|
|
TrafficDirector is shipped with the capability to respond to most network management needs. However, you can customize TrafficDirector to conform to your specific network management requirements. This chapter describes the two primary tools you can use to customize TrafficDirector: Filter Editor and Domain Editor.
Before you start a data capture session or create a custom domain, you need to decide the type and extent of the data to collect for display and analysis. You select an appropriate filter to screen the incoming data when you start a data capture session or create a custom domain.
TrafficDirector is shipped with a number of predefined filters. These filters should handle most data capture and domain requirements. If you need filtering parameters that are not available in the existing filters, you can use Filter Editor to edit existing filters or create new filters that meet your requirements. You can view the list of available filters by running the Domain Editor Add function (see the "Defining New Domains" section).
To collect only selected data, you can create a set of filters that are either inclusive or exclusive and that pass, capture, and store only the packets that meet the filter criteria. Filter creation begins with a filter format that uniquely describes the specific characteristics of the frame which must be matched for acceptance or rejection of data packets from the data capture buffers. Filter formats are based on the detailed structure of the seven-level protocol stack that makes up a transmission frame.
TrafficDirector includes a substantial number of pre-established formats for the most commonly used stacks. You can create new filters using these formats to explore a current problem or define and store them for later use. To see a list of the filter formats that are available, use the Add function in the Filter Editor (see the "Adding New Filter Definitions" section).
When you have created the appropriate filter, you insert it into the filter definition to be used for the data capture session. You can create highly selective filters that eliminate extra detail that may otherwise obscure the protocol decode process. The TrafficDirector Filter Editor offers the following four functions:
Before you get started adding or modifying filters, you need to be aware of the different ways you can specify field values. Values you can specify for a field in any given filter depend upon the type of filter format you select. As mentioned earlier, TrafficDirector includes many pre-established formats for the most commonly used stacks. Once you select a filter format, the corresponding fields are displayed.
Except for the filter name, which is required, the remaining fields are all optional; you define only those fields that fit your needs. The fields you will see may require a single-byte value or multiple bytes. How you specify the values is up to you.
In the TrafficDirector Filter Editor, you can choose from two filter types: physical or logical. The filter type depends upon the filter format you select. A physical format is topology-specific. This means that the filter criteria you define must be used with a specific media type and is applied to frames at fixed positions. We recommend using a Token-Ring-specific physical filter only on Token-Ring topologies. The TrafficDirector predefined physical filters are as follows:
| SMT | Use this filter only on FDDI networks. |
| TRMAC | Use this filter only on Token-Ring networks. |
| TRNONMAC | Use this filter only on Token-Ring networks. |
A logical filter is one you can use on any network. This means that no matter the topology, TrafficDirector applies the criteria you specify at the appropriate position in a frame. For example, if you need an IP filter to be applied on a Token-Ring network as well as on an Ethernet network, you can define one filter that works on both.
In TrafficDirector, when you specify values during filter definition, you can use different numeric styles: decimal, hexadecimal (hex), binary, or IP address format (dotted). The numeric style you use to specify values depends on two things: whether the field is single-byte or multibyte and whether the field is tied to a certain type, such as MAC address, which accepts only a hex value. To find out whether a field is single-byte or multibyte, you can open any predefined filter format file contained in your $NSHOME/usr directory. For example, if you wanted to find out how many bytes the Time to Live field requires in an IP filter format, in your $NSHOME/usr directory, enter the following:
cat ip.ff
After pressing Enter, the filter format file (ip.ff) is displayed, showing all fields defined for the IP filter type, number of bytes required for each field, and any specific value type associated with a field (such as MACADDR, the MAC address type).
In single-byte fields, you can specify the following numeric types, keeping in mind any restrictions as noted:
| Hex | Hex values must contain characters from the hex numeric set, 0 to 9 or a to f. However, if a hex value you specify is all numeric, TrafficDirector translates it as a decimal number. This means that if you are using hex and you want to specify Time to Live as 128 seconds, when you enter the hex value 80, TrafficDirector translates the Time to Live field as 80 seconds, instead of the 128 you wanted. |
| Decimal | Decimal values must contain all numbers and no periods. This means that if you want to specify Time to Live as 128 seconds, you enter 128, not 128.00. If you do enter 128.00, TrafficDirector translates your entry as a 2-byte value and displays an error message advising you that Time to Live is a single-byte field. |
| Binary | Binary numbers, which are only 0s and 1s, must begin with an uppercase B. |
| Wildcards | There are two acceptable wildcards you can specify when you only want to specify part of a numeric value. When you are specifying hex or decimal numbers, you can specify an uppercase X as a wildcard (it is case sensitive). This uppercase X is a placeholder for 1 byte of information for decimal values or 4 bits for hex values. However, if you are working with binary numbers, you must use a lowercase x as a wildcard (again, it is case sensitive). This lowercase x is a placeholder for 1 bit of information. |
In multiple-byte fields, you can specify the following numeric types, keeping in mind any restrictions as noted:
| Hex | Hex values must contain characters from the hex numeric set, 0 to 9 or a to f. However, if a hex value you specify is all numeric, TrafficDirector translates it as a decimal number. |
| Decimal | Decimal values in multiple-byte fields can contain numbers and periods. However, that TrafficDirector reads each side of a period as a separate number. This means that if you specify a number as 255.255.255.75, TrafficDirector reads four values: 255, 255, 255, and 75. |
| Binary | Binary numbers, which are only 0s and 1s, must begin with an uppercase B. |
| Wildcards | There are two acceptable wildcards you can specify when you only want to specify part of a numeric value. When you are specifying hex or decimal numbers, you can specify an uppercase X as a wildcard (it is case sensitive). This uppercase X is a placeholder for 1 byte of information for decimal values or 4 bits for hex values. However, if you are working with binary numbers, you must use a lowercase x as a wildcard (again, it is case sensitive). This lowercase x is a placeholder for 1 bit of information. |
| Binary and Hex Combination | In TrafficDirector, you can use a combination of binary and hex values in any multibyte field. This is especially useful when you want to capture multicast packets on different network topologies. |
When you are ready to add a new filter, use the following procedure.
