EtherPeek 4.0.1 for Windows

Proactively manage your network

When the network is down, no one is the focus of more attention than the network manager. Because companies rely on computer networks for day-to-day business operations and revenue, downtime can be costly, so tools that minimize or prevent downtime are valuable. AG Group's EtherPeek 4.0.1 for Windows is a software-based network- and protocol-analysis tool. EtherPeek helps network managers configure, manage, and troubleshoot Ethernet networks by monitoring and capturing network traffic and simplifying traffic analysis.

To test EtherPeek's features, I installed it on a custom-built 466MHz Intel Celeron-equipped PC that had 128MB of RAM and ran Windows NT Workstation 4.0 with Service Pack 6 (SP6). A D-Link DFE-530TX PCI Fast Ethernet adapter connected the PC to the network.

Installing EtherPeek was a snap: The software came on a CD-ROM and presented me with a menu of options that included installing EtherPeek, installing AGNetTools (a suite of TCP/IP troubleshooting utilities that include Ping, Ping Scan, Trace Route, Name Lookup, Name Scan, Port Scan, Service Scan, Finger, Whois, and Throughput), and viewing documentation. During the installation, the software prompted me for user information and the product's serial number. After the required reboot, I launched EtherPeek, which prompted me to specify a network adapter for network monitoring.

I initially connected my system directly to a network switch that didn't provide port-mirroring capabilities. In this setup, EtherPeek can see only network traffic destined for or generated by my PC. The EtherPeek manual presented several options for monitoring switched-network environments. I chose to connect my monitoring PC to a 10Base-T hub; I then connected a hub-based branch of the Windows 2000 Magazine Lab network to the 10Base-T hub. With my monitoring PC connected to a hub-based network, EtherPeek could report statistics for all the devices attached to my Ethernet segment.

I referred to the product's hard-copy manual and the online documentation several times throughout my tests. The printed manual contains a 10-page section that outlines the basics of packets and protocols and how EtherPeek interprets them. After reading this section, I was ready to dive in and test the product.

EtherPeek's main program window contains menus for all of EtherPeek's operations. Each statistics monitor and packet-capture operation appears in a separate section of the main window. I opened a window for each category that the Statistics menu offers.

Statistics Monitoring
EtherPeek's Statistics menu lets you monitor network traffic in the following categories: History, Nodes, Protocols, Conversations, Network, Error, Size, and Summary. The History window displays statistics in a user-selectable graphic format. You can choose to view a bar, area, or line graph of overall network utilization or of the bytes per second or packets per second sent over the network.

The Nodes window displays a table of all the nodes in your network segment and their corresponding utilization statistics. For each node, the table showed the media access control (MAC) and IP address, the byte total, the packet total, and the node's overall network-utilization percentages for inbound and outbound traffic.

The Protocols window, which uses AG Group's ProtoSpecs technology to organize all the protocols into an expandable tree format, provides an example of EtherPeek's user-friendly functionality. As Figure 1 shows, the Protocols window enumerates in table format all the protocols on the network. For each protocol listed, the table displays the total network-utilization percentage, total bytes, and total packets. You can access a description of any protocol by right-clicking the protocol in the treeview and selecting Protocol Info.

The Conversations window outlines in table format all conversations between devices on the network. For each conversation, the table displays the source and destination nodes, which protocol the conversation used, and the conversation's total bytes and total packets.

The Network window displays realtime information about network traffic as a percentage of total network capacity and as packets per second. EtherPeek uses speedometer-type gauges to display this information.

The Error window also uses a gauge to represent statistics. This window provides numbers for cyclical redundancy check (CRC), frame-alignment, and runt- and oversize-packet errors.

The Size window displays a chart that represents the number of packets per packet-size range. You can display this packet-distribution information in a bar or pie chart.

The Summary window shows detailed realtime network statistics in table format. You can arrange the table's columns in ascending or descending order by clicking the column headings. You can also save table data to a delimited text file for use in a reporting or data-logging application. A snapshot feature lets you save statistics for later comparison.

