
Analyzing network traffic with tried-and-true packet monitor

Category: Network packet monitoring utility
Name of tool: EtherPeek v4.1
Company name: WildPackets
Price: $950, higher with annual maintenance contract
Windows platforms supported: 95/98/2000/Me/NT (at least service pack 3)
Quick description: A fully featured network packet capture utility

**** = Very cool, very useful

Key features:

Extremely easy and straightforward to use. Screen layout intuitive and simple to navigate.

Setting up the software to filter your traffic and focus on particular problems will take some experience and training.


Network problems can be notoriously difficult to troubleshoot and solve, given that you have to deal with issues with your cabling, infrastructure, protocols, and operating systems and understand how to juggle among these different pieces to figure out why something is wrong. Every enterprise networker should have some kind of packet capture tool to help.

These tools record network traffic and analyze it for patterns: a chatty print server sending out lots of packets might indicate that it is improperly configured, clogging your network with useless traffic. Or your router might not be able to talk to your firewall because of some setup mistake. Or a cable could be broken in a key place, or a PC set up with the wrong protocols. In any event, these tools are indispensable and often the only way a corporate support person can figure out when something is wrong.

There are three schools of thought when it comes to using network capture tools. One is to use something DOS-based, with character-mode screens that are filled with data. While these can be hard to understand, they can be useful to quickly get the entire picture of what is happening on your network. I have used an aging version of LanWatch for years and it does the trick. The advantage to using DOS-based programs is that they are generally quick to set up and run -- and don't require much in the way of computing resources (indeed, I have run my version on a 286-based laptop).

But DOS being DOS does have its limitations. If you want to perform more than one task, or switch between a monitoring screen and an analysis screen, then you want something else. You can purchase a Sniffer or something that is dedicated to the task of analyzing your network: this is a great solution if you have the cash and intend to use it and really understand how it works. But that may be more work than you bargain for, especially when you are in the heat of trying to track down something to help a user in distress in your corporation get back up and running.

The third method is probably where most of us end up, using a Windows-based software protocol analyzer. It isn't as pricey, can still help us debug our network problems, and runs on a wide variety of computers. There are dozens of choices, ranging from the free Network Monitor tool included in every copy of Windows NT/2000 server versions to various shareware tools with names like Net Analyzer, Anasil, and LanExplorer.

Windows' own NetMon tool is fairly limited: you can only capture network traffic that originates from the same server that it runs on, making analysis of overall network trends and problems difficult. My favorite choice is WildPackets' EtherPeek. The product has been around for more than a decade and over time it continues to be the easiest packet capture tool and the most versatile.

Any tool should be able to quickly identify the physical network nodes operating on your network. The trouble is that usually these identities are expressed in long hexadecimal numbers that are almost always meaningless to most of us. A far better solution is to resolve these hexadecimal ID numbers into network host names so you can quickly focus on the appropriate PC, router, or hub that is being temperamental. Any network analyzer worth its salt also allows you to filter traffic based on particular IP addresses, or types of applications (such as all Web traffic, etc.). EtherPeek does this quite readily, although setting up the filters will take some practice and some guidance from the manual. You also want to be able to save your captured data to a disk file, and replay it for subsequent analysis. EtherPeek reads a wide variety of competitors' capture files, too, including Sniffer, LANalyzer, and TCPDump. And, you want to be able to sort your results to find the top talkers (or who is hogging all your network bandwidth), as well as examine network bottlenecks.
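To make the analyzer features just listed concrete, here is an added Python example (not part of the original review and not WildPackets' code) that builds a small tcpdump-format capture, resolves source addresses to names through a host table, applies an address or application-port filter, and ranks senders by bytes sent, which is the top-talkers view described above. The host names, addresses and the capture itself are constructed for the example; the parser handles only native little-endian libpcap files carrying IPv4/TCP over Ethernet.

```python
import struct
from collections import Counter
# Constructed host table (assumed names): the analyzer's "resolve address to name" step.
HOSTS = {"10.0.0.5": "printsrv", "10.0.0.9": "alice-pc", "10.0.0.1": "router"}

def build_frame(src_ip, dst_ip, sport, dport, payload):
    # Ethernet + IPv4 + TCP with zeroed checksums; MACs are constructed placeholders.
    mac = lambda ip: b"\x02\x00\x00\x00\x00" + bytes([int(ip.split(".")[-1])])
    ip4 = lambda ip: bytes(map(int, ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    return mac(dst_ip) + mac(src_ip) + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    # libpcap (tcpdump) file: 24-byte global header, then a 16-byte header per record.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    # Yield (src_ip, dst_ip, dst_port, frame_len) for every IPv4/TCP record.
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian libpcap magic")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4 over Ethernet, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        yield src, dst, dport, incl

def top_talkers(data, only_ip=None, only_dport=None):
    # Bytes sent per named host, optionally filtered by address or application port.
    sent = Counter()
    for src, dst, dport, n in parse_pcap(data):
        if (only_ip and only_ip not in (src, dst)) or (only_dport and dport != only_dport):
            continue
        sent[HOSTS.get(src, src)] += n
    return sent.most_common()

# Constructed capture: a chatty print server, a PC browsing, and one reply from the router.
SAMPLE = build_pcap([build_frame("10.0.0.5", "10.0.0.1", 40000, 515, b"P" * 246)] * 6
                    + [build_frame("10.0.0.9", "10.0.0.1", 40001, 80, b"G" * 46)] * 2
                    + [build_frame("10.0.0.1", "10.0.0.9", 80, 40001, b"H" * 146)])
```

Calling `top_talkers(SAMPLE)` ranks the print server first; `top_talkers(SAMPLE, only_dport=80)` is the "all Web traffic" filter, and `only_ip` narrows the view to one host's conversations.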

About the only downside is the price of the tool -- over $1000, if you purchase a maintenance contract. (I would recommend such a purchase, given that you'll want some support with a tool of this caliber.) You'll also need a fast 400 MHz or better Pentium with 128 M-byte of RAM if you want to capture traffic on a 100 M-byte Ethernet -- for 10 M-byte networks, just about any machine is adequate -- I tried it on a 200 MHz Pentium running NT version 4.0.

WildPackets has plenty of support and training courses available, should you wish to gain more experience with their tool. And, the supplied documentation does a great job walking you through the analysis process. Overall, this is a very useful tool and one that no one should be without.

Strom-meter key:
**** = Very cool, very useful.
*** = Hey, not bad. One notch below very cool.
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.

Bio: David Strom is president of his own consulting firm in Port Washington, NY. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant, and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him email at
