TweetFollow Us on Twitter

EtherPeek Microscope

Volume Number: 16 (2000)
Issue Number: 3
Column Tag: Tools of the Trade

Put Your Network Under a Microscope with EtherPeek

by Bill von Hagen

Better living through network analysis software

Networking is arguably the most important innovation in modern computing. Networks are the backbones of most corporate and academic computing environments, plus access to the Internet is the most common reason for home computer purchases today. Unfortunately, diagnosing and resolving network problems poses a special set of headaches for system and network administrators. Bad network interface cards (NICs), bad connections, bad hubs, gateways, routers, or simply bad software can cause network problems.

It wasn't that long ago that the first line of defense for network problems was an armada of scopes, line testers, and other medieval devices to help track down the source of a problem. If the source of the problem was a computer system, system administrators could begin verifying the system's hardware, configuration, network software, and then make coffee and exchange hex dumps of network packets all night long. The next advance in network problem analysis was dedicated portable hardware that you could attach to your network at any suspected trouble spot. Often laptops running specialized software for capturing and analyzing network traffic were used. This is still a practical, sometimes necessary, option for organizations with extremely specialized needs (and unlimited budgets).

A more practical option is to buy EtherPeek, put if on a dedicated Mac, and dare problems to occur on your network segment. EtherPeek is a great example of just how much software can do to provide a comprehensive, understandable view of exactly what is happening on a network or network segment. EtherPeek makes it easy to identify and track down network problems before they bring your network to its knees. EtherPeek can also help you improve network performance by identifying hotspots or unnecessary network communication. It can identify abnormal traffic patterns and performance bottlenecks, and help you limit specific types of traffic to certain subnets by selecting systems to group on their own LAN segments. EtherPeek can also help you identify and eliminate unnecessary network communication, such as systems broadcasting or exporting network protocols that you don't use, increasing the bandwidth for the network communication that you actually want to take place on your network.

EtherPeek should only be installed on secure systems or servers to which access is restricted. It obtains the information it uses to analyze your network through what is called "packet sniffing." It grabs a copy of every network information unit (packet) on your network as it goes past, regardless of the system or network address they're intended for. (Ethernet interfaces normally only accept packets that are intended for their hardware address.) Packet sniffing is the most common way for hackers (or whatever term you prefer) to obtain logins, passwords, and other supposedly secure information by eavesdropping on network communication. General Network Diagnostics

EtherPeek provides a number of floating diagnostic windows that enable you to monitor the general performance and status of a network while you use its integrated capture and analysis commands to examine selected portions of those communications. When you first start EtherPeek, it displays a dialog in which you select the network interface that you want to monitor. After you select the appropriate network interface, you should also use the Capture menu's Network Speed command to verify that EtherPeek has detected the correct speed of your network (10 MB, 100 MB, or a custom OTHER setting). Correct this setting if necessary.

EtherPeek then displays a Network Statistics window that provides summary information about the amount of traffic on your network. It uses a speedometer/tachometer display to show network utilization and traffic at the current moment.

Once you're sure that you have EtherPeek listening on the correct network interface, the fun begins. First, obtain a summary of the network protocols that are in use on your network. Select the Statistics menu's Protocols command that displays a Protocol Analysis window. Protocol Analysis provides a constantly updated summary of the protocols in use on your network, grouping families of protocols together under their parent protocols. The Protocol Statistics window samples the packets on the selected network interface at a configurable rate ranging from every second to every ten minutes, and displays a running histogram of the percentage of different protocols and packet types seen on your network.

Figure 1 shows the Protocol Statistics window on a simple network where all of the current traffic consists of TCP/IP protocols such as, secure HTTP, and TELNET. This is the sort of display that you would see on a network composed primarily of UNIX systems, where none of the standard Apple or Microsoft protocols are being used.


Figure 1.The Protocol Statistics Window.

To watch a specific family of protocols, click on the arrowhead beside other family names to hide the protocols in those families, which helps you focus on those that you are specifically interested. Figure 2 shows a Protocol Statistics window after bringing up a PC with AppleTalk support on the same network, with all of the Ethernet Type 2 protocols collapsed. This shows Apple's AppleTalk protocol, the standard PC networking protocols (IPX, IPX-LSAP, NetBEUI/NetBios), and the Datagrams associated with PC Server Message Block (SMB) file and device sharing.


