July 2004

6 Network Protocol Analyzers

Do you know what's passing over the wire? These products can tell you.

A network protocol analyzer is a vital part of a network administrator's toolkit. Network protocol analysis is the truth serum of network communications. If you want to find out why a network device is functioning in a certain way, use a protocol analyzer to sniff the traffic and expose the data and protocols that pass along the wire. You can use a network protocol analyzer to

  • troubleshoot hard-to-solve problems
  • detect and identify malicious software (malware)
  • gather information, such as baseline traffic patterns and network-utilization metrics
  • identify unused protocols so that you can remove them from the network
  • generate traffic for penetration testing
  • work with an Intrusion Detection System (IDS) or a honeypot
  • eavesdrop on traffic (e.g., locate unauthorized Instant Messaging—IM—traffic or wireless Access Points—APs)
  • learn about networking

If you manage a network and don't yet have a protocol analyzer, you need one. To help you find the network protocol analyzer that suits your environment, I first survey some typical features of software-based protocol analyzers. Then, I examine and compare these features in six popular network protocol analyzers.

Typical Features
Most software-based network protocol analyzers work in about the same way, as Figure 1 shows, and display, at least initially, the same basic information. The analyzer runs on a host system. When you start the analyzer (in promiscuous mode), the host NIC's software driver intercepts all traffic that passes through the NIC. The protocol analyzer passes the intercepted traffic to the analyzer's packet-decoder engine, which identifies and splits packets into their respective layers. The protocol analyzer software analyzes the packets and displays packet information on the analyzer host's screen. Depending on the product's capabilities, you can then analyze and filter the traffic further.

A protocol analyzer window typically consists of three panes, which the sample window from the Ethereal product in Figure 2 shows. The top pane displays a summary of the captured packets. Typically, this pane shows at minimum the following fields: date; time (in milliseconds) that the packet was captured; source and destination IP addresses; source and destination port addresses; protocol type (network, transport, or application layer); and a summary of the captured data. The middle pane shows the logical breakout of a selected packet, and the bottom pane shows the packet in hexadecimal or ASCII-character form.

Analyzing packet decodes is a network protocol analyzer's most important job. The analyzer organizes captured packets by layer and protocol. The best packet analyzers can recognize a protocol by its most definitive layer—the upper layer—and display the captured information on a field-by-field basis. This type of information is typically displayed in the analyzer window's second pane. For example, any protocol analyzer can recognize TCP traffic. A good analyzer will note that the traffic is Microsoft Exchange Server running over the remote procedure call (RPC) protocol and will show you the email message's text. Most protocol analyzers recognize more than 300 distinct protocols and define and decode them by name. The more information the analyzer decodes and presents, the less manual decoding work you'll have to do yourself. Accurate packet decodes separate the best analyzers from the also-rans.

Be wary of vendors that claim to provide more than 4000 protocol decoders in their protocol analyzers; 300 to 400 is a more realistic range. Most products provide a similar number of decoders, notwithstanding what the marketing hype might suggest. For instance, one product might dissect a simple Ping process into several different protocols (e.g., Internet Control Message Protocol—ICMP, echo request, ICMP echo reply), whereas another product might decode the Ping process as only one protocol—although both products measure and decode the same information.

A common problem I've seen with many protocol analyzers, including those I review here, is the inability to accurately identify—and consequently decode—a protocol that runs over a nondefault port number. In today's security-conscious computer world, running well-known applications on not-so-well-known ports is a common defense against malicious hackers. Some decoders recognize traffic regardless of the port over which it runs, whereas others don't and will define the protocol simply by its lower layer (i.e., TCP or UDP), which also means that the decoder doesn't provide the more useful field-specific decode information. Some analyzers let you modify the decoder to recognize more than the default port for particular protocols.
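To make the preceding points concrete, here is a small, added example (not code from the article or from any of the reviewed products) that does in miniature what the packet-decoder engine and the top pane do: it splits a constructed Ethernet II/IPv4/TCP frame into its layers, builds a summary row (time, addresses, ports, protocol, data summary), and then identifies the application protocol two ways. The port-only decoder falls back to "TCP" when HTTP runs on a nondefault port, exactly the weakness described above; the content-based decoder recognizes HTTP from the request line regardless of port. The frames, addresses and the tiny port table are all constructed for the example.

```python
"""Minimal software protocol analyzer: constructed Ethernet/IPv4/TCP frames are
split into layers (the packet-decoder engine) and summarised like the top pane.
Added example; not code from the article or from any product it reviews."""
import socket
import struct

# Hypothetical, deliberately tiny well-known-port table for a port-only decoder.
PORT_TABLE = {25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet II / IPv4 / TCP frame (checksums left at 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def decode(frame):
    """Split a frame into Ethernet, IP and TCP layers plus the application payload."""
    layers = {}
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"src": eth_src.hex(":"), "dst": eth_dst.hex(":"), "type": ethertype}
    if ethertype != 0x0800:            # only IPv4 is decoded in this example
        return layers
    fields = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (fields[0] & 0x0F) * 4
    layers["ip"] = {"src": socket.inet_ntoa(fields[8]), "dst": socket.inet_ntoa(fields[9]),
                    "proto": fields[6], "ttl": fields[5]}
    if fields[6] != 6:                 # not TCP: stop at the network layer
        return layers
    off = 14 + ihl
    sport, dport, _, _, doff, flags, _, _, _ = struct.unpack("!HHIIBBHHH", frame[off:off + 20])
    layers["tcp"] = {"sport": sport, "dport": dport, "flags": flags}
    layers["payload"] = frame[off + (doff >> 4) * 4:]
    return layers


def identify_by_port(layers):
    """Port-only decoder: falls back to the lower layer ("TCP") on a nondefault port."""
    tcp = layers.get("tcp")
    if tcp is None:
        return "IP" if "ip" in layers else "Ethernet"
    return PORT_TABLE.get(tcp["dport"]) or PORT_TABLE.get(tcp["sport"]) or "TCP"


def identify_by_content(layers):
    """Port-independent decoder: recognises HTTP from the request/status line itself."""
    payload = layers.get("payload", b"")
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.startswith(HTTP_METHODS) and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "HTTP"
    if first_line.startswith((b"HTTP/1.0 ", b"HTTP/1.1 ")):
        return "HTTP"
    return identify_by_port(layers)   # nothing recognisable: use the port table


def summary_row(frame, captured_at, port_independent=True):
    """One top-pane row: time, addresses, ports, protocol and a short data summary."""
    layers = decode(frame)
    proto = identify_by_content(layers) if port_independent else identify_by_port(layers)
    payload = layers.get("payload", b"")
    if proto == "HTTP":
        info = payload.split(b"\r\n", 1)[0][:60].decode("ascii", "replace")
    else:
        info = payload[:16].hex()      # undecoded data shown as hex, like the bottom pane
    return {
        "time": captured_at,
        "src": layers["ip"]["src"] if "ip" in layers else layers["eth"]["src"],
        "dst": layers["ip"]["dst"] if "ip" in layers else layers["eth"]["dst"],
        "sport": layers.get("tcp", {}).get("sport"),
        "dport": layers.get("tcp", {}).get("dport"),
        "protocol": proto,
        "info": info,
    }


if __name__ == "__main__":
    request = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    for port in (80, 8081):            # same HTTP request on a default and a nondefault port
        f = build_frame("192.0.2.10", "192.0.2.20", 40000, port, request)
        print(summary_row(f, 0.0, port_independent=False))
        print(summary_row(f, 0.0))
```

Run as a script, the port-8081 frame is reported as plain "TCP" with a hex data summary by the port-only decoder and as "HTTP" with the request line by the content-based one. A real analyzer's port-independent dissectors work the same way in principle, by matching on what the payload looks like, which is why they keep giving you field-level decodes when an application has been moved off its default port.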

Protocol-analyzer vendors often brag about their product's expert-analysis capabilities—whereby the analyzer reads a packet or series of packets and reports useful information about the captured packets. Expert analysis might report traffic anomalies or malicious packets or fully decode a data stream series between two hosts. The decoding option is invaluable because you can see an entire communications stream of data simply by clicking a packet. For example, you can click an HTTP packet and see the Web page it represents as an end user might see it when the underlying HTML code is rendered. Other common features include pre- and post-capture filtering (the ability to find certain packets that meet specific criteria), triggers (initiation of a secondary action when a predefined packet pattern occurs), replay (the ability to play back captured packets over the network), traffic statistics, reporting, and management of multiple sensors from one console.

The Reviews
In a market space crowded with vendors and products, I was pleasantly surprised to find many strong contenders among network protocol analyzers. When you evaluate protocol analyzers, look closely at features such as packet-capturing accuracy, the range of protocols that the analyzer decodes (make sure it matches the protocols in your environment), decode detail, expert analysis, placement model (i.e., distributed or not), price, and technical support. Let's examine six general-purpose network protocol analyzers: Ethereal, Fluke Networks' OptiView Protocol Expert 4.0, Network Associates' Netasyst Network Analyzer WLX, Network Instruments' Observer 9.0, Sunbelt Software's LanHound 1.1, and WildPackets' EtherPeek NX 2.1.