Step 1 Click the Filter Editor icon in the TrafficDirector main window, or select Tools>Filter Editor from the menu bar. The Filter Editor window is displayed (Figure 12-1).
Step 2 Click New. The New Filter window is displayed (Figure 12-2). Most of the window shows blank spaces, which are used later to designate fields for a specified filter format, as described in Step 4.
Step 3 Enter a name for the new filter in the Filter Name field by specifying up to eight letters, numbers, dashes, or underscores. Keep in mind that the name must begin with a letter and is case-sensitive.
Step 4 To select a format for the new filter, highlight the format you want from those listed in the Filter Formats list. Then click Select Format.
The Add Filter window changes its display. Instead of a column of blank spaces, field names are displayed. Depending on the filter format selected, you might see only three fields or two pages. For example, if you selected the TCP filter format, the Add Filter window (Figure 12-3) displays field names for all the rectangles shown in the window, and the PgDn button is enabled. You can click this button to see the rest of the fields available for defining the filter. Then click the PgUp button to toggle back to the first page of the window.
Step 5 For certain filters, some fields already contain values. Fill in additional fields as needed.
Step 6 Click OK to add the filter. The filter is now displayed in the filter list.
To edit an existing filter definition, use the following procedure.
Step 1 Click the Filter Editor icon from the TrafficDirector main window, or select Tools>Filter Editor from the menu bar. The Filter Editor window (Figure 12-1) is displayed.
Step 2 Select the filter you want to edit from the filter list in the Filter Editor window by highlighting it.
Step 3 Click Edit. The Edit Filter window (Figure 12-4) is displayed. This window is the same as the New Filter window, except that existing fields are already filled in with the values you last specified.
Step 4 Change the fields you want to edit.
Step 5 Click OK to create the new filter or Cancel to quit.
Before using a filter in the Data Capture tool or creating a new filter, you can look at the field definitions for one or more existing filters. You can view the field definitions for an existing filter without changing any filter information. To see existing filter definitions, use the following procedure.
Step 1 Click the Filter Editor icon from the TrafficDirector main window, or select Tools>Filter Editor from the menu bar. The Filter Editor window is displayed (Figure 12-1).
Step 2 Select the filter you want to view from the filter list in the Filter Editor window by highlighting it.
Step 3 Click View. The View Filter window (Figure 12-5) is displayed. It is the same as the Edit Filter window, but you cannot change any fields.
Step 4 If applicable, click the PgDn or PgUp buttons to scroll through all the fields containing values for the filter you are viewing. Click Cancel when you are finished viewing the filter.
When you no longer need a filter, you can delete the filter definition to conserve system resources. To delete a filter definition from the filter list, use the following procedure.
Step 1 Click the Filter Editor icon from the TrafficDirector main window, or select Tools>Filter Editor from the menu bar. The Filter Editor window is displayed (Figure 12-1).
Step 2 Select the filter you want to delete from the filter list in the Filter Editor window.
Step 3 Click Delete. A cautionary window is displayed that prompts you to confirm that you want to delete the filter.
Step 4 Click OK to delete the filter definition or Cancel to quit without deleting the filter definition.
You can exit Filter Editor at any time by selecting File>Exit from the menu bar.
TrafficDirector is shipped with a number of standard domains already defined. These domains let you monitor most types of network traffic. If these are not sufficient, you can use the Domain Editor tool to create new domains or edit existing domains to meet your monitoring needs. You can choose to create generic or protocol-specific domains in TrafficDirector.
When you define a domain, you determine the subset of network traffic that the domain represents. Once you define a domain, you can install it on one or more agents and monitor that portion of network traffic.
In this section, you will learn how to define new domains, modify existing domains to meet new monitoring requirements, and delete domains when you no longer need them.
The Domain Editor lets you add, edit, or delete generic or protocol-specific domain definitions. When a domain is defined, you can attach it to one or more agents. TrafficDirector is shipped with a number of predefined domains. However, you can define a custom domain to monitor a specific subset of traffic on your network.
