Frequently Asked Question about
Dr. Watson, The Network Detective's Assistant (DWTNDA)
Version 1.2

Revision 3

What is Dr. Watson? (DWTNDA)

DWTNDA is not related to the Microsoft program called "drwatson.exe"

Dr. Watson (DWTNDA) is a software product that is designed to help knowledgeable network engineers, administrators, designers, and repairmen deal with the problems that arise when a network is installed, expanded, or reconfigured. It is also a designed to help keep track of the overall network population and configuration.

Dr. Watson is recognized by LAN Magazine as the 1994 product of the year for network testing and diagnosis.

DWTNDA will run on DOS, Windows 95 and 98 (via the appropriate shims).

DWTNDA may run on Windows NT, however, it requires a shim from Dan Lanciani ( that has not yet been tested.

What sorts of things can Dr. Watson do?

Dr. Watson is an integrated collection of tools. Some of these tools are enhanced versions of those which TCP/IP experts have found useful through the years. Other tools in Dr. Watson are new, not found anywhere else.

Dr. Watson's "detective" module locates other devices on the network and builds a database of their addresses, names, protocol characteristics, and operational mis-behaviour. All of this information is visible on the screen and is recorded for subsequent review in flat text files.

One of Dr. Watson's most basic functions gives the user a means to view the traffic passing on the network. The purpose of this function is not to eliminate the need for a packet monitor (see question 4), but rather, to allow the user to quickly find out whether the LAN is carrying traffic at all and to do a quick "by eye" characterization of the traffic.

Dr. Watson gives the user a suite of "reachability" tests. These tests allow the user to interact with remote devices using a number of protocols at various layers. Typically the user would see whether a remote device is reachable at low protocol layer, then at the next higher protocol layer, and so forth. Dr. Watson gives the user complete control over these tests so that the user can control the repetition rate, the data patterns, the packet sizes, the protocols used, etc.

Since many networks are composed of distinct LANs and WANs connected by routers, Dr. Watson has a tool, "traceroute", to find the actual path traversed by packets.

Dr. Watson can act both as an SNMP agent and SNMP MIB browser.

Because Dr. Watson is "protocol smart", it can participate in routing and other protocols to create "tables" which give the user a clean, visual way to view important network activity. For example, Dr. Watson can display a routing table with real-time updates as routing information is propagated by routers onto the network.

Dr. Watson's functions are packaged into a multi-window environment. allowing the user to run any number of simultaneous tests.

To aide post-test review, Dr. Watson maintains a log of the users activities and of the results observed. The user may add comments to this log.

For a complete list of Dr. Watson's powers, see the Software Product Description.

Can Dr. Watson be used on a network with Suns and other workstations?

Yes. Dr. Watson is specifically designed for use on multi-vendor TCP/IP networks. Dr. Watson is extensively used daily on networks with equipment and network software from:

Microsoft Bay Networks cisco Proteon
Synoptics Cabletron FTP Software SGI
Sun Digital Ultrix IBM NCD
Intercon Apple HP Novell (TCP/IP)

If you have TCP/IP devices on your network, Dr. Watson can work with them.

Dr. Watson is one of the very few products that has undergone formal interoperability testing at both the TCP/IP Bakeoff and the SNMP Test Summit.

Is Dr. Watson a packet monitor (similar to Network General's Sniffer?

No. Dr. Watson is an active device. Dr. Watson actually performs protocol interactions with other devices on the network. Packet monitors are primarily passive devices which merely show you what packets happen to pass on the network.

Is "Active" better?

It is not so much a matter of being better or worse. Rather, it is a difference. Passive monitors have their place. Passive monitors can do a pretty good job of showing you detailed traces of the packets passing by on your LAN. However, active devices can actually exercise the network, interact with other devices, and, in general, do a much better job of verifying that your network is acting properly and that devices are responsive.

A passive device, such as a packet monitor is like a person who watches a game of sports on television. Dr. Watson, on the other hand, is like the player on the field. The passive viewer can not interact with other "players" on the network. Dr. Watson can.

Experienced users equipped with both Dr. Watson and a packet monitor usually find that Dr. Watson is the first tool they use when dealing with a network problem. These users report that they usually resort to a packet monitor only for those few remaining situations where it is necessary to actually take a detailed snapshot of the traffic flowing on the LAN.

