Distributed Analyzers: The Next Best Thing

October 16, 2000
By Peter Morrissey

A network engineer can't be in more than one place at the same time, but if you've ever tried to keep a large network under control, you've probably wished for that power. While not even Network Computing can help you defy the laws of physics, we did take a look at the next best thing, distributed analyzers.

An indispensable tool for anyone who wants to swiftly determine the causes of network snafus, an analyzer will give you the ability to quickly make assessments about traffic patterns on your network. It will also let you peer inside each packet to see how your Web, middleware and client/server-based applications are really behaving.

Fixing a performance glitch may just entail reconfiguring some software settings, or you may have to readjust your code or put the screws to a vendor to patch things up. Sometimes, you may even have to re-engineer your network. The important thing to keep in mind is that when network performance problems crop up, someone is going to be very unhappy.

For our tests, which took place at the Syracuse University Real-World Labs®, we sought products that let administrators analyze multiple, full-duplex networks from a remotely located user interface. They also had to support both Fast Ethernet and Gigabit Ethernet connections. We received three entries that were up to the task. Sniffer Technologies' Distributed Sniffer System (DSS) with RMON 4.0 garnered our Editor's Choice award, but all the entries, including DominoNAS from Acterna (formerly known as Wavetek Wandel Goltermann), and Shomiti Systems Surveyor 3.1 software with Explorer hardware pods, were well qualified for the demanding task of remotely troubleshooting switched and routed networks. Hewlett-Packard Co.'s spin-off, Agilent Technologies, was invited to participate but declined.
We didn't score products on price, but Sniffer's solution is the least expensive. However, Shomiti's Gigabit Ethernet and Fast Ethernet pods can be independently located anywhere on the network, which makes them a little more versatile. Also note that both Acterna and Shomiti had new releases of their products in beta at the time of our tests. The beta versions weren't cooked enough for us to look at, but they may be worth your consideration by this article's publication date or soon after.

We assumed most networks that required distributed analyzers were probably running Fast Ethernet and at least thinking about adding some Gigabit Ethernet. In the case of the DSS, both media types were mounted in a PC. Shomiti provided standalone Explorer pods, and Acterna DominoNAS provided standalone Domino pods for each media type.

The Fast Ethernet interfaces on the products we received were designed for twisted-pair connections. The gigabit interfaces were designed for fiber connections, which is the preferred way to connect gigabit networks. (For more on gigabit networking, see "Gigabit Over Copper: Bandwidth To Burn?") The gigabit interfaces were a mixture of single-mode and multimode fiber. This could have made it difficult to standardize our test environment, but fortunately the interfaces came with GBICs, which are standardized matchbook-sized cartridges that can easily slip into a port to change it from single-mode to multimode. As a result, we were able to standardize our test environment by borrowing some multimode GBICs from a switch we had on hand.

All three products were able to tap directly into a full-duplex circuit, and to plug into a port mirroring or span port on a switch. The advantage of the full-duplex tap is that there is no reliance upon the switch to forward data, and there is no danger of oversubscribing the unidirectional span port with bidirectional traffic, which can amount to double the capacity of the incoming mirrored port.
In addition, each product supplied a separate network interface for connection to the network for out-of-band access. This made it possible to remotely access the equipment that was gathering data, without having to interfere with the monitored network.

In spite of the fact that we enlisted the services of a Spirent Communications SmartBits 6000 to blast up to 2 Gbps, we were pleasantly surprised to see that all the products handled the traffic without breaking a sweat. Surprisingly, even Sniffer's DSS performed flawlessly, a break from the past weak performances of similar Sniffer systems.

Potential Security Breaches

Keep in mind that the distributed nature of these analyzers makes them a security incident waiting to happen. All the products came with the ability to provide password protection for remote access, but they all had a default setting that allowed remote access to the analyzer via either an easy-to-guess password or no password at all. If you implement any of these products, be sure to establish policies and procedures early on for how their access will be administered. You'll also find that if you allow access to them through a firewall, you'll have to have the appropriate ports opened. If you do this, take care to be as restrictive as possible.

Given that we had some VoIP (voice over IP) phones from Cisco Systems and Alcatel installed in our Syracuse University Real-World Labs®, we couldn't wait to see how well they decoded the protocols involved. We discovered that Shomiti's Surveyor was able to decode the proprietary protocol SSP (Skinny Station Protocol) that Cisco uses for its Ethernet phones. Acterna sent us a patch with the same decode, which we didn't get a chance to try. While we were glad to be able to decode the Cisco implementation, we were disappointed that the Alcatel phones could not be analyzed by any of the products. Obviously neither one was using the SIP protocol standard that was designed for this type of application. (Alcatel and other vendors have told us the standard isn't mature enough.) It's interesting that this hasn't stopped Sniffer, Shomiti and Acterna from coming up with decodes for SIP. This experience increases our suspicion that these vendors are more dedicated to tying customers to their phones than giving more than lip service to standards. Sniffer's DSS was able to decode a long list of VPN tunneling protocols, and all the products were able to decode other standardized multimedia protocols, such as MGCP (Media Gateway Control Protocol) and H.323.

Although in the end this came down to a photo finish, Sniffer's DSS exhibited a few outstanding features that set it apart. First, it lets multiple network engineers simultaneously access the GUI to view the results of a capture. The other clincher is its ability to interact with switches. The SniffView console includes an application that can remotely change the ports that are monitored on the span port, and also pull statistics via SNMP. This boosted the DSS' score in the remote-access category. 


