Network managers will at least once in their careers have to solve a network traffic problem. Perhaps it's when a few nodes aren't receiving IP addresses, even though everything seems to be configured correctly, or when performance stinks for no apparent reason. In these situations a network monitor and packet analyser such as EtherPeek for Windows 95 and Windows NT, version 3.5, from the AG Group, can save the day. EtherPeek 3.5 was all but unflappable during my tests, monitoring Ethernet segments in real-time using a relatively modest 133MHz Pentium laptop. EtherPeek 3.5 is a highly affordable and powerful tool, and I would recommend it to any network manager.
It's important to note that the future of stand-alone packet analysers looks uncertain as switches become more popular. In a switched environment it may not be easy or even feasible to monitor traffic outside of the switch; it can be difficult to find a place to connect a packet analyzer and see the traffic in which one is interested, because the switch ensures that only those nodes that need to see the traffic do so. Thus, buying EtherPeek 3.5 is more of a tactical move than a strategic one.
EtherPeek 3.5's installation was remarkably simple compared to other network packet analysers I've seen. Although I looked at a final version of EtherPeek 3.5, the user's manual had not been printed yet. However, the capture screen was clean and simple to read, so I did not feel the need for one.
Although EtherPeek can use Reverse Address Resolution Protocol (RARP) to identify the names of IP nodes, to save system resources it does this only upon request. Nevertheless, I was able to look up addresses while the capture was in progress, and the tool updated the capture screen at once.
Even when EtherPeek was capturing data, I could launch DOS and run various NetWare utilities to identify Media Access Control addresses and enter their names into the name table. Again, the capture screen was updated at once.
As a systems manager I like to think I run a tight ship, but sometimes reality disabuses me of that fiction. Using EtherPeek I found that my network environment was not as efficient as I'd like it to be. For example, although one of my NetWare servers was configured to run NetWare Link Services Protocol (NLSP), on my small-office LAN there actually was no advantage to running NLSP at all. In fact, turning off NLSP cut out a fair amount of traffic on my network. Further, I was surprised by how much traffic my print servers generated; they were checking the print queues several times per second. About half of my total network traffic originated from two print servers checking and rechecking their queues.
Though EtherPeek supports a number of protocols, I specifically looked at its capability to handle IP and IPX. The company has improved EtherPeek's IPX protocol packet decoding, but it still has a way to go. With IP packets, you can find out the source and destination of the packet, what sort of service is being used, the status of the request, and so on. By contrast, with IPX packets you can determine packet type, look at the source and destination of the packet, and examine the raw data. Network Associates' Sniffer Pro has let me view requests being made and their results for years. Although Novell is committed to IP, there will be legacy IPX machines in use for many years, so this remains an issue.
I found two minor problems with EtherPeek 3.5 during my tests. When I tried to have EtherPeek perform a RARP lookup on an entire 8MB capture buffer, EtherPeek issued a page fault. However, smaller lookups worked well. The AG Group is aware of this problem and cautions customers not to perform RARP lookups on large capture buffers. Nevertheless, the company agrees that having the program trap the error would be a better solution.
Also, when I tried to look at some data I had captured on-site on my laptop, I discovered that EtherPeek couldn't load the packet-decode extensions. When I rechecked this at my office, however, all was well. It seems that with Microsoft Word running, there was not enough memory left in the laptop for EtherPeek to load its packet decoders.
On the plus side, the reports and displays offered by EtherPeek were delightful. In many cases, just knowing where the traffic is coming from can help isolate a network problem. EtherPeek can deliver reports based on which nodes are sending data, receiving data, or both. Other reports detail packet size, errors, line utilisation, and more. More impressively, these reports can process data as it is captured -- seemingly without interfering with the capture, even on a modest 133MHz Pentium laptop with just 16MB of RAM.
EtherPeek's new filter maker made it a snap to filter captures to pare down the information overload that a line monitor can deliver. In addition, HTML versions of several statistics reports can be created on the fly. By storing these files on a Web server, I was able to check the network statistics via the Web.
EtherPeek can send e-mail via SMTP or it can send pages to alert staff members when user-selected trigger conditions are met. When I looked at EtherPeek 3.0 in conjunction with NeoCore's NeoSuite plug-in modules for the product, EtherPeek's capability for controlling plug-ins was very limited and crude. In this version, plug-ins can be controlled through a menu.
Despite the minor problems I encounter, EtherPeek showed itself to be a polished, mature product. The AG Group's Web site offers a fully functional evaluation copy for download, and I recommend it to anyone interested in using a network monitor or packet analyser to examine network traffic.
Mike Avery (email@example.com) is a networking consultant in Beaumont, Texas, who has designed and supported networks of all sizes.
The bottom line: excellent
EtherPeek for Windows 95 and Windows NT 4.0, version 3.5This is an improved network packet monitor that now offers more ease of use and power than previous versions.
Pros: Filter construction tool helps view management; HTML output for remote monitoring; great IP packet decoding; excellent price.
Cons: IPX decoder improved but still needs work.
Platforms: Windows 95, Windows 98, Windows NT 4.0.