Can Dr. Watson take a census of my TCP/IP devices?

Yes. Through a variety of active and passive techniques, Dr. Watson can build a database of IP devices on the network. The scope of the census may be extended or limited, at the user's option, to include devices on other subnets or other devices on an internet beyond the user's own IP network.

What sort of information can Dr. Watson gather about a device?

The census gathers over sixty attributes for each device. These attributes range from SNMP MIB data (such as sysName) to subnetwork masks to indications whether the device is offering certain protocol services and whether it is showing incorrect forms of protocol behavior.

Does Dr. Watson detect duplicate IP address assignments?

Yes. Dr. Watson can detect its own usage of an IP address already in use by another device. Dr. Watson can also detect when two other computers on the same LAN have the same IP address.

Can Dr. Watson take a census of my Novell NetWare devices?

To a limited extent, yes. Dr. Watson will note the IPX addresses of active NetWare devices and, if they are file servers, note their names. If these devices are also TCP/IP devices, Dr. Watson will link the NetWare information with the TCP/IP information.

How does Dr. Watson compare to an RMON (Remote Monitoring) device?

RMON stands for Remote MONitoring. An RMON device is essentially a very smart remote packet monitor. RMON devices are configured (using SNMP) to monitor the traffic on a network and to capture packets meeting given patterns. Except for the fact that an RMON device speaks SNMP (and hence IP and UDP) to convey configurations and results, an RMON device is not much different from a typical, passive, packet monitor.

Dr. Watson actively interacts with other devices on the network. The RMON specifications do not give this ability to RMON devices.

Does Dr. Watson support SNMP?

Yes. Dr. Watson contains both an SNMP version 1 mib browser and SNMP version 1 agent.

Dr. Watson's SNMP is based on the Epilogue Technologies' SNMP engine, the most widely deployed SNMP engine in commercial products.

Dr. Watson's SNMP has been extensively tested and Empirical was one of the participants in InterWorking Lab's SNMP Test Summit.

Can I use Dr. Watson to read SNMP data from other computers?

Yes. Dr. Watson 's MIB browser allows you to read MIB-II data from any TCP/IP device with an industry standard SNMP version 1 agent.

Dr. Watson's browser assembles MIB tables into an easy-to-read format for presentation to the user and incorporation into Dr. Watson's log file.

What is a "reachability test"?

A reachability test determines whether it is possible to send a packet from one point on the network to another. Most network problems are the result of either total or partial reachability failures. These failures occur due to equipment failures, cable noise, equipment mis-configuration, etc.

Various forms of reachability testing will exercise different parts of the network's infrastructure and can thus be used to "zero-in" on that portion of the network which is not performing properly.

What is "ping"?

"Ping" is a protocol used to test whether another device on the network is reachable and active. Ping is essentially an echo service -- the server responds with a copy (or near copy) of the client's original packet. Ping is very lightweight, causing very little network or CPU overhead. However, ping tests a significant portion of overall network functionality.

Dr. Watson's ping is much more powerful than the version found on typical Unix workstations. Dr. Watson's ping can use ICMP, UDP, or SNMP as the underlying protocol. (Most other versions only use ICMP.) Dr. Watson's version gives the user control over a large number of operational parameters including the packet rate, the packet size, the data pattern included in the packet, the reporting interval, and the underlying protocol to use.

Dr. Watson's ping also checks that the data which it receives from the server is a correct copy of that which was sent. (Many UNIX implementations do not do this.)

What is "traceroute"?

In a network composed of many distinct LANs and WANs, one usually does not have a good idea what pathway packets take when flowing from hither to yon.

"Traceroute" finds the actual path (i.e. the sequence of routers) a packet takes as it flows through the network.

Traceroute is extremely powerful. It shows the incremental delay for each "hop" of the path, thus illuminating slow or congested links. Traceroute also can find sub-optimal routes, routing loops, and routing dead-ends.

Dr. Watson 's traceroute has been enhanced beyond the version found on some UNIX workstations. Dr. Watson's traceroute performs "MTU" discovery -- in other words, it can find the maximum sized packet which can flow along the path without fragmentation. If fragmentation does occur, Dr. Watson will indicate where it is occurring.

