Network Sniffers

The tools known as network sniffers are named after a product called the Sniffer Network Analyzer. Introduced in 1988 by Network General Corp. (now Network Associates Inc.), the Sniffer was one of the first devices that let managers sit at their desks and take the pulse of the larger network.

The original sniffers read the message headers of data packets on the network, giving administrators details about the addresses of senders and receivers, file sizes and other low-level information about those packets, in addition to verifying transmission. Using graphs and text-based descriptions, sniffers helped network managers evaluate and diagnose performance problems with servers, the network wire, hubs and applications.

Two Types of Sniffers

Today, sniffers exist in two broad varieties. The first is a stand-alone product incorporated into a portable computer that consultants can carry to customer sites and plug into the network to gather diagnostic data. The second is part of a larger package of network-monitoring hardware and software for helping organizations keep tabs on their LANs, WANs and Web services. These bundles give administrators a centralized view of networks to monitor high-level activity, such as which applications are running, which users are logged on to the network and who is the source of unusually large files or high volumes of traffic.

Rather than merely identifying low-level characteristics such as packet source and destination, current sniffers can decode data from all seven layers of the Open Systems Interconnection network stack and can often recommend fixes for problems. If application-level analysis fails to provide a solution, sniffers can drill into low-level activities.

Modern sniffers typically incorporate remote monitoring standards (RMON and RMON2), which define a standard way for systems to automatically collect key performance data points such as resource utilization. RMON-savvy sniffers can take constant readings on the health of network components and compare those readings against historical trends. If necessary, they can trigger alarms when traffic loads or performance delays surpass limits set by network administrators.

Among today's wide-ranging network analysis products is the Sniffer Total Network Visibility Suite from the Sniffer Technologies unit of Santa Clara, Calif.-based Network Associates. Intended for companies that conduct business over the Internet, the application can generate reports about protocol and bandwidth usage when traffic over the public network stalls.

Similarly, Westford, Mass.-based NetScout Systems Inc. recently introduced the nGenius Application Service Level Manager to track response times of individual links on the user's Web site and determine which servers are experiencing slowdowns. The application can look at performance over the public network to create a customer-side view so administrators can ensure that communications in individual regions aren't faltering while the rest of the network looks healthy.

It's useful to remember that sniffers have Jekyll and Hyde personalities: They help keep networks humming, but they can also be used by hackers to uncover user names and passwords from data packets traveling across public or private WANs. Encrypting the headers of data packets (using the Secure Sockets Layer standard in browser-based environments, for example) thwarts sniffer-assisted password thefts.

Copenhagen-based NetTest (formerly GN Nettest) recently introduced Fastnet, a network-monitoring system that helps e-businesses with capacity planning and network troubleshooting.

The anticipated convergence of voice and data networks could once again put sniffers in the spotlight, as prioritizing traffic flow down to the IP packet level becomes essential to keeping voice and video messages intelligible.

For example, last spring, Sniffer Technologies introduced Sniffer Voice, a tool designed for managers of converged networks. Besides providing traditional diagnostic services for managing e-mail, Internet and database traffic, the product identifies and recommends fixes for network problems that can make IP voice traffic unintelligible.

Hackers Like Them, Too

In the end, there's no substitute for a network sniffer when you need to understand what your network is doing. A good sniffer helps you look at a network segment and determine the volume of traffic and how it varies during the course of a day, which users make heaviest use of the network and whether there are broadcast traffic or bandwidth issues. A sniffer also helps you capture all the data frames on a network segment during a given time period.

However, network sniffers are expensive. If you're planning to get one, understand clearly what you want to do with it and what speeds you'll need it to handle.
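
The header reading described near the top of this article, and the per-segment questions raised just above (traffic volume, heaviest senders, broadcast load), can be illustrated with a short Python sketch. This is an added example, not code from any product named here; the function names and the sample frames are constructed for illustration, and it decodes only Ethernet II and IPv4 headers.

```python
import socket
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def parse_frame(frame):
    """Decode Ethernet II and, when present, IPv4 header fields from one raw frame."""
    if len(frame) < 14:
        return None  # truncated capture: too short to hold an Ethernet header
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "size": len(frame),
            "broadcast": dst == BROADCAST, "src_ip": None, "dst_ip": None, "proto": None}
    if ethertype == 0x0800 and len(frame) >= 34:  # IPv4 with at least a 20-byte header
        f = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
        if f[0] >> 4 == 4 and (f[0] & 0x0F) >= 5:  # version 4, sane header length
            info.update(src_ip=socket.inet_ntoa(f[8]), dst_ip=socket.inet_ntoa(f[9]), proto=f[6])
    return info

def summarize(frames):
    """Total bytes, broadcast frame count, truncated frames and the heaviest senders."""
    by_sender, total, bcast, bad = Counter(), 0, 0, 0
    for raw in frames:
        info = parse_frame(raw)
        if info is None:
            bad += 1
            continue
        total += info["size"]
        bcast += int(info["broadcast"])
        by_sender[info["src_ip"] or info["src_mac"]] += info["size"]
    return {"total_bytes": total, "broadcast_frames": bcast, "truncated": bad,
            "top_talkers": by_sender.most_common(3)}

def make_frame(dst_mac, src_mac, src_ip=None, dst_ip=None, payload=b"", proto=6):
    """Build a constructed sample frame (IP checksum left at 0, never validated here)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if src_ip is None:
        return eth + struct.pack("!H", 0x0806) + payload  # ARP ethertype, no IP header
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                        socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + struct.pack("!H", 0x0800) + iphdr + payload

# Constructed sample capture: documentation addresses, locally administered MACs.
SAMPLE = [
    make_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "192.0.2.10", "192.0.2.20", b"x" * 400),
    make_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "192.0.2.20", "192.0.2.10", b"x" * 60),
    make_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:03", payload=b"\x00" * 28),
    make_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "192.0.2.10", "192.0.2.20", b"x" * 1000),
    b"\x02\x00\x00",  # deliberately truncated frame
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Everything the summary reports comes from unencrypted link-layer and IP headers, so it stays available to a monitoring tool even when the application payload is encrypted.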