[comp.dcom.lans] ethernet analyzer

davidson@intvax.UUCP (08/14/87)

I am looking for a good general purpose ethernet analyzer.  I know of
the HP4972A and Excelan's model.  Does anyone have any opinions about these
or does anyone have another brand that they can recommend?

I am asking for a general purpose model because I don't know what kind of
procedures you would want to do with analyzers.  I really need it to isolate
a problem we are currently having on our lan but it would be nice to be able to
do other things later on.  I just don't know what they would be.  If anyone
wants to elaborate on what kind of operations are commonly done with ethernet
analyzers, I will be glad to read it.
-- 
William [i aM not a dweeb] Davidson 
Sandia National Laboratories
...ucbvax!unmvax!sandia!intvax!davidson
(505) 846-1868

hedrick@topaz.rutgers.edu.UUCP (08/14/87)

We use the HP Lanalyser.  With the newest software, it will do a good
job of summarizing what is going on at level 2 of your Ethernet.  I.e.
traffic patterns, bad packets, and even a 2-d matrix of who sends to
whom.  However it doesn't know about anything above level 2.  In most
cases where we have network problems they involve misbehaving TCP/IP
implementations, not hardware problems.  It turns out that a Sun
running etherfind or tcpdump is the most useful diagnostic tool that
we have.  An IBM PC with MIT's netwatch isn't bad, but the Sun
software gives you a lot more control over what you want to look at,
and doesn't drop packets as often under heavy load.  (However the Sun
still can't keep up with an Ethernet that is fully used.  In a
broadcast storm, you'll generally see enough packets to be able to
figure out what is going on, but if 100 hosts send broadcasts at the
same instant, you won't see them all.)  I have heard rumors of some
competitor to the HP that has similar capabilities.  The other
advantage of the Sun is that you can direct output to a file and then
analyse it easily.  HP lets you upload statistics, but their serial
port runs DDCMP, and they don't supply any software for the host.  So
we haven't found any way to actually use the upload capability.
However the HP is a really solid piece of work, and anyone who is
doing serious work with Ethernet will probably want it or something
equivalent.

jin@hplabsz.HPL.HP.COM (Tai Jin) (08/16/87)

In article <13975@topaz.rutgers.edu> hedrick@topaz.rutgers.edu (Charles Hedrick) writes:
>analyse it easily.  HP lets you upload statistics, but their serial
>port runs DDCMP, and they don't supply any software for the host.  So
>we haven't found any way to actually use the upload capability.
>However the HP is a really solid piece of work, and anyone who is
>doing serious work with Ethernet will probably want it or something
>equivalent.

I have a utility (netfilter) that formats/filters packet traces generated
by an HP 300 or 800 system.  Another utility is used to read the Lanalyzer
packet trace and convert it to the format that netfilter understands.

davew@gvgpsa.UUCP (David White) (08/16/87)

In article <13975@topaz.rutgers.edu> hedrick@topaz.rutgers.edu (Charles Hedrick) writes:
>....  An IBM PC with MIT's netwatch isn't bad, but the Sun

I would be interested in getting a copy of the MIT NETWATCH program.  Could
anybody tell me how to get a copy of it?

-- 
===================================================================
Dave White		Grass Valley Group, Inc.
P.O. Box 1114   	Grass Valley, CA  95945
UUCP:	...!tektronix!gvgpsa!davew	PHONE:	+1 916 478 3052

dml@rabbit1.UUCP (David Langdon) (08/16/87)

in article <310@intvax.UUCP>, davidson@intvax.UUCP (William M. Davidson) says:
> 
> I am looking for a good general purpose ethernet analyzer.  I know of
> the HP4972A and Excelan's model.  Does anyone have any opinions about these
> or does anyone have another brand that they can recommend?
> 

We are trying to collect information on LANalyzers as well. If possible,
could you pass any information you collect along to me?? Thanx in advance.

-- 
David Langdon    Rabbit Software Corp.
(215) 647-0440   7 Great Valley Parkway East  Malvern PA 19355

...!ihnp4!{cbmvax,cuuxb}!hutch!dml        ...!psuvax1!burdvax!hutch!dml

erikjan@dutesta.UUCP (Erik J. Bos) (08/18/87)

In article <362@rabbit1.UUCP> dml@rabbit1.UUCP (David Langdon) writes:
>in article <310@intvax.UUCP>, davidson@intvax.UUCP (William M. Davidson) says:

>> I am looking for a good general purpose ethernet analyzer.  I know of
>> the HP4972A and Excelan's model.  Does anyone have any opinions about these
>> or does anyone have another brand that they can recommend?


>We are trying to collect information on LANalyzers as well. If possible,
>could you pass any information you collect along to me?? Thanx in advance.

I am trying to collect some information as well. Maybe it is a
suggestion to put your collected information as a kind of summary on
the net, so everyone can benefit from it. If you do, it would be
highly appreciated, at least by me!  

Thanks in advance,

-- 
Erik J. Bos                            BITNET : ETSTBOS at HDETUD1
Delft University of Technology         USENET : erikjan@dutesta
Faculty of Electrical Engineering      UUCP   : ..!mcvax!dutrun!dutesta!erikjan
Mekelweg 4                             SURFnet: TUDEDV::ERIKJAN
2628 CD  DELFT, The Netherlands        VOICE  : +31 15 783502

dml@rabbit1.UUCP (David Langdon) (08/18/87)

in article <520@gvgpsa.UUCP>, davew@gvgpsa.UUCP (David White) says:
> 
> In article <13975@topaz.rutgers.edu> hedrick@topaz.rutgers.edu (Charles Hedrick) writes:
>>....  An IBM PC with MIT's netwatch isn't bad, but the Sun
> 
> I would be interested in getting a copy of the MIT NETWATCH program.  Could
> anybody tell me how to get a copy of it?
> 

So would I!!! Information on how to get it would be appreciated. Thanx in
advance.
-- 
David Langdon    Rabbit Software Corp.
(215) 647-0440   7 Great Valley Parkway East  Malvern PA 19355

...!ihnp4!{cbmvax,cuuxb}!hutch!dml        ...!psuvax1!burdvax!hutch!dml

jwhitnel@csib.UUCP (Jerry Whitnell) (08/18/87)

In article <310@intvax.UUCP> davidson@intvax.UUCP (William M. Davidson) writes:
>I am looking for a good general purpose ethernet analyzer.  I know of
>the HP4972A and Excelan's model.  Does anyone have any opinions about these
>or does anyone have another brand that they can recommend?

Also take a look at Network General's Sniffer.  Like the Excelan model, it's
based on a PC compatible.  It includes disassemblers for almost all the
major protocols at all the different levels, the ability to save and restore
data from the buffer and the ability to write your own disassemblers if
they don't have it (which is very unlikely).  They have an Ethernet version,
and a Token Ring version.  It also has the ability to filter packets based
on station and contents.  You can call them at (408) 734-0464.

>William [i aM not a dweeb] Davidson 
>Sandia National Laboratories
>...ucbvax!unmvax!sandia!intvax!davidson
>(505) 846-1868

Jerry Whitnell                           It's a damn poor mind that can only
Communication Solutions, Inc.            think of one way to spell a word.
						-- Andrew Jackson

keeshu@nikhefk.UUCP (Kees Huyser) (08/19/87)

Since the questions about Ethernet analyzers pop up every few months or so
here's the list of answers I got on a similar question I posted a few months
ago. I hope it is of some help.

-- Kees
-----------------------<cut here>----------------------------------------
From: foster@seismo.uucp (Glen Foster)
Organization: Computing Analysis Corp., Arlington, VA

3Com has a program called "EtherSpy" that may do some of what you
want, it is similar to the MIT netwatch program that allows you to look
at individual packets on the cable.  It has a few more bells and
whistles than the MIT program, like assignment of logical names to
particular addresses, some protocol dependent decoding capabilities
(3Com's protocols, of course), etc.  Run it on an AT, it drops too
many packets on a PC.

The program is ``unsupported'' by 3Com but your local 3Com support
office can probably get you a copy (especially if they sense a
potential sale).  I was not charged for mine, I'll have to check for
distribution rights, if it's ok and you can't get it from 3Com, I'll
send you a copy.

The MIT PCIP netwatch program provides somewhat more limited
functionality but is completely free of charge and works adequately.

Neither of these could be described as "protocol analyzers" but could
be useful, especially in a development environment.

I will be interested in what you learn.

Glen Foster
---------------------------------------------------------------------
From: ncrwic!jmatrow@ncr-sd.uucp
Organization: NCR Corporation, Wichita, Kansas


The LANalyzer from Excelan would be worth investigating.

-----
John Matrow   Automation Engineering, NCR E&M Wichita
              <john.matrow@Wichita.NCR.COM>
              {sdcvax,cbatt,dcdwest,nosc.ARPA,ihnp4}!ncr-sd!ncrwic!john.matrow
----------------------------------------------------------------------
From: rmarks@bbking.PRC.Unisys.COM
Organization: Unisys/Knowledge Systems Organization, Bluebell, PA

Excelan has a good board and software.  It has an onboard processor
with 1 meg memory.  The display software is a little weak but I am told 
it has been improved since I used it six months ago.  
Cost is $10,000 with quantity discounts available. 

Richard Marks
215-542-2139
----------------------------------------------------------------------
From: normt@ihlpa.uucp

Although this is not quite the arrangement you want, Excelan Inc. has a
"LANalyzer EX 5000E" which does this real well. It is a PC board  with
an Ethernet controller, 80186 co-processor, and 2Meg of memory. The
software is a real nice menu driven package, which allows you to set up
various virtual receive channels and monitor (i.e. time averages, totals of
everything, statistical figures) for any or all of these channels, plus
you can optionally store and buffer to memory or disk any or all of the
received packets. There is also limited capability for transmitting
packets. 5 different packets can be stored and then transmitted on a time
or at some time interval or to produce a certain load characteristic. (i.e.
10, 20, 50% ... load on network). We have been using it for about a year
now to analyze our network of 10-12 microprocessors, and have found NO
bugs or problems.

This isn't quite what you want, since you are looking for a software 
package to sit on an already existing interface, but it really does the
trick. I don't believe there is any way to use this without the hardware
supplied, it is just too dependent on the arrangement.

If you want more information or the address of Excelan (in the US) send
me mail and I'll get the info to you.

		Norm Tiedemann	(312) 979-3535
		AT&T Bell Labs
		Naperville, IL
			 60566

	mcvax!seismo!ihnp4!ihlpa!normt
----------------------------------------------------------------------
From: csib!jwhitnel@csi.uucp (Jerry Whitnell)
Organization: Communications Solutions Inc., San Jose, Ca

Network General makes a product called the Sniffer that can be used to
monitor traffic on Ethernet.  The Sniffer monitors and stores data packets
which can be displayed for further investigation.  There are some statistics
in the product but it is primarily for debugging network applications.  You
can reach them at:

    Network General Corp
    1296B Lawrence Station Road
    Sunnyvale, CA USA 94089
    (408) 734-0464

I've used the Token Ring version of the Sniffer (there is also a combined
Ethernet/Token Ring) and consider it very well done.  I also know both the
founders, but have no other connection (financial or otherwise) with them.

BTW, they also have a demo of the Token Ring product, so they should have
one for the Ethernet.  Be sure to ask about it.

Jerry Whitnell
Communications Solutions, Inc.
----------------------------------------------------------------------
From: dave@rosevax.rosemount.com (Dave Marquardt)
Organization: Rosemount Inc., Eden Prairie, MN

Well, with either the MIT or CMU PC/IP packages, you get a program called
"netwatch".  This program watches every packet going by, and displays them
by type, source address, destination address, etc.  It also keeps statistics
on how many of which type of packets are going by.  I don't think it's quite
what you'd want, but it might be useful.

	Dave
-- 
Dave Marquardt	
dave@rosevax.Rosemount.COM	
{cbosgd,ihnp4,uiucdcs}!rosevax!dave
----------------------------------------------------------------------
From: Andy Linton <andy@cheviot.ncl.ac.uk>
Organization: Computing Laboratory, U of Newcastle upon Tyne, UK NE17RU

If you use the 3Com board and MIT's PC/IP software there is an Ether
monitor program bundled in with that software. It may work with the Micom
board - I don't know. Other PC/IP type implementations may have similar 
programs.

-- 
SENDER 	: Andy Linton 			PHONE	: +44 91 232 9233
ARPA	: andy%cheviot.newcastle.ac.uk@cs.ucl.ac.uk
JANET	: andy@uk.ac.newcastle.cheviot
UUCP	: andy@cheviot.UUCP
----------------------------------------------------------------------
From: robert@acad.uucp (Robert Wenig ext 609)
Organization: Autodesk, Sausalito, CA


3COM has a product called ETHER-PROBE which can monitor all types of
ethernet activity including XNS, TCP-IP, etc.
----------------------------------------------------------------------
From: fair@ucbarpa.Berkeley.EDU (Erik E. Fair)
Organization: USENET Protocol Police, Western Gateway Division
     
Give FTP Software in Cambridge, MA, USA a yell (they can be reached
through romkey@xx.lcs.mit.edu on the ARPANET); they have an ethernet
monitoring program that runs under MS/DOS with a wide variety of
PC ethernet interfaces.
     
        Erik E. Fair    ucbvax!fair     fair@ucbarpa.berkeley.edu
----------------------------------------------------------------------
From: Susan Pollack <susan@nrcvax.uucp>

We saw your request on the net.

Network Research Corp. has developed a networking product
which runs on various computers from PCs (MS-DOS and Xenix)
to large DEC hosts (VMS).  We have both XNS and TCP implementations.
Our PC products run on the 3Com 3C501, 3C505 and Micom 5010 boards.


Our basic package includes telnet and ftp functions.  In addition,
we offer a substantial library package and a network monitoring
package.  I believe this package, running on top of our standard
FUSION Network Software standard package will provide you with
the features you were asking for.  We offer network statistics,
network test and packet monitoring capabilities.

Please let me know where we can send additional information about
our product.

------

Susan R. Pollack
USENET-	    ...ihnp4!nrcvax!susan
	    ...{sdcsvax|hplabs}!sdcrdcf!psivax!nrcvax!susan
ARPA	    ihnp4!nrcvax!susan@BERKELEY.EDU.ARPA
U.S. Mail   Network Research Corporation 
   	    2380 N. Rose Ave., Oxnard, CA 93030
Telephone   805-485-2700  (outside CA  800-541-9508)
----------------------------------------------------------------------
--------------------------<and cut again>-----------------------------

hilmes@utx1.UUCP (Douglas Hilmes) (08/19/87)

Yet another ethernet analyzer:  The Sniffer from Network General.
I had it on loan for about two days.  It does stats, filters packets and
gives the following kind of display for various protocols:




- - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - -


DLC:  ---- DLC Header ----
DLC:  
DLC:  Frame 1 arrived at 10:25:26.611; frame size is 558 (022E hex) bytes.
DLC:  Destination: Station 08002B0489EA, hostA
DLC:  Source     : Station 0000C8000064, hostP
DLC:  Ethertype = 0800
DLC:
IP:   ---- IP Header ----
IP:   
IP:   Version = 4, header length = 20 bytes
IP:   Type of service = 00
IP:         000. .... = routine
IP:         ...0 .... = normal delay 
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability 
IP:   Total length = 544 bytes
IP:   Identification = 18218
IP:   Flags = 0X  
IP:   .0.. .... = may fragment
IP:   ..0. .... = last fragment 
IP:   Fragment offset = 0
IP:   Time to live = 15
IP:   Protocol = 6 (TCP)
IP:   Header checksum = D21F (correct)
IP:   Source address = [200.0.0.100]
IP:   Destination address = [200.0.0.42]
IP:   No options
IP:  
TCP:  ---- TCP header ---- 
TCP:   
TCP:  Source port = 1019 
TCP:  Destination port = 514 
TCP:  Sequence number = 55601483 
TCP:  Acknowledgment number = 591953873 
TCP:  Data offset = 20 
TCP:  Flags = 10 
TCP:  ..0. .... = (No urgent pointer) 
TCP:  ...1 .... = Acknowledgment 
TCP:  .... 0... = (No push) 
TCP:  .... .0.. = (No reset) 
TCP:  .... ..0. = (No SYN) 
TCP:  .... ...0 = (No FIN) 
TCP:  Window = 4096 
TCP:  Checksum = CC0B (correct) 
TCP:  No TCP options 
TCP:  [504 byte(s) of data] 
TCP:   
-- 
{allegra|codas}!novavax!utx1!hilmes
                     
Douglas Hilmes @ Racal-Milgo,  Fort Lauderdale, Florida (305) 476 6738

phil@amdcad.AMD.COM (Phil Ngai) (08/20/87)

<From: Susan Pollack <susan@nrcvax.uucp<
<
<We saw you request on the net.
<
<Network Research Corp. has developed a networking product
<which runs on various computers from PCs (MS-DOS and Xenix)
<to large DEC hosts (VMS).  We have both XNS and TCP implementations.
<Our PC products run on the 3Com 3C501, 3C505 and Micom 5010 boards.

How big a network have you tested your Fusion product on? How many
gateways (routers), how many nodes? Do you do dynamic routing
(ala Berkeley routed, at least) or nameserver lookups?

-- 
I speak for myself, not the company.

Phil Ngai, {ucbvax,decwrl,allegra}!amdcad!phil or amdcad!phil@de222

foster@seismo.CSS.GOV (Glen Foster) (08/20/87)

I have been informed that I cannot distribute EtherSpy so please don't
ask.  This program is now called "EtherProbe" and retails for about
$1000 (but it is supported :-).

Sorry,
Glen

cyrus@hi.UUCP (Tait Cyrus) (08/21/87)

   This subject has come up again and I will say what I did the
last time, for the benefit of those who did not see it then.

   Here at the University of New Mexico a research project requires
some hardware that has ethernet abilities.  We needed to be able
to talk tcp/ip.  Instead of starting from scratch, we took the
PD tiny tcp/ip source and started to port it to our board.  The first
problem was that the tiny tcp/ip was written for a 680XX and our
hardware uses the NS320XX.  Needless to say, we had byte ordering
problems.  At that time we were not versed in tcp/ip and did not
know where our problem(s) were.  We needed some way to statically
look at the packets our board was sending to see where we were
screwing things up.
   We did this by building, on top of SUN's NIT protocol, a program
that dumped all packets from our board into files.  As a result
of this, we were able to fully debug our software on our board.
Currently, this SUN program is very specific to what we wanted, but
we realize that other people, including ourselves, could benefit
from such an ethernet program.
   Several people have been using the 'tcpdump' program which is
available via anonymous ftp from some machine I remember the name
of.  This program is very nice and I too have used it.  The problem
with it is that it is SUN source derived which means that its source
can not be posted.  Our program, on the other hand, is not SUN source
derived.
   The last time I posted to the net about our program, several people
expressed an interest in it.  We are currently enhancing this package
to be more versatile and will allow the user to specify a trigger condition
as well as a packet acceptance condition.  In other words, once the 
trigger condition has been seen, all packets matching the acceptance
condition are either displayed on the screen, saved into a file, or both.
   Because this endeavor is not one of our regular projects and has
low priority, we will not be posting anything for about a month.
Since there is no way to make something that will satisfy everyone's
needs, we are hoping to have something that will make it easy for
additions/changes to be made.  Even though this package only runs on
SUN's, we are trying to make this package generic enough that it
will be able to run under ANY hardware and ANY C compiler.  The reason
I mention C compiler is because the compiler we have for the NS320XX,
quad aligns structures for efficiency which means that network 
structures don't work.

   I would appreciate any suggestions/thoughts that you might have
on such a program.

-- 
    @__________@    W. Tait Cyrus   (505) 277-0806
   /|         /|    University of New Mexico
  / |        / |    Dept of EECE - Hypercube Project
 @__|_______@  |    Albuquerque, New Mexico 87131
 |  |       |  |
 |  |  hc   |  |    e-mail:
 |  @.......|..@       cyrus@hc.dspo.gov or
 | /        | /        seismo!unmvax!hi!cyrus
 @/_________@/
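
Added example (not part of any post in this thread, and not code from any product or project named here): a C decoder for the Ethernet, IP and TCP headers shown in the Sniffer display earlier in the thread, reading every field byte by byte in network order so that neither host byte order nor compiler struct padding (the two problems described in the post above) can affect the result. The sample frame is constructed from the field values in that display; `decode_frame`, `struct decoded` and `sample` are names made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read network-order (big-endian) fields one byte at a time, so the result
   does not depend on host byte order or on compiler struct padding. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

struct decoded {
    uint16_t ethertype, ip_total_len, ip_id, sport, dport, window;
    uint8_t  ttl, proto, tcp_flags;
    uint32_t src, dst, seq, ack;
    int      cksum_ok;   /* 1 if the IP header checksum verifies */
};

/* One's-complement sum over the IP header, checksum field included;
   an undamaged header folds to 0xFFFF. */
static int ip_header_sum_ok(const uint8_t *ip, size_t ihl) {
    uint32_t sum = 0;
    for (size_t i = 0; i < ihl; i += 2) sum += rd16(ip + i);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return sum == 0xFFFF;
}

/* Decode Ethernet II + IPv4 + TCP headers from a captured frame.
   Returns 0 on success, -1 if the capture is too short or not IPv4/TCP. */
int decode_frame(const uint8_t *f, size_t len, struct decoded *d) {
    if (len < 14 + 20) return -1;                 /* Ethernet + minimal IP */
    d->ethertype = rd16(f + 12);
    if (d->ethertype != 0x0800) return -1;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;      /* header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 20) return -1;
    d->ip_total_len = rd16(ip + 2);
    d->ip_id = rd16(ip + 4);
    d->ttl = ip[8];
    d->proto = ip[9];
    d->src = rd32(ip + 12);
    d->dst = rd32(ip + 16);
    d->cksum_ok = ip_header_sum_ok(ip, ihl);
    if (d->proto != 6) return -1;                 /* TCP only */
    const uint8_t *tcp = ip + ihl;
    d->sport = rd16(tcp);      d->dport = rd16(tcp + 2);
    d->seq = rd32(tcp + 4);    d->ack = rd32(tcp + 8);
    d->tcp_flags = tcp[13];
    d->window = rd16(tcp + 14);
    return 0;
}

/* Constructed sample: the 54 header bytes rebuilt from the field values in
   the Sniffer display; the 504 data bytes are not on the page and are omitted. */
static const uint8_t sample[54] = {
    0x08,0x00,0x2B,0x04,0x89,0xEA, 0x00,0x00,0xC8,0x00,0x00,0x64, 0x08,0x00,
    0x45,0x00,0x02,0x20, 0x47,0x2A,0x00,0x00, 0x0F,0x06,0xD2,0x1F,
    0xC8,0x00,0x00,0x64, 0xC8,0x00,0x00,0x2A,
    0x03,0xFB,0x02,0x02, 0x03,0x50,0x69,0x4B, 0x23,0x48,0x7F,0xD1,
    0x50,0x10,0x10,0x00, 0xCC,0x0B,0x00,0x00
};

int main(void) {
    struct decoded d;
    if (decode_frame(sample, sizeof sample, &d) != 0) return 1;
    printf("ip id=%u ttl=%u cksum=%s tcp %u->%u seq=%lu flags=%02X win=%u\n",
           (unsigned)d.ip_id, (unsigned)d.ttl, d.cksum_ok ? "ok" : "BAD",
           (unsigned)d.sport, (unsigned)d.dport, (unsigned long)d.seq,
           (unsigned)d.tcp_flags, (unsigned)d.window);
    return 0;
}
```

The TCP checksum is not verified here because it covers the data bytes, which the display does not show.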

johnk@hcx1.SSD.HARRIS.COM (08/21/87)

> I am looking for a good general purpose ethernet analyzer.  I know of
> the HP4972A and Excelan's model.  Does anyone have any opinions about these
> or does anyone have another brand that they can recommend?

There seems to be sufficient interest in ethernet analyzers and
MIT's netwatch (including mine) for someone to post their findings
to the net.  Could someone please do so?

Thanks!

John J. Krawczyk                 UUCP: johnk@hcx1.HARRIS.COM
Harris Computer Systems
2101 W. Cypress Creek Road
Ft. Lauderdale, FL  33309

steve@gec-mi-at.co.uk (Steve Lademann) (09/08/87)

Spider Systems of Edinburgh, Scotland manufacture an Ethernet Analyser which
they call a SpiderMonitor. We have used this product here for a year or so
and find it invaluable for our in-house protocol developments. I *believe*
they are on the net, or contact me if you need more information.


|Steve Lademann		|Phone: 44 727 59292 x326		|
|Marconi Instruments Ltd|UUCP : ...mcvax!ukc!hrc63!miduet!steve	|
|St. Albans    AL4 0JN	|NRS  : steve@uk.co.gec-mi-at		|
|Herts.   UK		|	"disclaimers.all"

romkey@kaos.UUCP (John Romkey) (09/12/87)

FTP Software has just announced a network analyzer called "LANWatch", which
is an enhancement of the Netwatch program that I wrote as part of PC/IP at MIT.
The normal mode of use simply displays a single line of information about
packets that go by on the net, unparsing the packet header and telling you
the source and destination addresses of the packet and the protocol types,
up through all the protocol layers. Enhancements to the MIT code include
handling more and larger packets, full screen packet display showing data
and all protocol fields, support for more protocols, more flexible filtering,
better statistics gathering, dumping packets to disk and reading packet
dumps from disk, and support for more network interfaces. The package
as distributed includes enough source and object code to allow users to
add their own protocols and filters (using Microsoft C 4.0). LANWatch runs
on IBM PC's, AT's and compatibles. It currently supports a variety of
ethernet interfaces (changing daily...) and Proteon ProNET-10 Token Ring.

You can contact FTP Software at:
	FTP Software, Inc.
	PO Box 150
	Kendall Square Branch
	Boston, MA  02142
	(617) 868-4878

I'm tooting my own horn here, because I work for FTP nowadays, but nobody
else has mentioned LANWatch yet and I wanted to provide the information...
If you call up FTP about LANWatch, please don't ask for me - I try to
spend most of my time writing software instead of selling it (except
when I post news :-)).
-- 
			- john romkey
		...mit-eddie!blblbl!kaos!romkey
		    romkey@xx.lcs.mit.edu