The network or LAN has become a critical component of most businesses.
Without a fully functioning LAN, services such as e-mail, Internet, file
sharing, and even VoIP would not be possible. With the increasing importance
and dependence on the LAN, monitoring the health and performance of the LAN
by network administrators has become crucial. Network Instruments' Observer
7.0 is a software-based network analyzer that runs on Windows 95/98 as well
as Windows NT/2000. Using Observer's many built-in network and
troubleshooting utilities, a network administrator can monitor, track, or
even capture network traffic for analysis. Observer 7.0 also features the
ability to capture and decode H.323 VoIP traffic, which is useful for
Internet telephony developers and service providers.
INSTALLATION
TMC Labs' experience with using network analyzers taught us that these
software packages are often complex to install and set up. With that said,
TMC Labs was very impressed with the ease of installation of the Observer
software. We installed the main Observer program on a Compaq Proliant 550MHz
with 128MB of RAM running Windows 2000. After the installation program was
complete, a pop-up message told us to add the "VMONI1.SYS"
protocol driver as a protocol under Windows 2000's network settings. After
completing this task, a reboot was required. Once we rebooted and logged
back in, we launched the Observer software and were able to quickly run
several of the built-in utilities without even having to refer to the
manual.
One final installation task involved installing a remote
"probe" on a second LAN segment. "Probes" are used
because by the very nature and design of networks, network analyzers cannot
see network traffic on another LAN segment separated by a router. Installing
a "probe" isn't required, but we wanted to test Observer's
capability to analyze network traffic on at least two different LAN
segments. (Observer can analyze up to 252 segments.)
Fortunately, TMC has two LAN segments since we have two office buildings
connected via a leased T1 line. We could have set up a second test LAN
segment in the lab, but it's always more interesting to test network
analyzers with "real" network traffic.
Thus, we drove over to our corporate headquarters and hunted for a PC
that we could install the remote probe onto. Within the MIS room we found
several high-end PCs, all of which would have done nicely. We installed a
"probe" on a Compaq Proliant 500MHz running Windows NT 4.0 with
128MB of RAM. The installation was so simple, one of the TMC Labs engineers
said, "That's it? That's all we have to do?" A quick check of the
Services revealed that the Network Instruments probe was indeed installed
and running. But would the main Observer software "see" this
remote probe? We anxiously anticipated whether this would work or not as we
drove back to the labs. What we discovered is discussed in the Operational
Testing section, but first, our analysis of Network Instruments'
documentation.
DOCUMENTATION
The documentation consisted of a one-inch thick, soft-cover manual as well
as a quick start guide. TMC Labs was very pleased with the documentation.
First, we were very pleased that the main manual was just a single manual,
instead of several separate manuals, which usually just adds to the
confusion. The text used appropriate formatting and also included "call
out" tips to assist the user. A table of contents, an index, and
appropriate screenshots were all present within the manual. We also were
impressed with the manual's step-by-step installation instructions for the
various Windows environments (95/98/NT/2000).
The only flaw we found was in the online help file. While a lot of
information is included in the online help file, it uses an older .HLP file
format. Also, there were no clickable links within the help file to
automatically bring us to where we needed to be. For example, we had
difficulty finding where the VoIP Expert feature was located. We searched
the online help, but the help file only described what VoIP Expert did and
did not fully explain how to get to that feature. It would have been nice if
a "link" were included that we could click on to bring us to the
VoIP Expert screen. The ability to click on links within the help file will
aid in navigating the software with the other features as well and we highly
recommend implementing this feature in a future release.
FEATURES
Observer 7 features "What-If Live Modeling," which measures actual
client/server conversations and peer-to-peer conversations, then plots
possible response times, utilization, and packet flow scenarios. VoIP Expert
is an interesting feature that reports and analyzes problems with VoIP/H.323
connections and determines at what level of network load H.323 conversations
are exhibiting acceptable quality behavior.
Another nice feature is the "Expert Summary Displays," which
display error events in a single, concise display. For connection-oriented
problems, a simple double-click "drills down" for further
analysis. IT managers will love the built-in Web server that allows them to
remotely run reports and monitor network performance without having to be in
the office.
Other features include:
- Network Activity Display -- Shows critical network utilization and
broadcast information graphed against a traffic reference line. This display
can show you the health of a LAN at a glance and can warn of impending
slowdowns due to broadcast or multicast storms.
- Triggers and Alarms with integration to SNMP.
- Efficiency History -- Used to grade your segment's capacity to carry
data. By comparing a result to previous results, you can quickly
determine network trends or judge the effect of a change to the network.
- Traffic Generator -- Allows you to stress your segment by generating
generic broadcast traffic, source- or destination-specific generic
traffic, or protocol-specific traffic for stressing a specific device or
group of devices.
- Internet Observer -- Used to keep track of a user's Internet usage.
Views are available for sites that use DHCP, and sites that share a
router on a corporate backbone.
- Protocol Distribution -- Displays how your traffic is divided between
the different protocols (IP, IPX, NetBeui) active on your network.
OPERATIONAL TESTING
As previously stated in the Installation section, we had just installed the
remote probe in our corporate headquarters and then returned to the lab to
see if the main Observer program could "see" the remote probe. We
had left the Observer program running, so we were a bit surprised that when
we turned on the computer monitor, we could see a new "entry"
called "Probe0001" within Observer. This makes perfectly good
sense, since it would be a poor design decision to have to close Observer
and re-open it in order to view any new remote probes added to remote LAN
segments. If we did have to close the program, this would affect the
statistics as well as prevent some packets from being captured by the
Observer program. Thus, TMC Labs gives Network Instruments high marks for
this design.
In any event, we clicked on the remote probe and then ran the "Top
Talkers" network utility. Sure enough, we started to see network
statistics coming from the remote corporate headquarters LAN segment.
Success! Although we have tested network analyzers in the past, it was still
pretty neat to be able to see statistics and network traffic on a remote LAN
segment. The Top Talkers utility shows all stations on the LAN (subject to
any filter criteria which we can specify) and the Broadcast/Multicast
statistics. In addition, it provides detailed traffic flow statistics that
can show a "bandwidth hog," a broadcast/multicast storm, or an
unbalanced switch. In addition to numerical values, a graphical
representation (bar) is also available to visually inspect who are the
"top talkers" on the network.
One of the first utilities we ran was the "Discover Network
Names." This utility captures all network addresses on the segment,
stores them in the filter table, and automatically assigns them aliases. You
can assign a name to a network address or use the IP address, DNS name,
NetWare login name, or Microsoft network login name. After storing the
network names, you can use the stored names in all your queries.
We also ran Internet Observer, which displays the Web sites that are
visited by users on your LAN. This can be used to determine who is using an
exorbitant amount of Internet bandwidth or whether it's time to buy a bigger
Internet pipe. Other utilities could also be executed simultaneously,
resulting in interesting graphs and readouts.
In any of the network modes or utilities that we tested, we were able to
sort on any column we wished simply by clicking on the column heading, which
certainly was a useful feature. Another important feature of the Observer
software is that it supports both "shared" (hubs) networks as well
as "switched" (switches) networks. In the case of a
"switched" network environment, Observer requires that the
switch(es) support both port mirroring (sometimes called "port
monitor" or "port spanning") and an SNMP or telnet interface
to control the management options of the switch. In the case of a
"shared" network environment, because all the packets are sent
across the entire network to every NIC device, Observer is able to see each
and every packet.
TMC Labs liked Observer's ability to analyze H.323 VoIP traffic with its
VoIP Expert module, although it did take us a while to figure out how to
find the VoIP Expert module. The online help and documentation weren't much
help in finding it either. Eventually, we found the VoIP module as part of
"Decode and Analysis" within the Packet Capture module. We should
point out that VoIP uses RTP (Real-time Transport Protocol), a UDP-based
protocol for the transmission of real-time data, for use in such
applications as streaming audio and video conferencing. While RTP packets
contain the actual real-time data, the protocol is accompanied by RTCP
(Real-time Transport Control Protocol), which is used to send information
about the data being transferred: the number of packets sent and received,
the identities of the stations involved in the conversation, and so forth.
By analyzing an RTCP conversation and then using it to interpret the RTP
data we could use Observer's VoIP Expert to diagnose problems in a VoIP or
other RTP/RTCP session.
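
The RTCP-to-RTP correlation described above, as an added Python example (not code from Observer or Network Instruments): it decodes the fixed RTP header and an RTCP receiver report per RFC 3550 and checks whether the loss the receiver reports matches the loss visible at the capture point. The packets, SSRC values and function names are constructed for illustration.

```python
import struct

# Static payload types from RFC 3551 (subset); 4 is G.723, the codec seen in the review.
CODECS = {0: "PCMU", 4: "G723", 8: "PCMA", 18: "G729"}

def parse_rtp(pkt):
    """Decode the 12-byte fixed RTP header (RFC 3550, section 5.1)."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"codec": CODECS.get(b1 & 0x7F, "other"), "seq": seq, "ts": ts, "ssrc": ssrc}

def parse_rtcp_rr(pkt):
    """Decode the report blocks of an RTCP Receiver Report (PT 201, section 6.4.2)."""
    if len(pkt) < 8:
        raise ValueError("short RTCP packet")
    b0, pt, _length, reporter = struct.unpack("!BBHI", pkt[:8])
    if b0 >> 6 != 2 or pt != 201:
        raise ValueError("not an RTCP receiver report")
    blocks = []
    for off in range(8, 8 + 24 * (b0 & 0x1F), 24):
        if len(pkt) < off + 24:
            raise ValueError("truncated report block")
        src, lost, ext_seq, jitter, _lsr, _dlsr = struct.unpack("!6I", pkt[off:off + 24])
        cum = lost & 0xFFFFFF
        cum -= (cum & 0x800000) << 1          # cumulative lost is a signed 24-bit field
        blocks.append({"reporter": reporter, "source": src, "fraction_lost": (lost >> 24) / 256,
                       "cumulative_lost": cum, "highest_seq": ext_seq, "jitter": jitter})
    return blocks

def observed_loss(headers):
    """Packets missing at the capture point, from sequence gaps (handles 16-bit wrap).
    Assumes one SSRC, under 65536 packets, first and last packet in order."""
    seqs = [h["seq"] for h in headers]
    return ((seqs[-1] - seqs[0]) & 0xFFFF) + 1 - len(set(seqs))

def rr_matches_capture(rtp_packets, rr_packet):
    """True when the receiver's reported loss equals the loss seen at the capture point,
    which suggests the packets were lost before reaching the analyzer's segment."""
    headers = [parse_rtp(p) for p in rtp_packets]
    return any(b["source"] == headers[0]["ssrc"] and b["cumulative_lost"] == observed_loss(headers)
               for b in parse_rtcp_rr(rr_packet))

# Constructed sample: four G.723 packets whose sequence numbers wrap, with one missing,
# and the matching receiver report (fraction lost 51/256, cumulative lost 1).
SAMPLE_RTP = [struct.pack("!BBHII", 0x80, 4, s & 0xFFFF, 240 * i, 0x1234ABCD) + bytes(24)
              for i, s in ((0, 65534), (1, 65535), (2, 65536), (4, 65538))]
SAMPLE_RR = struct.pack("!BBHI6I", 0x81, 201, 7, 0x11112222, 0x1234ABCD, (51 << 24) | 1, 65538, 40, 0, 0)
```

If the receiver reports more loss than the capture shows, the drop happened between the capture point and the receiver.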
We made some NetMeeting calls and then tested the Observer's ability to
capture and decode the H.323 traffic. It performed without a hitch. We
discovered an interesting feature within VoIP Expert that we did not see
discussed in the manual. After capturing an H.323 NetMeeting call, we were
able to go to the "UDP Events" screen, right-click on the "RTP/G.723"
connection, select "Save/Play Audio..." and save the H.323 VoIP
conversation to a WAV file! Thus, we were able to "spy" on any
H.323 VoIP call on the network, record it and then play it back later.
The VoIP Expert displays H.323 conversational data in three separate
graphs. The displays can be used to diagnose why a connection may be
experiencing problems, or at what level of network load H.323
conversations exhibit acceptable quality behavior.
One of the other more interesting features we examined was Observer's
ability to report on the various IP sub-protocols. This feature allows you
to view how your IP traffic is divided between all port level services, that
is, WWW, SQL, telnet, FTP, LPD/LPR, NFS, and user-configurable ports. This
information helps in the identification of TCP/IP usage patterns and
possible segmentation of a heavily used server.
No LAN analyzer tool would be complete without a packet capture
capability and we must say Observer has a good one with its powerful
filtering capabilities. You can collect specific data about LAN traffic by
filtering packets by station, groups of stations or error condition on your
LAN segment. Filters are selected with the help of an easy-to-use,
drag-and-drop interface and can be saved for later use. In addition, you can
isolate packets further by selecting a particular protocol, sub-protocol, or
user-defined offset filter in conjunction with the station address/IP
address filters. Post filtering is supported for viewing your data in
different ways once the capture is complete. The Packet Capture mode shows
total traffic, captured data and dropped packets (if any). We should point
out that if you use the minimum hardware requirements, there shouldn't be
any dropped packets.
Observer's Decode and Analysis is a sub mode of Packet Capture that lets
you view captured traffic packet-by-packet. By using display filters, you
can view only the pertinent packets and hide the rest. Observer can decode
all major protocols and sub-protocols, and you can view both the raw data
and the decoded data. For example, if you want to confirm that the server is
sending e-mail, you can view the packets captured from the e-mail server.
ROOM FOR IMPROVEMENT
There wasn't much to complain about with this product -- it's a pretty complete
solution. Still, we would like to see support for WINS to perform computer
name resolution. One other suggestion might be to include some common
filters with the product. Finally, a tutorial might help inexperienced
network administrators in figuring out what to look for when using Observer.
Observer is such a powerful and feature-rich product, it is easy for a new
user to get lost in its extensive feature set. Thus, either a tutorial in
the manual, or better yet, a multimedia tutorial would certainly lower the
learning curve. Also, as previously stated, the online help needs to be
improved to include navigation links for quick access to the various
features and modules of the software.
CONCLUSION
Network Observer has so many network testing tools, we couldn't possibly
talk about them all in this review. Needless to say, TMC Labs was very
impressed with Network Instruments' Observer 7, especially since it includes
VoIP testing capabilities. We also liked the "dashboard" feature
so common in many LAN testing tools, which displays critical LAN statistics
on "odometer-type" readouts. Observer's support of both the RMON1
and RMON2 industry standards certainly is also a key benefit of this
product. TMC Labs would highly recommend Observer 7 for Internet telephony
developers, ITSPs looking to monitor QoS on their networks, or just your
average IT manager looking to monitor the network in a typical corporate
setting.
[ Return To The November 2000 Table Of Contents ]