Using a Network Sniffer


There is no substitute for a network sniffer tool when you need to understand what your network is really doing. A good network sniffer provides you with several different capabilities. The first is to understand what your network is doing at the "macro" level. At the macro level, you can look at traffic on a network segment in the aggregate, perform long-term monitoring, and answer questions such as:

  • How much network traffic is there?
  • Is there a bandwidth issue on this segment?
  • How does the network traffic vary during the day?
  • What network protocols are present?
  • Is there a lot of broadcast or multicast traffic?
  • Are there errors on the network?
  • Who are the heaviest users of the network?

The sniffer also helps you analyze your network at the "micro" level. In this mode, the sniffer captures every data frame on a network segment over an interval of time for later analysis. When the capture is complete, the sniffer is placed in analysis mode to study the captured network data, where the contents of each individual data frame can be viewed.

When network data is captured on a high-speed network segment (such as a 1000Base-TX LAN), an extremely large amount of data is often collected. Fortunately, most sniffers allow you to select a subset of the data to view based on criteria such as source and destination MAC address, source and destination IP address, network protocol, etc. At least one sniffer vendor has incorporated an expert-system analysis tool into its sniffer product that can point out a variety of network problems it finds in a trace.

A few examples of how analysis of a network data capture might be used include:

  • Analyze a conversation between client and server to see which is causing a delay in a user application
  • Analyze a conversation between client and server to see if there are network retransmissions due to dropped packets
  • Determine whether "frozen window" conditions occur in TCP/IP "conversations", which may indicate a full buffer at the server or client
  • Determine the source of unwanted broadcasts
  • Determine the source of an IP multicast data stream
  • Check the operation of router access lists
  • Validate firewall access policies
  • Determine if there are excessive ICMP redirects
  • Determine if there are routing table errors
  • Determine if route redistribution is configured correctly
  • Analyze a security breach on your network
  • Determine exactly how a particular network application (e.g., FTP) works

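As an added illustration (not code from the original article or from FLG Networking Services), the following script shows what the "macro" and "micro" analysis described above looks like once frames are decoded. It builds a small capture by hand (a TCP handshake start, a data segment sent twice, an acknowledgment advertising a zero window, and a broadcast ARP request), then computes the aggregate statistics from the first list (bytes per host, protocol mix, broadcast count) and runs two of the conversation-level checks from the second list (retransmission detection and "frozen window" detection). The MAC and IP addresses, port numbers and payload are constructed sample values; a real capture would come from a .pcap written by Wireshark or tcpdump and would need a pcap reader in place of `sample_capture()`.

```python
"""Frame decoder plus macro/micro analysis over a capture constructed inline (added example)."""
import struct
from collections import Counter

BROADCAST_MAC = b"\xff\xff\xff\xff\xff\xff"
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport,
                    seq, ack, flags, window, payload=b""):
    """Assemble Ethernet II + IPv4 + TCP around a payload (checksums left zero; analysis ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp


def parse_frame(raw):
    """Decode the Ethernet header, and the IPv4/TCP headers when present, into a flat dict."""
    f = {"dst_mac": raw[0:6], "src_mac": raw[6:12],
         "ethertype": struct.unpack("!H", raw[12:14])[0], "length": len(raw), "proto": None}
    if f["ethertype"] != 0x0800:          # not IPv4 (e.g. ARP): only layer-2 fields are available
        return f
    ihl = (raw[14] & 0x0F) * 4            # IPv4 header length in bytes
    total_len = struct.unpack("!H", raw[16:18])[0]
    f["proto"] = IP_PROTO_NAMES.get(raw[23], str(raw[23]))
    f["src_ip"] = ".".join(map(str, raw[26:30]))
    f["dst_ip"] = ".".join(map(str, raw[30:34]))
    if raw[23] == 6:                      # TCP: pull the fields the conversation checks need
        t = 14 + ihl
        sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", raw[t:t + 16])
        f.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, window=window,
                 payload_len=total_len - ihl - (off >> 4) * 4)
    return f


def traffic_summary(frames):
    """Macro view: who sends how much, which protocols appear, how much broadcast traffic there is."""
    bytes_by_src, protocols, broadcasts = Counter(), Counter(), 0
    for f in frames:
        bytes_by_src[f.get("src_ip", f["src_mac"].hex(":"))] += f["length"]
        protocols[f["proto"] or "0x%04x" % f["ethertype"]] += 1
        broadcasts += f["dst_mac"] == BROADCAST_MAC
    return {"bytes_by_src": bytes_by_src, "protocols": protocols,
            "broadcasts": broadcasts, "total_bytes": sum(f["length"] for f in frames)}


def find_retransmissions(frames):
    """Micro view: indices of TCP segments that repeat a (flow, sequence number) already seen carrying data."""
    seen, hits = set(), []
    for i, f in enumerate(frames):
        if f["proto"] != "TCP" or f["payload_len"] == 0:
            continue
        key = (f["src_ip"], f["sport"], f["dst_ip"], f["dport"], f["seq"])
        if key in seen:
            hits.append(i)
        seen.add(key)
    return hits


def find_zero_window(frames):
    """Micro view: indices of ACKs advertising a zero receive window (the 'frozen window' case)."""
    return [i for i, f in enumerate(frames)
            if f["proto"] == "TCP" and f["flags"] & TCP_ACK and f["window"] == 0]


# Constructed sample addresses (not from any real network).
CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CLIENT, SERVER = "10.0.0.5", "10.0.0.10"


def sample_capture():
    """Constructed capture: SYN, SYN/ACK, a data segment sent twice, a zero-window ACK, a broadcast ARP request."""
    data = b"GET /index.html HTTP/1.0\r\n\r\n"
    arp_request = BROADCAST_MAC + CLIENT_MAC + struct.pack("!H", 0x0806) + bytes(28)
    return [
        build_tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 40000, 80, 100, 0, TCP_SYN, 65535),
        build_tcp_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, 80, 40000, 500, 101, TCP_SYN | TCP_ACK, 65535),
        build_tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 40000, 80, 101, 501, TCP_PSH | TCP_ACK, 65535, data),
        build_tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 40000, 80, 101, 501, TCP_PSH | TCP_ACK, 65535, data),
        build_tcp_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, 80, 40000, 501, 101 + len(data), TCP_ACK, 0),
        arp_request,
    ]


def analyze(raw_frames):
    """Run the macro summary and both micro checks over a list of raw frames."""
    frames = [parse_frame(r) for r in raw_frames]
    return {"summary": traffic_summary(frames),
            "retransmissions": find_retransmissions(frames),
            "zero_window": find_zero_window(frames)}


if __name__ == "__main__":
    for key, value in analyze(sample_capture()).items():
        print(key, value)
```

In the constructed capture the third data segment is flagged as a retransmission (same flow and sequence number as the frame before it) and the server's zero-window ACK is flagged as a frozen-window event; the summary attributes the ARP request to the client's MAC address because there is no IP layer to name it by. The same structure, a per-frame decoder feeding an aggregate pass and a per-conversation pass, is what a sniffer's display filters and expert analysis do at much larger scale.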
FLG Networking Services uses the Wireshark network sniffer for network analysis and troubleshooting, which can be downloaded here. If you have a network performance issue or other network problem, FLG Networking Services can help.