LANdecoder32 Adapter/Interface Tradeoffs


To ensure that LANdecoder32 meets your needs, we feel it is important that you understand the tradeoffs inherent in configuring your monitoring and analysis platform. The choices to consider are not unique to Triticom's monitoring solution. However, due to the flexibility of the product, LANdecoder32 can be utilized in a variety of ways in order to best address your network topology and what you have at your disposal.

LANdecoder32 supports two distinct ways to monitor traffic and protocols on a network segment:

  1. Remote interface, which allows you to monitor a network attached to an RMON probe with which your PC communicates using TCP/IP protocols.
  2. Local interface, which allows you to monitor a network attached to an adapter installed in your PC.

An overview of each type of traffic monitoring is given below, along with a discussion of the strengths and weaknesses inherent in each approach.

Remote Interface

LANdecoder32 can communicate with industry-standard RMON probes (like RMONster) connected to your network(s). You must have TCP/IP protocol support installed on your machine. Based on your usage of LANdecoder32, it instructs the RMON probe as to what data and statistics to maintain about the network the probe is attached to and which, if any, frames the probe should capture. LANdecoder32 maintains communications with the RMON probe so that network statistics can be updated on your computer. When you want to analyze specific frames that have been captured on the RMON probe, LANdecoder32 downloads them from the probe to your machine so that they can be decoded and analyzed.

Strengths

  • General Purpose. Any network segment can be monitored, including those to which your machine is not directly attached. The only requirements are that an RMON probe be present on the segment to be monitored, and that your machine can communicate with that probe using TCP/IP. For example, you could use the Internet (or an Intranet) to monitor a network segment at a remote location right from your desktop.

Weaknesses

  • In-Band Communication. Typically, you will communicate with the probe (using TCP/IP) over the same network which you are monitoring. This implies that part of the traffic you are monitoring will be your own communications with the probe. (Note that LANdecoder32 has a feature which lets you easily exclude this traffic from a frame capture session.) If the network you are monitoring is malfunctioning, however, it may be difficult for LANdecoder32 to communicate with the probe. Thus, at the very time a problem occurs and trouble-shooting is required, LANdecoder32 may lose contact with the RMON probe! RMON probes are useful for collecting on-going data and "normal" traffic, but may be inappropriate for emergency trouble-shooting or critical maintenance. Note that you can lessen this problem if your RMON probe has more than one network interface -- you can then communicate with it over one network to monitor another. For example, some probes have dial-up capabilities, so you might connect directly to a probe over telephone lines using PPP in order to monitor a "down" network segment connected to another port on the probe.
  • Connection Requirements. LANdecoder32 must stay in communication with the remote RMON probe in order to operate successfully. If a network malfunction disrupts communications with the probe for more than about 20 minutes, LANdecoder32 "gives up" and assumes the monitoring session is ended. If communications are later restored with the probe, LANdecoder32 treats this as a "new" monitoring session, and all previous data is discarded.
  • Increased Traffic. TCP/IP-based SNMP traffic will increase the load on whatever network segments it traverses as it travels between LANdecoder32 and the RMON probe. Normally, LANdecoder32's RMON traffic is quite light -- less than 1% network bandwidth for typical statistics-gathering operation on a 10-Mbps Ethernet. However, retrieval of a frame capture session from the probe may result in significant bandwidth utilization.
  • Slow Capture Retrieval. Retrieval of the results of a large capture session from the RMON probe may be a slow operation. This is essentially unavoidable -- the traffic you are downloading from the probe may have been collected over minutes or hours of operation, and may represent many megabytes of frame data. This traffic must be "played back" over the network (with the addition of SNMP and RMON overhead) in order to be downloaded to LANdecoder32. It is not unusual for the retrieval of a large capture session to take many minutes, or even hours. Note that this problem can be made much worse if you are retrieving frames over a "slow" link, such as a PPP connection. Effective usage of LANdecoder32's capture filtering and frame slicing features can help to lessen this problem -- the more precisely you can filter out unwanted data from the capture session, the quicker the desired data can be downloaded to LANdecoder32 from the probe.

Local Interfaces

LANdecoder32 supports two separate methods of collecting statistics and frames from a network to which your PC is directly attached: Microsoft's NDIS drivers and Triticom's AccuCapture drivers. These two different modes of "Local" operation are supported by specialized LANdecoder32 driver software installed on your PC. These drivers collect much the same data that an RMON probe would, but do so in your machine so that the data can be communicated instantly to LANdecoder32, without the overhead and delays inherent in RMON.

Whether NDIS or Triticom's AccuCapture drivers are used in your machine, locally collected data has some strengths and weaknesses as compared to remote RMON data, discussed previously.

Strengths

  • Self-Contained. Most of the "weaknesses" of RMON, as described above, are related to its "distributed" nature. Using RMON, monitoring/capture functions are performed by a separate computer (the RMON probe) and results must be communicated back to LANdecoder32. Local drivers make this entire process happen in your machine. Thus there is no communication overhead or increased bandwidth utilization, and no frame capture retrieval delays.
  • Passive Monitoring. LANdecoder32 generates no network traffic when operating with local drivers.
  • Quick Capture Retrieval. Since captured frames are already present on your computer, they can be decoded for analysis instantly.

