Content Monitors
We connected each product to a test network to monitor FTP, HTTP, IC (Internet chat), IM (instant messenger), POP3, SMTP, telnet and Usenet News NNTP (Network News Transfer Protocol) traffic generated by 20 Microsoft Windows 2000 clients.
Network traffic monitors are normally placed where they can access all network traffic. For example, a monitoring device may sit behind a firewall, viewing incoming and outgoing packets in pass-by or pass-through mode. Devices using pass-by mode connect to a hub or switched port configured to monitor or mirror all traffic on the switch. Pass-by monitoring is passive and collects packets on the network without affecting network bandwidth. In pass-through mode, the monitoring device is inserted directly into the network path. During the pass, the device monitors and inspects packets. Pass-through monitoring directly affects network performance. Not all the products we tested perform in pass-through mode, so our test bed was set up for pass-by monitoring, which they all support.
Test Bed
An Extreme Networks Summit48 switch was configured with a mirror port for the devices under test. The eSniff 1100 could make direct use of the mirror port to monitor traffic. We used a Silicon Graphics SGI 1450 server as the monitoring device for all software. The SGI 1450 is a four-way, 700-MHz Pentium III-class server with almost 4 GB of RAM and two NICs. A Fast Ethernet NIC was used to connect the server to the mirror port on the Summit48, home to 20 Dell Computer Corp. Celeron 500 systems running Windows 2000 Pro. SGI's Gigabit Ethernet NIC was also connected to the Summit48 to manage and administer the server while it monitored network traffic from the mirror port in a passive or pass-by mode.
To test POP3 and SMTP traffic, we set up a Sun Microsystems UltraSPARC III workstation running Sun Solaris 2.6 with Sendmail 8.11.3. This box was also used to generate telnet and FTP activity. To generate tests for IC, IM and HTTP, we connected client PCs to the Internet and used real-world traffic. In addition, Usenet News traffic was obtained from Syracuse University's NNTP server (news.syr.edu).
For each device, client PCs generated random traffic using FTP, IC, IM and telnet. A subset of the 20 clients under test retrieved more than 100 mail messages over POP3 and returned the same using SMTP. HTTP traffic was generated from Internet sites using cURL (the name plays on "client for URLs"), a command-line utility to get Web pages using URL syntax (see curl.haxx.se). With cURL, we wrote batch programs to download 50 Web sites that could be categorized as gambling, games, porn, racism, shopping and sports. Each batch program logged results and exceptions (errors) to files to verify the success or failure of each URL request. Batch files were executed simultaneously on each client for each product to simulate network activity requesting and receiving 1,000 URLs within about two minutes. This amounts to about eight pages per second. Using Extreme Networks' Web-based management tool and the Windows NT Performance Monitor, we found this activity did not stress the Summit48 switch or the NIC.
The ability of a monitoring device to capture all the traffic passing by a switch or hub depends on the amount of traffic and the hardware used. The eSniff 1100 and the SGI 1450 were both capable of capturing 100 Mbps, ample bandwidth for eight Web pages per second to pass by the port without error and without saturating the switch port or the NIC.
The eSniff 1100 reported 100 percent of all pages delivered to four clients; the same was true when we ran cURL with 10 clients. When we ramped up to 20 clients, eSniff fell to 96 percent. SurfControl's SuperScout maintained 100 percent throughout each test. Elron Software's Internet Manager and Pearl Software's Pearl Echo received just under 100 percent using 20 clients. Allowing for a 2.6 percent statistical variance, all products performed equally. If vendors were asked to take the stand to confirm 100 percent monitoring compliance, only SurfControl could answer in the affirmative.
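The scoring behind these percentages, as an added example that is not part of the original review: the cURL batch logs establish which pages were actually delivered to each client, and a monitor gets credit only for delivered pages it reported. The log line format, the monitor report format, the sample rows and the client names are all constructed assumptions for this example; the 2.6 percent allowance is the variance quoted above.

```python
"""Score a content monitor's capture rate from cURL batch logs.

Assumed (constructed) input formats, not the review's real files:
  cURL batch log, one line per request: "<client> <url> <curl_exit_code> <http_code>"
  monitor report, one line per captured page: "<client> <url>"
A page counts as delivered only when curl exited 0 and the server returned 200.
"""
from collections import defaultdict

# Constructed sample data: two clients, six requests, one failed download
# (curl exit 7 = could not connect, so client01 never received /shop/3).
CURL_LOG = """\
client01 http://example.test/sports/1 0 200
client01 http://example.test/games/2 0 200
client01 http://example.test/shop/3 7 000
client02 http://example.test/sports/1 0 200
client02 http://example.test/games/2 0 200
client02 http://example.test/shop/3 0 200
"""

# Constructed monitor output: it missed client02's /shop/3 page.
MONITOR_REPORT = """\
client01 http://example.test/sports/1
client01 http://example.test/games/2
client02 http://example.test/sports/1
client02 http://example.test/games/2
"""

VARIANCE_PCT = 2.6  # statistical variance allowed before a product is called a miss

def delivered_pages(curl_log):
    """Return the set of (client, url) pairs that cURL actually fetched."""
    delivered = set()
    for line in curl_log.splitlines():
        client, url, exit_code, http_code = line.split()
        if exit_code == "0" and http_code == "200":
            delivered.add((client, url))
    return delivered

def reported_pages(report):
    """Return the set of (client, url) pairs the monitor claims to have seen."""
    return {tuple(line.split()) for line in report.splitlines() if line.strip()}

def capture_rate(curl_log, report):
    """Percentage of delivered pages the monitor reported: (overall, per client)."""
    delivered = delivered_pages(curl_log)
    seen = reported_pages(report) & delivered   # ignore pages never delivered
    per_client = defaultdict(lambda: [0, 0])    # client -> [reported, delivered]
    for client, url in delivered:
        per_client[client][1] += 1
        if (client, url) in seen:
            per_client[client][0] += 1
    overall = 100.0 * len(seen) / len(delivered) if delivered else 0.0
    return overall, {c: 100.0 * hit / total for c, (hit, total) in per_client.items()}

def within_variance(rate, variance=VARIANCE_PCT):
    """True when a capture rate is indistinguishable from 100 percent."""
    return rate >= 100.0 - variance
```

Run against the constructed data, the monitor scores 80 percent overall (4 of 5 delivered pages), which falls outside the 2.6 percent allowance.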
From here, it became an academic exercise to saturate the switch with traffic where packets would be dropped and not monitored by the products under review. For final Web pages downloaded and final results, see "Monitoring Efficiency: cURL Results".