
Traffic Analysis and Network Monitoring

Problems arise, for example, with traffic analysis, especially when a faulty network has to be debugged. On standard Ethernet, most network administrators use the "tcpdump" tool written by Van Jacobson to locate machines that transmit excessive data or to find out why one host cannot communicate with another. Although filters can be set for the "libpcap" packet capturing library used by tcpdump, the tool needs a fast machine and generates a high CPU and bus load. It makes use of a special "promiscuous" mode of the network adapter, in which every received packet is passed to the networking software regardless of whether it was addressed to the machine or not. The resulting interrupt and CPU load can get very high at fast line speeds. An ATM OC3 connection -- which is more or less the standard for desktop ATM connections today -- has a transfer rate of 150 Mbit/s. This is far too much for a standard PC or workstation to monitor in real time with tcpdump. New tools and methods are needed to allow traffic monitoring and analysis on such high-speed links.

An additional difficulty becomes more and more important as larger amounts of data have to be analyzed: often, in order to resolve a problem, the administrator has to have an idea in advance of what he is searching for. This makes debugging difficult. Tools that can, for example, immediately identify sources that produce excess traffic and give an instant overview of the traffic state on a given link would be very helpful here.
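As an added illustration of the two points above (not code from the original thesis), the following Python script reads a capture in the libpcap file format that tcpdump writes (24-byte global header, 16-byte per-record header, linktype 1 = Ethernet) and ranks hosts by the number of bytes they sent, which is the "who is producing the excess traffic" question an administrator wants answered without knowing the culprit in advance. The capture, MAC addresses and IP addresses are constructed sample data; the `keep` predicate stands in for a libpcap filter and is an assumption of this example, not a libpcap API.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # libpcap file magic, native byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"

def build_pcap(frames):
    """Write a minimal libpcap file from (timestamp, frame) pairs (constructed data)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in frames:
        # per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)

def ipv4_frame(src, dst, payload_len):
    """Constructed Ethernet + IPv4 frame: dummy MACs, 20-byte IP header, zero payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + bytes(payload_len)

def bytes_per_source(pcap, keep=lambda src, dst: True):
    """Sum on-the-wire bytes per IPv4 source; `keep` acts like a libpcap filter."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a native-order Ethernet pcap")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue                                  # not IPv4 (ARP etc.), skip
        src = ".".join(map(str, frame[26:30]))        # IP source at Ethernet + 12
        dst = ".".join(map(str, frame[30:34]))
        if keep(src, dst):
            counts[src] += len(frame)
    return counts

def top_talkers(pcap, n=3, keep=lambda src, dst: True):
    """Hosts ranked by bytes sent: the 'who is flooding the link' question."""
    return bytes_per_source(pcap, keep).most_common(n)
# constructed sample capture: one chatty host (10.0.0.5) and one quiet one (10.0.0.7)
SAMPLE = build_pcap([
    (1000, ipv4_frame("10.0.0.5", "10.0.0.1", 1000)),
    (1000, ipv4_frame("10.0.0.5", "10.0.0.2", 1000)),
    (1001, ipv4_frame("10.0.0.7", "10.0.0.1", 100)),
    (1001, ipv4_frame("10.0.0.5", "10.0.0.1", 1000)),
])   # top_talkers(SAMPLE) -> [('10.0.0.5', 3102), ('10.0.0.7', 134)]
```

Per-source counting is cheap compared with decoding every packet, which is why a summary of this kind can keep up where a full tcpdump decode on a fast link cannot.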

Traffic monitoring is an important field as well. Monitoring is not only useful for learning which kinds of applications are used on the network; it is essential for security measures. One of the most important steps when setting up a secure environment is the installation of a monitoring system. Such a system can, for example, be used to trace back the path of an intruder who has been found on a system, or to obtain information about attacks as early as possible.


root
8/4/1997