



 

Product Reviews
November 2000

 

Network Observer 7.0

Network Instruments, LLC
Fourth Floor
8800 West Highway Seven
Minneapolis, MN 55426 USA
Ph: 800-526-7919; Fax: 952-932-9545

Price: Basic Observer -- $995, Observer Suite (includes Observer with one local and one remote probe and the following extensions: Expert, SNMP, RMON, and WEB)

 

Editor's Choice Award

RATINGS (0-5)
Installation: 5
Documentation: 4.5
Features: 4.75
GUI: 4.75
Overall: A


The network or LAN has become a critical component of most businesses. Without a fully functioning LAN, services such as e-mail, Internet, file sharing, and even VoIP would not be possible. With the increasing importance and dependence on the LAN, monitoring the health and performance of the LAN by network administrators has become crucial. Network Instruments' Observer 7.0 is a software-based network analyzer that runs on Windows 95/98 as well as Windows NT/2000. Using Observer's many built-in network and troubleshooting utilities, a network administrator can monitor, track, or even capture network traffic for analysis. Observer 7.0 also features the ability to capture and decode H.323 VoIP traffic, which is useful for Internet telephony developers and service providers.

INSTALLATION
TMC Labs' experience with using network analyzers taught us that these software packages are often complex to install and set up. With that said, TMC Labs was very impressed with the ease of installation of the Observer software. We installed the main Observer program on a Compaq Proliant 550MHz with 128MB of RAM running Windows 2000. After the installation program was complete, a pop-up message told us to add the "VMONI1.SYS" protocol driver as a protocol under Windows 2000's network settings. After completing this task, a reboot was required. Once we rebooted and logged back in, we launched the Observer software and were able to quickly run several of the built-in utilities without even having to refer to the manual.

One final installation task involved installing a remote "probe" on a second LAN segment. "Probes" are used because by the very nature and design of networks, network analyzers cannot see network traffic on another LAN segment separated by a router. Installing a "probe" isn't required, but we wanted to test Observer's capability to analyze network traffic on at least two different LAN segments. (Observer can analyze up to 252 segments.)

Fortunately, TMC has two LAN segments since we have two office buildings connected via a leased T1 line. We could have set up a second test LAN segment in the lab, but it's always more interesting to test network analyzers with "real" network traffic.

Thus, we drove over to our corporate headquarters and hunted for a PC that we could install the remote probe onto. Within the MIS room we found several high-end PCs, all of which would have done nicely. We installed a "probe" on a Compaq Proliant 500MHz running Windows NT 4.0 with 128MB of RAM. The installation was so simple, one of the TMC Labs engineers said, "That's it? That's all we have to do?" A quick check of the Services revealed that the Network Instruments probe was indeed installed and running. But would the main Observer software "see" this remote probe? We anxiously anticipated whether this would work or not as we drove back to the labs. What we discovered is discussed in the Operational Testing section, but first, our analysis of Network Instruments' documentation.

DOCUMENTATION
The documentation consisted of a one-inch thick, soft-cover manual as well as a quick start guide. TMC Labs was very pleased with the documentation. First, we were very pleased that the main manual was just a single manual, instead of several separate manuals, which usually just adds to the confusion. The text used appropriate formatting and also included "call out" tips to assist the user. A table of contents, an index, and appropriate screenshots were all present within the manual. We also were impressed with the manual's step-by-step installation instructions for the various Windows environments (95/98/NT/2000).

The only flaw we found was in the online help file. While a lot of information is included in the online help file, it uses an older .HLP file format. Also, there were no clickable links within the help file to automatically bring us to where we needed to be. For example, we had difficulty finding where the VoIP Expert feature was located. We searched the online help, but the help file only described what VoIP Expert did and did not fully explain how to get to that feature. It would have been nice if a "link" were included that we could click on to bring us to the VoIP Expert screen. The ability to click on links within the help file will aid in navigating the software with the other features as well and we highly recommend implementing this feature in a future release.

FEATURES
Observer 7 features "What-If Live Modeling," which measures actual client/server conversations and peer-to-peer conversations, then plots possible response times, utilization, and packet flow scenarios. VoIP Expert is an interesting feature that reports and analyzes problems with VoIP/H.323 connections and determines at what level of network load H.323 conversations are exhibiting acceptable quality behavior.

Another nice feature is the "Expert Summary Displays," which display error events in a single, concise display. For connection-oriented problems, a simple double-click "drills down" for further analysis. IT managers will love the built-in Web server that allows them to remotely run reports and monitor network performance without having to be in the office.

Other features include:

  • Network Activity Display -- Shows critical network utilization and broadcast information graphed against a traffic reference line. This display can show you the health of a LAN at a glance and can warn of impending slowdowns due to broadcast or multicast storms.
  • Triggers and Alarms with integration to SNMP.
  • Efficiency History -- Used to grade your segment's capacity to carry data. By comparing a result to previous results, you can quickly determine network trends or judge the effect of a change to the network.
  • Traffic Generator -- Allows you to stress your segment by generating generic broadcast traffic, source- or destination-specific generic traffic, or protocol-specific traffic for stressing a specific device or group of devices.
  • Internet Observer -- Used to keep track of a user's Internet usage. Views are available for sites that use DHCP, and sites that share a router on a corporate backbone.
  • Protocol Distribution -- Displays how your traffic is divided between the different protocols (IP, IPX, NetBeui) active on your network.

OPERATIONAL TESTING
As previously stated in the Installation section, we had just installed the remote probe in our corporate headquarters and then returned to the lab to see if the main Observer program could "see" the remote probe. We had left the Observer program running, so we were a bit surprised that when we turned on the computer monitor, we could see a new "entry" called "Probe0001" within Observer. This makes perfectly good sense, since it would be a poor design decision to have to close Observer and re-open it in order to view any new remote probes added to remote LAN segments. If we did have to close the program, this would affect the statistics as well as prevent some packets from being captured by the Observer program. Thus, TMC Labs gives Network Instruments high marks for this design.

In any event, we clicked on the remote probe and then ran the "Top Talkers" network utility. Sure enough, we started to see network statistics coming from the remote corporate headquarters LAN segment. Success! Although we have tested network analyzers in the past, it was still pretty neat to be able to see statistics and network traffic on a remote LAN segment. The Top Talkers utility shows all stations on the LAN (subject to any filter criteria which we can specify) and the Broadcast/Multicast statistics. In addition, it provides detailed traffic flow statistics that can show a "bandwidth hog," a broadcast/multicast storm, or an unbalanced switch. In addition to numerical values, a graphical representation (bar) is also available to visually inspect who are the "top talkers" on the network.

One of the first utilities we ran was the "Discover Network Names." This utility captures all network addresses on the segment, stores them in the filter table, and automatically assigns them aliases. You can assign a name to a network address or use the IP address, DNS name, NetWare login name, or Microsoft network login name. After storing the network names, you can use the stored names in all your queries.

We also ran Internet Observer, which displays the Web sites that are visited by users on your LAN. This can be used to determine who is using an exorbitant amount of Internet bandwidth or whether it's time to buy a bigger Internet pipe. Other utilities could also be executed simultaneously, resulting in interesting graphs and readouts.

In any of the network modes or utilities that we tested, we were able to sort on any column we wished simply by clicking on the column heading, which certainly was a useful feature. Another important feature of the Observer software is that it supports both "shared" (hubs) networks as well as "switched" (switches) networks. In the case of a "switched" network environment, Observer requires that the switch(es) support both port mirroring (sometimes called "port monitor" or "port spanning") and an SNMP or telnet interface to control the management options of the switch. In the case of a "shared" network environment, because all the packets are sent across the entire network to every NIC device, Observer is able to see each and every packet.

TMC Labs liked Observer's ability to analyze H.323 VoIP traffic with its VoIP Expert module, although it did take us a while to figure out how to find the VoIP Expert module. The online help and documentation weren't much help in finding it either. Eventually, we found the VoIP module as part of "Decode and Analysis" within the Packet Capture module. We should point out that VoIP uses RTP (Real-time Transport Protocol), a UDP-based protocol for the transmission of real-time data, for use in such applications as streaming audio and video conferencing. While RTP packets contain the actual real-time data, the protocol is accompanied by RTCP (Real-time Transport Control Protocol), which is used to send information about the data being transferred: the number of packets sent and received, the identities of the stations involved in the conversation, and so forth. By analyzing an RTCP conversation and then using it to interpret the RTP data, we could use Observer's VoIP Expert to diagnose problems in a VoIP or other RTP/RTCP session.
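The RTCP statistics described above, shown as an added example that is not part of the original review and is not Observer's code: a Python parser that walks a compound RTCP packet (field layout per RFC 3550) and extracts the sender's packet counts, the loss and jitter report, and the station's CNAME. The sample packet, its SSRC values and the CNAME are constructed for illustration.

```python
import struct

def parse_rtcp(data):
    """Walk a compound RTCP packet; return SR/RR statistics and the SDES CNAME."""
    out, off = [], 0
    while off + 4 <= len(data):
        b0, pt, words = struct.unpack_from("!BBH", data, off)
        end = off + 4 * (words + 1)          # length field counts 32-bit words minus one
        if b0 >> 6 != 2 or end > len(data):
            raise ValueError(f"malformed RTCP packet at offset {off}")
        count, body = b0 & 0x1F, data[off + 4:end]
        if pt in (200, 201):                 # 200 = sender report, 201 = receiver report
            rec = {"type": "SR" if pt == 200 else "RR",
                   "ssrc": struct.unpack_from("!I", body)[0], "blocks": []}
            pos = 4
            if pt == 200:                    # sender info: NTP (2 words), RTP ts, counts
                rec["packets_sent"], rec["octets_sent"] = struct.unpack_from("!II", body, 16)
                pos = 24
            for _ in range(count):           # one report block per source being heard
                src, lost, seq, jitter = struct.unpack_from("!4I", body, pos)
                cum = lost & 0xFFFFFF        # cumulative loss is a signed 24-bit field
                rec["blocks"].append({
                    "source": src, "loss_pct": round((lost >> 24) * 100 / 256, 1),
                    "cum_lost": cum - (1 << 24) if cum & 0x800000 else cum,
                    "highest_seq": seq, "jitter": jitter})
                pos += 24
            out.append(rec)
        elif pt == 202 and count:            # SDES: only the first chunk is read here
            ssrc, pos = struct.unpack_from("!I", body)[0], 4
            while pos + 2 <= len(body) and body[pos] != 0:
                kind, n = body[pos], body[pos + 1]
                if kind == 1:                # item type 1 = CNAME (station identity)
                    name = body[pos + 2:pos + 2 + n].decode("ascii", "replace")
                    out.append({"type": "SDES", "ssrc": ssrc, "cname": name})
                pos += 2 + n
        off = end
    return out

def build_sample():
    """Constructed compound packet: SR with one report block, then SDES CNAME."""
    ssrc, peer, cname = 0x11223344, 0x55667788, b"alice@10.0.0.5"
    sr = struct.pack("!BBHI", 0x81, 200, 12, ssrc)
    sr += struct.pack("!5I", 0, 0, 160000, 1000, 24000)
    sr += struct.pack("!6I", peer, (26 << 24) | 50, 1050, 240, 0, 0)
    chunk = struct.pack("!I", ssrc) + bytes([1, len(cname)]) + cname + b"\x00"
    chunk += b"\x00" * (-len(chunk) % 4)     # pad the chunk to a 32-bit boundary
    sdes = struct.pack("!BBH", 0x81, 202, len(chunk) // 4) + chunk
    return sr + sdes

if __name__ == "__main__":
    for record in parse_rtcp(build_sample()):
        print(record)
```

Jitter is reported in RTP timestamp units, so converting it to milliseconds requires the codec's clock rate, which RTCP itself does not carry.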

We made some NetMeeting calls and then tested the Observer's ability to capture and decode the H.323 traffic. It performed without a hitch. We discovered an interesting feature within VoIP Expert that we did not see discussed in the manual. After capturing an H.323 NetMeeting call, we were able to go to the "UDP Events" screen, right-click on the "RTP/G.723" connection, select "Save/Play Audio..." and save the H.323 VoIP conversation to a WAV file! Thus, we were able to "spy" on any H.323 VoIP call on the network, record it and then play it back later.

The VoIP Expert displays H.323 conversational data in three separate graphs. The displays can be used to diagnose why a connection may be experiencing problems, or at what level of network load H.323 conversations exhibit acceptable quality behavior.

One of the other more interesting features we examined was Observer's ability to report on the various IP sub-protocols. This feature allows you to view how your IP traffic is divided between all port level services, that is, WWW, SQL, telnet, FTP, LPD/LPR, NFS, and user-configurable ports. This information helps in the identification of TCP/IP usage patterns and possible segmentation of a heavily used server.

No LAN analyzer tools would be complete without a packet capture capability and we must say Observer has a good one with its powerful filtering capabilities. You can collect specific data about LAN traffic by filtering packets by station, groups of stations or error condition on your LAN segment. Filters are selected with the help of an easy-to-use, drag-and-drop interface and can be saved for later use. In addition, you can isolate packets further by selecting a particular protocol, sub-protocol, or user-defined offset filter in conjunction with the station address/IP address filters. Post filtering is supported for viewing your data in different ways once the capture is complete. The Packet Capture mode shows total traffic, captured data and dropped packets (if any). We should point out that if you use the minimum hardware requirements, there shouldn't be any dropped packets.

Observer's Decode and Analysis is a sub mode of Packet Capture that lets you view captured traffic packet-by-packet. By using display filters, you can view only the pertinent packets and hide the rest. Observer can decode all major protocols and sub-protocols, and you can view both the raw data and the decoded data. For example, if you want to confirm that the server is sending e-mail, you can view the packets captured from the e-mail server.

ROOM FOR IMPROVEMENT
There wasn't much to complain about this product -- it's a pretty complete solution. Still, we would like to see support for WINS to perform computer name resolution. One other suggestion might be to include some common filters with the product. Finally, a tutorial might help inexperienced network administrators in figuring out what to look for when using Observer. Observer is such a powerful and feature-rich product, it is easy for a new user to get lost in its extensive feature set. Thus, either a tutorial in the manual, or better yet, a multimedia tutorial would certainly lower the learning curve. Also, as previously stated, the online help needs to be improved to include navigation links for quick access to the various features and modules of the software.

CONCLUSION
Network Observer has so many network testing tools, we couldn't possibly talk about them all in this review. Needless to say, TMC Labs was very impressed with Network Instruments' Observer 7, especially since it includes VoIP testing capabilities. We also liked the "dashboard" feature so common in many LAN testing tools, which displays critical LAN statistics on "odometer-type" readouts. Observer's support of both the RMON1 and RMON2 industry standards certainly is also a key benefit of this product. TMC Labs would highly recommend Observer 7 for Internet telephony developers, ITSPs looking to monitor QoS on their networks, or just your average IT manager looking to monitor the network in a typical corporate setting.








Technology Marketing Corporation

2 Trap Falls Road Suite 106, Shelton, CT 06484 USA
Ph: +1-203-852-6800, 800-243-6002
