TweetFollow Us on Twitter

EtherPeek Microscope

Volume Number: 16 (2000)
Issue Number: 3
Column Tag: Tools of the Trade

Put Your Network Under a Microscope with EtherPeek

by Bill von Hagen

Better living through network analysis software

Networking is arguably the most important innovation in modern computing. Networks are the backbones of most corporate and academic computing environments, plus access to the Internet is the most common reason for home computer purchases today. Unfortunately, diagnosing and resolving network problems poses a special set of headaches for system and network administrators. Bad network interface cards (NICs), bad connections, bad hubs, gateways, routers, or simply bad software can cause network problems.

It wasn't that long ago that the first line of defense for network problems was an armada of scopes, line testers, and other medieval devices to help track down the source of a problem. If the source of the problem was a computer system, system administrators could begin verifying the system's hardware, configuration, network software, and then make coffee and exchange hex dumps of network packets all night long. The next advance in network problem analysis was dedicated portable hardware that you could attach to your network at any suspected trouble spot. Often laptops running specialized software for capturing and analyzing network traffic were used. This is still a practical, sometimes necessary, option for organizations with extremely specialized needs (and unlimited budgets).

A more practical option is to buy EtherPeek, put if on a dedicated Mac, and dare problems to occur on your network segment. EtherPeek is a great example of just how much software can do to provide a comprehensive, understandable view of exactly what is happening on a network or network segment. EtherPeek makes it easy to identify and track down network problems before they bring your network to its knees. EtherPeek can also help you improve network performance by identifying hotspots or unnecessary network communication. It can identify abnormal traffic patterns and performance bottlenecks, and help you limit specific types of traffic to certain subnets by selecting systems to group on their own LAN segments. EtherPeek can also help you identify and eliminate unnecessary network communication, such as systems broadcasting or exporting network protocols that you don't use, increasing the bandwidth for the network communication that you actually want to take place on your network.

EtherPeek should only be installed on secure systems or servers to which access is restricted. It obtains the information it uses to analyze your network through what is called "packet sniffing." It grabs a copy of every network information unit (packet) on your network as it goes past, regardless of the system or network address they're intended for. (Ethernet interfaces normally only accept packets that are intended for their hardware address.) Packet sniffing is the most common way for hackers (or whatever term you prefer) to obtain logins, passwords, and other supposedly secure information by eavesdropping on network communication. General Network Diagnostics

EtherPeek provides a number of floating diagnostic windows that enable you to monitor the general performance and status of a network while you use its integrated capture and analysis commands to examine selected portions of those communications. When you first start EtherPeek, it displays a dialog in which you select the network interface that you want to monitor. After you select the appropriate network interface, you should also use the Capture menu's Network Speed command to verify that EtherPeek has detected the correct speed of your network (10 MB, 100 MB, or a custom OTHER setting). Correct this setting if necessary.

EtherPeek then displays a Network Statistics window that provides summary information about the amount of traffic on your network. It uses a speedometer/tachometer display to show network utilization and traffic at the current moment.

Once you're sure that you have EtherPeek listening on the correct network interface, the fun begins. First, obtain a summary of the network protocols that are in use on your network. Select the Statistics menu's Protocols command that displays a Protocol Analysis window. Protocol Analysis provides a constantly updated summary of the protocols in use on your network, grouping families of protocols together under their parent protocols. The Protocol Statistics window samples the packets on the selected network interface at a configurable rate ranging from every second to every ten minutes, and displays a running histogram of the percentage of different protocols and packet types seen on your network.

Figure 1 shows the Protocol Statistics window on a simple network where all of the current traffic consists of TCP/IP protocols such as, secure HTTP, and TELNET. This is the sort of display that you would see on a network composed primarily of UNIX systems, where none of the standard Apple or Microsoft protocols are being used.


Figure 1.The Protocol Statistics Window.

