As you can see from the number of answers coming in, you shouldn't expect too
much support.
I have already spent some time (mostly nights) on ProbeWatch, so the
answers to your questions are based on what I have discovered.
Question 1.
As far as I know (hoping I am wrong) there is no possibility to relate
IP or other high-level addresses to a physical address (MAC).
You should look for the NAT packet probe for that.
You cannot even customize a host file to replace addresses by names :<}
Question 2.
Watchdog set-up
See at the end of the note a summary of the basic things to know when
using ProbeWatch (sorry for the tabs, this is a text version of a Word
document).
Question 3.
My feeling (which I am convinced is OK) is that the blue portion
(Multicast) is a percentage of the utilisation (the RED one).
45% BLUE and 5% RED means that 45% of the 5% of the total bandwidth
utilisation was due to Multicast.
Best regards,
Robert
------------------------------------------------------------------------------
ProbeWatch (3.1) Tips
Generalities
-------------
The directory structure is the following:
Network files: NSHOME\ipstack\
Executable files: NSHOME\bin\
Samples and Templates: NSHOME\samples\
Active configuration files: NSHOME\usr\
Data collection files: NSHOME\db\<probe_name>\<domain_name>
Report files: NSHOME\reports\
The file type structure is the following:
Domain files: *.dom
Configuration files : *.cfg
Filter files: *.fil
Log files: *.log
See dvconf.log for the Configuration Daemon log file and also the console
information.
See dvlog.log for the Logging Daemon (Reporting) log file.
See dvtrap.log for the Watchdog Daemon log file.
Command Line interface
-----------------------
Connecting to the console or using the Remote Login allows some
parameterisation of the probe that is not possible from the ProbeWatch
application, such as the size of the Host table or the Host matrix.
Please refer to the Command line Help for more details about the set, get and do
commands used to configure the probe.
Note that domain installations are held in volatile memory and therefore
disappear after power-off or a probe reset, while settings made through the
command line are saved in non-volatile RAM.
NETScout Shell
--------------
The NETScout shell is the basic way to configure the DECpacket Probe; most of
the commands explained below are NETScout Shell commands.
Refer to the Help in the NETScout Shell menu for more information about the
possible actions.
Start-up file
-------------
The start-up file is located in the NSHOME\usr directory.
The default is: NSHOME\usr\startup
The start-up file name per agent is defined when a NEW agent is added and
can be modified using a text editor.
The start-up file contains NS shell commands like:
- dvinstal to install domains
- dvadmin to define where traps should be sent
- dvwatch to specify the default trap profile
Configuration files (*.cfg) should be located in the NSHOME\usr directory
Host names should be located in the NSHOME\ipstack\hosts file
For example:
#
# Default start-up script file "start-up"
#
# Note: "%1" is a macro replaced by the agent name.
dvinst dvinst.cfg %1
dvadmin add %1 dbc157 public
dvadmin add %1 teview public
dvwatch add %1 ALL watchdog.cfg
Domain installation file
-------------------------
The dvinst.cfg file should have the following layout:
#
# Domain configuration file for a NETscout RMON probe.
#
#            Host    Segment  Short    Long                          Packet
#Domain      Mode    Stats    History  History  Host  Conversation  Capture
#----------- ------  -------  -------  -------  ----  ------------  -------
ALL          MAC     y        y        y        y     n             n
IP           NET     y        y        y        y     y             n
NOVELL       NET     y        y        y        y     n             n
DECNET       NET     y        y        y        y     n             n
VINES        MAC     y        y        y        y     n             n
ATALK        MAC     y        y        y        y     n             n
IP-SNET      SUBNET  y        y        y        y     y             n
New Domain creation
--------------------
Domains are based on filters (see filter editor).
To add a new domain, for instance to cover the DEC LAN protocols other than
DECnet, use the Domain editor.
Example: DECOTHER
File decother.dom
description: "All other DEC LAN protocols"
tr-rif-mask:
inclusive: Y
type: Any
filter-list: DECCLUST DECLAT DECMOPDL DECMOPRC
Protocol Monitoring
-------------------
The protocol monitoring function displays the protocol statistics collected per
installed domain.
The protocols displayed depend on what is defined in the protmon.cfg file.
The default is the following:
#
# Configuration file for Protocol Monitor
#
title: "Protocol Monitor"
parent: ALL
children: IP NOVELL DECNET VINES ATALK
This is related to what is installed (see the dvinst.cfg file).
All other protocols not defined as children will be displayed as OTHER.
If, for instance, other DEC protocols (excluding DECNET) should be displayed
separately, a new domain should be created (see above) and the
dvinst.cfg file should be adapted.
New protmon.cfg
---------------
#
# Configuration file for Protocol Monitor
#
title: "Protocol Monitor"
parent: ALL
children: IP NOVELL DECNET VINES ATALK DECOTHER
New dvinst.cfg
---------------
#
# Domain configuration file for a NETscout RMON probe.
#
#              Host    Segment  Short    Long                          Packet
#Domain        Mode    Stats    History  History  Host  Conversation  Capture
#------------- ------  -------  -------  -------  ----  ------------  -------
ALL            MAC     y        y        y        y     n             n
IP             NET     y        y        y        y     y             n
NOVELL         NET     y        y        y        y     n             n
DECNET         NET     y        y        y        y     n             n
VINES          MAC     y        y        y        y     n             n
ATALK          MAC     y        y        y        y     n             n
IP-SNET        SUBNET  y        y        y        y     y             n
DECOTHER       MAC     y        y        y        y     n             n
Watchdog configuration file
---------------------------
The description of the file is in: dvwatch.doc
dvwatch
-------
Usage:
% dvwatch add agent domain config-file
% dvwatch delete agent domain config-file
% dvwatch list agent
The dvwatch utility is used to administer agent watchdogs. A "watchdog" is the
combination of an RMON alarm and one or two RMON events.
The "add" option creates (or recreates) a watchdog according to the
specifications in the configuration file.
The "delete" option deletes the watchdog specified by the configuration file.
The "list" option provides a tabular listing of all watchdogs installed
at the agent.
Configuration file contents:
variable-table: # name of variable table
variable: # name of variable
sample-type: # absolute or delta
sample-interval: # in seconds
rising-threshold: # can be float for delta
falling-threshold: # can be float for delta
trap-condition: # rising, falling, either
rising-description: # rising trap description string
falling-description: # falling trap description string
trap-community: # trap community string
# For host variables only:
host: # host MAC address
# For conversation variables only:
src-host: # source host MAC address
dst-host: # destination host MAC address
The following table provides a list of each parameter and its description.

Parameter             Description
--------------------- -----------------------------------------------
variable-table:       The name of the table containing the watched
                      variable; one of:
                        ET   (Ethernet Statistics)
                        TRP  (Token Ring Promiscuous Statistics)
                        TRNP (Token Ring MAC Statistics)
                        HOST (Host Statistics)
                        CONV (Conversation Statistics)
                        MISC (Miscellaneous Variables)
                        PVAR (Proxy Variables)

variable              The name of the watched variable.
                      Examples: Packets, "Octets In"
                      The variable name applies to the RMON variable
                      in the table associated with the domain
                      specified in the command line.
                      For host variables, the MAC address of the
                      host must be specified using the "host"
                      parameter.
                      For conversation variables, the MAC addresses
                      of the source and destination hosts must be
                      supplied using the "src-host" and "dst-host"
                      parameters.

sample-type           The watchdog type: ABSOLUTE or DELTA.

sample-interval       The interval (in seconds) between samples of
                      the variable.

rising-threshold      The rising threshold for the sampled variable's
                      value. This is an absolute integral value
                      for an ABSOLUTE-type watchdog, or a per-second
                      rate for a DELTA-type watchdog.

falling-threshold     The falling threshold for the sampled variable's
                      value. This is an absolute integral value
                      for an ABSOLUTE-type watchdog, or a per-second
                      rate for a DELTA-type watchdog.

trap-condition        RISING, FALLING, or EITHER.
                      If RISING is specified, a trap is generated
                      when the variable's value (either absolute
                      or delta) reaches or exceeds the rising
                      threshold value.
                      If FALLING is specified, a trap is generated
                      when the variable's value reaches or falls
                      below the falling-threshold value.
                      If EITHER is specified, both RISING and FALLING
                      traps will be generated when the corresponding
                      criterion is met.
                      Once a rising trap is generated, it will not be
                      generated again until the variable's sampled
                      value reaches or falls below the falling
                      threshold value, and then once again reaches or
                      rises above the rising threshold value.
                      Similarly, once a falling trap is generated,
                      it will not be generated again until the
                      variable's sampled value reaches or rises above
                      the rising threshold value, and then once again
                      reaches or falls below the falling threshold
                      value.

rising-description    A description string to be included with a
                      rising trap.
                      Example: "Too many packets."

falling-description   A description string to be included with a
                      falling trap.
                      Example: "Low traffic from host1 to host2!".

trap-community        The community string associated with this
                      watchdog. The agent uses the community string
                      associated with a watchdog to decide which
                      host(s) should receive a trap message.
                      See the dvadmin documentation for a further
                      explanation.

host                  The MAC address of the host of interest, for
                      example, "00-01-02-03-04-05". This parameter
                      applies only if the "variable-table" parameter
                      is "HOST".

src-host              The MAC addresses of the source and destination
dst-host              hosts of interest. These parameters are
                      required only if the "variable-table" parameter
                      is "CONV".
Add
---
% dvwatch add agent domain config-file
Create a watchdog at the agent using the parameters specified in the
configuration file. If a watchdog already exists for the domain and variable
specified in the configuration file, it is deleted and then re-created.
Delete
------
% dvwatch delete agent config-file
Delete the watchdog corresponding to the domain and variable specified in
the configuration file.
List
----
% dvwatch list agent
List all watchdogs installed at the agent.
Sample output:
MIB Variable: hostOutPkts.49216.6.170.170.170.170.170.170
Variable Table: HOST
Variable: Packets Out
Sample interval: 10 seconds
Sample type: DELTA
Trap condition: RISING
Rising threshold: 0.100000 / second
Falling threshold: 0.000000 / second
Last sample: 0.000000 / second
Trap community: "public"
Last rising trap: Tue Nov 2 11:20:54 1993
Rising trap desc: Rising threshold reached
MIB Variable: etherStatsCollisions.49216
Variable Table: ET
Variable: Collisions
Sample interval: 60 seconds
Sample type: DELTA
Trap condition: Either RISING or FALLING
Rising threshold: 25.000000 / second
Falling threshold: 1.000000 / second
Last sample: 0.000000 / second
Trap community: "private"
Last rising trap: (None)
Rising trap desc: Rising threshold reached
Last falling trap: Tue Nov 2 11:35:51 1993
Falling trap desc: Falling threshold reached
MIB Variable: etherStatsPkts.49216
Variable Table: ET
Variable: Packets
Sample interval: 15 seconds
Sample type: DELTA
Trap condition: Either RISING or FALLING
Rising threshold: 1000.000000 / second
Falling threshold: 50.000000 / second
Last sample: 18.200000 / second
Trap community: "Tewksbury"
Last rising trap: (None)
Rising trap desc: Rising threshold reached
Last falling trap: Tue Nov 2 11:38:58 1993
Falling trap desc: Falling threshold reached
The following lists show the valid variable names allowed for each of the
tables. Be sure to enclose the variable name in quotes if it includes blanks.
ET Table
--------
Drop Events
Utilization (* see note)
Packets
Broadcasts
Multicasts
CRC/Align Errors
Undersize Packets
Oversize Packets
Fragments
Jabbers
Collisions
Packets64
Packets65.127
Packets128..255
Packets256..511
Packets512..1023
Packets1024..1518
TRP Table
---------
Drop Events
Utilization (* see note)
Packets
Data Broadcast Packets
Data Multicast Packets
MAC Octets
MAC Packets
Packets18..63
Packets64..127
Packets128..255
Packets256..511
Packets512..1023
Packets1024..2047
Packets2048..4095
Packets4096..8191
Packets8192..18000
Packets18000+
TRNP Table
----------
Drop Events
Purge Events
Purge Packets
Beacon Events
Monitor Contention Events
Claim Token Packets
NAUN Changes
Line Errors
Internal Errors
Burst Errors
AC Errors
Abort Errors
Lost Frame Errors
Congestion Errors
Frame Copied Errors
Frequency Errors
Token Errors
Soft Error Reports
HOST Table
----------
Packets In
Packets Out
Utilization In
Utilization Out (* see note)
Errors Out (* see note)
Broadcasts Out
Multicasts Out
CONV Table
----------
Packets
Utilization (* see note)
Errors
MISC Table
----------
Packet Matches
Number of Hosts
Number of Conversations
PVAR Table
----------
Value
Number of Failures
Note regarding "Utilization" variables:
An ABSOLUTE watchdog set on a "Utilization" variable is converted
internally to a DELTA watchdog set on the corresponding "octets"
variable. DELTA watchdogs are not allowed for "utilization" variables.
Example:
variable-table: ET
variable: Utilization
sample-type: ABSOLUTE
sample-interval: 10
rising-threshold: 50.0
falling-threshold: 0.5
trap-condition: RISING
rising-description: "Utilization above 50%"
falling-description: "Utilization below 0.5%"
trap-community: "public"
This configuration file serves to request a trap when utilization
rises to 50% or more, or falls below 0.5% for a period of 10 seconds.
On a 10 Mbit/second Ethernet, 100% utilization corresponds to 1,250,000
octets per second, so 50% utilization corresponds to 625,000 octets per
second, and 0.5% utilization corresponds to 6250 octets per second.
This calculation is performed internally by the dvwatch utility.
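The re-arming rule from the trap-condition description and the Utilization conversion from the note above, worked through as an added Python example (not part of the original tips and not ProbeWatch code). The function names, the start-up state with both traps armed, and the counter readings are assumptions made for the illustration.

```python
ETHERNET_OCTETS_PER_SEC = 1_250_000  # 100% of a 10 Mbit/s Ethernet (figure from the note)

def utilization_to_octet_rate(percent, line_rate=ETHERNET_OCTETS_PER_SEC):
    """Octets/second threshold equivalent to a Utilization threshold in percent."""
    return percent * line_rate / 100.0

def delta_rates(counter, interval):
    """Per-second rates between consecutive readings of a counter."""
    return [(b - a) / interval for a, b in zip(counter, counter[1:])]

def watchdog_traps(values, rising, falling, condition="EITHER"):
    """Return (sample index, kind) for every trap a watchdog would send.

    Assumes rising > falling and that both traps are armed at start-up.
    """
    traps, rising_armed, falling_armed = [], True, True
    for i, value in enumerate(values):
        if value >= rising:
            if rising_armed and condition in ("RISING", "EITHER"):
                traps.append((i, "RISING"))
            rising_armed, falling_armed = False, True   # re-arm the falling trap
        elif value <= falling:
            if falling_armed and condition in ("FALLING", "EITHER"):
                traps.append((i, "FALLING"))
            falling_armed, rising_armed = False, True   # re-arm the rising trap
    return traps

# Constructed octet-counter readings, one every 10 seconds.
SAMPLE_OCTETS = [0, 1_000_000, 8_000_000, 15_000_000, 18_000_000,
                 25_000_000, 25_050_000, 25_060_000, 32_000_000]

def demo(condition):
    """Run the 50% / 0.5% Utilization example from the note over SAMPLE_OCTETS."""
    rates = delta_rates(SAMPLE_OCTETS, 10)
    return watchdog_traps(rates, utilization_to_octet_rate(50.0),
                          utilization_to_octet_rate(0.5), condition)

if __name__ == "__main__":
    print(demo("RISING"), demo("EITHER"))
```

The fifth rate (700,000 octets/second) is above the rising threshold but produces no trap, because the value has not yet dropped to the falling threshold since the first rising trap.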
Example watchdog.cfg
--------------------
#
# watchdog.cfg
#
# Sample configuration file for use with dvwatch
#
variable-table: ET
variable: "Packets"
sample-interval: 60 # seconds
sample-type: DELTA
trap-condition: EITHER # rising or falling or either
rising-threshold: 100.000000 # per second
falling-threshold: 50.000000 # per second
trap-community: "public"
rising-description: "100 or more packets per second"
rising-severity: "1"
rising-program-info: "prog-rising"
falling-description: "50 or less packets per second"
falling-severity: "0"
falling-program-info: "prog-falling"
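A check that can be run over a watchdog file before it is handed to dvwatch, written as an added Python example (not ProbeWatch code). It assumes the `name: value # comment` layout shown in these tips, treats the eight settings in REQUIRED as mandatory, and adds one hygiene check of its own for the well-known community strings "public" and "private".

```python
import shlex

TABLES = {"ET", "TRP", "TRNP", "HOST", "CONV", "MISC", "PVAR"}
# Assumption: these settings are treated as mandatory by this check.
REQUIRED = ("variable-table", "variable", "sample-type", "sample-interval",
            "rising-threshold", "falling-threshold", "trap-condition", "trap-community")

def parse_watchdog_cfg(text):
    """Parse 'name: value  # comment' lines into a dict (quotes stripped)."""
    cfg = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # honours quotes, drops '#' comments
        if tokens:
            cfg[tokens[0].rstrip(":").lower()] = " ".join(tokens[1:])
    return cfg

def check_watchdog(cfg):
    """Return a list of problems, using the rules stated in the tips above."""
    problems = [f"missing {k}" for k in REQUIRED if not cfg.get(k)]
    table = cfg.get("variable-table", "").upper()
    stype = cfg.get("sample-type", "").upper()
    if table and table not in TABLES:
        problems.append(f"unknown variable-table {table}")
    if table == "HOST" and not cfg.get("host"):
        problems.append("HOST variable needs host")
    if table == "CONV" and not (cfg.get("src-host") and cfg.get("dst-host")):
        problems.append("CONV variable needs src-host and dst-host")
    if "utilization" in cfg.get("variable", "").lower() and stype == "DELTA":
        problems.append("DELTA not allowed for Utilization variables")
    # Added hygiene check (not from the tips): well-known default community strings.
    if cfg.get("trap-community", "").lower() in ("public", "private"):
        problems.append("trap-community is a well-known default")
    return problems

# The sample watchdog.cfg from the tips, without its description/severity lines.
PAGE_SAMPLE = '''
variable-table: ET
variable: "Packets"
sample-interval: 60 # seconds
sample-type: DELTA
trap-condition: EITHER # rising or falling or either
rising-threshold: 100.000000 # per second
falling-threshold: 50.000000 # per second
trap-community: "public"
'''
# Constructed faulty variant: HOST variable without "host", DELTA on Utilization.
BAD = {**parse_watchdog_cfg(PAGE_SAMPLE), "variable-table": "HOST",
       "variable": "Utilization Out", "trap-community": "noc-traps"}

if __name__ == "__main__":
    print(check_watchdog(parse_watchdog_cfg(PAGE_SAMPLE)), check_watchdog(BAD))
```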
Watchdog log file
------------------
All traps are saved in dvtrap.log
New filter creation
--------------------
Example (declat.fil):
filter-format-name: ETHERNET
filter-format-type: LOGICAL ETHERNET
filter-description: "DEC LAT"
#Field Name             Size  Type     Match Value
#---------------------  ----  -------  -----------
"Destination Address"   6     MACADDR
"Source Address"        6     MACADDR
"Ether Type"            2     ETYPE    60-04
Vendor Identification file
--------------------------
The file NSHOME\usr\vendorid.nam contains the conversion table from known
Organization Unique Identifiers (OUI) to vendors.
It may be edited and modified.
Report Creation (logging and reporting)
---------------------------------------
The data collection (Logging Daemon) is configured when ProbeWatch is started.
The configuration file used for the start-up is dvlog.cfg.
The dvlog.log file contains status messages.
Import format for Excel
Use the segment details type of report generation (see structure above) to feed
Excel.
Example:
Agent    Dom  Start             Stop              Sec  Util   Dro  Octets   Pkts
hub_prb  ALL  01/16/1995 13:30  01/16/1995 13:45  899  0.546  0    5890908  25132
....
hub_prb  ALL  01/16/1995 13:45  01/16/1995 14:00  900  0.442  0    4795070  22014
....
Known problems or limitations
==============================
Startup file
------------
A complex startup file that installs a lot of domains (dvinst.conf) may
cause error messages or incompletely installed domains, because the probe runs
short of resources while it starts collecting and continues to configure
domains simultaneously.
Work-around
The current work-around is to run the configuration (startup) several times
until all domains are installed, or to install the domains interactively.
DECCLUST Filter
---------------
An error exists in the definition of the DECCLUST filter, which represents the
DEC LAVC (Local Area VAX Cluster) protocol used when VAX systems are connected
in cluster mode over the LAN. If this filter is selected, an important part of
the traffic may NOT be displayed.
Work-around
Using the Filter editor, change the Ethernet type to 60-07 instead of 06-07.