Packets can run, but they can't hide from EtherPeek

Pros and
cons:
+ Easy to use, flexible
+ Comprehensive network analysis
+ Good filters and triggers

Real-life requirements:
133-MHz or faster processor; Win9x, NT or Mac OS; Ethernet connection; up to 6M free on
hard drive

A good network sniffer need not set you back thousands of dollars.

The GCN Lab recently took a look at the $995 EtherPeek 3.1, a software package that
lets you watch the packets traveling across your LAN. The AG Group Inc. software runs
under Microsoft Windows 9x, Windows NT and Mac OS.

To understand how EtherPeek works, think of two computers sharing data over an
Ethernet. One PC broadcasts a data packet labeled with the second PC’s network
address. All the other network cards on the LAN can see this header, but only the
designated PC receives the packet. EtherPeek works by making its PC’s network card
accept every packet, in what is called promiscuous mode.

The lab tried out an earlier EtherPeek version with far less depth. It set filters
based on packet characteristics, looked at statistics based on protocols or node addresses
and parsed out packets with a decoder. Such tools are helpful for troubleshooting and
learning the hows and whys of your network traffic.   But that’s all that
the earlier EtherPeek could do.

Version 3.1 is better at packet capture and has more protocols and decoders. It does
the basics of packet capture and much more.

You can view a summary window of the protocols captured and the network nodes
generating or receiving traffic.

Click on any item to bring up another window with detailed information about that node
or protocol.

You can set up filters based on physical or logical addresses, protocols, packet
contents and error conditions. Triggers can start or stop the packet filtering under
predefined conditions, such as at specific times or when certain types of packets are
detected.

A name table includes basic labels for packet types, and you can add your own labels
for physical and logical addresses.

For instance, if a packet came from a computer at IP address 208.228.76.64 , I could
associate it in the name table with www.gcn.com.

Resolved IP addresses automatically appear in the name table. EtherPeek 3.1 assigns
names to both the IP address and the Ethernet address, also called the media access
control or MAC address.

Two companion pieces of software, AGNet Tools and EtherHelp, dovetail nicely with
EtherPeek.

AGNet Tools is a collection of TCP/IP utilities, much like the NetScan Tools package
from Northwest Performance Software Inc. of Maple Valley, Wash. [GCN, March 23, Page 1].

AGNet’s tools, though not as numerous as NetScan’s, certainly hit the high
spots. You get Ping as well as Ping Scan, which lets you ping an entire range of IP
addresses and try to resolve an IP address to the computer’s network name.

Also in the AGNet Tools suite is a TraceRoute tool that identifies the relay points, or
hops, in reaching another IP address.

It counts the number of hops and measures how long it takes a packet to travel between
addresses.

NameLookup and NameScan resolve IP addresses into names for single IP addresses or a
range of addresses. Port Scanner looks for accessible Transmission Control Protocol and
User Datagram Protocol ports at a remote IP address.

A Service Scanner tool can test a range of IP addresses to discover which ones are
running services such as File Transfer Protocol or Telnet.

Rounding out the suite are Finger, Whois and Throughput tools.

Finger finds information associated with an e-mail address.

Whois looks for Internet directory information on whois servers, such as
whois.internic.net.

You can set up filters
based on physical or logical addresses, protocols, contents and error conditions.

The Throughput tool asks for a uniform resource locator for a Web or FTP server, and
then it pulls up that site. In doing so, it counts the number of items loaded, file sizes,
length of download and throughput speed.

You can only license EtherPeek for individual machines, so using it to troubleshoot a
WAN environment would require buying as many copies as you have LANs.

To get around that, the companion EtherHelp package lets a remote user start up
EtherPeek, capture a predetermined number of packets and save them to a file.

The file then can go out to network support personnel working from a different network,
so they can troubleshoot the remote network’s traffic.

The only real difference between EtherPeek and EtherHelp is that EtherHelp users cannot
see the packet information as it is captured.

EtherPeek users can distribute EtherHelp freely. A particularly good feature is that
EtherHelp can be set to filter only specified packet types.

EtherPeek 3.1 has so many capabilities for such a low price that it has advantages over
dedicated protocol analyzers.

Many network managers in the past have faulted the performance of software-only line
monitors and packet analyzers.

But the latest Intel processors and the huge memory resources in computers erase the
worry of a software analyzer dropping its packets.

I tested EtherPeek on a 300-MHz Dell Computer Corp. Dimension Pentium II PC with 128M
of RAM. Performance was good even under heavy network loads.

I then decided to push my luck running it under NT on a 100-MHz processor with 32M of
RAM.

Performance remained good. EtherPeek handled heavy loads on the 100-MHz system almost
as well as on the 300-MHz system.

The heavier your network load, the more horsepower you’ll need. But EtherPeek,
plus additional memory and a processor upgrade, would still cost less than a dedicated
hardware network analyzer.

AG Group has developed an application programming interface for creating EtherPeek
plug-ins. Some plug-ins come with the package for reporting on protocols such as AppleTalk
and Telnet.

EtherPeek is just right for small to midsized networks. It’s also helpful as a
complementary tool on large networks with hardware analyzers.

The intuitive interface and easy tools stand out in comparison to the product’s
high-priced competition.