A packet analyzer (also packet sniffer or network analyzer) is a

computer program A computer program is a sequence or set of instructions in a programming language for a computer to Execution (computing), execute. It is one component of software, which also includes software documentation, documentation and other intangibl ...

computer hardware Computer hardware includes the physical parts of a computer, such as the central processing unit (CPU), random-access memory (RAM), motherboard, computer data storage, graphics card, sound card, and computer case. It includes external devices ...

such as a packet capture appliance that can analyze and log traffic that passes over a

computer network A computer network is a collection of communicating computers and other devices, such as printers and smart phones. In order to communicate, the computers and devices must be connected by wired media like copper cables, optical fibers, or b ...

or part of a network. Packet capture is the process of intercepting and logging traffic. As

data stream In connection-oriented communication, a data stream is the transmission of a sequence of digitally encoded signals to convey information. Typically, the transmitted symbols are grouped into a series of packets. Data streaming has become u ...

s flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications. A packet analyzer used for intercepting traffic on wireless networks is known as a wireless analyzer - those designed specifically for

Wi-Fi Wi-Fi () is a family of wireless network protocols based on the IEEE 802.11 family of standards, which are commonly used for Wireless LAN, local area networking of devices and Internet access, allowing nearby digital devices to exchange data by ...

networks are Wi-Fi analyzers. While a packet analyzer can also be referred to as a network analyzer or

protocol analyzer A protocol analyzer is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Such a channel varies from a local computer bus to a satellite link, that provides a means of communication u ...

these terms can also have other meanings. Protocol analyzer can technically be a broader, more general class that includes packet analyzers/sniffers. However, the terms are frequently used interchangeably.

Capabilities

On wired shared-medium networks, such as

Ethernet Ethernet ( ) is a family of wired computer networking technologies commonly used in local area networks (LAN), metropolitan area networks (MAN) and wide area networks (WAN). It was commercially introduced in 1980 and first standardized in 198 ...

Token Ring Token Ring is a Physical layer, physical and data link layer computer networking technology used to build local area networks. It was introduced by IBM in 1984, and standardized in 1989 as IEEE Standards Association, IEEE 802.5. It uses a sp ...

, and

FDDI Fiber Distributed Data Interface (FDDI) is a standard for data transmission in a local area network. It uses optical fiber as its standard underlying physical medium. It was also later specified to use copper cable, in which case it may be c ...

, depending on the network structure ( hub or

switch In electrical engineering, a switch is an electrical component that can disconnect or connect the conducting path in an electrical circuit, interrupting the electric current or diverting it from one conductor to another. The most common type o ...

), it may be possible to capture all traffic on the network from a single machine. On modern networks, traffic can be captured using a network switch using

port mirroring Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require moni ...

, which mirrors all packets that pass through designated ports of the switch to another port, if the switch supports port mirroring. A

network tap A network tap is a system that monitors events on a local network. A tap is typically a dedicated hardware device, which provides a way to access the data flowing across a computer network. The network tap has (at least) three ports: an ''A port ...

is an even more reliable solution than to use a monitoring port since taps are less likely to drop packets during high traffic load. On

wireless LAN A wireless LAN (WLAN) is a wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office building ...

s, traffic can be captured on one channel at a time, or by using multiple adapters, on several channels simultaneously. On wired broadcast and wireless LANs, to capture

unicast Unicast is data transmission from a single sender (red) to a single receiver (green). Other devices on the network (yellow) do not participate in the communication. In computer networking, unicast is a one-to-one transmission from one point in ...

traffic between other machines, the

network adapter A network interface controller (NIC, also known as a network interface card, network adapter, LAN adapter and physical network interface) is a computer hardware component that connects a computer to a computer network. Early network interface ...

capturing the traffic must be in

promiscuous mode In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rath ...

. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set the adapter is configured for are usually ignored. To see those packets, the adapter must be in

monitor mode Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. Unlike promiscuous mode, which is also used for packet sniffing, ...

. No special provisions are required to capture

multicast In computer networking, multicast is a type of group communication where data transmission is addressed to a group of destination computers simultaneously. Multicast can be one-to-many or many-to-many distribution. Multicast differs from ph ...

traffic to a multicast group the packet analyzer is already monitoring, or

broadcast Broadcasting is the data distribution, distribution of sound, audio audiovisual content to dispersed audiences via a electronic medium (communication), mass communications medium, typically one using the electromagnetic spectrum (radio waves), ...

traffic. When traffic is captured, either the entire contents of packets or just the headers are recorded. Recording just headers reduces storage requirements, and avoids some privacy legal issues, yet often provides sufficient information to diagnose problems. Captured information is decoded from raw digital form into a human-readable format that lets engineers review exchanged information. Protocol analyzers vary in their abilities to display and analyze data. Some protocol analyzers can also generate traffic. These can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test the

device under test A device under test (DUT), also known as equipment under test (EUT) and unit under test (UUT), is a manufactured product undergoing testing, either at first manufacture or later during its life cycle as part of ongoing functional testing and calibr ...

