
Tip of the Month

Network Analysis Tip of the Month – August 2005

Robo-Peek (Automated captures based on Alarms!)

Author – Saurabh Bhasin

Utilization percentage is a configurable alarm. You can configure “current utilization percentage” and/or “average utilization”. Double-click “average or current utilization” and set it to your liking. By default, the problem alarm is set to notify when the average utilization exceeds 75/s for 5 seconds. Be sure to set the severity level to “Severe” from the drop-down. After that, change every other alarm that is set to “Severe” down to “Major”, so that this utilization alarm is the only one that can raise a Severe notification.

Next, create a command-line notification that runs whenever a “Severe” alarm is activated, which in this setup is only the “Severe” utilization alarm. The notification executes a PING, and that PING initiates a capture.

Instructions

Triggers are activated either by time/date or by packets passing through the filters. Alarm messages create a signal that is acted upon by the notifications module, which causes an action to occur (Log, Email, Sound, Execute, log to syslog server or send SNMP traps).

1. Create an address filter combined with the ICMP protocol (example: Protocol = ICMP AND Address = 1.2.3.4). This will be your trigger filter. Name this filter PING TRIGGER.

[Note: IP address 1.2.3.4 is used as an example. The IP address must be a valid host address that can echo a reply, such as your gateway or some other host/device you are certain will be available to echo-reply.]

2. Go to Tools -> Options and create a new notification with the action type set to 'Execute', have it run a Ping, and check only the SEVERE box.

[Note: You must enter the full path to the PING executable. Here's an example of the settings:

Command: C:\WINDOWS\system32\ping.exe
Arguments: 1.2.3.4 -n 1

The above argument example will send one ICMP PING packet to whatever valid IP address you choose. A loopback address will not work since the packets never reach the wire.]

3. Modify your problem alarm settings for “Utilization” and set it to SEVERE as mentioned above - also make sure that no other Alarm levels are set to Severe, or they too will activate your trigger.

4. Set up a new capture; set your capture options to have your new PING TRIGGER as the “Start Trigger Event”. When the utilization alarm is activated, the alarm will execute a PING, which will start your capture.

You can then set a stop trigger event based on a time, elapsed time, bytes captured, a filter, etc. You could then use the save to disk option together with Repeat mode, so that the trigger goes off every time the severe alarm is activated and a separate capture is saved for each run.
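To show what the PING TRIGGER filter from step 1 matches at the packet level, and why a loopback target from step 2 can never fire it, here is an added Python example (not part of the original tip and not WildPackets code). It assumes the Address condition matches either source or destination; the 10.0.0.x addresses, the sample packets and the function names are constructed for illustration.

```python
import ipaddress
import struct

ICMP, TCP = 1, 6  # IPv4 protocol numbers

def build_ipv4(src, dst, proto, payload=b""):
    """Constructed test data: minimal 20-byte IPv4 header (checksum left 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def ping_trigger_matches(packet, address):
    """Evaluate 'Protocol = ICMP AND Address = <address>' on a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return False
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    # Assumption: the address filter matches in either direction.
    return packet[9] == ICMP and ipaddress.IPv4Address(address) in (src, dst)

def usable_trigger_target(address):
    """Reject targets whose echo request would never be seen on the monitored wire."""
    ip = ipaddress.IPv4Address(address)
    return not (ip.is_loopback or ip.is_unspecified or ip.is_multicast)

ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8, code 0 (constructed)
ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 1, 1)    # type 0, code 0 (constructed)

SAMPLES = {
    "echo request to 1.2.3.4": build_ipv4("10.0.0.5", "1.2.3.4", ICMP, ECHO_REQUEST),
    "echo reply from 1.2.3.4": build_ipv4("1.2.3.4", "10.0.0.5", ICMP, ECHO_REPLY),
    "TCP segment to 1.2.3.4": build_ipv4("10.0.0.5", "1.2.3.4", TCP),
    "ping to another host": build_ipv4("10.0.0.5", "10.0.0.1", ICMP, ECHO_REQUEST),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26} starts capture: {ping_trigger_matches(pkt, '1.2.3.4')}")
    for target in ("1.2.3.4", "127.0.0.1"):
        print(f"{target:26} usable target:  {usable_trigger_target(target)}")
```

Because unrelated ICMP traffic to or from the same host also satisfies the filter, pick a target that is not otherwise pinged on the monitored segment if you want captures to start only on the alarm.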

 

 

 