Figure 2.Protocol Statistics Window With Additional Protocols.

All of EtherPeek's statistics windows can be sorted by any field, just click on the heading for that field; this is a very nice feature. For example, you could click the Bytes header in the Protocol Statistics window to sort its contents by the number of bytes being sent within each protocol family. This makes it easy to see the heaviest used protocols on your network.

Protocol statistics can be quite useful to identify the types of traffic going out over your network and the amount of traffic using each protocol, but don't provide detailed information about the systems between which that traffic is taking place. The Statistics menu's Nodes command displays that information. Each host that is communicating on your network is identified by its MAC address, which is the unique hardware address of an Ethernet card. To make this information useful, each MAC address is followed by each protocol family address that communicates using that hardware address. Figure 3 shows a sample Node Statistics window in which you can see that the MAC address 00:00:94:B5:72:A5 is receiving IP packets as the address 192.168.6.85, while the MAC address 00:00:C0:8C:CE:92 is handling both the AppleTalk address AT-65339.7 and the IP address 192.168.6.95.


Figure 3.The Node Statistics Window.

The Node Statistics window makes it easy to verify which hosts are communicating on your network, which protocols they're using, and the amount of traffic to and from each node. This can be very useful in identifying whether heavy network users are using the recommended protocols. For example, many UNIX sites use software or special hardware that enables them to use AppleTalk over IP to spool print jobs from print servers to Apple LaserWriters on their networks. Any Macintosh on the same network can print directly to a LaserWriter by simply selecting it from the Chooser, which would disrupt or suspend the UNIX print spooling and would not be logged by the UNIX spooling software. On primarily UNIX networks, you could easily spot this sort of disruption by watching for any hosts that are not print servers but which are sending lots of AppleTalk traffic.

Identifying certain types of traffic can be useful, but the ability to identify the systems between which that traffic is flowing is usually more important in identifying performance problems. Select the Statistics menu's Conversation command to display a Conversation Statistics window that provides a summary of all communications between different network addresses. As shown in Figure 4, the Conversation Statistics window displays the source and destination nodes for each network conversation, the number of packets exchanged by those nodes, and the total number of bytes in those conversations. The Conversation Statistics window is updated every 5 seconds, by default, but you can change the update rate to any value between 5 seconds and one hour.


Figure 4.The Conversation Statistics Window.

Capturing and Analyzing Packets

EtherPeek's various statistics windows give you a great high-level picture of your network, but diagnosing actual network problems requires more information than summaries and reports can provide. EtherPeek enables you to capture a stream of packets and examine them in detail, so it is easy for you to actually see problems .

To capture packets, Select the File menu's New option to display the Capture Buffer Options dialog. The Capture Buffer Options dialog lets you define various options for the buffer in which EtherPeek temporarily stores any captured packets . Next click the Continuous Capture option and click OK. Once a packet capture window displays, you click the Start Capture button to actually start capturing packets. Figure 5 shows a sample capture window containing traffic between hosts on a local network and actual Internet hosts.


Figure 5.A Packet Capture Window.

Whenever possible, the packet capture window automatically uses DNS to resolve IP addresses into actual host names. Figure 5 shows both IP addresses and host names because some of the systems on the test network use private IP addresses that can't be resolved through a global DNS server.

At any time during or after completing a packet capture session, you can examine the contents of a captured packet in more detail. Just double-click the packet you want to examine. This displays a window that provides detailed information about that packet, as shown in Figure 6.


Figure 6.Captured Packet Details.

The detail window shows the contents of the selected packet, its header, and the actual contents of the packet in hexadecimal. You can click on any of the details shown in the top portion of a packet detail window to highlight the associated raw packet data.

Once you've captured the information you need, click the Stop Capture button to terminate the packet capture session. At this point, you can begin debugging or save the contents of the capture window for future analysis using the File menu's Save command.

