reschly@BRL.MIL ("Robert J. Reschly Jr.") (01/09/89)
Harry,

As with nearly every simple answer, the answer is "Well, it depends".

I am at home as I type this and my notes are at work, so what follows is from memory. I don't think there are any glaring deficiencies, though I have become somewhat fuzzy about prices.

Last spring two of my co-workers and I conducted an in-depth evaluation of offerings from Cabletron, Network General, Excelan, Hewlett Packard (those being the major players at the time) and looked at a few other lesser known offerings. The only current contender I know about that we did not look at directly was the Spyder Systems (UK) offering. Also, since we looked last spring, Network General claims to have significantly improved the underlying hardware capability with their latest offering.

We started out looking for a box which could do everything for us. After sifting through the literature, talking with some of the engineers designing various units, and playing with several of the boxes, our judgement was that a box meeting all of our criteria did not exist. The units with the best software were unable to give us the hardware performance we sought. The units with satisfactory hardware capabilities were sorely lacking in the software department.

Given that we were and still are driven more by hardware considerations (i.e. guarantee the box can capture the bits, then worry about the protocol stack. We can decode a protocol stack if need be, but the best software in the world will not necessarily do us any good if the hardware misses bits....) and we already had some software in house for looking at protocol stacks (our homebrew gateway software, and Van Jacobson's tcpdump for Sun 3s), we settled on buying two of the Cabletron units. Once we resigned ourselves to buying a box strictly on hardware considerations, the additional features of the HP unit (~2.5x the capture buffer, and disk based configurations) were not enough to make up for the cost difference.

All of us would have dearly loved to be able to recommend the Network General box though....

Cabletron, LAN Specialist:
  Their "better" offering. Its underlying hardware is good enough to capture anything on the network, and is able to drive the wire at greater than 90% saturation. It also has some rather nice cable/transceiver testing capabilities. Has enough buffer memory for ~260 Maximum Segment Size (MSS) sized packets in capture everything mode. It is severely lacking when dealing with anything other than the link layer, needs a VT200 compatible terminal (requires function keys out to F20, and uses scrolling and paging keys -- yeech!), and has no nonvolatile storage (no saved configurations). It is, however, relatively cheap: ~$5,000.

Hewlett Packard:
  I forget the model number, but it is the "portable" unit with the attached keyboard and ~7 inch monochrome CRT. Typical HP. A solidly built, self-contained, closed box. Also able to capture anything on the wire, and able to drive the wire to greater than 90% saturation. Has enough buffer memory for ~650 MSS sized packets in capture everything mode. Has a floppy disk and an optional 10MB(?) hard disk available. The disks can be used to store configuration information and traffic dumps, though the box is not fast enough to use the disk to extend buffer memory without risking missing some of the bits. Like much of HP's fancier equipment, suffers from "softkeys on the brain". Other than flipping a few bits in filters and entering names, the keyboard might just as well not be present. Also loses when it comes to anything above the link layer. Priced around $18,000.

Excelan, LANalyzer:
  This unit does not stand out in my mind. It is probably best summarized as the Sniffer's baby brother. I don't recall any of us noting any glaring deficiencies, just that it was not as flexible, or as featureful, as the Sniffer. My only other recollection was observing that the mount for the transceiver cable jack looked rather flimsy. The unit we played with was in a Toshiba 286 based portable, I think. I believe this box comes in somewhere between $15,000 and $18,000.

Network General, Sniffer:
  Slick. We all fell in love with the amount of software support this box offered. It could dump nearly anything it captured all the way up the stack to the application level. It was all menu based, but the menuing software was probably the easiest to use and least obtrusive software of any we have run across. We seldom noticed it, per se, as we rummaged around with the system. The box we evaluated was a Compaq 286 system bundled up and sold as a package by Network General. Oh, if only the system was a bit heftier in the hardware department. We were overrunning it even on a relatively lightly loaded network. At least it was honest enough to let us know when it was dropping packets (by beeping and keeping a tally) rather than silently discarding them. *sigh* The other nice feature of the Sniffer was that it could be configured for different networks. It could also do ARCnet and IBM 4Mb token ring, I believe. These features were of no interest to us so we did not evaluate them. This box ran around $19,000 to $21,000 configured for Ethernet, I think.

Last September at INTEROP'88 I saw a new version of the Sniffer being demonstrated. I have not had a chance to play with this box myself, nor have I received the set of owners' manuals I was promised, so everything which follows is based on what the market droid I talked to said and my fuzzy recollections of the spec sheets. This version has been reworked substantially, and offers several interesting features. The new version is built around a Compaq 386 box, and everything hangs off the back of the Compaq as a plug-in module. The Ethernet hardware has been beefed up and can now support several (up to 6?) megabytes of capture buffer memory in the add-on module. With that much memory, even if they can only capture 256 (they ought to get at least 512) packets per megabyte, that is still more packets than even the HP can do.

Network General now supports six(?) differing network technologies. The add-on module can be configured in several ways. It can be configured with any one or two different network interface modules, or one interface module and a hard disk. The latter is particularly interesting in secure computing environments because that means you can buy a floppy-only Compaq with no permanent storage, and N network modules with the permanent storage in the module. This way, configurations and such can be saved between sessions, and can be locked up when not in use without also tying up the computer.

If this box truly meets the claims made for it, it is the hands down winner with no reservations whatsoever. I only wish it had been available six months sooner.... *MOBY sigh* Price: around $11,000 for the Compaq (gosh, is the Compaq that much? -- seems a bit steep) and $10,000 to $15,000 for the network modules.

The only other real contender I know of is the Spyder Systems box. I have overheard several people claiming it is a pretty good box, and from what I have read of it, I suspect its software is somewhere between the LANalyzer and the old Sniffer. I have no information about its hardware capabilities though, and don't know if it is a dedicated or hosted implementation. Not only that, but I don't know what it costs. Probably worth a look before making any decisions.

I hope you find this useful.

Later,
Bob
--------
Phone:  (301)278-6678   AV: 298-6678   FTS: 939-6678
Arpa:   reschly@BRL.MIL (or BRL.ARPA)
UUCP:   ...!brl-smoke!reschly
Postal: Robert J. Reschly Jr.
        U.S. Army Ballistic Research Laboratory
        Systems Engineering and Concepts Analysis Division
        Advanced Computer Systems Team
        ATTN: SLCBR-SE (Reschly)
        APG, MD 21005-5066
        (Hey, *I* don't make 'em up!)
**** For a good time, call: (303) 499-7111. Seriously! ****
kincl%hp-iag@HP-SDE.SDE.HP.COM (Norman Kincl) (01/10/89)
> Last spring two of my co-workers and I conducted an in-depth
> evaluation of offerings from Cabletron, Network General, Excelan,
> Hewlett Packard ...

Lots can happen in that time.

> Hewlett Packard: I forget the model number,

The model number is HP 4972A.

> Has a floppy disk and an optional 10MB(?) hard
> disk available.

A 20MB hard disk is standard. Up to two additional hard disks (10, 20 or 40MB) can be added.

> Also loses when
> it comes to anything above the link layer.

We have a TCP/IP protocol interpreter that runs on the HP 4972A (part number HP 18221A). It decodes the level 3 and 4 protocols of TCP, UDP, IP, ICMP, ARP and RARP. Other features include the use of an IP address list that allows users to define names to be used in the display of information. Addresses that do not have a user-defined name are displayed in dotted-decimal notation. The interpreter will also flag checksum errors and illegal frame lengths.

Also included are utilities that allow users to capture conversations, trigger on events for further analysis (capture ICMP messages of specific type, capture one conversation start to finish, capture trivial window problems, and so on). You can do things like display the login time, time to first data transfer, number of frames that carry only one byte of data, number of frames with more than one byte of data, number of acknowledgements and total connect time.

-Norm Kincl
Information Architecture Group, Hewlett-Packard
(I don't make or sell these things---call your local sales office if you want real details.)
vjs@rhyolite.SGI.COM (Vernon Schryver) (01/10/89)
In article <8901091832.AA05477@hp-iag.HP.COM>, kincl%hp-iag@HP-SDE.SDE.HP.COM (Norman Kincl) writes:
>
> [nice features of HP network monitors...]
>
> -Norm Kincl
> Information Architecture Group, Hewlett-Packard

Some of the "dedicated" network monitors are indeed quite nice. However, for utility and flexibility, it is hard to beat a "native" monitor which runs on a significant number of the hosts in your network. Imagine how handy it is to reach out across a few gateways to a workstation on the troubled network, and tell that workstation to snoop on the wire. Think how it is to watch for damaged packets at many places along a cable, without having to crawl into ceilings or floors, or to make any cabling changes. Think about not having to lug a fragile box all over creation. (I assume boxes built to HP standards are not really fragile, but things that cost lots tend to seem fragile.) Since such a monitor is "just" software, one can hope to get a good deal if you need more than a single monitor.

Such native monitors are available for at least one company's UNIX workstations. They are not quite as fast as some (but not all) dedicated monitors, but they are more programmable by users. (You just start hacking in C.) Monitors for PCs might be useful, if the PC runs a real operating system, so that you can rsh/rlogin/telnet/sethost/... to the PC and then run the monitor. (Or have a remote monitoring daemon.)

Vendors of workstations tend to like native monitors. We can tell customers with problems to "do such and such and send me the results." This is handy for finger pointing :-) as well as for finding bugs.

Might one expect a network management system to include network monitors for all of the levels?

Vernon Schryver
Silicon Graphics
vjs@sgi.com
murayama@CS.UCL.AC.UK (Yuko Murayama, +44-1-387-7050 ext.3695) (01/11/89)
Just from curiosity, can any of those monitors have its own IP address and send out a packet (a probe of some kind) to the net? Or are they listen-only?

Yuko
brooks@Apple.COM (Kevin Brooks) (01/12/89)
In article <8901091832.AA05477@hp-iag.HP.COM> kincl%hp-iag@HP-SDE.SDE.HP.COM (Norman Kincl) writes:
>
>> Last spring two of my co-workers and I conducted an in-depth
>> evaluation of offerings from Cabletron, Network General, Excelan,
>> Hewlett Packard ...
>
>Lots can happen in that time.
>
>> Also loses when
>> it comes to anything above the link layer.
>
>We have a TCP/IP protocol interpreter that runs on the HP 4972A (part
>number HP 18221A). It decodes the level 3 and 4 protocols of TCP,
>UDP, IP, ICMP, ARP and RARP.

This may be a bit misleading: the HP 4972A does not actually decode the TCP/IP protocol suite; rather it displays, or I should say tags, each field as to what the code in the field represents, not what the code means. This means that you still need to decode the protocol stack yourself, but you're saved the time of counting bytes. I would not call this protocol decode. The Excelan product has very similar protocol decode features.

I did a fairly extensive evaluation of the HP 4972A, the Network General Sniffer, FTP's LANWatch, and the Excelan LANalyzer. If anyone is interested in seeing a copy of my report, send me email and I'll send you a copy.

Kevin Brooks
A/UX Specialist, Apple Computer
APPLELINK: BROOKS3
UUCP: {mtxinu,sun,nsc,voder}!apple!brooks
DOMAIN: brooks@apple.apple.com
CSNET: brooks@apple.CSNET
ARPA: brooks%apple@csnet-relay.ARPA
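An added example (my own code, not HP's 18221A software nor anything from the posters above) that shows in Python the distinction Kevin draws and the checks Norm lists: it interprets the IPv4 and TCP fields of a frame rather than merely labelling them, verifies the IP header checksum, flags a frame that is shorter than its IP total length, maps addresses through a name table, and tallies one-byte versus no-data segments. The frames, addresses and the name table are constructed for the example.

```python
import struct
from collections import Counter
NAMES = {"10.0.0.1": "host-a", "10.0.0.2": "host-b"}  # constructed name table (assumed)
TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))

def ip_checksum(hdr: bytes) -> int:  # RFC 1071: a header carrying a valid checksum sums to 0
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))  # IPv4 headers are 4-byte multiples
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src, dst, flags, payload, corrupt=False, truncate=0) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame; corrupt and truncate inject faults to check."""
    tcp = struct.pack("!HHIIBBHHH", 1023, 23, 1, 1, 5 << 4, flags, 4096, 0, 0) + payload
    addr = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, addr(src), addr(dst))
    csum = (ip_checksum(ip) + (1 if corrupt else 0)) & 0xFFFF
    frame = bytes(12) + b"\x08\x00" + ip[:10] + struct.pack("!H", csum) + ip[12:] + tcp
    return frame[:len(frame) - truncate]

def decode(frame: bytes) -> dict:
    """Interpret the fields rather than just tag them: names, checksum and length checks, segment kind."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {"errors": ["short or non-IPv4 frame"]}
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    src, dst = (".".join(str(b) for b in ip[o:o + 4]) for o in (12, 16))
    info = {"src": NAMES.get(src, src), "dst": NAMES.get(dst, dst), "errors": []}
    if ip_checksum(ip[:ihl]) != 0:
        info["errors"].append("IP checksum error")
    if total_len > len(ip):  # the IP header claims more bytes than arrived on the wire
        info["errors"].append("illegal frame length")
    if proto != 6 or total_len > len(ip):
        return info
    tcp = ip[ihl:total_len]
    data_len = len(tcp) - (tcp[12] >> 4) * 4
    info["tcp_flags"] = [name for bit, name in TCP_FLAGS if tcp[13] & bit]
    info["kind"] = "no-data" if data_len == 0 else "one-byte" if data_len == 1 else "data"
    return info

def summarize(frames) -> Counter:
    """Tallies of the sort the HP interpreter reports: one-byte frames, larger frames, errors."""
    tally = Counter()
    for info in map(decode, frames):
        tally.update([info.get("kind", "undecodable"), *info["errors"]])
    return tally

SAMPLE = [build_frame("10.0.0.2", "10.0.0.1", 0x18, b"l"),  # constructed: keystroke, its ACK, faulty frame
          build_frame("10.0.0.1", "10.0.0.2", 0x10, b""),
          build_frame("10.0.0.2", "10.0.0.1", 0x18, b"login: ", corrupt=True, truncate=10)]
```

Calling summarize(SAMPLE) gives one "one-byte", one "no-data" and one undecodable frame, the last carrying both an IP checksum error and an illegal frame length.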
brooks@Apple.COM (Kevin Brooks) (01/12/89)
In article <8901110133.AA02616@ucbvax.Berkeley.EDU> murayama@CS.UCL.AC.UK (Yuko Murayama, +44-1-387-7050 ext.3695) writes:
>
>Just from curiosity, can any of those monitors have its own
>IP address and send out a packet (a probe of some kind)
>to the net? Or are they listen-only?
>
>Yuko

You don't actually assign an IP address to the monitors since TCP/IP is not their game, but they all have their own Ethernet address and can all transmit packets out. You can define the bytes in the packet if you need to, to, say, simulate an IP address and some type of request. The Excelan is the only monitor that can transmit and monitor the net at the same time.

Kevin Brooks
A/UX Specialist, Apple Computer
APPLELINK: BROOKS3
UUCP: {mtxinu,sun,nsc,voder}!apple!brooks
DOMAIN: brooks@apple.apple.com
CSNET: brooks@apple.CSNET
ARPA: brooks%apple@csnet-relay.ARPA
murayama@CS.UCL.AC.UK (Yuko Murayama, +44-1-387-7050 ext.3695) (01/12/89)
> From: Kevin Brooks <brooks@apple.com>
> You can define the bytes in the packet if you need to, to, say,
> simulate an IP address and some type of request.

Thank you for the reply. So am I correct in that this simulated packet should not be an Ethernet ARP request, because it may cause confusion in the net?

Yuko