Examining Low-level Network Noise
With Observer 9.0, capturing network traffic was never easier.
Sometimes network troubles can be found by poking around in the various GUI tools supplied by Windows or through a command line. But sometimes IT pros just have to roll up their sleeves and get intimately acquainted with actual low-level network traffic. For those times, the new version of Network Instruments Observer is a great choice.
Like many other tools, Observer can capture all of the packets that go
by on the wire. But it offers superior features in both capture and analysis
that put it ahead of any other product that I’ve looked at.
| Network Instruments Observer’s Expert
Analysis shows the exact packets and their timing for any
connection. (Click image to view larger version.)
Observer divides its architecture into the Observer console and one or more probes. The probes do the actual data capturing, and 9.0 introduces the Advanced Multi-Probe. Using Advanced Multi-Probes, admins can hook multiple probes to a single Observer console or multiple consoles to a single probe. This makes it possible for far-flung staff to collaborate on identifying problems or for a single central administrative console to keep an eye on network segments separated by switches. Different probes can handle TCP/IP, wireless, WAN or gigabit traffic.
Another critical advance is the introduction of very large packet buffers for probes. Up to 4GB can be allocated. This supports the capture of traffic for long periods of time without worrying that Windows will page data out and cause packet loss.
Data can be analyzed in dozens of ways. There’s a raw packet view, which drills down into the data (and which knows how to decipher IP status bits, HTTP header fields and so on; you don’t have to deal with just ones and zeroes, though you can see them). But there’s also Expert Analysis mode, which applies heuristics to locate and explain trouble points on the network, a Connection Dynamics view to show the flow of a conversation and Server Analysis, which looks at a loaded server’s ability to process multiple connections.
Also new is Application Analysis, which can discover common application servers (using protocols such as DNS, FTP, SMTP or SQL Server’s TDS).
Any network will have millions of packets flowing by, so how can you find those of interest? Observer’s answer is a graphical filtering utility that can set such criteria as the IP address, port, protocol and pattern of bits. Multiple conditions can be connected with logical operators to build quite complex filters. Even better, there are out-of-the-box filters to catch things many network administrators are interested in: chat clients, attacks such as Sub Seven, peer-to-peer traffic over services such as Kazaa, and viruses such as SQL Slammer or SoBig.F.
On the wireless front, a new Site Survey view gives a picture of everything happening in your vicinity on the 802.11a, b and g bands.
All of this functionality is wrapped up in a tabbed, multi-window user interface that makes it easy to switch between different views of your information.
Observer will be a great asset to the toolbox of any administrator who deals with network loads, rogue traffic, mystery server issues or unauthorized wireless access points. You don’t always need to drill down to the actual bits, but when you do, this is the tool to use.
Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.