Using Packet Filters

Capturing a constant stream of packets is a great diagnostic if you're examining general networking issues, but may often provide more information that you need. To limit captured packets, EtherPeek lets you create filters that identify the packets that you actually want to see. EtherPeek supports two classes of packet filters - simple filters let you capture packets based on specific parts of their header, and advanced filters let you create complex Boolean expressions based on header information or packet content. Figure 7 shows EtherPeek's simple filter definition window.


Figure 7.The Edit Filter Dialog.

EtherPeek's simple filters let you restrict the captured packets based on their source address, protocol family, or the port to which they are addressed. Port filtering is a great feature when trying to debug network problems related to a service such as FTP, Telnet, or Sendmail that uses a specific port.

EtherPeek's advanced filters let you define filters using Boolean combinations of the source address, protocol family, target port, packet value, packet contents, packet length, or different packet errors. Packet content filters are especially useful when watching for network attacks. You can limit the captured packets to those that contain specific string values, such as the password packets used by the TELNET and FTP protocols.

Automating Your Network Debugging

Although EtherPeek's filters make it easy to capture selected types of traffic in separate capture windows, constantly scanning a large number of open capture windows can be confusing. A better approach to look for specific events is to have EtherPeek automatically perform some action whenever the event occurs, such as beginning a packet capture session or logging a message. EtherPeek provides three general ways of programming to automatically react to specific network events: Triggers, plug-ins, and notifications.

Triggers let you start or stop capturing packets at specific times or when specific network events occur, based on user defined filters. Time triggers make it easy for you to automatically snapshot network traffic associated with regularly scheduled events such as network backups or automatic system reboots. These are especially handy when you need to capture traffic snapshots for tasks scheduled at off-peak times, such as 4 AM, when you might prefer to be home sleeping. Filter triggers begin or end a packet capture session whenever the conditions defined in a specific filter are met.

Plug-ins are EtherPeek's most powerful method of reacting to specific events. Plug-ins are external modules that perform detailed packet analysis and constantly monitor all seen packets . EtherPeek comes with a number of plug-ins that perform tasks such as, looking for duplicate IP addresses, watching for specific types of network attacks, and analyzing FTP, NetWare, and SMTP (email) traffic. Once enabled, plug-ins are globally active; that means the traffic being captured by a filter trigger can be simultaneously analyzed by any number of plug-ins.

Both triggers and plug-ins have associated severity levels, which make it easy to integrate them with EtherPeek's notifications. Notifications are actions that you associate with specific events in EtherPeek, and consist of any of five different actions. You can log messages to EtherPeek's log file, be paged (if you're using supported paging server software, which is currently PageNOW!), be sent email, use the Speech Manager to announce the event, or launch an AppleScript that you create to do anything you want. Notifications also have associated severity levels: informational, minor, major, and severe. makes It is easy to create notifications with your own names, select the action you want to associated with them, and associate them with a specific severity level in EtherPeek's Notifications dialog . After notifications have been defined, any trigger or plug-in with a specific security level automatically triggers any notifications associated with that severity level. By default, EtherPeek comes with one predefined notification associated with all four severity levels - logging messages to its log file.

Generating Reports

System and network administrators rarely have the luxury of sitting at a desk to just monitor EtherPeek statistics windows. Today's networked computing environments require office to office or wiring closet to wiring closet travel, software and hardware installation and , or simply debugging user problems. To help keep an eye on your network while you're off fire-fighting, or to get a high-level view of network performance for use at an upcoming meeting, you can set EtherPeek to automatically generate statistical reports in HTML format.

The Statistics menu's HTML Output command lets you configure the frequency with which these reports are generated, the directory where the output files are placed, and a directory of report generation templates. EtherPeek generates Protocol Statistics and Node Statistics reports, plus a summary report that provides general information about all of the traffic on your network. The Protocol and Nodes Statistics reports exactly match the current view in the windows on your screen. For example, if you've collapsed or sorted families within the Protocol Statistics window, the reports generated by EtherPeek are collapsed or sorted in the same way.