What is "ARP"?

ARP is the Address Resolution Protocol. ARP is typically used by TCP/IP hosts to ascertain the Ethernet address of a host on a LAN.

Dr. Watson gives its user the ability to send an ARP request either to ascertain a device's Ethernet address or as a form of "reachability" test.

What protocols does Dr. Watson support?

In the TCP/IP family of protocols, Dr. Watson supports ARP, IP, ICMP, UDP, RIP, SNMP, and DNS.

In the IPX family of protocols, Dr. Watson supports IPX, SAP, RIP, and some parts of DIAG.

Dr. Watson has some support for Digital's LAVC protocol.

Is Dr. Watson restricted to a single LAN?

No. Dr. Watson "speaks" TCP/IP, a protocol which is specifically designed to be routed beyond the confines of a single LAN. Dr. Watson is truly an "internet" product.

Can Dr. Watson be used remotely?

Yes. Dr. Watson can been used over dial-up telephone with third-party software such as Symantec/Norton pcANYWHERE.

Dr. Watson can not yet be controlled remotely in-band over the network.

Does Dr. Watson support the Domain Name System (DNS)?

Dr. Watson can use the Domain Name System to translate domain names into IP addresses and to convert IP addresses to domain names.

Dr. Watson allows the user to specify a list of domain name servers.

Can Dr. Watson be used to place a stress load on a network?

Yes. Dr. Watson is able to generate a degree of network load. The load generated depends on the speed of the machine on which Dr. Watson is running and the type of Ethernet interface. Dr. Watson typically can generate up to 1500 to 2000 packets per second on a fast computer.

Dr. Watson can instigate much higher traffic loads, however, between other, higher performance machines. This capability has been able to generate loads which saturate Ethernets.

Can Dr. Watson disrupt my network?

Dr. Watson is like any tool; it can cause some disruption if misused.

As a consequence, Dr. Watson uses a password mechanism to help block access to those functions which could be abused.

Can't I get the same function from freely available (public) software?

Dr. Watson contains many functions which are also found in freely available software. However, in many instances the public software runs only on a Unix workstation with a TCP/IP stack. And in many cases, the functions found in Dr. Watson offer significant improvements over the public code.

Unlike most freely available network software, Dr. Watson is an integrated system rather than a collection of separate, isolated commands.

Dr. Watson's Detective functionality is not found in any public software.

How do I get a copy?

Contact Empirical Tools and Technologies on the World Wide Web at

What kind of platform does Dr. Watson require?

Dr. Watson runs on any IBM PC/AT compatible computer with a Intel 386 (or compatible) processor. It will run best if the processor speed is at least 16Mhz. The DOS "mem" program should also indicate a "Largest executable program size" of at least 500K bytes. It is desirable that "mem" also show at least 500K of either Extended or Expanded memory. Dr. Watson itself requires less than 1 megabyte of disk space. However, the size of its output files depends on the network on which it is used, but generally they are less than a few hundred kilobytes.

DWTNDA will run in the MS-DOS window on Windows 95 if the NDIS3PKT VxD is installed.  In that case, DWTNDA will use the NDIS3 driver used by Windows.

What kind of Ethernet interface does Dr. Watson use?

Dr. Watson can use almost any Ethernet adapter hardware. Dr. Watson uses the "packet driver" API. There are packet drivers for most Ethernet cards. Empirical provides a large number of packet drivers (including the Crynwr packet driver collection) with the product.

In addition, if used on Windows 95, NDIS3PKT, a software shim (in the form of a Virtual Device Driver or VxD) is available to allow the use of any card for which an NDIS 3 driver is available.

Can Dr. Watson use ODI or NDIS drivers?

Yes. There are "shim" programs which can be layered on top of an ODI or NDIS driver to simulate a packet driver.

Can Dr. Watson use a PCMCIA Ethernet card or a parallel port Ethernet adapter?


PCMCIA Ethernet adapters appear to work quite well.

Parallel port adapters do have limitations, however. Older parallel ports tended to be optimized for outgoing traffic. It is best if your computer has a "bi-directional" parallel port and a parallel port adapter (and software drivers) designed to take advantage of that capability. Nevertheless, parallel port adapters tend to choke on heavy packet loads and often consume so much of the CPU resources of the computer that the machine appears to have stopped functioning.

