Protocol analyzers are about to work much better in switched networks.
Network Associates will expand its Sniffer product line to monitor switches so net administrators can get traffic statistics across a switch's ports, detect configuration problems in virtual LANs, and track problems between switches and desktop machines. Network Associates is expected to lay out its full product strategy in coming weeks.
The products will come on the heels of Network Instruments' announcement last week of Version 6.0 of its Windows-based Observer protocol analyzer, which has been updated to gather data from specific switch ports and to collect statistics from an entire switch.
"One of the more difficult things to diagnose is a switch," says Rick Nelson, president of the Palatine, Ill., Network Diagnostic Clinic, which remotely monitors networks for libraries and schools. He is looking forward to using Observer to count errors and to catch problems that might occur over time through a switch.
No buzz
Although there's not much industry buzz about them today, protocol analyzers have long been a staple of network managers' tool kits, helping net managers zero in on trouble spots. But analyzers were originally designed for shared networks, picking up and examining all traffic as it is broadcast across a shared wire.
LAN switches break shared networks into segments, and traffic is only broadcast over a particular segment. This is a benefit of switches because it cuts down on the overall noise and devotes more bandwidth to each endstation.
A protocol analyzer, however, can usually hear traffic only on the segment to which it's connected, so it can't get the total picture of what's happening through the switch. If there is only one endstation on a segment, such as on a desktop switch, the analyzer can see even less. Finding which endstations are wreaking havoc on the network, or pinpointing congestion problems, is more difficult.
In the past, vendors have recommended that during a test users set their switches to promiscuous mode, which sends all Ethernet frames to all ports on the switch. This way, the analyzer can see all traffic. But this isn't a measurement of real-world switch conditions, and the benefit of the switch is eliminated if such a test is prolonged. AG Group, which makes the EtherPeek protocol analyzer, still recommends this approach.
Another technique is port mirroring, which copies traffic going through one port to a port where a protocol analyzer resides. But this approach limits the analyzer's view to one segment at a time.
Sniff this
Network Associates of Santa Clara, Calif., is preparing a slew of product improvements to deal with switches. The improvements will be made in the company's portable hardware/software Sniffer analyzer that plugs into a network, and its Distributed Sniffer, which uses servers throughout a network to report back to a central software-based console.
The company soon will unveil Versions 2.5 of its portable and distributed Sniffer protocol analyzers, which discover VLAN configurations in a switch and detect problems in the configuration. These capabilities are specific to certain switches, however. The new versions will support products in the Cisco Catalyst 5000, 5500 and 2900 series. Network Associates expects versions due out later this year to support Nortel Networks and 3Com gear.
Distributed Sniffer 3.0, due out by the end of June, will let network managers set thresholds for traffic levels through a switch port. When a threshold is reached, Sniffer will be able to take the traffic going through that port, mirror it to the port with the analyzer on it and alert a help desk.
Separately, Network Instruments has released a version of its PC-based Observer product that uses a technique it calls "port looping" to gather statistics through an entire switch. The product uses port mirroring to look at each port on the switch for only a short time.
By sampling traffic through each port, one at a time, Observer can build statistics about traffic through the switch that are fairly accurate, says Douglas Smith, president of the Minneapolis firm. Network Associates' version of port looping is called "port roving" and will be in a new release of Distributed Sniffer available by year-end.
Network Associates, however, will extend the concept to VLANs and will allow network managers to select the VLANs or ports from which they want to collect data.
In the second half of this year, Network Associates will release Desktop Sniffer, which lets managers get another perspective on desktops connected to switches and extends the Sniffer product set's reach into application management. The software resides on users' desktops, captures packets there and works with Distributed Sniffer to give network managers information about problems users are encountering when trying to access data or log on to the network.

