hexadecimal. Note that although you can display the data in different fomats, all fomats use a byte boundary. Only byte quantities can be entered or displayed.12lDL f     The Name field shows the name of the filter element. Surveyor assigns a default name such as F1.Enter a unique name for the filter element in this field. Once you create a filter element and click on the ==> button, the name will appear in the filter elements list under User_Defined_Filters and in the Filter Combination box. You must use the ==> button so the filter element name appears in the Filter Combination box for the pattern to be used in the current filter.O;BF: B+ For example, assume you want to filter the IP destination address for the value 206.250.221.1. You could select the IP_DA template filter element and then change the template filter element to your needs. If you make a change to a pre-defined filter element, Surveyor assigns a name to the new filter element, which you can change in the Name field. The new filter element can be used to create the filter combinations you require for filtering frames. Use the ==> button to use the new filter element in the current filter.IlDIL fAny specific value you create for filter elements can have "don't care" values. For example, assume you're only looking for FF34 in the first two bytes of the MAC destination address. You could specify the values in your filter as FF34XXXXXX, where X indicates you don't care about the values in the last three offsets. Note that for IP addresses using decimal values you can only use X characters for complete sub-addresses. For example, 128.XXX.2.2 is allowed, but 128.12X.2.2 is not allowed.wFJ5 8 The hex or decimal patterns display in black or magenta. The magenta color indicate the bytes are a macro pattern, such as the logical OR of two different elements, or a conversation. Displays in magenta do not provide a complete view of the filter element in the Create/Modify Filter window. The information window provides complete details about any macro pattern. !IK. *Use the Info.. button to see the exact offsets, patterns, and logical operators you have used to create the filter element. ASCII patterns display in hexadecimal in this window. Many ASCII patterns have no corresponding display character.*JK' *K%L' U$KzL1 @AzLLCreating Filter Element CombinationsN'%LL' NCreating Filter Element CombinationszLN6 :  A filter combination provides a way to create a more refined search for specific data. The filter combinations are built by selecting a combination of filter elements, operators, and custom counters. An example filter combination is shown below:MAC_SA AND (SMTP OR FTP)The Filter Combination field shows the syntax for the condition. Double-click on filters elements or single-click on operators (buttons) and they appear in the Filter Combination field. LA PY%l$If the operation you perform makes no sense to create a Filter Combination, the operation is not allowed. For example, an OR operator makes no sense after an AND operator. As another example, inserting a filter element immediately afterN%L another filter element makes no sense and the operation is not allowed.In addition to setting up a logical combination of filter elements, you can also select which frame types to include by selecting check boxes.fNv' The following table describes the buttons that are used as operators to create filter combinations.V,́* $X Operator Buttons for Filter CombinationsvWp#6N$ $ ButtonDescriptioń$J#bN ANDInsert logical AND operator. The AND operator has a higher priority than the OR operator (i.e., will be interpreted first).k"WI#bDN ORInsert logical OR operator.m$$I#bHN NOTInsert logical NOT operator.&"J#bN(Insert Open Parentheses. Along with the closed parentheses, establishes the ordering and interpretation of the operands. For example, MAC_SA AND SMTP OR FTP is interpreted differently from MAC_SA AND (SMTP OR FTP).zI#bN)Insert Closed Parentheses. Along with the open parentheses, establishes ordering and interpretation of the operands."d`#?N$Counter 1Adds a filter element for testing against a value. The most common use of Counter 1 is to increment the counter based on a condition (e.g., receiving a broadcast packet) and then begin capture once a threshold is reached. Counter 1 is a setting for capture filters only.4Y#hNClearClears the entire filter combination box.gdI#bN CEClears the Last Entry. Erases only the last operator or element added to the filter combination.}J#b%NActionSpecifies the action to take when the end of the current state is reached. See Actions in the Advanced Filters section of this chapter.*' < }10 gB6Frame Types5' Frame Typesc; D   Four types of frames can be collected and displayed. Refine your selection criteria by selecting only a subset of all frame types. If all boxes are checked, all frame types will be subjected to the other filter criteria you have specified in the Create/Modify Filter window.The frame type check boxes allow you to select the types of frames you want to capture. For example, if you want to capture only good frames, leave the Good Frames box checked and deselect all other frame types. If you want to capture only error frames, leave all frame types selected with the exception of the Good Frames box.M#* $F Capture and Display Frame Typesp#>N$ $  Frame TypeDescriptiont+I#bVNGood FramesFrames that have no errors.eI#bN&CRC Error FramesAll frames that contain CRC or Alignment errors (this will include runt frames).KHI#bNFragmentsAll fragments. All fragments are also considered CRC errors. L Y#N Other FramesAll other types of frames. For example, an oversize frame.H *H6' A w1W nCwAdvanced Filters:6' &Advanced FilterswD V! "  To create more precise Surveyor filters, you use a graphical scripting language. You'll find it intuitive and easy to use if you have experience doing simple programming or experience working with meta-languages. After you become familiar with this graphical scripting language, you'll have a powerful tool for getting exactly the data you want. It is recommended that you first have an understanding of simple filters before attempting to create advanced filters.For simple filters you use the Modify/Create Filter window to specify filter conditions. Actually, the conditions specified in this window form only one statement this is part of a filter structure which can have many different states, multiple conditions, and perform a variety of actions based on which filter criteria is satisfied. Click on the State button in the Modify/Create Filter window to view the State window for the filter}N/ , From the State window you view the entire structure of the filter. The windows show all the filter statements and the structure of the filter. Each statement is composed of conditions and actions to take if the condition is satisfied. Dialog boxes are used to create/modify the statements. You do not need to memorize specific syntax. Convenient buttons are available to save, create, open, load, and unload Capture and Display filters. You can also add/delete statements from the toolbar or from the menus. When you add or modify a statement, its associated dialog box is displayed. c5d. *k All changes and additions to the filter are made from dialog boxes. Dialog boxes appear when you double-click on the statements shown in the window; keystrokes and the right mouse button are context sensitive within the State window. You can write and attach a description to a Capture or Display Filter.s/D V_ nKeystrokes in the State window are also context sensitive. For example, pressing the Insert key when the ROOT statement is selected inserts a new State; pressing the Insert key on a State inserts an IF statement. See keyboard shortcuts for a list of keystroke actions and their results.You can expand or collapse states of the filter from the menus if you need more room to view other states in the window. Collapsed states (also called branches) are surrounded by dashed line. The currently selected statement is highlighted with a red border.2 d ' SEE ALSOjd -X?k/B2YpOActions Filter Structure Rules for Capture and Display FiltersStatements States W& .1`  D.~Capture and Display Filter DifferencesP)~' RCapture and Display Filter Differences.( Display and capture filters are activated in different ways. Also, some options for capture filters are not used in display filters. Some options available in capture filters make no sense for display and are therefore not supported:uH~- *V:HDisplay filters do not use custom counters (Counters 1, 2, or 3). @ NyV:H   The action for display filters is Display. Actions for capture filters are Capture and Trigger. Actions for capture filters include incrementing counters (Counters 1, 2, or 3).5D. *V:HDisplay filters do not have global settings. The Settings button in the Filter Display window is not active when viewing a display filter. Global settings for the capture filter include a global value yoDu can set for Counter 1 and a buffer trigger position.H* $< Activating Display FiltershDS_ "  "    Activate a display filter by pressing the button on the Create/Modify Filter or State toolbar. Unload a display filter by pressing the press the button on the State or Create/Modify Filter toolbar. If you close the window, the display filter is no longer active.You can keep the display filter loaded at all times; if you make changes, the next time you view data in Capture View the new filter will be used immediately. If you already have a Capture View window open for the capture file, select the Refresh... option from the File menu in Capture View to refresh the view using the new filter.H* $< Activating Capture FiltersSX ~"  "  The capture filter must be loaded to the hardware module. It is not active until you press the button on the State or Create/Modify Filter toolbar. It remains active for that module until you unload the filter. Unload a capture filter by pressing the press the button on the State or Create/Modify Filter toolbar. Since capture filters are associated with a hardware module, different capture filters can be loaded to different modules.A1A E4 Filter Structure:4' &Filter Structure0 .gThe capture or display filter consists of labels and a series of statements that define actions. The actions result in the subset of data that is captured or displayed by Surveyor. The statements and labels have an order, structure, and syntax. You always start and stay in State0 until an action takes you to a different state.The capture file has the following structure:Root statement (Contains settings for global variables)H4_ P nHSTATE0 identifier (Label for GoTo actions)IF statement (Specify conditions and actions)ELSE IF statement (optional - same structure as IF statement)other ELSE IF statementsELSE statement (if no conditions satisfied, take these actions)STATE1 identifier (Label for GoTo actions)IF statement (Specify conditions and actions)ELSE IF statement (optional - same structure as IF statement)other ELSE IF statementsELSE statement (if no conditions satisfied, take these actions)` K d+H.........STATE7 identifier (Label for GoTo actions)IF statement (Specify conditions and actions)ELSE IF statement (optional - same structure as IF statement)other ELSE IF statementsELSE statement (if no conditions satisfied, take these actions)7_  1nF & y@States0 & ' StatesV |< F5States are similar to labels (addresses) for a set of statements. States allow multiple sets of statements in a filter. You can specify up to 8 states. You always start and stay in State0 until an action takes you to a different state.In most instances, you will only need only one or two states in a filter. Here is example filter showing three states:STATE0IF (DA=Santosh) GoTo State1ELSE IF (DA=Yancy) GoTo State2ELSE GoTo CurrentStateSTATE1IF (DA_IP_Filter1) Counter1; Capture; GoTo CurrentStateELSE GoTo State0& y@0 .STATE2IF (DA_IP_Filter2) Counter2; Capture; GoTo CurrentStateELSE GoTo State0States are selected in the action portion of dialog boxes for statements. CurrentState means stay in the state number that contains the statement. When you select a state other than the current state, a GoTo phrase will display as part of the statement i|y@ n the Filter window. The GoTo state always displays for the ELSE statement, even if it's the current state.; |@17A 3G@@FStatements4 y@@' Statements@B( KStatements create a condition and specify actions to be taken if the condition is satisfied. Once a condition is true, the next condition is not examined. For the next frame you remain in the current state or go to a different state, depending on the GoTo action specified in the statement. If no condition is met, the actions in the ELSE statement are taken. Below is a synopsis of the logic sequence for statements: @D2 2IIF statement IF (these conditions are satisfied) THEN (take these actions, go to State x)ELSE IF statementIF (these conditions are satisfied) THEN (take these actions, go to State x)ELSE IF statement IF (these conditions are satisfied) THEN (take these actions, go to State x)ELSE statementELSE (take these actions, go to State x)There is also a ROOT statement which sets global variables for capture filters.7BF_ ""For IF or ELSE IF statements, the conditions of the statement are created using the Create/Modify Filter window. If you are adding a statement, you cannot load the filter until you return to the State window. The and buttons on the Create/Modify Filter toolbar are disabled.The dialog box for the ELSE statement specifies the actions when no conditions for previous statements are satisfied. You can only specify actions and the next state to execute. ,DF) "8F&G1=H&GWGMActions1 FWG' Actions&GH( !Actions are set in the action portion of the dialog box for IF and ELSE IF statements. Actions are all that can be set in an ELSE statement. =WGLH' ,CAPTURE FILTER ONLYT-HH' ZActions available for capture filters are:DLHJ5 8VS~Capture Capture the frame.TriggerCapture the frame and mark it as a trigger. In view mode, a trigger frame is numbered as frame zero and marked with the name TRIGGER.CounterIncrement the custom counter. Counter 1, Counter 2, Counter 3, or any combination of the custom counters can be incremented.GoTo State Go to a state. The state can be the current state or any other state defined in the capture filter. The state is like a label or routine name in a program. It's there so it can be referenced by a GoTo action.HK4 6g%If Trigger is selected as an action, Capture is automatically selected as well. The only function of trigger is to mark a frame to specify the post trigger buffer position.=JL' ,DISPLAY FILTER ONLYT-K\L' ZActions available for display filters are:Y(LM1 0QVS~Display is the only action available in statements for display filters.GoTo State Go to a state. The state can be the current state or any other state defined in the display filter. The state is like a label or routine name in a program. It's there so it can be referenced by a GoTo action.L\LN13 INQNRules of the Capture FilterP)MQN' RRules of the Capture or Display FilterqNN- *V:HCounter 1 is the only custom counter that can be used as an element to create a filter element combination.nQNO? NV:HThere is always at least one IF and one ELSE statement per state. ELSE IF statements are optional.SN(- *V:HThe Post Trigger Buffer Position must be greater thO(Man zero and less than 100._O9 BV:HThere is always one and only one ROOT statement; you can't delete the ROOT statement.rE(2- *V:HIn the capture filter, setting trigger will always set capture.1 09V:H There are a maximum number of filters within analyzer-card hardware; there are 8 for CMM2s and 4 for GAMs. Depending on the number of states, the micro filters, and the logic combinations used, it is possible to exceed the maximum number of hardware filters. Contact Shomiti customer support if you are experiencing problems with writing complex filters that exceed the maximum number of hardware filters.Q 2P1gJPHints and Tips for Using FiltersJ#' FHints and Tips for Using Filters~QP- *V:H Remember to load the Capture filter on the module before you start capture.2. *V:H If you want to look at captured data in many different ways, use display filters rather than capture filters. Capture large blocks of unfiltered data and look at different subsets of the data by using a variety of display filters.bDž3 6V:H Use the Info button to find out the exact mask and logical operations in a filter element.d2X- *V:H Use conversations for capturing or displaying station-to-station or router-to-router activity.YDž3 6V:H Always attach a description to a filter you are saving with the Description menu.X: BV:H To see which capture filter is associated with the current resource, choose Active TSP and Capture Filter from the Module menu. The capture filter name is also displayed in the status bar in Detail view.#4 6V:H In the Create/Modify Filter window, make sure that the elements you want in the filter are displayed in the Filter Combination box. If an element is not displayed in the Combination box, it is not part of the filter to be applied. W- *V:H Be sure to check the Enable box to include a conversation as part of your filter.Dފ. *-V:H AND operations narrow the search results and are typically used between elements that define masks for different offsets and lengths. Using AND operations between filter elements that define masks for the same offsets and lengths often result in filtering out all packets.. *V:H OR operations expand the search results and are useful between filter elements that define masks for the same offsets and lengths.Oފ3 6V:H To edit a statement in the State window, double-click on the statement.. *V:HUse the right mouse button to learn about the options available for any statement in a filter. You can immediately see what options are possible depending on where you are in the filter. I< HV:H" Use the button to add states or statements to the State window.X< HV:H" Use the button to go to the State window to create a mulit-state logic filter.Q4 6V:H From the Detail View pane of the Capture View window, you can copy the contents of any field to create a Capture or Display filter. Select the field with the left mouse and then click the right mouse. Selections for copy to capture or display filter appear. Select the option you want and the Create/Modify Filter window appears.4 6UV:H Click the right mouse button on a table entry in Host Table, Network Table, Application Table, Host Matrix, Network Matrix, or Application Matrix view to bring up a menu for creating a filter. You will get a choice of creating a capture or display filter. When you make a choice from the menu, the Create/Modify Filter window opens with the address(es) from the table entry in the address fields for creating a filter.-* $V:Hf5 1X@͉K   Standard Filter Elements and Filter Element TemplatesP)p' RStandard Filter Elements and Templates/  #Ҁ^0 F  &@PFilter Element DescriptionOffsetValuep( All filter elements and templates supplied with Surveyor are described below. Templates need to be given a value and saved as a user-defined filter element before they can be used in a capture or display filter.g8 / .p6  Surveyor Filter Elements and Templates, Ethernet EV25h#,j;Q6.6 .&6 .D6 .X6 Filter ElementDescriptionOffsetValueh#2;Q(6"6 6"6 6"6AppleTalkCollect all AppleTalk packet types embedded in Ethernet Version II frames.12HEX 809B \h#2;Q(6" 6 6"6 6"6ARPCollect all ARP packet types embedded in Ethernet Version II frames.12HEX 0806F#<;Q(6"6 6(6 6&6DNS (TCP)Collect all frames with an DNS port when TCP is embedded in an Ethernet II frame.12 23 34 OR 36HEX 0800HEX 06 DEC 0.53G#a#<;Q(6"6 6(6 ڀ6&܀6LDAPCollect all frames with an LDAP port when TCP is embedded in Ethernet II frames.12 23 34 OR 36HEX 0800HEX 06DEC 389&u# #2;Q(6"6 6"6 Ā6"ƀ6MAC_DATemplate for setting a destination address. Filters for addresses at the MAC level.0HEX XXXXXXXXXXXXIa #2;Q(6"&6 f6"h6 n6"p6MAC_DA_BROADCASTCollect all broadcast frames. 0HEX FFFFFFFFFFFH z #2;Q(6"6 b6"d6 j6"l6MAC_SATemplate for setting a source address.6HEX XXXXXXXXXXXX@  #<;Q(6" 6 6(6 ڀ6&܀6NFSCollect all frames with an NFS port when UDP is embedded in Ethernet II frames.12 23 34 OR 36HEX 0800HEX 11 DEC 2049Bz  #<;Q(6"6 6(6 ހ6&6NNTPCollect all frames with an NNTP port when TCP is embedded in Ethernet II frames.12 23 34 OR 36HEX 0800HEX 06DEC 0.119e #6;Q(6"6 6$6 6$6OSPFCollect all frames where OSFP is embedded in Ethernet II frames.12 23HEX 0800 DEC 89E @#2;Q(6"6 j6"l6 t6"v6Packet_TypeTemplate for setting the packet type.12@HEX XXXXi0A#2;Q(6"46 6"6 6"6Packet_Type_Novell8023 Filter element for collecting Novell 802.3 packet types.12HEX XXXXFFFF ?@oB#<;Q(6" 6 6(6 ؀6&ڀ6POPCollect all frames with a POP port when TCP is embedded in Ethernet II frames.12 23 34 OR 36HEX 0800HEX 06DEC 0.110B0AC#<;Q(6"6 6(6 6&6Q.931Collect all frames with a Q.931 port when TCP is embedded in Ethernet II frames.12 23 34 OR 36HEX 0800HEX 06DEC 1720>oBD#<;Q(6" 6 6(6 ؀6&ڀ6RIPCollect all frames with a RIP port when UDP is embedded in Ethernet II frames.12 23 34 OR 36HEX 0800HEX 11 DEC 520eCF#6;Q(6"6 6$6 6$6RSVPCollect all frames where RSVP is embedded in Ethernet II frames.12 23HEX 0800 DEC 46EDLG#<;Q(6"6 6(6 6&6RTCPCollect all frames with an RTCP port when UDP is embedded in an Ethernet II frame.12 23 34 OR 36HEX 0800HEX 11 DEC 0.161CFH#<;Q(6"6 6(6 6&6SMTPCollect all frames with an SMTP port when TCP is embedded in an Ethernet II frame.12 23 34 OR 36HEX 0800HEX 06DEC 0.25LGJ#D;Q(6"6 6&6 ΀60Ѐ6SNMPCollect all frames with an SNMP port when UDP is embedded in Ethernet II frames.12 23 43 HEX 0800 HEX 11 DEC 200 OR DEC 201 OR DEC 202 OR DEC 203 OR DEC 204 OR DEC 205cH%K#6;Q(6" 6 6$6 6$6TCPCollect all frames where TCP is embedded in Ethernet II frames.12 23HEX 0800 HEX 06DJiL#<;Q(6"6 6(6 6&6TELNETCollect all frames with a TELNET port when UDP is embedded in Ethernet II frames.12 23 34OR 36HEX 0800 HEX 06 DEC 0.23c%KM#6;Q(6" 6 6$6 6$6UDPCollect all frames where UDP is embedded in Ethernet II frames.12 23HEX 0800 HEX 11GiLN#/ .|6  Surveyor Filter Elements and Templates, Ethernet SNAP, LLC6H#,l;Q6.6 .(6 .F6 .Z6 Filter Element DescriptionOffsetValueO#2;Q(6"6 6"6 6"6DSAP Template for setting the LLC destination address point.14HEX XXE#2;Q(6"6 f6"h6 p6"r6SNAPFilter element for collecting SNAP frames.14HEX AAAA03=̄#6;Q(6""6 Ҁ6$Ԁ6 6$6SNAP_AppleTalkFilter element for collecting AppleTalk packet types embedded in Ethernet SNAP frames.14 20HEX AAAA03 HEX 809B0}#6;Q(6"6 6$6 ̀6$΀6SNAP_ARPFilter element for collecting ARP packet types embedded in Ethernet SNAP frames.14 20HEX AAAA03 HEX 0806.{̄*#6;Q(6"6 6$6 Ȁ6$ʀ6SNAP_IPFilter element for collecting IP packet types embedded in Ethernet SNAP frames.14 20HEX AAAA03 HEX 0800Lv#61;Q(6"6 ܀6$ހ6 6$6SNAP_IP_DATemplate for setting the IP destination address, when IP is embedded in an Ethernet SNAP frame.14 38HEX AAAA03DEC XXX.XXX.XXX.XXXG*#6';Q(6"6 Ҁ6$Ԁ6 6$6SNAP_IP_SATemplate for setting the IP source address, when IP is embedded in an Ethernet SNAP frame.14 34HEX AAAA03DEC XXX.XXX.XXX.XXX/|v#6;Q(6"6 6$6 ̀6$΀6SNAP_IPXFilter element for collecting IPX packet types embedded in Ethernet SNAP frames.14 20HEX AAAA03HEX 8137oE[*#$;Q(6 6J6Aa1Hn6Aa1Jp6Aa1Hx6Aa1Jz6Aa1SSAP Template for setting the LLC source address.15HEX XXC@ P6Aa1e7[. ,n6  Standard Filter Elements and Templates, Token Ring .1+ &67#$n Q6,6 ,(6 ,F6 ,Z6 Filter Element DescriptionOffset Valuej1)#* Q&6 :66"66"6MAC_Active_Monitor_PresentCollect all Active Monitor Token Ring MAC frames. 1 17HEX 05 HEX 05Q3#* Q&6 6p6"r66"6MAC_BeaconCollect all Beacon Token Ring)3 MAC frames.1 17HEX 02 HEX 02]);#& Q&6 066 66 6MAC_Change_ParametersCollect all Change Parameters Token Ring MAC frames. 17HEX 0C[3C#* Q&6 $66"66"6MAC_Claim_TokenCollect all Claim Token Token Ring MAC frames.1 17HEX 03 HEX 03\;J#& Q&6 066 66 6MAC_Duplicate_AddressCollect all Duplicate Address Token Ring MAC frames.17HEX 07iC_#( Q&6 <66 66"6MAC_Initialize_Ring_StationCollect all Initialize Ring Station Token Ring MAC frames.17HEX 0DLJV#& Q&6 6|6 ~66 6MAC_Lobe_TestCollect all Lobe Test Token Ring MAC frames.17HEX 08N_O#& Q&6 "66 66 6MAC_Poll_ErrorCollect all Poll Error Token Ring MAC frames.17HEX 27 `VZ#& Q&6 466 66 6MAC_Remove_Ring_StationCollect all Remove Ring Station Token Ring MAC frames.17HEX 0BROW#& Q&6 &66 66 6MAC_Report_ErrorCollect all Report Error Token Ring MAC frames.17HEX 29 bZd#& Q&6 666 66 6MAC_Report_Monitor_ErrorCollect all Report Monitor Error Token Ring MAC frames.17HEX 28 ^Wm#& Q&6 266 66 6MAC_Report_NAUM_ChangeCollect all Report NAUM Change Token Ring MAC frames.17HEX 26md#( Q(6 B66 6Ȁ6 ʀ6MAC_Report_New_Active_MonitorCollect all Report New Active Monitor Token Ring MAC frames.17HEX 25qm#( Q(6 F6ƀ6 Ȁ6Ѐ6 Ҁ6MAC_Report_Ring_Station_AddressCollect all Report Ring Station Address Token Ring MAC frames.17HEX 22&z#( Q(6 P6؀6 ڀ66 6MAC_Report_Ring_Station _AttachmentsCollect all Report Ring Station Attachments Token Ring MAC frames.17HEX 24m#( Q(6 B66 6Ȁ6 ʀ6MAC_Report_Ring_Station_StateCollect all Report Ring Station State Token Ring MAC frames.17HEX 23h #& Q&6 <66 66 6MAC_Report_Transmit_ForwardCollect all Report Transmit Forward Token Ring MAC frames.17HEX 2A f#& Q&6 :66 66 6MAC_Request_InitializationCollect all Request Initialization Token Ring MAC frames.17HEX 20s <#( Q(6 H6ʀ6 ̀6Ԁ6 ր6MAC_Request_Ring_Station_AddressCollect all Request Ring Station Address Token Ring MAC frames.17HEX 0E(|d#( Q(6 R6܀6 ހ66 6MAC_Request_Ring_Station _AttachmentsCollect all Request Ring Station Attachments Token Ring MAC frames.17HEX 10o<#( Q(6 D6€6 Ā6̀6 ΀6MAC_Request_Ring_Station_StateCollect all Request Ring Station State Token Ring MAC frames.17HEX 0FJdt#& Q&6 6x6 z66 6MAC_ResponseCollect all Response Token Ring MAC frames.17HEX 00Ww#( Q&6 "66 66"6MAC_Ring_PurgeCollect all Ring Purge Token Ring MAC frames.1 17HEX 04HEX 04 st#* Q&6 <66"6Ā6"ƀ6MAC_Standby_Monitor_PresentCollect all Standby Monitor Present Token Ring MAC frames.1 17HEX 06 HEX 06Zw#& Q&6 .66 66 6MAC_Transmit_ForwardCollect all Transmit Forward Token Ring MAC frames.17HEX 09@ #V Q&66 6f6$hvs"nvs p6NON_MACCollect all non-MAC Token Ring frames.1HEX 40  # Q6&66$ vs"vs$vs"vs 6*  ' H  1J͉ L 2 KCapture Filter Examples9 2 ' $Filter Examples" T \ 1޿D2޿D,Three filter examples are described in the following help topics. Click on the example name to view the example.Capture Conversation - Filter example to collect a conversation between two stations.Filter Combination - Filter example showing a combination of filter elements.Filter TCP Port - Filter example showing a user-defined filter for a TCP Port.Advanced Filter - Filter example showing an advanced, multi-state logic filter.2 K4 6Filter examples are supplied with Surveyor. To find more examples, look in the ..\examples\filter directory. Select the Description menu item to access a description of any filter example.AT 1E  M9FFilter Example 1P)K' RFilter Example 1, Capture Conversation" AD V   The Create/Modify Filter window below shows a capture filter which captures all packets going to and coming from two MAC stations. The conversation is specified by entering the two MAC addresses, using the <-> indicato AKr to capture packets in both directions. The enable check box is selected to apply the conversation to the filter. The filter element is named in the Filter name box as Station7and8.Click on areas of the figure below for more specific information.\A1 2" The steps used to create the filter element and load it to a resource are shown below:  AD ԀV:H""1.Press the New button.2.Press the Name button for StationAddress1. Select the address from the name table and click OK.3.Press the Name button for StationAddress2. Select the address from the name table and click OK.4.Pull down the Direction box and set the indicator to bi-directional (<->).5.Be sure the Enable check box is selected in the Conversation area.6.Enter the name of the new filter element in the Filter Name box. The new filter element name will appear in the User_Defined_Filters section of the filter browser. The filter element is saved and will be available for other filtering operations.n0AF> JcV:H"7.Press the ==> button to apply the filter element. The filter element appears in the Filter Combination box. 8.Press the Load Filter button to load the filter to the resource.9.You are now ready to start capture. The capture buffer will contain only the packets that pass through the filter.*D9F' AFzF1   NzFFFilter Example 2N'9FF' NFilter Example 2, Filter Combination2zFH= H   The Create/Modify Filter window below shows the capture filter with a logical combination built in the Combination box. This filter collects all traffic from a single station that make use of the HTTP or the FTP protocols. The two template filter elements are combined with an OR statement to collect both types of protocols. The two filter elements are named HTTP_Activity_Station2 for the user-defined HTTP filter element and FTP_Activity_Station2 for the user-defined FTP filter element. yFJ/ ,The conversation is specified without a second station and uses the -> indicator. Traffic is to captured in the sending the direction for a single station, regardless of the other station in the conversation. In the example, the station address has been defined as part of each user-defined filter element.Click on areas of the figure below for more specific information.HK8 >]" The following steps describe how to create two filter elements, logically combine them using an OR operator, and load the resulting Filter Combination to a resource:qJjNr V:H"1.Select the WWW_HTTP pre-defined filter element from the Available Filters box.2.Press the Name button for StationAddress1. Select the address from the name table and click OK.3.Pull down the Direction box and set the indicator to source address (->).4.Be sure the Enable check box is selected in the Conversation area.5.Enter the name (HTTP_Activity_Station2) of the new filter element in the Filter Name box. The new filter element name will appear in the User_Defined_Filters section of the filter browser. The filter element is saved and will be available for other filtering operations.'KG \V:H6.Using the FTP pre-defined filter element as the starting point, repeat steps 1 through 5 to create a similar user-defined element for FTP.7.Highlight the HTTP_Activity_Station2 element in the User_Defined_Filters section of the filter browser. Press the ==> button to apply the filter element. The filter element appears jN9Fin the Filter Combination box.8.Press the OR operator button. The operator is appended to the filter element in the Filter Combination box. V jNJ bV:H"9.Highlight the FTP_Activity_Station2 element in the User_Defined_Filters section of the filter browser. Press the ==> button to apply the filter element. The filter element appears in the Filter Combination box. You now have two filter elements in the Combination box connected by an OR operator.10Press the Load Filter button to load the filter to the resource.11.You are now ready to start capture. The capture buffer will contain only the packets sent from Station2 that have an FTP or HTTP port address.*' R!o15  OoFilter Example 3, Filter TCP PortK$' HFilter Example 3, Filter TCP Porto2 2W The Create/Modify Filter window below shows the capture filter with a filter for a TCP Port. This filter collects all traffic that uses of the BootPS protocol. Surveyor has pre-defined filter elements for many, but not all, well-known TCP ports. For the BootPS protocol, you need to create a user-defined filter element.Create the new filter element by selecting another TCP Port filter element, such as WWW_HTTP. This will automatically give you the offsets and lengths for the values you need for the new filter element. Change the port number by editing offsets 22 through 25, changing the value to the port number for BootPS, decimal 67. Offsets 22 and 23 contain the value for the source port number and offsets 24 and 25 contain the value for the destination port number. Since you cannot change a pre-defined template, when you change the port number the interface automatically assumes you are creating a new filter element.P3 4="The example shows the byte values in decimal format. If you the display was set to hexadecimal, you would need to convert the port number in decimal (67) to hex (43) before entering the value in the proper offset.Click on areas of the figure below for more specific information. _m' The following steps describe how to create the BootPS filter element and load to a resource.u; DV:H1.Select the WWW_HTTP pre-defined filter element from the Available Filters box. This pre-defined element will serve as a starting point for creating the user-defined filter element.2.Use the Data Format pull-down box to the right of the offsets and patterns to change the display of byte data to decimal.3.Place the cursor in offset 23. Change the decimal "80" to decimal "67". This changes the port for the filter to BootPS for the source address.8mG \qV:H4.Place the cursor in offset 25. Change the decimal "80" to decimal "67". This changes the port for the filter to BootPS for the destination address.5.Be sure the Enable check box is NOT selected in the Conversation area. No specific stations are associated with the new filter element.6.Enter the name (BootPS_Activity) of the new filter element in the Filter Name box. The new filter element name will appear in the User_Defined_Filters section of the filter browser. The filter element is saved and will be available for other filtering operations.bu> JV:H"7.Press the ==> button to apply the filter element. The filter element appears in the Filter Combination box.8.Press the Load Filter button to load the filter to the resource.9.You are now ready to start capture. The capture buffer will contain only the packets that contain the BootPS port number in either the source or destination address.*' R!1=PgFilter Example 3, Advanced FilterK$g' HFilter Example 4, Advanced FilterY    The State window below shows the capture filter Example.CFD. The State window shows the structure of the filter, which has multiple states and statements. You can double-click on a statement to bring up its Create/Modify Filter window to see the details of how the statement is constructed.This filter starts collecting all packets when the first broadcast packet is encountered. Packets are tested first by the IF statement in State0. If the packet matches the broadcast mask (FFFFFFFFFFFF in the first six bytes), the packet is captured and the flow continues with State1. If the packet does not contain the Broadcast address, the packet is not captured and the next packet is filtered.5gG \"State1 is executed after the first broadcast packet is encountered. The IF statement in State1 indicates that any packet should be captured. The flow for testing packets remains in State1 until the capture process is stopped. G1 QFrame Type Check Boxes@@' 2Frame Type Check Boxes[) These check boxes allow you to select the types of frames you want to capture with this IF statement. For example, if you want to capture only good frames, leave the Good Frames box checked and deselect all other frame types. If you want to capture only error frames, leave all frame types selected with the exception of the Good Frames box.< @1qR5Info Button55' Info Button . *Q This button brinngs up an information window about the filter element.Use the Info.. button to find out the exact mask and logical operations in a filter element. *55' D y1CSyxState Window Button=5' ,State Window Buttonyx: BThe State window button brings up the State window. The State window is used to create advanced filters with multi-state logic.B1TConversation Area;x' (Conversation Area? LSelect a protocol, a frame type, and a direction for a conversation from the pull-down boxes. A station address that corresponds to the protocol can be entered in the Station 1 or Station 2 fields. Both fields may contain an address.Protocols:MAC, IP, or IPX.Frame Types:All, EV2 (EthernetII), SNAP, 8022 (IEEE 802.2), 8023 (IEEE 802.3)(Frame type applies to IP-layer addresses only)Directions:->Station 1 is Source Address, Station 2 is Destination Address<-Station 2 is Source Address, Station 1 is Destination Address<->Station 1 is either Source or Destination Address, Station 2 is either Source or Destination Address/ ,If no value is entered for a Station field, all stations are captured. For example, if you set an address for Station 1, no address for Station 2, and set the direction to -> all packets having Station 1 as the Source Address are captured, regardless of the Destination Address.If the station address is not the same type as the protocol selected, an error message appears. For example, if you set the protocol to IPX, you are not allowed to insert a MAC address in the conversation. Only the frame types used with the selected protocol are allowed. For example, if the protocol is set to IP you can only select EV2 or SNAP. If the protocol is set to MAC, the frame type is set to All and no options are available.) The conversation canx be enabled or disabled. Make sure that the conversation has the Enable check box selected to enable the conversation.An OR operation is implied when < -- > indicator is used.B1UkName Table Button;;' (Name Table ButtonA. *The Name Table button brings up the Name Table window, showing all name and address associations including the protocol and the frame type. The name and address associations displayed are those in the currently active name table. Load the correct name table before accessing Create/Modify Filter window to make sure names are available. Double-clicking on a name table entry will load the address associated with the name into the corresponding station address field.*;k' MA1 VCreate/Modify Filter ToolbarFk' >Create/Modify Filter Toolbar@M h""The toolbar contains buttons to Create, Save, and Open new filters. Load and Unload buttons permit you to load or unload filters directly from the Create/Modify Filter window. Press the State window button to bring up the State window. Press the Settings button to see special settings for capture filters.> 1WAction Button7'  Action ButtonS5 8Press the Actions button to bring up the Action dialog box. Check the actions to be taken if all conditions are satisfied. The action check boxes are used only when creating an advance multi-state logic filter. You do not need to use the Action button or dialog box when creating a simple filter.For advanced filters, specify in the pull-down box the state to go to once the actions are complete. Current means start the filtering test for next packet at the state containing this IF statement. If there is only one state in the filter, the only choice for the GoTo is the current state.D1Xl Fillter Combination< ' *Filter Combinationd5l / ,kThe Filter Combination field shows the syntax for the condition. You click on filters elements and then press the button to add elements to the Filter Combination. Single-click on operators (buttons) and they appear in the Filter Combination field. If the operation you perform makes no sense to create a Filter Combination, the operation is not allowed. For example, an OR operator makes no sense after an AND operator. As another example, inserting a filter element immediately after another filter element makes no sense and the operation is not allowed.A  1aY  @Operator Buttons:l  ' &Operator Buttons"  G \Press the Clear button to erase the contents of the Filter Combination field. Press CE to clear the last entry in the Filter Combination field.Press the AND, OR, or NOT buttons to add operators to the filter combination. The operator displays in the Filter Combination field. The addition of operators is context sensitive; you cannot add an operator where it makes no logical sense. For example, you cannot add an AND operator immediately after an OR operator.  @5 8Use the parentheses ) ( buttons to create the desired logical interpretation of elements in the Filter Combination field.Counter 1 is a special key that adds a filter element for testing the value of Counter 1. The most common use of Counter 1 is to set it to a particular value and then begin capture once this value is reached. The initial value for Counter 1 is set in the ROOT statement.  @l F R@1ZR@AAvailable Filters Box? @@' 0Available Filters BoxR@A( This box shows all available Filter Elements and Filter Element Templates in a hierarchical structure. Double-click on an element to add it to the Filter Combination field. This area is also referred to as the Filter Element browser.L@A1B[ACButtons for Filter ElementsEA6B' <Buttons for Filter ElementsvAC; DThese buttons add, modify, or delete filter elements. For example, if you want to create a new filter, press the New button. Press the button to add the Filter Element to the Filter Combination box for inclusion in a logic sequence.You can delete any user-defined Filter Element with the Delete button. You cannot delete pre-defined Filter Elements or Templates.D6B+D1\+DqEFilter Element Name5C`D' Filter Name+DqE( The Filter Name field shows the name of the Filter Element. Enter a unique name for the Filter Element in this field. Once you create a Filter Element, the name will appear in the Filter Element browser under User Defined Filters.B`DE1]EIData Pattern Area;qEE' (Data Pattern Area|SEjH) The Data Pattern box shows the masks that comprise a Filter Element. The offset defines the position within the packet. You can enter values directly into the Data Pattern box to create a filter element except for address values. Address values must be entered in the Conversation area.The pattern can be specified as a decimal, hexadecimal, or ASCII value. The Data format pull-down box to the right determines if the pattern is in decimal, hexadecimal, or ASCII. An X in any position within the pattern indicates that this is a "don't care" position and that any value will create a match.vEI' Use the Offset Format box on the right to change the display of row and column headers from hexadecimal to decimal.> jHEI1^EI|IFNOpen a Filter7I|I'  Open a FilterBEII' 6TO OPEN A CAPTURE FILTERB|I_K_ V:H"""1.From the Detail View toolbar, click the button.2.From the Create/Modify Filter toolbar, click the button. You can also use the button from the State window.3.Click on a file with an extension of .CFD.Or, use the dialog box to navigate to the location of the capture filter.4.Click the Open button.eIK6 <OYou must load a capture filter to a module before it can be used to filter incoming packets. B_KFNN' .Modify a Filter File1N\ ĺ^8c7xڀㅊ߂To modify a filter, start by opening the existing capture filter (.CFD) or display filter (.DFD) file. Once the filter appears in the Filter window, you can change statements, add/delete entire new states, or add/delete staNFNtements to existing states. Once changes are complete, change the filter description and save the filter.Open a FilterAdd/Delete Additional Statements on Existing StatesAdd/Delete Additional StatesModify Existing StatementsCND0 0&_Save a FIlterY(1`مAdd/Delete Statements to Existing States]6D' lAdd/Delete Additional Statements to Existing States|Ov- *To add/delete statements, the State window for a filter must be displayed.<' *TO ADD A STATEMENTlEv' Adding a statement to an existing state adds an ELSE IF statement.P˄] V:H""1.Select the statement that you wish to precede the statement you are adding.2.Press the Insert key or the button.3.The Create/Modify Filter window appears.4.Use the Create/Modify Filter window to create the conditions and actions for the ELSE IF statement.5.Click the State button to return to the State window.? ' 0TO DELETE A STATEMENT˄م1 0?"Select the statement and press the Delete key or click on the button. You cannot delete an IF or ELSE statement. However, you can delete an entire state.B 1taVAdd/Delete States;مV' (Add/Delete StatesxKΆ- *To add/delete states, the State window for a filter must be displayed.8V' "TO ADD A STATEΆ%P nV:H"1.Select the ROOT statement.2.Press the Insert key or the button.3.A new state is added to the filter definition. The name of the state is the next available state number. For example, if State0 and State1 already exist, the new state is State2. Double-click on the new state.4.The Create/Modify Filter window appears.5.Use the Create/Modify Filter window to create the conditions and actions for the IF statement.6.Click the State button.3 4V:H7.The dialog box for the ELSE statement appears. Use the dialog box to select the actions for the ELSE statement.8.Click the OK button.;%"' (TO DELETE A STATEwG0 0"Select the state and press the Delete key or click on the button. K"1b(Modify Existing StatementsD(' :Modify Existing StatementsT- *To modify existing statements, the State window for a filter must be displayed.(e9 @V:H1.Double-click on a statement in the State window.2.Make changes to the conditions using the Create/Modify Filter window.p<Ռ4 8xV: Use the Clear button to erase the current condition.rDeG. ,V: Use the filter elements and buttons to create a new condition.yMՌ, (V:H3.Press the Actions button.4.Make changes to Actions in the dialog box.*G' B,1Gc,g|Describe a Filter;g' (Describe a FilterwP,ގ' A text description of a saved filter makes it easier to identify its purpose.?g|S tV:H1.If the State window is displayed, choose Description from the Detail View menu bar. If the Create/Modify Filter window is displayed, choose Configuration Description from the Detail View menuގ| bar.2.The Description dialog box appears. Type a text description of the filter. 3.Click the OK button.> ގ1 dSave a Filter7|'  Save a FilterwOh( Note that filter elements are saved in the User Defined Filters section of the Filter browser and are not stored as separate files. You do not have to save filter elements to a file, as they will appear in the browser every time you start Surveyor. The save option is typically used to save advanced filters with multi-state logic. B' 6TO SAVE A CAPTURE FILTERo*hE XWV:H"1.From the State toolbar or the Create/Modify Filter toolbar, click the button2.Type the name of a capture filter in the File name box. The capture filter must have an extension of .CFD.Or, use the dialog box to navigate to the location of the capture filter.3.Click the Save button.B[' 6TO SAVE A DISPLAY FILTERp+E XYV:H"1.From the State toolbar or the Create/Modify Filter toolbar, click the button.2.Type the name of a display filter in the File name box. The display filter must have an extension of .DFD.Or, use the dialog box to navigate to the location of the display filter.3.Click the Save button.@[ 1<e NYCreate a FilterCN' 8Create an Advanced Filterq 3 6<The capture and display filter overview contains more detailed information on capture and display filters.Nd !V:H"""ĺ^1.From the Detail View toolbar, click the button to create a capture filter. Click the button to create a display filter.2.Press the button to bring up the State window to create a filter.3.A default filter displays in the State window. Open a filter if you want to base the new filter on an existing filter.4.Make changes to the filter or the default filter as required.wIZ. ,V: Double-click on statements to change there conditions and actions. ]/. ,^V: Use the Insert key to insert statements. pBZ'. ,V: Use the right mouse button to list context-specific options.. *[Once the filter is created, it can be saved to disk and/or loaded to the module. You must load the capture filter to the module before it can be used to filter packets.2 '4' SEE ALSO%Ys eƆiĺ^8c7xڀㅊ߂_Modify a FilterOpen a FilterAdd/Delete Additional Statements on Existing StatesAdd/Delete Additional StatesModify Existing StatementsSave a FIlterF41f Apply a Simple Filter?Y' 0Apply a Simple Filterq3 6<The capture and display filter overview contains more detailed information on capture and display filters. E XV:H""1.From the Detail View toolbar, click the button to create a capture filter. Click the button to create a display filter.2.Use the Create/Modify Filter window to select a filter element.h:. ,tV: Use the pre-defined elements in the Filter browser. {Mp. ,V: Create and apply user-defined filter elements from the Filter browser. > JV:H"3.Press the button to add the element to the Filter Combination box.4.Use pYthe logic buttons and other filter elements to create a more complex combination.5.Press the button to load the capture or display filter.oEp * $You must load the filter before it can be used to filter packets.HS1gSgCreate a Filter ElementB ' 6Create a Filter Element S( Filter elements are the building blocks that form conditions for selecting or rejecting packets. Filter elements have one or more offsets into the frame and a mask. Masks are specific values or "don't care" values assigned to the element, starting at the offset. If the values in the mask are matched by the contents of a packet, the packet is selected for capture or display. User-defined filter elements can be based on the filter templates supplied with Surveyor.K0R rV:H"""1.From the Detail View toolbar, click the button to create a capture filter. Click on the button to create a display filter.2.The Create/Modify Filter window appears.3.To base your user-defined element on a pre-existing element, click on a template from the Filter browser (left portion of the window). The offsets and values for the element or template appear in the fields at the bottom of the window. 4.If adding addresses to the filter element, press the button and select a name/address association. The address appears in the corresponding Station Address field.K{; D!V:H5.If needed, change or add additional values to the offset-pattern fields at the bottom of the window.6.Enter the name of new filter element in the Filter name box. 7.The new filter element will appear in the User_Defined_Filters section of the Filter browser.0g. *}Creating an element does not make it part of the filter. You must add the element so it appears in the Filter Combination box on the right (use the key) to make it part of the filter.H{1hModify a Filter ElementBg' 6Modify a Filter Element  ( Filter elements are the building blocks that form conditions for selecting or rejecting packets. Filter elements have one or more offsets into the frame and a mask. Masks are specific values or "don't care" values assigned to the element, starting at the offset. If the values in the mask are matched by the contents of a packet, the packet is selected for capture or display. You cannot modify the pre-defined filter elements supplied with Surveyor.O X ~V:H"""1.From the Detail View toolbar, click the button to create a capture filter. Click on the button to create a display filter.2.The Create/Modify Filter window appears.3.Single click on the element you want to modify in the User_Defined_Filters section of the Filter browser (left portion of the window). The offsets and values for the element or template appear in the fields at the bottom of the window. 4.If modifying addresses to the filter element, press the button and select a name/address association. The address appears in the corresponding Station Address field. h3 4_V:H5.If needed, change or add additional values in the offset-pattern fields at the bottom of the window.6.If desired, change the name of filter element in the Name box. * ' Ih1iuCShow/Hide Filter DetailsB' 6Show/Hide Filter Details}- *When the filter is displayed in the State window, it is possible to show or hide detailed information about the filter. R^@9 BV:H"^@1.To toggle Show and Hide Details, click the button in the State toolbar. J#@' FThe following details are shown:#^@A. *V:H The number of filter elements used for each state are shown. A maximum of 8 filter elements can be used per state for CMM2 devices, 4 for GAM devices. This information can let you know if you are running out of filter elements for a state.R@KC. *V:H The types of frames that will be captured if conditions are satisfied for an IF or ELSE IF statement. The types of frames to be captured is set in the Root statement; however, the types of frames can be changed in any IF or ELSE IF statement. This information will let you know if you have changed the frame types for any statement.*AuC' BKCC1IjCC HActivate a Filter;uCC' (Activate a FilterFC8D' >TO ACTIVATE A CAPTURE FILTERCVES tV:H""1.From the Detail View toolbar, click the button.2.Ensure the filter interface displays the filter you want to activate. 3.Press the button on the Create/Modify Filter or State toolbar.8DBF( The filter remains active for that resource until you unload the filter. Capture filters are associated with a hardware resource, different capture filters can be loaded to different resources.FVEF' >TO ACTIVATE A DISPLAY FILTERBFGS tV:H""1.From the Detail View toolbar, click the button.2.Ensure the filter interface displays the filter you want to activate. 3.Press the button on the Create/Modify Filter or State toolbar. c9F H* $rOnly one display filter applies for all view windows.= GGH1dkGH}HLOCapture Data6 H}H' Capture DatayGHI' If you are using a Capture Filter to filter data, the filter must be set up and loaded prior to starting the resource.?}H\I* $*FROM SUMMARY VIEW~;IJC T{V:H""1.Make sure that the resource you want is selected in Summary View. Click on its open window or click on the resource name in the Resource Browser.2.From the Module toolbar, click the button to set capture mode.3.From the Module toolbar, click the button; or, press Crtl + T.4.Do one of the following: \IKE XV:H" %a.Stop the resource manually. From the Module toolbar, click the button.b.If the post trigger buffer position is set, wait until the capture buffer fills and capture stops automatically.X1J>L' bIf desired, save the captured data to a file. >K|L* $(FROM DETAIL VIEWg&>LMA PQV:H""1.Set the mode to Capture (Receive). The current mode for the resource displays in the window name for the selected resource. From the Detail View toolbar, click the to set capture mode.2.From the Detail View toolbar, click the button; or, press Crtl + T.3.Do one of the following:|LNE XV:H" %a.Stop the resource manually. From the Detail View toolbar, click the button.b.If the post trigger buffer position is set, wait until the capture buffer fills and capture stops automatically.X1MLO' bIf desired, save the captured data to a file. V%NO1W'lO 7Disable a Capture Filter for a ModuleO(LO ' PDisable a Capture Filter for a ModuleO LOO΀( 5A capture filter that has been loaded to a resource can be disabled. Once the filter is disabled, all frames are captured when the resource is started.?  * $*FROM SUMMARY VIEW΀+A PV:H""!1.Select a resource name in the Resource Browser or click on its open window.2.Click the button from the Module toolbar to make sure the resource is in capture mode.3.From the Module toolbar, click the button.> i* $(FROM DETAIL VIEW+7K d V:H""1.From the Detail View toolbar, click the button.2.From the Create/Modify Filter or State toolbar, click the button.Fi}1dm}Load a Capture Filter?7' 0Load a Capture Filter}( AYou must load a capture filter to a resource before it can be used to filter incoming packets. The resource must be in capture mode to load a capture filter.?Ä* $*FROM SUMMARY VIEWiwK dV:H"""1.Select a resource name in the Resource Browser or click on its open window.2.Click the button from the Module toolbar to make sure the resource is in capture mode.3.From the Module toolbar, click the button.4.From the dialog box, select the name of the capture filter to load. Capture filters have an extension of .CFD.5.Click the OK button.>Ä* $(FROM DETAIL VIEWywU xV:H"""#"1.Click the button from the Detail View toolbar to make sure the resource is in capture mode.2.From the Detail View toolbar, click the button.3.Use the filter interface to create a filter. Or, click the button to open a previously-defined filter.4.Click the button to load the filter. The filter as displayed in the filter interface is loaded to the resource.W)ډ. *SFor a simple filter, the filter elements in the filter combination box in the right of the Create/Modify Filter window defined the filter that will be loaded. The hex/decimal display at the bottom of the window does not show a complete mask of what will be loaded to the resource as a filter.6 * $SEE ALSOu8ډ= Jpĺ^8#gOpen a capture filter Create a capture filterH͊1Dkn͊Transmit SpecificationsI"' DTransmit Specification OverviewC͊Y5 8The Packet Blaster plug-in allows you to generate packets and send them onto a network. This can be used to force the network to respond to known or suspected problem conditions or loads. Transmitted data can answer What If? questions about the network or particular network resources.To transmit data, you first set up a Transmit Specification. After the Transmit Specification is loaded to a module, click on the Start button to begin transmit. You can also transmit a previously captured data file (capture file).