chris@yarra.oz.au (Chris Jankowski) (08/30/90)
Original question:

>I need a TCP/IP/Ethernet protocol analyzer for general troubleshooting
>work in multivendor environment. It must be portable as I often work at
>customer sites. It must also be good at decoding protocols. I don't
>want to spend months ploughing through reams of hex dumps.

I should have probably stressed that I am not particularly interested in network management, monitoring and collecting statistics.

I received about 15 responses - many thanks. It seems that nearly every available solution is a class of its own, which is an obvious sign that the market is not mature yet.

1. Sniffer from Network General
===============================

Shines where ease of use and high quality decodes are at a premium. Also very good intuitive user interface and very good presentation of decoded packets. Expensive. No traffic generation.

(This is my choice - I need to work fast and deliver results quickly. Decodes and presentation are crucial. I do not need to generate packets nor am I concerned with performance tests.)

dhs@hpctdlb.hp.com - Don Schoenecker writes:

Best feature - Ease of use. "windows" interface.
Limited functionality for testing, but very good decodes.
Decodes available for most protocols.
New Ethernet stats package.
Ethernet, Token Ring, Arcnet, Starlan interfaces

ccc121e@monu6.cc.monash.edu.au - Dave Schwarz writes:

The other thing to check is how you buy it, we just bought the card and software and put it in a t3200 we had, which saved us about $7000 for a start.

lars@spectrum.cmc.com - Lars Poulsen writes:

If you have used a Sniffer, you'll never be happy with a low-end monitor. If you can't afford the Sniffer, you'll learn to live with what you can afford.

2. HP LANalyzer - model HP4972A
===============================

A class of its own. Highest speed, great packet generator (programmable). Expensive.
dhs@hpctdlb.hp.com - Don Schoenecker writes:

Best feature - Performance is designed to be able to handle the worst case situations and still offer full functionality. Stats are the best there is. Ethernet performance analysis is complete and has many graphical displays. TCP/IP and DECnet performance analysis allow measurements of throughput, response times, lost packets, and other items for the network and transport protocols. (The only analyzer with the capability :-)

Traffic generation - 16 messages completely definable, for easy stimulus response testing with programs. There is a "syntax directed" programming language. It uses softkeys and is very straightforward. Useful for active testing like sending ping messages and counting or timing events.

Good decodes - XNS, Novell, TCP/IP, NFS, DECnet, OSI
Ethernet and Starlan interfaces

tmallory@bbn.com - Tracy Mallory writes:

The HP is the ONLY analyzer that can keep up, 100%, with anything being transmitted up to the maximum capacity of the wire, in real-time. It can tell you that the average traffic is 10,373 pps: most others top out around 3000 pps.

The HP's buffer for storing packets is average: like all (most?) of them, it will store back-to-back packets until the buffer is filled.

The HP's transmitter and receiver are essentially independent.

The HP has support for 16 full-size, fully specified packets for transmission. Most other analyzers only allow 1 packet for transmission, and many do not allow you to specify the full contents of the packet (I think one allows more packets, but not fully specified=zero padded). The maximum packet transmission rate is about 10k packets per second, which is slightly lower than the Excelan product, but respectable. It will tell you exactly what the traffic rate is while transmitting at this rate. The Excelan product was very difficult to use (and I think could only send a single, not fully specified, packet at high speed).

You can write simple programs with loops, received packet matching, counters, timers, and sending of the predefined test packets.

The packet decoding on the HP is an extra package. You should look at a current version to see if it suits your needs. The packet filtering is pretty good, though not quite as general as some of the others (though I think it can look at ANY byte in the packet).

If your operation gets large enough, a Sniffer and an HP make a good combination.

3. LANWatch from FTP Software.
==============================

Software package to be used with a standard card in a standard PC. Very good value for money if you can live with it or you cannot afford the two above. The software costs some 6% of the price of a full Sniffer set. Maybe a good choice if you do not do anything fancy and already have a 386 portable with an Ethernet card. Several checks are missing in decodes (e.g. checking of checksums) and presentation is nowhere near that of a Sniffer full display mode.

jbvb@ftp.com - James B. VanBokkelen writes:

Our performance depends on the speed of the PC and network interface you use. On a 20Mhz 386 with an Interlan NI5210 interface, I've benchmarked LANWatch capturing bursts of 200 packets (the board can only buffer 40 or so) at a rate of 6300 pps (at 60 bytes long, this represents 40% of the bandwidth). The long-term average capture rate is normally bound by the display, which can only handle on the order of 100-180 pps. Filtering is done on the board wherever possible, and I've never seen a situation on our in-house net where a LANWatch with a filter set up missed any of the desired packets, unless the long-term rate of packets passing the filter was more than the screen could handle.

If you want a traffic generator, we don't have one. If you want menus as a user interface, you'll prefer the Sniffer, otherwise you may prefer us. We include all the protocol parsing source code in the basic price. We provide source for the off-line analysis tools.
The parsing tree and filtering we ship are pretty complete for IP, XNS, Banyan VINES, Ethertalk and 802.2/CLNP/TP, less so for Netware and DECNet. We don't parse ISO session or above, or SNA. We have an SMB parser, but we only invoke it where we know how SMB is encapsulated on a particular transport - if you know details of SMB over 'x', adding it is likely to be pretty simple.

