Observer does more than observe, it fixes
- By Earl Greer, John Brown
- Nov 14, 2004
Version 10 of Network Instruments' Observer arrived at our offices when we were trying to solve a problem. We had recently deployed a mission-critical suite of applications, and serious intermittent delays were occurring. The application developers blamed the network, and the network administrators blamed the new applications. We turned to Observer, our new protocol analyzer, to stop the fight.
Our solution was simple: In an office of about 30 workers, we manually created a new icon on each user's desktop PC. We told them to click on the icon anytime they experienced a slowdown. The icon copied an identification message across the network. We then set up a filter in Observer to trigger an alarm each time one of the messages appeared on the network. The application paged an administrator and created a date/time record.
Within two days, we identified the application that was responsible for the slowdowns.
At the top of the list of new features in Observer 10 is an interface for triggers and alarms, which made it easier for us to set up the troubleshooting process.
Observer 10's data-mining capabilities also save time. If you have ever had to slog through large or multiple data files for information, you will appreciate the fact that the analyzer allows you to apply filters to data files before loading a trace. Observer 10 also has an enhanced reporting engine with new templates that you can easily customize.
New wireless enhancements made it possible for us to run Observer on 802.11g equipment, which Network General's Sniffer cannot do. We were pleased that there is only one version of the analyzer for wireless and all other protocols. Some protocol analyzers use separate programs.
Observer is easy to use because many views can be applied to the same data. Version 10 has added new virtual local-area network detection capabilities and a statistical view that works as a general indicator of overall virtual LAN load and as another starting point for tracking and isolating problems. We liked the ability to filter by virtual LAN and found the detection feature useful when we mapped the networks at our main office.
Critics of Observer say the application has a cluttered interface. The arrays of technical data can seem intimidating. However, after getting comfortable with the product, we were glad to have all our troubleshooting tools and information at our fingertips. Perhaps the issue is merely a matter of taste.
Another significant improvement is Observer 10's support for remote monitoring (RMON). Although there are no standards for RMON information, it is now viewable through Observer 10. The integration of RMON information into the Observer interface eliminates the need for another management application.
Observer 10 also allows centralized management of remote wireless devices using its wireless probe. New security expert conditions can detect unknown devices after you discover devices through the site survey feature. We deliberately spoofed a wireless card's Media Access Control address to verify that Observer 10 would detect the event.
The wireless site survey can scan for all wireless LAN traffic in the immediate area of your antenna. Or you can request that it only report on the traffic you specify. Then, you can enforce Wired Equivalent Privacy or other security standards by setting thresholds that create a real-time security policy in which violations are logged and notifications are sent via e-mail or pager.
Still to come ...we hope
Although we greatly appreciate the new features that Network Instruments developers have added to Observer 10, we would like to see a few more.
In the decode view, for example, different protocols are often depicted using the same color. That approach makes it more difficult to understand what you are looking at. You can assign colors to protocols, but we would like Observer to have distinct default decode colors for each protocol.
Further, we could use an easier way to apply color schemes based on the type of troubleshooting we're doing.
One suggestion for Observer developers is an optional color scheme that emulates Sniffer's colors, thereby allowing analysts who are switching to Observer to have an instant comfort level when viewing the decodes.
We also would like to see some sort of automatic update feature, especially for filters, or at least an automated feature that works within Observer to inform administrators about updates or new security bulletins.
The bottom line
Observer's developers have fixed the minor bugs we reported a few months ago in a review of Version 9. Because of its attractive price, ease of use and extensive features, Observer 10 is now our recommended choice for a protocol analyzer.
In times of low budgets, managers may be tempted to use a free protocol analyzer, such as Ethereal (www.ethereal.com). Although Ethereal is a good product considering that it is free, Observer can detect more problems more quickly than Ethereal, making the low-cost Observer a better choice.
We recommend purchasing the Expert versions of Observer and the Expert probes. When things go wrong in a distributed network, they can do so quickly, and you may not have the time to bring in a human expert.
Greer is a network security consultant, and Brown is a network analyst at a large Texas state agency. They can be reached at email@example.com.