Protocol Analyzers

Here's a quiz. When network problems happen, you:

A. pay to upgrade your network bandwidth, and pray.

B. ask your VAR (value-added reseller) for help, upon which a quote for new switches appears on your desk.

C. ask your server and applications vendors for help, and watch as they wildly point fingers at one another.

D. tap into the wire with an analyzer and observe what is and isn't happening, and how long it's all taking.Even a basic network analyzer can tell you if it's the server or the client that's slow, or if your network is overloaded. Sometimes it can pinpoint the cause of the problem, but at minimum, it should tell you where to concentrate your resources.

So how high-end should you go? As with many other technologies, the more experience you have, the less you'll need to spend.

Get Real--Ethereal, That Is

One of our favorite analyzers is the open-source Ethereal. While lacking some of the features in commercial products, it's free and could meet your needs, especially if you have a small or departmental network or you're just looking to get basic information. And unlike most commercial offerings, which run only on Windows, it's Linux-compatible.Ethereal will capture and decode many major protocols to reveal what's happening packet by packet and the time in milliseconds between packets. So if a user's client slows down, it will let you see when the user transmitted a request to a server, how long it takes the server to respond, and how long the client is taking to acknowledge a query from the server. If one of these processes is excessively long, Ethereal will clue you in to the source of the problem. For example, if packets are getting dropped and retransmitted from the server, it can point to a problem with the server, or to a problem on the network between the client and the server.

Ethereal does have its limitations, and even low-end (less than $1,000) commercial products, like those from Network Instruments or WildPackets, will add many useful features. For comparison:

>> Ethereal doesn't always have the latest decodes, and those it has aren't necessarily easy to read. Commercial products provide extensive decodes and color coding to make them more readable.

>> Low-end commercial products can show you basic network statistics in real time. They will also let you choose from a number of real-time graphs to track utilization over a period of time. Ethereal won't do that for you.

>> Filters aren't easy to set up with Ethereal, but they're essential if you're viewing a transaction from the backbone. You can find a more user-friendly Windows GUI for Ethereal at packetyzer.com. While sometimes difficult to install, it provides some color coding and easier-to-use filters. You may also be able to get basic network statistics via SNMP, but this will require network-management software (for more on SNMP, see "Ping Me ... We'll Do Lunch," page 50).

>> Many commercial analyzers can automatically detect retransmitted packets and will increment a counter and highlight the packets involved. You won't find this in Ethereal--though all the information you need is there, it will take time and expertise to sift through packets in the trace file. But you also won't find this capability in the under-$1,000 products; you'll have to spend in the $3,000 range to get what vendors call "expert intelligence" capabilities, such as those found in WildPackets' EtherPeek and OptiView's Protocol Expert.

The key with any analyzer is to run it while the trouble is occurring. If you've watched the transaction when it was working well, or if you can observe a well-behaving transaction for comparison, you'll have an easier time diagnosing the problem.

Special CasesIf you're tapping into wireless connections and Ethereal supports your wireless NIC, the open-source analyzer will be of some benefit. It won't decode the wireless protocol, but if you need to decode only Layer 3 and above, it will do fine. If your network uses WEP, a commercial product will help you troubleshoot by letting you enter the WEP key to see data.

When tapping into high-speed connections, especially near the backbone, you'll need a hardware-based product. Probes with hardware acceleration can reliably filter and capture packets on a highly used connection. This is especially important for a Gigabit backbone.

Today, with most networks using switching, tapping into the data stream isn't as easy as it was when everything was shared. But there are still ways to do it, even if you don't have a high-end probe:

>> Run an analyzer on the client. This will let you see packets from the client's perspective, though you'll have to install the analyzer on the desktop. One disadvantage of this approach is that it's difficult to bring the analyzer files back with you for later analysis.

>> Use a shared hub. A shared hub can be plugged into the wall jack. You can then plug the user's desktop and your laptop into the shared hub and see all the packets. This setup could introduce problems, however, if the devices involved don't autonegotiate correctly.

>> Span or mirror traffic from a switch. Many switches can send all traffic from one or more ports out another port, to which an analyzer can be attached. This setup works best for monitoring backbone connections--it's difficult to coordinate a client's desktop symptoms with the associated packets. A variation would be to plug a switch into the wall jack near the desktop.

>> Use taps. Hardware taps from companies such as Datacom Systems and Net Optics will tap into a full-duplex connection and send a copy of the traffic out another port for the analyzer.

"Complete Buyer's Guide: Hand Held Network Test Analyzers""PoE Promises Simplified Infrastructure,"

"Layer 2 Layout: Layer 2 Discovery Digs Deep,"