Ethereal-users: RE: [Ethereal-users] help needed

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 5 Feb 2003 19:21:26 -0000
Nancy,

From: nancy d wallace [mailto:nancyd@xxxxxxxxxxxxxx] 
> i work for a school district and we are experiencing network 
> bogg-downs (is that a word)

> i desperately need help setting up ethereal on my laptop to 
> sniff out traffic -- my router is directly connected to a 
> 3com 3300 switch -- i would like to set the laptop up to 
> mirror the ports on the switch one at a time so i can tell 
> where the heavy traffic is coming from

I presume by bogg-downs you mean your users get poor performance. Ethereal
can be an excellent tool to use when diagnosing poor performance. However
there are a few more rudimentary tests that I would suggest investigating
before trying to use a sniffer.

- Are you sure this is a network performance issue?
- Is performance slow for only one server or workstation, or do all users of
this switch suffer?
- Is there a problem only for traffic across the router?
- Is performance slow randomly, during work peak times (or lunchtime web
browsing)?

[My e-money's on the router's WAN link being full]

I am not familiar with the 3Com 3300 switch, but I would suggest:
- Log onto the switch and router and see whether any of the ports have high
utilisation while performance is bad. 
- Do these ports still have high utilisation when things are OK?
- Install an SNMP collection tool to monitor the switch and the router. I
thoroughly recommend MRTG to do this:
	http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
- Try to marry up which users have poor performance to which users have high
network utilisation or have a high number of broadcast frames.
- Try pinging various IP addresses within your site and across your WAN.
That will help tell you whether only one remote machine is slow or whether
every remote site is affected.

Once you know which port (or ports) are "interesting", check out what the
connected user or server of this port is doing while performance is bad. Are
they playing Quake VI or downloading the whole of ftp.mirror.ac.uk?  You
seem to be running Windows so check the eventlog and PerfMon counters on
these boxes.  

If you're still stumped, then, and only then, would I recommend you run a
trace. But even then you have to be pretty confident you know what you're
looking for. There's a whole universe of possible causes for the problems
you are experiencing [e.g. DNS errors, TCP Resets, Broadcast storms,
undersized packets, erratic latency, packet loss, OSPF route flaps, a
plethora of DoS attacks], and Ethereal can show you them all, but only if
you know what you're looking for.  There's only one way to learn however, so
jump in if you feel like it. 

I'll suppose you've got this far and you still think a network trace is
required:

> i have set the ports up on the switch (one to be monitored and 
> one to do the analyzing -- 3com terms for this) -- i have loaded 
> ethereal and received messages that winpcap was needed -- i downloaded 
> that and loaded it and now whenever i execute ethereal, i don't know what
> to set

I'm not quite sure what your problem is here.  Does Ethereal capture?
[Capture - Start then select OK. ] Do you want to know what sort of capture
filter to set? I'd suggest you should start off without a filter and collect
everything. Only once you've seen what's going on on your LAN should you
begin to play with filters.

This email list is specifically for questions about Ethereal rather than
general network performance analysis. If you are still having problems with
Ethereal please re-phrase your question.  If you have any questions about
the general performance analysis suggestions I've given above, then they
would probably be best addressed off list.

HTH

Alistair
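
The counter arithmetic behind the port-utilisation and broadcast checks suggested in the message above, as an added example that is not part of the original post: it takes two polls of the standard MIB-II interface counters (ifInOctets, ifOutOctets, ifInNUcastPkts, ifSpeed) and ranks ports by utilisation, allowing for a Counter32 wrap between polls. The port numbers, counter values, 300-second interval and function names are constructed for illustration.

```python
# Constructed sample data: two polls of MIB-II interface counters taken
# 300 seconds apart. Ports, speeds and counter values are invented.
COUNTER32_MOD = 2 ** 32
INTERVAL_S = 300

POLL_1 = {
    1:  {"ifSpeed": 100_000_000, "ifInOctets": 1_000_000,
         "ifOutOctets": 500_000, "ifInNUcastPkts": 100},
    7:  {"ifSpeed": 100_000_000, "ifInOctets": 2_000_000,
         "ifOutOctets": 1_000_000, "ifInNUcastPkts": 5_000},
    12: {"ifSpeed": 10_000_000, "ifInOctets": 4_294_000_000,
         "ifOutOctets": 10_000_000, "ifInNUcastPkts": 1_000},
}
POLL_2 = {
    1:  {"ifInOctets": 4_000_000, "ifOutOctets": 900_000,
         "ifInNUcastPkts": 400},
    7:  {"ifInOctets": 2_600_000, "ifOutOctets": 1_200_000,
         "ifInNUcastPkts": 365_000},
    12: {"ifInOctets": 300_000_000,      # counter wrapped past 2**32
         "ifOutOctets": 50_000_000, "ifInNUcastPkts": 2_500},
}

def delta(old, new):
    """Difference between two Counter32 readings, allowing for one wrap."""
    return (new - old) % COUNTER32_MOD

def port_report(first, second, interval_s):
    """Per-port utilisation (%) and non-unicast packets/s, busiest first."""
    rows = []
    for port, a in first.items():
        b = second[port]
        in_bits = delta(a["ifInOctets"], b["ifInOctets"]) * 8
        out_bits = delta(a["ifOutOctets"], b["ifOutOctets"]) * 8
        # Report the busier direction against the port's nominal speed.
        util = max(in_bits, out_bits) / (interval_s * a["ifSpeed"]) * 100
        nucast = delta(a["ifInNUcastPkts"], b["ifInNUcastPkts"]) / interval_s
        rows.append({"port": port, "util_pct": round(util, 1),
                     "nucast_pps": round(nucast, 1)})
    return sorted(rows, key=lambda r: r["util_pct"], reverse=True)

if __name__ == "__main__":
    for row in port_report(POLL_1, POLL_2, INTERVAL_S):
        print(row)
```

In this constructed data port 12 is the saturated link and port 7 is the source of heavy broadcast or multicast traffic, which are the two kinds of "interesting" port to mirror first.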