Documentation

EtherPeek is a rarity among modern software packages because it comes with a well written, printed manual. You should think twice before buying a diagnostic tool that only comes with PDF manuals or other online documentation. Online documents can be tricky to access when you're experiencing hardware problems. EtherPeek's documentation not only explains the buttons and how to use the dialogs, but also includes multiple examples of how to use EtherPeek to monitor your network and troubleshoot various types of problems. If you are new to network troubleshooting, need some suggestions or just want a sanity check of your own approaches to troubleshooting, this information is invaluable.

Diagnosing the Diagnostics

Diagnostic tools are a tough business because they have to provide useful information when things are going well, handle anomalous events with ease, and provide information about those anomalies in a useful form. The last thing you need when experiencing a network problem is to have problems with your diagnostic software. Luckily, when testing EtherPeek, I got a first-hand opportunity to submit a problem report and watch AG Group's customer support staff in action.

One of the systems on my test network dual-boots Windows 98 and the BeOS. The BeOS is somewhat picky about Ethernet card support, so I have two network cards in the machine, one for each operating system with the other disabled by that operating system. When the machine comes up, the hub to which these cards is connected erupts in a flood of blinking lights, indicating chatter between the two cards until the OS de jour shuts down one of them. A perfect test! I started EtherPeek on a Mac, opened a packet capture window, and then fired up the dual-boot system and let the chattering begin.

Within seconds, the Protocol Statistics window had reported over 4000 different detected protocols , a big change from the 30 or so seen in normal circumstances. Each of the bogus protocols had a name of the form ETHER-XX-XX, where X was a hex digit. Capturing all of these packets also brought the Mac to its knees. The only way I could successfully stop the capture and save the contents of the capture buffer was to turn on continuous logging to disk and shut down the BeOS/Win98 box a second or two after turning it on. Looking at the capture buffer, I could see that one of the cards was sending thousands of undersized and otherwise bogus packets.

AG Group's customer support was quick to tell me that the ETHER-XX-XX packets meant that the value in the type field for those packets was not a known protocol type. They also explained how to set up an Advanced Filter to ignore undefined packet types, and even offered me a copy of an incremental release of EtherPeek with some new features to improve performance in heavy traffic situations, such as mine. (Coming soon to the next version of EtherPeek!) Admittedly, I identified myself as someone who was reviewing their software and thus your mileage may vary. The speed with which they responded and the quality of their response meant that the support person I contacted actually understood both their software and networking in general.

Diagnostic tools can't fix hardware problems, but they can tell you when to punt a cheap network card. In a real business situation, my NIC could have caused real performance problems for other users. Final score: cheap NIC, 0, EtherPeek and AG Group's support staff, 10.

Conclusion

Network problems are hard to identify and often harder to track down to a specific host or network device. EtherPeek simplifies network troubleshooting by providing excellent packet capture and analysis capabilities within a powerful, well-designed graphical interface. If you manage a network, EtherPeek provides the capabilities and features you need. If you are in the network driver or network software business, EtherPeek should be a fundamental part of your arsenal of debugging and verification tools. Beyond simply diagnosing problems, EtherPeek is also an excellent tool for enhancing network performance by identifying local network traffic that you can isolate, and by helping you eliminate wasted traffic or questionable hardware.

EtherPeek can turn any Mac on your network into a powerful network debugging and monitoring station capable of extracting admiration and sysadmin envy from even the most hardened UNIX geek. If your organization doesn't already have Macs, EtherPeek might just be the best argument you could offer for buying one. If you don't have Macs and your management won't let you buy a superior machine, EtherPeek is also available for Windows systems.


Bill von Hagen is a writer, computer system administrator, and the author of "SGML for Dummies." You can contact him at wvh@gethip.com.

