Ethereal
Ethereal is one of the best open-source programs ever made. Although Ethereal was originally created as a UNIX/Linux program based on Libpcap (an open-source interface for capturing network packets), it has long been available for Windows. Unlike most open-source programs, Ethereal's GUI is easy to understand and navigate, and the product comes with a 400-page manual in PDF format, which beats the typical one-page man page (the online documentation page that accompanies most UNIX/Linux tools). Before you install and use Ethereal, you'll need to download and install WinPcap, the Windows version of Libpcap and a free packet-capture architecture for Windows systems, from http://winpcap.polito.it. The downloaded Ethereal product comes in both GUI and command-line versions. The command-line version is useful for scripting or for activating Ethereal's packet-capturing features when a particular event occurs (think IDS or honeypot analysis). Because Ethereal is open-source software, the Ethereal Web site is the primary source of information about the product. The Web site provides information about Ethereal features, FAQs, and links to Ethereal developer and technical support mailing lists.
Ethereal includes all the features that you typically find in a protocol analyzer. You can capture or display all network traffic or only traffic that meets specific criteria. By default, you must stop packet capturing to display traffic, although you can tell Ethereal to display captured packets while capturing occurs (which incurs a performance penalty). You can print out packet traces in varying levels of detail and formats or save them to files so that you can analyze them later. You can tell Ethereal to convert captured information, such as IP and media access control (MAC) addresses, to their common names rather than display raw numbers.
Ethereal also provides several windows that display summary information and statistics. Although Ethereal's displays aren't as handy as the dashboard displays and pie charts that some competing products, such as EtherPeek or Netasyst Network Analyzer, offer, the statistics that Ethereal provides are useful and include protocol spectrum spreads, protocol summaries, and conversation lists (i.e., which host was talking to which other host). One of Ethereal's most valuable features is its ability to pick one TCP packet and display all the payload data exchanged between the two communicating hosts over the duration of the session. Ethereal's implementation of this feature is the most user-friendly of any product in this review, although the feature tracks only TCP streams. Other protocol analyzers can perform stream analysis for protocols other than TCP. Figure 3 shows a decoded HTTP session in Ethereal that displays the basic HTTP GET request and the resulting Web site's reply.
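To make the stream-following feature concrete, here is an added example (written for this page, not Ethereal's own code) of what "follow TCP stream" does for one conversation: it collects the segments of both directions, orders them by sequence number, and tolerates out-of-order and retransmitted segments. The endpoints, addresses and the HTTP request/reply below are constructed sample data, not a real capture.

```python
from typing import Dict, List, Tuple

# One TCP segment as (src_ip, src_port, dst_ip, dst_port, seq, payload).
Segment = Tuple[str, int, str, int, int, bytes]
Endpoint = Tuple[str, int]


def follow_tcp_stream(segments: List[Segment], a: Endpoint, b: Endpoint) -> Dict[str, bytes]:
    """Reassemble both directions of the conversation between endpoints a and b.

    Segments are keyed by sequence number, so delivery order does not matter,
    an exact retransmission is kept only once, and a partially overlapping
    retransmission contributes only its new bytes. Segments of other
    conversations are ignored, which is what picking one packet and following
    its stream does in a protocol analyzer.
    """
    by_seq: Dict[str, Dict[int, bytes]] = {"a_to_b": {}, "b_to_a": {}}
    for src_ip, src_port, dst_ip, dst_port, seq, payload in segments:
        if (src_ip, src_port) == a and (dst_ip, dst_port) == b:
            direction = "a_to_b"
        elif (src_ip, src_port) == b and (dst_ip, dst_port) == a:
            direction = "b_to_a"
        else:
            continue  # belongs to a different conversation
        by_seq[direction].setdefault(seq, payload)  # first copy of a retransmit wins
    out: Dict[str, bytes] = {}
    for direction, segs in by_seq.items():
        buf = b""
        expected = None  # next sequence number we expect to append
        for seq in sorted(segs):
            payload = segs[seq]
            if expected is not None and seq < expected:
                payload = payload[expected - seq:]  # drop already-seen overlap
                seq = expected
            buf += payload  # a gap (seq > expected) is simply concatenated here
            expected = seq + len(payload)
        out[direction] = buf
    return out


CLIENT: Endpoint = ("192.168.1.10", 3456)
SERVER: Endpoint = ("10.0.0.5", 80)
# Constructed sample: request split in two segments arriving out of order,
# one exact retransmission, a two-segment reply, and one unrelated segment.
SAMPLE_SEGMENTS: List[Segment] = [
    ("192.168.1.10", 3456, "10.0.0.5", 80, 1016, b"Host: www.example.com\r\n\r\n"),
    ("192.168.1.10", 3456, "10.0.0.5", 80, 1000, b"GET / HTTP/1.1\r\n"),
    ("192.168.1.10", 3456, "10.0.0.5", 80, 1000, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.5", 80, "192.168.1.10", 3456, 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
    ("10.0.0.5", 80, "192.168.1.10", 3456, 5038, b"hello"),
    ("10.0.0.9", 80, "192.168.1.10", 3456, 9000, b"unrelated"),
]


def demo() -> Dict[str, bytes]:
    return follow_tcp_stream(SAMPLE_SEGMENTS, CLIENT, SERVER)
```

Running `demo()` yields the full GET request in one direction and the complete HTTP reply in the other, with the duplicate segment counted once and the unrelated host excluded.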
Ethereal supports 512 different protocol decoders (according to http://www.ethereal.com/faq.html#q1.2), and more are being added all the time. Ethereal recognizes and decodes the familiar protocol types, including AOL Instant Messenger (AIM), Abstract Syntax Notation One (ASN.1), DNS, FTP, HTTP, Lightweight Directory Access Protocol (LDAP), POP, RPC, Session Initiation Protocol (SIP), and SMTP. The product's UNIX roots are evident because many Windows-standard transport and application-level decoders (such as Exchange, Microsoft SQL Server, and RDP) either aren't available or aren't installed in the default configuration. However, Ethereal is one of the few protocol analyzers that provide decoders for the MetaMachine eDonkey 2000, Jabber, and Quake protocols. Most Ethereal decoders don't explicitly recognize protocols that run over nondefault ports, but if you recognize a particular protocol in a packet, you can right-click the packet and choose to decode it by using a particular protocol decoder.
Ethereal is a great network protocol analyzer for beginning to intermediate users. For such users, Ethereal's capabilities are sufficient, although some enterprises might have concerns about the product's lack of dedicated technical support. Advanced users who want more accurate decodes, better expert analysis, and distributed architectures will find commercially available network protocol analyzers a better choice.
DECISION SUMMARY
PRICE: Free
PROS:
Great for beginners and users without complex requirements
Free
Easy-to-navigate GUI
Support for hundreds of protocol decoders
Performs TCP stream analysis
CONS:
Less-detailed protocol decodes than those of commercial products
Not enterprise-ready
No guaranteed technical support
Fluke Networks' OptiView Protocol Expert
Fluke Networks, long known for its handheld protocol analyzers, is trying to create a similar reputation with its OptiView software analyzers, a suite of products that sniff traffic on Ethernet, token-ring, and fiber-tapped networks. (For more information about hardware protocol analyzer products, see the sidebar "Hardware Protocol Analyzers.") Fluke Networks' OptiView Protocol Expert provides protocol analysis for packets captured by Protocol Expert or other products in the OptiView suite, including OptiView Integrated Network Analyzer, OptiView Link Analyzer, and OptiView Workgroup Analyzer. OptiView Protocol Expert runs on Windows 2000 Professional and Windows 98 but not on Windows Server 2003 or Win2K Server. I reviewed Protocol Expert 4.0, which was the most current release of the product available when I evaluated it. (Fluke Networks released Protocol Expert 5.0 as an upgrade to some existing customers but didn't make it available as a trial product.) The vendor says it will release the latest production version of Protocol Expert, 6.1, in late June.
Protocol Expert is a capable analyzer console, but its UI needs improvement. (Fluke Networks says it's improved the product's UI in version 6.1.) I found Protocol Expert's GUI awkward to navigate. I spent too much time trying to figure out how to enable or disable basic features, such as turning on and off packet capturing or printing reports. Although step-by-step assistance is available under the Help menu, first-time users shouldn't have to search for help with features whose operation should be readily apparent. In addition, I found the display difficult to read and to customize. Gray border areas took up valuable screen real estate, and the default font was hard to read at a resolution of 800x600. On the packet-decoding window, I couldn't rearrange packet-detail columns. After I got used to Protocol Expert's GUI, however, I found that the product performed reliably. Fluke Networks offers 1- to 5-day training classes (5-day classes are $2750) to help shorten the learning curve.