📄 ethload user's guide.txt
promiscuous mode, you should not use this option.

5.10. Filter: -f.

By default, ETHLOAD analyzes (or records) all received frames. If you want to analyze (or record) only specific frames, you must use the filter option to specify:

- the IEEE 802.2 LLC SAP to analyze: -fhh where hh are two hexadecimal digits specifying the SAP value for both the DSAP and SSAP (see file SAPS for more details);
- the Ethernet type or DoD SNAP type to analyze: -fhhhh where hhhh are four hexadecimal digits specifying a type (see file TYPES for more details);
- the MAC source or destination addresses to analyze: -fhh-hh-hh-hh-hh-hh where hh are hexadecimal digits of the MAC address.

5.11. Buffers in memory: -m.

For some datalink drivers (ODI, NDIS, packet driver), the datalink driver can benefit from having several buffers to put frames in at hardware interrupt time, allowing ETHLOAD to analyse them afterwards. With the current version of ETHLOAD, the default is to use a single buffer. The maximum number of buffers to be allocated is 5.

Please note that the use of several buffers may lead to a problem: ETHLOAD in some cases may analyse frames out of order. So, event histories can be disordered and timestamps can be slightly false.

After quitting ETHLOAD, the number of buffer misses is displayed; this is the number of times that a frame was not analysed because no buffer was available. The allocated queue size is also displayed together with its maximum size. As a rule of thumb, you should increase the number of buffers until there are no buffer misses.

Remark: with ODI, if a protocol stack is used while ETHLOAD is running, these buffers are not used and there can be only one frame received at a time.

* * * * * *

6. The different screens of ETHLOAD

6.1. Introduction

6.1.1. Screen layout

The different screens displayed by ETHLOAD all have the same design:

- the top line is just a copyright notice + version identification + percentage of dropped frames due to internal buffer shortage (either in ETHLOAD or in the data link driver or even in the Ethernet controller);
- in the top right corner a character is flipping from '+' to '-' as frames are received;
- the character on the left of the '+/-' flip-flop is displayed as a 'P' when ETHLOAD is processing a frame, else it is a space;
- the second line is a summary of all commands available for this screen;
- if the real time trace option was specified in the command line, the bottom line displays the first bytes of the last received frame:
  * six bytes of MAC destination address;
  * six bytes of MAC source address;
  * two bytes for either DIX packet type or for IEEE 802.3 frame length;
  * a few bytes of data.
- on a Token Ring, the ring status is displayed in RED on the top line when the ring is beaconing or being purged.

All screens are automatically refreshed every measure interval (5 seconds by default) to reflect the current statistics or table contents. You may also press the SPACE key to refresh the screen.

6.1.2. Commands.

You can enter a single character command. The case of the character is ignored. Two commands are always recognized:

- 'Z' or '0': for resetting all statistics of ETHLOAD to zero and clearing all tables. Note that all statistics are cleared and not only the ones currently displayed;
- 'X' or <ESC>: for leaving the current screen and getting back to the previous menu.

On some screens a large table is displayed: ARP table, ... As these tables are larger than the 23 lines of display available, you have to use the PgUp (or F8) and PgDn (or F7) keys to scroll between the different pages; the keys Home and End will display the first and the last pages.
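
The three -f forms from section 5.10, applied to the frame prefix that the real time trace line shows (destination, source, type or length), as an added example that is not ETHLOAD's own code. The function names and the sample frames are constructed for illustration; reading -fhh as "DSAP and SSAP both equal hh" and "DoD SNAP" as LLC AA-AA-03 followed by OUI 00-00-00 are assumptions.

```python
import re

HEX2 = "[0-9A-Fa-f]{2}"
def parse_filter(spec):
    """Turn the text following -f into a (kind, value) pair."""
    if re.fullmatch(HEX2, spec):
        return ("sap", int(spec, 16))
    if re.fullmatch(HEX2 * 2, spec):
        return ("type", int(spec, 16))
    if re.fullmatch(f"{HEX2}(-{HEX2}){{5}}", spec):
        return ("mac", bytes.fromhex(spec.replace("-", "")))
    raise ValueError(f"unrecognised filter: {spec!r}")

def classify(frame):
    """Return (dst, src, sap, ftype); sap and ftype are None when absent."""
    if len(frame) < 14:
        raise ValueError("shorter than a MAC header")
    dst, src = frame[0:6], frame[6:12]
    field = int.from_bytes(frame[12:14], "big")
    if field >= 0x0600:                   # DIX: the field is the packet type
        return dst, src, None, field
    if len(frame) < 17:                   # 802.3 length, LLC header cut off
        return dst, src, None, None
    dsap, ssap, ctrl = frame[14:17]
    sap = dsap if dsap == ssap else None  # assumption: -fhh needs DSAP == SSAP
    ftype = None
    # Assumption: "DoD SNAP" is LLC AA-AA-03 followed by OUI 00-00-00.
    if (sap, ctrl) == (0xAA, 0x03) and len(frame) >= 22 and frame[17:20] == bytes(3):
        ftype = int.from_bytes(frame[20:22], "big")
    return dst, src, sap, ftype

def matches(spec, frame):
    kind, value = parse_filter(spec)
    dst, src, sap, ftype = classify(frame)
    if kind == "mac":
        return value in (dst, src)        # source or destination address
    return (sap if kind == "sap" else ftype) == value

# Constructed sample frames (not captured traffic); the MAC address is made up.
SRC, BCAST = bytes.fromhex("020000000001"), b"\xff" * 6
SAMPLES = {
    "dix_ip":   BCAST + SRC + bytes.fromhex("0800") + b"\x45" + bytes(19),
    "llc_e0":   BCAST + SRC + bytes.fromhex("0003" "e0e003"),
    "snap_arp": BCAST + SRC + bytes.fromhex("0008" "aaaa03" "000000" "0806"),
}

def select(spec):
    """Names of the sample frames that a given -f value would keep."""
    return [name for name, frame in SAMPLES.items() if matches(spec, frame)]
```

Calling select("0806") keeps only the SNAP-encapsulated frame, while select("0800") keeps only the DIX frame: the same four-digit form covers both encapsulations, which is why the type/length field has to be classified first.
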
The NumLock key is used to switch between numeric address format (when NumLock is lit) and symbolic name (when NumLock is not lit).

6.1.3. Data display.

Three common displays are often used:

- top of sorted table display;
- raw table display;
- history of events display.

The 'top display' consists of a title beginning with 'Top of...' and displays the contents of an internal table sorted from the highest frequency down to the lowest frequency. An example of such a display is the display of MAC Transmitter.

The percentage displayed before each line is relative to:

- the number of frames relevant for this screen;
- the number of frames analyzed by ETHLOAD;
- the estimated bandwidth used relative to the raw LAN bandwidth (10 Mbps for Ethernet).

For instance, if during 10 seconds on a 10 Mbps Ethernet there were 1000 DECnet packets and 1000 IP packets and within these 1000 IP packets there were 100 UDP packets, the IP protocol screen will display for the UDP protocol (assuming a mean packet length of 1000 bits):

- 10% (i.e. 10% of IP packets are UDP datagrams);
- 5% (i.e. 5% of frames are UDP datagrams);
- 0,1% (i.e. 0,1% of the Ethernet bandwidth is used by UDP datagrams).

A reference is also displayed by indicating how many frames represent 100%. The user can switch from one display to another by pressing the '%' key.

As all counters are 32 bits, they are limited to about 4E+9 frames. Once they reach this upper bound they are stopped and the whole table is kept unchanged. The time of this table overflow is then displayed in red. As the table is limited in size, when the table is filled, this is displayed by a yellow message on the top of the screen.

Each line of a 'top display' consists of:

- percentage (e.g. the percentage of Ethernet frames transmitted by the displayed Ethernet node with respect to the total number of Ethernet frames);
- display of the node (e.g. Ethernet MAC address with perhaps the corresponding host name of DECnet address);
- a bar graph for visual representation (resolution 2.5%).

The 'raw table display' is just the display of an unsorted internal table. An example is the display of the ARP table. Each line of a 'raw table display' consists of two values (e.g. the Ethernet MAC address associated with an IP address).

The 'event history' is used to display a chronological log of events (e.g. the list of ICMP requests). Each line of an 'event history' consists of:

- a time stamp in the form hh:mm:ss.hh;
- a description of the event.

6.1.4. Accuracy

A final remark must be made on the accuracy of the figures:

- some packets are lost, so the load is always higher than indicated if you are using a slow Ethernet controller or an inefficient driver;
- ETHLOAD relies on the MS-DOS timer which has a resolution of about 50 msec; moreover, if the network load is high and you have an underpowered CPU, some timer ticks can be missed;
- if you are running with IRQ disabled (i.e. without the -f option), some datalink drivers can miss frames without further notification, so the drop percentage is always higher than the one displayed by ETHLOAD.

To summarize, ETHLOAD gives reliable figures on a medium loaded Ethernet (10% ?) and on a correct CPU 80386dx 25 MHz. In all other cases, ETHLOAD can only indicate that your Ethernet is probably heavily loaded and you will have to buy an expensive LAN analyzer!

Moreover, all tables have a maximum size, so it may occur that on a medium or large LAN some tables are filled. This is indicated on the screen. E.g. the MAC flow table will probably be more or less useless on a LAN with more than 50 stations.

Version 2.0 of ETHLOAD will:

- drop fewer frames due to an ordered multi-buffered scheme (only for NDIS and ODI);
- use a finer timer.

6.2. MAC Level screen

The MAC level screen can be divided into two parts:

- three statistics summaries: last five seconds, busiest five seconds, cumulative;
- VU-meter of the peak and current load.

6.2.1. MAC Summary

Important figures are displayed for three important samples:

- the last five seconds;
- the busiest five seconds, i.e. the five seconds period when the Ethernet load was the highest;
- the cumulative since the start of ETHLOAD or the last reset.

For all these samples, the following figures are displayed:

- total number of Ethernet frames: the mean interframe gap is also displayed if available;
- total number of bytes of data: i.e. MAC header + MAC data (the FCS and preamble are not taken into account) and the load of Ethernet in % of the 10 Mbps bandwidth of Ethernet;
- the number of frames containing errors + rate of error per second.

As the internal counters are 32 bits, counters are bounded to about 4E+9 frames/bytes. Once the counters reach this count, they are stopped and displayed as ******.

If the datalink driver supports error differentiation (namely all but packet driver), the kind of error is also indicated:

- CRC error (cabling problem ?);
- too long packet (babbling transceiver or controller);
- too short packet (garbage of collision).

If you are using the ODI datalink driver, by using the 'E' command you have access to the MAC source address of faulty Ethernet frames (by the way, don't be amazed by unknown MAC addresses because even the source address can be faulty in faulty frames... especially for runt frames).

6.2.2. MAC VU-meter

The VU-meter is at the bottom of the screen and is graduated in Mbps. The '>' is the peak marker, i.e. the highest load on five seconds since ETHLOAD has been started or reset. The bar is the last five seconds marker. The color of the peak marker and of the bar changes with respect to the load:

- green under 1 Mbps;
- yellow under 5 Mbps;
- red over 5 Mbps.

6.2.3. MAC Commands

The MAC level screen has two main commands:

- 'Q' to quit ETHLOAD and get back to MS-DOS (a confirmation is requested);
- 'P' to go to the Protocol screen (to choose between IP, XNS, OSI, DECnet, Netbeui).

6.3. TCP/IP screens

In short, you can display:

- ARP: table of the mapping between IP addresses and MAC addresses (can be used to detect two hosts sharing the same IP address), the last ARP packet, the ARP senders, the requested IP addresses;
- the IP fragmenters and the size of fragments, i.e. the IP hosts that transmit fragmented datagrams (should be empty !);
- important information about IP hosts: largest MTU (Maximum Transmit Unit) seen, missing IP datagrams (should be zero if host is on the same LAN and has only one interface), repeated IP datagrams (could indicate faulty transceiver or SQE test enabled where it shouldn't be), minimum and maximum TTL (Time To Live) seen from this host;
- ICMP: the last ICMP datagrams, the senders of ICMP datagrams;
- mostly used protocols: UDP, TCP, ...;
- TCP: events (connection request, end of connection), connections, most used services (ports), important events for SMTP and POP, monitoring Telnet connections, ...;
- UDP: associations, most used services (ports), important events for BOOTP and TFTP, ...

6.4. DECnet screens

In short, you can display:

- Connect Initiate (with nearly all fields including objects, ...) history;
- Disconnect Initiate history;
- Returned frames by a router because the end-node is no longer reachable;
- Top nodes (classified by transmitters and receivers): not to be confused with the MAC layer transmitters/receivers. On the MAC screens, DECnet routers usually represent a very high percentage but on the DECnet network layer screen, DECnet routers usually represent nothing and you can see remote DECnet addresses (i.e. some DECnet nodes on remote LAN).

6.5. OSI screens

In short, you can display: