Gigabit Analyzers

The five products we tested are all remotely accessible and can tap into a full-duplex fiber or copper Gigabit connection. But it's the identical network analyzers from Fluke Networks and

April 8, 2005

To test the devices, we blasted them with traffic from Spirent Communications' SmartBits network performance-analysis system, and introduced network anomalies with a Shunra Virtual Enterprise appliance. We looked at the devices' decodes and expert alarms, and compared their management capabilities, including how they handle multiple users and centralize capture files. Finally, we considered prices. All the products were up to the task, and a network engineer would do well with any of them. The analyzers from Finisar and Fluke, which were identical except for their labels and shades of blue used for the cases, edged out the devices from WildPackets and Acterna for first place.

For the most part, the products were similar in performance and capabilities, but there were some subtle differences. Finisar's THGs and Surveyor Software and their identical twin system, the Fluke Networks OptiView Protocol Expert ProPlus, Protocol Expert VoIP Option and Link Analyzer HD, provide the best packages of performance, management, decodes and price. Network General's Sniffer Distributed s6040 is a solid performer in all categories, but is much more expensive than the others. Acterna's DA-3400 has the best VoIP (voice over IP) capabilities--a key reason to buy a network analyzer--but lost points for management because it can't accommodate multiple users and it didn't come equipped to store files on the probe or stream captures to a hard disk. WildPackets' Omni3 has the best management capabilities, but we don't like its user interface and found a problem with the utilization graphs' accuracy.

All these products will help a good network engineer diagnose problems and network anomalies quickly; however, none replace the knowledge of a good network engineer. There are many problems an analyzer won't find automatically. Even the so-called expert alarms can be misleading. For example, no standard exists for how many broadcasts per second or what level of utilization should be cause for concern. Those thresholds usually are set incorrectly by the vendors and require some knowledge to interpret. These devices provide the important data and let the thresholds be tuned, but it takes a good engineer to provide a sane interpretation.

The only difference between Fluke Networks' OptiView Protocol Expert ProPlus and Finisar Network Tools' THGs is the label. The companies sent us identical network analyzers, which are made by Finisar and rebranded by Fluke. Because the products' features, test performance and even pricing are identical, we're running a single review to cover both. Your choice will depend on your organization's other network needs and perhaps the discounts you can negotiate with either company.

Finisar's package features the THGs (Ten, Hundred, Gigabit) hardware and Surveyor software, while Fluke's setup includes the OptiView Protocol Expert ProPlus hardware, Protocol Expert VoIP Option and Link Analyzer HD. In both cases, the client GUI is simple and effective, though not especially creative. It lists all the probes it knows about in a panel on the left. Although an analyzer can tap directly into a full-duplex connection using two ports, it also can be used to tap into a mirrored port on a switch. It was easy to choose which of the two ports we wanted to view or sync at any time. We also liked being able to see each port's speed and link status. The ports accept a copper or fiber connection. In addition, our test units came with an 80-GB hard disk, for streaming capture inputs to that disk (a feature we didn't test).

The THGs and OptiView packages each offer a thorough assortment of color-coded, resizable graphs. These units have good decodes and can make quick filters based on the decode content.

Both devices handle VoIP especially well. Upon execution, the VoIP app reveals a tabular list of current VoIP calls and their status. Using icons, we could limit the display to calls based on SIP, H.323 or SCCP signaling protocols as well as active or inactive calls. We could identify outgoing SIP calls and view many of their vital statistics. MOS (Mean Opinion Score) numbers, for example, decreased noticeably and reflected the calls' poor quality when we used the Shunra appliance to inject delay, jitter and packet loss. You can drill down into each call for more detailed statistics, such as SIP users or phone numbers associated with the call. We would like Finisar's and Fluke's products to report on the status of the Layer 2 (802.1p) and Layer 3 (DiffServ) QoS bits of the packets associated with each call, like the Acterna DA-3400 does. The THGs and OptiView did show us the jitter, dropped packets and RTCP (Real Time Transport Control Protocol) information for each call and reflected the network anomalies we introduced. On the other hand, a graph of calls with a setup time of more than 150 milliseconds didn't work for our SIP calls, even though we introduced impairments that caused those calls to take seconds to ring at the other end.

We displayed various categories of expert events by clicking on icons roughly correlating to the OSI layers. We also drilled down into each event to reveal more details as well as possible explanations and solutions.

THGs (Ten, Hundred, Gigabit Ethernet Analysis Module) Dual Interface, 80-GB HD, 256-MB Hardware Analyzer: Model Number THGsE2001; Surveyor 10/100/Gigabit Ethernet Software with Remote, PacketBlaster, Expert and Multi-QoS VoIP SW: Model Number CA3013-062. Finisar Network Tools, (888) 746 6484, (408) 400 1000. www.finisar.com/nt

OptiView Link Analyzer and OptiView Protocol Expert, Fluke Networks, (800) 283-5853 (425) 446-4519. www.flukenetworks.com

If you want to view packets while capturing them and have a dynamic visual of conversations between endpoints, WildPackets' Omni3 is your only option. We've always liked WildPackets' EtherPeek, the client-based version of Omni3. However, EtherPeek software's usability doesn't translate to the Omni3 as well as we had hoped.

Omni3 comprises several components. The Omnipliance hardware device runs OmniPeek wired network-analysis software, OmniPeek (10/100/1000 Ethernet WAN, WLAN), the Peek DNX remote engine, and OmniPeek Console for remote capture.

The original EtherPeek GUI is the basis for Omni3. Once a capture is running, it looks very similar to EtherPeek, with tabs along the bottom that allow snappy navigation among the packet, expert and summary views. The Peer Map, one of Omni3's more impressive applications, gives you a visual mesh of all IP, IPX and Ethernet conversations, much like Network General's Matrix application. Because this view can become unreadable on a network with many endpoints, WildPackets lets you drag endpoints around and apply some quick filters during the capture, making the view more useful.

Omni3's graphing capabilities are weaker than the competition's. The graphs give an inaccurate portrayal of network utilization, showing close to 90 percent utilization whether we sent 10 percent or 100 percent. WildPackets said this bug would be fixed in an April release, but we still deducted a half point from the performance score. We also couldn't clearly separate the utilization in both directions of a full-duplex circuit. Furthermore, the graphs' display needs improvement. All the graphs shared one window and were dynamically condensed, smaller and smaller, each time we added another graph. The other products did a better job with placement, and added more color and detail.

Although we like EtherPeek's software filter setup, it doesn't translate well to the new Omni3 probe. Adding filters requires multiple menus, and it's difficult to know where to set up the filter you're looking for. Furthermore, we had to specifically set up a "Hardware Filter," which let us change only IP address and port numbers, before we could get Omni3 to pass our performance test. No other probe has such a restrictive requirement.

WildPackets Omni3 has a "capture to disk" feature, designed to capture data to its 80-GB hard disk at a line rate of 30 percent to 60 percent utilization and overcome memory limitations. The vendor says multiple users can set up multiple captures on the probe at the same time. We didn't test this feature.

Omni3 provides good VoIP stats, but not as good as WildPackets' VxWorks, which isn't available on the Omni3 platform. Although the stats on standard items, such as latency, jitter and delay, are fine, Omni3's VoIP application doesn't identify and summarize calls as well as Fluke's, Finisar's and Acterna's products do.

Omni3: OmniPeek, $4,195; Peek DNX, $5,695; OmniPeek, $6,895; OmniPeek Console, $1,145; Omnipliance, $13,995. WildPackets, (925) 937-3200. www.wildpackets.com

Although the Acterna DA-3400 analyzer sits in third place, it has the best VoIP application among the products we tested. We also liked the DA-3400's user interface, which was sharp, uncluttered and easy to understand. Had Acterna's management features been more impressive, this platform would have been a strong contender.

Acterna's DA-3400 has a unique decode engine. The use of background color coding makes the decodes refreshingly easy to read. Highlighting a packet in the packet summary conveniently brings up a list of buttons that represent every protocol in that packet, for use as quick filters. This handy feature compensates for the engine's lack of dynamically collapsible decode layers, which the other units possess.

It's easy to remotely configure this device to use both ports as separate monitor ports, or to use them together to tap into a full duplex connection. We also like the way the Acterna DA-3400 shows the current status of the link light.

In our tests, the Acterna DA-3400's VoIP app listed all current and past calls that it knew about in a color-coded table. It provided MOS scores for all calls, and indicated with an icon whether the call was in progress or completed. Finisar and Fluke provide this information too, but Acterna goes a step further and shows the status of the 802.1p and DiffServ QoS (quality of service) bits for the packets involved in each call. At a glance, we could see if an incorrect QoS setting could account for poor call quality. Acterna also shows both directions of the call, while the Fluke and Finisar units do not.

Acterna lost points on management. The DA-3400 can't accommodate multiple users, or even multiple levels of access, as the other devices can. Furthermore, this is the only product that didn't come to our lab with a hard disk, so we couldn't save trace files or capture to disk. Acterna does offer 5-GB hard disks, and the unit can accept up to two of them.

Acterna DA-3400, Acterna, (866) 228-3762, (301) 353-1560. www.acterna.com

Network General practically invented network analysis in the 1990s. Since then, McAfee bought, renamed and then spun off the company, which has returned with its original name. (See "Network Associates Splitting Up," ID# 1515buzz2). We tested Network General's new Distributed s6040 probe and found it solid and capable, with the best selection of easy-to-use graphs and good VoIP statistics. The Network General device's high price, more than twice those of the other vendors, hurt its outcome in this review.

The Sniffer Distributed s6040 analyzer includes the s6040 probe with an 80-GB hard disk, Sniffer Distributed Console and applications, such as Sniffer Voice, Session and Expert. The probe's ports can be used for copper or fiber, separately or together for a full-duplex connection. These options are configured from the Sniffer Distributed Console application, which organizes all the available probes. After a change, the probe reboots. The Expert application then breaks down the different types of diagnoses and symptoms into layers similar to the OSI Layer. Clicking on the representative icon reveals all relevant objects, symptoms and the more severe diagnoses.

Sniffer Voice does a good job detecting the packet loss, latency and jitter in the VoIP conversations. It also detected a slow VoIP server response in our tests. We could drill down into each diagnosis, symptom and object for tremendous amounts of detail, including the called and calling parties, as well as detailed RTP and RTCP statistics. There were no MOS scores available. Sniffer Voice doesn't separate the VoIP app like the other probes do, but rather combines the VoIP information with all the other expert events, similar to what Omni3 does.

The Sniffer Matrix app is a graphical display that shows a useful visual mesh of network conversations. And, although it can't be filtered and redrawn on the fly, it instantly showed when traffic was being sent between endpoints by highlighting the lines whenever traffic appeared. Matrix also lets you refresh the whole display. This application could be a good troubleshooting tool, with some filters set up ahead of time to limit the data.

Sniffer Distributed s6040, Network General Corp., (800) 764-3337, (408) 571-5000. www.networkgeneral.com

Peter Morrissey is a full-time faculty member of Syracuse University's School of Information Studies, and a contributing editor and columnist for Network Computing. Write to him at [email protected].

Even the most skilled network troubleshooter needs tools to do the job right. Any of the network analyzers in this roundup would be a critical component in an engineer's arsenal. Five vendors sent us devices: Acterna, Finisar Network Tools, Fluke Networks, Network General and WildPackets. All five products are remotely accessible and can tap into a full-duplex fiber or copper Gigabit connection. Although Finisar's and Fluke's network probes are identical products and won our Editor's Choice award, it's critical to consider your own network's needs and compare each vendor's prices and services.

Thousands of packets can traverse a Gigabit backbone in a fraction of a second. When you consider how tedious it is to look at a packet trace, one packet at a time, it's clear that reliable filtering is critical. For our performance test, we plugged the Spirent SmartBits tester into both ends of each analyzer's full-duplex tap. We streamed full line-rate gigabit traffic using 64-byte packets into one end and, as that was running, we sent 100,000 frames meeting our filter criteria through the other port. The pattern the filter had to match consisted of a source and destination IP address and a TCP port. The background traffic was nearly identical to the traffic that matched the filter: The TCP port was different by one bit. We tried to make the test difficult by requiring a match on source and destination IP address and port number, which required looking into the IP and TCP headers. All the products handled the tests with ease. This is likely because all the analyzers have ASICs and memory on their NICs designed for this purpose.

To test VoIP capabilities, we made SIP (Session Initiation Protocol) calls through a Shunra Storm, which added delay, latency and jitter. We mirrored the traffic from all the related ports out to a Datacom Systems switch, which replicated the traffic to all the analyzers.
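The capture-filter test described above can be reproduced in software. The following is an added example, not code from the review or from any of the vendors: it builds constructed 64-byte-class frames and applies a filter on source IP, destination IP and TCP port, with background frames whose port differs by one bit. The addresses, the port value and the choice of the destination port are assumptions.

```python
import socket
import struct

ETH_LEN, ETHERTYPE_IPV4, PROTO_TCP = 14, 0x0800, 6

def build_frame(src_ip, dst_ip, dst_port, ip_options=b""):
    """Constructed sample frame: Ethernet II / IPv4 / TCP, checksums left zero."""
    ihl_words = 5 + len(ip_options) // 4          # options must be a multiple of 4 bytes
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + 20,
                     0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return (eth + ip + tcp).ljust(60, b"\x00")    # 64-byte frame minus the 4-byte FCS

def matches(frame, src_ip, dst_ip, dst_port):
    """True only for an IPv4/TCP frame with this exact source IP, destination IP and port."""
    if len(frame) < ETH_LEN + 20:
        return False
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    ihl = (frame[ETH_LEN] & 0x0F) * 4             # header length varies with IP options
    if frame[ETH_LEN] >> 4 != 4 or ihl < 20 or frame[ETH_LEN + 9] != PROTO_TCP:
        return False
    if struct.unpack_from("!H", frame, ETH_LEN + 6)[0] & 0x1FFF:
        return False                              # later fragments carry no TCP header
    tcp_off = ETH_LEN + ihl
    if len(frame) < tcp_off + 4:
        return False
    return (frame[ETH_LEN + 12:ETH_LEN + 16] == socket.inet_aton(src_ip)
            and frame[ETH_LEN + 16:ETH_LEN + 20] == socket.inet_aton(dst_ip)
            and struct.unpack_from("!H", frame, tcp_off + 2)[0] == dst_port)

def run_filter_test(n_match=1000, n_background=5000):
    """Mix target frames into near-identical background; return how many the filter keeps."""
    target = ("192.0.2.10", "192.0.2.20", 80)     # constructed filter criteria
    background_port = target[2] ^ 0x0001          # differs from the target port by one bit
    frames = [build_frame(*target) for _ in range(n_match)]
    frames += [build_frame(target[0], target[1], background_port) for _ in range(n_background)]
    return sum(matches(f, *target) for f in frames)

if __name__ == "__main__":
    print(run_filter_test())
```

A filter that passes this check keeps exactly the frames that met the criteria and none of the background; reading the TCP port at an offset derived from the IP header length also keeps it correct when IP options are present.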

We also blasted up to 100 percent utilization with 64-byte packets from the Spirent SmartBits and measured the accuracy of the utilization graphs to test the accuracy of network-utilization indicators. All but the WildPackets Omni3 were dead-on. WildPackets attributed its inaccurate readings to a bug in the graphing software, which the vendor said would be fixed in a later version.

All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.