To watch a specific family of protocols, click on the arrowhead beside other family names to hide the protocols in those families, which helps you focus on those that you are specifically interested. Figure 2 shows a Protocol Statistics window after bringing up a PC with AppleTalk support on the same network, with all of the Ethernet Type 2 protocols collapsed. This shows Apple's AppleTalk protocol, the standard PC networking protocols (IPX, IPX-LSAP, NetBEUI/NetBios), and the Datagrams associated with PC Server Message Block (SMB) file and device sharing.


Figure 2.Protocol Statistics Window With Additional Protocols.

All of EtherPeek's statistics windows can be sorted by any field, just click on the heading for that field; this is a very nice feature. For example, you could click the Bytes header in the Protocol Statistics window to sort its contents by the number of bytes being sent within each protocol family. This makes it easy to see the heaviest used protocols on your network.

Protocol statistics can be quite useful to identify the types of traffic going out over your network and the amount of traffic using each protocol, but don't provide detailed information about the systems between which that traffic is taking place. The Statistics menu's Nodes command displays that information. Each host that is communicating on your network is identified by its MAC address, which is the unique hardware address of an Ethernet card. To make this information useful, each MAC address is followed by each protocol family address that communicates using that hardware address. Figure 3 shows a sample Node Statistics window in which you can see that the MAC address 00:00:94:B5:72:A5 is receiving IP packets as the address 192.168.6.85, while the MAC address 00:00:C0:8C:CE:92 is handling both the AppleTalk address AT-65339.7 and the IP address 192.168.6.95.


Figure 3.The Node Statistics Window.

The Node Statistics window makes it easy to verify which hosts are communicating on your network, which protocols they're using, and the amount of traffic to and from each node. This can be very useful in identifying whether heavy network users are using the recommended protocols. For example, many UNIX sites use software or special hardware that enables them to use AppleTalk over IP to spool print jobs from print servers to Apple LaserWriters on their networks. Any Macintosh on the same network can print directly to a LaserWriter by simply selecting it from the Chooser, which would disrupt or suspend the UNIX print spooling and would not be logged by the UNIX spooling software. On primarily UNIX networks, you could easily spot this sort of disruption by watching for any hosts that are not print servers but which are sending lots of AppleTalk traffic.

Identifying certain types of traffic can be useful, but the ability to identify the systems between which that traffic is flowing is usually more important in identifying performance problems. Select the Statistics menu's Conversation command to display a Conversation Statistics window that provides a summary of all communications between different network addresses. As shown in Figure 4, the Conversation Statistics window displays the source and destination nodes for each network conversation, the number of packets exchanged by those nodes, and the total number of bytes in those conversations. The Conversation Statistics window is updated every 5 seconds, by default, but you can change the update rate to any value between 5 seconds and one hour.


Figure 4.The Conversation Statistics Window.

Capturing and Analyzing Packets

EtherPeek's various statistics windows give you a great high-level picture of your network, but diagnosing actual network problems requires more information than summaries and reports can provide. EtherPeek enables you to capture a stream of packets and examine them in detail, so it is easy for you to actually see problems .

To capture packets, Select the File menu's New option to display the Capture Buffer Options dialog. The Capture Buffer Options dialog lets you define various options for the buffer in which EtherPeek temporarily stores any captured packets . Next click the Continuous Capture option and click OK. Once a packet capture window displays, you click the Start Capture button to actually start capturing packets. Figure 5 shows a sample capture window containing traffic between hosts on a local network and actual Internet hosts.


Figure 5.A Packet Capture Window.

Whenever possible, the packet capture window automatically uses DNS to resolve IP addresses into actual host names. Figure 5 shows both IP addresses and host names because some of the systems on the test network use private IP addresses that can't be resolved through a global DNS server.

At any time during or after completing a packet capture session, you can examine the contents of a captured packet in more detail. Just double-click the packet you want to examine. This displays a window that provides detailed information about that packet, as shown in Figure 6.


Figure 6.Captured Packet Details.

