Protocol analysers are good for admin work
Published: 18 Apr 2002 16:14 BST
Check for virus activity
Several protocol analysers (EtherPeek and Sniffer, for example) offer the ability to download filters that let you view specific types of traffic on your network. Instead of having to sort through all the network traffic, you can just download predefined filters to scan for virus activity such as Code Red and Nimda. I like to run these filters in what I call a global mode, which looks at all the packets crossing the wire regardless of source or destination.
You can also create your own virus filters. The information you need is contained in the virus alerts issued by such companies as McAfee and Norton. Looking for a file attachment by name in a mail message or looking for a certain command on an HTTP header line are just a couple of ways you can take a more proactive stance toward virus protection.
Watch out for unauthorised programs
With IP-based networks and the Internet becoming commonplace, it's easier to find unauthorised programs on your network and stop their use. The proliferation of peer-to-peer file sharing applications such as BearShare and Napster has consumed network bandwidth that could be better used elsewhere. The best way to halt usage of such applications is to download the applications onto a test workstation and have a protocol analyser watch for traffic going to and coming from the IP address of the test workstation. Once you've seen the traffic created, you can create filters that stop the application's usage. Each analyser has a different method for creating such filters, so you will want to take a look at your analyser's documentation for this step.
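The two filtering ideas above (a content filter for virus traffic run in "global mode" against every packet on the wire, and a host-scoped capture of a test workstation used to profile an unwanted application and derive a blocking filter) can be shown with a small packet-filter engine. This is an added example, not code from the article or from any analyser vendor; the packets, the alert attachment names and the HTTP request-line pattern are constructed placeholders, not real signatures.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    dport: int     # destination TCP port
    payload: str   # decoded application data (constructed for this example)


# Hypothetical details as they would be lifted from a vendor virus alert.
# Both the attachment names and the request-line pattern are placeholders.
ALERT_ATTACHMENT_NAMES = {"invoice.exe", "readme.scr"}
ALERT_HTTP_REQUEST = re.compile(r"^GET /EXAMPLE-WORM-PATH\S* HTTP/1\.[01]", re.M)


def attachment_filter(pkt: Packet) -> bool:
    """Mail filter: flag a MIME attachment whose filename is on the alert list."""
    m = re.search(r'filename="?([^";\r\n]+)"?', pkt.payload, re.I)
    return m is not None and m.group(1).strip().lower() in ALERT_ATTACHMENT_NAMES


def http_command_filter(pkt: Packet) -> bool:
    """HTTP filter: flag a request line that matches the alert's pattern."""
    return ALERT_HTTP_REQUEST.search(pkt.payload) is not None


def run_filter(packets, predicate, host=None):
    """Apply a filter in global mode (host=None: every packet on the wire,
    regardless of source or destination) or scoped to one host's traffic."""
    return [p for p in packets
            if (host is None or host in (p.src, p.dst)) and predicate(p)]


def learn_app_ports(packets, test_host):
    """Profile an application by the destination ports the test workstation
    connects to; the result becomes the basis of a filter that stops it."""
    return {p.dport for p in packets if p.src == test_host}


def make_port_filter(ports):
    """Build a filter matching any traffic bound for the learned ports."""
    return lambda p: p.dport in ports


# Constructed sample traffic: addresses from the documentation ranges,
# ports and handshake text invented for the example.
TEST_WORKSTATION = "192.0.2.50"
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "192.0.2.25", 25,
           'Content-Disposition: attachment; filename="invoice.exe"\r\n'),
    Packet("192.0.2.11", "192.0.2.25", 25,
           'Content-Disposition: attachment; filename="report.pdf"\r\n'),
    Packet("198.51.100.7", "192.0.2.80", 80,
           "GET /EXAMPLE-WORM-PATH?x HTTP/1.0\r\nHost: www.example.com\r\n"),
    Packet("192.0.2.12", "192.0.2.80", 80,
           "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    Packet(TEST_WORKSTATION, "203.0.113.9", 6346, "P2P-HELLO/0.4\r\n"),
    Packet(TEST_WORKSTATION, "203.0.113.10", 6347, "P2P-HELLO/0.4\r\n"),
    Packet("192.0.2.60", "203.0.113.11", 6346, "P2P-HELLO/0.4\r\n"),
]


if __name__ == "__main__":
    # Global mode: virus filters see every packet, whoever sent it.
    for name, flt in (("attachment", attachment_filter),
                      ("http", http_command_filter)):
        for p in run_filter(SAMPLE_PACKETS, flt):
            print(f"[{name}] {p.src} -> {p.dst}:{p.dport}")
    # Host mode: profile the test workstation, then apply the learned
    # filter globally to find every other user of the application.
    ports = learn_app_ports(SAMPLE_PACKETS, TEST_WORKSTATION)
    print("learned ports:", sorted(ports))
    for p in run_filter(SAMPLE_PACKETS, make_port_filter(ports)):
        print(f"[p2p] {p.src} -> {p.dst}:{p.dport}")
```

The host-scoped pass is what the test-workstation step gives you; once the ports are learned, the same predicate run in global mode finds the application on every other host, which is the point of building the filter in the first place.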
Check for WAN link usage
When you have more than one T1 connection to the Internet, knowing that these links are working correctly is critical to the health of your network. If routing protocols such as OSPF and BGP4 are being used, being able to see what the problem is when things go awry is a real help. Not all protocol analysers can track all IP traffic patterns, so knowing what is required to monitor your T1 or similar link can help you decide which analyser is best for you.
One tool that can track patterns is the Sniffer Portable WAN tool. This high-end utility automatically finds and labels internetwork problems such as retransmissions, duplicate IP addresses, a high rate of physical-layer cyclic redundancy check (CRC) errors, WAN overload, and frame relay congestion. Once an issue is detected, Sniffer recommends solutions to the potential network problem.
Many enterprise-level analysers require special PCMCIA cards with the appropriate connectors to sit in series with the V.35 or other connector that your laptop or workstation uses. For nonportable solutions, you may end up with either an external pod-like interface or a special interface board that fits a conventional desktop form factor. The same applies to ATM and DS3 connections.
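To make concrete what "finds and labels internetwork problems" means, here is an added example (not the article's code and not Sniffer's) that applies three of the checks named above to constructed capture records: duplicate IP addresses from ARP replies, TCP retransmissions from repeated sequence numbers on a flow, and a CRC error rate against a threshold. The record types, the threshold and the suggested next steps are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ip: str
    mac: str


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    length: int   # payload bytes; 0 for a pure ACK


@dataclass(frozen=True)
class LinkStats:
    frames: int       # frames seen on the WAN interface
    crc_errors: int   # frames discarded for a bad physical-layer CRC


def duplicate_ips(replies):
    """Two different MAC addresses answering for one IP is a duplicate-IP condition."""
    seen = defaultdict(set)
    for r in replies:
        seen[r.ip].add(r.mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def retransmissions(segments):
    """A data-bearing segment whose sequence number was already sent on the
    same flow is counted as a retransmission (simplified: exact seq repeat,
    no partial-overlap handling)."""
    sent = defaultdict(set)
    repeats = []
    for s in segments:
        if s.length == 0:
            continue
        flow = (s.src, s.sport, s.dst, s.dport)
        if s.seq in sent[flow]:
            repeats.append(s)
        sent[flow].add(s.seq)
    return repeats


def crc_error_rate(stats):
    """Fraction of frames with a bad CRC; 0.0 for an idle link."""
    return stats.crc_errors / stats.frames if stats.frames else 0.0


def diagnose(replies, segments, stats, crc_threshold=0.001):
    """Label each detected problem with a suggested next step (assumed wording)."""
    findings = []
    for ip, macs in duplicate_ips(replies).items():
        findings.append(f"duplicate IP {ip} claimed by {', '.join(macs)}: "
                        "check static assignments and the DHCP scope")
    repeats = retransmissions(segments)
    if repeats:
        flows = {(s.src, s.dst) for s in repeats}
        findings.append(f"{len(repeats)} TCP retransmission(s) on {len(flows)} flow(s): "
                        "look for loss or congestion on the link")
    rate = crc_error_rate(stats)
    if rate > crc_threshold:
        findings.append(f"CRC error rate {rate:.2%} exceeds {crc_threshold:.2%}: "
                        "inspect cabling, the CSU/DSU and line clocking")
    return findings


# Constructed sample capture: one duplicated IP, one retransmitted segment,
# and a link with 50 bad frames out of 10,000.
SAMPLE_ARP = [
    ArpReply("192.0.2.1", "00:00:5e:00:53:01"),
    ArpReply("192.0.2.1", "00:00:5E:00:53:02"),
    ArpReply("192.0.2.2", "00:00:5e:00:53:03"),
]
SAMPLE_TCP = [
    TcpSegment("192.0.2.10", 40000, "198.51.100.5", 80, 1000, 100),
    TcpSegment("192.0.2.10", 40000, "198.51.100.5", 80, 1100, 100),
    TcpSegment("192.0.2.10", 40000, "198.51.100.5", 80, 1000, 100),  # resend
    TcpSegment("198.51.100.5", 80, "192.0.2.10", 40000, 5000, 0),    # pure ACK
    TcpSegment("198.51.100.5", 80, "192.0.2.10", 40000, 5000, 0),
]
SAMPLE_LINK = LinkStats(frames=10_000, crc_errors=50)


if __name__ == "__main__":
    for line in diagnose(SAMPLE_ARP, SAMPLE_TCP, SAMPLE_LINK):
        print("-", line)
```

The ACK-only segments share a sequence number but carry no data, so they are deliberately not counted; a real analyser also tracks partial overlaps and out-of-order delivery, which this simplified check leaves out.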