EtherPeek LAN Analysis from WildPackets

EtherPeek In Depth

What is EtherPeek?

EtherPeek is a true 32-bit Ethernet packet-level network traffic and protocol analyzer designed to make the complex tasks of troubleshooting and debugging mixed-platform, multi-protocol networks easy. EtherPeek sets the industry standard for ease-of-use, while offering all of the expert debugging capabilities expected of a full-featured analyzer. EtherPeek captures all data packets on your Ethernet network, interprets the protocol layers of a captured frame, and exposes the core information. By monitoring, filtering, decoding and displaying packet data, EtherPeek is used to pinpoint protocol errors and detect network problems such as unauthorized nodes, misconfigured routers, excessive error rates and unreachable devices.

Using your existing network adapter hardware to monitor all conversations between devices sharing the same Ethernet cable, EtherPeek permits you to capture, analyze, monitor and troubleshoot these conversations to understand and optimize the performance of your network.

EtherPeek's graphical display makes it simple for you to discover and solve network problems quickly. It is not unusual for first time users of EtherPeek to resolve a baffling network problem in a matter of minutes! EtherPeek is also a great learning tool, permitting you to see how networked devices are interacting in your particular environment.

With EtherPeek, you can:

  • determine conclusively which systems are communicating successfully over the network and which are not
  • monitor traffic to pinpoint network bottlenecks
  • generate network traffic to test network performance
  • determine protocols in use
  • debug network software
  • pinpoint any equipment whose software is malfunctioning
  • learn about network operation while discovering how various protocols work in communication links
  • keep your network secure

Using EtherPeek in a Switched Environment

EtherPeek can be used to monitor a switched network environment. There are two ways to accomplish this aim. First, you can split the Ethernet at the workstation with a mini-hub and attach the machine running EtherPeek to the hub. This will work on all switches except those that only understand one MAC address per port. Your second option is to check to see if your switch can be set to a promiscuous mode where all frames go to all ports (thus eliminating the desirable aspects of a switch).

If this is possible, you can plug EtherPeek in on a free port. Most newer switches have a management port which uses the switch's management interface (usually telnet/text) to redirect all frames destined for port X (the port you want to monitor) to the management port. You then plug the machine running EtherPeek into the management port to see all traffic for the mirrored port.

You can also use an SNMP console to get statistics from the switch, though you won't get the fine level of packet information provided by EtherPeek by using this method.

Distributed, Remote Analysis with EtherHelp(tm)

EtherHelp, a free remote capture application that ships with EtherPeek, is specifically designed to help people who design, build, manage and support networks diagnose remote LAN or WAN segments without having to visit their location. Licensed users of EtherPeek may distribute the EtherHelp application freely for multiple, simultaneous remote packet capture sessions.

How does EtherHelp work?

EtherHelp works by capturing all network traffic, or a specified portion of that traffic, in the form of packets. Packets captured are not displayed in EtherHelp, but can be saved in a file, which can then be forwarded for analysis by EtherPeek, which can display the saved packets.

Beyond the ability to capture packets, EtherHelp borrows two other features from EtherPeek: filters and triggers. Filters allow a user to limit the packets captured to those that meet specific criteria. Triggers allow EtherHelp to stay poised for capture until a specific type of packet is present, whereupon capture begins. Filters and triggers are referred to as settings. If specifying certain packets for capture is important in troubleshooting a network problem, predefined filters can be set by network support personnel using the "Save Settings" command. Users then simply use the "Load Settings" command before starting capture.

IF YOU'RE ON A SWITCHED NETWORK and want to capture all traffic, check for a mirror port on your switch, and launch EtherHelp from a machine on that port. NOTE! Be certain to assess utilization through this port to make certain you're not trying to process too much traffic simultaneously.

Keep Your Network Secure

EtherPeek is extremely useful when installing, testing and verifying security products in use on networks. EtherPeek's performance analysis capabilities allow a network security analyst to watch traffic levels to/from a firewall so that the network can be adjusted for optimal security performance. Use EtherPeek to:

  • detect new or unauthorized nodes & protocols
  • conduct regular password studies
  • track down failed login attempts
  • identify illicit URL & Newsgroup accesses
  • collect messages looking for passwords
  • filter connection-request messages, in various protocols, sent from unauthorized address groups to security-sensitive, high-transaction servers
  • identify specific hacker activities on a network
  • identify specific IP addresses, seen in firewall logs, whose trusted-to-untrusted IP traffic is suspicious in nature
  • install and test firewalls

EtherPeek Features/Benefits

  • Easy-to-use graphical interface to simplify network troubleshooting & monitoring
  • Powerful decoding with support for all major protocol suites
  • Powerful event trigger mechanism to capture data of interest
  • Simple and advanced filtering capabilities to zero-in on network problems
  • Real-time statistics
  • Summary Statistics for baselining and monitoring key traffic elements
  • History Statistics to graph network utilization, packets per second and bytes per second over time
  • HTML, XML & Tab-delimited Output to view real-time traffic statistics reports with your Web browser
  • ProtoSpecs(tm) technology for fine delineation of packet type
  • Protocol definitions to explain unknown protocol types
  • Plug-In Modules for Expert Packet Analysis
  • Network Speed Dialog for switching between media speeds
  • Log File Window for ready display of specified network events
  • PageNOW! Page Server Support (personal edition) for Triggers & Plug-Ins
  • Save packet data as text, RTF or in Sniffer-readable format
  • On-line Help
  • Ability to load in Sniffer and LANAlyzer format files
  • Ships with EtherHelp and iNetTools

Packet Capture Windows

Similar to a phone tap, EtherPeek captures all data packets exchanged between nodes on the Ethernet wire - regardless of the types of hardware and software installed on the network. EtherPeek is shipped with default column settings in Packet Capture Windows. These columns display a variety of packet detail, including source and destination logical addresses, protocol types, packet size, and time-stamps.

EtherPeek allows you to capture packets in multiple, configurable Capture Windows, each with its own dedicated capture buffer. You can establish and view multiple Capture Windows up to the limits of available memory and screen space.

Name Table and Resolving IP Names

EtherPeek has a Name Table that houses name-for-address translations of devices and protocols on your network. Once names are entered into the Name Table, devices and protocols communicating on your network can be displayed by their familiar names, or by vendor type, in addition to being identified by their logical and physical (MAC) addresses. EtherPeek can resolve IP names on your network if Domain Name Services are present. The Macintosh version also has the ability to resolve AppleTalk names. Once names are resolved, they will be added automatically to your Name Table, and names will replace logical address entries for devices in packet capture and statistics windows.

Packet Decoding

Sometimes network problems are revealed by information contained in a packet. Protocol decoders allow you to open packets and look inside, pinpoint sources of error packets, track down faulty hardware and cabling, and learn about and examine protocol structure and compliance.

EtherPeek allows you to decode one or multiple packets during or after capture. View a decoded packet by double-clicking a packet line from a Capture or Packet File Window.

Statistics Windows

Global Statistics

Under its default settings, EtherPeek begins calculating global statistics as soon as the program is launched. It captures all network traffic continuously in the background from the moment the program loads and the network interface is chosen until you quit the program. All packets are captured, processed and then discarded. Global statistics menu options, which include Node, Protocol, Conversation, Network, Error, Size, Summary and History Statistics items, keep only the aggregate information needed to provide an updated tally of all the tracked parameters.

None of the packets used to calculate global statistics can be saved, decoded to a file, or used for any other purpose than calculating global statistics. Nor can capture for global statistics be altered by filters, triggers, or any other function.

Traffic Statistics

Real-time filtering, saving, triggering capture and decoding of packets are the work of EtherPeek's Capture Windows. Sophisticated post-capture traffic analysis can be done in Packet File Windows. Both Packet File Windows and Capture Windows offer most of the same types of statistical displays as are found in global statistics. The difference is in the data: global capture for global statistics, user-controlled sampling for captured and saved packets.

Capture and Packet File Windows provide access to many different traffic statistics views, including:

  • Node Statistics
  • Protocol Statistics
  • Conversation Statistics
  • Size Statistics
  • Summary Statistics
  • History Statistics

Node Statistics display real-time packet counts and traffic volumes, sent and received, for each device or node on the network. In addition, they show the total number of physical addresses and the total number of logical addresses seen.

If your network performance drops, reviewing Node Statistics is often the first step in the process of identifying a likely cause. For example, if, upon examining the data provided in a node statistics window, you discover that a node and one particular communication partner appear to be using more than their fair share of the network, you can create an address filter for the two devices and easily determine if the traffic they are generating is in line with expectations, contains many retransmissions or error packets, etc.

Protocol Statistics show network traffic volume, in packets and in bytes, broken down by protocol and sub-protocol. This window is useful in determining which protocols or sub-protocols are generating a high percentage of the overall network traffic.

Conversation Statistics show traffic between pairs of network nodes, including the traffic volume in bytes and packets for each protocol or sub-protocol the pair has used since EtherPeek started calculating statistics.

Packet Size Distribution Statistics set up size classes for packets (their length in bytes) and show what percentage of the packets on the network are in each size class.

Summary Statistics allow you to monitor key network statistics in real-time and save these statistics for later comparison. Use this feature to baseline "normal" network activity, save the data, and then compare these saved statistics with those observed during periods of erratic network behavior to help pinpoint the cause of the problem.

Summary statistics are also extremely valuable in comparing the performance of two different Ethernet segments or two different networks. For example, a field support engineer could compare the real-time statistics on a client's network with a saved "healthy" router snapshot and easily diagnose or eliminate the source of inconsistent or poor router performance.

History Statistics graph network performance at selected intervals over time. You can choose to measure that performance as Utilization (percent of capacity as set in the Network Speed dialog), as Packets/second or as Bytes/second.

Network Trend Analysis

EtherPeek's graphing and trending features allow you to collect, display, analyze and save virtually any node, protocol, network or summary statistic available over a user-specified period of time. View trends through a variety of graph options from within the program. Output data in HTML or enhanced XML formatted reports for web access from any location, or save statistics in tab-delimited

Packet Generation

EtherPeek is capable of sending as well as receiving packets. Packet transmission is a useful feature with many possible applications. For instance, you can:

  • Generate network traffic and probe specific computers to observe their reactions.
  • Check network connections by sending packets from one workstation and verifying that they are received by another.
  • Send packets to test protocol implementations you have developed.
  • Replay communications to observe their impact on your network.

The Send feature of EtherPeek allows you to:

  • send a single packet out on the network
  • send a burst of multiple copies of a packet at specified intervals
  • send selected packets at specified intervals
  • use a Start or Stop Trigger to send a packet when a particular event occurs
  • echo captured packets back onto the network as they are captured

Filters

One of the great challenges of network troubleshooting is sorting through the vast amount of packet information. EtherPeek's simple and advanced filters are uniquely flexible and powerful in the number of ways they allow you to specify searches for packets of interest. EtherPeek filters can be enabled for real-time packet capture as well as for post-capture traffic analysis.

Filters are discrete, individual tools that can be saved, imported, edited, and used in combination with one another. You can build filters to test for just about anything found in a packet: addresses, protocols, sub-protocols, ports, error conditions, and more.

Filters are used to isolate particular types of traffic on the network for troubleshooting, analysis, and diagnostics. Filters can be used singly or in groups. If multiple filters are used together, EtherPeek treats them as being OR'ed together. That is, a packet matching any one of the enabled filters will pass.

Note: Filters never apply to global statistics, which are always calculated on the basis of all network traffic. Filters can only be used either to restrict the flow of packets into a Capture Window or to select packets already captured to a buffer, either in a Capture Window or from a saved packet file in a Packet File Window.

Ready-made Filters

EtherPeek ships with a number of filters already made and loaded, by default, into the Filters window. These may be used as they are, or they can provide a starting place for creating your own more precise filters.

Simple Filter

The Simple view of EtherPeek's Edit Filter dialog allows you to create filters based on address, protocol, and/or port.

Advanced Filter

Advanced filters allow you to create more complex filters with a wider range of filter parameters (including specific offsets and string values). In addition, the Advanced view allows you to construct a single filter based on a chain of filter properties connected by logical AND, logical OR, and logical NOT statements.

Make Filter Command

The Make Filter command creates a filter based on a selected packet or statistics item. When you use this command, an unnamed filter matching the parameters of the packet, node, protocol or conversation selected is made. If multiple items are selected, a filter will be created for each one.

Using Multiple Filters Simultaneously

When multiple filters are enabled simultaneously, EtherPeek considers them to be connected by logical OR statements. That is, packets matching any one of the enabled filters will pass and be processed by EtherPeek.

Filter Parameters

Filters can operate on the following properties of packets:

  • Address
  • Protocol
  • Port
  • Value
  • String
  • Length
  • Error
  • Plug-in
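
The filter model described in this section (simple address/protocol/port filters, advanced properties such as a value at an offset or a string, AND/OR/NOT chains inside one filter, and several enabled filters being OR'ed) as an added illustration in Python; this is not EtherPeek's own code, and the Packet fields and sample capture are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed packet view with the properties EtherPeek filters can test.
@dataclass
class Packet:
    src: str
    dst: str
    protocol: str        # e.g. "IP", "ARP", "AppleTalk"
    port: int = 0        # TCP/UDP port, 0 when the protocol has none
    length: int = 64     # frame length in bytes
    error: bool = False  # CRC/runt error reported by the adapter
    payload: bytes = b""

Filter = Callable[[Packet], bool]

# Simple filter: address, protocol and/or port; an omitted field matches anything.
def simple_filter(address=None, protocol=None, port=None) -> Filter:
    def match(p: Packet) -> bool:
        if address is not None and address not in (p.src, p.dst):
            return False
        if protocol is not None and p.protocol != protocol:
            return False
        return port is None or p.port == port
    return match

# Advanced filter properties: bytes at a given offset, substring, error flag.
def value_at(offset: int, value: bytes) -> Filter:
    return lambda p: p.payload[offset:offset + len(value)] == value

def contains(s: bytes) -> Filter:
    return lambda p: s in p.payload

def has_error() -> Filter:
    return lambda p: p.error

# Logical AND / OR / NOT chain properties inside one advanced filter.
def AND(*fs: Filter) -> Filter:
    return lambda p: all(f(p) for f in fs)

def OR(*fs: Filter) -> Filter:
    return lambda p: any(f(p) for f in fs)

def NOT(f: Filter) -> Filter:
    return lambda p: not f(p)

# Several enabled filters are OR'ed: a packet passes if any one of them matches.
def passes(enabled: List[Filter], p: Packet) -> bool:
    return any(f(p) for f in enabled)

def apply_filters(enabled: List[Filter], packets: List[Packet]) -> List[Packet]:
    return [p for p in packets if passes(enabled, p)]

# Constructed sample capture (addresses and contents are made up).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.1", "IP", 80, 512, False, b"GET /index.html"),
    Packet("10.0.0.7", "10.0.0.1", "IP", 21, 90, False, b"USER anonymous"),
    Packet("10.0.0.5", "10.0.0.9", "ARP", 0, 60, False, b""),
    Packet("10.0.0.8", "10.0.0.1", "IP", 21, 40, True, b""),
]

def demo() -> List[Packet]:
    # Two enabled filters: web requests for index.html involving 10.0.0.5,
    # OR error packets that are not ARP. A packet matching either one passes.
    web_from_5 = AND(simple_filter(address="10.0.0.5", port=80), contains(b"index"))
    errors_not_arp = AND(has_error(), NOT(simple_filter(protocol="ARP")))
    return apply_filters([web_from_5, errors_not_arp], SAMPLE)
```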

Plug-ins

Plug-ins are external modules which provide EtherPeek with increased packet analyzing capabilities. Loaded at launch time, Plug-ins receive incoming packets during packet capture, process the packets to determine if they meet specified criteria, and provide notification of the results of their analysis in a variety of ways: placing the messages received from Plug-ins in the Plug-in column in EtherPeek's Capture Window; logging messages delivered from a Plug-in to EtherPeek's log file; or sending a message to page server software.

Plug-in modules included with EtherPeek increase the program's built-in functionality. Plug-ins provide an automatic method of analyzing packet contents during or after capture - sorting, displaying or logging specific information from some or all of the packets captured.

The current set of Plug-ins provides the ability for the program to:

  • Extract AppleTalk packet details (Transaction IDs, NBP Lookups, etc.)
  • Verify checksums for AppleTalk and IP packets
  • Detect duplicate IP addresses in use
  • Log FTP transfer file names
  • Detect when a destination host or port is unreachable
  • Extract IP packet details such as Transaction IDs, Session IDs and port numbers
  • Detect various Internet attacks
  • Display Ping of Death packets
  • Display contents of Telnet sessions
  • Log Web URL and Usenet newsgroup accesses
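
How a plug-in of the kind described above fits into the capture loop, shown with one of the listed capabilities (detecting duplicate IP addresses from ARP replies), as an added Python illustration; this is not WildPackets' plug-in API, and the ArpReply class, the DuplicateIpPlugin class and the sample replies are constructed for the example. The three notification channels the page names (Plug-in column, log file, page server) are modelled as the return value, a list, and an optional callback.

```python
from typing import Callable, Dict, List, Optional, Set

# Constructed view of what a plug-in receives for an ARP reply: the sender's
# hardware (MAC) and protocol (IP) addresses.
class ArpReply:
    def __init__(self, sender_mac: str, sender_ip: str) -> None:
        self.sender_mac = sender_mac
        self.sender_ip = sender_ip

class DuplicateIpPlugin:
    """Reports an IP address claimed by more than one MAC address, using the
    three notification channels the page describes: a per-packet message for
    the Plug-in column, a line in the log file, and an optional pager hook."""
    def __init__(self, pager: Optional[Callable[[str], None]] = None) -> None:
        self.owners: Dict[str, Set[str]] = {}   # ip -> MACs seen claiming it
        self.log: List[str] = []
        self.pager = pager

    def process(self, pkt: ArpReply) -> Optional[str]:
        macs = self.owners.setdefault(pkt.sender_ip, set())
        if pkt.sender_mac in macs:
            return None                          # already known, column stays empty
        macs.add(pkt.sender_mac)
        if len(macs) == 1:
            return None                          # first claimant of this address
        msg = "Duplicate IP %s claimed by %s" % (pkt.sender_ip, ", ".join(sorted(macs)))
        self.log.append(msg)                     # log file channel
        if self.pager:
            self.pager(msg)                      # page server channel
        return msg                               # Plug-in column channel

# Constructed ARP replies: 10.0.0.9 is answered from two different adapters.
SAMPLE = [
    ArpReply("00:11:22:33:44:01", "10.0.0.1"),
    ArpReply("00:11:22:33:44:09", "10.0.0.9"),
    ArpReply("00:11:22:33:44:09", "10.0.0.9"),
    ArpReply("00:aa:bb:cc:dd:09", "10.0.0.9"),
    ArpReply("00:aa:bb:cc:dd:09", "10.0.0.9"),
]

def run(packets: List[ArpReply] = SAMPLE):
    """Feed packets through the plug-in as a capture would; return the
    Plug-in column entries, the log lines and the pager messages."""
    pages: List[str] = []
    plugin = DuplicateIpPlugin(pager=pages.append)
    column = [plugin.process(p) for p in packets]
    return column, plugin.log, pages
```

A second MAC for a known address is only reported once per new MAC, so a legitimately replaced adapter produces a single entry rather than one per reply.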

ProtoSpecs(tm)

ProtoSpecs are an exclusive feature that quickly and accurately identifies the protocols nested within Ethernet packets. ProtoSpecs use multiple identifiers within a packet to create a tree-structure that specifies a top-level or parent protocol (such as IP) and sub-protocols that it contains (such as FTP or SNMP).

ProtoSpecs recognize hundreds of different protocols and sub-protocols. Nevertheless, there are still some protocols that are not identified by name in the program. EtherPeek will list unidentified Ethernet Type 2 (two bytes), LSAP (one byte), and SNAP (five bytes) protocol types by their numeric value in hexadecimal. You may add these to the Name Table to assign them a symbolic name.

When EtherPeek cannot identify a higher-level sub-protocol, it lists the protocol with other unidentified types at the highest known protocol level. For example, UDP port 1378, which is reserved for the Elan License Manager, is not uniquely identified by EtherPeek. Instead, the packet statistics associated with this protocol are collected under the identified name of UDP protocol statistics.
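
The identification rules described in this section (Ethernet Type 2, LSAP and SNAP identifiers shown as hex when the Name Table has no entry, nested sub-protocols, and an unidentified UDP port such as 1378 collected under UDP) as an added Python illustration; this is not the ProtoSpecs implementation, and the name table, port tables and the frame built by ip_udp_frame are constructed for the example.

```python
import struct
from typing import List, Tuple

# Constructed name table: symbolic names for numeric link-layer identifiers.
# Keys are (kind, number); kind is ETYPE (2 bytes), LSAP (1 byte) or SNAP (5 bytes).
NAME_TABLE = {
    ("ETYPE", 0x0800): "IP", ("ETYPE", 0x0806): "ARP", ("ETYPE", 0x809B): "AppleTalk",
    ("LSAP", 0xE0): "IPX", ("LSAP", 0xF0): "NetBIOS",
    ("SNAP", 0x00000080F3): "AARP",
}
HEX_DIGITS = {"ETYPE": 4, "LSAP": 2, "SNAP": 10}
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
UDP_PORTS = {53: "DNS", 161: "SNMP"}
TCP_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

def link_layer_id(frame: bytes) -> Tuple[Tuple[str, int], bytes]:
    """Classify the 2-byte field after the MAC addresses: >= 0x0600 is an
    Ethernet Type 2 type; smaller values are an 802.3 length followed by an
    LLC header, which is SNAP when DSAP and SSAP are both 0xAA."""
    (val,) = struct.unpack("!H", frame[12:14])
    if val >= 0x0600:
        return ("ETYPE", val), frame[14:]
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03:
        oui_pid = int.from_bytes(frame[17:22], "big")   # 3-byte OUI + 2-byte PID
        return ("SNAP", oui_pid), frame[22:]
    return ("LSAP", dsap), frame[17:]

def protospec_path(frame: bytes) -> List[str]:
    """Nested protocol path. Unidentified link-layer types appear as hex;
    an unidentified sub-protocol is collected under the highest known level."""
    (kind, num), payload = link_layer_id(frame)
    name = NAME_TABLE.get((kind, num), "0x%0*X" % (HEX_DIGITS[kind], num))
    path = [name]
    if name != "IP" or len(payload) < 20:
        return path
    ihl = (payload[0] & 0x0F) * 4             # IPv4 header length in bytes
    l4 = IP_PROTO.get(payload[9])             # IPv4 protocol field
    if l4 is None:
        return path                           # unknown IP protocol stays at "IP"
    path.append(l4)
    seg = payload[ihl:]
    if l4 in ("UDP", "TCP") and len(seg) >= 4:
        sport, dport = struct.unpack("!HH", seg[:4])
        table = UDP_PORTS if l4 == "UDP" else TCP_PORTS
        sub = table.get(dport) or table.get(sport)
        if sub:
            path.append(sub)                  # e.g. UDP 161 -> SNMP
    return path                               # e.g. UDP 1378 stays at "UDP"

def ip_udp_frame(dport: int) -> bytes:
    """Constructed Ethernet II / IPv4 / UDP frame used as sample input."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    ip = b"\x45\x00" + struct.pack("!H", 28) + b"\x00\x00\x00\x00\x40\x11\x00\x00"
    ip += bytes([10, 0, 0, 5, 10, 0, 0, 1])
    udp = struct.pack("!HHHH", 4000, dport, 8, 0)
    return eth + ip + udp
```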

Additional Features

  • Capture Buffer Options. Tell EtherPeek how to handle packets during longer captures, including automatically saving to disk and restarting capture.
  • Triggers. Automate the start and stop of capture using triggers. Any filter can be specified as a trigger criterion, so you can focus captures with pinpoint accuracy.
  • SmartDecoders(tm). SmartDecoders allow you to identify conversational threads buried among the overall stream of network traffic.
  • Protocol Definitions. EtherPeek provides a definition of what a protocol abbreviation stands for and a concise description of what a protocol is used for.

System Recommendations

EtherPeek for Windows:

For 10 Mbit Ethernet:

  • Pentium 166 or better running Windows 95/98/2000 or Windows NT 4.0
  • 64 MB of RAM recommended

For 100 Mbit Ethernet:

  • 400 MHz Pentium II
  • 128 MB RAM
  • NDIS3 compatible 10/100 Network Interface Card
  • Color monitor strongly recommended

EtherPeek v4 for Macintosh:

  • PCI-based Power Macintosh running System 8.0 or later
  • 32 MB RAM recommended
  • Supported Ethernet Interface

EtherPeek v3.5.4 for Macintosh:

  • 68040 or PowerPC based Macintosh
  • System 7.1 or later
  • 8 MB of RAM minimum
  • Supported Ethernet Interface Card

Copyright 2006 PTC Networking Limited