A family of features for network analysis

[Editor's Note: The information in this article has been revised since it was initially posted to more accurately reflect the product review.]

In the early days of the information revolution, the only thing better than having two computers was having two computers that could "talk" to each other. As the accessibility of computer networking increased, so did the flexibility of the tools for managing and troubleshooting these networks. Now, such products offer low purchase prices and advanced monitoring functions. Modern software-based network analyzers operate on both standard PC and notebook computer platforms and support popular NICs.

Network Instruments’ Observer Suite 7.0b is one such analyzer. This product’s basic functions include capturing and analyzing LAN packets, gathering and storing bandwidth-usage levels, and determining packet errors (for network troubleshooting). Observer Suite’s advanced features include Internet-client-connection and router monitoring, network trending (for LAN long-term analysis and reporting), and remote-network probes (for gathering packet information from multiple remote-network segments).

Observer Suite is a GUI-based application for Windows 2000, Windows NT, and Windows 9x systems. The product operates on any Pentium PC-based system that connects to a LAN through an Observer Suite-supported NIC. The PC also needs to meet the minimum hardware requirements of 64MB of RAM and a 400MHz clock speed. Supported LAN topologies include Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), and Gigabit Ethernet. Supported NICs need to operate in promiscuous mode (i.e., be able to detect all traffic on the network segment). Although this requirement is strict, the product accepts a variety of manufacturers’ chip sets, including most of the popular brands. (Review this list before you purchase the product, though, to be sure Observer Suite supports your NIC.) The product supports both SNMP and Observer Suite-compliant Remote Monitoring (RMON) agents.

Network Instruments designed Observer Suite to accommodate small, midsize, and large networks. I tested the product on my small office/home office (SOHO) LAN, which utilizes wireless broadband Internet service. The always-on access, firewall, and Network Address Translation (NAT) routing technology let me test the tool’s functionality and features. (This configuration also let me test Observer Suite’s probes, which monitor remote-network segments across the Internet.) My test machine was a Compaq Armada 7400 notebook with an Intel EtherExpress Pro100 PC Card running Win2K Professional. Although the Armada 7400’s 300MHz clock speed was slower than the minimum requirement, I didn’t notice any performance problems.

Installation and configuration were simple. I ran the product’s setup utility, then installed Observer Suite’s network service. You perform all configuration, operation, and viewing functions from the main GUI.

For my first test, I wanted to simulate the limitations a user might encounter when connecting a network analyzer to a switched Ethernet environment. I started Observer Suite and noticed—as I expected—that the analyzer was receiving only IP broadcast packets from my 100Mbps switched Ethernet LAN. Many organizations use Ethernet switches to accommodate increased network throughput. When two computers that connect to ports on an Ethernet switch need to communicate, the switch creates a virtual circuit for the packet exchange, then destroys the virtual circuit after the exchange is complete. All other ports are unaware of this exchange, as is any connected network analyzer.

To address this limitation, many Ethernet switch vendors have added port-mirroring or port-spanning capabilities to their switch technologies. Port mirroring lets a connected analyzer gather all traffic from a specific port; port spanning gives the analyzer traffic samples from each port at predetermined intervals (e.g., every 250ms). Observer Suite can operate with switches that feature port mirroring or port spanning. (The product’s package includes an extensive list of these supported Ethernet switches.) My test switch, however, didn’t support these technologies, so I simply replaced the switch with an Ethernet hub. I used the hub to create a local hub segment, which then allowed Observer to gather network packets from all configured clients. I then added a remote network segment (a hub with several clients attached) by reconnecting my switch between the two hubs. This setup gave me the chance to test another Observer Suite feature: remote probes.

Many networks use a combination of switches and Ethernet hubs. Hubs share network signaling and bandwidth usage among all ports, so Observer Suite can use a remote probe to gather packets from all traffic on a hub-based network segment, thus overcoming the switches’ limitations. The Observer Suite package includes one remote probe, which is an add-on program that you can install on a PC connected to a hub-based network segment. The remote probe captures all packet and traffic information on the segment, then forwards the information across the network (switched or not) to the main GUI for analysis and storage. The probe was easy to configure: I simply selected Remote LAN from the Advanced and RMON Probes window in the main GUI to get the network information from that segment. A remote probe can serve only one hub segment, so the administrator of a large LAN would need to purchase additional probes, at $295 each, from Network Instruments. Observer Suite started gathering packets and displayed packet information and network activity levels in the GUIs that Figure 1 shows.

I used Observer Suite’s handy configuration features, such as Discover Network Names, to quickly produce a list of system names, IP addresses, and media access control (MAC) addresses. Observer Suite also detected my NAT router.

Observer Suite includes a comprehensive, well-written user manual, but I found that I could intuitively operate and navigate through the program: I simply clicked the appropriate option buttons for the functions I wanted to configure. For example, a helpful dialog box appeared when I was configuring Observer Suite to monitor a router; the dialog box explained that I first needed to run Network Discovery and listed steps for locating this discovery function.

The Router Observer function was perfect for monitoring the amount of traffic crossing my SOHO’s NAT router. The function presented a clean, useful display of traffic information in packets per second, bits per second, and percentage of interface utilization. Another function I found useful was the Web Observer, which lists all networked systems that connect to the Internet and the host IP addresses to which they connect.

I also appreciated the product’s Network Trending function, which lets you sample and store bandwidth-usage levels and data from other Observer Suite functions. You can refer back to this information, note trends, and use the information when troubleshooting your network. You can customize the Network Trending configuration to sample and store data from only the Observer Suite functions that require trend analysis, and you can specify the intervals at which Network Trending takes samples.

The core feature of all network analyzers, however, is packet analysis. Network analyzers break down a captured packet—including the source and destination IP addresses, checksums (to ensure content integrity), and data found within the packet—and communicate the packet’s internal information and any existing packet errors to the network administrator. To test this core function, I captured packets from an Internet banking transaction. To analyze the packet data, I selected the Decode and Analysis submodes of the packet-capture function. My analysis assured me that the bank-account information I was sending across the Internet was encrypted; clear text would have appeared in the Decode packet-data display in the main GUI, which Figure 2 shows. Packet analysis at this level can help developers debug networks and might also be useful to network security personnel.
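To make the decode step above concrete, here is a small packet decoder written for this article; it is an added example, not code from Observer Suite or Network Instruments. It breaks an Ethernet frame down the way a Decode view does (MAC addresses, IP addresses, TTL, protocol), recomputes the IPv4 header checksum to flag a corrupted packet, and applies a printable-byte heuristic to the payload so that clear-text data stands out from encrypted data. The frame is constructed inline from documentation addresses (192.0.2.0/24, locally administered MACs), so everything runs offline; the builder functions exist only to produce that sample.

```python
import struct
from typing import Any, Dict

ETHERTYPE_IPV4 = 0x0800


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.
    The caller passes the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (or tab/CR/LF).
    Clear-text protocols sit near 1.0; encrypted or compressed data sits well below 0.5."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Decode Ethernet II + IPv4 headers and report any integrity problems in 'errors'."""
    result: Dict[str, Any] = {"errors": []}
    if len(frame) < 14:
        result["errors"].append("frame shorter than an Ethernet header")
        return result
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result.update(eth_src=_mac(eth_src), eth_dst=_mac(eth_dst), ethertype=ethertype)
    if ethertype != ETHERTYPE_IPV4:
        result["errors"].append(f"ethertype 0x{ethertype:04x} is not IPv4; not decoded further")
        return result
    ip = frame[14:]
    if len(ip) < 20:
        result["errors"].append("IPv4 header truncated")
        return result
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     stored_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(ip):
        result["errors"].append("bad IPv4 version or header length")
        return result
    header = ip[:ihl]
    computed = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    if computed != stored_csum:
        result["errors"].append(
            f"bad IPv4 header checksum: stored 0x{stored_csum:04x}, computed 0x{computed:04x}")
    if total_len > len(ip):
        result["errors"].append(f"total length {total_len} exceeds captured {len(ip)} bytes")
    payload = ip[ihl:min(total_len, len(ip))]
    result.update(src_ip=_ip(src), dst_ip=_ip(dst), ttl=ttl, protocol=proto, ident=ident,
                  payload_len=len(payload), printable_ratio=printable_ratio(payload),
                  looks_clear_text=printable_ratio(payload) > 0.9)
    return result


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


# --- constructed sample frame (hypothetical addresses, for the example only) ---
def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, src_b, dst_b)
    csum = ip_checksum(hdr)                  # computed with the field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_frame(src_mac: str, dst_mac: str, ip_packet: bytes) -> bytes:
    to_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("!6s6sH", to_bytes(dst_mac), to_bytes(src_mac), ETHERTYPE_IPV4) + ip_packet


SAMPLE_FRAME = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                           build_ipv4_packet("192.0.2.10", "192.0.2.1", 6,
                                             b"GET /account HTTP/1.1\r\n"))

if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
    damaged = bytearray(SAMPLE_FRAME)
    damaged[14 + 8] ^= 0x01                  # flip a TTL bit: header checksum no longer matches
    print(decode_frame(bytes(damaged)))
```

Running it prints a clean decode for the sample frame (empty `errors`, `looks_clear_text` true because the payload is a plain HTTP request) and then a decode of the same frame with one TTL bit flipped, which reports the checksum mismatch. The printable-ratio check is only a heuristic: it separates obviously readable protocol text from ciphertext, which is exactly the eyeball check the review describes, but it cannot tell strong encryption from weak encoding.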

Using Observer Suite was a pleasant experience. This complex product ran quickly, and I could easily configure the options for useful network packet and traffic information. Observer Suite’s relatively low cost, ease of use, and powerful features make this product a valuable asset for the troubleshooting and long-term management of computer networks, large or small.

Observer Suite 7.0b
Contact: Network Instruments • 952-932-9899 or 800-526-7919
Web: http://www.networkinstruments.com
Price: $2995 for a CD-ROM version, packaged with a user manual
Decision Summary
Pros: Inexpensive; powerful; feature-rich; easy to configure
Cons: None significant