Using the Traffic Analysis Agent for NetWare

The Traffic Analysis Agent for NetWare (NLA 1.30) runs on a NetWare server. It is a set of NLM programs that enable NetWare to monitor traffic on Ethernet, FDDI, or token ring segments.

The Traffic Analysis Agent for NetWare implements token ring extensions for the RMON MIB (RFC 1513) for token ring media, and a Novell proprietary MIB for FDDI media, in addition to implementing an RMON (RFC 1757) for Ethernet media. The Traffic Analysis Agent for NetWare also implements the first two groups for RMON2 (RFC 2021).

The following figure illustrates a functional view of the Traffic Analysis Agent for NetWare:


Traffic analysis agent for NetWare

The following sections provide information about optimizing and using the Traffic Analysis Agent for NetWare:


Planning to Install the Traffic Analysis Agent for NetWare

To successfully install the Traffic Analysis Agent for NetWare on a NetWare server, the server must meet the system requirements specified in "Management and Monitoring Services Installation" in the Novell ZENworks 6.5 Server Management Installation Guide.

You should configure NetWare SNMP parameters as explained in Using SNMP Community Strings. This will ensure a smooth installation of the Traffic Analysis Agent for NetWare on the server.

NOTE:  Although it is not required, it is recommended that you uninstall previous versions of the Traffic Analysis Agent (referred to as the Traffic Analysis Agent in Novell ZENworks Server Management). If you do not uninstall the previous version of the agent, you must verify that the upgraded NetWare servers run the new Traffic Analysis Agent.


Optimizing the Traffic Analysis Agent for NetWare Performance

The measures described in the following sections can improve the performance of your Traffic Analysis Agent for NetWare servers.

You can configure the Traffic Analysis Agent for NetWare functions described in the following sections by setting the parameters in the lanz.ncf file.


Contents of the LANZ.NCF File

The lanz.ncf file loads all the NLM software required for the Traffic Analysis Agent for NetWare operation. The lanz.ncf file resides in the sys:\zfs_agnt\lanz directory.

The following example displays the complete text of the default lanz.ncf file.

#
# Novell NetWare Traffic Analysis Agent
# Version 1.3
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
# LANZ.NCF: Novell NetWare Traffic Analysis Agent Load File
#
# This NCF file is created by the Novell NetWare Traffic Analysis Agent install program.
# It is used to load the Novell NetWare Loadable Module files that make up Novell NetWare
# Traffic Analysis Agent.
# WARNING:   You should not modify this file unless you need to change one of
# the configuration parameters documented below. Other changes to this
# file are not recommended. Should you damage this file, you must reinstall
# Novell NetWare Traffic Analysis Agent.
#
# NOTE:      To enable or disable the monitoring of network adapters by
# Novell NetWare Traffic Analysis Agent, use the LANZCON utility as described in the
# Novell NetWare Traffic Analysis Agent Installation and Administration guide.
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
# Load Parameter Descriptions
#
# load LANZSU debug=1
#
# debug=1    Turns on the LANZ Control screen to see the transactional
# messages from the Novell NetWare Traffic Analysis Agent.
#
# load LANZMEM bound=KB age=HHH
#
# bound=KB   This is the upper limit on memory that can be allocated
# dynamically by the Novell NetWare Traffic Analysis Agent.
#
# Increasing this number allows you to create larger packet
# capture buffers and maintain data for inactive stations
# for a longer period of time.
#
# Decreasing this value reduces the amount of memory that
# can be used by Novell NetWare Traffic Analysis Agent. This leaves more
# memory for the other server tasks.
#
# Novell NetWare Traffic Analysis Agent automatically purges data for
# inactive stations as the memory boundary is approached.
# This allows Novell NetWare Traffic Analysis Agent to adjust to
# the memory that is available to it dynamically.
#
# If the boundary is low, purging occurs frequently, saving
# only data for stations that have been recently active on
# the network. If this happens, a message appears on the
# system console indicating that not enough memory has been
# allocated to Novell NetWare Traffic Analysis Agent.
#
# KB is the memory boundary in kilobytes.
#
# Initial value: Set by the installation program
# based on memory usage
#
# Minimum recommended value:      512
#
# Maximum recommended value:      75% of free server memory
# when NLM files are loaded
#
# Default value:                  If bound=KB is not specified,
# it defaults to 3072.
#
# age=HHH    Novell NetWare Traffic Analysis Agent purges data for stations that have
# not been active on the network recently. This parameter
# controls how long data for inactive stations is maintained.
#
# Memory that is used by the station table is not available
# for other uses, such as capturing packets. Reducing the
# AGE value tends to increase the amount of memory
# available for capturing packets.
#
# If you cannot allocate capture buffers that are large,
# you may need to reduce the AGE value.
#
# HHH is the inactivity period, in hours, before station data
# is purged.
#
# Minimum recommended value:      1
#
# Default value:                  If age=HHH is not specified,
# it defaults to 168 (1 week)
#
# load LANZDI level=1
#
# level=1    It indicates that the LANZDI will stop receiving packets
# when CPU utilization gets high.
#
# Default is OFF. LANZDI will continue to receive packets even
# when CPU utilization gets high.
#
# load LANZSM topn=N
#
# topn=N     The number of concurrent sorts of top N nodes that
# Novell NetWare Traffic Analysis Agent supports for each network adapter.
#
# Recommended value: 4
# Minimum value:     2
# Maximum value:     10
#
# load LANZTR poll = 1
#
# poll=1     Polls token ring source-routed bridges.
#
# load LANZCTL trapreg=1
#
# trapreg=1 Causes SNMP traps to be sent to management consoles
# advertising themselves on the network, as well as stations
# listed in SYS:\ETC\TRAPTARG.CFG. Omitting this parameter
# or setting it to 0 causes traps to be sent only to those
# stations listed in the SYS:\ETC\TRAPTARG.CFG file.
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
load gtrend.nlm
load lanzsu.nlm
load lanzmem.nlm bound = 3072 AGE = 168
load lanzlib.nlm
load lanzdi.nlm
load lanzael.nlm
load lanzhis.nlm
load lanzfcb.nlm
load lanzsm.nlm topn = 4
load lanztr.nlm
load lanzfddi.nlm
load lanzctl.nlm trapreg = 1


Modifying the LANZ.NCF File

The following sections describe how to modify the parameters of the commands in the lanz.ncf file to configure the Traffic Analysis Agent for NetWare functions:

To make changes in the lanz.ncf file and modify the configuration of the Traffic Analysis Agent for NetWare:

  1. Open the lanz.ncf file with a text editor.

  2. Insert or modify the appropriate parameter as shown and save the file.

  3. Unload and reload the Traffic Analysis Agent for NetWare, as described in Activating Changes in the LANZ.NCF File.


Turning On the LANZ Control Screen

The LANZ control screen reports significant events for the Traffic Analysis Agent for NetWare.

To turn on the LANZ control screen, insert the DEBUG parameter in the LOAD LANZSU.NLM statement, as shown below:

LOAD LANZSU.NLM DEBUG=1

The default is Off.


Disabling Packet Capture

You might want to disable packet capture to prevent others from observing sensitive data captured in the packets sent on the network segment.

To disable the packet capture, insert a comment mark (#) in the LOAD LANZFCB statement, as shown below:

#LOAD LANZFCB.NLM

You can also control packet capture during high levels of traffic instead of disabling packet capture entirely. For details, see Setting Packet Flow Control.


Disabling Generation of Duplicate IP Address Alarms

In the DHCP environment, the IP address is released to the DHCP server when a DHCP client is shut down. During the process of releasing the IP address to the DHCP server, the client sends a DHCPRELEASE packet. If this packet does not reach the agent, false duplicate IP address alarms will be generated.

To disable the generation of duplicate IP address alarms, specify zero (0) as the value for the DUPIP parameter, as shown below:

LOAD LANZSM DUPIP=0

If the DUPIP parameter contains a non-zero value or if the parameter is not specified, duplicate IP address alarms are generated.


Setting Packet Flow Control

The Traffic Analysis Agent for NetWare typically operates in promiscuous mode, receiving all packets on the network. However, if server utilization is high and performance becomes degraded, you can set the LEVEL parameter to 1, which configures the agent to pause when server traffic is high, and then automatically resume operation in promiscuous mode when the traffic level returns to normal.

The default is not to specify the LEVEL parameter at all, which allows continuous operation in promiscuous mode.

To set packet flow control, use the LEVEL parameter setting, as shown below:

LOAD LANZDI LEVEL=1

Setting the Upper Limit of Available Memory

The BOUND parameter sets the upper limit of available memory that can be allocated dynamically to the Traffic Analysis Agent for NetWare.

The value of the BOUND parameter is measured in kilobytes (KB). The default value is 3072 KB. The minimum recommended value is 512 KB. The maximum recommended value is 75% of the memory that is available after all NLM files are loaded.

You might receive the message "Insufficient memory available for the Traffic Analysis Agent for NetWare" in the following situations:

  • The server has too little memory
  • The server has sufficient memory, but the memory is not available to the Traffic Analysis Agent for NetWare
  • You requested a packet capture buffer that is too large, and the agent granted you less memory than requested

In each case, you should increase the value of the BOUND parameter and add more RAM to your NetWare server.

To change the upper limit of available memory, edit the BOUND parameter, with the appropriate value, as shown below:

LOAD LANZMEM BOUND=3072 AGE=168

Purging Data from Server Memory

The Traffic Analysis Agent for NetWare holds its data in server memory. You can control the amount of data held in memory by setting the value of the AGE parameter. When data reaches the age specified in the parameter, the data is purged from memory. The AGE parameter is particularly useful on large, bridged networks.

The value of the AGE parameter is measured in hours. The default value is 168, or one week. The minimum recommended value is one hour.

You should lower the AGE parameter if you receive the message "Insufficient memory available for the Traffic Analysis Agent for NetWare" and you have allocated sufficient memory for the agent.

Having insufficient memory is not harmful to the agent or the server. The Traffic Analysis Agent for NetWare can run indefinitely, even when the memory allocated to it is not sufficient.

To modify the amount of data held in server memory, change the value of the AGE parameter, as shown below:

LOAD LANZMEM BOUND=3072 AGE=168

Sorting Concurrent Top Stations

The Traffic Analysis Agent for NetWare sorts stations whenever the top eight graphs on the Segment Dashboard view, the Stations view, or both are displayed by Novell ConsoleOne. The sorts are independent of each other and can be computed on the basis of different statistics.

Because each of the sort computations uses server CPU cycles, you should limit the number of concurrent computations.

To set the number of concurrent sort computations per network adapter, set the TOPN parameter, as shown below:

LOAD LANZSM TOPN=n

The default value is 4. The minimum value is 2. The maximum value is 10.


Automatically Sending Alarms to the Management Site Server

The Traffic Analysis Agent for NetWare can automatically send SNMP alarms (sometimes referred to as SNMP traps) to the Management Site Server or other nodes on the network in the following configurations:

  • The Traffic Analysis Agent for NetWare receives the SAP packets sent by the Management Site Server.
  • The Management Site Server or other node is listed in the server's TRAPTARG.CFG file. This file can be edited to add other trap targets.

The traptarg.cfg file is stored in the sys:\etc directory. The file provides instructions for its use. You can edit the file with any ASCII text editor.

To enable alarms to be sent automatically, add the TRAPREG parameter setting, as shown below:

LOAD LANZCTL TRAPREG=1

The default is 1. If you omit the TRAPREG parameter or set its value to zero (0), the agent sends alarms only to management consoles listed in the traptarg.cfg file.


Polling Source Route Bridges

To control source route bridge polling on token ring networks, use the POLL parameter, as shown below:

LOAD LANZTR POLL=1

1 = On and 0 = Off.

Setting the POLL parameter to 1 polls source routed bridges once every second. You cannot change the polling rate. The default is On.

To turn off this function, set the POLL parameter to zero (0), as shown below:

LOAD LANZTR POLL=0

The default is to omit the POLL parameter. Also, the LOAD LANZTR statement is commented out on systems that do not have a token ring adapter installed.


Activating Changes in the LANZ.NCF File

To activate the changes you make in the lanz.ncf file:

  1. Save the lanz.ncf file.

  2. Enter ULANZ at the server prompt to unload the agent.

  3. Enter LANZ to reload the agent.
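
The defaults and limits given in the parameter sections above can be checked against a copy of lanz.ncf before the agent is reloaded. The following Python script is an added example, not part of the Novell documentation or the agent; the function names and the sample file contents are constructed for illustration, and the checks use only the values stated on this page.

```python
import re

# Constructed sample (not a real server's file): the default load statements
# from this page with BOUND lowered, TOPN raised and LANZFCB commented out.
SAMPLE_NCF = """\
# load LANZSU debug=1    (documentation comment in the file: must be ignored)
load gtrend.nlm
load lanzsu.nlm
load lanzmem.nlm bound = 256 AGE = 168
load lanzlib.nlm
load lanzdi.nlm
#load lanzfcb.nlm
load lanzsm.nlm topn = 12
load lanzctl.nlm trapreg = 1
"""

LOAD_RE = re.compile(r"load\s+(\S+)(.*)$", re.IGNORECASE)
PARAM_RE = re.compile(r"(\w+)\s*=\s*(\S+)")  # accepts "bound = 3072" and "bound=3072"


def parse_ncf(text):
    """Return {module: {param: value}} for each active (uncommented) LOAD line."""
    modules = {}
    for raw in text.splitlines():
        match = LOAD_RE.match(raw.strip())  # lines starting with '#' never match
        if not match:
            continue
        name = match.group(1).lower()
        if name.endswith(".nlm"):
            name = name[:-4]
        modules[name] = {k.lower(): v for k, v in PARAM_RE.findall(match.group(2))}
    return modules


def _num(params, key, default):
    """Integer value of a parameter, the given default if absent, None if malformed."""
    try:
        return int(params.get(key, default))
    except ValueError:
        return None


def audit(text):
    """Return (module, finding) tuples based on the limits stated on this page."""
    mods, findings = parse_ncf(text), []
    if "lanzfcb" in mods:
        findings.append(("lanzfcb", "packet capture is enabled; captured packets "
                                    "can expose sensitive data"))
    if "lanzmem" in mods:
        bound = _num(mods["lanzmem"], "bound", 3072)  # documented default
        age = _num(mods["lanzmem"], "age", 168)       # documented default
        if bound is None or bound < 512:
            findings.append(("lanzmem", "BOUND is not a number or is below the "
                                        "recommended minimum of 512 KB"))
        if age is None or age < 1:
            findings.append(("lanzmem", "AGE is not a number or is below the "
                                        "recommended minimum of 1 hour"))
    if _num(mods.get("lanzdi", {}), "level", 0) == 1:
        findings.append(("lanzdi", "LEVEL=1: agent stops receiving packets when "
                                   "CPU utilization gets high"))
    if "lanzsm" in mods:
        topn = _num(mods["lanzsm"], "topn", 4)
        if topn is None or not 2 <= topn <= 10:
            findings.append(("lanzsm", "TOPN is outside the documented range 2 to 10"))
        if _num(mods["lanzsm"], "dupip", 1) == 0:
            findings.append(("lanzsm", "DUPIP=0: duplicate IP address alarms are disabled"))
    if _num(mods.get("lanzctl", {}), "trapreg", 0) == 1:
        findings.append(("lanzctl", "TRAPREG=1: traps also go to consoles advertising "
                                    "themselves, not only to TRAPTARG.CFG targets"))
    return findings


if __name__ == "__main__":
    for module, finding in audit(SAMPLE_NCF):
        print(f"{module:8} {finding}")
```

The check for the maximum recommended BOUND value (75% of free server memory) is left out because it depends on the memory figures of the running server.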


Using the Console Utility of the Traffic Analysis Agent for NetWare

The Traffic Analysis Agent for NetWare 1.3 provides a console utility (lanzcon.nlm) that performs the following three tasks:

When you install the Traffic Analysis Agent for NetWare, lanzcon.nlm is installed automatically in the sys:\zfs_agnt\lanz directory.

The following topics are discussed in greater detail in this section:


Loading the Console Utility of the Traffic Analysis Agent for NetWare

To use lanzcon.nlm, enter the following command at the NetWare console prompt:

LOAD LANZCON CONTROLCOMMUNITY = <control community string>

IMPORTANT:  If LANZCON is launched without any command line argument, then the default control community string is PUBLIC.

lanzcon.nlm is loaded and displays a list of network adapters, along with summary information about the network adapters currently installed on the server.

The following information is displayed for each network adapter:

  • Number (#): The network adapter entry number in the network interface table.

  • Description: A brief description of the network adapter.

  • Media Type: The type of network connected to the network adapter: Ethernet, FDDI, or token ring.

  • Adapter Address: The physical address of the network adapter.


Enabling or Disabling Network Adapter Monitoring

To enable or disable monitoring of a selected network adapter:

  1. From the Network Adapters screen, select the appropriate adapter then press F3.

    • If the selected adapter is currently monitoring an Ethernet or token ring network, the console displays the Adapter Is Monitoring screen.
    • If the selected adapter is not monitoring an Ethernet or token ring network, the console displays the Adapter Is Not Monitoring screen.
  2. Select Yes or No to enable or disable monitoring.

    If you disable monitoring, all LAN analysis data for the selected adapter is deleted.

Using LANZCON, an FDDI adapter cannot be disabled. To disable an FDDI adapter:

  1. Unload LANZCON, if loaded.

  2. Unload LANZ, if loaded.

  3. Open lanz.ncf from sys:\zfs_agnt\lanz directory for editing.

  4. Comment out the statement LOAD lanzfddi.nlm by entering the # symbol at the beginning of this statement.

  5. Save lanz.ncf and exit.

  6. Reload LANZ.


Viewing Network Adapter Information

To bring up detailed information for network adapter items:

  1. From the Network Adapters screen, select an adapter then press Enter.

  2. From the Select Information to View screen, select Show Adapter Items.

    The LANZCON utility displays the Network Adapter Items screen that lists all the items related to the selected network adapter.

The screen for a token ring adapter includes the information from the Novell Token Ring RMON MIB. For details, see Viewing the Agent Item Status.

To return to the Select Information to View menu, press Esc.

The following information is provided for the selected adapter:

  • Item: The types of items that are currently being monitored by the selected adapter. The Network Adapter Items screen shows a set of typical items consisting of token ring, Statistics, History, Host, Matrix, and Host TopN. The Traffic Analysis Agent for NetWare monitors these items by default. In the Network Adapter Items screen, the Host TopN item, indicating the list of the busiest nodes, has been added by a user. You can add other items to this display in Novell ConsoleOne, depending on your configuration.

    You can select any item to view more information about each topic. To view the values for the selected item, select the desired item then press Enter. Refer to the following sections for more examples of the screens.

  • Index: The entry number of the displayed item in the list of all the items of the same type. The related tables are identified by this index.

  • Description: A textual description of the entry. This column indicates the software entity or user that created the item. The items automatically monitored by the Traffic Analysis Agent for NetWare are indicated by the monitor.

    For a token ring network entry, this column shows the media speed and the local ring number.


Viewing the Agent Item Status

When you click the Select Information to View menu > Show Agent Items, LANZCON displays all the items for each network adapter being monitored by the Traffic Analysis Agent for NetWare.

To view the agent item status for the selected agent:

  1. From the Network Adapters screen, select an adapter then press Enter.

  2. From the Select Information to View screen, select Show Agent Items.

The All Novell NetWare Traffic Analysis Agent Items screen shows all the items related to the agent monitoring the segment. For example, if you are using multiple adapters to monitor multiple network segments, the screen lists all the items being monitored by the agent.

To delete any entry (except the token ring network entry), select the entry then click Delete, and then click Yes.

To return to the Network Adapter Items screen, press Esc.

The following information is provided for the agent:

  • Item: The types of items available. The All Novell NetWare Traffic Analysis Agent Items screen shows a set of typical items consisting of Statistics, History, Host, Matrix, and Host TopN. Additional items can be displayed, depending on your configuration.

    You can select any item for more information about each topic. To view the values for an item, select the desired item then press Enter. See the following sections for more examples of the screens.

  • Index: The entry number of the displayed item in the list of all items of the same type. The related tables are identified by this index.

  • Description: A textual description of the entry. This column indicates the software entity or user that created the item table. The items automatically monitored by the Traffic Analysis Agent for NetWare are indicated by the monitor.

    For a token ring network entry, this column shows the media speed and the local ring number.


Accessing Detailed Information About Each Item

This section describes the major categories of information available for both the selected network adapter and the Traffic Analysis Agent for NetWare. The following topics are covered:


Viewing the Token Ring RMON MIB Information

To view the Token Ring RMON MIB information:

  1. From the Network Adapter Items screen, select the token ring item then press Enter.

  2. From the Select Information to View screen, select Show Adapter Items then press Enter.

  3. Press Esc to exit this screen.


Viewing the FDDI Ring RMON MIB Information

To view the FDDI ring RMON MIB information:

  1. From the Network Adapter Items screen, select the FDDI Ring item then press Enter.

  2. From the Select Information to View screen, select Show Adapter Items then press Enter.


Viewing Statistics Information

The statistics information presents the basic statistics for each monitored adapter per segment.

To view the statistics information:

  1. From the Network Adapter Items screen, select Statistics.

  2. Press Enter.

    For an Ethernet network entry, the LANZCON utility displays the Statistics Information screen.

    This screen displays the statistical values of the selected network adapter. The display is updated periodically with the latest values for each field.

  3. To exit this screen, press Esc.


Viewing History Information

The history information defines sampling functions for the networks that are being monitored. The History Control table defines a set of samples at a particular sampling interval for a particular network adapter.

To view the history information:

  1. From the Network Adapter Items screen, select History then press Enter.

  2. To exit this screen, press Esc.

The field descriptions are as follows:

  • Index: An integer that uniquely identifies a row in the History Control table.

  • Data Source: Identifies the network adapter and the Ethernet, FDDI, or token ring segment that is the source of the data for entries defined by this object.

  • Buckets Requested: The requested number of discrete sampling intervals over which data will be saved in the portion of the media-specific table associated with this entry.

  • Buckets Granted: The actual number of discrete sampling intervals over which data will be saved.

  • Interval: The interval, in seconds, over which data is sampled for each bucket. The interval can be set to any number between 1 and 3,600 (one hour). The default interval for past hour is 30 seconds per sample, and the default interval for past day is 30 minutes (or 1,800 seconds) per sample.

    The sampling scheme is determined by the buckets granted and the control interval.

  • Owner: The entity that created the item. "Monitor" indicates that the item was created by the Traffic Analysis Agent for NetWare.

  • Status: A status of Valid indicates that the agent is operating normally under the instructions given by the table.


Viewing Host Information

The host group gathers statistics about specific hosts or nodes on the LAN. The Traffic Analysis Agent for NetWare learns of new nodes on the LAN by observing the source and destination MAC addresses in good packets. For each node known to the agent, a set of statistics is maintained.

To view the host (node) information:

  1. From the Network Adapter Items screen, select Host then press Enter.

The host group consists of three tables: two data tables and one control table. The two data tables are hostTable and hostTimeTable. The control table, hostControlTable, includes the following objects, which correspond to the fields displayed in the Host Information screen:

  • Index: An integer that uniquely identifies a row in the hostControlTable. Each row in the control table refers to a unique network adapter, and thus, a unique segment.

  • Data Source: Identifies the network adapter and the Ethernet, FDDI, or token ring segment that is the source of the data for the entries defined by this object.

  • Table Size: The number of rows in the hostTable associated with this row.

  • Last Delete Time: The value of the sysUpTime MIB object that corresponds to the last time an entry was deleted from the portion of the hostTable associated with this row. The value is zero (0) if no deletions occurred.

  • Owner: Indicates the entity or user that created the item. "Monitor" indicates that the item was created by the Traffic Analysis Agent for NetWare.

  • Status: A status of Valid indicates that the agent is operating normally under the instructions given by the table.


Viewing Matrix Information

The matrix group records information about the conversations between pairs of nodes on a network segment. The information is stored in the form of a matrix. This method of organization is useful to retrieve specific pairings of traffic information, such as finding out which nodes are making the most use of a server.

To view the matrix information:

  1. From the Network Adapter Items screen, select Matrix then press Enter.

The matrix group consists of three tables: two data tables and one control table. The data tables are matrixSDTable and matrixDSTable. The control table, matrixControlTable, includes the following objects, which correspond to the fields displayed in the Matrix Information screen:

  • Index: An integer that uniquely identifies a row in the matrixControlTable. Each row in the control table defines a function that discovers conversations on a particular network and places statistics about them in the two data tables.

  • Data Source: Identifies the network adapter, and the Ethernet, FDDI, or token ring segment that are the source of the data for the entries defined by this object.

  • Table Size: The number of rows in the matrixTable associated with this row.

  • Last Delete Time: The value of the sysUpTime object that corresponds to the last time an entry was deleted from the portion of the matrixTable associated with this row. The value is zero (0) if no deletions occurred.

  • Owner: Indicates the entity or user that created the item. "Monitor" indicates that the item was created by the Traffic Analysis Agent for NetWare.

  • Status: A status of Valid indicates that the agent is operating normally under the instructions given by the table.


Migrating Trend Files

In Novell ConsoleOne, you can view trends of traffic patterns on the monitored Ethernet, FDDI, and token ring segments. You can use the trend data to analyze traffic on the segment. For details, see Analyzing Trend Data for a Segment.

Earlier versions of the Traffic Analysis Agent for NetWare (1.20 and 1.21) collected trend data that was sampled every one minute. The Traffic Analysis Agent for NetWare 1.30 that ships with Novell ZENworks Server Management collects trend data that is sampled every one minute, one hour, and one day. This functionality of version 1.30 of the Traffic Analysis Agent for NetWare ensures minimal communication between the agent and Novell ConsoleOne, to reduce network traffic.

You can use the migrating tool (gtrend.exe) to convert the trend data collected by earlier versions of the Traffic Analysis Agent for NetWare to trend data that can be used by version 1.30 of Traffic Analysis Agent for NetWare and Novell ConsoleOne.

To migrate trend files collected by versions 1.20 or 1.21 of the Traffic Analysis Agent for NetWare:

  1. Copy gtrend.exe from the Installation CD to a TEMP folder on a 32-bit Windows machine.

  2. Copy the trend data files collected by earlier versions of the Traffic Analysis Agent for NetWare to the TEMP folder.

  3. Run gtrend.exe.

    This will migrate the existing one-minute trend files to the corresponding one-hour and one-day trend files that can be used by version 1.30 of the Traffic Analysis Agent for NetWare.

  4. Copy the migrated trend files to the sys:\gtrend\ folder on the NetWare server and run the version 1.30 of the Traffic Analysis Agent for NetWare on the same server.

    NOTE:  The migration tool will not migrate older token ring trend data collected by version 1.20 or 1.21 of the Traffic Analysis Agent for NetWare because the older agents implemented a proprietary Token Ring MIB that enabled the agent to collect trend data sampled every one minute. Version 1.3 of the Traffic Analysis Agent for NetWare implements the standard Token Ring MIB that supports historical trends (one minute, one hour and one day).