
This short test drive demonstrates but a few of Observer's most powerful features; it is by no means an exhaustive treatment of all that Observer can do for you. For more comprehensive instructions on how to use Observer, refer to the help system or user guide. Everything described in this document can be done with the standard Observer product. Additional 15-minute Test Drives are available which describe some of the more advanced features of Expert Observer and Observer Suite.


How do I get started?


Starting the program
If you are a licensed user, start the program as you usually do. If you would like to run in demo mode as a licensed
user, from the Windows Start menu, choose Run. Enter "C:\Observer Files\Observer.exe" -demo, then click OK.
If you are an unlicensed user, you can choose from one of two demo modes. From the Windows Start menu, choose
Observer from the Observer program group. The Observer splash screen is displayed:


For the evaluation described in this document, it's best to choose the Simulation Demo. The Time Limited Functional
Demo has the following characteristics:
Packet Capture/Decode is limited to 250 packets per capture (you may run as many captures as you wish).
Statistics modes run for one minute and then stop. You can press again to run for another minute as many
times as you like.
These limitations make the Time Limited demo primarily useful for verifying that your hardware is compatible with Observer.
After you click Simulation Demo, the program prompts you for the type of simulation you want to run:

This document focuses on Ethernet. Other evaluation guides are available for WAN, Token Ring, FDDI, and Wireless Observer.
After you click OK, the Observer main window is displayed.
Mapping your network
Before Observer can tell you much about your network (especially on the station level), it needs to build a table of the devices
on your network, mapping their MAC addresses to meaningful aliases.
To map aliases, simply click Tools -> Discover Network Names to open the Discover Network Names window:

Select the discovery method. The choices are IP, IPX (Novell) or Msft (Microsoft login name). In this example, we've chosen
IP.
Click . If this is the first time you've run Discover Network Names, you will be prompted for a range of IP addresses.
Observer scans your network for MAC addresses, displaying the devices as it finds them

In the example shown here, we have chosen IP addresses as the discovery method, which can be resolved to their DNS names
by clicking the Resolve IP button. You can also Add..., Delete... or Edit... aliases in the list by clicking the appropriate button.
Click the Save Aliases button so that the other modes will have access to the network device list.

How much bandwidth am I using on my network?


Bandwidth Utilization mode lets you easily see how much bandwidth your network traffic is consuming.
Starting the Mode
To check bandwidth usage, choose Statistics->Bandwidth Utilization from the Observer main menu. You need not press
the start button; the mode starts automatically:


Interpreting the Display
Bandwidth Utilization is calculated by recording the number of bytes seen by the Observer (or Probe) station. By running the
mode at different times under typical network load, you can get an idea of what "normal" utilization is for your network.
Knowing what is normal for your network is key to understanding any analyzer statistical modes and putting them in context.
Once you understand and recognize what is normal for your network, you can easily spot the anomalies if and when they
occur.



How can I find which stations are using the most bandwidth?


Observer's Top Talkers mode lets you see who is using the most network bandwidth, which can show whether a particular
user, station, or application is consuming excessive network bandwidth. View LAN use patterns, detect faulty network
hardware, and determine what percentage of the network's bandwidth potential each system is using, all from one
comprehensive window.
Starting the Mode
Click Statistics -> Top Talkers. As with the other modes, click to begin analysis.

Interpreting the Display
The figure above shows the graph display. To immediately identify the stations using the most bandwidth, sort by %Bytes,
which is done by clicking on that column heading. You can determine whether systems generating the most traffic are servers
(which probably means everything is OK) or user workstations (which could indicate a hardware problem or unauthorized use
of a computer).
You can start a packet capture on any of the listed addresses by right-clicking on that entry. The right click menu also allows
you to "drill down" to list the protocols generated by the selected station.

Is Internet usage the bandwidth hog?



Internet porn, bootlegged music and software files: all of these not only clog network bandwidth with traffic unrelated to
business; they also waste productivity, expose your network to viruses, and subject your company to possible legal problems.
Observer makes it easy to see where your users are surfing, how much data they've downloaded, and what kinds of files are
being downloaded.
Starting the Mode
To check Internet usage, choose Statistics -> Internet Observer from the main menu, and the Internet Observer mode is
displayed. As with the other modes, click to begin scanning:

Interpreting the Display
In graph view (shown above), you can see all the web pages that your users are surfing. Sorting by name shows all your users
in the first column, followed by the list of sites they have visited, with starting times and ending times for each site. You can
easily see if a user's internet usage conforms to your company's policies for such use.


What protocols do I have running on my network?


Printers sending packets out to non-existent Appletalk devices; routers broadcasting messages in protocols that no other
devices understand; these are just two examples of misconfigured devices that could be wasting bandwidth on your network.
Observer makes it easy to see what protocols are being used on your network, and what devices are using them.

Starting the Mode
To see what protocols are running on your network, choose Statistics->Protocol Distribution, then click . Observer
will display a tree of protocols and subprotocols that it senses on your network

Interpreting the Display
You can collapse or expand the tree's subprotocol branches. Statistics for each protocol and subprotocol give you raw bytes
and utilization percentages for each protocol and subprotocol. Look for any protocols that shouldn't be running on your
network (e.g., AppleTalk is listed but you know you shouldn't have any AppleTalk chatter on your network). You can also see if
an expected protocol is generating an unexpected amount of traffic, which may indicate a hardware or configuration problem.
By right-clicking the display, you can jump immediately to a list of stations generating the selected protocol.


Is my WAN link overloaded?


Router Observer mode lets you quickly find out if a router is acting as a bottleneck and, if so, whether the source of the
packets clogging the router are incoming or outgoing (or both).
Starting the Mode
Click Statistics->Router Observer, then press the Settings button. Observer displays a list of devices from which you can
select the router you're interested in looking at. Click on a router and set its speed. Click OK to close the dialog.
Click to begin displaying bandwidth usage statistics for the router:


Interpreting the Display
The top status bar shows router speed and IP address. In Graph view, dials show packets per second, bytes per second, and
the current utilization. Note the bar graph on the right when you are getting user complaints that the network is slow: by
checking the 1 minute, 1 hour, and total bandwidth utilization averages, you can tell whether a bandwidth problem is
temporary or chronic. The listing also shows the numbers by direction (in or out of the router).

What is the error activity on my network?


Observer offers excellent tools to flag and determine the source of CRC errors, alignment errors, and packet size errors on
your network. Observer shows you a broad summary of error activity in the Network Vital Signs display. You can then use
Network Errors by Station to determine which device on your network is causing the problem so that you can investigate
further.
To get a broad look at network health along with a summary of errors, choose Statistics->Vital Signs from the Observer
main menu. The mode starts automatically. Here is what Dial view looks like:

Interpreting the Display
The Network Vital Signs mode shows current error conditions on your LAN mapped against bandwidth usage, with a gray
"shadow" showing you an image of the reading taken immediately prior to the current reading. The shape and color of the
spiral line graph give you an all-in-one, easily recognizable "signature" of key activities unique to your network. Though the
normal shape for a healthy network is quite variable, there are three possible overall states for the line graph to represent:
All yellow lines indicate that there wasn't enough activity for any significant error counts. In other words, the network
is basically idle.
All green lines indicate that network activity and error counts are within threshold values that you can change by
clicking the Settings button.
A combination of red and blue lines means trouble, the red lines flagging error counts above a threshold.
The example above shows two Network Vital Signs displays in a sequence. The first display shows a relatively idle network (all
yellow lines).
The second display shows some significant problems developing with CRC and alignment errors; you may want to find out
where they are coming from by running the Network Errors by Station mode (described in the next section).
As with other statistical modes, Vital Signs will be more useful to you as you gain experience with what error and utilization
rates are typical at your site.
Once familiar with your network's "signature," you will be able to immediately notice spikes in utilization and error activity as
they occur. If you see an unusual divergence from the typical Vital Signs signature for your network, you can then use
Network Errors by Station to pinpoint the source of the anomaly. This mode is described in the next section.

What devices are generating errors on my network?


To pinpoint errors displayed by Observer's statistical modes, choose Statistics->Errors by Station. Here is what List view
looks like:

As with the other Observer tabular displays, you can change the sort order and criteria by clicking on any of the column
headings. For example, if you're following up on CRC errors you noticed in the Network Vital Signs display, click on the CRC
errors column to see your stations listed by top CRC offenders.
You can start a packet capture on any of the listed stations by right-clicking on that line of the display. This displays the filter
dialog (See "How do I apply filters when capturing packets?")
Capturing and decoding packets is described in the next section.


How do I capture and decode network traffic?


Now that you've seen some of the statistical modes offered by Observer, it's time to take a more detailed look at your network
protocols. Every protocol analyzer captures and decodes network traffic, but none do it better than Observer.

Starting the Mode
Choose Capture->Packet Capture from the Observer menu, then click . The graph shows you the amount of traffic
being captured:

The cyan line shows the total number of packets; yellow shows the number of packets being captured. Unless there are filters
in effect, the yellow line should cover the cyan line. This is a handy verification that you're capturing the percentage of traffic
that you intend to capture. The graph also shows any dropped packets as a red line (which is usually zero). Dropped packets
mean that something is wrong with the system running Observer; either it is not fast enough to keep up with traffic, or it is
misconfigured in some way. If you see dropped packets you should check your hardware for conflicts and make sure that
system processing power meets the minimum requirements for Observer.
Viewing the decoded packets
At any time during the capture, you can press the Decode button to open the Decode window; you can also choose Mode
Commands -> View from the Observer main menu. Once you do so, the decode window is displayed:

Decodes are displayed in the industry standard 3-panel format:
the packet header pane
the decode pane
the raw packet display pane
How do I apply filters when capturing packets?
To configure and apply a filter, choose Actions->Filter Setup for Selected Probe from the Observer main menu. The
Add/Edit/Select Filter dialog is displayed:

Click New... to create a new filter. The filter rule editor is displayed:

Right-click on the Address Rule and choose Edit... to display the address rule setup dialog.

The dialog above shows a filter that will capture any traffic from or to IP address 176.169.151.70. Click OK to close the setup
dialog and apply the rule.
Address rules are just one of the several types of rules you can create. In addition, you can chain multiple rules together with
logical operators to precisely capture the traffic that you are interested in (for example, you can filter for CRC errors sensed on
port 80 within a range of IP addresses). Refer to the Observer Reference Guide or online help for details on creating and
applying filters.
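As an added example, not code from the Observer product or from this guide, the following Python computes over a small constructed capture the figures the statistical modes above report (Bandwidth Utilization, Top Talkers %Bytes, Errors by Station, the three Vital Signs states) and applies the from-or-to address rule just described. The link speed, sampling interval, thresholds, the per-sender definition of %Bytes and the sample frames are all assumptions.

```python
"""Added example: Observer-style statistics over a constructed capture.
Not Observer code; link speed, interval, thresholds and frames are assumed."""
from collections import Counter

# Constructed sample capture: (src_ip, dst_ip, frame_bytes, crc_error)
CAPTURE = [
    ("10.0.0.5", "176.169.151.70", 1500, False),
    ("176.169.151.70", "10.0.0.5", 64, False),
    ("10.0.0.7", "10.0.0.9", 1200, True),
    ("10.0.0.9", "10.0.0.7", 600, False),
    ("10.0.0.5", "10.0.0.9", 900, False),
]
LINK_BPS = 10_000_000        # assumed 10 Mb/s Ethernet segment
INTERVAL_SECONDS = 1.0       # assumed sampling interval

def bandwidth_utilization(frames, link_bps=LINK_BPS, interval=INTERVAL_SECONDS):
    """Percent of link capacity used: bytes seen in the interval * 8 / (bps * s)."""
    total_bits = sum(size for _, _, size, _ in frames) * 8
    return 100.0 * total_bits / (link_bps * interval)

def top_talkers(frames):
    """%Bytes per sending station (assumed definition), highest first."""
    sent = Counter()
    for src, _, size, _ in frames:
        sent[src] += size
    total = sum(sent.values())
    table = [(station, round(100.0 * b / total, 1)) for station, b in sent.items()]
    return sorted(table, key=lambda row: row[1], reverse=True)

def errors_by_station(frames):
    """CRC error count per sending station, top offenders first."""
    return Counter(src for src, _, _, crc in frames if crc).most_common()

def address_filter(frames, address):
    """The address rule from the page: keep frames from OR to the address."""
    return [f for f in frames if address in (f[0], f[1])]

def vital_signs_state(utilization_pct, crc_errors, idle_pct=0.5, crc_threshold=0):
    """Map the three Vital Signs states onto assumed thresholds."""
    if utilization_pct < idle_pct:
        return "yellow"   # too little traffic for meaningful error counts
    if crc_errors > crc_threshold:
        return "red"      # error count above threshold: check Errors by Station
    return "green"        # activity and error counts within thresholds

if __name__ == "__main__":
    print(f"utilization: {bandwidth_utilization(CAPTURE):.3f}%")
    print("top talkers:", top_talkers(CAPTURE))
    print("filtered:", len(address_filter(CAPTURE, "176.169.151.70")), "frames")
```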

How do I set up Observer to notify me of various network conditions?


Observer can be configured to automatically notify you of various network errors and conditions that might point to impending
trouble. You can have the message sent to the console or to an email address; you can even have Observer page you.
Starting the Mode
To set up the triggered notifications, choose Alarm Settings from the button bar near the bottom of the Observer main
window, right on top of the log display. A list of available Probes is displayed. Check the boxes next to the Probes for which
you want to set alarms, then click the Selected Probe Alarm Settings button to display a list of available alarms.

Check the boxes to the left of the alarms that you want to set. When you are done, click the Triggers tab to set thresholds
that will trigger the selected alarms:

After you have set the threshold values, click the Actions tab to specify what sort of notification or other action you want
triggered when an alarm threshold has been exceeded:

When you have all the tabs set up the way you want them, click OK to apply the changes and close the setup dialog. The
event log window along the bottom of the Observer main window shows alarm activity as it occurs:
