Review: SolarWinds Sheds Light on Networks

We loaded up our toolbox with gadgets that can pinpoint network problems and get them fixed fast and for a reasonable price. All our entries shone, but one was

July 22, 2002


We loaded up our lab with Castle Rock Computing's SNMPc Workgroup Edition; Ipswitch's WhatsUp Gold; MRTG, provided through GNU General Public License; SolarWinds.Net's SolarWinds Engineers Edition; Visualware's VisualRoute; and WildPackets' EtherPeek NX with Network Tools.

These packages range from being like the Swiss Army knives, with lots of functional utilities, to complex systems that monitor performance and faults on your network. But they all leverage the power of desktop PCs and are inexpensive or, in one case, free. These tools do many of the same things more complex systems do, such as discovering, mapping, monitoring and reporting, but they focus on fixing problems now rather than implementing a total solution.

Network Management Toolbox Features

Down to Brass Tacks

All these products rock--there's no heavy front-end lifting to implement them, and they get down to business with a payback faster than you can spell "ROI." We don't hesitate to recommend any of them. When it comes to a network manager's day-to-day struggle to survive, these are what keep you going.

Picking a winner may seem a bit like comparing apples and oranges--after all, is a hammer better than a wrench? We'll admit that your mileage may vary, but if we could take only one set of tools to a deserted network island, we'd load up our raft with SolarWinds.Net's networking tools. It has the kitchen sink and now our Editor's Choice award too. This mixed bag of disparate tools covers the entire gamut of our modified FCAPS (see "How We Tested" for how we fudged fault, configuration, accounting, performance and security) at a reasonable price. SolarWinds.Net's product is a tool for all reasons.

MRTG (Multi Router Traffic Grapher) gets our Best Value award, having a sum total price tag of a big fat nada, zip, zero (under GNU). It is a hunter, gatherer and grapher, spewing SNMP performance statistics into HTML, and it has spawned an active Internet community, which adds lots of value.

SolarWinds is the definitive network toolbox. It has a ton of utilities, ranging from simple, variable ping monitors and subnet calculators to more sophisticated performance monitors and address-management functions. What appeals to us most about SolarWinds is that, though it is definitely a bunch of separate, immediately usable utilities, there is structure tying the tools together. That is, even though the tools operate in separate windows, they are integrated in that they provide context launches of other tools. Selecting an IP address in the IP Address Management utility allows for a telnet, trace route, ping and browse of the selected address.

SolarWinds is available in multiple versions, from the Standard Edition to the Engineers Edition. Each step up adds more tools, with more functionality. The downside of the Engineers Edition is an annoying duplication of function. The toolbar with icons for launching applications is configurable, so we created groups of icons for the applications we wanted. For our money, we recommend the Engineers Edition, just because it has all the tools you could want.

SolarWinds offers several performance tools, from a simple availability monitor, WatchIT, which sits on the edge of the desktop and reports dropped packets and response failures through color changes and WAV files, to the Network Performance utility, a full-blown historical performance collection engine with a Microsoft Access database.

The Router CPU Load feature tracks router and switch CPU load, reporting average, minimum, maximum and real-time values. Devices can be saved in groups, and the group can be reloaded so you can quickly check on an entire set of devices. The one thing we didn't like is that, though the peaks are saved, the actual value of the peak is not displayed.

At the high end of the performance application spectrum is the Network Performance tool. This is more like an application than a utility. It tracks interface performance, sends alerts on out-of-threshold violations and lets you create a baseline. Network Performance is the monitoring star of SolarWinds. There are summary charts for response time, load, utilization and errors. These are available separately, specifically for each monitored interface.

With brute force and a slap, SolarWinds makes quick security checks. A dictionary-driven brute-force function tries every password in the dictionary, checking router and switch SNMP communities and CLI (command-line interface) passwords. We ran a check on our simple, Alzheimer's-inspired passwords (at least I think we did), and SolarWinds let us pass. So we threw it a bone and created a "public" password, but no catch by SolarWinds. So we lay down in the middle of the road with the community "public," and voilà, SolarWinds picked it off. Hey, it's about the dictionary--the bigger the better.

Another security tool, the Router Password Decrypt, decrypted Cisco Type 7 passwords successfully, though other types were not decrypted. Finally, with the Remote TCP Session Reset utility, we took great pleasure in jerking the rug out from under the troglodyte who continually leaves telnet sessions up in our lab (well, we enjoyed it until we fell on our asses ourselves).
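A defender can run the same two checks offline against saved configurations rather than against live devices. The following Python is an added example, not part of the original review or of SolarWinds; the wordlist and the sample configuration are constructed, and it only flags Type 7 strings as reversible without decoding them.

```python
import re

# Constructed wordlist; as the review notes, coverage depends on dictionary size.
DEFAULT_WORDLIST = {"public", "private", "cisco", "admin", "snmp", "monitor"}

# Constructed sample configuration; the Type 7 and Type 5 strings are placeholders.
SAMPLE_CONFIG = """\
hostname lab-rtr1
enable secret 5 $1$CONSTRUCTED$placeholderhash
enable password 7 00AABBCCDDEE
username ops password 7 01AABBCCDDEE
username admin secret 5 $1$CONSTRUCTED$placeholderhash
snmp-server community public RO
snmp-server community Xk9-lab-ro RO
snmp-server community private RW
line vty 0 4
 password 7 02AABBCCDDEE
 login
"""

COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(\S+)(?:\s+(RO|RW))?", re.IGNORECASE
)
TYPE7_RE = re.compile(r"\bpassword\s+7\s+[0-9A-Fa-f]+\b")


def audit_config(text, wordlist=DEFAULT_WORDLIST):
    """Return findings as (line_number, rule, detail); secrets are never echoed."""
    words = {w.lower() for w in wordlist}
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = COMMUNITY_RE.match(line)
        if m and m.group(1).lower() in words:
            access = (m.group(2) or "RO").upper()  # IOS defaults to read-only
            findings.append((lineno, "dictionary-snmp-community", access))
        if TYPE7_RE.search(line):
            # Type 7 is reversible obfuscation, so treat it as exposed plaintext.
            context = line.split("password")[0].strip() or "line password"
            findings.append((lineno, "reversible-type7-password", context))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Passing a wordlist that lacks "public" reproduces the miss the review describes: the community line is simply not reported.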

SolarWinds has more address-related tools than any of the other products we tested, ranging from ping sweep to MAC (Media Access Control), IP and TCP/UDP services. In addition to device discovery, SolarWinds has DNS Audit, IP Address Management, Subnet Calculator and DHCP Scope Monitor utilities. All in all, it offers a great set of tools to find what's on the network and related addresses and names.

The IP Address Management tool tracks addresses and determines whether they are being used, when they were last used, if they are available and response time to pings. For devices supporting SNMP, machine, type, name and location are also displayed.

The Subnet Calculator, besides doing the obvious, queries a host to determine its running mask. Guess what the MIB Browser does? Right: It performs table and specific OID (object identifier) gets, with textual explanations. MIB queries can be loaded into separate windows, making comparison easier. But, alas, there's no set access and no MIB compiler. Actually, a separate and included tool, Update System MIB, will change system name, location and contact fields. SolarWinds plans on adding a compiler in a future release.

The MIB Walker is nice, performing get nexts until the MIBs supported by a device are completely discovered. Be careful though--not only can this take more than a couple of minutes, we have seen it drive up CPU utilization. SolarWinds offers a good, not great, MIB browser (Castle Rock's SNMPc has the best MIB browser).

SolarWinds is the only product we tested to include router and switch configuration management; we downloaded and stored Cisco configurations. Also included is a diffing application that will check what's stored against what is running. A TFTP server is also provided, to allow for upload of router and switch images and configurations.
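The stored-versus-running comparison can be reproduced with any text diff once volatile lines are filtered out. The Python below is an added example, not SolarWinds' code; both configurations are constructed, and the list of security-relevant commands is an assumption to adapt to your own devices.

```python
import difflib
import re

# Constructed configurations: STORED is the archived copy, RUNNING is what
# the device reports now.
STORED = """\
! Last configuration change at 10:02:11 UTC Mon Jul 1 2002
hostname lab-rtr1
enable secret 5 $1$CONSTRUCTED$placeholderhash
interface FastEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
snmp-server community Xk9-lab-ro RO
line vty 0 4
 transport input ssh
 login local
"""

RUNNING = """\
! Last configuration change at 23:47:05 UTC Fri Jul 19 2002
hostname lab-rtr1
enable secret 5 $1$CONSTRUCTED$placeholderhash
interface FastEthernet0/0
 description uplink to core
 ip address 192.0.2.1 255.255.255.0
snmp-server community Xk9-lab-ro RO
snmp-server community public RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# Lines that change on every save and would otherwise show up as drift.
VOLATILE = re.compile(r"^(!|ntp clock-period|Building configuration|Current configuration)")
# Assumed set of commands whose changes deserve a second look.
SENSITIVE = re.compile(
    r"^\s*(snmp-server|username|enable (?:secret|password)|access-list|"
    r"ip access-group|transport input|password)\b"
)


def normalize(text):
    """Drop blank and volatile lines, keep indentation (it carries context)."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not VOLATILE.match(ln)]


def config_drift(stored, running):
    """Return [("removed" | "added", line), ...] in configuration order."""
    a, b = normalize(stored), normalize(running)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    drift = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        drift += [("removed", ln) for ln in a[i1:i2]]
        drift += [("added", ln) for ln in b[j1:j2]]
    return drift


def sensitive_drift(drift):
    """Keep only changes that touch access control or credentials."""
    return [(op, ln) for op, ln in drift if SENSITIVE.match(ln)]


if __name__ == "__main__":
    for op, ln in sensitive_drift(config_drift(STORED, RUNNING)):
        print(f"{op:8} {ln}")
```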

The Traffic Generator, as its name suggests, generates random traffic, with variable packet size and either automatic interframe gap or user-selectable interframe gap. From your laptop you aren't going to bring the network down, but you'll do some damage (not that we ever have).

We don't like that SolarWinds lacks a centralized database. We know, we know: We said the products had to be quick and easy to be included in our tests, but after adding the same addresses in two of three places, a little data sharing is in order. SolarWinds claims it will create a single database with a new discovery engine later this year.

SolarWinds Engineers Edition version 1.1.329, $995. SolarWinds.Net, (918) 307-8100; fax (918) 307-8080. www.solarwinds.net


Castle Rock Computing SNMPc Workgroup Edition

SNMPc is not a network utility by design. It is an enterprise SNMP-monitoring system. But it has a light enough touch to fit onto a laptop, runs within minutes and offers a path for managing larger, more complex environments.

SNMPc comes in Workgroup and Enterprise editions. We tested the Workgroup Edition, which has the same functions (sans trend reporting) as the Enterprise Edition, because it fit our requirement to be a self-contained network-management tool. SNMPc scales to the Enterprise Edition by supporting multiple console access via a Java console, and distributed polling engines scale to larger or WAN distributed networks. Castle Rock is also the only vendor to support SNMPv3, attesting to SNMPc's place as a serious network-management tool.

The alert functionality in SNMPc is similar in design to large network-management applications. Alerts and alarms within SNMPc are triggered in response to poll, server and SNMP trap activity and are displayed on a rolling alert window. Filters can be set to create an action, which when matched can page, e-mail, execute, log or forward the event to another network-management application. Castle Rock has done about as much as possible to make this an out-of-the-box experience by populating hundreds of SNMP traps automatically.

The Workgroup Edition's reporting capabilities are limited but not completely lacking. The Enterprise Edition includes detailed historical performance reporting, but we didn't test that edition, in keeping with our toolbox test criteria. We did, however, take a peek at the Enterprise reports, which gather long-term usage and availability information with a tunable baseline that can be used to set thresholds. Reports can be scheduled on a daily, weekly and monthly basis and output in HTML.

SNMPc's reporting is linked with SNMP. SNMPv3, cable modem, interface, bridge and protocol, to cite a partial list, have predefined, easily accessible right-click context launch queries. We would have liked MIB queries that the device doesn't support to be grayed out in those menus.

The SNMPc MIB browser, on the other hand, has it all: MIB browsing, SNMPv3 support, MIB walking and a huge library of MIBs. The walking is a side benefit from the MIB browser's automated functions that allow for SNMP operations such as next, get, getbulk and set, limited by error or continuous. It also contains a delay to mitigate device-CPU and WAN-bandwidth utilization during the automated multi-get routine.

SNMPc Workgroup Edition, $495. Castle Rock Computing, (408) 366-6540. www.castlerock.com

WildPackets EtherPeek NX

You deserve EtherPeek NX. So what if it costs more--you work hard, you're a professional, treat yourself. EtherPeek is, first and foremost, a good protocol analyzer, but it also comes with quite a few tools that make it a great pick for fixing network problems. It's part analyzer, part network tool, part real-time performance manager and all about getting to the root of a problem. This is a great friend to have when you're facing a malfunction all by your lonesome.

EtherPeek and WildPackets have been around for a long time (the company used to be AG Group), but lest you be confused, it's the same (albeit improved) product and the same development group. The iteration we tested, NX, does protocol analysis and performance monitoring and includes iNetTools, which is what WildPackets calls the utilities: Ping, Ping Scan, TraceRoute, Name Lookup, Name Scan, F-16 Flight Simulator, DNS Lookup, Port Scan, Service Scan, Finger, Whois and Throughput Measurement. Guess which one I'm kidding about? No, not Finger.

Quick, easy, flexible, accurate--it's no wonder we all love using EtherPeek's protocol analysis. With a few mouse clicks, we set up pre- and post-capture filters with common offset filters for protocols and addresses. Advanced filtering, with chained and nested OR and AND filters, is also possible.

Decodes are complete from Layer 2 through TCP and UDP services, like SMTP, SNMP and FTP. EtherPeek also has what WildPackets calls "analysis modules." EtherPeek set the standard for readable decodes long ago, and this version continues the tradition with a configurable three-pane display, user-selectable display options and colors for readability. Capture buffer navigation is easy, with stepwise, find and jump-to functions. Decode layer position is maintained from packet to packet, meaning that once you've scrolled down to HTTP, HTTP rather than the Ethernet header will be displayed when the next packet is selected. This is necessary for a decode to be usable.

Specific traffic monitoring capabilities that come with the product include the detection of duplicate addresses, Internet attack, unanswered Novell NetWare RIP/SAP/NCP requests, logging Web URL accesses, and successful and failed e-mail transfers. In addition, an accompanying SDK allows for custom tracking of other protocols and applications.

The performance statistics for these analysis modules are gathered in a summary screen based on packets in the capture buffer, either in real or in stop time. The summary screen displays statistical buckets grouped by the analysis modules. For example, the e-mail analysis module (which is, by the way, one of the smallest modules) lists initiated, successful and failed SMTP transfers. These statistical buckets can be displayed as total packets, bytes or percentages, or as per-second values.

The summary screen gave us an overview of what was happening on the wire. We were interested in the Internet-attack analysis module, which provides a security analysis report on attacks such as Gin, Jolt, Land, Oversized IP, Pimp, RIP, Teardrop and WinNuke. These statistical buckets could be graphed and saved. In addition, we periodically took snapshots of the statistics. The snapshot is displayed directly next to the real-time collections and compared with previous snapshots, making diagnostic comparisons easy.

Two layers of alarms, Suspect and Problem, can be set. The configuration window offers the selection of thresholds by byte or packet, either total or per second, with a range of severities, from "information" through "severe." The rearm mechanism is based on number of units under alarm threshold passing within a specified time period. We welcome this sophisticated and complete set of alarm threshold mechanisms on an analyzer.

Two other displays, one for protocols and one for nodes, provide interesting high-level views. The protocol display shows Layer 2 through 5 summaries, while the node displays total traffic in bytes and packets sorted by node. A wide range of right-click context launches let us, for example, select specified packets in the capture buffer, see graphed packets, save protocol and node statistics, and create alarms.

EtherPeek offers fine-grain control over the alarm, letting us link to any of the statistics monitored in the node, protocol or summary screens. As would be expected with a protocol analyzer, this includes Ethernet statistics like broadcast, multicast, unicast, utilization, errors and packet size. In addition, we got protocol types, SMTP, FTP, ICMP, IP, NetWare, newsgroup, Internet attack and Web URLs. Not bad.

There is a name table, and in addition to IP and MAC, protocols and ports can be given names. You can do this naming by editing the table or importing a pre-existing list, either in the native EtherPeek format or as a delimited file, making possible the import of host files. However, an additional field is required to indicate that the entries are IP, as EtherPeek also supports Ethernet MAC and port resolution in its name table.

EtherPeek can group packets into threads so related packets, like subsequent SNMP gets, can be tracked easily. Finally, EtherPeek's help files are descriptive and tutorial without being condescending.

EtherPeek NX, $2,995 (includes annual maintenance). WildPackets, (800) 466-2447, (925) 937-7900; fax (925) 937-2479. www.wildpackets.com or [email protected]

Ipswitch WhatsUp Gold Version 7

WhatsUp Gold keeps getting better. In version 7, Ipswitch has added import and export of ASCII map and device data, more SNMP monitoring, TCP/UDP port monitors, speech notification of alerts, and improved alert management. Version 7 also shows its maturity in its complete help files and its cookbook approach for first-time users. For new network managers, it is the easiest of these packages to learn and use.

This release sports new Web-based templates that have a much-improved look. When we upgraded from 6.2a, the installation wizard recognized the existing installation and offered to skip the new templates or back up the existing templates and install the new ones. We chose the latter and were glad we did.

This isn't to say that the 32-bit interface has stood still; it now offers a tabbed selection of statistics, notifications, map editing and status. These views are available off the drop-down menu, but the tabs make it easier to navigate from one view to another on separate subnets. We also liked the status display. Even though it gives only a single map's status, it does represent all the interfaces or services that are associated with a networked device being monitored. WhatsUp is great for the quick and dirty "It's up and functioning" check or the ever-popular "Hey, what's with so-and-so's FTP service?"

WhatsUp will run as a Windows NT service, and when doing so it uses only the Web console for access. This Web access with fairly granular access control and the ability to run as an NT service makes WhatsUp resemble a full-blown network-management system, but it still fits quickly onto a laptop and doesn't cost an arm and a leg. The Web interface allows for read access only; configuration is still done via the Win32 console.

The automatically drawn maps of devices resulting from the discovery process can be edited to change the type of device and to create connections between devices. An SDK that supports a C++ interface as well as import and export of the map and associated device information in INI and XML formats is available.

WhatsUp comes with a number of predefined reports as well as a simple-to-use report-creation tool. WhatsUp led the pack with the most reporting formats, from PDF, HTML, Microsoft Word and Excel, and Seagate Crystal Report formats to RTF, CSV, ASCII and DIF. Furthermore, regular performance reports can be scheduled to run at specific intervals and sent to any recipient via e-mail or posted to the Web interface for on-demand viewing. This eliminates the need to run reports manually and ensures distribution of management information to network stakeholders. Reports can be saved in a variety of formats, including Word, PDF and HTML.

The reporting includes command-line parameters for scheduling output, but one of the alarm notification methods will mail the status of devices in the network. The SNMP functionality includes graphing SNMP OIDs and getting ARP (Address Resolution Protocol), route, address and interface tables. It also includes a MIB browser, but there is no write access to the MIB, nor a MIB walker to explore the installed MIBs automatically.

One polling option that is unique to WhatsUp Gold is the ability to poll devices based on a status dependency. For example, a device can be configured for polling only when another device is down.

WhatsUp Gold Version 7, $795. Ipswitch, (781) 676-5700; fax (781) 676-5710. www.ipswitch.com

MRTG (Multi Router Traffic Grapher)

MRTG gathers performance statistics from devices, displaying real-time result graphs via HTML. Any OID is manageable, as long as the ASN.1 string is specified in the script. MRTG runs in a combination of Perl and C++, and the best part is that it's free under GNU. Of course, the downside is that because it's free, you can't buy support for it. However, a lot of support is available on the Web. A good place to start is people.ee.ethz.ch/~oetiker/webtools/mrtg/.

By running a configuration routine (cfgmaker), MRTG can discover a device. The product walks through the interfaces, listing IP address, SNMP community and speed. It then creates a small HTML table to format the results of the get.

The default interface number is used to index interfaces. This sounds logical enough, but as the documentation correctly notes, SNMP interface numbers change periodically for no particular reason--"every full moon, just for fun." MRTG allows for the naming of the interface based on selectable variables, a somewhat advanced feature when compared with the offerings of many commercial performance-management products. The options are IP address, Ethernet address, description and name.

We created a configuration file for a couple of devices and began the collection of data by running MRTG with a collection frequency of five minutes. Users can set this polling option. The statistics we collected and reported via a preformatted HTML page showed daily five-minute averages, weekly 30-minute averages and monthly two-hour averages; if we had run it long enough, it would have shown yearly daily averages.

Another included routine, Indexmaker, creates HTML indexes for all the files we configured to collect our performance statistics. This is good shrinkwrapped functionality for nonshrinkwrapped software.

MRTG makes some guesses when disconnected, creating flat graphs if disconnected for a long time but taking a reasonable guess as to why the packets may have gotten lost. More important, data representation assumption is clearly explained, something that many commercial products hide to improve ease of use!
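The averaging tiers described above have a consequence worth seeing in numbers: a short burst shrinks as five-minute samples are consolidated, so the maximum should be kept alongside the mean. This Python is an added example, not MRTG's code; the counter readings are constructed, a plain arithmetic mean is assumed, and at most one 32-bit counter wrap per poll is assumed.

```python
COUNTER32 = 2 ** 32  # SNMP Counter32 values roll over at this point


def constructed_samples():
    """Thirteen five-minute octet-counter readings that cross a 32-bit wrap.

    Traffic is a steady 1,000 bytes/s with one five-minute burst of 10,000.
    """
    deltas = [300_000] * 6 + [3_000_000] + [300_000] * 5
    t, counter = 0, COUNTER32 - 1_000_000
    samples = [(t, counter)]
    for d in deltas:
        t += 300
        counter = (counter + d) % COUNTER32
        samples.append((t, counter))
    return samples


def rates_from_counters(samples):
    """Turn (time, counter) readings into (time, bytes_per_second) rates."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # duplicate or out-of-order poll, nothing to compute
        delta = c1 - c0
        if delta < 0:
            delta += COUNTER32  # counter wrapped once between the two polls
        rates.append((t1, delta / dt))
    return rates


def consolidate(rates, bucket_seconds):
    """Average rates into fixed buckets; return (start, mean, max) per bucket."""
    buckets = {}
    for t, rate in rates:
        # A rate is stamped at the end of its interval, so t - 1 places it
        # in the bucket the interval actually fell in.
        start = ((t - 1) // bucket_seconds) * bucket_seconds
        buckets.setdefault(start, []).append(rate)
    return [(start, sum(v) / len(v), max(v))
            for start, v in sorted(buckets.items())]


if __name__ == "__main__":
    five_minute = rates_from_counters(constructed_samples())
    for start, mean, peak in consolidate(five_minute, 1800):
        print(f"bucket {start:5d}s  mean {mean:8.1f} B/s  max {peak:8.1f} B/s")
```

In the second 30-minute bucket the 10,000 bytes/s burst averages down to 2,500 bytes/s, which is why a graph built only from means understates short spikes.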

The product's setup is manual and command-line oriented, but all it takes is the ability to follow directions and the willingness to troubleshoot errors. Clearly, MRTG is not idiot-proof, but once running, it is very stable.

MRTG (Multi Router Traffic Grapher), free under GNU. people.ee.ethz.ch/~oetiker/webtools/mrtg/

Visualware VisualRoute

VisualRoute runs traceroute over and over, tracking the differences from one traceroute to the next measurement at each hop. This data is provided as a table with a line per hop showing IP address, name, location if available, time zone, latency and a historical current graph overlaid with minimum/maximum values. This is all displayed over a map of the world.

VisualRoute is a fun application to run, and it does offer some decent quick information about tracking a possible path problem. Of course, unless you're working for a service provider, the map of the world seems like overkill, but the tabled information is useful in any routed environment. And though the map is optional, it is good for tracking down locations. We found that the location information wasn't always available and suspect that it is sometimes a guess, but we generally did get stats on country, state, city, and longitude and latitude. It isn't perfect, but it does offer some help answering the where question.

Once a trace has been performed, the data can be saved as HTML, JPEG or text, making it easy to share a problem situation with tech support or a colleague via e-mail. The HTML version loses some of the graphic granularity when compared with the JPEG version, and the text version is just the table, no graphics. All in all, however, it's a useful feature.

In addition to this basic performance information, diagnostic path problems are indicated. For example, when we tested to VeriSign, VisualRoute indicated that the Port 80 service was up but that the ping packets were being blocked at a particular hop. Another handy feature is the ability to type in an e-mail address and get a listing of mail server addresses, which can then be clicked on to run a VisualRoute traceroute.

It's no wonder that Visualware's products are so popular. They run on Apple Computer Mac OS 9 and 10, BSD, Linux, Sun Microsystems Solaris, and Windows, with functionality that ranges from a single option running on a single workstation to combined suites that run in a distributed computing architecture. Oh, and that's how the pricing is as well--if you need only a single function, save your lunch money for a couple of days and you have it.

While we were testing VisualRoute, the company's Web site became unavailable from our location. VisualRoute diagnosed the problem and fingered Verio. Our mamas told us not to point, but darn it, it's nice to have a network tool that steers you in the right direction.

VisualRoute, $39.95. Visualware, (866) 847-9273, (703) 802-9006; fax (703) 832-8979. www.visualware.com

Bruce Boardman is executive editor of Network Computing, testing and writing on network systems and management. He has 12 years of IT experience managing networks and distributed computing for a financial service provider. Send your comments on this article to him at [email protected].

Most engineers have items without which they feel naked. We're talking about the gadgets that fill your pockets and dangle from your belt. Whether it's a Leatherman, a Fluke Corp. tester or a utility knife, forgetting it on your bedside table is a sure way to ruin your day.

We set out to test the Leatherman equivalent of network-management tools--products that aren't big, fancy or expensive but get the job done. We accepted only tools that can be installed easily on a desktop or laptop and that are inexpensive enough that you won't need to go through five layers of approval to buy one. The products range in price from zero to $2,995, with all but one less than $1,000.

We tested Castle Rock Computing's SNMPc Workgroup Edition; MRTG, provided through GNU General Public License; Ipswitch's WhatsUp Gold 7; SolarWinds.Net's SolarWinds Engineers Edition; Visualware's VisualRoute; and WildPackets' EtherPeek NX with Network Tools in our Real-World Labs® at Syracuse University. We loaded them on PCs and went to town on the network. All these products do some of the tasks--such as discovering, mapping, monitoring and reporting--that their more complex (and expensive) brethren do, but they require way less maintenance.

We liked all the tools we tested, but if we could have only one it would be SolarWinds.Net's offering, which won our Editor's Choice award. This product has a boatload of handy-dandy utilities, all linked via a logical structure, and offers some security-checking capabilities. Also, SolarWinds' Remote TCP Session Reset utility let us pinpoint which lowlife was leaving telnet sessions up (ouch, the truth hurts).

We awarded our Best Value prize to MRTG (Multi Router Traffic Grapher), which is free under GNU. Sure, you'll need to be comfortable with the CLI, but given the rich feature set you can't beat the price.

Our labs and the host network at Syracuse University gave us more than enough devices and traffic to get a good feeling of how the products functioned. We installed all the packages on desktop or laptop Pentium III machines, each with 256 MB of RAM.

We limited ourselves to running the most basic versions of these applications to minimize their price. We felt that high prices and complex architectures would make it less likely the products would be used for quick diagnostics and tactical deployments. We know that in many cases these products are deployed as strategic solutions with a fair amount of success, but we didn't want to consider larger concerns such as redundancy, implementation and data access.

For comparison categories, we looked at FCAPS (fault, configuration, accounting, performance, security), with a substitution of inventory for accounting and with the addition of price. An inventory of the network is obviously part of an accounting system, but we didn't feel as though these tools were really trying to solve that larger problem. Instead, they can provide an inventory of what's on the network, vital when trying to diagnose problems like duplicate addresses.

We gave a slightly higher weight to performance and price in our report card--performance because it is generally a starting point for diagnostic procedure and price because of the tools' tactical nature. If you want to argue about this weighting, send in your arguments, and we'll point out why we disagree. Our price scores reflect only the products tested; add-ons and modules may increase cost.
