

Sniffer Now Does Windows
February 22, 1999
By Dan Backman
Trying to keep an eye on your network? Network Associates' Sniffer protocol analyzers let you watch it like a hawk, scratching through the layers of protocols in your network, and letting problem solving and analysis take place at nearly any level.
In fact, no network manager's bag of tricks should be without a protocol analyzer to capture and analyze network traffic on the scene or through distributed probes. Sniffer, originally a product of Network General, has become synonymous with protocol analysis, the magic DOS box with powerful expert systems and voluminous protocol decodes--all buried under an arcane text-based user interface.
As a result of Network Associates' merger with Network General last year, Sniffer now heads up Network Associates' Total Network Visibility suite. Network Associates has retired Sniffer's old DOS interface in favor of 32-bit Windows, and is making the product available at two levels: the enterprise-class Sniffer Pro and the workgroup-level Sniffer Basic. The two are nearly identical--Sniffer Pro adds real-time expert analysis and more than 300 protocol decodes. Both share the same code base: They borrow the Windows interface and real-time monitoring functions from Network General's NetXRay product line and incorporate a new portable protocol interpreter (based on Sniffer's DOS version). Former NetXRay users will benefit from Sniffer Basic's rewritten capture and analysis subsystem.
Sniffer's new interface is similar to NetXRay. The dashboard, real-time monitoring, filters and packet generator functions are untouched, and the protocol decode screens look similar. The big changes--Sniffer Pro's expert analysis and multiple protocol decodes--are under the hood.
Sniffer Basic is an excellent choice for all network professionals, with its relatively low-cost, easy-to-use interface, extensive multilayer protocol decodes and real-time monitoring capabilities. Sniffer Pro offers a convenient upgrade path to expert diagnosis systems and an array of WAN and proprietary protocol decodes.
Performance Counts
Sniffer Basic incorporates the old Sniffer's frame capture and protocol-analysis engine, so users can take advantage of the enhanced NDIS capture drivers provided by Network Associates (when using a supported NIC). These drivers improve capture performance, support accurate error counters and enable capture of bad frames. I tested both Sniffers using Network Associates' CardBus 10/100 Ethernet adapter on a Pentium 133-MHz laptop running Windows 98. Another advantage of Sniffer's migration to Windows is support for standard Ethernet cards via NDIS3. (Because of the unpredictable performance of third-party NDIS drivers, Network Associates only guarantees capture performance or accurate error counters on its supported cards.)
In the lab, Sniffer Basic (using the supported NIC) easily kept pace with the bare minimum of a high-traffic conventional (shared 10-Mbps) Ethernet segment (4,850 pps at 64-bit frames) in both monitor and capture modes. I also captured and replayed Ethernet traffic using a DOS-based Sniffer, and saw that the Windows-based Sniffer Basic never missed a frame. According to Network Associates, Sniffer Basic operating on a 166-MHz or faster Pentium is guaranteed to capture 100 percent of a 10-Mbps, half-duplex Ethernet segment (and, if you use a supported CardBus token-ring NIC, 100 percent of a 4-Mbps and 16-Mbps token-ring network). Our tests showed no dropped packets on a 133-MHz Pentium Toshiba Tecra 510CDT with the supplied CardBus NIC.
Network Associates also offers a PCI-based 10/100-Mbps Ethernet NIC. When used in conjunction with a 400-MHz or faster Pentium II workstation, Network Associates claims that Sniffer Basic and Sniffer Pro should support approximately 95 percent to 100 percent of a half-duplex 100-Mbps segment.
A Fully Stocked Toolbox
Sniffer Basic includes decodes for most of the common IP, IPX and AppleTalk protocol suites. In the lab, it produced in-depth decodes of NetBIOS traffic, MS Browse activity, NLSP (NetWare Link Services Protocol) and NCP (NetWare Core Protocol) activity, NFS (Network File System) traffic, LDAP searches and various Internet protocols. Unfortunately, the beta I tested had no interpreters for several basic protocols, such as ARP (Address Resolution Protocol), IMAP and Network Time Protocol (NTP). According to Network Associates, this deficiency will be fixed in a free service patch available on the Web. The version of Sniffer Pro I tested included full support for these missing decodes.
Sniffer Pro's expert systems are activated by starting a capture (real time) or viewing an existing capture; its expert analysis incorporates the more powerful features of the previous DOS-based Sniffer. In our tests, Sniffer Pro's expert systems helped pinpoint traffic patterns, such as minor broadcast storms, slow ACKs (acknowledgments) and Ethernet CRC (cyclic redundancy check) errors on our network. Sniffer Pro's ability to display expert diagnoses, symptoms and objects in an easy-to-interpret GUI is a big improvement.
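The three symptoms the review says Sniffer Pro's expert system flagged (broadcast storms, slow ACKs and CRC errors), sketched as an added example that is not the review's or Network Associates' code: simple heuristics run over a constructed list of frame records. The Frame fields, the one-second window and the count and delay thresholds are assumptions, not Sniffer's own values.

```python
# Added illustration of expert-style symptom checks over captured frames.
# Frame layout, thresholds and sample data are assumptions (constructed here).
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    ts: float                        # capture timestamp, seconds
    src: str                         # source MAC
    dst: str                         # destination MAC
    crc_ok: bool = True              # False if the capture driver saw a bad CRC
    tcp_seq: Optional[int] = None    # set on a TCP data segment
    tcp_ack: Optional[int] = None    # set on a TCP ACK segment

def broadcast_storm_windows(frames, window=1.0, threshold=100):
    """Start times of windows whose broadcast-frame count exceeds threshold."""
    counts = defaultdict(int)
    for f in frames:
        if f.dst == BROADCAST:
            counts[int(f.ts // window)] += 1
    return sorted(w * window for w, n in counts.items() if n > threshold)

def slow_acks(frames, max_delay=0.2):
    """Match data segments with the ACK that covers them; report delays > max_delay."""
    pending = {}   # (src, dst, seq) -> send time of the unacknowledged segment
    slow = []
    for f in frames:
        if f.tcp_seq is not None:
            pending[(f.src, f.dst, f.tcp_seq)] = f.ts
        elif f.tcp_ack is not None:
            for key in list(pending):          # cumulative ACK covers every lower seq
                s, d, seq = key
                if s == f.dst and d == f.src and f.tcp_ack > seq:
                    delay = f.ts - pending.pop(key)
                    if delay > max_delay:
                        slow.append((s, d, seq, round(delay, 3)))
    return slow

def crc_error_count(frames):
    return sum(1 for f in frames if not f.crc_ok)

# Constructed capture: 120 broadcasts in the first 0.6 s, one fast and one slow
# ACK exchange between two hosts, and two frames with bad CRCs.
A, B = "00:a0:c9:00:00:01", "00:a0:c9:00:00:02"
SAMPLE_FRAMES = (
    [Frame(0.005 * i, f"00:00:00:00:00:{i % 8:02x}", BROADCAST) for i in range(120)]
    + [Frame(2.0, A, B, tcp_seq=1000), Frame(2.05, B, A, tcp_ack=1001),
       Frame(3.0, A, B, tcp_seq=2000), Frame(3.5, B, A, tcp_ack=2001),
       Frame(4.0, A, B, crc_ok=False), Frame(4.1, B, A, crc_ok=False)]
)
```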
The filter interface is identical to NetXRay's. Using the same filter set for captures, triggers and displays, both Basic and Pro let you create address- or protocol-based filters, as well as more advanced filters using data patterns and operators. One upgrade from NetXRay is the ability to create inclusive or exclusive filters based on IPX addresses.
Sniffer Basic and Pro feature a handful of IP utilities, including traceroute, ping, DNS lookup, finger and whois. Both allow multiple alarm severities and actions, including the ability to dial a beeper or pager, play sounds or send e-mail via SMTP. But I was disappointed to see that the real-time capture display, a useful NetXRay feature, was dropped. Network Associates says this feature severely limited performance, and was cut to provide better support in Sniffer Pro for real-time expert analysis.
Send your comments on this article to Dan Backman at dbackman@nwc.com.