5 Tips for Using a Protocol Analyzer

Troubleshooting network problems is not an art; it’s a science. Stumbling around in the dark hoping to figure out what’s wrong works some of the time. But to become a true network ninja, IT pros must have the right tools. One of the most important tools that the network manager wields is the protocol analyzer.

Protocol analyzers watch the traffic flying by a particular part of the network and show each and every packet. By displaying and decoding the actual bits on the network, protocol analyzers shed insight into exactly what is happening, which might be the only way to understand what’s causing a problem.  

Originally offered as dedicated appliances designed to intercept serial communications, protocol analyzers have since moved into the world of software. Commercial and open-source versions are available on a variety of platforms. Here are some tips to make the best use of these tools:

Tip 1: Get tap points in place. A key step before booting up the protocol analyzer is ensuring that the network has the appropriate tap points ready to go. Today’s networks are highly switched, which means it could be hard to find a spot to watch traffic, which is necessary for debugging a problem. Managed switches usually support a mirror port — a single port that can be told to copy all the traffic on one or more other ports or virtual LANs. Hook the analyzer to the mirror port, and it sees everything. Have dedicated ports on major switches ready to be reconfigured as mirror ports when needed.

Tip 2: Repurpose old hubs. When mirror ports are unavailable, or if the switch is not managed, there are other techniques. An Ethernet tap does what the term implies: It drops in between two Ethernet devices and copies all of the traffic to other ports for traffic analysis. Many network managers also keep a stockpile of old 100 megabit-per-second hubs, which can be inserted between a misbehaving device and the network to tap traffic.

Tip 3: Know what a healthy network looks like. Learn to use a protocol analyzer before the network has a problem. Walking through simple transactions such as Address Resolution Protocol requests, Internet Control Message Protocol redirects, the Transmission Control Protocol three-way handshake and a Domain Name Server query and response, especially with a good reference guide, helps to cement book learning and identify the minor flaws of individual networks.  

Tip 4: Find something better than tcpdump.  Protocol analyzers differentiate themselves by their decoding and analytical capabilities. The simplest and oldest analyzer, the venerable Unix tcpdump command, grabs packets, and that’s about all. It’s useful for verifying that two systems are talking — an important debugging step — but commercial and open-source tools take things much further, with upper-layer statistics, decodes, expert analysis and even snazzy features such as voice call replay. The only reason to use tcpdump is to capture packets for analysis by a smarter tool.  

Tip 5: For application performance issues, go to the pros.  Protocol analyzers are best for identifying reproducible misbehavior, such as communications errors or network configuration bugs. They aren’t that useful for answering broader questions about application performance, which may require more careful instrumentation and active probing of the system. When application performance is the problem, protocol analyzers offer a useful starting point and can supplement specialized performance monitors, but they aren’t a substitute.