[comp.protocols.tcp-ip] Network Monitor

reschly@BRL.MIL ("Robert J. Reschly Jr.") (01/09/89)

      Harry,

   As with nearly every simple answer, the answer is "Well, it depends".
I am at home as I type this and my notes are at work, so what follows is
from memory.  I don't think there are any glaring deficiencies, though
I have become somewhat fuzzy about prices.

   Last spring two of my co-workers and I conducted an in-depth
evaluation of offerings from Cabletron, Network General, Excelan,
Hewlett Packard (those being the major players at the time) and looked
at a few other lesser known offerings.  The only current contender I
know about that we did not look at directly was the Spyder Systems (UK)
offering.  Also, since we looked last spring, Network General claims to
have significantly improved the underlying hardware capability with
their latest offering.

   We started out looking for a box which could do everything for us.
After sifting through the literature, talking with some of the engineers
designing various units, and playing with several of the boxes, our
judgement was that a box meeting all of our criteria did not exist.  The
units with the best software were unable to give us the hardware
performance we sought.  The units with satisfactory hardware capabilities
were sorely lacking in the software department.  Given that we were and
still are driven more by hardware considerations (i.e. Guarantee the box
can capture the bits, then worry about the protocol stack.  We can
decode a protocol stack if need be, but the best software in the world
will not necessarily do us any good if the hardware misses bits....) and
we already had some software in house for looking at protocol stacks
(our homebrew gateway software, and Van Jacobson's tcpdump for Sun 3's),
we settled on buying two of the Cabletron units.  Once we resigned
ourselves to buying a box strictly on hardware considerations, the
additional features of the HP unit (~2.5x the capture buffer, and disk
based configurations) were not enough to make up for the cost
difference.  All of us would have dearly loved to be able to recommend
the Network General box though....

   Cabletron, LAN Specialist:  Their "better" offering.  Its underlying
hardware is good enough to capture anything on the network, and is able
to drive the wire at greater than 90% saturation.  It also has some
rather nice cable/transceiver testing capabilities.  Has enough buffer
memory for ~260 Maximum Segment Size (MSS) sized packets in capture
everything mode.  It is severely lacking when dealing with anything
other than the link layer, needs a VT200 compatible terminal (requires
function keys out to F20, and uses scrolling and paging keys -- yeech!),
and has no nonvolatile storage (no saved configurations).  It is,
however, relatively cheap: ~$5,000.

   Hewlett Packard:  I forget the model number, but it is the "portable"
unit with the attached keyboard and ~7inch monochrome CRT.  Typical HP.
A solidly built, self-contained, closed box.  Also able to capture
anything on the wire, and able to drive the wire to greater than 90%
saturation.  Has enough buffer memory for ~650 MSS sized packets in
capture everything mode.  Has a floppy disk and an optional 10MB(?) hard
disk available.  The disks can be used to store configuration
information, and traffic dumps, though the box is not fast enough to use
the disk to extend buffer memory without risking missing some of the
bits.  Like much of HP's fancier equipment, suffers from "softkeys on
the brain".  Other than flipping a few bits in filters and entering
names, the keyboard might just as well not be present.  Also loses when
it comes to anything above the link layer.  Priced around $18,000.

   Excelan, LANalyzer:  This unit does not stand out in my mind.  It is
probably best summarized as the Sniffer's baby brother.  I don't recall
any of us noting any glaring deficiencies, just that it was not as
flexible, or as featureful as the Sniffer.  My only other recollection
was observing that the mount for the transceiver cable jack looked
rather flimsy.  The unit we played with was in a Toshiba 286 based
portable I think.  I believe this box comes in somewhere between $15,000
and $18,000.

   Network General, Sniffer:  Slick.  We all fell in love with the
amount of software support this box offered.  It could dump nearly
anything it captured all the way up the stack to the application level.
It was all menu based, but the menuing software was probably the easiest
to use and least obtrusive software of any we have run across.  We
seldom noticed it, per se, as we rummaged around with the system.  The
box we evaluated was a Compaq 286 system bundled up and sold as a
package by Network General.  Oh, if only the system was a bit heftier in
the hardware department.  We were overrunning it even on a relatively
lightly loaded network.  At least it was honest enough to let us know
when it was dropping packets (by beeping and keeping a tally) rather
than silently discarding them.  *sigh*  The other nice feature of the
Sniffer was that it could be configured for different networks.  It
could also do ARCnet and IBM 4Mb token ring I believe.  These features
were of no interest to us so we did not evaluate them.  This box ran
around $19,000 to $21,000 configured for Ethernet, I think.

   Last September at INTEROP'88 I saw a new version of the Sniffer being
demonstrated.  I have not had a chance to play with this box myself, nor
have I received the set of owners manuals I was promised, so everything
which follows is based on what the market droid I talked to said and my
fuzzy recollections of the spec sheets.  This version has been reworked
substantially, and offers several interesting features.  The new version
is built around a Compaq 386 box, and everything hangs off the back of
the Compaq as a plug-in module.  The Ethernet hardware has been beefed
up and can now support several (up to 6?) megabytes of capture buffer
memory in the add-on module.  With that much memory, even if they can
only capture 256 (they ought to get at least 512) packets per megabyte,
that is still more packets than even the HP can do.  Network General now
supports six(?) differing network technologies.  The add on module can
be configured in several ways.  It can be configured with any one or two
different network interface modules, or one interface module and a hard
disk.  The latter is particularly interesting in secure computing
environments because that means you can buy a floppy only Compaq with no
permanent storage, and N network modules with the permanent storage in
the module.  This way, configurations and such can be saved between
sessions, and can be locked up when not in use without also tying up the
computer.  If this box truly meets the claims made for it, it is the
hands down winner with no reservations whatsoever.  I only wish it had
been available six months sooner....  *MOBY sigh*  Price: around $11,000
for the Compaq (gosh, is the Compaq that much? -- seems a bit steep) and
$10,000 to $15,000 for the network modules.

   The only other real contender I know of is the Spyder Systems box.
I have overheard several people claiming it is a pretty good box, and
from what I have read of it, I suspect its software is somewhere
between the LANalyzer and the old Sniffer.  I have no information about
its hardware capabilities though, and don't know if it is a dedicated
or hosted implementation.  Not only that, but I don't know what it costs.
Probably worth a look before making any decisions.

   I hope you find this useful.

				Later,
				    Bob 
   --------
Phone:  (301)278-6678   AV: 298-6678    FTS: 939-6678
Arpa:   reschly@BRL.MIL (or BRL.ARPA)   UUCP: ...!brl-smoke!reschly
Postal: Robert J. Reschly Jr.
        U.S. Army Ballistic Research Laboratory
        Systems Engineering and Concepts Analysis Division
        Advanced Computer Systems Team
        ATTN: SLCBR-SE  (Reschly)
        APG, MD  21005-5066             (Hey, *I* don't make 'em up!)

****  For a good time, call: (303) 499-7111.   Seriously!  ****

kincl%hp-iag@HP-SDE.SDE.HP.COM (Norman Kincl) (01/10/89)

> Last spring two of my co-workers and I conducted an in-depth
> evaluation of offerings from Cabletron, Network General, Excelan,
> Hewlett Packard ...

Lots can happen in that time.

> Hewlett Packard:  I forget the model number, 

The model number is HP 4972A.

>                           Has a floppy disk and an optional 10MB(?) hard
> disk available.

A 20MB hard disk is standard.  Up to two additional hard disks (10, 20
or 40MB) can be added.

>                                                         Also loses when
> it comes to anything above the link layer.

We have a TCP/IP protocol interpreter that runs on the HP 4972A (part
number HP 18221A).  It decodes the level 3 and 4 protocols of TCP,
UDP, IP, ICMP, ARP and RARP.

Other features include the use of an IP address list that allows users
to define names to be used in the display of information.  Addresses
that do not have a user-defined name are displayed in dotted-decimal
notation.  The interpreter will also flag checksum errors and illegal
frame lengths.

Also included are utilities that allow users to capture conversations,
trigger on events for further analysis (capture ICMP messages of
specific type, capture one conversation start to finish, capture
trivial window problems, and so on).

You can do things like display the login time, time to first data
transfer, number of frames that carry only one byte of data, number of
frames with more than one byte of data, number of acknowledgements and
total connect time.


-Norm Kincl
 Information Architecture Group, Hewlett-Packard

(I don't make or sell these things---call your local sales office if
you want real details.)
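The interpreter Norm describes (header decode, checksum and frame-length flags, a user-defined name list, and per-conversation tallies such as one-byte data frames and acknowledgement counts) reduced to its mechanics, as an added example.  This is not the thread's code and not HP's software; the frames, the 192.0.2.0/24 addresses and the name list are constructed for the example.

```python
"""Minimal TCP/IP protocol interpreter over raw Ethernet frames.

Added example; not code from the thread, from HP or from the HP 18221A.  It
decodes Ethernet/IPv4/TCP headers, verifies the IP header checksum, flags
illegal frame lengths, substitutes user-defined names for addresses, and
tallies per-conversation counters (one-byte data frames, larger data frames,
pure acknowledgements).  All frames and addresses below are constructed.
"""
import struct

ETHERTYPE_IP = 0x0800
MIN_FRAME, MAX_FRAME = 60, 1514          # Ethernet limits without the 4-byte FCS
TCP_ACK = 0x10
# User-defined name list, as the post describes; unknown addresses fall back
# to dotted-decimal.  Addresses are from TEST-NET-1 (constructed).
NAMES = {"192.0.2.10": "client", "192.0.2.20": "server"}


def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Constructed sample: Ethernet II / IPv4 (no options) / TCP (no options)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      8192, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6,
                         0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    eth = (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
           + struct.pack("!H", ETHERTYPE_IP))          # constructed MACs
    frame = eth + ip_hdr + tcp
    return frame + b"\x00" * max(0, MIN_FRAME - len(frame))   # pad as the wire does


def decode(frame):
    """Interpret one frame: decoded fields plus a list of flagged problems."""
    notes = []
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        notes.append("illegal frame length %d" % len(frame))
    if len(frame) < 34:
        return {"proto": "runt", "notes": notes}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IP:
        return {"proto": "non-IP", "ethertype": ethertype, "notes": notes}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if checksum(ip[:ihl]) != 0:
        notes.append("IP header checksum error")
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    rec = {"proto": "IP", "src": src, "dst": dst, "ttl": ip[8], "notes": notes,
           "src_name": NAMES.get(src, src), "dst_name": NAMES.get(dst, dst)}
    if ip[9] == 6:                                 # TCP
        tcp = ip[ihl:total_len]                    # IP total length drops padding
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
        rec.update(proto="TCP", sport=sport, dport=dport, seq=seq, ack=ack,
                   flags=flags, data_len=len(tcp) - (off >> 4) * 4)
    return rec


def conversation_stats(frames):
    """Per-direction tallies of the kind the interpreter's report lists."""
    stats = {}
    for frame in frames:
        rec = decode(frame)
        if rec["proto"] != "TCP":
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        s = stats.setdefault(key, {"frames": 0, "one_byte": 0, "data": 0,
                                   "pure_ack": 0, "checksum_errors": 0})
        s["frames"] += 1
        if rec["data_len"] == 1:
            s["one_byte"] += 1            # the telnet-keystroke case
        elif rec["data_len"] > 1:
            s["data"] += 1
        elif rec["flags"] & TCP_ACK:
            s["pure_ack"] += 1
        if any("checksum" in n for n in rec["notes"]):
            s["checksum_errors"] += 1
    return stats


CLIENT, SERVER = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
SAMPLE_FRAMES = [                      # constructed telnet-style exchange
    build_frame(CLIENT, SERVER, 1024, 23, 100, 5000, 0x18, b"l"),      # 1-byte keystroke
    build_frame(SERVER, CLIENT, 23, 1024, 5000, 101, 0x10),             # pure ACK
    build_frame(CLIENT, SERVER, 1024, 23, 101, 5000, 0x18, b"s"),
    build_frame(SERVER, CLIENT, 23, 1024, 5000, 102, 0x18, b"ls\r\n"),  # echo, >1 byte
    build_frame(CLIENT, SERVER, 1024, 23, 102, 5004, 0x10),
]
_bad = bytearray(SAMPLE_FRAMES[0])
_bad[14 + 8] ^= 0x01                   # flip a TTL bit: header checksum no longer verifies
SAMPLE_FRAMES.append(bytes(_bad))

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        r = decode(f)
        print("%s:%d -> %s:%d data=%d flags=0x%02x %s" % (
            r["src_name"], r["sport"], r["dst_name"], r["dport"],
            r["data_len"], r["flags"], "; ".join(r["notes"])))
    for key, s in conversation_stats(SAMPLE_FRAMES).items():
        print(key, s)
```

The difference Kevin draws in the next post (tagging fields versus decoding them) is visible here: `decode` does both, since the checksum test and the data-length arithmetic are what turn a tagged header into a statement about the conversation.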

vjs@rhyolite.SGI.COM (Vernon Schryver) (01/10/89)

In article <8901091832.AA05477@hp-iag.HP.COM>,
	kincl%hp-iag@HP-SDE.SDE.HP.COM (Norman Kincl) writes:
> 
> [nice features of HP network monitors...]
>
> -Norm Kincl
>  Information Architecture Group, Hewlett-Packard

Some of the "dedicated" network monitors are indeed quite nice.

However, for utility and flexibility, it is hard to beat a "native"
monitor which runs on a significant number of the hosts in your
network.  Imagine how handy it is to reach out across a few gateways to
a workstation on the troubled network, and tell that workstation to
snoop on the wire.  Think how it is to watch for damaged packets at
many places along a cable, without having to crawl into ceilings or
floors, or to make any cabling changes.  Think about not having to lug
a fragile box all over creation.  (I assume boxes built to HP standards
are not really fragile, but things that cost lots tend to seem
fragile.)  Since such a monitor is "just" software, one can hope
to get a good deal if you need more than a single monitor.

Such native monitors are available for at least one company's UNIX
workstations.  They are not quite as fast as some (but not all)
dedicated monitors, but they are more programmable by users.  (You just
start hacking in C.)  Monitors for PC's might be useful, if the PC runs
a real operating system, so that you can rsh/rlogin/telnet/sethost/...
to the PC and then run the monitor.  (Or have a remote monitoring
daemon.)

Vendors of workstations tend to like native monitors.  We can tell
customers with problems to "do such and such and send me the results."
This is handy for finger pointing :-) as well as for finding bugs.

Might one expect a network management system to include network
monitors for all of the levels?

Vernon Schryver
Silicon Graphics
vjs@sgi.com

murayama@CS.UCL.AC.UK (Yuko Murayama, +44-1-387-7050 ext.3695) (01/11/89)

Just from curiosity, can any of those monitors have its own
IP address and send out a packet ( a probe or some kind)
to the net?    Or are they listen-only?

Yuko

brooks@Apple.COM (Kevin Brooks) (01/12/89)

In article <8901091832.AA05477@hp-iag.HP.COM> kincl%hp-iag@HP-SDE.SDE.HP.COM (Norman Kincl) writes:
>
>> Last spring two of my co-workers and I conducted an in-depth
>> evaluation of offerings from Cabletron, Network General, Excelan,
>> Hewlett Packard ...
>
>Lots can happen in that time.
>
>>                                                         Also loses when
>> it comes to anything above the link layer.
>
>We have a TCP/IP protocol interpreter that runs on the HP 4972A (part
>number HP 18221A).  It decodes the level 3 and 4 protocols of TCP,
>UDP, IP, ICMP, ARP and RARP.

This may be a bit misleading: the HP 4972A does not actually decode the TCP/IP
protocol suite; rather, it displays, or I should say tags, each field as to what
the code in the field represents, not what the code means.  This means that you
still need to decode the protocol stack yourself, but you're saved the time of
counting bytes.  I would not call this protocol decode.  The Excelan product has
very similar protocol decode features.

I did a fairly extensive evaluation of the HP 4972a, the Network General
Sniffer, FTP's lanwatch, and the Excelan Lanalyzer.  If anyone is interested 
in seeing a copy of my report send me email and I'll send you a copy.
Kevin Brooks
A/UX Specialist, Apple Computer		   APPLELINK: BROOKS3
UUCP: {mtxinu,sun,nsc,voder}!apple!brooks  DOMAIN: brooks@apple.apple.com
CSNET: brooks@apple.CSNET 		   ARPA: brooks%apple@csnet-relay.ARPA

brooks@Apple.COM (Kevin Brooks) (01/12/89)

In article <8901110133.AA02616@ucbvax.Berkeley.EDU> murayama@CS.UCL.AC.UK (Yuko Murayama, +44-1-387-7050 ext.3695) writes:
>
>Just from curiosity, can any of those monitors have its own
>IP address and send out a packet ( a probe or some kind)
>to the net?    Or are they listen-only?
>
>Yuko

You don't actually assign an IP address to the monitors since TCP/IP is not
their game, but they all have their own Ethernet address and can all transmit
packets out.  You can define the bytes in the packet if you need to, to say
simulate an IP address and some type of request.  The Excelan is the only
monitor that can transmit and monitor the net at the same time.
Kevin Brooks
A/UX Specialist, Apple Computer		   APPLELINK: BROOKS3
UUCP: {mtxinu,sun,nsc,voder}!apple!brooks  DOMAIN: brooks@apple.apple.com
CSNET: brooks@apple.CSNET 		   ARPA: brooks%apple@csnet-relay.ARPA

murayama@CS.UCL.AC.UK (Yuko Murayama, +44-1-387-7050 ext.3695) (01/12/89)

> From: Kevin Brooks <brooks@apple.com>

> You can define the bytes in the packet if you need to, to say
> simulate an IP address and some type of request.

Thank you for the reply.  So am I correct in that this simulated
packet should not be an Ethernet ARP request, because it may cause
confusion in the net?

Yuko
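Kevin's "define the bytes in the packet" and Yuko's worry about an ARP request, carried through as an added example that is not part of the thread.  It lays out an Ethernet/ARP request byte by byte and then runs the receiver half of RFC 826 against a constructed ARP cache, which is where the confusion comes from: RFC 826 merges the sender fields of any ARP packet into an existing cache entry before it even checks whether the packet was addressed to it, so a probe that borrows a live host's IP address as its sender rewrites that host's entry on every machine that hears it.  The addresses (TEST-NET-1 IPs, locally administered MACs) and the cache contents are constructed; the all-zero sender address used in the second case is the convention RFC 5227 later standardised for probes.

```python
"""Hand-built ARP probe and what an RFC 826 receiver does with it.

Added example; not code from the thread or from any of the monitors
discussed.  It defines the bytes of an Ethernet/ARP request the way the
posts describe loading a packet into a monitor, then runs the receiver
side of RFC 826 against a constructed ARP cache to show why a probe that
borrows a live host's IP address as its sender confuses the net, and why
one with an all-zero sender address does not.  All addresses are
constructed (TEST-NET-1 IPs, locally administered MACs).
"""
import struct

ETHERTYPE_ARP = 0x0806
HTYPE_ETHER, PTYPE_IP = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"             # hrd, pro, hln, pln, op, sha, spa, tha, tpa


def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(x) for x in s.split("."))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body, zero-padded to the 60-byte minimum."""
    body = struct.pack(ARP_FMT, HTYPE_ETHER, PTYPE_IP, 6, 4, op,
                       sender_mac, sender_ip, target_mac, target_ip)
    frame = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + body
    return frame + b"\x00" * (60 - len(frame))


def build_arp_request(sender_mac, sender_ip, target_ip):
    """The probe a monitor would transmit: who-has target_ip, tell sender."""
    return build_arp(OP_REQUEST, BROADCAST, sender_mac, sender_ip, b"\x00" * 6, target_ip)


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet ARP frame")
    hrd, pro, hln, pln, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (hrd, pro, hln, pln) != (HTYPE_ETHER, PTYPE_IP, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def receive_arp(cache, my_ip, my_mac, frame):
    """RFC 826 receiver algorithm on one host.  Mutates and returns the cache,
    plus the reply frame it would send (None if the request was not for us)."""
    a = parse_arp(frame)
    merged = False
    if a["spa"] in cache:
        # RFC 826 merge step: an existing entry for the sender protocol address
        # is overwritten with the sender hardware address before the target
        # address is even examined.  This is the "confusion".
        cache[a["spa"]] = a["sha"]
        merged = True
    if a["tpa"] != my_ip:
        return cache, None
    if not merged and a["spa"] != "0.0.0.0":
        cache[a["spa"]] = a["sha"]       # new entry, learned only by the target
        # (an all-zero sender address, the probe convention RFC 5227 later
        # standardised, is deliberately not learned)
    if a["op"] != OP_REQUEST:
        return cache, None
    reply = build_arp(OP_REPLY, mac(a["sha"]), my_mac, ip(my_ip), mac(a["sha"]), ip(a["spa"]))
    return cache, reply


# Constructed scenario: the server's ARP cache already knows the real client.
MONITOR_MAC = mac("02:00:00:00:00:fe")
SERVER_IP, SERVER_MAC = "192.0.2.20", mac("02:00:00:00:00:14")
REAL_CLIENT = {"192.0.2.10": "02:00:00:00:00:0a"}


def probe_with_borrowed_ip():
    """Monitor sends an ARP request using the client's IP as its sender address."""
    frame = build_arp_request(MONITOR_MAC, ip("192.0.2.10"), ip(SERVER_IP))
    return receive_arp(dict(REAL_CLIENT), SERVER_IP, SERVER_MAC, frame)


def probe_with_zero_ip():
    """Same probe with sender 0.0.0.0: nothing in the server's cache changes."""
    frame = build_arp_request(MONITOR_MAC, ip("0.0.0.0"), ip(SERVER_IP))
    return receive_arp(dict(REAL_CLIENT), SERVER_IP, SERVER_MAC, frame)


if __name__ == "__main__":
    cache, reply = probe_with_borrowed_ip()
    print("borrowed sender IP: server now maps 192.0.2.10 ->", cache["192.0.2.10"])
    cache, reply = probe_with_zero_ip()
    print("zero sender IP:     server still maps 192.0.2.10 ->", cache["192.0.2.10"])
    print("reply goes to", parse_arp(reply)["tha"], "op", parse_arp(reply)["op"])
```

Both probes draw a reply, so the reachability test works either way; the only difference is what the rest of the net learns from hearing the request.  A sender address that is merely unused rather than zero sits in between: nobody's entry is overwritten, but the target learns a mapping for an address that does not exist until it ages out.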