Making The Diagnosis With Windows Protocol Analyzers
The AG Group EtherPeek For Windows 2.0 (Beta)
EtherPeek first gained popularity as an easy-to-use packet-capture utility for the Macintosh. Now it's available for the Windows environment. While the beta copy of EtherPeek for Windows version 2.0 was a substantial improvement over the first revision (which lacked application-layer protocol decodes), it is focused specifically on packet capture and protocol decode. It offers little support for real-time network monitoring.
EtherPeek relies completely on active packet captures for network statistics; all statistics other than utilization and error counts must be computed during or following the capture session. Unfortunately, The AG Group has yet to optimize its NDIS capture drivers. We found that both versions 1.1.1 and 2.0 beta drop packets, even during moderate network utilization.
EtherPeek includes no expert systems or traffic generation. AG claims it will add traffic generation and buffer replay to the final version of 2.0.
Dan Backman can be reached at dbackman@nwc.com.
Is Almost Good Enough?
Standard NICs are designed to filter out "noise" for improved performance. However, network analysis requires the NIC to enter a "promiscuous" mode, disabling MAC (Media Access Control)-layer filtering. This lets the card pick up network traffic that would otherwise be filtered in hardware, but it also increases the amount of traffic the workstation must process. On heavily loaded networks, this can place significant processing demands on the host computer. We found that the capture performance of software analyzers is highly dependent on the type of NIC, chipset, bus type and NDIS (Network Driver Interface Specification) drivers.
Accurate error counters are also an issue. Although NDIS includes various error counters, many drivers don't bother to update them. This is a serious concern when using software protocol analyzers because most depend entirely on NDIS for all network data. Both NetXRay and LANdecoder32 delivered accurate error counters using their own proprietary drivers, but most software analyzers are forced to rely upon standard Microsoft Windows 95 and Windows NT NDIS drivers for network operations. Ask your software vendor for the recommended NICs if you're interested in error counters.
We tested each product using four different Ethernet cards: a 3Com Corp. 3C509 Etherlink III, a 3Com 3C905 Fast Etherlink XL, a Kingston Technology Corp. EtheRx 10/100 (using Digital's 21140 PCI chipset), and a CNet Technologies NE2000-compatible ISA adapter. All products were tested on 200-MHz Pentium Pro workstations with 128 MB of RAM. We found that this hardware configuration, coupled with PCI Ethernet cards, yielded accurate network performance indicators and packet captures.
Expect to allocate at least a high-end Pentium-class workstation to network monitoring and packet capture for your network, as accuracy is largely dependent upon workstation resources. If you're using a desktop workstation, we recommend you use a PCI-based NIC. In addition, a laptop running these software analyzers is an excellent choice for front-line network analysis, although we recommend a CardBus network card.
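The MAC-layer filtering described in this sidebar, as an added example (not from the original article or from any of the reviewed products): a simplified model of a NIC's receive filter that compares how many frames reach the host in normal and in promiscuous mode. The addresses, frames and function names are constructed for illustration.

```python
BROADCAST = bytes.fromhex("ffffffffffff")
HEADER_LEN = 14  # destination MAC (6) + source MAC (6) + EtherType (2)

def make_frame(dst, src, ethertype=0x0800, payload=bytes(46)):
    """Build a constructed Ethernet II frame (no preamble or FCS)."""
    return (bytes.fromhex(dst) + bytes.fromhex(src)
            + ethertype.to_bytes(2, "big") + payload)

def nic_accepts(frame, own_mac, groups, promiscuous):
    """Return True if the modelled NIC hands this frame to the host."""
    if len(frame) < HEADER_LEN:
        return False  # simplification: truncated frames are dropped in both modes
    if promiscuous:
        return True   # MAC-layer filtering disabled: everything on the wire is kept
    dst = frame[:6]
    if dst == own_mac or dst == BROADCAST:
        return True
    # The low-order bit of the first octet marks a group (multicast) address;
    # only groups the host has joined pass the filter.
    return bool(dst[0] & 0x01) and dst in groups

def host_load(frames, own_mac, groups, promiscuous):
    """Return (frame count, byte count) the host must process."""
    passed = [f for f in frames if nic_accepts(f, own_mac, groups, promiscuous)]
    return len(passed), sum(len(f) for f in passed)

# Constructed sample traffic: locally administered addresses, 60-byte frames.
OWN = bytes.fromhex("02000000000a")
GROUPS = {bytes.fromhex("01005e000001")}
SRC = "02000000000b"
FRAMES = [
    make_frame("02000000000a", SRC),           # unicast to this host
    make_frame("ffffffffffff", SRC, 0x0806),   # broadcast (ARP EtherType)
    make_frame("01005e000001", SRC),           # multicast group the host joined
    make_frame("01005e0000fb", SRC),           # multicast group it did not join
    make_frame("02000000000c", SRC),           # unicast between other stations
    make_frame("02000000000d", SRC),
    make_frame("02000000000e", SRC),
]

if __name__ == "__main__":
    for mode in (False, True):
        count, size = host_load(FRAMES, OWN, GROUPS, mode)
        print(f"promiscuous={mode}: {count} frames, {size} bytes to host")
```
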