A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer,
is a
computer program
A computer program is a sequence or set of instructions in a programming language for a computer to execute. Computer programs are one component of software, which also includes documentation and other intangible components.
A computer program ...
or
computer hardware
Computer hardware includes the physical parts of a computer, such as the computer case, case, central processing unit (CPU), Random-access memory, random access memory (RAM), Computer monitor, monitor, Computer mouse, mouse, Computer keyboard, ...
such as a
packet capture appliance
A packet capture appliance is a standalone device that performs packet capture. Packet capture appliances may be deployed anywhere on a network, however, most commonly are placed at the entrances to the network (i.e. the internet connections) and i ...
, that can intercept and log traffic that passes over a
computer network
A computer network is a set of computers sharing resources located on or provided by network nodes. The computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are ...
or part of a network. Packet capture is the process of intercepting and logging traffic. As
data stream
In connection-oriented communication, a data stream is the transmission of a sequence of digitally encoded coherent signals to convey information. Typically, the transmitted symbols are grouped into a series of packets.
Data streaming has bec ...
s flow across the network, the analyzer captures each
packet
Packet may refer to:
* A small container or pouch
** Packet (container), a small single use container
** Cigarette packet
** Sugar packet
* Network packet, a formatted unit of data carried by a packet-mode computer network
* Packet radio, a form ...
and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate
RFC
RFC may refer to:
Computing
* Request for Comments, a memorandum on Internet standards
* Request for change, change management
* Remote Function Call, in SAP computer systems
* Rhye's and Fall of Civilization, a modification for Sid Meier's Civ ...
or other specifications.
A packet analyzer used for intercepting traffic on wireless networks is known as a wireless analyzer or WiFi analyzer. While a packet analyzer can also be referred to as a
network analyzer or
protocol analyzer
A protocol analyzer is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Such a channel varies from a local computer bus to a satellite link, that provides a means of communication usi ...
these terms can also have other meanings. Protocol analyzer can technically be a broader, more general class that includes packet analyzers/sniffers. However, the terms are frequently used interchangeably.
Capabilities
On wired
shared-medium network
In telecommunication, a shared medium is a transmission medium, medium or channel (communications), channel of information transfer that serves more than one user at the same time.
In order for most channels to function correctly, no more than on ...
s, such as
Ethernet
Ethernet () is a family of wired computer networking technologies commonly used in local area networks (LAN), metropolitan area networks (MAN) and wide area networks (WAN). It was commercially introduced in 1980 and first standardized in 198 ...
,
Token Ring
Token Ring network
IBM hermaphroditic connector with locking clip. Screen contacts are prominently visible, gold-plated signal contacts less so.
Token Ring is a computer networking technology used to build local area networks. It was introduc ...
, and
FDDI
Fiber Distributed Data Interface (FDDI) is a standard for data transmission in a local area network.
It uses optical fiber as its standard underlying physical medium, although it was also later specified to use copper cable, in which case it m ...
, depending on the network structure (
hub or
switch
In electrical engineering, a switch is an electrical component that can disconnect or connect the conducting path in an electrical circuit, interrupting the electric current or diverting it from one conductor to another. The most common type of ...
),
it may be possible to capture all traffic on the network from a single machine. On modern networks, traffic can be captured using a network switch using
port mirroring
Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitor ...
, which mirrors all packets that pass through designated ports of the switch to another port, if the switch supports port mirroring. A
network tap
A network tap is a system that monitors events on a local network. A tap is typically a dedicated hardware device, which provides a way to access the data flowing across a computer network.
The network tap has (at least) three ports: an ''A port ...
is an even more reliable solution than to use a monitoring port since taps are less likely to drop packets during high traffic load.
On
wireless LAN
A wireless LAN (WLAN) is a wireless computer network
A wireless network is a computer network that uses wireless data connections between network nodes.
Wireless networking is a method by which homes, telecommunications networks and bus ...
s, traffic can be captured on one channel at a time, or by using multiple adapters, on several channels simultaneously.
On wired broadcast and wireless LANs, to capture
unicast
Unicast is data transmission from a single sender (red) to a single receiver (green). Other devices on the network (yellow) do not participate in the communication.
In computer networking, unicast is a one-to-one transmission from one point in ...
traffic between other machines, the
network adapter
A network interface controller (NIC, also known as a network interface card, network adapter, LAN adapter or physical network interface, and by similar terms) is a computer hardware component that connects a computer to a computer network.
Ear ...
capturing the traffic must be in
promiscuous mode
In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rathe ...
. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the
service set the adapter is configured for are usually ignored. To see those packets, the adapter must be in
monitor mode
Monitor or monitor may refer to:
Places
* Monitor, Alberta
* Monitor, Indiana, town in the United States
* Monitor, Kentucky
* Monitor, Oregon, unincorporated community in the United States
* Monitor, Washington
* Monitor, Logan County, West Vi ...
. No special provisions are required to capture
multicast
In computer networking, multicast is group communication where data transmission is addressed to a group of destination computers simultaneously. Multicast can be one-to-many or many-to-many distribution. Multicast should not be confused with ...
traffic to a multicast group the packet analyzer is already monitoring, or
broadcast
Broadcasting is the distribution of audio or video content to a dispersed audience via any electronic mass communications medium, but typically one using the electromagnetic spectrum ( radio waves), in a one-to-many model. Broadcasting began ...
traffic.
When traffic is captured, either the entire contents of packets or just the
headers are recorded. Recording just headers reduces storage requirements, and avoids some
privacy legal issues, yet often provides sufficient information to diagnose problems.
Captured information is decoded from raw digital form into a
human-readable format
A human-readable medium or human-readable format is any encoding of data or information that can be naturally read by humans.
In computing, ''human-readable'' data is often encoded as ASCII or Unicode text, rather than as binary data. In most c ...
that lets engineers review exchanged information. Protocol analyzers vary in their abilities to display and analyze data.
Some protocol analyzers can also generate traffic. These can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test the
device under test A device under test (DUT), also known as equipment under test (EUT) and unit under test (UUT), is a manufactured product undergoing testing, either at first manufacture or later during its life cycle as part of ongoing functional testing and calibra ...
's ability to handle errors.
Protocol analyzers can also be hardware-based, either in probe format or, as is increasingly common, combined with a disk array. These devices record packets or packet headers to a disk array.
Uses
Packet analyzers can:
* Analyze network problems
* Detect
network intrusion
A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, info ...
attempts
* Detect network misuse by internal and external users
* Documenting regulatory compliance through logging all perimeter and endpoint traffic
* Gain information for effecting a network intrusion
* Identify data collection and sharing of software such as operating systems (for strengthening
privacy
Privacy (, ) is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.
The domain of privacy partially overlaps with security, which can include the concepts of a ...
, control and security)
* Aid in gathering information to isolate exploited systems
* Monitor WAN bandwidth utilization
* Monitor network usage (including internal and external users and systems)
* Monitor
data in transit
Data in transit, also referred to as data in motion and data in flight, is data en route between source and destination, typically on a computer network.
Data in transit can be separated into two categories: information that flows over the publi ...
* Monitor WAN and
endpoint security
Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, Internet-of-things devices, ...
status
* Gather and report network statistics
* Identify suspect content in network traffic
* Troubleshoot performance problems by monitoring network data from an application
* Serve as the primary data source for day-to-day network monitoring and management
* Spy on other network users and collect sensitive information such as login details or users cookies (depending on any content
encryption
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
methods that may be in use)
*
Reverse engineer
Reverse engineering (also known as backwards engineering or back engineering) is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accompli ...
proprietary protocol
In telecommunications, a proprietary protocol is a communications protocol owned by a single organization or individual.
Intellectual property rights and enforcement
Ownership by a single organization gives the owner the ability to place restricti ...
s used over the network
* Debug
client/server communications
* Debug network protocol implementations
* Verify adds, moves, and changes
* Verify internal control system effectiveness (
firewalls, access control, Web filter, spam filter, proxy)
Packet capture can be used to fulfill a warrant from a
law enforcement agency
A law enforcement agency (LEA) is any government agency responsible for the enforcement of the laws.
Jurisdiction
LEAs which have their ability to apply their powers restricted in some way are said to operate within a jurisdiction.
LEAs ...
to
wiretap
Telephone tapping (also wire tapping or wiretapping in American English) is the monitoring of telephone and Internet-based conversations by a third party, often by covert means. The wire tap received its name because, historically, the monitorin ...
all network traffic generated by an individual.
Internet service provider
An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...
s and
VoIP
Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. The terms Internet t ...
providers in the United States must comply with
Communications Assistance for Law Enforcement Act
The Communications Assistance for Law Enforcement Act (CALEA), also known as the "Digital Telephony Act," is a United States wiretapping law passed in 1994, during the presidency of Bill Clinton (Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 ...
regulations. Using packet capture and storage, telecommunications carriers can provide the legally required secure and separate access to targeted network traffic and can use the same device for internal security purposes. Collecting data from a carrier system without a warrant is illegal due to laws about interception. By using
end-to-end encryption
End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, malicious actors, and even ...
