Sniffing Out the Latest EtherPeek

For the majority of network troubleshooting issues, software products such as AG Group Inc.'s EtherPeek are a boon to productivity without the costs associated with a hardware tool. This review focuses on the use of EtherPeek as a software-based sniffer. We’ve previously looked at earlier versions of the product, so this review will also show how the product has matured in the world of software-based sniffer tools.

The Test Platform

We reasoned that more network administrators use laptop computers for administration than in the past. To check the mobility of the product, we loaded EtherPeek on a Dell Inspiron 7000 with a Pentium II 400-MHz processor, 192 MB of SDRAM and an ATI Rage 8 MB video adapter. The connection to the network was made via a 3Com 3C575 10/100 auto-sensing PC Card. The laptop was running Microsoft Corp.'s Windows NT Workstation 4.0 with Service Pack 4 installed.

EtherPeek comes on a CD-ROM that is easy to install. The product occupies barely over 4 MB of disk space once installed, and does not use excessive amounts of CPU time when doing its job. We manually copied the PDF files to the laptop so we could have the help and advanced documentation present as we worked. In total, the product was installed and brought into active use in less than five minutes.

Operation

Using EtherPeek has gotten easier and sweeter with the newer version. We have previous experience with Network Associates Inc.’s (NAI) Sniffer Pro, which is a great product, as well. Many comparisons we’ll make are head-to-head with the NAI product.

One of the most important uses for any sniffer is to decode packets and to understand the source and destination for any packet. In many situations, excessive traffic between two or more locations will be the reason for sniffing the networks or for decoding packets. When we started the product, it immediately started watching the network for any activity. It compiled statistics, collated the IP addresses and protocols seen, and began to provide a picture of the network’s activity. We then opened one of the sessions to examine the high level of Web activity to see what was happening on the network.

The gathered data showed that HTTP was the dominant protocol in use, and that only three sites were involved in 65 percent of all HTTP traffic flowing across the network. Double-clicking on the protocol brought up a window displaying which IP addresses were running HTTP sessions. We quickly found the subject of the search: a user who was downloading music files from a Web site and clogging up the Internet circuit.

Similarly, we were able to quickly look at other forms of traffic, such as the Open Shortest Path First (OSPF) routing protocol, to see which routers were participating in OSPF HELLO exchanges. This was an unexpected pleasure to find, and also a great feature for network engineers who must quickly find network routing problems. We had once seen intermittent RIP issues, and EtherPeek provided unexpected insight into that hidden problem.

We then used its tools for reporting and resolving names found during the protocol sessions. These reports then collated the number of sessions, and allowed us to sort the data by top talkers, bytes sent or received, and the time spent in the conversations. We found much use for this function to quickly see what groups of users were spending the most time on the Internet, or processing the most traffic.
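The protocol breakdown, top-talker ranking and per-site HTTP share described above, as an added Python example (not EtherPeek code): it aggregates constructed per-packet records by protocol and by host, then ranks remote HTTP sites by bytes. All addresses and the 10.0.0.0/24 local prefix are assumed sample values.

```python
from collections import defaultdict

# Constructed packet summaries (src_ip, dst_ip, protocol, frame_bytes); invented sample values.
PACKETS = [
    ("10.0.0.12", "198.51.100.7", "HTTP", 100),
    ("198.51.100.7", "10.0.0.12", "HTTP", 1500),
    ("198.51.100.7", "10.0.0.12", "HTTP", 1500),
    ("198.51.100.7", "10.0.0.12", "HTTP", 1500),
    ("10.0.0.31", "203.0.113.5", "HTTP", 100),
    ("203.0.113.5", "10.0.0.31", "HTTP", 800),
    ("10.0.0.44", "192.0.2.9", "HTTP", 100),
    ("192.0.2.9", "10.0.0.44", "HTTP", 500),
    ("10.0.0.44", "192.0.2.20", "HTTP", 100),
    ("192.0.2.20", "10.0.0.44", "HTTP", 300),
    ("10.0.0.12", "10.0.0.1", "DNS", 60),
    ("10.0.0.1", "10.0.0.12", "DNS", 140),
    ("10.0.0.1", "224.0.0.5", "OSPF", 80),  # OSPF HELLO to the AllSPFRouters group
]
LOCAL_PREFIX = "10.0.0."  # assumed local subnet; any other address is a remote site

def protocol_share(packets):
    """Percent of captured bytes carried by each protocol, largest first."""
    total = sum(p[3] for p in packets)
    by_proto = defaultdict(int)
    for _, _, proto, length in packets:
        by_proto[proto] += length
    shares = [(p, round(100.0 * b / total, 1)) for p, b in by_proto.items()]
    return sorted(shares, key=lambda s: (-s[1], s[0]))

def top_talkers(packets, n=3, protocol=None):
    """Hosts ranked by bytes sent + received as (host, sent, received, total)."""
    sent, recv = defaultdict(int), defaultdict(int)
    for src, dst, proto, length in packets:
        if protocol is None or proto == protocol:
            sent[src] += length
            recv[dst] += length
    rows = [(h, sent[h], recv[h], sent[h] + recv[h]) for h in set(sent) | set(recv)]
    return sorted(rows, key=lambda r: (-r[3], r[0]))[:n]

def remote_site_share(packets, protocol="HTTP", n=3):
    """Bytes per remote site for one protocol, plus the top-n sites' combined percent."""
    by_site = defaultdict(int)
    for src, dst, proto, length in packets:
        if proto == protocol:
            site = dst if src.startswith(LOCAL_PREFIX) else src  # the non-local peer
            by_site[site] += length
    ranked = sorted(by_site.items(), key=lambda s: (-s[1], s[0]))[:n]
    total = sum(by_site.values())
    return ranked, round(100.0 * sum(b for _, b in ranked) / total, 1)
```

Running `top_talkers(PACKETS)` on this sample surfaces 10.0.0.12 as the heaviest host, the same kind of single-user hot spot the review tracked down.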

The product has noticeably matured over the years and versions. We never expected EtherPeek to replace a hardware sniffer, but it provides tools and actions along with similarly superb reporting that rivals what the big sniffers do as a normal course of action. The price seems a bit high, but we found the usefulness of EtherPeek outweighs the concerns of its cost. When you consider the cost of a hardware sniffer, or of a consultant that needs to troubleshoot your network, EtherPeek is a definite plus in the network troubleshooting column.

[Infobox]

EtherPeek 4.0
AG Group Inc., Walnut Creek, Calif.
(800) 466-2447
www.aggroup.com

Price:
Suggested retail is $995, but can be found for less.

Pros/Cons:

+ Vastly improved interface

+ Excellent packet decoders

+ Low hardware requirements, thus suitable for laptop use

- Somewhat high price

- WAN connectivity testing would be a plus