6 Network Protocol Analyzers

A network protocol analyzer is a vital part of a network administrator's toolkit. Network protocol analysis is the truth serum of network communications. If you want to find out why a network device is functioning in a certain way, use a protocol analyzer to sniff the traffic and expose the data and protocols that pass along the wire. You can use a network protocol analyzer to

If you manage a network and don't yet have a protocol analyzer, you need one. To help you find the network protocol analyzer that suits your environment, I first survey some typical features of software-based protocol analyzers. Then, I examine and compare these features in six popular network protocol analyzers.

Typical Features
Most software-based network protocol analyzers work in about the same way as Figure 1 shows. and display, at least initially, the same basic information. The analyzer runs on a host system. When you start the analyzer (in promiscuous mode), the host NIC's software driver intercepts all traffic that passes through the NIC. The protocol analyzer passes the intercepted traffic to the analyzer's packet-decoder engine, which identifies and splits packets into their respective layers. The protocol analyzer software analyzes the packets and displays packet information on the analyzer host's screen. Depending on the product's capabilities, you can then analyze and filter the traffic further.

A protocol analyzer window typically consists of three panes, which the sample window from the Ethereal product in Figure 2 shows. The top pane displays a summary of the captured packets. Typically, this pane shows at minimum the following fields: date; time (in milliseconds) that the packet was captured; source and destination IP addresses; source and destination port addresses; protocol type (network, transport, or application layer); and a summary of the captured data. The middle pane shows the logical breakout of a selected packet, and the bottom pane shows the packet in hexadecimal or ASCII-character form.

Analyzing packet decodes is a network protocol analyzer's most important job. The analyzer organizes captured packets by layer and protocol. The best packet analyzers can recognize a protocol by its most definitive layer—the upper layer—and display the captured information on a field-by-field basis. This type of information is typically displayed in the analyzer window's second pane. For example, any protocol analyzer can recognize TCP traffic. A good analyzer will note that the traffic is Microsoft Exchange Server running over the remote procedure call (RPC) protocol and will show you the email message's text. Most protocol analyzers recognize more than 300 distinct protocols and define and decode them by name. The more information the analyzer decodes and presents, the less manual decoding work you'll have to do yourself. Accurate packet decodes separate the best analyzers from the also-rans.

Be wary of vendors that claim to provide more than 4000 protocol decoders in their protocol analyzers; 300 to 400 is a more realistic range. Most products provide a similar number of decoders, notwithstanding what the marketing hype might suggest. For instance, one product might dissect a simple Ping process into several different protocols (e.g., Internet Control Message Protocol—ICMP, echo request, ICMP echo reply), whereas another product might decode the Ping process as only one protocol—although both products measure and decode the same information.

A common problem I've seen with many protocol analyzers, including those I review here, is the inability to accurately identify—and consequently decode—a protocol that runs over a nondefault port number. In today's security-conscious computer world, running well-known applications on not-so-well-known ports is a common defense against malicious hackers. Some decoders recognize traffic regardless of the port over which it runs, whereas others don't and will define the protocol simply by its lower layer (i.e., TCP or UDP), which also means that the decoder doesn't provide the more useful field-specific decode information. Some analyzers let you modify the decoder to recognize more than the default port for particular protocols.

Protocol-analyzer vendors often brag about their product's expert-analysis capabilities—whereby the analyzer reads a packet or series of packets and reports useful information about the captured packets. Expert analysis might report traffic anomalies or malicious packets or fully decode a data stream series between two hosts. The decoding option is invaluable because you can see an entire communications stream of data simply by clicking a packet. For example, you can click an HTTP packet and see the Web page it represents as an end user might see it when the underlying HTML code is rendered. Other common features include pre- and post-capture filtering (the ability to find certain packets that meet specific criteria), triggers (initiation of a secondary action when a predefined packet pattern occurs), replay (the ability to play back captured packets over the network), traffic statistics, reporting, and management of multiple sensors from one console.

The Reviews
In a market space crowded with vendors and products, I was pleasantly surprised to find many strong contenders among network protocol analyzers. When you evaluate protocol analyzers, look closely at features such as packet-capturing accuracy, the range of protocols that the analyzer decodes (make sure it matches the protocols in your environment), decode detail, expert analysis, placement model (i.e., distributed or not), price, and technical support. Let's examine six general-purpose network protocol analyzers: Ethereal, Fluke Networks' OptiView Protocol Expert 4.0, Network Associates' Netasyst Network Analyzer WLX, Network Instruments' Observer 9.0, Sunbelt Software's LanHound 1.1, and WildPackets' EtherPeek NX 2.1.