, communications can be kept confidential from telecommunication carriers and legal authorities.
Notable packet analyzers
* Allegro Network Multimeter
*
Capsa
Gafsa ( aeb, ڨفصة '; ar, قفصة qafṣah), originally called Capsa in Latin, is the capital of Gafsa Governorate of Tunisia. It lends its Latin name to the Mesolithic Capsian culture. With a population of 111,170, Gafsa is the ninth-la ...
Network Analyzer
*
Charles Web Debugging Proxy
*
Carnivore (software)
Carnivore, later renamed DCS1000, was a system implemented by the Federal Bureau of Investigation (FBI) that was designed to monitor email and electronic communications. It used a customizable packet sniffer that could monitor all of a target user ...
*
CommView
CommView is an application for network monitoring, packet analysis, and decoding. There are two editions of CommView: the standard edition for Ethernet networks and the wireless edition for 802.11 networks named CommView for WiFi. The application ...
*
dSniff
dSniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf ...
*
EndaceProbe Analytics Platform by Endace
*
ettercap
*
Fiddler
A fiddle is a Bow (music), bowed String instrument, string musical instrument, most often a violin. It is a colloquial term for the violin, used by players in all genres, including European classical music, classical music. Although in many ...
*
Kismet
*
Lanmeter
A LANMeter was a tool for testing Token Ring and Ethernet computer network, networks introduced by Fluke Corporation in 1993. It incorporated hardware testing (Electrical cable, cable and network Network interface controller, interface card) and ...
*
Microsoft Network Monitor
Microsoft Network Monitor is a Deprecation, deprecated packet analyzer. It enables capturing, viewing, and analyzing network data and deciphering network protocols. It can be used to troubleshoot computer network, network problems and applications ...
*
NarusInsight
Narus Inc. was a Software industry, software company and Independent software vendor, vendor of big data analytics for cybersecurity.
History
In 1997, Ori Cohen, Vice President of Business and Technology Development for VDONet, founded Narus with ...
*
NetScout Systems nGenius Infinistream
*
ngrep
ngrep (network grep) is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library.
ngrep supports Berkeley Packet Filter ( BPF) logic to select network sources ...
, Network Grep
*
OmniPeek
Omnipeek is a packet analyzer software tool from Savvius, a LiveAction company, for network troubleshooting and protocol analysis. It supports an application programming interface (API) for plugins.
History
Savvius (formerly WildPackets) was ...
, Omnipliance by Savvius
*
SkyGrabber
SkyGrabber is a software from the Russian company ''SkySoftware'' which accepts input from a digital satellite tuner card for hard drive recording.
History
It was used by Iraqi insurgents from the group Kata'ib Hezbollah to intercept MQ-1 Predato ...
*The
Sniffer
*
snoop
*
tcpdump
tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distribut ...
*
Observer Analyzer
*
Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 d ...
(formerly known as Ethereal)
*
Xplico
Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng).
Unlike the protocol analyzer, whose main characteristic ...
Open source Network Forensic Analysis Tool
See also
*
Bus analyzer
A bus analyzer is a type of a protocol analysis tool, used for capturing and analyzing communication data across a specific interface bus, usually embedded in a hardware system. The bus analyzer functionality helps design, test and validation eng ...
*
Logic analyzer
A logic analyzer is an electronic instrument that captures and displays multiple signals from a digital system or digital circuit. A logic analyzer may convert the captured data into timing diagrams, protocol decodes, state machine traces, a ...
*
Network detector
Network detectors or network discovery software are computer programs that facilitate detection of wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards.''Wireless Hacking for Dummies''. Discovering networks may be done through acti ...
*
pcap
In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of ''packet capture'', that is not the API's proper name. Unix-like systems ...
*
Signals intelligence
Signals intelligence (SIGINT) is intelligence-gathering by interception of ''signals'', whether communications between people (communications intelligence—abbreviated to COMINT) or from electronic signals not directly used in communication ( ...
*
Traffic generation model
A traffic generation model is a stochastic model of the traffic flows or data sources in a communication network, for example a cellular network or a computer network. A packet generation model is a traffic generation model of the packet flows or ...
Notes
References
External links
*
{{Authority control
Network analyzers
Packets (information technology)
Wireless networking
Deep packet capture