Product review: Sniffer Pro sees some switches

Protocol analysers have found their niche in the enterprise. They are a must-have tool in any IT arsenal. When your network is down and your business's bottom line is starting to suffer, a protocol analyser is often the best device with which to unearth the problem on your network.

Because of the way these devices are used, they have traditionally been classified as reactive troubleshooting tools, but that is changing. Although today's analysers, such as Network Associates' Sniffer Pro, are still used as reactive network firefighters, they now are also used for proactive network management. Using one to alert IT personnel before problems start affecting your network is the best way to prevent costly network downtime.

Network Associates' Sniffer Pro 2.5 is an exceptional network troubleshooting tool capable of monitoring today's networks. Because the protocol-analyser niche is less well-defined than it used to be, these products compete with a flood of monitoring and performance tools, including offerings from Cisco Systems and 3Com. Windows-based analysers such as AG Group's EtherPeek and Sunbelt's LanExplorer, are now a dime a dozen, but Sniffer Pro performs so well that it stands outside this 10-cent class.

I tested portions of the Sniffer Pro Portable Analysis Suite, which includes SnifferBasic, SnifferProLAN, SnifferProWAN, and SnifferPro HiSpeed. I ran these solutions on three different systems: a Pentium II 166MHz notebook with Windows 98 and 64Mbytes of RAM, using Network Associates' PC Card solution; a Compaq Pentium II 200MHz with Windows NT 4.0 and 96Mbytes of RAM; and a Dolch luggable with interfaces for token ring, 10/100 Ethernet, ATM, and WAN modules. The portable solutions will go where you go -- from wiring closets to computer rooms and anywhere in between.

Installing from scratch or upgrading existing Sniffer boxes is a snap. If you are finally moving up from the DOS-based Sniffer, be sure you have enough memory (32Mbytes minimum). Sniffer Pro 2.5 looks very much like its 2.0 predecessor, and very little has been done to improve an already outstanding interface. But under the hood, I noted significant improvements that continue to set Sniffer apart.

Sniffer shines in terms of extensive protocol decodes. This version includes more than 400 decodes that cover everything from legacy decodes to popular decodes and new or updated decodes for such protocols as Voice over IP H.323, Server Message Block, Border Gateway Protocol version 4, and Internet Inter-ORB Protocol.

Sniffer's Expert mode contains many improvements, including expert support for Novell IPX, NetWare 5.0, Oracle8, ATM, and some Cisco Layer 2 switches. Unless you know everything about networking, you should find Sniffer's Expert mode very useful in reducing troubleshooting time. The Expert mode breaks analysis into layers, diagnoses, symptoms, and objects.

The new Switch Expert captured my attention because switched environments have made troubleshooting and monitoring difficult. Before switches, every node on a network shared the same pipe, so it was easy to peek into that one pipe and see the whole picture. In a switched environment, bandwidth is no longer shared, so it is difficult to see the individual or aggregate traffic. Port mirroring is a popular way to monitor switches, by sending all traffic on a single switch port or multiple ports to a monitoring port. This is fairly straightforward, but it does require some manual configuration.

However, if your company uses virtual LANs (VLANs), port mirroring will not provide an accurate picture of your network. Sniffer addresses this problem by mirroring traffic from a single port or VLAN to a monitoring port, capturing traffic on that port and also providing Expert mode analysis.

However, the implementation is inelegant and requires using two network interface cards. The configuration card does not have to be directly attached to the switch, and it can set the mirroring port, as well as collect SNMP statistics from the switch's Management Information Box. TCP/IP must be bound to the configuration card, which ensures that the SNMP commands go over the network and are not rejected by the switch. Sniffer will not automatically detect your switches, so you will need to know the IP address of the switch you wish to monitor. The monitor card connects directly to the switch and captures all traffic mirrored to that port.

The information from the switch analysis is extremely useful, though more graphical analysis is needed. Sniffer automatically discovers VLAN configuration information from the switch and can then automatically mirror the VLAN to a monitoring port. I was also able to issue commands to mirror ports to a monitoring port.

The Expert analysis is helpful, but again, only if you have the right switch. If SMON continues to make inroads as a standard protocol for monitoring switches, I would expect Sniffer to adopt this approach.

With the new additions in this release, the relatively expensive Sniffer can provide a speedy return on investment by significantly reducing the time required to troubleshoot network-related problems. In addition, Sniffer is making significant inroads into proactive network management with its capable monitoring tools.

Laura Wonnacott ( is US Infoworld Test Center's technical directorThe bottom line: VERY GOODSniffer Pro Portable Analysis Suite 2.5Summary: With more and richer decodes, additions to its Expert mode, and support for some switched networks, Sniffer Pro leads the competitive pack. It is a great choice for the mixed-protocol and topology-diverse enterprise.

Business Case: When the network is down, business suffers. The IT department will achieve cost savings by solving network-related problems faster and end users will reap productivity benefits.

Pros: Extensive and solid decodes and topology support; outstanding interface; powerful Expert modeCons: Expensive; Limited switch support; limited application layer decodesCost: $11,995, starting price. Sniffer provides a fast return on investment by significantly reducing the time required to troubleshoot network-related problemsPlatforms: Windows 95/98, Windows NT 4.0Network Associates, Santa Clara, California;

Join the newsletter!

Error: Please check your email address.

More about 3Com AustraliaCiscoCompaqGatewayNAINovell

Show Comments

Market Place