A Picture from AppDancer Is Worth a Thousand Decodes

Our exclusive preview examines a traffic analyzer that functions like no other. It makes use of "flows" -- or conversations between client and server that let you see and

August 26, 2002

5 Min Read

The coolness factor of AppDancer/FA lies in this ability to show flows. I'm not talking about just reblasting packets over the wire, though that is possible. I'm talking about seeing and hearing what the client saw and heard. If you capture a VoIP call, you don't simply revisit the packets; you play back the entire conversation. No client or agent is required -- it's all part of the decode. Likewise, if you capture a movie stream you can watch and listen to the movie. The protocols that are supported for flow analysis are FTP, POP, SMTP, Microsoft SQL, DNS and RTP. So instead of trying to figure out the end-user experience based on a summary list of packets and delta times, you can see what the user saw!

Linking to Traffic

I set up the AppDancer/FA in our Real-World Labs® at Syracuse University. I captured Web traffic and was able to view the HTML objects. They are not stored on the analyzer; rather, the AppDancer/FA provides a URL pointer to the page. In the version I tested, AppDancer/FA supported only HTTP GETs, but company representatives say a newer build in the works will support POSTs.



Good News

  • Visually represents TCP transaction flows and actual HTML objects.

  • Allows monitoring and replaying of H.323 and RTP VoIP conversations.

  • Shows actual formatted e-mail messages.

  • Provides deep and flexible decodes.

  • Monitors SNMP and Cisco CLI devices.

Bad News

  • Lacks interpacket expert analysis.

  • Doesn't support Skinny.

  • Software only--no gigabit wire speeds; 100 Mbps may be sketchy, depending on hardware platform.

In other tests, I tried to capture a VoIP call but couldn't grab the call setup because my Cisco systems were using the Cisco proprietary call setup protocol, Skinny. I was able to grab the body of the call, however, via RTP. This was very cool: I could monitor the call and replay it in post-capture analysis. Unlike the HTML pointer to the actual page, the RTP traffic is stored on the analyzer.

More useful (if not as cool) is the display of a packet flow, which shows the packets of a particular exchange -- e-mail or Web page download, for example -- with total and delta times. This shows the end-user experience from the top down. From an overview to each individual packet, AppDancer/FA lets you see all the critical commands and handshakes without your having to reconstruct decoded packets. The bottom line is that it is easier to troubleshoot a problem when you have a clear visual representation of what the application is actually doing.

Like most analyzers, AppDancer/FA provides real-time statistics on network performance. I monitored routers and switches via SNMP and got interface speed, errors, discards and utilization statistics, as expected. AppDancer/FA can also use Cisco IOS commands via telnet to retrieve device status. After adding a couple of Cisco devices, I got buffer, memory and CPU usage stats. AppDancer/FA displayed results as averages as well as in real time, showing peaks for both statistics.

The capture and decode functionality is standard. The buffer, which ranges in size from 256 KB to 48 MB, can accept a whole packet or portions of a packet. Filtering accepts protocols such as FTP, HTTP, H.323 and SIP. A flow filter can be configured by choosing source and destination pairs, with secondary filters for TCP, IP, SMTP and the like.

At the core of most protocol analyzers is the decode ability; accuracy and detail are paramount in decoding. With this in mind, the gold standard in protocol analyzers is Network Associates' Sniffer. I measured the accuracy and number of AppDancer/FA's decodes against those of the Sniffer and found them relatively comparable, though AppDancer's are less detailed.

The analysis or standard protocol decode provided by AppDancer/FA is post capture, not real time. The view shows the classic three-pane display: summary, decode and hex. Statistical displays are preset and easy to access. They are available in graphic and table form by node and protocol. One display that I particularly liked is the response time distribution graphic, which showed ranges of response time in 10 different buckets, from 0-25 ms to more than 2,000 ms. (For what it's worth, some of the developers and founders of AppDancer worked on Sniffer Pro, and in fact worked on the product that Network Associates bought to create Sniffer Pro, Cinco Networks' NetXray.)
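The packet-flow view with total and delta times and the response-time distribution described above are straightforward to reproduce from a packet list. The following Python is an added example written for this page, not AppDancer's code: it groups a constructed capture into client/server flows, lists each packet with total and delta time, measures request-to-response latency per flow, and bins those latencies into ten buckets from 0-25 ms to more than 2,000 ms. The bucket edges between 25 ms and 2,000 ms are assumed, since the review does not list them, as are all the sample packets.

```python
"""Flow timeline and response-time buckets over a constructed packet capture.

Added example, not AppDancer's code. Bucket edges between 25 ms and 2,000 ms
are assumed; the sample packets are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float           # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int    # bytes of application payload (0 for SYN/ACK-only segments)


def flow_key(p):
    """Direction-independent key so both halves of a TCP conversation land together."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def group_flows(packets):
    """Map each flow key to its packets in capture order."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(p)].append(p)
    return dict(flows)


def flow_timeline(flow):
    """Rows of (total_ms since first packet, delta_ms since previous packet, packet)."""
    rows, t0, prev = [], flow[0].ts, flow[0].ts
    for p in flow:
        rows.append((round((p.ts - t0) * 1000, 3), round((p.ts - prev) * 1000, 3), p))
        prev = p.ts
    return rows


def response_times(flow, server_port):
    """Latency in ms from each client payload packet to the next server payload packet."""
    times, pending = [], None
    for p in flow:
        if p.payload_len == 0:
            continue                      # handshake and bare ACKs carry no request/response
        if p.dport == server_port:
            pending = p.ts                # request seen; wait for the server's answer
        elif p.sport == server_port and pending is not None:
            times.append(round((p.ts - pending) * 1000, 3))
            pending = None
    return times


# Upper edges in ms of the first nine buckets; the tenth is "more than 2,000 ms".
BUCKET_EDGES_MS = [25, 50, 100, 200, 400, 600, 800, 1000, 2000]


def histogram(times_ms):
    """Count latencies per bucket: index 0 is 0-25 ms, index 9 is more than 2,000 ms."""
    counts = [0] * (len(BUCKET_EDGES_MS) + 1)
    for t in times_ms:
        i = 0
        while i < len(BUCKET_EDGES_MS) and t > BUCKET_EDGES_MS[i]:
            i += 1
        counts[i] += 1
    return counts


# Constructed sample capture: two HTTP clients talking to one server on port 80.
SAMPLE_PACKETS = [
    Packet(0.000, "10.0.0.5", 40000, "10.0.0.9", 80, 0),      # SYN
    Packet(0.010, "10.0.0.9", 80, "10.0.0.5", 40000, 0),      # SYN/ACK
    Packet(0.011, "10.0.0.5", 40000, "10.0.0.9", 80, 0),      # ACK
    Packet(0.012, "10.0.0.5", 40000, "10.0.0.9", 80, 120),    # GET /
    Packet(0.052, "10.0.0.9", 80, "10.0.0.5", 40000, 1400),   # 200 OK, 40 ms later
    Packet(0.100, "10.0.0.6", 40001, "10.0.0.9", 80, 90),     # second client, GET
    Packet(0.115, "10.0.0.9", 80, "10.0.0.6", 40001, 600),    # 200 OK, 15 ms later
    Packet(0.300, "10.0.0.5", 40000, "10.0.0.9", 80, 100),    # GET /slow
    Packet(2.450, "10.0.0.9", 80, "10.0.0.5", 40000, 800),    # 200 OK, 2,150 ms later
]


def analyze(packets, server_port=80):
    """Per-flow timelines plus one response-time histogram across all flows."""
    flows = group_flows(packets)
    timelines = {k: flow_timeline(f) for k, f in flows.items()}
    all_times = [t for f in flows.values() for t in response_times(f, server_port)]
    return timelines, histogram(all_times)


if __name__ == "__main__":
    timelines, counts = analyze(SAMPLE_PACKETS)
    for key, rows in timelines.items():
        print("flow", key)
        for total, delta, p in rows:
            print(f"  {total:9.3f} ms  +{delta:8.3f} ms  {p.src}:{p.sport} -> {p.dst}:{p.dport}  {p.payload_len} B")
    print("response-time buckets:", counts)
```

Replacing SAMPLE_PACKETS with packets read from a real capture (via any pcap library) is the only change needed; the latency logic deliberately ignores zero-payload segments so that handshake and ACK traffic does not masquerade as a response, and a bucket edge of exactly 2,000 ms stays in the 1,000-2,000 ms bucket rather than the "more than" one.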

Vendor Information

AppDancer/FA Network Flow Analyzer, $4,995.
AppDancer Networks, (770) 643-6800; fax (770) 643-8888.
www.appdancer.com



AppDancer covers more than 200 Layer 3-plus protocols, in addition to Ethernet, IP, IPX, SPX, HTTP, FTP, NNTP, IMAP, SMTP, POP, PPP, RIP, Quake, SMB, RADIUS and X Window. AppDancer also supports a distinguished list of enterprise-application protocols, including Microsoft SQL and Exchange and Sybase SQL. Plans to add support for Oracle and MGCP are in place, according to AppDancer.

I encouraged the company to add IPsec to help troubleshoot negotiations between clients and servers and to provide a tool for wireless security diagnostics.

The alarm functions included in AppDancer/FA can be run in real time or applied to capture files. Alerting mechanisms include e-mail, pager, script and SNMP trap. I was surprised by the easy-to-configure threshold ranges with varying severity levels for devices and protocols. This is not state tracking, such as that offered with the Sniffer Expert system, but AppDancer supports TCP retransmits and response times in its application flows.
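The threshold ranges with severity levels, applied to the SNMP interface statistics (speed, errors, discards, utilization) gathered earlier in the review, come down to a small amount of logic. The following Python is an added example written for this page, not AppDancer's code: it derives utilization from two successive Counter32 octet readings (allowing for counter wrap), then checks utilization, error and discard figures against per-metric warning/major/critical thresholds and orders the resulting alarms most severe first. The thresholds, device names and counter values are constructed.

```python
"""Threshold alarms with severity levels over SNMP-style interface counters.

Added example, not AppDancer's code. Thresholds, device names and readings
are constructed.
"""
from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32
SEVERITY_ORDER = {"critical": 0, "major": 1, "warning": 2}


@dataclass(frozen=True)
class Threshold:
    metric: str
    warning: float
    major: float
    critical: float

    def severity(self, value):
        """Highest level whose threshold the value reaches, or None."""
        if value >= self.critical:
            return "critical"
        if value >= self.major:
            return "major"
        if value >= self.warning:
            return "warning"
        return None


def counter_delta(prev, cur):
    """Difference between two Counter32 readings, allowing for one wrap."""
    return cur - prev if cur >= prev else cur + (COUNTER32_MAX - prev)


def utilization_pct(prev_octets, cur_octets, interval_s, if_speed_bps):
    """Link utilization over the polling interval, as a percentage of ifSpeed."""
    bits = counter_delta(prev_octets, cur_octets) * 8
    return 100.0 * bits / (interval_s * if_speed_bps)


def evaluate(samples, thresholds):
    """Return (severity, device, interface, metric, value) for each breached
    threshold, most severe first. Metrics without a threshold are ignored."""
    by_metric = {t.metric: t for t in thresholds}
    alarms = []
    for s in samples:
        th = by_metric.get(s["metric"])
        if th is None:
            continue
        sev = th.severity(s["value"])
        if sev is not None:
            alarms.append((sev, s["device"], s["interface"], s["metric"], s["value"]))
    alarms.sort(key=lambda a: SEVERITY_ORDER[a[0]])
    return alarms


# Constructed thresholds: utilization in percent, errors and discards as counts per poll.
THRESHOLDS = [
    Threshold("utilization", warning=60, major=80, critical=90),
    Threshold("errors", warning=1, major=10, critical=100),
    Threshold("discards", warning=1, major=10, critical=100),
]

# Constructed poll: a 100 Mbps interface sampled 60 s apart.
IF_SPEED_BPS = 100_000_000
POLL_INTERVAL_S = 60
PREV_OCTETS, CUR_OCTETS = 1_000_000, 601_000_000   # 600 MB moved in 60 s


def sample_alarms():
    """Build the constructed readings and evaluate them; returns the alarm list."""
    util = utilization_pct(PREV_OCTETS, CUR_OCTETS, POLL_INTERVAL_S, IF_SPEED_BPS)
    samples = [
        {"device": "core-rtr1", "interface": "Fa0/1", "metric": "utilization", "value": util},
        {"device": "core-rtr1", "interface": "Fa0/1", "metric": "errors", "value": 150},
        {"device": "core-rtr1", "interface": "Fa0/1", "metric": "discards", "value": 0},
        {"device": "core-rtr1", "interface": "Fa0/1", "metric": "cpu", "value": 95},  # no threshold
    ]
    return evaluate(samples, THRESHOLDS)


if __name__ == "__main__":
    for sev, dev, ifc, metric, value in sample_alarms():
        print(f"{sev:8s} {dev} {ifc} {metric}={value}")
```

The wrap handling matters in practice: a 32-bit octet counter on a busy 100 Mbps link rolls over in under six minutes, and without it a single poll would report a huge negative delta or a nonsensical utilization.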

Coming in at just under $5,000, a price that includes the VoIP and database SQL decodes, the AppDancer/FA compares well with Sniffer. It is a bit pricier than the full version of WildPackets EtherPeek NX, but AppDancer/FA's detail in the display of TCP streams and replay of those streams are things EtherPeek and Sniffer don't offer.

Bruce Boardman is executive editor of Network Computing, testing and writing about network management and systems. He has 12 years' IT experience managing networks and distributed computing for a financial service provider. Send your comments on this article to Bruce Boardman at [email protected].