Can Dr. Watson run under Microsoft Windows 95?

Yes. Dr. Watson can operate in a DOS window in Windows 95. To do so requires NDIS3PKT, a software shim that allows Dr. Watson to share the NDIS 3 device driver with other networking software (such as the Microsoft TCP/IP stack) that may also be running. With this shim, Dr. Watson may run simultaneously with other networking software on Windows 95.

It is recommended, but not necessary, that DWTNDA use a different IP address than the Windows 95 system.

How long does it take to start Dr. Watson?

Usually only a few seconds. Configuration changes can be made while Dr. Watson is running.

Is there on-line help?

Yes, Dr. Watson has a context sensitive on-line help facility.

Do I need to provide a TCP/IP stack to run Dr. Watson?

No. Dr. Watson comes with its own protocol stacks.

Can Dr. Watson co-exist on a machine running another TCP/IP stack?

On Windows 95, through the use of an appropriate software "shim" (NDIS3PKT), Dr. Watson is able to share the NDIS 3 device driver with the existing TCP/IP stack. In fact, Dr. Watson is able to run simultaneously with the Microsoft TCP/IP stack, even at a different IP address!

On DOS Dr. Watson can reside on the same computer as other TCP/IP software. However, since Dr. Watson contains its own TCP/IP protocol stack it can not be run at the same time as those other packages. In general, it is necessary to unload the other package before running Dr. Watson.

What support does Dr. Watson have for Novell NetWare?

Dr. Watson is primarily a TCP/IP product. NetWare most often uses the IPX protocol rather than IP. However, Novell does offer NetWare over TCP/IP. For that version, Dr. Watson can interact with NetWare just like it does any other TCP/IP device.

For IPX based NetWare, Dr. Watson does have the ability to locate NetWare nodes and interact with them to a limited extent.

Empirical does intend to extend Dr. Watson in the future to further accommodate IPX based NetWare.

Can Dr. Watson co-exist on a machine running Novell NetWare?

Yes, with some limitations. Dr. Watson operates best if it has control of its own Ethernet adapter. Consequently, it is not desirable to run both NetWare and Dr. Watson through the same adapter. However, on a machine equipped with two Ethernet adapters, Dr. Watson and NetWare can reside side by side.

Note, however, that the presence of NetWare reduces the amount of memory available to Dr. Watson.

What Ethernet frame types does Dr. Watson support?

For TCP/IP Dr. Watson supports Ethernet-II framing.

For IPX, Dr. Watson supports both Ethernet-II and Novell's "raw Ethernet" format, i.e. IEEE 802.3 without IEEE 802.2.

Can Dr. Watson operate on Token Ring or FDDI?

Not directly. Dr. Watson is designed to run on a computer which is attached to an Ethernet. However, Dr. Watson can "talk" to computers which are on Token Ring or FDDI (or any other media) as long as the various forms of network media are joined into an internet via routers (or special bridging devices which are capable of doing a correct job of packet reformatting.)

What about Banyon Vines and Lantastic?

Dr. Watson does not support these products.

What is in Dr. Watson's MIB?

Dr. Watson offers MIB-II.

Does Dr. Watson need a mouse or color screen?

Dr. Watson is easiest to use on a machine with a mouse. A color screen is also desirable. However, Dr. Watson can operate on a monochrome or LCD computer or on one without a mouse.

Can Dr. Watson run on a laptop or notebook computer?


Does DWTNDA support IP Multicast?

Yes.  DWTNDA allows one to join IP multicast groups using IGMP version 1 or IGMP version 2.  When joined to a group, DWTNDA will respond to pings addressed to the group.

At the moment, however, DWTNDA must be placed into promiscuous/all-packets mode in order to receive multicast packets.

DWTNDA has a tabular display which can show the IGMP "join" activity occurring on a LAN.

In addition, DWTNDA allows the user to send "pings" (in all of the supported ping encapsulations) to an IP Multicast Group address.  The TTL for multicast may be controlled apart from the TTL used for unicast packets.

Modified May 31, 1999