ZDNet UK


Protocol analysers are good for admin work

Ron Nutter

Published: 18 Apr 2002 16:14 BST


Check for e-mail problems

I use protocol analysers to monitor e-mail problems much more than I would have thought. To do this, you must set up an analyser with a filter that monitors the TCP ports a mail server uses to send and receive mail (typically port 25 for SMTP, 110 for POP3, and 143 for IMAP). Several good examples of how to do this are on packet-level.com.

I've found the type of filter I described above to be useful in figuring out why a particular e-mail won't go through when the only error I get in the Exchange server logs is "communications error." I have made the modification to the filter that the site suggests, but this modification just examines e-mail to and from a particular mail server. However, this technique is still a big help because I don't have to go through an entire capture session to look for the mail traffic. Entire capture sessions can be quite large, depending on the size of your network.

Verify that your firewall is working correctly

Since firewalls protect your network from unwelcome visitors, knowing that they're working correctly is important for verifying the security of your network. Checking the firewall will involve using several different filters (these can be predefined filters, administrator-created filters, or downloaded filters, all with various functions), depending on the level of sophistication of the packet filtering being used.

In general, you will have two sets of filters, one checking packets based on outgoing traffic and one based on incoming traffic. Leaving the incoming filter running 24/7 would be a good idea, because this filter will be a good indication that the firewall is working as expected and will provide a quick alert if the firewall fails for some reason and begins letting unwanted packets through.
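The always-on incoming filter described above can be approximated offline, as in this added example (not from the original article). It assumes a capture taken on the inside of the firewall and a policy that admits only inbound mail to one server; the addresses, the policy, and the function names are illustrative assumptions.

```python
import ipaddress
import struct

# Assumed policy (not from the article): inbound mail to one inside server only.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOWED_INBOUND = {("192.0.2.10", 25), ("192.0.2.10", 110), ("192.0.2.10", 143)}

def read_pcap(data):
    """Yield captured Ethernet frames from classic libpcap file bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap capture")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        yield data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen

def unexpected_inbound(data):
    """Return (src, dst, dport) for inbound connection attempts outside policy."""
    alerts = []
    for frame in read_pcap(data):
        # Untagged Ethernet carrying IPv4 + TCP only; everything else is skipped.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue
        src, dst = ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
        dport = struct.unpack("!H", tcp[2:4])[0]
        new_conn = (tcp[13] & 0x12) == 0x02  # SYN set, ACK clear
        outside_in = src not in INSIDE_NET and dst in INSIDE_NET
        if new_conn and outside_in and (str(dst), dport) not in ALLOWED_INBOUND:
            alerts.append((str(src), str(dst), dport))
    return alerts

def _frame(src, dst, dport, flags=0x02):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_capture():
    """Constructed capture (zero checksums): SMTP, a stray telnet SYN, a reply."""
    frames = [_frame("198.51.100.7", "192.0.2.10", 25),
              _frame("198.51.100.7", "192.0.2.20", 23),
              _frame("192.0.2.10", "198.51.100.7", 40000, flags=0x12)]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body
```

Calling `unexpected_inbound(sample_capture())` reports only the telnet attempt; any entry in the result means a packet the assumed policy should have blocked reached the inside network.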

For example, NetDoppler utilizes several features of the ICMP, IP, and DNS protocols to perform tasks and tests on remote hosts to check latency and throughput and to isolate problems. PacketScrubber removes sensitive or confidential data from frames and packets within a trace file by changing the packet and frame payloads to null data.

Summary

We've just scratched the surface of the possible uses of a protocol analyser. Before you go out and buy the first one you see or purchase something that a vendor recommends, try to obtain trial versions of a few, use them, and see which candidate best meets your needs. It's also a good idea to keep the analyser you buy under some type of maintenance contract from the vendor to keep the application up to date and problem-free.

Editorial disclaimer: The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

