TweetFollow Us on Twitter

EtherPeek Microscope

Volume Number: 16 (2000)
Issue Number: 3
Column Tag: Tools of the Trade

Put Your Network Under a Microscope with EtherPeek

by Bill von Hagen

Better living through network analysis software

Networking is arguably the most important innovation in modern computing. Networks are the backbones of most corporate and academic computing environments, plus access to the Internet is the most common reason for home computer purchases today. Unfortunately, diagnosing and resolving network problems poses a special set of headaches for system and network administrators. Bad network interface cards (NICs), bad connections, bad hubs, gateways, routers, or simply bad software can cause network problems.

It wasn't that long ago that the first line of defense for network problems was an armada of scopes, line testers, and other medieval devices to help track down the source of a problem. If the source of the problem was a computer system, system administrators could begin verifying the system's hardware, configuration, network software, and then make coffee and exchange hex dumps of network packets all night long. The next advance in network problem analysis was dedicated portable hardware that you could attach to your network at any suspected trouble spot. Often laptops running specialized software for capturing and analyzing network traffic were used. This is still a practical, sometimes necessary, option for organizations with extremely specialized needs (and unlimited budgets).

A more practical option is to buy EtherPeek, put if on a dedicated Mac, and dare problems to occur on your network segment. EtherPeek is a great example of just how much software can do to provide a comprehensive, understandable view of exactly what is happening on a network or network segment. EtherPeek makes it easy to identify and track down network problems before they bring your network to its knees. EtherPeek can also help you improve network performance by identifying hotspots or unnecessary network communication. It can identify abnormal traffic patterns and performance bottlenecks, and help you limit specific types of traffic to certain subnets by selecting systems to group on their own LAN segments. EtherPeek can also help you identify and eliminate unnecessary network communication, such as systems broadcasting or exporting network protocols that you don't use, increasing the bandwidth for the network communication that you actually want to take place on your network.

EtherPeek should only be installed on secure systems or servers to which access is restricted. It obtains the information it uses to analyze your network through what is called "packet sniffing." It grabs a copy of every network information unit (packet) on your network as it goes past, regardless of the system or network address they're intended for. (Ethernet interfaces normally only accept packets that are intended for their hardware address.) Packet sniffing is the most common way for hackers (or whatever term you prefer) to obtain logins, passwords, and other supposedly secure information by eavesdropping on network communication. General Network Diagnostics

EtherPeek provides a number of floating diagnostic windows that enable you to monitor the general performance and status of a network while you use its integrated capture and analysis commands to examine selected portions of those communications. When you first start EtherPeek, it displays a dialog in which you select the network interface that you want to monitor. After you select the appropriate network interface, you should also use the Capture menu's Network Speed command to verify that EtherPeek has detected the correct speed of your network (10 MB, 100 MB, or a custom OTHER setting). Correct this setting if necessary.

EtherPeek then displays a Network Statistics window that provides summary information about the amount of traffic on your network. It uses a speedometer/tachometer display to show network utilization and traffic at the current moment.

Once you're sure that you have EtherPeek listening on the correct network interface, the fun begins. First, obtain a summary of the network protocols that are in use on your network. Select the Statistics menu's Protocols command that displays a Protocol Analysis window. Protocol Analysis provides a constantly updated summary of the protocols in use on your network, grouping families of protocols together under their parent protocols. The Protocol Statistics window samples the packets on the selected network interface at a configurable rate ranging from every second to every ten minutes, and displays a running histogram of the percentage of different protocols and packet types seen on your network.

Figure 1 shows the Protocol Statistics window on a simple network where all of the current traffic consists of TCP/IP protocols such as, secure HTTP, and TELNET. This is the sort of display that you would see on a network composed primarily of UNIX systems, where none of the standard Apple or Microsoft protocols are being used.


Figure 1.The Protocol Statistics Window.

To watch a specific family of protocols, click on the arrowhead beside other family names to hide the protocols in those families, which helps you focus on those that you are specifically interested. Figure 2 shows a Protocol Statistics window after bringing up a PC with AppleTalk support on the same network, with all of the Ethernet Type 2 protocols collapsed. This shows Apple's AppleTalk protocol, the standard PC networking protocols (IPX, IPX-LSAP, NetBEUI/NetBios), and the Datagrams associated with PC Server Message Block (SMB) file and device sharing.


