This is the way that Network General (the creator of Sniffer (R)) has deployed Distributed Sniffer (R) since the beginning. While the product that you are using may be from another vendor or be Open Source (e.g., Ethereal (R)/Wireshark (R)), this process is time honored and, as such, is considered to be "Best Practice."

This design is meant to assure that the NIC that is listening to the Monitor is not sending any packets itself. The Monitor Card should have no protocols bound to it and should listen in promiscuous mode. Additionally, the PC should be as passive as possible and should not be phoning home to vendors because of unnecessary software it has loaded.

One process is to take a company's standard laptop and customize it by removing anything that is not needed to support the role of a Protocol Analyzer. Any software that is not part of the laptop's OS requirements should be uninstalled. Once the laptop has been stripped down this way, load the Open Source Protocol Analyzer of your choice and test it. Once testing is satisfactorily completed, save an Image of the laptop to be used to generate other Open Source Laptop Protocol Analyzers.

System Requirements:

- Pentium 4 or higher.
- 1GB Memory or higher.
- 2 NICs, one of which is 100 Mbs (not Gigabit) to be used as the Monitor Card. (NOTE: This process is not appropriate for Gigabit Monitoring.)
- Remote Control Software (e.g., VNC) that supports File Transfers from the laptop acting as a Protocol Analyzer to the PC used by the Network Transaction Analyst.

Two NICs:

- 1st NIC - Monitor Card - No IP bound to the card. This card just listens in promiscuous mode. It is the one that is attached to the Monitor Port in the Switch. This should be a 100 Mbs NIC.
- 2nd NIC - Transport Card - IP is bound (static) so that this card can be used on the Intranet to access the remote control function of the PC. This can be Gigabit if that is all that is available.

Other Configuration Issues:

- No Management Software (SMS, Radia, etc.) enabled. No management of this device other than remote control.
- Virus Protection (only if it is considered mandatory by company policy). However, this laptop should have no email client or any other software that will want to connect to the Internet (with the possible exception of Time Services). A Firewall rule can always be created to enforce its isolation from the public Internet except on approved sockets.
- A Time Server should be in place to keep the various Protocol Analysis Laptops in sync. This can be an Internet source if Company Policy permits or a local Intranet source.
- The laptop should not be a member of the Company Domain. One logs into the PC itself, locally or via remote control.
- All Mirrors in switches are to be bi-directional.
- Consider creating a shared folder to act as a Trace File depository. This is not required, but can be helpful as these files can easily grow too large for many corporate email policy size limits.
- Use WinZip on the Laptop to allow compression of the large trace files to speed up transfer.

Barry Koplowitz founded Interpath Technologies Corporation in 1999. He has been consulting in the IT field since 1984 and has specialized in the area of Network & Application Analysis/Troubleshooting--with various Protocol Analysis Tools--for the last 11 years. He spent 3 years with Network General and NAI traveling around the United States teaching for Sniffer University (R). Since leaving Sniffer University, he has worked consulting to large enterprise environments up to 120,000 nodes.
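The design goal stated above, that the Monitor Card sends no packets itself, can be checked from a trace saved on the analyzer. The following is an added example, not part of the original article: it assumes a classic pcap file with Ethernet framing in which the capture includes frames the capture interface transmitted, and the function names, MAC addresses and sample capture are constructed for illustration.

```python
import struct

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond and nanosecond classic pcap

def frames_sent_by(pcap_bytes, monitor_mac):
    """List (frame_no, dst_mac, ethertype) for frames whose source MAC is monitor_mac."""
    if len(pcap_bytes) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):  # the magic number tells us the file's byte order
        if struct.unpack(endian + "I", pcap_bytes[:4])[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    want = bytes.fromhex(monitor_mac.replace(":", "").replace("-", ""))
    hits, off, frame_no = [], 24, 0
    while off + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frame_no += 1
        # Ethernet: bytes 0-5 destination, 6-11 source, 12-13 ethertype
        if len(frame) >= 14 and frame[6:12] == want:
            dst = ":".join(f"{b:02x}" for b in frame[:6])
            hits.append((frame_no, dst, struct.unpack("!H", frame[12:14])[0]))
    return hits

def build_sample():
    """Constructed three-frame capture; all MAC addresses are made up."""
    def rec(dst, src, ethertype, payload=b"\x00" * 46):
        frame = bytes.fromhex(dst + src) + struct.pack("!H", ethertype) + payload
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header
            + rec("0200000000bb", "0200000000aa", 0x0800)   # mirrored host traffic
            + rec("ffffffffffff", "020000000001", 0x0806)   # ARP from the Monitor Card
            + rec("0200000000aa", "0200000000bb", 0x0800))  # mirrored host traffic

MONITOR_MAC = "02:00:00:00:00:01"  # assumed MAC of the Monitor Card

if __name__ == "__main__":
    for no, dst, etype in frames_sent_by(build_sample(), MONITOR_MAC):
        print(f"frame {no}: Monitor Card sent ethertype 0x{etype:04x} to {dst}")
```

Any hit means a protocol is still bound to the Monitor Card; an empty result on a trace of reasonable length is the expected outcome for a correctly built analyzer.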