SAPMON (C) 1996 GALLAB Ver.1.2

This utility is written to help troubleshoot network problems related to
the distribution of SAP packets. A good example is when a workstation
cannot connect to a fileserver. It is also useful for getting an idea of
how much SAP traffic there is on the network and what kinds of SAPs it
consists of.

I have put together a list of available SAP type/service descriptions
which helps to determine the available services on your network. You can
add the SAPs you know about to this file, and the program will use this
information. If you find information about SAP types not included in the
list, please let me know and I will update the package to help others as
well.

How to get SAPMON working
-------------------------

This is a DOS utility. You have to load the following before you start
SAPMON:

1. LSL.COM
2.
3. IPXODI

(NETX or VLM can be loaded but are not necessary)

It also functions with the Novell 32 bit clients on all platforms. You can
run it in a DOS box.

What you will see
-----------------

You get three types of screen output. The first is when you start SAPMON
without any switches:

SAPMON (C) 1996 GALLAB Ver.1.2

SAP Monitoring started
Press any key to stop, ESC to exit

Type Server Name              Socket Hops Network# Service Type
---- -----------              ------ ---- -------- ------------
018A DUS-NWC2                 1D90   01   0101B818 Access Server
0640 MKLEMM                   E885   02   0101B8A4 NT Server-RPC Services, G
0890 CCS@DUS-NWC2             4E30   01   0101B818 *** Unknown service ***
0640 MICHAELK                 E885   02   0101B8A4 NT Server-RPC Services, G
030C 0060B02D753900CTDUS-BACK 400C   01   0101B864 HP LaserJet /QUICK SILVER
0004 DUS-ISORA                0451   01   0101B807 NetWare File Server / NT
0107 DUS-ISORA                8104   01   0101B807 RSPX Server /386 NETWARE
023F DUS-ISORA                907B   01   0101B807 SMS TESTING & DEVELOPMENT
0827 DUS-ISORA                400A   01   0101B807 Palindrome Service Broker
0103 DUS-ISORA_LSNR           428A   01   0101B807 SEQUELNET ORACLE CORP

You see here the information about the SAP services advertised: the type
of the service, the name assigned to the service, the socket where this
service listens, how many routers (hops) are between our station and the
service, the network address of the device where this service runs (if
this is a NetWare server, this is usually its internal network address)
and the service type description from the SAPLIST.TXT file.

The second screen is what you get if you apply any of the filters. Here
you additionally see the packet number, e.g. #1, the address of the device
which is in the source field of the IPX header of the packet (logical
address) and the type of the packet.

SAPMON (C) 1996 GALLAB Ver.1.2

SAP Monitoring started
Press any key to stop, ESC to exit

Type Server Name              Socket Hops Network# Service Type
---- -----------              ------ ---- -------- ------------
#1 Source: 0101B864:00805F38EA77 General Service Response
0107 DUS-NDS1                 8104   01   0101B81C RSPX Server /386 NETWARE
027B DUS-NDS1                 0000   01   0101B81C NW Management Agent 2.1
0004 DUS-NDS1                 0451   01   0101B81C NetWare File Server / NT
023F DUS-NDS1                 907B   01   0101B81C SMS TESTING & DEVELOPMENT
0827 DUS-NDS1                 401F   01   0101B81C Palindrome Service Broker
0278 NOVELL_INC______________ 5D3F   01   0101B81C NDS Replica /Tree /DIRECT
#2 Source: 0101B864:0800096823D6 General Service Response
030C 0800096823D600CCDUS-SOD- 400C   01   0101B864 HP LaserJet /QUICK SILVER
#3 Source: 0101B864:00AA00B348C3 General Service Query
0278 0800096823D600CCDUS-SOD- 400C   01   0101B864 NDS Replica /Tree /DIRECT
#4 Source: 0101B864:0800097E4E73 General Service Response
030C 0800097E4E7300CTDUS-GWS- 400C   01   0101B864 HP LaserJet /QUICK SILVER

The third screen is what you get if you use the /gXXXX switch to get the
description of SAP type XXXX:

SAPMON (C) 1996 GALLAB Ver.1.2

Type Service Name
---- ------------
0004 NetWare File Server / NT server with FPNW / Win95 with File&Prnt share for NW NOVELL - PROVO

There is also a help page:

Usage: SAPMON [Switch]
Where Switch can be one of the following:
/?              show this Help
/gXXXX          get the Service Type for the SAP Type XXXX (hex)
/fXXXX          view only the XXXX SAP Types (hex)
/nXXXXXXXX      view only packets sent from network XXXXXXXX (hex)
/mXXXXXXXXXXXX  view only packets sent by node XXXXXXXXXXXX (hex)
/oXXXXXXXX      view only SAPs originated from network XXXXXXXX (hex)
/sXXXX          view only SAPs on socket XXXX (hex)
/hXX            view only SAPs XX hops away (decimal)
/a              show packets with Source Address and Packet Type information
/tX             show packets wich are type X where X can be:
                1 General Service Query
                2 General Service Response
                3 Nearest Service Query
                4 Nearest Service Response

Any of the screen outputs can be redirected to a file with the usual
method:

SAPMON >filename.ext

Of course, in this case the monitoring will be slower, which means you
might miss SAP packets.

Remember that the SAPLIST.TXT file has to be in the current directory.

You can pause and restart monitoring at any time by pressing a key; to
exit you have to press the ESC key.

SAPMON is a passive online monitor. This means it does not generate any
packets; it only monitors the traffic. If you pause monitoring and then
restart, the packets that came in the meantime are lost.

Some theory
-----------

Let me explain how SAP works so that you can understand what the switches
in SAPMON are doing. Those of you who know all this, please jump to the
next section.

SAP stands for Service Advertising Protocol. The services in an IPX
environment use SAP to advertise themselves. This makes it possible for
the clients to connect to these services. These services or servers can be
fileservers, printservers, faxservers and so on. A number, the SAP Type,
is assigned by Novell to these services, and they also get a name assigned
by the person who installs the service. This information then gets
advertised using SAP.

The structure of a SAP request packet and of a SAP response packet is the
following:

Request packet            Response packet

MAC header                MAC header
IPX header                IPX header
Packet Type  2 bytes      Packet Type           2 bytes
Server Type  2 bytes      1. SAP record
                             SAP Type           2 bytes
                             Server Name       48 bytes
                             Network Address    4 bytes
                             Node Address       6 bytes
                             Socket             2 bytes
                             Hops               2 bytes
                          . . .
                          7. SAP record
                             SAP Type           2 bytes
                             Server Name       48 bytes
                             Network Address    4 bytes
                             Node Address       6 bytes
                             Socket             2 bytes
                             Hops               2 bytes

One SAP response packet can contain information about up to 7 services.
All relevant information from these packets is decoded and shown by SAPMON
on the screen.

How to use SAPMON
-----------------

If you start SAPMON without any parameters, it will start monitoring the
segment for all SAPs. Here is an explanation of what the switches do.

/g  This switch does a search in the SAPLIST.TXT file and displays the
    full service type for the given SAP type. The SAPLIST.TXT file is a
    simple text file which you can also edit with a text editor. It
    currently contains more than 1350 SAP types with the corresponding
    service type, which helps a lot in identifying the SAPs flying around.
    The format of this file is simple: each line holds the SAP type as 4
    hex digits, then a TAB and the service type. The service type can be
    up to 255 characters long. This version can handle up to 1800 lines in
    this file. Keep the file sorted by the SAP type. The company names are
    those of the companies that registered these SAP types.

/f  This switch enables the filter to show only the specified SAP type in
    the packets. This is useful to identify if a certain SAP type is
    available on the network.

/n  This switch filters on the source IPX network address in the SAP
    packet. Use this to see which SAPs are coming from a certain network.

/m  This switch filters on the source IPX node address in the SAP packet.
    Use this to see what SAPs are sent by a certain node.

/o  This switch filters on the network address in the SAP record in the
    packet. Use this option to see what services are running on a certain
    server.

/s  This switch filters on the socket of the SAP. Use this to see who is
    using a certain socket.

/h  This switch filters on the hop count of the SAP. Use this to see which
    SAPs are coming from a given distance.

/a  This shows the source address and packet type information for each
    SAP packet as well. This also means that you will actually see the
    packets on your screen.

/t  This switch filters on the packet type. Use this if you are interested
    only in a certain packet type, e.g. General Service Query.

Please feel free to try out SAPMON and distribute it if you like it. If
you have any comments or recommendations, send an email to
lgal@bitsmart.com

HISTORY
-------

Version 1.2
- Increased the maximum possible number of records in SAPLIST.TXT to 1800
- Fixed a bug displaying query packets
- Fixed a bug displaying Hops
- Added Socket display
- Added filtering by source Network Address
- Added filtering by source MAC Address
- Added filtering by SAP Packet Type
- Added filtering by Socket
- Added filtering by Hops
- Added filtering by Originating Network Address
- Added message stating filtering is active
- Added Packet Number display

Version 1.1
- Increased the maximum possible number of records in SAPLIST.TXT to 1500
- Fixed a bug with the line length in SAPLIST.TXT. It can be 255 chars now.
- Added a lot of new SAPs to SAPLIST.TXT. It has now 1368 entries.

Version 1.0
- Original release with 970 SAPs in the SAPLIST.TXT file.
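
The SAP record layout from the theory section and the /f, /o, /s and /h record filters, worked through in Python as an added example (this is not SAPMON's code and not part of the package). It assumes the payload has already been stripped of the MAC and IPX headers and trimmed to the IPX length; the function names and the node addresses in the sample are made up for the illustration.

```python
import struct

PACKET_TYPES = {1: "General Service Query", 2: "General Service Response",
                3: "Nearest Service Query", 4: "Nearest Service Response"}
# One SAP record, big-endian: SAP type, 48-byte name, network, node, socket,
# hops = 64 bytes. A response carries between 1 and 7 of them.
RECORD = struct.Struct(">H48s4s6sHH")

def parse_saplist(text):
    """SAPLIST.TXT format: 4 hex digits, a TAB, then the service type."""
    table = {}
    for line in text.splitlines():
        sap_type, tab, service = line.partition("\t")
        if tab and len(sap_type) == 4:
            table[int(sap_type, 16)] = service.strip()
    return table

def parse_sap(payload):
    """Decode a SAP payload into (packet type, list of record dicts)."""
    if len(payload) < 4:
        raise ValueError("truncated SAP packet")
    (ptype,) = struct.unpack_from(">H", payload)
    if ptype not in PACKET_TYPES:
        raise ValueError("unknown packet type %d" % ptype)
    body = payload[2:]
    if ptype in (1, 3):                      # queries carry only a Server Type
        if len(body) != 2:
            raise ValueError("bad query length")
        return ptype, [{"type": struct.unpack(">H", body)[0]}]
    count, rest = divmod(len(body), RECORD.size)
    if rest or not 1 <= count <= 7:          # reject partial or excess records
        raise ValueError("bad response length")
    return ptype, [{"type": sap, "socket": sock, "hops": hops,
                    "name": name.split(b"\0")[0].decode("ascii", "replace"),
                    "network": net.hex().upper(), "node": node.hex().upper()}
                   for sap, name, net, node, sock, hops in RECORD.iter_unpack(body)]

def sap_filter(records, **want):
    """Keep records matching every given field: type=/f, network=/o, socket=/s, hops=/h."""
    return [r for r in records if all(r.get(k) == v for k, v in want.items())]

def make_record(sap, name, net, node, sock, hops):
    return RECORD.pack(sap, name.encode(), bytes.fromhex(net),
                       bytes.fromhex(node), sock, hops)

# Constructed sample: a General Service Response with two records taken from
# the first screen above; the node addresses are invented for the example.
SAMPLE = struct.pack(">H", 2) + \
    make_record(0x0004, "DUS-ISORA", "0101B807", "000000000001", 0x0451, 1) + \
    make_record(0x018A, "DUS-NWC2", "0101B818", "000000000001", 0x1D90, 1)
SAPLIST = parse_saplist("0004\tNetWare File Server / NT\n018A\tAccess Server\n")
```

parse_sap raises ValueError on a payload whose length does not fit the layout, so a truncated capture or a response with more than 7 records is rejected instead of being decoded into misaligned fields.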