Figure 2.Protocol Statistics Window With Additional Protocols.

All of EtherPeek's statistics windows can be sorted by any field, just click on the heading for that field; this is a very nice feature. For example, you could click the Bytes header in the Protocol Statistics window to sort its contents by the number of bytes being sent within each protocol family. This makes it easy to see the heaviest used protocols on your network.

Protocol statistics can be quite useful to identify the types of traffic going out over your network and the amount of traffic using each protocol, but don't provide detailed information about the systems between which that traffic is taking place. The Statistics menu's Nodes command displays that information. Each host that is communicating on your network is identified by its MAC address, which is the unique hardware address of an Ethernet card. To make this information useful, each MAC address is followed by each protocol family address that communicates using that hardware address. Figure 3 shows a sample Node Statistics window in which you can see that the MAC address 00:00:94:B5:72:A5 is receiving IP packets as the address 192.168.6.85, while the MAC address 00:00:C0:8C:CE:92 is handling both the AppleTalk address AT-65339.7 and the IP address 192.168.6.95.


Figure 3.The Node Statistics Window.

The Node Statistics window makes it easy to verify which hosts are communicating on your network, which protocols they're using, and the amount of traffic to and from each node. This can be very useful in identifying whether heavy network users are using the recommended protocols. For example, many UNIX sites use software or special hardware that enables them to use AppleTalk over IP to spool print jobs from print servers to Apple LaserWriters on their networks. Any Macintosh on the same network can print directly to a LaserWriter by simply selecting it from the Chooser, which would disrupt or suspend the UNIX print spooling and would not be logged by the UNIX spooling software. On primarily UNIX networks, you could easily spot this sort of disruption by watching for any hosts that are not print servers but which are sending lots of AppleTalk traffic.

Identifying certain types of traffic can be useful, but the ability to identify the systems between which that traffic is flowing is usually more important in identifying performance problems. Select the Statistics menu's Conversation command to display a Conversation Statistics window that provides a summary of all communications between different network addresses. As shown in Figure 4, the Conversation Statistics window displays the source and destination nodes for each network conversation, the number of packets exchanged by those nodes, and the total number of bytes in those conversations. The Conversation Statistics window is updated every 5 seconds, by default, but you can change the update rate to any value between 5 seconds and one hour.


Figure 4.The Conversation Statistics Window.

Capturing and Analyzing Packets

EtherPeek's various statistics windows give you a great high-level picture of your network, but diagnosing actual network problems requires more information than summaries and reports can provide. EtherPeek enables you to capture a stream of packets and examine them in detail, so it is easy for you to actually see problems .

To capture packets, Select the File menu's New option to display the Capture Buffer Options dialog. The Capture Buffer Options dialog lets you define various options for the buffer in which EtherPeek temporarily stores any captured packets . Next click the Continuous Capture option and click OK. Once a packet capture window displays, you click the Start Capture button to actually start capturing packets. Figure 5 shows a sample capture window containing traffic between hosts on a local network and actual Internet hosts.


Figure 5.A Packet Capture Window.

Whenever possible, the packet capture window automatically uses DNS to resolve IP addresses into actual host names. Figure 5 shows both IP addresses and host names because some of the systems on the test network use private IP addresses that can't be resolved through a global DNS server.

At any time during or after completing a packet capture session, you can examine the contents of a captured packet in more detail. Just double-click the packet you want to examine. This displays a window that provides detailed information about that packet, as shown in Figure 6.


Figure 6.Captured Packet Details.

The detail window shows the contents of the selected packet, its header, and the actual contents of the packet in hexadecimal. You can click on any of the details shown in the top portion of a packet detail window to highlight the associated raw packet data.

Once you've captured the information you need, click the Stop Capture button to terminate the packet capture session. At this point, you can begin debugging or save the contents of the capture window for future analysis using the File menu's Save command.

