Network Protocol Analyzers
- What the Heck Is a Protocol Analyzer?
- Packet Analyzers
- Net Therapy 101: Techniques for Using Your Analyzer
- Appropriate Analysis: Some Analyzer Scenarios
- Packet Analyzer Limitations and Solutions
- Summary
- Q&A
- Workshop
All are lunatics, but he who can analyze his delusion is called a philosopher.
Ambrose Bierce
Tell me about your network....
Many network troubleshooting cases that you'll encounter will be "elementary, my dear Watson," that is, solvable by deductive reasoning alone. However, to solve the most hard-boiled network crimes, you'll need to get a wiretap to give you the hard data that you need. Protocol analyzers provide a type of "wiretap" that allows you to gather objective data about a networking problem.
Like a wiretap, protocol analyzers shouldn't be used indiscriminately; you definitely want to use your noodle before you use your analyzer. You should always formulate a theory before breaking out the analyzer; otherwise, what are you looking for? (After all, it's a big network out there.) To wit: Only use protocol analyzers when you've exhausted other means; there are a lot of bits and bytes out there, and digging through them can be tough.
Still, when you run into a problem that needs an analyzer, it can be the difference between a stone wall and a breakthrough. After you've formulated a theory, analyzers can prove your theory by providing you tangible evidence to either sift through yourself or to give to a vendor for analysis.
What the Heck Is a Protocol Analyzer?
Every time I talk about protocol analyzers, I think about a piece of network gear reclined on a couch, with some Freudian white-bearded psychoanalyst listening to it babble on about its problems. As silly as that seems, this picture isn't far off: a protocol analyzer's primary job is to listen while other network gear talks.
Protocol analyzers, while they have a physical and data-link connection, operate primarily on the network layer. Although some have special hardware to detect data link or physical problems, most are simply software operating on a PC with a network card that is able to run in "promiscuous" mode, that is, a NIC that is physically able to listen for frames that are destined for MAC addresses other than its own.
So, one caveat here is to not rely 100% on typical protocol analyzers to analyze data link information. Typically, the network interfaces, unless they are special purpose (just being promiscuous isn't enough), aren't beefy enough to give you good data link detail.
Here are the two basic kinds of protocol analysis tools:
Packet analyzers: Capture the actual packets on the wire and store them for later analysis. They do a certain amount of statistical analysis, but this is not their primary function.
Statistical analyzers: Their primary function is to gather quantitative data in order to report later on various statistical trends, but they typically don't store packets for later analysis.
A packet analyzer can be either standalone or distributed. Statistical analyzers are typically distributed. Like it sounds, a distributed analyzer is one that has several points of capture, with a centralized console (see Figure 21.1). Network Observer is a good example of a distributed packet analyzer. CompuWare's EcoScope is a good example of a distributed statistical analyzer. We'll discuss statistical analyzers in Hour 23, "Network Management Tools," because they are really network management tools.
Figure 21.1 A distributed analyzer setup.
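As an added example (not from this book), the following Python script models the two points above: the NIC's hardware address filter in normal versus promiscuous mode, and the difference between a packet analyzer, which stores decoded packets, and a statistical analyzer, which keeps only counts. The MAC addresses, IP addresses and frames are constructed sample data, not captured traffic.

```python
import struct
from collections import Counter

# Constructed sample data (not captured traffic): the analyzer station's own MAC
# and helpers that build Ethernet II frames and IPv4 headers byte by byte.
OWN_MAC = bytes.fromhex("001122334455")
PEER_MAC = bytes.fromhex("0a0b0c0d0e0f")
BROADCAST = b"\xff" * 6

def eth_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4_header(src_ip, dst_ip, proto, ttl=64):
    # 20-byte header, no options; checksum left at 0 for this sample
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, src_ip, dst_ip)

SAMPLE_FRAMES = [
    eth_frame(OWN_MAC, PEER_MAC, 0x0800, ipv4_header(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), 6)),
    eth_frame(bytes.fromhex("66778899aabb"), PEER_MAC, 0x0800, ipv4_header(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]), 17)),
    eth_frame(BROADCAST, PEER_MAC, 0x0806, b"\x00" * 28),  # ARP, not IP
]

def nic_accepts(frame, own_mac, promiscuous):
    """Model the NIC's hardware address filter. A normal NIC passes up only frames
    addressed to itself, to broadcast, or to a multicast group (low bit of the
    first byte set); in promiscuous mode every frame on the segment is passed up."""
    if promiscuous:
        return True
    dst = frame[0:6]
    return dst == own_mac or dst == BROADCAST or (dst[0] & 1) == 1

def decode(frame):
    """Decode the Ethernet header and, for IPv4, the network-layer header,
    returning the fields a packet analyzer would show in its summary line."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    summary = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}
    if ethertype == 0x0800 and len(frame) >= 34:
        ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
        summary.update(version=ver_ihl >> 4, ihl=(ver_ihl & 0xF) * 4, total_len=total_len,
                       ttl=ttl, proto=proto, src_ip=".".join(map(str, s)), dst_ip=".".join(map(str, d)))
    return summary

def capture(frames, own_mac, promiscuous):
    """Packet-analyzer behaviour: keep every accepted packet, decoded, for later study."""
    return [decode(f) for f in frames if nic_accepts(f, own_mac, promiscuous)]

def protocol_stats(packets):
    """Statistical-analyzer behaviour: keep only per-protocol counts, not the packets."""
    return Counter(p.get("proto", "non-ip") for p in packets)
```

Run `capture(SAMPLE_FRAMES, OWN_MAC, False)` and then with `True` to see the second frame, addressed to another station, appear only in promiscuous mode.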
TIP
If you don't own a commercial packet analyzer, but would like to get up to speed on the concepts discussed in this chapter, check out the Network Monitor that comes with Windows NT Server and Windows 2000 Server. It lives in C:\WINNT\SYSTEM32\NetMon and works either with NT Server or NT Workstation. It only captures packets to or from the station that you use it on, and it has other limitations. A full-featured version of Microsoft's Network Monitor is only available if you purchase Microsoft's SMS (Systems Management Server). Still, the free version is a good way for you to get familiar with how this stuff works.
Perhaps even better than Network Monitor is Ethereal, a freeware packet analyzer that is available for various distributions of Unix. It does not have the limitations of the standalone Network Monitor, and if you have a PC running Linux, downloading this and running it is as easy as browsing http://www.ethereal.com. Although it doesn't have some of the bells and whistles of the commercial analyzers, it's got some serious meat and potatoes: it decodes most of the major protocols out there, plus, it reads just about every major packet analyzer file format there is. For example, although I don't use Network Associates' Sniffer anymore, Ethereal is more than capable of reading my old Sniffer traces.