12.2 EtherVision

12.2.1 Operation

Figure 12.10 illustrates the EtherVision Available Options menu when the program is initialized . Note that the first option, Monitor Traffic, results in two options. You can either monitor traffic based on the source address in each frame or the destination address in each frame. Similar to EtherPeek, EtherVision requires the use of a promiscuous LAN adapter card for its production version because the program needs to read each frame on the network. Unlike EtherPeek, which provides a packet decoding capability and operates at and above the data-link layer, EtherVision is restricted to operating at the data-link layer. While it can neither decode packets nor provide higher layer information, the program can provide summary statistics by station, which may be all you require for gathering information required by the models presented in this book.

Figure 12.10: Use the EtherVision Available Options Menu to Monitor the Traffic Based on Source or Destination Address

12.2.2 Statistics

Figure 12.11 illustrates the EtherVision monitoring screen after an elapsed period of 73 seconds. Note that at this time the program discovered nine distinct source addresses and accumulated statistics concerning the number of frames transmitted by each station. Using a table of vendor hardware addresses, the program can identify the manufacturer of most LAN adapter cards by comparing the first three bytes in each address against entries in its table that represent registered vendor IDs. In addition, the program provides the ability to associate names to hardware addresses to facilitate the recognition of different stations . In the example shown in Figure 12.11, the dark area near the bottom of the screen indicates that the highlighted address at the top of the screen has the name Doc, used a LAN adapter manufactured by 3 Com Corporation, and transmitted 10.8 percent of all the frames flowing on the LAN since monitoring commenced.

Figure 12.11: Monitoring Screen Display Indicates the Distribution of Frames by Network Address

In concluding this brief review of EtherVision, we will examine its Statistics display, which is obtained by pressing the F7 key from the monitoring display. Figure 12.12 illustrates an example of this display. Note that this screen provides specific information about Ethernet frames, to include the total frames flowing on the network and their average size or length. This display also indicates the distribution of frame by length, network utilization, and other statistical information that can be used with one or more of the models previously developed in this book.

Figure 12.12: The EtherVision Statistics Display Provides a Summary of Various Network Statistics

Regardless of the network monitoring tool utilized, it is important to note that the use of an appropriate tool can provide a literal window of observation concerning the activity on a network. By accumulating statistics, you can spot trends, gather metrics to exercise performance models, and obtain the ability to denote potential problems before they become problems. Thus, while this author will not recommend the use of a specific tool, he emphatically recommends the use of a network monitoring tool!

For readers who wish to contact the developers of the two programs discussed in this chapter, Table 12.1 lists their voice, fax, and postal addresses. In addition, the Web addresses of both vendors are listed as a point of reference concerning the latest versions of their products.