Path: utzoo!utgpu!watmath!clyde!att!ucbvax!BRL.MIL!reschly
From: reschly@BRL.MIL ("Robert J. Reschly Jr.")
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Network Monitor
Message-ID: <8901090311.aa25225@SEM.BRL.MIL>
Date: 9 Jan 89 08:11:17 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 137

Harry,

As with nearly every simple answer, the answer is "Well, it depends". I am at home as I type this and my notes are at work, so what follows is from memory. I don't think there are any glaring deficiencies, though I have become somewhat fuzzy about prices.

Last spring two of my co-workers and I conducted an in-depth evaluation of offerings from Cabletron, Network General, Excelan, Hewlett Packard (those being the major players at the time) and looked at a few other lesser known offerings. The only current contender I know about that we did not look at directly was the Spyder Systems (UK) offering. Also, since we looked last spring, Network General claims to have significantly improved the underlying hardware capability with their latest offering.

We started out looking for a box which could do everything for us. After sifting through the literature, talking with some of the engineers designing various units, and playing with several of the boxes, our judgement was that a box meeting all of our criteria did not exist. The units with the best software were unable to give us the hardware performance we sought. The units with satisfactory hardware capabilities were sorely lacking in the software department.

Given that we were and still are driven more by hardware considerations (i.e. guarantee the box can capture the bits, then worry about the protocol stack. We can decode a protocol stack if need be, but the best software in the world will not necessarily do us any good if the hardware misses bits....) and we already had some software in house for looking at protocol stacks (our homebrew gateway software, and Van Jacobson's tcpdump for Sun 3's), we settled on buying two of the Cabletron units. Once we resigned ourselves to buying a box strictly on hardware considerations, the additional features of the HP unit (~2.5x the capture buffer, and disk based configurations) were not enough to make up for the cost difference. All of us would have dearly loved to be able to recommend the Network General box though....

Cabletron, LAN Specialist:

Their "better" offering. Its underlying hardware is good enough to capture anything on the network, and is able to drive the wire at greater than 90% saturation. It also has some rather nice cable/transceiver testing capabilities. Has enough buffer memory for ~260 Maximum Segment Size (MSS) sized packets in capture everything mode. It is severely lacking when dealing with anything other than the link layer, needs a VT200 compatible terminal (requires function keys out to F20, and uses scrolling and paging keys -- yeech!), and has no nonvolatile storage (no saved configurations). It is, however, relatively cheap: ~$5,000.

Hewlett Packard:

I forget the model number, but it is the "portable" unit with the attached keyboard and ~7 inch monochrome CRT. Typical HP. A solidly built, self-contained, closed box. Also able to capture anything on the wire, and able to drive the wire to greater than 90% saturation. Has enough buffer memory for ~650 MSS sized packets in capture everything mode. Has a floppy disk and an optional 10MB(?) hard disk available. The disks can be used to store configuration information and traffic dumps, though the box is not fast enough to use the disk to extend buffer memory without risking missing some of the bits. Like much of HP's fancier equipment, suffers from "softkeys on the brain". Other than flipping a few bits in filters and entering names, the keyboard might just as well not be present. Also loses when it comes to anything above the link layer. Priced around $18,000.

Excelan, LANalyzer:

This unit does not stand out in my mind. It is probably best summarized as the Sniffer's baby brother. I don't recall any of us noting any glaring deficiencies, just that it was not as flexible, or as featureful, as the Sniffer. My only other recollection was observing that the mount for the transceiver cable jack looked rather flimsy. The unit we played with was in a Toshiba 286 based portable I think. I believe this box comes in somewhere between $15,000 and $18,000.

Network General, Sniffer:

Slick. We all fell in love with the amount of software support this box offered. It could dump nearly anything it captured all the way up the stack to the application level. It was all menu based, but the menuing software was probably the easiest to use and least obtrusive software of any we have run across. We seldom noticed it, per se, as we rummaged around with the system. The box we evaluated was a Compaq 286 system bundled up and sold as a package by Network General. Oh, if only the system was a bit heftier in the hardware department. We were overrunning it even on a relatively lightly loaded network. At least it was honest enough to let us know when it was dropping packets (by beeping and keeping a tally) rather than silently discarding them. *sigh*

The other nice feature of the Sniffer was that it could be configured for different networks. It could also do ARCnet and IBM 4Mb token ring, I believe. These features were of no interest to us so we did not evaluate them. This box ran around $19,000 to $21,000 configured for Ethernet, I think.

Last September at INTEROP'88 I saw a new version of the Sniffer being demonstrated. I have not had a chance to play with this box myself, nor have I received the set of owners' manuals I was promised, so everything which follows is based on what the market droid I talked to said and my fuzzy recollections of the spec sheets.

This version has been reworked substantially, and offers several interesting features. The new version is built around a Compaq 386 box, and everything hangs off the back of the Compaq as a plug-in module. The Ethernet hardware has been beefed up and can now support several (up to 6?) megabytes of capture buffer memory in the add-on module. With that much memory, even if they can only capture 256 (they ought to get at least 512) packets per megabyte, that is still more packets than even the HP can do. Network General now supports six(?) differing network technologies. The add-on module can be configured in several ways. It can be configured with any one or two different network interface modules, or one interface module and a hard disk. The latter is particularly interesting in secure computing environments because that means you can buy a floppy-only Compaq with no permanent storage, and N network modules with the permanent storage in the module. This way, configurations and such can be saved between sessions, and can be locked up when not in use without also tying up the computer. If this box truly meets the claims made for it, it is the hands down winner with no reservations whatsoever. I only wish it had been available six months sooner.... *MOBY sigh*

Price: around $11,000 for the Compaq (gosh, is the Compaq that much? -- seems a bit steep) and $10,000 to $15,000 for the network modules.

The only other real contender I know of is the Spyder Systems box. I have overheard several people claiming it is a pretty good box, and from what I have read of it, I suspect its software is somewhere between the LANalyzer and the old Sniffer. I have no information about its hardware capabilities though, and don't know if it is a dedicated or hosted implementation. Not only that, but I don't know what it costs. Probably worth a look before making any decisions.

I hope you find this useful.

Later,
Bob

--------
Phone: (301)278-6678   AV: 298-6678   FTS: 939-6678
Arpa: reschly@BRL.MIL (or BRL.ARPA)   UUCP: ...!brl-smoke!reschly
Postal: Robert J. Reschly Jr.
        U.S. Army Ballistic Research Laboratory
        Systems Engineering and Concepts Analysis Division
        Advanced Computer Systems Team
        ATTN: SLCBR-SE (Reschly)
        APG, MD 21005-5066
        (Hey, *I* don't make 'em up!)

**** For a good time, call: (303) 499-7111. Seriously! ****