Five network maintenance tools tested

With the right packet sniffers you can truly lead the dog's life, as RMIT IT Test Lab's Kire Terzievski finds out.



Network monitoring and troubleshooting devices are intelligent hardware and software tools that can help you manage your network.

Contents
Introduction
Exinda Optimizer 4700
eTrust Network Forensics
Observer 10.1
Fluke OptiView Series II
PacketShaper 6500
Specifications
How we tested
Editor's choice
About RMIT




These tools can help with analysis, migration, monitoring, security, testing, and administration of the network. What's most impressive is that network monitoring devices let you see problems immediately. Hardware tools like the Fluke OptiView are great for frontline troubleshooting and take the guesswork out of solving network issues.

On the other hand, there are software solutions that include analysis systems which can help you monitor and solve network issues by identifying the problems and making recommendations -- like the Observer software, and more specialised, forensic applications like CA's eTrust Network Forensics.

Then there are packet shapers which are centred on providing visibility, control, and acceleration. Visibility, so that you are able to see everything on the network -- revealing the source of any network problems; control, to set policies that reflect priorities; and acceleration of the performance in which data is delivered -- done by compression.

Advanced Discovery
Network monitoring and troubleshooting products discover devices by monitoring traffic and by actively querying hosts. Once discovered, they usually provide the most thorough information possible in terms of: DNS name, NetBIOS name, SNMP name, IPX name, and address.

Real-time remote monitoring and problem discovery makes it easy and economical to extend your knowledge and expertise across your network. Some software uses a Web browser interface to monitor distant sites directly from your desktop. With some products you can run multiple sessions at any one time.

Reporting Software
This is an important consideration. Reporter software will transform collected network performance data into usable documents. Some software packages can even draw you a map of your entire network. You can document collisions, utilisation, and errors, and publish them in a variety of formats -- including HTML and PDF.

In this review we look at hardware- and software-based solutions. The most difficult part was comparing these products as they are each very different, and have specialised functions ranging between network monitoring, capture, and troubleshooting.




Exinda Optimizer Enterprise 4700
Exinda is a Melbourne-based company focusing on packet shaping, much like Packeteer. The Exinda unit is aimed at small- and medium-sized businesses (SMBs) and enterprise markets but only offers a 100Mb throughput whereas the Packeteer scales right up to 1Gb. Exinda does have other units starting from 2Mb up to 100Mb, and it promises a 1Gb unit in the near future.

Out of the box, it's easy to set up, in fact it was so easy we could set its IP address from the front control panel instead of having to console in. We plugged the LAN side to Port 2 and the WAN side to Port 3. Ports 0 and 1 on the 4700 are additional interfaces that can be used as management ports or to plug in additional networks.

We then simply opened up an Internet browser and entered the IP address of the unit to get to the GUI. Unlike the Packeteer this product doesn't require a highly skilled user to take control and set up basic policies and generate reports.

With very little effort you can prioritise traffic and allow applications to burst (which means they can borrow more bandwidth from other applications providing they don't need it). Peer-to-peer applications are grouped by the 4700 and can be instantly blocked or limited during business hours and given more bandwidth after hours.

With the 4700 you can see which applications, hosts, and conversations are consuming bandwidth. The top 10 for all the above can be easily obtained so troubleshooting is made easier and you can even drill down as far as finding out what URLs hosts are going to. There are options to check to see that a remote site is reachable from your network and you can schedule reports to be sent automatically.

The 4700 is much easier to use than the Packeteer; it focuses more on monitoring what everyone is doing on your network, and the reporting is excellent.

Product Optimizer Enterprise 4700
Price AU$1,700 to AU$12,000
Vendor Exinda Networks
Phone 03 9415 8332
Web www.exinda.com
 
Interoperability
½
Shaping at 100M.
Futureproofing
½
Not much available in terms of extra options and scalability for large enterprise.
ROI
Excellent monitoring and reporting. Good price.
Service
12 months; Optional Software Subscription & Hardware Maintenance.
Rating



Computer Associates eTrust Network Forensics
eTrust Network Forensics is a product born from SilentRunner, which was developed by a defence contractor. Computer Associates acquired SilentRunner a few years back and has turned it into a commercial product for the enterprise.

eTrust Network Forensics allows you to visualise, uncover, and investigate network traffic. It captures raw network data and uses forensic analysis to check for exploitation, internal data theft, and security or human related violations.

Be prepared to spend money on training as this tool is very complex and requires users to do an introductory course, possibly followed by an advanced analysis course.

CA supplied us with log files from IDSes and firewalls, which we opened in the application to get a feel for the type of information we could plot, and CA ran us through some of the basics. eTrust Network Forensics can produce complex graphs, but they can be very hard to read, especially if you are displaying a lot of traffic. Understanding what the graphs are trying to tell you is almost an art, which is why we suggest training. The interface needs some work -- it's clunky, you can't browse for log files, and you must type the full path to the file. The window system also needs improvement -- at one stage we had more than 10 windows open and we couldn't really keep track of where we were.

Product eTrust Network Forensics
Price AU$30,000 per annum
Vendor Computer Associates
Phone 1800 999 985
Web http://ca.com/etrust
 
Interoperability
Excellent distributed network monitoring.
Futureproofing
½
Appliance version available.
ROI
½
Expensive and staff will require extensive training.
Service
N/A.
Rating
½



Observer 10.1
The Observer is a network protocol analyser, monitor, and troubleshooting tool. It has three levels of licensing: the standalone Observer; the Expert Observer, which enables you to pinpoint your network problems through expert analysis; and the Observer Suite, which includes the Expert Observer plus additional network management and analysis solutions.

The standalone Observer includes a local probe that makes the local network visible to it. To monitor multiple networks from a single console you have to install additional probes. A probe collects network traffic and reports it back to the console.

The installation of the Observer was straightforward -- there are only a few screens to get through. The quickest way to collect information from your network is to run the Discover Network Names function. All you have to do is specify your network's address range, then Observer resolves DNS names and IP addresses to give you a list of all of your network devices.

Observer isn't limited to monitoring wired networks; it can also monitor your wireless network to provide an overall network monitoring solution. The Wireless Site Survey can see 802.11a, b, and g devices. What's really impressive is that it can show you the link quality, the encryption status, and other information such as the uptime of each device and when the device was first and last seen. You can then select "Top Talkers", which has to be one of the easiest functions to use. It allows you to see which devices are sending and receiving the most traffic on the network.

Routers can be examined for bottlenecks by using the Router Observer while Internet usage can be monitored by using the Internet Observer. The monitor here can determine which Internet protocols are in use and which Internet sites users are visiting.

In real time it can also display the amount of bandwidth that is utilised, and how your network has been trending or performing over time.

Other features include packet capture and decoding. Application analysis, which is included in the Expert Observer and Observer Suite, can monitor your critical servers to make sure they perform in a satisfactory way. It can also show you response times as well as error counts associated with your servers. The Real-Time Expert, which is also part of the Expert Observer and Observer Suite, can analyse a problem on your network, then give you a reason for what may be causing the problem.

The overall design and layout of this tool is excellent. It makes it very easy for someone to gaze over and quickly see what's happening on their network. Network data can also be viewed in a variety of formats, and it can also be exported into easy-to-read Web-based reports.

Product Observer 10.1
Price Observer 10.1 AU$1309
Expert Observer 10.1 AU$4015
Observer Suite 10.1 AU$5604.50
Vendor Digital Networks Australia
Phone 02 8436 9600
Web www.networkinstruments.com
 
Interoperability
Supports most common network topologies.
Futureproofing
Many software and hardware Probes available.
ROI
All combinations of the software represent good value.
Service
Network Instruments provides technical support via the web and by phone via partners or direct. Technical support is free with the purchase of a maintenance agreement.
Rating



Fluke OptiView Series II Integrated Network Analyser
The Fluke OptiView is a complete network analyser that combines network monitoring and troubleshooting capabilities into one handheld tool.

This product can give you a complete insight of your network in seconds. It offers a seven-layer protocol analysis, traffic analysis, and also tests your patch cables.

The OptiView is essentially a mobile PC which features a large touch screen and runs on Microsoft Windows XP. Previous versions we had seen were running on Windows 98.

The device includes three USB ports, 10/100BASE Ethernet, 100BASE-FX fibre, 1000BASE-X fibre, VGA, and a PC Card slot. An all-in-one device such as this saves you carrying around a laptop when on the road, and if you need a word processor or need to check your e-mail you can do so from the OptiView.

When we connected the OptiView to our 100Mb network it configured itself with a valid IP address. Where it can't obtain an IP address from a DHCP server, it looks at your local traffic and gives itself an address.

The look and feel of the user interface is impressive. Real-time results for devices, networks and problems were displayed in a format which was easy to read and navigate.

The OptiView has a discovery process, which scans your entire network for devices, networks and problems. The devices on your network are discovered by monitoring traffic and by actively querying hosts.

You can also create different traffic loads to assist you with the stress testing of your network and for doing packet capture. As an option you can buy the Integrated Protocol Expert software which can also run on the OptiView. In the past this wasn't possible as the old OptiView wasn't powerful enough to run this application. By using this Expert software you will be able to decode captured files to uncover difficult application and network problems.

The Expert software summarises the address or name of the stations involved, and the position of frames in the capture file that trigger the Expert System to identify the problem. It also recommends what actions you should take to correct the problem. There are many other options to do with VLANs, WANs, wireless, and reporting that you can add, and the overall price of this device can really blow out.

You can also point a Web browser at the IP address of an OptiView to obtain remote access to the analyser from your PC over TCP/IP, and you can run up to seven simultaneous sessions on a single analyser. There is also a rack-mounted version of this product: an OptiView analyser minus the touch screen and Windows front end. This option is also considerably less expensive.

The OptiView is ideal if you want an on-the-go troubleshooting device. None of the other devices have this sort of flexibility. It also has the advantages of being able to address problems in the bottom few layers of the OSI model much better than any of the other solutions.

Product OptiView Series II Integrated Network Analyser
Price AU$23,155 to AU$51,855 depending on Options
Vendor Fluke Networks
Phone 02 8850 3333
Web www.flukenetworks.com
 
Interoperability
Does cable testing unlike any of the other products tested here.
Futureproofing
½
Many upgrades available. New analyser available in September, including VoIP performance monitoring.
ROI
½
Can get very expensive with all the add-ons.
Service
12 months; Extended warranties available. Offer hot spare within 24 hours where available.
Rating
½


Packeteer PacketShaper Seeker 6500
The PacketShaper Seeker 6500 is an appliance whose main job is to classify and analyse network traffic and then enforce policy-based bandwidth allocation.

We tested the 1500, a smaller version of the 6500, some time ago.

There are six different packet shapers available from Packeteer. They support throughputs of 2Mb to 1Gb. The 6500 is placed in the midrange and supports 100Mb. However there are 14 different versions of the 6500 and the one we looked at is the entry shaper which mainly focuses on monitoring. If you want compression it will cost you an extra AU$6600.


The 6500 includes two 10/100Mbps ports located on the front of the unit. One of the ports is labelled "Inside" and this is how you plug into your LAN while the "Outside" port is connected to your router. The 6500 can also act as a pass-through device where, if the device was to fail, you would still have network access. There were also two LAN expansion slots available on the front of the unit and a serial port.

Setup was a breeze: launch a browser, type in the unit's default out-of-the-box IP address, then change it to suit your network. The serial port can also be used to set the IP address, and everything can still be done from the console if you prefer to work that way.

The 6500 uses a Web-based GUI. This isn't the most user-friendly GUI and it can prove awkward to use at first. From the GUI you can do things like classify network traffic into categories, which lets you see what is running on your network, how much bandwidth each application is using, and how your applications are performing.

The 6500 can detect traffic on your network that's coming from file-sharing applications such as Kazaa, and you can block Kazaa by discarding packets of this type. The 6500 can also detect if a VoIP service is running on your network. You can specify the percentage of bandwidth to reserve for this sort of traffic, and by setting the burst option you can allow VoIP traffic to borrow available bandwidth from other partitions, up to a pre-defined limit.
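Both shapers in this review describe the same policy model: a guaranteed share per traffic class, a burst option that lets a class borrow bandwidth other classes are not using up to a cap, a blocked class for peer-to-peer traffic, and a schedule that relaxes the block after hours (the Exinda section above and the VoIP partition just described). The following Python is an added toy model of that allocation logic written for this article; it is not Exinda or Packeteer code, and the class names, percentages, link speed and demand figures are constructed.

```python
"""Toy model of partition-based bandwidth policy with burst (borrowing).

Added illustration, not vendor code. Each class of traffic has a guaranteed
share of the link, a burstable class may borrow bandwidth that other classes
leave idle up to its own cap, a blocked class (e.g. peer-to-peer) gets
nothing, and the policy can change by time of day.
"""
from dataclasses import dataclass


@dataclass
class Partition:
    name: str
    guaranteed_pct: float   # share of the link this class is always entitled to
    cap_pct: float          # highest share it may reach by borrowing
    blocked: bool = False   # discard this class entirely


def allocate(link_kbps, partitions, demand_kbps):
    """Return {partition name: kbps} for one allocation interval.

    Pass 1 gives every unblocked class min(demand, guaranteed share).
    Pass 2 shares whatever is left among classes whose demand is still unmet
    and whose cap leaves room, water-filling style so no class starves another.
    """
    if sum(p.guaranteed_pct for p in partitions if not p.blocked) > 100:
        raise ValueError("guaranteed shares exceed the link")
    alloc = {}
    room = {}   # extra kbps each class may still borrow
    for p in partitions:
        if p.blocked:
            alloc[p.name] = 0.0
            continue
        guaranteed = link_kbps * p.guaranteed_pct / 100
        cap = link_kbps * p.cap_pct / 100
        want = demand_kbps.get(p.name, 0)
        alloc[p.name] = min(want, guaranteed)
        extra = min(want, cap) - alloc[p.name]
        if extra > 0:
            room[p.name] = extra
    leftover = link_kbps - sum(alloc.values())
    while leftover > 1e-9 and room:
        share = leftover / len(room)
        for name in list(room):
            give = min(share, room[name])
            alloc[name] += give
            leftover -= give
            room[name] -= give
            if room[name] <= 1e-9:
                del room[name]
    return alloc


def policy_for_hour(hour):
    """Business-hours policy blocks peer-to-peer; after hours it gets a share."""
    business_hours = 9 <= hour < 18
    p2p = (Partition("p2p", 0, 0, blocked=True) if business_hours
           else Partition("p2p", 10, 40))
    return [Partition("voip", 20, 50), Partition("web", 50, 50),
            Partition("other", 20, 20), p2p]


if __name__ == "__main__":
    # Constructed demand on a 10Mb link, once during the day and once at night.
    demand = {"voip": 4000, "web": 1000, "p2p": 5000, "other": 3000}
    print("10:00", allocate(10_000, policy_for_hour(10), demand))
    print("22:00", allocate(10_000, policy_for_hour(22), demand))
```

With the daytime policy the VoIP class, which is burstable, borrows the bandwidth that the web class leaves idle and reaches 4Mb, while peer-to-peer gets nothing; after hours peer-to-peer keeps its guaranteed 10% and can borrow up to its 40% cap, which is the behaviour both reviews describe in prose.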

From the console you can view who the top-talking IPs are, and if a virus is sending requests back out to the Internet through someone's machine you will quickly be able to spot it from here. The 6500 can do packet capture from the console as well, but you will need something like Ethereal to decode the packets.

The Packeteer uses Flow Detail Records (FDR), which is a method for gathering and processing per-flow statistics. Some think of it as NetFlow on steroids. It offers enhanced troubleshooting and forensic capabilities which will help you determine the source of a DoS attack, or you can view which ports are the busiest as well as see which hosts generated traffic through each port. It offers integration with accounting and billing programs, so for example, enterprises can track such things as each department's application usage and bill them accordingly -- and you can specify for how long you want to keep historical data.

The 6500 displays some great graphs, but exporting them can be messy. We were told you can use a utility which imports data from the 6500 and publishes it to a Word document, or you can right-click on the image and save it that way. There are other options: if you have multiple packet shapers (probably more than 10) you can use Packeteer's ReportCenter, which acts as a centralised collection tool that gathers data from all your shapers and generates reports for you.
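The Observer's "Top Talkers" view and the PacketShaper's Flow Detail Records are both built on per-flow statistics: byte counts keyed by host and port. The Python below is an added example written for this article, not code from Network Instruments, Packeteer or any product reviewed here. It runs the three questions the reviews raise over constructed flow records (who the top talkers are, which ports are busiest and which hosts drive them, and which host is talking to an unusual number of outside addresses, the "virus sending requests back out" pattern); the 10.0.0.0/24 local range, the addresses and the byte counts are all constructed.

```python
"""Per-flow statistics in the style of NetFlow / Flow Detail Records.

Added example, not code from any product in this review. Each record is a
constructed (src, dst, proto, dport, bytes) tuple of the kind a probe or
shaper exports. The functions answer: who the top talkers are, which ports
are busiest and which hosts use them, and whether a host is contacting an
unusual number of outside addresses.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")   # constructed local range

# Constructed sample flows: a file server (10.0.0.20), two web users, and one
# host (10.0.0.42) making tiny connections to eight different outside hosts
# on port 25, the signature of a worm or spam bot phoning out.
FLOWS = [
    ("10.0.0.5",  "10.0.0.20",    "tcp", 445, 1_200_000),
    ("10.0.0.20", "10.0.0.5",     "tcp", 445,    80_000),
    ("10.0.0.9",  "10.0.0.20",    "tcp", 445,   400_000),
    ("10.0.0.7",  "203.0.113.10", "tcp",  80,   300_000),
    ("10.0.0.7",  "203.0.113.11", "tcp", 443,   150_000),
    ("10.0.0.9",  "203.0.113.10", "tcp",  80,   200_000),
] + [("10.0.0.42", f"198.51.100.{i}", "tcp", 25, 600) for i in range(1, 9)]


def top_talkers(flows, n=3):
    """Hosts ranked by bytes sent plus received."""
    totals = Counter()
    for src, dst, _proto, _dport, nbytes in flows:
        totals[src] += nbytes
        totals[dst] += nbytes
    return totals.most_common(n)


def busiest_ports(flows, n=3):
    """(proto, port) ranked by bytes, with the sorted hosts that sent through it."""
    by_port = Counter()
    senders = defaultdict(set)
    for src, _dst, proto, dport, nbytes in flows:
        by_port[(proto, dport)] += nbytes
        senders[(proto, dport)].add(src)
    return [(port, nbytes, sorted(senders[port]))
            for port, nbytes in by_port.most_common(n)]


def outbound_fanout(flows):
    """Number of distinct outside destinations each local host contacted."""
    fan = defaultdict(set)
    for src, dst, _proto, _dport, _nbytes in flows:
        if ip_address(src) in LOCAL_NET and ip_address(dst) not in LOCAL_NET:
            fan[src].add(dst)
    return {host: len(dsts) for host, dsts in fan.items()}


def suspicious_hosts(flows, threshold=5):
    """Local hosts whose outside fan-out reaches the threshold.

    Byte totals alone miss this host: it moves only a few kilobytes, but it
    talks to far more outside addresses than any normal workstation.
    """
    return sorted(h for h, n in outbound_fanout(flows).items() if n >= threshold)


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS))
    print("busiest ports:", busiest_ports(FLOWS))
    print("outbound fan-out:", outbound_fanout(FLOWS))
    print("suspicious:", suspicious_hosts(FLOWS))
```

The point of the last function is the one the review makes about spotting an infected machine from the console: 10.0.0.42 never appears in the top talkers because it moves almost no data, but ranking hosts by distinct outside destinations rather than bytes surfaces it immediately.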

Product PacketShaper Seeker 6500
Price AU$10,750 as tested
From US$2,150 to US$75,000 for the top-of-the-range ISP Gbit version
Vendor Packeteer
Phone 02 9657 1003
Web www.packeteer.com
 
Interoperability
Shaping at 100M.
Futureproofing
Larger models capable of up to 1Gbit.
ROI
½
Excellent visibility, but will get expensive when you add compression.
Service
12 months, various levels of contracted maintenance support.
Rating
½
Specifications

Product Name: eTrust Network Forensics | Exinda Optimizer | Observer 10.1 | OptiView Series II Integrated Network Analyser | PacketShaper 6500
Vendor: Computer Associates | Exinda Networks | Digital Networks Australia | Fluke Networks | Packeteer
Telephone: 1800 999 985 | 03 9415 8332 | 02 8436 9600 | 02 8850 3333 | 02 9657 1003
Website: http://ca.com/etrust | www.exinda.com | networkinstruments.com | www.flukenetworks.com | packeteer.com
RRP price range (inc GST): AU$30,000 | AU$1,700 to $12,000 | Observer 10.1 AU$1309; Observer Suite 10.1 AU$5604.50 | AU$23,155 to $51,855 | AU$10,750 as tested
Software or Hardware Appliance: Software or Hardware Appliance | Hardware Appliance | Software | Hardware Appliance | Hardware Appliance
Shape packets/limit bandwidth: No | Yes | No | No | Yes
Compress data for transfer: No | Yes | No | No | Yes
Real-Time Statistics: Yes | Yes | Yes | Yes | Yes
Analysis and Troubleshooting: Yes | Yes | Yes | Yes | Yes
Measures application performance: No | Yes | Yes | Yes, built into Protocol Analysis module | Yes
Use of Probes: Yes | No | Yes | No | Yes
Export Reports to Web/Word: Yes | Yes | Web Only | Yes | Yes
Uses Triggers and Alarms: Yes | Yes | Yes | Yes | Yes
Packet Capture and Decode: Yes | Yes | Yes | Yes | Yes
Traffic Generator: No | No | Yes | Yes | No
Block applications (eg Kazaa): No | Yes | No | No | Yes
Support for Wireless Networks: Yes | Yes | Yes | Yes | Yes
Support for Windows, Mac & Unix/Linux: Yes | Yes | NA | Yes | Yes
Target Market: Enterprise | SMB, Enterprise | NA | Enterprise | SMB, Enterprise

Top 5 Features
  • eTrust Network Forensics: 1. Advanced Visualisation; 2. Pattern Analysis; 3. Content Analysis; 4. Forensics Knowledge Base; 5. Communications Sequencing
  • Exinda Optimizer: 1. Auto-detection of all network traffic; 2. Service level validation; 3. Automatic PDF e-mail reports; 4. Adaptive configuration; 5. Layer 7 application grouping
  • Observer 10.1: NA
  • OptiView Series II Integrated Network Analyser: 1. Complete network vision in seconds; 2. 7 Layer protocol analysis; 3. Simple user interface; 4. WAN, VLAN and wireless analysis; 5. Web enabled remote control
  • PacketShaper 6500: 1. Layer-7 application discovery; 2. Detailed reporting and visibility tools; 3. Application performance monitoring; 4. TCP Rate control for efficient bi-directional control; 5. State-of-the-art compression


How we tested
We evaluated the three software tools on a P4 2.8 GHz machine with 1GB of RAM running Windows Server 2003. We had 30 PCs connected to our local network across four switches and a single router to the outside world.

We then ran a discovery process and monitored traffic by querying hosts on our network to see who were the top talkers and looked to see if there were any trouble spots on our network and how all this information was managed and presented by each product.

The two packet shapers, on the other hand, were connected between the LAN and the router. Since shaping falls outside the scope of the scenario we did not test it, and instead focused on their monitoring features.

What to look for

  • Network interfaces supported
  • Protocols supported
  • Expert system (analyses, warns, and makes recommendations)
  • Captures and decodes packets
  • Shapes packets
  • Compresses data in order to accelerate data transfer and lower data costs
  • Analyses the seven layers of the OSI
  • Features remote monitoring (via the Web)
  • Analyses WAN connections
  • Tests cables
  • VoIP analysis




Scenario
This company's network is bridged through a range of routers and switches between sites. Its capacity is stretched and volumes are peaking across links between many sites. There are packets being dropped due to the restrictive bandwidth of certain components in the network.

The company wants to examine this traffic in detail and use this to pinpoint areas for upgrade, and to detect any suspicious/malicious traffic that the company doesn't know about.

Approximate budget: Open
Concerns: Easy management, useful logging and reporting.

Editor's choice
The Exinda narrowly takes out the Editor's Choice for this month as it meets the concerns raised by this company.

T&B Editor's choice
The 4700 offers easy management, excellent logging, and reporting. The 4700 would also be able to pinpoint which applications and which conversations are consuming the most bandwidth so the company can upgrade a link or just better manage their traffic by means of data prioritisation. You also get compression for around the same price.






About RMIT IT Test Labs
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own -- only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.

This article was first published in Technology & Business magazine.