Observer does more than observe, it fixes

Version 10 of Network Instruments' Observer arrived at our offices when we were trying to solve a problem. We had recently deployed a mission-critical suite of applications, and serious intermittent delays were occurring. The application developers blamed the network, and the network administrators blamed the new applications. We turned to Observer, our new protocol analyzer, to stop the fight.

Our solution was simple: In an office of about 30 workers, we manually created a new icon on each user's desktop PC. We told them to click on the icon anytime they experienced a slowdown. The icon copied an identification message across the network. We then set up a filter in Observer to trigger an alarm each time one of the messages appeared on the network. The application paged an administrator and created a date/time record.

Within two days, we identified the application that was responsible for the slowdowns.

New features

At the top of the list of new features in Observer 10 is an interface for triggers and alarms, which made it easier for us to set up the troubleshooting process.

Observer 10's data-mining capabilities also save time. If you have ever had to slog through large or multiple data files for information, you will appreciate the fact that the analyzer allows you to apply filters to data files before loading a trace. Observer 10 also has an enhanced reporting engine with new templates that you can easily customize.

New wireless enhancements made it possible for us to run Observer on 802.11g equipment, which Network General's Sniffer cannot do. We were pleased that there is only one version of the analyzer for wireless and all other protocols. Some protocol analyzers use separate programs.

Observer is easy to use because many views can be applied to the same data. Version 10 has added new virtual local-area network detection capabilities and a statistical view that works as a general indicator of overall virtual LAN load and as another starting point for tracking and isolating problems. We liked the ability to filter by virtual LAN and found the detection feature useful when we mapped the networks at our main office.

Critics of Observer say the application has a cluttered interface. The arrays of technical data can seem intimidating. However, after getting comfortable with the product, we were glad to have all our troubleshooting tools and information at our fingertips. Perhaps the issue is merely a matter of taste.

Another significant improvement is Observer 10's support for remote monitoring (RMON). Although there are no standards for RMON information, it is now viewable through Observer 10. The integration of RMON information into the Observer interface eliminates the need for another management application.

Observer 10 also allows centralized management of remote wireless devices using its wireless probe. New security expert conditions can detect unknown devices after you discover devices through the site survey feature. We deliberately spoofed a wireless card's Media Access Control address to verify that Observer 10 would detect the event.

The wireless site survey can scan for all wireless LAN traffic in the immediate area of your antenna. Or you can request that it only report on the traffic you specify. Then, you can enforce Wired Equivalent Privacy or other security standards by setting thresholds that create a real-time security policy in which violations are logged and notifications are sent via e-mail or pager.

Still to come ...we hope

Although we greatly appreciate the new features that Network Instruments developers have added to Observer 10, we would like to see a few more.

In the decode view, for example, different protocols are often depicted using the same color. That approach makes it more difficult to understand what you are looking at. You can assign colors to protocols, but we would like Observer to have distinct default decode colors for each protocol.

Further, we could use an easier way to apply color schemes based on the type of troubleshooting we're doing.

One suggestion for Observer developers is an optional color scheme that emulates Sniffer's colors, thereby allowing analysts who are switching to Observer to have an instant comfort level when viewing the decodes.

We also would like to see some sort of automatic update feature, especially for filters, or at least an automated feature that works within Observer to inform administrators about updates or new security bulletins.

The bottom line

Observer's developers have fixed the minor bugs we reported a few months ago in a review of Version 9. Because of its attractive price, ease of use and extensive features, Observer 10 is now our recommended choice for a protocol analyzer.

In times of low budgets, managers may be tempted to use a free protocol analyzer, such as Ethereal ( Although Ethereal is a good product considering that it is free, Observer can detect more problems more quickly than Ethereal, making the low-cost Observer a better choice.

We recommend purchasing the Expert versions of Observer and the Expert probes. When things go wrong in a distributed network, they can do so quickly, and you may not have the time to bring in a human expert.

Greer is a network security consultant, and Brown is a network analyst at a large Texas state agency. They can be reached at

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group