print

Tip of the Month

February 2002

KISSTU (Keep it Simple- Summary Tab Use) for Valentine’s Day!

Many aspects of network behavior are uncovered by packet analyzers through summary data displays. With the "Peeks," this information is available via the Summary Tab.

If you’re off buying sweets for your sweetie on February 14th, let your analyzer collect information for you while you’re away. When you return, the Summary Statistics gathered will provide a quick reference for, and insight into:

Utilization. Use of your bandwidth is always an interesting statistic. Does the reported utilization look reasonable? Is it what you expect to find? If not, go to the Nodes Tab, or Conversations Tab, or Peer Map (EtherPeek NX) to find your top talkers and what they were doing.

Packet Size Distribution. The Packet Size Distribution display is often used as simply a graphic report of network activity for management. However, this screen can provide valuable insight into network issues. For instance, large file transfers should be using large packet sizes, while small packets such as "keep-a-lives" should be using the smallest possible size. This may seem obvious to you, but others doing node configurations on your network may not understand the effects of their actions. We have seen servers configured to utilize only 65 Byte packets regardless of file size!

AppleTalk, IP Statistics. Any connection-oriented protocol should have as many replies as requests. Sometimes capture timing and network factors may cause an imbalance of replies/requests, but the numbers should always be reasonably close. Too many unanswered requests are grounds for investigation!

In-depth, Expert Problem Detection. The Expert Tab available with EtherPeek NX should be your first stop if you’re experiencing any kind of anomalous network behavior and would like in-depth analysis of the source of that behavior.

ICMP Statistics. ICMP is often labeled as the "bad-news-protocol." In actuality, ICMP is one of the most informative and valuable protocols for the network analyst.

Ping packets are "ICMP Echo Request /Echo Replies." Generally, you will see a reply for almost every request. But don’t worry if a few replies are not seen. They may just have taken another route to the source or gotten lost.

"Time Exceeded" messages are generally reported when trace-route is running. Trace Route works in much the same way as a Ping with a Time To Live (TTL) of one and incrementing by one until the packet reaches the destination. Each router along the way will decrement the TTL by one and send an "ICMP Time Exceeded" message back to the source.

"ICMP Redirects" may be fine for networks with redundant routes, or they may be the result of a node with an incorrectly configured subnet mask or default gateway.

"ICMP Unreachable" messages may be broken into specific messages as follows:

ICMP Host Unreachable occurs when the destination host is not reporting on its segment and the network is otherwise working correctly.

ICMP Network Unreachable means that the destination node’s network is unreachable. A Router cannot forward packets to the next router to get to the destination.

ICMP Port Unreachable is sent from the destination station stating that the node is working…it just isn’t using that port. The destination port number and its related program are not running or are prohibited on the destination station.