4. Excelan (Novell) LANalyzer
=============================

I went through a demo diskette and was not impressed with the quality of decodes. Also expensive. Monitoring oriented.

dhs@hpctdlb.hp.com - Don Schoenecker writes:

Best feature - Good general purpose package.
Better than other PC analyzers for performance.
Good Decodes
Medium Ethernet stats
Ethernet and Starlan interfaces

5. Spider Systems, Spider monitor
=================================

I went through a demo diskette and was not impressed with the quality of decodes. Also expensive. Monitoring oriented. Supports remote slave monitoring stations.

dhs@hpctdlb.hp.com - Don Schoenecker writes:

Best feature - multi tasking within a PC. It does not tie up your PC while it does network measurements.
Good Ethernet stats, medium decodes.
Ethernet and Token Ring interfaces

6. HP LanProbe - Network segment monitor.
=========================================

dhs@hpctdlb.hp.com - Don Schoenecker writes:

Best feature - Remote monitoring of network operations.
Good Ethernet stats.
Network mapping (physical location of devices)
Limited decodes
(There are other devices similar to this, but I do not know details.) i.e. Excelan (Novell) LanTern, and one that runs on a vax.

7. ????? from Cabletron.
========================

sung@mcnc.org - Wayne Sung writes:

I just looked at a unit by Cabletron. The decode is actually better than Network General. However, the software is so new (the hardware is a modified ethernet board that Intel already sells) that many features are missing. Given time, this should be a good product.

8. Public domain (PC based) software:
=====================================

sung@mcnc.org - Wayne Sung writes:

The low end jobs like MIT Netwatch are useful for spotting grossly out of line situations, as well as for new installations where you wonder if any packets are getting out at all. What you live with is that if you use the pc to process anything it will not do much above about 20 packets a second (the other commercial units do all the work with on-board processors and use the pc as a console terminal and/or long term storage). We keep some Netwatches running mostly to catch total stoppages. There is enough decode in Netwatch to see some idea of what is happening but you could not troubleshoot any protocol related problems with it.

9. Workstation based solutions - those are not portable yet (:-)).
==============================

jmccabe@orville.nas.nasa.gov - Jim McCabe writes:

NetVisualiser

Silicon Graphics now has a protocol analyzer that has a very good graphical interface and can do some network monitoring as well. It sells for around $25K in the U.S., and is superior to the other systems I have used (Sniffer, Lanalyzer, HP, NNStat). It may also be the platform for a more complete SNMP-based network management system. Another benefit is that you get a workstation with it - and a fairly powerful one at that.

This system also has remote monitoring stations which allow you to have one or more displays that are at fixed locations (like your desk) and several monitors at strategic points in your network (or your customers' networks). Thus you don't have to move the display around, as you do with the Sniffer or Lanalyzer.

sung@mcnc.org - Wayne Sung writes:

...Any upper layer decoding can be done on a workstation (in fact tcpdump on a Sun decodes a whole lot better than any of them). These workstation based products also give a different kind of portability, since there should be more of them.

Has anybody heard about this software? I only know Etherfind from Sun.

To be fair, I did omit one response from gmdzi!koepke@relay.eu.net as their product called Ethenex does not have any protocol decoding capabilities.

Again, many thanks to all respondents and I hope that this summary will help others to make their choices.

      -m-------   Chris Jankowski - Senior Systems Engineer chris@yarra.oz{.au}
    ---mmm-----   Pyramid Technology Corporation Pty. Ltd.  fax  +61 3 820 0536
  -----mmmmm---   11th Floor, 14 Queens Road                tel. +61 3 820 0711
-------mmmmmmm-   Melbourne, Victoria, 3004 AUSTRALIA       (03) 820 0711

"Knowing how things work is the basis for appreciation, and is thus a source of civilized delight." -- William Safire

fstop@mtunf.ATT.COM (Paul Hanson) (08/30/90)
Have you heard of or seen the product called LANCE from an outfit named Micro Tech? I am evaluating remote monitoring systems. This is the best one I've seen so far. They just came out to give me a slide show. I intend to see and perhaps buy one in the near future.

I need to centrally monitor a number of Ethernet LANs around the country. There are many products that have the excellent statistics, topology maps, reports etc. but which are designed to operate with a specific vendor's bridges or routers (e.g. Vitalink WAN Manager, Wellfleet's SNMP NMS, Cabletron, Racal Interlan's LANCentral). There are only a few that have been designed to use their own monitoring probe. Micro Tech is the only one that I know of that has announced product. They just started shipping their product, LANCE, in June.

The LANCE network management station software wants to run on a high res, color graphics workstation with a multitasking operating system (e.g. SUN SPARCstation 1+).

You can contact the company directly. In Anaheim, CA, their number is 800-999-9MTI or 714-970-0300.

Paul Hanson
AT&T Bell Labs
West Long Branch, NJ
(201) 870-7559