 
AAPL
$108.00
Apple Inc.
+1.02
MSFT
$46.95
Microsoft Corpora
+0.90
GOOG
$559.08
Google Inc.
+8.77

MacTech Search:
Community Search:

Software Updates via MacUpdate

Vitamin-R 2.20b1 - Personal productivity...
Vitamin-R creates the optimal conditions for your brain to work at its best by structuring your work into short bursts of distraction-free, highly focused activity alternating with opportunities for... Read more
Dropbox 2.10.44 - Cloud synchronization...
Dropbox is an application that creates a special Finder folder that automatically syncs online and between your computers. It allows you to both backup files and keep them up-to-date between systems... Read more
Sandvox 2.9.2 - Easily build eye-catchin...
Sandvox is for Mac users who want to create a professional looking website quickly and easily. With Sandvox, you don't need to be a Web genius to build a stylish, feature-rich, standards-compliant... Read more
Cocktail 8.0.1 - General maintenance and...
Cocktail is a general purpose utility for OS X that lets you clean, repair and optimize your Mac. It is a powerful digital toolset that helps hundreds of thousands of Mac users around the world get... Read more
LibreOffice 4.3.3.2 - Free Open Source o...
LibreOffice is an office suite (word processor, spreadsheet, presentations, drawing tool) compatible with other major office suites. The Document Foundation is coordinating development and... Read more
VMware Fusion 7.0.1 - Run Windows apps a...
VMware Fusion allows you to create a Virtual Machine on your Mac and run Windows (including Windows 8.1) and Windows software on your Mac. Run your favorite Windows applications alongside Mac... Read more
OneNote 15.3.2 - Free digital notebook f...
OneNote is your very own digital notebook. With OneNote, you can capture that flash of genius, that moment of inspiration, or that list of errands that's too important to forget. Whether you're at... Read more
Audio Hijack Pro 2.11.4 - Record and enh...
Audio Hijack Pro drastically changes the way you use audio on your computer, giving you the freedom to listen to audio when you want and how you want. Record and enhance any audio with Audio Hijack... Read more
Iridient Developer 3.0.0 beta 3 - Powerf...
Iridient Developer (was RAW Developer) is a powerful image conversion application designed specifically for OS X. Iridient Developer gives advanced photographers total control over every aspect of... Read more
TextWrangler 4.5.11 - Free general purpo...
TextWrangler is the powerful general purpose text editor, and Unix and server administrator's tool. Oh, and also, like the best things in life, it's free. TextWrangler is the "little brother" to... Read more

Latest Forum Discussions

See All

Monster Flash Review
Monster Flash Review By Jordan Minor on October 31st, 2014 Our Rating: :: ALONE IN THE DARKUniversal App - Designed for iPhone and iPad Solid shooting and a surprising amount of spooky tension make Monster Flash a great portable... | Read more »
Retry Review
Retry Review By Rob Thomas on October 31st, 2014 Our Rating: :: SOARING HIGHUniversal App - Designed for iPhone and iPad Flappy who? Let Retry wash all those bad bird-related memories away on a cool retro-flavored flight… right... | Read more »
Dementia: Book of the Dead Review
Dementia: Book of the Dead Review By Lee Hamlet on October 31st, 2014 Our Rating: :: A TOUGH READUniversal App - Designed for iPhone and iPad A witch hunter is sent after a demonic book in the spooky but short-lived Dementia: Book... | Read more »
Card Dungeon, the Semi-Board Game Roguel...
Card Dungeon, the Semi-Board Game Roguelike, Has Been Renovated Posted by Jessica Fisher on October 31st, 2014 [ permalink ] | Read more »
Logitech Protection + Power iPhone5/5S C...
Made by: Logitech Price: $99.99 Hardware/iOS Integration Rating: 3 out of 5 stars Usability Rating: 0.5 out of 5 stars Reuse Value Rating: 0.75 out of 5 stars Build Quality Rating: 0.75 out of 5 stars Overall Rating: 1.25 out of 5 stars | Read more »
This Is Not a Test Goes Free, Permanentl...
This Is Not a Test Goes Free, Permanently Posted by Jessica Fisher on October 31st, 2014 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »
Swap Heroes Review
Swap Heroes Review By Campbell Bird on October 31st, 2014 Our Rating: :: STRATEGIC SWAPPINGUniversal App - Designed for iPhone and iPad Rotate a cast of heroes to fend of waves of monsters in this difficult, puzzle rpg.   | Read more »
Night Sky Pro™ (Reference)
Night Sky Pro™ 3.0.1 Device: iOS Universal Category: Reference Price: $2.99, Version: 3.0.1 (iTunes) Description: Night Sky Pro™Wonder No More™ Night Sky Pro™ is the ultimate stargazing experience. From the creators of the original... | Read more »
Audio Defence : Zombie Arena (Games)
Audio Defence : Zombie Arena 1.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0 (iTunes) Description: A zombie shooter audio game. Made from gut-wrenching 3D binaural sound, for a new kind of weird immersion. You... | Read more »
RPG Asdivine Hearts (Games)
RPG Asdivine Hearts 1.1.0 Device: iOS Universal Category: Games Price: $3.99, Version: 1.1.0 (iTunes) Description: SPECIAL PRICE50% OFF (USD 7.99 -> USD 3.99)!!! Travel alongside four companions and a cat in the adventure of a... | Read more »

