Network Analyzers

Monitor your network for potential problems and attacks

Ed Roth

August 18, 2002

3 Min Read

EDITOR'S NOTE: The Buyer's Guide summarizes vendor-submitted information. To find out about future Buyer's Guide topics or to learn how to include your product in an upcoming Buyer's Guide, go to http://www.winnetmag.com/buyersguide. To view previous Buyer's Guides on the Web, go to http://www.winnetmag.com/articles/index.cfm?departmentid=118.

Network analyzers (aka sniffers) let you view the data and protocols running over your network. You can troubleshoot network problems, analyze network traffic statistics historically or in realtime, and alert a network manager to potential problems and attacks. Some sniffers offer features such as proprietary packet fabrication and injection, which you can use for firewall testing and custom application debugging. Although people can use sniffers for malicious purposes (e.g., capturing passwords, reading nonencrypted email), you can also use a sniffer to thwart inappropriate activity. Some of these network analyzers can detect and log improper activity on your network and capture that evidence, which you can reconstruct later for disciplinary or legal purposes.

Obviously, you want to ensure that the product you purchase can capture and analyze your network protocols and that the analyzer can keep up with your network. Less extensive analyzers highlight application protocols (e.g., TCP/IP, HTTP, SMTP, Telnet, FTP) on 10Mbps or 100Mbps Ethernet. Enterprise offerings can perform on other topologies (e.g., Token Ring) at faster speeds, letting you peer into the inner workings of the most advanced networks and look at tunneling, routing, directory access, voice, video, and other protocols. Products that employ realtime data-capture filtering and postcapture filtering save you time and effort when you're looking for relevant data. You can also use filters to identify known attack signatures (e.g., Nimda, Code Red) to aid in your defense against attackers.

After you determine that a particular product can perform an informative breakdown of the network packets that you need to view, you can consider productivity-enhancing and ease-of-use features. Packet time stamping, conditional alerts through email or pager, online context-sensitive glossary, and a browser-based interface are examples of functionality that you should evaluate. Unless you enjoy working with media access control (MAC) addresses, you'll want to ensure that logical node name mapping is available. Graphical reports can let you quickly determine which nodes are communicating with one another, who the bandwidth hogs are, where errors occur, and which protocols your network uses. If you plan to monitor many nodes, make sure that the vendor has put some effort into providing intelligent, easy-to-interpret reports rather than 500 dots with lines between them. If you plan to use other methods for cataloging or analyzing historical data, look for appropriate export and copy/paste functionality.
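The postcapture filtering and reporting described above, as an added example that is not part of the original article or any vendor's product: a small Python script that decodes raw Ethernet/IPv4/TCP frames, applies an optional filter, maps MAC addresses to logical node names, and summarizes bandwidth per node, conversations between nodes, and the protocol mix. It works on frames constructed inline, so it runs offline; in practice the frames would come from a NIC in promiscuous mode or a saved capture. All MAC addresses, IP addresses, node names and payloads are constructed for this example.

```python
"""Minimal postcapture analyzer over raw Ethernet II / IPv4 / TCP frames.

Added example, not code from the article or any product it lists. The frames
are built inline so the script runs with no capture hardware.
"""
import struct
from collections import Counter

# Logical node-name mapping (constructed for this example), so reports show
# names instead of raw MAC addresses.
NODE_NAMES = {
    "00:11:22:33:44:01": "fileserver",
    "00:11:22:33:44:02": "workstation-7",
    "00:11:22:33:44:03": "mailrelay",
}

# Server-side ports used to label the application protocol of each packet.
PORT_PROTOCOLS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP"}


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet II + IPv4 + TCP frame (checksums left zero; a decoder
    does not need them to classify traffic)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode one frame; return None for anything that is not IPv4 over TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # IP protocol number 6 is TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4
    src_mac, dst_mac = mac_str(frame[6:12]), mac_str(frame[0:6])
    return {
        "src": NODE_NAMES.get(src_mac, src_mac),
        "dst": NODE_NAMES.get(dst_mac, dst_mac),
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
        "sport": sport, "dport": dport,
        "payload": tcp[data_off:], "length": len(frame),
    }


def service_port(pkt):
    # Heuristic: the lower port number is taken as the server side.
    return min(pkt["sport"], pkt["dport"])


def protocol_name(pkt):
    return PORT_PROTOCOLS.get(service_port(pkt), "TCP/other")


def cleartext_login(pkt):
    """Postcapture filter: keep only protocols that send credentials in the
    clear, so the sessions can be found and migrated to encrypted ones."""
    return service_port(pkt) in (21, 23)


def analyze(frames, keep=None):
    """Decode frames, apply an optional filter predicate, and summarize
    bytes sent per node, packets per protocol, and packets per node pair."""
    talkers, protocols, conversations, kept = Counter(), Counter(), Counter(), []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or (keep is not None and not keep(pkt)):
            continue
        kept.append(pkt)
        talkers[pkt["src"]] += pkt["length"]          # bytes sent, by source node
        protocols[protocol_name(pkt)] += 1
        conversations[tuple(sorted((pkt["src"], pkt["dst"])))] += 1
    return {"packets": kept, "talkers": talkers,
            "protocols": protocols, "conversations": conversations}


# Constructed sample capture: one workstation talking to two servers.
WS, FS, MR = "00:11:22:33:44:02", "00:11:22:33:44:01", "00:11:22:33:44:03"
SAMPLE_FRAMES = [
    build_frame(WS, FS, "10.0.0.7", "10.0.0.1", 40001, 21, b"USER alice\r\n"),
    build_frame(WS, MR, "10.0.0.7", "10.0.0.3", 40002, 25, b"EHLO ws7\r\n"),
    build_frame(FS, WS, "10.0.0.1", "10.0.0.7", 21, 40001, b"331 Password required\r\n"),
    build_frame(WS, FS, "10.0.0.7", "10.0.0.1", 40003, 23, b"ls\r\n"),
    build_frame(WS, FS, "10.0.0.7", "10.0.0.1", 40004, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    report = analyze(SAMPLE_FRAMES)
    print("Top talkers (bytes sent):", report["talkers"].most_common())
    print("Protocol mix:", dict(report["protocols"]))
    print("Conversations:", dict(report["conversations"]))
    print("Cleartext-login packets:", len(analyze(SAMPLE_FRAMES, keep=cleartext_login)["packets"]))
```

The `keep` predicate plays the role of a postcapture filter: the same decoded packets can be summarized in full or narrowed to one concern, such as the cleartext FTP and Telnet logins that a sniffer in the wrong hands could read. Realtime capture filtering would apply the same kind of predicate before the frame is stored, which is what saves disk and analysis time on a busy segment.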

Most of these products work with any Ethernet NIC that supports promiscuous mode. For non-Ethernet networks, you might need to purchase a specific vendor-approved adapter. The hardware requirements for these packages range from a 486MHz system with 16MB of RAM to an 800MHz Pentium III system with 256MB of RAM.

The network analyzers in this Buyer's Guide represent a wide range of functionality and price points. In an effort to provide a comprehensive solution to overall network management, AppDancer Networks has grouped its traditional protocol-analysis tool with other network- and application-monitoring and management tools in its AppDancer/FA network flow analyzer product. Network Associates and WildPackets are releasing products for managing emerging network technologies (e.g., wireless, voice). Some products (e.g., Network Instruments' Observer) let you monitor multiple network segments by adding probes, which run on a standard, nondedicated computer, to collect network data from the segment on which they reside. Distinct's Distinct Network Monitor offers an interesting option through its rental program; if you're looking to resolve a one-time incident, you might want to check out that option (for details, see Distinct's Web site—http://www.network-monitor.com).

To select a network analyzer that suits your needs, think about your specific goals for the product, as well as how often you'll use it. Nail down your requirements and do a little research so that you get the functionality you need without paying for unnecessary features. You should also consider other factors, such as technical support, ease of use, and supported hardware and software platforms.

—Ed Roth
