
Distributed Sniffer versus other products

Status
Not open for further replies.

karkclent

MIS
Jan 8, 2001
28
US
Anybody here using Distributed Sniffer and compared it to other products? We're ready to eval a solution for remote packet capturing and analysis. I wanted to see if anyone knew the pros and cons.

Thanks in advance,
kc
 
Hi Karkclent,

I have posted a review of the portable Sniffers on my site @ the chart may give you an idea of what I used as comparison criteria.

I also ran across this today that may help you:

I'm putting together the same info on the distributed products as well. If you have a specific question feel free to email me.

Regards

'Making things work better; bit by bit.'
 
This is not really a loaded question but has so many facets... I'll limit myself to the major points

Pros:
Sniffer has, at present, the most scalable solution for folks who intend to use it on large networks where many analyzers are deployed. Most other systems with any kind of distributed capability have added it recently in an effort to displace Sniffer. Some are just using proxy software as an ad hoc remote solution (Timbuctu etc)

Filtering is fairly intuitive and Expert supposedly identifies problems more quickly than the Expert systems of their major competitors.

They are the only distributed analyzer company I know of who truly has solutions for just about every topology - Ethernet, Token Ring, Gig, ATM, DS3, WAN serial, WAN T1/E1.

The interface itself is fairly intuitive once you get accustomed to it and the same interface is common to all topologies - makes transference of acquired skills easier.

Sniffer University classes are generally very good - I've taken four of five classes and all but one were excellent (the one that wasn't so great was because of an outdated curriculum that has since been updated).

Lest you think I'm a Sniffer cheerleader...

Cons:
Way too pricey.

NAI has a crappy attitude regarding resellers and does not make enough effort to listen to what customers really want.

Front line tech Support is so-so and back line is good if you get the right person but they have lost a couple key back line support engineers lately (one in particular who was golden and they should have made more effort to retain)

Their Gig solution's capture capabilities are only now starting to catch up to Finisar's (Shomiti) THG solution and the Finisar hardware is still superior.

They STILL don't have a good solution for Distributed full duplex 100mb over copper analysis - the current answer is a four port Ethernet Sniffer w/special drivers that bind pairs of monitor cards together so the ET05 works as a dual full duplex analyzer but it has limitations.

Tendency to rush products to market before they're really ready for release.

WAN products not really in the same class as some others.


All told, they're still worth considering if you have the money and most folks in big and busy networks wouldn't dream of being without Sniffer but there's plenty of room for improvement.

I have opinions about the alternatives (Finisar, Acterna, Network Instruments, Etherpeek NX, Fluke etc) but prefer to limit this online discussion to Sniffer.

Feel free to email me to discuss at greater length.

Please note that my employer does NOT resell any analyzer solutions nor do we have any official affiliation with any of the companies I've mentioned (but we have had product development discussions with all of them regarding peripheral products we manufacture).





Owen O'Neill
Datacom Systems Inc.
Northeastern SE
 
Owen,
I have a comment on one of the cons you mentioned - 'They STILL don't have a good solution for Distributed full duplex 100mb over copper analysis - the current answer is a four port Ethernet Sniffer w/special drivers that bind pairs of monitor cards together so the ET05 works as a dual full duplex analyzer but it has limitations.'...
I've heard that Sniffer Distributed 4.3 may have support for the 10/100 Full Duplex Ethernet NIC on Copper \ Fiber. If this is true, would it overcome the limitation you're talking about...?
Also, isn't there a Distributed FDX pod solution currently available that might already provide this feature...?
Portable.
 
Owen,

THANKS for the info. I'd like to hear your thoughts on competing products in this area. Can you send your email address?

Thanks
kc
 
note to "portable"

"I've heard that Sniffer Distributed 4.3 may have support for the 10/100 Full Duplex Ethernet NIC on Copper \ Fiber. If this is true, would it overcome the limitation you're talking about...?
Also, isn't there a Distributed FDX pod solution currently available that might already provide this feature...?"

They already have a true dual NIC 10/100 FD copper Ethernet card available for the Dolch Flex-Pac (luggable - also known as the beloved "lunchbox"). My understanding is that it's a reworked Xyratec card, just as the Gig card is. Have no feedback from anyone using it as it's a pricey solution.

The major con of the interim solution is the fact that you don't have a nice clean display that shows you the two sides of the conversation in tabular format so you can see what was happening at the same time in real time (re/errors, utilization etc) on the two sides of the conversation.

Yes.... there is a "Pod" solution but there are a few caveats. Reliable sources tell me that the company who produced the FDX pod for NAI is in trouble - either out of business or on their way there. I don't think NAI is still shipping the FDX pod and if they are I'd be concerned about support. IMHO it was always an adhoc solution designed to overcome the limitations of the Sniffer platform re/line rate capture capabilities and the fact that there was no dual receive NIC.

Early versions of the Pod were unstable and riddled with problems. Eventually it was produced in a relatively stable version offering 512 meg buffer for full line rate captures. It would then "hand off" the capture to the 10/100 Sniffer via the regular NIC. It offered a nice "Channel A / Channel B" tabular format on the details tab of the dashboard. Biggest problem by most people's perception was the $10,000 price (over and above the price of the Sniffer).

Keep in mind that FD Ethernet analysis of busy links should be done by way of in-line passive copper taps - SPAN ports can send a copy of FD traffic but they squeeze it all onto one side of the wire. Not sure if this still holds true when a dual NIC device is available but I believe it is still there as a limitation - you have only 100mbs going out a SPAN port even if it's set for FD - I don't think it sends data out both sides at the same time.

Contrary to what Cisco and Nortel claim, reports from the field lead us to believe that you CAN easily oversubscribe SPAN ports, thereby dropping packets which are not retransmitted. It also appears that starting a SPAN session of a particularly busy source, such as a large VLAN, can temporarily impact the CPU of the network switch and affect performance.

If NAI can get a true dual NIC card available for Distributed in v4.3 that will be great. Starting with v4.2 you are no longer limited to a 40mb buffer - the buffer can be set to any size up to one half of the onboard RAM (IIRC the RAM can be bumped up to a Gig on the P4 platforms)

My web email is phaelon56 ( at ) yahoo .com (insert 'at' symbol and put it all back together).


Owen O'Neill
Datacom Systems Inc.
Northeastern SE
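The SPAN-versus-tap point made above, as an added example that is not part of the thread: a small Python model in which a full-duplex link's two directions are copied onto a single SPAN destination port (so the offered load is the sum of both directions, and anything above the destination port's rate is silently dropped with no retransmission), while an in-line tap hands each direction to its own receive channel. The link speeds, SPAN destination speed and per-second byte counts are constructed assumptions, not figures from the posts.

```python
"""Model SPAN-port oversubscription on a full-duplex link versus an in-line tap.

Constructed example (not from the Tek-Tips thread): the byte counts below are
made up to show the failure mode the post describes.
"""
from dataclasses import dataclass

LINK_MBPS = 100        # assumed speed of each direction of the monitored link
SPAN_DEST_MBPS = 100   # assumed speed of the single SPAN destination port
INTERVAL_S = 1.0       # length of each sampling interval in seconds


@dataclass
class Interval:
    tx_bytes: int  # bytes flowing A -> B during the interval
    rx_bytes: int  # bytes flowing B -> A during the interval


def _bytes_per_interval(mbps: float) -> int:
    return int(mbps * 1_000_000 / 8 * INTERVAL_S)


def span_capture(intervals, sources=1, dest_mbps=SPAN_DEST_MBPS):
    """Return (offered, captured, dropped) bytes for a SPAN session.

    Both directions of every source port are squeezed onto one destination
    port; the excess over its capacity is dropped by the switch and, because
    the copy is not a real conversation, never retransmitted.
    """
    cap = _bytes_per_interval(dest_mbps)
    offered = captured = 0
    for iv in intervals:
        load = (iv.tx_bytes + iv.rx_bytes) * sources  # e.g. a VLAN with N such ports
        offered += load
        captured += min(load, cap)
    return offered, captured, offered - captured


def tap_capture(intervals, link_mbps=LINK_MBPS):
    """Same accounting for a passive in-line tap feeding a dual-receive analyzer:
    each direction has its own channel and can never exceed line rate."""
    cap = _bytes_per_interval(link_mbps)
    offered = captured = 0
    for iv in intervals:
        for side in (iv.tx_bytes, iv.rx_bytes):
            offered += side
            captured += min(side, cap)
    return offered, captured, offered - captured


# Constructed per-second samples: 70%/70% (fits a tap, 140% for SPAN),
# a quiet second, then a one-sided burst of 96% + 8% (104% for SPAN).
SAMPLE = [Interval(8_750_000, 8_750_000),
          Interval(3_000_000, 2_000_000),
          Interval(12_000_000, 1_000_000)]
```

Comparing `span_capture(SAMPLE)` with `tap_capture(SAMPLE)` shows the SPAN copy losing bytes in the two busy seconds while the tap loses none; passing `sources=2` models spanning a VLAN with two such ports, where the loss roughly doubles.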
 
You also might want to check out the most powerful Distributed Analyzer in the Marketplace today, NIKSUN NetVCR. These guys have been cleaning up against NetScout and Sniffer recently because they give you the ability to capture vast amounts of packets into a wrap database (from 72GB up to 1.46TB internally, no limit when using a SAN) and quickly access the data and mine it for the information you are looking for, whilst continuously capturing data. This gets round the problem of almost always having to wait for a problem to happen again when you have a distributed Sniffer seeing the right traffic. It also overcomes the Gigabit Sniffer's 288MB capture limit (do you always know exactly what to filter for? With only 288MB of capture at Gigabit you had better!!!!). On top of that, a great reporting system, web front end, Unix-based appliance for maximum speed and reliability and export to Sniffer .ENC and TCPDump .PCAP files. AT A CHEAPER COST THAN SNIFFER!!!!
 
Check out a new Sniffer Product - InfiniStream™ Security Forensics, with features similar to the ones pointed out by Spence...
Here's an extract from the site...
'The InfiniStream™ Security Forensics solution provides historical archival, retrieval, and analysis of raw packet streams so security and network analysts can research and understand if, when, and how any network-based event occurred. In environments where network-attached resources carry high financial or public relations value, InfiniStream software enables network and security administrators to achieve near real-time, historical certainty that their network is performing securely and efficiently.'
 