
All About Buying a Protocol Analyzer

If you aren't familiar with the latest generation of protocol analyzers, this article can help you understand the main facets of these multifunctional tools.

Protocol analysis is the process of looking at network traffic to understand or troubleshoot what is being communicated, who is communicating, and the timing of communications across the media and equipment on a network. In some situations, protocol analysis and artificial traffic generation are used to predict how a network, with its servers and applications, will respond to different types of traffic.

The broad use for protocol analysis makes the protocol analyzer a mainstay solution in the network and test engineer's bag of tools. Since there are many different flavors of protocol analyzers, you will want to make sure that you are not investing in too minimal or too powerful (read expensive) a solution for your needs.

Protocol analyzers have come a long way from the first-generation products introduced to mainstream network technologists almost two decades ago. Modern protocol analyzers now are packed with functions, capabilities, and ease-of-use features that speed analysis and troubleshooting (Figure 1).

Figure 1. Some Ways to Look at Network Traffic With a Protocol Analyzer

When you decide it is time to evaluate a new protocol analyzer, first consider the network topology on which you will be capturing packets: 10/100/1,000/10,000-Mb/s Ethernet? A wide area network (WAN)? Or a wireless local area network (WLAN)?

In general, the slower the speed of the network, the less expensive the tool will be. This is because vendors can use standard PCs and network interface cards (NICs) to capture packets on the slower networks.

Most importantly, remember that your protocol analyzer must keep up with the data speeds on the network you are analyzing. If the protocol analyzer can't keep up with all the passing data, then you won't be able to fully capture and analyze the information necessary to solve your problems.

Why is this so important? Imagine you are searching for a clue at a crime scene. If you can't properly photograph or record every aspect of the scene when you first visit, there is a chance you will miss one of the key clues to help solve the crime. You might get a chance to return to the scene or you might not. A protocol analyzer that can't capture every packet at line speed likewise diminishes your ability to solve a network problem.

Also important is the buffer size offered on a protocol analyzer. Faster networks require a larger buffer to capture a greater amount of data over time. However, don't be sold by the size of the buffer alone. Some of the best network engineers will only use a buffer of <1 MB. This is because they use specific filters before starting a capture, and they want to limit the number of packets to be analyzed (Figure 2).

Figure 2. Multistate Capture Filters That Control Which Packets to be Captured to Buffer

High-speed protocol analyzers must use special hardware and software to keep up with the data stream at Gigabit Ethernet and higher speeds. This advanced technology adds to the price of the protocol analyzer but provides a powerful tool to investigate even the most annoying issues.

10/100 Ethernet
In many cases, you can buy a software-only solution that will install on your laptop and use the embedded NIC with standard drivers for 10/100 Ethernet LAN analysis. The benefits of this solution are the price and the convenience of having your protocol analyzer on your laptop with other business applications.

Custom drivers are provided by some vendors to work with specific NICs. While these don't necessarily improve packet capture performance, they do allow you to capture error packets that normally are discarded by standard NIC drivers. However, in today's switched environments, error packets on the wire are less common and usually don't present a great concern when troubleshooting network performance problems.

Gigabit Ethernet
Gigabit Ethernet is very common on networks today, and almost every protocol analyzer vendor has a product designed for this technology. Most common solutions consist of software and a PC; however, the software for gigabit speeds usually is installed on a high-performance PC.

Pay special attention to the NIC. A standard NIC is the least desirable choice; a custom network adapter with an onboard buffer provides much better capture performance. The onboard buffer absorbs bursts at line rate and holds packets locally, so capture no longer depends on pushing every frame across the PC bus as it arrives.

The most desirable solution for gigabit analysis is a fully custom piece of hardware that has dual custom interface cards capable of line-rate capture and analysis. Since most Gigabit Ethernet links operate in full duplex mode, you need to capture two synchronized gigabit streams of traffic at the same time via an in-line tap. Most software PC combinations don't offer this type of option.

Also important is the filtering capability of a Gigabit Ethernet protocol analyzer. Make sure that it can apply capture filters on the hardware before the packets are stored in the buffer. If the filtering capability is applied after the packets are captured, then you are negating the purpose of this important function.

Since Gigabit Ethernet runs on different types of media, consider a solution that accepts gigabit interface converter (GBIC) or small form-factor pluggable (SFP) interfaces. This will allow you to move between 1000Base-SX and 1000Base-T with only a minimal investment in the appropriate module. A solution that uses a permanent interface will limit your flexibility and possibly cost you more in the long run.

10 Gigabit Ethernet (10GbE) is a fairly new technology for most companies. While many aren't running 10GbE now, recent articles predict the prices will drop drastically, and the number of ports shipped will increase over the next few years.

If your company currently isn't deploying 10GbE, then you probably shouldn't worry about this capability. Similar to the price of router and switch ports, protocol analyzers that ship with 10-Gb capabilities will see steep price discounts as the technology moves from R&D into the mainstream market.

With an asynchronous transfer mode (ATM) WAN, you now have the issue of capturing cells vs. packets. You need to decide whether to view the captures in native cell format or reconstructed into packets.

The speeds and processing needed to analyze ATM almost certainly require a custom hardware solution. Make sure the ATM analyzer can recognize and filter on all the different permutations of encapsulations found these days, such as Ethernet bridged virtual circuits over multiprotocol label switching (MPLS).

Because of the speeds used by ATM, you also will need to carefully consider the filtering capabilities of the analyzer. An ATM analyzer should have the capability to filter on Internet Protocol (IP)-specific data, like address, protocol, or port.

However, since the traffic is cell based, this means the analyzer will need to reassemble the cells into packets in real time while looking for the filter condition. In addition, look for the capability to filter on IP layer ports or IP addresses across multiple encapsulation types on multiple virtual channels (VCs). Only a few manufacturers can meet this requirement.

WLAN is a growing technology, and protocol analyzers that capture packets from a wireless NIC are increasingly popular. As you move from 802.11b to 802.11a to 802.11g, make sure that your protocol analyzer supports each of these standards.

Also consider whether the protocol-analysis software will provide the same decodes for LAN as for WLAN. Having one user interface to learn and one application to maintain is the most desirable situation if you plan on troubleshooting both of these topologies.

Filtering and Slicing
Filtering is one of the least understood and under-utilized features in a protocol analyzer. Filtering on low-speed networks guarantees you only have to analyze the necessary packets for a specific condition.

With today's high-speed networks, filtering is imperative to speed analysis and saves valuable buffer capture space. Consider that a fully loaded Gigabit Ethernet link carries up to 125 MB of traffic every second in each direction: even a protocol analyzer with a 2-GB buffer would be filled in 16 s by one direction alone, and in 8 s if both directions of a full-duplex tap are captured.

Using capture filters ensures that the buffer space only is used by the packets you want to see. For example, you could capture only packets of a specific subnet associated with a specific port containing a specific flag within a certain protocol.

Power users will want to make sure the protocol analyzer can use multistate and multiconditional statements enabled with Boolean-type conditional operators. Filtering at the bit level and being able to use floating filters (pattern matching at any offset) are two other extremely helpful capabilities (Figure 3). A novice or part-time user probably will want simplified filtering capabilities that allow for IP, media access control (MAC), port, and protocol filtering.

Figure 3. Bit-Level Filtering Templates

Packet slicing is another way to save valuable buffer space on high-speed networks. Except when troubleshooting application payloads, most analysis concerns the headers found in the first 128 B of a packet. Since a standard Ethernet frame can be up to 1,518 B long, make sure your analyzer can slice packets at various offsets. Usually, this is the first 32, 64, or 128 B.

When looking at the filtering and slicing capabilities on a protocol analyzer, make sure that these operations do not compromise the capture performance. For some protocol analyzers, this is an issue especially on high-speed links.

The decodes are the key to unlocking the mystery behind the data sent over your network (Figure 4). Think of decodes as a Rosetta stone. They convert the network data into understandable English that lets you interpret the message faster and easier; for example, understanding that the hex 81C4A402 =

Figure 4. Typical View of Packet Summary Detailed Decodes and Hex Detail

When it comes to understanding the nuances of certain applications and protocols, the accuracy of decodes is imperative. Unless you are really good at reading hex and understand the protocol's specification, your protocol analyzer must have up-to-date decodes of today's most common protocols.

A common mistake is judging a protocol analyzer by the number of decodes it supports. As the saying goes, "It's not the quantity but the quality that matters." Make sure your protocol analyzer supports the applications you are running on your network. Know what protocols different groups in your organization are using on the network. In addition, ask your vendor how often updates for the product are released.

Perhaps the decodes that have been updated or added over the last year will give you a good idea of the support behind the product. Buy software support for your protocol analyzer since changes and modifications provide you with the best return on your investment and result in faster troubleshooting and analysis.
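To make the filtering, slicing, and decode discussions above concrete, here is an added example, written for this page and not taken from the article or from any analyzer vendor's product. It is a minimal software analyzer core: a decoder that turns raw Ethernet II/IPv4/TCP header bytes into named fields, a capture filter that combines a subnet, a port, and a TCP flag (and, optionally, a floating filter that matches a byte pattern at any offset of the frame), a Boolean OR helper for multistate filters, and a capture routine that applies the filter before buffering and slices each kept frame to a chosen length. The frame builder, MAC addresses, IP addresses, and sample frames are all constructed here for illustration; nothing is read from a real NIC.

```python
"""Added example (not from the article or any vendor product): a minimal software
analyzer core that decodes Ethernet II / IPv4 / TCP headers, applies a
multi-condition capture filter with a floating pattern match, and slices
captured frames.  All frames are constructed below; nothing is read from a NIC."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 (+ TCP) headers into named fields (the 'decode')."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
           "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                        # IPv4 header length in bytes
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    pkt.update(src_ip=str(ipaddress.IPv4Address(ip[12:16])),
               dst_ip=str(ipaddress.IPv4Address(ip[16:20])), proto=proto)
    if proto == 6:                                  # TCP
        tcp = ip[ihl:total_len]
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        data_off = (off_flags >> 12) * 4
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   flags=off_flags & 0x01FF, payload=tcp[data_off:])
    return pkt


def make_filter(subnet=None, port=None, flag_mask=None, pattern=None):
    """Build a capture filter: every condition given must hold (Boolean AND).
    subnet/port/flag_mask test decoded fields; pattern is a floating filter,
    a byte string matched at any offset of the raw frame."""
    net = ipaddress.IPv4Network(subnet) if subnet else None

    def matches(frame: bytes) -> bool:
        pkt = decode_frame(frame)
        if pkt.get("proto") != 6:
            return False
        if net is not None and not any(ipaddress.IPv4Address(pkt[k]) in net
                                       for k in ("src_ip", "dst_ip")):
            return False
        if port is not None and port not in (pkt["sport"], pkt["dport"]):
            return False
        if flag_mask is not None and (pkt["flags"] & flag_mask) != flag_mask:
            return False
        if pattern is not None and pattern not in frame:
            return False
        return True
    return matches


def either(*filters):
    """Boolean OR of several filters, for multistate/multicondition setups."""
    return lambda frame: any(f(frame) for f in filters)


def capture(frames, flt, slice_at=128):
    """Filter before buffering, then keep only the first slice_at bytes of each
    kept frame.  Returns (buffered_frames, bytes_used)."""
    buffered = [frame[:slice_at] for frame in frames if flt(frame)]
    return buffered, sum(len(f) for f in buffered)


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", seq=1):
    """Construct an Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


# Constructed sample traffic: a SYN to port 80 from the subnet of interest,
# the HTTP request that follows it, and two frames that should not match.
SAMPLE_FRAMES = [
    build_frame("10.1.2.5", "192.0.2.10", 40000, 80, TCP_SYN),
    build_frame("10.1.2.5", "192.0.2.10", 40000, 80, TCP_PSH | TCP_ACK,
                b"GET / HTTP/1.0\r\n" + b"A" * 240, seq=2),
    build_frame("10.9.9.9", "192.0.2.10", 40001, 80, TCP_SYN),   # wrong subnet
    build_frame("10.1.2.7", "192.0.2.21", 40002, 21, TCP_SYN),   # wrong port
]

if __name__ == "__main__":
    syn_to_web = make_filter(subnet="10.1.2.0/24", port=80, flag_mask=TCP_SYN)
    kept, used = capture(SAMPLE_FRAMES, syn_to_web)
    print(len(kept), "frame(s) buffered,", used, "bytes")
    print(decode_frame(kept[0]))
    kept, used = capture(SAMPLE_FRAMES, make_filter(pattern=b"HTTP"))  # floating
    print(len(kept), "frame(s) buffered,", used, "bytes after slicing to 128 B")
```

The subnet/port/flag filter keeps only the 54-byte SYN, while the floating filter finds the HTTP request wherever the string sits in the frame and the 310-byte frame is stored as 128 B. A real hardware analyzer does the same work in the capture path before the buffer; the example shows why a filter applied after buffering (as the text warns against) would save nothing.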

Distributed or Portable?
When evaluating a protocol analyzer, decide whether you want a portable or a distributed solution. A portable protocol analyzer is a great tool for bench testing or as a movable fire extinguisher on an as-needed basis. Portable solutions usually include the appropriate software installed on a laptop or luggable PC. These solutions cannot be run from other stations except where the license permits you to use a remote desktop client or virtual network computing (VNC).

A distributed protocol analyzer is designed with the network administrator in mind. It allows the administrator to deploy solutions at strategic locations on the network and access them from a remote location.

Having distributed protocol analyzers strategically placed throughout your network lets you troubleshoot from a central location. Do you want to troubleshoot St. Louis from your desk in Kansas City? Advanced distributed solutions can even be set up to run in monitor mode and wait for a certain event before capturing any necessary packets. This type of functionality is great when trying to troubleshoot intermittent events that can be predicted based on a certain type of traffic pattern.

Some protocol-analysis software works as both a portable solution and a distributed analyzer. This is the most flexible configuration since it allows you to take the product mobile on your laptop and leave it in a remote location to be accessed in a peer-to-peer configuration.

Expert Analysis
Almost every protocol-analysis vendor offers an expert system in its solutions. What is expert analysis, and how do you compare the offerings from different vendors? An expert system will examine the network data and create a database of statistics:

• Who's talking to whom, and what ports are being used.

• How long it takes one station to respond to another.

• If an application is performing properly.

• If any commonly known problems are visible.

Expert systems also provide a list of symptoms and diagnostics that point out possible problems on the network. For example, without even looking at individual packets, an expert system will help you identify the following:

• Duplicate network IP addresses.

• Transmission control protocol (TCP) retransmission errors.

• Slow server connect.

• Multiple file transfer protocol (FTP) login attempts.

Expert analysis won t solve all your problems, but it will help you quickly understand the communications occurring on your network without wading through the actual packets and decodes. Expert systems provide a good first pass at the traffic analysis and help summarize the tremendous amount of data found in every trace file.

Some high-end protocol analyzers run expert analysis in real time (make sure this does not throttle capture or other functions), allowing you to automate actions based on the expert data. For example, if the expert system sees multiple FTP login attempts, capture all packets from the offending IP address.

When evaluating expert systems, make sure you are comfortable with the interface. How easy is it to drill down from the expert screen to the actual packets triggering the symptom? Which expert symptoms are defined? How flexible is the expert system, and can you modify the time settings that trigger long-delay messages?
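The following is an added example, not code from the article or from any vendor's expert system, showing what the statistics and symptoms listed above look like as detection logic. It runs over already-decoded packet records (the output of the analyzer's decode stage), builds who-talks-to-whom counts, raises each of the four symptoms named in the text (duplicate IP address, TCP retransmission, slow server connect, multiple FTP login attempts), exposes the delay and attempt thresholds as adjustable settings, and turns the FTP symptom into the "capture everything from the offender" trigger the text describes. The record layout, MAC and IP addresses, timestamps and payloads are all constructed here for illustration.

```python
"""Added example (not from the article or any vendor product): a small expert
analysis pass over already-decoded packet records.  It builds conversation
statistics, raises the four symptoms the text lists, and turns one symptom into
a trigger action.  All records are constructed below."""
from collections import Counter, defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def rec(ts, src_mac, src_ip, dst_ip, sport, dport, flags, seq=0, payload=b""):
    """One decoded TCP packet record, as the decode stage would hand it over."""
    return dict(ts=ts, src_mac=src_mac, src_ip=src_ip, dst_ip=dst_ip, sport=sport,
                dport=dport, flags=flags, seq=seq, payload=payload)


def conversations(records):
    """Who is talking to whom, and on which server port (packet counts)."""
    return Counter((r["src_ip"], r["dst_ip"], r["dport"]) for r in records)


def expert_analysis(records, slow_connect_s=0.5, ftp_login_limit=3):
    """Return (symptoms, triggers).  slow_connect_s and ftp_login_limit are the
    user-adjustable thresholds the text says to look for in an expert system."""
    symptoms, triggers = [], []

    # Duplicate IP address: one address sourced from more than one MAC.
    macs = defaultdict(set)
    for r in records:
        macs[r["src_ip"]].add(r["src_mac"])
    for ip, seen in sorted(macs.items()):
        if len(seen) > 1:
            symptoms.append(("duplicate_ip", ip, sorted(seen)))

    # TCP retransmission: the same flow sends data with the same seq again.
    seen_segments = set()
    for r in records:
        if not r["payload"]:
            continue
        key = (r["src_ip"], r["sport"], r["dst_ip"], r["dport"], r["seq"])
        if key in seen_segments:
            symptoms.append(("tcp_retransmission", key))
        seen_segments.add(key)

    # Slow server connect: SYN to SYN/ACK delay above the threshold.
    syn_time = {}
    for r in records:
        flow = (r["src_ip"], r["sport"], r["dst_ip"], r["dport"])
        if (r["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            syn_time[flow] = r["ts"]
        elif (r["flags"] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK):
            client_flow = (r["dst_ip"], r["dport"], r["src_ip"], r["sport"])
            if client_flow in syn_time:
                delay = r["ts"] - syn_time.pop(client_flow)
                if delay > slow_connect_s:
                    symptoms.append(("slow_server_connect", r["src_ip"],
                                     round(delay, 3)))

    # Multiple FTP login attempts: PASS commands per client to port 21.
    pass_cmds = Counter(r["src_ip"] for r in records
                        if r["dport"] == 21 and r["payload"].startswith(b"PASS "))
    for ip, n in sorted(pass_cmds.items()):
        if n >= ftp_login_limit:
            symptoms.append(("ftp_login_attempts", ip, n))
            # Automated action: start capturing everything from the offender.
            triggers.append(("capture_all_from", ip))

    return symptoms, triggers


# Constructed sample records: a slow web handshake followed by a retransmitted
# request, a second MAC claiming 10.1.2.5, and three FTP password guesses.
SAMPLE_RECORDS = [
    rec(1.000, "aa:00:00:00:00:01", "10.1.2.5", "192.0.2.10", 40000, 80, TCP_SYN, seq=100),
    rec(1.750, "aa:00:00:00:00:10", "192.0.2.10", "10.1.2.5", 80, 40000, TCP_SYN | TCP_ACK, seq=500),
    rec(1.751, "aa:00:00:00:00:01", "10.1.2.5", "192.0.2.10", 40000, 80, TCP_ACK, seq=101),
    rec(1.760, "aa:00:00:00:00:01", "10.1.2.5", "192.0.2.10", 40000, 80, TCP_ACK, seq=101, payload=b"GET / HTTP/1.0\r\n"),
    rec(2.200, "aa:00:00:00:00:01", "10.1.2.5", "192.0.2.10", 40000, 80, TCP_ACK, seq=101, payload=b"GET / HTTP/1.0\r\n"),
    rec(3.000, "aa:00:00:00:00:02", "10.1.2.5", "192.0.2.10", 40001, 80, TCP_SYN, seq=7),
    rec(4.000, "aa:00:00:00:00:03", "10.1.2.9", "192.0.2.21", 40002, 21, TCP_SYN, seq=1),
    rec(4.010, "aa:00:00:00:00:21", "192.0.2.21", "10.1.2.9", 21, 40002, TCP_SYN | TCP_ACK, seq=900),
    rec(4.100, "aa:00:00:00:00:03", "10.1.2.9", "192.0.2.21", 40002, 21, TCP_ACK, seq=2, payload=b"USER admin\r\n"),
    rec(4.200, "aa:00:00:00:00:03", "10.1.2.9", "192.0.2.21", 40002, 21, TCP_ACK, seq=14, payload=b"PASS guess1\r\n"),
    rec(4.600, "aa:00:00:00:00:03", "10.1.2.9", "192.0.2.21", 40002, 21, TCP_ACK, seq=27, payload=b"PASS guess2\r\n"),
    rec(5.000, "aa:00:00:00:00:03", "10.1.2.9", "192.0.2.21", 40002, 21, TCP_ACK, seq=40, payload=b"PASS guess3\r\n"),
]

if __name__ == "__main__":
    for conv, n in conversations(SAMPLE_RECORDS).most_common():
        print(f"{conv[0]} -> {conv[1]}:{conv[2]}  {n} packets")
    symptoms, triggers = expert_analysis(SAMPLE_RECORDS)
    for s in symptoms:
        print("symptom:", s)
    for t in triggers:
        print("trigger:", t)
```

Raising slow_connect_s to 1.0 s makes the 0.75-s handshake disappear from the symptom list, which is the kind of adjustable time setting the evaluation questions above ask about. The trigger output is the list a real-time expert system would feed back into its capture filter.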

With so many different types of protocol analyzers available today, making the right purchase can be daunting. Before you put your money down, find out:

• Whether the analyzer supports the speed and interface for your topology and has capture performance adequate for the speed of the network.

• Whether it provides in-depth filtering for high-speed analysis and simplified filtering for users with basic needs.

• Whether the manufacturer ensures regular decode updates.

• Whether it works as a portable unit, a distributed monitoring tool, or both, and whether you can upgrade from portable to distributed.

• How flexible the expert system is, how well it interfaces with the decodes and packet summary, and whether application-specific expert diagnostics are available.

About the Author
Robert Finlay is a product marketing manager at Fluke Networks. He has spent 12 years as a product manager in the network management, security, and enterprise application space. Prior to joining Fluke Networks, Mr. Finlay worked at Network General, Network Associates, WebTrends, Preview Systems, and Sabrix. Fluke Networks, 6920 Seaway Blvd., Everett, WA 98203, 425-446-4519,
e-mail: [email protected]