Using Packet Filters

Capturing a constant stream of packets is a great diagnostic if you're examining general networking issues, but may often provide more information that you need. To limit captured packets, EtherPeek lets you create filters that identify the packets that you actually want to see. EtherPeek supports two classes of packet filters - simple filters let you capture packets based on specific parts of their header, and advanced filters let you create complex Boolean expressions based on header information or packet content. Figure 7 shows EtherPeek's simple filter definition window.


Figure 7.The Edit Filter Dialog.

EtherPeek's simple filters let you restrict the captured packets based on their source address, protocol family, or the port to which they are addressed. Port filtering is a great feature when trying to debug network problems related to a service such as FTP, Telnet, or Sendmail that uses a specific port.

EtherPeek's advanced filters let you define filters using Boolean combinations of the source address, protocol family, target port, packet value, packet contents, packet length, or different packet errors. Packet content filters are especially useful when watching for network attacks. You can limit the captured packets to those that contain specific string values, such as the password packets used by the TELNET and FTP protocols.

Automating Your Network Debugging

Although EtherPeek's filters make it easy to capture selected types of traffic in separate capture windows, constantly scanning a large number of open capture windows can be confusing. A better approach to look for specific events is to have EtherPeek automatically perform some action whenever the event occurs, such as beginning a packet capture session or logging a message. EtherPeek provides three general ways of programming to automatically react to specific network events: Triggers, plug-ins, and notifications.

Triggers let you start or stop capturing packets at specific times or when specific network events occur, based on user defined filters. Time triggers make it easy for you to automatically snapshot network traffic associated with regularly scheduled events such as network backups or automatic system reboots. These are especially handy when you need to capture traffic snapshots for tasks scheduled at off-peak times, such as 4 AM, when you might prefer to be home sleeping. Filter triggers begin or end a packet capture session whenever the conditions defined in a specific filter are met.

Plug-ins are EtherPeek's most powerful method of reacting to specific events. Plug-ins are external modules that perform detailed packet analysis and constantly monitor all seen packets . EtherPeek comes with a number of plug-ins that perform tasks such as, looking for duplicate IP addresses, watching for specific types of network attacks, and analyzing FTP, NetWare, and SMTP (email) traffic. Once enabled, plug-ins are globally active; that means the traffic being captured by a filter trigger can be simultaneously analyzed by any number of plug-ins.

Both triggers and plug-ins have associated severity levels, which make it easy to integrate them with EtherPeek's notifications. Notifications are actions that you associate with specific events in EtherPeek, and consist of any of five different actions. You can log messages to EtherPeek's log file, be paged (if you're using supported paging server software, which is currently PageNOW!), be sent email, use the Speech Manager to announce the event, or launch an AppleScript that you create to do anything you want. Notifications also have associated severity levels: informational, minor, major, and severe. makes It is easy to create notifications with your own names, select the action you want to associated with them, and associate them with a specific severity level in EtherPeek's Notifications dialog . After notifications have been defined, any trigger or plug-in with a specific security level automatically triggers any notifications associated with that severity level. By default, EtherPeek comes with one predefined notification associated with all four severity levels - logging messages to its log file.

Generating Reports

System and network administrators rarely have the luxury of sitting at a desk to just monitor EtherPeek statistics windows. Today's networked computing environments require office to office or wiring closet to wiring closet travel, software and hardware installation and , or simply debugging user problems. To help keep an eye on your network while you're off fire-fighting, or to get a high-level view of network performance for use at an upcoming meeting, you can set EtherPeek to automatically generate statistical reports in HTML format.

The Statistics menu's HTML Output command lets you configure the frequency with which these reports are generated, the directory where the output files are placed, and a directory of report generation templates. EtherPeek generates Protocol Statistics and Node Statistics reports, plus a summary report that provides general information about all of the traffic on your network. The Protocol and Nodes Statistics reports exactly match the current view in the windows on your screen. For example, if you've collapsed or sorted families within the Protocol Statistics window, the reports generated by EtherPeek are collapsed or sorted in the same way.

Documentation

EtherPeek is a rarity among modern software packages because it comes with a well written, printed manual. You should think twice before buying a diagnostic tool that only comes with PDF manuals or other online documentation. Online documents can be tricky to access when you're experiencing hardware problems. EtherPeek's documentation not only explains the buttons and how to use the dialogs, but also includes multiple examples of how to use EtherPeek to monitor your network and troubleshoot various types of problems. If you are new to network troubleshooting, need some suggestions or just want a sanity check of your own approaches to troubleshooting, this information is invaluable.

