Ethereal, a free packet analyzer for Windows, Linux, and UNIX, is always the first tool I turn to for network-analysis tasks. However, despite Ethereal's effectiveness, cross-platform support, popularity, and price (or lack thereof), the market for commercial network-monitoring tools thrives. I recently test-drove some high-end Network Instruments equipment to see what I was missing. The big difference is that Network Instruments' Full-Duplex Probe Appliance, combined with one of the company's Copper nTAP devices, lets me monitor servers from anywhere—even over a slow link.
The Full-Duplex Probe Appliance is a 1U box running Windows XP. It comes with a 1.8GHz AMD Sempron 2600+ processor, 1GB of RAM, a network adapter for monitoring, and a second network adapter for regular network connectivity. You connect the probe's first network adapter to an nTAP device that sits between your switch and the server you want to monitor. The nTAP device sends a copy of the network signal to the probe without affecting the server's network connectivity. The probe includes Network Instruments' Observer software, which lets you perform expert analysis of your network traffic. Because the probe runs Windows XP, you can also simply install Ethereal locally if you prefer a familiar tool. If you have an additional copy of Observer, you can also view the analysis remotely with very low bandwidth usage.
The benefit of the Full-Duplex Probe Appliance is that it performs protocol analysis locally and sends only the data you want to see to your management workstation. Therefore, you can monitor devices on remote networks—even over a slow WAN link. To illustrate the differences between the functionality of Ethereal and Network Instruments, I tested three network-monitoring configurations:
Configuration 1: Ethereal Over Remote Desktop
I installed Ethereal on the server I wanted to monitor, accessed the server over the network through Remote Desktop, and started a packet capture. To measure the amount of data the monitored server sent to my local management workstation, I started a second Ethereal packet capture on the management workstation, which was located on a different network and connected via a VPN. I set the Ethereal filter on the management workstation to catch only Remote Desktop Protocol (RDP) packets between the server being monitored and my management workstation. I captured packets for 90 seconds. The resulting Ethereal file was 441KB, for a rate of 39.2Kbps. To see the data live, I had the remote instance of Ethereal set to display packets as they were captured. This meant the screen was always updating, and therefore RDP had to send more data from the server being monitored to my management workstation.
Configuration 2: Network Instruments Probe and Observer
I started Ethereal and Observer—Network Instruments' packet-analysis tool—on my management workstation. I started a packet capture on the probe through Observer and set it to show me packets as they were decoded. I set the local Ethereal filter to capture packets only between my management workstation and the probe. This captured the data being sent between my local copy of Observer and the remote copy on the probe. Ethereal captured 24KB of data in 90 seconds, for a rate of 2.1Kbps.
Configuration 3: Network Instruments Probe Using RMON
I reconfigured the probe to use Remote Monitoring (RMON), an SNMP Management Information Base (MIB) for network traffic analysis, and started monitoring by using AdventNet SNMP Utilities MIB Browser, an RMON-compliant SNMP monitoring application. I set SNMP Utilities MIB Browser to poll the probe every 5 seconds for the allHostsInPkts value. (This value doesn't include as much information as the Ethereal or Observer packet decoding but served as a useful value for testing a minimal RMON-based monitoring session.) I started the same packet capture with Ethereal, capturing only packets between my management workstation and the probe. Doing so captured the SNMP data the probe sent to SNMP Utilities. This time, Ethereal captured 44KB of data in 90 seconds, for a rate of 3.9Kbps.
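The three configurations above share one measurement method: filter a capture on the management workstation down to the monitoring traffic between two hosts, sum the captured bytes over the 90-second window, and convert to Kbps. The script below is an added example that reproduces that method over a small set of constructed packet records; it is not the article's data or any Network Instruments code. The IP addresses are hypothetical RFC 5737 documentation addresses, the RDP and SNMP ports are the standard 3389 and 161, and OBSERVER_PORT is a placeholder because the page does not state which port Observer's session with the probe uses.

```python
"""Bandwidth accounting for a remote packet-monitoring session (added example).

Replicates the article's method: keep only the packets exchanged between the
management workstation and the device doing the monitoring, total their bytes,
and express that over the capture window in Kbps (KB = 1024 bytes).
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Hypothetical documentation addresses for the three roles in the test.
MGMT = "198.51.100.10"   # management workstation (local end of the VPN)
SERVER = "192.0.2.20"    # monitored server running Ethereal (configuration 1)
PROBE = "192.0.2.30"     # Full-Duplex Probe Appliance (configurations 2 and 3)

RDP_PORT = 3389          # Remote Desktop Protocol
SNMP_PORT = 161          # SNMP get/response used for the RMON polling
OBSERVER_PORT = 9999     # placeholder: Observer's real port is not given on the page


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp in seconds
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    length: int     # frame length in bytes


def between(pkt: Packet, a: str, b: str) -> bool:
    """True when the packet travels between hosts a and b in either direction."""
    return {pkt.src, pkt.dst} == {a, b}


def on_port(pkt: Packet, proto: str, port: int) -> bool:
    """True when the packet uses the given transport protocol and port on either end."""
    return pkt.proto == proto and port in (pkt.sport, pkt.dport)


def rdp_between_server_and_mgmt(pkt: Packet) -> bool:
    """Configuration 1 filter: RDP between the monitored server and the workstation."""
    return between(pkt, SERVER, MGMT) and on_port(pkt, "tcp", RDP_PORT)


def observer_between_probe_and_mgmt(pkt: Packet) -> bool:
    """Configuration 2 filter: Observer's session with the probe (placeholder port)."""
    return between(pkt, PROBE, MGMT) and on_port(pkt, "tcp", OBSERVER_PORT)


def snmp_between_probe_and_mgmt(pkt: Packet) -> bool:
    """Configuration 3 filter: SNMP polling of the probe's RMON MIB."""
    return between(pkt, PROBE, MGMT) and on_port(pkt, "udp", SNMP_PORT)


def rate_kbps(total_bytes: int, window_seconds: float) -> float:
    """Kbps as the article reports it: 1 KB = 1024 bytes, 1 Kb = 1024 bits."""
    return total_bytes * 8 / 1024 / window_seconds


def measure(packets: Iterable[Packet], keep: Callable[[Packet], bool],
            window_seconds: float) -> Dict[str, float]:
    """Apply one capture filter and summarise packets, bytes and rate."""
    kept = [p for p in packets if keep(p)]
    total = sum(p.length for p in kept)
    return {"packets": len(kept), "bytes": total, "kbps": rate_kbps(total, window_seconds)}


# Constructed sample capture: a few RDP frames, two Observer frames, two SNMP
# poll/response pairs, and two unrelated packets that every filter must drop.
SAMPLE: List[Packet] = [
    Packet(0.00, SERVER, MGMT, "tcp", RDP_PORT, 51000, 1514),
    Packet(0.10, MGMT, PROBE, "udp", 53000, SNMP_PORT, 90),       # GetRequest
    Packet(0.15, PROBE, MGMT, "udp", SNMP_PORT, 53000, 110),      # GetResponse
    Packet(0.30, PROBE, MGMT, "tcp", OBSERVER_PORT, 52000, 200),
    Packet(0.50, MGMT, SERVER, "tcp", 51000, RDP_PORT, 60),
    Packet(0.70, SERVER, "192.0.2.40", "tcp", 445, 53500, 1000),  # unrelated SMB
    Packet(1.00, SERVER, MGMT, "tcp", RDP_PORT, 51000, 1514),
    Packet(1.10, MGMT, PROBE, "tcp", 52000, OBSERVER_PORT, 60),
    Packet(1.20, SERVER, MGMT, "tcp", RDP_PORT, 51000, 812),
    Packet(2.00, MGMT, "203.0.113.1", "udp", 54000, 53, 70),      # unrelated DNS
    Packet(5.10, MGMT, PROBE, "udp", 53000, SNMP_PORT, 90),       # next 5 s poll
    Packet(5.15, PROBE, MGMT, "udp", SNMP_PORT, 53000, 110),
]


def compare_configurations(packets: Iterable[Packet],
                           window_seconds: float = 90.0) -> Dict[str, Dict[str, float]]:
    """Run all three filters over one capture with the article's 90 s window."""
    pkts = list(packets)
    return {
        "rdp": measure(pkts, rdp_between_server_and_mgmt, window_seconds),
        "observer": measure(pkts, observer_between_probe_and_mgmt, window_seconds),
        "rmon_snmp": measure(pkts, snmp_between_probe_and_mgmt, window_seconds),
    }


if __name__ == "__main__":
    for name, r in compare_configurations(SAMPLE).items():
        print(f"{name:10s} {r['packets']:3d} packets {r['bytes']:6d} bytes {r['kbps']:.3f} Kbps")
```

Feeding rate_kbps the article's own figures (441KB, 24KB and 44KB over 90 seconds) reproduces its 39.2, 2.1 and 3.9Kbps, which confirms the KB-to-Kbps convention the review uses. The per-host-pair filters are the programmatic equivalent of the Ethereal capture filters the text describes, so the same script can be pointed at a real capture once the records are read from a file.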
At 39Kbps, using one instance of Ethereal over a WAN link isn't unthinkable. Using either SNMP or Observer's proprietary protocol, though, I measured less than one tenth of the traffic that Remote Desktop produced. If your WAN link is already busy with other traffic or you need to monitor multiple subnets, the probe-based solutions can cut down on the bandwidth necessary to perform the task.
Network Instruments hardware is also designed to capture and analyze all packets, even under heavy load. I didn't test loads heavy enough to cause Ethereal to lose packets, so I couldn't verify or dispute this claim. However, if you simply use a dedicated monitoring workstation, be conscious of its hardware requirements, and remember that you'll need your packet analyzer most when a heavy load is slowing down your network.
It might take a large network to justify the price of a Network Instruments probe and nTAP devices for all your servers, but the solution provides an impressive and reliable way to keep tabs on traffic, with easy configuration and zero impact on your servers and switches.