On the need-to-improve side, Observer's main UI is overly busy because it attempts to provide as much functionality as possible in one window. The window is a little crunched, tabs obscure one another somewhat, and the overall picture can be a bit daunting to new users. Also, when I changed malware filters, the window often resized itself, thereby undoing my custom settings. Despite these minor imperfections, Observer is a solid standalone performer and an obvious choice for distributed-networking environments with a wide range of needs.
Sunbelt Software's LanHound
Although Sunbelt Software might be best known for its iHateSpam product, the vendor provides many other useful products. Sunbelt Software markets LanHound specifically as a low-cost choice that provides many of the basic features that most network administrators need in a protocol analyzer. LanHound consists of two products: an administrative console and a remote packet-capturing agent (the console also captures packets). LanHound runs on any platform with Win98 or later installed, except for Windows 2003.
LanHound has an easy-to-use GUI, which Figure 7 shows, with most of the features you expect in a protocol analyzer, including capture filtering, name lookups, alarms, triggers, and a host of display reports. The alarm feature is limited; it notifies you only when a protocol session, such as FTP or POP, sends unencrypted passwords. LanHound provides little other expert analysis beyond the alarm feature. Reports include histograms, host tables, packet summaries, and traffic matrixes. As with other analyzer products, you can slice and dice the analysis data that LanHound provides just about any way you want, including as bar graphs and pie charts. I was surprised to find that LanHound can manipulate and replay captured traffic back over the network, a feature that isn't always available in lower-end products.
Overall, I was pleased with LanHound's feature set, although as I expected, its decoding wasn't as strong and detailed across most protocols as that of competing products. For example, packet details are displayed in hex by default instead of in easier-to-read ASCII, which can make reading traffic such as HTTP difficult. LanHound's Server Message Block (SMB) traffic decoding was rather good, but the product completely missed identifying Exchange, RDP, and many other default Windows protocols. Like some other products I reviewed, LanHound missed classifying well-known protocols running over nondefault ports. LanHound is a low-end protocol analyzer that provides all the basics plus traffic replaying, but it lacks the decode support of other products in this review.
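Two of the points above, the cleartext-password alarm and the failure to recognize well-known protocols on nondefault ports, come down to whether the analyzer classifies traffic by port number or by what the bytes look like. The following is an added example, not code from the review or from any of the products it covers: a small content-based classifier for FTP, POP3 and HTTP that ignores the destination port, plus the kind of alarm LanHound raises when a credential crosses the wire unencrypted (FTP and POP3 USER/PASS, HTTP Basic authentication). All flows, hosts and credentials are constructed for the example.

```python
"""Content-based protocol classification with a cleartext-credential alarm.
Added example; the sample flows below are constructed, not captured."""
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Flow:
    """One TCP conversation: server port plus payloads in arrival order."""
    dst_port: int
    messages: List[Tuple[str, bytes]]  # ("c2s" or "s2c", payload)


# Port-only lookup: the approach that misses services moved to nondefault ports.
WELL_KNOWN_PORTS = {21: "ftp", 80: "http", 110: "pop3"}


def classify_by_port(flow: Flow) -> str:
    return WELL_KNOWN_PORTS.get(flow.dst_port, "unknown")


_HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
_USER_PASS = re.compile(rb"^(USER|PASS) (.*)$", re.I)
_BASIC_AUTH = re.compile(rb"^Authorization: Basic (\S+)$", re.I)


def _first(flow: Flow, direction: str) -> bytes:
    return next((p for d, p in flow.messages if d == direction), b"")


def classify_by_content(flow: Flow) -> str:
    """Identify the protocol from the first bytes each side sends, ignoring the port."""
    c2s, s2c = _first(flow, "c2s"), _first(flow, "s2c")
    if _HTTP_REQUEST.match(c2s):
        return "http"
    if s2c.startswith(b"+OK"):  # POP3 greeting
        return "pop3"
    # A "220" greeting answered with USER/PASS is FTP. (SMTP also greets with
    # 220, but its clients open with HELO/EHLO; SMTP is outside this small set.)
    if s2c.startswith(b"220") and _USER_PASS.match(c2s):
        return "ftp"
    return "unknown"


def cleartext_credentials(flow: Flow, proto: str) -> List[Tuple[str, str, str]]:
    """Return (protocol, username, password) for each credential sent in the clear."""
    found = []
    client_lines = [line for d, p in flow.messages if d == "c2s"
                    for line in p.split(b"\r\n")]
    if proto in ("ftp", "pop3"):
        user = ""
        for line in client_lines:
            m = _USER_PASS.match(line)
            if not m:
                continue
            cmd, arg = m.group(1).upper(), m.group(2).decode("ascii", "replace")
            if cmd == b"USER":
                user = arg
            else:  # PASS: the password itself is on the wire
                found.append((proto, user, arg))
    elif proto == "http":
        for line in client_lines:
            m = _BASIC_AUTH.match(line)
            if not m:
                continue
            try:  # Basic auth is only base64, not encryption
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:  # malformed base64: nothing to report
                continue
            user, _, password = decoded.partition(":")
            found.append((proto, user, password))
    return found


def audit(flows: List[Flow]) -> List[dict]:
    """Per-flow comparison of port-based and content-based classification, with alarms."""
    report = []
    for f in flows:
        proto = classify_by_content(f)
        report.append({"port": f.dst_port, "by_port": classify_by_port(f),
                       "by_content": proto, "alarms": cleartext_credentials(f, proto)})
    return report


# Constructed sample traffic (hosts and credentials are invented for this example).
SAMPLE_FLOWS = [
    Flow(2121, [("s2c", b"220 files.example FTP ready\r\n"),      # FTP on a nondefault port
                ("c2s", b"USER alice\r\n"),
                ("s2c", b"331 Password required\r\n"),
                ("c2s", b"PASS s3cret\r\n")]),
    Flow(110, [("s2c", b"+OK POP3 ready\r\n"),
               ("c2s", b"USER bob\r\nPASS hunter2\r\n")]),
    Flow(8080, [("c2s", b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                        b"Authorization: Basic " + base64.b64encode(b"carol:password1")
                        + b"\r\n\r\n")]),                         # HTTP on a nondefault port
    Flow(80, [("c2s", b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n")]),  # no credential
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_FLOWS):
        print(entry)
```

Run as-is, the FTP flow on port 2121 and the HTTP flow on port 8080 come back "unknown" from the port lookup but are classified correctly from their payloads, and the first three flows each produce one cleartext-credential alarm. The same idea, applied across a real analyzer's whole decoder set, is what separates the products that recognized traffic on nondefault ports from those that did not.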
WildPackets' EtherPeek
WildPackets' product line includes protocol analyzers for a range of needs. EtherPeek is geared toward small-to-midsized businesses. I reviewed the NX 2.1 version of the product ("NX" means it provides expert analysis). EtherPeek offers a variation on the typical contents of the three-pane protocol analyzer window by providing a dashboard and a log window in two bottom panes, as Figure 8 shows. EtherPeek's UI is a bit softer on the eyes than the UIs of the other products and contains more default color differentiation. Although the purely technical side of me hated to admit it, EtherPeek's use of color does make analyzing protocols easier. Most other analyzers let you color-code packets, but EtherPeek does this automatically and thoughtfully. EtherPeek has the best UI, in terms of form and natural workflow, among the competitors.
Although EtherPeek is meant for smaller networks, it doesn't skimp on features. The product displays captured packets in real time by default (real-time display is turned off by default in most products because it affects performance), and still the display seems crisp and responsive. I didn't test EtherPeek under high network-utilization loads, but I'd be interested to see the results for display performance. Conventional wisdom says that the great-looking real-time interface, use of color, and default name resolution will slow the product down under larger packet loads, but you can disable these features if performance suffers. EtherPeek, like the other products in this review, can open multiple capture windows at the same time, each capturing from a different interface or focusing on different traffic. For instance, you could capture IP traffic in one window, IPX in another, and RMON input in a third (with the help of WildPackets' RMONGrabber add-on).
EtherPeek decodes hundreds of protocols, and I found most of the decodes to be accurate. Netasyst Network Analyzer and Observer gave a few more decode details for several protocols, but EtherPeek held its own in most areas. The product showed TCP flags and whether they were on or off but not what they meant in practical terms. Similarly, EtherPeek noted that HTTP data was being downloaded but not that it was graphical. And just when I started to think that EtherPeek was a second-place product, I discovered that it recognized IM, Kerberos, and VoIP traffic correctly and surpassed some of its better-known competitors. In fact, on the network and application layers, EtherPeek came in just behind Netasyst Network Analyzer in its reporting capabilities. EtherPeek noted DNS errors, slow servers, POP logon errors, and unreachable hosts. Well-placed icons made these errors easy to notice. Unfortunately, making errors easy to see can be problematic. My EtherPeek testing revealed numerous bad TCP checksum false-positive errors, but WildPackets has promised to fix this problem soon.
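The bad-checksum errors mentioned above are worth understanding before trusting or dismissing them. The following is an added example, not code from the review or from WildPackets, showing what an analyzer computes when it verifies a TCP checksum: the one's-complement sum over the IPv4 pseudo-header, TCP header and payload, compared against the value stored in the segment. A common reason such reports turn out to be false positives is a capture taken on the sending host with checksum offload enabled, so the checksum field is still zero at the capture point and only the NIC fills it in; the review does not say whether that was the cause here. The packet fields (addresses, ports, payload) are constructed for the example.

```python
"""TCP checksum computation and verification, as an analyzer performs it.
Added example; the packet below is constructed, not captured."""
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP header and payload.
    The segment's own checksum field must already be zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_port, dst_port, seq, ack, flags, window, payload,
                  src_ip, dst_ip, fill_checksum=True) -> bytes:
    """Minimal 20-byte TCP header (no options) plus payload. fill_checksum=False
    leaves the field zero, which is what a capture shows when it is taken
    before the NIC has computed the checksum (checksum offload)."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         5 << 4, flags, window, 0, 0)
    segment = header + payload
    if fill_checksum:
        csum = tcp_checksum(src_ip, dst_ip, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    return segment


def stored_checksum(segment: bytes) -> int:
    """The checksum field as it appears on the wire (bytes 16-17 of the header)."""
    return struct.unpack("!H", segment[16:18])[0]


def verify_tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Recompute with the checksum field zeroed and compare with the stored value."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == stored_checksum(segment)


# Constructed packet: 10.0.0.5:40000 -> 10.0.0.9:80, PSH|ACK, short HTTP request.
SRC_IP = bytes([10, 0, 0, 5])
DST_IP = bytes([10, 0, 0, 9])
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
GOOD = build_segment(40000, 80, 0x1000, 0, 0x18, 8192, PAYLOAD, SRC_IP, DST_IP)
UNFILLED = build_segment(40000, 80, 0x1000, 0, 0x18, 8192, PAYLOAD, SRC_IP, DST_IP,
                         fill_checksum=False)
CORRUPTED = GOOD[:25] + bytes([GOOD[25] ^ 0x01]) + GOOD[26:]  # flip one payload bit

if __name__ == "__main__":
    print("stored checksum: 0x%04X" % stored_checksum(GOOD))
    for name, seg in (("good", GOOD), ("unfilled", UNFILLED), ("corrupted", CORRUPTED)):
        verdict = "verifies" if verify_tcp_checksum(SRC_IP, DST_IP, seg) else "BAD checksum"
        print("%-9s %s" % (name, verdict))
```

For this constructed packet the computed checksum is 0xF07C. The good segment verifies, the bit-flipped copy fails as it should, and the copy whose field was never filled in also fails, even though nothing about its contents is wrong. When an analyzer reports bad checksums only on segments leaving the capturing host, and the stored field reads zero, the latter case is the one to suspect.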
Randall Ader July 06, 2004