The detail window shows the contents of the selected packet, its header, and the actual contents of the packet in hexadecimal. You can click on any of the details shown in the top portion of a packet detail window to highlight the associated raw packet data.

Once you've captured the information you need, click the Stop Capture button to terminate the packet capture session. At this point, you can begin debugging or save the contents of the capture window for future analysis using the File menu's Save command.

Using Packet Filters

Capturing a constant stream of packets is a great diagnostic if you're examining general networking issues, but may often provide more information that you need. To limit captured packets, EtherPeek lets you create filters that identify the packets that you actually want to see. EtherPeek supports two classes of packet filters - simple filters let you capture packets based on specific parts of their header, and advanced filters let you create complex Boolean expressions based on header information or packet content. Figure 7 shows EtherPeek's simple filter definition window.


Figure 7.The Edit Filter Dialog.

EtherPeek's simple filters let you restrict the captured packets based on their source address, protocol family, or the port to which they are addressed. Port filtering is a great feature when trying to debug network problems related to a service such as FTP, Telnet, or Sendmail that uses a specific port.

EtherPeek's advanced filters let you define filters using Boolean combinations of the source address, protocol family, target port, packet value, packet contents, packet length, or different packet errors. Packet content filters are especially useful when watching for network attacks. You can limit the captured packets to those that contain specific string values, such as the password packets used by the TELNET and FTP protocols.

Automating Your Network Debugging

Although EtherPeek's filters make it easy to capture selected types of traffic in separate capture windows, constantly scanning a large number of open capture windows can be confusing. A better approach to look for specific events is to have EtherPeek automatically perform some action whenever the event occurs, such as beginning a packet capture session or logging a message. EtherPeek provides three general ways of programming to automatically react to specific network events: Triggers, plug-ins, and notifications.

Triggers let you start or stop capturing packets at specific times or when specific network events occur, based on user defined filters. Time triggers make it easy for you to automatically snapshot network traffic associated with regularly scheduled events such as network backups or automatic system reboots. These are especially handy when you need to capture traffic snapshots for tasks scheduled at off-peak times, such as 4 AM, when you might prefer to be home sleeping. Filter triggers begin or end a packet capture session whenever the conditions defined in a specific filter are met.

Plug-ins are EtherPeek's most powerful method of reacting to specific events. Plug-ins are external modules that perform detailed packet analysis and constantly monitor all seen packets . EtherPeek comes with a number of plug-ins that perform tasks such as, looking for duplicate IP addresses, watching for specific types of network attacks, and analyzing FTP, NetWare, and SMTP (email) traffic. Once enabled, plug-ins are globally active; that means the traffic being captured by a filter trigger can be simultaneously analyzed by any number of plug-ins.

Both triggers and plug-ins have associated severity levels, which make it easy to integrate them with EtherPeek's notifications. Notifications are actions that you associate with specific events in EtherPeek, and consist of any of five different actions. You can log messages to EtherPeek's log file, be paged (if you're using supported paging server software, which is currently PageNOW!), be sent email, use the Speech Manager to announce the event, or launch an AppleScript that you create to do anything you want. Notifications also have associated severity levels: informational, minor, major, and severe. makes It is easy to create notifications with your own names, select the action you want to associated with them, and associate them with a specific severity level in EtherPeek's Notifications dialog . After notifications have been defined, any trigger or plug-in with a specific security level automatically triggers any notifications associated with that severity level. By default, EtherPeek comes with one predefined notification associated with all four severity levels - logging messages to its log file.

Generating Reports

System and network administrators rarely have the luxury of sitting at a desk to just monitor EtherPeek statistics windows. Today's networked computing environments require office to office or wiring closet to wiring closet travel, software and hardware installation and , or simply debugging user problems. To help keep an eye on your network while you're off fire-fighting, or to get a high-level view of network performance for use at an upcoming meeting, you can set EtherPeek to automatically generate statistical reports in HTML format.

