Protocol analysers are good for admin work
Published: 18 Apr 2002 16:14 BST
Protocol analysers now top out at around $1,000, and some are even free -- and they can all make the life of a network administrator much easier. I'm going to explain how you can use various protocol analysers on your network to perform such tasks as benchmarking, intrusion detection, and troubleshooting e-mail problems.
Finding network abnormalities
I have never used a protocol analyser for a byte-level analysis to resolve a problem. Instead, I usually use one to benchmark my network or to spot abnormalities when troubleshooting. For example, several years ago, I received a panicked phone call from a network administrator in a bank several hours away from the office where I worked. Its network was locking up every 10 to 15 minutes. I talked with the administrator for several minutes and had him make sure that other possible causes such as a bad electrical ground, faulty network cable, or a broken network card weren't the source of the problem.
After I arrived at the site, I ran the protocol analyser for a few minutes. It was then that I noticed something strange: Each workstation on the network was requesting the current date and time from the Novell server 20 to 30 times per minute. In normal conditions, this should happen only when the workstations boot up. A little investigation found that a third-party utility was being loaded that was supposed to get the current date and time about two or three times per day. After removing this utility from the workstations, the problem disappeared. Had I not been using a protocol analyser, my troubleshooting time would have been much longer.
Perform intrusion detection
Unfortunately, detecting intrusions is becoming more and more important as unwelcome visitors from the outside try to access and damage your network. This is another area where a protocol analyser can be handy. First, look for services that shouldn't be running on a particular server, such as FTP. It's a good practice to check for and disable such rogue services whenever new servers are added to your network and when service packs or updates are applied to existing servers.
You should also watch for people trying to do things that they shouldn't be doing on your servers. For example, say you have a server that allows you to use the Secure Shell utility for remote administration. Upon analysing the server, you find another user taking advantage of this open port (SSH, port 22). This allows you to immediately track down their source address and block that address from accessing your network. Another way to find intrusions is to look at login accounts that have been disabled or should have been disabled to see whether they are being used to access the network.
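The two checks above, spotting a host that repeats a request far above the normal baseline (the date/time example) and spotting SSH sessions from addresses that are not known administrator hosts, can be automated over a capture summary. The script below is an added example, not from the original article; the packet records, addresses, port labels and the "two per minute" baseline are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed capture summaries: (seconds since start, source, destination, dst port, label).
# The "time-request" label stands in for the NetWare date/time call the article
# describes (port 524 assumed for NCP); all addresses and timings are made up.
CAPTURE = (
    [(i * 2.4, "10.0.0.21", "10.0.0.1", 524, "time-request") for i in range(25)]  # 25 in one minute
    + [(5.0, "10.0.0.22", "10.0.0.1", 524, "time-request")]                        # once at boot: normal
    + [(12.0, "10.0.0.50", "10.0.0.2", 22, "ssh")]                                 # known admin workstation
    + [(40.0, "203.0.113.7", "10.0.0.2", 22, "ssh")]                               # not on the admin list
)
ADMIN_HOSTS = {"10.0.0.50"}  # assumed list of hosts allowed to open SSH to servers


def chatty_hosts(records, label, window=60.0, baseline=2):
    """Return {source: peak requests per window} for sources above the baseline.

    The healthy case in the article is one time request per boot, so a couple
    per minute is taken (assumption) as the upper bound of normal."""
    per_window = defaultdict(int)
    for t, src, _dst, _port, lbl in records:
        if lbl == label:
            per_window[(src, int(t // window))] += 1
    peaks = defaultdict(int)
    for (src, _w), n in per_window.items():
        peaks[src] = max(peaks[src], n)
    return {src: n for src, n in peaks.items() if n > baseline}


def unexpected_ssh_sources(records, admin_hosts, port=22):
    """Sources opening SSH (port 22) that are not known administrator hosts."""
    return sorted({src for _t, src, _dst, dport, _lbl in records
                   if dport == port and src not in admin_hosts})


if __name__ == "__main__":
    print("hosts polling the time far above baseline:", chatty_hosts(CAPTURE, "time-request"))
    print("SSH from non-admin addresses:", unexpected_ssh_sources(CAPTURE, ADMIN_HOSTS))
```

Feeding the same functions a summary exported from a real analyser (one record per packet) gives the per-host rate and source checks the article describes, once the baseline has been set from a quiet period on your own network.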