Diagnosing the Diagnostics

Diagnostic tools are a tough business because they have to provide useful information when things are going well, handle anomalous events with ease, and provide information about those anomalies in a useful form. The last thing you need when experiencing a network problem is to have problems with your diagnostic software. Luckily, when testing EtherPeek, I got a first-hand opportunity to submit a problem report and watch AG Group's customer support staff in action.

One of the systems on my test network dual-boots Windows 98 and the BeOS. The BeOS is somewhat picky about Ethernet card support, so I have two network cards in the machine, one for each operating system with the other disabled by that operating system. When the machine comes up, the hub to which these cards is connected erupts in a flood of blinking lights, indicating chatter between the two cards until the OS de jour shuts down one of them. A perfect test! I started EtherPeek on a Mac, opened a packet capture window, and then fired up the dual-boot system and let the chattering begin.

Within seconds, the Protocol Statistics window had reported over 4000 different detected protocols , a big change from the 30 or so seen in normal circumstances. Each of the bogus protocols had a name of the form ETHER-XX-XX, where X was a hex digit. Capturing all of these packets also brought the Mac to its knees. The only way I could successfully stop the capture and save the contents of the capture buffer was to turn on continuous logging to disk and shut down the BeOS/Win98 box a second or two after turning it on. Looking at the capture buffer, I could see that one of the cards was sending thousands of undersized and otherwise bogus packets.

AG Group's customer support was quick to tell me that the ETHER-XX-XX packets meant that the value in the type field for those packets was not a known protocol type. They also explained how to set up an Advanced Filter to ignore undefined packet types, and even offered me a copy of an incremental release of EtherPeek with some new features to improve performance in heavy traffic situations, such as mine. (Coming soon to the next version of EtherPeek!) Admittedly, I identified myself as someone who was reviewing their software and thus your mileage may vary. The speed with which they responded and the quality of their response meant that the support person I contacted actually understood both their software and networking in general.

Diagnostic tools can't fix hardware problems, but they can tell you when to punt a cheap network card. In a real business situation, my NIC could have caused real performance problems for other users. Final score: cheap NIC, 0, EtherPeek and AG Group's support staff, 10.

Conclusion

Network problems are hard to identify and often harder to track down to a specific host or network device. EtherPeek simplifies network troubleshooting by providing excellent packet capture and analysis capabilities within a powerful, well-designed graphical interface. If you manage a network, EtherPeek provides the capabilities and features you need. If you are in the network driver or network software business, EtherPeek should be a fundamental part of your arsenal of debugging and verification tools. Beyond simply diagnosing problems, EtherPeek is also an excellent tool for enhancing network performance by identifying local network traffic that you can isolate, and by helping you eliminate wasted traffic or questionable hardware.

EtherPeek can turn any Mac on your network into a powerful network debugging and monitoring station capable of extracting admiration and sysadmin envy from even the most hardened UNIX geek. If your organization doesn't already have Macs, EtherPeek might just be the best argument you could offer for buying one. If you don't have Macs and your management won't let you buy a superior machine, EtherPeek is also available for Windows systems.


Bill von Hagen is a writer, computer system administrator, and the author of "SGML for Dummies." You can contact him at wvh@gethip.com.

 
AAPL
$100.40
Apple Inc.
-0.13
MSFT
$45.10
Microsoft Corpora
-0.23
GOOG
$583.91
Google Inc.
-2.95

MacTech Search:
Community Search:

