July 2004

6 Network Protocol Analyzers

Do you know what's passing over the wire? These products can tell you.

A network protocol analyzer is a vital part of a network administrator's toolkit. Network protocol analysis is the truth serum of network communications. If you want to find out why a network device is functioning in a certain way, use a protocol analyzer to sniff the traffic and expose the data and protocols that pass along the wire. You can use a network protocol analyzer to

  • troubleshoot hard-to-solve problems
  • detect and identify malicious software (malware)
  • gather information, such as baseline traffic patterns and network-utilization metrics
  • identify unused protocols so that you can remove them from the network
  • generate traffic for penetration testing
  • work with an Intrusion Detection System (IDS) or a honeypot
  • eavesdrop on traffic (e.g., locate unauthorized Instant Messaging—IM—traffic or wireless Access Points—APs)
  • learn about networking

If you manage a network and don't yet have a protocol analyzer, you need one. To help you find the network protocol analyzer that suits your environment, I first survey some typical features of software-based protocol analyzers. Then, I examine and compare these features in six popular network protocol analyzers.

Typical Features
Most software-based network protocol analyzers work in about the same way, as Figure 1 shows, and display, at least initially, the same basic information. The analyzer runs on a host system. When you start the analyzer (in promiscuous mode), the host NIC's software driver intercepts all traffic that passes through the NIC. The protocol analyzer passes the intercepted traffic to the analyzer's packet-decoder engine, which identifies and splits packets into their respective layers. The protocol analyzer software analyzes the packets and displays packet information on the analyzer host's screen. Depending on the product's capabilities, you can then analyze and filter the traffic further.

A protocol analyzer window typically consists of three panes, which the sample window from the Ethereal product in Figure 2 shows. The top pane displays a summary of the captured packets. Typically, this pane shows at minimum the following fields: date; time (in milliseconds) that the packet was captured; source and destination IP addresses; source and destination port addresses; protocol type (network, transport, or application layer); and a summary of the captured data. The middle pane shows the logical breakout of a selected packet, and the bottom pane shows the packet in hexadecimal or ASCII-character form.

Analyzing packet decodes is a network protocol analyzer's most important job. The analyzer organizes captured packets by layer and protocol. The best packet analyzers can recognize a protocol by its most definitive layer—the upper layer—and display the captured information on a field-by-field basis. This type of information is typically displayed in the analyzer window's second pane. For example, any protocol analyzer can recognize TCP traffic. A good analyzer will note that the traffic is Microsoft Exchange Server running over the remote procedure call (RPC) protocol and will show you the email message's text. Most protocol analyzers recognize more than 300 distinct protocols and define and decode them by name. The more information the analyzer decodes and presents, the less manual decoding work you'll have to do yourself. Accurate packet decodes separate the best analyzers from the also-rans.

Be wary of vendors that claim to provide more than 4000 protocol decoders in their protocol analyzers; 300 to 400 is a more realistic range. Most products provide a similar number of decoders, notwithstanding what the marketing hype might suggest. For instance, one product might dissect a simple Ping process into several different protocols (e.g., Internet Control Message Protocol—ICMP, echo request, ICMP echo reply), whereas another product might decode the Ping process as only one protocol—although both products measure and decode the same information.

A common problem I've seen with many protocol analyzers, including those I review here, is the inability to accurately identify—and consequently decode—a protocol that runs over a nondefault port number. In today's security-conscious computer world, running well-known applications on not-so-well-known ports is a common defense against malicious hackers. Some decoders recognize traffic regardless of the port over which it runs, whereas others don't and will define the protocol simply by its lower layer (i.e., TCP or UDP), which also means that the decoder doesn't provide the more useful field-specific decode information. Some analyzers let you modify the decoder to recognize more than the default port for particular protocols.

Protocol-analyzer vendors often brag about their product's expert-analysis capabilities—whereby the analyzer reads a packet or series of packets and reports useful information about the captured packets. Expert analysis might report traffic anomalies or malicious packets or fully decode a data stream series between two hosts. The decoding option is invaluable because you can see an entire communications stream of data simply by clicking a packet. For example, you can click an HTTP packet and see the Web page it represents as an end user might see it when the underlying HTML code is rendered. Other common features include pre- and post-capture filtering (the ability to find certain packets that meet specific criteria), triggers (initiation of a secondary action when a predefined packet pattern occurs), replay (the ability to play back captured packets over the network), traffic statistics, reporting, and management of multiple sensors from one console.
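The following is an added example, not code from the article or from any of the products it reviews. It implements, in miniature, the pipeline the preceding paragraphs describe: a decoder that splits a raw Ethernet frame into its IPv4 and TCP layers, a "top pane" summary line, a post-capture filter, and the nondefault-port problem from the earlier paragraph, shown side by side as a port-only classifier and a classifier that also inspects the payload. The frames, MAC addresses, IP addresses and the small port table are all constructed for this example; checksums are left at zero because the decoder does not verify them.

```python
import struct
from dataclasses import dataclass

# Added example (not from the article or any reviewed product): a minimal software
# decoder in the style the article describes. It splits a raw Ethernet frame into its
# layers, names the application protocol first by port and then, optionally, by looking
# at the payload so that a well-known protocol on a nondefault port is still recognised,
# and applies a post-capture filter. Every frame below is constructed in this file.

# Port table the naive decoder consults (constructed; real analyzers ship far more).
WELL_KNOWN_PORTS = {80: "HTTP", 443: "HTTPS", 25: "SMTP", 53: "DNS", 110: "POP3"}


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes
    app_protocol: str   # name the decoder assigned to the top layer


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def classify_by_port(src_port: int, dst_port: int) -> str:
    """Port-only identification: anything not in the table is reported as plain TCP."""
    for port in (dst_port, src_port):
        if port in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[port]
    return "TCP"


def classify_by_payload(payload: bytes):
    """Content heuristic: an HTTP request line looks the same on port 8080 as on 80."""
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ", b"HTTP"):
        return "HTTP"
    return None


def decode_frame(frame: bytes, port_only: bool = False) -> Packet:
    """Layer 2 -> 3 -> 4 decode of one Ethernet/IPv4/TCP frame."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet+IPv4+TCP")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError(f"not TCP: IP protocol {ip[9]}")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    payload = tcp[data_off:]
    name = classify_by_port(src_port, dst_port)
    if name == "TCP" and not port_only:           # fall back to content when the port says nothing
        name = classify_by_payload(payload) or "TCP"
    return Packet(_mac(src_mac), _mac(dst_mac), _ipv4(ip[12:16]), _ipv4(ip[16:20]),
                  src_port, dst_port, payload, name)


def summary_line(pkt: Packet) -> str:
    """One row of the summary ('top') pane: endpoints, protocol name, payload size."""
    return (f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
            f"{pkt.app_protocol} {len(pkt.payload)} bytes")


def filter_packets(packets, predicate):
    """Post-capture filter: keep only the packets that meet the caller's criterion."""
    return [p for p in packets if predicate(p)]


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a test frame (constructed MACs; checksums left zero, not verified here)."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


# Constructed capture: HTTP on its default port, HTTP on 8080, and a non-HTTP stream on 8080.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "192.0.2.10", 49152, 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 49153, 8080, b"GET /status HTTP/1.1\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 49154, 8080, b"\x16\x03\x01\x00\x05hello"),
]


def decode_capture(frames, port_only: bool = False):
    return [decode_frame(f, port_only) for f in frames]


if __name__ == "__main__":
    for label, port_only in (("port-only decoder", True), ("port+payload decoder", False)):
        print(label)
        for pkt in decode_capture(SAMPLE_FRAMES, port_only):
            print("  " + summary_line(pkt))
```

Run with the port-only classifier, the second frame (HTTP on 8080) is reported only as TCP, which is exactly the loss of field-level decode the article warns about; with payload inspection enabled it is named HTTP, while the third frame stays TCP because its content matches nothing. A real product's "modify the decoder to recognise more ports" option corresponds to adding an entry to `WELL_KNOWN_PORTS`.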

The Reviews
In a market space crowded with vendors and products, I was pleasantly surprised to find many strong contenders among network protocol analyzers. When you evaluate protocol analyzers, look closely at features such as packet-capturing accuracy, the range of protocols that the analyzer decodes (make sure it matches the protocols in your environment), decode detail, expert analysis, placement model (i.e., distributed or not), price, and technical support. Let's examine six general-purpose network protocol analyzers: Ethereal, Fluke Networks' OptiView Protocol Expert 4.0, Network Associates' Netasyst Network Analyzer WLX, Network Instruments' Observer 9.0, Sunbelt Software's LanHound 1.1, and WildPackets' EtherPeek NX 2.1.



Reader Comments
Another good low-cost product for the budget-minded admin is LinkFerret from Baseband Technologies. According to their website, they write most of the code for the other analyzer vendors.

Randall Ader July 06, 2004


Another good sniffer is LanRaptor from www.shakti-software.com.

You can define your own protocols, so if they don't provide support, you can still fully decode any protocol that is important to you.

Anonymous User October 08, 2004


One thing not touched on in the article is the major difference between a software and a hardware analyzer. Only good packets can be seen by a software analyzer. If the packet cannot make it up to the top layer of the OSI 7 Layer model, you won't see it. Also the quality of the network driver is important. Some LAN cards and drivers won't work or work properly in a promiscuous mode.

Anonymous User November 23, 2004


Check out our Greenleaf ViewComm System, excellent async and Ethernet protocol analyzers - www.sysfire.com

Anonymous User January 04, 2005


This article is worthless

Anonymous User February 14, 2005


Good overview of some of the more popular protocol analyzers and their features. A matrix with comparison criteria and ratings would have been helpful. The posting made by the Anonymous user from Feb 14th, 2005 is worthless, not this article.

Anonymous User March 23, 2005


Good passage!

haiwanxue March 10, 2006


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.