The Statistics menu's HTML Output command lets you configure the frequency with which these reports are generated, the directory where the output files are placed, and a directory of report generation templates. EtherPeek generates Protocol Statistics and Node Statistics reports, plus a summary report that provides general information about all of the traffic on your network. The Protocol and Nodes Statistics reports exactly match the current view in the windows on your screen. For example, if you've collapsed or sorted families within the Protocol Statistics window, the reports generated by EtherPeek are collapsed or sorted in the same way.

Documentation

EtherPeek is a rarity among modern software packages because it comes with a well written, printed manual. You should think twice before buying a diagnostic tool that only comes with PDF manuals or other online documentation. Online documents can be tricky to access when you're experiencing hardware problems. EtherPeek's documentation not only explains the buttons and how to use the dialogs, but also includes multiple examples of how to use EtherPeek to monitor your network and troubleshoot various types of problems. If you are new to network troubleshooting, need some suggestions or just want a sanity check of your own approaches to troubleshooting, this information is invaluable.

Diagnosing the Diagnostics

Diagnostic tools are a tough business because they have to provide useful information when things are going well, handle anomalous events with ease, and provide information about those anomalies in a useful form. The last thing you need when experiencing a network problem is to have problems with your diagnostic software. Luckily, when testing EtherPeek, I got a first-hand opportunity to submit a problem report and watch AG Group's customer support staff in action.

One of the systems on my test network dual-boots Windows 98 and the BeOS. The BeOS is somewhat picky about Ethernet card support, so I have two network cards in the machine, one for each operating system with the other disabled by that operating system. When the machine comes up, the hub to which these cards is connected erupts in a flood of blinking lights, indicating chatter between the two cards until the OS de jour shuts down one of them. A perfect test! I started EtherPeek on a Mac, opened a packet capture window, and then fired up the dual-boot system and let the chattering begin.

Within seconds, the Protocol Statistics window had reported over 4000 different detected protocols , a big change from the 30 or so seen in normal circumstances. Each of the bogus protocols had a name of the form ETHER-XX-XX, where X was a hex digit. Capturing all of these packets also brought the Mac to its knees. The only way I could successfully stop the capture and save the contents of the capture buffer was to turn on continuous logging to disk and shut down the BeOS/Win98 box a second or two after turning it on. Looking at the capture buffer, I could see that one of the cards was sending thousands of undersized and otherwise bogus packets.

AG Group's customer support was quick to tell me that the ETHER-XX-XX packets meant that the value in the type field for those packets was not a known protocol type. They also explained how to set up an Advanced Filter to ignore undefined packet types, and even offered me a copy of an incremental release of EtherPeek with some new features to improve performance in heavy traffic situations, such as mine. (Coming soon to the next version of EtherPeek!) Admittedly, I identified myself as someone who was reviewing their software and thus your mileage may vary. The speed with which they responded and the quality of their response meant that the support person I contacted actually understood both their software and networking in general.

Diagnostic tools can't fix hardware problems, but they can tell you when to punt a cheap network card. In a real business situation, my NIC could have caused real performance problems for other users. Final score: cheap NIC, 0, EtherPeek and AG Group's support staff, 10.

Conclusion

Network problems are hard to identify and often harder to track down to a specific host or network device. EtherPeek simplifies network troubleshooting by providing excellent packet capture and analysis capabilities within a powerful, well-designed graphical interface. If you manage a network, EtherPeek provides the capabilities and features you need. If you are in the network driver or network software business, EtherPeek should be a fundamental part of your arsenal of debugging and verification tools. Beyond simply diagnosing problems, EtherPeek is also an excellent tool for enhancing network performance by identifying local network traffic that you can isolate, and by helping you eliminate wasted traffic or questionable hardware.

EtherPeek can turn any Mac on your network into a powerful network debugging and monitoring station capable of extracting admiration and sysadmin envy from even the most hardened UNIX geek. If your organization doesn't already have Macs, EtherPeek might just be the best argument you could offer for buying one. If you don't have Macs and your management won't let you buy a superior machine, EtherPeek is also available for Windows systems.


