The protocol analyzer is one of the most powerful tools in the network administrator's toolkit. It can save a company a great deal of time and money by turning problems that are difficult, time-consuming, irritating to the CEO, and sometimes "solved" only by restarting every machine into short-lived incidents that fit neatly into a weekly status report.
However, like any other complex tool, it has to be used properly to get the most out of it. When using a protocol analyzer to diagnose network faults, you should try to avoid the following mistakes.
Error 1: The analyzer is placed in the wrong location
A correctly placed analyzer is decisive in diagnosing a fault quickly. Think of the analyzer as a window onto the network, much like a window in a building: what you can see depends on which window you look out of. From a south-facing window you will never see the traffic jam on the highway north of the building. When the analyzer is connected at the wrong point in the network, tracing often takes far longer than it should. So how do you place the analyzer correctly? An example will illustrate.
Here are a few possible problems, each with an analysis of its causes:
Scenario A: a host, Server A, cannot communicate with any other host. Possible causes:
1) Server A is not configured properly;
2) Server A's network card is faulty;
3) there is a problem on the LAN that Server A is on;
4) there is an error on Server A's LAN segment.
Scenario B: a host, Server B, cannot communicate with any host in remote network X, while hosts on its own LAN and on other remote networks have no problem (which means the fault cannot lie in Server B or in Server B's LAN segment).
Possible causes:
1) Server B has a configuration error relating to network X;
2) there is a problem with the connection between Server B's network segment and the router that leads to network X;
3) one or more of the links between Server B's LAN and network X has a problem;
4) there is a problem on the network segment of the router in network X that connects to Server B's network;
5) network X itself has a problem.
Scenario C: a host, Server C, cannot communicate with one other host on its LAN, but communicates normally with the other hosts on the network (which means the fault cannot lie in Server C or in Server C's LAN segment).
Possible causes:
1) host C is misconfigured;
2) host C's network card is faulty;
3) there is a problem on host C's LAN segment.
Scenario D: a host, Server D, cannot communicate with one remote host, but communicates normally with the other hosts on Server D's LAN segment, and connectivity to the remote network and within the remote network itself is also fault-free.
Possible causes:
1) host D is misconfigured;
2) host D's network card is faulty;
3) there is a problem on host D's LAN segment.
Some of these problems can be diagnosed or ruled out without an analyzer. For example, the third case in Scenario A can be settled by checking the other hosts on Server A's LAN; the second and third cases in Scenario D can be settled the same way (assuming host D can communicate with other hosts on its own LAN).
A configuration error on a single server or host is easy to find by inspection. Other problems, such as a fault in a network or network segment, have to be diagnosed with the analyzer.
In every scenario above you may start by placing the analyzer as close as possible to the most likely problem host, or to the suspect network or segment, but if nothing meaningful turns up, be prepared to move it: until the location of the fault has been established, everything you do is based on conjecture. In the third case of Scenario B there should be an analyzer on both Server B's LAN and network X, or at least the analyzer should be movable from one end to the other.
For example, in one incident a server suddenly stopped working. People at first suspected that site personnel had mishandled the server, but the trace showed many hosts sending connection requests to the server while the server did not respond, which was read as a server deadlock.
After several days spent trying to find what was wrong with the server, someone was told to look at the trace, and the site operator was asked to move the analyzer from the client hosts' LAN (this is the third case of Scenario B) to the server's LAN. It turned out that an access control list had been added incorrectly to the router on the server's LAN, and the bad ACL filtered out all traffic from the network the client hosts were on. Had anyone been more suspicious, they would have found that the connection requests were never seen on the server's LAN at all. Because nobody had a view of both ends of the network, the site was down for many days.
How do you tell which end of the network a trace was taken at? In the trace, frames originating from the client hosts carry the real client's source MAC address, while the destination MAC address is the router's.
Unfortunately the problem is more involved than that: it is not enough to know which network the analyzer is connected to. On a LAN built from hubs or coaxial cable the first step is simply to find a free hub port or a tap on the coax; in a switched environment, however, plugging the analyzer into a free switch port is not enough by itself.
Most switches can designate a particular port as a monitor or mirror port, although the terminology differs from one switch vendor to another. If all traffic to or from a given port can also be sent to the mirror port, setup is complete once the analyzer is connected to the mirror port.
The problem is that some switches cannot send the traffic of two ports to the mirror port. In a full-duplex environment, for example, the two hosts on a monitored connection can transmit at the same time, and the switch receives each frame and forwards it to the other port on the link. For the mirror port, however, frames must be buffered, and if too many arrive the buffer overflows, frames are dropped and the trace becomes unreliable. Worse, nothing tells you that the trace is unreliable.
Some switches have a built-in analyzer function that captures the frames passing to the monitored object itself. The reliability of this component depends on the switch's buffer capacity. In some cases a mirror port or the internal analyzer is the only option. Whenever possible, though, it is better to connect the host in question and the analyzer to a hub and hang the hub off the switch.
Why? Because even if the switch has enough buffer capacity that the mirror port or internal analyzer is unlikely to lose data, the trace can still be unreliable. For example, on standard Ethernet, suppose a faulty RJ45 connector on the server's switch port produces a collision whenever the switch transmits a frame to the server: the switch treats it as a collision and backs off, and after 16 attempts it discards the frame, yet the frame has already been sent to the mirror port. So the analyzer sees the frame and the trace suggests that the server failed to respond. Another scenario is substandard wiring that corrupts 1% of frames. With the analyzer on a hub together with the host, the first case shows up as collisions (which can hit at any point in a frame), and in the second case the corrupted frame is seen on the wire; with a mirror port, the receiving switch port discards the frame before it is ever sent to the mirror port, and the trace shows no error indication whatsoever. Of course, every time you change the setup you take the risk of disturbing the problem: if the RJ45 connector failed only because it was not seated properly in the switch port, the fault may vanish once the connector is reseated in the hub; at least the problem is then resolved.
Bear in mind, too, that on a switch each port is effectively its own network segment, so if nothing is found on the switch port connected to the server, move the hub (or the analyzer) to the switch port of a host or router.
Note also that a hub cannot be inserted into a full-duplex environment. Some analyzers operate in full-duplex mode: they have two Ethernet ports and a tap module that splits the communication pair into two directions and feeds each to its own Ethernet port; the software then merges the data received on the two ports into a single trace. If the network is full-duplex, this kind of analyzer is needed.
Error 2: Too much filtering
Filtering lets the protocol analyzer ignore certain frames, freeing more capture buffer space for the frames of interest. If you can filter on higher-layer data such as IP addresses and port numbers, the analyzer seldom needs to filter on source or destination MAC address. In practice, however, the usual problem with traces is too much filtering.
One site had this failure: the connection between a server and one particular client would inexplicably drop, while the other clients had no problems at all. The client was on the same subnet as the server, and once the disconnect occurred, the only way to restore the client's connection to the server was to restart the server.
The site had an analyzer installed, and because of the volume of traffic the filter was configured to capture only the frames between the two hosts (filtered on MAC address). Nothing was found in the first two days, but on the third day the problem occurred: the trace showed the server suddenly stop sending in the middle of a multi-packet exchange, with nothing further from the session. When the client was pinged from the server, the trace showed the server sending no frames at all. The site operator concluded that there was a problem with the TCP stack or the operating system.
So I asked for another trace, and I didn't use the filter this time. A day and a half later another occurrence was captured: the trace clearly showed the server sending data continuously, but never receiving an answer. Digging deeper, the destination MAC address of the server's frames was found to have changed suddenly.
Since the destination MAC address no longer matched the client, the first, filtered trace no longer captured those frames, which made it look as though the server had stopped working. It was also found that, just before the address changed, the server had received an ARP packet announcing a new MAC address for the client's IP address, which caused the server to update its ARP cache and send its data to the wrong host.
The source MAC address of that ARP frame was traced to a host that sends gratuitous ARP, and it turned out that this host had both a static IP address and a DHCP address configured. When it booted it used the static address, producing the address conflict, and then called DHCP and was configured with the correct address.
The conclusion is that a filter may seem sensible, yet very often the source of the problem lies outside it. If the trace does not reveal the cause, the filter should be turned off, or at least widened, until the trace does show why. Only when the trace still fails to reveal the cause with every filter turned off can you conclude that the problem is not reachable from that network.
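The filtering blind spot described above, replayed on constructed frame records as an added example (not code from the original article): the site's MAC-pair filter and an IP-pair filter are run over the same frames, and a small IP-to-MAC learner flags the ARP remap. All addresses, timestamps and the Frame layout are constructed for the example.

```python
# Added example (not from the original article): replays the Error 2 filter
# blind spot on constructed frames.  After an ARP frame remaps the client's IP
# to another MAC, only the IP filter still shows the server transmitting.
from dataclasses import dataclass

SERVER_MAC, SERVER_IP = "00:00:5e:00:53:01", "192.0.2.10"
CLIENT_MAC, CLIENT_IP = "00:00:5e:00:53:02", "192.0.2.20"
ROGUE_MAC = "00:00:5e:00:53:99"   # host that booted with the client's static IP

@dataclass
class Frame:
    t: float
    src_mac: str
    dst_mac: str
    proto: str               # "ip" or "arp"
    src_ip: str = ""         # IP frames
    dst_ip: str = ""
    arp_ip: str = ""         # ARP frames: arp_mac is advertised as owner of arp_ip
    arp_mac: str = ""

FRAMES = [
    Frame(1.0, CLIENT_MAC, SERVER_MAC, "ip", CLIENT_IP, SERVER_IP),
    Frame(1.1, SERVER_MAC, CLIENT_MAC, "ip", SERVER_IP, CLIENT_IP),
    # the rogue host announces itself as the owner of the client's IP address
    Frame(2.0, ROGUE_MAC, "ff:ff:ff:ff:ff:ff", "arp", arp_ip=CLIENT_IP, arp_mac=ROGUE_MAC),
    # the server's ARP cache now points at the rogue MAC: its replies go astray
    Frame(2.5, SERVER_MAC, ROGUE_MAC, "ip", SERVER_IP, CLIENT_IP),
    Frame(3.0, SERVER_MAC, ROGUE_MAC, "ip", SERVER_IP, CLIENT_IP),
]

def mac_pair_filter(frames, a, b):
    """The site's original filter: keep only frames between MACs a and b."""
    return [f for f in frames if {f.src_mac, f.dst_mac} == {a, b}]

def ip_pair_filter(frames, a, b):
    """Filter on IP addresses instead, keeping ARP frames that mention either IP."""
    keep = []
    for f in frames:
        if f.proto == "ip" and {f.src_ip, f.dst_ip} == {a, b}:
            keep.append(f)
        elif f.proto == "arp" and f.arp_ip in (a, b):
            keep.append(f)
    return keep

def last_seen_from(frames, mac):
    """Timestamp of the last frame sent by `mac` in a (filtered) trace, or None."""
    times = [f.t for f in frames if f.src_mac == mac]
    return max(times) if times else None

def ip_to_mac_changes(frames):
    """Learn IP->MAC from IP and ARP frames; report (t, ip, old, new) on a remap."""
    seen, changes = {}, []
    for f in frames:
        ip, mac = (f.src_ip, f.src_mac) if f.proto == "ip" else (f.arp_ip, f.arp_mac)
        old = seen.get(ip)
        if old is not None and old != mac:
            changes.append((f.t, ip, old, mac))
        seen[ip] = mac
    return changes
```

With the MAC filter the server's last frame is at t=1.1, exactly the "server stopped sending" picture the site saw; the IP filter shows it still sending at t=3.0 and keeps the ARP frame that explains why.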
Error 3: Capture time frame too short
In the previous example the site operator used a filter because the volume of traffic on the network was too large. The analyzer captured only about 3 minutes of data, which made it almost impossible for the operators to notice the problem and stop the analyzer in time to actually find the cause. How long an analyzer can capture frames before the capture buffer fills depends on the network speed, the number of frames on the network, the frame size and the size of the capture buffer.
Almost all analyzers let you control how much of each frame is captured, which is useful for connectivity problems and for problems at the lower protocol layers. In general it is sufficient to capture only the first 64 bytes of each frame. So if every frame on the network is 1024 bytes and the buffer gives only 3 minutes of capture time, capturing only 64 bytes of each frame yields more than 30 minutes of capture time.
Error 4: Triggers not set correctly
A trigger tells the analyzer to perform an action, such as stopping the capture. Triggers are useful when you are waiting for a problem to occur without knowing when it will.
Setting a trigger means the analyzer need not be watched manually the whole time. The biggest problem with triggers is that they are often defined incorrectly, which can greatly prolong the time it takes to resolve the problem.
You should of course learn how to set triggers and, if possible, test them before relying on them. Sometimes you can use a second analyzer to send the trigger frame and confirm that the capturing analyzer's trigger is set correctly.
Another issue with triggers is that many analyzers let you set what percentage of the capture buffer is filled relative to the trigger. For example, you can specify that 50% of the buffer is captured before the trigger and the other 50% after it. The pre-trigger percentage is usually 0, 25, 50, 75 or 100.
If the trigger value is set incorrectly, you may not capture enough of the relevant frames to diagnose the problem. The pre-trigger value may be wrong because the default often does not suit the problem at hand: perhaps the setting was left over from a previous problem, perhaps a careless mouse click or a wrong keystroke changed it. Whatever the reason, make sure the trigger is set correctly.
So how should it be set? Typically you set the pre-trigger percentage to 100%, so that you can see what led up to the trigger stopping the capture.
Of course, the capture stops only when the trigger event actually occurs. A special trigger has been used in the past: a program that tests for a condition and then sends a packet the analyzer can use as its trigger. The condition might be an error message in a log file, or, as in the earlier example, a connection that cannot be established. The whole program is generally a little over 100 lines.
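A compact version of the trigger program just described, added here as an example rather than the one the article refers to: it polls a log file for an error pattern and, when a line matches, sends a UDP datagram with a distinctive marker payload that an analyzer's trigger can be set to match. It assumes the analyzer can trigger on a payload pattern; the log lines, the port and the marker format are constructed.

```python
# Added example (not from the original article): a small trigger program of the
# kind described above.  It polls a log file for an error pattern and, when one
# appears, sends a UDP datagram carrying a distinctive marker so the analyzer's
# trigger can be set to match that payload (assumed: the analyzer can trigger on
# a payload pattern).  Log lines, port and marker format are constructed.
import re
import socket
import tempfile

MARKER_PREFIX = b"TRIGGER:"
ERROR_PATTERN = re.compile(r"connection (refused|reset|timed out)")

def build_marker(line: str) -> bytes:
    """Fixed prefix plus the log line that fired, so the trace records why
    the capture stopped and not only that it did."""
    return MARKER_PREFIX + line.strip().encode("utf-8", "replace")[:200]

def scan_log(path: str, state: dict) -> list:
    """Return lines matching ERROR_PATTERN that were appended since the last
    call; state['pos'] remembers how far the file has already been read."""
    hits = []
    with open(path, "rb") as fh:
        fh.seek(state.get("pos", 0))
        for raw in fh:
            line = raw.decode("utf-8", "replace")
            if ERROR_PATTERN.search(line):
                hits.append(line)
        state["pos"] = fh.tell()
    return hits

def watch_once(path: str, state: dict, host: str, port: int) -> list:
    """One polling pass: send one marker per new matching line, return them."""
    sent = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        for line in scan_log(path, state):
            payload = build_marker(line)
            tx.sendto(payload, (host, port))
            sent.append(payload)
    return sent

def demo_roundtrip():
    """Constructed self-test: write a log, run one pass against a listener on
    localhost, and return (markers sent, datagram received)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
            tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as log:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(5)
        log.write("10:00:01 telnetd: session ok\n")
        log.write("10:00:02 app: connection refused by 192.0.2.10\n")
        log.flush()
        sent = watch_once(log.name, {}, "127.0.0.1", rx.getsockname()[1])
        received = rx.recvfrom(4096)[0]
    return sent, received

if __name__ == "__main__":
    print(demo_roundtrip())
```

In real use the loop would call watch_once periodically with the same state dict, and the analyzer's trigger filter would be set to the "TRIGGER:" prefix with the pre-trigger percentage at 100%.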
Error 5: Date/time not set correctly
An incorrectly set date/time on the analyzer seems a trivial matter, and often it is. But when dealing with a problem on a wide-area network you sometimes run two analyzers at once, one on each side of the network, and then it pays to have the date/time set correctly.
If the two analyzer clocks are set the same, aligning the traces is much easier. In one example, finding a common frame and comparing its timestamps showed one analyzer to be 4 hours, 37 minutes and 15.7891 seconds ahead of the other; had the clocks been synchronized to within 1-2 seconds, the time-gap calculation would have been much simpler.
Furthermore, setting the same date/time is absolutely essential if you need to correlate events on the host with the trace, because synchronizing on a common packet is not available in that case.
Error 6: Not understanding the protocol
Many analyzers have "expert analysis" functions: they keep track of information such as sequence numbers and timing, and flag retransmissions, frozen windows, unanswered requests and so on. This kind of analysis is useful, but it can also mislead, especially when the analyzer does not identify the error correctly.
For example, in one case a Telnet session from a remote site could not be established, while a Telnet session from a local workstation had no problem. So the site operators hung an analyzer on the LAN of the Telnet server; the trace showed no errors in the frames from the remote host to the Telnet server, so they concluded that the operating system had failed.
Another operator looked at the trace and found that the local Telnet session was connecting to port 2323 while the remote session was connecting to port 23. Moreover, the Telnet server's packets in response to the remote connection requests had the RST flag set.
The site operators had not looked carefully at the TCP details, so they did not appreciate the significance of the different port numbers and the RST packets. They relied on the analyzer's diagnostics, and since the Telnet server's port 23 was not set up, guesswork led them to blame the operating system. An operator who understood TCP and Telnet would have spotted the problem immediately and found a good solution within 5 minutes.
In fact they waited half a day to install the analyzer and lost a significant number of customers on the remote network.
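The TCP-level check the second operator performed by hand, written out as an added example (not code from the original article): given packet records, it pairs each SYN with the server's reply, reports which server ports answered with RST, and lists the destination port each client tried. The packet records and addresses are constructed to mirror the local port 2323 / remote port 23 situation above.

```python
# Added example (not from the original article): the TCP-level check the
# second operator did by hand.  On constructed packet records it pairs each
# SYN with the server's reply, reports connections refused with RST, and lists
# the destination port each client used; that is what separated the working
# local session (port 2323) from the failing remote one (port 23).
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK", "RST", "FIN", "PSH"}

def pkt(src, sport, dst, dport, *flags):
    return Tcp(src, sport, dst, dport, frozenset(flags))

SERVER = "192.0.2.10"
PACKETS = [
    pkt("192.0.2.50", 40001, SERVER, 2323, "SYN"),            # local workstation
    pkt(SERVER, 2323, "192.0.2.50", 40001, "SYN", "ACK"),
    pkt("192.0.2.50", 40001, SERVER, 2323, "ACK"),
    pkt("198.51.100.7", 51000, SERVER, 23, "SYN"),            # remote host
    pkt(SERVER, 23, "198.51.100.7", 51000, "RST", "ACK"),     # nothing listening
    pkt("198.51.100.7", 51001, SERVER, 23, "SYN"),            # retry
    pkt(SERVER, 23, "198.51.100.7", 51001, "RST", "ACK"),
]

def handshake_outcomes(packets):
    """Map each SYN (client, sport, server, dport) to 'accepted', 'refused' or 'no reply'."""
    outcome = {}
    for p in packets:
        if p.flags == {"SYN"}:
            outcome[(p.src, p.sport, p.dst, p.dport)] = "no reply"
            continue
        key = (p.dst, p.dport, p.src, p.sport)      # a reply reverses the 4-tuple
        if key in outcome and outcome[key] == "no reply":
            if "RST" in p.flags:
                outcome[key] = "refused"
            elif {"SYN", "ACK"} <= p.flags:
                outcome[key] = "accepted"
    return outcome

def refused_ports(packets):
    """Server ports that refused at least one connection, with the clients affected."""
    refused = defaultdict(set)
    for (client, _, server, dport), result in handshake_outcomes(packets).items():
        if result == "refused":
            refused[(server, dport)].add(client)
    return {k: sorted(v) for k, v in refused.items()}

def ports_per_client(packets):
    """Destination ports each client tried: the detail the first operators missed."""
    ports = defaultdict(set)
    for p in packets:
        if p.flags == {"SYN"}:
            ports[p.src].add(p.dport)
    return {c: sorted(v) for c, v in ports.items()}
```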