by May 15, 2007 0 comments



Remember the good old packet capturing utilities? Those wonderful tools that
capture all traffic flowing across your network to tell you what’s wrong. Well,
they’re undergoing a change, and today they can do much more than packet
capturing. So much so that many packet capture utilities have rechristened
themsevles as protocol analyzers. As the name suggests, a protocol analyzer will
give you a complete report on the protocols flowing across your network. At the
core, they’re still packet capture utilities, but they give you a protocol wise
breakup of the traffic, so that it’s easier to analyze. Protocol analyzers are
useful in many ways. If your network is choked for instance, and you can’t
figure out what’s causing it, then you can easily find out what’s wrong by
running a protocol analyzer. Likewise, if any of your applications are not
responding, say your mail server is taking ages to send out mails, then again
you can bring a protocol analyzer to the rescue. For instance, we’ve had
experiences in the past where a mail server had been completely choked by a mass
mailing worm. We ran a protocol analyzer and were able to detect not only the
nature of the worm, but also the machines infected by it. A protocol analyzer
tells you the exact problem.

Using the decode module of
sniffer portable, you can see details of captured packets in human readable
format

A network protocol analyzer captures a copy of the packets flowing across
your network and decodes them with information about the physical and logical
addresses from where these packets are coming and going to, their sequence
numbers, protocol used by the packets and other similar information. They let
you determine the health of your network packet by packet.

Sometimes protocol analyzers are also referred to as ‘Sniffers’. A network
protocol analyzer can be a hardware appliance or just a piece of software
running on a laptop or desktop. Protocol analyzers usually are of two types,
namely, distributed and standalone. Distributed protocol analyzers like OmniPeek
allow you to capture packets from a number of nodes on the network at the same
time, while the standalone ones operate from one node only. In this article, you
will find standalone protocol analyzers, which we have divided into four
categories. The first category contains protocol analyzers for WiFi networks.
The second one is meant for wired networks, and there’s a third only for
analyzing HTTP protocols. Lastly are the do-it-all protocol analyzers.

How to deploy
If you want to analyze the traffic going out of your organization, then you
should put your protocol analyzer between your Firewall and main network switch.
If you are using a protocol analyzer from any port of your switch then make
sure, you point it to your organization’s gateway. Otherwise, you will only get
broadcast and multicast packets from that port. Some switches have a special
port known as SPAN (Switched Port Analyzer) which is specifically meant for
traffic analysis purposes. The concept of SPAN port started due to the basic
differences between hub and switch. While hubs broadcast traffic to all ports,
switches contain it between the source and destination ports only. A SPAN port
will capture all traffic.

Features
Now that you know how to deploy a protocol analyzer, let’s look at the kind
of features you can expect to find in a good protocol analyzer.

Decode: After a packet has been captured, a protocol analyzer will
decode it into human readable format using it’s decode module. While it may not
be able to decode all contents of a packet, it provides various useful
information which otherwise can be hard to understand.

Expert analysis: This feature gives a detailed view of the events
taking place on the network. Based on algorithms present in the protocol
analyzer, it gives a diagnosis of the network which includes information like
severe events, key trends, utilization, etc.Packet generation: Many protocol
analyzers allow you to create your own customized packets and send them across
the network. This is used for various purposes, such as stress testing a network
or you can send packets to specific nodes to check their behavior.

Triggers: These are used to stop or start traffic capturing, when a
particular network event takes place or at a particular time.

Address book: An address book entry usually contains information about
IP addresses, MAC addresses, descriptions and the hostnames of the nodes.
Filters: Filters are used for capturing only the required data for a
specific condition. This saves your valuable time of going through all the
captured packets, before you can find what you are looking for and also saves
the buffer size. Filters can be based on IP addresses, protocols, MAC addresses,
etc. Filters can be applied to capture data and also on captured data.

Reports: You can create reports of network behavior, which can be
useful during network audits and also for understanding the trends on your
network.




All in Ones: Wireshark
In 1997 a need for tracking down networking problems and a quest for knowing
more about networking prompted Gerald Combs to start writing Ethereal, so as to
fulfill both these needs. Since then lots of development has happened and now it
has re-emerged under a new name called Wireshark. It is a piece of software that
understands the structure of different network protocols, thus it’s able to
capture packets and interpret their meanings. Wireshark uses pcap to capture
packets, hence restricting capturing of packets only to pcap supported networks.
Some of the major features of Wireshark include its capability to capture
packets not only from wired networks but also from wireless networks. Live data
can be read and the captured file can be edited or converted using editcap
program. It also has a display filter, which selectively highlights and colors
packet summary information. This can be used to refine data display. It has the
capability to dissect hundreds of protocols. It can be run on almost all OSs
from Linux, Solaris, UNIX and Windows to MAC OS X.

Expert
Analysis with Wireshark
In the interface of the Wireshark, go to the
capture option. Select the correct interface option, which represents the
desired network to be sniffed. Now, start capturing packets.