Weaknesses

  • Direct Connection Required. Only network segments directly connected to your PC can be monitored. No remote monitoring operations are possible.
  • Increased Processing Load. LANdecoder32's specialized driver software is running in your Windows environment along with LANdecoder32 itself, and this increases the processing load on your PC. During periods of heavy network traffic, your PC may seem to pause or "freeze" temporarily. This is because LANdecoder32's design gives highest priority to the operation of the driver software, ensuring that the fidelity of the statistics and captured frames is preserved. Under normal operation, such pauses are brief and may not even be noticeable, depending on the loading levels present on your network and the power of your PC.

Local NDIS Drivers

When using Microsoft's industry-standard NDIS (Network Device Interface Specification) drivers as a basis for network monitoring, it should be noted that NDIS was designed as a general-purpose mechanism to support network communications, not as a tool to support high-performance statistics-gathering and protocol analysis. Strengths and weaknesses of using NDIS are discussed below.

Strengths

  • Single Adapter Operation. The same adapter used to communicate using standard protocols on the network can also be used simultaneously for network monitoring operations. Thus, the adapter(s) you use to talk to file servers, other workgroup computers, and even remote RMON probes, can also be used to monitor the network(s) to which your computer is attached.

  • Easy Configuration. NDIS is supported by installing a new component using the standard Windows "network" installation procedures and dialogs. No special configuration or installation steps are required, and no knowledge of adapter hardware settings and resources is needed.

Weaknesses

  • Inconsistent Error Reporting. The degree to which NDIS drivers report frame errors, such as Checksum errors or "runt" frames, varies widely from vendor to vendor. Note that the severity of this issue is lessened for Token-Ring, since error statistics are reported "in-band" to the Ring Error Monitor and can thus be observed by LANdecoder32.

  • No Capture of Error Frames. NDIS provides no mechanism by which "bad" frames can be captured from an Ethernet. Any frame with a low-level error, such as a Checksum error, is simply flushed and cannot be captured by LANdecoder32.

  • Inconsistent Performance under Heavy Loads. As noted above, NDIS was not designed to support high-performance, packet capture type operations. Many NDIS drivers are incapable of keeping up with a heavily loaded network, and begin to drop frames. Unfortunately, the inconsistent level of NDIS error reporting (mentioned above) means that some NDIS drivers which drop frames under heavy loads do not even report this fact to LANdecoder32.

  • "Promiscuous" NDIS Drivers Required. In order to do its job, LANdecoder32 must program the underlying, vendor-supplied NDIS driver for "promiscuous" or "copy all frames" operation. While many NDIS drivers support this type of operation, many do not. If your adapter does not support "promiscuous" operation, LANdecoder32 will inform you of this. You may have to contact your adapter vendor to determine whether promiscuous NDIS drivers are available.

AccuCapture Drivers

Unlike NDIS drivers, Triticom has designed its direct-to-the-adapter AccuCapture drivers with the sole purpose of streamlining and optimizing Ethernet network monitoring and frame capture operations under Windows 95 and NT 4.0. By installing a supported adapter which is dedicated to LANdecoder32 operation, you can ensure maximum performance and high-fidelity error and statistic reporting.

The relative strengths and weaknesses of Triticom's AccuCapture drivers are summarized below.

Strengths

  • Consistent Error Reporting. Six distinct classes of error frames are detected and reported.

  • Capture of Error Frames. Unlike NDIS, frames with lower-level errors (such as Checksum errors) can be captured by LANdecoder32 using AccuCapture drivers.

  • Consistent Performance under Heavy Loads. AccuCapture drivers are designed specifically to support the operations required for network traffic monitoring and frame capture with the highest possible level of performance. If network loads do surpass the capabilities of your adapter/machine, the fact that frames are being dropped is accurately reported.

  • No Other Drivers Required. Triticom's AccuCapture drivers require no other vendor-supplied software. They interface directly with the underlying network adapter hardware for maximum performance.

Weaknesses

  • Dedicated Adapter Required. The adapter to which AccuCapture drivers are bound is dedicated solely to network monitoring and analysis. No other protocols or functions may be used with this adapter. (Windows' "Hardware Profile" features may be used to allow the adapter to be used for "normal" network operation if the appropriate profile is selected during Windows' startup.)

  • Only Specific Adapters Supported. Only specific 10-Mbps and 10/100-Mbps Ethernet adapters are supported by AccuCapture drivers. While many of the most widely-used, industry-standard adapters are supported, it will never be possible to support all adapters due to the special requirements of "promiscuous" operation and the sheer number of adapters on the market.

  • More Complex Configuration. While configuration of AccuCapture drivers is quite simple, it does require some knowledge of adapter hardware settings and resources. Triticom's installation instructions are intended to minimize this problem.

There are many choices to consider when deciding upon a configuration for your monitoring and analysis platform. You should consider the strengths and weaknesses of each approach discussed above to determine which configuration will best meet your monitoring and analysis needs. Due to the variety of monitoring interfaces supported, LANdecoder32 offers the flexibility to address these needs.


Copyright © Triticom, 1998, all rights reserved.