Making The Diagnosis With Windows Protocol Analyzers

Triticom LANdecoder32 1.10
Although it offers a slightly less stellar feature set than Network General and Shomiti, Triticom was the only vendor to bundle an expert system with standard monitoring and decode capabilities. Although LANdecoder32's monitoring and decode capabilities are quite good, its minimal filters and an unfriendly address book cost it some points. In addition, it does not include a traffic-generation module.

One of LANdecoder32's most prominent screens is the large dashboard of performance meters. Displaying current utilization, frames and octets per second, as well as errors, broadcasts and multicasts, LANdecoder32 offers a detailed overview of network performance in a friendly screen. Short-term baseline graphs of these functions also are available. And alarm thresholds can be applied to all parameters. However, alarm actions are limited to logging and playing a sound. During our utilization tests, Triticom's product accurately displayed percent utilization and packets per second (pps) up to our maximum of 96 percent at 4,394 pps.

LANdecoder32 offers very competitive protocol decodes, but wading through large capture buffers is slightly less efficient than using the three-paned windows found in NetXRay and Surveyor. Although the interface displays packet functions in the buffer window, looking through individual packet decodes opens child windows. Scanning through packets is accomplished using arrow buttons at the top of the screen. LANdecoder32's decodes are handled by a separate application, launched through Windows 95's Start menu or automatically following a capture. What's most useful, however, is the "Expert Diagnosis" button on the decoder's toolbar. The expert diagnosis found several unsuccessful NCP (Network Control Program) operations, missing replies and one-way TCP packet flows in the capture buffer.

We found LANdecoder32's filters useful for specifying network-layer or MAC addresses, in addition to some application-layer protocols (by the guided building of offset filters). But its filter mechanism is not as evolved as those of NetXRay and Surveyor. In fact, we were extremely disappointed that LANdecoder32 is not capable of creating exclusion filters (excluding a specific MAC or IP address or specific protocol), which, in turn, excluded it from our filter performance test. Likewise, while Triticom offers a name table, it didn't automatically learn MAC and IP addresses from our network. This resulted in a frustrating session of manually entering MAC addresses and host names.

LANdecoder32 performed well in our capture tests. It offers good network monitoring, captures and decodes, and the valuable addition of intelligent post-capture analysis. But this all comes at a price--LANdecoder32 costs twice as much as most other products we tested.

Network Instruments Observer 4.0e
Observer 4.0e presents a good value, offering useful monitoring tools like active network analysis, as well as station and router interface performance monitors.

Aptly named, Observer is more useful as a performance monitor than a protocol decoder. It includes active network testing (it can blast packets to test network access efficiency), and we found its interface monitors to be productive tools. When you select a router port's MAC address and manually enter the maximum interface speed (in octets per second), Observer counts frames to and from that address, effectively measuring the utilization. We pointed Observer at our Cisco Systems 2501 256-Kbps frame relay router and watched the dials push into the red zone during a 50-MB download from our corporate headquarters in Manhasset, N.Y.
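The interface-monitor calculation described above can be sketched as follows. This is an added example, not Observer's code: the MAC addresses and frame records are constructed, the 90 percent "red zone" threshold is an assumption, and each direction is compared separately against the entered speed.

```python
from collections import defaultdict

ROUTER_MAC = "00:00:0c:aa:bb:cc"       # constructed router-port address
HOST = "00:a0:24:11:22:33"             # constructed workstation address
LINK_OCTETS_PER_SEC = 256_000 // 8     # the 256-Kbps link from the text = 32,000 octets/s

# Constructed capture records: (timestamp_seconds, src_mac, dst_mac, frame_octets)
SAMPLE_FRAMES = (
    [(0.10, HOST, ROUTER_MAC, 64),
     (0.40, ROUTER_MAC, HOST, 1514),
     (0.70, HOST, "00:a0:24:44:55:66", 1514)]   # local traffic, never touches the router
    + [(1.00 + i * 0.04, ROUTER_MAC, HOST, 1514) for i in range(20)]  # download burst
    + [(1.02 + i * 0.04, HOST, ROUTER_MAC, 64) for i in range(20)]    # small replies
)

def interface_utilization(frames, mac, max_octets_per_sec):
    """Return {second: (pct_to_mac, pct_from_mac)} for frames addressed to or from mac."""
    mac = mac.lower()
    to_mac, from_mac = defaultdict(int), defaultdict(int)
    for ts, src, dst, octets in frames:
        second = int(ts)                       # one-second measurement buckets
        if dst.lower() == mac:
            to_mac[second] += octets
        if src.lower() == mac:
            from_mac[second] += octets
    return {
        second: (round(100 * to_mac[second] / max_octets_per_sec, 1),
                 round(100 * from_mac[second] / max_octets_per_sec, 1))
        for second in sorted(set(to_mac) | set(from_mac))
    }

def red_zone(utilization, threshold_pct=90.0):
    """Seconds in which either direction met the (assumed) alarm threshold."""
    return [s for s, (rx, tx) in utilization.items() if max(rx, tx) >= threshold_pct]

if __name__ == "__main__":
    util = interface_utilization(SAMPLE_FRAMES, ROUTER_MAC, LINK_OCTETS_PER_SEC)
    for second, (rx, tx) in util.items():
        print(f"t={second}s  to-router {rx}%  from-router {tx}%")
    print("red zone seconds:", red_zone(util))
```

Because the counters are keyed on the LAN-side MAC address, the figure is only as accurate as the interface speed entered by hand.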

We were disappointed in Observer's relatively short list of application-layer protocol decodes. In addition, we observed some stability problems when it was subjected to high levels of network utilization and errors, resulting in a crashed application. This occurred only when we artificially generated traffic in excess of 98 percent utilization on a 10-Mbps segment. While it is true that other products like NetXRay and EtherPeek appeared to lock the interface under extreme utilization (to give priority to data analysis), they gracefully recovered as soon as traffic levels decreased. Observer just crashed.

While Network Instruments suggests that TCP protocols are text-based and don't require extensive decodes, we found that other applications take the trouble to interpret status codes and additional control information in the protocols. That being said, Observer does make use of the three-paned decode window, which we found more efficient for searching through large captures. However, the packet list window pane only shows basic information and protocol type, as opposed to an abbreviated decode, which makes it harder to locate a particular conversation or packet type with the naked eye.






Avoid WAN Outages: Three Leased-Line Failover Devices Keep You Connected
By Jeff Newman


Updated November 10, 1997