Bill von Hagen is a writer, computer system administrator, and the author of "SGML for Dummies." You can contact him at wvh@gethip.com.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

DiskCatalogMaker 6.4.12 - Catalog your d...
DiskCatalogMaker is a simple disk management tool which catalogs disks. Simple, light-weight, and fast. Finder-like intuitive look and feel. Super-fast search algorithm. Can compress catalog data... Read more
Macs Fan Control 1.3.0.0 - Monitor and c...
Macs Fan Control allows you to monitor and control almost any aspect of your computer's fans, with support for controlling fan speed, temperature sensors pane, menu-bar icon, and autostart with... Read more
Lyn 1.5.11 - Lightweight image browser a...
Lyn is a lightweight and fast image browser and viewer designed for photographers, graphic artists and Web designers. Featuring an extremely versatile and aesthetically pleasing interface, it... Read more
NeoOffice 2014.11 - Mac-tailored, OpenOf...
NeoOffice is a complete office suite for OS X. With NeoOffice, users can view, edit, and save OpenOffice documents, PDF files, and most Microsoft Word, Excel, and PowerPoint documents. NeoOffice 3.x... Read more
LaunchBar 6.4 - Powerful file/URL/email...
LaunchBar is an award-winning productivity utility that offers an amazingly intuitive and efficient way to search and access any kind of information stored on your computer or on the Web. It provides... Read more
Remotix 3.1.4 - Access all your computer...
Remotix is a fast and powerful application to easily access multiple Macs (and PCs) from your own Mac. Features Complete Apple Screen Sharing support - including Mac OS X login, clipboard... Read more
DesktopLyrics 2.6.6 - Displays current i...
DesktopLyrics is an application that displays the lyrics of the song currently playing in "iTunes" right on your desktop. The lyrics for the song have to be set in iTunes; DesktopLyrics does nothing... Read more
VOX 2.5.1 - Music player that supports m...
VOX is a beautiful music player that supports many filetypes. The beauty is in its simplicity, yet behind the minimal exterior lies a powerful music player with a ton of features and support for all... Read more
NetNewsWire 4.0.0 - RSS and Atom news re...
NetNewsWire is the best way to keep up with the sites and authors you read most regularly. Let NetNewsWire pull down the latest articles, and read them in a distraction-free and Mac-like way. Native... Read more
MacUpdate Desktop 6.0.6 - Search and ins...
MacUpdate Desktop 6 brings seamless 1-click installs and version updates to your Mac. With a free MacUpdate account and MacUpdate Desktop 6, Mac users can now install almost any Mac app on macupdate.... Read more

Biz Builder Delux (Games)
Biz Builder Delux 1.0.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0.0 (iTunes) Description: Ah, there's nothing like the rhythmic bustle of a burgeoning business burg... especially when you're the one building it... | Read more »
Auroch Digital is Bringing Back Games Wo...
| Read more »
Carbo - Handwriting in the Digital Age...
Carbo - Handwriting in the Digital Age 1.0 Device: iOS Universal Category: Productivity Price: $3.99, Version: 1.0 (iTunes) Description: | Read more »
Draggy Dead (Games)
Draggy Dead 1.1 Device: iOS Universal Category: Games Price: $.99, Version: 1.1 (iTunes) Description: Ditch your dead end job and take up a rewarding career in Grave Robbing today!Guide the recently deceased to a fun filled life of... | Read more »
Bad Dinos (Games)
Bad Dinos 1.0.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0.0 (iTunes) Description: | Read more »
The Apple Watch isn't Great as a Fi...
| Read more »
Show the World What You See With Stre.am...
Live broadcasting is getting popular on mobile devices, which is why you can now get Stre.am, by Infinite Takes. [Read more] | Read more »
PhotoTime's 2.1 Update Adds Apple W...
The latest PhotoTime update is adding even more functionality to the handy photo organizing app. Yep, including Apple Watch support. [Read more] | Read more »
Oh My Glob! Adventure Time Puzzle Quest...
Finn and Jake are taking over D3 Go!'s popular puzzle game series in the upcoming Adventure Time Puzzle Quest. [Read more] | Read more »
Earthcore: Shattered Elements - Tips, Tr...
At first glance, Earthcore: Shattered Elements seems like a rather simple card-battling game. Once you’re introduced to skills that will change quite a bit. Even more so once you start to acquire hero cards. But it’s not so complicated that we... | Read more »