Software Updates via MacUpdate

Parallels Desktop 10.0 - Run Windows app...
Parallels Desktop is simply the world's bestselling, top-rated, and most trusted solution for running Windows applications on your Mac. With Parallels Desktop for Mac, you can seamlessly run both... Read more
Chromium 36.0.1985.143 - Fast and stable...
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all Internet users to experience the web. FreeSMUG-Free OpenSource Mac User Group build is... Read more
Macgo Blu-ray Player 2.10.6.1691 - Blu-r...
Macgo Mac Blu-ray Player can bring you the most unforgettable Blu-ray experience on your Mac. Overview Macgo Mac Blu-ray Player can satisfy just about every need you could possibly have in a Blu-ray... Read more
Apple Motion 5.1.2 - Create and customiz...
Apple Motion is designed for video editors, Motion 5 lets you customize Final Cut Pro titles, transitions, and effects. Or create your own dazzling animations in 2D or 3D space, with real-time... Read more
A Better Finder Rename 9.39 - File, phot...
A Better Finder Rename is the most complete renaming solution available on the market today. That's why, since 1996, tens of thousands of hobbyists, professionals and businesses depend on A Better... Read more
PopChar X 6.6 - Floating window shows av...
PopChar X helps you get the most out of your font collection. With its crystal-clear interface, PopChar X provides a frustration-free way to access any font's special characters. Expanded... Read more
MacUpdate Desktop 6.0.2 - Install Mac ap...
MacUpdate Desktop 6 brings seamless 1-click installs and version updates to your Mac. With a free MacUpdate account and MacUpdate Desktop 6, Mac users can now install almost any Mac app on macupdate.... Read more
PDFpenPro 6.3.2 - Advanced PDF toolkit f...
PDFpenPro allows users to edit PDF's easily. Add text, images and signatures. Fill out PDF forms. Merge or split PDF documents. Reorder and delete pages. Even correct text and edit graphics! Create... Read more
PDFpen 6.3.2 - Edit and annotate PDFs wi...
PDFpen allows users to easily edit PDF's. Add text, images and signatures. Fill out PDF forms. Merge or split PDF documents. Reorder and delete pages. Even correct text and edit graphics! Features... Read more
OS X Yosemite 10.10 DP6 - Developer Prev...
Note: This is a Developer Preview. You must be a registered Apple Mac Developer to download this update. You can also sign up for the free OS X Beta Program to download and preview public beta... Read more

Latest Forum Discussions

See All

One Tap RPG Review
One Tap RPG Review By Campbell Bird on August 20th, 2014 Our Rating: :: DUNGEON SLIDERUniversal App - Designed for iPhone and iPad This casual arcade game introduces some very light rpg elements into its fantasy-themed pachinko... | Read more »
Goodbye Paywall – Table Tennis Touch Eli...
Goodbye Paywall – Table Tennis Touch Eliminates In-App Purchases Posted by Jessica Fisher on August 20th, 2014 [ permalink ] | Read more »
Go to Bed – An Interview With Touchfight...
Touchfight Games is an exciting new indie studio that was co-formed between game journalist and author Nathan Meunier, artist Leonard Kenyon, and programmer Jon Kenyon. Their debut game Go To Bed will be released this fall, and with all the... | Read more »
Assault Vector Review
Assault Vector Review By Rob Thomas on August 19th, 2014 Our Rating: :: SIMPLE STRATEGYUniversal App - Designed for iPhone and iPad While this hex-based warp ride is fine in theory, Assault Vector is a bit too simple to be... | Read more »
Tom Hanks’ Hanx Writer has Taken the App...
Tom Hanks’ Hanx Writer has Taken the App Store by Storm Posted by Jessica Fisher on August 19th, 2014 [ permalink ] iPad Only App - Designed for the iPad | Read more »
It Came from Canada: Galaxy Dash
With its use of well-established tropes like endless flying and sci-fi space shooting, the upcoming Galaxy Dash: Race to the Outer Run most likely won’t confound expectations. However, with its robust amount of opportunities for fun player... | Read more »
PromptSmart Review
PromptSmart Review By Jennifer Allen on August 19th, 2014 Our Rating: :: SNAPPY SPEECHGIVINGUniversal App - Designed for iPhone and iPad Offering you a teleprompter in your pocket, PromptSmart is immensely helpful for those who do... | Read more »
The Firm (Games)
The Firm 1 Device: iOS iPhone Category: Games Price: $.99, Version: 1 (iTunes) Description: *** LIMITED TIME LAUNCH OFFER -50% ! *** "The Firm is one of those games that looks so easy on the surface, but it's actually like a cerebral... | Read more »
They Need To Be Fed 3 (Games)
They Need To Be Fed 3 1.0.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0.0 (iTunes) Description: 360 degree gravity platforming is back! Run, jump, collect, avoid enemies and feed yourself to the monster at the... | Read more »
Who Wore it Best? Phantom Flower vs. And...
Who Wore it Best? takes a break from all the bloodshed to check out two decidedly tranquil and nature-loving puzzles games: Phantom Flower and And Then it Rained. [ Who Wore it Best? Phantom Flower vs. And Then it Rained is a post from... | Read more »