Price Scanner via MacPrices.net

Tablets Ascendent Again; Global Tablet Market...
The worldwide tablet grew 11.5% year over year in the third quarter of 2014 (3Q14) with shipments reaching 53.8 million units according to preliminary data from the International Data Corporation (... Read more
Apple now offering refurbished 2014 13-inch R...
The Apple Store is now offering Apple Certified Refurbished 2014 13″ Retina MacBook Pros for up to $270 off the cost of new models. An Apple one-year warranty is included with each model, and... Read more
Apple Regains Momentum As Windows Stutters An...
The latest smartphone sales data from Kantar Worldpanel ComTech, for the three months to March 2014, shows Apple performing strongly in the first quarter of the year, with sales bouncing back in... Read more
Worldwide Smartphone Shipments Increase 25.2%...
New smartphone releases and an increased emphasis on emerging markets drove global smartphone shipments above 300 million units for the second consecutive quarter, according to preliminary data from... Read more
Apple now offering refurbished 2014 15-inch M...
The Apple Store is now offering Apple Certified Refurbished 2014 15″ Retina MacBook Pros for up to $400 off the cost of new models. An Apple one-year warranty is included with each model, and... Read more
Apple drops prices on refurbished 2013 Retina...
The Apple Store has dropped prices on 2013 Apple Certified Refurbished 13″ and 15″ Retina MacBook Pros, with Retina models now available starting at $999. Apple’s one-year warranty is standard, and... Read more
New 2.8GHz Mac mini on sale for $949, save $5...
Abt Electronics has the new 2.8GHz Mac mini in stock and on sale for $949.05 including free shipping. Their price is $50 off MSRP, and it’s the lowest price available for this model from any reseller... Read more
Sale! 3.7GHz Quad Core Mac Pro available for...
 B&H Photo has the 3.7GHz Quad Core Mac Pro on sale for $2649 including free shipping plus NY sales tax only. Their price is $350 off MSRP, and it’s the lowest price for this model from any... Read more
Mujjo Steps Up The Game With Refined Touchscr...
Netherlands based Mujjo have just launched their Refined Touchscreen Gloves, stepping up their game. The gloves feature a updated elegant design that takes these knitted gloves to the next level. A... Read more
Sale! Preorder the new 27-inch 5K iMac for $2...
 Abt Electronics has the new 27″ 3.5GHz 5K iMac on sale and available for preorder for $2374.05 including free shipping. Their price is $125 off MSRP, and it’s the lowest price available for this... Read more

Jobs Board

Position Opening at *Apple* - Apple (United...
…Summary** As a Specialist, you help create the energy and excitement around Apple products, providing the right solutions and getting products into customers' hands. You Read more
Position Opening at *Apple* - Apple (United...
**Job Summary** Being a Business Manager at an Apple Store means you're the catalyst for businesses to discover and leverage the power, ease, and flexibility of Apple Read more
Position Opening at *Apple* - Apple (United...
**Job Summary** As more and more people discover Apple , they visit our stores seeking ways to incorporate our products into their lives. It's your job, as a Store Read more
Position Opening at *Apple* - Apple (United...
**Job Summary** At the Apple Store, you connect business professionals and entrepreneurs with the tools they need in order to put Apple solutions to work in their Read more
Solutions Specialist with *Apple* Knowledge...
Company Description: We are an Apple Authorized Sales and Service Provider. We have been selling and servicing Apple computers in the Fairfield County area for over Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.