Once done with the capturing of packets, in the pop up
window you will be able to see all packets captured for each protocol. After
a while, stop packet capturing and in the Main window you can see all the
details of each packet captured. The details include IP address, destination
IP address, type of protocol used and information present in the packet
header. Now to analyze data, from the Analyze option, select Expert info.
This will list packets according to the security filters, i.e., errors,
warnings, notes and chats. You can also specify the type of packets you want
to filter, like errors only, errors and warnings etc. Select on any packet
to check its detail in the Main window. You can notice the hexadecimal codes
dump of the packets, as well as, details about the source ports, destination
ports, MAC addresses of the packets etc.

Captured RTP Streams of a voice
conversation

If you want to view the summary of any packet, which has
information like protocol hierarchy, details of conversation which took
place at the time of the capture, the IO graphs etc, you can go to the
Statistics tab to get all of these. If you have captured a VOIP
conversation, then you can go to the RTP option and select Show all streams.
In the pop-up window, you will notice all the streams of the conversation
and you can select the one which you want to hear.

Graphical analysis of VoIP Streams

To analyze the stream, choose Payload option and save the
file in .au format. Once this is done, you can hear one side of the
conversation, to hear the other part of the conversation, repeat the same
steps with the other stream.




OmniPeek Enterprise
Omnipeek Enterprise can work as a distributed network analyzer, when used with
OmniEngines, else it works as a standalone protocol analyzer. With OmniPeek, you
can capture traffic from WAN links, WLAN, 10/100/1000 Ethernet networks, etc.
OmniPeek is easy to use. It gives you a live picture of the network, as soon as
it starts capturing packets. It provides various features like Expert Analysis,
Peer maps, Live graphs of the network, Protocol and node statistics, etc.
Another useful feature that OmniPeek has is Visual expert. It comes with tools
which can be used to do a detailed analysis of the data flows. One of the tools
is Packet Visualize, which shows conversations between a server and a client and
provides expert diagnosis of the conversation with the summary.

OmniPeek’s Expert system diagnosis feature lets you identity problems
occurring in the network by the diagnosis of conversations taking place in the
network. It gives a complete analysis of conversation flows with detailed event
logs and node information which can be easily understood and lets you identify
problems quickly. Its expert ‘EventFinder’ feature gives remedies, descriptions
and likely cause of the problem which is identified by the Expert diagnosis
module.


Expert Analysis with OmniPeek
In OmniPeek when you start capturing
packets, you can see their live details as and when they were captured. To
see Live Expert analysis of the network, see Hierarchy view in Expert
analysis. It lets you track events and see events as client server or p2p
patterns. The Hierarchy view displays information as data flows between two
nodes, and events that have taken place between the nodes. A green light
just besides the node, means that the node is active, red light denotes that
one or more severe events has taken place associated with that node, while
yellow light indicates minor severity. It also shows the no. of packets
transferred, event taken place, bytes transferred between the nodes and the
duration for which they have been active. Going to the events tab, you can
see the details of the severe events detected. Also you can see the flows
independently in the Flat view option. You can even compare the two flows.

In Expert Analysis, it shows APDEX
score which represents Application performance

The Application view under Expert analysis uses Apdex
(Application performance index), which is an open standard. For Apdex score
you need to define threshold duration. To do this, select the flow on which
you want to apply Apdex and right click. Select event finder settings. In
the popup window expand application option and then the Apdex option. Select
the Apdex score option and in the Apdex threshold duration specify the no.
of seconds. By default threshold duration is 1 second. It will need at least
10 events before it can give you an Apdex score. Next in Expert analysis is
VoIP analysis. Here, you can see details of RTP flows with information about
their related codecs. When you select VoIP media conversation flow you can
see audio encoding (G.711, G.728 etc.) in codec column. Details of the
quality of the audio are presented under MOS (“Mean Opinion Score”). The
quality is quantified on a scale of 0.00 to 5.00. You can see Peer map and
all sorts of graphs about the network statistics under the Visuals option.




Observer
OBserver can run on wired as well as the wireless networks. It provides instant
view of captured packets and can also present them in human readable format,
which is pretty similar to Ethereal’s interface. OBserver is capable of
providing information about things like Network summary, Bandwidth utilization,
Access point load monitor and VLAN analysis in real time. The software has
pretty effective filters, which help users to analyze the network easily, by
only showing the relevant data which is useful and required by the user. When
OBserver finds any error or warning such as attack or problem in the network, it
can also alert the user by firing up e-mails and pager messages. It also has a
feature called Traffic generation with the help of which it can stress test your
network by generating heavy traffics. It also provides VLAN analysis, Internet
OBsersver analysis, Router OBserver etc. It provides network trending and
detailed reporting to help you keep an eye on overall health of your network.

