Sniffer Distributed v4.3 is released

AlfSutherland

Technical User
Mar 29, 2001
114
US
Hi all,

Just to let you all know that Sniffer Distributed v4.3 has been released. It is available to download from;

The main new features (from my point of view) are;
1. Support for XP (at last)
2. Port number aggregation - ranges of port numbers can be added
3. Sniffer Reporter is now based on Crystal reports.
4. Improved VLAN decodes

There are a number of things to be aware of;
1. The product is to be more modular in format - Sniffer are moving to a more flexible feature structure, in that you can buy units/software for either "Expert" or "RMON" or both.
2. Console machines need to be NT, 2000 or XP with IE6.0 with SP1
3. They are now licensing the agents (in a similar way to the Sniffer Investigator). This requires every agent to be authenticated with NAI within 30 days of installation. This authentication is to be done via email.

There are numerous other new features etc, so I do recommend reading the release notes.

Alf
 
and here are those release notes.......

Release Notes
=======================================================================
Sniffer Distributed 4.3 04/09/03

NAI-412-0033-7
=======================================================================
This release note describes the new features, fixed defects, and known issues for the Sniffer Distributed 4.3 release. This release also includes defects fixed in Sniffer Distributed 4.2 Service Pack 1 and 2.
=======================================================================
Sniffer Distributed Support Statement

The Sniffer Distributed product is a complex combination of hardware and software. Before releasing the product, Sniffer Technologies performs extensive testing to ensure the proper operation and configuration of all components. If you install the Sniffer Distributed agent software on hardware other than Network Associates® approved hardware, or modify the factory default configuration in any fashion (e.g., add other applications, drivers, OS patches, hardware etc.), you may adversely impact product performance. Therefore, unless authorized in advance by Sniffer Technologies Technical Support to install the software on your own hardware, or modify the factory default configuration, you will not be eligible for Sniffer Technologies Technical Support and you will operate the Sniffer Distributed product at your own risk.
=======================================================================
Table of Contents

Before You Begin Installing the Software
Console System Requirements
Appliance Security Patches
New Features
Miscellaneous New Features
New WebConsole or Config Console Enhancements
Features Removed
Changes Included from 4.2 Service Pack 1 and 2
Switches Tested with Sniffer Distributed 4.3
Matrix Switches Tested with Sniffer Distributed 4.3
Known Issues
Available Documentation
Contacting Network Associates
Copyright, Trademark, and Licensing Information

=======================================================================
Before You Begin Installing the Software

IMPORTANT: All updated Sniffer Distributed Appliances have a temporary software license that is configured to expire thirty (30) days after the Console connects to the Sniffer Distributed Appliance for the first time. This 30-day period is called the "pre-authorization" period. During this period, the following software options are temporarily enabled:

RMON+
Expert
Mobile
Voice

Before the thirty (30) day pre-authorization period expires, you must permanently enable or "authorize" the Sniffer Distributed Agent software options that you legally own.
Failure to authorize the Sniffer Distributed Appliance will cause it to automatically reboot and revert to an 'unauthorized' state. You will not be able to use the Sniffer Distributed Appliance until it is properly authorized. Please see the Sniffer Distributed Installation Guide for the steps to authorize your software.

Version Migration
A Version Migration utility was incorporated into the Agent and Console software so you can automatically save and restore the Agent and Console settings during a software upgrade. You can perform version migration locally from the Appliance, remotely from SniffView, or remotely from nPO Manager.

NOTE: The Version Migration utility does not migrate the Sniffer Reporter Agent or Sniffer Reporter Console settings and files. Please see the Sniffer Distributed Users Guide if you want to change Sniffer Reporter's configuration from the default settings.

Sniffer Distributed Console - You must export the Sniffer Distributed 4.2 Console settings prior to installing the new Console software.

NOTE: Failure to export the Sniffer Distributed 4.2 Console software settings will result in the loss of your settings and files. See the Sniffer Distributed Installation Guide for details.

Sniffer Distributed Appliance - Use the Remote Update option in SniffView to update the Agent software on the Appliance and migrate the 4.2 settings to the new version. See the Sniffer Distributed Installation Guide for details.
=======================================================================
Console System Requirements

The following is a list of the minimum hardware and software requirements for a personal computer running the 4.3 SniffView Console software.

Hardware: PIII 600 MHz
Hard Drive: 270 MB available space
Memory: 256 MB (required)
Operating System:
Microsoft Windows NT Workstation 4.0 with SP 6A
Windows 2000 Professional & Advanced Server with SP 3
Windows XP Professional with SP 1
Additional Software:
Virtual Machine 5.00.3802
Browser:
Microsoft Internet Explorer 6.0 with SP1 on Windows NT, 2000, and XP
Browsers to support Java Plug in 1.3.1_02
=======================================================================
Appliance Security Patches

The following Microsoft NT Security patches have been tested and are installed on the Sniffer Distributed Appliance:

Patch Q299444 - Post-Windows NT 4.0 Service Pack 6a Security Rollup Package
Patch Q304876 - NNTP Service Contains Memory Leak
Patch Q305399 - Malformed Request to RPC Endpoint Mapper can Cause RPC Service to Fail
Patch Q314147 - Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run
Patch Q326830 - Unchecked Buffer in Network Share Provider can lead to Denial of Service
Patch Q301625I - Personal Web Server
=========================================================================
New Features

Introduction of modular and flexible Sniffer Distributed Software Options

The Sniffer Distributed product can now be purchased with two software configurations and feature sets:

1. RMON+Expert is the traditional full version of Sniffer Distributed. This software option includes features such as:

1. Capture and robust decodes.
2. Real-Time and Post Capture Expert Analysis.
3. Support for Integrated Reporter and nPO Visualizer
4. Support for nPO Manager
5. Groupware
6. Switch Expert
7. Matrix Switch UI
8. Maximum capture buffer size of 50% available RAM.


2. RMON+ is a software option that includes all the features of RMON+ Expert, with the exceptions of:

1. Real-Time and Post Capture Expert Analysis.
2. Groupware
3. Switch Expert
4. Matrix Switch UI
5. Maximum capture buffer size of 64 MB

Software Add-ons:

The following options can be added onto initial purchase configurations.

Expert Analysis is a software add-on to a RMON+ configuration that provides the Real-Time and Post Capture Expert Analysis, Groupware, Switch Expert, Matrix switch UI, and maximum capture buffer of 50% available RAM

Sniffer Mobile is an add-on module for Sniffer Distributed Appliances that provides mobile wireless network management tools and protocol decodes for the wired or core side of GPRS, CDMA-2000, and W-CDMA 2.5G/3G Mobile wireless data networks. The Expert Analysis feature set is a prerequisite for this add-on.

Sniffer Voice is an add-on module for Sniffer Distributed Appliances that provides decodes and Expert analysis for Voice over IP (VoIP) protocols. The Expert Analysis feature set is a prerequisite for this add-on.

Apogee Bulk Transfer is an add-on module for Sniffer Distributed Appliances that provides special bulk transfer capabilities to work with Apogee NetCountant.

SniffView Console Support for Windows XP
The SniffView 4.3 console is now supported on Windows XP.

New Gigabit and Full Duplex Ethernet Sniffer Distributed s4000 Appliances
There are three new Appliances available for this release:

EFD1 - 1 port, full line rate capture for half duplex and full duplex 10/100 Ethernet analysis and monitoring. With built in full duplex/half duplex support, there is no longer a need to use a Full Duplex Pod.

RG3S - Lower cost, 1 port, combination Gigabit (SX) and 10/100 Ethernet monitoring solution. This product will not do full line rate capture on Gigabit and is designed for monitoring in a full duplex and half-duplex Gigabit environment. This product ships only with the "RMON+" software configuration.

RG3L - Lower cost, 1 port, combination Gigabit (LX) and 10/100 Ethernet monitoring solution. This product will not do full line rate capture on Gigabit and is designed for monitoring in a full duplex and half-duplex Gigabit environment. This product ships only with the "RMON+" software configuration.

ATM Reporting Enhancements

The following are enhancements to the Sniffer Distributed Model ATMR appliance.

Reporting per VPI/VCI Pairs
The following reports are now available per ATM VPI.VCI.
Top Hosts
Top Conversations
Protocol Distribution
ATM Link

Grouping of VPI.VCI pairs
The ability to group VPI.VCI pairs into logical groups for reporting.

RMON for VPI.VCI Pairs
Now 3rd party RMON consoles can query ATMR's and provide RMON1/2 reports per ATM VPI.VCI.

SniffView Authentication Enhancements
There are two main enhancements provided with this feature:

Storing the Agent Database Locally or Remotely
No longer are you limited to storing the SniffView database locally on the Console PC. You can now store the SniffView database on NPO Manager, allowing many Consoles to access the Agent database from a central location.

NOTE: To ensure database reliability, do not allow more than one person to alter or change the data at any given time. We recommend issuing editing permissions to only one person. All other users should be assigned 'read only' permissions. This will avoid synchronization issues caused by two parties attempting to edit the same file simultaneously.

Authentication with nPO Manager and Radius
The SniffView console now has the authentication capabilities of NPO Manager and Radius authentication server.
=======================================================================
Miscellaneous New Features

Same Decodes and Expert as Sniffer Portable 4.7.5
The Sniffer Distributed 4.3 release now has the same Decodes and Experts as Sniffer Portable 4.7.5 (with some minor variations such as no support for 802.11 decodes).

Port Aggregation for Sniffer Distributed Appliances
New protocols can be added to the Sniffer Distributed Appliance for monitoring purposes, based on a range of TCP or UDP ports.

Support for McAfee Anti-Virus, NT Hardening
Sniffer Distributed Appliances have shipped with McAfee Anti-Virus installed and pre-configured for proper use. Along with McAfee, additional NT hardening recommendations are included in the Sniffer Distributed Installation Guide (see the Appendix).

Increase Bandwidth Settings on WAN Appliances
Bandwidth Settings on the WANE, ET4W, and ET2W products have been expanded to include speeds up to 8192000 bps for high-speed WAN serial interfaces.

Migrated to Latest Version of Crystal Reports
The Sniffer Reporter product is now using Crystal Reports 8.5. This results in increased compatibility with nPO Visualizer and resolves previous report display defects found in Sniffer Reporter.

Default RMON Table Sizes
The product will incorporate the following default table sizes:

RMON1 Host = 2000
RMON1 Matrix = 4000
RMON2 Host IP and IPX = 5000
RMON2 Matrix IP and IPX = 20,000
ART = 5000

S4000 Recovery CD
A "Recovery CD" is included with this release. This factory CD is a bootable disk that contains an image of the Sniffer Distributed Appliance partition. Please see the paperwork included in the box for Recovery instructions.

Frame Editing
Frame editing functionality is now available via SniffView for local trace files.

=======================================================================
New Web Console or Config Console Enhancements:

Support for NAT and HTTPS
You can now access WebConsole using HTTPS and via a firewall using NAT.

Store JAVA-Plug-In on Sniffer Distributed Appliance
The Java-Plug-in used by WebConsole is now stored on the Sniffer Distributed Appliance's hard drive. The Java plug-in version is listed in the Sniffer Distributed Installation Guide.

Frame Editing
Frame editing functionality is now available via SniffView for local trace files.

Silent Authentication to nPO Manager
When connecting to a WebConsole-enabled Sniffer Distributed Appliance that is being managed by an nPO Manager, the user must be authenticated before allowed access to the Appliance.
After authentication, the user can access the WebConsole user interface on the Sniffer Distributed Appliance.

Sniffer Distributed 4.3 Update Package for NPO MANAGER and Remote Reboot
A complete "Sniffer Distributed 4.3 update package" is provided, to support an automated software update from nPO Manager 1.0 and 2.0. This package will be posted on the download website.

Config Console for WAN and ATMR appliances
There is now a Config Console for ET2W, ET3W, WDS3, ET2T, WQE1, HSSI and ATMR appliances, which allows them to be centrally managed and controlled by nPO Manager.
=======================================================================
Features Removed

Reports Tab and Favorite Reports Removed in Web Console
Visualizer 2.x does not support the "on-demand" report feature in Web Console. The Reports Tab and Favorite Reports on the Web Console Home page have been removed. Using nPO Visualizer, you can now connect to the web-enabled Sniffer Distributed Appliance responsible for the report to drill down and troubleshoot issues.

Auto Discovery of IPX in Address Book has been removed from the user interface.

Reset button in ART screens has been removed.

Pager and Beeper Features have been removed from the list of available alarm actions.
=======================================================================
Changes Included from 4.2 Service Pack 1 and 2

In the SniffView Console:

When viewing a trace file from the Expert tab, you can now export data in HTML format from Host Table, Matrix Table, Protocol Distribution, and Statistics views.

When viewing a trace file, a new Time Search option allows you to do a textual search in the Relative, Delta, or Absolute time columns of the trace file.
You can now set the default tab in the Monitor windows for Host, Matrix, Protocol Distribution, and Global Statistics displays of data. The last selected tab will be the one displayed when the window is reopened.

When viewing the Summary pane of a trace file, enhanced Print to File options now give you greater control of the columns to be printed as follows:

A WYSIWYG (What You See Is What You Get) view allows you to print columns exactly as you see them on screen.

You can drag and drop columns across the screen to print according to the on-screen order.

Using the Display > Display Setup > Summary Display tab, you can now specify exactly which columns you want to print in your Summary pane printout (columns included in the Summary pane display are also included in the printed output).

In contrast to previous releases, the Relative Time and Absolute Time fields can now be included in exported Summary pane output (if they are included in the Summary pane using the options in the Display > Display Setup > Summary Display tab).

The Summary pane details can now be printed regardless of length.

You can now select or deselect entire protocol families from the Advanced tab on the Define Filter dialog box.

Added decode support for GARP VLAN Registration Protocol (GVRP) and GARP Multicast Registration Protocol (GMRP), two protocols used in the management of 802.1Q VLANs. (CQ# 21472)

Improved performance on an ET05 Appliance when the Appliance is in FDX or HDX mode.

=======================================================================
Switches Tested with Sniffer Distributed 4.3

Model                                    Switch Code Version Tested
-------------------------------------------------------------------------------------------------------
Cisco Catalyst 2900                      Version 4.5(2)*
-------------------------------------------------------------------------------------------------------
Cisco Catalyst 2926                      Version 4.5(2)*
-------------------------------------------------------------------------------------------------------
Cisco 2900XL series including:
  2916xl and other 4 MB models           Version 11.2(8)SA5 *
  2924(M)XL                              Version 12.0(5.1)XP *
-------------------------------------------------------------------------------------------------------
Cisco Catalyst 4003                      Version 5.5(1)*, 6.1(3)*
-------------------------------------------------------------------------------------------------------
Cisco Catalyst 4006                      Version 5.5(1)*, 6.1(3)*
-------------------------------------------------------------------------------------------------------
Cisco Catalyst 5000 series including:    Version 4.5(2)*
  WS-C5000
  WS-C5002
  WS-C5500
  WS-C5505
  WS-C5509
-------------------------------------------------------------------------------------------------------
Cisco Catalyst 6000 series including:    Version 5.4(1)*, 6.3(3)*, 7.1(2)*
  WS-C6000
  WS-C6006
  WS-C6009
  WS-C6506
  WS-C6509
-------------------------------------------------------------------------------------------------------
Nortel Baystack 450                      Versions: HW:RevD FW:V1.47*
                                                   SW:V3.1.0.22 ISVN:1*
-------------------------------------------------------------------------------------------------------

NOTE: An asterisk (*) next to the switch version number indicates some features are not supported for this release.

=======================================================================
Matrix Switches Tested with Sniffer Distributed 4.3
-----------------------------------------------------------------------------------
NetOptics 1x8 In-Line Matrix Switch
NetOptics 1x8 Span Port Matrix Switch
NetOptics 1x8 Combination Span & In-Line Matrix Switch
NetOptics 1x4 Span Port Matrix Switch
NetOptics 2x8 In-Line Matrix Switch
NetOptics 2x8 Span Port Matrix Switch
NetOptics 2x8 Combination Span & In-Line Matrix Switch
NetOptics 1x16 In-Line Matrix Switch
NetOptics 1x4 In-Line Matrix Switch
NetOptics 2x16 Span Port Matrix Switch
NetOptics 2x8 Ethernet Span Port Matrix Switch (copper)
NetOptics 2x16 Ethernet Span Port Matrix Switch (copper)
-----------------------------------------------------------------------------------
Datacom 2x8 WAN Switch
Datacom 1x16 FDX Switch
Datacom 1x8 Gig SX Splitter/Sw System
Datacom 2x16 10/100 Span or TR Switch
Datacom 1x8 100FX Splitter/Sw System
Datacom 1x8 Gig SX Span Switch
Datacom 2x16 WAN T1/E1 Switch
Datacom 2x4 Gig SX Span Switch
Datacom 2x8 DS3 Splitter/Sw System
Datacom 2x8 Gig SX Splitter/Sw System
Datacom 1x8 Gig LX Splitter/Sw System
Datacom 2x8 ATM OC3/OC12 Splitter/Sw System
Datacom 2x8 Gig SX Span Switch
Datacom Gig SX Combo (8 Span + 4 Insert)
Datacom Gig Custom Switch System
Datacom 1x8 FX Splitter Switch

=======================================================================
Known Issues

In SniffView Console:

On the SniffView Console, an "RPC Server Unavailable" error message may appear while waiting for Expert to come up after running capture in high-speed mode.

When disconnecting from an Appliance or available Resources, the Console may not exit completely if RAM and/or CPU utilization is high on the Console machine. When disconnecting from the Appliance, check the Task Manager on the Console PC to see if the process (DSPRO.EXE) is listed. The process should disappear from the Task Manager's list after one minute. If not, select End Task to stop the process. (CQ# 3215, 4306, 9787, 15423)

When attempting to connect to a Sniffer Distributed Appliance from a SniffView Console installed on a machine running either Windows 2000 or Windows XP, the user must have either Power User or Administrator privileges, otherwise the connection attempt will fail. (CQ# 15820)

The Release 4.3 SniffView Console does not display whether Sniffer Voice is installed on Sniffer Distributed 4.2 Appliances in the Enabled Options column. To determine which Sniffer Distributed 4.2 Appliances have Sniffer Voice installed, open the 4.2 SniffView application (Start > Program Files > NAI > Distributed Sniffer Pro > Console) and look under the Version column to determine information pertaining to the software. (CQ# 24060)

NOTE: In order to use the Release 4.2 SniffView application, you must elect to maintain multiple console support during the installation of the Release 4.3 Console.

NOTE: You cannot determine whether Sniffer Voice is installed on a Release 4.2 Appliance if the Release 4.3 SniffView Console was freshly installed on a machine without the Release 4.2 SniffView Console present.

When using the Sniffer window to switch ports on a Datacom G824M-SP Gigabit Matrix Switch, an error message appears by mistake. (CQ# 22394)

When deleting a Monitor Filter, confirm the filter is not currently active. Otherwise, the software will not delete the filter until it has been deactivated or a new filter is applied. (CQ# 20961)

When configuring Alarm Capture to check every one (1) minute, you may experience a very long wait time and SniffView may become unresponsive when accessing fifty (50) Appliances world wide. (CQ# 15431)

When using the Post Capture Display Setup, the Use Address Book to Resolve Name and Resolve Name on Network Address options may not apply changes until the capture file is closed and then re-opened. (CQ# 12682)

When installing SniffView Console on a machine with an existing SniffView installation, it is important to close any existing Sniffer Distributed applications running on the machine before starting the installation. This includes applications such as Trap Capture, SniffView, Alarm Manager, and so on.

If the "This instance is halted waiting for a critical resource to be available" error appears when connecting to an Appliance from SniffView and connection to the Appliance is lost, you can either:

Reboot the SniffView machine.

OR

Open the Task Manager, display the Processes tab, and end all DsPro.exe processes in the list.

When using SniffView on a Windows XP machine, users must have Administrator privileges in order to launch Sniffer Reporter. (CQ# 24823)

As long as the number of IP conversations is less than or equal to 5000 with an average of 5 protocols per conversation, the IP detail view of the Host and Matrix tables, in the Sniffer Distributed 4.3 Console, will show the protocols for the conversations accurately. However, if the stated limits are crossed, these views may show incorrect protocols for a few conversations. (CQ# 24068)

There are two issues related to refreshing the Matrix display with new conversations once certain thresholds are reached, as follows:

When more than 5000 IP conversations are displayed in the Matrix, new conversations are not added immediately. (CQ# 24351)

When the Matrix display reaches its maximum number of entries (20,000), new entries do not appear until the Refresh button is clicked. (CQ# 24327)

There are two workarounds for these issues:

1. Click the Refresh button in the Matrix display.

- OR -

2. Decrease the number of updates after which the Matrix display should be sorted. You can do this using the options in the General tab of the Matrix Properties dialog box. There are two options there that specify how frequently the Matrix display will be updated:

- Update every xx seconds. (Update Interval)
- Sort table every xx updates. (Update Count)

Together, these two options specify how often new updates are made to the display. The general formula is:

Refresh Delay = Update Interval * Update Count

NOTE: Be careful when adjusting the refresh delay using this method. Although this method can provide quick updates to the Matrix display, it will also be accompanied by a performance impact. To avoid this impact, either do not set the refresh delay too low or, alternatively, use the first option (the Refresh button).

In WebConsole:

In WebConsole, the browser may hang when two or more users are in GroupWare and active users open a trace file. This issue appears inconsistently on different machines and browsers, irrespective of the installed operating system. In a given session, the browser may hang sometimes and work fine other times. This issue is related to the Java plug-in's (1.3.1_02) behavior with HTTPS. (CQ# 19554)

When using the WebConsole via HTTPS, Expert is not supported in Groupware mode.

Although the WebConsole and Config Console interfaces are accessible through a Web Browser such as Internet Explorer 5.5 with SP2, these interfaces do not support standard browser button behavior, such as Back, Forward, and Refresh (F5). Pressing the Refresh (F5) button will cause a general error.

The first access of WebConsole on a Windows XP machine must be performed by a user with Administrator privileges in order to install the Java plug-in required for successful WebConsole operations. (CQ# 24820)

In Config Console:

Selecting the Database Option from Config Console will not enable the functionality on the back end until a Console session is started.


In Sniffer Reporter:

Importing CSV files collected using the ATMbook and FDX Pod into Sniffer Reporter is not supported. Doing so will result in erroneous data being imported into Sniffer Reporter. The Sniffer Distributed options that enable the collection of CSV files when using these devices will be disabled in a future release (that is, the options in the Database > Options > Database Options dialog box). (CQ# 22462)

The Availability by DLCI report for Frame Relay does not show the correct number of Top DLCIs. The graph only works with the Top 3 or Top 5 DLCIs; Top 10, Top 20, or a custom number of DLCIs do not work. (CQ# 23817)

Sniffer Reporter generates reports from data collected over the short term - typically 7 days. Due to changes in the report database file, report data collected by previous versions of the product will not be saved with this release of Sniffer Reporter.

Avoid setting the Frame Relay DLCI Data poll interval for less than 15 minutes. This may cause the CSV file to grow too large for the Reporter Agent import function to complete within the specified timeframe.

NOTE: The Frame Relay DLCI Data logging interval can be found under the Database Options menu of Sniffer Pro, or the Sniffer Distributed Console. This affects Frame Relay Line Statistics as well as DLCI statistics.

If the default Host or Matrix table sizes are increased, set the Host and Matrix polling intervals to 15 minutes or more.

Error Message: "91, Object variable or With block variable not set" after rebooting. Workaround: The path to the database is corrupted. From the Control Panel, open the ODBC Data Source Administrator, and choose reportAgent. Select Configure, then select Repair Database. Notice that the path should be C:\...\Program\Data\reportAgent.mdb.

Error Message: "3343, Unrecognized database format" on startup.
Workaround: Stop the Reporter engine, delete the data.mdb file, and then restart service. This will create a new data.mdb file. Alternatively, from the Control Panel, select ODBC\System DSN\Add\Microsoft Access Driver. Click Repair, and select the damaged file. Click OK to repair the damaged database.

Expert and ART reports are not available for two port Gigabit (Xyratex) interfaces.

Misleading values may be displayed on a report if you run a report with a start time that falls between the specified data collection intervals. For example, if the data collection interval is set for every five minutes (1:00 PM, 1:05 PM… 11:00 PM) and you want to run a report from 1:02 PM to 2:00 PM, the report will display data from 1:00 PM to 2:00 PM. All of the values from 1:02 PM to 2:00 PM will display correctly, but the value attributed to 1:00 PM will be zero, even though data is available for this time. To avoid this, refrain from running a report with a start time that falls between the specified data collection intervals.

Reporter rolls up data in such a manner that data is displayed for a time period earlier than was requested. This variation corresponds to one logging interval and increases as logging intervals increase (from 1 minute to 1 hour). For example, if you request a report from 12:00 AM - 12:59 AM and the data logging interval is set at 1 minute, data from 11:59 PM - 12:58 AM will be displayed.

Rolled-up data is also affected. For example, data rolled up for one day and set at a 1 minute logging interval (12:00 AM - 11:59 PM) would display from 11:59 PM of the day before to 11:58 PM of that day, or 11:56 PM - 11:55 PM for 5 minute intervals, or 11:01 PM - 11:00 PM for 1 hour intervals.

The workaround is to request a report from the starting time period you want data for, incremented by the logging interval as follows:

Data Desired      Logging Interval    Data to Request
3:00 - 5:00 PM    1 minute            3:01 - 5:00 PM
                  5 minutes           3:05 - 5:00 PM
                  15 minutes          3:15 - 5:00 PM
                  1 hour              4:00 - 5:00 PM

Using Version Migration:

In WebConsole, after performing version migration the same user name should be used to import the settings properly. (CQ# 23889)

When using Version Migration to import the software settings from a 4.2, 4.2 SP1 or 4.2 SP2 Sniffer Distributed Console, you must manually change the Analyze option in Tools > Expert Options > Objects > Route from No to Yes. In addition, you must re-enter the Maximum Objects value, preferably to 1000. (CQ# 23651)

After using Version Migration to move from Sniffer Distributed 4.2 with the Sniffer Mobile add-on to Sniffer Distributed 4.3, there will be duplicate protocol entries in the Tools > Options > Protocols > UDP tab for several Sniffer Mobile protocols (GTP, MobileIP, and MobileIPRP). This happens because the names of the protocols associated with the UDP ports for these protocols were changed between Release 4.2 and Release 4.3. You can remove the duplicate entries by deleting the relevant registry entries, as follows:

1. Start the Registry Editor.

2. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Network Associates, Inc.\snifferprob\4.31CommonSettings\Protocols\IP Protocols\UDP

3. Delete the following entries:
GTP
MobileIP
MobileIPRP

4. Exit the Registry Editor and reboot the Appliance. (CQ# 24720)

After performing Version Migration locally from the Sniffer Distributed Appliance, the Transport card Sniffer Driver bindings are left enabled in error. (CQ# 23608)

To disable the Transport Card Sniffer Driver:

1. Go to Network Neighborhood and right click Properties. The Network Neighborhood dialog box appears.
2. Select the Bindings tab and choose All Adapters from the Show Bindings for: field.
3. Click the plus (+) sign to expand the Adapter tree and select the Appliance's Transport card (SIS 900 PCI Fast Ethernet Adapter) Sniffer Driver.
4. Right click and select Disable.
5. Click OK and then Yes to confirm you want to change the bindings. The Microsoft TCP/IP Properties dialog box appears.
6. Click Apply and OK.
7. Click Yes to confirm you want to restart the Appliance.


Using External Authentication:

When external authentication is set to Radius and the shared secret is not the correct secret, the user will not be able to log into the Sniffer Distributed Appliance. The user has to remove the snifferprob.act file on the Appliance.

When using Config Console to configure external authentication, the default port number supplied by the application for Radius is 80 instead of the correct port number of 1645. (CQ# 24845)

Appliance Based Authorization:

While in pre-authorization mode, establishing a connection from the Console to the Appliance will result in a loss of memory (136K) per connection on the Appliance. Once the Appliance is authorized, this memory loss will no longer occur. We highly recommend you authorize your Appliance as soon as possible. (CQ# 24067)

Gigabit:

When the dual-port Gigabit Analysis adapter is in Endstation mode with Autonegotiation enabled, it may fail to consistently link up to a Cisco 6509 series switch GBIC port. The Link LED on the Cisco 6509 may blink or fail to come on. (CQ# 21072)

The single-port Gigabit Monitoring adapter in the EG2X Appliance will not recognize Oversize or Jabbers if the MaxFrameSize setting on the card is left at the default value (9014). Changing the default to a value smaller than 9014 will allow proper counts of Oversize and Jabbers.

From the appliance, go to Network Neighborhood > Adapters > SysKonnect > Properties and change the MaxFrameSize setting from 9014 to 9013 and reboot the appliance. (CQ# 24156)

When using a dual-port Gigabit Analysis adapter included with Model EG2S\EG2L Appliances, you will find that:

If you fail to select the 'Jumbo' option in the Configure tab of the Agent Config dialog box, all jumbo frames will be counted as 'Oversize'. If the 'Jumbo Frames' checkbox is selected, 'Baby Giant VLAN' frames will be counted in the 'Jumbo Frame' category.

Oversize frames are determined by the MaxFrameSize setting. Frames in the single port Gigabit Dashboard that exceed the MaxFrameSize threshold will appear as 'Oversize' or 'Jabbers'. To correct this problem, adjust the MaxFrameSize value in the driver properties using the following method:

1. From Network Neighborhood, select the Properties > Adapters tab.
2. Select the Sniffer Adapter.
3. Click Properties.
4. Adjust the Max Frame Size value to fit your network needs.

When you enable the Use Hardware Triggers option from the Gigabit Capture Trigger menu, the triggers do not work for Runts, Jabbers, or Size in the Error and Signals section. The triggers will work for CRC and CV errors. You can use software triggers instead.

When selecting the 'Display' button on the Gigabit card, the CPU may reach 100% capacity and SNMP requests will timeout for a short duration. This issue occurs when many system resources (high object counts and RMON table use) are being utilized simultaneously. Increase the SNMP timeout value in your RMON Console application to mitigate the problem.

The Expert Report is not available because this adapter does not support real-time Expert.

The Expert Report is not available on the dual port Gigabit Monitoring adapter in the RG3S/L unless the Expert Analysis add-on has been installed.


When Configuring CIR Values:

When configuring the CIR value for a specific DLCI on the Bandwidth tab, the new setting will not apply until Expert Capture is executed. To change the CIR value for the specific DLCI that affects the Host Table Statistics, Database Statistics (Reporter), and Expert Alarm:

1. Stop all captures.
2. From Tools > Options > Bandwidth, change the CIR value.
3. Start an Expert capture and then immediately stop the capture and disconnect the Sniffview Console connection.
NOTE: Starting and stopping the Expert capture will apply the new settings. It is not necessary to continue the capture.
4. On the Distributed Agent, go to Settings > Control Panel > Services, stop and restart the DSAgentSrv service.
5. Reconnect to the Distributed Agent via the Sniffview Console. The new CIR value will now appear in the Host Table and Expert screens. (CQ# 20265)

Miscellaneous Issues:

Many Sniffer Distributed Appliances include multiple monitoring interfaces. The Sniffer Distributed Appliance supports one capture per interface so long as the total memory used by all simultaneous captures does not exceed half of the available memory in the Appliance. However, only one of these captures can be performed with the real-time Expert enabled. For example, a Model ET2W Appliance provides two separate monitoring interfaces (one for each of the ports on the 2-port PCI adapter). In this case, you could run simultaneous captures on each of these ports, providing that the total size of the capture buffers allocated to the two interfaces did not exceed half of the available memory on the Appliance. Further, only one of the captures could be performed in Expert mode (that is, with the Tools > Expert Options > Expert During Capture option enabled).

When using an RJ48 connector on the WANic 650 T1 and E1 tap, data seen on pins 1 and 2 of either the IN or OUT port of Link 1 is considered DTE data. Similarly data seen on pins 4 and 5 of either the IN or OUT port of Link 1 is considered DCE data. (CQ# 18871)

After rebooting an Appliance, Windows NT may display a "Service Failed to Start" error message. The Event Viewer on the Appliance displays the following message: "The following boot-start or system-start driver(s) failed to load: TPkd ". This will not affect the Appliance's functionality.

If you uninstall the 4.2 Console software after installing the 4.3 Console software, the registry key for the OCX control is removed. This key is required to operate the 4.3 software. Go to the Windows System32 folder and open ocxupdate.dll to correct the problem. (CQ# 23574)

When a large capture buffer with a high number of objects (greater than the default of 1000) is analyzed in Expert, the application may appear non-responsive. Open the Windows NT Task Manager and check the CPU utilization level on the Appliance. Processing large capture buffers with many objects may affect CPU performance.

When opening large capture files, the Decode tab on the Expert window may appear blank for several seconds before the data displays. During this delay, the application is working to display the data.

When conducting a Remote Get/View on a large capture file, sometimes the Console loses connection with the Appliance. Because the Console can take more than 5 minutes to open a large capture file, you must change the Logout Sniffer Console setting in the Options tab of the Config Agent dialog box from its default of After inactive for 5 minutes to Never. Changing this setting will eliminate disconnection when opening a large capture file.

Some FDDI units may lock up when monitoring a FDDI ring with a high number of void frames. Because of this, the CollectMode default value has been changed. The new value will not monitor void frames. If you want to monitor void frames, run regedit and change the CollectMode value from '0' (No Void Frames) to '1' (All Void Frames). Reboot the PC after you modify the registry.

The location of the registry key follows:

CollectMode under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NCPFx\Parameters.

The value of CollectMode can be either:

0 - No Void Frames (default)
1 - All Frames

If any of the table sizes are set less than 100, you may experience a Windows NT blue screen on the 4-port WAN Appliance.

The Display Last Capture feature has been disabled to allocate the reserve memory to support new functionality. The reserve memory has been allocated to support very large capture buffers.

If a VPN client is installed on the same machine as SniffView Console, it may cause timestamp issues and Expert may fail to load. These issues have occurred with Novell Client 32, Cisco VPN Client, Nortel VPN Client, Timbuktu and CiscoWorks. If you have this configuration, we recommend uninstalling both SniffView Console and the conflicting software and then reinstalling only SniffView Console.

Configuring Managed Resources without going through nPO Manager: If you access Config Console without going through the nPO Manager interface to configure resources managed by nPO Manager (such as a Sniffer Distributed Appliance), you must do the following to ensure your changes are applied:

1. Access nPO Manager.
2. Connect to the resource.
3. Apply remaining changes.
4. Reboot the resource. (CQ# 24206)

If the Enable Snmp/Rmon option in the Config Agent dialog box's Snmp tab is not enabled, disconnecting and reconnecting to an Agent will cause the values in the Dashboard to be reset. To ensure that the values in the Dashboard are persistent through a Console disconnection and reconnection, make sure that the Enable Snmp/Rmon option in the Config Agent dialog box's Snmp tab is enabled. (CQ# 23676)

When working with ATM trace files, the Frame Editing feature is not available. When you open an ATM trace file and right-click in the Hex pane, the Edit command is grayed out, indicating that it is not available. (CQ# 24634)

The RMON Proxy Server (for use with NetScout probes) does not display data in the following windows -- PI Decode, Protocol Distribution IP tab, Host Table IP (Detail view), and Matrix Table IP (Detail view). (CQ# 24594, 24595, 24596, 24597)

When connected through the RMON Proxy Server, clicking the System Info button in the Help > About dialog box can result in an application failure. (CQ# 24739)

When connected through the RMON Proxy Server, performing the following sequence of actions can result in an application failure:

1. Go to Display > Display Setup.
2. Cycle through the available tabs.
3. Go to the Summary Display tab and click the Cancel button.

NOTE: This failure does not occur if you go directly to the Summary Display tab and click Cancel. It only happens if you cycle through the other tabs first. (CQ# 24743)

When using a Sniffer Distributed Appliance with one of the four-port WANic adapters, during periods of heavy traffic on multiple ports, it is occasionally possible for traffic seen on one port to appear in the Agent displays for another port. This is unlikely to occur during times of a stream of low speed traffic to a single port. (CQ# 24029)

When using a Sniffer Distributed Appliance with one of the multi-ported adapters (either WAN or Ethernet), under certain circumstances, starting simultaneous captures on multiple interfaces may result in a Windows NT blue screen with the error message NO_MORE_SYSTEM_PTEs. If you receive this error, try decreasing the value of the MaxPagePoolIn registry key for the adapter. This registry key can be found at:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates, Inc.\snifferprob\4.3\<NAI Adapter Name>\MiscOptions\MaxPagePoolInMb (185 Max)

By default, this key is set to 175 (decimal). Try setting the key to a lower value to avoid experiencing this problem. (CQ# 24384)

When capturing from one of the four-port WANic adapters with the Capture > Define Filter > Buffer > Save to file option enabled, the Agent will leak memory at the rate of 20MB per hour. (CQ# 24757)

Under certain circumstances, using the Address Book's Autodiscovery feature with an ATM Appliance can cause a Windows NT blue screen. (CQ# 24812)

When launching the Microsoft Internet Service Manager, you may encounter the following error message:

"Error connecting to <servername> The RPC service is not available."

There are no ill effects from receiving this message. It can safely be ignored. (CQ# 28437)

Setting Up Logging in the Windows Registry to Tune Matrix Table Sizes.
On busy networks, it is possible to set the size of the RMON2 IP Matrix table to a value that is so low that it causes entries in the table to be aged out before the application is polled from a third party RMON Console (for example, Concord's Network Health or Lucent's VitalNet). This can result in incomplete statistics in the RMON Console. The Sniffer Distributed Appliance includes a registry key that can be enabled to provide valuable logging information on how many Inserts and Deletes are occurring in this table over a given period. Network Associates Technical Support representatives can then use this information to determine the appropriate size of the RMON2 IP Matrix table for your network. Set this registry key as follows:

1. Start the Registry Editor.

2. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Network Associates, Inc.\snifferprob\4.x\adaptername\MatrixTableOptions\InsertDeleteLogIntervalInSec

3. By default this key is set to zero; logging is not enabled. Double-click the key and set its value to 3600. This specifies that the number of Inserts and Deletes made to the Matrix table over every one hour (3,600 second) interval will be logged.

4. Use the Services Control Panel to restart the Sniffer Distributed Agent service (DSAgentSrv).

5. After an hour has passed, examine the Log tab in the Config Agent dialog box to see how many Inserts and Deletes have been made to the Matrix table over the last hour. Leave the key enabled for a few hours during your network's busiest hours to get an idea of how the Inserts and Deletes vary over time. Then, disable logging of Matrix table Inserts and Deletes by resetting the InsertDeleteLogIntervalInSec key to zero and restarting the Sniffer Distributed Agent (DSAgentSrv) service.

6. Contact your Network Associates Technical Support Representative and inform them of the different entries in the Log tab for Inserts and Deletes (the snifferprob.log file will also contain these entries). The Technical Support Representative will be able to use this information to help you set the RMON2 IP Matrix table size optimally for your network.

Documentation Issues:

The online help files for WebConsole incorrectly state that you can use WebConsole for network segments running WAN or ATM. Although you can use Config Console with these types of segments, WebConsole is not supported for them. (CQ# 24467)

======================================================================
Improving Expert Performance

Tips on Improving Expert Performance During Capture

Under heavy traffic loads, the Expert may not be able to capture and analyze in real time all of the packets seen by the network adapter card. You can see that this is happening when the # Dropped field in the Capture Panel increments. The following guidelines describe how to customize various options to increase the Expert analyzer's ability to perform real-time analysis, thereby reducing the number of dropped frames and decreasing processor load during capture.

If you do not expect to see RIP traffic (or if RIP traffic is not your main concern), disable the RIP Expert by selecting the No traffic analysis (RIP disabled) option in the RIP Options tab of the Expert UI Object Properties dialog box (accessed by selecting Expert Options from the Tools menu).

If you decide not to use capture filters to limit capture to just the traffic you are interested in, disable Expert analysis for protocols not used on your network. You can do this in the Protocols tab of the Expert UI Object Properties dialog box (accessed by selecting Expert Options from the Tools menu).

To allow the Expert to process more contiguous packet streams, increase the capture buffer to the maximum size allowed by your available memory. You can do this using the Buffer size option on the Buffer tab of the Define Filter dialog box (accessed by selecting Define Filter from the Capture menu).

In order to collect the most accurate Expert analysis for multiple objects, disable the Recycle Expert Objects on the Objects tab of the Expert UI Object Properties dialog box (accessed by selecting Expert Options from the Tools menu).
NOTE: The disadvantage to this technique is that new objects will not be created once all allowable objects have been used.

Alternatives to disabling the Recycle Expert Objects option include capturing to file or disabling the Expert during capture to obtain accurate decodes and postcapture Expert analysis for captured frames.
You set options for capturing to files on the Buffer tab of the Define Filter dialog box (accessed by selecting Define Filter from the Capture menu). Disable Expert analysis during capture on the Objects tab of the Expert UI Object Properties dialog box (accessed by selecting Expert Options from the Tools menu).

Disabling unused Expert alarms and/or disabling alarm recycling will increase the performance of real-time Expert analysis. You can set these options in the Objects and Alarms tabs of the Expert UI Object Properties dialog box, respectively.

To disable the Expert during capture, Recycle Expert Objects, and Recycle alarms options:
1. Select the Expert Options command from the Tools menu.
2. Uncheck the check boxes corresponding to each option.
The change will take effect once the next trace file is opened or the next capture session is started.

To change the maximum number of alarms:
1. Select the Expert Options command from the Tools menu.
2. Click in the Alarms Maximum field and change the value found there.

To disable Expert analysis for unneeded protocols:
1. Select the Expert Options command from the Tools menu.
2. Click on the Protocols tab.
3. Enable or disable Expert analysis for protocols by clicking in the Analyze column and selecting either Yes or No for each protocol. When you have finished enabling and disabling protocols, click Apply and then OK.
The change will take effect once the next trace file is opened or the next capture session is started.

Alf
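
Added example, not part of the original post or of the vendor's release notes: a small simulation of the effect described under "Setting Up Logging in the Windows Registry to Tune Matrix Table Sizes", where an undersized table ages entries out before a console polls them, and the Insert and Delete counts for an interval reveal it. The least-recently-seen eviction policy, the addresses and the traffic mix are assumptions made for illustration, not the Appliance's documented behavior.

```python
from collections import OrderedDict
import random


class MatrixTable:
    """Fixed-size conversation table. Assumed policy: when the table is full,
    the least recently seen entry is aged out to make room for a new one."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.unpolled = OrderedDict()  # (src, dst) -> packets since last poll
        self.inserts = self.deletes = self.lost = 0

    def observe(self, src, dst):
        key = (src, dst)
        if key in self.unpolled:
            self.unpolled[key] += 1
            self.unpolled.move_to_end(key)
            return
        if len(self.unpolled) >= self.capacity:
            _, pending = self.unpolled.popitem(last=False)
            self.deletes += 1
            self.lost += pending  # counted, but gone before the console read it
        self.unpolled[key] = 1
        self.inserts += 1

    def poll(self):
        """Packets a polling RMON console would pick up at this moment."""
        seen = sum(self.unpolled.values())
        for key in self.unpolled:
            self.unpolled[key] = 0
        return seen


def simulate(capacity, pairs, packets, seed=1):
    """One logging interval of constructed traffic, polled once at the end."""
    rng = random.Random(seed)
    table = MatrixTable(capacity)
    for _ in range(packets):
        i = rng.randrange(pairs)
        # Constructed addresses: one distinct source per conversation.
        table.observe(f"10.0.{i // 200}.{i % 200 + 1}", "10.1.0.1")
    reported = table.poll()
    return {"inserts": table.inserts, "deletes": table.deletes,
            "reported": reported, "lost": table.lost}


def smallest_lossless_size(pairs, packets, candidates):
    """First candidate size whose interval shows no Deletes, else None."""
    for size in sorted(candidates):
        if simulate(size, pairs, packets)["deletes"] == 0:
            return size
    return None


if __name__ == "__main__":
    for size in (100, 200, 400):
        print(size, simulate(size, pairs=300, packets=5000))
```

In this model, a non-zero Delete count within an interval means packets were counted and then discarded before the poll, which is the incomplete-statistics symptom the notes describe.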
 