Statseeker Version 2.8.x Documentation
- Minimum Hardware Requirements
- Typical Hardware Requirements
- Very Large Sites
- Getting Started
- Product Keys
- User Accounts
- User Access Rights
- ssadmin
- Server Report
- Log Viewer
- Network Monitor Information
- Shutdown / Reboot
- Backup / Restore Utilities
- Disaster Recovery Setups
- Upgrading the Operating System
- Migrating to a new server
- Overview
- Features
- Applications
- Hardware Requirements
- RNA Floppy / Flash Disk
- RNA Server
- Client/server Protocol
- Server Configuration
- Main Console
- Advanced Console
- LAN Segments Report
- Frequently Asked Questions
- Overview
- How it Works
- Getting Started
- Where to Connect the LAN Analyzer
- Packet Decoding
- Realtime LAN Analyzer
- LAN Analyzer Console
- Advanced Console
- Configuration
- Frequently Asked Questions
- Overview
- Getting Started
- Realtime / Historical Database
- Ping / SNMP Poller
- SNMP Traps
- Network Monitor Console
- Executive Console
- Graphing Console
- Detailed Port Reports Console
- Data Export Console
- Realtime Reports
- Historical Reports
- Configuration
- General
- Email Alerts
- Device Groups
- Port Groups
- SNMP Communities
- Devices
- Apply Changes
- SNMP Trap Excludes
- Device Rewalk
- Poller Warnings
- Renaming a Device
- Command Line Data Export
- Auto Populate
- Configuration File Formats
- Device Naming Convention
- Frequently Asked Questions
- Setting the Time on the Server
- Crontab Files
- Logfile Rotation
- How to ssh or telnet to a Statseeker server
- Regular System Administration
- Configuring Windows to run a FTP Server
1. Overview
This document includes installation and configuration information for
Statseeker Versions 2.8.x.
Statseeker Network Monitoring Software consists of multiple modules which
are combined into a single software distribution.
The modules include:
- Base System
- Remote Network Appliance
- LAN Analyzer
- Network Monitor
The Base system includes:
- Operating system installation and configuration
- Statseeker software installation, configuration and upgrade mechanisms
- Automated system administration (eg. backups, logfile rotation)
- Server administration tools (eg. email configuration)
- Underlying infrastructure for all other modules
The Remote Network Appliance (RNA) is a platform on which remote
Statseeker applications such as LAN Analyzers are deployed. The architecture
is based around a single boot floppy or flash disk which turns any networked
PC into a powerful remote platform within minutes.
The LAN Analyzer monitors local and remote LAN segments building
traffic matrix tables for every network node, conversation and protocol.
The realtime and historical data collection clients run on the new RNA
platform.
The Network Monitor is a high performance Network Monitoring Tool
which collects and processes Ping/SNMP data for every port, on every network
device, every 60 seconds.
2. Release Notes
Click here to view the current release notes.
3. Operating System
3.1 Overview
Statseeker software runs on the FreeBSD operating system. FreeBSD is derived
from BSD UNIX® developed at the University of California, Berkeley. Statseeker
chose FreeBSD as a platform due to its long history of high performance
networking, its stability under extreme loads and its rigorous development/release
model.
Statseeker's unique installation process automatically installs the
FreeBSD operating system in minutes and ensures that no knowledge of
Unix is required to successfully install the product.
The following table lists the Statseeker/Statscout/FreeBSD versions:
| Statseeker Version | FreeBSD Version |
| --- | --- |
| Statseeker-2.8.3 | FreeBSD-6.2-Release |
| Statseeker-2.8.2 | FreeBSD-5.5-20060728-STABLE |
| Statseeker-2.8.1 | FreeBSD-5.4-20051005-STABLE |
| Statseeker-2.8.0 | FreeBSD-5.3-20050120-STABLE |
| Statscout-2.7.x | FreeBSD-4.9 |
| Statscout-2.6.x | FreeBSD-4.8 |
| Statscout-2.5.x | FreeBSD-4.2 |
| Statscout-2.4.x | FreeBSD-4.0 |
4. Server Hardware Requirements
4.1 Minimum Requirements
Up to 10,000 ports and 10 LAN probes.
- CPU: 1GHz
- RAM: 512M
- Disk: 20G
- NIC: 10M / 100M / 1G / 10G PCI Ethernet card
- Bootable CDROM
4.2 Typical Requirements
10,000 to 50,000 ports, or 100 LAN Analyzers.
- CPU: 2GHz
- RAM: 1G
- Disk: 40G
- NIC: 10M / 100M / 1G / 10G PCI Ethernet card
- Bootable CDROM
4.3 Very Large Sites
For sites over 50,000 ports or more than 100 LAN Analyzers, contact
Statseeker Support for assistance with specifying your hardware
requirements.
5. New Installation Procedure
You will need the following information before you start:
- A Customer Number and 2.8 Product Keys
- A "root" password
- A hostname for the server (yourserver.company.com)
- The IP address of your DNS
- Static IP, Netmask and Default Gateway addresses
- SMTP Gateway IP address (if available)
- HTTP Proxy IP address, Port Number, Username and Password (if required)
- NTP Server IP address (if available)
Warning: All data on the first hard disk will be deleted.
- Connect the server to an appropriate part of your network. Statseeker
highly recommends that you connect the server to a centrally located
LAN segment with only ONE router connected to it.
- Check that the BIOS of the server is set to the correct local time and
that the first boot device is set to CDROM.
- Boot the server from the Statseeker Installation CDROM.
- Press [Enter] to proceed with the installation and to confirm that
all data on the hard disk will be deleted.
- When prompted "Is this machine's CMOS clock set to UTC ?", press
[Enter] to select "No". Set the time zone of the server by following
the instructions.
- Enter a root password.
- At the "Network interface information required" screen, select the
Ethernet card and then Select [OK] to continue.
- At the "Network Configuration" screen, fill in the following fields:
- Host
- Domain
- IPv4 Gateway
- Name Server
- IPv4 Address
- Netmask
Leave the "Extra options to ifconfig" field blank.
Select [OK] to continue.
- When the installation is completed, remove the CDROM while the server
reboots.
- For security purposes, you will be prompted to type in a screen of
random characters. Press "Enter" to continue.
- Login on the console as "root" using the password entered previously,
and run "ssadmin".
You will be prompted for:
- SMTP Gateway IP address, Masquerade as domain name
- HTTP proxy IP address, port number, username and password
- NTP server IP address
- Enter "q" to exit "ssadmin".
- Enter "exit" to logout from the console.
- Point your browser at the server and log in as the admin web
user using the password you entered previously.
- At the "Command Console", select the "Administration Tool" ->
"Product Keys".
- Copy and paste the Customer Number and each Product Key from the
Product Key email into the form and then press the save button.
- Close the "Administration Tool".
- At the "Command Console", press the [Refresh Product List] button.
- To configure each module, refer to the on-line help documentation
at www.statseeker.com.
6. Upgrade Procedure
Refer to the 2.8.2 Release Notes
for upgrade instructions.
7. Supported Web Browsers
Your browser must have Javascript turned on to allow new browser windows
to be created. Popup blockers will stop the product from operating.
The following web browsers have been tested:
- Netscape 7.x
- Mozilla 1.x
- Firefox 1.0
- Konqueror
- Opera
- Microsoft IE 6
8. Administration Tool

Note: The Administration Tool is accessible only to web users who
have admin level access.
8.1 Getting Started
A Customer Number and Product Key must be added to activate this software.
All other server configuration settings can be performed at a later time.
8.2 Customer Number and Product Keys

Customer Number
Each server is assigned a unique identifier called a Customer
Number. It is important that you use this number when submitting
support requests on the Statseeker web site.
Product Keys
The software is made up of multiple modules (eg. Network Monitor and LAN
Analyzer). Each module requires a product key for activation. Product
keys are tied to the version number and the MAC address of
the server.
A module will NOT be displayed in the Command Console until a valid
product key has been entered.
Statseeker software version numbers are made up of:
- Major number (eg. the 2 in 2.8.0)
- Minor number (eg. the 8 in 2.8.0)
- Incremental number (eg. the 0 in 2.8.0)
- Development build snapshot (eg. 2.8.0.ymmddhhmm)
A Product Key is tied to the major and minor version numbers, and not to
the incremental or development build numbers. For example, the same
product key for 2.8.0 can be used on any 2.8.x release. A new product key
is required for 2.9.0.
8.3 User Accounts

Create additional web users and set or change a web user's password.
8.4 User Access Rights

Sets certain access rights to areas within the Network Monitor.
Access to the Administration Tool is set via the SYSTEM Access Area.
Access levels provide:
- user - All reports
- oper - All user access, plus limited administration functions
- admin - All oper access, plus all administration functions
Network Monitor users can choose either the Standard fully functional
console, or the Executive console with limited functionality. The Executive
console provides quick links to high level network reports which may be
useful for managers.
8.5 ssadmin


The Server Administration Tool (ssadmin) is a set of utilities
used to administer the server.
The following features and utilities are available:
- Set the CMOS time/date
- Configure one or more NTP servers
- Configure SMTP gateway
- Display and clear email queues
- Configure HTTP proxy settings (required for software updates)
- Set up Ethernet interface speed and duplex
- Turn on/off network services (eg. ICMP control/telnet/ftp/dns lookups)
- Change server IP/netmask/default gateway configuration
- Change server host and domain names
- Software upgrades via download or CDROM
- Backup
- Restore
- Server migration
- Change Unix user and web passwords
- Shutdown/reboot server
- Activate SMP kernel for multiprocessing or hyperthread capable CPUs
- Configure self signed certificates for SSL / HTTPS functionality
To use ssadmin:
- Telnet to the server
- Log in as the "statseeker" user
- Run "ssadmin"
8.6 Server Report
The server report is a detailed technical report that is used to
troubleshoot the Statseeker server. The report takes approximately
7 minutes to complete.
The compressed output file can be saved and emailed to Statseeker
Technical Support to aid in the correction of possible issues with
the server.

8.7 Log Viewer

Logfile
- Statseeker Messages
Error and log messages from the Statseeker software.
- Web Server Access
HTTP requests made to the web server running on the Statseeker server.
- Web Server Errors
Error messages from the web server running on the Statseeker server.
- Email Log
Messages from the sendmail process running on the Statseeker server.
- System Messages
Error and log messages from the operating system running on the Statseeker server.
Filter
A text filter that may be used to limit the data displayed to only those
lines containing the specified regular expression. Some regular expression
special characters are:
"." represents any character. "*" represents zero or more repetitions of the
previous character. Use "[" and "]" to enclose a set of characters, any
one of which will result in a successful match. "\" is used to remove the
special meaning of regular expression special characters. For example,
use \. to match a period.
Regular expression examples:
BACKUP
Will match any line which contains the text BACKUP
2003-08-25.*BACKUP
Will match any line which contains the text 2003-08-25 followed
anywhere on the same line by the text BACKUP
10\.1\.22\.25[0123]
Will match any line which contains the text 10.1.22.250, 10.1.22.251,
10.1.22.252 or 10.1.22.253
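The following added example (not part of the Statseeker documentation) runs the filter expressions above over constructed log lines. It shows that the filter matches anywhere on a line and that an unescaped "." widens the match. Python's `re` module stands in for the Log Viewer's regular expression engine, which the page does not specify, and the bounded pattern uses anchors, grouping and alternation, which the page does not list as supported.

```python
import re

# Constructed log lines for illustration (not from a real Statseeker server).
SAMPLE_LOG = [
    "2003-08-25 02:00:01 BACKUP started",
    "2003-08-25 02:14:37 BACKUP completed, verify OK",
    "2003-08-26 02:00:01 BACKUP started",
    "2003-08-25 09:12:44 login from 10.1.22.250",
    "2003-08-25 09:13:02 login from 110.1.22.251",
    "2003-08-25 09:15:20 login from 10.1.22.25",
    "2003-08-25 09:16:05 login from 10.1.22.2530",
    "2003-08-25 09:17:41 login from 10.1.221252",
]

# Expressions taken from the examples in the text.
PAGE_TEXT = r"BACKUP"
PAGE_DATE_THEN_TEXT = r"2003-08-25.*BACKUP"
PAGE_IP = r"10\.1\.22\.25[0123]"

# Same IP expression with the backslashes forgotten: "." now matches anything.
UNESCAPED_IP = r"10.1.22.25[0123]"

# Assumed stricter form: the address must not be preceded by a digit or dot,
# nor followed by another digit, so it cannot sit inside a longer address.
BOUNDED_IP = r"(^|[^0-9.])10\.1\.22\.25[0123]($|[^0-9])"


def filter_lines(pattern, lines=SAMPLE_LOG):
    """Return the lines that contain a match anywhere, as a text filter does."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def addresses_matched(pattern, lines=SAMPLE_LOG):
    """Last field (the address) of every line the pattern lets through."""
    return [line.split()[-1] for line in filter_lines(pattern, lines)]


if __name__ == "__main__":
    for label, pattern in [("page", PAGE_IP),
                           ("unescaped", UNESCAPED_IP),
                           ("bounded", BOUNDED_IP)]:
        print(f"{label:10} {pattern:45} {addresses_matched(pattern)}")
```

The escaped expression from the text still lets through 110.1.22.251 and 10.1.22.2530, because the match is a substring match; only the bounded form isolates 10.1.22.250 in this sample.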
8.8 Network Monitor Information

Multiple instances of the Network Monitor module can run
simultaneously on the same server. Each instance is called a Network.
Most customers only require a single Network. The product license
key for the Network Monitor defines how many Networks will be
automatically created when the key is entered.
Multiple Networks are useful for organizations such as System
Integrators, wanting to monitor multiple client networks from a single
server, or customers wanting to divide their network into separate business
units.
8.9 Shutdown/Reboot
The Shutdown/Reboot tool remotely shuts down or reboots a Statseeker
server via a browser.
8.10 Backup / Restore Utilities
8.10.1 Overview
The backup/restore utilities in 2.8.x have been rewritten to be faster and
more robust, and have been specifically designed:
- for backups in case of an unrecoverable machine failure.
- to simplify the process of upgrading the server operating system.
- to simplify the process of migrating to new server hardware.
The following directories and files are backed up:
- /home/statseeker
- /home/npm1, /home/npmX, ....
- /etc/master.passwd
- /etc/group
The utility has been specifically designed to back up and restore Statseeker
data only. Non-Statseeker data, the operating system and Statseeker
application programs are NOT backed up. If you create additional Unix user
accounts/directories/scripts, or install other software packages, they will
NOT be included in the backup. The utility assumes the server is used for
the Statseeker application only and that no modifications have been
performed. Local changes will have to be reapplied after a machine restore.
The restore mechanism does not restore the entire contents of
/etc/master.passwd or /etc/group, only the Statseeker specific user
accounts/groups. Locally added user accounts will be lost after a restore
and will have to be added manually.
Never stop a restore while in progress as the server will be left in an
unknown/incomplete state. A full reinstallation will need to be performed
if a restore does not complete fully.
Some customers choose to use a different backup utility than provided by
Statseeker (eg. locally written scripts which use dump or another commercial
product). If you choose to use a different backup method, then you also need
to provide your own restore method/procedure which will work for restores,
data migration, and operating system upgrades. Statseeker will not provide
technical support for issues related to non-Statseeker backup/restore
utilities.
8.10.2 Features
- Simple terminal user interface, integrated into the ssadmin utility.
- Multiple data transfer options:
- FTP to remote server
- SSH / SCP to remote server
- Tape drive
- Write to a local directory
- Automatic timed backups can be configured for the hour of the day
and days of the week.
- Ability to manually start/stop a backup or restore.
- Automatic cycling of old backup files.
- Email notification upon success or failure.
- Automatic verification of the backup data files after every backup,
irrespective of the transfer method.
- Status display which shows current status, transfer rate and total
data transferred.
- Enhanced logging for simpler problem identification/resolution.
8.10.3 Tape Backup
Tapes and tape drives can be rather fiddly devices. FreeBSD supports most
common SCSI controllers and tape drives. At system boot time, the kernel
will scan the SCSI controller for attached devices. All SCSI tape drives
will be detected as the device 'sa0'. The following is an example kernel
boot message when the tape device is detected:
sa0 at ahc0 bus 0 target 6 lun 0
sa0: <ARCHIVE Python 06408-XXX 8071> Removable Sequential Access SCSI-3 device
sa0: 80.000MB/s transfers (40.000MHz, offset 32, 16bit)
Notes / Common Problems:
- The backup test utility performs a test write/read/verify. This
gives a good indication whether the tape drive is functioning
correctly.
- If a tape is not in the tape drive when a backup/restore/test is
performed, then the kernel will display a message "Device not
configured".
- Tape drives need to be regularly cleaned with a cleaning tape for
best performance. A typical tape drive should be able to write/read
between 500K to several megabytes per second.
- The backup utility always verifies the data written to the tape.
If the verify fails, the most common cause tends to be old/faulty
tapes, or a drive that needs cleaning.
8.10.4 FTP Backup (Recommended)
FTP is generally the simplest backup method as virtually all modern
operating systems include FTP clients and servers.
On your FTP server:
- Create the username and password
- Create the directory, making sure that the user has read/write
permissions to the directory.
Use the ssadmin tool to set:
- IP Address of the FTP server
- Username and Password for logging into the FTP server
- The full path to the directory where the data is to be stored.
You can determine this by manually ftp'ing to the server, changing
to the relevant directory, and typing 'pwd' to print the entire
directory path.
- Set the Cycle count (ie. the number of backups to keep on the remote host)
- Use the "Backup Test" option in ssadmin to verify that the Statseeker
server can login, create a file, and then delete the file.
Notes / Common Problems:
- When using a MS Windows based machine as the FTP server, make sure
you are not trying to use anonymous FTP as the user login as this
will stop the backup cycle feature from operating. Also make sure
that Unix directory listing format is selected, otherwise the utility
will not be able to retrieve a list of backup files and a failure will
occur on both a backup and restore.
- If the server is connected via 100M Ethernet, the backup should
transfer at a rate better than five megabytes per second. The
symptom of a backup running slow (eg. 100k per second) is typical
of a duplexing mismatch between the Statseeker server and the
switch, or the FTP server and the switch. Statseeker recommends
hard setting the speed and duplex of all servers. Use the ssadmin
utility on the Statseeker server to set the interface speed/duplex
to match that of the switch port.
8.10.5 SSH Backup (Advanced Users)
The SSH backup method is for advanced users who understand how SSH operates.
Security conscious customers will have banned the use of FTP within their
networks in favour of SSH. The SSH method is similar to FTP, except that:
- all data is encrypted before being sent over the network, therefore
requires significantly more CPU resources on both the Statseeker and
remote servers.
- ssh requires you to create a SSH key on the Statseeker server to be
copied onto the remote machine so automatic logins can occur.
Use the ssadmin tool to:
- Create public/private SSH keys using the ssadmin menu options
"Operating System -> Generate SSH key for statseeker", making sure
you enter an empty passphrase. Copy the generated public key to the
~/.ssh/authorized_keys file on the remote host.
- Go to the backup/restore controls in ssadmin and update the configuration
(ie. Main Menu -> Backup / Restore -> Configure)
- Set the IP address of the remote host
- Set the username to use when logging into the remote host
- The full path to the directory where the data is to be stored
- Log on to the Statseeker server as "statseeker", and ssh to the remote
host using the IP address (ie. ssh {username}@A.B.C.D). Answer "yes" to
continue connecting and complete the authentication setup. Log out of
the remote host.
- Set the Cycle count (ie. the number of backups to keep on the remote host)
- Use the "Backup Test" option in ssadmin to verify that the Statseeker
server can automatically login, create a file, and then delete the
file.
Notes / Common Problems
- SSH utilizes a lot of CPU resources on the source and target machines
because all data has to be encrypted/decrypted, therefore SSH will
not operate as fast as FTP.
- Backup test fails because it can't automatically log into the remote
system. Verify that the "statseeker" user can automatically logon to
the remote host without entering a password.
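Because the key created in the steps above has an empty passphrase, possession of the private key file is enough to log in to the remote host, so the matching `~/.ssh/authorized_keys` entry is worth restricting. The check below is an added example (not part of Statseeker or ssadmin): it parses authorized_keys lines and reports entries that lack a `from=` source restriction or the pty/forwarding restrictions. The sample keys, host names and addresses are constructed placeholders.

```python
# Key-type prefixes that start an entry when no options field is present.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Restrictions implied by the single "restrict" option (OpenSSH 7.2 and later).
# Option keywords are case-insensitive, so they are compared in lower case.
HARDENING = ("no-pty", "no-port-forwarding", "no-agent-forwarding",
             "no-x11-forwarding")

# Constructed authorized_keys content; key blobs and hosts are placeholders.
SAMPLE = "\n".join([
    "# backup account on the remote host",
    "ssh-rsa AAAA_CONSTRUCTED_KEY_1 statseeker@yourserver.company.com",
    'from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,'
    "no-X11-forwarding ssh-rsa AAAA_CONSTRUCTED_KEY_2 statseeker@server2",
    'from="192.0.2.10,192.0.2.11",restrict ssh-rsa AAAA_CONSTRUCTED_KEY_3 '
    "statseeker@server3",
    "no-pty ssh-rsa AAAA_CONSTRUCTED_KEY_4 operator@example",
])


def split_unquoted(text, seps, limit=0):
    """Split text at any char in seps that is outside double quotes."""
    parts, cur, in_quotes, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and in_quotes and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep an escaped char, e.g. \"
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c in seps and not in_quotes and (not limit or len(parts) < limit):
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_entry(line):
    """Return (options, key_type, comment), or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line.startswith(KEY_TYPES):     # line begins with an options field
        parts = split_unquoted(line, " \t", limit=1)
        if len(parts) < 2:
            return None                    # malformed: options but no key
        for opt in split_unquoted(parts[0], ","):
            name, _, value = opt.partition("=")
            options[name.lower()] = value.strip('"')
        line = parts[1].lstrip()
    fields = line.split(None, 2)
    if len(fields) < 2:
        return None
    return options, fields[0], fields[2] if len(fields) > 2 else ""


def missing_restrictions(options):
    """List the restrictions an entry lacks."""
    missing = [] if "from" in options else ["from="]
    if "restrict" not in options:
        missing += [o for o in HARDENING if o not in options]
    return missing


def audit(text):
    """Return (line number, key comment, missing restrictions) per weak entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and missing_restrictions(entry[0]):
            findings.append((lineno, entry[2], missing_restrictions(entry[0])))
    return findings


if __name__ == "__main__":
    for lineno, comment, missing in audit(SAMPLE):
        print(f"line {lineno} ({comment}): missing {', '.join(missing)}")
```

A forced `command=` is not required by this check, since the backup utility has to copy, list and delete files on the remote host.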
8.10.6 Secondary local storage (Advanced Users)
This basically writes the backup data files to a local directory, where the
directory could be on a secondary disk. This backup method is not advised
as it defeats the purpose of a backup. If the machine has a fatal hardware
issue, then backup files will be lost. This backup method was added as it
aids in certain disaster recovery scenarios.
Notes / Common Problems
- Contact Statseeker Support for instructions on how to add a secondary
disk to the system. Various steps must be performed to get the
disk operational (eg. fdisk, disklabel, newfs, mount points).
- A fresh installation of the software only installs on the first
disk, therefore any data stored on a secondary disk will not be touched.
8.11 Disaster Recovery (DR)
Some customers operate in an environment where a disaster recovery procedure
must be implemented for every installed system. Statseeker was not designed
with redundancy in mind, therefore there are minimal options available. The
following two options utilize the backup/restore utility to quickly activate
a DR server by restoring the latest backed up data from the production
machine.
Option 1
This option relies on the DR machine being able to reach the backup files
stored on a centrally located server.
- Setup the production server to use the Statseeker backup utility so
the backup files are stored on a FTP/SSH server.
- Perform a clean installation of Statseeker software onto the DR server.
Do not add the product keys.
- On a failure of the production machine, perform a restore onto the DR
server, then add the product keys.
Option 2
This option stores the backup files on the DR server. The restore on the
DR machine will be much quicker as it will have the data locally.
- Perform a clean installation on the DR server. Do not add the product
keys.
- Create a directory on the DR server for the backup files to be stored
and change ownership to the "statseeker" user.
- Configure the production server to use the Statseeker backup utility so
the backup files are stored on the DR server.
- On a failure of the production machine, perform a restore onto the DR
server, then add the product keys.
8.12 Upgrading the Operating System
- Use the Backup/Restore utility in ssadmin to perform a
backup of the server.
- Perform a clean installation using the latest Statseeker Installation
CDROM.
- DO NOT enter Customer Number and Product Keys.
- Perform a restore. The server will reboot after a successful restore.
- Enter the Customer Number and Product Keys.
8.13 Migrating to a new Server
Use the following procedure to migrate to a new hardware platform for
versions 2.7 or 2.8:
- Request new product keys for the hardware.
- Perform a clean installation of the software onto a new machine.
- DO NOT enter Customer Number and Product Keys.
- Perform a backup of the old server.
- Perform a restore to the new server.
- Add the new product keys.
9. Remote Network Appliance (RNA)
9.1 Overview
The Remote Network Appliance (RNA) is a platform on which remote
Statseeker applications such as LAN Analyzers are deployed. The architecture
is based around a single boot floppy or flash disk which turns any networked
PC into a powerful remote platform within minutes.
The RNA operates entirely in RAM, therefore any network connected PC can be
turned into an RNA without affecting the operating system installed on its
hard disk. The server automatically updates any older RNA floppy or flash
disks.
The RNA runs a true multiuser/multitasking operating system, therefore many
applications can run simultaneously on the same RNA. For example, multiple
users can be using the realtime LAN Analyzer at the same time historical
data collection is occurring.
9.2 Features
- Single boot floppy or flash disk
- Runs entirely in RAM
- Simple and cost effective to deploy
- Uses standard HTTP protocol
- Automatic floppy / flash disk updates
- Multiuser / multitasking environment
- Rate limited data transfers
9.3 Applications
There are currently two applications which run on the RNA platform:
- Realtime LAN Analyzer
- LAN Analyzer historical data collector client
9.4 Hardware Requirements
Minimum hardware requirements:
- CPU: Pentium 133MHz
- RAM: 32M
- FDD: Standard 1.44M FDD, USB FDD or USB flash drive
- NIC: PCI Ethernet card (Maximum of 8).
Note: If you want to use a USB flash disk, then the PC must have a
BIOS which can boot off a USB device.
The RNA does NOT require the following peripherals:
- Hard disk
- CDROM
- Monitor
- Keyboard
- Mouse
- Sound
- Floppy drive not required if using a USB flash drive
Ethernet Cards:
An RNA can be fitted with up to eight PCI Ethernet network cards.
The RNA assigns its IP address to the first detected NIC. All other NICs
will be activated (ie. ifconfig'ed up), but do not have an IP address or
protocol stack assigned. ISA and laptop PCCARD/PCMCIA NICs are NOT
supported. Refer to the FreeBSD Hardware Release Notes
for a full list of supported Ethernet controllers.
9.5 RNA Floppy / Flash Disk
Creating an Initial USB Flash Disk
Contact Statseeker support for instructions on how to create an initial
USB flash disk.
Creating an Initial Floppy Disk
- Log into the server as "admin" and go to:
Administration Tool -> Remote Network Appliances ->
Create Floppy


- Download the rna_fdd.exe self extracting DOS executable to
a Windows based platform, and save it in a temporary directory.
- Run the rna_fdd.exe program. This will extract three files:
- rna_fdd.bin (floppy disk image)
- fdimage.exe (program to write floppy disk images)
- mkflp.bat (batch file)
- Insert a formatted floppy disk and run the mkflp.bat batch file.
The rna_fdd.bin floppy disk image will be written to the floppy
disk.
Configuring the Floppy or Flash Disk
- Boot a PC with the RNA floppy disk.
- Switch to the configuration menu (Alt-F2)
- Select the Change Configuration option.
- You will be prompted for:
- IP Address
- Subnet mask
- Default gateway
- Reboot the PC with the RNA floppy disk for the new IP configuration
to take effect.
Duplicating the Floppy or Flash Disk
To duplicate the RNA floppy or flash disk:
- Boot a PC with the RNA floppy or flash disk
- Switch to the configuration menu (Alt-F2)
- Select the diskcopy option. This will read the current
disk image into memory, then ask you to insert a target disk.
- The diskcopy program will write the disk image and then verify it.
- Once a disk has been successfully copied, you will be asked
to enter a new IP configuration.
9.6 RNA Server
The RNA server performs the following tasks:
- Regularly polls all enabled RNAs (default is 60 seconds)
- Synchronizes the system time of each RNA to within one second
- Automatically updates all RNA floppies at upgrade time
- Downloads all applications and configuration files to each RNA
- Retrieves logfiles from the RNAs
- Monitors the health of each RNA
9.7 Client/Server Protocol
All communication between the server and each RNA is initiated by the server,
using a Server push/pull model. The RNA never initiates a connection
back to the server. RNAs can be located on the inside or outside of
firewalls as the server can be configured to communicate via a HTTP proxy.
Data transfers can be bandwidth limited on a per RNA basis. This allows
the user to limit the amount of bandwidth the RNA will use on low speed
WAN links.
The server utilizes an asynchronous polling method to communicate
with multiple RNAs simultaneously. The default is 10 simultaneous
connections. This is tunable for very large RNA deployments.
Statseeker's HTTP implementation only supports the Basic
authentication scheme. The Digest scheme is not supported as yet.
9.8 Server Configuration
Adding an RNA to the Server Configuration
- Log into the Statseeker server as "admin" and go to:
Administration Tool -> Remote Network Appliances -> Add
- Fill in the required fields and click the save button
- RNA Name (allowable characters are a-z, A-Z, 0-9, and underscore)
- IP Address
- Mode (enabled or disabled)
- Title (allowable characters are a-z, A-Z, 0-9, underscore and space)
- Via Proxy (enable if deploying an RNA on the outside of a
firewall and all communications are only possible via your HTTP
proxy)
- Rate Limit (Allows you to limit the data transfer rate of
all RNA client/server communications)
- Details (allowable characters are a-z, A-Z, 0-9, underscore and space)
- Interface descriptions 0 to 7 (allowable characters are a-z, A-Z, 0-9,
underscore and space). A short description of what network
the interface is connected to.
- Boot the designated PC with the RNA floppy or flash disk.

9.9 Main Console

The RNA console automatically refreshes every 30 seconds with the current
state of each RNA.
The following status colour codes are used:
- Green - Up
- Red - Down
- Orange - Disabled or Warnings
The following information is displayed:
The display can be sorted by clicking on the column headings. An arrow
indicates which column it is currently sorted by. Clicking on the same
column reverses the sort order.
The server itself runs a local RNA environment. It is displayed as an entry
called LOCAL. The LOCAL RNA can not be disabled or deleted.
The following drill down functions are provided:
- Edit - change the configuration of an RNA
- Info - current detailed information of an active RNA
- Logs - log messages collected from a particular RNA
9.10 Advanced Console

The following detailed information is displayed:
- Name
- Status
- Mode
- IP Address
- Proxy
- Rate
- Up time
- CPU load
- Total memory
- Free memory
- RAM disk size
- Free space on RAM disk
- CPU speed
- Machine model/type
- RNA disk version number
- Title
The following drill down functions are provided:
- Edit - change the configuration of an RNA
- Info - current detailed information of an active RNA
- Logs - log messages collected from a particular RNA
- NICs - current list of network interfaces in an RNA
- Processes - current process list of an RNA
- Reboot - force a reboot of a running RNA
- Delete - delete the RNA from the server's configuration
9.11 LAN Segments Report
The LAN Segments report displays the user defined titles for all RNA
network interfaces. The display can be sorted by clicking on each of the
column headings.

9.12 Frequently Asked Questions
- Question: How many NICs can be installed in an RNA?
Answer: Eight.
- Question: Does the RNA require an IP address for each network interface?
Answer: No. The RNA will assign the configured IP address to the first
detected network card, then ifconfig all other interfaces UP, but with
no IP protocol stack.
- Question: Does the RNA support dynamic IP address allocation using Bootp or
DHCP?
Answer: No.
- Question: Can the RNA boot off CDROM?
Answer: No.
- Question: Does the RNA support Realtek NICs?
Answer: No.
- Question: Does the RNA support PCCARD or PCMCIA NICs for laptops?
Answer: No.
- Question: How many RNAs can be configured in the server?
Answer: The real world practical limit is currently unknown.
- Question: Are USB floppy disk drives supported?
Answer: Yes.
- Question: Are USB flash disk drives supported?
Answer: Yes.
- Question: What other applications will be developed for the RNA?
Answer: Statseeker may in the future build the following applications:
- Packet analyzer/decoder
- Remote ping/SNMP poller for the Network Monitor
- Network performance/load tester
- Packet shaper
- Question: Can an email alert be sent when an RNA becomes unavailable?
Answer: No. This is planned functionality and will be implemented
in a future release.
10. LAN Analyzer
10.1 Overview
The LAN Analyzer monitors local and remote LAN segments, building
traffic matrix tables for every network node, conversation and protocol.
The realtime and historical data collection clients run on the new RNA platform.
It is important to understand that the LAN Analyzer is a
'technical tool' for technical people. It does not have a 'management
view'. You should have a reasonable knowledge of network engineering (ie.
IP addressing, subnetting, routing, protocols), and how your own network
is constructed to gain the full benefits of the LAN Analyzer.
Features:
- High speed packet capture on all attached network segments
- Builds MAC/IP node/conversation/protocol matrix tables
- User defined protocols: TCP/UDP ports and IP addresses
- Displays a list of undefined TCP/UDP port numbers
- Collects data for realtime and historical uses
- Realtime terminal interface accessed via most telnet clients
- Realtime access is password protected
- Five minute historical reporting intervals
- A server can collect data for hundreds of LAN segments
- Data is highly compressed to minimise network impact
- Decodes 802.1q VLAN packets
What the LAN Analyzer does NOT do:
- It does NOT monitor WAN interfaces (eg. FrameRelay, ATM, serial links)
- It does NOT use SNMP/RMON to retrieve realtime or historical data.
SNMP/RMON are extremely inefficient and require significant bandwidth. All
data is retrieved via a compressed TCP/HTTP stream.
- It does NOT display information in graphs... yet. This is a planned
feature.
10.2 How It Works
A LAN Analyzer client program is sent to the RNA when it boots.
The client monitors each network interface by capturing the first 60 bytes
of each packet and builds address/protocol matrix tables. Every five
minutes, the client dumps its matrix tables to a compressed file, clears
its tables, and starts monitoring again. The server downloads and processes
the dump files into a central historical database.
Due to the enormous size of the data, the server regularly deletes historical
data after a user defined period of time (default of 30 days).
The strength of the LAN Analyzer is its ability to perform high
speed table lookups and protocol decoding for each packet. For example,
the LAN Analyzer does the following for each IP packet:
- Decodes the packet headers
- Searches and updates the MAC node table
- Searches and updates the user defined IP protocol table
- Searches and updates the IP nodes table
- Searches and updates the IP conversations table
For a LAN segment which is running at 10,000 packets per second, the
LAN Analyzer is performing at least 40,000 table lookups and updates
per second.
10.3 Getting Started
Add the LAN Analyzer product key using the Administration Tool.
A LAN Analyzer client is automatically started for each network
interface on the server and for each RNA. To deploy a LAN Analyzer
you must first deploy an RNA. The LAN Analyzer client will be
automatically downloaded to each RNA at boot time.
To access the realtime LAN Analyzer, a password MUST be configured
first by using the LAN Analyzer Configuration Tool.
10.4 Where to Connect a LAN Analyzer
The LAN Analyzer is a "LAN" tool; however, most customers use
it to track traffic volumes over their WAN links. This is typically
achieved by locating the RNA on the same network segment as the router,
or by mirroring the router's switch port to the LAN Analyzer.
The following examples display typical deployment configurations for the
LAN Analyzer:
Example 1: Port mirroring
Example 2: VLAN mirroring
NOTE: Many of the newer switches do not allow packets to be
transmitted on the monitor port, therefore the RNA will need to be fitted
with at least two network interfaces (ie. one to monitor and the other to
talk to the network).
10.5 Packet Decoding
The following diagrams show how the LAN Analyzer decodes a typical
IP/TCP packet.
MAC Node Table:

Tips:
- Only the MAC addresses on the local subnet should appear in the table.
All IP traffic coming from other subnets should contain a source MAC of
the local router.
- Only the local subnet IP addresses should appear in the table.
- The alerts screen displays a possible list of duplicate IP addresses.
- The alerts screen displays a list of "Possible routers". A MAC is
listed as a "Possible router" if:
- Its IP address keeps changing
- It transmits a routing type of packet (eg. RIP, OSPF, EGP, BGP,
ICMP NetRedirect)
Due to the complexity of many networks or incorrect device configuration,
routers and devices which appear to be acting like a router are listed in
the "Possible router" list of the alerts.
- The LAN Analyzer will usually lock onto each router's correct IP
address once it has seen either a routing packet (eg. rip, ospf, bgp) or
an ICMP NetRedirect.
IP Protocol Decoding:

The IP protocol decoder attempts to find a match in its defined set of
IP protocols and subprotocols. If a match can not be found, then the
packet is marked as "unknown". A "Protocol" is one of the types defined
in /etc/protocols. For example:
- icmp (1)
- igmp (2)
- tcp (6)
- egp (8)
- udp (17)
- ospf (89)
- ...
The "SubProtocol" is the next layer down within each IP Protocol. For example:
- icmp EchoReply (0)
- icmp Unreachable (1)
- icmp NetRedirect (2)
- ...
- icmp TllExceeded (11)
- ...
- tcp ftp-data (20)
- tcp ftp (21)
- tcp ssh (22)
- tcp telnet (23)
- ...
- udp dns (53)
- udp bootps (67)
- udp bootpc (68)
- udp snmp (161)
- udp snmptrap (162)
- ...
If a match can not be found for a SubProtocol, then it is marked as
{Protocol}.unknown.
Unknown TCP/UDP Port Numbers:

If the IP protocol cannot be determined for a TCP or UDP packet, then
the Unknown Ports table is updated with both the source IP/Port and
destination IP/Port. This table allows you to quickly identify which
TCP/UDP port numbers are being used for local applications and from
what IP addresses.
This information is extremely useful for detecting locally written
applications or applications which are using unregistered port numbers.
A new user defined entry can then be added to the LAN Analyzer's
protocol table.
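The per-packet work listed in 10.2 and the decoding rules of 10.5 can be sketched as follows. This is an added Python example, not Statseeker code: the table layouts, the two small protocol tables and the constructed frames built by make_frame are assumptions, and only TCP/UDP subprotocols are resolved.

```python
import struct
from collections import defaultdict

SNAPLEN = 60  # the client keeps only the first 60 bytes of each packet

# Constructed, minimal stand-ins for the protocol tables (assumption: the
# real ones come from /etc/protocols plus the user defined entries).
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 89: "ospf"}
SUBPROTOCOLS = {(6, 22): "ssh", (6, 23): "telnet", (17, 53): "dns", (17, 161): "snmp"}


class Tables:
    """The matrix tables one client keeps for one five minute interval."""

    def __init__(self):
        counter = lambda: [0, 0]  # [packets, bytes]
        self.mac_nodes = defaultdict(counter)
        self.protocols = defaultdict(counter)
        self.ip_nodes = defaultdict(counter)
        self.conversations = defaultdict(counter)
        self.unknown_ports = defaultdict(int)


def bump(table, key, nbytes):
    table[key][0] += 1
    table[key][1] += nbytes


def process(tables, frame):
    """Decode one frame from its first 60 bytes and update the tables."""
    snap, nbytes = frame[:SNAPLEN], len(frame)
    if len(snap) < 14:
        return None  # runt: not even a full Ethernet header
    src_mac = ":".join(f"{b:02x}" for b in snap[6:12])
    ethertype, offset = struct.unpack("!H", snap[12:14])[0], 14
    if ethertype == 0x8100 and len(snap) >= 18:  # 802.1q tag: skip 4 bytes
        ethertype, offset = struct.unpack("!H", snap[16:18])[0], 18
    bump(tables.mac_nodes, src_mac, nbytes)
    if ethertype != 0x0800 or len(snap) < offset + 20:
        return None  # not IPv4, or the IP header is cut off
    ver_ihl, proto = snap[offset], snap[offset + 9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return None
    frag = struct.unpack("!H", snap[offset + 6:offset + 8])[0] & 0x1FFF
    src_ip = ".".join(map(str, snap[offset + 12:offset + 16]))
    dst_ip = ".".join(map(str, snap[offset + 16:offset + 20]))
    name = PROTOCOLS.get(proto, "unknown")
    l4 = offset + ihl
    if proto in (6, 17):
        sub = None
        # Ports exist only in the first fragment and only if inside the snap.
        if frag == 0 and len(snap) >= l4 + 4:
            sport, dport = struct.unpack("!HH", snap[l4:l4 + 4])
            sub = SUBPROTOCOLS.get((proto, dport)) or SUBPROTOCOLS.get((proto, sport))
            if sub is None:
                tables.unknown_ports[(src_ip, sport, dst_ip, dport)] += 1
        name = f"{name} {sub}" if sub else f"{name}.unknown"
    bump(tables.protocols, name, nbytes)
    bump(tables.ip_nodes, src_ip, nbytes)
    bump(tables.conversations, (src_ip, dst_ip), nbytes)
    return name


def make_frame(src_mac, src_ip, dst_ip, proto, sport, dport, vlan=None, size=64):
    """Build a constructed Ethernet/IPv4 frame (sample input, not a capture)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size - len(eth), 0, 0, 64, proto, 0,
                        bytes(map(int, src_ip.split("."))),
                        bytes(map(int, dst_ip.split("."))))
    return (eth + iphdr + struct.pack("!HH", sport, dport)).ljust(size, b"\0")


if __name__ == "__main__":
    tables = Tables()
    frames = [
        make_frame("02:00:00:00:00:0a", "10.1.1.5", "10.2.2.9", 6, 40000, 22, vlan=30),
        make_frame("02:00:00:00:00:0b", "10.1.1.7", "10.1.1.8", 17, 5000, 5001),
    ]
    for frame in frames:
        print(process(tables, frame))
    print(dict(tables.unknown_ports))
```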
IP Nodes:
Tips:
- All IP addresses from other subnets should contain the common MAC
address of the local router.
IP Conversations:
10.6 Realtime LAN Analyzer

Overview
The realtime LAN Analyzer uses a telnet user interface and single
keystroke commands to display realtime LAN statistics. All commands are
listed on the initial help screen.
Supported Terminal Emulators
The LAN Analyzer supports a limited number of terminal emulators.
These include:
Alerts
The Alerts screen displays a list of possible duplicate IP addresses and
possible IP routers.
Short/Long Displays
The node/conversation tables can be displayed in either short or
long mode. Short mode only displays totals, while long
mode displays totals and a protocol breakdown.
Matching Conversation
Each direction of an IP conversation is displayed as a separate table
entry. The Matching conversation feature searches the table for
the corresponding entry displayed on the top row.
Sorting Schemes
Each of the node/conversation/protocol tables can be displayed in the
following order:
- by address
- by total bytes
- by total packets
- by bytes per second
- by packets per second
The current view is resorted every 10 seconds.
10.7 LAN Analyzer Console

Real-Time
To start a real-time LAN Analyzer session, select the segment to be
monitored and click on the "Real-Time" button. A telnet connection to
the RNA will be initiated.
LAN Segments
This is a single select list of LAN segments which are currently being
monitored.
Protocols
This is a single select report filter option.
Create Report
Reports are generated by selecting one of the options in Create
Reports list.
Sort Filter
The default is by Bytes.
Preset Times
Preset Times provides a fast way of selecting common time periods.
For example:
- Last five minutes
- Last 30 minutes
- Yesterday
- ...
This filter modifies the current settings for the Start and
End times.
Specific Times
Specifies a start and end time range.
Address Filter
This is a powerful filter which allows you to specify the exact network
addresses or network ranges to filter on.
10.8 Advanced Console

Additional Features:
Format
Reports can be generated using the following delimited formats:
The default is space delimited.
Time Range Filter
Set the time range for reporting.
Exclude Filters
Set the exclude filters for reporting.
10.9 Configuration

General Options
Set the number of days that the historical LAN Analyzer data will
be kept before it is deleted. The default is 30 days.

Realtime Password
A realtime password must be set before you can access the realtime version
of the LAN Analyzer. The same password is set for every remote realtime
LAN Analyzer. There is no 'username' for the realtime LAN Analyzer,
only a password.

User Defined Protocols
Add custom definitions for local TCP/UDP ports.

Apply Changes
Configuration changes will not take effect until the Apply changes
link is pressed. This creates the config files and sends them to each
RNA. It may take several minutes for the new configuration information
to be updated on all RNAs.
10.10 Frequently Asked Questions
- Question: Can the LAN Analyzer monitor token ring LAN segments ?
Answer: The RNA contains support for token ring, but this has not been tested.
- Question: Can I stop a LAN segment from being monitored ?
Answer: No. An instance of the LAN Analyzer is started on every server
and RNA network interface.
- Question: Can I change the five minute data collection interval to something else ?
Answer: No.
11. Network Monitor

11.1 Overview
The Network Monitor is a high performance network monitoring tool
which collects and processes Ping/SNMP data for every port, on every network
device, every 60 seconds.
11.2 Getting Started
Go to the Configuration Tool "Config Button" from the Network Monitor Console:
- General: Configure a Network title. All other options
can be left at their defaults.
- Communities: Configure all the READ SNMP community strings
that are needed to communicate with your network devices.
- Devices: Add a device. Fill in the displayed form. Submit
the configuration.
- Click on the Apply changes link. Check that this was
successful.
- Reload the Main Console. The newly added device will be
displayed. Wait for a few minutes for data to be collected.



11.3 Realtime and Historical Database
The Network Monitor does not use a conventional database to store
its realtime and historical data. The proprietary database enables the
Network Monitor to scale to several hundred thousand ports.
11.4 Ping / SNMP Poller
The ping and SNMP poller can collect data from every port on a 100,000
port network, every 60 seconds, from a central server. The poller's design
is a balance of:
- Be light on the network:
It is difficult to collect large amounts of data using an inefficient
protocol (ie. SNMP), without affecting the load on the network. The
Network Monitor achieves this by maximising the number of MIB
OIDs within each request. The optimum number of OIDs is calculated
on a per device basis.
- Be light on the network devices:
It is easy for a network monitoring application to overrun the CPU
resources of a switch/router by sending SNMP requests too quickly.
Switches generally have little CPU resources to respond to SNMP
requests. The Network Monitor is light on every network device
as it sends only one request to each device at any one time.
- Automatically back-off when network failures occur.
Most network management applications tend to increase the level of
SNMP traffic when network infrastructure faults occur as their SNMP
pollers go into constant timeout/retry. The Network Monitor
only attempts to collect SNMP data from devices which are available
via a ping.
Features:
- Uses minimal CPU resources to collect data from a large number of
devices.
- Multiple pollers can be started on multi CPU systems to spread the
load across the system.
- Automatically adapts its transmission rate depending on network
load and latency.
- Warns when it can not keep up with the volume of requests. This
typically occurs on low end machines with a very large number of
ports configured.
NOTE: There are various tunable poller parameters that may need to
be adjusted for large networks (eg. greater than 30,000 ports). Contact
Statseeker Technical Support for assistance if you are monitoring a large
network and your server experiences poller warnings.
11.5 SNMP Traps
The Network Monitor collects and decodes SNMP traps ONLY for the
devices which it is monitoring. Traps for all other devices are discarded.
All traps are stored in highly compressed text files. The Network
Monitor does not contain functionality to further process a trap
message (eg. alert notifications). It simply logs the trap in the current
log file. The Network Monitor can NOT generate a SNMP trap.
In future releases, the SNMP trap collection functionality will be moved
to a generic message collection and processing module.
11.6 Network Monitor Console

Functions:
- Setting of various device, port and sort filters.
- Generating realtime and historical reports.
- Drilling down to secondary reporting consoles and Configuration tools.
Console Options
Real-Time Reports
Selecting an option generates a report.
Hourly Port Total Filter
Hour range filter that only applies to the realtime "Hourly Port
Totals" reports.
Historical Reports
Selecting an option generates a report.
SNMP Trap Filter
Text filter that only applies to the Historical Reports "SNMP Trap"
report option.
Sort Filter
Defines which order the reports will be displayed.
Device Group
Report and secondary console filter.
Port Groups
Report and secondary console filter.
Device/Port Type
Report and secondary console filter.
Device List
Report and secondary console filter.
Device Filter
Device name text filter that applies to reports and secondary consoles.
11.7 Executive Console
A cut down version of the Network Monitor Console.
It has been designed to give a top level management view of the network.

11.8 Graphing Console

Functions:
- Generates network delay and port utilization graphs.
- Daily, monthly and yearly graph formats.
Console Options
Time and Date
Port List
Multiple select.
Create Report
Click one of the options to generate the graphs.
Graph Options
Scales
Day Filter
Yearly only
11.9 Detailed Port Reports Console

Functions:
- Generates monthly port reports.
Console Options:
Month / Year Selection
Pull down select lists.
Port List
Multiple select list.
Create Report
Select one of the data types to generate a report.
11.10 Data Export Console

Functions:
- Exports data to comma delimited format.
Console Options
Month / Year Selection
Pull down select lists.
Port List
Multiple select list.
Create Report
Select one of the data types to generate a report.
To create a report, first select the ports then the year required and then
click on the type of report required. The output can then be saved as a
CSV file. The device name, the interface index, the speed, the selected
year and the report type will be displayed at the top of the output for each
selected port, followed by each day of collected data for that port.
device: Core-Router 1 10000000 2004 HourlyRxByte
2004,190,7,Jul,8,5,Thu,0,0,0,0,0,0,0,0,0,0,0,0,0,181135,532862,...
2004,194,7,Jul,12,2,Mon,0,0,0,0,0,0,0,0,0,0,3206169,3185770,...
2004,195,7,Jul,13,3,Tue,3153743,3184115,3181854,3185635,...
2004,196,7,Jul,14,4,Wed,3878197,3910854,3911721,3910929,...
2004,197,7,Jul,15,5,Thu,3174254,3198956,3184523,3185335,...
2004,198,7,Jul,16,6,Fri,3177195,3184506,3186035,3185370,...
The data is comma delimited with the first seven fields being: the year,
day of year (julian date), month of year, month name, day of month, day of
week and the day name.
11.11 Realtime Reports
Note: All auto refreshing realtime reports refresh every 30 seconds,
unless otherwise indicated.
Functions:
- Single click realtime report generation.
Device Reports:
Network Summary
This is a collection of various realtime reports useful for
glancing at overall network performance.
Up / Down Status
The current network availability of each device defined by a ping response.
Network Delay
The current and last several five minute period network delay times to
each device.
Today's Outages
A chronological ordered list of outages for each device.
Port Reports:
Utilization Graphs
This report displays up to fifty port utilization and network delay graphs.
The report auto refreshes every five minutes. Clicking on any graph drills
down to current day/month/year graphs and statistics.
Utilization %
The last fifteen minutes utilization percentages for each port.
Bits per Second
The current port bits per second.
Frames per Second
The current port frames per second.
Down Status
The current "administration" and "operational" status of each port.
Port Totals:
Bytes
The number of bytes that have passed through the interface for the
current day.
Frames
The number of packets/frames that have passed through the interface
for the current day.
Errors
The number of interface errors (eg. FCS errors) for the current
day.
Tips: In general, you want to keep the number of errors to a minimum.
WAN links should not continually run errors.
Ethernet switch ports that are connected to a single device (ie. not
to a repeater) should run zero errors. It is common for several
devices on every network to run high levels of errors when transmitting
high volumes of network traffic. This is usually due to an auto
negotiation speed/duplex incompatibility between the switch and
NIC. It is good practice to hard set the speed and duplex of all NICs,
especially network servers and switch interconnects.
Discards
The number of packet discards for each network interface for the
current day.
Tip: A large number of discards indicates a congestion issue.
FECN/BECN
The number of FECN/BECN counts for each Frame Relay PVC for the
current day.
Tip: A large number of FECN/BECNs indicates a congestion issue.
Threshold Exceeds
The number of five minute averages that a port's utilization has
exceeded a predefined threshold level for the current day.
FR CIR Exceeds
The number of five minute averages that the FrameRelay PVC
utilization has exceeded the specified CIR value for the current day.
1% Ripples
Identifies ports which display a constant saw tooth type of utilization
pattern. It counts the number of times a port's utilization deviates up
and down within a 1 - 5% range for the current day.
5% Ripples
Same as the 1% ripple counts however it looks for deviations in the
5 - 10% range.
Hourly Port Totals:
The hourly reports display the totals for the selected hour.
Bytes
Frames
Errors
Discards
FECN/BECN
Ports in Periods of:
Errors
Discards
FECN/BECN
Server Status:
Current status report for the server.
11.12 Historical Reports
Device Reports
Group Availability
Service level agreement availability for a group of devices (13 month view).
Availability
Service level agreement availability for each device (Monthly view).
Detailed Availability
Service level agreement availability for each device (Daily view).
Outages
A chronologically ordered list of outages for each device for the selected period.
SNMP Traps
A chronologically ordered list of received SNMP Traps for the selected period.
Port Reports
Availability
Service level agreement availability for each port (Monthly view).
Detailed Availability
Service level agreement availability for each port (Daily view).
Port Usage
Displays the ports in use on each device.
Port Totals
Bytes
The number of bytes that have passed through the interface for the
selected period.
Frames
The number of frames that have passed through the interface for the
selected period.
Errors
The number of errors that have passed through the interface for the
selected period.
Discards
The number of discards for the interface for the selected period.
FECN/BECN
The number of FECN/BECN counts for each Frame Relay PVC for the
selected period.
Threshold Exceeds
The number of five minute averages that a port's utilization has
exceeded a predefined threshold level for the selected period.
FR CIR Exceeds
The number of five minute averages that the FrameRelay PVC utilization
has exceeded the specified CIR value for the selected period.
1% Ripples
Identifies ports which display a constant saw tooth type of utilization
pattern. It counts the number of times a port's utilization deviates up
and down within a 1 - 5% range for the selected period.
5% Ripples
Same as the 1% ripple counts however it looks for deviations in the
5 - 10% range.
Ports in Hours of:
Errors
Discards
FECN/BECN
11.13 Configuration
General

Network Title
Describes the network that the Network Monitor is
monitoring. This text appears on all Network Monitor consoles
and reports. Default is: 'No Title Set'.
Auto Poller Optimization
The SNMP poller is automatically tuned every night for optimal data
collection performance. This optimization tests the network and devices
for the maximum number of SNMP OIDs that each device can process within
a single SNMP request. Default is 'On'.
Note: Leave this 'On' unless instructed by Statseeker Technical
Support.
SNMPv2
The configuration tool by default attempts to talk to all devices using
SNMPv2, then falls back to SNMPv1. Turning this 'Off' will force the
configuration tool to only use SNMPv1 for newly added devices, or for
any manual or automatic rewalk functions. Default is 'On'.
Use ifAlias
Instructs the Network Monitor configuration tool to populate the
interface descriptions with the values retrieved by the ifAlias OID.
Default is 'On'.
Number of Pollers
The number of concurrent Ping/SNMP poller processes. The number is
restricted by the number of physical and virtual (ie. Hyperthreading)
CPUs in the server. Default is '1'.
Note: leave this at its default value unless instructed by Statseeker
Technical Support.
Default Graphing Delay Scale
The default delay scale on all Utilization and Network Delay
graphs. This is useful for networks where the network delay is typically
very small.
Email Alerts

The Network Monitor can be configured to send email alert messages when a
device becomes unreachable for a specified length of time, when a port changes
state or when a utilization threshold on a port is exceeded for a user specified
period of time.
After an Email Group is created it can be associated with a device by using the
Devices section of the Configuration Tool. The Email Group number is used to
identify individual email groups. The Email Group name is used when configuring
devices.
The email addresses are the addresses to which email alerts are sent. Each email
group can have multiple space delimited email addresses defined.
Statseeker can bundle multiple alerts into a single email message.
The Message Bundling settings are "Never bundle", "Always bundle", "Bundle if 2 or
more", "Bundle if 5 or more", or "Bundle if 10 or more". If the number of alerts
in a one minute period is more than the Message Bundling settings, they will be
bundled into a single message.
Device Groups

A set of labels which can be assigned to devices for grouping and filtering
purposes. Each device can belong to as many as twenty Device Groups.
The Group Number is used to identify each device group.
The Group Name is used when adding a device to a device group.
The SLA Target is the percentage of the time that a device should be available
in the SLA user specified periods. The "Starting from" and "Ending at" times
specify the SLA period.
Port Groups

A set of labels which can be assigned to ports for grouping, filtering and
alerting purposes. A port can only be assigned to a single port group.
Email alerts can be produced when a port state changes or when the port
exceeds its user specified utilization threshold. The State Change check
box sets the email alerting on or off. The Utilization Threshold Exceed
pull down menu specifies how long a port's utilization must exceed the
threshold before the Network Monitor sends an email alert.
To assign a port to a Port Group, use the Devices section of the Configuration
Tool.
SNMP Communities

A list of all the SNMP read-only community strings that
are used in the devices.
Tip: Many people think that using cryptic SNMP community names makes
their network more secure. In practice, a community name of "abcdefg" is
no less secure than "D4f*3!#%". This is because SNMP v1/v2 transmits the
community names in plain text. SNMPv3 is the only version which encrypts
the SNMP community name. Statseeker 2.x does not support SNMPv3.
Valid characters are A-Z,a-z,0-9 and ~@#%^&_-+=:,
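The tip above can be checked against the message layout itself: SNMPv1 and SNMPv2c messages carry the version, then the community as a plain OCTET STRING, then the PDU. The following Python sketch is an added example, not Statseeker code; it builds a constructed GetRequest for sysUpTime.0 and reads the community back out of the raw bytes. The function names are assumptions.

```python
def tlv(tag, payload):
    """Encode one BER tag-length-value (short or long definite length)."""
    n = len(payload)
    if n < 0x80:
        head = bytes([tag, n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([tag, 0x80 | len(raw)]) + raw
    return head + payload


def build_get_request(community, version=1):
    """Constructed GetRequest for sysUpTime.0 (version 0 = v1, 1 = v2c)."""
    oid = bytes([0x2B, 6, 1, 2, 1, 1, 3, 0])  # 1.3.6.1.2.1.1.3.0
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, b"\x01")       # request-id
                    + tlv(0x02, b"\x00")     # error-status
                    + tlv(0x02, b"\x00")     # error-index
                    + tlv(0x30, varbind))    # variable bindings
    header = tlv(0x02, bytes([version])) + tlv(0x04, community.encode("latin-1"))
    return tlv(0x30, header + pdu)


def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def community_in_datagram(datagram):
    """Return (version, community) as stored, unencrypted, in the message."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version field missing")
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community field missing")
    names = {0: "v1", 1: "v2c"}
    return names.get(int.from_bytes(version, "big"), "other"), community.decode("latin-1")


if __name__ == "__main__":
    for community in ("abcdefg", "D4f*3!#%"):  # the two strings from the tip
        packet = build_get_request(community)
        print(packet.hex(), community_in_datagram(packet))
```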
Devices / Ports


Device Options
Device Name
Maximum of 30 characters. Valid characters are A-Z,a-z,0-9 and ~@#%^&_-+=:;
Device Title
Description field that appears on the right hand side of reports. Maximum number
of 30 characters. Valid characters are A-Z,a-z,0-9 and ~@#%^&_-+=:,
IP Address
The IP address of the device.
Community
SNMP read community string.
SNMP Version
Statseeker currently uses SNMPv1 and SNMPv2C. Statseeker determines if each device
can respond to a SNMPv2C request. If not, it falls back to SNMPv1.
Do not modify this setting unless instructed to do so by Statseeker Technical
Support.
Polling Interval
The polling interval is the rate that a device is polled. Polling intervals
between 10 and 180 seconds are accepted. The default is 60 seconds. Any value
outside of the valid range will be reset to 60.
Device Priority
Report filter settings: Low, Medium or High.
Device Type
Report filter settings: Generic, repeater, bridge, switch, router, etc...
Device/SLA Group
Device Group report filter. Defines the device groups that the device belongs to.
A device can belong to up to a maximum of 20 device groups.
Alert Time
Alert time is the amount of time a device must be unavailable before an email
alert is sent. Email alerts will not be generated if the alert time is set to
zero.
Email Group
The Network Monitor can be configured to send email alert messages
when a device becomes unreachable for a specified length of time. Each
email group can have multiple email addresses. Email Groups are created
in the Email Alert section.
Upstream Neighbors
Conceptual Diagrams:
Figure 1:
- Router A has an upstream neighbor of Central Switch.
- Router X has an upstream neighbor of Router A.
- Switch X has an upstream neighbor of Router X.
Figure 2:
- Router A has an upstream neighbor of Central Switch.
- Router X has upstream neighbors of Router A and Router B.
- Switch X has an upstream neighbor of Router X.
Figure 3:
- Router A has an upstream neighbor of Central Switch.
- Router B has upstream neighbors of Router A and Router C.
- Router C has upstream neighbors of Router B and Router D.
- Router D has upstream neighbors of Router C and Router F.
- Router E has upstream neighbors of Router A and Router F.
- Router F has upstream neighbors of Router D and Router E.
This defines the next device in the network path back towards the Statseeker
server. A maximum of five upstream neighbors can be defined for complex
redundant networks.
In the event that a device becomes unreachable, this list is checked to
see if all its upstream neighbors are also unreachable. In the Real-Time
Status report, the device will be displayed in red if ANY of its upstream
neighbors are reachable, and orange if ALL of its upstream neighbors are
unreachable.
Email alerts will only be generated for devices that are actually down.
Port Options

State
Set to On or Off. Most interfaces are set to "On" after an initial SNMP
walk of the device. Every interface configured in the "On" state will be
monitored.
Index
The SNMP Index is automatically populated with the value of ifIndex detected
from the SNMP walk.
Name
Port name. This is automatically populated with the value of ifAlias.
Priority
Report filter settings: Low, medium, or high.
Port Group
Port groups are used for alerting based on port operational status changes and
utilization thresholds, or to filter port related reports.
Type
Port Types: Serial, Ethernet 10M, Ethernet 100M, Ethernet 1G, Ethernet 10G,
FrameRelay Trunk, FrameRelay PVC, ISDN Trunk, ISDN Channel, ATM Trunk,
ATM PVC, Token Ring, FDDI, or VLAN.
The configuration tool attempts to guess the correct interface type from the
SNMP walk information. The Type can be modified but is overwritten if the
device is rewalked.
Threshold
The percentage used for threshold exceeds reporting and port utilization
threshold alerting. Default: 90 percent.
Speed
The speed of the interface in bits per second. This can be modified for all
interface Types with the exception of Ethernet. Ethernet Interfaces will
automatically revert to 10M, 100M, 1G or 10G when the configuration is
submitted. eg. 64000, 64K, 1544000, 1544K, 10000000, 10M, 1G, ...
CIR
CIR speed (FrameRelay only). Manual setting.
Title
Description field that appears on the right hand side of reports. This is
automatically populated with the contents of ifAlias from the SNMP walk.
If the ifAlias was blank, then it is filled with the contents of ifDescr.
This field can be manually overridden, but will be overwritten on the
next rewalk. Maximum number of 30 characters.
ifType
Informational only after a SNMP walk.
ifStatus
Informational only after a SNMP walk.
MIB Data Types
List of MIB OIDs which will be collected for the interface.
Apply Changes
Builds the runtime configuration files. The runtime processes (eg.
poller, database and user interfaces) will only use the new configuration
if no errors were detected.
Typical output from clicking on Apply changes:
Building configuration.... Please wait.
8 devices loaded
169 ports loaded
1 email groups loaded
4 Device Group/SLA loaded
8 Port Groups loaded
ssbuild completed successfully
Changes detected. Restarting SSD.
SNMP Trap Excludes

Filter incoming traps using a simple text matching filter. If the text
filter matches a trap, the trap is discarded.
Devices are notorious for sending a large number of relatively useless traps
to network management stations. For example, a trap may be generated
every time a port goes up or down.
Device Rewalk
Performs a scheduled SNMP rewalk of all configured network devices.
Network devices may need to be regularly re-walked.
Tip: Rewalk on a regular basis during normal working hours to:
- Discover/add newly added interfaces, or to remove old entries.
- Discover what speed each interface is operating at.

Poller Warnings

Poller warnings are errors detected by the Ping/SNMP poller. These errors
may include:
- A device responds to a ping, but not to a SNMP request. This may
be due to no SNMP read access, traffic being blocked by a filter or
firewall, or an incorrect SNMP community name.
- Multiple responses were received from a single request.
Typically caused by various routing/switching issues.
- Late transmissions, due to the poller not completing its tasks in
a reasonable time.
- Unknown SNMP OID or index. This is usually caused by configuration
interface changes made to the device, where the device no longer contains
previously configured network interfaces. Rewalking the device will fix
this.
11.14 Renaming a Device
npm-rename-device is a utility that allows you to rename devices.
To rename a single device:
- Log in to the Statseeker server as the Network Monitor user (eg. npm1).
- Type the following command:
npm-rename-device {old name} {new name}
To rename many devices at once:
- Create a space/tab delimited file which contains two columns (ie.
old name and new name)
- Type the following command:
npm-rename-device -f {filename}
11.15 Command Line Data Export
npm-export is a command line program which allows you to extract
Network Monitor historical data and wrap it into simple shell scripts.
The output is formatted in comma delimited fields.
npm-export -d device [ -L ] [-i ifname] [ -Y yyyy [ -M mm [ -D dd ] ] ] -t type
ifname is a specific interface name. If not specified, all interfaces on the device are displayed
yyyy specifies a year. Default is the current year.
-L specifies long format output
type is one of:
NetworkDelay (288 values)
RxUtilPercent (288 values)
TxUtilPercent (288 values)
HourlyRxByte (24 values)
HourlyTxByte (24 values)
HourlyRxFrame (24 values)
HourlyTxFrame (24 values)
HourlyRxError (24 values)
HourlyTxError (24 values)
HourlyRxDiscard (24 values)
HourlyTxDiscard (24 values)
HourlyFECN (24 values)
HourlyBECN (24 values)
DailyRxByte (1 value)
DailyTxByte (1 value)
DailyRxFrame (1 value)
DailyTxFrame (1 value)
DailyRxError (1 value)
DailyTxError (1 value)
DailyRxDiscard (1 value)
DailyTxDiscard (1 value)
DailyFECN (1 value)
DailyBECN (1 value)
Output fields are:
year
day of year (1 to 366)
month (1 to 12)
month name (Jan, ..., Dec)
day of month (1 to 31)
day of week (1 = Sun, to 7 = Sat)
day of week (Sun, ..., Sat)
data values
11.16 Auto Populate
The Network Monitor does not auto discover. It does have a command
line tool that automatically populates the initial device configuration.
The npm-populate program reads a user-supplied CSV file, performs an
SNMP walk of each device, then submits and builds a runtime configuration.
NOTE: This tool is designed to be used once, at initial configuration time.
CSV file format
The CSV file is made up of 12 comma separated fields. Fields marked
"mandatory" must contain valid data. All other fields can be left empty
and npm-populate will set a default if required.
| Number | Field | Requirement | Comment |
| 1 | Device name | mandatory | |
| 2 | IP address | mandatory | |
| 3 | SNMP Community name | mandatory | |
| 4 | Title | | |
| 5 | Device type | | generic, repeater, bridge, switch, router, unix, novell, nt, or empty |
| 6 | Polling interval | | Between 10 and 180 seconds. Defaults to 60. |
| 7 | Device priority | | low, medium or high |
| 8 | Email group | | |
| 9 | Alert time | | time in minutes (0=off) |
| 10 | Upstream neighbours | | list of devices separated by a '|', or empty |
| 11 | Device group | | list of device groups separated by a '|', or empty |
| 12 | SNMP version | | 1, 2, or empty |
Procedure
- Create a CSV file in the above format. There must be exactly 12 fields
(ie. a total of 11 commas).
- Copy the CSV file to /tmp on the Statseeker server.
- Create all the required Community Names, Email Groups, Device
Groups and Port Groups using the Network Monitor
configuration GUI.
- Any device which is an upstream neighbour must also be in the CSV file.
- Log in as "npm1".
- Type the following command:
npm-populate {path to csv file}
- Check its operation via the GUI.
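A pre-flight check for the CSV described above, as an added example (not Statseeker code): it enforces the 12-field rule, the mandatory fields, the documented value ranges, the rule that every upstream neighbour must also be in the file, and the section 11.18 advice against IP addresses as device names. Splitting on plain commas and ignoring blank lines are assumptions about how npm-populate reads the file; the sample rows are constructed.

```python
import ipaddress

DEVICE_TYPES = {"generic", "repeater", "bridge", "switch", "router", "unix", "novell", "nt"}

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def validate_populate_csv(text):
    """Return (line_number, message) problems found in npm-populate CSV text."""
    # Assumptions: fields are split on plain commas; blank lines are ignored.
    records = [(n, line.split(",")) for n, line in enumerate(text.splitlines(), 1) if line.strip()]
    names = {f[0].strip() for _, f in records if len(f) == 12}
    problems = []
    for n, raw in records:
        if len(raw) != 12:
            problems.append((n, f"expected 12 fields (11 commas), found {len(raw)}"))
            continue
        f = [c.strip() for c in raw]
        if not all(f[:3]):
            problems.append((n, "fields 1-3 (name, IP, community) are mandatory"))
        if f[0] and _is_ip(f[0]):
            problems.append((n, "device name is an IP address (see 11.18)"))
        if f[1] and not _is_ip(f[1]):
            problems.append((n, f"invalid IP address {f[1]!r}"))
        if f[4] and f[4] not in DEVICE_TYPES:
            problems.append((n, f"unknown device type {f[4]!r}"))
        if f[5] and not (f[5].isdecimal() and 10 <= int(f[5]) <= 180):
            problems.append((n, "polling interval must be 10 to 180 seconds"))
        if f[6] not in ("", "low", "medium", "high"):
            problems.append((n, f"unknown device priority {f[6]!r}"))
        if f[8] and not f[8].isdecimal():
            problems.append((n, "alert time must be whole minutes (0=off)"))
        for up in f[9].split("|"):
            if up.strip() and up.strip() not in names:
                problems.append((n, f"upstream neighbour {up.strip()!r} is not in the CSV"))
        if f[11] not in ("", "1", "2"):
            problems.append((n, f"SNMP version must be 1, 2 or empty, got {f[11]!r}"))
    return problems

# Constructed sample rows (not from the Statseeker documentation).
SAMPLE = """\
NewYork-ro1,192.0.2.1,public,Core router,router,60,high,,5,,,2
NewYork-sw1,192.0.2.2,public,Access switch,switch,5,medium,,0,NewYork-ro1|NewYork-ro9,,2
192.0.2.3,192.0.2.3,public,,hub,,,,,,,3
"""
```

The check cannot confirm that the Community Names, Email Groups and Device Groups referenced in the file already exist; those still have to be created in the configuration GUI first.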
11.17 Configuration File Formats
WARNING:
- Manually modifying configuration files with invalid information will
stop the Network Monitor from functioning correctly.
- Each Network Monitor instance runs under its own Unix user
account (eg. npm1, npm2, ...). Most customers will monitor a single
network with the Unix username 'npm1'.
- NEVER make modifications to the Network Monitor configuration
files as the 'root' user. ALWAYS login or 'su' to the Network Monitor
user.
- The locations and formats of Network Monitor configuration files
WILL change in the future.
Directory layout
/home/npm1 - Home directory
/home/npm1/data/... - Where all the data is stored
/home/npm1/etc/crontabs - Cron entries for this user
/home/npm1/conf - Config directory
/home/npm1/conf/*.bin - Runtime binary files. Do NOT touch.
/home/npm1/conf/*.cfg - Config files. Do NOT touch.
/home/npm1/conf/devices/{name} - One directory for each device
One of each of these files is created for each device:
/home/npm1/conf/devices/{name}/dev.cfg
/home/npm1/conf/devices/{name}/ip.cfg
/home/npm1/conf/devices/{name}/port.cfg
conf/devices/{name}/dev.cfg format
device {name of device}
ip_address {ip address of device}
community "{SNMP community name for the device}"
snmpversion [SNMPv2C or SNMPv1]
title "{description}"
poll_interval {number in seconds 10 to 180}
maxoid {Calculated value. Do NOT modify}
alert_time {Number of minutes before an email alert is generated}
email_group {Email group number defined in email.cfg}
upstream "{space delimited list of upstream devices}"
type { generic | repeater | bridge | switch | router | unix | novell | nt }
priority { low | medium | high }
sla { Up to 20 SLA groups to which the device belongs. Each must match one
of the groups defined in sla.cfg }
conf/devices/{name}/port.cfg format
Each line contains an entry for a single port. The line must contain the
correct number of fields (ie. 13).
Field 1 - Device Name
Field 2 - State
0 = off, don't collect data for the port
1 = on, do collect data for the port
Field 3 - SNMP Index number
Field 4 - Interface name
The interface name retrieved from the device using the extended MIB-2
interface table OID "ifName". If an "ifName" instance does not exist
in the device, or the vendor does not correctly implement "ifName",
then the interface name is set to be the same as the SNMP Index number
(ie. ifIndex). This is a quoted field (ie. double quotes).
Field 5 - Port Priority
This can contain either 'L', 'M' or 'H' (ie. low, medium or high).
Field 6 - Port group number
Each port can belong to a single port group. This number must match one
of the entries in the provider.conf configuration file. Specifically, it
must match one of the first fields.
Field 7 - Port type number
| Number | Type |
| 1 | Serial |
| 2 | Ethernet 10Mbps |
| 3 | Ethernet 100Mbps |
| 4 | Ethernet 1Gbps |
| 5 | Frame Relay Trunk |
| 6 | Frame Relay PVC |
| 7 | ISDN Trunk |
| 8 | ISDN Channel |
| 9 | ATM Trunk |
| 10 | ATM PVC |
| 11 | Token Ring |
| 12 | FDDI |
| 13 | Ethernet 10Gbps |
| 14 | Ethernet VLAN |
Field 8 - Utilization threshold percentage
A percentage of the interface speed: 0 to 100. Various reports
use this to count the number of times the utilization has exceeded the
threshold level, and also for email alerting.
Field 9 - Interface speed
The speed of the interface, or maximum throughput speed in
the case of a virtual circuit. Utilization percentages will be calculated
from this value.
Field 10 - Frame Relay CIR speed
Leave this set to '0' for non Frame Relay PVC interfaces.
Field 11 - Community name
A double quoted field which contains the SNMP community name
required to collect data for this interface. The community name is
required for each port as many modern devices now use "Community Name
Addressing". Community Name Addressing is used for devices such as
switches where each slot, VLAN or stack is addressed with a different
community name.
Field 12 - MIB OIDs to collect
A list of MIB OIDs to be collected for the interface.
The list is created by walking the MIB tree of the device. Do not modify
this field.
Field 13 - Interface title
A text field which describes the interface. If the device supports
the ifAlias MIB OID, then this field is automatically populated with the
value retrieved from the device.
conf/devices/{name}/ip.cfg
The IP addresses of the device collected from the SNMP walk.
Do NOT modify this file. The Network Monitor uses this file to
match up SNMP traps to the correct device name.
11.18 Device Naming Conventions
It is important to standardize on descriptive and simple device names.
One common method is to use the following breakdown:
"Location - Equipment Type - Device Number"
For example, a name of NewYork-ro1 would be more appropriate than
using nycro1.
Do not use an IP address for a device name.
The following table lists commonly used equipment type names:
| Equipment Type | Acronym |
| Router | -ro or -rtr |
| Switch | -sw or -swt |
| Bridge | -bg or -bdg |
| Hub/repeater | -hb, -hub or -rpt |
11.19 Frequently Asked Questions
- Question: How is utilization calculated ?
Answer: Using the following formula:
Percent utilization = ((((Bytes2 - Bytes1) / (Time2 - Time1)) * 8) / InterfaceSpeed) * 100
- Question: Can vendor specific mibs be added ?
Answer: No.
- Question: What versions of SNMP does NPM use ?
Answer: SNMP v1 and v2. Version 3 will be supported in the future.
- Question: How can I hard set the interface speed of an Ethernet port
to a lower speed ?
Answer: In some circumstances, you may have a requirement to
monitor a high speed Ethernet interface, simulated as a WAN link.
For example, when you do not have SNMP read access to a WAN router
which is connected to a switch. Use the following procedure:
- Exclude the device from the rewalk list.
- Change Statseeker's configuration of the particular port to
be type "Serial" and enter the required interface speed.
- Build the new runtime configuration (ie. apply changes).
Note: If you rewalk the device at any stage, you must set
the port type and interface speed back to your original settings
as the rewalk utility and GUI configuration tool will set the
interface type back to Ethernet and N*Mbps. There may be an
option in the future to allow you to "lock" the settings of an
interface.
12. System Security
12.1 Server
Open Ports
- tcp port 23: telnetd
- tcp port 20/21: ftpd
- tcp port 22: sshd
- tcp port 80: httpd
- udp port 162: snmptrap
Protocols Used
- icmp
- udp snmp
- udp snmptrap
- tcp http
Server Processes
- Sendmail is configured to only process local mail. It will NOT
accept remote SMTP connections.
- Sendmail runs as a non-privileged user
- Sendmail will make outgoing connections to the configured SMTP
gateway.
- The syslog daemon only processes local messages. It will not
accept messages from remote hosts.
- You cannot log in as root via a network connection. You
must log in as a normal user and then 'su'.
Cert Security Advisories
This section will be updated as relevant CERT notifications occur.
12.2 Remote Network Appliance
The RNA is a custom designed platform based on FreeBSD.
- There is no command line shell (eg. /bin/sh).
- The RNA will only execute Statseeker certified programs.
- The client/server protocol runs over HTTP. The data is not
encrypted, however it is obscure and would require a lot of effort
to reverse engineer it.
- The telnet daemon runs on tcp ports 30000-30007. All telnet data is
sent across the network in plain text.
Open Ports
- tcp port 80: http
- tcp port 30000-30007: LAN Analyzer telnet
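To confirm that a deployed server or RNA exposes only the ports listed in 12.1 and 12.2, the following added example (not part of the Statseeker documentation) compares the open ports from a scan of your own appliance against those lists and flags the unencrypted services among them. It assumes the scan was saved in nmap's grepable (-oG) format; the sample line is constructed.

```python
import re

# Listeners documented in sections 12.1 (server) and 12.2 (RNA) of this page.
BASELINES = {
    "server": {("tcp", 20), ("tcp", 21), ("tcp", 22), ("tcp", 23), ("tcp", 80), ("udp", 162)},
    "rna": {("tcp", 80)} | {("tcp", p) for p in range(30000, 30008)},
}
# Documented services that send data unencrypted (FTP, telnet, HTTP, RNA telnet).
CLEARTEXT = {("tcp", 20), ("tcp", 21), ("tcp", 23), ("tcp", 80)} | {
    ("tcp", p) for p in range(30000, 30008)}

# One port entry in grepable output looks like: 22/open/tcp//ssh///
PORT_ENTRY = re.compile(r"(\d+)/open/(tcp|udp)/")

def open_ports(grepable_line):
    """Extract (proto, port) pairs marked open in one 'Ports:' line."""
    _, _, ports = grepable_line.partition("Ports:")
    return {(proto, int(port)) for port, proto in PORT_ENTRY.findall(ports)}

def audit(grepable_line, role):
    """Compare observed listeners with the documented baseline for a role."""
    seen, expected = open_ports(grepable_line), BASELINES[role]
    return {
        "unexpected": sorted(seen - expected),  # listening but not documented
        "not_seen": sorted(expected - seen),    # documented but not observed
        "cleartext": sorted(seen & CLEARTEXT),  # observed and unencrypted
    }

# Constructed scan line for illustration; the address is a documentation range.
SAMPLE = ("Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
          "80/open/tcp//http///, 3306/open/tcp//mysql///, 21/closed/tcp//ftp///")
```

Anything reported under "unexpected" is a listener this documentation does not account for and should be investigated before the host is trusted on a management network.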
13. Miscellaneous
13.1 Setting the Time on the Server
Use the ssadmin tool to set the BIOS time and timezone for
the server. The server will be rebooted if the time is changed.
13.2 Crontab Files
Crontab files for 'root', 'statseeker' and each Network Monitor domain
user account are automatically created/updated by Statseeker software.
Changes made to these crontabs will be overwritten.
13.3 Log File Rotation
All operating system and Statseeker specific log files are automatically
rotated and compressed. Old log files are automatically deleted.
13.4 How to ssh or telnet to a Statseeker Server
Three standard users are configured during installation: "root", "statseeker", and
a Network Monitor user (usually "npm1"). The name of the Network Monitor user
appears in the network column in the Network Monitor Information section of the
Administration Tool. The password for these three users will be the same root
password you created during installation.
Log in as "statseeker" if you are connecting to the Statseeker Server from a remote
machine. Log in as the Network Monitor user only if you need to run a specific
Network Monitor user's command.
13.5 Regular System Administration
A Statseeker server requires very little system administration.
- Check system time is correct. PC hardware is notorious for having
poor real time clocks.
- Check available file system space. Running out of file system space
can cause data loss.
- Check system CPU load. A Statseeker server generally runs at low CPU
utilization.
- Check swap usage. A machine which is constantly swapping will
quickly degrade in performance. The ONLY solution is to add more RAM.
13.6 Configuring Windows to run a FTP server
- Install "Internet Information Services" on the computer:
- Insert the appropriate Windows 2000 or XP cdrom.
- Close the install window, which is started when the CDROM is detected.
- Select: Start -> Settings -> Control Panel ->
Add/Remove Programs -> Add/Remove Windows Components
- Select: Internet Information Services (IIS) and click on Details.
- De-select all options.
- Select:
- Common Files
- File Transfer Protocol (FTP)
- Internet Information Services Snap-in
- Select: OK -> Next. Windows will install IIS.
- When completed, select Finish, and close all Control Panel windows.
- Create a local user on the windows machine:
- Select: Start -> Settings -> Control Panel ->
Users and Passwords -> Add
- Type in a Username and Fullname
- Windows 2000:
Next -> Others -> Power User -> Finish -> OK
- Windows XP:
User Account -> Create New Account -> (type an account name) -> Next -> Create Account ->
(select the newly created account) -> Create a Password -> (type in a password) -> Create Password
- Close the Control Panel
- Create a directory to store the FTP data
- Configure FTP services:
- Select: Start -> Settings -> Control Panel -> Administration Tools ->
Information Services
- Expand the computer name on the left hand pane and select:
Default FTP Sites -> Action -> Property.
- Select the computer's IP address from the IP dropdown list.
- From the Home Directory Tab, click on Browse and
select the directory created in step 4.
- Select Unix in the directory listing style section and OK
- Close all windows you opened.
- Configure Statseeker backup controls.