David Strom

IBM's Network Analyzer

By David Strom

When you think about IBM software, usually you think words like "slow," or "a day late and

a dollar short," or "lacking competition." Well, forget about these and other descriptions: IBM

has written some superlative software in its latest version of DatagLANce, its software-only

network protocol analyzer. Indeed, this product can go head-to-head with market-leader

Network General's [MENLO PARK, CA] Sniffer and even best the old workhorse on several


What, you haven't heard of this product? Didn't even know that IBM made a protocol

analyzer, or that it has been shipping one since the beginning of the year and is now on

version 1.2? Blame IBM's lousy marketing on that. Indeed, a search of Ziff's Computer Select

database came up empty: meaning that none of the hundreds of computer trade magazines and

newspapers in this archive have ever written about it in the last year. Obviously, IBM still has

a few lessons to learn about promoting its accomplishments.

Because of its high quality, I recommend the product for the enterprise, with a few caveats.

First is that the product is pricey: $7,000 list price for the single topology version, although

you can get it for thousands less from dealers and catalogs. This is still less than the price of

a Sniffer, although not by much. Low-end Sniffers go for a bit less than $10,000, but that

also includes an adapter card. However, DatagLANce can analyze up to four individual

network segments (two Ethernet and two Token Ring, which costs an extra $1,000)

concurrently: something that Sniffers can't do without buying into the higher-priced spread of

the Distributed Sniffer line. And, switching from a Token Ring to an Ethernet Sniffer is not

very easy and will require purchasing two separate copies of the software. [CHECK!]

But price isn't something that you should be so concerned about. After all, if you troubleshoot

a particularly thorny network problem it could easily cost you several thousand dollars in lost

productivity or in your own time and airfare to track things down.   

Another caveat is that you'll need to have an IBM adapter handy, since that solely what

DatagLANce supports. You have a wide choice of adapters in the IBM line, including the

latest PCMCIA adapters for both Ethernet and Token Ring. While that is a bit of an

inconvienence, the prices for these are reasonable: for example, a twisted-pair Ethernet ISA

card goes for around $100. I'm told IBM is considering widening the list to non-IBM

adapters, which I would encourage them to do.

Third, DatagLANce runs on top of OS/2 2.x. Now this is both a blessing and a curse. It is a

curse because for many people they would rather be on Mars than bring OS/2 into their shop.

Count me a Martian: I am one of those long-suffering OS/2 fans, and am glad to see that

IBM has developed a truly useful and unique application that shows off OS/2's advantages.

Want to use the same machine to analyze networks and for other office productivity

applications? No problem: just stick in another adapter, and configure the machine so that

DatagLANce uses one for its analysis functions, leaving the other for normal use. Try that in

a DOS or Windows machine: you can't. 

Another advantage is that OS/2's graphical Presentation Manager is just the right interface for

a network analyzer. I didn't used to think so, being a long-time Sniffer user and used to the

rather arcane command-line navigation tools that it uses. However, after trying out

DatagLANce for a week I am hooked and never want to go back to a character interface

again. It is easy to bring up various windows and navigate about while trying to troubleshoot

your problem. You don't need much training and the windows are designed without clutter

and come up quickly.

Now, Novell's LANalyzer works with Windows and offers some of the same graphical feel,

but costs and does less than DatagLANce. I also don't think Windows has the performance or

the stability that OS/2 does. For example, at one point during my tests I managed to lock up

my analysis session. I merely clicked on the right mouse button, killed the session, and

restarted it again. The rest of the applications running in my OS/2 machine were unaffected.

Now, that's the way multitasking and memory protection should work. 

Think about this for a minute: you've got three products from IBM: an adapter, the analyzer

software itself, and the operating system. Wouldn't it make sense for them to bundle all three,

put them inside an IBM Thinkpad (which are still impossible to buy because so many people

want them), and sell as a ready-to-run product? Wouldn't that be a good idea? Hello, Mr.

Gertsner, how many marketing VP's will it take to implement this one? Maybe I am asking

for too much here.

A final issue is that this software is copy protected. Now, as you know from my earlier

reviews, I am rabid against copy protection. I can see why IBM included a hardware key in

the product: after all, in the wrong hands, someone with this software can wreak all sorts of

havoc and uncover passwords and so forth. So having a hardware key can prevent this. Well,

I still don't like them. 

IBM has given users a way around it: if you don't want to attach the key to your parallel port,

you can run a routine that will eliminate the key. However, this routine permanently matches

the copy of your software to a particular network adapter in the machine. (Sniffer does

something similar.) If you want to run the software on another adapter (say the original

adapter breaks), or if you want to change your configuration from one network topology to

another (say you want to switch from token ring to Ethernet), you are out of luck. In IBM's

documentation, they say to call them and "we'll explore your alternatives at this time," but I

find that unacceptable for businesses that have purchased such an expensive tool. At the

minimum they should ship you a new version overnight, no questions asked.

