EtherPeek NX is WildPackets' offering in the Ethernet packet capture and analysis market, with sister product AiroPeek NX providing similar functionality for wireless networks. We looked at version 2.1 of EtherPeek and 2.0.5 of AiroPeek.
The operation of the packages is largely similar, so we'll deal with both in a single review. Before we go into the common functionality, though, it's worth looking at the differences which manifest themselves mainly in the setup process.
EtherPeek is trivial to get up and running. Once the installer has finished, you fire up the program, choose which network adaptor you want to use to capture packets, and go for it. (We had a LinkSys USB-connected Ethernet adaptor on our test laptop, which posed no problems for EtherPeek). AiroPeek is a bit more involved, because not only are you restricted to using one of a supported list of WLAN adaptors, but you also have to install a WildPackets-proprietary driver for it to work properly. Fortunately our Cisco AiroNet 350 PCMCIA card was on the "supported" list, and the documentation led us through the driver modification process with no problems.
With the software and drivers installed, you can go ahead and start capturing packets. EtherPeek simply watches what's flying down the wire (we connected it outside the external interface of our firewall so that there'd be plenty of traffic); because WLANs use a number of different "channels", AiroPeek asks you whether you'd like to pick one or more channels, or whether you'd like to identify traffic by its SSID, before going ahead and starting to capture packets. As with other packet analysers, EtherPeek and AiroPeek can both process either live data or stored capture files (they can, of course, both store their capture results for later reference). Both packages can also interface into WildPackets' external capture tools: the RFGrabber (which captures WLAN packets for analysis by AiroPeek), the RMONGrabber (a link between EtherPeek and RMON data sources) and the PacketGrabber (a remote packet capture device for EtherPeek).
The user interface is common to both packages, and so once you've got the basic functions up and running the two work pretty much the same. You can define filters for the traffic on the network (on an "include" or "exclude" basis), and as well as relying on the products to resolve addresses into names, you can define your own human-readable names for nodes (so you can map MAC addresses to machines' proper names, for instance).
As the capture is proceeding, you're given a "dashboard" in the bottom left corner that shows you the loading level of the local segment (or the wireless network if you're using AiroPeek). A second window in the bottom right lists summary information as it is deduced from the packet capture, so a string of HTTP packets would result in a single summary entry of the form: "http://www.microsoft.com/ from Firewall External Interface". This information window is context-sensitive, and so if you double-click on (say) an entry for a Web request, it'll fire up an Explorer window and take you there so you can see what the link refers to.
Above the dashboard and summary windows, the main screen shows the actual packet capture detail. The detail is relative to the type of traffic being seen, so an HTTP request would be recognised as a layer 3 entity and a summary of the packet's meaning given in the capture window, while a WLAN Beacon packet (in AiroPeek) would be seen as a layer 2 entity and the information given would relate to the packet's lower-level properties. Of course, AiroPeek understands some extra things that relate only to wireless operation, so it'll see things like signals bleeding over between channels, for instance, and it'll segregate traffic into separate columns representing the various 802.11 transmission speeds.
The packet window is rather like an Excel spreadsheet. Each line of the summary screen has the usual fields: source, destination, size and so on. At the bottom of the window, there's a set of tabs (like the ones you use to switch between sheets in a spreadsheet) that let you visualise the data in a number of different ways. By default you see the packet summary, but you can also click Nodes (which summarises traffic in/out by node), Protocol (traffic by protocol, split into a neat hierarchy), Summary (an in-depth detail of traffic levels by type), Graphs (a number of pretty pictures showing things like packet size distributions), Log (incident reports; more about that shortly), Expert (a tool for correlating packets into conversations), Peer Map (a diagram showing conversations between end stations) and Filters (which we mentioned earlier).
The Log item is particularly interesting, because it analyses the packets as they arrive and categorises them into incidents at varying levels of severity. Most flows receive no special attention, but if, for instance, it thinks that an HTTP conversation is suffering from slow response, it'll flag this as a "low severity" problem, and if someone's port scanning or SYN flooding, it'll notice this too and report it as such. It will also identify application-level issues where it knows what to look for (in our test it noticed a number of malformed DNS packets coming in from outside, for example), and for each type of issue there's a detailed description available for non-experts.
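To make the Log tab's behaviour concrete, here is an added Python example (not WildPackets' code, and not taken from the review) of the same kind of heuristic classification: it pairs HTTP requests with their replies to spot slow responses, counts distinct probed ports to spot a port scan, and counts bare SYNs per destination port in a sliding window to spot a SYN flood, attaching a severity to each incident. It also uses a user-defined node name table of the kind described earlier, so reports read "Firewall External Interface" rather than a bare address. The packet layout, thresholds, names and sample traffic are all constructed for this illustration.

```python
# Added illustration of heuristic incident classification over a packet
# capture, in the spirit of the review's Log tab. Packet layout, names,
# thresholds and the sample traffic are constructed; this is not the
# product's own logic.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp, seconds
    src: str
    dst: str
    dport: int
    flags: str = ""    # TCP flag letters: "S" (bare SYN), "SA" (SYN-ACK), "A"
    payload: str = ""  # first line of any application data, if present


# Constructed node name table, like the review's human-readable node names.
NAMES = {"203.0.113.5": "Firewall External Interface", "10.0.0.7": "Lab Laptop"}


def name_of(addr: str) -> str:
    return NAMES.get(addr, addr)


# Constructed severity assignments for the three incident types shown.
SEVERITY = {"slow_http": "low", "port_scan": "high", "syn_flood": "high"}


def _incident(kind: str, text: str) -> dict:
    return {"severity": SEVERITY[kind], "type": kind, "description": text}


def detect_slow_http(packets, limit=2.0):
    """Pair each HTTP request with the first reply from that server and flag
    round trips slower than `limit` seconds (a 'low severity' condition)."""
    pending, found = {}, []          # (client, server) -> request timestamp
    for p in sorted(packets, key=lambda q: q.ts):
        if p.dport == 80 and p.payload.startswith(("GET ", "POST ")):
            pending.setdefault((p.src, p.dst), p.ts)
        elif p.payload.startswith("HTTP/") and (p.dst, p.src) in pending:
            delay = p.ts - pending.pop((p.dst, p.src))
            if delay > limit:
                found.append(_incident("slow_http",
                    f"{name_of(p.src)} answered {name_of(p.dst)} after {delay:.1f}s"))
    return found


def detect_port_scan(packets, min_ports=10, window=1.0):
    """One source sending bare SYNs to many distinct ports on one destination
    within `window` seconds."""
    syns, found = defaultdict(list), []   # (src, dst) -> [(ts, dport)]
    for p in packets:
        if p.flags == "S":
            syns[(p.src, p.dst)].append((p.ts, p.dport))
    for (src, dst), probes in syns.items():
        probes.sort()
        peak = max(len({dp for t, dp in probes[i:] if t - t0 <= window})
                   for i, (t0, _) in enumerate(probes))
        if peak >= min_ports:
            found.append(_incident("port_scan",
                f"{name_of(src)} probed {peak} ports on {name_of(dst)}"))
    return found


def detect_syn_flood(packets, min_syns=20, window=1.0):
    """Many bare SYNs aimed at one destination port inside a sliding window."""
    syns, found = defaultdict(list), []   # (dst, dport) -> [ts]
    for p in packets:
        if p.flags == "S":
            syns[(p.dst, p.dport)].append(p.ts)
    for (dst, dport), times in syns.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window's left edge
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_syns:
            found.append(_incident("syn_flood",
                f"{peak} SYNs to {name_of(dst)}:{dport} within {window:.0f}s"))
    return found


def analyse(packets):
    """Run every detector and return incidents, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    incidents = detect_syn_flood(packets) + detect_port_scan(packets) + detect_slow_http(packets)
    return sorted(incidents, key=lambda i: order[i["severity"]])


def sample_traffic():
    """Constructed capture: a normal and a slow web fetch, a port scan, a SYN flood."""
    pk = [Packet(0.0, "10.0.0.7", "198.51.100.10", 80, "A", "GET / HTTP/1.1"),
          Packet(0.1, "198.51.100.10", "10.0.0.7", 52001, "A", "HTTP/1.1 200 OK"),
          Packet(1.0, "10.0.0.7", "198.51.100.20", 80, "A", "GET / HTTP/1.1"),
          Packet(4.5, "198.51.100.20", "10.0.0.7", 52002, "A", "HTTP/1.1 200 OK")]
    pk += [Packet(10.0 + i * 0.01, "192.0.2.99", "203.0.113.5", 21 + i, "S") for i in range(15)]
    pk += [Packet(20.0 + i * 0.02, "192.0.2.77", "203.0.113.5", 80, "S") for i in range(25)]
    return pk


if __name__ == "__main__":
    for inc in analyse(sample_traffic()):
        print(f"[{inc['severity']:>4}] {inc['type']}: {inc['description']}")
```

Run as a script it prints the three incidents in severity order; the first normal web fetch produces nothing, which is the point of the thresholds. The numbers are deliberately crude: a real analyser tunes them per segment and adds the application-level checks (such as malformed DNS) that the review mentions.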
A reasonable sign of the usefulness of this type of product is whether it tells us anything about our lab network that we didn't already know, and in fact both products get ticks in the boxes. Although we expect the external port of our firewall to be seeing SYN floods and other illicit traffic, EtherPeek quantified this and (the attractive bit) packaged the important information in a comprehensive set of alerts that we could follow up. AiroPeek, on the other hand, told us that there was traffic bleeding between channels, and pointed out that we'd forgotten to flick the "don't advertise the SSID in beacons" box in our Access Point setup.
AiroPeek and EtherPeek are both excellent network analysis tools. AiroPeek is necessarily fiddly to set up, but the custom driver installation is only a one-off exercise so it's no great problem.
Always check the "supported hardware" list before buying, particularly for AiroPeek.