Sniffer Pro hunts down network traffic problems

Even the Ghostbusters would have a hard time tracking down all the spooky problems that can plague a complex computer network. When the connection to your World Wide Web site smells like it has been slimed, it's time to call Network Associates Inc.'s Sniffer Pro.

Protocol analyzers such as Sniffer enable network managers to watch all levels of traffic on their networks, ferreting out the problems and showing where performance can be fine-tuned.

Sniffer has long been a market leader among network protocol analyzers, and this new version's ease of use and broader support for networks and network adapters should keep it close to the front of the pack. In this rapidly changing arena, competitors are never far behind.

It took less than five minutes to install Sniffer. We installed it on a 450 MHz Dell Computer Corp. OptiPlex GX1 with 128M of memory and running Microsoft Corp. Windows NT 4.0. Does Sniffer really need that much horsepower? Going by the book, Sniffer needs 64M of RAM routinely and 128M for Asynchronous Transfer Mode networks, and experience shows that better hardware means fewer network packets will be dropped.

We were turned off by the unusual two-year license agreement. After that time, Network Associates expects you to destroy the product and all documentation.

Normally, trouble-shooters place Sniffer on a notebook computer so they can take it wherever trouble lurks. But in the test, it made sense to place it on a desktop PC because we have connections to four different network segments conveniently located in my office.

With two PCI network adapters - an Olicom OC-3137 for Token Ring and an Adaptec ANA-1611 for Ethernet - we were able to launch Sniffer twice and monitor two subnets at the same time. That new feature is more than a convenience, as it enables you to test a router by monitoring each side at the same time.

When Sniffer left its DOS roots and became a 32-bit Windows application last year, it left behind the ability to control the PC completely and ensure the capture of all the network packets.

Although Sniffer lost the certainty of capturing all packets - because some packets may be lost with Windows mediating between Sniffer and the network interface card - it gained the flexibility of supporting a large number of network adapters.

No longer are you tied to a special network card whose real purpose was copy protection.

You now can use any Ethernet or token-ring network adapter with a Network Device Interface Specification driver with Sniffer. But we recommend selecting a card from a list of just nine for which Network Associates provides enhanced driver support.

Those cards will capture more traffic on busy networks, and the manual says they will give you additional network error statistics. The Ethernet card on the test machine was on the list, so we were able to install an enhanced driver to support it.

But comparative tests using old DOS-based Sniffers convinced us we were not losing any packets with either of my two cards, despite my using both at the same time.

Despite the arcane nature of what Sniffer does, even novices will quickly learn to use the intuitive interface. One of the first things I noticed was the Traffic Map, a graphic representation of real-time traffic flows. My screen quickly overflowed with data from my large network segments, but I was able to zoom in on parts of the graphic.

You can select to monitor only those nodes you are interested in. The manual does not mention it, but you can click the lightning bolts between nodes for additional information on specific traffic movements.

Good Maintenance Tools

Sniffer has strong tools that support maintenance of the Address Book, which lists all nodes, and the Host Table, which shows only active nodes.

In the Host Table, we tried to right-click the hardware addresses to get a box showing the Internet Protocol address and other information as in the Address Book. Here, we suffered our only disappointment using Sniffer Pro.

Surprisingly, Sniffer doesn't offer this capability in the Host Table. On the other hand, you can highlight a hardware address in the Host Table and then use Sniffer to execute a DNS lookup to find the IP address for that PC. We also were glad to see that our edits on hardware addresses in the Address Book carried over into the Host Table.

Because the heart and soul of protocol analysis is the decoding of the protocols, we quickly performed packet captures and examined individual packets with Sniffer interpreting the meaning of each code transmitted. Sniffer decodes more than 400 protocols, so it is unlikely you will run into one it does not understand. The decodes we examined were clear and easily understood.

The expert feature of Sniffer gives complete information on problems in the network, broken down by symptoms and diagnoses. Some of the diagnoses are clear even to the novice, as when the expert correctly informed me that my Windows Internet Name Service server was down.

One protocol analyzer can watch only one network segment at a time. Currently, protocol analyzers are evolving into tools that are integrated parts of enterprisewide monitoring and self-healing systems.

Network Associates currently sells a line of network probes, switch monitors and protocol monitors distributed throughout the network. Smaller offices are not forgotten, and Network Associates offers Sniffer Basic as a cost-effective version with most of the analytic tools of Sniffer Pro but with support only for the protocols likely to be found in simpler networks.

Sniffer has advanced features for crafting test packets and sending them over the network. However, because of the potential for use of this feature to crash the networks, and because protocol analyzers inherently are an open window onto all network traffic, we recommend these products be entrusted only to select employees.

With proper security precautions, Sniffer can be left on to constantly monitor network segments, sending alarms to troubleshooters at the first glimmer of something strange in the network neighborhood.

Sniffer has dials and gadgets galore and there are far too many features in the product to cover thoroughly here. The bottom line: Sniffer does just about everything you'd want a protocol analyzer to do, and it's easy to use.

Greer is a senior network analyst at a large Texas state agency.

************************

Sniffer Pro

Network Associates Inc.
(408) 988-3832
www.nai.com

Price and Availability: Available on the open market for $11,995. For more information, call (877) 947-5529, Ext. 7154.

Remarks: Sniffer Pro bundles into one package nearly everything a network manager would want in a protocol analyzer. It gives excellent performance on all major topologies, and decodes more than 400 protocols. Although it's expensive, Sniffer Pro is an excellent choice for a protocol analyzer.