We give the eSniff 1100 our Editor's Choice award because it makes monitoring an Ethernet network a piece of cake. The 1100's ease of installation and configuration far surpasses that of both Elron's IM and SurfControl's SuperScout: a single component monitors both Internet and e-mail activity. And unlike Pearl Echo, the eSniff 1100 requires no client configuration. Another big plus: the 1100 has no additional hardware requirements. This self-contained, Linux-based appliance has a 1U form factor and plugs right into the network. It boots a Linux kernel (2.2.17), carries 128 MB of RAM and sports a 10/100 Ethernet NIC. Just take the 1100 out of the box and you're almost ready to begin monitoring.
After connecting the 1100 to a mirrored port on the switch in our test bed, so that it received a copy of all traffic crossing the switch, we were ready to configure it. We attached a PC-compatible monitor (VGA or SVGA) and keyboard (IBM PS/2-style) to the 1100; you can also use terminal emulation from a laptop or PC connected to the COM port. After an initial password challenge, a menu-driven configuration tool presented itself.
The menu takes the IP address, net mask, broadcast address, default gateway, DNS server address and domain name; in its reports the 1100 identifies hosts by the name resolved in DNS or by IP address. We elected to wait 14 days before automatically archiving logs and chose to receive automatic updates from eSniff. If other eSniff devices were attached to the network, we could also identify them here by IP address. Once the TCP/IP configuration was set, the 1100 began monitoring traffic.
In the 1100, eSniff uses proprietary linguistic and mathematical analysis to passively monitor IP-based traffic; because it works from a mirrored port, it observes and records traffic but never blocks it. Although Pearl Echo outgunned the 1100 in the number of protocols monitored, eSniff's device covers telnet as well as FTP, HTTP, POP3 and SMTP. Unlike Echo, eSniff reports only "abusive" traffic, that is, traffic that falls outside acceptable boundaries. The device captures traffic to a rollout partition, where it is queued and analyzed by the proprietary algorithms according to rules, or eBoundaries: collections of words or phrases categorized by subject (acquisition, confidential, conflict, gambling, games, porn, racism, resignation, shopping, sports, substance abuse and trading). Packets that trigger no rule stay within the eBoundaries, are deemed acceptable and are discarded; packets that trigger a rule fall outside an eBoundary and are saved for reporting. Each eBoundary is associated with a color for graphical reporting and has a sensitivity level (off, low, medium or high) that determines how deeply the linguistic content of messages is analyzed.
Although eSniff provides adequate descriptions of the eBoundaries, they cannot be reviewed or edited (Elron's IM and Pearl Echo allow customization). We were initially put off by this limitation; after running our test scripts, however, eSniff accurately categorized the Web and e-mail traffic generated under test conditions for gambling, games, porn, racism and shopping. Random tests that included job searches, transferring confidential messages, and transmitting information on acquisitions and mergers were also reported accurately as resignation, confidential and acquisition, respectively. Note that, like the corresponding features of the other products under review, the 1100's confidential eBoundary can also flag encrypted traffic; as a passive sniffer without the keys, it can only note that the content is encrypted, not read it.
In addition to the default eBoundaries, keywords can be added and associated with colors for graphical reporting. Typical uses for keywords include information specific to an enterprise, such as project and product names, patents, and perhaps the names of individuals under heightened scrutiny. The sensitivity levels of the filters, or eBoundaries, are meant to align monitoring with the organization's acceptable-use policy (AUP): an enterprise can focus on specific problem areas and so reduce the amount of data collected and the effort needed to maintain and report on it. Plan disk space and the archiving interval with that in mind. During our testing, with 20 clients generating more than 1,000 HTTP requests in less than two minutes, we quickly filled 90 MB of disk space.
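As an added illustration of the rule model described in the two paragraphs above (this is not eSniff's code; its linguistic and mathematical algorithms are proprietary and not described in this review), the following Python models eBoundaries as keyword sets with a color and a sensitivity level, adds an enterprise-specific keyword set, and keeps only the captures that cross a boundary. The mapping of sensitivity to a minimum number of distinct keyword hits, the category keyword lists, the colors and all sample traffic are assumptions constructed for the example.

```python
"""Keyword-boundary classifier: a simplified stand-in for eBoundary analysis.

Assumptions (not from the review): a boundary is a set of keywords; the
sensitivity level maps to the minimum number of distinct keywords that must
appear before a capture is reported; "off" disables the boundary entirely.
"""
import re
from dataclasses import dataclass, replace

# Assumed sensitivity thresholds: higher sensitivity = fewer hits needed.
SENSITIVITY_MIN_HITS = {"off": None, "low": 3, "medium": 2, "high": 1}


@dataclass(frozen=True)
class EBoundary:
    name: str
    color: str            # color used for graphical reporting
    keywords: tuple       # lower-case words or phrases
    sensitivity: str = "medium"


@dataclass(frozen=True)
class Capture:
    protocol: str         # HTTP, SMTP, POP3, FTP or telnet
    src: str              # source host (IP or resolved name)
    payload: str          # reassembled application-layer content


# Constructed default boundaries; the real lists are not published.
DEFAULT_BOUNDARIES = [
    EBoundary("gambling", "red", ("casino", "poker", "wager", "blackjack")),
    EBoundary("resignation", "orange", ("resume", "job search", "headhunter", "notice period")),
    EBoundary("confidential", "purple", ("confidential", "do not distribute", "nda")),
    EBoundary("acquisition", "blue", ("merger", "acquisition", "takeover", "due diligence")),
]


def add_keyword_boundary(boundaries, name, color, keywords, sensitivity="high"):
    """Return a new boundary list with an enterprise-specific keyword set appended."""
    kws = tuple(k.lower() for k in keywords)
    return list(boundaries) + [EBoundary(name, color, kws, sensitivity)]


def set_sensitivity(boundaries, name, level):
    """Return a new boundary list with one boundary's sensitivity changed."""
    if level not in SENSITIVITY_MIN_HITS:
        raise ValueError(f"unknown sensitivity {level!r}")
    return [replace(b, sensitivity=level) if b.name == name else b for b in boundaries]


def score(text, boundary):
    """Count distinct boundary keywords present as whole words/phrases in text."""
    lowered = text.lower()
    return sum(1 for kw in boundary.keywords
               if re.search(r"\b" + re.escape(kw) + r"\b", lowered))


def classify(capture, boundaries):
    """Return [(name, color, hits)] for every boundary the capture crosses."""
    crossed = []
    for b in boundaries:
        min_hits = SENSITIVITY_MIN_HITS[b.sensitivity]
        if min_hits is None:        # boundary switched off
            continue
        hits = score(capture.payload, b)
        if hits >= min_hits:
            crossed.append((b.name, b.color, hits))
    return crossed


def process(captures, boundaries):
    """Keep captures that trigger at least one rule; everything else is discarded."""
    kept = []
    for cap in captures:
        crossed = classify(cap, boundaries)
        if crossed:
            kept.append((cap, crossed))
    return kept


# Constructed sample traffic, as it might look after reassembly.
SAMPLE_CAPTURES = [
    Capture("HTTP", "10.0.0.12", "GET /weather HTTP/1.1\r\n\r\n<html>Tomorrow: sunny, high 72.</html>"),
    Capture("HTTP", "10.0.0.15", "GET /games HTTP/1.1\r\n\r\n<html>Online casino: poker and blackjack, "
                                 "place your wager now</html>"),
    Capture("SMTP", "10.0.0.21", "Subject: project falcon\r\n\r\nCONFIDENTIAL - do not distribute. "
                                 "Draft merger terms for the acquisition attached."),
    Capture("SMTP", "10.0.0.30", "Subject: lunch\r\n\r\nPizza at noon?"),
]

if __name__ == "__main__":
    rules = add_keyword_boundary(DEFAULT_BOUNDARIES, "project-falcon", "green", ["project falcon"])
    for cap, crossed in process(SAMPLE_CAPTURES, rules):
        print(f"{cap.protocol:5} {cap.src:12} {crossed}")
```

Only the two captures that cross a boundary are retained; the weather page and the lunch note are discarded exactly as the review describes for packets that stay within the eBoundaries. Switching a boundary to "off" or lowering its sensitivity reduces what is kept, which is the lever the review says an enterprise would use to trade coverage against disk consumption.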
For Web monitoring, the 1100 not only identifies the site accessed (as do the other products reviewed) but also captures the full content of those Web pages for later review. And, like Pearl Echo, it provides the full content of e-mail messages that match patterns of abuse without requiring a second product. Elron's IM and SurfControl's SuperScout require additional code bases to monitor e-mail content.
Like Elron's IM and SurfControl's SuperScout, eSniff delivers its reports through a Web browser; of the three, only eSniff and IM use that same browser interface for management functions as well. eSniff provides two levels of access: eSniff user and eAccess user. Both can create, restore and download archives and view logs and reports. Only the eSniff user has full access to all management and reporting functions, including the ability to install updates; establish system settings, such as passwords, date and time, and language; set or change category sensitivity levels; add keywords; configure ignored URLs; and manage disk space. Because either account can download archives holding full copies of flagged Web pages and e-mail, both deserve strong passwords, and the browser interface should be reachable only from administrative hosts.
The 1100's reporting tools, though not as advanced as those in Elron's IM and SurfControl's SuperScout, get the job done, identifying abuse and drilling down to the full content of the offense. Other products report only the URL and provide a link for a Web browser to replicate the incident; if the page moves without a forwarding reference or is removed from the original site, the record is lost. With the 1100, the exact page that fell outside an eBoundary is captured as it was downloaded. We believe this could prove invaluable in human-resources actions or lawsuits.
Unlike Elron's IM, however, the 1100 was unable to match IP addresses with MAC (Media Access Control) addresses; this feature, intended to counter IP spoofing so that logged activity is not attributed to the wrong host, is slated for version 2.4. Note that MAC matching can only vouch for hosts on the same segment as the appliance: traffic arriving through a router carries the router's MAC address, not the sender's. The 1100 monitored and reported on 96 percent of the traffic generated in our tests. Allowing for a 2.6 percent statistical variance across all reported scores, this performance was comparable with that of the other products tested, with considerably lower hardware requirements. For large sites, eSniff recommends one 1100 per 1,000 users. An enterprise version will soon provide a single administrative console for content management and reporting across multiple appliances. Also on tap is an option that automatically downloads and installs software upgrades from eSniff at no additional charge during the first year of operation. Version 2.4 will add an auto-update feature that informs administrators of available upgrades, which can then be scheduled and installed at leisure.
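To show what the missing IP-to-MAC check would buy, here is an added Python example (not eSniff's code, and not a description of how version 2.4 implements it) that records the first MAC address seen for each local IP address and flags any later frame in which that IP appears with a different MAC. The monitored subnet and the frame records are constructed assumptions; a real deployment would also have to tolerate legitimate rebinding when DHCP reassigns an address.

```python
"""IP-to-MAC binding check for a passively monitored segment.

Assumptions (not from the review): frames are seen on a mirrored port of the
local segment; only addresses inside LOCAL_NET are checked, because anything
arriving through a router carries the router's MAC address rather than the
true sender's and so cannot be bound to a MAC from here.
"""
import ipaddress
from collections import namedtuple

Frame = namedtuple("Frame", "ts src_mac src_ip")

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed monitored segment

# Constructed frame records (timestamp, source MAC, source IP).
SAMPLE_FRAMES = [
    Frame(1, "00:11:22:33:44:01", "10.0.0.15"),
    Frame(2, "00:11:22:33:44:02", "10.0.0.21"),
    Frame(3, "00:11:22:33:44:01", "10.0.0.15"),
    Frame(4, "00:11:22:33:44:09", "10.0.0.15"),    # same IP, different MAC
    Frame(5, "00:11:22:33:44:FE", "192.168.5.7"),  # off-segment: router's MAC
    Frame(6, "00:11:22:33:44:FE", "192.168.5.8"),  # off-segment: router's MAC
]


def check_bindings(frames, local_net=LOCAL_NET):
    """Return (bindings, alerts).

    bindings: local IP -> first MAC address seen using it.
    alerts:   (ts, ip, expected_mac, seen_mac) for each frame whose MAC
              disagrees with the recorded binding.
    """
    bindings = {}
    alerts = []
    for f in frames:
        if ipaddress.ip_address(f.src_ip) not in local_net:
            continue                      # cannot bind across a router
        mac = f.src_mac.lower()
        expected = bindings.setdefault(f.src_ip, mac)
        if expected != mac:
            alerts.append((f.ts, f.src_ip, expected, mac))
    return bindings, alerts


if __name__ == "__main__":
    bound, suspicious = check_bindings(SAMPLE_FRAMES)
    for ip, mac in bound.items():
        print(f"{ip:12} -> {mac}")
    for ts, ip, expected, seen in suspicious:
        print(f"t={ts}: {ip} seen from {seen}, bound to {expected}")
```

The two frames from the 192.168.5.0 hosts are skipped rather than bound, which is the limitation noted above: from the appliance's segment they are indistinguishable at the MAC layer.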
eSniff 1100 2.3. Available: Now. eSniff Corp., (303) 798-1568, (800) 262-0274; fax (720) 833-0903. www.esniff.com