Under the channel option you can check the

stats of each and every channel

Wired Protocol Analyzers: Packetyzer
It’s a network protocol analyzer again based on Ethereal project and also
sometimes referred to as packet sniffer. It includes open source Ethereal packet
capture and dissection library. It decodes various protocols including the ones
from wireless LAN, virtual LAN and 802.1x. It applies sophisticated packet
filtering to filter and search specific packets. Its filtering is very powerful.
It is possible to filter on addresses, both MAC and IP, by protocol, by port
number etc. Complex filter can be built up by combining elements. It captures
packets form the network and can provide live detailed information of the
packets. It is configurable and can capture session as per need and examine the
captured protocol with ease. An interesting feature of Packetyzer is the
import/export flexibility which allows it to open packets from a large number of
other capture programs and save packets captured in a large number of formats of
other captured program. With RFprotect mobile, Packetyzer can sniff 802.11
traffic and capture 802.11 packets in promiscuous mode, including control and
management frames. It’s a very effective tool for network professionals for
troubleshooting, analysis, protocol development and to handle security threat
better.

WiFi: Commview
Commview is a wireless network monitor and analyzer for 802.11 a/b/g
networks. It captures packets on-the-fly and provides critical information such
as list of access points and stations, per node and per channel statistics,
signal strengths, protocol distribution chart etc. All of this information helps
a network administrator to find out network problems, view and examine packets,
troubleshoot software and hardware.

Packets can be decrypted utilizing user defined WEP or WPA-PSK keys. The
convenient trees like structure display of protocol layer and packets’ headers,
which help to determine details of a packet. One can view details of IP
connections like IP addresses, ports, sessions etc. It provides you with an
option to reconstruct TCP session. You can configure alarms that notify about
important events, such as suspicious packets, high bandwidth utilization,
unknown addresses, rogue access points, etc. You can browse captured and decoded
packets in real time. A log can be maintained for individual or all packets in a
file. One can also monitor the bandwidth utilization and can search for specific
string or Hex data in captured packets. There is also an option to view protocol
pie chart.

Overall, this is a very effective tool for IT administrators for monitoring
wireless networks.


CommView for WiFi
When you start capturing packets, it first
scans the available access points (APs) within that range. From the detected
APs, select the one on which you want to capture the packets, and press
Capture at the bottom. You can see the required statistics on the main
console. To see live details in graphical format from the nodes window,
select the AP and then select ‘More statistics’. You can also see the
information about packets, protocols, host, and matrix by MAC and IP
addresses and generate a report.

To see the packet
details, go to Packets tab that shows all captured packets. Click on
individual packets to see information ranging from header to protocol to
errors, data transfer rate to data length, etc. To reconstruct a TCP stream
of selected packets, go to Tools and select ‘Reconstruct TCP packets’. A new
window will appear where you can see the reconstructed TCP stream. Notice
the latest IP connection established and you can figure out easily the place
where the destination IP is hosted. The destination IP addresses not only
shows the IP address of the destination but also the small flag of the
country, which hosts the IP. And, if you are looking for some specific IP
address or Mac address, you can do that easily with the ‘Find packet’
option.

WiFi: Kismet
Kismet is a wireless network detector, sniffer and intrusion detection
system. It works with any wireless card that supports raw monitoring mode (rfmon)
and can sniff 802.11a/b/g traffic. It identifies network by passively collecting
packets and detecting standard named network. It also can detect hidden networks
and can gather the presence of non-beaconing networks via data traffic. One of
the key features of Kismet is Ethereal/Tcpdump compatible data logging. It also
has built in channel hopping and multi card split channel hopping. The
client/server architecture allows multiple clients to view a single server
simultaneously. Its also has support for distributed remote drone sniffing. For
known networks, it can do runtime decoding of WEP packets. Its can multiplex
multiple simultaneous capture sources on a single Kismet instance. Graphics
mapping of networks is also available.

Under streams option HTTP Analyzer shows

the amount of data sent on the left and data
received on right window

HTTP traffic: HTTP analyzer
HTTP analyzer is a sniffer, which monitors and inspects HTTP/HTTPS traffic in
real time. It can trace and examine various information ranging from header,
content, cookies, query string, post data, request/response stream to
redirection URLs. Along with several filtering options, it provides Cache
information and Session clearing as well as HTTP status code information. You
can even handcraft a HTTP/ HTTPS request. Using drag drop option you can move an
existing request from the Session grid to the Request builder to execute it
again.

The HTTP analyzer automation library is packaged as COM components and can be
fully controlled by using OLE automation. It displays Winsock traffic
originating from Java applets and Java script embedded in Web page and also
displays Winsock traffic originating from ActiveX controls and COM objects
instanced by an application. It also allows viewing and editing of binary files
in Hexadecimal and textual format using Hex viewer. One can selectively clear
cache and cookies.

HTTP Traffic Analysis
The HTTP protocol analyzer starts the action
by capturing packets as soon as any HTTP data flow occurs. It shows you the
details of all these packets in real time. To do this, select the processes
and packets whose details you want to view. The header details of the packet
are visible at the bottom. To view content present on the packet, select the
Content option. If the content is an image, you will see it an image.

To view data streams received and sent to data server,
select Streams tab. Here, on the left side of the window, you can see
contents of the request stream and on the right side you can view the
response stream. You can also view HTTP status code definition for every
successful stream by going to the Status code definition option.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<