
Network packet analyzers. Network analyzers

Original: 8 best packet sniffers and network analyzers
Author: Jon Watson
Publication date: November 22, 2017
Translation: A. Krivoshey
Translation date: December 2017

Packet sniffing is a colloquial term for the art of capturing network traffic. Contrary to popular belief, things like emails and web pages do not travel across the Internet in one piece. They are broken into thousands of small data packets and sent that way. In this article, we will look at the best free network analyzers and packet sniffers.

There are many utilities that collect network traffic, and most of them use pcap (on Unix-like systems) or libcap (on Windows) at their core. A second kind of utility helps analyze that data, since even a small amount of traffic can produce thousands of packets that are hard to navigate. Almost all of these utilities differ little from each other in how they collect data; the main differences lie in how they analyze it.

Analyzing network traffic requires understanding how the network works. No tool magically replaces an analyst's knowledge of basic networking, such as the TCP "3-way handshake" used to initiate a connection between two devices. Analysts also need some understanding of the kinds of traffic present on a normally functioning network, such as ARP and DHCP. This knowledge matters because analysis tools will simply show you what you ask them for, and it is up to you to decide what to ask. If you don't know what your network usually looks like, it is hard to tell that you have found what you are looking for in the mass of packets you have captured.

The best packet sniffers and network analyzers

Enterprise tools

Let's start at the top and then work down to the basics. If you are dealing with an enterprise-level network, you will need the big guns. While almost everything uses tcpdump at its core (more on that later), enterprise-level tools solve certain tricky problems, such as correlating traffic from multiple servers, providing intelligent queries to identify problems, alerting you to exceptions, and producing the good-looking graphs that management always demands.

Enterprise-level tools tend to focus on network traffic flows rather than on evaluating the contents of packets. By this I mean that the main concern of most system administrators in an enterprise is making sure the network has no performance bottlenecks. When such bottlenecks occur, the goal is usually to determine whether the problem is caused by the network or by an application on the network. In addition, these tools can usually handle so much traffic that they can help predict when a network segment will become fully loaded, which is a critical point in network bandwidth management.

1. SolarWinds Deep Packet Inspection and Analysis Tool

SolarWinds offers a very large set of IT management tools. For this article, the Deep Packet Inspection and Analysis utility that is part of that suite is the most relevant. Collecting network traffic is quite simple. With tools like Wireshark, basic analysis is not a problem either. But the situation is not always completely clear. On a very busy network, it can be difficult to determine even very simple things, such as:

- which application on the network is generating this traffic?
- if the application is known (say, a web browser), where do its users spend most of their time?
- which connections are the longest and overload the network?

Most network devices use only the metadata of each packet to make sure the packet goes where it needs to go; the contents of the packet are unknown to the device. Deep packet inspection is different: the actual content of the packet is examined. In this way, critical network information that cannot be gleaned from metadata can be discovered. Tools like those provided by SolarWinds can deliver more meaningful data than traffic flow alone.

Other data-intensive network management technologies include NetFlow and sFlow. Each has its own strengths and weaknesses.

You can learn more about NetFlow and sFlow.

Network analysis in general is an advanced topic that rests both on acquired knowledge and on practical experience. It is possible to teach a person detailed knowledge of network packets, but if that person does not know the network itself and has no experience detecting anomalies, they will not do very well. The tools described in this article should be used by experienced network administrators who know what they want but are not sure which tool is best. They can also be used by less experienced system administrators to gain day-to-day networking experience.

Basics

2. Tcpdump

The main tool for collecting network traffic is tcpdump.

It is an open source application that is installed on almost all Unix-like operating systems. Tcpdump is a great data collection utility with a very sophisticated filtering language. It is important to know how to filter data as you collect it so that you end up with a manageable data set for analysis. Capturing all the data from a network device, even on a moderately busy network, can generate more data than you can reasonably analyze.

In some rare cases, printing the data captured by tcpdump directly to the screen is enough to find what you need. For example, while writing this article, I collected traffic and noticed that my machine was sending traffic to an IP address I did not recognize. It turned out my machine was sending data to the Google IP address 172.217.11.142. Since I had no Google products installed and did not have Gmail open, I did not know why this was happening. I checked my system and found the following:

[ ~ ]$ ps -ef | grep google
user 1985 1881 0 10:16 ? 00:00:00 /opt/google/chrome/chrome --type=service

It turns out that even when Chrome is not open, it keeps running as a service. I would not have noticed this without packet sniffing. I captured a few more packets, but this time I had tcpdump write the data to a file, which I then opened in Wireshark (more on that later). Here are the entries:

Tcpdump is a favorite tool of system administrators because it is a command-line utility: it does not need a GUI to run. On production servers a graphical interface is undesirable, since it consumes system resources, so command-line programs are preferred. Like many modern utilities, tcpdump has a very rich and complex language that takes some time to master. A few of the most basic options select the network interface to collect data from and write that data to a file so it can be exported for analysis elsewhere. The -i and -w switches are used for this.

# tcpdump -i eth0 -w tcpdump_packets
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
51 packets captured

This command creates a file with captured data:

# file tcpdump_packets
tcpdump_packets: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)

The standard for such files is the pcap format. It is not a text format, so it can only be read by programs that understand pcap.

3. Windump

Most useful open source utilities end up being cloned onto other operating systems. When this happens, the application is said to have been ported. Windump is a port of tcpdump and behaves in a very similar way.

The most significant difference between Windump and tcpdump is that Windump needs the Winpcap library installed before it can run. Even though Windump and Winpcap are provided by the same maintainer, they must be downloaded separately.

Winpcap is a library that must be installed beforehand. Windump, on the other hand, is an exe file that needs no installation, so you can just run it. This is worth keeping in mind on a Windows network: you do not have to install Windump on every machine, since you can simply copy it where needed, but you will need Winpcap on each machine to support Windump.

As with tcpdump, Windump can display network data for analysis, filter in the same way, and write the data to a pcap file for later analysis.

4. Wireshark

Wireshark is the next best-known tool in the sysadmin's kit. It not only lets you capture data but also provides some advanced analysis tools. In addition, Wireshark is open source and has been ported to almost every existing server operating system. Formerly called Ethereal, Wireshark now runs everywhere, including as a standalone portable application.

If you are analyzing traffic on a server with a GUI, Wireshark can do everything for you: it can collect the data and then analyze it right there. However, GUIs are rare on servers, so more often you collect network data remotely and then examine the resulting pcap file in Wireshark on your own computer.

When first launched, Wireshark allows you to either load an existing pcap file or run a traffic capture. In the latter case, you can additionally set filters to reduce the amount of data collected. If you don't specify a filter, Wireshark will simply collect all network data from the selected interface.

One of the most useful features of Wireshark is the ability to follow a stream. It is best to think of a stream as a chain of related packets. In the screenshot below, we can see a lot of captured data, but I was most interested in the Google IP address. I can right-click and follow the TCP stream to see the whole chain.

If the traffic was captured on another computer, you can import the PCAP file using the Wireshark File -> Open dialog. The same filters and tools are available for imported files as for captured network data.

5. Tshark

Tshark is a very useful link between tcpdump and Wireshark. Tcpdump excels at data collection and can surgically extract only the data you need, but its analysis capabilities are very limited. Wireshark does a great job of both capturing and analyzing, but it has a heavy user interface and cannot be used on servers without a GUI. For those, try tshark, which works on the command line.

Tshark uses the same filtering rules as Wireshark, which should come as no surprise since they are essentially the same product. The command below tells tshark to grab only the destination IP address and a few other fields of interest from the HTTP part of each packet.

# tshark -i eth0 -Y http.request -T fields -e ip.dst -e http.user_agent -e http.request.uri
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /images/title.png
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /images/styles/phoenix.css
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /images/code/jquery_lightbox/jquery_lightbox/js/jquery-1.2.6.pack.js
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /images/styles/index.css
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /images/images/title.png
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /favicon.ico
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /favicon.ico

If you want to write the traffic to a file, use the -w option, and then the -r (read) switch to read it back.

Capture first:

# tshark -i eth0 -w tshark_packets
Capturing on 'eth0'
102 ^C

Read it back here, or move the file somewhere else for analysis.

# tshark -r tshark_packets -Y http.request -T fields -e ip.dst -e http.user_agent -e http.request.uri
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /contact
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /reservations/
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /reservations/styles/styles.css
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /res/code/jquery_lightbox/jquery_lightbox/js/jquery-1.2.6.pack.js
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /res/styles/index.css
172.20.0.122    Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0    /res/images/title.png
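The tcpdump section above says a pcap file "can only be read by programs that understand pcap", and the tshark commands pull ip.dst, http.user_agent and http.request.uri out of such a file. The following added example (not code from the article, tcpdump or Wireshark) does both by hand: it walks the pcap global header and per-packet records, decodes Ethernet/IPv4/TCP, and reports the same three fields for every HTTP request. The capture bytes, MAC addresses and the 172.20.0.x hosts are constructed for the example.

```python
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def parse_pcap(data: bytes) -> list[dict]:
    """Walk the 24-byte global header and the 16-byte per-packet records of a
    classic pcap file; stop cleanly on a truncated last record (tcpdump killed
    mid-write) and keep only the records that were fully written."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":      # magic 0xa1b2c3d4 written little-endian
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":    # same magic from a big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic mismatch)")
    _magic, major, minor, _tz, _sig, _snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if (major, minor) != (2, 4) or linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported pcap version {major}.{minor} or linktype {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                            # record cut short: capture was truncated here
        off += 16 + incl_len
        packets.append(decode_frame(ts_sec + ts_usec / 1e6, frame))
    return packets


def decode_frame(ts: float, frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP; other protocols are left undecoded (fields None)."""
    pkt = {"ts": ts, "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
           "src_ip": None, "dst_ip": None, "proto": None,
           "src_port": None, "dst_port": None, "payload": b""}
    if len(frame) < 34 or struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack(">H", ip[2:4])[0]
    pkt["proto"] = ip[9]
    pkt["src_ip"] = ".".join(str(b) for b in ip[12:16])
    pkt["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    if pkt["proto"] != IPPROTO_TCP or len(ip) < ihl + 20 or total_len < ihl + 20:
        return pkt
    tcp = ip[ihl:total_len]                  # total_len drops any Ethernet padding
    pkt["src_port"], pkt["dst_port"] = struct.unpack(">HH", tcp[0:4])
    pkt["payload"] = tcp[(tcp[12] >> 4) * 4:]
    return pkt


def http_requests(packets: list[dict]) -> list[tuple[str, str, str]]:
    """(ip.dst, http.user_agent, http.request.uri) for every HTTP request segment.
    A request is recognised by its request line rather than by port 80, so HTTP
    on an unusual port is still reported; responses and bare ACKs are not."""
    rows = []
    for p in packets:
        head = p["payload"].partition(b"\r\n\r\n")[0]
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
            continue
        user_agent = ""
        for line in lines[1:]:
            name, _, value = line.partition(b":")   # splits at the first colon only
            if name.strip().lower() == b"user-agent":
                user_agent = value.strip().decode("latin-1")
        rows.append((p["dst_ip"], user_agent, parts[1].decode("latin-1")))
    return rows


def build_sample_pcap() -> bytes:
    """Constructed capture: two requests (one on port 8080), a bare ACK and a response."""
    def frame(src_ip, dst_ip, sport, dport, payload):
        eth = bytes.fromhex("00163e000002") + bytes.fromhex("00163e000001") + struct.pack(">H", ETHERTYPE_IPV4)
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, IPPROTO_TCP, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
        tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)  # checksums left 0
        return eth + ip + tcp + payload
    ua = b"Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
    frames = [
        frame("172.20.0.10", "172.20.0.122", 51234, 80,
              b"GET /images/title.png HTTP/1.1\r\nHost: 172.20.0.122\r\nUser-Agent: " + ua + b"\r\n\r\n"),
        frame("172.20.0.10", "172.20.0.122", 51234, 80, b""),
        frame("172.20.0.122", "172.20.0.10", 80, 51234, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        frame("172.20.0.10", "172.20.0.122", 51236, 8080, b"GET /favicon.ico HTTP/1.1\r\nuser-agent: " + ua + b"\r\n\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1511366400 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for dst, agent, uri in http_requests(parse_pcap(build_sample_pcap())):
        print(dst, agent, uri, sep="\t")
```

Run against a real tcpdump_packets file by replacing build_sample_pcap() with the file's bytes; the port-8080 request shows why matching on the request line finds traffic that a port-80 filter would miss.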

6. Network Miner

This is a very interesting tool that falls into the category of network forensic analysis tools rather than plain sniffers. Forensics is about investigation and evidence gathering, and Network Miner does that job well. Just as Wireshark can follow a TCP stream to recover the entire chain of packet transfers, Network Miner can follow a stream to recover files that were transferred over the network.

Network Miner can be placed strategically on the network to observe and collect the traffic you are interested in in real time. It generates no traffic of its own, so it operates completely passively.

Network Miner can also work offline. You can use tcpdump to collect packets at a point of interest on the network and then import the PCAP files into Network Miner. From there, you can try to recover any files or certificates found in the capture.

Network Miner is built for Windows, but with Mono it can be run on any OS that supports the Mono platform, such as Linux and macOS.

There is a free entry-level version with a decent set of features. If you need additional features such as geolocation and custom scripting, you will need to purchase a professional license.

7. Fiddler (HTTP)

Fiddler is not technically a network packet capture utility, but it is so incredibly useful that it earns a place on this list. Unlike the other tools listed here, which are designed to capture network traffic from any source, Fiddler is more of a debugging tool: it captures HTTP traffic. While many browsers already have this capability in their developer tools, Fiddler is not limited to browser traffic. It can capture any HTTP traffic on your computer, including that of non-web applications.

Many desktop applications use HTTP to connect to web services, and apart from Fiddler, the only way to capture such traffic for analysis is with tools like tcpdump or Wireshark. Those work at the packet level, however, so for analysis you must reassemble the packets into HTTP streams yourself. That can be a lot of work for a simple investigation, and this is where Fiddler comes in. Fiddler can help reveal cookies, certificates, and other useful data sent by applications.

Fiddler is free and, like Network Miner, it can be run in Mono on almost any operating system.

8. Capsa

The Capsa Network Analyzer comes in several editions, each with different capabilities. At the first level, Capsa is free and essentially lets you capture packets and do some basic graphical analysis of them. The dashboard is distinctive and can help an inexperienced system administrator quickly identify network problems. The free tier is for people who want to learn more about packets and build up their analysis skills.

The free version can monitor more than 300 protocols, is suitable for email monitoring as well as saving email content, and supports triggers that fire alerts when certain conditions occur. In this respect, Capsa can to some extent be used as a support tool.

Capsa is only available for Windows 2008/Vista/7/8 and 10.

Conclusion

It is easy to see how a system administrator can build a network monitoring infrastructure from the tools described here. Tcpdump or Windump can be installed on all servers. A scheduler, such as cron or the Windows scheduler, starts a packet collection session at the right time and writes the collected data to a pcap file. The system administrator then sends these files to a central machine and analyzes them with Wireshark. If the network is too large for this, enterprise-grade tools such as SolarWinds can turn all the network packets into a manageable data set.

Read other articles about network traffic interception and analysis:

  • Dan Nanni, Command Line Utilities for Monitoring Network Traffic in Linux
  • Paul Cobbaut, Linux Systems Administration. Interception of network traffic
  • Paul Ferrill, 5 Linux Network Monitoring Tools
  • Pankaj Tanwar, Capturing Packets with the libpcap Library
  • Riccardo Capecchi, Using Wireshark Filters
  • Nathan Willis, Network Analysis with Wireshark
  • Prashant Phatak,

The need to analyze network traffic can arise for several reasons. Monitoring computer security, debugging the local network, monitoring outgoing traffic to optimize a shared Internet connection: all of these tasks regularly face system administrators and ordinary users. To handle them there are many utilities called sniffers, both specialized ones aimed at a narrow set of tasks and multifunctional all-in-one suites that give the user a wide choice of tools. This article introduces one representative of the latter group, the CommView utility made by Tamosoft. The program lets you see the full picture of the traffic passing through a computer or a local network segment; a customizable alarm system can warn about suspicious packets in the traffic, the appearance of hosts with abnormal addresses on the network, or an increase in network load.

CommView can keep statistics on all IP connections, decode IP packets down to a low level and analyze them. The built-in filtering system, based on several parameters, lets you track only the packets you need, which makes their analysis more efficient. The program recognizes packets from more than seven dozen of the most common protocols (including DDNS, DHCP, DIAG, DNS, FTP, HTTP, HTTPS, ICMP, ICQ, IMAP, IPsec, IPv4, IPv6, IPX, LDAP, MS SQL, NCP, NetBIOS, NFS, NLSP, POP3, PPP, PPPoE, SMB, SMTP, SOCKS, SPX, SSH, TCP, TELNET, UDP, WAP, etc.) and can save them to files for later analysis. Many other tools, such as identifying the network adapter manufacturer from the MAC address, HTML reconstruction, and remote packet capture with the optional CommView Remote Agent utility, can also be useful in certain cases.

Working with the program

First you need to select the network interface on which traffic will be monitored.

CommView supports almost any type of Ethernet adapter (10, 100 and 1000 Mbps), as well as analog modems, xDSL, Wi-Fi, etc. When analyzing the traffic of an Ethernet adapter, CommView can intercept not only incoming and outgoing packets but also transit packets addressed to any of the computers on the local network segment. Note that if the task is to monitor all traffic on a local network segment, the computers in it must be connected through a hub rather than a switch, since a switch only delivers each frame to its destination port. Some switch models have a port mirroring feature, which also allows them to be configured for network monitoring with CommView. You can read more about this. After selecting the desired connection, you can start capturing packets; the capture start and stop buttons are located next to the interface selection line. To work with the remote access controller, VPN and PPPoE, the appropriate driver must be installed when the program is installed.

The main window of the program is divided into several tabs, each responsible for a particular area of work. The first, "Current IP Connections", displays detailed information about the computer's active IP connections. Here you can see the local and remote IP address, the number of transmitted and received packets, the direction of transmission, the number of established IP sessions, the ports, the host name (if DNS resolution is not disabled in the program settings), and the name of the process that receives or transmits the packets of the session. The last item is not available for transit packets or on computers running Windows 9x/ME.

Current IP Connections tab

Right-clicking a connection opens a context menu with tools to help you analyze the connections. Here you can see the amount of data transferred within the connection, the full list of ports used, and detailed information about the process that receives or transmits the packets of the session. CommView also lets you create aliases for MAC and IP addresses. By assigning aliases in place of the cumbersome numeric addresses of local network machines, you get easily readable and memorable computer names, which makes the analysis of connections easier.

To create an alias for an IP address, select "Create an alias" and then "using local IP" or "using remote IP" from the context menu. In the window that appears, the IP address field is already filled in, and all that remains is to enter a suitable name. If a new IP name entry is created by right-clicking a packet, the name field is automatically populated with the host name (if available) and can be edited. The same applies to MAC aliases.

From the same menu, by selecting SmartWhois, you can send the selected source or destination IP address to SmartWhois, a stand-alone Tamosoft application that collects information about any IP address or hostname (network name, domain, country, state or province, city) and presents it to the user.

The second tab, "Packets", displays all packets captured on the selected network interface along with detailed information about them.

Packets tab

The window is divided into three areas. The first displays a list of all captured packets. If you select one of the packets in it by clicking it, the remaining areas show information about it. The list shows the packet number, protocol, MAC and IP addresses of the sending and receiving hosts, the ports used, and the time the packet appeared.

The middle area displays the contents of the packet, in hexadecimal or text form. In the latter case, non-printable characters are replaced by dots. If several packets are selected at once in the upper area, the middle area shows the total number of selected packets, their total size, and the time interval between the first and last packet.

The lower window displays the decoded detailed information about the selected packet.

By clicking one of the three buttons in the lower right part of the window, you can choose where the decoding pane sits: at the bottom, or aligned to the left or right. The other two buttons let you jump automatically to the last received packet and keep the selected packet within the visible list area.

The context menu lets you copy MAC addresses, IP addresses and entire packets to the clipboard, assign aliases, apply a quick filter to select the required packets, and also use the TCP Session Reconstruction and Packet Generator tools.

The TCP Session Reconstruction tool lets you view the exchange between two hosts over TCP. To make the contents of the session easier to read, you select the appropriate "display logic". This feature is most useful for recovering textual information such as HTML or ASCII.

The resulting data can be exported as a text, RTF, or binary file.

The "Log files" tab is where you configure how captured packets are saved to a file. CommView saves log files in its native NCF format; to view them, a built-in utility is used, which can be launched from the File menu.

You can enable autosaving of captured packets as they arrive, keep HTTP session logs in TXT and HTML formats, and save, delete, merge and split log files. Keep in mind that a packet is not written to disk the moment it arrives, so when you view the live log it will most likely not contain the most recent packets. To make the program flush its buffer to the file immediately, click the "Finish Capture" button.

In the "Rules" tab you can set the conditions for intercepting or ignoring packets.

Filtering rules make it easier to select and analyze the packets you need. They also greatly reduce the amount of system resources CommView uses.

To enable a rule, select the appropriate section on the left side of the window. Seven types of rules are available in total: the simple ones ("Protocols and direction", "MAC addresses", "IP addresses", "Ports", "Text", "TCP flags", "Process") and the universal "Formulas" rule. For each of the simple rules you can select individual parameters, such as the direction or protocol. The universal Formula rule is a powerful and flexible mechanism for building filters with boolean logic. A detailed reference on its syntax can be found in the user manual.

The "Alerts" tab lets you configure notifications about various events occurring in the network segment under study.

The Alerts tab allows you to create, modify and delete alert rules, and to view current events that match those rules.

To set up an alert rule, click the "Add..." button and, in the window that opens, select the conditions under which the notification fires as well as the method of notifying the user.

CommView allows you to set the following types of events to monitor:

  • "Packet detection": a packet matching the specified formula. The formula syntax is described in detail in the user manual;
  • "Bytes per second": triggered when the specified network load level is exceeded;
  • "Packets per second": triggered when the specified packet rate is exceeded;
  • "Broadcasts per second": the same, for broadcast packets only;
  • "Multicasts per second": the same, for multicast packets;
  • "Unknown MAC address": can be used to detect new or unauthorized equipment connecting to the network, once a list of known addresses has been entered via the "Configure" option;
  • "Unknown IP address": triggered when packets with an unknown source or destination IP address are intercepted. With a pre-specified list of known addresses, this warning can be used to detect unauthorized connections through the corporate firewall.
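The alert types listed above are simple enough to reproduce outside the product. The following added example (not CommView's code) re-implements the unknown-MAC, unknown-IP and per-second threshold alerts as plain Python over already-decoded packet records; the records, the known-address lists and the thresholds are all constructed for illustration.

```python
from collections import defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def unknown_mac_alerts(records, known_macs):
    """'Unknown MAC address': a source MAC that is not on the pre-configured list.
    Each new MAC is reported once, the first time it is seen on the segment."""
    seen, alerts = set(), []
    for r in records:
        mac = r["src_mac"]
        if mac not in known_macs and mac not in seen:
            seen.add(mac)
            alerts.append(("unknown_mac", r["ts"], mac))
    return alerts


def unknown_ip_alerts(records, known_ips):
    """'Unknown IP address': a source or destination address outside the known set.
    Records without an IP layer (ARP, for example) carry None and are skipped."""
    alerts = []
    for r in records:
        for ip in (r["src_ip"], r["dst_ip"]):
            if ip is not None and ip not in known_ips:
                alerts.append(("unknown_ip", r["ts"], ip))
    return alerts


def rate_alerts(records, max_bps, max_pps, max_bcast_ps):
    """'Bytes per second', 'Packets per second' and 'Broadcasts per second':
    bucket the capture into whole seconds and raise one alert per second per
    counter whose value exceeds its threshold."""
    bps, pps, bcast = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in records:
        sec = int(r["ts"])
        bps[sec] += r["length"]
        pps[sec] += 1
        if r["dst_mac"] == BROADCAST_MAC:
            bcast[sec] += 1
    alerts = []
    for sec in sorted(pps):
        if bps[sec] > max_bps:
            alerts.append(("bytes_per_second", sec, bps[sec]))
        if pps[sec] > max_pps:
            alerts.append(("packets_per_second", sec, pps[sec]))
        if bcast[sec] > max_bcast_ps:
            alerts.append(("broadcasts_per_second", sec, bcast[sec]))
    return alerts


def evaluate(records, known_macs, known_ips, max_bps=10_000, max_pps=10, max_bcast_ps=3):
    """Run all alert rules and return the alerts in time order."""
    alerts = (unknown_mac_alerts(records, known_macs)
              + unknown_ip_alerts(records, known_ips)
              + rate_alerts(records, max_bps, max_pps, max_bcast_ps))
    return sorted(alerts, key=lambda a: a[1])


def sample_records():
    """Constructed capture: a quiet second, a second with a burst from a known host
    plus one packet from an unknown MAC, and a single packet to an external address."""
    def rec(ts, src_mac, dst_mac, src_ip, dst_ip, length):
        return {"ts": ts, "src_mac": src_mac, "dst_mac": dst_mac,
                "src_ip": src_ip, "dst_ip": dst_ip, "length": length}
    m1, m2, gw = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:fe"
    recs = [rec(100.0 + i / 10, m1, gw, "10.0.0.10", "10.0.0.1", 200) for i in range(3)]
    recs += [rec(101.0 + i / 100, m2, gw, "10.0.0.20", "10.0.0.1", 1500) for i in range(10)]
    recs += [rec(101.5 + i / 100, m1, BROADCAST_MAC, None, None, 60) for i in range(4)]   # ARP who-has
    recs.append(rec(101.9, "de:ad:be:ef:00:01", gw, "10.0.0.99", "10.0.0.1", 74))           # new device
    recs.append(rec(102.3, m1, gw, "10.0.0.10", "203.0.113.7", 120))                        # outbound to unknown
    return recs


if __name__ == "__main__":
    known_macs = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:fe"}
    known_ips = {"10.0.0.1", "10.0.0.10", "10.0.0.20"}
    for kind, when, detail in evaluate(sample_records(), known_macs, known_ips):
        print(f"{when:8.2f}  {kind:22}  {detail}")
```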

CommView has a powerful tool for visualizing statistics on the traffic under study. To open the statistics window, select the item of the same name from the "View" menu.

Statistics window in General mode

This window shows the network traffic statistics: the number of packets per second, bytes per second, and the distribution of Ethernet, IP and sub-protocols. The charts can be copied to the clipboard, which helps when reporting is needed.

Availability, cost, system requirements

The current version of the program is CommView 5.1. From the Tamosoft website you can download a trial version, which will function for 30 days.

The developer offers buyers two license options:

  • Home License, costing 2000 rubles, grants the right to use the program at home on a non-commercial basis; the number of hosts available for monitoring in the home network is limited to five. This type of license does not allow remote work with the Remote Agent.
  • Enterprise License (corporate, costing 10,000 rubles) grants the right to commercial and non-commercial use of the program by one person, who personally uses it on one or more machines. The program can also be installed on one workstation and used by several people, but not simultaneously.

The application runs on Windows 98/Me/NT/2000/XP/2003. It requires an Ethernet, Wireless Ethernet or Token Ring network adapter with NDIS 3.0 support, or a standard remote access controller.

Pros:

  • localized interface;
  • excellent help system;
  • support for different types of network adapters;
  • advanced packet analysis and protocol definition tools;
  • statistics visualization;
  • functional warning system.

Minuses:

  • too high cost;
  • lack of presets for interception rules and warnings;
  • not very convenient packet selection mechanism in the "Packets" tab.

Conclusion

With its excellent functionality and user-friendly interface, CommView can become an indispensable tool for local network administrators, Internet service providers and home users. I was pleased with the developer's thorough approach to the Russian localization of the package: both the interface and the reference manual are done to a very high standard. The program's high cost somewhat spoils the picture, but the thirty-day trial version will help a potential buyer decide whether the purchase is worthwhile.

General information

Tools called network analyzers are named after the Sniffer Network Analyzer. This product was released in 1988 by Network General (now Network Associates) and was one of the first devices that let managers literally see what was happening on a large network from the comfort of their desk. The first analyzers read the headers of messages in the data packets sent over the network, giving administrators the sender and recipient addresses, file sizes, and other low-level information, in addition to checking that packets were transmitted correctly. Using graphs and text descriptions, the analyzers helped network administrators diagnose servers, network links, hubs and switches, and applications. Roughly speaking, a network sniffer listens to, or "sniffs", the packets on a specific physical network segment. This makes it possible to analyze traffic for patterns, fix certain problems, and identify suspicious activity. A network intrusion detection system is nothing more than an advanced analyzer that matches every packet on the network against a database of known malicious traffic patterns, much as an antivirus program does with files on a computer. Unlike the tools described earlier, analyzers operate at a lower level.

In terms of the OSI reference model, analyzers examine the two lowest layers: the physical layer and the data link layer.

OSI model layer number | Layer name         | Protocol examples
Level 7                | Application layer  | DNS, FTP, HTTP, SMTP, SNMP, Telnet
Level 6                | Presentation layer |
Level 5                | Session layer      |
Level 4                | Transport layer    | NetBIOS, TCP, UDP
Level 3                | Network layer      | ARP, IP, IPX, OSPF
Level 2                | Data link layer    | Arcnet, Ethernet, Token Ring
Level 1                | Physical layer     | Coaxial cable, optical fiber, twisted pair

The physical layer is the actual physical wiring or other medium used to build the network. At the data link layer, data is first encoded for transmission over a specific medium. Data link layer networking standards include 802.11 wireless, Arcnet, coaxial cable, Ethernet, Token Ring, and others. Analyzers are usually tied to the type of network they operate on: to analyze traffic on an Ethernet network, for example, you need an Ethernet analyzer.

There are commercial grade analyzers available from manufacturers such as Fluke, Network General and others. These are usually special hardware devices that can cost tens of thousands of dollars. While this hardware is capable of deeper analysis, it is possible to build an inexpensive network analyzer using open source software and an inexpensive Intel-based PC.

Types of analyzers

Many analyzers are produced today, and they fall into two types. The first comprises standalone products installed on a portable computer. A consultant can take it along when visiting a client's office and connect it to the network to collect diagnostic data.

Initially, portable devices for testing networks were designed solely to check the technical parameters of the cabling. Over time, however, manufacturers added a number of protocol analyzer functions to their equipment. Modern network analyzers can detect the widest range of possible problems, from physical damage to the cable to overloaded network resources.

The second type of analyzer is part of a broader category of network monitoring hardware and software that allows organizations to control their local and global network services, including the Web. These programs give administrators a holistic view of the health of the network. For example, with the help of such products, you can determine which applications are running at the moment, which users are registered on the network, and which of them generates the bulk of traffic.

In addition to identifying low-level network characteristics, such as the source and destination of packets, modern analyzers decode the received information at all seven layers of the Open Systems Interconnection (OSI) network stack and often issue recommendations for resolving problems. If analysis at the application layer does not yield an adequate recommendation, the analyzers examine a lower layer, the network layer.

Modern analyzers typically support the remote monitoring standards (RMON and RMON 2), which provide automatic retrieval of key performance data, such as information about the load on available resources. Analyzers that support RMON can regularly check the status of network components and compare the data received with previously accumulated data. If necessary, they issue a warning that traffic levels or performance exceed the limits set by network administrators.

NetScout Systems has introduced the nGenius Application Service Level Manager, a system designed to monitor the response time in certain sections of the access channel to the Web site and determine the current performance of the servers. This application can analyze public network performance in order to recreate the overall picture on the user's computer. Danish firm NetTest (formerly GN Nettest) has begun offering Fastnet, a network monitoring system that helps e-business companies plan link capacity and troubleshoot network problems.

Analysis of converged (multiservice) networks

The spread of multiservice (converged) networks may have a decisive impact on the development of telecommunications and data transmission systems in the future. The idea of combining, in a single network infrastructure based on a packet protocol, the ability to carry data, voice streams and video turned out to be very tempting for providers specializing in telecommunication services, because it can expand the range of services they offer substantially and almost at once.

As corporations begin to realize the efficiency and cost advantages of IP-based converged networks, network tool vendors are actively developing appropriate analyzers. In the first half of the year, many firms introduced components for their network administration products designed for voice over IP networks.

"Convergence has created new challenges for network administrators to deal with," said Glenn Grossman, director of product management at NetScout Systems. "Voice traffic is very sensitive to time delays. Analyzers can look at every bit and byte on the wire, interpret the headers, and automatically prioritize the data."

The use of voice and data convergence technologies may spark a new wave of interest in analyzers as support for traffic prioritization at the IP packet level becomes essential to the operation of voice and video services. For example, Sniffer Technologies has released Sniffer Voice, a toolkit designed for multiservice network administrators. This product not only provides traditional diagnostic services for managing email, Internet, and database traffic, but also detects network problems and provides recommendations for their resolution in order to ensure that voice traffic is correctly transmitted over IP networks.

The downside of using analyzers

It should be remembered that there are two sides of the coin associated with analyzers. They help keep the network up and running, but they can also be used by hackers to look up usernames and passwords in data packets. To prevent password interception by analyzers, packet headers are encrypted (for example, using the Secure Sockets Layer standard).

Ultimately, there is no alternative to a network analyzer when you need to understand what is happening in a wide area or corporate network. A good analyzer lets you understand the state of a network segment and determine the amount of traffic, how that volume varies throughout the day, which users create the largest load, and in which situations there are problems with traffic distribution or a lack of bandwidth. With an analyzer, all data fragments in the network segment can be obtained and analyzed for a given period.

However, network analyzers are expensive. If you plan to purchase it, then first clearly articulate what you expect from it.

Features of the use of network analyzers

To use network analyzers ethically and productively, the following guidelines should be followed.

Permission is always needed

Network analysis, like many other security functions, has the potential for misuse. By intercepting all data transmitted over the network, you can spy on passwords for various systems, the contents of email messages and other critical data, both internal and external, since most systems do not encrypt their traffic on the local network. If such data falls into the wrong hands, it can obviously lead to serious security breaches. It can also be a violation of employees' privacy. First of all, obtain written permission from management, preferably senior management, before starting such an activity. Consideration should also be given to what to do with the data once it is collected. In addition to passwords, it may contain other sensitive data. As a general rule, capture logs should be purged from the system unless they are needed for criminal or civil proceedings. There are documented cases where well-meaning system administrators have been fired for unauthorized interception of data.

Need to understand network topology

Before setting up the analyzer, you need to fully understand the physical and logical organization of the network. By analyzing in the wrong place in the network, you can get erroneous results or simply not find what you need. Check that there are no routers between the analyzing workstation and the point of observation: routers forward traffic into a network segment only if it is addressed to a host located there. Similarly, on a switched network you will need to configure the port you are connected to as a "monitor" or "mirror" port. Different manufacturers use different terminology, but in essence you want the port to act like a hub rather than a switch, because it needs to see all the traffic that passes through the switch, not just the traffic directed to the workstation. Without this configuration, the monitoring port will only see what is directed to it plus network broadcast traffic.

Strict search criteria must be used

Depending on what you want to find, using an open filter (that is, showing everything) will make the output voluminous and difficult to analyze. It is better to use specific search criteria to shorten the output the analyzer produces. Even if you don't know exactly what to look for, you can still write a filter to limit the search results. If you want to find an internal machine, it is sensible to set criteria that look only for source addresses within a given network. If you want to monitor a specific type of traffic, say FTP traffic, you can limit the results to what arrives on the port used by that application. Doing so yields significantly better analysis results.

Setting the network reference state

By using a network analyzer during normal operation and recording the results, you establish a reference (baseline) state that can be compared with the results obtained while trying to isolate a problem. The Ethereal analyzer, discussed below, produces several convenient reports for this. You will also obtain data for tracking network usage over time. With this data you can determine when the network becomes saturated and what the main causes are: an overloaded server, an increase in the number of users, a change in the type of traffic, and so on. With a starting point, it is easier to understand who is to blame and for what.
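The two filter criteria described above (a source network and a single application port) and the per-host baseline, as an added example that is not part of the original article: it builds a small constructed capture in the pcap file format that tcpdump -w and Wireshark write, decodes the Ethernet/IPv4/TCP headers, applies the filters and totals bytes per source host. All MAC addresses, IP addresses and frame contents are constructed for the example.

```python
import ipaddress
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, stored little-endian; link type 1 = Ethernet
ETHERTYPE_IPV4 = b"\x08\x00"


def build_frame(src_ip, dst_ip, sport, dport, payload_len):
    """Constructed Ethernet + IPv4 + TCP frame (no IP options, checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # offset 5, PSH+ACK
    return eth + ip_hdr + tcp + b"\x00" * payload_len


def write_pcap(frames, snaplen=65535):
    """Serialise frames in the pcap file format that tcpdump -w and Wireshark write."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):   # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) for each record of a little-endian classic pcap blob."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24                              # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + caplen]
        off += caplen


def decode(frame):
    """Decode Ethernet/IPv4 headers plus TCP/UDP ports; None for non-IPv4 frames such as ARP."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    pkt = {"src": str(ipaddress.IPv4Address(frame[26:30])), "dst": str(ipaddress.IPv4Address(frame[30:34])),
           "proto": frame[23], "sport": None, "dport": None, "len": len(frame)}
    if pkt["proto"] in (6, 17) and len(frame) >= 14 + ihl + 4:   # TCP and UDP both begin with the ports
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return pkt


def filter_packets(data, src_net=None, port=None):
    """The two criteria from the text: source address inside a network and/or a single port."""
    net = ipaddress.ip_network(src_net) if src_net else None
    kept = []
    for _ts, frame in read_pcap(data):
        pkt = decode(frame)
        if pkt is None or (net is not None and ipaddress.ip_address(pkt["src"]) not in net):
            continue
        if port is not None and port not in (pkt["sport"], pkt["dport"]):
            continue
        kept.append(pkt)
    return kept


def bytes_per_source(packets):
    """Baseline view: total bytes on the wire sent by each source host."""
    totals = Counter()
    for pkt in packets:
        totals[pkt["src"]] += pkt["len"]
    return totals


# Constructed sample capture: three LAN hosts, documentation-range (203.0.113.0/24) servers, one ARP frame.
ARP_FRAME = b"\xff" * 6 + bytes.fromhex("66778899aabb") + b"\x08\x06" + b"\x00" * 28
SAMPLE_PCAP = write_pcap([
    build_frame("10.0.0.5", "203.0.113.10", 51000, 80, 300),    # HTTP request, 354-byte frame
    build_frame("10.0.0.7", "203.0.113.20", 51001, 21, 40),     # FTP control, 94 bytes
    build_frame("192.168.1.9", "10.0.0.5", 40000, 21, 100),     # FTP from another subnet, 154 bytes
    build_frame("10.0.0.5", "203.0.113.10", 51000, 80, 1200),   # larger HTTP request, 1254 bytes
    ARP_FRAME,                                                  # decode() returns None for this one
])
```

Calling filter_packets(SAMPLE_PCAP, src_net="10.0.0.0/24", port=21) keeps only the FTP frame from 10.0.0.7, and bytes_per_source(filter_packets(SAMPLE_PCAP)) gives the per-host totals to record as the baseline.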

tcpdump

The main tool for almost all network traffic collection is tcpdump. It is an open source application installed on almost all Unix-like operating systems. Tcpdump is a great data collection tool and comes with a very powerful filtering engine. It is important to know how to filter data during collection so that you end up with a manageable piece of data to analyze. Capturing all data from a network device, even on a moderately busy network, can generate too much data for simple analysis.

In some rare cases, tcpdump's output printed straight to the screen may be enough to find what you are looking for. For example, while writing this article, some traffic was captured and it was noticed that the machine was sending traffic to an unknown IP address. It turned out that the machine was sending data to the Google IP address 172.217.11.142. Since no Google products were running, the question arose as to why this was happening.

The system check showed the following:

[ ~ ]$ ps -ef | grep google


OVERVIEW OF NETWORK TRAFFIC ANALYSIS AND MONITORING PROGRAMS

A.I. KOSTROMITSKY, Ph.D. tech. Sciences, V.S. VOLOTKA

Introduction

Traffic monitoring is vital to effective network management. It is a source of information about the functioning of enterprise applications, which is taken into account when allocating funds, planning computing capacities, identifying and localizing failures, and resolving security issues.

In the recent past, traffic monitoring was a relatively simple task. As a rule, computers were networked on the basis of a bus topology, i.e., they had a shared transmission medium. This allowed a single device to be connected to the network with which all traffic could be monitored. However, demands for increased network bandwidth and advances in packet switching technology, which caused the price of switches and routers to drop, have led to a rapid transition from shared media to highly segmented topologies. The total traffic can no longer be seen from one point. To get the full picture, you need to monitor each port. The use of point-to-point connections makes it inconvenient to connect devices, and it would take too many of them to listen on all ports, which becomes too expensive a task. In addition, the switches and routers themselves are complex architectures, and the speed at which packets are processed and transmitted becomes an important factor in determining network performance.

One of the topical scientific tasks at present is the analysis (and further prediction) of the self-similar traffic structure in modern multiservice networks. To solve this problem, it is necessary to collect and then analyze various statistics (speed, volumes of transmitted data, etc.) in existing networks. The collection of such statistics in one form or another is possible by various software tools. However, there is a set of additional parameters and settings that are very important in the practical use of various tools.

Various researchers use a variety of programs to monitor network traffic. For example, in , researchers used the Ethereal (Wireshark) network traffic analyzer (sniffer).

The free versions of programs that are available on,,, were reviewed.

1. Overview of network traffic monitoring programs

About ten traffic analyzer programs (sniffers) and more than a dozen programs for monitoring network traffic were considered, of which we selected four of the most interesting, in our opinion, and offer you an overview of their main features.

1) BMExtreme (Fig. 1).

This is the new name of the well-known Bandwidth Monitor program. Previously, the program was distributed free of charge, but now it has three versions, and only the basic one is free. This version does not provide any features other than, in fact, traffic monitoring, so it can hardly be considered a competitor to other programs. By default, BMExtreme monitors both Internet traffic and traffic on the local network, but monitoring on the LAN can be disabled if desired.

Fig. 1

2) BWMeter (Fig. 2).

This program has not one, but two traffic monitoring windows: one shows activity on the Internet, and the other shows activity on the local network.


Fig. 2

The program has flexible settings for traffic monitoring. With its help, you can determine whether it is necessary to monitor the reception and transmission of data on the Internet only from this computer or from all computers connected to the local network, set the range of IP addresses, ports and protocols for which monitoring will or will not be performed. In addition, you can disable traffic tracking during certain hours or days. System administrators will certainly appreciate the ability to distribute traffic between computers on a local network. So, for each PC, you can set the maximum speed for receiving and transmitting data, as well as disable network activity with one click.

Despite its very small size, the program has a huge variety of features, some of which are listed below:

Monitoring of any network interfaces and any network traffic.

A powerful filter system that allows you to evaluate the volume of any part of the traffic - up to a specific site in a specified direction or traffic from each machine in the local network at a specified time of day.

Unlimited customizable network connection activity graphs based on selected filters.

Management (restriction, suspension) of the traffic flow on any of the filters.

Convenient statistics system (from an hour to a year) with an export function.

Ability to view statistics of remote computers with BWMeter.

Flexible system of alerts and notifications upon reaching a certain event.

Maximum customization options, incl. appearance.

Ability to run as a service.

3) Bandwidth Monitor Pro (Fig. 3).

Its developers paid a lot of attention to setting up the traffic monitoring window. First, you can determine what kind of information the program will constantly show on the screen. This can be the amount of received and transmitted data (both separately and in total) for today and for any specified period of time, average, current and maximum connection speed. If you have multiple network adapters installed, you can monitor the statistics for each of them separately. At the same time, the necessary information for each network card can also be displayed in the monitoring window.


Fig. 3

The notification system deserves a separate mention, as it is implemented very well here. You can set the behavior of the program when certain conditions are met: the transfer of a certain amount of data in a specified period, reaching the maximum download speed, a change in connection speed, and so on. If several users work on the computer and you need to monitor the overall traffic, the program can be run as a service. In this case, Bandwidth Monitor Pro collects statistics for all users who log into the system under their own logins.

4) DUTraffic (Fig. 4).

What distinguishes DUTraffic from the other programs reviewed is that it is free.


Fig. 4

Like its commercial counterparts, DUTraffic can perform a variety of actions when certain conditions are met. For example, it can play an audio file, show a message, or disconnect the Internet connection when the average or current download speed drops below a specified value, when an Internet session lasts longer than a specified number of hours, or when a certain amount of data has been transferred. Actions can also be performed cyclically, for example each time the program registers the transfer of a given amount of data. Statistics in DUTraffic are kept separately for each user and for each Internet connection. The program shows both overall statistics for a selected period and, for each session, the speed, the amount of data sent and received, and the financial cost.

5) Cacti monitoring system (Fig. 5).

Cacti is an open-source web application (so there is no installation file). Cacti collects statistical data at set time intervals and displays it graphically. The graphs are built with RRDtool. Standard templates are mostly used to display statistics on processor load, RAM allocation, the number of running processes, and incoming/outgoing traffic.

The interface for displaying statistics collected from network devices is a tree whose structure is defined by the user. As a rule, graphs are grouped by certain criteria, and the same graph can appear in different branches of the tree (for example, traffic through a server's network interface both in the branch dedicated to the overall picture of the company's Internet traffic and in the branch with that device's parameters). There is an option to view a pre-compiled set of charts, and there is a preview mode. Each graph can be viewed separately for the last day, week, month and year. You can also choose the time period for which a chart is generated yourself, either by specifying calendar parameters or simply by selecting an area on the chart with the mouse.


Table 1

Parameter / Program                      | BMExtreme | BWMeter | Bandwidth Monitor Pro | DUTraffic | Cacti
-----------------------------------------|-----------|---------|-----------------------|-----------|--------
Installation file size                   | 473 KB    | 1.91 MB | 1.05 MB               | 1.4 MB    |
Interface language                       | Russian   | Russian | English               | Russian   | English
Speed graph                              |           |         |                       |           |
Traffic graph                            |           |         |                       |           |
Export/Import (export file format)       | –/–       | (*.csv) | –/–                   | –/–       | (*.xls)
Minimum time step between data records   | 5 min     | 1 sec   | 1 min                 | 1 sec     | 1 sec
Minimum step adjustable                  |           |         |                       |           |

2. Overview of network traffic analyzers (sniffers)

A traffic analyzer, or sniffer, is a program or a hardware and software device designed to intercept and then analyze, or only to analyze, network traffic destined for other nodes.

Analysis of the traffic passed through the sniffer allows you to:

Intercept any unencrypted (and sometimes encrypted) user traffic in order to obtain passwords and other information.

Locate a network failure or network agent configuration error (sniffers are often used for this purpose by system administrators).

Since the “classic” sniffer analyzes traffic manually, using only the simplest automation tools (analysis of protocols, recovery of a TCP stream), it is suitable for analyzing only small volumes of it.

1) Wireshark (formerly Ethereal).

A traffic analyzer for Ethernet and some other computer networks, with a graphical user interface. Wireshark "knows" the structure of a wide variety of network protocols and can therefore dissect a network packet, displaying the value of each protocol field at every layer. Because pcap is used to capture packets, only data from networks supported by that library can be captured. However, Wireshark can read a variety of input formats, so it can open capture files produced by other programs, which extends its reach.

2) Iris The Network Traffic Analyzer.

In addition to the standard functions for collecting, filtering and searching packets and building reports, the program offers unusual data reconstruction capabilities. Iris The Network Traffic Analyzer can reproduce in detail user sessions with various web resources and even lets you replay password submissions to secured web servers using cookies. The data reconstruction technology implemented in its decode module turns hundreds of collected binary network packets into familiar emails, web pages, ICQ messages and so on. eEye Iris can display unencrypted web mail and instant messages, extending the capabilities of existing monitoring and auditing tools.

The eEye Iris packet sniffer captures various details of the attack, such as the date and time, IP addresses and DNS names of the hacker's and victim's computers, as well as the ports used.

3) Ethernet Internet traffic Statistic.

Ethernet Internet traffic Statistic shows the amount of data received and sent (in bytes, in total and for the last session) as well as the connection speed. For clarity, the collected data is displayed in real time on a graph. It runs without installation; the interface is in Russian and English.

It is a utility for monitoring the level of network activity: it shows the amount of data received and sent and keeps statistics for the session, day, week and month.

4) CommTraffic.

This is a network utility for collecting, processing and displaying Internet traffic statistics through a modem (dial-up) or dedicated connection. When monitoring a LAN segment, CommTraffic shows the Internet traffic for each computer in the segment.

CommTraffic includes an easily customizable, user-friendly interface that displays network performance statistics in the form of graphs and numbers.

Table 2

Parameter / Program                      | Wireshark                                      | Iris The Network Traffic Analyzer | Ethernet Internet traffic Statistic | CommTraffic
-----------------------------------------|------------------------------------------------|-----------------------------------|-------------------------------------|------------
Installation file size                   | 17.4 MB                                        | 5.04 MB                           | 651 KB                              | 7.2 MB
Interface language                       | English                                        | Russian                           | English, Russian                    | Russian
Speed graph                              |                                                |                                   |                                     |
Traffic graph                            |                                                |                                   |                                     |
Export/Import (export file format)       | +/– (*.txt, *.px, *.csv, *.psml, *.pdml, *.c)  | –/–                               | –/–                                 | –/–
Start monitoring on demand               |                                                |                                   |                                     |
Minimum time step between data records   | 0.001 sec                                      | 1 sec                             | 1 sec                               | 1 sec
Minimum step adjustable                  |                                                |                                   |                                     |

Conclusion

In general, we can say that most home users will be satisfied with the capabilities that Bandwidth Monitor Pro provides. If we talk about the most functional program for monitoring network traffic, this is, of course, BWMeter.

Among the considered network traffic analyzer programs, I would like to highlight Wireshark, which has more functionality.

The Cacti monitoring system maximally meets the increased requirements that are imposed in the case of network traffic research for scientific purposes. In the future, the authors of the article plan to use this particular system for collecting and preliminary analysis of traffic in the corporate multiservice network of the Communication Networks Department of the Kharkov National University of Radio Electronics.

Bibliography

1. Platov V.V., Petrov V.V. Study of the self-similar structure of teletraffic of a wireless network // Radio Engineering Notebooks. Moscow: OKB MEI, 2004. No. 3. pp. 58–62.

2. Petrov V.V. The structure of teletraffic and an algorithm for ensuring quality of service under the influence of the self-similarity effect. Thesis for the degree of Candidate of Technical Sciences, 05.12.13. Moscow, 2004. 199 p.
