Ethereal
Ethereal is one of the best open-source programs ever made. Although Ethereal was originally created as a UNIX/Linux program based on Libpcap (an open-source interface for capturing network packets), it has long been available for Windows. Unlike most open-source programs, Ethereal's GUI is easy to understand and navigate, and the product comes with a 400-page manual in PDF format, which beats the typical one-page man page (i.e., an online documentation page for UNIX/Linux) that accompanies most open-source tools. Before you install and use Ethereal, you'll need to download and install the Windows version of Libpcap, WinPcap (a free packet-capture architecture for Windows systems), from http://winpcap.polito.it. The Ethereal download includes both GUI and command-line versions. The command-line version is useful for scripting or for triggering Ethereal's packet capture when a particular event occurs (think IDS or honeypot analysis). Because Ethereal is open-source software, the Ethereal Web site is the primary source of information about the product; it provides information about Ethereal features, FAQs, and links to Ethereal developer and technical-support mailing lists.
Ethereal includes all the features that you typically find in a protocol analyzer. You can capture or display all network traffic or only traffic that meets specific criteria. By default, you must stop packet capturing to display traffic, although you can tell Ethereal to display captured packets while capturing occurs (which incurs a performance penalty). You can print out packet traces in varying levels of detail and formats or save them to files so that you can analyze them later. You can tell Ethereal to convert captured information, such as IP and media access control (MAC) addresses, to their common names rather than display raw numbers.
Ethereal also provides several windows that display summary information and statistics. Although Ethereal's displays aren't as handy as the dashboard displays and pie charts that some competing products (such as EtherPeek or Netasyst Network Analyzer) offer, the statistics that Ethereal provides are useful and include protocol spectrum spreads, protocol summaries, and conversation lists (i.e., which host was talking to which other host). One of Ethereal's most valuable features is its ability to pick one TCP packet and display all the payload data between the two communicating hosts over the duration of the session. Ethereal's implementation of this feature is the most user-friendly of any product in this review, although the feature tracks only TCP streams. Other protocol analyzers can perform stream analysis for protocols other than TCP. Figure 3 shows a decoded HTTP session in Ethereal that displays the basic HTTP GET request and the resulting Web site's reply.
Ethereal supports 512 different protocol decoders (according to http://www.ethereal.com/faq.html#q1.2), and more are being added all the time. Ethereal recognizes and decodes the familiar protocol types, including AOL Instant Messenger (AIM), Abstract Syntax Notation One (ASN.1), DNS, FTP, HTTP, Lightweight Directory Access Protocol (LDAP), POP, RPC, Session Initiation Protocol (SIP), and SMTP. The product's UNIX roots are evident because many Windows-standard transport and application-level decoders (such as Exchange, Microsoft SQL Server, and RDP) either aren't available or aren't installed in the default configuration. However, Ethereal is one of the few protocol analyzers that provides decoders for the MetaMachine eDonkey 2000, Jabber, and Quake protocols. Most Ethereal decoders don't explicitly recognize protocols that run over nondefault ports, but if you recognize a particular protocol in a packet, you can right-click the packet and choose to decode it by using a particular protocol decoder.
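The TCP stream following described above amounts to three steps: select every segment that shares the chosen packet's address/port 4-tuple, order each direction by sequence number, and drop retransmitted or overlapping bytes. The script below is an added example written for this page, not Ethereal's own code. It reads a libpcap-format file (the format Ethereal saves) using only the Python standard library and runs against a constructed in-memory capture of an HTTP exchange on the nondefault port 8080, which also shows why stream following works whether or not any decoder recognized the payload. All addresses, ports, payloads and frame contents are made up for the example; IP and TCP checksums are left at zero.

```python
"""Follow a TCP stream in a libpcap capture, Ethereal-style (added example)."""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
LINKTYPE_ETHERNET = 1


def iter_pcap_records(data):
    """Yield (timestamp, frame_bytes) for each record of a libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:            # little-endian writer
        endian = "<"
    elif magic == 0xD4C3B2A1:          # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a libpcap capture (bad magic)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                           # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]            # trailing Ethernet padding is cut off here
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    thl = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[13], tcp[thl:]


def stream_key(src, sport, dst, dport):
    """Direction-independent identifier of a TCP conversation."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def reassemble(seq_map):
    """Concatenate payloads in sequence order, dropping overlap and marking holes.
    Ignores 32-bit sequence wrap, which is fine for short sessions."""
    out, next_seq = bytearray(), None
    for seq in sorted(seq_map):
        payload = seq_map[seq]
        if next_seq is None:
            next_seq = seq
        if seq + len(payload) <= next_seq:
            continue                               # entirely old data
        if seq < next_seq:
            payload = payload[next_seq - seq:]     # partial overlap with earlier data
        elif seq > next_seq:
            out += b"?" * (seq - next_seq)         # segment lost or not captured
        out += payload
        next_seq = seq + len(seq_map[seq])
    return bytes(out)


def follow_tcp_stream(pcap_bytes, selected_frame_no):
    """Reassemble both directions of the conversation that frame number
    `selected_frame_no` (1-based, as in the packet list) belongs to.
    Returns (client, client_data, server, server_data); the client is the
    side that sent the stream's first captured segment."""
    segments = [(n, t) for n, (_ts, f) in enumerate(iter_pcap_records(pcap_bytes), 1)
                if (t := parse_tcp(f))]
    selected = next((t for n, t in segments if n == selected_frame_no), None)
    if selected is None:
        raise ValueError("selected frame is not a TCP segment")
    key = stream_key(*selected[:4])
    per_dir, client = defaultdict(dict), None      # (ip, port) -> {seq: payload}
    for _n, (src, sport, dst, dport, seq, _flags, payload) in segments:
        if stream_key(src, sport, dst, dport) != key:
            continue
        client = client or (src, sport)
        if payload:
            per_dir[(src, sport)].setdefault(seq, payload)   # first copy wins
    server = key[0] if key[1] == client else key[1]
    return client, reassemble(per_dir[client]), server, reassemble(per_dir[server])


# --- constructed sample capture (not real traffic) --------------------------
def _frame(src, sport, dst, dport, seq, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file with Ethernet link type."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


C, S = "10.0.0.5", "10.0.0.9"
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
REQ = b"GET / HTTP/1.0\r\nHost: intranet\r\n\r\n"
RESP1 = b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\n"
RESP2 = b"hello"
SAMPLE_PCAP = build_pcap([
    _frame(C, 40000, S, 8080, 1000, SYN),                          # 1
    _frame(S, 8080, C, 40000, 5000, SYN | ACK),                    # 2
    _frame(C, 40000, S, 8080, 1001, ACK),                          # 3
    _frame("10.0.0.7", 40001, S, 25, 77, SYN),                     # 4 unrelated stream
    _frame(C, 40000, S, 8080, 1001, PSH | ACK, REQ),               # 5 request
    _frame(S, 8080, C, 40000, 5001 + len(RESP1), PSH | ACK, RESP2),# 6 captured out of order
    _frame(S, 8080, C, 40000, 5001, PSH | ACK, RESP1),             # 7
    _frame(S, 8080, C, 40000, 5001, PSH | ACK, RESP1),             # 8 retransmission
    _frame(C, 40000, S, 8080, 1001 + len(REQ), FIN | ACK),         # 9
])

if __name__ == "__main__":
    client, cdata, server, sdata = follow_tcp_stream(SAMPLE_PCAP, 5)
    print(f"{client} -> {server}:\n{cdata.decode()}")
    print(f"{server} -> {client}:\n{sdata.decode()}")
```

Selecting frame 5 (or any frame of that conversation) yields the request in one direction and the headers plus body in the other, even though the body segment was captured before the headers and the headers were retransmitted; frame 4 yields the unrelated, payload-free SMTP handshake. Because the selection is keyed on addresses and ports rather than on a decoder, the same code follows HTTP on 8080 as easily as on 80.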
Ethereal is a great network protocol analyzer for beginning to intermediate users. For such users, Ethereal's capabilities are sufficient, although some enterprises might have concerns about the product's lack of dedicated technical support. Advanced users who want more accurate decodes, better expert analysis, and distributed architectures will find commercially available network protocol analyzers a better choice.
DECISION SUMMARY
PRICE: Free
PROS:
Great for beginners and users without complex requirements
Free
Easy-to-navigate GUI
Support for hundreds of protocol decoders
Performs TCP stream analysis
CONS:
Less-detailed protocol decodes than those of commercial products
Not enterprise-ready
No guaranteed technical support
Fluke Networks' OptiView Protocol Expert
Fluke Networks, long known for its handheld protocol analyzers, is trying to create a similar reputation with its OptiView software analyzers, a suite of products that sniff traffic on Ethernet, token-ring, and fiber-tapped networks. (For more information about hardware protocol analyzer products, see the sidebar "Hardware Protocol Analyzers.") Fluke Networks' OptiView Protocol Expert provides protocol analysis for packets captured by Protocol Expert or other products in the OptiView suite, including OptiView Integrated Network Analyzer, OptiView Link Analyzer, and OptiView Workgroup Analyzer. OptiView Protocol Expert runs on Windows 2000 Professional and Windows 98 but not on Windows Server 2003 or Win2K Server. I reviewed Protocol Expert 4.0, which was the most current release of the product available when I evaluated it. (Fluke Networks released Protocol Expert 5.0 as an upgrade to some existing customers but didn't make it available as a trial product.) The vendor says it will release the latest production version of Protocol Expert, 6.1, in late June.
Protocol Expert is a capable analyzer console, but its UI needs improvement. (Fluke Networks says it's improved the product's UI in version 6.1.) I found Protocol Expert's GUI awkward to navigate. I spent too much time trying to figure out how to enable or disable basic features, such as turning on and off packet capturing or printing reports. Although step-by-step assistance is available under the Help menu, first-time users shouldn't have to search for help with features whose operation should be readily apparent. In addition, I found the display difficult to read and to customize. Gray border areas took up valuable screen real estate, and the default font was hard to read at a resolution of 800x600. On the packet-decoding window, I couldn't rearrange packet-detail columns. After I got used to Protocol Expert's GUI, however, I found that the product performed reliably. Fluke Networks offers 1- to 5-day training classes (5-day classes are $2750) to help shorten the learning curve.
Another good low-cost product for the budget-minded admin is LinkFerret from Baseband Technologies. According to their website, they write most of the code for the other analyzer vendors.
Randall Ader July 06, 2004
Another good sniffer is LanRaptor from www.shakti-software.com.
You can define your own protocols, so if they don't provide support, you can still fully decode any protocol that is important to you.
Anonymous User October 08, 2004
One thing not touched on in the article is the major difference between a software and a hardware analyzer. Only good packets can be seen by a software analyzer. If the packet cannot make it up to the top layer of the OSI seven-layer model, you won't see it. Also, the quality of the network driver is important. Some LAN cards and drivers won't work, or won't work properly, in promiscuous mode.
Anonymous User November 23, 2004
Anonymous User January 04, 2005
This article is worthless
Anonymous User February 14, 2005
Good overview of some of the more popular protocol analyzers and their features. A matrix with comparison criteria and ratings would have been helpful. The posting made by the Anonymous user from Feb 14th, 2005 is worthless, not this article.