Ethernet monitor wanted


Thomas Narten (narten@Purdue.EDU)
08 Apr 86 21:58:18 EST (Tue)


We were recently struck by an unusual and deadly problem that killed
our Ethernet and many of the machines on it. The problem was apparently
caused by a piece of hardware that didn't take a power surge well.

The problem consisted of two things: The net became jammed with bogus
traffic (not legal packets), and lots of corrupted packets that had
correct Ethernet checksums in them. The jamming was intermittent, and
temporary, but the effects of the corrupted packets were felt for quite
a while.

IP packets were OK because they were checksummed at higher layers.
During one 3 hour period, one of our machines recorded over 200,000
IP checksum errors. Unfortunately, ARP relies on the Ethernet checksum
and hence the ARP tables became severely corrupted. You can imagine the
confusion this caused. (i.e. connections break, the ability to reach a
host comes and goes, ...)

Conclusion (as noted in this mail list before): it's tough debugging a
network without tools.

We were fortunate enough to have MIT's PC monitoring program that plugs
into the Ethernet and prints out everything it sees. It was extremely
useful to us. In using it, however, I thought a more general monitoring
program would be extremely useful (even during times the network is
functioning normally).

I am wondering what (if any) other sorts of "promiscuous reader"
programs have been written and if they are available for use.

Things that would be useful include:

Having massive statistics gathered over a period of time. It would be
nice if the program could be run for an hour/day/week to accumulate
information about numbers/types/sizes of packets. This information
could (perhaps later) be broken down in such a way that one could see
all the stats for a given source address, or a given destination (i.e.
broadcast would be interesting), packet type (i.e. protocol), etc.

It would also be useful to have an interactive, screen oriented program
that lets you select what you see. This would be most useful when
tracking down problems.

Do any such programs exist? What are their capabilities? What other sorts
of things would be useful to include?

Thomas Narten
----------
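The breakdown by source, destination and packet type asked for in the message above, as an added example (not part of the original message and not MIT's monitor program). It works on frames already captured as byte strings and also verifies the IP header checksum, the higher-layer check that ARP frames do not carry. The addresses and sample frames are constructed, and `summarize` and `sample_frames` are hypothetical names.

```python
import struct
from collections import Counter, defaultdict

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP"}
BROADCAST = b"\xff" * 6

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum; a valid IP header sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def summarize(frames):
    """Tally frames by source, destination, type and size; check IP headers."""
    stats = {"by_src": defaultdict(Counter), "by_dst": Counter(),
             "by_type": Counter(), "bytes": Counter(), "bad_ip": 0, "short": 0}
    for frame in frames:
        if len(frame) < 14:              # too short for an Ethernet header
            stats["short"] += 1
            continue
        dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
        name = ETHERTYPES.get(etype, "0x%04x" % etype)
        stats["by_src"][mac(src)][name] += 1
        stats["by_dst"]["broadcast" if dst == BROADCAST else mac(dst)] += 1
        stats["by_type"][name] += 1
        stats["bytes"][name] += len(frame)
        if etype == 0x0800:              # ARP frames get no such check
            hdr_len = (frame[14] & 0x0F) * 4 if len(frame) > 14 else 0
            hdr = frame[14:14 + hdr_len]
            if hdr_len < 20 or len(hdr) < hdr_len or ones_sum(hdr) != 0xFFFF:
                stats["bad_ip"] += 1
    return stats

def sample_frames():
    """Constructed input: one good IP frame, one damaged copy, one ARP broadcast."""
    a, b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    ip[10:12] = struct.pack("!H", 0xFFFF - ones_sum(bytes(ip)))
    good = b + a + b"\x08\x00" + bytes(ip)
    bad = good[:-1] + bytes([good[-1] ^ 0x10])   # one flipped bit in the header
    arp = BROADCAST + a + b"\x08\x06" + bytes(28)
    return [good, bad, arp]
```
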


