Network + Systems Management
F E A T U R E  
Review: SolarWinds Sheds Light on Networks

  July 22, 2002
  By Bruce Boardman



More Products Reviewed
Castle Rock Computing SNMPc Workgroup Edition | WildPackets EtherPeek NX | Ipswitch WhatsUp Gold Version 7 | MRTG (Multi Router Traffic Grapher) | Visualware VisualRoute

Castle Rock Computing SNMPc Workgroup Edition

SNMPc is not a network utility by design. It is an enterprise SNMP-monitoring system. But it has a light enough touch to fit onto a laptop, runs within minutes and offers a path for managing larger, more complex environments.

SNMPc comes in Workgroup and Enterprise editions. We tested the Workgroup Edition, which has the same functions (sans trend reporting) as the Enterprise Edition, because it fit our requirement to be a self-contained network-management tool. SNMPc scales to the Enterprise Edition by supporting multiple console access via a Java console, and distributed polling engines scale to larger or WAN distributed networks. Castle Rock is also the only vendor to support SNMPv3, attesting to SNMPc's place as a serious network-management tool.


The alert functionality in SNMPc is similar in design to large network-management applications. Alerts and alarms within SNMPc are triggered in response to poll, server and SNMP trap activity and are displayed on a rolling alert window. Filters can be set to create an action, which when matched can page, e-mail, execute, log or forward the event to another network-management application. Castle Rock has done about as much as possible to make this an out-of-the-box experience by populating hundreds of SNMP traps automatically.

The Workgroup Edition's reporting capabilities are limited but not completely lacking. The Enterprise Edition includes detailed historical performance reporting, but we didn't test that edition, in keeping with our toolbox test criteria. We did, however, take a peek at the Enterprise reports, which gather long-term usage and availability information with a tunable baseline that can be used to set thresholds. Reports can be scheduled on a daily, weekly and monthly basis and output in HTML.

SNMPc's reporting is linked with SNMP. SNMPv3, cable modem, interface, bridge and protocol, to cite a partial list, have predefined, easily accessible right-click context launch queries. We would have liked queries for MIBs that the device didn't support to be grayed out in those menus.

The SNMPc MIB browser, on the other hand, has it all: MIB browsing, SNMPv3 support, MIB walking and a huge library of MIBs. The walking is a side benefit from the MIB browser's automated functions that allow for SNMP operations such as next, get, getbulk and set, limited by error or continuous. It also contains a delay to mitigate device-CPU and WAN-bandwidth utilization during the automated multi-get routine.

SNMPc Workgroup Edition, $495. Castle Rock Computing, (408) 366-6540. www.castlerock.com

WildPackets EtherPeek NX

You deserve EtherPeek NX. So what if it costs more--you work hard, you're a professional, treat yourself. EtherPeek is, first and foremost, a good protocol analyzer, but it also comes with quite a few tools that make it a great pick for fixing network problems. It's part analyzer, part network tool, part real-time performance manager and all about getting to the root of a problem. This is a great friend to have when you're facing a malfunction all by your lonesome.

EtherPeek and WildPackets have been around for a long time (the company used to be AG Group), but lest you be confused, it's the same (albeit improved) product and the same development group. The iteration we tested, NX, does protocol analysis and performance monitoring and includes iNetTools, which is what WildPackets calls the utilities: Ping, Ping Scan, TraceRoute, Name Lookup, Name Scan, F-16 Flight Simulator, DNS Lookup, Port Scan, Service Scan, Finger, Whois and Throughput Measurement. Guess which one I'm kidding about? No, not Finger.

Quick, easy, flexible, accurate--it's no wonder we all love using EtherPeek's protocol analysis. With a few mouse clicks, we set up pre- and post-capture filters with common offset filters for protocols and addresses. Advanced filtering, with chained and nested OR and AND conditions, is also possible.

Decodes are complete from Layer 2 through TCP and UDP services, like SMTP, SNMP and FTP. EtherPeek also has what WildPackets calls "analysis modules." EtherPeek set the standard for readable decodes long ago, and this version continues the tradition with a configurable three-pane display, user-selectable display options and colors for readability. Capture buffer navigation is easy, with stepwise, find and jump-to functions. Decode layer position is maintained from packet to packet, meaning that once you've scrolled down to HTTP, HTTP rather than the Ethernet header will be displayed when the next packet is selected. This is necessary for a decode to be usable.

Specific traffic monitoring capabilities that come with the product include the detection of duplicate addresses, Internet attack, unanswered Novell NetWare RIP/SAP/NCP requests, logging Web URL accesses, and successful and failed e-mail transfers. In addition, an accompanying SDK allows for custom tracking of other protocols and applications.

The performance statistics for these analysis modules are gathered in a summary screen based on packets in the capture buffer, either in real or in stop time. The summary screen displays statistical buckets grouped by the analysis modules. For example, the e-mail analysis module (which is, by the way, one of the smallest modules) lists initiated, successful and failed SMTP transfers. These statistical buckets can be displayed as total packets, bytes or percentages, or as per-second values.

The summary screen gave us an overview of what was happening on the wire. We were interested in the Internet-attack analysis module, which provides a security analysis report on attacks such as Gin, Jolt, Land, Oversized IP, Pimp, RIP, Teardrop and WinNuke. These statistical buckets could be graphed and saved. In addition, we periodically took snapshots of the statistics. The snapshot is displayed directly next to the real-time collections and compared with previous snapshots, making diagnostic comparisons easy.

Two layers of alarms, Suspect and Problem, can be set. The configuration window offers the selection of thresholds by byte or packet, either total or per second, with a range of severities, from "information" through "severe." The rearm mechanism is based on the number of units under the alarm threshold passing within a specified time period. We welcome this sophisticated and complete set of alarm threshold mechanisms on an analyzer.

Two other displays, one for protocols and one for nodes, provide interesting high-level views. The protocol display shows Layer 2 through 5 summaries, while the node displays total traffic in bytes and packets sorted by node. A wide range of right-click context launches let us, for example, select specified packets in the capture buffer, see graphed packets, save protocol and node statistics, and create alarms.

EtherPeek offers fine-grain control over the alarm, letting us link to any of the statistics monitored in the node, protocol or summary screens. As would be expected with a protocol analyzer, this includes Ethernet statistics like broadcast, multicast, unicast, utilization, errors and packet size. In addition, we got protocol types, SMTP, FTP, ICMP, IP, NetWare, newsgroup, Internet attack and Web URLs. Not bad.

There is a name table, and in addition to IP and MAC addresses, protocols and ports can be given names. You can do this naming by editing the table or importing a pre-existing list, either in the native EtherPeek format or as a delimited file, making possible the import of host files. However, an additional field is required to indicate that the entries are IP, as EtherPeek supports Ethernet MAC and port resolution in its name table.

EtherPeek can group packets into threads so related packets, like subsequent SNMP gets, can be tracked easily. Finally, EtherPeek's help files are descriptive and tutorial without being condescending.

EtherPeek NX, $2,995 (includes annual maintenance). WildPackets, (800) 466-2447, (925) 937-7900; fax (925) 937-2479. www.wildpackets.com or info@wildpackets.com

Ipswitch WhatsUp Gold Version 7

WhatsUp Gold keeps getting better. In version 7, Ipswitch has added import and export of ASCII map and device data, more SNMP monitoring, TCP/UDP port monitors, speech notification of alerts, and improved alert management. Version 7 also shows its maturity in its complete help files and its cookbook approach for first-time users. For new network managers, it is the easiest of these packages to learn and use.

This release sports new Web-based templates that have a much-improved look. When we upgraded from 6.2a, the installation wizard recognized the existing installation and offered to skip the new templates or back up the existing templates and install the new ones. We chose the latter and were glad we did.

This isn't to say that the 32-bit interface has stood still; it now offers a tabbed selection of statistics, notifications, map editing and status. These views are available off the drop-down menu, but the tabs make it easier to navigate from one view to another on separate subnets. We also liked the status display. Even though it gives only a single map's status, it does represent all the interfaces or services that are associated with a networked device being monitored. WhatsUp is great for the quick and dirty "It's up and functioning" check or the ever-popular "Hey, what's with so-and-so's FTP service?"

WhatsUp will run as a Windows NT service, and when doing so it uses only the Web console for access. This Web access with fairly granular access control and the ability to run as an NT service makes WhatsUp resemble a full-blown network-management system, but it still fits quickly onto a laptop and doesn't cost an arm and a leg. The Web interface allows for read access only; configuration is still done via the Win32 console.

The automatically drawn maps of devices resulting from the discovery process can be edited to change the type of device and to create connections between devices. An SDK that supports a C++ interface as well as import and export of the map and associated device information in INI and XML formats is available.

WhatsUp comes with a number of predefined reports as well as a simple-to-use report-creation tool. WhatsUp led the pack with the most reporting formats, from PDF, HTML, Microsoft Word and Excel, and Seagate Crystal Report formats to RTF, CSV, ASCII and DIF. Furthermore, regular performance reports can be scheduled to run at specific intervals and sent to any recipient via e-mail or posted to the Web interface for on-demand viewing. This eliminates the need to run reports manually and ensures distribution of management information to network stakeholders. Reports can be saved in a variety of formats, including Word, PDF and HTML.

The reporting includes command-line parameters for scheduling output, but one of the alarm notification methods will mail the status of devices in the network. The SNMP functionality includes graphing SNMP OIDs and getting ARP (Address Resolution Protocol), route, address and interface tables. It also includes a MIB browser, but there is neither write access to the MIB nor a MIB walker to explore the installed MIBs automatically.

One polling option that is unique to WhatsUp Gold is the ability to poll devices based on a status dependency. For example, a device can be configured for polling only when another device is down.

WhatsUp Gold Version 7, $795. Ipswitch, (781) 676-5700; fax (781) 676-5710. www.ipswitch.com

MRTG (Multi Router Traffic Grapher)

MRTG gathers performance statistics from devices, displaying real-time result graphs via HTML. Any OID is manageable, as long as the ASN.1 string is specified in the script. MRTG runs in a combination of Perl and C++, and the best part is that it's free under GNU. Of course, the downside is that because it's free, you can't buy support for it. However, a lot of support is available on the Web. A good place to start is people.ee.ethz.ch/~oetiker/webtools/mrtg/.

By running a configuration routine (cfgmaker), MRTG can discover a device. The product walks through the interfaces, listing IP address, SNMP community and speed. It then creates a small HTML table to format the results of the get.

The default interface number is used to index interfaces. This sounds logical enough, but as the documentation correctly notes, SNMP interface numbers change periodically for no particular reason--"every full moon, just for fun." MRTG allows for the naming of the interface based on selectable variables, a somewhat advanced feature when compared with the offerings of many commercial performance-management products. The options are IP address, Ethernet address, description and name.
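Why the choice of naming variable matters, as an added example that is not from the article or from MRTG: a graph keyed by interface number silently follows whatever port now holds that number after a renumbering. The interface tables are constructed sample data and the function names are hypothetical; the four reference types are the ones listed above.

```python
STABLE_REFS = ("ip", "eth", "descr", "name")  # the four naming options the review lists

# Constructed sample data: one router's interface table polled before and
# after a change that renumbered its SNMP interface indexes.
BEFORE = {
    1: {"ip": "192.0.2.1", "eth": "00:00:5e:00:53:01", "descr": "FastEthernet0/0", "name": "Fa0/0"},
    2: {"ip": "192.0.2.65", "eth": "00:00:5e:00:53:02", "descr": "FastEthernet0/1", "name": "Fa0/1"},
    3: {"ip": None, "eth": None, "descr": "Serial0/0", "name": "Se0/0"},
}
AFTER = {
    1: {"ip": "192.0.2.1", "eth": "00:00:5e:00:53:01", "descr": "FastEthernet0/0", "name": "Fa0/0"},
    2: {"ip": None, "eth": None, "descr": "Serial0/1", "name": "Se0/1"},  # newly added port
    3: {"ip": "192.0.2.65", "eth": "00:00:5e:00:53:02", "descr": "FastEthernet0/1", "name": "Fa0/1"},
    4: {"ip": None, "eth": None, "descr": "Serial0/0", "name": "Se0/0"},
}


def index_by(table, ref):
    """Map each interface's `ref` value to its interface number.

    Raises ValueError if any interface lacks the value or two interfaces
    share it, because such a key cannot identify a port unambiguously.
    """
    keyed = {}
    for ifindex, row in sorted(table.items()):
        value = row.get(ref)
        if value is None:
            raise ValueError(f"interface {ifindex} has no {ref!r} value")
        if value in keyed:
            raise ValueError(f"{ref!r} value {value!r} is not unique")
        keyed[value] = ifindex
    return keyed


def usable_refs(table):
    """Return the reference types that identify every interface in the table."""
    usable = []
    for ref in STABLE_REFS:
        try:
            index_by(table, ref)
        except ValueError:
            continue
        usable.append(ref)
    return usable


def moved_interfaces(before, after, ref):
    """Return {ref value: (old number, new number)} for ports that were renumbered."""
    old, new = index_by(before, ref), index_by(after, ref)
    return {value: (old[value], new[value])
            for value in old if value in new and old[value] != new[value]}


if __name__ == "__main__":
    print("usable references:", usable_refs(BEFORE))
    print("renumbered ports:", moved_interfaces(BEFORE, AFTER, "descr"))
```

The unnumbered serial port has neither an IP address nor an Ethernet address, so only description and name identify every interface on this sample device.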

We created a configuration file for a couple of devices and began the collection of data by running MRTG with a collection frequency of five minutes. Users can set this polling option. The statistics we collected and reported via a preformatted HTML page showed daily five-minute averages, weekly 30-minute averages and monthly two-hour averages; if we had run it long enough, it would have shown yearly daily averages.

Another included routine, Indexmaker, creates HTML indexes for all the files we configured to collect our performance statistics. This is good shrinkwrapped functionality for nonshrinkwrapped software.

MRTG makes some guesses when disconnected, creating flat graphs if disconnected for a long time but taking a reasonable guess as to why the packets may have gotten lost. More important, its data representation assumptions are clearly explained, something that many commercial products hide to improve ease of use!

The product's setup is manual and command-line oriented, but all it takes is the ability to follow directions and the willingness to troubleshoot errors. Clearly, MRTG is not idiot-proof, but once running, it is very stable.

MRTG (Multi Router Traffic Grapher), free under GNU. people.ee.ethz.ch/~oetiker/webtools/mrtg/

Visualware VisualRoute

VisualRoute runs traceroute over and over, tracking the differences from one traceroute to the next measurement at each hop. This data is provided as a table with a line per hop showing IP address, name, location if available, time zone, latency and a historical current graph overlaid with minimum/maximum values. This is all displayed over a map of the world.

VisualRoute is a fun application to run, and it does offer some decent quick information about tracking a possible path problem. Of course, unless you're working for a service provider, the map of the world seems like overkill, but the tabled information is useful in any routed environment. And though the map is optional, it is good for tracking down locations. We found that the location information wasn't always available and suspect that it is sometimes a guess, but we generally did get stats on country, state, city, and longitude and latitude. It isn't perfect, but it does offer some help answering the where question.

Once a trace has been performed, the data can be saved as HTML, JPEG or text, making it easy to share a problem situation with tech support or a colleague via e-mail. The HTML version loses some of the graphic granularity when compared with the JPEG version, and the text version is just the table, no graphics. All in all, however, it's a useful feature.

In addition to this basic performance information, diagnostic path problems are indicated. For example, when we tested to VeriSign, VisualRoute indicated that the Port 80 service was up but that the ping packets were being blocked at a particular hop. Another handy feature is the ability to type in an e-mail address and get a listing of mail server addresses, which can then be clicked on to run a VisualRoute traceroute.

It's no wonder that Visualware's products are so popular. They run on Apple Computer Mac OS 9 and 10, BSD, Linux, Sun Microsystems Solaris, and Windows, with functionality that ranges from a single option running on a single workstation to combined suites that run in a distributed computing architecture. Oh, and that's how the pricing is as well--if you need only a single function, save your lunch money for a couple of days and you have it.

While we were testing VisualRoute, the company's Web site became unavailable from our location. VisualRoute diagnosed the problem and fingered Verio. Our mamas told us not to point, but darn it, it's nice to have a network tool that steers you in the right direction.

VisualRoute, $39.95. Visualware, (866) 847-9273, (703) 802-9006; fax (703) 832-8979. www.visualware.com

Bruce Boardman is executive editor of Network Computing, testing and writing on network systems and management. He has 12 years of IT experience managing networks and distributed computing for a financial service provider. Send your comments on this article to him at bboardman@nwc.com.

