Protocol Expert supports more than 250 protocols, including Cisco, IBM Lotus Notes, SIP, Virtual LAN (VLAN), and Voice over IP (VoIP). The product offers more than 150 predefined, customizable alarms that can generate alerts to send over a LAN, in an email message, or to a pager. You can set alarms and triggers to launch predefined applications, such as antivirus scanners or IDSs. I found Protocol Expert's protocol decodes informative, though not quite as detailed as those of Netasyst Network Analyzer and Observer. Protocol Expert lets you display the usual set of summary reports, such as protocol distributions, conversation tables, top senders, and host matrixes, by clicking a menu bar icon. You can save captured data to bitmap (.bmp), comma-separated value (CSV), or Microsoft Excel file formats. Protocol Expert also lets you modify captured traffic and replay it over the network. This feature can be useful in testing firewalls, IDSs, and other network defenses.
Protocol Expert's Expert View is formatted in a welcoming Open Systems Interconnection (OSI) layer model, which Figure 4 shows. Different layers report different events, which can make troubleshooting easier. For example, the Data Link layer expert analysis might report spoofed MAC addresses or broadcast storms, and the Transport layer might report IP checksum errors or synchronous idle character (SYN) attacks. I found the product's Expert View useful for the most part, although the Application layer expert-analysis module needs more depth. This module covers only the basic applications, such as FTP, HTTP, and NetWare Core Protocol (NCP), and even the summary counters it reports for those need improvement. Several competitors offer Exchange, SQL Server, and many other common applications and counters.
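One of the checks an expert-analysis module performs at this layer is IP header checksum verification. The following is an added example written for this article, not code from Protocol Expert or any other product reviewed here: it builds a few constructed IPv4 headers, deliberately leaves one with a stale checksum (the kind of defect a misbehaving forwarding device produces when it rewrites a field without recomputing), and reports checksum errors the way an analyzer's expert view would. All packet contents and addresses are constructed sample data.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791), with the checksum
    field already zeroed by the caller."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 6, ttl: int = 64) -> bytes:
    """Construct a minimal 20-byte IPv4 header with a correct checksum."""
    ihl = 5
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + payload_len, 0x1234, 0x4000,
        ttl, proto, 0,                      # checksum field zero for now
        socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def check_ipv4_header(packet: bytes) -> dict:
    """Recompute the header checksum and compare it with the stored value."""
    if len(packet) < 20:
        return {"valid": False, "reason": "truncated header"}
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    computed = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {"ihl": ihl, "stored": stored, "computed": computed,
            "valid": stored == computed}


def checksum_report(packets) -> list:
    """Expert-style findings: one line per packet whose checksum is wrong."""
    findings = []
    for idx, pkt in enumerate(packets, start=1):
        result = check_ipv4_header(pkt)
        if not result["valid"]:
            src = socket.inet_ntoa(pkt[12:16])
            dst = socket.inet_ntoa(pkt[16:20])
            findings.append(
                "#%d %s -> %s: IP checksum error (stored 0x%04x, computed 0x%04x)"
                % (idx, src, dst, result["stored"], result["computed"]))
    return findings


# Constructed sample capture: two good headers and one whose TTL was
# decremented by a hypothetical faulty router that skipped the checksum update.
good_a = build_ipv4_header("192.0.2.10", "192.0.2.20", 40)
good_b = build_ipv4_header("192.0.2.20", "192.0.2.10", 40)
stale = bytearray(build_ipv4_header("192.0.2.30", "192.0.2.40", 40))
stale[8] -= 1                               # TTL changed, checksum left as-is
SAMPLE_CAPTURE = [good_a, good_b, bytes(stale)]

if __name__ == "__main__":
    for line in checksum_report(SAMPLE_CAPTURE):
        print(line)
```

Only the 20-byte header is summed; the payload is not covered by the IPv4 checksum, which is why an analyzer can flag this class of error without reassembling anything above the network layer.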
Network Associates' Netasyst Network Analyzer
Network Associates has a long history of providing network protocol analyzer products, including the InfiniStream Network Management, Netasyst Network Analyzer, and Sniffer product lines. Recently, Network Associates sold these lines to Silver Lake Partners and Texas Pacific Group, which will sell the products through a new company called Network General upon completion of the acquisition (expected in third quarter 2004). The InfiniStream Network Management and Sniffer product lines, which include a hardware appliance and software, are targeted at larger enterprises that need high-speed (i.e., gigabits per second, or Gbps) analysis, long-term storage and capturing, and the ability to replay captured traffic over the network. Netasyst Network Analyzer is targeted at small-to-midsized businesses that have fewer than 1000 nodes. The product comes in two versions, standard and expert (X), with three options for each version: 10Mbps/100Mbps LAN (L), 802.11 wireless (W), or wireless and LAN (WL). The standard and expert versions have the same packet-decoding engine, but the expert version offers additional analysis automation and tools. Pricing varies depending on the version and options you buy.
Netasyst Network Analyzer is a solid network protocol analyzer, and its maturity is evident. Although the Netasyst Network Analyzer name is new, the product is backed by Network Associates' years of experience in the protocol analyzer market. When you install Netasyst Network Analyzer, you can catch glimpses of the filenames of Sniffer and Net X-Ray, upon which the product is based. Netasyst Network Analyzer requires Windows XP or Win2K, Microsoft Internet Explorer (IE) 6.0 or later, and Sun Microsystems' Java 2 Runtime Environment (JRE2), which is used to display graphics. Netasyst Network Analyzer is chock-full of features everywhere you look. The default statistics dashboard displays at start-up and is one of the product's most recognized features. The dashboard displays network utilization, the number of packets, and the number of errors.
Netasyst Network Analyzer decodes more than 280 different protocols. The product provides some of the most accurate and detailed decodes among the products in this review. It's hard not to be impressed. For example, the summary window, which Figure 5 shows, offers a wealth of information. HTTP packet summaries tell you what the packets are doing (e.g., which HTML command is being issued, what page or graphic is being downloaded). Each packet flag has a value and a short explanation right in the decode, which isn't unusual for any protocol analyzer product. However, Netasyst Network Analyzer conveys this information a degree better than most of its competitors. It analyzes packets and notes relationships among them; for example, fragmented packets or session data that's split up among multiple packets is readily identified as belonging together. The product highlights abnormal conditions, such as long acknowledges (ACKs), retransmissions, and out-of-sequence packets. None of the other products I review noted as many network problems as Netasyst Network Analyzer does. Although the immediate value of seeing retransmissions and TCP window locks is questionable to the ordinary administrator, such information is useful for determining a baseline view of your network. Developers and network designers should strongly consider using Netasyst Network Analyzer when they fine-tune application performance. When I tested the product, it picked up traffic running on nonstandard ports. Many of its Windows decodes were exceptional; the product explained most packet fields and converted binary information into information I could understand.
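Flagging retransmissions and out-of-sequence segments comes down to tracking, per TCP flow, which sequence-number ranges have already been seen and which byte is expected next. The following is an added example written for this article, not Netasyst Network Analyzer's own logic: it runs that bookkeeping over a constructed list of segment summaries (one direction of one flow, sequence numbers small enough that 32-bit wraparound is ignored, an assumption noted in the code) and produces expert-style findings for a gap, the late segment that fills it, and a genuine retransmission.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Constructed summary of one TCP data segment (no payload bytes kept)."""
    src: str
    dst: str
    seq: int        # first sequence number carried
    length: int     # payload bytes; 0 means a pure ACK


class TcpFlowTracker:
    """Per-flow sequence bookkeeping as an expert-analysis module would keep it.
    Assumption: sequence numbers do not wrap within the capture."""

    def __init__(self):
        self.next_seq = {}   # flow -> next expected sequence number
        self.seen = {}       # flow -> list of (start, end) ranges observed

    def observe(self, idx: int, seg: Segment):
        flow = (seg.src, seg.dst)
        end = seg.seq + seg.length
        if seg.length == 0:                      # pure ACKs carry no data
            return None
        if flow not in self.next_seq:            # first data seen on this flow
            self.next_seq[flow] = end
            self.seen[flow] = [(seg.seq, end)]
            return None

        expected = self.next_seq[flow]
        note = None
        if any(s <= seg.seq < e for s, e in self.seen[flow]):
            note = "#%d %s -> %s: retransmission of seq %d..%d" % (
                idx, seg.src, seg.dst, seg.seq, end)
        elif seg.seq > expected:
            note = "#%d %s -> %s: out-of-sequence, expected %d got %d (gap %d bytes)" % (
                idx, seg.src, seg.dst, expected, seg.seq, seg.seq - expected)
        elif seg.seq < expected:
            note = "#%d %s -> %s: late segment %d..%d fills earlier gap" % (
                idx, seg.src, seg.dst, seg.seq, end)

        self.seen[flow].append((seg.seq, end))
        self.next_seq[flow] = max(expected, end)
        return note


def analyze(segments) -> list:
    """Run every segment through the tracker and collect the findings."""
    tracker = TcpFlowTracker()
    findings = []
    for idx, seg in enumerate(segments, start=1):
        note = tracker.observe(idx, seg)
        if note:
            findings.append(note)
    return findings


# Constructed sample: 100-byte segments from a client to a server, where the
# third segment arrives before the second, and the first data segment after
# the handshake is later sent again.
SAMPLE_SEGMENTS = [
    Segment("192.0.2.10", "192.0.2.20", seq=1,   length=100),   # in order
    Segment("192.0.2.10", "192.0.2.20", seq=101, length=100),   # in order
    Segment("192.0.2.10", "192.0.2.20", seq=301, length=100),   # jumps ahead
    Segment("192.0.2.20", "192.0.2.10", seq=900, length=0),     # pure ACK
    Segment("192.0.2.10", "192.0.2.20", seq=201, length=100),   # fills the gap
    Segment("192.0.2.10", "192.0.2.20", seq=101, length=100),   # retransmission
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_SEGMENTS):
        print(line)
```

A single out-of-sequence segment followed by the gap filler is ordinary reordering on a multipath link; the retransmission is the event worth correlating with latency, and only keeping the seen ranges lets the tracker tell the two apart.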
Another interesting feature of Netasyst Network Analyzer (probably influenced by its antivirus cousin, McAfee VirusScan) is its ability to download malware filters from the McAfee Web site, which you can then load into Netasyst Network Analyzer to detect malicious code. The McAfee Web site http://www.nai.com/us/security/resources/sv_home.htm#filters currently lists 20 malware filters, including filters for recent viruses, such as MyDoom and Netsky. Although Netasyst Network Analyzer isn't meant to be a full network IDS or antivirus scanner, its ability to download malware filters can come in handy.
Randall Ader July 06, 2004