One of EtherPeek's most useful features is its ability to log statistics directly to an HTML file. You can log statistics captured in the Nodes, Protocols, Conversations, and Summary windows. From the main window's Statistics menu, I selected Statistics Output. In the resulting window, I configured the HTML output frequency and accepted the default path. EtherPeek wrote four HTML files, each of which provided a report that included neatly arranged statistics.

Capturing and Analyzing Packets
In addition to monitoring statistics, EtherPeek offers packet-capturing operations. Packet captures let you see the nuts and bolts of packets on your network. To start a packet capture from EtherPeek's main user interface (UI), select New from the File menu, then Start Capture from the Capture menu. The software can run multiple packet captures simultaneously and opens a separate window for each capture.

When I started a new packet capture, the software presented me with the Capture Buffer Options dialog box, which offers several configuration choices. I left the default selections, clicked OK, then clicked Start Capture in the resulting capture window. The first thing I noticed was that the software didn't take long to fill the default 4096KB buffer with captured packets. After the buffer reached capacity, the software stopped the capture. To ensure that you capture the data you want, EtherPeek offers several file-saving and buffering schemes that you can tailor for different packet-capture scenarios. To test this feature, I configured a continuous capture that used a 10MB buffer. I directed EtherPeek to write the buffer to disk until the capture files filled 100MB of disk space. EtherPeek saved each capture file with a filename that indicated what time the software saved the file to disk.

As the software captures the data, you can view captured packets in realtime from the capture buffer or save the data to a file to view later. To view the data from different perspectives, you use tabs at the bottom of the capture window that separate the data into the following categories: Packets, Nodes, Protocols, Conversations, Size, Summary, History, Log, and Filters. These views provide the same information that the Network Statistics window provides, similarly formatted.

A key benefit of capturing packet data from the network is the ability to gather only the necessary information and analyze that data to resolve a problem. EtherPeek's easy-to-use filtering and selection mechanisms help you locate meaningful data. For example, I used the software to search a capture file that contained more than 10,000 captured packets. I was looking for packets from one SMTP mail message. On the Filters tab, EtherPeek provides an SMTP filter whose criteria include packets that use TCP port 25. Applying the filter to the capture data narrowed the number of packets from 10,000 to 44. From those packets, I found one that originated on the PC whose email session I wanted to view. I highlighted the packet and selected Select Related Packets from the capture window's Edit menu. EtherPeek then formulated and applied a set of selection criteria based on the highlighted packet. The resulting dialog box reported that 22 packets met the criteria and selected those 22 packets. The software let me hide the selected packets or the unselected packets. I hid the unselected packets so that I could view only the packets of interest.

After I used the filter to narrow the number of packets to a manageable level, I double-clicked the first packet in the list. The resulting Packet Decode window displayed information about the packet in two panes: Packet Decode view and Raw Data view. When I clicked a section of data in either view, the software highlighted the corresponding representation of that data in the other view. For example, as Figure 2 shows, clicking on the SMTP Command branch in the Packet Decode view caused EtherPeek to highlight the RCPT TO command in the Raw Data view.

Using Plugins, Notifications, and Triggers
To analyze network packets, you can use EtherPeek's plugins, which are interpreters that translate cryptic hexadecimal packet data into meaningful, easily understood information. EtherPeek 4.0.1 includes 13 plugins that provide specific information about packets. The software uses these plugins globally, so they analyze any packets that EtherPeek monitors, captures, or stores. From the Tools menu's Plugins option, you can enable or disable individual plugins and select plugins' reporting and notification settings. To develop custom plugins, you can use the plugins software development kit (SDK) that EtherPeek's CD-ROM includes.