Price Scanner via MacPrices.net

OtterBox Maximizes Portability, Productivity...
From the kitchen recipe book to the boarsroom presentation, the OtterBox Agility Tablet System turns tablets into one of the most versatile pieces of handheld technology available. Available now, the... Read more
Launch of New Car App Gallery and Open Develo...
Automatic, a company on a mission to bring the power of the Internet into every car, has announced the launch of the Automatic App Gallery, an app store for nearly every car or truck on the road... Read more
Memorial Day Weekend Sale: 13-inch 1.6GHz Mac...
Best Buy has the new 13″ 1.6GHz/128GB MacBook Air on sale for $849 on their online store this weekend. Choose free shipping or free local store pickup (if available). Sale price for online orders... Read more
Memorial Day Weekend Sale: 27-inch 3.5GHz 5K...
Best Buy has the 27″ 3.5GHz 5K iMac on sale for $2099.99 this weekend. Choose free shipping or free local store pickup (if available). Sale price for online orders only, in-store prices may vary.... Read more
Sale! 16GB iPad mini 3 for $349, save $50
B&H Photo has the 16GB iPad mini 3 WiFi on sale for $349 including free shipping plus NY sales tax only. Their price is $50 off MSRP, and it’s the lowest price available for this model. Read more
Price drop on 2014 15-inch Retina MacBook Pro...
B&H Photo has dropped prices on 2014 15″ Retina MacBook Pros by $200. Shipping is free, and B&H charges NY sales tax only: - 15″ 2.2GHz Retina MacBook Pro: $1799.99 save $200 - 15″ 2.5GHz... Read more
With a Mission to Make Mobile Free, Scratch W...
Scratch Wireless, claiming to be the world’s first truly free mobile service, has announced the availability of a new Scratch-enabled Android smartphone, the Coolpad Arise. The smartphone is equipped... Read more
First-Ever Titanium Alloy Curved iPhone 6 Scr...
One of the most common problems with mobile phones is damage to the screens. The slightest drop can cause a dreaded spider web of gashes and cracks in the glass panel surface that can cost $hundreds... Read more
Preorder new 12-inch MacBook, $10 off, save o...
Adorama has new 12″ Retina MacBooks available for preorder for $10 off MSRP including free shipping plus NY & NJ sales tax only. For a limited time, Adorama will include a free Apple USB-C to USB... Read more
Will iOS 9 Finally Bring Productivity Friendl...
Ah, the irony. From its original announcement in 2010, Apple has doggedly insisted that the iPad remain “simple,” thus arbitrarily limiting its considerable potential as a content creation and... Read more

Jobs Board

*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
Architect / Senior Software Engineer, *Apple...
Changing the world is all in a day039s work at Apple . If you love innovation, here039s your chance to make a career of it. You039ll work hard. But the job comes with Read more
*Apple* Solutions Consultant - Retail Sales...
**Job Summary** As an Apple Solutions Consultant (ASC) you are the link between our customers and our products. Your role is to drive the Apple business in a retail Read more
*Apple* Pay Support Readiness Project Manage...
Changing the world is all in a day039s work at Apple . If you love innovation, here039s your chance to make a career of it. You039ll work hard. But the job comes with Read more
*Apple* Solutions Consultant - Retail Sales...
**Job Summary** As an Apple Solutions Consultant (ASC) you are the link between our customers and our products. Your role is to drive the Apple business in a retail Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.