's ability to handle errors. Protocol analyzers can also be hardware-based, either in probe format or, as is increasingly common, combined with a disk array. These devices record packets or packet headers to a disk array.

Uses

Packet analyzers can: * Analyze network problems * Detect network intrusion attempts * Detect network misuse by internal and external users * Documenting regulatory compliance through logging all perimeter and endpoint traffic * Gain information for effecting a network intrusion * Identify data collection and sharing of software such as operating systems (for strengthening

privacy Privacy (, ) is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. The domain of privacy partially overlaps with security, which can include the concepts of a ...

, control and security) * Aid in gathering information to isolate exploited systems * Monitor WAN bandwidth utilization * Monitor network usage (including internal and external users and systems) * Monitor data in transit * Monitor WAN and

endpoint security Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, and other wireless devices t ...

status * Gather and report network statistics * Identify suspect content in network traffic * Troubleshoot performance problems by monitoring network data from an application * Serve as the primary data source for day-to-day network monitoring and management * Spy on other network users and collect sensitive information such as login details or users cookies (depending on any content

encryption In Cryptography law, cryptography, encryption (more specifically, Code, encoding) is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the inf ...

methods that may be in use) *

Reverse engineer Reverse engineering (also known as backwards engineering or back engineering) is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accompl ...

proprietary protocol In telecommunications, a proprietary protocol is a communications protocol owned by a single organization or individual. Intellectual property rights and enforcement Ownership by a single organization gives the owner the ability to place restricti ...

s used over the network * Debug client/server communications * Debug network protocol implementations * Verify adds, moves, and changes * Verify internal control system effectiveness ( firewalls, access control, Web filter, spam filter, proxy) Packet capture can be used to fulfill a warrant from a

law enforcement agency A law enforcement agency (LEA) is any government agency responsible for law enforcement within a specific jurisdiction through the employment and deployment of law enforcement officers and their resources. The most common type of law enforcement ...

wiretap Wiretapping, also known as wire tapping or telephone tapping, is the monitoring of telephone and Internet-based conversations by a third party, often by covert means. The wire tap received its name because, historically, the monitoring connecti ...

all network traffic generated by an individual.

Internet service provider An Internet service provider (ISP) is an organization that provides a myriad of services related to accessing, using, managing, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, no ...

s and

VoIP Voice over Internet Protocol (VoIP), also known as IP telephony, is a set of technologies used primarily for voice communication sessions over Internet Protocol (IP) networks, such as the Internet. VoIP enables voice calls to be transmitted as ...

providers in the United States must comply with Communications Assistance for Law Enforcement Act regulations. Using packet capture and storage, telecommunications carriers can provide the legally required secure and separate access to targeted network traffic and can use the same device for internal security purposes. Collecting data from a carrier system without a warrant is illegal due to laws about interception. By using

end-to-end encryption End-to-end encryption (E2EE) is a method of implementing a secure communication system where only communicating users can participate. No one else, including the system provider, telecom providers, Internet providers or malicious actors, can ...

, communications can be kept confidential from telecommunication carriers and legal authorities.

Notable packet analyzers

* Allegro Network Multimeter * Capsa Network Analyzer * Charles Web Debugging Proxy *

Carnivore (software) Carnivore, later renamed DCS1000, was a system implemented by the Federal Bureau of Investigation (FBI) that was designed to monitor email and electronic communications. It used a customizable packet sniffer that could monitor all of a target use ...

CommView CommView is an application for network monitoring, packet analysis, and decoding. There are two editions of CommView: the standard edition for Ethernet networks and the wireless edition for 802.11 networks named CommView for WiFi. The applicati ...

* dSniff * EndaceProbe Packet Capture Platform * ettercap *

Fiddler A fiddle is a bowed string musical instrument, most often a violin or a bass. It is a colloquial term for the violin, used by players in all genres, including classical music. Although in many cases violins and fiddles are essentially syno ...

* Kismet * Lanmeter * Microsoft Network Monitor * NarusInsight * NetScout Systems nGenius Infinistream *

ngrep ngrep (Computer network, network grep) is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library. ngrep supports Berkeley Packet Filter (Berkeley Packet Fil ...

, Network Grep *

OmniPeek Omnipeek is a packet analyzer software tool from Savvius, a LiveAction company, for network troubleshooting and protocol analysis. It supports an application programming interface (API) for plugins. History Savvius (formerly WildPackets) was ...

, Omnipliance by Savvius * SkyGrabber *The Sniffer * snoop * tcpdump * Observer Analyzer *

Wireshark Wireshark is a Free and open-source software, free and open-source packet analyzer. It is used for computer network, network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, ...

(formerly known as Ethereal) * Xplico Open source Network Forensic Analysis Tool

Notes

References

External links