This is the way that Network General (the creator of Sniffer (R)) has deployed Distributed Sniffer (R) since the beginning. While the product that you are using may be from another vendor or Open Source (e.g., Ethereal (R) / Wireshark (R)), this process is time honored and, as such, is considered to be "Best Practice." This design is meant to assure that the NIC that is listening to the Monitor is not sending any packets itself. The Monitor Card should have no protocols bound to it and should listen in promiscuous mode. Additionally, the PC should be as passive as possible and should not be phoning home to vendors because of unnecessary software it has loaded.

One process is to take a company's standard laptop and customize it by removing anything that is not needed to support the role of a Protocol Analyzer. Any software that is not part of the laptop's OS requirements should be uninstalled. Once the laptop has been stripped down this way, load the Open Source Protocol Analyzer of your choice and test it. Once testing is satisfactorily completed, save an Image of the laptop to be used to generate other Open Source Laptop Protocol Analyzers.

System Requirements:

- Pentium 4 or higher.
- 1 GB Memory or higher.
- 2 NICs, one of which is 100 Mbps (not Gigabit), to be used as the Monitor Card. (NOTE: This process is not appropriate for Gigabit Monitoring.)
- Remote Control Software (e.g., VNC) that supports File Transfers from the laptop acting as a Protocol Analyzer to the PC used by the Network Transaction Analyst.

Two NICs:

- 1st NIC - Monitor Card - No IP bound to the card. This card just listens in promiscuous mode. It is the one that is attached to the Monitor Port in the Switch. This should be a 100 Mbps NIC.
- 2nd NIC - Transport Card - IP is bound (static) so that this card can be used on the Intranet to access the remote control function of the PC. This can be Gigabit if that is all that is available.

Other Configuration Issues:

- No Management Software (SMS, Radia, etc.) enabled. No management of this device other than remote control.
- Virus Protection (only if it is considered mandatory by company policy). However, this laptop should have no email client or any other software that will want to connect to the Internet (with the possible exception of Time Services). A Firewall rule can always be created to enforce its isolation from the public Internet except on approved sockets.
- A Time Server should be in place to keep the various Protocol Analysis Laptops in sync. This can be an Internet source, if Company Policy permits, or a local Intranet source.
- The laptop should not be a member of the Company Domain. One logs into the PC itself, locally or via remote control.
- All Mirrors in switches are to be bi-directional.
- Consider creating a shared folder to act as a Trace File depository. This is not required, but can be helpful, as these files can easily grow too large for many corporate email policy size limits.
- Use WinZip on the Laptop to allow compression of the large trace files to speed up transfer.

Barry Koplowitz founded Interpath Technologies Corporation in 1999. He has been consulting in the IT field since 1984 and has specialized in the area of Network & Application Analysis/Troubleshooting, with various Protocol Analysis Tools, for the last 11 years. He spent 3 years with Network General and NAI traveling around the United States teaching for Sniffer University (R). Since leaving Sniffer University, he has worked consulting to large enterprise environments up to 120,000 nodes.
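The requirement above that the Monitor Card never sends packets itself can be checked against a saved trace file. The following is an added example, not part of the original article or of any vendor's tooling: it reads a classic pcap capture and lists every frame whose source MAC is the Monitor Card's own. The MAC addresses and the sample capture are constructed, and it assumes the capture driver also records frames the card transmits.

```python
import struct

# Classic pcap magic as it appears on disk -> struct byte-order prefix
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def frames_sent_by(pcap_bytes, monitor_mac):
    """Return (frame_number, dst_mac, ethertype) for frames whose source MAC is monitor_mac."""
    order = PCAP_MAGICS.get(pcap_bytes[:4])
    if order is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(order + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    want = bytes.fromhex(monitor_mac.replace(":", "").replace("-", ""))
    hits, offset, number = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        # Per-packet header: ts_sec, ts_usec, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack(order + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        number += 1
        if len(frame) < 14:      # snapped or truncated: no full Ethernet header
            continue
        if frame[6:12] == want:  # bytes 6..11 of an Ethernet frame are the source MAC
            ethertype = struct.unpack("!H", frame[12:14])[0]
            hits.append((number, mac_str(frame[0:6]), hex(ethertype)))
    return hits

def build_sample(include_leak=True):
    """Constructed capture: two mirrored frames, optionally one ARP sent by the Monitor Card."""
    def frame(src, dst, ethertype):
        return bytes.fromhex(dst + src) + struct.pack("!H", ethertype) + b"\x00" * 46
    frames = [frame("020000000a01", "020000000a02", 0x0800)]
    if include_leak:
        frames.append(frame("0200000000ee", "ffffffffffff", 0x0806))
    frames.append(frame("020000000a02", "020000000a01", 0x0800))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

MONITOR_MAC = "02:00:00:00:00:ee"  # constructed MAC standing in for the Monitor Card

if __name__ == "__main__":
    for number, dst, ethertype in frames_sent_by(build_sample(), MONITOR_MAC):
        print(f"frame {number}: Monitor Card transmitted to {dst}, ethertype {ethertype}")
```

Any hit means something is still bound to the Monitor Card; an empty list on a capture of reasonable length is the expected result for a correctly stripped laptop.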