Plugins can also generate events (i.e., network anomalies that might require your attention), and you can customize the way EtherPeek notifies you about these abnormalities. The software offers four levels of event severity: Informational, Minor, Major, and Severe. For each level, you can select one or more of the four types of notification: log, email, execute, and page. If you select log notification, the software writes the event information to EtherPeek's text log file. For email notification, EtherPeek sends you (through an SMTP server) an email message that contains the event information. You can also configure the software to launch an executable file when an event occurs. If you require paging-notification functionality, you must purchase Mark/Space's PageNOW! software, which costs about $90. This product is the only third-party Windows paging server application that supports EtherPeek's paging capabilities. I tested the log, email, and execute notification methods, and they worked as I expected.

You can also set triggers to generate events as well as automatically stop and start packet captures. When you set up a trigger, you specify the level of severity and the type of notification that the software will send when the specified event happens. You can base a trigger on a set time or a network event, and you can set a trigger to stop capturing data after a certain event has occurred to ensure that the software doesn't overwrite the suspect packets in a continuous capture. This flexibility and the ability to send notifications make triggers a useful tool for troubleshooting network anomalies. As a test, I set up a trigger that passively monitored packets until it found an Internet Control Message Protocol (ICMP) packet. When it discovered an ICMP packet, the trigger began capturing all packets and emailed me a Severe-level event notification.

Additional Features and Utilities
In addition to reporting statistics and capturing and analyzing packets, EtherPeek lets you send an individual packet once or repeatedly over the network for troubleshooting and diagnostic purposes. To tell the software to resend a packet, select the Set Send Packet option from the Send menu and click the Send Packet option. I used this feature to generate errors on my network. I selected a packet from my capture results, clicked the Send menu, and clicked Edit Send Packet. In the Edit Send Packet window, I altered the size of and CRC data within the packet, then used the Set Send Packet option to retransmit the corrupted packet. I used this process to test the product's ability to detect and report errors.

EtherPeek can capture CRC, frame-alignment, runt-, and oversize packet errors. To use packet capture, the capture PC must have a custom driver that AG Group has written for a select group of NICs. At the time of this review, AG Group is dropping support for old ISA NE2000-compatible cards and adding support for faster cards that are based on more modern chipsets. In my tests, I used a prerelease version of an AG Group driver that the company developed for NICs that are based on the Digital/Intel DC21X4 chip.

To make the lists of individual nodes more meaningful, EtherPeek can display real node names instead of IP and MAC addresses. The software can resolve names through DNS or passive name resolution (i.e., the software examines incoming packets for symbolic names, then adds them to the name table) or through manual name table entry. EtherPeek includes separate vendor and protocol ID tables, which you can import into the main name table. After I imported the vendor ID table, the software replaced the vendor-specific portion of each MAC address in my Statistics and Capture windows with the vendor's name.

EtherPeek's Find Pattern utility lets you search packets to find occurrences of user-specified data. You can search packet ASCII data, packet hex data, packet list headers, and decoded text.

Proactive Network Management
EtherPeek provides many useful features; however, I would have liked more reporting features. Simple reports (e.g., reports about top bandwidth users or top error sources) would be a useful addition. Support for more NICs that enable error-packet capturing would make the product easier to implement. In addition, in a switched Ethernet environment, you might want to verify whether your switches can mirror ports before you purchase a network-monitoring device. If your switches don't provide mirrored-port support, a network-monitoring device will see only the traffic destined to or emanating from itself.

Overall, EtherPeek's robust and easy-to-use features simplify network management and promote proactive administration for both new and experienced administrators. For companies in which network downtime equals revenue loss, EtherPeek is an effective solution at an attractive price.

EtherPeek 4.0.1 for Windows
Contact: AG Group * 925-937-7900 or 800-466-2447
Price: $995
Decision Summary:
Pros: Simplifies complex troubleshooting tasks; uses HTML output of statistics; facilitates remote monitoring
Cons: Provides minimal hardware support for error packet capture; offers no built-in reporting functionality; might not work well in some switched network environments
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.