Remember the good old packet capturing utilities? Those wonderful tools that
capture all traffic flowing across your network to tell you what's wrong. Well,
they're undergoing a change, and today they can do much more than packet
capturing. So much so that many packet capture utilities have rechristened
themselves as protocol analyzers. As the name suggests, a protocol analyzer will
give you a complete report on the protocols flowing across your network. At the
core, they're still packet capture utilities, but they give you a protocol-wise
breakdown of the traffic, so that it's easier to analyze. Protocol analyzers are
useful in many ways. If your network is choked for instance, and you can't
figure out what's causing it, then you can easily find out what's wrong by
running a protocol analyzer. Likewise, if any of your applications are not
responding, say your mail server is taking ages to send out mails, then again
you can bring a protocol analyzer to the rescue. For instance, we've had
experiences in the past where a mail server had been completely choked by a mass
mailing worm. We ran a protocol analyzer and were able to detect not only the
nature of the worm, but also the machines infected by it. A protocol analyzer
tells you the exact problem.
Using the decode module of Sniffer Portable, you can see details of captured packets in human readable format
A network protocol analyzer captures a copy of the packets flowing across
your network and decodes them, showing the physical and logical addresses the
packets come from and go to, their sequence numbers, the protocol they use and
other similar information. This lets you determine the health of your network
packet by packet.
Sometimes protocol analyzers are also referred to as 'Sniffers'. A network
protocol analyzer can be a hardware appliance or just a piece of software
running on a laptop or desktop. Protocol analyzers usually are of two types,
namely, distributed and standalone. Distributed protocol analyzers like OmniPeek
allow you to capture packets from a number of nodes on the network at the same
time, while the standalone ones operate from one node only. In this article, you
will find standalone protocol analyzers, which we have divided into four
categories. The first category contains protocol analyzers for WiFi networks.
The second is meant for wired networks, and the third is only for analyzing
HTTP traffic. Lastly, there are the do-it-all protocol analyzers.
How to deploy
If you want to analyze the traffic going out of your organization, then you
should put your protocol analyzer between your Firewall and main network switch.
If you are using a protocol analyzer from any port of your switch then make
sure, you point it to your organization's gateway. Otherwise, you will only get
broadcast and multicast packets from that port. Some switches have a special
port known as SPAN (Switched Port Analyzer) which is specifically meant for
traffic analysis purposes. The SPAN port exists because of the basic
difference between a hub and a switch. While a hub broadcasts traffic to all
ports, a switch contains it between the source and destination ports only. A
SPAN port receives a mirrored copy of all the traffic, so an analyzer connected
to it sees everything.
Features
Now that you know how to deploy a protocol analyzer, let's look at the kind
of features you can expect to find in a good protocol analyzer.
Decode: After a packet has been captured, a protocol analyzer will
decode it into human readable format using its decode module. While it may not
be able to decode all contents of a packet, it provides a lot of useful
information which otherwise can be hard to understand.
Expert analysis: This feature gives a detailed view of the events
taking place on the network. Based on algorithms present in the protocol
analyzer, it gives a diagnosis of the network which includes information like
severe events, key trends, utilization, etc.
Packet generation: Many protocol analyzers allow you to create your own
customized packets and send them across the network. This is used for various
purposes, such as stress testing a network, or you can send packets to specific
nodes to check their behavior.
Triggers: These are used to stop or start traffic capturing, when a
particular network event takes place or at a particular time.
Address book: An address book entry usually contains information about
IP addresses, MAC addresses, descriptions and the hostnames of the nodes.
Filters: Filters are used for capturing only the data that matches a
specific condition. This saves you the time of going through all the captured
packets before you can find what you are looking for, and also saves capture
buffer space. Filters can be based on IP addresses, protocols, MAC addresses,
etc. Filters can be applied while capturing data and also on already captured data.
Reports: You can create reports of network behavior, which can be
useful during network audits and also for understanding the trends on your
network.
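As an added illustration (not code from this article or from any of the products it covers), the following Python script shows what the Decode and Filters features described above do: it breaks constructed Ethernet/IPv4/TCP frames into physical and logical addresses, protocol, ports and sequence number, and then applies a display-style filter over the captured frames. The frames, MAC addresses and IP addresses are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample frames (Ethernet II -> IPv4 -> TCP); the addresses are
# documentation values, not traffic captured from a real network.
def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq):
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

CAPTURE = [  # three frames, as a capture buffer would hold them
    build_frame("001122334455", "66778899aabb", "192.0.2.10", "192.0.2.1", 51000, 25, 1000),
    build_frame("001122334455", "66778899aabb", "192.0.2.11", "192.0.2.1", 51001, 25, 2000),
    build_frame("001122334455", "66778899aabb", "192.0.2.10", "192.0.2.1", 51002, 80, 3000),
]

@dataclass
class Decoded:  # the fields a decode module lists for one packet
    src_mac: str; dst_mac: str; src_ip: str; dst_ip: str
    proto: str; sport: int; dport: int; seq: Optional[int]

def decode(frame: bytes) -> Decoded:
    """Decode module: split a raw frame into human-readable header fields."""
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are decoded here")
    ihl = (frame[14] & 0x0F) * 4          # IP header length in bytes
    proto = frame[23]                     # IP protocol number
    l4 = frame[14 + ihl:]                 # transport header starts after IP header
    sport, dport = struct.unpack("!HH", l4[:4])
    seq = struct.unpack("!I", l4[4:8])[0] if proto == 6 else None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return Decoded(fmt_mac(src), fmt_mac(dst), fmt_ip(frame[26:30]),
                   fmt_ip(frame[30:34]), {6: "TCP", 17: "UDP"}.get(proto, str(proto)),
                   sport, dport, seq)

def apply_filter(frames, host=None, proto=None, port=None):
    """Display filter on captured data: keep packets matching every given field."""
    kept = []
    for d in map(decode, frames):
        if host and host not in (d.src_ip, d.dst_ip): continue
        if proto and d.proto != proto: continue
        if port and port not in (d.sport, d.dport): continue
        kept.append(d)
    return kept
```

Filtering on port 25, for instance, isolates the two SMTP conversations in the sample buffer, which is the kind of narrowing you would do when chasing the mail server problem mentioned earlier.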
All in Ones: Wireshark
In 1997 a need for tracking down networking problems and a quest for knowing
more about networking prompted Gerald Combs to start writing Ethereal, so as to
fulfill both these needs. Since then a lot of development has happened and it
has re-emerged under a new name, Wireshark. It is a piece of software that
understands the structure of different network protocols, and so it is able to
capture packets and interpret their meaning. Wireshark uses pcap to capture
packets, which restricts capturing to networks that pcap supports.
Some of the major features of Wireshark include its capability to capture
packets not only from wired networks but also from wireless networks. Live data
can be read, and a captured file can be edited or converted using the editcap
program. It also has a display filter, which selectively highlights and colors
packet summary information; this can be used to refine the data displayed. It
has the capability to dissect hundreds of protocols. It can be run on almost
all OSs, from Linux, Solaris, UNIX and Windows to Mac OS X.
Expert Analysis with Wireshark
In the Wireshark interface, go to the Capture option. Select the interface that represents the network you want to sniff. Now start capturing packets. Once you are done capturing packets, in the pop up
Captured RTP streams of a voice call
If you want to view the summary of any packet, which has
Graphical analysis of VoIP streams
To analyze the stream, choose the Payload option and save the
OmniPeek Enterprise
Omnipeek Enterprise can work as a distributed network analyzer, when used with
OmniEngines, else it works as a standalone protocol analyzer. With OmniPeek, you
can capture traffic from WAN links, WLAN, 10/100/1000 Ethernet networks, etc.
OmniPeek is easy to use. It gives you a live picture of the network, as soon as
it starts capturing packets. It provides various features like Expert Analysis,
Peer maps, Live graphs of the network, Protocol and node statistics, etc.
Another useful feature that OmniPeek has is Visual expert. It comes with tools
which can be used to do a detailed analysis of the data flows. One of the tools
is Packet Visualize, which shows conversations between a server and a client and
provides expert diagnosis of the conversation with the summary.
OmniPeek's Expert system diagnosis feature lets you identify problems
occurring in the network by diagnosing the conversations taking place on it. It
gives a complete analysis of conversation flows with detailed event logs and
node information which can be easily understood and lets you identify problems
quickly. Its 'EventFinder' feature gives remedies, descriptions and the likely
cause of each problem identified by the Expert diagnosis module.
Expert Analysis with OmniPeek
In OmniPeek, when you start capturing packets you can see their live details as and when they are captured. To see live Expert analysis of the network, open the Hierarchy view under Expert analysis. It lets you track events and see them as client-server or peer-to-peer patterns. The Hierarchy view displays information as data flows between two nodes, along with the events that have taken place between those nodes. A green light beside a node means that the node is active, a red light denotes that one or more severe events associated with that node have taken place, while a yellow light indicates minor severity. It also shows the number of packets transferred, the events that took place, the bytes transferred between the nodes and the duration for which they have been active. Going to the Events tab, you can see the details of the severe events detected. You can also see the flows independently in the Flat view option, and you can even compare two flows.
The Application view under Expert analysis uses Apdex
Observer
Observer can run on wired as well as wireless networks. It provides an
instant view of captured packets and can also present them in human readable
format, in an interface pretty similar to Ethereal's. Observer is capable of
providing information about things like network summary, bandwidth utilization,
access point load monitoring and VLAN analysis in real time. The software has
pretty effective filters, which help users analyze the network easily by
showing only the data that is relevant and required by the user. When
Observer finds any error or warning, such as an attack or a problem in the
network, it can also alert the user by sending e-mails and pager messages. It
also has a Traffic generation feature, with the help of which it can stress
test your network by generating heavy traffic. It also provides VLAN analysis,
Internet Observer analysis, Router Observer, etc. It provides network trending
and detailed reporting to help you keep an eye on the overall health of your
network.
Under the Channel option you can check the stats of each and every channel
Wired Protocol Analyzers: Packetyzer
It's a network protocol analyzer, again based on the Ethereal project, and
also sometimes referred to as a packet sniffer. It includes the open source
Ethereal packet capture and dissection library. It decodes various protocols,
including the ones from wireless LAN, virtual LAN and 802.1x. It applies
sophisticated packet filtering to filter and search for specific packets. Its
filtering is very powerful: it is possible to filter on addresses, both MAC and
IP, by protocol, by port number, etc., and complex filters can be built up by
combining elements. It captures packets from the network and can provide live,
detailed information about them. It is configurable, can capture sessions as
needed and lets you examine the captured protocols with ease. An interesting
feature of Packetyzer is its import/export flexibility, which allows it to open
captures from a large number of other capture programs and save captured
packets in the formats of those programs. With RFprotect Mobile, Packetyzer can
sniff 802.11 traffic and capture 802.11 packets in promiscuous mode, including
control and management frames. It's a very effective tool for network
professionals for troubleshooting, analysis, protocol development and handling
security threats better.
WiFi: Commview
Commview is a wireless network monitor and analyzer for 802.11 a/b/g
networks. It captures packets on-the-fly and provides critical information such
as list of access points and stations, per node and per channel statistics,
signal strengths, protocol distribution chart etc. All of this information helps
a network administrator to find out network problems, view and examine packets,
troubleshoot software and hardware.
Packets can be decrypted using user defined WEP or WPA-PSK keys. A
convenient tree-like display of the protocol layers and packet headers helps
you determine the details of a packet. One can view details of IP connections
like IP addresses, ports, sessions, etc. It provides you with an option to
reconstruct a TCP session. You can configure alarms that notify you about
important events, such as suspicious packets, high bandwidth utilization,
unknown addresses, rogue access points, etc. You can browse captured and decoded
packets in real time. A log can be maintained for individual or all packets in a
file. One can also monitor bandwidth utilization and search for a specific
string or hex data in captured packets. There is also an option to view a
protocol pie chart.
Overall, this is a very effective tool for IT administrators for monitoring
wireless networks.
CommView for WiFi
When you start capturing packets, it first scans the available access points (APs) within range. From the detected APs, select the one on which you want to capture packets, and press Capture at the bottom. You can see the required statistics on the main console. To see live details in graphical format from the Nodes window, select the AP and then select 'More statistics'. You can also see information about packets, protocols, hosts, and the matrix by MAC and IP addresses, and generate a report. To see the packet
WiFi: Kismet
Kismet is a wireless network detector, sniffer and intrusion detection
system. It works with any wireless card that supports raw monitoring mode (rfmon)
and can sniff 802.11a/b/g traffic. It identifies networks by passively collecting
packets and detecting standard named networks. It can also detect hidden networks
and infer the presence of non-beaconing networks from their data traffic. One of
the key features of Kismet is Ethereal/Tcpdump compatible data logging. It also
has built-in channel hopping and multi-card split channel hopping. The
client/server architecture allows multiple clients to view a single server
simultaneously. It also has support for distributed remote drone sniffing. For
known networks, it can do runtime decoding of WEP packets. It can multiplex
multiple simultaneous capture sources on a single Kismet instance. Graphical
mapping of networks is also available.
Under the Streams option, HTTP Analyzer shows the amount of data sent in the left window and data received in the right window
HTTP traffic: HTTP analyzer
HTTP Analyzer is a sniffer which monitors and inspects HTTP/HTTPS traffic in
real time. It can trace and examine various information ranging from headers,
content, cookies, query strings, POST data and request/response streams to
redirection URLs. Along with several filtering options, it provides cache
information and session clearing as well as HTTP status code information. You
can even handcraft an HTTP/HTTPS request. Using drag and drop, you can move an
existing request from the Session grid to the Request builder to execute it
again.
The HTTP Analyzer automation library is packaged as COM components and can be
fully controlled using OLE automation. It displays Winsock traffic originating
from Java applets and JavaScript embedded in a Web page, and also displays
Winsock traffic originating from ActiveX controls and COM objects instantiated
by an application. It also allows viewing and editing of binary files in
hexadecimal and textual format using a hex viewer. One can selectively clear
the cache and cookies.
HTTP Traffic Analysis
The HTTP protocol analyzer starts capturing packets as soon as any HTTP data flow occurs, and shows you the details of all these packets in real time. To do this, select the processes and packets whose details you want to view. The header details of the packet are visible at the bottom. To view the content carried by the packet, select the Content option. If the content is an image, you will see it as an image. To view data streams received from and sent to the data server,