{ * "You can transmit the contents of a capture file. Data previously collected in the capture file can be loaded to a module and sent to the network.Using Shomiti analyzer cards, you can transmit packets at full network speed or faster. This allows you to set up high traffic conditions and see how the network performs. Surveyor can also transmit a variety of user-defined packet contents to see their effect on the network.With multiple modules, transmitted data can be captured by another analyzer card. You can use the capture and view features in the Surveyor System Manager software to analyze the results, all from the same PC.Y ^Y) Although you can transmit using NDIS modules, these devices are not always accurate transmit devices. The actual rate of transmission for an NDIS module is not predictable.You can specify the frames you want in any order, with any time interval between frames. Bursts of the same frame can be specified. Frames or bursts of frames can be repeated any number of times. Frames can be from 8 to 15,000 bytes in length. Packet types can be identified and station addresses can easily be inserted in the data stream. Transmitted frames can be numbered so they can be viewed more easily at the receiving end. 5 8C"KBefore writing transmit specifications, we suggest that you look at some of the example specifications provided with Surveyor. This will give you an idea of the types of specifications that can be authored. Use of Transmit Specifications requires the Packet Blaster plug-in available from Shomiti.Select one of the following subjects to learn more about transmit specifications. Use the browse buttons to page through all the subjects in the tutorial.`*6 L^|zـ^IAdd Packet Templates Packet Editor \+15҉aw Hints and Tips for a Transmit SpecificationU.V' \Hints and Tips for a Transmit Specificationk:r1 0uV:H1.Be careful what you transmit. The Surveyor is capable of transmitting packets at 100% of network bandwidth or more. It is possible to flood the network and cripple performance.2.Make sure that the transmit streams you want are activated before you load the transmit specification onto the resource.3.The transmission mode is not saved as part of the transmit specification, so it should be checked before each resource is loaded.4.Transmitted packets can be sent to another resource. Use sequence numbers to aid in analyzing the packets at the receiving end.o@/ ,V:H5.Using bursts is the easiest way to simulate high traffic conditions.6.Always save your defined transmit specification. 7.An NDIS module cannot transmit bad physical layer error packets such as a bad CRC, runt packets, oversized packets, or undersized packets. Use GAM or CMM2 modules to generate error packets.*r ' P[1xx[Transmit Specification ExamplesS, ' XAccessing Transmit Specification ExamplesG[J bnЀKqЀTransmit specification examples are supplied with Surveyor. Open a transmission specification file (TRANSMIT subdirectory, .TSP extension) from the Transmit Specification dialog box to see examples. Two transmit specification examples are described in the help system. Click on the example name to view the example.Example1 -- This example shows a stream that uses packet gaps.Example2 -- This example shows a stream that uses bursts.To find more examples, look in the ..\examples directory. ^-S1ayS/Transmit Specification Example 1, Packet GapsW0' `Transmit Specification Example 1, Packet GapsP!S/ ,CA transmit specification example in its dialog box is shown below. Press on any area of the dialog box below to find out more about the buttons, fields, and values in the example. The dialog box only shows the values for one stream. Multiple streams are defined in the specification.5/0 0  "% Y(1zڌPTransmit Specification Example 2, BurstsR+/ڌ' VTransmit Specification Example 2, BurstsA/ ,%A transmit specification dialog box is shown below. Press on any area of the dialog box below to find out more about the buttons, fields, and values in the example. The dialog box only shows the values for one stream. Multiple streams are defined in the specification.5ڌP0 0  "& H1{ Active Stream IndicatorAPَ' 4Active Stream Indicator ( A check mark indicates that the stream is active. No check mark indicates that the stream is deactivated. Double-click on a stream to activate/deactivate the stream. Only active streams are loaded to a resource.َ PGَS1|SDefined Streams WindowB ' 6Defined Streams List Box^5S) kThe defined streams list box shows a synopsis of all streams defined for the transmit specification. In the example, four streams are defined and all streams are activated. The first stream in the list, highlighted in blue, is the currently selected stream. An inactive stream in the window would be highlighted in black and no check mark would appear next to the stream.The settings for the currently selected stream show in the fields of the dialog box below the Defined Streams list box. If you select a different stream, the value of the fields will change.( !The currently selected stream is highlighted in the highlight color for Windows. A deactivated stream is shown in the Windows inactive color.G1}Defined Streams WindowB4' 6Defined Streams List Boxf<* "yThe defined streams list box shows a synopsis of all streams defined for the transmit specification. In the example, two streams are defined and all streams are activated. The stream highlighted in blue is the currently selected stream.The settings for the currently selected stream show in the fields of the dialog box below the Defined Streams list box. If you select a different stream, the value of the fields will change.The currently selected stream is highlighted in the highlight color for Windows. A deactivated stream is shown in the Windows inactive color.A41e~DA and SA Fields:' &DA and SA Fields<Q) 'DA and SA fields define the MAC layer source address and MAC layer destination address for selected stream. Note that the MAC address values appear in the stream synopsis in the Defined Streams window. Use an "X" in any offset of the DA or SA fields to indicate "wild card" addresses. Surveyor will generate packets with different values in that offset. For example, set the DA field to 432FFFFFXX. When transmitting packets, values will be generated either sequentially or randomly and sent for the last 2 positions of the DA.(  The values for the wild cards can be random or sequential, as defined by the Random Access Mode buttons below the DA and SA fields.= Q<1<Names Button6r' Names Buttonh:<. *uClick on the Names... button to see the currently active name table. You can set the DA or SA from the name table and they will appear in the DA or SA fields in the Transmit Specification window. The name appears to the right of the DA or SA address if the name table contains a symbolic name for the address.< r1fPacket Type5K' Packet Typef( This field sets the packet type for the current stream. Use the pull-down box to see available options. In the example stream, the packet is an IP packet. This field can also be used to enter the packet length for IEEE 802.2 or SNAP frames.< K1Packet Size5f' Packet Size( This field sets the packet size. Use the pull-down box to view common sizes. The size must be from 8 to 15,000 bytes for CMMs. The packet size must be from 64 to 1518 bytes for NDIS modules. In the example stream, the packet size is 64 bytes.PD1AD Start and Stop Sequence Numbers:~' &Sequence Numbers4 D ( This field sets the starting number and ending numbers for packets transmitted. It also s~ ets the offset within the frame where the sequence number will be stored. In the example, frames are numbered up to 1000 and the frame number information is stored at offset 0x50. You cannot store the sequence number in the first 12 offsets of the frame. Also, you should take care not to store the sequence number in any part of the packet that contains other information that will used by the network or by the receiving station.*~ ' D , 14,  Stream Mode Buttons= i ' ,Stream Mode Buttons,  ( An interpacket gap for a frame can be sent in three different ways; Packet Gap, Frame Rate and Traffic Rate. In the example stream, Packet Gap is selected. This activates the Packet Gap Units buttons to select a unit for the packet gap. The time of the gap is specified in the Packet Gap field. In the example, a gap of .96 microseconds is inserted after the stream has finished transmitting.Di ` 14` P Stream Mode Buttons=  ' ,Stream Mode Buttons` P ( An interpacket gap for a frame can be sent in three different ways; Packet Gap, Frame Rate and Traffic Rate. In the example stream, Packet Gap is selected. This activates the Packet Gap Units buttons to select a unit for the packet gap. The time of the gap is specified in the Packet Gap field. In the example, a gap of .96 microseconds is inserted after the stream has finished transmitting.?  1  Burst Settings8P  ' "Burst Settings+  ( Check the Bursts box to send a burst of packets with the stream. If the Burst box is checked, specify the burst using the Burst Count and Burst Gap fields. Using bursts, a single stream can be sent many times. No bursts are specified in the example stream.? 1 11 Burst Settings8 i ' "Burst Settingsb91 ) sCheck the Bursts box to send a burst of packets with the stream. If the Burst box is checked, specify the burst using the Burst Count and Burst Gap fields. Using bursts, a single frame can be sent many times. In the example stream, a burst of 100 frames is sent with a gap of 1 millisecond between each frame.?i 1 ^ Stream Buttons? I ' 0Stream Action Buttonsk5 6 :kThese buttons define the transmit specification by acting on entire streams. Add - Adds a new stream after the currently selected stream in the Defined Streams window. The values displayed in the fields of the Transmit Specification window are used as the values for the new stream.Add File - Adds a new stream defined by capture file (.CAP file) in the Defined Streams window. A dialog box appears asking for the name of the capture file. The first packet in the capture file is the defined stream. All subsequent packets in the capture file are ignored.dI ^ F Z^IModify - Changes the definition of the current stream. The values displayed in the fields of the Transmit Specification window overwrite the values of the currently selected stream.Delete - Deletes the currently selected stream.Edit Data - Brings up the packet editor. You can use the packet editor to modify the currently selected stream. C  1 \A Transmission Modes;^  ' (Transmission Modet> \A 6 :}Sets the type of transmission for the entire specification, either n number of times or continuous. In the example, the sequence of streams is transmitted once. The text next to the field indicates the total number of frames that will  \A ^ be transmitted. In the example, four streams are activated and each stream transmits only one frame. Therefore, a total of four frames are transmitted.You can transmit the entire specification a number of times by setting the Time(s) field. Remember that there is a time delay when retranslating the entire Transmit Specification.C A 1A dD Transmission Modes;\A A ' (Transmission ModeTA dD 6 :Sets the type of transmission for the entire specification, either n number of times or continuous. In the example, the sequence of streams is transmitted once. The button indicates the total number of frames that will be transmitted. In the example, 2 streams are activated which transmit a total of 101 frames. The stream that defines a burst transmits 100 frames and the other stream transmits one frame.You can transmit the entire specification a number of times by setting the Time(s) field. Remember that there is a time delay when retransmitting the entire Transmit Specification.DA D 1gD F Transmission Status=dD D ' ,Transmission StatusD F ( }The Transmission Status area provides status information about the transmission. It indicates the speed of the currently active resource, the number of streams that are active, and the total memory in the buffer required to transmit the specification. The total memory increments as you add/change streams, giving you an instant reflection of how much data you are transmitting. An error message is shown if you exceed the capture buffer size.OD G 11G K Transmit Specification ButtonsH!F bG ' BTransmit Specification ButtonsJ G I ? LLoad Module - Loads the current resource with the currently defined Transmit Specification. Be sure to use the Load Module button to load the specification to the resource before you begin transmission.Open Specs... - Opens a previously saved Transmit Specification. A dialog box appears to specify the name and location of the Transmit Specification.Save Specs - Saves the currently defined Transmit Specification to a file. A dialog box appears to specify the name and location of the Transmit Specification.PbG K 8 >1Template - Shows menus that list the currently defined templates for packets. Selecting a template places the values of the template in the fields of the Transmit Specification dialog box. You can then change the values of the fields in the Transmit Specification dialog box or use the Edit Data button to create exactly the packet you wish.Cancel - Closes the Transmit Specification dialog box. Make sure you have added/modified all streams, saved new Transmit Specifications, and loaded the resource before pressing Cancel.?I ;L 1;L M Repeat Streams7K rL '  Repeat Stream:;L M ( %This field specifies how many times to repeat the current stream. In the example, the stream is only sent once. If you modified the Repeat Stream field to a value of 8, the current stream would be sent 8 times before the next stream in the transmit specification is sent.9rL M 1VM O Auto CRC2 M N ' Auto CRCM O . *{Leave this box checked to generate correct CRC values for all frames. You can uncheck this box and then use the packet editor (Edit Data button) to create frames that have CRC errors.; N =O 1=O Data Field4 O qO ' Data Field!=O ( This data field specifies the data to be sent as part of the packet. Use the pull-down box to see commqO O only used values. Any hexadecimal values can be entered in the Data Field and sent with the packet. The first 32 bytes of data can be specified.CqO 1A ߂ Random Access Mode<  ' *Random Access Mode ߂ ( 5You can use X's as wildcards within the source or destination address. Various unique source and destination addresses will be generated during transmit if wildcards are used. The random access mode sets how these addresses are generated. If Random is selected, numbers are assigned randomly to X values in addresses. If Sequential is selected, numbers are assigned in sequential order beginning with zero. P / 1/ x Create a Transmit SpecificationI"߂ x ' DCreate a Transmit Specification/ H 4 69w&The procedure below outlines the process for creating a transmit specification. See the tutorial for complete information on transmit specifications.Kx T vV:H"$EI)d1.From the Detail View toolbar, click the button.2.Open a transmit specification if you want to base the new specification on an existing specification.3.Define a stream for transmission using the dialog box.4.Click Add to add the stream to the specification.5.Repeat steps 3 and 4 to add additional streams. .H  ' TIPS ( }Once the specification is created, you can save it to disk and/or load it in the resource. You must load the transmit specification to the resource before it can be used to transmit data.P K 1K Modify a Transmit SpecificationI" ' DModify a Transmit Specificationg%K B RMV:H"$1.From the Detail View toolbar, click the button.2.Click the Open Specs.... button.3.Type the name of a transmit specification in the File Name box.Or, click on a file with an extension of .TSP.Or, type the complete path and filename in the File Name box.4.Click the OK button.I D * $>V:H5. Modify existing streams. < 9 @V:a.Click on a defined stream in the Defined Streams window.b.Make changes to the stream using the dialog box.c.Click the Modify button.d.Repeat steps above to modify other streams.J D * $@V:H6.Define additional streams:v< 2 6 <V:a.Use the dialog box to define the stream.b.Click the Add button. c.Repeat steps above to add other streams. ) EStreams are always added as the last stream in the transmit specification.Once the specification is modified, save it to disk and/or load it in the resource. N2 K 1K  Open a Transmit SpecificationG ' @Open a Transmit Specificationp(K  H ^SV:H"$1.From the Detail View toolbar, click the button.2.Click the Open Specs... button3.Type the name of a transmit specification in the File Name box. Or, click on a file with an extension of .TSP.Or, type the complete path and filename in the File Name box.4.Click the Open button.N P 1P Save a Transmit SpecificationG  ' @Save a Transmit SpecificationfP G \AV:H"$1.From the Detail View toolbar, click the button.2.Click the Save Spec... button3.The file must have an extension of .TSP. Type the name of a transmit specification in the File Name box. Or, type the complete path and filename in the File Name box.4.Click the OK button.  L X 1'X > Transmit Data from a BufferE ' <Transmit Data from a BufferX k ( MYou may transmit data from the capture buffer instead of as defined in a transmit specification. Load the resource with a capture file and then begin transmission.; ' (FROM SUMMARY VIEW"k V zV:H"'"("1.From the Module toolbar, click the button to set transmit mode.2.From the Module toolbar, click the button.3.From the dialog box, select the name of the capture file to load. Capture files have an extension of .CAP.4.Click the Open button.5.From the Module toolbar, click the button; or, press Crtl + T.6.Transmit tops automatically. Only one copy of the capture file can be sent. For continuous transmission, transmit from Detail View.:  ' &FROM DETAIL VIEW  g KV:H"'")1.From the Detail View toolbar, click the button to set transmit mode.2From the Detail View toolbar, click the button.3.Click the Capture File.. Button.4.From the dialog box, select the name of a capture file to load. Capture files have an extension of .CAP.5.Click the Open button.6Select Transmit Spec (N frames) (one time) or Transmit Continuously (loop).7.Click the Load Module button.g 5 :V:H"8.From the Detail View toolbar, click the button; or, press Crtl + T.9.Do one of the following:R ' - *V:Ha.Wait until the capture buffer is empty and transmission stops automatically.V 4 8ȆH" b.Stop the resource manually. From the Detail View toolbar, click on the button.6 ' * $SEE ALSOW' > 0 0N?WmTransmit Data (Generate Traffic) Q 1   Transmit Data (Generate Traffic)J#> ' FTransmit Data (Generate Traffic)f i * $To use a transmit specification, you must load the specification to a module before transmitting. ? * $*FROM SUMMARY VIEW"i K dV:H"'"(1.Select a resource name in the Resource Browser or click on its open window.2.Set the mode to Transmit. The current mode for the resource displays in the Window name for the selected resource. From the Module toolbar, click the button to set transmit mode.3.From the Module toolbar, click the button.4.From the dialog box, select the name of the transmit specification to load. Transmit specifications have an extension of .TSP.5.Click the Open button. 6 :/V:H"6.From the Module toolbar, click the button; or, press Crtl + T.7.Wait until the capture buffer is empty and transmission stops automatically.> * $(FROM DETAIL VIEWk ? [ %V:H"'"$1.Make sure you are in the Detail View window for the resource you want to load.2.Click the button to set transmit mode.3.From the Detail View toolbar, click the button.4.Click the Open Specs... button5.From the dialog box, select the name of a transmit specification to load. Transmit specifications have an extension of .TSP.6.Click the Open button.7.Click the Load Module button. The transmit specification must display in the Transmit Specification dialog box before it can be loaded to a resource.g 5 :V:H"8.From the Detail View toolbar, click the button; or, press Crtl + T.9.Do one of the following:R? f - *V: f > Ha.Wait until the capture buffer is empty and transmission stops automatically.V 4 8ȆH" b.Stop the resource manually. From the Detail View toolbar, click on the button.6 f & * $SEE ALSOF  = Jl}3Create a transmit specificationTransmit Data from a Buffer N&  1 >  Load a Transmit SpecificationG  > ' @Load a Transmit Specificationh  * $To use a transmit specification, you must load the specification to a resource before transmitting. ?>  * $*FROM SUMMARY VIEWz  K dV:H"'"(1.Select a resource name in the Resource Browser or click on its open window.2.Click the button from the Module toolbar to make sure the resource is in transmit mode.3.From the Module toolbar, click the button.4.From the dialog box, select the name of the transmit specification to load. Transmit specifications have an extension of .TSP.5.Click the OK button.>  * $(FROM DETAIL VIEWi  X ~V:H"'EIl1.Make sure you are in the Detail View window for the resource you want to load.2.Click the button to set transmit mode.3.Open a transmit specification or create a transmit specification. The transmit specification must display in the Transmit Specification dialog box before it can be loaded to a resource. 4.Click the Load Module button.-  * $ȆH1 1 1U1 U $ U " = 1  1_  I Summary View5U  & &Summary View{ p . *$Summary View is Surveyors global monitoring tool for network data. You can view real-time data from any local resource or any resource you can connect to on the network. You can filter the data before viewing by using a capture filter. Each resource is viewed through its own window within Summary View. You can have as many resources open as you need in Summary View. The display of each resource in Summary View is comprised of six different windows; the window is selected by the tab at the bottom of the window. You can get a single monitoring view, see transmit or receive counters, view alarms set and alarms triggered for this resource, or get a description of the resource (counters supported, etc.). The single monitoring view appears on the first tab of the window, with the name of the view on the tab. There are six tabs available for different views within Summary View: I = H9V:H Monitor Monitoring view. Refer to the list below for the choices. Each resource can have its own view The selected view will show on the tab.]p 3 6V:H Rx Receive counters. A list of MAC counters for capture and capture error counters.`I l 3 6V:H Tx Transmit counters. A list of MAC counters for transmit and transmit error counters.D < HV:HʊCAlarms Shows the alarm tables applied to this resource.[l z 3 6V:H Alarm Log Log of all real-time alarm events that have occurred for this resource.g  3 6V:H Description Provides a brief description of the board, board address, and supported counters.Gz @ : B$HSelect your monitoring view for Summary View by setting Module Monitor View Preferences in the Configuration menu. The view you select applies to what you see in the fir @ U st tab and applies to all resources. All resources will show in the first tab using this view (for example, Protocol Distribution as a bar graph).h+ B = HY$HU-" In Summary View, you get one monitoring view of many different resources. Go to the Detail View to get many different views of a single resource or to perform detailed analysis functions on captured data. Double-click on the view for the resource or press the button to get to Detail View.C@ LC ( 7$HMultiple views of information are available within Summary View. Each view can display as a table or a chart, with the exception of Mac-Network Associations which only displays as a table. Remember that in Summary View you set one of these views which will apply to all resources.Q B C 6 <6V:H泀Utilization/Error X"LC C 6 Setting the Monitoring View for a Module EH I 0 0*$NVModule Toolbar < ZI I 1EI J Detail View4I J & &Detail Viewe8I tL - (q$Detail View is the tool for performing detailed analysis of network data. You can view real-time data from the resource for which you have opened Detail View. You can view and analyze data stored in the capture buffer. You can filter the data before viewing by applying a display filter. Detail View allows multiple monitoring views for a single resource module and also allows the Capture View to be opened for that same module. By contrast, Surveyors Summary View allows one monitoring view for multiple resource modules and the Capture View cannot be opened.rJ % 3 4$You can have as many windows with data views as are available in Detail View. The initial data view you get of a resource is the view set in the Configuration menu for Summary View. Many of the table or chart views within Detail View can be customized. Within Detail View you can get monitoring views of the resource or view of the capture buffer contents.Files or buffers, such as a capture file or capture buffer, are considered resources just like physical devices that are available from the Resource Browser. If you open a file from Summary View, a Detail View window will open for that resource. Viewing static resources such as files or buffers will change the options available from the toolbars and menus and the data views will appear somewhat different. Surveyor is designed so that youll only be able to perform the functions that make setL % I nse for that resource. $tL I w [$vzC!,JI(`Surveyor.HLP',`More_Information_on_Detail_View')For example, if you open the capture buffer, it automatically puts you into Capture View. Buttons for capture, transmit, and monitor are grayed on the Detail View toolbar, since these functions make no sense for a file. If you select another view of the information in the file, it will appear in a table with a gray background indicating its a view of a static resource. Click here for more information on Detail View.K%% & K$There multiple view of information available from Detail View. You can open any view by pressing its button on the Data Views toolbar. MAC statistic and utilization/error views show counter information. For these views, the displays depends on the mode of the resource, capture or transmit.]I ? N>V:H2'D_"*MAC Statistics (Rx) ] N ? N>V:H)e"*MAC Statistics (Tx) b# ? NHV:H.="+Frame Size Distribution a"N  ? NFV:H",Protocol Distribution j+ { ? NXV:H泀"-Utilization/Error View (Capture) k, ? NZV:H泀".Utilization/Error View (Transmit) T{ : ? N,V:HϓN"/Host Table b# ? NHV:H"0Network Layer Host Table f':  ? NPV:Hъ"1Application Layer Host Table U W ? N.V:H,Ci "2Host Matrix ^ ? N@V:H;"3Network Layer Matrix b#W  ? NHV:Hcj"4Application Layer Matrix N e ? N V:H+:8"5VLAN U ? N.V:H *"6Address Map v7e 0 ? NpV:HL!Ҁ"7Duplicate Network Address View (Expert only)c$ ? NJV:Hڽ"8Expert View (Expert only)v70 ? NpV:HzN"9Application Response Time View (Expert only)* 3 ' $H2 e ' SEE ALSOT$3 0 0H$gHwHints and Tips on Using Views V&e  0 0L$䜺cMore Information on Detail View J Y 0 04$NVDetail View toolbar I 0 02$NVData Views toolbar EY 3 6$V:HvCapture ViewP 7 1, 7  More Information on Detail ViewH"  & D&More Information on Detail Viewf7 % $The sections below outline some of the things to be aware of when viewing resources in Detail View.F P ' >USING MONITOR + CAPTURE MODE" r ( $In Detail view for a resource, you can have both Monitor and Capture views of data. The use of these two modes together allows you to monitor traffic at the same time as you look at the contents of previously captured data. However, some of ways you can look at the capture or monitor data are the same. For example, you can view a host table for the monitor data and also view a host table for the contents of the capture buffer. Since the tables are formatted the same, which data are you looking at? |P : @ N$Surveyor provides some visual distinctions between capture and monitor views.r : For table information of the capture buffer data, all data in the table is grayed. For monitor data, the column and row titles are gray, but the data in the table is white. The title bar for a monitor view will say Monitor View and the title bar for a capture view will say Capture View.!r [ = H$":If you start a resource and then stop it, you can look at the capture buffer contents using the button to bring up Capture View. If you restart the resource (start a different capture operation), you will begin refilling the contents of the capture buffer and incrementing counters for monitor views. However, the previous views that you have of the capture buffer are still open windows within Detail View. In other words, the view and decode of previous information is still available, even though the capture buffer itself is refilling with new information. If you do not need this previous view of captured information, it is recommended that you close the Capture View window and all associated capture view windows. You can, of course, save this information to a file. Closing unused windows may avoid confusion when looking at similar monitor and capture views, and help you distinguish between what is happening real-time and what was saved from the previous capture operation.-: * $ȆH< [ 1q K Packet View5 & &Capture ViewA K d$^I":NVCapture View is the tool for detailed analysis and editing of packets. You can view the data in the capture buffer or view previously captured information that has been saved to a file. You can filter the data before viewing by using a display filter. Capture View contains a Packet Editor for editing packets.Click the button on the Detail View toolbar to access Capture View. Use the green arrow buttons on the Capture View toolbar to move through the listed items. Capture View also opens automatically when you open a capture file (file with .CAP extension). , &$The initial Capture View display provides a protocol decode of all packets. Other views of captured information are available from the Capture View toolbar. Although similar to the Monitoring View toolbar buttons, the graphs and charts displayed by using the Capture View Toolbar Buttons display detail information about the packets decoded from the capture buffer only. Table data in these other views is grayed to indicate that its a capture view, not a view of real-time data. h 9 @3$The initial Capture View window is divided into three parts or "panes." Capture View shows a synopsis of all captured packets, provides a breakdown of the elements of the packet by protocol, and shows the hex and ASCII values for all characters in the packet. The three panes of the window can be sized any way you like. Click and drag the bars separating the panes to resize them. Use the F11 function key to zoom in on any of the three panes. The summary pane, top, is a summary of all packets. You can change the summary pane of the packet window to display the fields you want by selecting Capture View Options Display from the Configuration menu. }  ( $Clicking on a packet selects it and displays its detailed protocol breakdown (decode) and its hex values in the remaining two panes of the window.The detail pane, middle, shows the values of the protocol elements associated with each protocol. For example, for the Data Link Control the values for the source address, destination address, and packet length are shown. Single clicking on a value highlights the value in both the detail pane and the hex pane.The hex pane, bottom, shows the hex and ASCII values for all the bytes in the packet. Single clicking on a value highlights the value in both the detail pane and thh  e hex pane.>h  E X}$A unique color can be used to display packets of each different protocol layer. Set color coding or change color associations using the Protocol Color Coding tab from the Configuration System Settings menu. This color coding is used in all three panes. You can also enable or disable Expert Analysis views from the Configuration Capture View Options menu. You can export packet decode information to another source. You can also print a range of frames in a capture file or in the capture buffer to a text file. Frames can be saved in a variety of formats.  e & G$If you have special decoding or display needs for non-standard protocols, see the topics below on assigning protocol parsers and assigning names to protocols. (Note: Support for non-standard protocols has changed from previous releases. The older method is still supported, but it strongly suggested that you convert to the new method. The newer method provides a general solution that supports any TCP or UDP port.)2   ' SEE ALSOW$e  3 6H$bCapture View Display Options C 1 0 0&$^IPacket EditorJ { 0 04$NVCapture View toolbarJ1  0 04$WǀCapture View OptionsT${  0 0H$hSetting Protocol Color Coding d4 } 0 0h$߈Setting Protocol Summary Information by Layer Q!  0 0B$b6Assigning Protocol Parsers S#} ! 0 0F$~mFAssigning Names to Protocols * K ' $F!  1  Add Packet Templates=K  & .&Add Packet Templates& < FV:H";1.Click on the button and open a capture file. Capture files supplied with Surveyor are in the ..\Surveyor\Examples\Capture directory. You can also use packets within the capture buffer that are displayed in Capture View.2.Find the packet you want to add as a transmit template. You must make this packet the first packet in the capture file or capture buffer. Either delete all packets that come before the packet you want, or filter out all other packets using a display filter.i 5 8V:H3.Select the first line (first packet) of the capture file.4.If desired, edit this line using the packet editor. The values you enter in this first packet define the new template.5.Save the new capture file (the template). Make sure you give a name you will recognize later. Place it in the ..\Surveyor\Template directory or one of its subdirectories. @ N$HTemplates display in the Template menu when using the Insert Packet option of the Edit menu. The exact placement of the new template on the menu depends on the directory location within the ..\Template directory.D 1U 1 X@ Insert a New Packet< 1 & ,&Insert a New Packet  9 @U$In the Capture View window, choose Insert Packet from the Edit menu.Choose blank for a blank packet or choose Template and select a template for the new packet..1 B ' TIPSd=  ' z$Use the packet editor to create the exact packet you want.}VB # ' $In most instances it is easier to start from a template rather than a blank packet.iB  ' $Add your own templates to make inserting a packet even easier.2 #  ' SEE ALSOK @ 0 06$|zـAdd Packet Temp @ latesC X@ 0 0&$^IPacket Editor> @ @ 1 @ @ AN Packet Editor6X@ @ &  &Packet Editor@ B 4 6$The packet editor can be used to modify packet contents. The editor provides two views of packets, a decoded view and a hex view. Edits can be made within either view. The packet editor can be accessed from the summary pane in Capture View or from the Transmit Specification dialog box. To access the editor from Capture View, the Enable Packet Edit box must be checked in the Configuration Capture View Options menu.The following buttons are available within the packet editor:p7@ YE 9 @ot!~!Auto CRC Causes the 4-byte CRC error check value to be automatically calculated and written to the frame. With this option selected, creating frames with a bad CRC is not possible. If not selected, bad CRC packets can be generated (note that bad packets can only be sent using GAM or CMM2 modules). This option is not available when using the packet editor from the Transmit Specification dialog box.Compute CRC Inserts the correct CRC error check value for the frame. You can use this option to create frames with or without correct CRC error check values. +B G A Pt!~!Set Size Sets the size of the packet. The current size of the packet is displayed for reference. Packet sizes from 8 to 5000 bytes are allowed. . This option is not available when using the packet editor from the Transmit Specification dialog box.Decode Takes the values entered in the hex view window of the packet editor, decodes the packet, and displays the resulting decode in the decode view window.Undo Undo the last editing action. Only one level of undo is supported.~FYE H 8 @t!~!OK Save edits.Cancel Leave the editor without saving changes.@G BH ' 2EDITING IN DECODE VIEWH XJ . *$Editing in decode view allows you to edit packets without remembering offsets. Click on a field and a dialog box pops up which shows the current value for the field and asks for a new value. The dialog boxes for each field are slightly different. Most dialog boxes display and allow you enter values in hexadecimal or decimal. Some contain a use little-endian bit order check box if bit order swapping is required. Changes made in decode view are automatically reflected in hex view.=BH J ' ,EDITING IN HEX VIEWL$XJ K ( I$Edits are made in hex view by placing the cursor at a location and overwriting the current values. You can also paste (Ctrl + V) the contents of the paste buffer into a location. Values are always overwritten starting at the current cursor location in hex view so offsets remain correct. J L 4 6$Press the Decode button to display edits made in hex view in the decode view. Note that changes to the decode view are not automatic. This provides the option of creating error packets that cant be decoded properly..K "M ' TIPSL N 4 6$To insert a new packet before editing, select Insert New Packet from the Edit menu of Capture View. Insert a blank packet or a packet template to begin the process of inserting a packet.*"M AN ' $LN N 1N N ̂ Add Packets in Capture ViewDAN N & <&Add Packets in Capture View&N  9 @$You must have the Packet Blaster plug-in to use templates and the packet editor.If you are inserting a packet into a capture file or capture buffer, you can use a template as the starting point for packet data. To select a template, select the N  AN Insert New Packet Template option from the Edit menu. Nested menus appear to select a template. When you select a template, the packet editor comes up with the template values. Use the packet editor to create the exact packet you want. N , &e$Templates insert the required values for commonly known packet types. For example, if you select the template for IPX, the value 0x8137 is inserted in the Packet Type field.2   ' SEE ALSOK ^ 0 06$|zـAdd Packet Templates D 0 0($^IPacket Editor *^ ̂ ' $H  1r T Search the Capture File@̂ T & 4&Search the Capture FilevQ ʃ % $You can search a capture file displayed in the Capture View for a text string.iT M hV:H" "<"<1.Open a capture file or view the contents of the capture buffer.2.Select the mode you wish for viewing. Press one of the view buttons on the Capture View toolbar.3.Type a string in the field to the left of the button.4.Press the button to find the next instance of the string. The line containing the next instance of the string is highlighted.-ʃ '  TIP k ( -$Note that the view mode you select will effect the search. For instance, you won't find the string MAC when searching in Network Conversation View.* ' $Gk ܆ 1܆  Printing Capture Views?  & 2&Printing Capture ViewsgB܆ % $You can print the table or graph information for capture views.< 8 > V:H"=1.Bring up the view that you want to print by pressing one of the view buttons in the Capture View toolbar.2.If the view supports both table and chart, make sure the view you want to print is displayed.3.Press the button from the Detail View toolbar.U$  1  ` G Setting Capture View Display OptionsM' ` & N&Setting Capture View Display Options[5 & k$When using Capture View, you can control the display of summary data for packet decoding. You can view the time as absolute, as a delta, as elapsed, or any combination of the three. You can show/hide the size and status of packets. You can also show/hide the details of the protocol values for the packets.L` e ^ V:H":1.Open the Capture View window by pressing the button or by opening a capture file.2.From the Configuration menu, select Capture View Options Display; or, press F2.3.Click on the boxes for the options you want. Specific display fields include Absolute Time, Delta Time, Elapsed Time, Frame Size, Status, Network Address, and Byte Count/Throughput.4.Check the Display Detail Protocol Summary box to view detail about all the protocols used in the packet. Leaving the Display Detail Protocol Summary box unselected gives a synopsis of all protocols in the packet. 4 + $IV:H4.Set the protocols you want to display from the pull-down menu. For example, if you want to display only the Transport layer and below, select Transport Layer.0e d 8 >V:H5.Select the Display Expert Symptoms check box if you wish to include expert symptom information in the Summary field. Packets that trigger an expert symptom and have expert symptom information will display in reverse video in Capture View.v4 = W |V:H6.Set time-zero for capture in the Elapsed Time Set Mark Optd = ion portion of the Display Options dialog box. The default option is Module Arm Time, which starts time zero at the time the module is started. Select Frame ID nnns Arrival Time and set the frame ID number in the box to start time zero when a particular frame arrives. 7.Click the OK button.*d g ' $H2 = ' SEE ALSO[+g 0 0V$߈Setting Protocol Summary Information S# G 0 0F$bCapture View Display Options ? 1 & Set Delta Time7G & "&Set Delta Timep% - K dKV:H1.Select a packet in the Capture View window.2.Choose Set Delta Time from the Edit menu. The Set Delta Time dialog box appears.3.Click the radio button for the unit of measurement you want for the time.4.Set the new delta time in the Delta Time field.5.Click the OK button. 2 ( $HThe delta time is set between the selected packet and the previous packet in the sequence. For example, changing the delta time for Packet ID -00004 effects the delta time between Packet ID -00005 and Packet ID -00004..- ` ' TIPSu2 ' $The absolute and elapsed time are also changed for all subsequent packets when a change is made to the delta time.*` & ' $@ f 1f G Select the View8& & $&Select the View?f * $*FROM SUMMARY VIEW ( $One monitoring view is available in Summary View. The first tab in the Summary View for a resource displays the view selected. A PV:H1.From the Configuration menu, choose Module, Monitor View Preferences.2.Click the radio button in the Display tab for the view you want. Only one view is allowed.3.Click the OK button.> * $(FROM DETAIL VIEW . *V:H1.Make sure you are in the Detail View window for the resource you want.2.Press one of view buttons on the Data Views toolbar.If you already have the desired view window open, click the window to make it the currently selected view.? ( * $*FROM CAPTURE VIEW  ? LqV:H":";1.Click the button on the Detail View toolbar or click the button on the Module toolbar and open a capture file.2.Press one of the view buttons on the Capture View toolbar.*( G ' $HC 1O  View Captured Data;G & *&View Captured Data\6 ! & m$You can view the contents of the capture buffer or data that has previously been stored on disk as a capture file. You open capture files from Summary View; you open capture buffer contents from Detail View. In either case, Capture View appears so you can see complete protocol decodes of the captured data.L% m ' JTO VIEW DATA IN THE CAPTURE BUFFERi1! 8 >eV:H":1.You must have data in the capture buffer to view and the capture process must be stopped.2.From the Detail View toolbar, click the button.3.Data is always viewed in Capture View initially. To open other views of captured data, use the view buttons on the far right of the Capture View toolbar.H!m  ' BTO VIEW DATA IN A CAPTURE FILE} ' $A file is considered a resource, just like a device. A separate Detail View window will appear for any file that you open.W e @ NV:H"; e G 1.From the Summary View or Capture View toolbar, click the button.2.From the dialog box, select the name of a capture file to view. Capture files have an extension of .CAP.3.Click the Open button.4.Data is always viewed in Capture View initially. To open other views, use the buttons on the far right on the Capture View toolbar.>  ' .TO REFRESH THE VIEW #e  5 8&If you have changed the display filter, you can update the Capture View display by choosing Refresh... from the File menu. Data in the capture file or capture buffer is "re-filtered" using the contents of the Display Filter window.G  1-  L H Print Frames to a File? L & 2&Print Frames to a FileB   ' 7&You can print a range of frames in a capture file or in the capture buffer to a file. Frames can be saved in a variety of formats. You are printing frames to a file from the capture buffer, you must stop Capture mode; if you are in Monitor mode only, this option is not available.^L  A P;V:H1.Choose Print to File from the File menu.2.Set the range of frames to print by entering start and stop frame numbers or select All to save all frames. Frames are numbered within the capture file or capture buffer.3.Select the radio button for the print format you want.u  A PVW~WDetail Prints complete details for each frame, including the Detail Pane and Hex Pane breakdown.Summary Prints only the Summary Pane for the range of frames. All details of the protocols used are included in the Summary field.Short Summary Prints only the Summary Pane for the range of frames. Summaries of the protocols used are included in the Summary field.   E XV:H4.Click the OK button.5.The Save As dialog box appears. Provide the name of the print file and click the OK button. Files are in text format, so files should be given a .txt extension.-  '  TIP ; DA&The .txt file can be printed. Use this option to print a range of frames. If you want to print a single frame, use the Print option from the File menu.i6  3 6nV:H"=3.Press the button from the Detail View toolbar.* H ' $HM 19 J Capture View Display OptionsEH & >&Capture View Display Options ' $When using Capture View, you can control the display of data for packet decoding. You can view the time as absolute, as a delta, as elapsed, or any combination of the three. You can show/hide most fields in the decode display. You can also show/hide protocol information about packets and set the starting point for elapsed time Use the top part of the dialog box to select the columns you want to display in Capture View. Not all columns can display on the screen without having to scroll; limiting the number of columns can make it easier to see the exact information you want. Specific display fields include Absolute Time, Delta Time, Elapsed Time, Frame Size, Status, Network Address, Cumulative Byte Count and Throughput.! @ > J$Abs Time - The absolute time of arrival for each packet taken from the system clock when the capture was performed.Delta Time - The time between each packet (interpacket gap).Elapsed Time - The time stamp of each packet measured from a relative starting point. The starting point may be either the module arm time or the arrival time of a specific packet. See below for information on setting the elapsed time starting point.Size - The frame size of the packet in bytes. @ H J VB 7 <'$Status - The Status field indicates if the frame has errors. For good frames, the Status field is blank.Display Network Address - The destination and source IP address.Cumulative Byte/Throughput - The Cumulative Byte Count is a sum of all bytes received to this point in time in a capture file. The Throughput is calculated by dividing the cumulative bytes by the elapsed time. The elapsed time is the difference is always measured between the module arm time and the time stamp of the current packet in the capture file.V @ E D V$Use the middle portion of the dialog box to set up the display of the Summary column. The Summary column will always display. However, this field can just give a very limited synopsis of protocol activity or provide complete details about the protocols used in the packet. Check the Display Detail Protocol Summary box to view detail about all the protocols used in the packet. Leaving the Display Detail Protocol Summary box unselected gives a synopsis of all protocols in the packet. If you want to display protocol summary details, set the protocols you want to display from the pull-down menu. For example, if you want to display only the Transport layer and below, select Transport Layer. If you are not displaying protocol summary details, the protocol layer you select in the pull-down menu will not affect the display of the Summary.PVB I W |$Select the Display Expert Symptoms check box if you wish to include expert symptom information in the Summary field. Packets that trigger an expert symptom and have expert symptom information will display in reverse video in Capture View.Use the bottom portion of the dialog box to set the point from which Surveyor will measure time when calculating and displaying the elapsed time stamp of each packet. Set time-zero for capture in the Elapsed Time Set Mark Option portion of the Display Options dialog box. The default option is Module Arm Time, which starts time zero at the time the module is started. Select Frame ID nnns Arrival Time and set the frame ID number in the box to start time zero when a particular frame arrives. Setting this field only effects the display of the Elapsed Time field in the protocol decode.(E I % $2 I I ' SEE ALSO[+I LJ 0 0V$WǀSetting Capture View Display Options *I vJ ' $+LJ J ( &@vJ J 1VJ K N About Resources9J K ' $About ResourcespGJ M ) Surveyor can gather statistical information and view network data from a variety of hardware sources. The information you receive from a resource depends on the hardware.Surveyor provides a single window, called the resource browser, through which you can access all local and remote resources. The resource browser works much the same as Microsoft Windows explorer, allowing you to see hosts and their associated resources in a hierarchical relationship. "Branches" can be expanded or collapsed via point and click, so you can quickly customize your view of available resources..K N ) Surveyor automatically scans the network for available resources, or you can enter the IP address of any host you can reach through a TCP/IP connection. Surveyor remembers the name of the most recent connection made so you can quickly reconnect to the host.AM N 1qN 7O ۄ Resource Browser>N 7O * $( Resource BrowserN A ) The resource browser is a single window through which you can access all local and remote resources available in the network. The resource browser works much t7O A N he same as Microsoft Windows Explorer, allowing you to see hosts and their associated resources in a hierarchical relationship. Remote systems containing resources are listed by IP address unless there is a Surveyor name table on the system. If an entry exists in the name table for the IP address of the resource, the symbolic name in the name table is used to represent the resource. Resources within remote systems are listed by module type and module number. The module number is assigned by the software from the base address of the module, which is set by jumpers during hardware installation. For NDIS modules, the modules are numbered by the order in which they are discovered within the local or remote host. It is possible to have two different modules with the same name if they are within different hosts. q7O ۄ ) The resource browser opens as a docking window when Surveyor is started and can be moved to its own window.Double-click on a resource to display a default view of the resource in Summary View. If a remote resource is protected, you are asked for a user name and password. Drag and drop resources onto alarms in the Alarm Browser to activate an alarm for a resource.KA & 1lVJ& n Remote vs. Local ResourcesHۄ n * $< Remote vs. Local Resources& ( Local resources are those within the local PC running Surveyor. Remote resources are all other resources that can be reached through a TCP/IP connection. When running Surveyor from the PC, you have complete access and privileges to any resource in the PC. You can access remote resources and establish accounts for your local resources if you have the Remote plug-in software available from Shomiti. Both the local and the remote resource must have the plug-in for remote access to function.n u ) Access to remote resources are controlled from the PC which contains the resource. For example, if your PC contains two CMM2 cards, accounts, privileges, and passwords for the CMM2 cards are established at your PC. Remote users must have access to a valid account to use the CMM2 in your PC.The remote resource can be located in any host which can be accessed via a TCP/IP connection. You'll need to know the IP address of the remote host to log in to the remote resource. If the remote resource can be auto-discovered by Surveyor, the IP address or the name associated with the IP address of the host will display in the resource browser. Typically, resources on the same LAN segment can be auto-discovered.4 0 0 ">Du 1"q . J Resource ProtectionA . * $. Resource Protectiona2 / ,eYou are in control of local resources within a PC. Use the functions on the Host menu to add and delete users for a resource, change passwords and protections, or view the users currently logged in. There is a guest account for users with no account. The guest user can be given all privileges to effectively disable resource protection.Note that there is no password protection for starting Surveyor on the local system. If you can start Surveyor from a system, you automatically have complete access to all local resources (called super-user privileges).. v ) }To access a remote resource, you must have an account and password set up on the remote system containing the resource or use the guest account.Privileges for remote users can be set to:T J bVE~EMonitor Only Allows a remote user to use the local device to monitor network activity only.Capture/Monitor Allows a remote user to use the local device to monitor activity or capture network data.Full Allows a remote user to use the local device to monitor activity, capture network data, or transmit network v data.Super User Allows a remote user the ability to transmit, capture, or monitor, plus set up, delete, and change accounts for the local PC. Be careful when granting super-user privileges to remote users. This gives remote users complete control of your local resource.*v J ' P 1C:q  Surveyor Implementation ProfileI"J ' DSurveyor Implementation Profile@  # 5 8Two types of buffers are essential to the execution of Surveyor's features:Real-Time Buffer - A real-time buffer provides the transient data storage area for on-the-fly frame analysis which, in conjunction with MAC statistics and error counters, produces real-time LAN analysis and monitoring information. Data captured from the network is copied to this area after filtering. The data is immediately available for evaluation, and optionally for streaming copy to disk, after which it is discarded from the buffer.t5 ? Lm"?Capture/Transmit Buffer - A separate capture buffer provides a durable data store of LAN traffic filtered and captured in real-time, which is kept for later analysis or to be saved to disk. The same buffer is used as storage for packets to be transmitted when performing LAN component testing.Surveyor supports GAM, CMM2, and NDIS (10/100 Ethernet or Token Ring) LAN interfaces. Buffering is implemented with these interfaces as follows. Cumulative system resource demands can limit performance of any features which require system resources, as noted._# ' 1 0VO!NDIS Both buffers are implemented in software, thus requiring system resources. To the extent that a system can keep up with traffic captured by an NDIS card, all LAN traffic will be copied to Surveyor and filtered, sliced if necessary, then routed to the capture buffer, real-time buffer, or both if desired. System resource demands increase with the complexity of analysis and monitoring configured, and very much by the number of NDIS interfaces Surveyor is controlling. All Surveyor real-time functions will be available, excluding any MAC error counters which are not implemented on the card. I p 7 <%VO!!GAMThis is a high speed network analyzer card with on-board capture/ transmit buffer and filtering for fiber-optic networks. This, along with other hardware features, guarantees full line-speed capture and transmit for Gigabit Ethernets. Due to this on-board implementation, there is no demand for system resources, regardless of the number of cards being controlled. However, because GAM does not include a real-time buffer, the real-time functionality it provides is limited to network statistics and MAC error counters. q@' 1 0VO!CMM2Version 2 of Century Media Module adds an on-board real-time buffer and data slicing to provide full real-time functionality. Simultaneous data copies to the capture and real-time buffers are an option. Real-time functions introduce some system resource dependency: the need to copy periodic real-time monitor, analysis, and/or protocol decode updates to Surveyor, and optionally to copy the real-time buffer to disk. Using real-time functions on multiple cards will increase resource demands, but much less than NDIS. All Surveyor features are supported on CMM2.p 1 0VO!Voyager Voyager is a multi-port RMON probe that gathers statistics. Data for all probe ports in the Voyager (version 1.1 and higher) device can be seen from Surveyor. Voyager can gather monitoring statistics at line rate and stores them in its local hardware. For Voyager, Surveyor merely looks at the statistics passed from the probe; there is no use of a real-time or a capture buffer. Only those Surveyor real-time functions that can make use of the RMON statistics are available. J / ; , (VO4 o 0 0 "@2 ; ' SEE ALSOd'o  = JNN-WModes Hardware Dependencies F K 1K  M Hardware Dependencies?  ' 0Hardware Dependencies]K  ' The following table lists functions supported by Surveyor that have hardware dependencies:(  #ҀP  l. l: lF lReal-Time FunctionsNDISCMM2GAM* t #T  ll2l4 l> lJ lReal-Time Buffer Size64K512KN/A\ e #  lll  lf l lPerformance10Mbps: 1-3Mbps 100Mbps: 1-5Mbps10Mbps: 5-10Mbps100Mbps: 5-20MbpsN/A`t X #  ll,l. lV l` lNetwork StatisticsAll but error rateAllUtilization, error/sec, bytes/sec, packets/sec)e  #R  ll2l4 l> lH lPacket Decode SummaryYesYesN/A}X $ #  ll(l* lv l lAlarm ThresholdsAll except errors not passed by NDISAllUtilization, errors, packets, bytes, and MAC error counters*  #T  ll6l8 l@ lJ lSync View, Full-DuplexNoYesYes"$  #D  ll$l& l0 l: lPacket SlicingYesYesN/A C #4  lll l  l* lFilterYesYesN/A& #րL  l l* l6 lB lCapture FunctionsNDISCMM2GAM7C #n  ll.l0 lD l` lCapture Buffer Size64K-16M*16MB or 32MB128MBHu #v  lll  lh lj l l l lԀ lPerformance10Mbps: 5-10Mbps 100Mbps: 5-15MbpsFull Line Rate at10 /100 MbpsFull Line Rate at1000 Mbps" #D  ll$l& l0 l: l7-Layer DecodeYesYesYes) o #R  ll4l6 l> lH lSync View, Full-DuplexNoYesYes  #4  lll l  l* lFilterYesYesYes&o  #L  ll.l0 l8 lB lError Frame CaptureNoYesYes&  #L  ll,l. l8 lB lPost Capture ViewsYesYesYes6 c@ #l  ll.l0 l c@  X lb lFrame Error Counterdepends on adapterYesYes" A #D  ll$l& l0 l: lPacket SlicingYesYesYes'c@ A #րN  l l, l8 lD lTransmit FunctionsNDISCMM2GAM1A B #b  ll&l( l< lT lTransmit Buffer64K-16M*16MB, 32MB128MBErA C #v  lll  lh lj l l l l΀ lPerformance10Mbps: 5-10Mbps 100Mbps: 5-15MbpsFull Line Rate10 and 100 MbpsFull Line Rate1000 Mbps*B D #T  ll4l6 l@ lJ lIntelligent Frame EditYesYesYesXC tE #  ll.l0 lf l lTransmit Frame Size64-1518,valid sizes only8 - 15,000 Bytes16 - 15,000 BytesCD JF #  llflh lr l| lTransmit Captured Files & User-Generated FramesYesYesYes(tE G #P  ll2l4 l< lF lTransmit Error FramesNoYesYes4JF G #h  llJlL lT l^ lSimultaneous Transmit and ReceiveNoYesYes G _H s#@  l l* l6 lConnectivityNDISCMM2GAM%G I #J  ll2l4 l: lB lMax Interfaces/System41515_H 5J #   lll l@ l lMedia10/100 Enet, 4/16 TR10/100 EthernetRJ45 or MII for FiberGigabit EthernetSwappable G-BIC, Multi-mode or Single mode+I K #V  ll2l4lBlD lL lOn-Board Transceivers NoNoYes<5J K #x  lll  l0 lT lPortabilityLaptopShomiti ExplorerShomiti Explorer%K L #J  ll*l, l6 l@ lRemote ManagementYesYesYeswNK M ) "* Limited by available PC system memory. Smaller when running Windows NT.2 L 4M ' SEE ALSO< M pM 0 0Modes V&4M M 0 0LԌSurveyor Implementation Profile *pM M ' 6M &N 1^J:&N UN Modes/M UN ' Modes&N O (  Modes are applied to resources. Each resource can be in a different mode. There are four modes available with Surveyor, as follows:_ UN n R rVi~iMonitor Provides real-time views and decodes of packets received by a device.Capture Allows packets received by a device to be stored in a buffer for analysis.CapO n M ture + Monitor Provides both real-time monitoring views and the ability to store packets for later analysis.TransmitAllows the transmission of packets from a device. You must have the Packet Blaster plug-in from Shomiti to use Transmit mode.Capture + Transmit Allows simultaneous capture and transmit from the same module (CMM2 modules only).O r ) Both the monitor and capture functions look at the same bit stream being received by a device. The difference between these modes is how the bit stream is stored and viewed. Because each class of device has different capabilities for storing and viewing the bit stream, you must understand the capabilities of the device you are using to completely understand what is possible in each mode. If you have the Packet Blaster plug-in, you can use any device in transmit mode.n S : BOV!~!CMM2 The current version of the Century Media Module fully supports all modes and all counters in Surveyor and supports the all monitor and capture functions at full line rate. The default mode for CMM2 is Capture + Monitor. In Capture + Transmit mode the buffer is split in two, half used for capture and half used for transmit.GAM GAMs support MAC counters in Surveyor and supports all capture functions at full line rate. Special views are supported for viewing the capture buffer when the device is stopped. The default mode for GAMs is Capture + Monitor. In Capture + Transmit mode the buffer is split in two, half is used for capture and half is used for transmit.dr 2 2V!~!NDIS NDIS adapters can be used to capture, transmit, or monitor, but have severe performance constraints. The effective rates at which an NDIS module can capture and monitor is limited because these functions are performed in software rather than hardware. An NDIS adapter is often used in Monitor only mode to improve performance, since NDIS adapters cannot capture at full line rate. When using an NDIS adapter, check the Information tab to see information about what counters are supported. Each manufacturer supports a different set of counters. The default mode for NDIS adapters is Capture + Monitor. a/S J 2 2_V!~!Explorer 10/100The Explorer 10/100 is a protocol analysis tool that contains its own processor and two CMM2 modules. The Explorer 10/100 fully supports all modes and all counters in Surveyor. The CMM2 modules are synchronized so you can analyze a full-duplex network segment from a single view. When viewing an Explorer resource in the Resource Browser, you will see three "devices": one for the first CMM2 card, one for the second CMM2 card, and one for the two cards synchronized as a set. The default mode for modules in Explorer is Capture + Monitor.a/ 2 2_V!~!Explorer Gigabit The Explorer Gigabit is a protocol analysis tool that contains its own processor and two GAM modules. The Explorer Gigabit fully supports all modes and all counters in Surveyor. The GAM modules are synchronized so you can analyze a full-duplex network segment from a single view. When viewing an Explorer resource in the Resource Browser, you will see three "devices": one for the first GAM card, one for the second GAM card, and one for the two cards synchronized as a set. The default mode for modules in Explorer is Capture + Monitor.KJ  4 6/V!~!Voyager The Voyager is a multi-port RMON/RMON2 probe. Surveyor can display the RMON statistics collected by Voyager (version 1.1 and higher). Icons appear under the Voyager resource in the Resource Browser to select the port or port-pair to monitor. Monitor port-pairs when connected to full-duplex links. Monitor statistics display as for any other resource. The only mode for Voyager is Monitor.Note: Voyager can mirror data from its probe ports to Explorer. You can control the Voyager ports that are mirrored from Surveyor through the E  M xplorer device. A special Multi Port Tap icon appears under the Explorer resource in the Resource Browser to control which ports of Voyager are mirrored to Explorer. See the chapter "Customizing Surveyor" for more information on port selection.3 5 2 2V!~!12-Tap Taps are fault-tolerant wiring devices that provide connections for Explorers or Century Media Modules . The tap shows as a "resource" to the Surveyor software, but is only used to select a LAN segment for monitoring and LAN analysis functions. * _ ' 2 5 ' SEE ALSOL_ 0 08N-WHardware Dependencies V& 3 0 0LԌSurveyor Implementation Profile M 0 0:TSynchronized Resources *3 ' G 1 5 Synchronized ResourcesD 5 * $4 Synchronized Resourcesc, 7 <["ASynchronized resources are multiple hardware devices that have been connected so that they use the same clock timer. Synchronized devices display in the resource browser as a unique resource. For example, the two CMM2 or two GAM boards in a full-duplex Explorer are synchronized. The resource browser shows three resources available within the Explorer; the first module, the second module, and the synchronized configuration of both modules together. Synchronized resources are recognized by the synchronized resource icon in the resource browser. 5 I ) Synchronizing resources allows single actions to start a resource pair. All statistics and all data about stations and conversations will appear as one resource to Surveyor, so you can perform all capture, transmit, and monitoring functions on a full-duplex network segment. Synchronized resources can also monitor two half-duplex segments. You cannot transmit from synchronized resources.Two CMM2 or GAM cards within the same PC can be synchronized. This requires a special cable between the two cards to synchronize their clocks. Call customer support for information on how to synchronize and use two CMM2 cards or two GAM cards within a PC.k ( Synchronized CMM2 modules within an Explorer are must be used with a Century Tap or a Century 12-Tap to provide a connection to full-duplex network segment(s). The 12-Tap provides a convenient, software-controlled means to switch between segments. Contact customer support for more information on Explorer, Century Tap, Fiber Tap, and Century 12-Tap products.AI  1q" W " Default Accounts: W ' &Default Accounts; ( 'Surveyor provides two default accounts with passwords for accessing remote resources. The account names and passwords are case sensitive. You can use the default accounts to access any remote resource until the accounts and passwords are changed. The default accounts are:QW " ? N!Account NamePasswordPrivilegesguestpublicfullsumanagersuper-userM o 1L o Hints and Tips for ResourcesO"" - *D"Hints and Tips for Resources lo c 9 BV:H To connect to a remote host, choose Connect... from the Remote menu and enter the host IP address.W 9 BV:H To set up or change accounts, choose Access Privileges... from the Host menu.lc 9 BV:H To see remote users logged on to your local resources, choose Current Users... from the Host menu.\ -- *V:H When using CMM2s, be sure you set the module port and s -" peed before using the resource. ?4 6V:H Use the Refresh button in dialog boxes to update the list of user accounts currently established. Remote users with super-user privileges may have created a new account since the dialog box was initially displayed.W-9 BV:H To prevent others from using a local resource, use Lock from the Module menu.?. *aV:H Setting the mode to transmit disables monitor and capture unless your are using an CMM2 in full-duplex mode. Setting the mode to monitor and/or capture disables transmit.4 6yV:H Monitor mode can be set in addition to capture if the resource supports monitoring functions. If the resource does not support monitoring functions, the Monitor button is disabled.j=- *zV:H Use CMM2s or GAMs for full-duplex capture and transmit. : BV:H For options to be displayed under the Host menu, you must select the local host name in the Resource Browser. Selecting a resource within the local host makes the options in the Host menu unavailable.9L: BV:H Use the Description option from the Host menu to find out information about the host. Information includes host type, IP address, and the Surveyor software version. The host name must be highlighted in the Resource Browser to get a description.Y4 6V:H If you suspect that a remote resource is not responding, go to Summary View and look at the Resource Browser. If the host for the remote resource is not there, the connection has been lost with the remote host and the resource is not available. Red Xs appearing over a host in the Resource Browser indicate that the host is disconnected.L: BKV:H To see which capture filter or transmit specification is associated with a particular resource, choose Active TSP and Capture Filter from the Module menu. -* $V:H[*@ 1@  ' Create User Name, Password, and PrivilegesT- ' ZCreate User Name, Password, and Privileges@ ^ ( ESet up accounts that control access to the resources in your local PC. Accounts can also be set up for any remote host to which you have super-user privileges.z ' O lV:H1.Select the local or remote host by clicking on the host name in the resource browser.2.From the Host menu, choose Access Privileges. 3.From the Access Privileges dialog box, click the New User button.4.Enter the new user name and new user password twice in the fields provided.5.Click the radio button for the new user privileges.6.Click the OK button.B^ i 1Z i  Delete an Account;'  ' (Delete an Accounti c ( /Deletes accounts previously established for your local PC. Accounts can also be deleted for any remote host to which you have super-user privileges.@ J bV:H1.Select the local or remote host by clicking on the host name in the resource browser.2.From the Host menu, choose Access Privileges. 3.From the Access Privileges dialog box, click the Delete user button.4.Click the OK button.*c ' I1X BChange Access PrivilegesBX' 6Change Access Privileges,@( AChange the user privileges to an established account in your local PC. Privileges can be changed for any remote host to which yX,@ou have super-user privileges.X BO lV:H1.Select the local or remote host by clicking on the host name in the resource browser.2.From the Host menu, choose Access Privileges. 3.From the Access Privileges dialog box, click on the user name whose privileges you want to change.4.Click the Modify user button.5.From the Modify User dialog box, click the radio button for the new user privileges.6.Click the OK button.V%,@_B1^ _BBCShow Host Users and Access PrivilegesO( BB' PShow Host Users and Access Privileges`9_BC' rDisplays all remote users logged in to your local PC. BC: B'V:H1.Select the local host by clicking on the host name or IP address in the resource browser. 2.From the Host menu, choose Current Users. @CD1~DTDFChange Password9CTD' $Change PasswordDE( =Change the user password for an established account. You can also change passwords for any account on a remote host to which you have super-user privilegesITDFF ZV:H1.Select the local or remote host by clicking on the host name in the resource browser. If selecting a remote host, you must be logged in.2.From the Host menu, choose Access Privileges. 3.From the Access Privileges dialog box, enter the new password.4.Enter the password again to confirm.5.Click the OK button.*EF' > FG1#GHG:ILock a Module7FHG'  Lock a ModuleGG(  Prevents remote users from accessing a module. You can also lock a module on a remote host to which you have super-user privilegesHGH: BV:H1.Select the local or remote resource by clicking on the resource name in the resource browser.2.From the Module menu, choose Lock. |UG:I' If you lock a remote resource, the lock is lost if the network connection is lost.@HzI1i~zIIKUnlock a Module9:II' $Unlock a ModuleDzIJ( 9Allows access to a previously locked local resource so it can be used again by remote users. You can also unlock a module on a remote host to which you have super-user privileges. Remote users must still have an account and proper privileges to access a module once it is unlocked.IK: B!V:H1.Select the local or remote resource by clicking on the resource name in the resource browser.2.From the Module menu, choose Unlock. *JK' MK8L18LzL8Connect to a Remote ResourceBKzL' 6Connect to a Remote Hoste8LM' Makes a connection to a remote host for the purpose of accessing remote resources within the host.zLON jV:H1.From the Remote menu, choose Connect. Or, choose Reconnect if you are reconnecting with the last host you connected to.2.From the Connect New Host dialog box, enter the host IP address. Use the Name Table... button to look up the host name. If you are reconnecting, the host IP address will already be entered in the Host: field.3.From the Connect New Host dialog box, enter your account name and your password on the remote host.MMeO1 28V:H4.Click the OK button.-OO'  TIPZeO8@ NSurveyor "remembers" hosts that you have connO8Kected to from the Connect option of the Remote menu. If you log in to a host and quit Surveyor, you'll automatically get the Connect New Host dialog box when you restart the program. Click OK to log in to the last host you connected to, or press Cancel to abort the auto-discovery process.NO1́PDisconnect from a Remote HostG 8́' @Disconnect from a Remote Host^R' Disconnects from a remote host. All remote resources in the host are no longer accessible. ́$: B1V:H1.Select the remote host by clicking on the remote host name or IP address in the resource browser.2.From the Remote menu, choose Disconnect. ,RP( ?$1ǃzStart a Module8Pǃ' "Start a Module( oStarting a module begins the process of capturing, monitoring, or transmitting data. If using a Capture Filter or a Transmit Specification, load them prior to starting the module.;ǃ' (FROM SUMMARY VIEW}Іr V:H""B"'"1.Select a module. Click on a resource in the resource browser or select the window for resource in Summary View.2.Set the mode. From the Module toolbar, use the mode buttons (capture) (monitor) (transmit); or, from the Module menu, choose Mode and select Capture and/or Monitor, or Transmit.3.From the Module toolbar, click the button; or, press Ctrl + T.: ' &FROM DETAIL VIEW{ Іp V:H""B"'"1.Set the mode. From Detail View toolbar, use the mode buttons (capture) (monitor) (transmit); or, from the Module menu, choose Mode and select Capture and/or Monitor, or Transmit.2.From the Module toolbar, click the button; or, press Ctrl + T.. ' TIPSY0 ) aSetting the mode to transmit disables monitor and capture. Setting the mode to monitor and/or capture disables transmit.Monitor mode can be set in addition to capture if the resource supports monitoring functions. If the resource does not support monitoring functions, the monitor button is disabled.2 >' SEE ALSO< z0 0Modes > >1nDStop a Module7z'  Stop a ModulekDZ' Stopping a module stops the transmit or monitor/receive process. ;' (FROM SUMMARY VIEWZ7 <V:H" 1.Select a module. Double-click on a resource in the resource browser or select the window for resource in Summary View.2.From the Module toolbar, click the button; or, press Ctrl + P.:ƌ' &FROM DETAIL VIEW~JD4 8V:H" 1.From Detail View toolbar, click the button; or, press Atl + M + P.= ƌ1O%9Set the Mode6D' Set the Mode@( 1There are four modes for using a device, capture, monitor, capture/monitor, and transmit. Only the modes allowed for the device you have selected will be available from the toolbars or menus. If you are in Detail View, you can only toggle the mode between capture and transmit.;2' (FROM SUMMARY VIEW?g V:H""B"'1.Select a resource. Double-click on a resource in the resource browser or select the window for the 2Dresource in Summary View.2.From the Module toolbar, use the mode buttons (capture) (monitor) (transmit); or, from the Module menu, choose Mode and select either Capture and/or Monitor, or Transmit.:2' &FROM DETAIL VIEW&De V:H""B"'1.From Detail View toolbar, use the mode buttons (capture) (monitor) (transmit); or, from the Module menu, choose Mode and select either Capture and/or Monitor, or Transmit..r' TIPSY0D) aSetting the mode to transmit disables monitor and capture. Setting the mode to monitor and/or capture disables transmit.Monitor mode can be set in addition to capture if the resource supports monitoring functions. If the resource does not support monitoring functions, the monitor button is disabled.2 r' SEE ALSO< 90 0Modes I19nSet the Module InterfaceB9' 6Set the Module Interfacet( There are two ports for a CMM2, RJ45 and MII. Both RJ45 and MII ports can be used at 10 or 100 Mbps and the transceiver is built in. d(< FQV:H1.The interface can be set from Summary View or Detail View. In Summary View make sure the resource you want is the currently selected resource by clicking the resource name in Resource Browser. 2.From the Module menu, choose Interface.3.Set the module interface to one of two values:btk1 2V~HRJ45Set the module interface to the RJ45 port. MIISet the module interface to the MII port. a9( rSetting the interface does not apply to NDIS modules.= k 1g% E{Set MII Mode<E' *Set Interface Mode) n( There are two speeds for using a Century Media Module, 10 Mbps and 100Mbps. For synchronized CMM2 modules, there is also the ability to set the Interface mode to full-duplex. Only synchronized CMM2 modules can be auto-selected or forced to full duplex.m1E< FcV:H1.The Interface mode can be set from Summary View or Detail View. In Summary View make sure the resource you want is the currently selected resource by clicking the resource name in Resource Browser. 2.From the Module menu, choose Interface Mode.3.Set the Interface mode to one of five values:n8 >7VS~HAuto NegotiateSet the Interface mode from the network. The module will auto-select the speed and half or full duplex from the network. 10Mbps Half DuplexSet the Interface mode to 10 Mbps, half duplex.100Mbps Half DuplexSet the Interface mode to 100 Mbps, half duplex.10Mbps Full DuplexSet the Interface mode to 10 Mbps, full duplex.100Mbps Full DuplexSet the Interface mode to 100 Mbps, full duplex.{0 .;Setting the Interface mode does not apply to NDIS modules. Full duplex options do not apply to GAM cards, or CMM2 cards that are not synchronized.11U${" @1 I}Alarms Overview9I' $Alarms Overviewp; DSurveyors alarms facility enables you to create alarms to automatically monitor network resources. Access to Surveyors alarms facility is through the Alarm Browser docking window located in Surveyors main window. The Alarm Browser window features a hierarchical directory comprising folder, file and application icons that can be manipulated using point-and-click mouse Ipcommands. Alarms are created using an Alarms Editor. The Alarms Editor window contains an alarms table. Each alarm within the alarms table contains default threshold values, notification settings, a sampling interval value, and an Enable/Disable click box. After editing and enabling a desired set of alarms, you assign a unique name to the alarm group.Iu5 8Alarm groups are applied to network resources by dragging the resources icon from the Resource Browser window to the alarm group. The network resource icon appears in the Alarm Browser directory under the alarm group upon which it was dropped. Starting the resource will automatically activate the use of the alarm group for that resource. You must have Monitor mode set for a resource to have alarms trigger and have alarm actions occur.Multiple resources can be dragged and dropped onto a single alarm group. Resources can be applied to multiple MAC Layer and Network Layer alarm groups. To stop an alarm group from monitoring a network resource, use the mouse to select the resource and press the Delete key.pS( mActions resulting from alarms are varied and extremely flexible because they are assigned to each individual alarm. When an alarm threshold is exceeded, an audible beep sounds on the host, and an alarm message appears in the Message window. Individual alarms can also be configured to log alarms to a log file, contact individuals by e-mail, dial pager numbers, restart the resource, auto save data, or stop the resource and save data.*u}'  > S1  zAlarm Browser7}'  Alarm BrowserX#J 5 8GThe Alarm Browser enables you to create/modify and use alarm groups to monitor local and remote network resources. The Alarm Browser window, through which you access and use all of the alarm browser components, appears in the Surveyor startup window. Surveyors alarm browser appears and operates much like the graphical user interface used by Microsoft Windows 95 Explorer. Alarm browsers hierarchical directory structure features folder, file, and application icons that you manipulate using point-and-click mouse commands. Additionally, the alarm browser interface provides convenient check boxes that enable you to quickly expand or collapse portions of the Alarm Browser directory. This is useful if you create numerous alarm groups or if you assign alarm groups to many network resources. / ,/The Alarm Browser contains five folders, Expert Alarms, Application Response Time Alarms, Ethernet MAC Layer Alarms, Token Ring Alarms , and Network Layer Alarms. Expert Alarms and Application Response Time Alarms are only available if you have the Expert plug-in. Each folder contains an alarms editor. These editors are used to select, modify, and create alarm groups.Multiple resources can be dragged and dropped onto a single alarm group. When an alarm is triggered for a resource, the resource flashes in the Alarm Browser window. To stop an alarm group from monitoring a network resource, use the mouse to select the resource and press the Delete key.8J H 0 0v рt#$Note - (6#The Ethernet MAC Layer alarms are the only alarms supported for GAM resources. You can only drag and drop GAM resources to MAC Layer Alarms.2 H 6' SEE ALSODz0 0(oAAlarm Example > 61KAlarm Editors7z'  Alarm Editors( -There are five Alarm Editors. The Expert Alarm Editor and Application Response Time Alarm Editor are only available if you have the Expert plug-in.,A8 >VA}AExpert Alarm EditorAllowAzs you to modify and enable any of the 35 alarm types contained in Surveyors Expert alarm table. Alarms test for discrete conditions at different protocol layers, such as NFS retransmissions at the application layer, overload utilization percentages at the MAC layer, or TCP/IP SYN packets at the transport layer. The help system contains a description of each expert symptom, which corresponds to the types of conditions you can test for using the expert alarm editor.U:DF ZVA}AApplication Response Time EditorAllows you to modify and enable any of 8 alarm types contained in Surveyors Application Response Time alarm table. Alarms test for application response times related to application protocols such as SMTP, HTTP, or NFS.Ethernet MAC Layer Alarm Editor Allows you to modify and enable any of 21 alarm types contained in Surveyors Ethernet MAC Layer alarm table. Alarms test for conditions related to Ethernet conditions such as utilization rate, packet size, errors, and frame types.=AwFF ZVA}AToken Ring Alarm Editor Allows you to modify and enable any of 29 alarm types contained in Surveyors Token Ring alarm table. Alarms test for conditions related to Token Ring conditions such as utilization rate, packet size, errors, and frame types.Network Layer Alarm Editor Allows you to modify and enable any of the 65 alarm types contained in Surveyors Network Layer alarm table. Alarms test for conditions related to Network Layer conditions such as IP/IPX/ARP packet or octet counts.:DG1 0"CClick on the appropriate icon to display the alarm table you want. Each alarm can be used with the default values provided by Surveyor, or you can modify them with the alarms editor to precisely meet your resource monitoring needs.7wFG'  ALARM GROUPS PGPI5 8You can create an unlimited number alarm groups. When you create an alarm group, the alarm table editor asks you to name the new alarm group. Surveyor will save the alarm group file in the appropriate folder. All the enabled rows in the table comprise an alarm group. Alarm groups are named and then associated with resources.AGI' 4ALARMS AND ALARM EVENTSPIJK/ ,The entire table of alarms you can set is shown in each alarm editor. Each line in the table is called an alarm or alarm row. You can enable as many alarms as you want in the table. If a threshold is exceeded for any enabled alarm row within an alarm table, an alarm event occurs. The event is reported according to the value configured in the Action field for the alarm row in the table.2 I|K' SEE ALSOFJKK0 0,#Expert Overview ; |KK1 nK 61o > /Alarm Actions7|'  Alarm Actions\.M. *]Each line in an alarm table has a unique set of actions associated with it that will occur if the alarm is triggered. You always get at least two actions when an alarm is triggered an audible alarm and a message in the Message window. You can have one of seven actions associated with the alarm:%2 2MV: Message records the message in the Message window in the Surveyor main window and sounds the audible alarm. No other actions occur if this setting is selected.M2 2?V: E-Mail sends the message to pre-configured e-mail addresses. Your e-mail application does not need to be running for alarms to generate e-mail messages.l;%b1 2vV: Pager sends alarms to pre-configured pager numbers. i8ˇ1 2pV: Log records alarms in a pre-configured log file. i8b41 2pV: Stop&Save stops the module when the alarm occurs.^ˇÈ1 2V: Restart resets all counters and begins capture from the point where the alarm occurred.Q4E1 2V: Auto Save saves data in the capture buffer at the time the event occurred.WÈˋ/ ,When sending E-mail or making a call to a pager, multiple addresses/numbers can be configured from the Configuration menu. Setting the addresses/numbers for alarm actions is a global setting. All alarms reported by Surveyor will go to the same set of E-mail addresses/Pager numbers. For example, you cannot send some alarms to one set of e-mail addresses and some alarms to another set of e-mail addresses.When storing the alarm in a log file, only one log file can be configured. However, you can change the name of the log file at any time and future alarms will be written to the new file.E0 .If the alarm causes the resource to stop, Surveyor saves the capture buffer data to a file. The name of the file is based on the current date and time.If the alarm restarts the resource, all counters are set to zero and the resource begins capture. This allows you to collect data and count it after a particular event has occurred.Note: If the threshold is set very low and the alarm action is configured for Stop&Save, Surveyor may create capture files that are completely empty.uNˋX' Note: You must set an appropriate delay time when making a call to a pager.2 ' SEE ALSO[X/J d3`T@Set Alarm E-mail Addresses Set Alarm Log File Name Set Alarm Pager Numbers Cr1In4rAlarm List and Log</' *Alarm List and LogOr;2 2"DFrom Detail View, click on the;/ button to open a window with alarm list and log. From Summary View, click on the Alarms tab.Alarm view is a table showing all alarm groups assigned to this resource. It lists alarm groups by name and identifies the type of alarm group, Expert, Application Response Time, MAC, Token Ring, or Network.2 m' SEE ALSOf);= JRlަ;Alarms Overview Alarm Browser > m1> ЅHExpert Alarms7H'  Expert AlarmsyP) During transmit or receive, expert symptoms are logged as they occur. You can test for certain thresholds for these conditions by setting alarms using the Expert Alarms Editor. Click on the expert alarm name below for more information on the associated expert symptom.Expert Alarms are only available if you have the Expert plug-in.W-H* $ZAPPLICATION, TRANSPORT LAYERNETWORK LAYER D8 P罀!gIr(Dg$ˀr[`i0 =>\{ג:U ICMP All Errors Duplicate Network Address ICMP Destination Unreachable Unstable MSTICMP Redirect SAP Broadcasts Excessive BOOTPOSPF Broadcasts Excessive ARPRIP Broadcasts NFS Retransmissions Total Router Broadcasts TCP/IP SYN Attack ISL Illegal VLAN ID Ut S N"bѹDr<-`TCP/IP RST Packets ISL BPDU/CDP Packets TCP/IP Retransmissions IP Time to Live Expiring TCP/IP Zero Window Illegal Network Source Address b88* $pDATA LINK LAYER, ETHERNETDATA LINK LAYER, TOKEN RINGFU T`Ro`RoaacqHcqHKKJZJZإ.إ.Overload Utilization Percentage Overload Utilization PercentageOverload Frame Rate Overload Frame Rate Illegal MAC Source Address Illegal MAC Source Address Total MAC Stations Total MAC Stations Total MAC StationsNew MAC Stations New MAC Stations New MAC StationsExcessive Broadcasts Excessive Broadcasts Excessive BroadcastsdM j?j$?j$AIExcessive Multicasts Excessive Multicasts Excessive MulticastsExcessive Collisions *' J"1F 4{ "e[Hints and Tips for AlarmsCe' 8Hints and Tips for AlarmsL"8 >V:H1.Assign alarms to resources by dragging and dropping resource icons into alarm icons.2.You can drag-and-drop multiple resources onto a single alarm group. You can also drag-and-drop one resource to many alarm groups.3.Remember that alarm groups are assigned to resources, not individual alarms within an alarm group. If you only want a single alarm, create an alarm group with only one alarm enabled.4.Click, hold, and drag a column border to resize columns in the alarm table. Increasing the size of the Variable column gives you a view of the complete name of the variable.regX ~5V:H6.To set more than one alarm of the same type, click on the type you want to duplicate and press the Insert key. A new alarm row appears below the current row. Fill out the settings in the new row.7.To set one alarm that has multiple actions, click on the alarm type you want to duplicate and press the Insert key. A new alarm row appears below the current row. Change the Actions field of the new row to the additional action you want. gFor example, you could have one alarm of type Packets with the action set to E-mail and one alarm of type Packets with the alarm type set to Pager. Note that if the alarm rows are identical except for the action, you will get two messages in the message window for the alarm, since a message is always posted when any alarm is triggered.x1R rV:H8.You can copy values in one alarm row to another. Click on the Alarm Type in the alarm row you want to copy. The row highlights; press Crtl + C to copy. Click on the Alarm Type in the alarm row where you want to place the copied values and press Crtl + V.9.Create custom alarms and their associated actions by double-clicking on any Create New Alarm icon.*g[' ?11Ѕ FAlarm Examples8[' "Alarm Examplest%FO lKkǹg'oAThree examples are provided for alarms and alarm groupings. Each provides a picture of an alarm table and a description of what will occur when specific alarm rows are enabled in an alarm table.Alarm Example, Utilization Alarm Example, Packet Size Alarm Example, MAC Errors K1{  MAlarm Example, UtilizationDF' :Alarm Example, Utilizationx?M9 @"EThis simple example shows an alarm group consisting of one MAC Layer alarm for Utilization. This alarm samples network traffic at five-second intervals. When the absolute, rising value of 50 (percent utilization) is exceeded, Surveyor issues an audible alarm and displays a message in Surveyors message window.J1|  % Alarm Example, MAC ErrorsCM' 8Alarm Example, MAC Errors! E X"FThis example shows an alarm group consisting of five MAC Layer alarms: Errors, Undersize Packets, Oversize Packets, CRC/Alignment, and Fragments. Each of these alarm counters are checked at five-second intervals. When an alarm threshold for any of these five alarms is exceeded, Surveyor issues an audible alarm and displays a message in Surveyors message window. Assume that overall error rate is of particular interest in this example. The Severity setting instructs Surveyor to include a Warning! statement with all alarm messages when the error rate is greater than 250. The Actions setting instructs Surveyor to send an e-mail message whenever the rising value (threshold) for the overall error rate exceeds 250.*% ' K p 1 !p   Alarm Example, Packet SizeD%  ' :Alarm Example, Packet Sizep  9 @)"GThis example shows an alarm group consisting of three MAC Layer alarms: Oversize Packets, 512-1028 Byte Packets, and 1024-1518 Byte Packets.. Each of these alarm counters are checked at five-second intervals. When an alarm threshold for any of these three alarms is exceeded, Surveyor issues an audible alarm, displays a message in Surveyors message window, and records the alarm in a log file.M  1(t @Apply an Alarm to a ResourceF ' >Apply an Alarm to a Resource ( wTo apply an alarm to a resource, you must have already created an alarm group. The resource must display in the Resource Browser, and the alarm group must display in the Alarm Browser.. *_V:H1.Click and hold on the resource from the Resource Browser.2.Drag and drop the resource over the name of Alarm Group. The resource should appear beneath the Alarm Group.. @' TIPS @ t@( You can drag and drop many resources to one alarm group.You can drag and drop one resource to many alarm groups.@ @@1 !@"A Create an Alarm9@"A' $Create an AlarmY@B. *Each row of an alarm table sets a unique threshold that can be triggered by events and generate an alarm. This procedure describes the process of configuring one row in the alarm table. From an alarm table, choose the alarm you want. Pick the Alarm Type (protocol/counter) you want to test for and completely specify that line in the table."ADL fV:H1.Set the Sample Type to Absolute or Delta. Absolute values will only trigger once until the counters reach there maximum capacity and are reset to zero. Then the absolute value may trigger again. Delta values mean that if a difference between samples increases (rising) or decreases (falling) more than the specified threshold, an alarm event is triggered.2.Set the Rising and/or Falling values. At least one value must be specified. BE2 2/V:H3.Set the Severity to Normal, Warning, Critical, Major, or Minor. Setting the Alarm Type only effects the type of display in the Message window. V%DE1 2JV: Normal alarms appear in black.X'E/F1 2NV: Warning alarms appear in purple.V%EF1 2JV: Critical alarms appear in red.T#/FF1 2FV: Major alarms appear in blue.V%F/G1 2JV: Minor alarms appear in maroon.F#H2 2V:H4.Set the Actions to take if an alarm event occurs. You always get a message in the message window and an audible alarm. Settings other than Default cause additional actions to take place./GH2 2CV: E-mail will send the message to pre-configured e-mail addresses. Your e-mail application does not need to running for alarms to generated e-mail messages.p?#HfI1 2~V: Pager will send alarms to pre-configured pager numbers. m<HI1 2xV: Log will record alarms in a pre-configured log file. fIJ2 2SV: Stop&Save will stop the module when the alarm occurs. A dialog box appears so you can name the capture file in which to save data currently in the capture buffer.aI@K1 2V: Restart will reset all counters and begin capture from the point where the alarm occurred.JL: BV:H5.Set the Interval for set how often the counters are sampled.6.Click the Enabled box to include this alarm in the alarm group..@K1L' TIPSLM( Remember that alarm groups are assigned to resources, not individual alarms within an alarm group. If you only want a single alarm, create a table (alarm group) with only one alarm enabled.xN1LM* $V:HClick, hold, and drag a column border to resize columns in the alarm table.MOG \]To set more than one alarm of the same type, click on the type you want to duplicate and press the Insert key. A new alarm row appears below the current row. You can copy the values in one alarm row to another alarm row. Click on the Alarm Type in an alarm row you want to copy. The row highlights; press Crtl + C to copy. Click on the Alarm Type in the alarm row where you want the copied values and press Crtl + V.2 MO' SEE ALSOIO 0 02lT̀Create Alarm Group O @BOO1,t X!OInsert Alarm Rows; ' (Insert Alarm RowsOa( _You can set more than one alarm of the same type. You must insert a new row in the table and specify its settings. You must be within an Alarm Editor to use this procedure.t 8 >V:H1.Click on the type you want to duplicate by clicking on the type in the Alarm Type column. 2.Press the Insert key. 3.A new alarm row appears below the current row. The Alarm Type field will be blank. The new row is the same Alarm Type as the one above it.4.Completely specify the values for the new row. Be sure to select the Enable box to activate the alarm.2 a?' SEE ALSOF 0 0,۬Create an Alarm @?Ń1!w!Ń|Copy Alarm Rows9' $Copy Alarm Rows[4ŃY' hYou can copy values in one alarm row to another. #|J bV:H1.Click on the Alarm Type in an alarm row you want to copy. 2.The row highlights; press Crtl + C to copy. 3.Click on the Alarm Type in the alarm row where you want the copied values.4.Press Crtl + V.FY…1u X! !…ECreate an Alarm Group?|' 0Create an Alarm Groupr…' You can create an alarm group for Expert, Application Response Time, MAC, Token Ring, or Network Layer alarms. e67 <V:H"H1.Form the Alarm Browser, click on the appropriate icon to select an Alarm Editor. Five different editors are available, each within a folder identifying the alarm group type.2.From the Alarm Editor, create the alarm you want. Pick the protocol/counter/variable in the left column you want to test for and completely specify that line in the table.N5 8V:a.Set the Sample Type to Absolute or Delta.b.Set the Rising and/or Falling values. At least one value must be specified.c.Set the Alarm Type to Warning, Serious or Informational (this step is optional).d.Set the Actions to take if an alarm event occurs. You always get a message in the message window and an audible alarm. Settings other than Message cause additional actions to take place.e.Set the the Interval for how often to check for and then report an alarm event.nB6, (V:f.Click the Enabled box to include this alarm in the alarm setN< FV:H3.Repeat step 2 for all alarms you want in this alarm group.4.In the Name: field, name the new alarm group.5.Click the OK button..' TIPSc4/ ,iOnce the alarm group is created, drag and drop a resource from the Resource Browser to assign the alarm group to that resource.To set more than one alarm of the same type, click on the protocol/counter type you want to duplicate and press the Insert key. A new alarm row appears below the current row. xN* $V:HClick, hold, and drag a column border to resize columns in the alarm table.?͎@ NYou can copy values in one alarm row to another. Click on the Alarm Type in an alarm row you want to copy. The row highlights; press Crtl + C to copy. Click on the Alarm Type in the alarm row where you want the copied values and press Crtl + V.2 ' SEE ALSOF͎E0 0,۬Create an Alarm K1-w!3!ԏSet Alarm E-mail AddressesDEԏ' :Set Alarm E-mail Addresses5 8ԏESets the addresses of users that will receive an e-mail message when an alarm event occurs. An e-mail message is generated for all alarms with the Actions field set to E-mail in Surveyor. Your e-mail application does not have to be running to configure e-mail addresses or for alarms to generate e-mail messages.The alarm E-mail feature works only with Microsoft Mail Exchange.ԏ\ uV:H1.From the Configuration menu, choose Alarms. Choose E-Mail Settings from the Alarms menu.2.From the E-Mail Settings dialog box, press the Add Recipients button. 3.Pressing the Add Recipients button brings up the mail facility of Windows 95. Use the dialog box to select/specify E-mail addresses. Press the Help button for Windows 95 help for this dialog box.4.Click the OK button to exit the Windows 95 mail facility.uT1 2V:H5.Recipients display in the E-Mail Settings dialog box. Click the OK button to return to Surveyor Summary View.,( HT1 !@! Set Alarm Pager NumbersA ' 4Set Alarm Pager Numbers4 6eSets the pager number that will receive a page when an alarm event occurs. A page is generated for all alarms configured with the Actions field set to Pager in Surveyor.> {N j}V:H1.From the Configuration menu, choose Alarms. Choose Pager Settings from the Alarms menu.2.From the Pager Settings dialog box, fill out the fields in the dialog box to specify a complete pager number. You must set an appropriate delay time for the type of pager you are calling.3.Click the OK button.*' H{13!.Set Alarm Log File NameA.' 4Set Alarm Log File Nameu' Sets the log file name which store messages when alarm events occur. The alarm log is saved as an ASCII text file.(.N jV:H1.From the Configuration menu, choose Alarms. Choose Log File Settings from the Alarms menu.2.From the Log File Settings dialog box, enter the complete path name of the log file.3.Click the OK button.*' Hd1  d0Clear Alarm Log DisplayA' 4Clear Alarm Log Display|dH' You can clear the display of alarms in the Message window. Clearing the display does not delete alarms from the log file.0 .V:H1.Select (single-click) any message or alarm in the Message window.2.Click the Right Mouse Button.3.Select the Clear Alarm Log option.*H0' 6f1fbCIndex2 0' Glossaryfb2 2cDefined StreamDetail View Device Display Filter Window DRAM Drop Events Counter Duplicate Network Address EELSE StatementELSE IF StatementExpert ViewExpert Alarms Expert Diagnosis Expert Symptoms Explorer F *  U3Ad)yj6`ր"SڀG! b_1-08Fast EthernetFilter ElementFragments CounterFrameFrame Copy Counter Frame RateFrequency Counter Frozen Window GGigabit Analysis Module (GAM) GoToGood FramesHHex PaneHost IIF Action StatementInternal Error Counter #  G&b<24Z *m%o+ΑP{%y% sz|K8}Ā,^J K L MJabbers CounterLine Error CounterLink Speed Local Host Log Files Lost Frame CounterMessage Window Mode of Operation ModuleModule SpeedModule StatusModule TypeMonitorMonitor ModeMonitor and Capture Mode $& ) ʁMK`߀@1#$)Re@ Jydbh=2+pT]7Multi-QoS NName TableNDIS NetworkNetwork Adapter NIS O POversize CounterOverview Table PacketPacket Detail Pane Packets Dropped Counter Packet Editor Packet GapPacket SizePacket Summary Packet Summary Pane  B@ -%%4iVUZ*%a~⊀ʀʀ.:zP;Packet TypePause Post Trigger Buffer PositionProtocol Q RReal-Time Buffer Remote Host Resource Resource BrowserRoot StatementRemote Server Protocol (RSP) RSP S)B@0SA StreamStart Sequence NumberState >)bB }jɀ!_T葀25%J ,`))g)*?`8,TzE۰KuStop Sequence NumberSummary PaneSummary View Synchronized Resource TThroughput Token Error Counter Total Tx Collision CounterTraffic RateTrafficTransmit SpecificationTransmit ModeTx Attempt CounterTx Defer CounterTx Excessive Collision CounteruB@C 'c0ɀmV؀.%¹h+NXT}Tx Excessive Defer CounterTx Late Collision Counter U VUndersize CounterView Very Long Event CounterVoyager Voice over IP (VoIP) W X Y ZWKP Zero Window ?bBD1DD.CAP extension8CND' ".CAP extensionP)DD' RFile extension for all capture files. ?NDD1DgE.CFD extension8DE' ".CFD extensionR+DgE' VFile extension for all capture filters. ?EE1E-F.DFD extension8gEE' ".DFD extensionO(E-F' PFile extension for all view filters. ?ElF1lFF.NAM extension8-FF' ".NAM extensionM&lFF' LFile extension for all name tables.?F0G10GG.TSP extension8FhG' ".TSP extensionY20GG' dFile extension for all transmit specifications.: hGG1GHStatement1 G,H' ActionsXGH' Events that occur as the result of testing conditions within statements in a filter. A,HH11HIActivated Stream:H&I' &Activated StreamHI( A defined packet or set of packets that is included in a transmit specification. Activated streams are loaded to a module for transmission.8&IJ1JJAddress1 IEJ' Address\JJ' A character or group of characters that identifies some other data source or destination.6EJJ1JKAlarm/J-K' AlarmlJK' A message posted to Surveyor indicating a certain condition has occurred or a threshold has been reached.> -KK1KLAlarm Browser7K5L'  Alarm BrowserY2KL' dA window used to list, select, and set alarms. F5LL1ULMAlarm Generation Type?LM' 0Alarm Generation TypeLM( QIs this a rising, falling or "rising or falling" type of alarm. Used at the time of comparing the sampled value against a corresponding rising or falling threshold.HM+N1,+NOAlarm Notification Type8McN' "Alarm Severity+NO(  Type of notification to be posted to the Message window upon alarm trigger. Valid types are informational, warning, and serious.?cNNO1NO Alarm Interval8OO' "Alarm IntervallENO ' The interval, in seconds, over which data is sampled and compared.O O: OF1F߀Alarm Log3 y' Alarm Logf?F߀' ~A list of all alarms triggered by incoming data to Surveyor.Hy'1U'4Alarm Falling ThresholdA߀h' 4Alarm Falling Threshold'4( IFalling threshold value to be compared to counter data. If the counter value or its delta value over time falls below the threshold, an alarm event is triggered.Gh{1U{Alarm Rising Threshold@4' 2Alarm Rising Threshold{( MRising threshold value to be compared to counter data. . If the counter value or its delta value over time raises above the threshold, an alarm event is triggered.B˃1P˃لAlarm Sample Type;' (Alarm Sample Type˃ل( WThe type of the alarm, Delta or Absolute. Delta alarm types measure increases or decreases over time; absolute alarm types measure only the absolute value of a counter.> 1مAlarm Setting8لO' " Alarm Settingcم' A set of conditions that when satisfied will cause Surveyor to record an entry in the alarm log.< O1Alarm Value5مJ' Alarm Value_8' pThe Alarm variable value from the last sample period.PJ1pCRC and Alignment Error CounterI"B' DCRC and Alignment Error Counter.p(  A counter that shows the total number of packets received that had a length between 64 and 1518 octets, inclusive, but had either a bad FCS with an integral number of octets (FCS/CRC Error) or a bad FCS with a non-integral number of octets (Alignment Error).= B1kBase Address6p' Base Addressak' The address of the Century Media Module or other resource within the PC system's low memory.61UBurst/kЉ' Burst^U' For transmission from Surveyor, a flood of frames sent at the maximum speed of the network.: Љ18burst gap3 UŠ' Burst Gap( GFor transmission from Surveyor, a pause between a set of packets sent at the maximum network speed and another set of packets sent at the maximum network speed.8Šŋ1ŋCapture1 ' Capturegŋ' The processing of receiving frames from the network and storing them in the Surveyor capture buffer.?Ì1jÌCapture Buffer8' "Capture BufferÌ( The DRAM memory in Century Media Module (or in an NDIS host) that stores packets captured from the network. The CMM2 buffer size can be 32Mb or 64Mb depending on the Century Media Module model in use.@.1.Captured Frames9g' $Captured FramesY2.' dFrames stored within Surveyor's capture buffer.= g1kCapture File63' Capture File,k(  File used to store frames captured from the network. A capture file must be given a name with an extension of .CAP. Captured frames are not automatically stored in3k a file - the contents of the capture buffer must be saved using the Save or Save As options.?31Capture Filter8k' "Capture Filter( A set of conditions that determine the frames to be captured and how the captured frames are counted. The capture filter consists of programming-like statements that set variables and specify conditions and actions for the capture of frames.= ;1;Capture View6q' Capture View^;' A window for viewing and decoding network packets saved to a file or in the capture buffer.= q313Capture Mode7j'   Capture ModeY3' The mode in which Surveyor receives network data and stores it in the Capture Buffer. Nj81:8$Gigabit Analysis Module (GAM)G ' @Gigabit Analysis Module (GAM)}8$( The Gigabit Analysis Module (GAM) is a hardware analyzer card that installs in a PC or in an Explorer hardware device. GAM provides data capture and transmit for fiber optic networks at one gigabit per second. The GAM card is for use with 1000BASE-SX or 1000BASE-LX networks only. The network interface for GAM is a removable single mode or multi-mode G-BIC interface connector.Nr1OrsCentury Media Module 2 (CMM2)G $' @Century Media Module 2 (CMM2)rs( %A hardware device available from Shomiti that allows the capture of network data at full line rate and supports real time monitoring functions.?1Century 12-Tap8s' "Century 12-Tap2 ( A fault-tolerant wiring device, available from Shomiti, that can be inserted into twelve, full-duplex or half-duplex, 10 or 100 Mbps Ethernet links. Century 12-Tap provides the ability to view up to twelve full-duplex segments from a single Surveyor installation.3O1ODA,{'  DArKO' Destination address. MAC level station address of where a frame is sent.C{01K08Deactivated Stream<l' *Deactivated Stream08( IA defined packet or set of packets defined in a transmit specification but not currently active. Deactivated streams are NOT loaded to a module for transmission.?lw1*wbDefined Stream88' "Defined Streamwb( In transmission mode, a sequence of bytes you specify for transmission on the network. Multiple streams can be defined for transmission.< 1wDetail View5b' Detail View}w' The primary monitoring view for a single network resource. Multiple views of each resource can display in the Detail View.71@Device0 w' Deviceb;@' vA single hardware device that provides data to Surveyor.F1Display Filter Window?@' 0Display Filter WindowP)' RA window for defining display filters.5J1JDRAM.x' DRAMG J' @Direct Random Access Memory. ?x 1N ELSE statement 8D' "ELSE Statement ( _The last statement for a level in a capture filter. If no combination of conditions in other statements for this level are met, the actions in the ELSE statement are taken.BD]1_]zELSE IF statement;' (ELSE IF Statement]z( uStatement in a capture or display filter. Always comes between an IF statement and an ELSE statement. Provides for the specification of additional conditions and actions for a state. > 1Expert Alarms7z'  Expert Alarms( Messages posted to Surveyor indicating a certain condition has occurred or a threshold has been reached. Expert alarms are based on a set of counters related to Expert Symptoms or to other conditions that can signal a network problem.AE1EExpert Diagnosis:' &Expert DiagnosisaE' Discussion of probable causes and possible solutions for Expert Symptoms detected by Surveyor.?F1CFJExpert Symptom8~' "Expert SymptomFJ. *=&A network condition that may indicate a network problem. Expert symptoms are detected by Surveyors expert logic and logged in the Expert Analysis table.9~1Explorer3 J'  Explorer>( -A Shomiti network monitoring, analyzing, or and troubleshooting system available for 10/100/1000 Mbps Ethernet segments. Explorer provides full line-rate capture and transmission for all full or half-duplex Ethernet connections. Explorer can by accessed remotely by Surveyor.> 212Fast Ethernet7i'  Fast Ethernetd2' IEEE 802.3 compliant MII (Media Independent Interface) network. Capable of speeds up to 100 Mbps.?i3 1n3 b Filter Element8k ' "Filter Element3 b 5 8&&A value or template for setting conditions in a capture filter. Filter elements are assigned a name which corresponds to an offset and length within a packet. The filter element usually has a specific hex value assigned to it as well. Filter elements are selected when building a filter combination in an IF or ELSE IF statement. Surveyor provides filter element templates which can be used as is or you can define your own filter elements.6k  1!  Frame/b  ' Frame  ( )Sequence of contiguous bits bracketed by and including beginning and ending flag sequences. A recognizable sequence of bits within a data stream.;  1 ^ Frame Rate4  ' Frame RatelE ^ ' The speed at which frames are received/transmitted on the network.5  1  GoTo.^  ' GoToC ( 7In the Filter window, "GoTo" shows jumps to levels within the capture filter. Selecting a level other than the current level in the action portion of a statement dialog box creates a GoTo phrase in the Filter window. The object of the GoTo phrase is always a state in the filter.< @1 @ @Good Frames5u' Good FramessL@ @' Frames that pass all alignment and CRC checks are counted as good frames.u @9uE@1 E@AHex Pane2 @w@' Hex Pane{E@A' Portion of the Capture View window that displays the hex values of a packet stored in a capture file or capture buffer.5w@NA11 NAJBHost.A|A' HostNAJB( MA computer upon which a particular program or resource is located. In the context of Surveyor, the host is the computer upon which the Surveyor program is running.; |AB1  BSCLink Speed4 JBB' Link SpeedsBSC' The maximum rate at which a device can transmit/receive data on the network, typically described in bits/second.; BC1C-ELocal Host4 SCC' Local HostkCC-E( A networked computer that is running the program or resource being described. In the context of Surveyor, a local host is the computer that is (1) running the Surveyor program under discussion and (2) located on a network where at least one other computer (remote host) is also running a copy of the Surveyor program. 7CdE1bdEFModule0 -EE' ModuledEF( A hardware device attached to the network that can be used by Surveyor software to perform LAN analysis and monitoring functions. Surveyor can use network interface cards and Century Media Modules as modules.?EF1FGMessage Window8FG' "Message WindowyRFG' A window that displays all alarm, log, and error messages received by Surveyor.BGG1G9IMode of Operation<GG' * Mode of Operation<G9I( )Defines the current relationship between Surveyor and a resource. Surveyor can transmit data from a resource (transmit), receive data from a resource (capture), view data from a resource (monitor), or view and receive data from a resource simultaneously (monitor + capture)= GvI1 vICJModule Speed69II' Module SpeedpvICJ' The rate at which Surveyor will capture/transmit packets on the network. The speed is either 10 or 100 Mbps. > IJ1+JnKModule Status7CJJ'  Module StatusJnK( Indicates whether or not the module is actively capturing/transmitting frames. Started indicates that the module is capturing/transmitting.< JK1KVLModule Type5nKK' Module TypewPKVL' Indicates the analyzer card model. Currently, two models exist, GAM and CMM2.8KL1LMMonitor2 VLL'  MonitorT-LM' ZView activity on the network in real time.= LQM1QMMMonitor Mode7MM'   Monitor ModemFQMM' Allows Surveyor to view in real time the data coming to a resource.IM>N1>NNMonitor and Capture ModeCMN' 8 Monitor and Capture ModerK>NN' Allows Surveyor to view and receive data from a resource simultaneously.; N.O1(.O'Name Table4 NbO' Name Table.O'( #Table containing name and address associations for stations on the network. The address can be in the format of the bO'NMAC, IP, or IPX protocol.8bO_1_ۀNetwork1 '' NetworkK$_ۀ' HAn interconnected group of nodes.= 1yIF statement6ۀN' IF Statement+y* "First statement for a level in a filter. Specifies conditions and actions. Use the IF statement dialog box to:(1) create a condition filter comprised of filter elements and operators (2) specify the actions to take if the condition filter is satisfied.7N1Packet0 y' Packet( A sequence of digits including data and control signals that is switched as a composite whole. Data, control signals, and error control information are arranged in a specific format. For Surveyor, packet and frame are used interchangeably.C>1}>xPacket Detail Pane<z' *Packet Detail Pane>x( A portion of the Capture View window that displays the detailed breakdown of a packet that is stored in a capture file or capture buffer. Packets are broken down by protocol and field value within the protocol.Dz1Drop Events Counter=x' ,Drop Events Counter#( A counter that shows the total number of events in which packets were dropped by the probe due to lack of resources. Note that this number is not necessarily the number of packets dropped; it is just the number of times this condition was detected.