Okay, enough of the fine print. How did this analyzer stack up in everyday usage? Testing an

analyzer is not easy: you can't always count on your network to misbehave when you want it

to. Nevertheless, I found some interesting things out even on the small network in my office

of less than ten nodes. 

I installed two other network analysis products while I was looking at DatagLANce: FTP

Software's Lanwatch, which is another software-only protocol analyzer that runs on top of

DOS, and Fluke's 675 Lanmeter, which is more of a cable testing tool than a full-blown

analyzer. All were on my Ethernet network with a single NetWare server. Not exactly the

kind of network that justifies the price of all this test gear, but read on.

Installing DatagLANce is not easy and took about an hour outside of the time it took to get

OS/2 installed. (Compare this with Lanwatch which took about 10 minutes to get running.)

Most of the problem is that the adapter configuration program runs under DOS, while the

analyzer runs on OS/2. And if you already had configured OS/2 (as I did) with a non-IBM

networking adapter, that will take some doing to remove those drivers and fiddle around with

CONFIG.SYS and rebooting between the two operating systems. Ideally, I'd like to see a

configuration program running under OS/2 that can set up the adapter on the fly. 

Speaking of that dreaded sink-hole left over from the dark days of DOS, CONFIG.SYS is

also where you have to set the size of the capture buffer. Yuk. You can set this during the

installation program, but I missed this option somehow and had to go in with a text editor

and fool with this parameter. The capture buffer takes RAM away from other OS/2

applications, and the bigger the buffer the more frames you can record from the network.

Almost immediately upon starting the DatagLANce machine on my toy network, alarm bells

started ringing. What was the problem? I was accumulating runt (too-short) packets at a

furious rate. Now, I never noticed a problem with my network before -- certainly the

Lanwatch software didn't seem to take note of this condition. But the Fluke tester showed a

cable break on my Ethernet that I couldn't pin down. Perhaps a bad terminating resistor or

bad connection. I think it was nice that the IBM software found this out -- I've been running

my network unaware of any problem for almost two years now. Just as soon as I finish my

next article I want to rip out the cabling and track this one down.

What about some of the things that you might want to use the DatagLANce analyzer for?

There are a few nice features that are far and beyond what other analyzers offer:

-- Great protocol decodes. When the network gets sick, you want to have the best diagnosis

possible. I've always been a fan of Network General's decode quality: they have long had the

best and most protocols under their wing. IBM's decodes are just as good, and the way they

are displayed makes it easy to find things out. 

-- Flexible displays. Once you know you have a problem, you want to isolate it and examine

just those particular nodes or a particular protocol to see what is going on. DatagLANce

makes it easy to do this, and without a lot of mouse clicks either.

-- Playback network trace files. One of the more important uses of analyzers happens way

after you've solved the problem: you want to train others to understand how you figured

things out. To do this well you'll need a way of recording your network traffic and then being

able to play it back, either on the screen or actually over the wire itself. DatagLANce allows

you to do both, and also allows you to read in trace files from LANalyzer, Sniffer, and

Network General/ProTool's Foundation Manager. I had a trace file from the latter product and

it read it flawlessly. 

 -- Know what you are capturing. Every analyzer can't capture every packet, and it is nice to

know when this happens just in case one of the packets you are looking for is among the lost

boys. IBM has all sorts of ways to filter, capture and examine network traffic all in real time,

something that Sniffer can only do in a more cumbersome process. 

As I said earlier, this is a superior piece of software and one that goes against the usual IBM

grain of mediocrity. Now if only more people knew about it.

Vital Stats

IBM's DatagLANce Network Analyzer for Ethernet and Token Ring

version 1.2

shipping since August

$8000 ($7000 for single support of either Ethernet or Token Ring networks)

Ready for Enterprise?  YES, but a bit pricey 

Competitive analysis: 

UP:  A wide variety of protocol decodes and some nifty playback features make this a

first-rate product.

UP: Costs less than Network General's Sniffer, especially for analyzing multiple network


DOWN: Comes with hardware key which is cumbersome but useful to protect network

security. Software may be operated without the key.

Test bed:

NetWare 3.11 server on combined thin-wire/twisted pair Ethernet network with a variety of

DOS, Windows, Macintoshes. A Fluke Lanmeter 675 network analyzer and FTP Software's

LANWatch were also used for comparison purposes.  Note: DatagLANce runs on OS/2 2.0 or

higher and requires an IBM networking adapter. It was tested on a Compaq Prolinea 486/33

with 32 megabytes of memory and an IBM Ethernet LAN adapter running OS/2 2.1.

IBM Corp.

POB 12195

Research Triangle Park, NC 27709-9990

919 254 1364

800 ibm-call (for orders)

919 254 0984 (fax)

internet: encookmeyer@vnet.ibm.com


Click here to return to the previous page

David Strom David Strom Port Washington, NY 11050 USA US TEL: 1 (516) 944-3407