To define a new protocol domain, use the following procedure. Keep in mind that after defining a new domain, you need to add it on an agent for it to be useful. For more information about Domain Manager and adding domains on an agent, see the "Installing, Deinstalling, and Monitoring Domains Using Domain Manager" chapter.
Step 1 Click the Domain Editor icon from the TrafficDirector main window or select Tools>Domain Editor from the menu bar. The Domain Editor window is displayed (Figure 12-6).
Step 2 To the right of the Domain Type field, select Protocol.
Step 3 Click the New button. The New Protocol Domain window is displayed (Figure 12-7).
Step 4 In the Domain Name field, enter the name you want associated with the domain you are defining. This can be a maximum of 15 letters and must begin with a letter. You can use only letters, numbers, dashes, and underscores. The name is case insensitive.
Step 5 To the right of the Data Link Layer field, click the selection button. When you do so, a list of supported network topologies (media) is displayed. You can choose from Ethernet, Token Ring, FDDI, and WAN.
Step 6 To the right of the Network Layer field, click the selection button. A list of parent protocols is displayed. Parent protocols are high-level protocols. The list shows the protocol name, as well as a number that maps to an RMON2 definition. The protocols you see are those that work on the media type you selected in Step 5. Select the protocols you want to include as part of the domain you are defining.
Step 7 For any of the Application Layer fields 1 through 5, click the selection button to the right of each field you want to define. Keep in mind that all these fields are optional, which means that you can define none of these fields or as many as all five.
For each selection button you click, a list of protocol children is displayed. Children protocols are those that are related to the protocols you selected in
Step 6. You can choose to examine multiple children protocols running on a level above selected parent protocols. The list shows the children protocol name, as well as a number that maps to an RMON2 definition.
Select any children protocols you want to include as part of the domain you are defining.
Step 8 When you have finished defining the domain, click OK to save your choices or Cancel to close the window without saving your definition.
You can define generic domains only on SwitchProbe devices. To define a new generic domain, use the following procedure. Keep in mind that after defining a new domain, you need to add it on an agent for it to be useful. For more information about Domain Manager and adding domains on an agent, see the "Installing, Deinstalling, and Monitoring Domains Using Domain Manager" chapter.
Step 1 Click the Domain Editor icon from the TrafficDirector main window, or select Tools>Domain Editor from the menu bar. The Domain Editor window is displayed (Figure 12-6).
Step 2 To the right of the Domain Type field, select Generic.
Step 3 Click the New button. The New Generic Domain window is displayed (Figure 12-8).
Step 4 In the Domain Name field, enter the name of the domain as you want it displayed throughout TrafficDirector. This can be a maximum of 15 letters and must begin with a letter. You can use only letters, numbers, dashes, and underscores. The name is case insensitive.
Step 5 Under the Host Address Mode heading, select how you want host addresses displayed: MAC, NET, or SUBNET.
Under the Domain Type heading, select one of the following:
| Inclusive | The default value. Choosing this type means that a packet is accepted into the domain if it matches any of the filters. |
| Exclusive | Choosing this type means that a packet is accepted into the domain if it fails to match all of the filters. |
Under the Packet Type heading, select one of the following:
| Good | Selects only good packets as part of the domain. |
| Bad | Selects only bad packets as part of the domain. |
| All | Selects all packets as part of the domain. (The default value.) |
Step 8 Under the Selected Filters heading, scroll down and select one or more (up to eight) filters you want to include as part of the generic domain you are defining. You can mix and match any of the network layer protocols displayed.
The filters you select determine the type of packets the new generic domain recognizes as follows:
Step 9 Click OK to define the new generic domain with your choices, or click Cancel to close the window without saving your choices.
You can change a domain definition when you want to monitor a different subset of network traffic. You can also use the Edit Domain function to create a new domain by modifying an existing domain and then renaming it. You can view the parameters of an existing domain without editing it. You can also edit a previously defined domain whether it is attached to an agent or not. To change or view the information for an existing domain, use the following procedure.
Step 1 Select the domain you want to edit from the Agent Summary area in the Domain Editor window.
Step 2 Click Edit or View from the Domain Editor window.
Depending on the type of protocol you selected, one of the following is displayed. (Keep in mind that each window corresponds to the Add window, except that fields are already filled with values you specified earlier.)
If you selected a protocol domain and clicked Edit, the Edit Protocol Domain window is displayed (Figure 12-9).
If you selected a generic domain and clicked Edit, the Edit Generic Domain window is displayed (Figure 12-10).
If you selected a protocol domain and clicked View, the View Protocol Domain window is displayed (Figure 12-11).
If you selected a generic domain and clicked View, the View Generic Domain window is displayed (Figure 12-12).
Step 3 Do one of the following:
Step 4 Do one of the following:
When you no longer need to monitor the subset of network traffic defined by a domain, you can delete the domain definition to save resources. To delete a domain definition from TrafficDirector:
Step 1 Select the domain you want to delete from the Agent Summary list in the Domain Editor window.
Step 2 Click Delete from the Domain Editor window. A cautionary prompt appears, asking if you want to continue.
Step 3 Click OK to delete the domain definition or Cancel to return to the Domain Editor window.
To exit Domain Editor at any time, select File>Exit from the menu bar.
|
|