> Z1ZPacket Editor7'  Packet EditortMZ' A dialog box available from Capture View for changing or creating packets.; @1@Packet Gap4 t' Packet GapZ@' Time interval between packets. A packet gap can be specified when transmitting packets.< t11 1Packet Size5f' Packet Sizem1' The size of a packet sent during transmission mode. Any packet size up to 15,000 bytes can be transmitted.?f91!9Packet Summary8q' "Packet SummaryJ#9' FReal time packet decode summary.Dq1"΋Packet Summary Pane=<' ,Packet Summary Panek΋' In Capture View, the top portion of the window that provides a summary view of all the captured packets.< < 1]# +Packet Type5΋?' Packet Type +( The type of packet sent in transmission mode. Packet types are IP, IPX, ARP, and AARP, or any other type specified by the user. It can also be the packet length field for 802.2 and SNAP frames.6?a1$aPause1 +'  PausekDa' Stop the continuous update of the data when viewing any resource.FC1%CPost Trigger PositionF' >Post Trigger Buffer PositionC( Percentage of the capture buffer used to store frames after the module is triggered. For example, if the post trigger buffer position is set to 50% for a module with 4MB of memory, frames will be captured until 2MB of the module memory is full.91X&Protocol2 ' Protocolk' Set of rules, format, and timing governing the operation of functional units of a communications system.A1'4Real-Time Buffer:,' &Real-Time Buffer4( Buffer used in Century Media Modules V2 to store data received from the network. This circular buffer is continuously updated and overwritten as information is received. The Real-Time buffer supports monitoring functions.9,m1I(m}Resource3 4'  Resourcem}( kAny source that provides data to Surveyor. This can be a Century Media Module, an Ethernet Adapter, multiple devices synchronized to provide a single data stream, or a data file.A1$)Resource Browser:}' &Resource Browser( The resource browser is a single window through which you can access all local and remote resources available in the network. < 1*NRemote Host5' Remote Host<N( )A remote, networked computer that is running the particular program or resource that is being described. In the context of Surveyor discussions, a remote host is a networked computer, other than the local Surveyor host, that is also running a copy of the Surveyor program.M1+:Remote Server Protocol (RSP)G N' @ Remote Server Protocol (RSP)X0:( aRemote Server Protocol is the Shomiti proprietary protocol based on TCP/IP to transfer data or commands for Surveyor between the local station and the remote host. You can encrypt packets passed back and forth between the local station and the remote host when using RSP to transfer data and commands.?y1,y4ROOT Statement8:' "Root Statement\y4' The first statement in all capture filters. Specifies global variables and global values.Bv1-vQCollision Counter>4' .Collision IndicationvvQ' This counter is the sum of alignment errors and fragment errors, both of which are typically caused by a collision.@1@.Jabbers Counter9Q' $Jabbers Counter( ?A counter that shows the total number of packets that were received that were longer than 1518 octets and had either an FCS/CRC error or an Alignment Error.A1-/Oversize Counter: ' &Oversize Counter( A counter showing the total number of packets received that were longer than the 1518 octets and were otherwise well formed (good FCS).B 130Fragments Counter;;' (Fragments Counter( A counter showing the total number of packets received that were less than 64 octets and had either an FCS/CRC error or an Alignment Error.3;$11$SA,P'  SAtM$' Source address. MAC level station address of where a frame is coming from.BP112 Undersize Counter;A' (Undersize Counter ( A counter showing the total number of packets received that were less than 64 octets in length and were otherwise well-formed (good FCS).A 7AC13CStream0 s' StreamrKC' A continuous sequence of data elements transmitted in a defined format. Fs+1c4+HStart Sequence Number?j' 0Start Sequence Number+H( mA number assigned in the transmit specification that indicates where the transmission sequence starts. The number can be used at the receiving end to note the start of a sequence.6j~15~ State/H' StatesL~ ' A symbolic label used as an address for a set of statements in a filter. Ee1^6e~Stop Sequence Number> ' .Stop Sequence Numbere~( gA number assigned in the transmit specification that indicates where the transmission sequence stops. The number can be used at the receiving end to note the end of a sequence.= 17~Summary Pane6~' Summary Panef~' In Capture View, the top portion of the window that provides a summary of all the captured packets.= 1 8Summary View6~' Summary Viewq' The primary monitoring view for all network devices. One view of every device can display in the Summary View.F19Synchronized Resource?' 0Synchronized ResourceZ' Multiple hardware devices logically joined to provide a single data source to Surveyor.C1:Total Tx CollisionD' :Total Tx Collision Counterc' A counter showing the total number of collisions that have occurred when attempting to transmit.= 1; Traffic Rate6 ' Traffic Ratei ' When transmitting from Surveyor, a percentage of the maximum capacity of the network to carry packets.8  1< a Traffic1  ' TrafficU. a ' \Transmitted and received frames or packets.G  1= W Transmit Specification@a  ' 2Transmit SpecificationoH W ' A definition of packets to be transmitted on the network by Surveyor.>  1'> ~ Transmit Mode7W  '  Transmit Mode ~ ( One of the modes for using Surveyor. In transmit mode, data streams loaded are transmitted on the network when the resource is started.;  1? a Tx Attempt<~  ' *Tx Attempt CounterlE a ' A counter of the number of transmission attempts that have failed.9  1H@ Tx Defer:a  ' &Tx Defer Counter ( [A counter that shows the number of times the transmitter had transmit data available and was ready to transmit but had to defer transmission due to sensing other traffic.G 1ATx Excessive CollisionH!8' BTx Excessive Collision Counterf' A counter that shows the number of times packets collided 16 times without successful transmission.C8@1*B@@Tx Excessi@ve DeferDX@' :Tx Excessive Defer Counterk@@' A counter that shows the number of times the transmitter had to defer for greater than 3,036 byte times.BX@,A1$C,ABTx Late CollisionC@oA' 8Tx Late Collision Counterx,AB' A counter that shows the number of collisions that occur greater than 512 bit times after a transmission has started.5oACB1DCBBView/BrB'  ViewhACBB' Any one of many displays of network data provided by Surveyor.@rBC1EC_DVery Long EventAB[C' 4Very Long Event CounterC_D( A counter that shows the number of times the transmitter is active for greater than a maximum event length. The maximum event length is 4ms to 7ms for 10Mbps network speeds and .4 to .75ms for 100Mbps network speeds. 4[CD1FDENIS-_DD'  NISDDE' :Name Information Service. 5D9E1G9EENDIS.EgE' NDISQ*9EE' TNetwork Driver Interface Specification.@gEE1HEFNetwork Adapter9E1F' $Network AdaptermFEF' Hardware board for connecting a station or node to an Ethernet LAN.: 1FF1IFpGLog Files3 F G' Log Filese>FpG' |Files containing snapshots of Surveyor counter information.; GG1'JGHLost Frame4 pGG' Lost FrameGH( !A counter that records events where a reporting Ring Station generates a frame to a specific address and does not receive the returned frame.; GH1KHIFrame Copy4 HI' Frame CopyHI- *&A counter that records when a reporting Ring Station copies a frame containing the Ring Stations own (duplicate) address.: II1LIJFrequency3 IJ' FrequencyIJ( A counter that records events where the reporting Ring Station attempts to receive a frame containing an improper ring-clock frequency.; J K1IM KLLine Error4 J@K' Line Error KL. *Y&A counter that records events where the reporting Ring Stations checksum process detects an error in a received data frame or token that the Ring Station transmitted.< @KVL1*NVLDMBurst Error5LL' Burst ErrorVLDM( #A counter that records events where the reporting Ring Station encounters signal transition or signal error on the Token Ring physical medium 9L}M1O}MNAC Error2 DMM' AC Error%}MN. *&A counter that records events where the reporting Ring Stations nearest active upstream neighbor could not set the address recognized bits or frame copied bits in the newly transmitted frame after copying the bits on the last frame received.@MO19POAbort Delimiter9NMO' $Abort DelimiterO( 1A counter that records events where a reporting Ring Station encounters recoverable internal errors, forcing it to transmit an Abort DelimMONiter frame.< MOU1QUToken Error5' Token ErrorbU' A counter that records events where the Token Ring Active Monitor does not detect a ring token.?R1RRInternal Error8' "Internal ErrorjR' A counter that records events where the reporting Ring Station encounters a recoverable internal error.; V1SV܂CRC Errors3 ' CRC ErrorS,V܂' XA Cyclical Redundancy Check (CRC) error. 81MT)Voyager1 ܂E' Voyager)( yA network troubleshooting and monitoring system available from Shomiti. Portable and rack mountable, Voyager is designed for field service and network operations personnel. Voyager can by accessed locally or remotely by Surveyor software and provides tools to diagnose, troubleshoot and monitor any full or half-duplex 10/100 Ethernet network. Voyager is fully RMON compliant and has ports to support auto-switching between network segments.4E]1U]WKP-)'  WKPpI]' Abbreviation for well known port, a known port address on the network.?91V9Analysis Table8q' "Analysis Table[9- *&Table in Surveyors Expert system that lists all expert symptoms discovered over time.?q81 W8Overview Table8p' "Overview Tablef8- *&Table in Surveyors Expert system that lists all counters for expert events discovered over time.JpM1 XMDuplicate Network AddressC' 8Duplicate Network AddressXM' An IP or IPX address that is discovered in packets that contain the same MAC address.JY1YYApplication Response TimeC' 8Application Response TimeY( The time required to establish a session with an application protocol, measured in milliseconds. Surveyor tracks average time, the shortest time, and the longest time required for connections to a protocol over the monitored network segment.> 1ZFrozen Window7-'  Frozen Window^' Condition where the TCP/IP window size remains the same for all packets over a time period.< -1[Zero Window5#' Zero WindowZ' Condition where the TCP/IP window size remains zero for all packets over a time period < #1\Expert View5' Expert View{T' Surveyor data view showing expert symptoms and expert counters for a time period.EՍ1j]ՍVoice over IP (VoIP)>' .Voice over IP (VoIP)Ս* "{Industry term for the carrying of voice traffic over the Internet Protocol. This term is sometimes used more broadly to indicate VoIP/Multi-Media communications via the H.323 protocol.: 41&^4,Multi-QoS3 g' Multi-QoS4,* "Plug-in module available with Surveyor that decodes the H.323 protocol and provides information in tables aboug,t conversation and channels.Hgt15_taCumulative Byte CounterA,' 4Cumulative Byte Counterta* "This counter is a sum of all bytes received to this point in time in a capture file. It displays as a column in Capture View.; 1`Throughput4 a' Throughput@) /The throughput is calculated by dividing the cumulative bytes by the elapsed time. The Throughput displays as a column in Capture View. The elapsed time is the difference between the time stamp of the first packet and the time stamp of the current packet in the capture file.HX1 aX0Packets Dropped CounterA' 4Packets Dropped CounterpX0' A counter showing the number of packets missed by Surveyor. For CMM2 or GAM cards, this value should be zero.Eu1buOther Glossary Items>0' .Other Glossary Itemsu: BOther potential Glossary Items are listed here. Each may become a glossary entry.TOSTime to Liveutilization percentageBPDUCDPretransmissionsfragment assemblyredirectSYN PacketsRST PacketsVLANMSTSAPRIP OSPF11Uc%$%" @e1l;(de Expert Overview9%' $Expert Overview=e( +Automatic diagnostic analysis, expert data views, application response time, and expert alarms are referred to collectively as Surveyor's Expert Features. Expert Features are available in Surveyor menus and toolbars if you have installed the Surveyor Expert Plug-in Module.6' EXPERT VIEWSIZ. *7'The expert views can present expert information on capture files, a capture buffer, or in real-time monitoring mode. (Note: real-time display of expert views is not supported for GAM devices.) The following Expert views are available from the Data Views or Capture View toolbar:J6 <*V:H "8Expert View ]'Z6 @8- *|V:H Application Layer: NFS Retransmission, All ICMP Errors g- *V:H Transport Layer: TCP/IP Retransmission, TCP/IP Zero Window, TCP/IP Frozen Window, TCP/IP Long Ackq8j- *V:H Network Layer: Duplicate IP or IPX Address, IP TTL Expiring, IP Illegal Source Address, ISL Illegal VLAN IDrE- *V:H MAC Layer (Ethernet and Token Ring): Illegal MAC Source Addressj( %From Expert Analysis Table you can double-click on any symptom to display an Expert Diagnosis. Contents of the Expert Diagnosis window include:|O- *V:H Information on the selected Expert Symptom from the Expert Analysis tableBT- **V:H Possible CausesF- *2V:H Recommended Actions7T'  EXPERT ALARMS) Expert Alarms allows you to set thresholds related to Expert Symptoms. Alarms can be configured to perform an action such as a page or e-mail, as with all other Surveyor alarms. Alarms test for thresholds at different protocol layers, such as the number of NFS retransmissions at the application layer or a specific overload utilization percentage at the MAC layer. Some network problems are not single events, but are indicated by certain thresholds or counters being exceeded. To catch these type of problems, use Expert Alarms. Many event counters are available from the Expert Alarm Table that can be used to flag network conditions that are not single events, such as excessive multicast broadcasts.2 ' SEE ALSO e zNL!Ҁ=ڽ]w'Application Response Time View Duplicate Network Address View Expert Alarms Expert View Expert Overview Table F' 1%FF'_*e' f Expert Overview Table? f ' 0Expert Overview Table' 6 ) OThe following table provides a summary of expert features by symptom/counter/application name. The meaning of the columns in the table are described below as well.^f  K#f  "Expert SymptomLogged as an Expert Event and appears in the Analysis Tab of Expert View.6  L#f  ZCounter in the Overview Tab of Expert ViewHas a counter associated with it that displays in the Overview Tab of Expert View.G @ K#f   Expert AlarmHas an alarm you can set in the Expert Alarm editor.l  H#` DApplication Response Time AlarmHas an alarm you can set in the Application Response Time Alarm editor.Z@ u' X = present, z = does not exist as a unique counter, but is counted in other categories? #,!X X F a   J l    Counter, Symptom, or ApplicationExpert SymptomCounter in Expert ViewExpert AlarmApplication Response Time AlarmExpert Threshold<u@#VxX X F a  @ :< @ D $H (t Application Response TimeX (by application),A#JXX X F a  <> D J N R Broadcast/Multicast StormsXXX!@B#JBX X F a  *, 0 4 8 > DNS Response TimeXQAC#^X X F a  ,(    ( Duplicate Network Address(also displays as a separate view)XXX B{D#J@X X F a  "$ * 0 6 : Excessive ARPXXXX"CZE#JDX X F a  &( . 4 : > Excessive BOOTPXXXX${D;F#JHX X F a  02 6 : @ D Excessive BroadcastsX$ZEG#JHX X F a  02 6 : @ D Excessive CollisionsX$;FG#JHX X F a  02 6 : @ D Excessive MulticastsX!GH#JBX X F a  *, 0 4 8 > FTP Response TimeX$GI#JHX X F a  02 6 : > D Gopher Response TimeXHJ#J6X X F a   " ( . 2 HSRP CoupXzzImK#J8X X F a    $ * 0 4 HSRP ErrorsXXJGL#J:X X F a    & , 2 6 HSRP ResignXzz"mK&M#JDX X F a  ,. 2 6 : @ HTTP Response TimeX GLN#J@X X F a  &( , 2 8 < ICMP All ErrorsXX$&MN#JHX X F a  ,. 4 : @ D ICMP Bad IP HeaderXzz5NO#JjX X F a  NP V \ b f ICMP Destination Host Access DeniedXzz/N΀#J^X X F O΀  a  BD J P V Z ICMP Destination Host UnknownXzz8OÁ#JpX X F a  TV \ b h l ICMP Destination Network Access DeniedXzz2΀#JdX X F a  HJ P V \ ` ICMP Destination Network UnknownXzz.Á#J\X X F a  @B H N T X ICMP Destination UnreachableXXX8#JpX X F a  TV \ b h l ICMP Fragment Reassembly Time ExceededXzz5#JjX X F a  NP V \ b f ICMP Fragmentation Needed [D/F set]Xzz$e#JHX X F a  ,. 4 : @ D ICMP Host RedirectXzz,N#JXX X F a  <> D J P T ICMP Host Redirect for TOSXzz'e2#JNX X F a  24 : @ F J ICMP Host UnreachableXzz/N#J^X X F a  BD J P V Z ICMP Host Unreachable for TOSXzz'2#JNX X F a  24 : @ F J ICMP Network RedirectXzz/#J^X X F a  BD J P V Z ICMP Network Redirect for TOSXzz2݋#JdX X F a  HJ P V \ ` ICMP Network Unreachable for TOSXzz(Œ#JPX X F a  46 < B H L ICMP Parameter ProblemXzz'݋#JNX X F a  24 : @ F J ICMP Port UnreachableXzz+Œ#JVX X F a  :< B H N R ICMP Protocol UnreachableXzzj#J>X X F a  "$ * 0 6 : ICMP RedirectXXX1d#JbX X F a  FH N T jd Z ^ ICMP Required IP Option MissingXzz$jE#JHX X F a  ,. 4 : @ D ICMP Source QuenchXzz*d,#JTX X F a  8: @ F L P ICMP Source Route FailedXzz$E #JHX X F a  ,. 4 : @ D ICMP Time ExceededXzz,,#JXX X F a  <> D J P T ICMP Time to Live ExceededXzz G #XX X F a  ,(rt z    Illegal MAC Source Address(Ethernet or Token Ring)XXX0#J`X X F a  DF L R X \ Illegal Network Source AddressXXX##JFX X F a  ,. 4 : > B IP Checksum ErrorsXX*#JTX X F a  8: @ F L P IP Time to Live ExpiringXXX%#JJX X F a  02 6 < B F ISL BPDU/CDP PacketsXX%y#JJX X F a  .0 6 < B F ISL Illegal VLAN IDXXX"X#JDX X F a  (* 0 6 : > Network OverloadXXX y5#J@X X F a  (* . 2 8 < New MAC StationsX!X#JBX X F a  *, 0 4 8 > NFS Response TimeX%5#JJX X F a  .0 6 < B F NFS RetransmissionsXXX"#JDX X F a  ,. 2 6 : @ NNTP Response TimeX(#JPX X F a  46 < B F J Non Responsive StationXXX #J@X X F a  &( , 2 8 < OSPF BroadcastsXX##JFX X F a  . 0 4 8 > B Overload Frame RateX/n#J^X X F a  FH L P V Z Overload Utilization PercentageX!L#JBX X F a  &( . 4 8 < Physical ErrorsXXX!n*#JBX X F a  *, 0 4 8 > POP Response TimeXL#J>X X F a  $& * 0 6 : RIP BroadcastsXX*#J>X X F a  $& * 0 6 : SAP BroadcastsXX"#JDX X F a  ,. 2 6 : @ SMTP Response TimeX$#JHX X F a  .0 6 < @ D TCP Checksum ErrorsXX&#JLX X F a  02 8 > B F TCP/IP Frozen WindowXXX!c#JBX X F a  &( . 4 8 < TCP/IP Long AckXXX(H #JPX X F a  46 < B H L TCP/IP RetransmissionsXXX#c( #JFX X F a  ,. 2 8 > B TCP/IP RST PacketsXX$H  #JHX X F a  *, 2 8 > B TCP/IP SYN AttackXXXX$(  #JHX X F a  ,. 4 : @ D TCP/IP Zero WindowXXX$  #JHX X F a  02 6 : > D TELNET Response TimeX#  #JFX X F a  ,. 2 8 > B Total MAC StationsXX' #JNX X F a  68 < @ F J Total Router BroadcastsX k#J>X X F a   " ( . 4 8 Unstable MSTXXXX*' Jk1;(r*f.@CApplication Response TimeC.@' 8.@Application Response Time1 _@' COUNTER.@QA( The response time for various applications is measured in milliseconds (ms). A threshold can be set in the Application Response Time Alarms for all supported applications. Supported applications are:6 _@A- *V:H DNS6 QAA- *V:H FTP9 AA- *V:H Gopher7 A-B- *V:H HTTP6 AcB- *V:H NFS7 -BB- *V:H NNTP6 cBB- *V:H POP7 BC- *V:H SMTP9 B@C- *V:H TELNET2 CrC' SEE ALSOv9@CC= JrݫzNAlarm Editors Application Response Time View JrC2D1_**g2DuD^LBroadcast/Multicast StormCCuD' 8Broadcast/Multicast Storm1 2DD' COUNTER>uD*GF Z}The Broadcast/Multicast Storms counter increments when a change in the number of total Broadcast/Multicast packets per second exceeds a threshold. Broadcast/Multicast Storms can be used to monitor extreme peaks in the number of broadcast and/or multicast messages. The default threshold is a delta of 400 broadcast/multicast events per second; however, this value can be changed from the Expert Thresholds tab in the Configuration Module Settings... menu. A count of all instances where the threshold is reached displays in the Overview tab of Expert View. 8DbG' "EXPERT SYMPTOM*GjH( Broadcast/Multicast Storm events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the rate of change for broadcast and multicast packets. For example:V,bGH* $XRate of change of Bcast/Mcast Packets=500:jHH' &EXPERT DIAGNOSISU)HOJ, &S__________________________________________________________________ Problem Description: The broadcast storm expert threshold has been exceeded for this segment, resulting in a MAC Broadcast Storm symptom.__________________________________________________________________ Probable Cause(s): H.K2 2[VL61. The network is overloaded. 2. Variations in application traffic patterns.3. Heavy Internet usage.4. Too many broadcast/multicast packets from the switch/bridge.]OJK( __________________________________________________________________ Recommended Action(s):~.K^L- *VL61. Load balance your network.2. If you see repeated storms, your router or switch may needed upgrading or reconfiguring.JKL1cr*+hLL̈́Duplicate Network AddressC^LL' 8Duplicate Network AddressLM1 0-"7A separate table showing duplicate network addresses is available. Press the button on the Data View or Capture View toolbar to see this table. 1 LM' COUNTERM%M/O( KDuplicate Network Address is a counter of all duplicate network addresses over a period of time per segment. A count of all duplicate network addresses displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms for all duplicate network Addresses.8MgO' "EXPERT SYMPTOM%/O( Duplicate network addresses are automatically logged as either "Duplicate IP Address" or "Duplicate IPX Address"gO^L expert symptoms. The Symptom Summary field in the Analysis Table provides information about the duplicate IP or IPX address. For example:BgOڀ* $0Addr=[206.250.228.67]:' &EXPERT DIAGNOSISoBڀ- (__________________________________________________________________ Problem Description: This network address has multiple MAC station address association.This is a serious problem if the associated MAC stations are not routers. __________________________________________________________________ Probable Cause(s): l0 .sVL61. An existing network address has been assigned to a new machine withoutverification. 2. An old (discarded) machine using this address has been re-introducedinto the network. F+ $___________________________________________________________________ Recommended Action(s): Change the network address of one or more hosts so thatthere are no duplicates.2 lx' SEE ALSOU%F̈́0 0JL!ҀDuplicate Network Address View @x 1W*+i FlExcessive BOOTP9̈́F' $Excessive BOOTP1 w' COUNTERFF ZThe Excessive BOOTP counter increments when a change in the number of Bootp/Dhcp requests per second exceeds a threshold. The default threshold is a delta of 10 Bootp/Dhcp requests per second; however, this value can be changed from the Expert Thresholds tab in the Configuration Module Settings... menu. A count of all Excessive BOOTP events displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.8wÇ' "EXPERT SYMPTOM( Excessive BOOTP events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the rate of change for Bootp/Dhcp requests. For example:V,Ç * $XRate of change of Bootp/Dhcp Requests=25 :E' &EXPERT DIAGNOSIS; , &__________________________________________________________________ Problem Description: The expert threshold for number of BOOTP/DHCP requests has been exceeded for this segment.__________________________________________________________________ Probable Cause(s): wE$- *VL61. The network has many devices that are being reset. 2. The DHCP server has many requests from floating clients.]( __________________________________________________________________ Recommended Action(s):$l0 .'VL61. Load balance your network.2. Add more DHCP servers.3. Your network may have just come up after a power down; if so, ignore this problem.> 1++jExcessive ARP7l'  Excessive ARP1 ' COUNTERF ZyThe Excessive ARP counter increments when a change in the number of ARP requests per second exceeds a threshold. The default threshold is a delta of 10 ARP requests per second; however, this value can be changed from the Expert Thresholds tab in the Configuration Module Settings... menu. A count of all Excessive ARP events displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.8L' "EXPERT SYMPTOMA( Excessive ARP events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information abouLAlt the rate of change for ARP requests. For example:O%L* $JRate of change of ARP Requests=20 :A' &EXPERT DIAGNOSIS\0&, &a__________________________________________________________________ Problem Description: The expert threshold for ARP Broadcasts requests has been exceeded for this segment, resulting in an Excessive ARP symptom.__________________________________________________________________ Probable Cause(s): 2 2!VL61. The network is overloaded.2. Variations in application traffic patterns.3. Heavy Internet usage.4. Too many new TCP/IP connections.]&m( __________________________________________________________________ Recommended Action(s):_-2 2[VL61. Load balance your network.2. If you see repeated overloads and maybe too many retransmissions, your router or switch may need upgrading.3. Your network may have just come up after a power down; if so, ignore this problem.4. If it is due to higher Internet usage, then ignore this message.Em11+H+kOOExcessive Broadcasts>O' .Excessive Broadcasts1 ' COUNTEROO* "KExcessive Broadcasts is a counter that can be used to monitor fluctuations in the number of broadcast messages over a period of time per segment. A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive broadcasts. An alarm event can also be generated based on an absolute number of multicasts over time.The default is 400 broadcast packets per sec on a 100MB network.E11++lExcessive Multicasts>O' .Excessive Multicasts1 ' COUNTER* "KExcessive Multicasts is a counter that can be used to monitor fluctuations in the number of multicast messages over a period of time per segment. A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive broadcasts. An alarm event can also be generated based on an absolute number of multicasts over time.The default is 400 multicast packets per sec on a 100MB network.E1H+h+mUExcessive Collisions>U' .Excessive Collisions1 ' COUNTER_6U) mExcessive Collisions is a counter that can be used to monitor fluctuations in the number of collisions or the absolute number of collisions over a period of time per segment. A delta threshold for this counter can be set in Expert Alarms to establish what is considered excessive collisions. An alarm event can also be generated based on an absolute number of collisions over time.The Excessive Collisions counter is incremented by counting runt packets and by counting packets with CRC errors. The Excessive Collisions counter only applies to Ethernet networks.*' : I1:+>,nI|HSRP Coup3 |' HSRP Coup1 I' COUNTERY+|. *WHSRP Coup events are counted in the HSRP Errors counter, which displays in the Overview tab of Expert View. A Coup message indicates that the router wishes to become active. A threshold can be set in Expert Alarms for HSRP Coup/Resign packets, which includes both Resign and Coup HSRP messages.8>' "EXPERT SYMPTOM.( yHSRP Coup events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides the IP address of the router tryin>.g to become active. For example:T*>* $TSA=[206.250.226.11] DA=[206.250.228.69]:.' &EXPERT DIAGNOSIS , &__________________________________________________________________Problem Description:A Router has generated an HSRP Coup message.__________________________________________________________________Probable Cause(s):`5%+ &jVL61. The router wishes to become the active router.\( __________________________________________________________________Recommended Action(s):%g. *!VL61. Make sure that the router coming up is a stand by router.2. Make sure there was a router Resign message (by Master router) before coup.*' < g1 h+,oHSRP Errors5' HSRP Errors1 3' COUNTER|. *Some Hot Standby Routing Protocol (HSRP) packets are counted in the HSRP Errors counter, which displays in the Overview tab of Expert View. Both Coup and Resign packets are counted. Coup/Resign packets in the HSRP are used to activate/deactivate routers. A threshold can be set in Expert Alarms for HSRP Coup/Resign packets, which includes both Resign and Coup HSRP messages.< 31/>,<,pNL HSRP Resign5N' HSRP Resign1 ' COUNTERf8N. *qHSRP Resign events are counted in the HSRP Errors counter, which displays in the Overview tab of Expert View. A Resign message indicates that the router is requesting to become inactive. A threshold can be set in Expert Alarms for HSRP Coup/Resign packets, which includes both Resign and Coup HSRP messages.8' "EXPERT SYMPTOM ( HSRP Resign events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides the IP address of the router trying to become inactive. For example:T*Y * $TSA=[206.250.226.11] DA=[206.250.228.69]:  ' &EXPERT DIAGNOSIS Y  , &__________________________________________________________________Problem Description:A router has generated an HSRP Resign message.__________________________________________________________________Probable Cause(s):f;  + &vVL61. The router no longer wishes to be the active router.\  ( __________________________________________________________________Recommended Action(s): L . *-VL61. Make sure the router is going back to stand by mode.2. Make sure you get a Coup message or Hello message from new router that has taken over.@  1,,q  WBICMP All Errors9L  ' $ICMP All Errors1  ' COUNTER. $) ICMP All Errors is a counter of all ICMP symptoms. A count of all ICMP symptoms displays in the Overview Tab of Expert View. This counter can also be set in Expert Alarms to set a threshold for all ICMP errors.The following types of ICMP errors are counted:  @2 2?V:H Destination Unreachable Network Unreachable, Host Unreachable, Protocol Unreachable, Port Unreachable, Fragmentation Needed [D/F Set], Source Route Failed, Destination Network Unknown, Destination Host Unknown, Destination Network Access Denied, Destination Host Access Denied, Network Unreachable for TOS, Host Unreachable for TOS, Destination Unreachable (catches all other Destination Unreachable Errors)$ @L D$P@0 0(V:H Source Quench @A2 2'V:H RedirectNetwork Redirect, Host Redirect, Network Redirect for TOS, Host Redirect for TOS, ICMP Redirect (catches all other Redirect errors)aP@A1 2V:H Time ExceededICMP Time Exceeded, Time To Live Exceeded, Fragment Reassembly Time ExceededAWB1 2V:H Parameter ProblemBad IP Header, Required IP Option Missing, ICMP Parameter Problem (catches all other Parameter errors)CAB1$<,,rBBJICMP Bad IP Header<WBB' *ICMP Bad IP Header1 BC' COUNTERBC( ICMP Bad IP Header events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.8C4D' "EXPERT SYMPTOMCE( {ICMP Bad IP Header events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. Examples are:E4D^F, &3Sent by Destination Host [206.250.228.69] to [206.250.228.11]. Bad Octet at 14. SA=[206.250.228.11] DA=[206.250.228.69]Sent by Gateway [206.250.228.61] to [206.250.228.11] when forwarding to Destination [206.250.228.69]. Bad Octet at 14. SA=[206.250.228.11] DA=[206.250.228.69]:EF' &EXPERT DIAGNOSIS%^FG, &__________________________________________________________________ Problem Description: An ICMP Parameter Problem (IP header is bad) message has been sent. __________________________________________________________________ Probable Cause(s): 1FH1 0VL61. A host/router may send this message if the IP header parametershave problems that prevents it from processing the packet. 2. A host/router may have a bad network stack or a bad interface card. 3. There may be incorrect arguments in IP options. ]GsI( __________________________________________________________________ Recommended Action(s):V#HJ3 4GVL61. Check the ICMP Pointer field to see the octet in the IP headerwhere the error was detected.2. Verify that the source that sent this IP header has a goodnetwork interface card.3. Check if the network stack on the source that sent the badIP header parameters is working properly.T#sIK1,%-sKjKICMP Destination Host Access DeniedM&JjK' LICMP Destination Host Access Denied1 KK' COUNTERljK/M( ICMP Destination Host Access Denied events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8KgM' "EXPERT SYMPTOM/M\N( ICMP Destination Host Access Denied events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:agMN* $[206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:\N!O' &EXPERT DIAGNOSIS-NZ, &__________________________________________________________________ Problem Description: An ICMP Destination Host Administratively Prohibited message has been sent. ___________!OZJ_______________________________________________________ Probable Cause(s): !Ok0 .VL61. If a router has a routing table problem, it may send this message. 2. A host may send this message if the destination host does not have proper access. 3. The source may have an incorrectly configured subnet mask. ]Z( __________________________________________________________________ Recommended Action(s):k0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source and/or the router.3. Ignore this message, if the host is truly prohibited (no action required).NU1,-tUICMP Destination Host UnknownG ' @ICMP Destination Host Unknown1 U̓' COUNTERf[( ICMP Destination Host Unknown events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8̓' "EXPERT SYMPTOM[( ICMP Destination Host Unknown events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:a * $[206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:G' &EXPERT DIAGNOSIS `, &__________________________________________________________________ Problem Description: An ICMP Destination Host Unknown message has been sent. __________________________________________________________________ Probable Cause(s): Gh0 .VL61. If a router has a routing table problem, it may send this message. 2. A router may send this message if it does not know the destination host. 3. The source may have an incorrectly configured subnet mask. ]`( __________________________________________________________________ Recommended Action(s):h0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source and/or the router.3. Ignore this message, if the host is truly unknown (no action required).W&X1%--uXHICMP Destination Network Access DeniedP)' RICMP Destination Network Access Denied1 Xً' COUNTERop( ICMP Destination Network Access Denied events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8ً' "EXPERT SYMPTOMp( ICMP Destination Network Access Denied events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:a+* $[206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:e' &EXPERT DIAGNOSIS0+, & __________________________________________________________________ Problem Description: An ICMP Destination eNetwork Administratively Prohibited message has been sent. __________________________________________________________________ Probable Cause(s): e0 .VL61. If a router has a routing table problem, it may send this message. 2. A host may send this message if the network does not have proper access. 3. The source may have an incorrectly configured subnet mask. ].( __________________________________________________________________ Recommended Action(s):H0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source and/or the router.3. Ignore this message, if the network is truly prohibited (no action required).Q .1--vWICMP Destination Network UnknownJ#H' FICMP Destination Network Unknown1 ' COUNTERi( ICMP Destination Network Unknown events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8' "EXPERT SYMPTOM( ICMP Destination Network Unknown events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:aZ* $[206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:' &EXPERT DIAGNOSISZ, &__________________________________________________________________ Problem Description: An ICMP Destination Network Unknown message has been sent. __________________________________________________________________ Probable Cause(s): 0 .VL61. If a router has a routing table problem, it may send this message. 2. A router may send this message if it does not know the destination network. 3. The source may have an incorrectly configured subnet mask. ]@( __________________________________________________________________ Recommended Action(s):W0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source and/or the router.3. Ignore this message, if the network is truly unknown (no action required).M@1 -.wtICMP Destination UnreachableFW' >ICMP Destination Unreachable1 ' COUNTER4 O* "ICMP Destination Unreachable is a counter of all ICMP destination unreachable errors over a period of time per segment. A count of all destination unreachable ICMP symptoms displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms for all destination unreachable ICMP errors.The following types of destination unreachable ICMP errors are counted:Network Unreachable, Host Unreachable, Protocol Unreachable, Port Unreachable, Fragmentation Needed [D/F Set], Source Route Failed, Destination Network Unknown, Destination Host Unknown, Destination Network Access Denied, Destination Host Access Denied, Network Unreachable for TOS, Host Unreachable for TOS, Destination Unreachable (catches all other Destination Unreachable Errors)8' "EXPERT SYMPTOMO) ICMP Destination Unreachable is also an expert symptom, and has its own expert Wdiagnosis. However, this expert symptom reflects only those destination unreachable conditions which cannot be assigned to one of the other destination unreachable symptoms defined above.ICMP Destination Unreachable events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:a* $[206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:R' &EXPERT DIAGNOSISj, &__________________________________________________________________ Problem Description: An ICMP Destination Unreachable message has been sent. __________________________________________________________________ Probable Cause(s): yFR3 4VL61. If a router has a routing table problem, it may send this message. 2. A host may send this message if a destination is unreachable. 3. If the packet needs to be fragmented and yet the don't fragment flag is setthe host/router will send this message. 4. The source may have an incorrectly configured subnet mask. \jg( __________________________________________________________________Recommended Action(s): t0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the destination is truly unreachable (no action required).T#g1 -9 .xICMP Fragmentation Needed [D/F set]M&t' LICMP Fragmentation Needed [D/F set]1 F' COUNTERl( ICMP Fragmentation Needed [D/F set] events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8F ' "EXPERT SYMPTOM ( ICMP Fragmentation Needed [D/F set] events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:  + $MTU of next Hop=2 to reach [206.250.228.69]. Cannot be reached by [206.250.228.11] as D/F Set. SA=[206.250.228.11] DA=[206.250.228.69]:  ' &EXPERT DIAGNOSIS> 3 - (#__________________________________________________________________ Problem Description: An ICMP Destination (Fragmentation needed, but, D/F set)Unreachable message has been sent. __________________________________________________________________ Probable Cause(s): 4 g 1 0VL61. If a router has a routing table problem, it may send this message. 2. If the packet needs to be fragmented and yet the don't fragment flag is setthe host/router will send this message. 3. The source may have an incorrectly configured subnet mask. ]3  ( __________________________________________________________________ Recommended Action(s):g 0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the D/F is meant to be set (no action required).W& F1..yFFICMP Fragment Reassembly Time ExceededP)' RICMP Fragment Reassembly Time Exceeded1 F' COUNTER @( ICMP Fragment Re@assembly Time Exceeded events are counted in the All ICMP Errors counter. A count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.8A' "EXPERT SYMPTOM@ B( ICMP Fragment Reassembly Time Exceeded events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:iAB* $Sent by Destination Host [206.250.228.69] to [206.250.228.11]. SA=[206.250.228.11] DA=[206.250.228.69]: BB' &EXPERT DIAGNOSIS"BC, &__________________________________________________________________ Problem Description: An ICMP Fragment Reassembly Time Exceeded message has been sent. __________________________________________________________________ Probable Cause(s): ; B6E2 2VL61. A host may send this message if it cannot reassemblethe fragments (due to missing fragments) on time. 2. There may be a lot of missing IP fragments (possibly dueto NFS traffic or network overload). 3. If the routing tables are incorrect on the source. ]CE( __________________________________________________________________ Recommended Action(s):6EF2 2VL61. Check the routing tables of the source.2. Check the netmask configuration of the source.3. Check if there are missing IP fragments.4. May need to upgrade the host that sent this message.CEF19 ..zF3GNICMP Host Redirect<F3G' *ICMP Host Redirect1 FdG' COUNTER^63GH( mICMP Host Redirect events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.8dGH' "EXPERT SYMPTOMHI( yICMP Host Redirect events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:uH}J* $Use Gateway [206.250.54.61] to reach [206.250.228.69] from [206.250.228.11] SA=[206.250.228.11]DA=[206.250.228.69]:IJ' &EXPERT DIAGNOSIS}JK, &__________________________________________________________________ Problem Description: An ICMP Host Redirect message has been sent. __________________________________________________________________ Probable Cause(s): s@J8M3 4VL61. If a router has a routing table problem, it may send this message. 2. A router may send this message if according to its (proper) routingtables it finds a shorter path via a different router. 3. The source may have an incorrectly configured subnet mask. 4. The host (source) may have an old routing table. \KM( __________________________________________________________________Recommended Action(s):8MN0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the redirect message is valid (no action required).*MN' KN7O1./{7O{O@ICMP Host Redirect for TOSDN{O' :ICMP Host Redirect for TOS1 7OO' COUNTERf>{O( }ICMP Host Redirect for TOS events are countONed in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.8OV' "EXPERT SYMPTOMB( ICMP Host Redirect for TOS events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:V+ $Use Gateway [206.250.54.61] to reach [206.250.228.69] and TOS 22 from [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:B)' &EXPERT DIAGNOSISC, &__________________________________________________________________ Problem Description: An ICMP Redirect for TOS and Host message has been sent. __________________________________________________________________ Probable Cause(s): s@)3 4VL61. If a router has a routing table problem, it may send this message. 2. A router may send this message if according to its (proper) routingtables it finds a shorter path via a different router. 3. The source may have an incorrectly configured subnet mask. 4. The host (source) may have an old routing table. \C:( __________________________________________________________________Recommended Action(s):@0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the redirect message is valid (no action required).F:1v. /|Ň ICMP Host Unreachable?@Ň' 0ICMP Host Unreachable1 ' COUNTER^Ň|( ICMP Host Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8' "EXPERT SYMPTOM|( ICMP Host Unreachable events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:a&* $[206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:`' &EXPERT DIAGNOSIS&}, &__________________________________________________________________ Problem Description: An ICMP Destination Host Unreachable message has been sent. __________________________________________________________________ Probable Cause(s): `0 .VL61. If a router has a routing table problem, it may send this message. 2. A host may send this message if a destination host is unreachable. 3. The source may have an incorrectly configured subnet mask. ]}( __________________________________________________________________ Recommended Action(s): 0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the host is truly unreachable (no action required).NX1//}XCICMP Host Unreachable for TOSG ' @ICMP Host Unreachable for TOS1 XЏ' COUNTERfj( ICMP HoЏj st Unreachable for TOS events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8Џ' "EXPERT SYMPTOMj( ICMP Host Unreachable for TOS events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:n)* $TOS=22 service on [206.250.228.69] unavailable for [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:c' &EXPERT DIAGNOSIS(), &__________________________________________________________________ Problem Description: An ICMP Destination Host is Unreachable for TOS message has been sent. __________________________________________________________________ Probable Cause(s): %c1 0VL61. If a router has a routing table problem, it may send this message. 2. A host may send this message if a destination host is unreachablefor the type of service requested. 3. The source may have an incorrectly configured subnet mask. ]5( __________________________________________________________________ Recommended Action(s):C0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the host is truly unreachable for TOS (no action required).F51 //~`ICMP Network Redirect?C' 0ICMP Network Redirect1 ' COUNTERa9Z( sICMP Network Redirect events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.8' "EXPERT SYMPTOMZy( ICMP Network Redirect events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:u* $Use Gateway [206.250.54.61] to reach [206.250.228.69] from [206.250.228.11] SA=[206.250.228.11]DA=[206.250.228.69]:yR' &EXPERT DIAGNOSISc, &__________________________________________________________________ Problem Description: An ICMP Network Redirect message has been sent. __________________________________________________________________ Probable Cause(s): s@R3 4VL61. If a router has a routing table problem, it may send this message. 2. A router may send this message if according to its (proper) routingtables it finds a shorter path via a different router. 3. The source may have an incorrectly configured subnet mask. 4. The host (source) may have an old routing table. \cZ( __________________________________________________________________Recommended Action(s):`0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the redirect message is valid (no action required).NZ1/0 ICMP Network Redirect for TOSG ` ' @ICMP Network Redirect for TOS `1 =' COUNTERiA ( ICMP Network Redirect for TOS events are counted in the ICMP Redirect Errors counter and the ICMP All Errors counter. A count of ICMP redirect errors and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP redirect errors or for all ICMP errors.8=' "EXPERT SYMPTOM( ICMP Network Redirect for TOS events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:y+ $Use Gateway [206.250.54.61] to reach [206.250.228.69] and TOS 22 from [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:' &EXPERT DIAGNOSISy, &__________________________________________________________________ Problem Description: An ICMP Redirect for TOS and Network message has been sent. __________________________________________________________________ Probable Cause(s): s@C3 4VL61. If a router has a routing table problem, it may send this message. 2. A router may send this message if according to its (proper) routingtables it finds a shorter path via a different router. 3. The source may have an incorrectly configured subnet mask. 4. The host (source) may have an old routing table. \( __________________________________________________________________Recommended Action(s):C0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the redirect message is valid (no action required).I1/ 0XICMP Network UnreachableBX' 6ICMP Network Unreachable1 ' COUNTERaX ( ICMP Network Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8J ' "EXPERT SYMPTOM 4 ( ICMP Network Unreachable events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:aJ  * $[206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:4  ' &EXPERT DIAGNOSIS   , &__________________________________________________________________ Problem Description: An ICMP Destination Network Unreachable message has been sent. __________________________________________________________________ Probable Cause(s):  0 .VL61. If a router has a routing table problem, it may send this message. 2. A host may send this message if a destination host is unreachable. 3. The source may have an incorrectly configured subnet mask. ] ( __________________________________________________________________ Recommended Action(s):0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the host is truly unreachable (no action required).Q  @100 @V@GICMP Network Unreachable for TOS @J#V@' FICMP Network Unreachable for TOS1 @@' COUNTERiV@B( ICMP Network Unreachable for TOS events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8@PB' "EXPERT SYMPTOMBBC( ICMP Network Unreachable for TOS events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:nPBC* $TOS=22 service on [206.250.228.69] unavailable for [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:BCD' &EXPERT DIAGNOSIS+C?E, &__________________________________________________________________ Problem Description: An ICMP Destination Network is Unreachable for TOS message has been sent. __________________________________________________________________ Probable Cause(s): D[F1 0VL61. If a router has a routing table problem, it may send this message. 2. A host may send this message if a network is unreachable for the typeof service requested. 3. The source may have an incorrectly configured subnet mask. ]?EF( __________________________________________________________________ Recommended Action(s):[FG0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the network is truly unreachable for TOS (no action required).GF8H1S 018HxH{ICMP Parameter Problem@GxH' 2ICMP Parameter Problem1 8HH' COUNTERxHI( ICMP Parameter Problem events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.8HI' "EXPERT SYMPTOMIJ( ICMP Parameter Problem events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:iIUK* $Bad IP Header sent from [206.250.228.11] to [206.250.228.69]. SA=[206.250.228.11] DA=[206.250.228.69]JL( 5This Expert Symptom will be used to identify a parameter problem only if the problem cannot be identified as a Bad IP Header or as a Missing IP Option.:UKQL' &EXPERT DIAGNOSISLcM, &__________________________________________________________________ Problem Description: An ICMP Parameter Problem message has been sent. __________________________________________________________________ Probable Cause(s): 1QLN1 0VL61. A host/router may send this message if the IP header parametershave problems that prevents it from processing the packet. 2. A host/router may have a bad network stack or a bad interface card. 3. There may be incorrect arguments in IP options. ]cMO( __________________________________________________________________ Recommended Action(s):V#N{3 4GVL61. Check the ICMP Pointer field to see the octet in the IP headerwhere the error was detected.2. Verify that the source that sent this IP header has a goodnetwork interface cO{Gard.3. Check if the network stack on the source that sent the badIP header parameters is working properly.FO101lICMP Port Unreachable?{' 0ICMP Port Unreachable1 1' COUNTER^( ICMP Port Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.81' "EXPERT SYMPTOMփ( ICMP Port Unreachable events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:ll* $Port=22 on [206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:փ' &EXPERT DIAGNOSISlÅ, &__________________________________________________________________ Problem Description: An ICMP Destination Port Unreachable message has been sent. __________________________________________________________________ Probable Cause(s): 0 .VL61. If a router has a routing table problem, it may send this message. 2. A host may send this message if a port is unreachable. 3. The source may have an incorrectly configured subnet mask. ]Å>( __________________________________________________________________ Recommended Action(s):.l1 0VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the port is truly unreachable (no action required) for ex: SNMP port connection requests.J>111aICMP Protocol UnreachableCl' 8ICMP Protocol Unreachable1 *' COUNTERb( ICMP Protocol Unreachable events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8*' "EXPERT SYMPTOM׋( ICMP Protocol Unreachable events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:pq* $Protocol=IP on [206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:׋' &EXPERT DIAGNOSIS!q̍, &__________________________________________________________________ Problem Description: An ICMP Destination Protocol Unreachable message has been sent. __________________________________________________________________ Probable Cause(s): Ǝ0 .VL61. If a router has a routing table problem, it may send this message. 2. A host may send this message if a protocol is unreachable. 3. The source may have an incorrectly configured subnet mask. ]̍K( __________________________________________________________________ Recommended Action(s): Ǝa0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.Kal3. Ignore this message, if the protocol is truly unreachable (no action required).> K13 1A1ICMP Redirect7a'  ICMP Redirect1 ' COUNTER* "MICMP Redirect is a counter of all ICMP redirect errors over a period of time per segment. A count of all redirect ICMP symptoms displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.The following types of ICMP redirect errors are counted:Network Redirect, Host Redirect, Network Redirect for TOS, Host Redirect for TOS, ICMP Redirect (catches all other Redirect errors)8' "EXPERT SYMPTOM) +ICMP Redirect is also an expert symptom, and has its own expert diagnosis. However, this expert symptom reflects only those redirect conditions which cannot be assigned to one of the other redirect symptoms defined above.ICMP Redirect events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:ul* $Use Gateway [206.250.54.61] to reach [206.250.228.69] from [206.250.228.11] SA=[206.250.228.11]DA=[206.250.228.69]:' &EXPERT DIAGNOSIS l, &__________________________________________________________________ Problem Description: An ICMP Redirect message has been sent. __________________________________________________________________ Probable Cause(s): s@"3 4VL61. If a router has a routing table problem, it may send this message. 2. A router may send this message if according to its (proper) routingtables it finds a shorter path via a different router. 3. The source may have an incorrectly configured subnet mask. 4. The host (source) may have an old routing table. \( __________________________________________________________________Recommended Action(s):"0 .VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.3. Ignore this message, if the redirect message is valid (no action required).,( P(112(qICMP Required IP Option MissingI"q' DICMP Required IP Option Missing1 (' COUNTERq( ICMP Required IP Option Missing events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.8' "EXPERT SYMPTOM( ICMP Required IP Option Missing events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:i`* $Bad IP Header sent from [206.250.228.11] to [206.250.228.69]. SA=[206.250.228.11] DA=[206.250.228.69]:' &EXPERT DIAGNOSIS6 `, &__________________________________________________________________ Problem Description: An ICMP Parameter Problem (IP Options required, but, missing) message has been sent. __________________________________________________________________ Probable Cause(s): 1 1 0VL61. A host/router may send this message if the IP header parametershave problems that prevents it from processing the packet. 2. A host/router may have a bad network stack or a bad interface card. 3. There may be incorrect arguments in IP options.  ]( __________________________________________________________________ Recommended Action(s):V# 3 4GVL61. Check the ICMP Pointer field to see the octet in the IP headerwhere the error was detected.2. Verify that the source that sent this IP header has a goodnetwork interface card.3. Check if the network stack on the source that sent the badIP header parameters is working properly.*' I[16A12[ ICMP Source Route FailedB' 6ICMP Source Route Failed1 [' COUNTERaW( ICMP Source Route Failed events are counted in the ICMP All Errors and the ICMP Destination Unreachable counters. A count of all destination unreachable ICMP symptoms and a count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all destination unreachable ICMP errors or for all ICMP errors.8' "EXPERT SYMPTOMWy( ICMP Source Route Failed events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:a* $[206.250.228.69] cannot be reached by [206.250.228.11] SA=[206.250.228.11] DA=[206.250.228.69]:y>' &EXPERT DIAGNOSIS.l, &__________________________________________________________________ Problem Description: An ICMP Destination Unreachable (Source Route Failed) message has been sent. __________________________________________________________________ Probable Cause(s): >i0 .VL61. If a router has a routing table problem, it may send this message. 2. A router may send this message if it cannot route the packet. 