Price Scanner via MacPrices.net

Best Buy’s College Student Deals: $100 off Ma...
Take an additional $100 off all MacBooks and iMacs, $50 off iPad Airs and iPad minis, at Best Buy Online with their College Students Deals Savings, valid through September 6th. Anyone with a valid .... Read more
MacBook Airs on sale for $100 off MSRP, free...
B&H Photo has three 2014 MacBook Airs on sale for $100 off MSRP. Shipping is free, and B&H charges NY sales tax only. They also include free copies of Parallels Desktop and LoJack for Laptops... Read more
Razer Taipan Mouse For Gamers And Non-Gamers...
If you’re a serious gamer on either Mac or Windows PCs, a serious gaming mouse is a necessity for first-tier performance. However, even if like me you’re not much of a gamer, there’s still a strong... Read more
15-inch 2.2GHz MacBook Pro on sale for $1899,...
Adorama has the new 15″ 2.2GHz Retina MacBook Pro on sale for $1899 including free shipping plus NY & NJ sales tax only. Their price is $100 off MSRP, and it’s the lowest price available for this... Read more
Mid-Size Tablet Shootout Posted: iPad mini wi...
I ‘m curious about how many iPads Apple is actually selling these days. It’s been widely rumored and anticipated that new models with A8 SoCs, 2 GB of RAM, 8 megapixel cameras, and fingerprint... Read more
The 15 Biggest iPad Air Problems And How To A...
What’s this? Fifteen “biggest” problems with the iPad Air? Does that mean there are a lot of smaller problems as well? Say it isn’t so! My old iPad 2 has manifested no hardware problems in three... Read more
TYLT Syncable-Duo, 2-in-1 USB Cable With Appl...
TYLT has introduced the Syncable-Duo, a universal cable solution for charging and syncing data to smartphones and tablets. The Syncable-Duo eliminates the need for multiple cables by incorporating... Read more
Save up to $140 off MSRP with Apple refurbish...
Apple is offering Certified Refurbished iPad Airs for up to $140 off MSRP. Apple’s one-year warranty is included with each model, and shipping is free. Stock tends to come and go with some of these... Read more
2.5GHz Mac mini on sale for $549, save $50
B&H Photo has the 2.5GHz Mac mini on sale for $549.99 including free shipping. That’s $50 off MSRP, and B&H will also include a free copy of Parallels Desktop software. NY sales tax only. Read more
Chromebooks Are Actually Sometimes A Better C...
Mac360′s Kate MacKenzie notes that when Steve Jobs announced the post-PC era, he was assuming that the dominant post-PC device would be the iPad he was unveiling, or another Apple product like the... Read more

Jobs Board

Position Opening at *Apple* - Apple (United...
**Job Summary** Being a Business Manager at an Apple Store means you're the catalyst for businesses to discover and leverage the power, ease, and flexibility of Apple Read more
Position Opening at *Apple* - Apple (United...
**Job Summary** At the Apple Store, you connect business professionals and entrepreneurs with the tools they need in order to put Apple solutions to work in their Read more
Project Manager / Business Analyst, WW *Appl...
…a senior project manager / business analyst to work within our Worldwide Apple Fulfillment Operations and the Business Process Re-engineering team. This role will work Read more
Position Opening at *Apple* - Apple (United...
**Job Summary** As businesses discover the power of Apple computers and mobile devices, it's your job - as a Solutions Engineer - to show them how to introduce these Read more
Position Opening at *Apple* - Apple (United...
**Job Summary** As more and more people discover Apple , they visit our stores seeking ways to incorporate our products into their lives. It's your job, as a Store Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.