By Network Management Expert Robert J. Shimonski
Network management teams in organizations usually have a great need to do network analysis and protocol analysis so that they can baseline the systems and know how to fine-tune performance. How many times have you heard from a technician that the problem is with the network, only to find out that it was a login script issue, or an over-utilized server slowing down the clients? To the client, it is simple to blame the network. After all, who can really tell? Well, I have an answer for you: the network analyst can tell. This person will be able to stick their head into the wire (so to speak) and really tell whether there is a problem with the network or not. This is actually pretty easy to do if you have the right tools and the "know-how." If you are not in the know, then it may just look like gibberish to you. This is where we begin -- what tools do you need?
Examples of tools you can use to perform such analysis are the Fluke LAN meter and Sniffer Pro Protocol Analyzer. Knowing the OSI model is key to network analysis, because some tools only function on certain layers of the model. The Fluke product may be better at looking at cabling problems, whereas Sniffer Pro can actually look at Layer 2 and above with a critical eye. This may make you want to use them both to get a full picture. Don't forget the tools you have within your gear already staged onsite. For instance, you can use a Cisco switch's IOS to debug a problem or look at the port for detailed statistics on problems going through the port. Other tools include Etherpeek and its Token Ring counterpart. Today we'll discuss Sniffer Pro.
Sniffer Pro (version 4.5 now) is the flagship of protocol analyzers. Again, a protocol analyzer simply performs analysis of the data going through the wire where it is attached and "captures" it for your analysis. It's that simple. In the following graphic you will see the basics of the protocol analyzer. After you take the capture, you will be able to peer into the actual data packets and see IP addresses, MAC addresses, timestamps, and tons of totally useful information. In the graphic below, I simply caught some Web browser traffic from my Web browser to a Web site out on the Internet.
[Figure: A simple capture of a web browser visiting a web site]
In the panes above (top to bottom: Summary, Detail and Hex) you can see that the protocol analyzer captures HTTP traffic, which is carried over TCP. This means that it is looking at data on Layers 4 and 7 of the OSI model. Many students ask me what a port is, and even when I spell it out for them in the most simplistic of terms, looking at the protocol analyzer is when it is really driven home and all the OSI model nonsense (or what you thought was nonsense) comes to life.
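To make the layer mapping concrete, here is an added example (not Sniffer Pro's code, and not from the original tip) that decodes a constructed Ethernet/IPv4/TCP/HTTP frame into the per-layer fields an analyzer's Detail pane shows, and builds the one-line view its Summary pane gives. The MAC addresses, IP addresses and ports are made-up sample values.

```python
import struct

TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")

def build_sample_frame(payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"):
    """Constructed Ethernet II / IPv4 / TCP / HTTP frame (sample addresses, not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)  # PSH+ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # IPv4
    return eth + ip + tcp + payload

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decode_frame(frame):
    """Walk one frame up the stack the way the Detail pane does: one dict per OSI layer."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])          # Layer 2
    if ethertype != 0x0800:
        raise ValueError("example handles IPv4 only")
    ihl = (frame[14] & 0x0F) * 4                                              # IP header length
    _, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if proto != 6:
        raise ValueError("example handles TCP only")
    tcp_start, end = 14 + ihl, 14 + total_len
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", frame[tcp_start:tcp_start + 14])
    payload = frame[tcp_start + (off >> 4) * 4:end]                           # after TCP options
    layers = {
        "layer2": {"src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac)},
        "layer3": {"src": ".".join(map(str, src_ip)), "dst": ".".join(map(str, dst_ip)), "ttl": ttl},
        "layer4": {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                   "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit]},
        "layer7": None,
    }
    # Layer 7: only label the payload HTTP when it is on port 80 and starts with a request line.
    if 80 in (sport, dport) and payload.startswith(HTTP_METHODS):
        layers["layer7"] = {"protocol": "HTTP", "request_line": payload.split(b"\r\n", 1)[0].decode("ascii")}
    return layers

def summary_line(frame):
    """The Summary-pane style one-liner: addresses, ports, TCP flags and the HTTP request."""
    d = decode_frame(frame)
    line = (f"{d['layer3']['src']} -> {d['layer3']['dst']} TCP {d['layer4']['src_port']} > "
            f"{d['layer4']['dst_port']} [{','.join(d['layer4']['flags'])}]")
    if d["layer7"]:
        line += f" {d['layer7']['protocol']} {d['layer7']['request_line']}"
    return line

if __name__ == "__main__":
    print(summary_line(build_sample_frame()))
```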
Now, when there is a problem on the network, you can easily put Sniffer Pro into action, capture the data and diagnose what the problem could be. Don't get me wrong, the Sniffer output needs to be read by an expert. If you are not trained in Sniffer Pro, you may find it difficult to read and use right out of the box. (See the sources below for more info on the Sniffer.)
The Sniffer keeps address books of all the hosts on your network, so you can build filters to separate the traffic and look only for very specific, granular things, connect directly to a switch to do analysis with it, and so on. In future tips, I will discuss such things in depth.
In our next tip, we will learn how to do a capture from start to finish and save the capture for archiving. We will also look into using Microsoft's version of a protocol analyzer, Network Monitor, for network analysis. Until next time.
For more information on the Sniffer Pro product:
- Product-specific information: Sniffer Product Documentation
- 100-page cram and information guide to Sniffer Pro: SCP Sniffer Pro