3. The source may have an incorrectly configured subnet mask. ]l( __________________________________________________________________ Recommended Action(s):i . * VL61. Check the routing tables of the router that this message was generated from.2. Check the netmask configuration of the source.C 12?2 ! AICMP Source Quench< ! ' *ICMP Source Quench1 R ' COUNTER! G ( ICMP Source Quench events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.8R  ' "EXPERT SYMPTOMG d ( {ICMP Source Quench events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. Examples are:(  , &Sent by Destination Host [206.250.228.69] to [206.250.228.11]. SA=[206.250.228.11] DA=[206.250.228.69]Sent by Gateway Host [206.250.228.61] to [206.250.228.11] when forwarding to Destination [206.250.228.69]. SA=[206.250.228.11] DA=[206.250.228.69]:d  ' &EXPERT DIAGNOSIS , &__________________________________________________________________ Problem Description: An ICMP Source Quench message has been sent. __________________________________________________________________ Probable Cause(s):  1 0VL61. If a router has a buffer space problem, it may send this message. 2. A host may send this message if it can't keep up withprocessing of packets and is reaching its limits. 3. The network may be overloaded. ]p@( p@ __________________________________________________________________ Recommended Action(s):r?A3 4VL61. Check the routing table buffer statistics and upgradethe router if problem persists.2. If the message is from a host, you may need to upgrade it's resources.3. Increase the bandwidth of your network to reduce network overload.4. Ignore this message, if it is infrequent as the problem will rectify itself.Kp@-B12E2-BqB$IICMP Time to Live ExceededDAqB' :ICMP Time to Live Exceeded1 -BB' COUNTERqBC( ICMP Time to Live Exceeded events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.8BC' "EXPERT SYMPTOMCD( ICMP Time to Live Exceeded events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:C}E+ $Sent by Gateway [206.250.228.61] to [206.250.228.11] when forwarding to Destination [206.250.228.69] SA=[206.250.228.11] DA=[206.250.228.69]:DE' &EXPERT DIAGNOSIS}EF, &__________________________________________________________________ Problem Description: An ICMP Time To Live Exceeded message has been sent. __________________________________________________________________ Probable Cause(s): EG2 2VL61. A router may send this message if it encounters an IP packet with aTTL value of 0. 2. The source may have an incorrectly configured subnet mask, causinglonger hops. 3. If the routing tables are incorrect on the source. ]FlH( __________________________________________________________________ Recommended Action(s):aGH- *VL61. Check the routing tables of the source.2. Check the netmask configuration of the source.*lH$I' CHgI1 ?23gIIICMP Time Exceeded<$II' *ICMP Time Exceeded1 gII' COUNTERIJ( ICMP Time Exceeded events are counted in the ICMP All Errors counter. A count of all ICMP errors displays in the Overview Tab of Expert View. A threshold can be set in Expert Alarms for all ICMP errors.8IK' "EXPERT SYMPTOMJK( yICMP Time Exceeded events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the IP addresses involved. For example:KL+ $Sent by Gateway [206.250.228.61] to [206.250.228.11] when forwarding to Destination [206.250.228.69] SA=[206.250.228.11] DA=[206.250.228.69]:KL' &EXPERT DIAGNOSISLM, &__________________________________________________________________ Problem Description: An ICMP Time Exceeded message has been sent. __________________________________________________________________ Probable Cause(s): TLpO5 8VL61. A router may send this message if it encounters an IP packet with aTTL value of 0. 2. The source may have an incorrectly configured subnet mask, causinglonger hops. 3. If the routing tables are incorrect on the source. 4. A host may send this message if it cannot reassemblethe fragments (due to missing fragments) on time. \M ( __________________________________________________________________Recommended Action(s):pO $IpO2 2wVL61. Check the routing tables of the source.2. Check the netmask configuration of the source.3. Check if there are missing IP fragments.4. May need to upgrade your router or host.D =1E2o3=zTCP Checksum Errors=z' ,TCP Checksum ErrorsP)=ʁ' RThis symptom is turned OFF by default.1 z' COUNTERʁ. *TCP Checksum Errors is a counter of all incorrect TCP checksums over a period of time per segment. A count of all TCP Checksum Errors events displays in the Overview tab of Expert View. 8 ' "EXPERT SYMPTOM( TCP Checksum Errors events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides the IP source and destination address for the checksum error. For example:U+ k* $VSA=[206.250.228.69] DA=[206.250.228.11]:' &EXPERT DIAGNOSIS5 kڅ, &__________________________________________________________________ Problem Description: An TCP/IP packet has a checksum value that is in error. The packet may be discarded.__________________________________________________________________ Probable Cause(s): . *VL61. The station that sent this packet may have a faulty network stack. 2. The router that forwarded this packet may have a faulty stack.]څ( __________________________________________________________________ Recommended Action(s):. *9VL61. Identify the station that sent this packet (source addresses).2. Verify the network layer stack for this station. The station may need to be reset.K/13 3/sPIllegal MAC Source AddressDs' :Illegal MAC Source Address1 /' COUNTER4 s؉( Illegal MAC Source Address is a counter of all illegal MAC station source addresses over a period of time per segment. A count of all illegal MAC source addresses displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.8' "EXPERT SYMPTOM؉( {Illegal MAC source addresses are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides the number of illegal address encountered. For example:X.M* $\Number of illegal sources (since last)=[22]-( qThis symptom can help catch malfunctioning NIC cards or bad addresses generated due to collisions. Illegal MAC source addresses may be discovered on Ethernet or Token Ring networks.:Mg' &EXPERT DIAGNOSISe8-̍- (q__________________________________________________________________ Problem Description: A broadcast Ethernet (or Token Ring) address has appeared as a source address.This is problem associated with a bad adapter card. __________________________________________________________________ Probable Cause(s): sgl- *VL61. Someone is transmitting illegal frames using a traffic generator. 2. There may be a faulty adapter card. ̍P+ $s__________________________________________________________________ Recommended Action(s): Filter on the Network address and determine which host hasthe faulty card and replace it.Ol1o3Ʉ3 oIllegal Network Source AddressH!P ' BIllegal Network Source Address P1 =' COUNTER4  q( Illegal Network Source Address is a counter of all illegal network source addresses over a period of time per segment. A count of all illegal MAC source addresses displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.8=' "EXPERT SYMPTOMq( Illegal network source addresses are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides the number of illegal address encountered. For example:X.* $\Number of illegal sources (since last)=[22]ct' This symptom can help catch malfunctioning routers or bad addresses generated due to collisions.:' &EXPERT DIAGNOSISLt- (?__________________________________________________________________ Problem Description: A broadcast network address has appeared as a source address.This is problem associated with a bad host. __________________________________________________________________ Probable Cause(s): x- *VL61. Someone is transmitting illegal frames using a traffic generator. 2. There may be a faulty adapter card/host. o* "M__________________________________________________________________ Recommended Action(s): Filter on the MAC address and determine the faulty card and replace it.C1C 3K3IP Checksum Errors<o' *IP Checksum Errors1 ' COUNTER . *yIP Checksum Errors is a counter of all incorrect IP checksums over a period of time per segment. A count of all IP Checksum Errors events displays in the Overview tab of Expert View. 8A' "EXPERT SYMPTOM 6( IP Checksum Errors events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides the IP source and destination address for the checksum error. For example:U+A* $VSA=[206.250.228.69] DA=[206.250.228.11]:6' &EXPERT DIAGNOSIS1, & __________________________________________________________________ Problem Description: An IP packet has a checksum value that is in error. The packet may be discarded.__________________________________________________________________ Probable Cause(s): . *VL61. The station that sent this packet may have a faulty network stack. 2. The router that forwarded this packet may have a faulty stack.]6( __________________________________________________________________ Recommended Action(s):. *9VL61. Identify the station that sent this packet (source addresses).2. Verify the network layer stack for this station. The station may need to be reset.I6I1Ʉ3P4IIP Time to Live ExpiringB' 6IP Time to Live Expiring1 I' COUNTERmE)( IP Time to Live Expiring is a counter of all expiring connections over a period of time per segment. A count of all IP Time to Live Expiring events displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms to generate an alarm based on a specific number of expiring connections.8a' "EXPERT SYMPTOM)( IP Time to Live Expiring events are automatically logged as expert symptoms. The Symptom Summary field in the Analysisa Table provides information about the "time-to-live" (TTL) and the source and destination addresses. For example:^4a* $hTTL=1 SA=[206.250.228.69] and DA=[206.250.228.11]:' &EXPERT DIAGNOSIS>U- (#__________________________________________________________________ Problem Description: An IP packet has a time to live value that is going to expire.The packet may be discarded. __________________________________________________________________ Probable Cause(s): yL- *VL61. The network is overloaded. 2. Router tables may be misconfigured. ^UT( __________________________________________________________________ Recommended Action(s): xK- *VL61. Increase the network bandwidth.2. Check your router configuration.*T' E;1K34;yDISL BPDU/CDP Packets>y' .ISL BPDU/CDP Packets1 ;' COUNTERqyD) ISL BPDU/CDP Packets is a counter of all Bridge Protocol Data Unit (BPDU) or Cisco Discovery Protocol (CDP) packets in an ISL frame over a period of time per segment. A count of BPDU/CDP packets displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms to generate an alarm based on a specific number of BPDU/CDP packets.D1P44 ISL Illegal VLAN ID=D' ,ISL Illegal VLAN ID1 ' COUNTER ( ISL Illegal VLAN ID is a counter of all ISL illegal VLAN IDs over a period of time per segment. A count of all ISL Illegal VLAN ID displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms. 8C' "EXPERT SYMPTOM  ( [ISL Illegal VLAN IDs are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides the number of the illegal VLAN ID. For example:;CS * $"VLAN ID=[1036]:  ' &EXPERT DIAGNOSIS5S  - (__________________________________________________________________ Problem Description: The VLAN ID in the ISL protocol is illegal. The allowable range is from1 to 1024. __________________________________________________________________ Probable Cause(s): ~ n . ,VL61. An error made in the VLAN configuration for the Switch may haveintroduced an illegal VLAN ID. 2. A faulty Switch. ^  ( __________________________________________________________________ Recommended Action(s): en  - *VL61. Reconfigure your Switch's VLAN configuration to use valid ID's.2. Replace the faulty Switch.A  14ʂ4  DNetwork Overload:  ' &Network Overload1 2 ' COUNTER6 hF ZNetwork Overload is a counter of instances where a threshold for the percentage change in network utilization is exceeded. Network utilization is compared to the utilization for the previous time segment. The default threshold is a 40% change in network utilization; however, this value can be changed from the Expert Thresholds tab in the Configuration Module Settings... menu. A count of all instances where the threshold is reached displays in the Overview tab of Expert View.82 ' "EXPERT SYMPTOMh@( uNetwork Overload events are automatically logged as exp@ ert symptoms. The Symptom Summary field in the Analysis Table provides information about the change in utilization. For example:<@* $$%Utilization=42:@A' &EXPERT DIAGNOSISJ@NB, &=__________________________________________________________________ Problem Description: The utilization expert threshold has been exceeded for this segment, resulting in a LAN Overload symptom.__________________________________________________________________ Probable Cause(s): AC2 2/VL61. The network is overloaded. 2. Variations in application traffic patterns.3. Heavy Internet usage.4. Too many broadcast/multicast packets. ]NBC( __________________________________________________________________ Recommended Action(s):CZD. *!VL61. Load balance your network.2. If you see repeated overloads and/or too many retransmissions, your router or switch may needed upgrading.*CD' AZDD1;44DD GNew MAC Stations:DD' &New MAC Stations1 D0E' COUNTERD G) aNew MAC Stations is a counter of all the new MAC stations over a period of time per segment. A threshold for this counter can be set in Expert Alarms. The threshold for new MAC stations is typically set to 1 as an absolute value.The new MAC station counter detects new MAC stations (nodes) on a LAN segment. After a segment is stabilized with a specific number of stations, this counter can indicate possible intruder stations.D0EMG1?ʂ44MGGNNFS Retransmissions= GG' ,NFS Retransmissions1 MGG' COUNTERGH( NFS Retransmissions is a counter of all NFS Retransmissions over a period of time per segment. A count of all NFS Retransmissions displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.8GI' "EXPERT SYMPTOMHJ( NFS retransmission events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the addresses of the client and server involved. For example:nDInJ* $Client [206.250.228.69] retransmitting to Server [206.250.228.14]:JJ' &EXPERT DIAGNOSISP#nJK- (G__________________________________________________________________ Problem Description: There is a retransmission of an NFS request packet as the RPCidentifier for this connection has been reused. __________________________________________________________________ Probable Cause(s): RJJM3 4?VL61. An NFS data maybe transmitted over several fragmented IP packets.If any of the IP fragments are missing, it will result in a retransmission. 2. The network is overloaded. 3. The path to the receiving station has long delays. 4. There may be an overloaded switch or router. \KM( __________________________________________________________________Recommended Action(s):JMN/ ,7VL61. Check if there are any missing IP fragments.2. If you see repeated delays and too many retransmissions, your router or switch may need upgrading.GMN1N 45NONon Responsive Station@NO' 2Non Responsive Station1 NPO' COUNTER)O@ NNon Responsive Station is a counter of all non-responsive stations over a period of time per segment. A non-resPONponsive station is defined as successive TCP/IP retransmissions over the same connection that are greater than a threshold value. The default threshold is 3 successive retransmissions; however, this value can be changed from the Expert Thresholds tab in the Configuration Module Settings... menu ICMP Protocol Unreachable events are counted in the ICMP All Errors8PO' "EXPERT SYMPTOM( Non Responsive Station events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides the IP address of the non-responsive station. For example:U+* $VStation [206.250.228.11] not responding :5' &EXPERT DIAGNOSISR&, &M__________________________________________________________________ Problem Description: The successive retransmissions expert threshold has been exceeded, resulting in a Non Responsive Station symptom.__________________________________________________________________ Probable Cause(s): '54 6VL61. The ACK sent by the receiver was lost. 2. The network is overloaded.3. The path to the receiving station has long delays. 4. There may be a problem with the receiver's TCP/IP stack.5. There may be an overloaded switch or router.]3( __________________________________________________________________ Recommended Action(s):. *VL61. Load balance your network.2. If you see repeated delays and too many retransmissions, then your router or switch may need upgrading.*3' @X145X?OSPF Broadcasts9' $OSPF Broadcasts1 X‡' COUNTER}T?) OSPF Broadcasts is a counter of all OSPF broadcasts over a period of time per segment. A count of all OSPF broadcasts displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.If OSPF broadcasts fall below a certain threshold, this may indicate that a OSPF router is not functioning properly.P‡155؉|Overload Utilization PercentageI"?؉' DOverload Utilization Percentage1  ' COUNTERsH؉|+ $Overload Utilization Percentage counts bits over time and compares this value to the maximum utilization possible (bandwidth). A threshold for this percentage value can be set in Expert Alarms.Overload utilization percentage can help catch network overloads. The default for a 100MB network is 25% of maximum utilization.D 15[5Overload Frame Rate=|' ,Overload Frame Rate1 .' COUNTERlA+ $Overload Frame Rate counts frames over a one-second time period. A threshold for the number of frame per second can be set in Expert Alarms.Overload Frame Rate can help catch network overloads. Values for the threshold can range from 1 to 148,800 frames/sec for a 100 MB network. The default is 37,200 frames/sec.@.ڍ15$5ڍFPhysical Errors9' $Physical Errors1 ڍD' COUNTER~8F ZqThe Physical Errors counter increments when a change in the number of total MAC physical errors per second exceeds a threshold. Physical errors include CRC/alignment errors, dropped events, collisions, jabbers, oversize packets, undersize packets, and fragments. The default threshold is a delta of 400 physical error packets per second; however, this value can be changed Dfrom the Expert Thresholds tab in the Configuration Module Settings... menu. A count of all instances where the threshold is reached displays in the Overview tab of Expert View. 8D' "EXPERT SYMPTOM( Physical Error events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the rate of change for total MAC physical errors. For example:IF* $>Rate of change of Errors=450:' &EXPERT DIAGNOSISEF, &3__________________________________________________________________ Problem Description: The errors threshold has been exceeded for this segment, resulting in a MAC Physical Errors symptom.__________________________________________________________________ Probable Cause(s): !2 2VL61. The network is overloaded. 2. A faulty hub/switch/router device.3. A hub may have been incorrectly used. For example, an uplink port may have been used as a data port.4. An end station may have a faulty network interface card.]k( __________________________________________________________________ Recommended Action(s):F. *[VL61. Restart capture after setting up a filter to capture error packets (only). 2. Based on the capture results, isolate the device that is in error and fix the problem.?k1[55fRIP Broadcasts8F' "RIP Broadcasts1 ' COUNTERxOf) RIP Broadcasts is a counter of all RIP broadcasts over a period of time per segment. A count of all RIP broadcasts displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.If RIP broadcasts fall below a certain threshold, this may indicate that a RIP router is not functioning properly.?1$55SAP Broadcasts8f' "SAP Broadcasts1 ' COUNTERxO) SAP Broadcasts is a counter of all SAP broadcasts over a period of time per segment. A count of all SAP broadcasts displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.If SAP broadcasts fall below a certain threshold, this may indicate that a SAP router is not functioning properly.@1c 566TCP/IP Long Ack9' $TCP/IP Long Ack1 0' COUNTER7gF ZThe TCP/IP Long Ack counter increments when the TCP/IP acknowledgement for a connection is not seen for greater than a threshold value, measured in milliseconds. The default threshold is no acknowledgement for 200 milliseconds; however, this value can be changed from the Expert Thresholds tab in the Configuration Module Settings... menu. A count of all TCP/IP Long Ack events displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.80' "EXPERT SYMPTOM/g( TCP/IP Long Acks are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the acknowledgement time and the well-known ports(WKP) involved, including the port number and the IP address. For example:\T* $Ack Time= [300 ms] between [206.250.228.69]/[TCP/IP WKP:1988] and [206.250.228.11]/[SMTP]!( 3The time required to acknowledge a TCP/IP packet is calculated for every packet. When a value exceeds 200ms, the event is logged asT! an Expert Symptom.:T[' &EXPERT DIAGNOSIS8 !- (__________________________________________________________________ Problem Description: A TCP/IP ACK (Acknowledgment) has taken longer than 200 msecto arrive to the sender. __________________________________________________________________ Probable Cause(s): I[4 6+VL61. The receiver which generated the ACK was very busy. 2. The network is overloaded. 3. The path to the sender from the receiver has long delays. 4. There may be a problem with the receiver's TCP/IP stack. 5. There may be an overloaded switch or router in the path.\`( __________________________________________________________________Recommended Action(s):~ . ,VL61. Load balance your network.2. If you see repeated delays and long acknowledgements, your receiver may need upgrading.*`6' G }15 6}& TCP/IP Retransmissions@6' 2TCP/IP Retransmissions1 }' COUNTER ) TCP/IP Retransmissions is a counter of all TCP/IP Retransmissions over a period of time per segment. This variable counts the number of retransmitted packets to measure excessive retransmission in TCP/IP. A count of all TCP/IP Retransmissions displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms. Retransmissions are determined by sweeping the capture data periodically to catch connections that retransmitted within an interval.81' "EXPERT SYMPTOMI( TCP/IP Retransmissions are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the well-known ports(WKP) involved, including the port number and the IP address. For example:}S1* $Between [206.250.228.69]/[TCP/IP WKP:1988] and [206.250.228.11]/[TCP/IP WKP:197]:I ' &EXPERT DIAGNOSISj . *__________________________________________________________________ Problem Description: A TCP/IP packet has been retransmitted as the sequence numberis being repeated. There was no ACK (acknowledgement),from the receiver, causing the sender to retransmit the packet. __________________________________________________________________ Probable Cause(s): (  4 6VL61. An ACK sent by the receiver was lost. 2. The network is overloaded. 3. The path to the receiving station has long delays. 4. There may be a problem with the receiver's TCP/IP stack. 5. There may be an overloaded switch or router.\ D ( __________________________________________________________________Recommended Action(s):  / ,VL61. Load balance your network.2. If you see repeated delays and too many retransmissions, your router or switch may need upgrading.*D & ' C i 16 6i  6TCP/IP RST Packets<&  ' *TCP/IP RST Packets1 i  ' COUNTER`7 6) oTCP/IP RST Packets is a counter of all TCP/IP RST Packets over a period of time per segment. This variable counts the number of RST responses to monitor resets in TCP/IP. A count of all TCP/IP RST packets displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.B x1 6=6xGTCP/IP SYN Attack;6' (TCP/IP SYN Attack1 x @' COUNTER @6 BF ZThe TCP/IP SYN Attack counter increments when a change in the number of SYN requests per second exceeds a threshold. The default threshold is a delta of 100 SYN requests per second; however, this value can be changed from the Expert Thresholds tab in the Configuration Module Settings... menu. A count of all TCP/IP SYN Attack events displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.8 @OB' "EXPERT SYMPTOMBGjH' .TCP/IP Window Frozen1 ,HH' COUNTERjHJF ZThe TCP/IP Window Frozen counter increments when the TCP/IP window is frozen for greater than a threshold value, measured in seconds. The default threshold is a frozen window of 5 seconds; however, this value can be changed from the Expert Thresholds tab in the Configuration Module Settings... menu. A count of all TCP/IP Window Frozen events displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.8HJ' "EXPERT SYMPTOMCJ+L( 7TCP/IP Window Frozen events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the frozen window size, duration, and the well-known ports(WKP) involved, including the port number and the IP address. For example:eJL* $Frozen at 29909 for [19 ms] between [206.250.228.69]/[TCP/IP WKP:1988] and [206.250.228.11]/[SMTP]u+LWN( A frozen window event is defined as the TCP/IP window size remaining the same for all packets over a 5 second period for one connection in one direction. If only one packet is detected over the 5 second interval, this is also logged as a TCP/IP frozen window event. Events of this type can indicate when a problem with the TCP/IP connection or excessive network traffic.:LN' &EXPERT DIAGNOSISWNM. *__________________________________________________________________ Problem Description: A TCP/IP packet has the window size stuckfor longer than 5 secs. If the window size is less than the maximum,then the flow of data is restricted as the sender will not exceed the receiver's window size. ________________________NMG__________________________________________ Probable Cause(s): Nb3 4VL61. The receiver is overloaded. 2. The receiver has run out of buffer space. 3. There may be a problem with the receiver's TCP/IP stack. 4. There may too many connections to the receiver causingreduced buffer space. \M( __________________________________________________________________Recommended Action(s):b0 .VL61. Upgrade the receiver's CPU and or Memory.2. Reduce the number of connections to the receiver.3. Increase the network bandwidth.C1% =6 7TCP/IP Zero Window<' *TCP/IP Zero Window1 P' COUNTERg>) }TCP/IP Zero Window is a counter of all TCP/IP Zero Window events over a period of time per segment. A count of all TCP/IP Zero Window events displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.All TCP/IP zero window events are also counted as frozen window events.8P' "EXPERT SYMPTOM3 "( TCP/IP Zero Window events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the time, location, and the well-known ports(WKP) involved, including the port number and the IP address. For example:`* $Stuck at 0 for [14 ms] between [206.250.228.69]/[TCP/IP WKP:1988] and [206.250.228.11]/[SMTP]"( kThe TCP window size is examined for every packet to check against a window size of zero. If the window size remains zero for 5 seconds for one connection in one direction, the event is logged. If only one packet with a zero window size is detected over the 5 second interval, this is also logged as a TCP/IP zero window event. Events of this type indicate when a receiver's buffer is full which can indicate problems with the network.:È' &EXPERT DIAGNOSIS}O@. *__________________________________________________________________ Problem Description: A TCP/IP packet has zero window sizefor longer than 5 secs. The receiver is shutting downcommunication and will accept no more data from the other end. __________________________________________________________________ Probable Cause(s): c.È5 8]VL61. The receiver is overloaded. 2. The receiver has run out of buffer space. 3. The non-responsive receiver intends the sender to close the connection. 4. There may be a problem with the receiver's TCP/IP stack. 5. There may too many connections to the receiver causingreduced buffer space.\@'( __________________________________________________________________Recommended Action(s):0 .%VL61. Upgrade the receiver's CPU and or Memory.2. Reduce the number of connections to the receiver.3. Increase the bandwidth of your network.*'' CV1V7 7VTotal MAC Stations<' *Total MAC Stations1 VÍ' COUNTER* "Total MAC Stations is a counter of all the MAC stations over a period of time per segment. A count of all MAC stations displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.The MAC station counter helps detect excessive MAC stations (nodes) on a LAN segment. This helps indicate possible intruder stations as well as help the network manager limit and control the number of stations allowed on a segment.HÍ 1 7w7 MTotal Router Broadcasts AM' 4Total Router Broadcasts1 ~' COUNTER|SM) Total Router Broadcasts is a counter of all total router broadcasts over a period of time per segment. A threshold for this counter can be set in Expert Alarms for total router broadcasts.If total router broadcasts go above a certain threshold, this may indicate that a router in the network is generating excessive broadcast messages.= ~71 7u77m>Unstable MST6m' Unstable MST1 7' COUNTER mF ZThe Unstable MST counter increments when a change in the number of MST topology changes per second exceeds a threshold. The default threshold is a delta of 5 topology changes per second; however, this value can be changed from the Expert Thresholds tab in the Configuration Module Settings... menu. A count of all Unstable MST events displays in the Overview Tab of Expert View. A threshold for this counter can be set in Expert Alarms.( qMST topology changes are topology changes required to support IEEE 802.1d (Minimum Spanning Tree). Excessive topology changes infer that the Minimum Spanning Tree (MST) is unstable.8' "EXPERT SYMPTOM( Unstable MST events are automatically logged as expert symptoms. The Symptom Summary field in the Analysis Table provides information about the rate of change for the MST topology. For example:J * $@Rate of change of Topology=10:1' &EXPERT DIAGNOSIStH, &__________________________________________________________________ Problem Description: The threshold for the number of IEEE 802.1D packets with topology change bit has been exceeded for this segment. The Spanning tree may be unstable.__________________________________________________________________ Probable Cause(s): 1S. *VL61. There may be too many configuration changes for the bridge or switch. 2. There may be a temporary loss of connectivity.]( __________________________________________________________________ Recommended Action(s):f;S>+ &vVL61. Identify the device causing this message and fix it.S"1 w7Hints and Tips for Expert FeaturesL%>' JHints and Tips for Expert FeaturesT\+ &V:H1.Double-click any symptom in the Analysis Table to view Diagnostic information.a4 6VL62.You can jump directly to the frame in Capture View that is associated with the expert symptom. Select (single-click) the expert symptom from the Analysis Tab using the Right Mouse Button. Select the Go To Frame option. The frame associated with the expert symptom displays in Capture View. 3.When looking at Expert View in Monitor only mode, no Frame ID displays for Expert Symptoms detected and you cannot examine a frame related to a symptom. If you think you'll need to look at specific frames related to Expert Symptoms, look at the frame information in the capture buffer or in a capture file.\6 :V:H4.Click, hold, and drag a column border to resize columns in any Expert View Table. Increasing the size of the Symptom column gives you a view of the complete name of the symptom.5.Click, hold, and drag a column border to remove columns in any Expert View Table. Double-click on the same column border to bring back the display of a column.6.Duplicate addresses appear both in the Duplicate Network Address Table and as a symptom in the Analysis Table of Expert Vie>w.BRL fV:H)7.You can directly access statistics about a particular host associated with an expert event. From the Expert Overview table, click on any of the counters underlined in blue to see the symptoms broken down by host or conversation. You can then click on the host for more in-depth statistics.8.Thresholds can be set for Expert Symptoms. Select Module Settings from the Configuration menu and choose the Expert Thresholds Tab. Change the threshold value for any of the listed symptoms.jd V:H9.Expert Symptoms can be selectively disabled. Select Module Settings from the Configuration menu and choose the Expert Symptoms tab. Remove the check from the Expert Symptoms you wish to disable.10.Expert Symptoms can be displayed in the Summary field of Capture View. From the Configuration menu, select Capture View Options Display and select the Display Expert Symptom check box. Packets that trigger an expert symptom and have expert symptom information will display in reverse video. RK dV:H11.Expert Views can be disabled on a per module basis. Select Module Settings from the Configuration menu and choose the Modes Tab. Remove the check from the Expert Views box.< 19Go To Frame59' Go To FrameX( From the Analysis Tab within Expert View, you can jump directly to the frame in Capture View that is associated with the expert symptom. The go to frame option works only in Capture mode. In Monitor mode, the frame selection option is disabled.9"4 6-V:H1.Select (single-click) the expert symptom from the Analysis Tab of Expert View using the Right Mouse Button.2.Select the Go To Frame option.pIX' The frame associated with the expert symptom displays in Capture View.-"* $VL611U $ " > R 1.R  KWhat's New...6  &  &What's New...qFR  + &$A brief synopsis of whats new in Surveyor 3.0 is provided below.H" A & D&Gigabit Analysis Module Support O - (&Surveyor supports Shomitis Gigabit Analysis Module (GAM) analyzer card and the Explorer Gigabit analyzer module. The GAM is a high-speed network analyzer card with an on-board capture/ transmit buffer and filtering for fiber-optic networks. The GAM provides full line-speed capture and transmit for Gigabit Ethernets. GAM analyzer cards install in a PC or in the Gigabit Explorer analyzer. GAM also supports real-time monitoring for network statistics and MAC error counters.2 A  & &Multi-QoSO , &$The optional Multi-QoS plug-in module for Surveyor decodes H.323 packets in an Ethernet environment and presents call and channel information in an easy-to-read table format. Surveyors Multi-QoS plug-in provides important statistics similar to CDR (Call Detail Records) in telephone PBXs that describe conversations carried by the H.323 group of protocols. The table information provides a means to validate QoS parameters of PSTN/IP Gateways, IP switches, and IPBXs.u .@& $Full decode of H.323 provides users with the ability to look at any packet of the previously captured data and understand its contents. Leveraging the existing full-line rate capture of Shomiti hardware and the graphical tools already in Surveyor, the Voice over In plug-in turns a general-purpose protocol analyzer into an effective tool.@  to measure Quality of Service. Bp@& 8&New Filter User Interface.@KA& k$Surveyor provides a new filtering user interface. The new interface is easier to use, and has additional features to create filters. Some of the highlights of the new interface:cp@A- *tȚ:H A single window which contains virtually everything you need to create a basic set of filtersi<KADB- *xtȚ:H Organized filter templates in a browser-type interfaceT'AB- *NtȚ:H Greatly improved logic capabilitytGDB C- *tȚ:H Macro filters -- single filter elements can contain OR conditions[BC- *tȚ:H Separation of template files and exported files makes user-defined templates reusableZ CD- *tȚ:H More format selections for data and offset display (hexadecimal, decimal, and ASCII)RCD- *tȚ:H Ability to correct entry errors without having to clear all previous entriesDLE. * tȚ:H The preservation of the multi-state logic generation feature for advanced filters, while not being required for simple filters<DE( (&HProtocol Decoding~QLEF- *tȚ:H New protocol decodes may be added to Surveyor by inclusion of a .DLL file. \/EbF- *^tȚ:H Many protocol decodes have been enhanced.Z2FF( d&HDisplay of Cumulative Byte Count and ThroughputabFDG' $HCumulative Byte Count and Throughput in bytes per second can now be displayed in Capture View.FI( I$HThe Cumulative Byte Count is a sum of all bytes received to this point in time in a capture file. It displays as a column in Capture View. The Throughput is calculated by dividing the cumulative bytes by the elapsed time. The Throughput also displays as a column in Capture View. The elapsed time is the difference between the module arm time (start time) and the time stamp of the current packet in the capture file.DGJ@ Nk$HThese Capture View counters can be turned on and off in the Capture View Display Options dialog box accessed from the Configuration Capture View Options Display menu.AIFJ( 2&HOther Helpful Features`JJ- *tȚ:H Support for Datacom switches for complex Explorer configurations in switched environments.uHFJHK- *tȚ:H New Expert symptoms are displayed for TCP and IP header checksums.IJK- *8tȚ:H Enhanced NDIS support.?HKK1 KLAbout Surveyor7KL& "&About SurveyorKN> Jy$=n"SڀSurveyor is an intuitive, graphical Windows 95/98/NT application for managing and troubleshooting Ethernet, Fast Ethernet, Gigabit Ethernet, and Token Ring Networks. Surveyor typically interfaces to one or more hardware devices called Century Media Modules (CMM2) or Gigabit Analysis Modules (GAM) to achieve line-rate performance. Surveyor can simultaneously capture, monitor, and analyze multiple devices and analyze captured data.eLO' &Surveyor is an integrated analyzer + monitor for local area networks. Features such as real-time network statistics, 7-layer packet decode and analysis, expert diagnostic analysis, advanced alarm setting and actions, multi-layer filtering, packet slicing, and automatic name table updating provide you with a robust network analysis and monitoring tool.0 Nɀ& $Surveyor incorporates comprehensive real-time monitoring capabilities with tOɀKhe powerful troubleshooting capabilities of a protocol analyzer. These capabilities can function simultaneously, enabling a user to maintain the network using a single multi-purpose tool.Oz' $An optional Expert plug-in includes expert features for automatic and very detailed problem diagnosis. Expert logic internal to Surveyor reports significant symptoms as well as any information related to the symptom. No configuration is required to use Expert. You can also set alarms to be informed of any events detected by Expert.Upon startup, Surveyor automatically begins monitoring all of the network segments locally attached to the PC. An optional Remote plug-in software module gives Surveyor the capability to monitor any remote 10/100/1000 Ethernet or 4/16 Token Ring segment that has Surveyor or Shomiti analysis hardware installed. ɀB6 :%$*Surveyors two-tier GUI provides both an extensive view of a network as well as the ability to drill down to a specific network segment. Surveyors main window provides a view of all of the segments being monitored. You can define what information to view for each segment such as network utilization, protocol distribution, MAC stations, etc. In this same window, Surveyor allows you to create alarms that monitor multiple segments simultaneously. To focus on a particular segment, double-click on a remote device in that segment. You can simultaneously set capture filters, view full 7-layer decodes of captured packets and display multiple real-time MAC, network and application layer statistics to understand the status and performance characteristics of the network segment. VLAN breakdowns, network conversations, and real-time protocol decode summaries provide an extra layer of intelligence. {z% $Optional plug-ins are available to decode and analyze H.323 traffic and to transmit packets over the local area network.@B"1 "ZAbout NDIS Mode8Z& $&About NDIS Modey"& $Surveyor in NDIS mode uses an NDIS driver and interfaces to a variety of network adapters. All basic capture, transmit, and monitor functions are the same in NDIS mode. However, it is not recommended that an NDIS module be used to transmit packets; the transmit rate is likely to fall below the specified transmission rate and transmission of error packets is not supported.ZF Z$The limitations and unique interface capabilities in the software interface when using an NDIS driver are described below: Captured Packets - Since the NDIS interface filters out frames with errors, only good Ethernet frames are captured. In addition, Surveyor in NDIS mode captures both frames received by the Ethernet adapter as well as frames transmitted by the Ethernet adapter.Counters - The error counters supported through the NDIS interface are those counters supported by the network adapter. Some vendors do not support any error counters. Only supported error counters are incremented and shown within data views.r\* $$Rx Counter Display - Counters not supported by the NDIS module will display with an "N/A" next to the counter.G* $:$Transmit Specification - b5\- *jV:H Transmission of error packets is not supported.W3 6V:H The minimum and maximum values for the Packet Size field are 64 and 1518 bytes.{7- *V:H The radio button for setting the packet gap in microseconds is grayed. Packet gaps in microseconds are not supported.Q3 6V:H Entering a zero in the Packet Gap field forces the shortest gap possible.7+ $O$HCapture Rate / Transmit Speed - Capture/transmit rates depend on the network adapter and the CPU. Typically, the rate will fall below the line rate of the network.E( :&HNDIS Configuration OptionsgEI `=$HInterface and Module References - The Interface and Interface Mode options are grayed on the Module menu when an NDIS module is the currently selected module. The Identify option on the Module menu is grayed and does not function when the current module is an NDIS module.K + $A$HSet Capture Buffer and Packet Slicing Size - The capture buffer memory size can be set in increments that double from 64K to 16MB. The buffer size uses physical memory and the size settings are automatically updated by Surveyor depending on the system resource to an appropriate size./E, (tA}AY(1iSurveyor Help System Version InformationQ+i& V&Surveyor Help System Version Informationt>6 <~$"bSurveyor Help System, Version 3.0Shomiti Systems, Inc.Li)1)m Contacting Customer SupportDm& <&Contacting Customer SupportnI)% $There are several ways to contact Shomiti Systems if you need support.m8 >tA}ACustomer Support Phone(408) 437-4059Customer Support FAX(408) 437-4041Internet Addresssupport@shomiti.comWorld-Wide Webhttp://www.shomiti.comMailing AddressShomiti Systems, Inc.1800 Bering DriveSan Jose, CA 95112+ ( $A1Q1UQu$ u" MQ1qĈ9dFrame Size Distribution ViewEu& >&Frame Size Distribution View 9 @$"+Frame size distribution is available as a table or a chart. From Detail View, click on the button to open a window with frame size distribution view. From Summary View, set the view preferences to Frame Size Distribution to see this view in the first tab.NOTES: When using CMM2 or GAM modules, frame sizes of less than 64 bytes are not counted or displayed in Frame Size Distribution view.When using an NDIS module, the byte count in Frame Size Distribution view includes the 4 bytes of the Frame Check Sequence; however, for other views, these 4 bytes are not counted for each packet. Therefore, the total-byte counters in other views will be different than total-byte counters in Frame Size Distribution view./C' CHART ( =$Each range of frame sizes is expressed as a percentage of the total number of frames counted. The chart can be toggled between a pie chart and a bar graph./C8' TABLE ( $Frame size distribution view as a table shows a range of frame sizes expressed as a percentage of the total number of frames counted. %8q J$C!,PI(`Surveyor.hlp',`Columns_for_Frame_Size_Distribution_View') Click here to see table columns.2 ' SEE ALSOT$0 0H$gHwHints and Tips on Using Views _/d0 0^$>Setting the Monitoring View for a Module K1"9:gProtocol Distribution ViewCd& :&Protocol Distribution View7 Setting the Monitoring View for a Module @1Ĉ9: Host Table View8g& $&Host Table View 7 <$"/From Detail View, click on the button to open a window with Host Table View. From Summary View, set the view preferences to Host Table to see this view in the first tab.Host Table View is available as a chart showing the ten MAC stations with the most traffic or as table showing all MAC stations. Click on the tab at the bottom of the window to select table or chart.The station address and name are provided in the table or chart. If a Surveyor name table exists with an address-to-name entry for this station, the Station Name field will be the station name in the name table. If no entry in a Surveyor name table exists, the name of the Station Name field will be the vendor's ID followed by the last 6 bytes of the station address.]8\% p$GAM devices do not support this view in monitor mode./' CHART*\ ( $Host Table View as a chart shows only ten MAC stations. The ten stations displayed are those transmitting the largest relative percentage of frames. The chart can be customized to show the "top ten" stations based on a different station information field./ ' TABLE  ( $Host Table View as a table shows network activity from the view of MAC stations. The table lists statistics for all stations found. The table can be customized to include other columns of information, or to delete columns you don't want to see.%  d J$rC!,PI(`Surveyor.hlp',`Columns_for_Host_Table_View') Click here to see table columns._  ' $Press the right mouse on any table entry to create a filter using the selected MAC station. 2 D ' SEE ALSOT$  0 0H$gHwHints and Tips on Using Views ND  0 0<$2&]Customizing Chart Views N 4 0 0<$㶣Customizing Table Views _/  0 0^$>Setting the Monitoring View for a Module N4  1q :b: 'FNetwork Layer Host Table ViewF '& @&Network Layer Host Table Viewt @7 <$"0From Detail View, click on the button to open a window with Network Layer Host Table View. From Summary View, set the view preferences to Network Layer Host Table to see this view in the first tab.Network layer host table view is available as a chart showing the ten network stations with the most traffic or as a table showing all network stations. Click on the tab at the bottom of the window to select table o'@ r chart.The station address and name are provided in the table or chart. The name and address will be the same if Surveyor does not have a name table with an address-to-name correspondence for this station. ]8';A% p$GAM devices do not support this view in monitor mode./@jA' CHART<;AB( )$Network Layer Host Table View as a chart shows only ten network stations. The ten stations displayed are those transmitting the largest relative percentage of frames. The chart can be customized to show the "top ten" stations based on a different station information field./jAB' TABLEBC( $Network Layer Host Table View as a table shows network activity from the view of network stations. The table lists statistics for all stations found. The table can be customized to include other columns of information. %BrDr J$Cx!,PI(`Surveyor.hlp',`Columns_for_Network_Layer_Host_Table_View') Click here to see table columns.cCD' $Press the right mouse on any table entry to create a filter using the selected network station. 2 rD.E' SEE ALSOT$DE0 0H$gHwHints and Tips on Using Views N.EE0 0<$2&]Customizing Chart Views NEF0 0<$㶣Customizing Table Views _/E}F0 0^$>Setting the Monitoring View for a Module *FF' $*}FF' $R!F#G1 :5;#GmGƀApplication Layer Host Table ViewJ$FmG& H&Application Layer Host Table ViewzC#GI7 <$"1From Detail View, click on the button to open a window with Application Layer Host Table View. From Summary View, set the view preferences to Application Layer Host Table to see this view in the first tab.Application Layer Host Table View is available as a chart showing the ten network stations with the most traffic or as a table showing all network stations.The network station address and name are provided in the table or chart. The name and address will be the same if Surveyor does not have a name table with an address-to-name correspondence for this station. ]8mGDJ% p$GAM devices do not support this view in monitor mode./IsJ' CHARTR*DJK( U$Application Layer Host Table View as a chart shows only ten applications over network stations. The ten stations displayed are those transmitting the largest relative percentage of frames. The chart can be customized to show the "top ten" stations based on a different station information field./sJK' TABLEKM( I$Application Layer Host Table View as a table shows network activity from the view of application protocols running on network stations. The table lists all application protocols found on each network station. Each network station may have many application protocols in use. The table lists statistics of all applications within the stations found. The table can be customized to include other columns of information.%K[Nv J$C^!,PI(`Surveyor.hlp',`Columns_for_Application_Layer_Host_Table_View') Click here to see table columns.cMN' $Press the right mouse on any table entry to create a filter using the selected network station. 2 [NO' SEE ALSOT$NkO0 0H$gHwHints and Tips on Using Views NOO0 0<$2&]Customizing Chart Views NkO0 0<$㶣Customizing Table VieOFws _/Or0 0^$>Setting the Monitoring View for a Module *' $*rƀ' $A1b:;@Host Matrix View9ƀ@& &&Host Matrix View2r7 <$"2From Detail View, click on the button to open a window with Host Matrix View. From Summary View, set the view preferences to Host Matrix to see this view in the first tab.Host Matrix View is available as a chart showing the ten MAC conversations with the most traffic or as a table showing all MAC conversations. Click on the tab at the bottom of the window to select table or chart.The station addresses and names are provided in the table or chart. If a Surveyor name table exists with an address-to-name entry for this station, the Station Name field will be the station name in the name table. If no entry in a Surveyor name table exists, the name of the Station Name field will be the vendor name followed by the last 6 bytes of the station address.]8@τ% p$GAM devices do not support this view in monitor mode./r' CHART3 τ1( $Host Matrix View as a chart shows only ten MAC conversations. The ten conversations displayed are those transmitting the largest relative percentage of frames. The chart can be customized to show the "top ten" conversations based on a different information field. /`' TABLE1V( $Host Matrix View as a table shows network activity from the view of MAC station pairs. The table lists statistics for all pairs found. The table can be customized to include other columns of information.%`e J$tCŨ!,PI(`Surveyor.hlp',`Columns_for_Host_Matrix_View') Click here to see table columns.dVk' $Press the right mouse on any table entry to create a filter using the selected MAC conversation. 2 ' SEE ALSOT$k0 0H$gHwHints and Tips on Using Views N?0 0<$2&]Customizing Chart Views N0 0<$㶣Customizing Table Views _/?0 0^$>Setting the Monitoring View for a Module J61|5;';6xNetwork Layer Matrix ViewBx& 8&Network Layer Matrix Viewq6 7 <$"3From Detail View, click on the button to open a window with Network Layer Matrix View. From Summary View, set the view preferences to Network Layer Matrix to see this view in the first tab.Network Layer Matrix View is available as a chart showing the ten network conversations with the most traffic or as a table showing all network conversations. Click on the tab at the bottom of the window to select table or chart.The station addresses and names in the conversation are provided in the table or chart. The name and address are the same if Surveyor does not have a name table with address-to-name correspondences.]8x}% p$GAM devices do not support this view in monitor mode./ ' CHART>}( -$Network Layer Matrix View as a chart shows only ten network conversations The ten conversations displayed are those transmitting the largest relative percentage of frames. The chart can be customized to show the "top ten" conversations based on a different information field./' TABLE(( $Network Layer Matrix View as a table shows network activity from the view of network station pairs. The table lists statistics for all pairs found. The table can be customized to include oth(er columns of information.%n J$CΨ!,PI(`Surveyor.hlp',`Columns_for_Network_Layer_Matrix_View') Click here to see table columns.h(J' $Press the right mouse on any table entry to create a filter using the selected network conversation. 2 |' SEE ALSOT$J0 0H$gHwHints and Tips on Using Views N|0 0<$2&]Customizing Chart Views Nl0 0<$㶣Customizing Table Views _/0 0^$>Setting the Monitoring View for a Module Nl1o ;ڇ;_Application Layer Matrix ViewF _& @&Application Layer Matrix Views 7 <$"4From Detail View, click on the button to open a window with Application Layer Matrix View. From Summary View, set the view preferences to Application Layer Matrix to see this view in the first tab.Application Layer Matrix View is available as a chart showing the top ten application conversations or as a table showing all application conversations. Click on the tab at the bottom of the window to select table or chart.The station addresses and names in the conversation are provided in the table or chart. The name and address are the same if Surveyor does not have a name table with address-to-name correspondences._' $From Application Layer Matrix View you can save the data in Optimal CSV format.GAM devices do not support this view in monitor mode./ ' CHARTS+:( W$Application Layer Matrix View as a chart shows only ten application over network conversations The ten conversations displayed are those transmitting the largest relative percentage of frames. The chart can be customized to show the "top ten" conversations based on a different information field./i' TABLE5 :( $Application Layer Matrix View as a table shows network activity from the view of applications over network station pairs. The table lists statistics for applications within all station pairs found. The table can be customized to include other columns of information.%i5r J$Ce!,PI(`Surveyor.hlp',`Columns_for_Application_Layer_Matrix_View') Click here to see table columns.h' $Press the right mouse on any table entry to create a filter using the selected network conversation. 2 5' SEE ALSOT$J0 0H$gHwHints and Tips on Using Views N0 0<$2&]Customizing Chart Views NJ0 0<$㶣Customizing Table Views _/E0 0^$>Setting the Monitoring View for a Module X(0 0P$$IExport Data to Optimal CSV Format : E1';< VLAN View2  & &VLAN View%7 <$"5From Detail View, click on the button to open a window with VLAN View. From Summary View, set the view preferences to VLAN to see this view in the first tab.VLAN View is available as table showing statistics or as a chart showing the ten virtual LANs with the most traffic. Click on the tab at the bottom of the window to select table or chart. The only virtual LAN protocol recognized at this time is Cisco's ISL protocol.GAM devices do not support this view in monitor mode./ T' CHART%r( $VLAN View as a chart shows only ten VLANs. The ten stations displayed are those with the largest relative percentage of frames. TheTr chart can be customized to show the "top ten" conversations based on a different information field./T' TABLErJr( $VLAN View as a table shows network activity from the view of virtual LAN traffic. The table lists statistics for all VLANs found. The table can be customized to include other columns of information. You can double-click on any VLAN ID and see a network layer host table view or a network conversation matrix view for that VLAN.%^ J$fC!,PI(`Surveyor.hlp',`Columns_for_VLAN_View') Click here to see table columns.2 ' SEE ALSOT$0 0H$gHwHints and Tips on Using Views Nj0 0<$㶣Customizing Table Views _/0 0^$>Setting the Monitoring View for a Module Ej1ڇ;<GAddress Mapping View9G& &&Address Map View#j6 :$"6From Detail View, click on the button to open a window with Address Map View. From Summary View, set the view preferences to Address Map View to see this view in the first tab.GAM devices do not support this view in monitor mode./G' TABLE^6j( m$Address Mapping View is available as table showing all associations between MAC station names and addresses and network station names and addresses. MAC-Network association view is not available as a chart. Use this table if you need to determine what MAC stations are associated with what network stations.%i J$|Cť!,PI(`Surveyor.hlp',`Columns_for_Address_Mapping_View') Click here to see table columns.2 ' SEE ALSOT$ 0 0H$gHwHints and Tips on Using Views NY0 0<$㶣Customizing Table Views _/ 0 0^$>Setting the Monitoring View for a Module *Y' $G) 1;<Z<) h rDuplicate Address View?h & 2&Duplicate Address ViewI)  7 <'$"7From Detail View, click on the button to open a window with Duplicate Address View. To see Duplicate Address View in Summary View, set the view preferences to Duplicate Address View to this view in the first tab.GAM devices do not support this view in monitor mode./h  ' TABLEQ) 1 ( S$Duplicate Address View is available as table showing all duplicate network addresses. MAC station names and addresses and network station names and addresses. Duplicate Address View is not available as a chart. Use this table if you need to determine what stations may have duplicate addresses.  ( I$If you are monitoring a remote device, you must open one of the host tables for that remote device for new duplicate addresses to show in Duplicate Address View.