Netasyst Network Analyzer has a full complement of features, including many statistics screens, graphical charts, SNMP traps, and triggers. The product also provides dozens of alarms with predefined thresholds, which you can set to generate alerts for various problems, such as slow servers, high-volume VoIP traffic, excessive logon failures, FTP logon attempts, WINS duplicate name errors, too many retransmissions, domain controller (DC) shutdown, Layer 2 errors, broadcast storms, and network topology changes. Although most protocol analyzers provide alarms, Netasyst Network Analyzer is unique in that its thresholds are predefined. In the wireless versions of the product, you can enable rogue AP or wireless node discovery. Netasyst Network Analyzer also provides more VoIP features than its competitors. On the downside, Netasyst Network Analyzer doesn't decode 802.11g, Kerberos, or RDP traffic and splits LAN and wireless functionality into different product versions.
Network Instruments' Observer
Network Instruments' Observer is another solid top performer and a contender for midsized-to-large networks. Observer is built to be distributed, designed to handle large volumes of data, and coded to run on more types of network interfaces than any of the other reviewed products. Distributed protocol analyzers consist of two components: a management station and a client packet-capturing component. Clients can be distributed throughout the enterprise, and all the distributed data is collected and analyzed on one management workstation. Network Instruments calls this distributed architecture Distributed Network Analysis (NI-DNA). When you install Observer, you can choose to install the complete Observer package, which includes the decoding and reporting console, or a probe, software that captures packets on local and remote networks and interacts with the Observer console. Network Instruments says that it's had as many as 350 probes reporting in one production environment. Data can be reported separately or in aggregate. Observer can reserve up to 4GB of memory for packet capturing coming from up to 64 different network interfaces. (Could anyone need that many interfaces?) Observer supports wired topologies from 10Mbps to full-duplex gigabit.
Although some protocol analyzer vendors differentiate their products between LAN and wireless capabilities, every version of Observer supports LAN, remote monitoring (RMON), WAN, and wireless. Network Instruments readily promotes WAN solutions involving DS3, E1, High-Speed Serial Interface (HSSI), and T1 interfaces. You can order prebuilt 4U (7") rack-mounted solutions, with or without the WAN kit. Observer also offers more wireless options than its competitors. It's one of the few LAN protocol analyzers that decodes the 802.11a, 802.11b, and 802.11g wireless protocols. Furthermore, all Observer probes sport the same look and feel. Competing protocol analyzers don't provide nearly as wide a spectrum of choices with the same interface as Observer does.
One of the first things you notice about Observer is that it provides Help windows with explanations during the setup and first use of the product (other products, such as EtherPeek, also provide this sort of help). Multiple 15-minute tutorial windows are available to help you learn to use the product. In Observer, Network Instruments seems to have considered the end-user experience a bit more than some of its competitors have. You can right-click any packet and create a quick filter that displays only packets that are related to that packet's IP address, only packets that are related to that packet's IP address and the other host involved, or only packets sent and received between the two related hosts and to the same or related IP port numbers. For example, with one click you can capture all traffic between a Web server and its back-end database and filter out unrelated traffic. Other protocol analyzers let you define the same types of filters, but most require more than a dozen clicks to accomplish what Observer does in one click.
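The three one-click filters described above, modeled as an added example (not Observer's code or the author's): each mode yields a tcpdump-style expression plus an equivalent predicate, applied to a constructed capture of a Web server talking to its database. Packet fields, hosts and ports are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def quick_filter(selected: Packet, mode: str):
    """Build a filter from the selected packet.
    'host': either side is the selected packet's source IP
    'pair': the two hosts of the selected packet, any ports, either direction
    'conversation': same two hosts and the same port pair, either direction
    Returns (tcpdump-style expression, predicate over Packet)."""
    a, pa, b, pb = selected.src, selected.sport, selected.dst, selected.dport
    if mode == "host":
        return f"host {a}", lambda p: a in (p.src, p.dst)
    if mode == "pair":
        return f"host {a} and host {b}", lambda p: {p.src, p.dst} == {a, b}
    if mode == "conversation":
        expr = (f"(src host {a} and src port {pa} and dst host {b} and dst port {pb}) or "
                f"(src host {b} and src port {pb} and dst host {a} and dst port {pa})")
        fwd = lambda p: (p.src, p.sport, p.dst, p.dport) == (a, pa, b, pb)
        rev = lambda p: (p.src, p.sport, p.dst, p.dport) == (b, pb, a, pa)
        return expr, lambda p: fwd(p) or rev(p)
    raise ValueError(f"unknown filter mode: {mode}")

def apply_filter(capture, selected: Packet, mode: str):
    """Keep only the packets the quick filter matches (the 'display only' view)."""
    _, pred = quick_filter(selected, mode)
    return [p for p in capture if pred(p)]

# Constructed capture: a Web server (10.0.0.10) querying its back-end database
# (10.0.0.20, port 1433) plus unrelated traffic that the filter should drop.
CAPTURE = [
    Packet("10.0.0.10", 40000, "10.0.0.20", 1433),    # web -> db query
    Packet("10.0.0.20", 1433, "10.0.0.10", 40000),    # db -> web reply
    Packet("10.0.0.10", 40001, "10.0.0.20", 1433),    # second web -> db connection
    Packet("10.0.0.10", 80, "192.168.1.5", 52000),    # web -> browser
    Packet("192.168.1.7", 53012, "10.0.0.20", 1433),  # other client -> db
    Packet("10.0.0.30", 5060, "10.0.0.31", 5060),     # unrelated VoIP signaling
]

if __name__ == "__main__":
    for mode in ("host", "pair", "conversation"):
        expr, _ = quick_filter(CAPTURE[0], mode)
        print(mode, "->", expr, "| matches:", len(apply_filter(CAPTURE, CAPTURE[0], mode)))
```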
Like other analyzers, Observer displays a wide spectrum of reports, summaries, and statistics, which Figure 6 shows. The product's filters include more than 30 malware filters, including filters for wireless Denial of Service (DoS) attacks, common malware, and what Observer calls hack filters (which are a subset of a larger filter set that Observer can use). Observer contains a full complement of alarms and triggers. The product also has a distinct network-mapping feature that you can use separately to convert IP and MAC addresses to DNS or NetBIOS names. In my testing, the product analyzed traffic to automatically determine which machines were servers and even which application functions they performed. Observer recognizes 14 different applications, such as Exchange, Oracle, SQL Server, and VoIP.
I found most of Observer's protocol decodes and the information shown at each layer to be among the best of the products I reviewed. Observer sometimes had problems recognizing well-known protocols on nondefault ports (e.g., HTTP, RDP); however, you can modify Observer's decoders to monitor traffic on other ports, as you can with other protocol analyzers. For certain protocols, Observer stood ahead of the pack. It was one of the few analyzers to recognize and properly decode my Kerberos and LDAP traffic each and every time. Other analyzers would note the UDP packets on port 88 and might label them Kerberos packets in the detail view, but Observer told me the difference between my Kerberos requests and tickets that were successfully granted. Observer can replay up to 5MB of data from the capture buffer over the network.
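The difference between labeling port-88 datagrams "Kerberos" and actually decoding them, as an added example that is not Observer's code: every Kerberos V5 message (RFC 4120) is DER-encoded under an ASN.1 APPLICATION tag that names the message type, so a content-based classifier can tell an AS-REQ from the AS-REP that carries the granted ticket, and can reject non-Kerberos traffic that merely uses the port. The sample payloads are constructed stubs (tag and length only, filler inside), not real tickets.

```python
# ASN.1 tag byte = APPLICATION class (0x40) | constructed (0x20) | tag number.
KRB_MSG_TYPES = {
    0x6a: "AS-REQ",      # [APPLICATION 10] initial authentication request
    0x6b: "AS-REP",      # [APPLICATION 11] TGT granted
    0x6c: "TGS-REQ",     # [APPLICATION 12] service ticket request
    0x6d: "TGS-REP",     # [APPLICATION 13] service ticket granted
    0x6e: "AP-REQ",      # [APPLICATION 14] ticket presented to a service
    0x6f: "AP-REP",      # [APPLICATION 15] mutual-auth reply
    0x7e: "KRB-ERROR",   # [APPLICATION 30] e.g. pre-auth required, bad password
}

def der_length(payload: bytes):
    """Parse the DER length after the tag byte; return (length, header_size) or None."""
    if len(payload) < 2:
        return None
    first = payload[1]
    if first < 0x80:                      # short form: one byte holds the length
        return first, 2
    n = first & 0x7f                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(payload) < 2 + n:
        return None
    return int.from_bytes(payload[2:2 + n], "big"), 2 + n

def classify_by_port(dport: int) -> str:
    """What a port-only analyzer reports."""
    return "Kerberos" if dport == 88 else "other"

def classify_by_content(payload: bytes) -> str:
    """Classify a UDP payload by its Kerberos message tag and length consistency.
    (TCP transport adds a 4-byte length prefix first; not handled here.)"""
    name = KRB_MSG_TYPES.get(payload[0]) if payload else None
    parsed = der_length(payload)
    if name is None or parsed is None:
        return "not Kerberos"
    length, hdr = parsed
    if hdr + length != len(payload):      # declared length must cover the datagram exactly
        return "malformed " + name
    return name

# Constructed datagrams to port 88: tag + length + filler, not genuine Kerberos content.
SAMPLES = {
    "as_req":    bytes([0x6a, 0x03, 0x30, 0x01, 0x00]),
    "as_rep":    bytes([0x6b, 0x82, 0x00, 0x03, 0x30, 0x01, 0x00]),  # long-form length
    "krb_error": bytes([0x7e, 0x03, 0x30, 0x01, 0x00]),
    "dns_on_88": bytes([0x12, 0x34, 0x01, 0x00]),                    # wrong protocol, right port
    "truncated": bytes([0x6c, 0x10, 0x30]),                          # length claims 16, only 1 byte
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10} port-only={classify_by_port(88):9} content={classify_by_content(data)}")
```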
Randall Ader, July 06, 2004