Software Product Description
Dr. WATSON (DWTNDA)
The Network Detective's Assistant v1.2
by EMPIRICAL Tools & Technologies
http://www.cavebear.com/archive/dwtnda/
Overview
Dr. WATSON, The Network Detective's Assistant, is an integrated software program
designed to place a wide range of powerful network diagnostic tools at its user's
fingertips. It can be used to install, configure, troubleshoot and maintain
multiplatform, geographically dispersed computer networks.
Dr. WATSON is based on many years of practical experience with real networks and
internetworks. After years of building and operating networks, such as the Interop show
network, the authors of Dr. WATSON created a package containing the tools they always
wished they had.
Dr. WATSON was recognized by LAN Magazine as the product of the year in 1994 for
network testing and diagnosis.
Dr. WATSON consolidates enhanced tools of proven use into a unified system that is
easy to use, highly mobile, and can be used remotely in conjunction with third-party
remote utility software.
Dr. WATSON is a collection of sophisticated tools intended to be used by people
who have a firm knowledge of TCP/IP and NetWare networks.
Dr. WATSON was specifically designed to operate on standard IBM PC/AT compatible
computers, including "laptop" and "notebook" models, running under the
MS-DOS operating system, and equipped with almost any standard Ethernet adapter. No
unusual operating systems or specialized hardware is needed. Because Dr. WATSON can
operate on highly portable, battery powered notebook computers, it is easily carried to
wherever it is needed.
With appropriate software "shims", Dr. WATSON may also be used on
Windows 95, even while another TCP/IP stack is running.
Dr. WATSON attaches to a network by means of an Ethernet connection. It is not,
however, limited by the extent of the Ethernet. Rather, Dr. WATSON is able to reach
out over the user's internet to probe devices no matter what their location.
Dr. WATSON is intended to be used on networks of any size. There is no inherent
upper bound on the size of the network. Dr. WATSON was developed on the Internet, the
world's largest computer network.
Dr. WATSON has very little startup delay; it can be put to work within seconds.
How Dr. WATSON Operates
Dr. WATSON interoperates with other network devices using the TCP/IP and Novell
NetWare protocols. It is an active device, sending packets to other computers on the
network and responding to packets received. Although Dr. WATSON does contain a tool
to view traffic, it is not a mere protocol analyzer. Instead, Dr. WATSON deals with the
network by interacting with it rather than simply viewing it. As such, Dr. WATSON is
capable of substantially more sophisticated forms of information gathering and problem
analysis than popular network analysis tools.
By means of these interactions, Dr. WATSON is able to perform a number of tests on
behalf of the user. These tests allow the user to:
- Take a census of devices on the network.
- Perform a wide range of TCP/IP reachability tests, both on the local LAN and across a
WAN.
- Perform SNMP queries.
- View network traffic.
- Use the Domain Name System to resolve host names and addresses.
- Examine routing information provided by routing protocols.
In addition, Dr. WATSON is able to act as an easily configured host. As such,
Dr. WATSON can act as a target for protocol interactions and SNMP queries initiated
by other computers.
Network Detective and the Toolbox
Dr. WATSON contains two distinct elements: Network Detective and the Network
Detective's Toolbox. Both the toolbox and Detective are wrapped into a single program. The
Network Detective, using both passive and active methods, operates without user
intervention to discover and identify devices on the network. The user can control many of
the Detective's operating parameters including the rate of packet generation, methods of
inquiry used, and scope of inquiry. Detective data may be made visible on screen as it is
collected and is also recorded in a file for subsequent analysis.
Once the Network Detective identifies a device, it builds a database entry for that
device. This entry grows over time as the Network Detective learns increasingly more about
the device. Among the information which the Network Detective may place into the database
are:
- MAC, IP, and IPX addresses
- IP Subnetwork masks
- DNS host names
- SNMP system information
- NetWare server names
- Network services offered
- Network services used
- Unusual or illegal characteristics exhibited
The Network Detective's Toolbox consists of a collection of sophisticated user driven
tools that initiate specific tests. The user may have many separate tests running at the
same time. There is no need to wait for one test to complete before starting the next. To
facilitate subsequent review, test results are recorded in a log.
Among the tools found in the Network Detective's Toolbox are:
- ARP (Address Resolution Protocol)
- PING
- Traceroute
- Domain Name System (DNS) resolvers
- Network traffic watch
- SNMP MIB browser/manager (client)
- SNMP agent (server)
- Routing protocol clients
- Packet Generators
These tools are described in more detail later in this document.
Network Detective
Dr. WATSON's Detective is an automatic tool which will discover devices on the
network and perform inquiries to build a database describing the existence of each device
and its characteristics.
- Real-time update of information windows. Dr. WATSON lets the user watch as the
information base grows.
- Automatically discovers network devices.
- Acquires additional data about each device from that device and from third party devices
(e.g. from name servers). Dr. WATSON is "protocol smart" and knows how to
interact with devices to obtain information.
- User control over use of detection modes. Dr. WATSON's methods of investigation may
be constrained by the user to comport with local rules.
- User control over methods used to acquire additional data. Dr. WATSON is able to
engage in more extensive investigation if permitted by the user. In particular, the user
may permit Dr. WATSON to discover and analyze devices which may lie outside the
user's own network.
- All information is immediately visible on the screen.
- User may selectively override restrictions on investigation. The user may instruct
Dr. WATSON to override previously imposed limits on its investigation of specific
devices.
- Displays are indexed by IP address, MAC address, and IPX address. Dr. WATSON makes
its database available through windows which show each device by its address types. For
example, the MAC address window displays all devices in the database according to their
48-bit MAC address. Double clicking on that item will show the user everything that
Dr. WATSON is learning about that item. For example, when an item is initially
displayed, the only information available is the address. Then, as Dr. WATSON learns
more about the device and performs inquiries, additional information will become visible.
Such information may include hostnames, data derived from SNMP MIBs, IP subnet masks,
protocols used, whether the device is communicating outside the organization, etc.
- Data is appended to a permanent, ASCII disk file which may be subsequently incorporated
into a database of the user's choice or manipulated by standard text tools and
spreadsheets. In addition, the data may serve as a baseline for security audits to
determine the presence of otherwise unknown devices or devices which are unexpectedly in
communication with outside sites.
Reachability tools:
The single most important task of a network is to carry data from one location to
another. Dr. WATSON includes a rich set of reachability tools which can be used to
determine whether it is possible to "reach" across the network to communicate
with another device.
- ARP. The Address Resolution Protocol (ARP) is one of the most fundamental
reachability tools. It operates at a very low level within most protocol stacks and often
reflects whether a computer is operating at its most fundamental level regardless of
whether that computer is offering higher level protocol services. On most other systems
ARP occurs only as a side effect of other network operations and is not directly under
user control. Dr. WATSON allows the user the means to perform ARP transactions under
controlled and repeatable conditions at any time.
- User control over repetition rate and interval.
- User control over address fields.
- ARP not only provides MAC address information, but also serves as a basic reachability
test.
- Dr. WATSON's ARP table is visible to the user as a table in its own window which is
updated, in real-time, as ARP activity occurs on the network.
- PING. Ping is a shorthand term covering a wide variety of means to
"bounce" a packet off a remote device. Unlike ARP, Ping is able to reach across
routers. Dr. WATSON's PING tool gives the user a multiplicity of means to
"bounce" packets off other network devices. The user is thus able to generate
network traffic load and to determine round trip times, packet size sensitivity of the
underlying communications path, packet loss rates, UDP server existence and other
important data about the network or other devices. Unlike most PING implementations found
on other systems, Dr. WATSON's PING tool supports ICMP, UDP, and SNMP.
- ICMP, UDP, and SNMP variations. Ping is most often performed as an Internet Control
Message Protocol (ICMP) transaction. However, Dr. WATSON supports UDP and SNMP as
alternate methods. This repertoire of forms allows the user to do more than merely
determine whether a remote node is responding. The user is able to do a detailed profile
of the remote device to ascertain what services that device supports.
- Variable repetition interval. Dr. WATSON gives the user means to schedule repeated
pings with millisecond precision.
- Variable size and content. Dr. WATSON allows the user to specify how much data each
ping is to contain and the form of that data. This is useful to detect packet size and
data pattern sensitivity of underlying communications media.
- Periodic summary reporting. Dr. WATSON supports periodic reporting of ping
activity. This facilitates unattended operation during long reachability testing sessions.
- TRACEROUTE. Modern internetworks usually have a multiplicity of potential paths
between any two devices. Dr. WATSON's traceroute capability allows the user to
explore and discover the actual path taken by packets as they traverse the network and
will discover whether there are any links with packet size restrictions.
- Method and function similar to BSD traceroute
- Variable data size, maximum TTL and UDP port number. Dr. WATSON gives the user
means to limit or extend the normal traceroute function.
- Path Maximum Transmission Unit (MTU) discovery. Dr. WATSON uses Internet
standard algorithms to ascertain the approximate maximum size packet which can flow over a
given path without being fragmented.
- Packet watch window. It is very useful for a user of Dr. WATSON to be able
to look onto a LAN segment to see whether it is carrying traffic and, if so, what kind of
traffic it is. Dr. WATSON's packet watch window provides this.
- Moderate degree of packet decoding. Dr. WATSON's packet watch window is designed
for the most common need of simply seeing whether traffic exists and for base level
traffic characterization.
- Does not display passwords or other sensitive data. Dr. WATSON does not make this
information available to eavesdroppers.
- SNMP agent (server). Dr. WATSON is an IP host and is visible to an SNMP
manager station. Dr. WATSON's embedded SNMP agent supports MIB I and MIB-II.
- Supports GET, GETNEXT, and SET requests
- User control of community strings.
- User control of sysDescr, sysLocation and sysContact variables.
- SNMP manager (client): Dr. WATSON contains an SNMP manager.
- Reads MIB I and MIB-II groups.
- Domain Name System (DNS) resolver: Dr. WATSON is integrated with the widely
deployed Domain Name System. Control of DNS name services is given to its users and to
internal software. DNS services included are:
- Converts DNS name to IP address.
- Converts IP address to DNS name.
- Supports multiple, ordered name servers.
- Local host file format is the same format as that used by Unix and other
systems, including most TCP/IP packages for IBM PC/AT computers. Dr. WATSON is able
to operate on networks which lack DNS services. In lieu of DNS, Dr. WATSON can
perform name to IP address and IP address to name mappings using a text file database.
- Routing protocol clients. Dr. WATSON displays its IP routing table as a
simple to understand table in a window. This table changes in real-time as it learns new
information from the routing protocols which are active. The user is able to immediately
see routing storms, phantom routers, and the like.
- Visible, dynamic and user-alterable ARP and Routing tables. Dr. WATSON
displays important network data, in tabular form, which instantly changes as the network
operates. Real-time, visible changes can be seen on screen. For example, the user may
watch the routing table to observe the real-time effect of routing protocol activity. All
table entries can be added to, modified or deleted as desired.
- Visible and immediately user-alterable configuration. Changes to
Dr. WATSON's configuration have immediate effect. The user may, for example, change
IP address, subnet mask or host name. Among the items which may be altered in real time
are:
- IP parameters (address, subnet mask, host name, domain name, etc.).
- IP Routes.
- IPX internal network numbers.
- SNMP agent data (sysDescr, sysContact, sysLocation).
- DNS servers used.
- Packet Generators. Dr. WATSON's packet generators give the user means to generate
certain packet types under controlled and repeatable conditions. These are powerful tools
when working with hosts that appear to have ARP and routing anomalies. The packet types
generated are:
- ARP reply
- ICMP subnet mask request
- ICMP redirect
- ICMP Router Discovery solicitation
Features
- Supports TCP/IP. Dr. WATSON contains a rich set of protocols from the TCP/IP
protocol suite. These protocols give Dr. WATSON the means to be more than a mere
network monitor. Dr. WATSON can directly interact with other TCP/IP hosts on the
network. The following list enumerates the TCP/IP capabilities incorporated into
Dr. WATSON:
IP over Ethernet | RFC894
Address Resolution Protocol (ARP) | RFC826
IP (Including subnets and classless routing.) | RFC791, RFC950
Internet Control Message Protocol (ICMP) | RFC792
Simple Network Management Protocol (SNMP). (Agent and manager roles are supported.) | RFC1157, RFC1155
User Datagram Protocol (UDP) | RFC768
Domain Name System (DNS) | RFC1034, RFC1035
Routing Information Protocol (RIP) | RFC1058
Path MTU Discovery | RFC1191
Router Discovery Protocol | RFC1256
Subnet Mask Request | RFC950
Echo Protocol | RFC862
MIB-II | RFC1213
- Supports Novell NetWare. Dr. WATSON currently supports the following
protocols used in Novell NetWare to the extent needed to obtain addresses and server
information.
- Supports Digital LAVC. Dr. WATSON supports Digital's Local Area VAX Cluster
protocol to the extent needed to identify clusters and the hosts in each cluster.
- May be used to generate network traffic load. Dr. WATSON is capable of
generating various forms of network traffic loads. In one mode, Dr. WATSON directly
interacts with other hosts on the network to directly produce the load. In another mode,
Dr. WATSON can instigate very high traffic rates between pairs of third-party TCP/IP
devices. The traffic generated by Dr. WATSON is real protocol traffic, not simply a
blast of identical packets.
- Password protection of functions which might have adverse network impact.
Dr. WATSON's tools are powerful. Those tools which may have an adverse effect may be
username and password protected against misuse should an unauthorized person obtain access
to the software.
- Window driven installation program. Dr. WATSON is installed and configured
using programs with a window-oriented user interface. Users are not required to use a text
editor.
- Windows oriented configuration utility. Dr. WATSON's configuration is almost
entirely dynamic; the user is free to temporarily change most options, parameters, and
protocol addresses at any time simply by opening a configuration window and making the
desired changes. Permanent changes to Dr. WATSON's configuration may be made through
a separate, menu driven configuration program, wconfig.
- Operates on any inexpensive, industry standard IBM PC/AT compatible computer with
a 80386 or i486 compatible processor.
- Compatible with most standard Ethernet adapters. Dr. WATSON uses the
industry standard "packet drivers" specification. The Dr. WATSON
distribution diskettes include packet drivers for many of the most common Ethernet
adapters. In addition, through the use of the appropriate "shims",
Dr. WATSON may be used over ODI and NDIS drivers.
- Highly mobile when loaded onto a notebook computer and carried to the site of a
problem.
- Remotely operable from a central location via dial-up modem using Symantec's The
NORTON pcANYWHERE. Empirical has tested Dr. WATSON with Symantec's product. Other
remote utility programs may work as well.
- Runs on either color, monochrome, or LCD displays.
- Supports an optional mouse.
- May be run solely from keyboard if desired.
- May be run under Microsoft Windows as a DOS application.
- Independent of other networking products. Dr. WATSON contains its own network
protocol stacks. With the exception of the device driver (packet driver) for the Ethernet
adapter, Dr. WATSON contains all the networking software that is needed.
- On-line, context-sensitive help information facility is provided.
- Wide variety of utility-proven testing tools based on years of practical experience
building and operating real, production networks and internetworks. The functions selected
for inclusion into Dr. WATSON's repertoire are those which have been found useful on
real life networks.
- Multiple tools may be run simultaneously. Dr. WATSON is capable of running
numerous tasks at the same time. The high performance user interface allows the user to
invoke many simultaneous operations.
- The user has a choice of methods to invoke tools. Dr. WATSON does not force
users to use only the keyboard or only the mouse. Rather, users are given the flexibility
to use whatever method they find most comfortable.
- Tools may be selected using standard, pull-down menus.
- Tools may be selected by typing into a command window:
- Command history. Dr. WATSON remembers up to 40 commands entered through the command
window. Prior commands may be re-invoked with or without changes by using the standard up
and down arrows on the keyboard.
- Command editing. Dr. WATSON allows prior commands to be displayed and edited. This
is very useful when running a pattern of similar tests.
- Command parameters are remembered from one invocation to the next, significantly
reducing the time needed to run a pattern of similar tests.
- Log file retains results and user comments. Dr. WATSON records much of its
ongoing activity into a disk-based log file. The user may review the contents of this file
or enter comments. Because the file is recorded as a flat ASCII file, it is easily
processed by user-written software or loaded into standard word processors.
- Each entry is dated and time stamped.
- Notes and memoranda can be entered into the log.
- User may scroll through log file.
- Log file data is appended to any existing log; historical data is retained.
Sample Uses
Dr. WATSON is very versatile. Because it consists of a collection of tools, the
user may direct them to almost any imaginable use. To illustrate, here are a few potential
uses for Dr. WATSON:
- Look into a LAN segment to determine whether the network is active and carrying packets.
- Perform local and remote reachability tests. These tests check operation of the hardware
and software along the path from "here" to "there" across the network.
Dr. WATSON can, among other things, isolate delays, detect and isolate breaks in the
path, detect packet size and packet rate sensitivity, and detect non-optimal routing.
- Take a census of devices on the network, ascertain their network configuration, note
anomalous behavior, and incorporate the results into a database. This database can then
be used for further analysis, generation of reports (such as a table of active MAC
addresses on a LAN), and to establish an historical baseline to help spot changes in the
network device population or device configuration.
- Interact with other devices on the network. Dr. WATSON does more than merely
replicate pre-canned packet images. It actually performs protocol interactions with the
other devices. This capability can be used to generate traffic loads for stress testing or
as a "tone" to "buzz out" network paths.
- Identify unknown devices either automatically via the Network Detective or manually
through the application of Dr. WATSON's ARP, ping, DNS reverse name resolution, and
SNMP query tools.
- Generate protocol interactions which are otherwise very hard to replicate. These are
useful when developing new protocol stacks and also when hosts in the network have somehow
incorporated incorrect or stale information into the tables that are used by their
protocol stacks.
- Provide real-time displays of routing and other tables. This gives the operator a way to
watch the effect of routing protocol activity which is much more comprehensible than by
watching individual packets through a packet monitoring device.
- Use as a "trusted" host. When a device on a network is suspected of being a
source of trouble, one can substitute Dr. WATSON in place of the suspected device to
determine whether the problem is in the network or in the device.
- Run multiple tests simultaneously. This not only saves time, but also allows the
operator to correlate one test with another as a means of obtaining a "three
dimensional" view of a problem.
- Operate remotely. If a copy of Dr. WATSON is placed on a computer at an unattended
location, then, through the use of a dialup modem and the appropriate utility software,
the remote Dr. WATSON may be invoked and used from a central facility. This
capability provides for on-the-spot network interaction and quicker problem resolution
while saving travel time and money.
- The database, constructed by Dr. WATSON's Network Detective module, may be used as
a historical database. A baseline database may be compared with a current database to
highlight changes in network configuration and the presence of new, and possibly
otherwise unknown, devices. Similarly, a security audit of the database can indicate
whether a device was found to be in communication with "outside" hosts.
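An added example, not part of the original product description or of Dr. WATSON itself: one way to use an ASCII census file as a security-audit baseline, as described in the last item above and in the Network Detective section. The comma-separated record layout (MAC, IP, host name, outside-communication flag) and all sample records are assumptions constructed for illustration; the page does not document the file format.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample data, not real tool output. Assumed columns:
#   mac,ip,hostname,outside   ("outside" = seen communicating with outside hosts)
BASELINE = """\
# baseline census
00:00:0c:11:22:33,192.0.2.1,gw.example.test,yes
08:00:2b:aa:bb:cc,192.0.2.10,vax1.example.test,no
00:80:c7:01:02:03,192.0.2.20,pc20.example.test,no
"""
CURRENT = """\
# current census
00:00:0C:11:22:33,192.0.2.1,gw.example.test,yes
08:00:2b:aa:bb:cc,192.0.2.10,vax1.example.test,yes
00:80:c7:01:02:03,192.0.2.21,pc20.example.test,no
00:a0:24:de:ad:01,192.0.2.99,,no
"""


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str
    outside: bool


def load_census(text):
    """Parse census text into {mac: Device}.

    MAC addresses are lower-cased so that a change in letter case between
    two runs is not reported as a new device.
    """
    devices = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and comments
        if len(row) != 4:
            raise ValueError(f"malformed census record: {row!r}")
        mac, ip, host, outside = (field.strip() for field in row)
        mac = mac.lower()
        devices[mac] = Device(mac, ip, host, outside.lower() == "yes")
    return devices


def audit(baseline, current):
    """Compare two censuses and return the changes worth reviewing."""
    findings = {"new": [], "missing": [], "ip_changed": [], "newly_outside": []}
    for mac, dev in sorted(current.items()):
        old = baseline.get(mac)
        if old is None:
            findings["new"].append(mac)  # device absent from the baseline
            if dev.outside:
                findings["newly_outside"].append(mac)
            continue
        if old.ip != dev.ip:
            findings["ip_changed"].append((mac, old.ip, dev.ip))
        if dev.outside and not old.outside:
            findings["newly_outside"].append(mac)
    # Devices in the baseline that no longer appear
    findings["missing"] = sorted(set(baseline) - set(current))
    return findings


if __name__ == "__main__":
    report = audit(load_census(BASELINE), load_census(CURRENT))
    for kind, items in report.items():
        print(f"{kind}: {items}")
```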
Supported Configurations
- Industry Standard, IBM PC/AT compatible computers with 80386 or i486 compatible
processors, including notebook and laptop computers.
- MS-DOS v6.0 or newer (including DOS under Windows 95.)
- 1 Mbyte of memory. (At least 500K available "largest executable program size"
as reported by the DOS "mem" command.)
- Program and data files occupy approximately 900Kbytes of disk space. Additional disk
space, typically amounting to no more than a few hundred Kbytes, is used for files created
as Dr. WATSON runs.
- Display adapters:
- Full color VGA
- Monochrome-VGA
- Monochrome
- LCD displays
- Optional Microsoft compatible mouse and mouse driver.
- Ethernet adapter, including PCMCIA-2 and "parallel port" adapters, through a
driver conforming to version 9 of the Packet Driver Specification.
- To use memory effectively, Dr. WATSON uses DPMI 0.9 or DPMI 1.0, as provided by
MS-DOS or Windows 95.
Documentation
Dr. WATSON is provided with an Installation and User Guide containing installation
and configuration instructions, detailed descriptions of all Dr. WATSON functions and
problem solving techniques.
Product Support
Product support for Dr. WATSON is available via electronic mail and
through Dr. WATSON's page on the World Wide Web: http://www.cavebear.com/archive/dwtnda/
Additional Software
Included with Dr. WATSON is the Crynwr Packet Driver collection. Empirical Tools
and Technologies does not offer support for these drivers. However, such support is
available from Crynwr Software.
Media
Dr. WATSON is distributed as a self-extracting archive.
Ordering Information
See http://www.cavebear.com/archive/dwtnda/
Modified November 15, 1997