%1  k J$Cǥ!,PI(`Surveyor.hlp',`Columns_for_Duplicate_Address_View') Click here to see table columns.2  ' SEE ALSOT$ 0 0H$gHwHints and Tips on Using Views _/ r0 0^$>Setting the Monitoring View for a Module < 1<8=XExpert View4r& &Expert ViewdRAt $"8jC!,PI(`Surveyor.hlp',`Columns_for_Expert_View')From Detail View, click on the button to open a window with Expert View. From Summary View, set the view preferences to Expert View to see this view in the first tabRAr.Two tables are available in Expert View, an Overview Table and an Analysis Table. Click on the tabs at the bottom of the window to switch tables. Expert view is not available as a chart. GAM devices do not support this view in monitor mode. Click here to see table columns for both the Overview and the Analysis Table.8A' "ANALYSIS TABLEL$RAC( I$The Analysis table shows each expert symptom found by Surveyor's expert software. When Surveyor finds an event that could indicate a network problem, the event is logged in the table. Frame ID (Capture View only), source address, destination address, VLAN ID, and the timestamp are provided for each entry in the table. Each table entry also shows a summary that provides more information about the symptom. Double-click on any table entry to view complete expert information about the symptom, including suggestions for correcting the problem.qIAGF( $The timestamps when viewing a capture file in the Analysis table will contain the current system time and date, not the time and date when the information was captured. Frames are processed for inclusion in the Analysis table in batches of 100, so it is possible for two frames to have exactly the same timestamp in the Analysis table. The order in which symptoms are displayed is always the same order in which they were encountered in the capture file or buffer. The timestamps for Explorers and Voyagers in the Analysis table increment from the time the device was last started. 8CF' "OVERVIEW TABLEFGFG( =$The Overview table shows a count of all expert symptoms found, displayed by category. The categories for the expert events give you a general picture of the types of expert events that are being discovered. The overview counters are listed below. Click on a counter to find out more.@FI $P罀!gIr(Dg$ˀr[`i0 =>\{ג NICMP All Errors Duplicate Network Address ICMP Destination Unreachable Unstable MST ICMP Redirect SAP Broadcasts Excessive BOOTP OSPF Broadcasts Excessive ARP RIP Broadcasts NFS RetransmissionsISL Illegal VLAN IDTCP/IP SYN AttackISL BPDU/CDP PacketsPsG0L $ o"bѹDr<-` cqH^K㮨*G lTCP/IP RST PacketsIP Checksum Errors TCP/IP RetransmissionsIP Time to Live ExpiringTCP/IP Zero WindowIllegal Network Source AddressTCP/IP Long Acks Illegal MAC Source Address TCP/IP Window Frozen Total MAC Stations Network Overload Broadcast/Multicast Storm Non Responsive Stations Physical Errors q.ILC V\$Osq4XHSRP Errors TCP Checksum Errors ~O0LO/ ,$)More detail is provided for the counters that are underlined in blue in the Overview table. Click on any underlined counter to bring up another table, the Expert Overview Detail table. This table lists the source address, destination address, count, and VLAN ID for all errors of this type. The Expert Overview Detail table allows you to see immediately which stations are responsible for generating the most occurrences for a particular symptom. You can then click on any of the host pairs in the Expert Overview Detail table to bring up a window showing statistics for the host pair. L ) a$Note: When viewing the statistics for a host pair from a remote resource, you must have the Application Layer Matrix View table open for that resource to see the statistics.O r^O( $Only the last 2,001 occurrences of an expert symptom are listed in the Expert Detail table.| se $jCؿ!,PI(`Surveyor.hlp',`Columns_for_Expert_View') Click here to see the table columns for the Expert Overivew Detail table available from symptoms in the Overview tab.2 ' SEE ALSOT$s0 0H$gHwHints and Tips on Using Views _/X0 0^$>Setting the Monitoring View for a Module O1sZ<=0Application Response Time ViewG!X& B&Application Response Time View? -6 :$"9From Detail View, click on the button to open a window with Application Response Time View. From Summary View, set the view preferences to Application Response Time View to see this view in the first tab.GAM devices do not support this view in monitor mode./\' TABLEW/-( _$Application Response Time View is available as table showing connection time and connection number information about application protocols. Application response time view is not available as a chart. Use this table if you want to find out which applications are responding very slowly in the network.%\Ks J$Cϥ!,PI(`Surveyor.hlp',`Columns_for_Application_Response_Time_View') Click here to see table columns.2 }' SEE ALSOT$Kц0 0H$gHwHints and Tips on Using Views _/}00 0^$>Setting the Monitoring View for a Module Gцw1d8==wUtilization/Error View?0& 2&Utilization/Error Viewm4w#9 @m$"-".Utilization/Error view is a simple strip chart that plots network utilization over time. The scale for network utilization changes on-the-fly when a new peak percentage is reached. The time scale also scales automatically as the resource is monitored over time. The graph has an optional watermark showing the highest utilization point. The errors plotted on the graph are the total number of CRC and Alignment errors.From Summary View, set the view preferences to utilization/error to see this view in the first tab. From Detail View, click on the capture button or the transmit button to open a window with the utilization strip chart. From Detail View, the utilization/error chart is presented with the tables of transmit or receive counters. Press the Table tab to see the counter information from this view.7\ n$^C!,JI(`Surveyor.HLP',`Error_CountersTop') Click here to see information on error counters.2 #' SEE ALSOT$<0 0H$gHwHints and Tips on Using Views N0 0<$㶣Customizing Table Views _/<0 0^$>Setting the Monitoring View for a Module D-1=K>-iPacket Summary View<i& ,&Packet Summary Viewf-9 @$Packet summary view shows a real-time protocol decode. Packets received are decoded and the result of the decode is displayed. The packets scroll down the screen as they are decoded. A unique color can be used to display packets of each different protocol layer. Set color coding or change color associations using the Protocol Color Coding tab from the Configuration System Settings menu.From Summary View, set the view preferences to packet summary to see this view in the first tab. From Detail View, select Packet Summary from the Monitor Views menu to open a window with the packet summary viiew. i& G$If you have special decoding or display needs for non-standard protocols, see the topics below on assigning protocol parsers and assigning names to protocols. (Note: Support for non-standard protocols has changed from previous releases. The older method is still supported, but it strongly suggested that you convert to the new method. The newer method provides a general solution that supports any TCP or UDP port.)2 ' SEE ALSOT$c0 0H$gHwHints and Tips on Using Views _/0 0^$>Setting the Monitoring View for a Module T$c0 0H$hSetting Protocol Color Coding Z*p0 0T$b6Assigning Ports to Protocol Parsers S#0 0F$~mFAssigning Names to Protocols Ip 18 HOMAC Statistics (Capture)<H& ,&MAC Statistics (Rx) . *O$MAC Statistics View in capture mode shows module activity and counters during reception of data. It provides a visual reference for what a resource is doing. Counters are incremented as the resource captures packets. This view also provides general information about the resource within the Detail View.The MAC Statistics view in capture mode is shown below. Click on areas of the graphic below for more information.2HO. , $"cJ1 MAC Statistics (Transmit)<O& ,&MAC Statistics (Tx)|. *$MAC Statistics View shows module activity during transmit. It provides a visual reference for what the module is doing. The module identifier and the current mode display in the window title. Counters are incremented as the module performs transmit functions.The MAC Statistics View in transmit mode is shown below. Click on areas of the graphic below for more information.2. , $"d= 1OStatus Graph5#& &ȀStatus Graph' m$The graph area provides a graphic representation of module status. When the module is stopped, the graph area is red. When the module is active, the graph area is a solid green. [*#[1[Top Portion of the Capture/Transmit Window4& &ȀStatus Area'[' $The top portion of the window shows module status information, including the selected port and the link status.If the Interface field shows "No Link" it is likely that the transceiver is not plugged into the selected port or the wrong port is selected.= 1Status Graph5(& &ȀStatus Graph' $The graph area provides a graphic representation of module status. When the module is stopped, the graph area is red and when the module is active, the graph area is a circle surrounded by green.A circular graph of the capture buffer displays during capture mode. The full circle represents the entire capture buffer (4Mb or 16 Mb). The circular graph becomes a solid blue color as the capture buffer is filled. After the module has started collecting packets, if a trigger point set in the capture filter is triggered, a line with a "T" will display showing the relative point in the buffer where the trigger point was set during capture.J(1Graphs and Frame CountersB^& 8&ȀGraphs and Frame CountersuN' $The middle portion of the window shows counters for the number of packets captured/transmitted and displays activity with ^bar graphs. The gray graphs show peak activity. The colored graphs show current activity in frames per second. The totals to the left of the graphs are the totals for frames or bytes received since the module was started. The scale for the number of frames captured/transmitted changes "on-the-fly" when the number of frames per second becomes greater than the current scale. For example, assume a module is in capture mode. When the module begins to capture frames, the scale for number of total frames starts at 100. If the module begins to capture packets at 600 frames per second, the scale and the bar graphs will start to show current activity and peak activity on a scale of 1000 instead of 100 frames per second.@^1gFCustom Counters8W& $&ȀCustom CountersF( $Custom counters are defined in capture filters. When a certain condition in the filter is satisfied, counter 1, 2, or 3 can be incremented as one of the actions taken by the capture filter. Counters are incremented in the Capture/Transmit window as packets are captured. By setting counters, you can visually see in the Capture/Transmit window how many frames of a certain type have been captured. Custom counters are available in capture mode only. ?W1DError Counters7F& "&ȀError CountersaD' $The bottom portion of the window shows error counters. Counters are incremented as packets are captured/transmitted. Counters are different depending on which mode is selected, capture or transmit. Individual error counters do not necessarily add up to the total number of error frames. Single errors may be counted as two or three different types. O1=PHHints and Tips for Using ViewsG!D& B&Hints and Tips for Using ViewsB - (+V:H1.When viewing a table, single click on columns to sort the table data. Click on a column header to list rows in descending order of the values for that column. Click again on a column header and rows will be sorted this time in ascending order. Click on another column header and rows will be sorted by the values in that column. Every click on a column header toggles the sort between ascending and descending order for that column.2.The Summary View allows you to have a single, unique monitor view for each resource module.P l G \V:H㶣3.The fields shown in some tables can be customized. Choose View Options from the View menu in Detail View to change the columns that display for a table. See Customizing Table Views. for more information.4.There are many view windows you can open. You may want to keep the number of open windows to a reasonable level to avoid confusion and conserve system resources.5.The Summary View allows only one type of monitoring view per resource. Go to Detail View to multiple view per resource simultaneously.`  = HV:H6.When viewing charts, hold down both the right and left mouse button and move the mouse to rotate the 3D graphic view.7.Double-click with the left mouse button on the monitor view displayed within Summary View to bring up the Detail View for that resource.8.Use Print from the File menu to print the graph or chart in the currently selected window.9.Cells within a table or entire tables can be exported to an Excel spreadsheet. Go to the table view and select the Export option from the File menu to export the entire table. Information is saved in .CSV format which can be opened from Excel.6l KB/ ,V:H10.Double-click on the MAC Statistics view in Detail View to bring up Capture View.11.Data in a chart will be sorted by the last sorted column in the corresponding table.12.Click the right mouse KBD on a table entry in Host Table, Network Table, Application Table, Host Matrix, Network Matrix, or Application Matrix view to bring up a menu for creating a quick filter. You'll get a choice of creating a capture or display filter unless you are in Capture View. In Capture View, you can only create a display filter. When you make a choice from the menu, the quick filter dialog box opens with the address(es) from the table entry in the address fields for creating a filter. (Quick filters can also be created from the address tables available from Expert View counters.)q> D3 4}V:H13.Click the right mouse button on a table entry in Host Table, Network Table, Application Table, Host Matrix, Network Matrix, or Application Matrix view to bring up a menu for creating a filter. You will get a choice of creating a capture or display filter. When you make a choice from the menu, the Create/Modify Filter window opens with the address(es) from the table entry in the address fields for creating a filter.14.In Capture View, press the F11 key to zoom in on any of the three panes in the window. Press F11 again to restore the view to all three panes. KBF? LV:H)15.To see which capture filter or transmit specification is associated with a particular resource, choose Active TSP and Capture Filter from the Module menu. 16.You can directly access statistics about a particular host associated with an expert event. From the Expert Overview table, click on any of the counters underlined in blue to see the symptoms broken down by host or conversation. You can then click on the host for more in-depth statistics.TDPH3 4V:H17.From the Detail View pane of the Capture View window, you can copy the contents of any field to create a Capture or Display filter. Select the field with the left mouse and then click the right mouse. Selections for copy to capture or display filter appear. Select the option you want and the Create/Modify Filter window appears.LFH1H Columns for Host Table ViewDPHH& <&ȀColumns for Host Table View?HI% 4$Defaults are in italic.IHhI. ,6VS~Table ColumnDescriptionIKk _tS~MAC Station NameName of the MAC stationMAC Station AddressNetwork address of the MAC stationFrames InNumber of frames received by the MAC stationRel % Frames InPercentage of frames received by this MAC station relative to the total number of frames Frames OutNumber of frames sent by the MAC stationRel % Frames OutPercentage of frames sent by this MAC station relative to the total number of frames yhIMb /tS~Bytes InNumber of bytes received by the MAC stationRel % Bytes InPercentage of bytes received by this MAC station relative to the total number of bytes Abs % Bytes InPercentage of bytes received by this MAC station relative to the total network capacity (measured in bytes) Avg. Size InAverage number of bytes contained within frames received by the MAC stationBytes OutNumber of bytes sent by the MAC stationRel % Bytes OutPercentage of bytes sent by this MAC station relative to the total number of bytes TKOO ltS~+Abs % Bytes OutPercentage of bytes sent by this MAC station relative to the total network capacity (measured in bytes)Errors OutNumber of transmittal errors generated by the MAC stationBroadcast OutNumber of broadcast frames generated by the MAC stationMulticast OutNumber of multicast frames generated by the MAC station+MO( $+O ( $O PHZ)Of1qf_Columns for Network Layer Host Table ViewR, & X&ȀColumns for Network Layer Host Table View?f% 4$Defaults are in italic.I@. ,6VS~Table ColumnDescriptionQ] itS~Network Station NameName of the network stationNetwork Station AddressNetwork-layer address of a network stationVLAN IdDecimal number of the virtual LAN. Virtual LANs using Cisco's ISL protocols are the only virtual LANs recognized at this time. Frames InNumber of frames received by the network stationRel % Frames InPercentage of frames received by this network station relative to the total number of frames 2@] tS~Frames OutNumber of frames sent by the network stationRel % Frames OutPercentage of frames sent by this network station relative to the total number of frames Bytes InNumber of bytes received by the network stationRel % Bytes InPercentage of bytes received by this network station relative to the total number of bytes Abs % Bytes InPercentage of bytes received by this network station relative to the total network capacity (measured in bytes)(QT vtS~Avg. Size InAverage number of bytes contained within frames received by the network stationBytes OutNumber of bytes sent by the network stationRel % Bytes OutPercentage of bytes sent by this network station relative to the total number of bytes Abs % Bytes OutPercentage of bytes sent by this network station relative to the total network capacity (measured in bytes) Avg. Size OutAverage number of bytes in the frames sent by the network stationS46 <tS~+Non-Unicast OutNumber of non-unicast frames generated by the network station+_( $^-41 QColumns for Application Layer Host Table ViewY0_) "`&ȂColumns for Application Layer Host Table ViewBX( 4$Defaults are in italic.I. ,6VS~Table ColumnDescriptionvXh tS~Network Station NameName of the network stationNetwork Station AddressNetwork-layer address of a network stationApplicationName of the application protocolVLAN IdDecimal number of the virtual LAN. Virtual LANs using Cisco's ISL protocols are the only virtual LANs recognized at this time. Frames InNumber of frames received by the network station for this applicationRel % Frames InPercentage of frames received by this network station for this application relative to the total number of frames >] }tS~Frames OutNumber of frames sent by the network station for this applicationRel % Frames OutPercentage of frames sent by this network station for this application relative to the total number of framesBytes InNumber of bytes received by the network station for this applicationRel % Bytes InPercentage of bytes received by this network station for this application relative to the total number of bytes Abs % Bytes InPercentage of bytes received by this network station for this application relative to the total network capacity (measured in bytes) &O ltS~Avg. Size InAverage number of bytes contained within frames received by the network station for this applicationBytes OutNumber of bytes sent by the network station for this applicationRel % Bytes OutPercentage of bytes sent by this network st_ation for this application relative to the total number of bytes Abs % Bytes OutPercentage of bytes sent by this network station for this application relative to the total network capacity (measured in bytes) ? LtS~+Average Size OutAverage number of bytes contained in frames sent by the network station for this applicationNon-Unicast OutNumber of non-unicast frames generated by the network station for this application+&( $+Q( $M&1e Columns for Host Matrix ViewEQ& >&ȀColumns for Host Matrix View?"% 4$Defaults are in italic.Ik. ,6VS~Table ColumnDescriptionU"s tS~,,MAC Station Name 1Name of a MAC stationMAC Station Address 1MAC station addressMAC Station Name 2Name of a second MAC stationMAC Station Address 2Address of a second MAC stationVLAN IdDecimal number of the virtual LAN. Virtual LANs using Cisco's ISL protocols are the only virtual LANs recognized at this time. Frames 1>2Number of frames sent from MAC Station 1 to MAC Station 2Frames 2>1Number of frames sent from MAC Station 2 to MAC Station 1Zku tS~--,,,Frames 1<>2Number of frames sent in either direction between MAC Station 1 and MAC Station 2Rel % Frames 1<>2Percentage of frames sent in either direction between MAC Station 1 and MAC Station 2 relative to the total number of frames Bytes 1>2Number of bytes sent from MAC Station 1 to MAC Station 2Average size 1>2Average size of the frames sent from MAC Station 1 to MAC Station 2Bytes 2>1Number of bytes sent from MAC Station 2 to MAC Station 1\vg tS~,-,,Average Size 2>1Average size of the frames sent from MAC Station 2 to MAC Station 1Bytes 1<>2Number of bytes sent in either direction between MAC Station 1 and MAC Station 2Rel % Bytes 1<>2Percentage of bytes sent in either direction between MAC Station 1 and MAC Station 2 relative to the total number of bytesAbs % Bytes 1<>2Percentage of bytes sent in either direction between MAC Station 1 and MAC Station 2 relative to the total network capacity (measured in bytes)a ]tS~,,,,Average Size 1<>2Average size of the frames sent in either direction between MAC Station 2 and MAC Station 1Errors 1>2Number of errors that occurred while MAC Station 1 transmitted data to MAC Station 2Errors 2>1Number of errors that occurred while MAC Station 2 transmitted data to MAC Station 1Errors 1<>2Number of errors that occurred during MAC conversation between MAC Station 1 and MAC Station 21v- *tS~V% 1  b Columns for Network Layer Matrix ViewU(a- *PvS~Columns for Network Layer Matrix ViewB ( 4$Defaults are in italic.Ia. ,6VS~Table ColumnDescription/' e tS~,Net Station Name 1Name of a network stationNet Station Address 1Network-layer address of a network stationNet Station Name 2Name of a second network stationNet Station Address 2Network-layer address of a network stationVLAN IdDecimal number of the virtual LAN. Virtual LANs using Cisco's ISL protocols are the only virtual LANs recognized at this time. Frames 1>2Number of frames sent from Network Stati' on 1 to Network Station 2: g YtS~,--,Frames 2>1Number of frames sent from Network Station 2 to Network Station 1Frames 1<>2Number of frames sent in either direction between Network Station 1 and Network Station 2Rel % Frames 1<>2Percentage of frames sent in either direction between Network Station 1 and Network Station 2 relative to the total number of framesBytes 1>2Number of bytes sent from Network Station 1 to Network Station 2'  u 3tS~,,,-,Average size 1>2Average size of the frames sent from Network Station 1 to Network Station 2Bytes 2>1Number of bytes sent from Network Station 2 to Network Station 1Average Size 2>1Average size of the frames sent from Network Station 2 to Network Station 1Bytes 1<>2Number of bytes sent in either direction between Network Station 1 and Network Station 2Rel % Bytes 1<>2Percentage of bytes sent in either direction between Network Station 1 and Network Station 2 relative to the total number of byteso*: 7 E XUtS~,,Abs % Bytes 1<>2Percentage of bytes sent in either direction between Network Station 1 and Network Station 2 relative to the total network capacity (measured in bytes)Average Size 1<>2Average size of the frames sent in either direction between Network Station 2 and Network Station 1+ b ( $Z)7  1  A Columns for Application Layer Matrix ViewR,b  & X&ȀColumns for Application Layer Matrix View? M % 4$Defaults are in italic.I  . ,6VS~Table ColumnDescription'M b tS~Net Station Name 1Name of a network stationNet Station Address 1Network-layer address of a network stationNet Station Name 2Name of a second network stationNet Station Address 2Network-layer address of a network stationApplicationName of the application running over the network station pairVLAN IdDecimal number of the virtual LAN. Virtual LANs using Cisco's ISL protocols are the only virtual LANs recognized at this time. n + j tS~,,--Frames 1>2Number of frames sent from Network Station 1 to Network Station 2 for this applicationFrames 2>1Number of frames sent from Network Station 2 to Network Station 1 for this applicationFrames 1<>2Number of frames sent in either direction between Network Station 1 and Network Station 2 for this applicationRel % Frames 1<>2Percentage of frames sent in either direction between Network Station 1 and Network Station 2 for this application relative to the total number of frames 0 [ a tS~,,,,Bytes 1>2Number of bytes sent from Network Station 1 to Network Station 2 for this applicationAverage size 1>2Average size of the frames (in bytes) sent from Network Station 1 to Network Station 2 for this applicationBytes 2>1Number of bytes sent from Network Station 2 to Network Station 1 for this applicationAverage Size 2>1Average size of the frames (in bytes) sent from Network Station 2 to Network Station 1 for this applicationL+ @ Y tS~-,,Bytes 1<>2Number of bytes sent in either direction between Network Station 1 and Network Station 2 for this applicationRel % Bytes 1<>2Percentage of bytes sent in either direction between Network Station 1 and Network Station 2 for this application relative to the total number of bytes Abs % Bytes 1<>2Percenta[ @ b ge of bytes sent in either direction between Network Station 1 and Network Station 2 for this application relative to the total network capacity (measured in bytes)[ A 7 <9tS~,Average Size 1<>2Average size (in bytes) of the frames sent in either direction between Network Station 1 and Network Station 2 for this application+@ A ( $Y(A B 1 B PD Columns for Frame Size Distribution ViewQ+A [B & V&ȀColumns for Frame Size Distribution View? B B % 4$Defaults are in italic.I B . ,6VS~Chart OptionDescriptionB C J btS~Frame Size (Bytes)Size of captured frames, in bytes No. of FramesNumber of captured frames that are of this frame sizePercentagePercentage of all captured frames that are of this frame size+B %D ( $+C PD ( $W&%D D 1D DH Columns for Protocol Distribution ViewO)PD D & R&ȀColumns for Protocol Distribution View?D 5E % 4$Defaults are in italic.ID ~E . ,6VS~Table ColumnDescriptionp5E G _ #tS~Protocol NameName of a network protocol (e.g., IP, IPX)Total FramesTotal number of captured frames that are associated with a particular protocolRel % FramesPercentage of all frames captured that are associated with a particular protocolTotal BytesTotal number of captured bytes that are associated with a particular protocolRel % BytesPercentage of all bytes captured that are associated with a protocolAbs % BytesPercentage of network capacity (measured in bytes) that are associated with a protocol+~E H ( $+G DH ( $FH H 1GH L Columns for VLAN View>DH H & 0&ȀColumns for VLAN View?H I % 4$Defaults are in italic.IH PI . ,6VS~Table ColumnDescriptionTI K T vtS~VLAN IdDecimal number of the virtual LAN. Virtual LANs using Cisco's ISL protocols are the only virtual LANs recognized at this time. Click on the VLAN ID to see a network station or network conversation view of that VLAN.FramesTotal frames captured that are associated with a VLANRel % FramesPercentage of all frames captured that are associated with a VLANBytesTotal bytes captured that are associated with a VLANRel % BytesPercentage of all bytes captured that are associated with a VLANaPI 5L 0 0tS~Abs % BytesPercentage of the total network capacity in bytes that are associated with a VLAN+K `L ( $+5L L ( $Q `L L 1L !O Columns for Address Mapping ViewEL !M & >&ȀColumns for Address Map View?L `M % 4$Defaults are in italic.I!M M . ,6VS~Table ColumnDescription"`M N O ltS~MAC Station NameName of the MAC stationMAC Station AddressMAC station addressNetwork Station NameName of the network stationNetwork Station AddressNetwork-layer address of the network station +M N ( $+N !O ( $S"N tO 1tO  Columns for Duplicate Address ViewK%!O O & J&ȀColumns for Duplicate Address View?tO % 4$Defaults are in italic.O !O IO U . ,6VS~Table ColumnDescription\  T vtS~Network Station NameName of the network stationNetwork Station AddressNetwork-layer address of the network station MAC Station NameName of the MAC stationMAC Station AddressMAC station addressVLAN IDDecimal number of the virtual LAN. Virtual LANs using Cisco's ISL protocols are the only virtual LANs recognized at this time. HU M 1p M u Columns for Expert View@ & 4&ȀColumns for Expert ViewWM > J3$)Defaults are in italic. The Overview table contains a summary of symptoms detected, by category. The Analysis table contains detailed information about a each symptom. The Expert Detail table is available by clicking on symptoms underlined in blue in the Overview table.]+ A 2 4VVS~.Overview TableTable ColumnDescriptionu 8 @tS~Expert CategoryCategory of symptom discovered by SurveyorValueNumber of symptoms discovered in each category]+A K 2 4VVS~.Analysis TableTable ColumnDescriptionE T vtS~Expert SymptomSymptom discovered by Surveyor's expert analyzerTimestampTimestamp in the frame that caused the expert symptomExpert SummaryMore detailed information about the symptom. Double click on the row to see full information and suggested actions.Frame IDFrame number in the capture buffer or file that caused the expert symptom. This is only displayed if the Analysis Table is opened from Capture View.Address1Source address in the frame that caused the expert symptoml3K 9 @gtS~Address2Destination address in the frame that caused the expert symptomVLAN IDNumber (in decimal) of the virtual LAN. Virtual LANs using Cisco's ISL protocols are the only virtual LANs recognized at this time. Click on the VLAN ID to see a network station or network conversation view of that VLAN.vD r 2 4VS~.Expert Detail Table from Overview TableTable ColumnDescription F J btS~Station Name 1Name of the station.Station Name 2Name of the other station in the conversation. This field only has a value for symptoms that involve conversations.ValueNumber of times the symptom has occurred for this address or address pair. VLAN IDDecimal number of the virtual LAN. Virtual LANs using Cisco's ISL protocols are the only virtual LANs recognized at this time. /r u , (tS~[*F Ћ 1Ћ Columns for Application Response Time ViewS-u # & Z&ȀColumns for Application Response Time View?Ћ b % 4$Defaults are in italic.J# / .6vS~Table ColumnDescription~b ] tS~ProtocolName of the application protocol discoveredMinimum TimeShortest time taken for the application to make a connection Maximum TimeLongest time taken for the application to make a connectionAverage TimeAverage time taken for the application to make a connectionConnnectionsNumber of connections processed for this application to derive connection timesW& ގ 1 ގ i Buttons for Protocol Distribution ViewO) - & R&ȀButtons for Protocol Distribution Viewގ  1 0[V:H Protocol Buttons - selects the types of protocol distribution you want to see. There are four protocol buttons that change the protocols you are viewing in t-  he graph:]- 1 2V: NET - Shows percentages of all packets by network-layer protocol type (e.g., IP, IPX).N $ 1 2V: IP - Shows percentages of other protocols used within IP packets only. O 1 2V: IPX - Shows percentages of other protocols used within IPX packets only.n=$  1 2zV: All - Shows percentages of all packets by application. ) 4ȚHThe NET and ALL buttons shows percentage breakdowns for all packets. The IP and IPX buttons show the percentages of only those packets that can be identified as containing IP or IPX information respectively./ < 1 0V:H Frame/Byte Buttons - selects to view the distribution by byte count or frame count, or can be used to select distribution relative to network capacity. There are three buttons that control how the protocols are counted when displayed in the graph:e 1 2V: Frm - Counts by frame and displays percentages relative to the total number of frames counted.a< d 1 2V: Abs Bts - Counts by byte and displays percentages compared to the total network capacity. g 1 2V: Rel Bts - Counts by byte and displays percentages relative to the total number of bytes counted.td 0 0V:H Display Buttons - controls the display of information. There are three buttons that control the display only:c2  1 2dV: BAR - Display distributions as a bar graph.c2 f 1 2dV: PIE - Display distributions as a pie chart.T 1 2V: II - Pause the display. When pressed again, counters resume real-time update.*f  ' $* ? ' $* i ' $1? 1U $i " N 19  R .!Customizing Views and WindowsF R & @&Customizing Views and Windows & #$The Surveyor windows interface is extremely flexible. It takes advantage of the features of Windows to allow you to customize your interface. X1R a ' bMULTIPLE WINDOWS WITHIN SUMMARY OR DETAIL VIEW ) ( A$Multiple windows can be opened within both Summary View and Detail View. These sub-windows can be minimized, maximized, expanded, reduced, and tiled within the area of the Summary or Detail View. You can open as many windows as you have resources in Summary View. You can have all available views of a single resource in Detail View. You can have many views windows open within Detail View, one for each resource.9a b ' $DOCKING WINDOWS) 1 ( O$The Summary View Window opens when Surveyor is started. The Summary View window is composed of Summary View area and three docking windows. The docking windows are:@b q - *&V:H Alarm BrowserC1 - *,V:H Resource Browser?q - *$V:H Message Viewl . *$HYou can size the docking windows by moving (click the left mouse and hold) the borders separating the windows. You can move the borders all the way to the edge of the Summary View window, thus hiding the docking windows. You can also completely close a docking window. If you close a docking window, use the options from the View menu to get the windows back. v!( k$HYou can extract any docking window from the Summary View window and make i v! t a stand-alone window. If you turn off docking using the right mouse functions, the window will not redock when moved back over the Summary View window, allowing you to cascade windows. You can also "float" a docking window within the main window. In effect, you can create your own customized view of all the windows available within the Summary View window. .!( !$HDocking windows are a standard Windows 95/98 feature. Refer to the Windows 95/98 documentation for a complete description of docking windows.Ov!}!1}!!!Setting Capture Buffer OptionsG!.!!& B&Setting Capture Buffer Options}!!, &O$All devices support a save-to-disk function for the capture buffer. Check the Enable Full Buffer Auto Save box to enable the save-to-disk feature. When using the save-to-disk feature, capture is stopped when the buffer is full and the contents are written to disk. Capture is restarted as soon as the data is written to the file. When the capture buffers fills again, the new contents are appended to the file. If you start a new capture, the file is overwritten. If capture is stopped before the capture buffer contents are full, the buffer contents are not automatically written to disk; you must manually save the file to disk. This feature applies to local modules only.!!R r$Select the Capture Buffer tab from the Configuration Module Settings menu to set capture buffer options.WARNING: If you intend to use this feature, make sure you have the disk space required to store the data you want to save to disk. You can limit the size of the file by entering a value in the Max File Size field and prevent continuous capture from using all your disk space.The default is to disable the save-to-disk function.M!!1!B! !Setting Expert Analysis ModeE!B!& >&Setting Expert Analysis Mode! !: B$Expert Views and Alarms can be disabled. If disabled, no Expert Views or Alarms will display in Surveyor software. Uncheck the Enable Expert Analysis Mode box to disable Expert Views and Alarms. The default is to enable Expert Analysis. If you do not have the Expert plug-in module, you will not be allowed to enable Expert Analysis Mode.The default value is to enable expert analysis. JB!S !1sS ! ! @!Configuring Alarm ActionsB ! !& 8&Configuring Alarm ActionsS ! !? L$Events that trigger alarms can generate e-mail messages, generate pager messages, or be logged to a log file. Addresses of e-mail recipients and the name of the log file are set. E-mail recipients and log files are global parameters. All alarms are sent to one set of e-mail addresses and one log file.To configure alarm actions, select Alarms from the Configuration menu and then select either E-Mail Settings, Pager Settings, or Log File Settings from the submenu.@ !!9 @tW~WE-mail Settings The set of e-mail addresses that will receive mail if an event triggers an alarm with the alarm action set to "e-mail". When you click on the Add Recipients button in the menu you can set up e-mail addresses using Microsoft Mail's address book.Pager Settings The pager number that will receive mail if an event triggers an alarm with the alarm action set to "pager". The other settings for the pager depend on the type of pager. For pager settings, you must set the delay to at least 3 seconds. !!1 0tW~WLog File Settings The name of the log file that will have an entry if an event triggers an alarm with the alarm action set to "log".+! @!( $W! @! !L!X@!1 X@!@!tG!Configuring Counter LoggingD @!@!& <&Configuring Counter LoggingnX@!\C!R r$Counter log files contain snapshots of Surveyor counter information. All byte, frame, and error counter values are recorded in the log file. To configure counter logging, select Log File Settings from the Configuration menu.To enable counter logging, check the Enable Logging field. Set the time interval for capturing counter information in the Time Interval field. Set the number of rows (line entries) in the log file in the Log File Maximum Rows field. For example, setting Log File Maximum Rows to 4,000 and Time Interval to 5 will record the counter information 4,000 times, once every 5 seconds.@!E!, &$Keep the Keep History Log box selected to create history files of counter information. The history file is written when all lines in the log file are full. When a history file is created, the module log file is erased and new counter information is recorded starting with the first line of the file. History files are named by date and time. The format for the name of history files is:I\C!E!D X$mmddhhmm.ssmm(month) dd(day) hh(hour) mm(minute) ss(second)7E!F!( $The minimum time between creation of unique history files is one second. If you disable the creation of history files and the log file for the module is full, a new log entry causes the module log file to be erased and no history of counters is saved.Default values:nE!tG!3 6tw~Enabling LoggingNot selectedTime Interval5 secondsLog File Maximum Rows4,000Keep History LogSelectedHF!G!1_G!G!*J!Customizing Table Views@tG!G!& 4&Customizing Table ViewsqG!H!% $The type of information in some table views can be customized. You can add or subtract columns from the table.OG!*J!I `V:H1.In Detail View, make sure the view you want to customize is the currently active window. 2.Choose View Options from the Views menu. If the View Options selection is gray, no customization can be performed for this table.3.Click the check box for each column you want to display in the table.4.Click the OK button.HH!rJ!1rJ!J!!Customizing Chart Views@*J!J!& 4&Customizing Chart ViewsrJ!M!' $Protocol distribution view and frame size distribution view can be customized using buttons within the chart. The type of information in some chart views can be customized using the procedures below.Charts graph the "top ten" stations or conversations based on a byte count. The count is the absolute percentage of the number of bytes out for stations, or the absolute number of bytes passed between stations for conversations. The count therefore provides a view of the stations or conversations with the most traffic, which is what users typically want to view. You can, however, create a "top ten" chart for any field that Surveyor supports. You can also reverse the sort order to create a "bottom ten" chart for any field that Surveyor supports.J! !A PV:H㶣1.In Detail View, make sure the view you want to customize is the currently active window. 2.Choose Table from the tab at the bottom of the view. 3.The data view appears as a table. Click on the column you want to use to create a "top ten" list. Note that the information in the table sorts in descending order for the column you selected. If the column you want is not there, see Customizing Table Views for information on how to insert a column into the table.M! !*J!M!!3 4V:H4.Click on the column again if you want to reverse the sort. This creates a view of the "bottom ten" stations or conversations.5.Choose Chart from the tab at the bottom of the view to return to chart view.2 !F!' SEE ALSON!!0 0<$㶣Customizing Table Views NF!!1j!(!a!Setting Protocol Color CodingF !(!& @&Setting Protocol Color Coding!!' $Surveyor provides a real-time protocol decode called Packet Summary View and protocol decodes in Capture View. To use these displays more effectively, you may want to set the colors used for display of packets. For example, you might want to display all transport layer packets in red and all other in black if you are looking only for protocol decode information in the transport layer.To set up or change color coding for protocol decode, do the following:(!!S t'V:H1.Choose System Settings from the Configuration menu. Select the Protocol Color Coding tab.2.Click on a protocol layer.3.Using the color buttons, set the foreground and background color display for the selected protocol.4.Repeat as required for other protocol layers.5.Make sure that the Use Color Coding box is checked. The default is to use color coding.6.Click the OK button..!1!' TIPS0!a!> JV:HUse the Default All button to return all color settings to their default values.Use the Set Default button to reset the default to the colors currently displayed.Deselect the Use Color Coding box to completely disable color coding.^-1!!1! !!Setting Protocol Summary Information by LayerM'a! !& N&Setting Protocol Summary Information!!- ($When using Capture View, you can control the display of summary data for packet decoding. To use the summary display more effectively, you may want to view only the information for certain protocol layers in the Summary field. For example, you might want to display all information in the transport layer only. You may also want to include or exclude expert symptom information for each packet.To set up or change layers to view for protocol decode, do the following: !!E XV:H1.Choose Capture View Options Display from the Configuration menu. 2.Select the Display Detail Protocol Summary check box./!!8 >V:H3.Select the Display Expert Symptoms check box if you wish to include expert symptom information in the Summary field. Packets that trigger an expert symptom and have expert symptom information will display in reverse video in Packet View.`6!p!* $lV:H4.Select a protocol layer from the pull down menu.J!!. ,8H5.Click the OK button..p!!' TIPS{!!' $Note that when selecting a layer, all information for layers underneath the layer selected will be included in the view.^-!!1 !>!!Setting Start of Elapsed Time in Capture ViewV0!>!& `&Setting Start of Elapsed Time in Capture View! !' 3$When using Capture View, you can control the display of summary data for packet decoding. To use these displays more effectively, you may want to set "time-zero" at a specific frame number rather than at the beginning of capture. For example, you might want to start elapsed time stamps at frame 5,000 rather than when the module is started.To change the starting point for elapsed time, do the following:>! !!m>!!Y V:H1.Choose Capture Display Options Display from the Configuration menu. 2.In the Elapsed Time Set Mark Option portion of the Display Options dialog box, select Frame ID nnn's Arrival Time. Set the frame ID number in the box. The default option is Module Arm Time, which starts time zero at the time the module is started.3.Click the OK button.Y( !+!1.+!!}!Setting the Monitoring View for a ModuleU/!!& ^&Customizing the Monitoring View for a Module+!5!& $One monitoring view is available for each module in Summary View. The first tab in the Summary View for a module displays the view selected.H!}!P nV:H1.In Summary View, choose Module from the Configuration menu. 2.Choose Monitor View Preferences.3.Click the radio button in the Monitor View Preferences tab for the view you want. Only one view is allowed.4.Click the OK button.L5!!1!!!Expert Diagnostic .ini FileH"}!!& D&Customizing Expert Information !!' $Surveyor provides diagnostic information that is general to all networks. However, you can customize the diagnostic information to your environment.As you use any diagnostic system you may find that certain error events occur regularly and or that events have a unique meaning in your environment. Custom solutions may apply to fixing the problems that are indicated by expert symptoms. By customizing the diagnostic information, you build an "information base" that applies to your particular environment. When the same problems occur, the custom information displays as well as standard information, providing the diagnostician with the benefit of previous experience related to your particular network.[!!? L$The Expertmsg.ini file contains Surveyor's diagnostic information. This file can be changed using a text editor, thus giving you a way to add information. Rules for adding information to Expertmsg.ini are included at the beginning of the file. Either possible causes or recommended actions can be added, or any other special technical note. Surveyor always looks for the file named Expertmsg.ini in the Surveyor installation directory and will use that file for its diagnostic information. If no Expertmsg.ini file is found in the directory, Surveyor will not provide diagnostic information.O!!1!-!!Enable/Disable Expert SymptomsG!!-!& B&Enable/Disable Expert Symptomsi!!K d=$  Select the Expert Symptoms tab to set which expert symptoms will be recorded and counted in Surveyor's expert views. Use the check boxes to enable/disable any expert symptom. If Expert Analysis mode is disabled, this tab will not appear in the Configuration Module Settings... menu. No symptoms are counted if Expert Analysis mode is disabled.The default is to have all symptoms recognized and counted. If the MAC Layer or Network Layer symptoms are disabled, then all expert symptoms for the protocol layer are disabled.-!!' $The setting for TCP/IP Retransmissions enables the Non Responsive Stations expert symptom.For GAM devices, Expert Symptoms apply to viewing captured data only; real-time expert views are not supported. J!!1!!"Setting Expert ThresholdsB!!& 8&Setting Expert Thresholds<!"Q py$Most expert symptoms have a threshold. When the threshold is exceeded, the event is recorded and counted in Surveyor's expert views. You can set many o!"!f these thresholds higher or lower from the Expert Thresholds tab.Select the Expert Thresholds tab from the Configuration Module Settings... menu to set thresholds for recording and counting expert symptoms. If values exceed the levels set in this dialog box for an expert symptom, the expert symptom will be counted on the Expert Overview tab and recorded in the Expert Analysis tab of Expert View.+!"E X$If Expert Analysis mode is disabled, this tab will not appear in the Configuration Module Settings... menu. No symptoms are counted if Expert Analysis mode is disabled. Thresholds cannot be set for an expert symptom if that symptom is disabled in the Expert Symptoms tab. If an expert symptom is disabled, it will be grayed in the Expert Thresholds tab.For GAM devices, Expert Thresholds apply to viewing captured data only; real-time expert views are not supported. j""D V$HDefault thresholds for expert symptoms are shown below:Utilization (%)40Bcast/Mcast (Pkts/Sec)400Errors (Pkts/Sec)400MST Topology Change (Pkts/Sec)5TCP/IP SYN Attack (Pkts/Sec)100TCP/IP Frozen Window (in Sec)5TCP/IP Long Ack (in MilliSec)200Non-Responsive Station (TCP Retrans)3BOOTP Requests (Pkts/Sec)10ARP Broadcast (Pkts/Sec)10K""1""" "Configuring Expert LoggingC""& :&Configuring Expert Logging""R r-$Expert log files contain entries of Surveyor expert events. All expert symptoms discovered by Surveyor are recorded in the log file. Entries in the expert log file are in ASCII text format.To configure expert logging, select View Options... from the View menu. You must have the Expert View analysis table active to configure the log file. To enable expert logging, check the Log Entries to File box. Specify the name of the log file in the File Name field. Log files are given a .log extension if no log extension is specified. Leave the Clean Contents When Rearm box checked to clear the log file of old entries when a capture is restarted. C"B "- (-$No history files are created for the expert log file. When the log file fills with entries, additional entries will begin to overwrite entries in the file. Select the maximum size of the log file in the Maximum Log File Size (MB) field.The default settings are as follows:" "6 :!$Log Entries to FileSelectedFile Name...\Shomiti\Surveyor\Log\Expert.txtClean Contents When RearmSelectedMaximum Log File Size (MB)10_.B "g "1.g " ")I"Assigning TCP or UDP Ports to Protocol ParsersW1 " "& b&Assigning TCP or UDP Ports to Protocol ParsersIg ""3 4-$~mFUse the ANALYSIS.INI file to assign any built-in Surveyor parser to a TCP or UDP port. This is useful when a network is running a protocol/application over a TCP or UDP port that is not using the default port. The assignment of a proper parser allows Surveyor to properly decode and analyze the packets associated with the TCP or UDP port.The assigning of parsers does not effect how the information is displayed in Surveyor's monitor views. See Assigning Protocol Names for information on assigning names for monitor views.w ""% $The ANALYSIS.INI file is located in your Windows installation directory. Examples of usage are included in the file.=""' ,ANALYSIS.INI FORMATz""' $The ANALYSIS.INI file has two sections, TCP and UDP. A section contain one or more entries with the following format: [4""' h$mapping=,,, "A"? Lt뀚"A" "2d is any valid 2 byte value that represents a TCP or UDP port value. It identifies the protocol, by port number, to be parsed in Surveyor's decode views. is a valid IP address in dotted decimal notation. This field can have a asterisk '*' to represent all IP addresses. is the name of a valid Surveyor built-in parser. See Parser Names for a list of parsers. is a name that will used to identify the mapping.4 ")B"' EXAMPLE 1 A"&C"( $Assume that the network administrator configured Oracle's TNS protocol to use TCP port 1029. This port value is different from the default value for TNS, which is 1521. The entry in the ANALYSIS.INI would be:/)B"UC"' $[TCP]G &C"C"' @$mapping=1029,*,TNS,Oracle TNS^UC"!D"' $"OracleTNS" is the string that will be used in Surveyor's displays to identify this decode.3 C"TD"' EXAMPLE 2vN!D"E"( $Assume that the network administrator configured Sybase's TDS protocol to use TCP port 11964. This value is different from the value for TDS which is 2048. Furthermore suppose the network administrator only wants to decode TCP port 11964 when associated with IP address 192.168.1.98. The entry in the ANALYSIS.INI file would be:/TD"E"' $[TCP]S,E"LF"' X$mapping=11964,192.168.1.98,TDS,Sybase TDS3 E"F"' EXAMPLE 3h@LF"G"( $Assume that a two real-time application have been installed on a network that both use RTP (Real-Time Transport Protocol). Assume that one if the applications use UDP port 10564 and the other used 11964. Both of the UDP ports differ from the default the port of 5004. The entries in the ANALYSIS.INI file would be:/F"H"' $[UDP]O(G"eH"' P$mapping=10564,*,RTP,RTP APPLICATION 1O(H"H"' P$mapping=11964,*,RTP,RTP APPLICATION 22 eH"H"' SEE ALSOCH")I"0 0&$2dParser Names W&H"I"1JI"I""Assigning Names to Protocols (Monitor)O))I"I"& R&Assigning Names to Protocols (Monitor)nGI"=L"' $Surveyor assigns names to protocols that have been detected, providing users with an easy way to view what protocols have been discovered on the network. In most cases, protocol names are well known; they are defined by the protocol's creator, or defined by a standards organization. However, you may want explicit information about a protocol that does not have a well known name or is counted in Surveyor monitor screens as a "TCP OTHER" or "UDP OTHER" protocol. Surveyor includes a monitor.ini file to assign names to protocols. Entries in the monitor.ini file allow you to:[I"M"- (V:H1.Rename the protocols that are currently being detected. For protocols that use TCP or UDP as their transport protocol, the protocol can be assigned a name to override it's default name.2.Extend the list of protocols that are monitored by Surveyor. You can extend the monitoring of protocols that use TCP or UDP as their transport protocol.H=L" O"4 6)$HU See How Surveyor Assigns Protocol Names to learn how Surveyor names protocol by default. Understanding how Surveyor assigns names to protocols by default is important for understanding how protocol names can be altered and how protocols can be added using MONITOR.INI.M"("4 6$Hb6The assigning of protocol names for monitor does not effect how the information is decoded by Surveyor. See Assigning TCP or UDP Ports to Protocol Parsers for information on assigning pa O"(")I"rsers for protocol decode.v O"ŀ"' $HThe MONITOR.INI file is located in your Windows installation directory. Examples of usage are included in the file.<(""' *MONITOR.INI FORMATŀ""( $MONITOR.INI contains two sections, TCP and UPD. Each section may have zero or more entries beginning with the keyword "mapping". Each "mapping" entry is following by an equal sign and a three variables: W0"Q"' `$mapping= ,,.M""1 09t뀚 is a two-byte value that appears in a port fields of a TCP or UPD packet header. It identifies the protocol, by port number, to be included as a discrete protocol in Surveyor's monitor views. is an alpha numeric string that is be between 1 and 12 characters This string is used as the name for the protocol in Surveyor's monitor tables. is an alpha numeric string that should be between 1 and 50 characters. This string is used as the name of the protocol where Surveyor displays a long name. *Q"Ȅ"' $S,""' X$The structure of the MONITOR.INI file is:/Ȅ"J"' $[TCP]U.""' \$mapping=,,b;J""' v$. . .b;"c"' v$. . .U.""' \$mapping=,,/c""' $[UDP]U."<"' \$mapping=,,b;""' v$. . .b;<""' v$. . .U."U"' \$mapping=,,3 ""' EXAMPLE 1U"Q"( C$Assume that you wish to rename TCP port 80 from HTTP to WWW for World Wide Web. The following entry would be made to the MONITOR.INI file in the TCP section:/""' $[TCP]G Q"lj"' @$mapping=80,WWW,World Wide Web3 ""' EXAMPLE 2g?lj"a"( $Assume that a company is using a proprietary protocol named "Company X Protocol" that uses UPD port 921. By default this protocol would appear with the generic name "UDP WKP 921" in the monitor tables. Making the following entry to the MONITOR.INI file UDP section would give the protocol a name with more meaning:/""' $[UDP]L%a"܋"' J$mapping=921,CXP,Company X Protocol3 ""' EXAMPLE 3a9܋"p"( s$By default Surveyor/Explorer report X Windows network traffic with a single entry in the Protocol Distribution table even though X Windows could use non-WKP TCP ports in the range 6000 to 6063. For example, if 100 X Windows packets detected on port 6000 and 200 were detected on port 6029, the Protocol Distribution table would report that 300 hundred XWIN packets were detected. If the network manager wanted the Protocol Distribution table to report the number of packet seen on each of the 64 X Window ports, the MONITOR.INI would need the following 64 entries:/""' $[TCP]V/p""' ^$mapping=6000,XWIN6000,X Windows on port 6000V/"K"' ^$mapping=6001,XWIN6001,X Windows on port 6001b;""' v$. . .b;K""' v$. . "")I" .b;"}"' v$. . .W0""' `$mapping=6063, XWIN6063,X Windows on port 60633 }""' EXAMPLE 4""( m$Assume that a company installed a audio/video application on its network named Video Audio Network Communicator. Assume that the application uses TCP port 2900. By default, packets on this port are attributed to the "TCP OTHERS" entry in the Protocol Distribution table along with other TCP non-WKP packets. To count and display the TCP port 2900 reported individually, the following entry needs to be made to the MONITOR.INI file:/""' $[TCP]]6"q"' l$mapping=2900,VIDEO,Video Audio Network Communicator2 ""' SEE ALSOZ*q""0 0T$U How Surveyor Assigns Protocol Names T#"Q"1^Q""#How Surveyor Assigns Protocol NamesL&""& L&How Surveyor Assigns Protocol Names_Q"#"' $Surveyor (and Explorer) explicitly monitor a predefined set of protocols/applications that use TCP or UDP as their transport layer. However, some of the TCP or UCP ports monitored are not given a well-known name. Also, some TCP and UDP ports are not explicitly monitored, and information about these remaining protocols are collected as though they were a single entity, one for TCP and one for UDP.Surveyor monitors two port ranges, which are called Well Known Ports (WKP) and non-Well Known Ports (non-WKP). In summary, there are four different ways TCP/UDP ports are monitored by Surveyor. They are:i8""1 0qV:H1.WKP that have been assigned a specific default name (i.e. HTTP, DNS, FTP, )2.WKP that use a generic name (i.e. TCP WKP 29, UDP PORT 64, )3.Non-WKP that have been assigned a specific default name (i.e. NFS, LOTUS NOTES, RADIUS, )4.Non-WKP that have not been assigned a name (TCP OTHER or UDP OTHER))#""4 6$H~mFBy changing the MONITOR.INI file, you can change names of generic names of WKPs and assign names to non-WKPs that are not assigned names by default. See Assigning Protocol Names for information on the monitor.ini file format and examples.E""' <MONITORING WELL KNOWN PORTSE"?"( ;$Surveyor monitors all protocols that fall in the WKP (Well Known Port) range, ports with a value between 0 and 1023. If Surveyor/Explorer detects a TCP or UDP with a port in the WKP range, information will be maintained on that port (total bytes, total packet, conversation, etc.).7"v"( $Some of the ports have been assigned a name that is typically associated with the port value. For example, TCP port 80 is assigned the name HTTP. This name is used to represent that port when information about the port is displayed in the monitor tables of Surveyor.}U?""( $Other WKPs are not assigned a default name. If these ports are detected, their name takes the generic form: "TCP WKP " or "UDP WKP: " where is the WKP value. For example, the TCP port 29 is not assigned a default name so if this port is detected the name used to represent the port would be: "TCP WKP 29".S,v"F"' XMONITORING NON WELL KNOWN PORTS (NON-WKP)k""( $Surveyor also collects information about a subset of ports that fall outside of the WKP range, port numbers greater than 1023. These ports are called non-WKP. Some of these ports are monitored by Surveyor since applications associated with them are widely accepted. The non-WKP ports that Surveyor monitors and their associated port values are listed below:*F"#' $"#"]"l#E#Z0 $$NameTCP port valuesY##E#Z( $$LOTUS NOTES1352Zl##E#Z* $$TDS (Oracle)1521Q #p#E#Z $ $RSP1704Z##E#Z* $$TNS (Sybase)2048Q p##E#Z $ $NFS2049U#p#E#Z  $$CC:MAIL3264W##E#Z$ $$XWIN6000-6063(p##% $]#L#E#Z0 $$NameUDP port valuesT##E#Z $$RADIUS1645Q L##E#Z $ $RSP1704T#E#E#Z $$RADIUS1812R ##E#Z $$HSRP1985Q E##E#Z $ $NFS2049Q #9#E#Z $ $RTP5004R ##E#Z $$RTCP50059#=#' $Surveyor treats all other non-WKP as a single entity given a single generic name. The name for TCP non-WKP ports is "TCP OTHER". The name for UDP non-WKP ports is "UDP OTHER". For example, if 900 occurrences of the TCP port 11964 was detected and 200 occurrences of the TCP port 10564, there would be a single name to identify these 1100 occurrences of the TCP non-WKPs called "TCP OTHER". 2 #o#' SEE ALSOO=##0 0>$~mFAssigning Protocol Names = o##1L#0#D$Parser Names5#0#& &Parser Namesw# #( $The tables below contain the Parser Names that are built into Surveyor. Each parser is responsible for decoding a specific protocol. Parser Names are as similar as possible to protocol names. Parser Names must be entered exactly as shown in the tables to correctly reference the built-in parser.The Parser Names are organized by protocol suite in the following tables. P0# #B#TcSUITE: DLCn # #U#z2 $$Parser NameProtocolf! # #E#ZB $$ETHERNETV2Ethernet Version 2b #U #E#Z: $$IEEE8023IEEE 802.3 (RAW)x3 # #E#Zf $$IEEE8022IEEE 802.2 (LLC - Logical Link Controlr-U #? #E#ZZ $$IEEESNAPIEEE Sub-Network Access ProtocolA # #E#Z $$IEEE8025IEEE 802.5 Token Ring (what about TR MAC and TR LLC)o*? #4 #E#ZT $$FDDIFiberoptic Digital Data Interface] # #E#Z0 $$LOOPBACKIEEE 802.1dJ4 # #E#Z $$IEEE8021PIEEE 802.1p - Generic Attribute Registration Protocol (GARP)H ##E#Z $$IEEE8021QIEEE 802.1q - Virtual Bridged Local Area Networks Protocol( ##% $b #7#B#T@cSUITE: APPLICATIONS / OTHERSn##U#z2 $$Parser NameProtocolW7# @#E#Z$ $$CCMAILCC:Mail# @##Z#f@#E#Z* $$NOTESLotus Notesg" @#@#E#ZD $ $TDSSybase Tabular Data Stream|7f@#IA#E#Zn $ $TNSOracle's Transparent Network Substrate Protocola@#A#E#Z8 $ $SMBServer Message Block(IA#A#% $WA#)B#B#T*cSUITE: APPLE TALKsA#B#U#z< $$Parser NameProtocol Names.)B#C#E#Z\ $$AARPAppleTalk Address Resolution Protocoll'B#{C#E#ZN $$ADSPAppleTalk Data Stream ProtocoldC#C#E#Z> $ $AEPAppleTalk Echo Protocolf!{C#ED#E#ZB $ $AFPAppleTalk Filing Protocolg"C#D#E#ZD $ $ASPAppleTalk Session Protocolk&ED#E#E#ZL $ $ATPAppleTalk Transaction Protocolu0D#E#E#Z` $$AURPAppleTalk Update-based Routing Protocolg"E#E#E#ZD $ $DDPDatagram Delivery ProtocolaE#TF#E#Z8 $ $LAPLink Access ProtocolbE#F#E#Z: $ $NBPName Binding ProtocoldTF#G#E#Z> $ $PAPPrinter Access Protocolp+F#G#E#ZV $$RTMPRouting Table Maintenance Protocolf!G#G#E#ZB $ $ZIPZone Information Protocol(G#H#% $TG#lH#B#T$cSUITE: BANYAN sH#H#U#z< $$Parser NameProtocol Nameo*lH#NI#E#ZT $$VARPVines Address Resolution Protocolj%H#I#E#ZJ $$VFRPVines Fragmentation Protocolm(NI#%J#E#ZP $$VICPVines Internet Control ProtocoldI#J#E#Z> $ $VIPVines Internet Protocolw2%J#K#E#Zd $$VIPCVines Interprocess Communication Protocolt/J#tK#E#Z^ $$VNETRPCVines Network Remote Procedure Callk&K#K#E#ZL $$VRTPVines Routing Update Protocolm(tK#LL#E#ZP $$VSSPVines Sequenced Packet Protocol(K#tL#% $RLL#L#B#T cSUITE: CISCOstL#9M#U#z< $$Parser NameProtocol Namee L#M#E#Z@ $ $CDPCisco Discovery Protocolk&9M# N#E#ZL $$DISLDynamic Inter-Switch Protocoli$M#rN#E#ZH $$HSRPHot Standby Router Protocolh# N#N#E#ZF $ $ISLInter-Switch Link Protocol u0rN#OO#E#Z` $$VTPADVTVLan Trunk Protocol - Advertisement m(N#O#E#ZP $$VTPSTATVLan Trunk Protocol - StatusHOO#U#E#Z $+$O#U##IGRPInterior Gateway Routing Protocol (see Internet Protocol suite)RO##E#Z $+$EIGRPEnhanced Interior Gateway Routing Protocol (see Internet Protocol suite)(U##% $S#g#B#T"cSUITE: DECNETs#ځ#U#z< $$Parser NameProtocol Nameg"g#A#E#ZD $$CTERMNetwork Command Terminalbځ##E#Z: $ $DAPData Access Protocol dA##E#Z> $ $DRPDECnet Routing Protocolc#j#E#Z< $$FOUNDFoundation Services l'#փ#E#ZN $$MOP Maintenance Operation Protocol:j#U#E#Zt $$NICENetwork Information and Command Exchange Protocole փ##E#Z@ $ $NSPNetwork Service Protocol(U##% $T#6#B#T$cSUITE: FUJITSUs##U#z< $$Parser NameProtocol Namei$6##E#ZH $ $FNAFujitsu Network Architecturei$#{#E#ZH $$LNDFCLocal Network Flow Control(##% $P{##B#TcSUITE: IBMs#f#U#z< $$Parser NameProtocol Namej%#Ї#E#ZJ $$32703270 Bisynchronous Interfacep+f#@#E#ZV $$NETBEUINetBIOS Extended User Interfaceh#Ї##E#ZF $ $SNAServer Network ArchitectureM@##E#Z $ $XID(##% $^#{#B#T8cSUITE: INTERNET PROTOCOLs##U#z< $$Parser NameProtocol Nameh#{#V#E#ZF $ $ARPAddress Resolution Protocoly4#ϊ#E#Zh $$DVMRPDistance Vector Multicast Routing Protocolf!V#5#E#ZB $ $EGPExterior Gateway Protocoly4ϊ##E#Zh $$EIGRPEnhanced Interior Gateway Routing Protocolh#5##E#ZF $ $GGPGateway to Gateway Protocolo*##E#ZT $$ICMPInternet Control Message Protocolp+##E#ZV $$IGMPInternet Group Management Protocolo*#d#E#ZT $$IGRPInterior Gateway Routing Protocol]##E#Z0 $ $IPInternet Protocoly4d#:#E#Zh $$MOSPFEnhanced Interior Gateway Routing Protocolf!##E#ZB $$OSPFOpen Shortest Path Firstk&:# #E#ZL $ $PIMProtocol Independent Multicastq,#|#E#ZX $$RARPReverse Address Resolution Protocolk& # #E#ZL $$RSVPResource Reservation Protocol|# ##r-|#~#E#ZZ $$RTCPReal Time Transport Control Protocoli$ ##E#ZH $ $RTPReal Time Transport Protocolk&~#R#E#ZL $ $TCPTransmission Control Protocol d##E#Z> $ $UDPUser Datagram Protocol JR##E#Z  $$e #e#E#Z@ $ $BGPBoarder Gateway Protocola##E#Z8 $$BOOTPBootstrap Protocolq,e#7#E#ZX $$DHCPDynamic Host Configuration Protocol_##E#Z4 $ $DNSDomain Name Serverc7##E#Z< $ $FTPFile Transfer ProtocolV#O#E#Z" $$GOPHERGopherj%##E#ZJ $$HTTPHyper Text Transfer Protocolr-O#+#E#ZZ $$HTTPSSecure Hyper Text Transfer Protocoln)##E#ZR $$IMAPInternet Message Access Protocols.+# #E#Z\ $$LDAPLightweight Directory Access Protocolu0##E#Z` $ $LPRPrinter (Need to added ProtoIDs support)t/ ##E#Z^ $$MIMEMulti-purpose Internet Mail ExtensionsX#M#E#Z& $$MOUNTNFS Mountl'##E#ZN $$NBNAMENetBIOS Name Service over IPt/M#-#E#Z^ $$NBDATAGRAMNetBIOS Datagram Service over IPs.##E#Z\ $$NBSESSION NetBIOS Session Service over IPh#-##E#ZF $$NETCPNetScout Control Protocol`#h#E#Z6 $ $NFSNetwork File Serverm%##H#`J $ $NISNetwork Information Servicesl'h#A#E#ZN $$NNTPNetwork News Transfer Protocolb##E#Z: $ $NTPNetwork Time ProtocolaA##E#Z8 $ $POPPost Office Protocol\#`#E#Z. $$PORTMAPPort Mapperz5##E#Zj $$RADIUSRemote Authentication Dial In User Serviceg"`#A#E#ZD $$REXECRemote Program Executioni$##E#ZH $ $RIPRouting Information Protocol\A##E#Z. $$RLOGINRemote Login\#b#E#Z. $$RSHELLRemote Shellk&##E#ZL $$SMTPSimple Mail Transfer Protocolp+b#=#E#ZV $$SNMPSimple Network Management Protocoly4##E#Zh $$SNMPTRAPSimple Network Management Protocol Trapk&=#!#E#ZL $$SUNRPCSun's Remote Procedure Callh###E#ZF $$TELNETRemote Terminal Protocoll'!# $E#ZN $$TFTPTrivial File Transfer Protocol# $#q,#}$E#ZX $$XDMCPX Display Manager Control ProtocolW $$E#Z$ $$XWINX Windows(}$$% $n,$j$B#TXcSUITE: INTERNET PROTOCOL NEXT GENERATIONs$$U#z< $$Parser NameProtocol Name}8j$Z$E#Zp $$DNCPNGDynamic Host Configuration Protocol over IPng{6$$E#Zl $$ICMPNGInternet Control Message Protocol over IPngv1Z$K$E#Zb $$IDRPNGInterdomain Routing Protocol over IPng{6$$E#Zl $$IPNGInternet Protocol (Version 6) Next Generationr-K$8$E#ZZ $$OSPFNGOpen Shortest Path First over IPngu0$$E#Z` $$RIPNGRouting Information Protocol over IPngw28$$$E#Zd $$RSVPNGResource Reservation Protocol over IPng($L$% $T$$$B#T$cSUITE: NETWAREsL$$U#z< $$Parser NameProtocol Namee $x$E#Z@ $ $IPXInternet Packet Exchangeg"$$E#ZD $$IPXBURSTIPX Packet Burst Modeh#x$G$E#ZF $$IPXDIAGIPX Diagnostic Protocol_$$E#Z4 $$IPXNBNetBIOS over IPXu0G$$E#Z` $$IPXRIPRouting Information Protocol over IPXs.$$E#Z\ $$IPXWANWide Area Network Protocol over IPXs.$ $E#Z\ $$NBCASTNetware Broadcast Message Protocol c$d $E#Z< $$NCP Netware Core Protocolh# $ $E#ZF $ $NDSNetware Directory Services i$d $5 $E#ZH $$NLSPNetware Link State Protocolf! $ $E#ZB $$NMPIName Management Protocoli$5 $ $E#ZH $ $SAPService Advertising Protocolf! $j $E#ZB $$SERIALSerialization Protocolg" $ $E#ZD $ $SPXSequenced Packet Exchanged8j $Q $H#`p $+$SPX2Sequenced Packet Exchanged Version 2 (use SPX)h# $ $E#ZF $$WDOGNetware Watch Dog Protocol(Q $ $% $P $1 $B#TcSUITE: PPPs $ $U#z< $$Parser NameProtocol Name|71 $ $E#Zn $$PPPCHAPChallenge Handshake Authentication Protocold $$E#Z> $$PPPIPCPIP Control Protocolf! $$E#ZB $$PPPIPXCPIPX Control Protocole $O$E#Z@ $$PPPLCPLink Control Protocolp+$$E#ZV $$PPPNBFCPNetBOIS Frame Control Protocol(O$ @$% $$ @$#P$\@$B#TcSUITE: XNSs @$@$U#z< $$Parser NameProtocol Namek&\@$:A$E#ZL $ $IDPInternetwork Datagram Protocole @$A$E#Z@ $ $PEPPacket Exchange Protocole :A$B$E#Z@ $ $SSPSequence Packet Protocol`A$dB$E#Z6 $$XECHOXNS Echo ProtocolbB$B$E#Z: $$XERRORXNS Error Protocoln)dB$4C$E#ZR $$XRIPXNS Routing Information Protocol(B$\C$% $2 4C$C$' SEE ALSOe5\C$C$0 0j$b6Assigning TCP or UDP Ports to Protocol Parsers *C$D$' $= C$ZD$1ZD$D$HI$File Formats5D$D$& &File FormatsP#ZD$D$- *F/.CAP EXTENSION CAPTURE FILESD$E$( $File extension for all capture files. Capture file format is compliant with RFC 1761, referred to as "Snoop" format. However, capture files include extensions that expand the information provided by snoop format.S&D$1F$- *L/.NAM EXTENSION NAME TABLE FILES"E$SG$4 6$File extension for all name tables. The name table file format is identical to .ini file format. The default hosts.nam file contains names associated with well-known hexadecimal representations. For example, BROADCAST=C000FFFFFFFF.R%1F$G$- *J/.CFD EXTENSION CAPTURE FILTERSR+SG$G$' V$File extension for all capture filters. O"G$FH$- *D/.DFD EXTENSION VIEW FILTERSO(G$H$' P$File extension for all view filters. Z-FH$H$- *Z/.TSP EXTENSION TRANSMIT SPECIFICATIONSY2H$HI$' d$File extension for all transmit specifications.@H$I$1 I$I$$Module Settings8HI$I$& $&Module SettingsyI$qK$8 >$Module settings set options for the capture and transmit functions of devices. To set device properties, select Module Settings from the Configuration menu. Tabs appear that apply to the currently active device type; a tab will only appear if this option can be set for the current device type. Hardware devices can have properties set according to the table below:I$dM$5#8} ]F F O O F j j j &0.&&Z10.J&;10.p&aň10.&S%q10.΀&10.&10.&Aj10.N&WVM10Hardware DeviceBuffer Size Slicing Size Capture Buffer Options Full Duplex Expert Mode Expert Symptoms Expert Thresholds MAC Control Frame/qK$lN$#^ ]F F O O F j j j &$2$$"$,$8$B$L$V$CMM2NOYESYESYES*YESYESYESNO<dM$rO$#dx ]F F O O F j j j $2*$2$<$F$R$\$f$p$Explorer with CMM2NOYESYESYES*YESYESYESNO/lN$w$#d^ ]F F O O F j j j $2 $$$($rO$w$HI$4$<$H$T$GAMNOYESYESYES*NOYES*YES*YES ?rO$$#d~ ]F F O O F j j j $2($0$:$D$P$X$f$t$Explorer with GAMNOYESYESYES*NOYES**YES**YES-w$w$#dZ ]F F O O F j j j $2$$"$,$4$>$H$R$NDISYESYESYESNOYESYESYESNO$T$#d& ]F F O O F j j j $$ $$$$$$"$a6w$$+ $m4*GAMs are inherently full-duplex. There is no configuration setting of full-duplex or half-duplex for GAMs. Full-duplex monitor/capture with GAMs or CMM2s requires two synchronized modules connected through a tap device.**Sets values for viewing captured data only. No real-time expert views are supported.T$x$4 6$The Shomiti Voyager probe does not have any module settings. The Module choice will be grayed out on the Configuration menu for Voyager.h$$= HtՁ/~Default values are:Capture Buffer Size512K (NDIS only)Packet Slicing Size, CaptureFull packet lengthPacket Slicing Size, MonitorFull packet length (CMM2), 128 bytes (NDIS)Enable Full Buffer Auto Save Not selectedFull DuplexDisabledExpert ModeEnabledExpert SymptomsAll symptoms enabledExpert ThresholdEach threshold has its own default value Lx$i$1i$$A$Setting Capture Buffer SizeD$$& <&Setting Capture Buffer Size<i$$F Z$NDIS modules require that a capture buffer size be set. The buffer size is the amount of system memory that will be used to save captured data. Buffer sizes can be set between 64K and 16M in multiples of two. If the module is not an NDIS module, you will not be able to set the capture buffer size. CMM2s and GAMs have a hardware buffer and do not require system memory for captured data.Select the Buffer Size tab from the Configuration Module Settings menu to set the buffer size.X,$A$, (XtՁ/~The default buffer size for NDIS is 512K.L$$1$ъ$$Setting Packet Slicing SizeDA$ъ$& <&Setting Packet Slicing Size$|$'  $CMM2s, GAMs, and NDIS-compatible Ethernet cards support slicing packets. Packet slicing means that a subset of the entire packet is saved in the capture buffer. You can save the first 32 bytes (Mac layer), the first 64 bytes (Network layer), the first 128 bytes (Application layer) or the full length of the packet. Packet slicing can be set separately for monitor and capture. For monitor, packet slicing can improve performance when monitoring the entire packet contents is not required. For capture, packet slicing can save space in the capture buffer for more packets when analysis of the entire contents of each packet is not required.'ъ$$E X$For CMM2 modules, the default is no packet slicing (full packet length). For NDIS modules, the default setting is no packet slicing for capture, 128-byte packet slice for monitor. For NDIS modules, you cannot have both monitor and capture set to full packet size. Packet slicing for monitor mode is not supported for GAM devices.Select the Packet Slicing tab from the Configuration Module Settings menu to set the packet slicing size for both capture and monitor.I|$ $1 $M$$Setting Full-Duplex Mode$ $$A$M$& 6&Setting Full-Duplex ModeS& $$- (M4ȚHCaution: The setting for full-duplex applies only to single CMM2 modules. Note that setting a single CMM2 module to full-duplex is not the way CMM2 modules are typically used with full-duplex traffic. A more typical configuration is to have two synchronized CMM2s, each monitoring receive traffic in one direction. The configuration using two modules establishes a passive monitor/capture for full duplex traffic at full line rate. Using a single CMM2 in full-duplex is more commonly used in a testing environment to measure device performance. NM$$1 0$H"eCMM2 modules can be enabled to function in full-duplex mode. CMM2 modules appear in the Resource Browser with the following icon: . The capture buffer memory within the CMM2 is allocated to both transmit and capture functions, one-half the memory allocated to each. Check or uncheck the box to enable or disable full duplex mode. $1$: B$HThe tab for is context sensitive and is only visible if the device is a CMM2. Select the CMM2 tab from the Configuration Module Settings... menu to enable full-duplex mode for CMM2. If full-duplex is enabled, both the capture and the transmit mode buttons must be set at the same time to use a single module in full-duplex mode. Also, the module interface must be set to 10Mbps or 100Mbps. The CMM2 cannot auto negotiate the network speed in full-duplex mode.g$$' $HThe default is full-duplex not enabled, which means the CMM2 will only function in half-duplex mode.1$$( u$HGAM modules have separate send and receive buffers on the card. GAM modules are set for full-duplex by connecting both the send and receive ports on the GBIC connector to the network.*$$' $HB$ $1n $G$$MAC Control Frame:$G$& (&MAC Control Frame= $$) )$For Gigabit Ethernet a MAC Control Frame is sent to ensure that sending devices do not overflow receive buffers. For GAM devices, you can select to capture these frames or ignore them. The default is to capture MAC Control Frames. This setting applies only to GAM devices.X'G$$1$,$$Setting the COM Port for Century 12-TapP*$,$& T&Setting the COM Port for Century 12-Tap$K$& $The Century 12-Tap can be controlled from a PC with Surveyor software. The Surveyor software can be used to control which LAN segment is selected by the 12-Tap. The Century 12-Tap is often connected through an Explorer and viewed in the resource browser as a remote device. However, the 12-Tap can be connected to a COM port on the PC and controlled as a local resource from Surveyor. In this configuration, the COM port used to connect Century 12-Tap to the PC must be configured in Surveyor software._,$$9 @$To configure the COM port, select System Settings from the Configuration menu. Select the Century 12-Tap Local COM Port tab. Set the COM port value to the COM port where the 12-Tap is connected to the PC. Just one port can be selected. There is no default port selected.The 12-Tap is connected to the PC using a standard 9-pin serial cable.FK$)$1< )$g$%Setting Update Timers>$g$& 0&Setting Update TimersY)$%: B?$Timers control how often counters, tables, and displays are updated. There are two types of timers, display timers and polling timers. Polling timers control how often data is updated from remote systems. Display timers control how often displays of data are updated in the Surveyor software. All timer values are in seconds.For GAM devices, only thg$%$e MAC layer timer value is used. Other monitor timers are not used by this device. To configure the timers, select System Settings from the Configuration menu. Select the Timers tab.?g$ %U xt ~.Polling TimersMAC layer Counters Sets the interval for polling devices for MAC layer counters.Network Layer Counters Sets the interval for polling devices for network layer counters.Host Table Sets the interval for polling devices to update remote host information on the local PC.Conversation Matrix Sets the interval for polling devices for information on MAC, network, and application conversations.Expert DataSets the interval for polling devices for expert data.<%G%E Xt ~.Remote Name TableSets the polling interval for refreshing the local copy of the name table for a remote resource.Display TimersMonitoring View, Local Sets the time between refreshing counters in displays of counter data for resources in the local PC. This applies only to the Utilization/Error strip charts.Monitoring View, Remote Sets the time between refreshing counters in displays of counter data for resources in remote hosts. This applies only to the Utilization/Error strip charts. %E%) $Values for polling timers must be between 1 and 214783647. Values for the display timers must be between 5 and 214783647. The display timer for remote must be a multiple of the MAC layer counters polling timer.+G%p%( $:E%%( $$Default Values:-p%%< Ft ~MAC layer Counters 3 secondsNetwork Layer Counters 5 secondsHost Table 7 secondsConversation Matrix 10 secondsExpert Data15 secondsRemote Name Table300 secondsMonitoring View, Local 1 secondMonitoring View, Remote 3 seconds+%%( $R!%T%1T%%E%Configuring Remote CommunicationsJ$%%& H&Configuring Remote Communications^T%5 %9 @$The remote server protocol (RSP) is used to control the interface for connecting with remote systems. You configure the options that effect connection time outs, encryption of control packets, and auto-discovery of resources.To configure the timers, select System Settings from the Configuration menu. Select the Remote Communications tab.%K %E XtA}AEncrypt RSP Packets check box Select encryption if there is a need for security in the network when transferring packets between the remote resource and the local system. This is only necessary if high level of security is required on your network for the access of devices.No Autodiscovery check box Select this box to prevent autodiscovery of remote resources. If selected, you will only be able to access remote resources by manual discovery of resources using the Connect option from the Host menu. This box can be selected when working with only local resources to eliminate viewing all resources in the Resource Browser. The autodiscovery of resources may take some time, especially in a large network.5 %9%1 0{tA}ARSP Time Out Value Specifies in seconds how long the protocol waits before dropping a connection when the remote resource is not responding. The value must be between 1 and 30 seconds.+K %d%( $A:9%%( $$ADefault Values:vd%E%1 2tA}AEncrypt RSP Packets check box Not selectedNo Autodiscovery check box Not selectedRSP Time Out Value 10 secondsC%%1 %%oG%Configuring 12-Tap;E%%& *&Configuring 12-TapD%C%3 4#${H|A 12-Tap %C%E%can be attached to the local system or be available as a remote resource on the network. Typically a 12-Tap will be used in the wiring closet with an Explorer and be accessed as a remote resource. However, 12-Taps can be attached to the local system and accessed through a COM port on the PC. See Setting the COM Port for Century 12-Tap for information on configuring 12-Tap to talk to a local PC. 12-Taps are devices that work in conjunction with an Explorer to monitor multiple network segments. When the 12-Tap is connected properly with an Explorer, its icon will be visible in the resource browser. If you cannot see the 12-Tap icon, refer to the Explorer and 12-Tap hardware documentation for more information on connecting 12-Taps and Explorers to the network. %D%' $Although the tap shows as a "resource" to the Surveyor software, it does not directly perform monitor and other analysis functions. 12-Tap acts as a switching device for Explorer (or Century Media Modules), so one Explorer can be used to view many different LAN segments.You can use Surveyor to set the LAN segment viewed by the Explorer connected to the 12-Tap. To set the LAN segment: bC%#G%C T?V:H1.Double-click on the 12-Tap icon in the resource browser. 2.A dialog box appears showing the twelve port-pairs on the 12-Tap, numbered 1 to 12. Use the radio buttons to select the LAN segment you wish to monitor with Explorer. Only one LAN segment can be selected.You must know which LAN segment is connected to the port pair on 12-Tap you select.3.Use the Bypass check boxes to restrict any network segments from being used with Explorer. Any segment with the Bypass box checked cannot be set as the LAN segment for Explorer.LD%oG%0 08V:H4.Click the OK button.J#G%G%1G%G%RK%Configuring Ports to ScanBoG%G%& 8&Configuring Ports to ScanG%I%& $Surveyor must search the ports on the local system to find Century Media Modules. Sometimes this creates problems with devices already on the system. Use this function to restrict the ports which are scanned. The dialog box for configuring ports to scan comes up on Surveyor startup; ports to scan may have been configured at startup. However, you can use Surveyor to set the ports on the PC to scan at any time. To set up or change port scanning, do the following^G%RK%G \/V:H1.Choose System Settings from the Configuration menu. Select the Scanning Ports tab.2.A dialog box appears showing the ports within the local system to scan. Check the box of only those ports you Surveyor to scan for a Century Media Module.3.Click the OK button.CI%K%1K%K%;O%Resetting Explorer;RK%K%& *&Resetting Explorer`K%UL%% $The Explorer device can be reset from Surveyor software. To reset Explorer do the following:QK%N%b V:H"f1.Login to Surveyor with "super-user" privileges.2.Click on the Explorer icon in the Resource Browser.3.Choose Description from the Host menu.4.Click the Reset Explorer/Image Upgrade button.5.Check the Warm Boot radio button under Reset Options. Leave all other fields blank or unmarked.6.Click the OK button.UL%N%4 6 $HWhen you reset Explorer, you will lose the connection. Use the Connect option from the Remote menu to reconnect with Explorer.2 N%N%' SEE ALSOHN%;O%0 00$X#Updating Explorer BN%}O%1 }O%O%p%Updating Explorer:;O%O%& (&Updating ExplorerwI}O%:%. *$You can update the softwarO%:%;O%e or change address information for an Explorer from Surveyor.Before you can update Explorer with a new image, you must place the new image on a server that runs TFPT protocol. Download the new software from Shomiti's Web site, http:\\www.shomiti.com. Go to the software updates section of the Web site to find the new Explorer image. Place the software on the server that runs TFPT protocol. Before you can update Explorer address information automatically, you must have a server that contains the new address information and runs the BOOTP protocol.W2O%%% d$Use the following procedure to update Explorer.D:%Մ%h V:H"f1.Login to Surveyor with "super-user" privileges.2.Click on the Explorer icon in the Resource Browser.3.Choose Description from the Host menu.4.Set the new IP Address, IP Gateway Address, and Subnet Mask for Explorer. If no address update is needed, or you are updating the address from a BOOTP server, skip this step. 5.Click the Reset Explorer/image Upgrade button.6.Check the Enable BOOTP box if you are updating addresses from a BOOTP server.%dž%W |7V:H7.Check the Image Upgrade (TFTP) box if you are updating addresses from a TFTP server.8.Enter the IP address of a server that runs BOOTP and/or TFTP protocols in the IP Boot Server field.9.If you are updating the Explorer image, set the path name to the software image file in the Boot Image Filename field.10.Check the Warm Boot radio button under Reset Options. 11.Click the OK button.Մ%%9 @/4ȚHCAUTION:You must use the Warm Boot option for Explorer to load the new image from the network. The Cold Boot option will not update the image.dž%P%4 6 $HWhen you reset Explorer, you will lose the connection. Use the Connect option from the Remote menu to reconnect with Explorer.%%( $HWhen Explorer is restarted, the new software image is written to non-volatile memory in the Explorer and becomes the new executable image.P%ˉ%. *1$HUse the Cold Boot option to force Explorer to run its self-tests to verify the unit is operating properly, but not as part of the update procedure.2 %%' SEE ALSOIˉ%F%0 02$Resetting Explorer *%p%' $BF%%1*%% %Surveyor.ini File:p%%& (&Surveyor.ini FileD%0%D V$The Surveyor.ini file contains Surveyor's general configuration settings. You can save different sets of configuration information in different .ini files if you want to run the product with different configurations. Surveyor always looks for the file named Surveyor.ini in the Window's system directory and will use that file for its configuration. If no Surveyor.ini file is found in the directory, Surveyor will build another Surveyor.ini file based on the factory default configuration settings.h% %M h${}Different sets of configuration information can be especially useful for display and update timers. The first eight parameters of the .ini file are the configuration values for the various display timers.Counter Timer Value=3Network Counter Timer Value=5Host Timer Value=7Matrix Timer value=10Expert Timer Value=15Remote Name Table Timer Value=300Display Timer Value=3Local Display Timer Value=1For information on other Surveyor.ini settings, contact Shomiti Customer Support. It is not recommended to edit the Surveyor.ini file directly for other settings unless you contact Customer Support. 0% %p%W&0%c%1c%%;%Setting the Voyager Ports for ExplorerO) %%& R&Setting the Voyager Ports for Explorer8c%%' #$Suveyor supports a new multi-port RMON/RMON2 probe available from Shomiti called Voyager. If the Explorer device is connected to a Voyager probe, you can set the port-pair mirrored to Explorer. At least one analyzer port on the Explorer must be connected to one Tap Port on Voyager; both analyzer ports may be connected to Voyager Tap Ports A and B. Setting the port-pair changes the segments connected to Voyager which are mirrored to Explorer through its Tap ports. To set or change the Voyager port-pair, do the following:?%)%D VV:H"f"g1.Login to Surveyor with "super-user" privileges.2.Click on the Explorer icon in the Resource Browser.3.Click on the Multi Port Tap icon the Resource Browser. If Explorer is not connected properly to Voyager, this icon will not appear. .4.Select the port-pair from the menu. Only those port-pairs present on the Voyager hardware device will display. Ports are selected in pairs even if only one Voyager port is connected to a network segment or if only one Tap port is connected to Explorer. M%v%1 28V:H5.Click the OK button.)%3%) )$HThis procedure does the same thing as pressing the ADVANCE button on the Voyager device until the desired port-pair is mirrored to the Tap ports.v%%/ ,$H+Port numbers not physically present on Voyager will be gray. A selectable port-pair does not indicate that a link has been established from either Voyager port to a network segment, or whether the port-pair is in full-duplex or half-duplex mode. Refer to your Voyager User's Guide for information on making the proper connections to Explorer other information on setting up Voyager.+3%%( $H+%;%( $HF%%1x%%%Forcing Links for GAM>;%%& 0&Forcing Links for GAM%%K d$ Forcing the link is required when the GAM device is passively monitoring a link, such as when monitoring/analyzing a connection through a tap device. Since the GAM is not using the transmit port in this configuration, the device has no means of auto-negotiating a connection. The Link Force Link option from the Module menu allows you to alert the GAM that it has a connection and to begin listening for data.The Module menu also has a Link Link Status option which provides information about a GAM link. If the link is established, Link Status returns a "link OK" message. If there is a problem with the link, a message screen appears with diagnostic information that may help you troubleshoot the link.(%%% $1%7%1U7%[%$%[%" D7%%1$%% &Sniffer Translators=[%%& .&Sniffer Translators%%8 >3$Translators convert captured data back and forth between Surveyor capture file format (.cap files) and Sniffer uncompressed trace format (.enc or .trc files). Capture files are stored in Snoop format, compliant with RFC 1761. Capture files include extensions that provide additional information fields not found in RFC 1761. Start a translator by selecting one of the following from the Tools menu."% &? Lt灚~Snoop to Sniffer Converts Surveyor capture files to uncompressed trace files that can be viewed with the Sniffer. Sniffer to SnoopConverts uncompressed trace files (.enc or .trc format) to Surveyor capture files. % &[%U$%a&1ba&&&NIS-to-Name-Table Conversion UtilityM' &&& N&NIS-to-Name-Table Conversion Utility|a&]&3 4$The NIS2NAM.SH utility converts an NIS name table on a UNIX system to the name table format used by Surveyor. It provides a method of creating a Surveyor name table with addresses and associated symbolic names without having to re-enter information.NIS2NAM.SH is installed in the ..\Shomiti\Surveyor\scripts directory. It is a UNIX shell script, designed to run under a Bourne shell. To use the conversion utility, copy the NIS2NAM.SH file to a UNIX system as a text file. The UNIX system must have NIS running for the utility to produce the new name table for use with Surveyor. To execute the command on the UNIX system, type:m&&0 .$HNIS2NAM is the name you select for the new Surveyor name table. The UNIX system is searched for the NIS name table. If no NIS name table exists, the utility returns an error message. Once the new name table is created, copy it as a text file to the ..\Shomiti\Surveyor directory on your Windows system running Surveyor.u]&&A PtsNOTE: The name table automatically loaded by Surveyor is surveyor.nam. If you use another name for your converted name table, you will need to load the name table before performing other Surveyor functions. The default name table loaded by Surveyor may be changed. Change the Name Table= parameter in the surveyor.ini file to set a new default name table file./&&, (t!~!L&+&1+&o& &Build a Surveyor Name TableD&o&& <&Build a Surveyor Name Table+&&&& #$Once a Surveyor name table is built, it is easier to perform analysis tasks or specify station names and addresses when constructing filters. P)o&v&' RBUILDING A NAME TABLE FROM THE NETWORKvO&&&' $You can build a name table by capturing the node addresses on your network. .v&y &_ ]V:H[Di&{׫1.Run Surveyor in monitor mode. Do not use any filters. The Learn Names check box must be selected in the Name Table dialog box; if you also select the Learn Addresses option, Surveyor places any addresses it sees on the network into the name table as they are discovered in the data stream.2.Add names associated with the addresses learned from the network. This step can also be performed after the name table is saved.3.Save the name table to a file. You must save the name table before you exit Surveyor or new name table data will be lost. If you save the name table data to the default name table, hosts.nam, the new name table data will be loaded automatically whenever you restart Surveyor. If you save the name table to a new file, use the .nam file extension for easy reference.O(& &' PCONVERTING AN EXISTING NIS NAME TABLEy & &4 6$T0Surveyor has a UNIX utility for converting an existing NIS name table to Surveyor name table format. See the NIS-to-Name-Table Conversion Utility for more information on converting existing name table information.P &(&1(&t&D&Changing the Default Name TableL# &t&) "F& Changing the Default Name Table'(&&2 2$A default Name Table file, hosts.nam, is included with the software. Surveyor boots using this default name table. If you wish to change the start up default name table, you must edit the Surveyor.ini file by following these instructions:t&A&Y SV:H1.Locate t&A& &he Surveyor.ini file in your Windows95 or WindowsNT directory.2.Open the Surveyor.ini file with your text editor software.3.Search for this line, NameTable=C:\Shomiti\Surveyor\hosts.nam.4.Delete the hosts.nam text on that line.5.Replace text with your default name table file. It should have the .nam extension.6.Save the Surveyor.ini file, exit your editor and start Surveyor application..&A&' TIPSA&B&( M$Address and symbolic name associations can be discovered by Surveyor. This table can be saved as a file with the .nam extension and used as the default name table.A&C&= HW$"The name table can always be changed to another within the software by clicking on the button and selecting Open. Find the name table file you want and click OK.2 B&C&' SEE ALSONC& D&0 0<$W,Learn Network Addresses S#C&_D&0 0F$E Load a Name Table from a FileQ! D&D&0 0B${׫Save a Name Table to a File*_D&D&' $DD&E&1E&XE&&"&- *"V:H Module typeU(&w&- *PV:H Serial number for the module boardF"&&- *2V:H Capture memory sizeEw&&- *0V:H Counters supported@&B&1jOOB&z&&Custom Counters8&z&& $&Custom CountersB&&' $Custom counters are user-defined counters established in capture filters. When a certain condition in the filter is satisfied, counter 1, 2, or 3 can be incremented as a result of one of the actions taken by the capture filter. Custom counters are available in capture mode only.Custom counters are incremented in the MAC Statistics view as packets are captured. By setting counters, you can visually see in the MAC Statistics view how many frames of a certain type have been captured. (z&&% $J& &12OM &N&&&Counter Log File Overview& &&B&N&& 8&Counter Log File OverviewE &&K d$" =Counter log files contain snapshots of Surveyor counter information. All byte, frame, and error counter values are recorded in the log file. The time interval for capturing snapshots, the number of snapshots in the log file, and the creation of history files are set in the System Settings option of the Configuration menu. For Surveyor, log files are maintained by module. A log file and a set of history files are created in a unique directory for each Century Media Module and each Ethernet Adapter. The directory for the module log is named ..\Shomiti\Surveyor\log\local\module_n. The module log file is named module_n.csv where 'n' is the number of the module. The log directory structure starts from the installation directory for Surveyor.N&&? L$"For Surveyor in NDIS mode, log files are maintained by the Ethernet adapter (NDIS) running the Surveyor software. The directory for the NDIS log is named ..\Shomiti\Surveyor\log\local\NDIS_n and the NDIS log file is named NDIS_n.csv where 'n' is the number of the adapter the NDIS driver detected. The log files are text files in CSV format, a format easily imported into spreadsheet applications such as Microsoft Excel. Each line entry in the log file will create a separate row in the spreadsheet. Column titles for all counters are provided in the CSV text file. A template file for viewing counter information as graphs is provided. The template file works with Microsoft Excel Version 5.0 or greater. 2 &&' SEE ALSOR"&&&0 0D$tConfiguring Counter Logging R!&x&1 Mx&&K'Export Counter Log Files to ExcelJ$&&&& H&Export Counter Log Files to Excelx&&2 2k$Use these steps to view the counter data in the log files as Excel 5.0 graphics. The Excel template, charts.xlt, is located in the ..Shomiti\Surveyor\Examples|Log directory.&&A PV:H1.Start Excel 5.0 and open charts.xlt. You should see an empty worksheet called Data Sheet. Worksheets are named using tabs at the bottom of the Excel rows and columns.2.Open the log file. Remember to set the Open File Type to Text Files (*.csv) or All files ( *.* ) so you can see the log file.3.Select the entire worksheet. Move the mouse to the small button at the top left corner of the worksheet. Click the button to highlight everything on the worksheet.T&& ؀V:H4.Use Copy from the Edit menu or Ctrl-C to copy the contents of the worksheet into the Windows clipboard.5.Switch to the previously opened Charts window. To change windows, pull down the Windows menu and click on Charts.6.Click cell A1 of Data Sheet in the Charts window, the cell in the top-left corner of the worksheet.7.Use Paste from the Edit menu or Ctrl-V to paste the data into the worksheet named Data Sheet. &&+ $V:H8.Select one of the names on the bottom tabs to see a graph. Twelve graphs and one spreadsheet showing computed data are available. Select a graph by clicking on one of the tabs at the bottom of the spreadsheet. S+&r&( W$HThe rows of counter data displayed in a graph are the most current rows. For example, when displaying 500 rows of counter information, only the 500 most recently captured sets of counter information are used in the graph. Three types of graphs are available, each with four different row counts.i<&&- *xV:H Network Utilization (500, 1,000, 2,000, or 4,000 rows)[.r&B'- *\V:H&B'&& Bytes (500, 1,000, 2,000, or 4,000 rows)]0&'- *`V:H Packets (500, 1,000, 2,000, or 4,000 rows)[B'!'' $HRefer to Excel documentation for more information on using templates in Microsoft Excel.*'K'' $HH!''1 'c 'Log Directory Structure@K''& 4&ȀLog Directory Structure'', &1$The following is the directory structure for log files. The root directory is the installation directory for Surveyor, usually c:\Shomiti\Surveyor.''W |]&33333333(root)\log\local\module_1 (directory for module 1) module_1.csv (log file for module 1) \history (history directory for module 1) mmddhhmm.ss (first history file for module 1) mmddhhmm.ss (second history file for module 1) mmddhhmm.ss (third history file for module 1)(root)\log\local\module_2 (directory for module 1)''W |c&33333333 module_2.csv (log file for module 2) \history (history directory for module 2) mmddhhmm.ss (first history file for module 2) mmddhhmm.ss (second history file for module 2) mmddhhmm.ss (third history file for module 2)(root)\log\local\module_n (directory for module n) module_n.csv (log file for module n)''W |&33333333 \history (history directory for module n) mmddhhmm.ss (first history file for module n) mmddhhmm.ss (second history file for module n) mmddhhmm.ss (third history file for module n)(root)\log\local\NDIS_1 (directory for Ethernet Adaptor 1) NDIS_1.csv (log file for NDIS adapter) \history (history directory for NDIS adapter)?' 'j &333333333 mmddhhmm.ss (first history file) mmddhhmm.ss (second history file) mmddhhmm.ss (third history file)(root)\log\local\NDIS_n (directory for Ethernet Adaptor n) NDIS_n.csv (log file for NDIS adapter) \history (history directory for NDIS adapter) mmddhhmm.ss (first history file) mmddhhmm.ss (second history file)e9'c ', (r&33 mmddhhmm.ss (third history file)F ' '1B ' 'A'Copy (Export) Packets>c ' '& 0&Copy (Export) Packets ' '' $You can export packet decode information to another source. However, this cannot be done directly from the Capture View window. You must copy the data to an intermediate window.To export packet decode information, do the following:4 '-'H ^V:H"h1.Set the summary pane of the Capture View window to display the protocol decode information you want to export. For example, packets numbered 0004 through 0013.2.Select a packet within the window.3.Press the button. A window displays containing the protocol decode data that was visible in the summary pane of the Capture View window. 4.Select the data you want from the window and press Ctrl + C.5.Switch to the application where you want to store the packet information. ~L ''2 4V:H6.Press Ctrl + V.7.Click on a Surveyor window to return to Surveyor.--'''  TIP'@'( S$'@'c 'If you select a portion of the current packet within the detail decode of the packet, the entire decode for this single packet is moved to the copy window for export.'A'@ N3$ ހ$IYou can also export packets to CSV format from a data view. See Export Data to CSV Format or to a Bitmap or Export Data to Optimal CSV Format.Y(@'A'1CA'8B'JG'Export Data to CSV Format or to a BitmapQ+A'8B'& V&Export Data to CSV Format or to a Bitmap/A'gC'' &You can export tables to CSV format (Excel or Optimal) or charts to BMP format (bitmapped graphic). When saving a chart to a bitmap, it is recommended that the display settings for your monitor be greater than 256 colors to create an image with accurate colors.`8B'F'Q pV:H1.Select the view you want to export. Press one of view buttons on the Data Views or the Capture View toolbar.If you already have the desired view window open, click the window to make it the currently selected view.2.Click the Table tab to export to CSV format or click the Chart tab to export to a bitmap.3.Choose Export from the File menu.4.Enter the file name in the Save As dialog box. Table views will automatically be saved in CSV format and the file is given an extension of .csv. Chart views will automatically be saved in BMP format and the file is given an extension of.bmp.NgC'fF'0 0<V:H5.Click the Save button.-F'F''  TIPfF'JG'4 6$$IFrom Application Layer Matrix View you can save the table data in Optimal CSV format. See Export Data to Optimal CSV Format.R!F'G'1 G'G'N'Export Data to Optimal CSV FormatJ$JG'G'& H&Export Data to Optimal CSV FormatG'I'- (q&Optimal Performance, from Optimal Networks Inc., is a tool for planning, deploying, and troubleshooting distributed applications on large enterprise networks. Surveyor exports data into a special .csv file format that can be easily read by the Optimal Performance product. When saving a chart to a bitmap, it is recommended that the display settings for your monitor be greater than 256 colors to create an image with accurate colors.qLG' 1Frames 1--> 2Bytes 1 --> 2Bytes 2 --> 1MK'jM'M hV:H4.Choose Export to Optimal Performance from the File menu. 5.Enter the file name in the Save As dialog box. Table views will automatically be saved in Optimal CSV format and the file is given an extension of .csv.6.Click the Save button.L'cN'/ ,&HSurveyor logs both a start and stop time to the csv file. The start time is the time the table/chart window is first opened and the stop time is the last time the file is exported or saved to disk.*jM'N'' $HBcN'N'1C N' O'ہ'Identify a Module:N' O'& (&Identify a ModulevPN''& $You may want to verify that the correct module is connected to the correct network or network segment. If you have multiple modules in a system, you can identify which is which. An LED next to the interface c O''N'onnections for the board will blink for the selected module. The LED is present only on Shomiti analyzer cards (CMM2 or GAM).P O'ہ'; D+V:H1.From the Summary View, make sure that the resource you want to check is the currently active resource.2.From the Module menu, choose Identify. 3.Look at the back of the system where modules are connected to the network. The LED for the selected module will blink.?''1M M 'Q''Error Counters7ہ'Q'& "&Error Counterst''' $During transmit or receive, error events are counted as they occur. The MAC statistics view and the table associated with the Utilization/Errors chart displays the transmit or receive error counters. Click on the counter names below for information on counters.The Token Ring NIC adapter must support the reporting of these error counters for Surveyor to display them.[1Q'G'* $bRECEIVE ERROR COUNTERSTRANSMIT ERROR COUNTERS'"' $5 ,~B,TzAd)E۰&bKue'c⺠c0ɀmV؀¹Alignment/CRCTotal Tx CollisionCollision IndicationTx AttemptFragmentsTx DeferJabbersTx Excessive CollisionOversizeTx Excessive DeferDrop EventsTx Late CollisionUndersizeVery Long EventFG'h'1 2*$ydPackets Dropped+"''( $=h'І'' ,TOKEN RING COUNTERS3'' 3$<2MQ6GOǀ`J08WȀ+Line Error AC Error Frame Copy Burst Error Frequency Token Error Internal Error Abort Delimiter Lost Frame @І'C'1EM C'{''Packet Counters8'{'& $&Packet CountersC'M'& Y$Packet counters count the number of packets/bytes received or transmitted. Packet counters are viewed from the MAC Statistics view. The following counters are supported:?{''- *$V:H Total FramesCM'ω'- *,V:H Broadcast FramesC''- *,V:H Multicast FramesAω'S'- *(V:H Unicast Frames?''- *$V:H Error FramesGS'ي'- *4V:H Total Bytes ReceivedY'e'3 6$HW?A breakdown of the total number of error frames is provided by the error counters.*ي''' $HDe'Ӌ'1? Ӌ''R'Name Table Overview<''& ,&Name Table OverviewAӋ'P'? L$/kT0A Name Table provides associations between easy-to-remember symbolic names (Mickey) and hard-to-remember network addresses (0x78AB00004235). Surveyor and Explorer learn names automatically by viewing the network portion of DNS, SAP, and NetBOIS packets. A default name table is supplied by Surveyor containing well-known name-to-address associations. You can change the default name table . A conversion utility is available to convert existing name tables into the name table format used by Surveyor.''' !$The name table contains three columns: Protocol, Name, Address. The 1st column contains the name of the Protocol that the address is associated. The 2nd contains a name in the form of a character string that represents the address. The 3rd column contains the numeric address. Names can be associated with MAC, IP, IPX, or SNA addresses in a name table. The Name Table dialog box initially dP'''isplays the default name table. You can manually add, modify, or delete name table entries. You can also change the active name table so that Surveyor will use a different name table file. You can create many name tables, but only one table is active at a time.a;P't'& w$You can also let Surveyor learn names and addresses automatically from the network for MAC, IP, IPX, or SNA protocols. You can have Surveyor record all new addresses in the name table, or only those that have a corresponding symbolic name. Surveyor can capture name-address associations in real-time monitoring mode as well as capture mode. New names are added to the name table in monitor mode as they are discovered in the data stream. You must save any changes to the currently active name table in a name table file or changes will be lost when you exit Surveyor. _' '9 @$To learn all addresses, select the Learn Addresses check box in the Name Table dialog box. Surveyor will enter all new addresses. If no symbolic name is associated with an address, the address is repeated in the name column for that entry in the name table.To learn only addresses that have corresponding symbolic names, make sure the Learn Names check box is selected and the Learn Addresses check box is NOT selected in the Name Table dialog box. Surveyor will only add an item to the name table when it discovers a character string associated with an address from a DNS, SAP, or NetBOIS packet.t''@ NI$4huYou can display the ASCII characters for well-known vendor names in the MAC address. Check the Display Vendor Names box to display vendor names. Vendor names will be displayed in the monitoring and capture views as well as in the name table.Name table data is presented as a table which can be sorted by clicking the column headers. Click and drag on column dividers to size columns.For remote resources, Surveyor uses names learned from remote as well as local resources when displaying capture or monitor views. A local copy of the remote name table is updated at a specified time interval. For remote resources, the name table is updated at a specified time interval. The time interval for refreshing the remote name table is set in the configuration menu of Surveyor. If there are duplicate names between remote and local resources, local names take precedence and the name table will display the local name only.  ''' $The active name table can be loaded from a file. Loading the name table from a file will overwrite all existing entries in memory. Keep this in mind when using the network to learn names; until names are saved to a file, they can be lost if you exit Surveyor or overwrite the name table contents.Entries in the currently active name table appear in a Name Table area that is within the dialog boxes for appropriate filter statements. The Name Table area shows all name and address associations, including the protocol and the frame type. Before starting to write a capture or display filter, make sure the name table you want is the currently active name table (loaded into memory). This ensures that the proper symbolic names are available.R('R'* "Q$To use the same name table information for all systems running Surveyor, you can set up a common default name table. All Surveyor users can configure the path and name of the default name table, which can be the same file stored on a server.Name table entries are limited to 1,024 entries.C''1 P''`(Multi-QoS Overview=R''( *HMulti-QoS OverviewoF'M() Multi-QoS is a software plug-in to Surveyor that analyzes multi-media traffic over Ethernet-based networks. Multi-QoS validates Quality of Service (QoS) parameters presented by PSTN/IP Gateways, IP switches, and IPBXs. Multi-QoS provides a rich set of reported'M(R' and calculated data to validate IP networks that carry the multi-media data.The transmission of voice and video over traditional "data-only" networks is one of the most active areas in today's telecommunications industry. Voice over IP (VoIP) refers to the transmission of voice that has been compressed and transmitted over an IP (Internet Protocol) network. H.323 is a key industry standard that enables VoIP communications. The H.323 standard addresses call control, multimedia management, and bandwidth management as well as interfaces between LANs and other networks. wN'() Given the rapid acceptance of IP as the de facto protocol, QoS has become one of the biggest challenges for network administrators, especially for voice and video applications that require real-time performance. Policy-based systems, gateways, switches and routers are often configured with a myriad of vendor and protocol combinations to work in unison to provide priority for the real-time demands of multi-media traffic. Full decode of H.323 by Multi-QoS provides users with the ability to look at any packet of the previously captured data and understand its contents. Multi-QoS will validate if the network is performing as it has been configured and help you trouble shoot the problem if it is not. Like H.323, Multi-QoS supports SIP, SIP Plus, MGCP, and SGCP in order to assist in the troubleshooting of complex VoIP network scenarios.tM(`(( Multi-QoS features are available only from Surveyor menus and toolbars if you have the Multi-QoS plug-in module.@((1OOP(( (Multi-QoS Views9`((' $Multi-QoS Views( (D V The Multi-QoS views present call and channel information for the H.323 protocol. The views can be of capture files, a capture buffer, or in real-time monitoring mode. The following Multi-QoS views are available from the Capture Views menu as submenus of the Multi-QoS Views selection:Multi-QoS Conversation View The Multi-QoS Conversation View provides information about all conversations discovered by the H.323 protocol decode.Multi-QoS Channel View The channel view provides detailed channel information about a selected conversation in tabular format. All VoIP/Multi-Media channels for the selected conversation are displayed.D( (( 9Logic internal to Surveyor decodes the H.323 frames and organizes call and channel information into easy-to-read tables. No configuration is required to use the Multi-QoS logic; however, some of the displays can be customized to highlight the call information you are looking for. 2 ( (' SEE ALSO}@ ( (= Je4K6WMulti-QoS Conversation Table Multi-QoS Channel Table M ( (1P9P (( (J(Multi-QoS Conversation TableF (( (' >Multi-QoS Conversation Table (B () The table below briefly describes the columns in the Multi-QoS Conversation Table.The Multi-QoS Conversation Table fields can be exported to a .csv file. The fields appear in the exported file appear in the same order as the table below.a:( ( (' t Multi-QoS Conversation View, Table Column Descriptions tB ((W#~:   Table ColumnDescription= ((i#z 02Calling Party NumberPhone number of the calling party.9(?(I#br ,Called Party NumberPhone number of the called party.S((I#b Source AliasThe first alias from the list of aliases for the source. (H.225.0)i ?(P@(I#b@ (P@( (Source IPSource IP Address.](@(I#b (Destination AliasThe first alias from the list of aliases for the destination. (H.225.0)s*P@(iA(I#bT "Destination IPDestination IP Address.A@(B([# <    CTConnection Type. F = fast, N = Normal, U = Unknown.;iA(B(I#bv Start TimeTime the setup message was received. (Q.931)DB(C(I#b End TimeTime the release complete message was received. (Q.931)~B(C(I#b  Setup Time(s)Time differential between when the Setup Message was received and the Alerting Message was received. (Q.931)C(D(b#u H    Call StateCall state. Setup = Setup Message received Alerting = Alerting Message received Active = Connect Message received Released = Release Message received. (Q.931)HC(E(I#b &Call DescriptionThe cause for the Release Complete message. (Q.931)WD(*F(I#b 0Src Product H.323 VerSource Product H.323 Version. (portocolIdentifier in H.225.0)@E(F(I#b &Src Product NameSource Product Name. (productId in H.225.0)B*F(>G(I#b $Src Product VerSource Product Version. (versionId in H.225.0)]F(G(I#b 2Dest Product H.323 VerDestination Product H.323 Version. (portocolIdentifier in H.225.0)F>G(sH(I#b (Dest Product NameDestination Product Name. (productId in H.225.0)HG(I(I#b &Dest Product VerDestination Product Version. (versionId in H.225.0)ssH(I(I#b  Number of LCsNumber of Logical Channels. Number of video, audio, and data channels composing the conversation.bI("J(I#b2 Src PortSource Port.hI(J(I#b> Dest PortDestination Port.+"J(J((  HJ(J(1P QJ(>K((Multi-QoS Channel TableAJ(>K(' 4Multi-QoS Channel TableiJ(L(* "From the Conversation Table you can double-click on any conversation to display its associated channel information in the Channel Table. The table below describes the columns in the Multi-QoS Channel Table.The Multi-QoS Channel Table fields can be exported to a .csv file. The fields appear in the exported file appear in the same order as the table below.\5>K(-M(' j Multi-QoS Channel View, Table Column Descriptions tL(M(W#~:.  Table ColumnDescription1-M(;N(i#b.IndexOrder in which channels were created.7M(N(I#bn.Sync SourceInternal number identifying the source.|';N(7O(U#zN.0  ProtocolProtocol. RTP or T.120}N((V#|.2  DirectionStream origination. Forward = stream originating at the caller.Reverse = stream originating at the7O((J( callee.?7O((I#b~. LCNLogical Channel Number. (LogicalChannelNumber in H.245)y0((I#b`. SIDSession Identifier. (SessionID in H.245)r)((I#bR.CodecCodec type. (dataType in H.245)9( (I#br. PCPacket Count. The value is calculated by Surveyor.7((I#bn. BCByte Count. The value is calculated by Surveyor.< ((I#bx. PDPackets Dropped. The value is calculated by Surveyor.L((I#b.Jitter (ms)Jitter in milliseconds. The value is calculated by Surveyor.X(F(I#b.$Min Jitter (ms)Maximum Jitter in milliseconds. The value is calculated by Surveyor.X((I#b.$Max Jitter (ms)Maximum Jitter in milliseconds. The value is calculated by Surveyor.bF((I#b.Max IPG (ms)Maximum interpacket gap in milliseconds between two packets sent from the source. ((J#b.4Seq. No. - Max IPG (ms)Maximum interpacket gap in milliseconds between a packet sent from the source and the corresponding acknowledgement sequence number packet sent from the destination.E(+(I#b.RTCP PCReal-time Transport Control Protocol (RTCP) Packet Count.f((I#b:.RTCP BCRTCP Byte Count. j!+((I#bB.RTCP PDRTCP Packets Dropped.U((I#b.&RTCP Jitter (ms)RTCP reported jitter. Average reported RTCP interarrival jitter.\(>(I#b..RTCP Min Jitter (ms)RTCP reported minimum jitter. Minimum reported interarrival jitter.\((I#b..RTCP Max Jitter (ms)RTCP reported maximum jitter. Maximum reported interarrival jitter.K>(w(I#b."Low Seq NumberLowest Sequence Number. Lowest RTP sequence number seen.N((I#b.$High Seq NumberHighest Sequence Number. Highest RTP sequence number seen.Iw((I#b.Sdr Rprt CntSender Report Count. Number of RTCP Sender Reports seen.N(7(I#b. Rcvr Rprt CntReceiver Report Count. Number of RTCP Receiver Reports seen.S(ӌ(I#b.Scr Desc CntSource Description Count. Number of RTCP Source Descriptions seen.<7(X(I#bx.Goodbye CntGoodbye Count. Number of RTCP Goodbyes seen.Zӌ((I#b.App Def CntApplication Definition Count. Number of RTCP Application Definitions seen.OX((I#b.$Unknown Rpt CntUnknown Report Count. Count of all other RTCP reports seen.E(!(I#b.CNameRTCP Canonical Name. (RTCP Source Description, CNAME field)>((I#b|.RTCP NameRTCP Name. (RTCP Source Description, NAME field)A!(>(I#b.RTCP EmailRT(>(J(CP Email. (RTCP Source Description, EMAIL field)A((I#b.RTCP PhoneRTCP Phone. (RTCP Source Description, PHONE field)J>([(I#b. RTCP LocationRTCP Location. (RTCP Source Description, LOCATION field)>((I#b|.RTCP ToolRTCP Tool. (RTCP Source Description, TOOL field)>[(i(I#b|.RTCP NoteRTCP Note. (RTCP Source Description, NOTE field)*(('  *i((' ^-((1V9PQ(i((Customizing Table Displays - Multi-QoS AlarmsN'(i(' NCustomizing Multi-QoS Table Displays7((A PYou can customize the display of table information for Multi-QoS to include or exclude Multi-QoS fields from the table display. You can also configure the table view using color. When threshold values are reached, the fields can be highlighted with color to make specific data values in the table stand out.To set the columns for a table display, select View Options from the Views menu. The view option dialog box for the current window will display, Multi-QoS Channel Column Options or Multi-QoS Conversation Column Options. The dialog box contains all possible display fields and a check box for each field. Exclude fields from the table display by removing the check from the check box next to the field. The default is to display all fields.n(i((F ZQ5To highlight important values a table display, select View Configuration from the Views menu. Select the table you want to configure using the submenus, Multi-QoS Channel Table Configuration or Multi-QoS Conversation Table Configuration. A dialog box will display with the table fields you can configure. Set a threshold and a color for any of the fields in the dialog box. When the threshold is reached for a particular field, the row containing the field will change to red text and the field will display in the color you have selected.V((* "For minimum or maximum time ranges, thresholds are set in milliseconds. For example, set the Maximum Jitter field to appear in green whenever the maximum jitter exceeds 100 milliseconds. The row of the channel where the threshold is exceeded will be highlighted in red. The Maximum Jitter field within the bold row will display in green.Y(((1 Q(9((Exporting Multi-QoS Tables to CSV FormatR+(9(' VExporting Multi-QoS Tables to CSV FormatvM(() You can export Multi-QoS tables to CSV format. Multi-QoS data in .csv format can be imported to may spreadsheet and database applications like Microsoft Excel or to your Multi-QoS application, allowing you to display or report data. The order of the fields in the exported files is essential to proper interpretation of the data.Z39( (' fHPerform these steps to export a Multi-QoS table:((J bV:H1.Select the view you want to export. Press one of view buttons on the Data Views or the Capture View toolbar. If you already have the desired view window open, click the window to make it the currently selected view.2.Choose Save Multi-QoS Data from the File menu.3.Enter the file name in the Save As... dialog box. Table views will automatically be saved in CSV format and the file is given an extension of .csv. 4.Click the Save button.b ((' CSV is a comma-delimited text file format used by many applications to import/export text data.1(1z6(Times New RomanArialHelveticaCentury SchoolbookCourier NewSymbolTimesCourierGenevaTms RmnHelvMS SerifMS Sans SerifNew YorkSystemWingdingsTahomaUnivers (W1)MarlettGaramondArial NarrowArial BlackBook AntiquaBookman Old StyleBookshelf Symbol 3Century GothicTimes New Roman MT Extra BoldBookmanITC Lt BTBrushScript BTCentSchbook Win95BTFutura Bk BTFutura XBlk BTFutura XBlkCn BTFutura MdCn BTKidsLithographSwis721 BTSwis721 LtCn BTTechnicalArchitectureAvantGarde Bk BTAvantGarde Md BTBrochureFutura Md BTFutura Lt BTGarmdITC Bk BTMotterFemDPosterBodoni BTSwis721 Blk BTSwis721 BlkCn BTSwis721 Cn BTSwis721 Th BTSwiss921 BTTiffany Hv BTTiffany Lt BTZapfCalligr BTZapfChan MdIt BTZapfHumnst BTZapfEllipt BTFuturaBlack Win95BTSerifa Th BTSerifa BTSwiss911 XCm BTCourier10 BTZapfDingbats BTKeystrokeMonospac821 BTSymbolProp BTMICR 013 BTMICR 012 BTMICR 010 BTMorseCodeElectronicsLandmarksLandscapePlanningMedicineBullets3FurnitureHomePlanningHouseholdNauticalFlagsOfficePlanningMusicBorders1WeatherBullets1BoxesBorders2TransportationTracksBullets2ComputersArrows1Arrows2Business&GovernmentShapes1Shapes2BuildingsToolsTechnologyMonotype SortsMap SymbolsCentSchbook Mono BTGeographicSymbolsMusicalSymbolsHomePlanning2ModerneWebdingsAdLib Win95BTWingdings 3Arial Rounded MT BoldMead BoldMercurius Script MT BoldModern No. 20Wingdings 2Brush Script MTMatura MT Script CapitalsMonotype CorsivaTransport MTKeystrokes MTArial Special G1Arial Special G2Arial Narrow Special G1Arial Narrow Special G2Times New Roman Special G1Times New Roman Special G2CommonBulletsGalantMirrorNotesSignsLucida ConsoleImpactVerdanaXerox Serif NarrowXerox Sans Serif NarrowXerox Sans Serif WideXerox Serif WideDataGlyph SPAlbertus (W1)Albertus Xb (W1)Antique Olv (W1)CG Omega (W1)CG Times (W1)Clarendon Cd (W1)Coronet (W1)Garmond (W1)Letter Gothic (W1)LinePrinterMarigold (W1)Univers Cd (W1)CG Times (WN)Century Schlbk!}%} }}!} TB 0y 0ZzA1ȀeC Q!5;Y4T4Ƃt  [c1 Z6?\ʂ4|BnIMPI L%  UɄ3 4b:=O@=b=h+o/M5 Ec=A=rMwkA Jn^H+3d9XJ(@kȁLu;(w7Vr*&s,[nM]+Q5EhLD>f>/J ANy?2Z J%="ڇ; ;JvN79jLqOp-N3! n> OR> 2> +@(@)ހ?  !xOHOHZo3OӄNӄNƒJ acP o:H8=͉V'&`>0`>g%- @!S7 T  1wAx.  ЅB~ nl K_r==r=" YE,@ j +Y5tMJ6I@ `4=>4=f- %:aOOC-~ a0 qqqqq '; ';rC E X5qE2  ҉SIK7>,@9H <z6Ip.$K>R$5yI7 \Ȃ9 q*& CF< .G@  L=6 t 4RBxC_+}BsO % i*O ]?˅=a˅=bP;qNqNX|4G4  KC  +t0lLnȆJ kIB0=d0=  uMeQ]^9e2  W 3 QImL`_* {JB<,{/-ҁ@38=!X!Ĉ9@ Y8wu7}PD#Z<N* h[#C 7C>e> -{  9 ~FD1n1 m/\<eew!ZƇ85? $     ,EG<  v8 C Hi,h-Wd.gaKMNNj0,b1`r9 . P54 AF'oMmC'?*? ~مBUP4l2 ׃ :KjA LW[5d9Pk /A I 67J[ 7 !m 6:VK3q h KƇ8q,- J3mO͉ȁL@  X  *<< 3o3Ȃ97J n     { >  X!!  4P<,Z<';9Pb:';_*8=l ͉-  +DEDD ,N+P4r*+5$557+IILPP9P͉B W qeXP4 7J L9P3Ʉ3!9PL+C QgKZ JBBPD QƒJJPȂ9Z P qNX!MMM34=MOMOh+h+ E- t w! g QNqM4=Ȃ9B#C QمBkA.O LOӆ!ȁL  q ,%----OHF'#Ck͉ deCBm͉͉'<*ȁLq CȂ9eCB O=[5[5 a++++H+44PDF';(#CeCrCZ<B#CK3K7JKMNNӄNQ9H  gRE   n ͉pK9 ..q]59 =6IMӆ!89Pr=4=4=r=P:7 Ѕu7"@K>M,5;..:b:: //Eh+>,,<,,,%----9 ..../ ///000111A122E2?2<,-No3 347JK@ !9PȂ9Ʉ3A1K3P44ڇ;9PxCnM]> 'L~M> PDPD9PP5Io3:ʂ4 7r=E< CF' RȁL~& qM-N%OH~w7r*H+OO9PPOOP*O999*;:;L4// 300ʂ44aKL4l ӄNN Q54554OOOI=xC҉0FP[5%1KKeJCĈ9D q19 .m0͉l m0JqJ9PA1ȆJ>,,>,,VJ8=_*n46$527 J 69P=5 L% B9P9P@!3!\I%C Cn%xCBIBrCIIImCxC6IKPP7 - 9IaK22A  5;b:::q4=r=nMnEȂ9aKKLF'Z< 6 6q;(3=656 6 67Ȃ9҉ Q8qE2?2K3Ѕu7@K>w7. //0 77 aKZka]93?2]%--d-/011w77JX҉aK5=M^9xC0 Q4ڇ;KȂ987A8 K#hN/P&P;)F24 K.ini FileAbout ResourcesAbout SurveyorAbsolute Sample Type Absolute TimeAccess Denied, Host, ICMPAccess Denied, Network, ICMPAccess Privileges, ChangeAccess Privileges, Create Access Privileges, Defined$Access Privileges, Show(Accounts, Create,Accounts, Delete0Accounts, Supplied Defaults4Actions8Activate a Filter<Activated Streams@Activating FiltersDAdd Packet TemplatesHAdd a NameLAdd a PacketPAdd a StatementTAdd Packets in Capture ViewXAdd States\Add/Delete Statements`Address DuplicationdAddress Errors: Duplicate AddresshAddress Mapping ViewlAddress, IllegalpAddress, Shomiti SystemsxAddresses, Updating Explorer|Advanced Filter ExampleAdvanced FiltersAlarm ActionsAlarm BrowserAlarm EditorsAlarm EventsAlarm Example, MAC ErrorsAlarm Example, Packet SizeAlarm Example, UtilizationAlarm ExamplesAlarm GroupsAlarm List and LogAlarm RowsAlarm Rows:CopyAlarm Rows:InsertAlarm ThresholdsAlarmsAlarms OverviewAlarms, Expert GroupAlerting MessageAll ICMP ErrorsAnalysis, View SymptomsApplication ConversationApplication Definition CountApplication Layer Host Table ViewApplication Layer Matrix ViewApplication Response TimeApplication Response Time ViewApply a Display FilterApply a Simple FilterApply an Alarm to a ResourceARP BroadcastsAssigning Names to Protocols (Monitor)Assigning Protocol NamesAssigning Protocol Parsers Assigning TCP or UDP Ports to Protocol ParsersAttach a Filter DescriptionBad IP Header, ICMPBitmap, ExportingBOOTP Requests BPDU Packets, Count$Broadcast/Multicast Storm(Broadcasts, Excessive,Broadcasts, OSPF0JBroadcasts, RIP4Broadcasts, SAP8Broadcasts, Total Router<Broadcasts:ARP@Buffer SizeDBuffer Size:SettingHBuild a Name TableLBurstsPButtonsTByte Count in Capture ViewXCall Description\Call State`Canonical NamedCapture + Monitor Mode, UsinghCapture and Display Filter DifferenceslCapture and Display FilterspCapture Buffer, Setting Save-to-DisktCapture Conversation ExamplexCapture Data|Capture Filter ExamplesCapture ViewCapture View Display OptionsCapture View, PrintingCapture View, Using TemplatesCapture/Monitor Views, ContrastCDP Packets, CountCentury Media ModuleChange Access PrivilegesChange PasswordChanging Addresses, ExplorerChanging the Default Name TableChannel Table for Multi-QoSChecksum ErrorsClear Alarm Log DisplayCMM2CodecCollect NamesCollisions, ExcessiveColor Coding, Packet SummaryColumn Options for Multi-QoSCombinations of Filter ElementsConfiguration SetsConfiguring 12-TapConfiguring Alarm ActionsConfiguring Counter LoggingConfiguring Expert LoggingConfiguring Multi-QoSConfiguring Ports to ScanConfiguring Remote CommunicationsConnect to a Remote ResourceConnection TypeContacting Customer SupportContinuous TransmissionConversation Example Conversation Table for Multi-QoSConversationsCopy (Export) PacketsCopy Alarm RowsCounter Data, Storing Counter Log Files$Counters,Counters, Custom0Counters, Error8Counters, Export to Excel<Counters, Packet@Coup MessageDCoup Message:HSRPHCRC Error FramesLCreate a FilterPCreate a Filter ElementTCreate a Simple FilterXCreate a Transmit Specification\Create Access Privileges`Create an AlarmdFCreate an Alarm GrouphCreate PasswordlCreate User NamepCreate/Modify Filter WindowtCreating and Applying a ConversationxCreating Filter Element Combinations|Creating Filter ElementsCSV Format for Multi-QoS TablesCSV Format, ExportingCumulative Byte CounterCurrent Users, ShowCustom CountersCustomer SupportCustomizing Chart ViewsCustomizing Diagnostic InformationCustomizing Table Displays for Multi-QoSCustomizing Table ViewsCustomizing Views and WindowsD/F SetDeactivated StreamsDecode PacketsDecode View, editingDefault AccountsDefault Name TableDefined StreamsDefinitionsDelete a NameDelete a StatementDelete an AccountDelete StatesDelta Sample TypeDelta TimeDescribe a FilterDestination Host Access Denied, ICMPDestination Host Unknown, ICMPDestination Network Access Denied, ICMPDestination Network Unknown, ICMPDestination UnreachableDetail ViewDevice PropertiesDiagnosis, Overview Diagnostic Information, CustomizingDialog Box, Transmit SpecificationDifferences:Capture and Display FiltersDirection indicatorDisable a Capture Filter for a Module Disable Expert Symptoms$Disable Expert Views(Disconnect from a Remote Host,Display Filter Refresh0Display Filters4Display Filters:Activating8Display Options in Capture View<Download a Filter@Duplicate Address ViewDDuplicate Network AddressHEdit the Name TableLElapsed TimePE-mail Address, Shomiti SystemsXEnable Expert Symptoms\Enable Expert Views`Enabling ConversationsdError CountershError ViewlErrorspErrors:PhysicaltExamples, Capture FilterxExamples, Transmit Specifications|Excessive ARPExcessive BOOTPe an Alarmd HExcessive BroadcastsExcessive CollisionsExcessive MulticastsExcessive TCP/IP RetransmissionsExpert AlarmsExpert LoggingExpert OverviewExpert Overview TableExpert Symptom .ini FileExpert SymptomsExpert ThresholdsExpert ViewExpert Views, Enable/DisableExpertmsg.ini FileExpiring, Time to LiveExplorerExplorer UpdatesExplorer:Setting Voyager Ports fromExport Counter Log Files to ExcelExport to BitmapExport to CSV FormatExport to Optimal CSV FormatExporting Multi-QoS Tables to CSV FormatFile FormatsFilter Combination ExampleFilter DescriptionFilter Element CombinationsFilter Element TemplatesFilter Element, ModifyingFilter ElementsFilter Elements, CreatingFilter Example 1Filter Example 2Filter Example 3 Filter Example 4Filter Interface: Getting StartedFilter StructureFilter TCP Port ExampleFilters:Activating Forcing Links for GAM$Fragment Reassembly Time Exceeded, ICMP(Fragmentation Needed, ICMP,Frame Arrival Time0Frame Length4Frame Rate8Frame Rate, Overload<Frame Size Distribution View@Frame type selection in filtersDFrame TypesHFrozen Window, TCP/IPLFull Duplex, SettingPGAMTGenerate TrafficXGet Version Information\Getting Started with the Filter Interface`Gigabit Analysis ModuledGlossaryhGo To FramelGood FramespGoodbye CounttGraphs, Byte CountersxGraphs, Packet CountersH.323 VersionHardware DependenciesHex View, editingHide Filter DetailsHints and Tips for a Transmit SpecificationHints and Tips for AlarmsHints and Tips for Expert FeaturesHints and Tips for ResourcesHints and Tips for Using FiltersHints and Tips for Using ViewsarmdEHistory FilesHost Access Denied, ICMPHost Matrix ViewHost Redirect for TOS, ICMPHost Redirect, ICMPHost Table ViewHost Table, Application LayerHost Table, Network LayerHost Unreachable for TOS, ICMPHost Unreachable, ICMPHost Users, ShowHost, Connect toHost, Disconnect fromHow Surveyor Assigns Protocol NamesHSRP Coup MessageHSRP Resign MessageICMP All ErrorsICMP Bad IP HeaderICMP Destination Host Access DeniedICMP Destination Host UnknownICMP Destination Network Access DeniedICMP Destination Network UnknownICMP Destination Unreachable ICMP Fragment Reassembly Time ExceededICMP Fragmentation Needed [D/F set]ICMP Host RedirectICMP Host Redirect for TOSICMP Host Unreachable ICMP Host Unreachable for TOS$ICMP Network Redirect(ICMP Network Redirect for TOS,ICMP Network Unreachable0ICMP Network Unreachable for TOS4ICMP Parameter Problem8ICMP Port Unreachable<ICMP Protocol Unreachable@ICMP Redirect, Redirect, ICMPDICMP Required IP Option MissingHICMP Source QuenchLICMP Source Route FailedPICMP Time ExceededTICMP Time to Live ExceededXICMP, Error Categories\Identify a Module`Illegal MAC Source AddressdIllegal Network Source AddresshIllegal VLAN IDlImage, Updating Explorerpini FiletInsert a New PacketxInsert Alarm Rows|Interarrival JitterInternet Address, Shomiti SystemsInterpacket GapIP Checksum ErrorsIP Option Missing, ICMPIP Time to Live ExpiringISL BPDU/CDP PacketsISL Illegal VLAN IDISL Protocol ViewJitterKeyboard ShortcutsLayer Viewing, Packet SummaryLearn Network AddressesLength, FrameLine SpeedList, AlarmLoad a Capture FilterLoad a Name Table from a Filed NLoad a Transmit SpecificationLock a ModuleLog Files, CountersLog, AlarmLoggingLogging:Expert SymptomsLogical Channel NumberLogical ChannelsLong Acknowledgement, TCP/IPMAC Control FrameMAC Source Address, IllegalMAC StationsMAC Stations, NewMAC Stations, TotalMAC Statistics (Capture)Macro FiltersMain WindowMapping Addresses, Viewing Mark Start TimeMode, ExpertModesModify a FilterModify a Filter Element Modify a Name$Modify a Transmit Specification(Modify Existing Statements,Module Arm Time0Module Capacity4Module Indicator8Module Port<Module Settings@Module, LockingDModule, UnlockingHModule, ViewingLMore Information on Detail ViewPMST Topology ChangeTMulticast StormXMulticasts, Excessive\Multi-QoS`Multi-QoS Channel TabledMulti-QoS Conversation TablehMulti-QoS OverviewlMulti-QoS ViewspMulti-State LogictName Table OverviewxNDIS features|NDIS modeNDIS versionNetwork Address DuplicationNetwork ConversationNetwork Layer Host Table ViewNetwork Layer Matrix ViewNetwork NamesNetwork OverloadNetwork Redirect for TOS, ICMPNetwork Redirect, ICMPNetwork Source Address, IllegalNetwork SpeedNetwork Unreachable for TOS, ICMPNetwork Unreachable, ICMPNew MAC StationsNFS RetransmissionsNIS ConversionNIS-to-Name-Table ConversionNon Responsive StationOpen a FilterOpen a Transmit SpecificationOptimal CSV FormatOptimal CSV Format, ExportingOptions for Multi-QoS DisplaysOSPF BroadcastsOverloadOverload Frame RateOverload Utilization PercentageOverload:NetworkOverview of Multi-QoSPacket CountersPacket DecodeedNPacket EditorPacket GapPacket Slicing Packet Summary ViewPacket Summary, View by LayerPacket Viewing OptionsPackets, Adding to Transmit SpecificationsParameter Problem, ICMP Parser Names$Party Number(Password, Change,Physical Errors0Port4Port Unreachable, ICMP8Ports<Ports:Voyager@Pre-defined filter elementsDPrint Frames to a FileHPrinting Capture ViewsLProtecting ResourcesPProtocol Color CodingTProtocol Distribution ViewXProtocol Parsers\Protocol selection in filters`Protocol SummarydProtocol Unreachable, ICMPhReassembly Time Exceeded, ICMPlRefreshpRefresh a ViewtRefresh OptionxRefresh:Display FilterReload a ViewRemote Resource, Connect toRemote Server ProtocolRemote vs. Local ResourcesRepeating FramesReport CountRequired IP Option Missing, ICMPResetting ExplorerResign MessageResign Message:HSRPResource BrowserResource ProtectionResourcesResponse Time, ApplicationsRestart, by alarmRetransmissions, NFSRetransmissions, TCP/IPRIP BroadcastsRoute Failed, ICMPRouter BroadcastsRows, AlarmRSPRST PacketsRTCPRules of the Capture FilterRunt FramesSAP BroadcastsSave a FilterSave a Name Table to a FileSave a Transmit SpecificationSave-to-DiskSearch the Capture File Select the ViewSelecting Filter ElementsSequence NumberSession IdentifierSet Alarm Log File Name Set Alarm Pager Numbers$Set Delta Time(Set Full Duplex,Set MII Mode0Set Port4Set Protocol Color Coding8Set Start of Elapsed Time in Capture View<Set the Mode@Set the Module InterfaceDSetting Protocol Summary Information by LayerHcket DecodeedJSetting Capture Buffer OptionsLSetting Capture Buffer SizePSetting Capture View Display OptionsTSetting Expert Analysis ModeXSetting Expert Thresholds\Setting Full-Duplex Mode`Setting Packet Slicing SizedSetting the COM Port for Century 12-TaphSetting the Monitoring View for a ModulelSetting the View by LayerpSetting Update TimerstSetting Voyager PortsxSetup Message|Setup TimeShortcutsShow Filter DetailsShow Host Users and Access PrivilegesSimple Filter: ApplySimple FiltersSize, Frame DistributionSlicing PacketsSniffer to SurveyorSource Quench, ICMPSource Route Failed, ICMPStandard Filter ElementsStart a ModuleState WindowStatementsStatesStation addresses for filtersStation ConversationStations, ApplicationStations, MACStations, NetworkStatus for Captured PacketsStatus GraphStop a ModuleStop and Save, by alarmStoring Counter DataStream ModesStructure, FiltersSummary ViewSupportSurveyor Implementation ProfileSurveyor to Sniffer Surveyor.ini File Symbolic Names Symptoms, Overview Symptoms, View of SYN Attack SYN Packets Synchronized Resources Table, Expert Capabilities TCP Checksum Errors$ TCP/IP Frozen Window( TCP/IP Long Ack, TCP/IP Retransmissions0 TCP/IP RST Packets4 TCP/IP SYN Attack8 TCP/IP Zero Window< Telephone, Shomiti Systems@ Templates for Adding PacketsD Templates for TransmitH Templates, Filter ElementsL Thresholds for Multi-Qos DisplaysP Thresholds, AlarmsT ThroughputX Throughput Display in Capture View` Time Exceeded, ICMPd Time to Live Exceeded, ICMPh Time to Live Expiringl Timestamps in Capture Viewp Tips, Alarmst Tips, Expert Featuresx dm;Tips, Transmit Specification| Tips, Using Filters Tips, Using Views Toolbars Topology Change:MST TOS Host Redirect, ICMP TOS Host Unreachable TOS Network Redirect, ICMP TOS, Network Unreachable Total MAC Stations Total Router Broadcasts Traffic direction in filters Traffic Rate Translators Transmission Modes Transmit Data Transmit Data from a Buffer Transmit Packet Templates Transmit Specification Dialog Box Transmit Specification Example 1 Transmit Specification Example 2 Transmit Specification Examples Transmit Specifications Transmitting Capture Files Trigger TTL Exceeded, ICMP Tutorial, Filters Tutorial, Transmit Specifications Unknown Host, ICMP Unknown Network, ICMP Unload a Module Unlock a Module Unreachable Destination, ICMP Unreachable Host, ICMP Unreachable Network, ICMP Unreachable Port, ICMP Unreachable Protocol, ICMP Unstable MST Updating Explorer User-defined filter elements User-Defined Templates for Transmit Using Templates in Capture View Using Templates in Transmit Specifications$ Utilities( Utilization Percentage, Overload, Utilization/Error View0 Version4 Version Information, Help System8 View by Layer< View Captured Data@ View Options for Multi-QoSD View PacketsH Viewing Options: PacketsL VLAN ID, IllegalP VLAN ViewT Voyager PortsX Web Address, Shomiti Systems\ What's New...` Zero Window, TCP/IPd D Templates for TransmitH Templates, Filter ElementsL Thresholds for Multi-Qos DisplaysP Thresholds, AlarmsT ThroughputX Throughput Display in Capture View` Time Exceeded, ICMPd Time to Live Exceeded, ICMPh Time to Live Expiringl Timestamps in Capture Viewp Tips, Alarmst Tips, Expert Featuresx d9Broadcasts, RIPCreate an Alarm GroupExcessive BroadcastsHistory FilesLoad a Transmit SpecificationPacket EditorSetting Capture Buffer OptionsTips, Transmit Specification/@&@;)Lz LToolbars and Buttons[Capture Filter ButtonDisplay Filter ButtonyTransmit Specification ButtonTransmit from Buffer ButtonHelp ButtonOpen File Button>Save File ButtonSearch Box&Search Button Copy ButtonPrint ButtonIPrint ButtonStop Load ButtonZResume Load ButtonNavigation ButtonsCreate Filter Button%Open a Filter ButtonSave Filter ButtonPrint ButtonCut ButtonoAdd Button Show\Hide Detail ButtonLoad Filter Button (Capture Filter Only)CUnload Filter Button (Capture Filter Only)Trigger ButtonKeyboard Shortcuts Capture Button Monitor ButtonTransmit ButtonDetail View ButtonLoad Filter ButtonUnload Filter ButtonTransmit Capture File Button*Name Table ButtonOpen File ButtonSave Button4Start ButtonStop ButtonPacket View ButtonHost Table View ButtonNetwork Station View ButtonApplication Station View ButtonnHost Matrix View ButtonNetwork Conversion View ButtonApplication Conversation View ButtontProtocol Distribution View Button[Frame Size Distribution View ButtonVLAN View Button`Address mapping View ButtonMAC Statistics View ButtonUtilization/Error View Button (Capture)Utilization/Error View Button (Transmit)Alarm List and Log ButtonȀRefresh ButtonDuplicate Address ButtonExpert View ButtonƂApplication Response Time ButtonSettings ButtonCapture and Display Filters OverviewGetting Started with the Filter InterfaceSimple Filters Creating and Applying a ConversationSelecting Filter Elements Creating Filter ElementsgCreating Filter Element CombinationsFrame TypesAdvanced Filters͉Capture and Display Filter DifferencesnFilter StructureA StatesStatements3Actions=Rules of the Capture Filter@Hints and Tips for Using FiltersStandard Filter Elements and Filter Element TemplatesL Capture Filter Examples Filter Example 1 Filter Example 2 Filter Example 3, Filter TCP Port Filter Example 3, Advanced Filter׃ Frame Type Check BoxesK Info Button State Window Button Conversation Area Name Table Button Create/Modify Filter ToolbarP Action Button Fillter Combination Operator Buttons Available Filters Box Buttons for Filter Elements Filter Element Name Data Pattern Areal Open a Filter Modify a Filter Add/Delete Statements to Existing States Add/Delete States& Modify Existing Statements Describe a Filter Save a Filter Create a Filter- Apply a Simple FilterECreate a Filter ElementRModify a Filter Element7 Show/Hide Filter DetailsmActivate a FilterWCapture DatadDisable a Capture Filter for a Module'Load a Capture Filter]Transmit SpecificationskTransmit Specification Dialog BoxODefined Streams, Activated/Deactivated StreamsJRepeating FramesStream ModesBurstsZTransmission Modes9Transmitting Capture Files҉Using Templates in Transmit SpecificationsHints and Tips for a Transmit SpecificationaTransmit Specification ExamplesTransmit Specification Example 1, Packet GapsTransmit Specification Example 2, Bursts$ Active Stream IndicatorDefined Streams WindowDefined Streams Window7DA and SA FieldsNames Button,Packet Type-Packet Size0Start and Stop Sequence NumbersStream Mode ButtonsStream Mode ButtonsEBurst SettingsYBurst SettingsStream ButtonsT Transmission ModesTransmission ModeshTransmission Status<Transmit Specification ButtonsRepeat StreamsAuto CRCjData FieldRandom Access ModeCreate a Transmit Specification~Modify a Transmit SpecificationOpen a Transmit Specification% Save a Transmit SpecificationTransmit Data from a BufferTransmit Data (Generate Traffic)Load a Transmit SpecificationCYESummary ViewDetail ViewMore Information on Detail ViewPacket ViewAdd Packet Templates@ Insert a New PacketPacket EditorXAdd Packets in Capture ViewSearch the Capture FileePrinting Capture ViewsSetting Capture View Display Options\Set Delta TimeSelect the View0View Captured DataPrint Frames to a FileqCapture View Display OptionsAbout ResourcesVResource BrowserqRemote vs. Local ResourcesJResource ProtectionSurveyor Implementation Profile:Hardware DependenciesModesqSynchronized ResourcesDefault Accounts"Hints and Tips for ResourcesCreate User Name, Password, and PrivilegesDelete an Account Change Access PrivilegesShow Host Users and Access PrivilegesChange Password~Lock a ModuleUnlock a ModuleConnect to a Remote ResourceDisconnect from a Remote HostStart a ModuleStop a ModulenSet the Mode%Set the Module InterfaceSet MII Mode  Alarms OverviewAlarm Browser Alarm EditorsThresholdsnAlarm Actions> Alarm List and Log4Expert AlarmsЅHints and Tips for Alarms{ Alarm Examples Alarm Example, Utilization Alarm Example, MAC Errors  Alarm Example, Packet Size Apply an Alarm to a Resourcet Create an Alarm!Insert Alarm RowsX!Copy Alarm Rowsw!Create an Alarm Group !Set Alarm E-mail Addresses3!Set Alarm Pager Numbers@!Set Alarm Log File Name!Clear Alarm Log Displayӆ!Index ".CAP extensionG".CFD extension".DFD extension".NAM extension".TSP extension6"Statement"Activated Stream9"Address"Alarm"Alarm BrowserU"Alarm Generation Type"Alarm Notification Type"Alarm Interval#Alarm LogK#Alarm Falling Threshold #Alarm Rising Threshold#Alarm Sample Type#Alarm Setting#Alarm ValueA#CRC and Alignment Error Counteri#Base Address#Burst?#burst gap#Capture_#Capture Buffer;#Captured Framesq#Capture File#Capture Filter#Capture Viewr#Capture Modeہ#Gigabit Analysis Module (GAM)x#Century Media Module 2 (CMM2)*#Century 12-TapE#DA#Deactivated StreamN#Defined Stream#Detail Viewu#Device#Display Filter Window#DRAM!#ELSE statement$ELSE IF statement$Expert Alarms$Expert Diagnosis$Expert Symptom$Explorer$Fast EthernetD$Filter Element$Frame$Frame Rate$GoTo' $Good Frames$Hex Pane$Host3$Link Speed$Local Host$Module߃$Message WindowB$Mode of Operationk$Module Speed$Module Status$Module Type$Monitor$Monitor Modet$Monitor and Capture Modeۇ$Name Table%Network.%IF statement>%Packet:%Packet Detail Pane%%Drop Events Counter6%Packet Editor%Packet Gap%Packet Sizeu%Packet Summary%Packet Summary Pane*%Packet Type%PauseJ%Post Trigger Position`%Protocolk%Real-Time Buffer^%Resource%Resource Browser%Remote HostՃ%Remote Server Protocol (RSP)%%ROOT Statement%Collision Counter%Jabbers CounterІ%Oversize Counterm%Fragments Counter%SAa%Undersize Counter&StreamT&Start Sequence Number"&Statev&Stop Sequence Number@&Summary Pane&Summary View5&Synchronized Resource&Total Tx Collision'&Traffic Rate&Traffic&Transmit Specification8&Transmit Mode&Tx Attempt,&Tx Defer&Tx Excessive Collisions&Tx Excessive Defer&Tx Late Collision&Viewe&Very Long Event[&NIS~&NDIS&Network Adapter&Log FilesQ&Lost Frame&Frame Copyz&Frequency&Line ErrorɅ&Burst Errorh&AC Errorj&Abort Delimiter'Token Errorp'Internal Error'CRC Errors#'Voyager'WKP8'Analysis Table'Overview Table'Duplicate Network Address'Application Response Time'Frozen Window 'Zero Windowu'Expert View'Voice over IP (VoIP)'Multi-QoS'Cumulative Byte Counter'Throughput'Packets Dropped Counterptured FramesOJ'Other Glossary ItemsD'F'Expert Overview;(Expert Overview Table_*Application Response Timer*Broadcast/Multicast Storm*Duplicate Network Address+Excessive BOOTP+Excessive ARP+Excessive BroadcastsH+Excessive Multicasts+Excessive Collisionsh+HSRP Coup>,HSRP Errors,HSRP Resign<,ICMP All Errors,ICMP Bad IP Header,ICMP Destination Host Access Denied%-ICMP Destination Host Unknown-ICMP Destination Network Access Denied-ICMP Destination Network Unknown-ICMP Destination Unreachable.ICMP Fragmentation Needed [D/F set]9 .ICMP Fragment Reassembly Time Exceeded.ICMP Host Redirect.ICMP Host Redirect for TOS/ICMP Host Unreachable /ICMP Host Unreachable for TOS/ICMP Network Redirect/ICMP Network Redirect for TOS0ICMP Network Unreachable 0ICMP Network Unreachable for TOS0ICMP Parameter Problem1ICMP Port Unreachable1ICMP Protocol Unreachable1ICMP RedirectA1ICMP Required IP Option Missing2ICMP Source Route Failed2ICMP Source Quench?2ICMP Time to Live ExceededE2ICMP Time Exceeded3TCP Checksum Errorso3Illegal MAC Source Address 3Illegal Network Source AddressɄ3IP Checksum ErrorsK3IP Time to Live ExpiringP4ISL BPDU/CDP Packets4ISL Illegal VLAN ID4Network Overloadʂ4New MAC Stations4NFS Retransmissions4Non Responsive Station5OSPF Broadcasts5Overload Utilization Percentage5Overload Frame Rate[5Physical Errors$5RIP Broadcasts5SAP Broadcasts5TCP/IP Long Ack6TCP/IP Retransmissions 6TCP/IP RST Packets 6TCP/IP SYN Attack=6TCP/IP Frozen Window7TCP/IP Zero Window 7Total MAC Stations 7Total Router Broadcastsw7Unstable MSTu7Hints and Tips for Expert Features8Go To Frame88What's New...Ƈ8About Surveyor9About NDIS Mode^9Surveyor Help System Version InformationȂ9Contacting Customer Support99Frame Size Distribution ViewĈ9Protocol Distribution View:Host Table View ?:Network Layer Host Table Viewb:Application Layer Host Table View5;Host Matrix View;Network Layer Matrix View';Application Layer Matrix Viewڇ;VLAN View<Address Mapping View<Duplicate Address ViewZ<Expert View8=Application Response Time View=Utilization/Error View=Packet Summary Viewr=MAC Statistics (Capture)4=MAC Statistics (Transmit)˅=Status Graph=Top Portion of the Capture/Transmit Window=Status Graph0=Graphs and Frame Counters>Custom Counters>Error CountersK>Hints and Tips for Using Views`>Columns for Host Table View?Columns for Network Layer Host Table View?Columns for Application Layer Host Table Viewހ?Columns for Host Matrix View?Columns for Network Layer Matrix View@Columns for Application Layer Matrix View@Columns for Frame Size Distribution Viewҁ@Columns for Protocol Distribution ViewG@Columns for VLAN View@Columns for Address Mapping View(@Columns for Duplicate Address ViewwAColumns for Expert ViewjAColumns for Application Response Time ViewJ AButtons for Protocol Distribution ViewiAkACustomizing Views and WindowsBSetting Capture Buffer OptionsBSetting Expert Analysis ModeBConfiguring Alarm ActionsBConfiguring Counter LoggingمBCustomizing Table ViewsBCustomizing Chart ViewsCSetting Protocol Color CodingxCSetting Protocol Summary Information by Layer CSetting Start of Elapsed Time in Capture ViewmCSetting the Monitoring View for a Module#CExpert Diagnostic .ini FileeCEnable/Disable Expert SymptomsrCSetting Expert ThresholdsPDConfiguring Expert LoggingDAssigning TCP or UDP Ports to Protocol ParsersDAssigning Names to Protocols (Monitor)EHow Surveyor Assigns Protocol NamesFParser Names9HFile FormatsOHModule SettingsISetting Capture Buffer SizeISetting Packet Slicing Sizep ISetting Full-Duplex ModeIMAC Control FrameISetting the COM Port for Century 12-Tap6ISetting Update Timersew%JConfiguring Remote CommunicationsZ JConfiguring 12-TapƒJConfiguring Ports to ScanȆJResetting Explorer7JUpdating ExplorerKSurveyor.ini FileKSetting the Voyager Ports for ExplorerpKForcing Links for GAM_KaKSniffer TranslatorsLNIS-to-Name-Table Conversion UtilityLBuild a Surveyor Name Table LChanging the Default Name TableȁLEdit the Name TableLLoad a Name Table from a FileLSave a Name Table to a FilenMLearn Network AddressesIMDisplay Vendor NamesMGet Version InformationMCustom Counters MCounter Log File OverviewMExport Counter Log Files to ExcelNLog Directory StructureqNCopy (Export) PacketsNExport Data to CSV Format or to a BitmapӄNExport Data to Optimal CSV Format-NIdentify a ModuleOError CountersOPacket Counters*OName Table OverviewOOMulti-QoS OverviewPMulti-QoS ViewsPMulti-QoS Conversation Table9PMulti-QoS Channel Table QCustomizing Table Displays - Multi-QoS AlarmsQExporting Multi-QoS Tables to CSV FormatQr Application Response Time ViewJ AButtons for Protocol Distribution ViewiAkACustomizing Views and WindowsBSetting Capture Buffer OptionsBSetting Expert Analysis ModeBConfiguring Alarm ActionsBConfiguring Counter LoggingمBCustomizing Table ViewsBCustomizing Chart ViewsCSetting Protocol Color CodingxCSetting Protocol Summary Information by Layer CSetting Start of Elapsed Time in Capture ViewmCSetting the Monitoring View for a Module#CExpert Diagnostic .ini FileeCEnable/Disable Expert SymptomsrCSetting Expert ThresholdsPDConfiguring Expert LoggingDAssigning TCP or UDP Ports to Protocol ParsersDAssigning Names to Protocols (Monitor)EHow Surveyor Assigns Protocol NamesFParser Names9HFile FormatsOHModule SettingsISetting Capture Buffer SizeISetting Packet Slicing Sizep ISetting Full-Duplex ModeIMAC Control FrameISetting the COM Port for Century 12-Tap6ISetting Update Timersew E#J':J/&;)L4**l    &   ER7 mWd'~% @ Xe\0n%BBȁLLLnMIMM-N/(&(;)L4'k+"Tqd  D*ق8'߂& hC *<J:%_ ¹e&e؄" cnG@08p'H C> 8#g ^=6ݫ ۬t =4aňB߈xCAI+-P ~%%tByލOcX$ R% eІ%*Ow&]Ej1"Jm˅=6"B‘Pr/ÑqN5&k"W8b #4lK#ג4 [#KzޔWVMI#u }$;YD?#TZKpu%^-?C6ܚ =+u0E LDSG"Ens"ȆJ, J')dko&Ӣn9DDI/0=;mlަ "MΧQE^92 e_T&ǩ1 kǹ *?&<-` 3){;I{׫L"=_*lJ<,G /%J%bqeIҁ@E۰,&-X?3ʼu#=}3X!q']#.i#Ĉ9|ʸ9"e@ W"/ҿ8Mu7! ' $vyB$(PDڽZ<P罷*S+jhm]][,/#C".7ˋ@>79w $P-{ WGOɅ&Wj&Z90Ɉ&?$ nЊKq],L!<h͈ 8Զ~$\Խ8aՏ ֟'9SظmVa%+]e"|zcc C"Sہ#7x ڪ"RG,)--WG#J{ r#\;#3f.$ի"K`߫'@1#ۇ$v0ႂ*m᳁$Rn h00H,e$Lju'511`pf9 .' 1r掅5YE'"i#D~N#)%ߍ49B躆M_蘂 #F'-.%Z*^%bR$}">mCO$`)'&3 ?tD3DKu&مBt$+Q&NP42.#7H2ջԌUk%b֓ U-DQ׃ <":bjAyd'rsl[5^#, . /OA  6s"K 7K8$3 !6ڝm 6N-W:ѹK3mE#%[&X'<#G$$$~&.&5A#NVBAEI'J0q4X36y+  0qN"H#`z& s$ڛZyj$A1U E$=ӆ!;"&#'=%%Ȁ$b>$h+N'#ZeC("W8 Q? !5a ,Ci 5;G 4 44Z 3$ ƂJt5 *L tQt ;6 j [%z*#1"ZF6$?JZʂ4gB6&$`X.d"zPT&v IMi "ZI</k LX%g'  'c&oɄ32+%*%vt  >%3D$2dFъb:#2=U=m, h+V / 5!_#qs! !@&ؐ!EH!=-6!Mwm" ""V=#K #kAM#J#n?j$H+j$dY%l$_$X4*%(@% a%"[Di&ȁLn''o' #]w';(Ir(w7Ad)m%]}))g)&*r*+&=+,W,nM ,# ,&@?,إ.+v.i05T0Lb_1$01><2&f3J A8G4"542*f5?2ɺ5Z J25'C5b6DT]7%e7=`88&+:8ڇ;.:&Xt;';; HoED@ODހ?1޿D 2޿D tEE!~mFDl:GOHXG _H"cqHo3@:I"^IC"Ka<L ^!LoV^MgϓN:zN8=۟N"A(O)SO͉ᇬOVO'O`>ܼP%-N&Q"MQh&R&ݜS`T@!:U7-tV"4iV`%VT VdYwAP3Yu3Z.[\j[R;[\Ѕx ]2&]BPu]- o]n,^$ĺ^l 2'D_r=o_"s_Y_"dyk`EV`@`j`[`+Xaa5a%&b%"b6]]c@䜺cc%%8c |d")e4=1e-1eef%!g-bh6%h'ðh~Ɔi l>i0BiqCUhi'{icj';AjrC$$kE4+k ؓl?Wmn,"=nx#`Ro5/pE2Yp2qDq҉7qU"Dr7Os>,6&s@RsX"=yt9H>5u<ѱu.gHwK>)x,Tz&ΑP{߃$>\{$5mCO$`)'&3 ?tD3DKu&مBt$pK+Q&NP42.#7H2ջԌUk%b֓ U-DQ׃ <":bjAyd'rsl[5^#, 6W9P. /OA  6s"X#7JK 7K8$3 !6ڝm 6N-W:ѹK3mE#%[&X'<#G$$$~&.&5A#NVBAEI.=9+3>Sc?LW?Oy?-N@3!@'oA KB ~B%k/Bnm:B>fB\"BO!CRʊC> HoED@ODހ?1޿D 2޿D tEE!~mFDl:GOHXG _H"cqHo3$IӄN@:I"JחIƒJ^IC"Kae4KP<L ^!LoV^MgϓN:zN8=۟N"A(O)SO͉ᇬOVO'O`>ܼP%-N&Q"MQh&R&ݜS`T@!:U7-tV"4iV`%VT VdYwAP3Yu3Z.[\j[R;[\Ѕx ]2&]BPu]- o]n,^$ĺ^l A_K2'D_r=o_"s_Y_"dyk`EV`@`j`[`+Xaa5a%3 bM&b%"b6]]c@䜺cc%%8c |d")e4=1e-1eef%gOO!g-bh6%h'ðh~Ɔi l>i0BiqCUhi'{icj';AjrC$$kE4+k ؓl?Wmn,"=nx#`Ro5/pE2Yp2qDq҉S%qI7qU"Dr7Os>,6&s@RsX"=yt9H>5u<hu6Iѱu.gHwK>)x,Tz&ΑP{߃$>\{$5{H|IHotspot 1Start_ButtonHotspot 2Stop_ButtonHotspot 3Capture_ButtonHotspot 4Monitor_ButtonHotspot 5Transmit_ButtonHotspot 6Detail_Viewer_ButtonHotspot 7Load_Filter_ButtonHotspot 8Unload_Filter_ButtonHotspot 9Transmit_Capture_File_Buttonlp:'ʦLLLL...\..                                                               LLL`XD7ߍR9Boqs!͈W8b54j  m  إ<>6Uջt D@?,ǩHotspot 1Save_ButtonHotspot 2Print_ButtonTHotspot 3Start_ButtonHotspot 4Stop_ButtonHotspot 5Capture_ButtonHotspot 6Monitor_ButtonHotspot 7Transmit_ButtonHotspot 8Packet_View_ButtonHotspot 9Capture_Filter_ButtonHotspot 10Load_Filter_ButtonHotspot 11Unload_Filter_ButtonHotspot 12Display_Filter_ButtonHotspot 13Transmit_Specification_ButtonHotspot 14Transmit_from_Buffer_ButtonHotspot 15Name_Table_ButtonHotspot 16Alarm_List_and_Log_ButtonHotspot 17Help_Buttonn e lp6 D\~ &&9"" w wp w wp w wp w wp w wp w wp w  p  p  p  p  p  p   p  p  p  p  p  p   p "pp  p  p HDpDDH p "pwpp p p DpDKHDHp"pwppDDDDHp HpDDDDHDpDDHDHpș"pwpp䈈NHp̈Dp䈄HNHDp ̈ pșȈȈȈȈpp䈈NHp̀HpDNHHpDDHDHpș̌̌̌̈ppD䈈NHpp䈄HNHDpDKHDHpșȎppKKDDDDHppDDDDHHpDDH pșȈȈȈȈpwppKK pp HpDDHpȈȈȈȈȈpȇppD pp HpDDDHDHpȈȈȈȈȈp ̛ppKKDDDDHpHpDDHDDHDHHpDKH pp ̛ppKK䈈NHpHpHNHJHHpDDHDHpp ̆ppD䈈NHpDHpDNHJHDHp DHpppp䈈NHpHpHNHJDHpDDH D p pwppDDDDHp HpDDHDDHJHDpDKH"  p  p p  p  p DHpDDH  p  p  p  p  p  p   p  p  p  p  p  p         wp&&3& #Z]]0*L H^)x~r[o]zpR]})tD3.1Hotspot 1MAC_Statistics_View_ButtonHotspot 2Frame_Size_Distribution_View_ButtonHotspot 3Protocol_Distribution_View_ButtonHotspot 4Utilization_Error_View_Button_CaptureHotspot 5Utilization_Error_View_Button_TransmitHotspot 6Host_Table_View_ButtonHotspot 7Network_Station_View_ButtonHotspot 8Application_Station_View_ButtonHotspot 9DLC_Conversation_View_ButtonHotspot 10Network_Conversion_View_ButtonHotspot 11Application_Conversation_View_ButtonHotspot 12VLAN_View_ButtonHotspot 13Address_Mapping_View_Buttonlp4 v>\$wp$wp&wp  wp w wx wwp w wx wwpwpwpwpwpwxw̄wwpwwwwwwww"wxw̄wwpwwpwwwpw'wrwxwwwpwwpwwww'wrwxwwwpwwppwwwpw'rwxwwwpwwwww'rwxwwwpwwwww'wrwxwwwpwpwwp'rwxw̟Dwwpwpwwp'rwxwDOwwpwpwp'wrwxwODwwpwwwww'wrwxwOwwpwwwww"wxwOwwpwwpwwwpwxwOwwpwpww wxw̄wwpww wxw̄wwp w wx wwp w wx wwp  wp$wp$wp5a C5. Hotspot 1Duplicate_Address_ButtonHotspot 2Expert_View_ButtonHotspot 3Application_Response_Time_Buttonlp<4 `^\wwwp www www wwww wwwwwwwwwwwwwwww|w|wwwwwwwwwwwwww|wwwwwwwww|w|wwwww|w|wwwwww|wwwww|w|wwwww|w|wwwwwwww|wwwwwwwww|wwwwwwwwwwwww|wwwww|wwww wwww wwww wwwwHotspot 1Refresh_Buttonb Y lpb0_ Ȥ8~c| | |  |   |    |    |     |  |    |   |   |   |   |  |  |  |     |     |    |  |  | 8~c6Jt5 +1bm:BHotspot 1Open_File_ButtonVHotspot 2Search_BoxHotspot 3Search_ButtonHotspot 4Copy_ButtonHotspot 8Print_ButtonHotspot 7Save_File_Button3*lpD2 \wwwpwwwwwpw wp wp wpp wpp w w wwwpw w wp wp wp1(lpD2 \wwwwwwwww w wp w w w w wwww w w w w'  lp0be Ȥ@@@@@@c+ -+                +cFڛkHotspot 1Navigation_ButtonsHotspot 2Stop_Load_ButtonHotspot 3Resume_Load_ButtonHotspot 4Trigger_Button` W lp4 \e wwSwpw ww       w ww w wx w wx w wx w wx w wx w wx ww wxww w wx w wx w wx w wx w wx w wx ww wxww w wxww wx w wx w wxwGtDwtDwDGxwpwpwpwpwxŵww wxww w wxwwtwtwx w wxwwwwtww wxwDtwtDKGxwwwwwwww"wxŵwwwwxwwwwDGwwpwxwwtwtwxwtDDwwDDGwpwpwxww wwtGwtDDwtwDDGxwtDwtDwDGxwwpwwwpw'wrwxwwwwpwxwwwwDGwwp|Ǚ{wwxwwtwtwxwtwwNGwwwp|wwwxwwtDwtwtGNGxwtwDtw wxwwpwwww'wrwxwwwwpwxww wwp|Ǚ{wwxwwtwtwxwtwwNGwwwp|pwxwwtGwtDNGxwtwGtwwDDGxwwppwwwpw'rwxwwwwwxwwwwDGwwwp|Ǚ{wwxwwtDwxwtwwNGwwpwwpwwxwwtwwtwtGNGxwtwwtDwwDwKGxwwwww'rwxwwwwpwxwwwwDGwwwp|Ǚ{wwxwwtKKwxwtDDwwDDGwwwpwpwxwwtDDwtwDDGxwtwGwwDwwDGxwwwww'wrwxwwwwpwxww wwp|Ǚ{wwxwwtKKwx wwpwwwxwpw wxwtwGwwDwxwpwwp'rwxw̟DwwwpwxwwwwDGwwp|w{wwxwwtDwx wwwwxwpw wxwtwGwtDDwDGxwpwwp'rwxwDOwwwpwxwwwwDGwwp|w{wwxw ̪wtKKwxwtDDwwDDGwwppwwppwwxwwGwpwtDDwGwDDGxwDGwwGwtDKGxwpwp'wrwxwODwwwwp wwxww wwpw{wwxw ̪wtKKwxwtwwNGwwwwpwxwtGwpwttGwNGxwJGtwGwtDwDGxwwwww'wrwxwOwwww pwwxwwwwDGwwpw{wwxw ̆wtDwxwtwwNGwwwpwwwxwDGpwwtDNGxwJGDwGw wxwwwww"wxwOwwww w wwxwwwwDGwwpwxwwtwtwxwtwwNGwpwpxwtGwwpwwttGwNGxwJDGwtDwDGxwwpwwwpwxwOwwww wwxww w wxwwtwtwxwtDDwwDDGw wxwwGwwpwwtDDwGwDDGxwJGDwtDKGxwpww wxŵwwwwpwwxww w wxww wx w wx w wxwDGtwtDwDGxww wxŵwwwwxww w wx w wx w wx w wx w wx w wx ww wxww w wx w wx w wx w wx w wx w wx ww wxww       w wwSw]]*L /Fr][uo]]})tD315a C5 5ǩzpRHotspot 1Frame_Size_Distribution_View_ButtonHotspot 2Protocol_Distribution_View_ButtonHotspot 3Host_Table_View_ButtonHotspot 4Network_Station_View_ButtonHotspot 5Application_Station_View_ButtonHotspot 6DLC_Conversation_View_ButtonHotspot 7Application_Conversation_View_ButtonHotspot 8VLAN_View_ButtonHotspot 9Address_Mapping_View_ButtonHotspot 10Duplicate_Address_ButtonHotspot 11Expert_View_ButtonHotspot 12Application_Response_Time_ButtonHotspot 13Help_ButtonHotspot 14Network_Conversion_View_Buttonlp0\0*f  P ???????9p9999p99999999999pp  99p 99'    !    !p!  ppp  p   !     p p p0 pp    0   p   ! p p pp!        *      p p p p p! p p     *0     p pp p p0            $   *  p    pp p p       $9  p *      p pp p99 9999999               p                  p BBBBBBBBX1eNA(Ogm~d Create_Filter_ButtonOpen_a_Filter_ButtonSave_Filter_ButtonLoad_Filter_Button_Capture_Filter_OnlyUnload_Filter_ButtonSettings_ButtonState_Window_ButtonC^UlpP2vȤY                                                                                                                   0 BX0eNDl"^!L79wA(O^-? ǩHotspot 1Create_Filter_ButtonHotspot 2Open_a_Filter_ButtonHotspot 3Save_Filter_ButtonHotspot 4Print_ButtonCHotspot 5Cut_ButtonHotspot 6Add_ButtonHotspot 7Show_Hide_Detail_ButtonHotspot 8Load_Filter_Button_Capture_Filter_OnlyHotspot 9Unload_Filter_Button_Capture_Filter_OnlyHotspot 10Help_Button0'lp.0ʦ  |slp6.Ȥ             lp4.Ȥ     lp00,H?p999! p  ! 00p!   ! 0p0$$p99     Blp6.Ȥlp4.Ȥ        lp0߀ztnnnnnnnnnnnnnnnnQ06N-6E$6E$6E$6E$6E$6E$6E$6E$6=Zq"$67Zk"$61Ze"$61Ze"$61Ze"$61Ze"$61ZN"$6   Z1Ze"$6    c/// ////////// //////////////// //fZQ  W"$6  o///////// // / / /// // ///cZT    T"$6  c/ /////// // / / /// // ///cZT    T"$6     c/////// // / / /// // ///cZT    T"$6   Z/ / ////// // / / //// // ///cZT    T"$6      f // ///// //// ////// / //fZT   T"$6 h/////////// //////// ////// //////cZT W"w'6   h/ ///B/9///cZTl"w!6q/////9//9///cZTl"w     6 ///*/0////6// //fZQ f"w        61Ze"w   61Ze"w    61Ze"w     61Ze"w    64Z                   "w    6:Zn"wB6Ew  B v6Ew ?v6Ew$6E$6E$6E$6E$6E$6E$6E$6E$6E$6E$6E$6' $6$ $6 $6 $6 $6 $6 $6 j -6~UU< w'H *6~TTTTTTTTTTTTTTTT6 w!H *6~NNNNNNNNNNNNNNNN0 w    R6~NNNNNNNNNNNNNNNN0 w     O6~NNNNNNNNNNNNNNNN0$_ w     O6~NNNNNNNNNNNNNNNN0$Y w     R6~NNNNNNNNNNNNNNNN0$< w     U6- 6NNNNNNNNNNNNNNNN$6 w    U6-3NNNNNNNNNNNNNNNN $0 w    O60 3NNNNNNNNNNNNNNNN$0 w ^60 3NNNNNNNNNNNNNNNN $0 w ~^63 3NNNNNNNNNNNNNNNN  $   <0 w`63 3NNNNNNNNNNNNNNNN0$    ?0 w$663NNNNNNNNNNNNNNNN0$    B $663NNNNNNNNNNNNNNNN0$   E  $6-3NNNNNNNNNNNNNNNN0$   H $60 6NNNNNNNNNNNNNNNN0$  H  $6~NNNNNNNNNNNNNNNN0$   E   $6~NNNNNNNNNNNNNNNN3$    B0 $6~NNNNNNNNNNNNNNNN9$    ?0 $6~NNNNNNNNNNNNNNNN'   <0 $6~NNNNNNNNNNNNNNNN $0 $6~QQQQQQQQQQQQQQQQ'0 $6~WWWWWWWWWWWWWWWW $0 $6B'3 $6E$9 $6B'V $6E$\ $6B $6E $6~UU $6~TTTTTTTTTTTTTTTT  ? X6~NNNNNNNNNNNNNNNN w'`9 U6~NNNNNNNNNNNNNNNN  w!`9 U6~NNNNNNNNNNNNNNNN w     q6~NNNNNNNNNNNNNNNN -      w          t6~NNNNNNNNNNNNNNNN-       ' w       t60 6NNNNNNNNNNNNNNNN '    ' w       t63 3NNNNNNNNNNNNNNNN*      ' w         t63 3NNNNNNNNNNNNNNNN '        ' w        t63 3NNNNNNNNNNNNNNNN*        w       q63 3NNNNNNNNNNNNNNNN '      $ w     ~t63 3NNNNNNNNNNNNNNNN* -Z' w      ~t63 3NNNNNNNNNNNNNNNN *   -Z' w     m63 3NNNNNNNNNNNNNNNN<- <~ w$60 3NNNNNNNNNNNNNNNN6 $63 6NNNNNNNNNNNNNNNN0 $6~NNNNNNNNNNNNNNNN0 $6~NNNNNNNNNNNNNNNN0 $6~NNNNNNNNNNNNNNNN0 $6~NNNNNNNNNNNNNNNN0 $6~NNNNNNNNNNNNNNNN0 $6~QQQQQQQQQQQQQQQQ0 $6~WWWWWWWWWWWWWWWW0 $6B0 $6B0 $6B0 $6B0 $6B0 $6B0 $6~UU0$_ $6~TTTTTTTTTTTTTTTT0$Y $6~NNNNNNNNNNNNNNNN3$< $6~NNNNNNNNNNNNNNNN9$6 $6~NNNNNNNNNNNNNNNN<$0 w'6~NNNNNNNNNNNNNNNN6$0 w!6~NNNNNNNNNNNNNNNN0$0 w    6B6NNNNNNNNNNNNNNNN0$   <0 w       6?3 - - $   - $ - - - * $ $NNNN0$    ?0 w     6?3** ! !* !*** * $ !NNNN0$    B w      6?3** ! !*!** * 0 0 !NNNN0$   E  w       "6?3** ! $*!** * 0 0 !NNNN0$   H w      "6?3** ! $*!** * - ' !NNNN  $  H  w   6?3* * ! $ -$ -* * - ' $NNNN $   E   w<6?3** ! '****** ' !NNNN$    B0 w < y6?3** ! '****** 0 !NNNN $    ?0 w 9y6B6* * ! ** '**** $ !NNNN$   <0 w$6~ - - $ * -  ! - - - - $ $NNNN0$0 $6~NNNNNNNNNNNNNNNN0$0 $6~NNNNNNNNNNNNNNNN0$0 $6~NNNNNNNNNNNNNNNN0$3 $6~NNNNNNNNNNNNNNNN0$9 $6~QQQQQQQQQQQQQQQQ3$V $6~WWWWWWWWWWWWWWWW9$\ $6 $6 $6 $6 $6 $6)T N QZQTTcQWN Q Q N N $6&TQNWNNQ`TQN K K K K $6  0TT]WWNQ`WNN KW KW    6 $6    3TT]N WNQ`WNN KW KK#     ? $6 3TWZNWNT]Q Q N KW K K#     ? $6   3TWTTN Q W`QWNK K K K#   ? $6    3TZWQNW]]NQQQ Q N K        ? $6    3TZWTNW`ZN)>&#   6 $6    0QQNTNZTZN)>&#     < $6 -6WTTZN TN ]T);) !Z? $6   -6 !Z? $6 ]H $6 $6 $6 $6 $6 $6 $S6S0S6 $M6M0M6 $G6G0G6 $G6G0G6 $G6G0G6 $G6G0G6 $G6G0G6   5 $G6G0G6!     8 $?  <6Q N0'   -6!    8 $<  ?6N   N0*    *6    / $9?6KZ0*   *6        2 $9?6KZ0-    -69   J$9  ?6KQ0-    069     M$9 <6K Q0-    069 $ $9 96KQ00   *69 $ $9o6KZ00l66E+$< o6N  N03!l6E$?  o6Q N03*c6E$G6G0G6E$G6G0G6E$G6G0G6E$G6G0G6E$                6                0                6E$P6P0P6E$6E$6E$6E$6' $6$ $6 $6 $6 $6 $6 $6 $6 ;G N)N` $6 5A H#N` $6 r<~< B`< p p p p p` $6 r6~6 B`6<` $6 r0~0 `0@p '- $6 r0~0 `0   !- $6 r0~0 `0 - $S6S0S6    0  K0  '0   - $M6M0M6     0 N           " $$0            p  - $G6G0G6    N         *!        - $G6G0G6    *   N          0        - $G6G0G6     *   N        B     6  - $c`6`c0G6     *    N               0        p - $c`6`c0G6    *   N           "   *!              - $`c6c`0G6    0 N0        $$0     - $`c6c`0   6    0N0      '0     - $`c6c`0    6   0 N0         `0         p $- $`c6c`0   6 r0~0             "B`0        ` $`c6c`0   6 r0~0 B`0<` $`c6c`0    6 r0~0 B`0?` $`c6c`0   6 r3~3      `3E` $`c6c`0   6 r9~9 N`9N` $`c6c`0B96 2>  T  / $c`6`c0 B66 8D T&/ $c`6`c0 ~6 $G6G0G6 $G6G0G6 $G6G0G6 $G6G0G6 $                6                0                6 $P6P0P6 $6 $6^  $6^e         $ $6de            ! $6   3             h  )       #  - $6     9             n       8        #  ! $6    9 $         n     5                 ! $6    9           n   /           ! $6     9                n    ,         $ $6      9              n    , HZ96 $6    9          n  /KQ -6 $6 *B9rP HWn Hb*BT*6 $6 *B9 Z  DKTn H $6o6ZG*BWkE $6 $6 $6 $6 $S6S0S6 $M6M0M6 $G6G0G6 $G6G0G6 $G6G0G6 $G6G0G6 $6u6Ec06r6 $G6G0G6 $6   E6N H09   B6 $9    ?6K   K0<   E6 $9    ?6H  N0<  E6$      # $<  <6H Q0< E6!        & $<   <6H Q0< E6      & $<   <6H  N0< E6          $? <6H  N0< E6            $?   ?6H  N0<  E66     8$B   ?6K   N0<     966       ;$B E6N Q09 966k$G6G0G69 k$G6G0G6< b$G6G0G6E$G6G0G6E$                6                0                6E$P6P0P6E$6E$6E$6E$6E$6E$6E$6E$6E$6E$6M=:$6M::$6M1:$6M1:$6M1:$6M1:$6M1:$6M1:$6M$?M:$6M$9M:$6M$v<M:$6M$v6M:$6M$v0M:s6M$v0M:m6M$v0M:g6M$v0M:g6M$v0M:g6M$vM:g6M$v M:g6M$vM:g6M$v M:g6M$v  M:g6M$v0M:g6M$v0M:g6M$v0M:g6M$v0M:g6M$v0M:g6M$v0M:g6M${       3M:g6M${   9M:g6M${  <M:g6M$Tpp  6M:g6M$    0M:g6M$Tp'     0M:g6M${     0M:g6M$T$K?0M:g6M${ B?0M:g6M$Tp'36< 0M:g6M$v0M:g6M$T0M:g6M$v0M:g6M$Tp0M:g6M$v0M:g6M$90M:g6M$v0M:g6M$p pL3M:g6M$       [     M:g6M$pp  !        XM:g6M$ !     [M:g6M$p   !   [M:g6M$    !       a:g6M$pp           ^:g6M$         [ :g6M$p p Q H  :g6M$E Q H   :g6M$p$  K'9 :g6M$y :g6M$X :g6M$y `:g6M$pX :g6M$y   :g6M$? i     :g6M$} i  :g6M$ p pS f:g6M$     l   :g6M$  !      u   :g6M$  !       o    :g6M$      i ':g6M$  !       l ':g6M$  !      i!E:g6M$!    i :g6M$ p p!$Q   :g6M$?  Q # :g6M$!N  :g6M$y THg6M$X THg6M$y           THg6M$XTHg6M$yMTHg6M$kZMTHg6M$yMTHg6M$pXMTHg6M$5    yMTHg6M$        pMTHg6M$8 $   sMT`-Hg6M$popp $  mMTc*Hg6M$8     pMTf'Hg6M$op'    mMT!$Hg6M$8    pMTl!Hg6M$po' $  pMTi$Hg6M$8        sMT! 'Hg6M$op$    vMTc*Hg6M$yMT`-Hg6M$poeMTHg6M$yMTHg6M$opeMTHg6M$yMTHg6M$oeMTHg6M$yTHg6M$poeTHg6M$5   u T            Hg6M$o$ u THg6M$5   x :g6M$po  u :g6M$>   o :g6M$o'   i :g6M$5 lN:g6M$po$    i :g6M$5 l!   $:g6M$o' l$     $:g6M$y$  !:g6M$poe$ !:g6M$y$    :g6M$oe$    :g6M$y$  :g6M$oe$ T:g6M$y$ T:g6M$poe! Q:g6M$5  l :g6M$o'   l :g6M$8    o :g6M$po  l :g6M$8   f :g6M$o'    ` :g6M$8 c           :g6M$po'     `:g6M$8   cM:g6M$o$cM:g6M$yM:g6M$poeM:g6M$yM:g6M$oeM:g6M$yM:g6M$XM:g6M$yM:g6M$p*p pM:g6M$H ;M:g6M$*pp   5M:g6M$H5M:g6M$p*pGM:g6M$HJM:g6M$*ppGM:g6M$HJM:g6M$p*p p2M:g6M$~ 5M:g6M$6p$   2M:g6M$yM:g6M$p6M:g6M$v<M:g6M$6p6M:g6M$v0M:g6M$6AK0M:g6M$v0M:g6M$p6p0M:g6M$5   !  0M:g6M$6]    '  0M:g6M$5     '     M:g6M$p6p6pp   '  M:g6M$>     M:g6M$66p'       M:g6M$5    M:   6M$p6p6$         0M:      6M$5      0M:       6M$66p'   0M:      6M$v0M:        6M$p6p6e0M:      6M$v3M:    6M$66pe9M: B96M$6M:996M$<M: *0 6 6M1:g6M1:g6M1:g6M1:g6M1:j6M1:p6M1:$6M      :$6M     :$6M   :$6M      :$6M           :$6t       X$6w         R$6w<'$6z?'  $6z6$$6E$6E$6E$6E$6E$6E$6E$6E$6E$6E$6           ]6!        !       `6!       !     `6                W6                     Z6?       \    ?     _       ?6Z33BP?  6Z  6 3BP<< ]B 06Gnnnnnnnnnnnqw)W)W)WPWp p p p p pp p p p p p p p p p p p p p pp p p p p pp p p p p p p p p pW9999999W999p999pW999 99W9p9'  p p!  W !!      W  ppp ! p ppW  0 W p  p p p0 W    ! !!  W   p  p p p p   ppW  0!   W p    p p pp0  W   0 W     p    pp $p ppW *         W p   pp pp$9W  *       99W999p9999pW<<<<<<<WBBBBBBBW)W)W)WzzpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppApppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp9p p p p p983p33ppo0ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp333*p ! p3pp*pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp    *     3p  pp*pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp3   *p3 ppp*pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp3  *      3p pp*p       ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp3   *Ԁ׀p3 p ppϟϐϐϐϐϐϐϐϐϐϐϐϐϟpԀڀppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp3!   3p! 3pp``________________________``pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp333-p33p3pp00pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp6    6<<<ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppLYXG~~4+kd C>_NRnSNRn"P+ za~]"M_enM-w#uDQ_<Lu$V=#Available_Filter_BoxButtons_for_Filter_ElementsState_Window_ButtonCCreate_Modify_Filter_ToolbarCName_Table_ButtonCName_Table_ButtonCConversation_AreaData_Pattern_AreaFilter_Element_NameAction_ButtonOperator_ButtonsFrame_Type_Check_BoxesFillter_CombinationInfo_Buttonlp6,Ȥ  zzlp0xz t n n n n n n n n n n n n n n n n Q06 N-6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 =Zq"$6 7Zk"$6 1Ze"$6 1Ze"$6 1Ze"$6 K//////f////////EZe"$6 D//cZN"$6    ZJ/cZe"$6     c////// ////// ////// /// / /// //// ////////// ////////IZQ  W"$6   o ///$/// /// / // ////////// // ///IZT    T"$6   c ///$///// // // /// /////// // / /OZT    T"$6      c ///'///// /// // // //'/////// // / /OZT    T"$6    Z //////// / //// //// /!/ / ////// // / /LZT    T"$6       f ////// // / / //// //// /// ///// //// /LZT   T"$6  h //// /////////////////////////////////////// ////////IZT W"w'6    h /// ////-/-/ ///B/IZTl"w!6 q / // / // /!/!/-/-/////9//IZTl"w     6 ////////////////////$/*//9///*/3//LZQ f"w        6 1Ze"w   6 1Ze"w    6 1Ze"w     6 1Ze"w    6 4Z                   "w    6 :Zn"wB6 Ew  B v6 Ew ?v6 Ew$6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 ' $6 $ $6  $6  $6  $6  $6  $6  j -6 ~UU< w'H *6 ~TTTTTTTTTTTTTTTT6 w!H *6 ~NNNNNNNNNNNNNNNN0 w    R6 ~NNNNNNNNNNNNNNNN0 w     O6 ~NNNNNNNNNNNNNNNN0$_ w     O6 ~NNNNNNNNNNNNNNNN0$Y w     R6 ~NNNNNNNNNNNNNNNN0$< w     U6 - 6NNNNNNNNNNNNNNNN$6 w    U6 -3NN - - - -NNNNNNNNNN $0 w    O6 0 3NN* ** *NNNNNNNNNN$0 w ^6 0 3NN* ** *NNNNNNNNNN $0 w ~^6 3 3NN* ** *NNNNNNNNNN  $   <0 w`6 3 3NN* ** *NNNNNNNNNN0$    ?0 w$6 63NN* -* -NNNNNNNNNN0$    B $6 63NN* 3* 3NNNNNNNNNN0$   E  $6 -3NN* 3* 3NNNNNNNNNN0$   H $6 0 6NN* 3* 3NNNNNNNNNN0$  H  $6 ~NN - * - *NNNNNNNNNN0$   E   $6 ~NNNNNNNNNNNNNNNN3$    B0 $6 ~NNNNNNNNNNNNNNNN9$    ?0 $6 ~NNNNNNNNNNNNNNNN'   <0 $6 ~NNNNNNNNNNNNNNNN $0 $6 ~QQQQQQQQQQQQQQQQ'0 $6 ~WWWWWWWWWWWWWWWW $0 $6 B'3 $6 E$9 $6 B'V $6 E$\ $6 B $6 E $6 ~UU $6 ~TTTTTTTTTTTTTTTT  ? X6 ~NNNNNNNNNNNNNNNN w'`9 U6 ~NNNNNNNNNNNNNNNN  w!`9 U6 ~NNNNNNNNNNNNNNNN w     q6 ~NNNNNNNNNNNNNNNN -      w          t6 ~NNNNNNNNNNNNNNNN-       ' w       t6 0 6NNNNNNNNNNNNNNNN '    ' w       t6 3 3NNNNNNN  -NNNNNNNN*      ' w         t6 3 3NNNNNNN*NNNNNNNN '        ' w        t6 3 3NNNNNNN*NNNNNNNN*        w       q6 3 3NNNNNNN*NNNNNNNN '      $ w     ~t6 3 3NNNNNNN*NNNNNNNN* -Z' w      ~t6 3 3NNNNNNN -NNNNNNNN *   -Z' w     m6 3 3NNNNNNN3NNNNNNNN<- <~ w$6 0 3NNNNNNN3NNNNNNNN6 $6 3 6NNNNNNN 0NNNNNNNN0 $6 ~NNNNNNN *NNNNNNNN0 $6 ~NNNNNNNNNNNNNNNN0 $6 ~NNNNNNNNNNNNNNNN0 $6 ~NNNNNNNNNNNNNNNN0 $6 ~NNNNNNNNNNNNNNNN0 $6 ~QQQQQQQQQQQQQQQQ0 $6 ~WWWWWWWWWWWWWWWW0 $6 B0 $6 B0 $6 B0 $6 B0 $6 B0 $6 B0 $6 ~UU0$_ $6 ~TTTTTTTTTTTTTTTT0$Y +6 ~NNNNNNNNNNNNNNNN3$< $6 ~NNNNNNNNNNNNNNNN9$6 +\6 ~NNNNNNNNNNNNNNNN<$0 w'6 ~NNNNNNNNNNNNNNNN6$0 w! \6 ~NNNNNNNNNNNNNNNN0$0 w    6 B6NNNNNNNNNNNNNNNN0$   <0 w        6 ?3NNNNNN  - -  $ *  - *  -  -NN0$    ?0 w     6 ?3NNNNNN** ' '****NN0$    B w       6 ?3NNNNNN*  * ' '****NN0$   E  w       "6 ?3NNNNNN*  *  ' '* ***NN0$   H w        6 ?3NNNNNN*  *    '****NN  $  H  w   6 ?3NNNNNN*  *    ' *  * -*NN $   E   w <l6 ?3NNNNNN**  '* ***NN$    B0 w < y6 ?3NNNNNN** ' '* ***NN $    ?0 w  9`6 B6NNNNNN**   '* ***NN$   <0 w$6 ~NNNNNN  -  -* - *  -  -NN0$0 +\6 ~NNNNNNNNNNNNNNNN0$0 $6 ~NNNNNNNNNNNNNNNN0$0 +6 ~NNNNNNNNNNNNNNNN0$3 $6 ~NNNNNNNNNNNNNNNN0$9 $6 ~QQQQQQQQQQQQQQQQ3$V $6 ~WWWWWWWWWWWWWWWW9$\ $6  $6  $6  $6  $6  $6 )T N QZQTTcQWN Q Q N N $6 &TQNWNNQ`TQN K K K K $6   0TT]WWNQ`WNN KW KW    6 $6     3TT]N WNQ`WNN KW KK#     ? $6  3TWZNWNT]Q Q N KW K K#     ? $6    3TWTTN Q W`QWNK K K K#   ? $6     3TZWQNW]]NQQQ Q N K        ? $6     3TZWTNW`ZN)>&#   6 $6     0QQNTNZTZN)>&#     < $6  -6WTTZN TN ]T);) !Z? $6    -6 !Z? $6  ]H $6  $6  $6  $6  $6  $6  $S6S0S6  $M6M0M6  $G6G0G6  $G6G0G6  $G6G0G6  $G6G0G6  $G6G0G6    5 $G6G0G6 !     8 $?  <6Q N0'   -6 !    8 $<  ?6N   N0*    *6     / $9?6KZ0*   *6         2 $9?6KZ0-    -6 9   J$9  ?6KQ0-    06 9     M$9 <6K Q0-    06 9 $ $9 96KQ00   *6 9 $ $9o6KZ00l6 6E+$< o6N  N03!l6 E$?  o6Q N03*c6 E$G6G0G6 E$G6G0G6 E$G6G0G6 E$G6G0G6 E$                6                0                6 E$P6P0P6 E$6 E$6 E$6 E$6 ' $6 $ $6  $6  $6  $6  $6  $6  $6  ;G N)N` $6  5A H#H` $6  r<~< B`<B` $6  r6~6 B`6B` $6  r0~0 `0 '- $6  r0~0 `0 !- $6  r0~0 `0 - $S6S0S6     0  K0  !<0   - $M6M0M6      0 N          $90   - $G6G0G6     N   '6   - $G6G0G6     *   N      *3    - $G6G0G6      *   N       B0B  - $c`6`c0G6      *    N             *3      - $c`6`c0G6     *   N              '6      - $`c6c`0G6     0 N0       $90    - $`c6c`0   6     0N0     !<0   - $`c6c`0    6    0 N0        `0     $- $`c6c`0   6  r0~0       B`0B` $`c6c`0   6  r0~0 B`0B` $`c6c`0    6  r0~0 B`0B` $`c6c`0   6  r3~3      `3     ` $`c6c`0   6  r9~9 N`9N` $`c6c`0B96  2>  T  / $c`6`c0 B66  8D T&/ $c`6`c0 ~6  $G6G0G6  $G6G0G6  $G6G0G6  $G6G0G6  $                6                0                6  $P6P0P6  $6  $6 ^  $6 ^e         $ $6 de            ! $6    3             h  )       #  - $6      9             n       8        #  ! $6     9 $         n     5                 ! $6     9           n   /           ! $6      9                n    ,         $ $6       9              n    , HZ96 $6     9          n  /KQ -6 $6  *B9rP HWn Hb*BT*6 $6  *B9 Z  DKTn H $6 o6ZG*BWkE $6  $6  $6  $6  $S6S0S6  $M6M0M6  $G6G0G6  $G6G0G6  $G6G0G6  $G6G0G6  $6u6Ec06r6  $G6G0G6  $6   E6N H09   B6  $9    ?6K   K0<   E6  $9    ?6H  N0<  E6 $      # $<  <6H Q0< E6 !        & $<   <6H Q0< E6       & $<   <6H  N0< E6           $? <6H  N0< E6             $?   ?6H  N0<  E6 6     8$B   ?6K   N0<     96 6       ;$B E6N Q09 96 6k$G6G0G6 9 k$G6G0G6 < b$G6G0G6 E$G6G0G6 E$                6                0                6 E$P6P0P6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 E$6 M=:$6 M::$6 M1:$6 M1:$6 M1:$6 M1:$6 M1:$6 M1:$6 M$?M:$6 M$9M:$6 M$v<M:$6 M$v6M:$6 M$v0M:s6 M$v0M:m6 M$v0M:g6 M$v0M:g6 M$v0M:g6 M$vM:g6 M$v M:g6 M$vM:g6 M$v M:g6 M$v  M:g6 M$v0M:g6 M$v0M:g6 M$v0M:g6 M$J{ m0M:g6 M$[ 0M:g6 M$a0M:g6 M${  !      !    Y3M:g6 M$~'    ! Y9M:g6 M$~'    _<M:g6 M$Tpp*   * _6M:g6 M$~! $   \0M:g6 M$Tp'    \0M:g6 M$~!  !$   Y0M:g6 M$T'! !63KY0M:g6 M$~ $$63 BY0M:g6 M$Tp$3'0B39 \0M:g6 M$v0M:g6 M$T0M:g6 M$v0M:g6 M$Tp0M:g6 M$v0M:g6 M$Tfp0M:g6 M$^3M:g6 M$T 9M:g6 M${           wM:g6 M$T' $      tM:g6 M$~ $       }M:g6 M$T '    '   zM:g6 M$~      !     z:g6 M$T'         w:g6 M$~       w :g6 M$T'  -- Bt :g6 M$~      !!--9w :g6 M$T$  6$*9*3w :g6 M$y :g6 M$T :g6 M$y `:g6 M$T :g6 M$y   :g6 M$T     :g6 M$y  :g6 M$T:g6 M${   9   :g6 M$T$      3   :g6 M${       6    :g6 M$T      3 ':g6 M$        6 ':g6 M$T'     6!E:g6 M${    6 :g6 M$T$ B93 :g6 M${996 :g6 M$T'*0 6 6 :g6 M$y THg6 M$T THg6 M$y           THg6 M$TTHg6 M$yMTHg6 M$9MTHg6 M$yMTHg6 M$p pLMTHg6 M$       ^MTHg6 M