Ethereal
Ethereal is one of the best open-source programs ever made. Although Ethereal was originally created as a UNIX/Linux program based on Libpcap (an open-source interface for capturing network packets), it has long been available for Windows. Unlike most open-source programs, Ethereal's GUI is easy to understand and navigate, and the product comes with a 400-page manual in PDF format—which beats the typical one-page man page (i.e., an online documentation page for UNIX/Linux) file that's associated with most open-source tools. You'll need to download and install the Windows version of Libpcap—WinPcap, a free packet-capture architecture for Windows systems—at http://winpcap.polito.it before you install and use Ethereal. The downloaded Ethereal product comes in both GUI and command-line versions. The command-line version is useful for scripting or activating Ethereal's packet-capturing features according to the occurrence of an event (think IDS or honeypot analysis). Because Ethereal is open-source software, the Ethereal Web site is the primary source of information about the product. The Web site provides information about Ethereal features, FAQs, and links to Ethereal developer and technical support mailing lists.

Ethereal includes all the features that you typically find in a protocol analyzer. You can capture or display all network traffic or only traffic that meets specific criteria. By default, you must stop packet capturing to display traffic, although you can tell Ethereal to display captured packets while capturing occurs (which incurs a performance penalty). You can print out packet traces in varying levels of detail and formats or save them to files so that you can analyze them later. You can tell Ethereal to convert captured information, such as IP and media access control (MAC) addresses, to its common names, rather than display raw numbers.

Ethereal also provides several windows that display summary information and statistics. Although Ethereal's displays aren't as handy as the dashboard displays and pie charts that some competing products—such as EtherPeek or Netasyst Network Analyzer—offer, the statistics that Ethereal provides are useful and include protocol spectrum spreads, protocol summaries, and conversation lists (i.e., which host was talking to which other host). One of Ethereal's most valuable features is its ability to pick one TCP packet and display all the payload data between the two communicating hosts over the duration of the session. Ethereal's implementation of this feature is the most user-friendly of any product in this review, although the feature tracks only TCP streams. Other protocol analyzers can perform stream analysis for protocols other than TCP. Figure 3 shows a decoded HTTP session in Ethereal that displays the basic HTTP GET request and the resulting Web site's reply.

Ethereal supports 512 different protocol decoders (according to http://www.ethereal.com/faq.html#q1.2), and more are being added all the time. Ethereal recognizes and decodes the familiar protocol types, including AOL Instant Messenger (AIM), Abstract Syntax Notation One (ASN.1), DNS, FTP, HTTP, Lightweight Directory Access Protocol (LDAP), POP, RPC, Session Initiation Protocol (SIP), and SMTP. The product's UNIX roots are evident because many Windows-standard transport and application-level decoders (such as Exchange, Microsoft SQL Server, and RDP) either aren't available or aren't installed in the default configuration. However, Ethereal is one of the few protocol analyzers that provides decoders for the MetaMachine eDonkey 2000, Jabber, and Quake protocols. Most Ethereal decoders don't explicitly recognize protocols that run over nondefault ports, but if you recognize a particular protocol in a packet, you can right-click the packet and choose to decode it by using a particular protocol decoder.

Ethereal is a great network protocol analyzer for beginning to immediate users. For such users, Ethereal's capabilities are sufficient, although some enterprises might have concerns about the prod-uct's lack of dedicated technical support. Advanced users who want more accurate decodes, better expert analysis, and distributed architectures will find commercially available network protocol analyzers a better choice.

Fluke Networks' OptiView Protocol Expert
Fluke Networks, long known for its handheld protocol analyzers, is trying to create a similar reputation with its OptiView software analyzers, a suite of products that sniff traffic on Ethernet, token-ring, and fiber-tapped networks. (For more information about hardware protocol analyzer products, see the sidebar "Hardware Protocol Analyzers.") Fluke Networks' OptiView Protocol Expert provides protocol analysis for packets captured by Protocol Expert or other products in the OptiView suite, including OptiView Integrated Network Analyzer, OptiView Link Analyzer, and OptiView Workgroup Analyzer. OptiView Protocol Expert runs on Windows 2000 Professional and Windows 98 but not on Windows Server 2003 or Win2K Server. I reviewed Protocol Expert 4.0—which was the most current release of the product available when I evaluated it. (Fluke Networks released Protocol Expert 5.0 as an upgrade to some existing customers but didn't make it available as a trial product.) The vendor says it will release the latest production version of Protocol Expert—6.1—in late June.

Protocol Expert is a capable analyzer console, but its UI needs improvement. (Fluke Networks says it's improved the product's UI in version 6.1.) I found Protocol Expert's GUI awkward to navigate. I spent too much time trying to figure out how to enable or disable basic features, such as turning on and off packet capturing or printing reports. Although step-by-step assistance is available under the Help menu, first-time users shouldn't have to search for help with features whose operation should be readily apparent. In addition, I found the display difficult to read and to customize. Gray border areas took up valuable screen real estate, and the default font was hard to read at a resolution of 800x600. On the packet-decoding window, I couldn't rearrange packet-detail columns. After I got used to Protocol Expert's GUI, however, I found that the product performed reliably. Fluke Networks offers 1- to 5-day training classes (5-day classes are $2750) to help shorten the learning curve.

Protocol Expert supports more than 250 protocols, including Cisco, IBM Lotus Notes, SIP, Virtual LAN (VLAN), and Voice over IP (VoIP). The product offers more than 150 predefined, customizable alarms that can generate alerts to send over a LAN, in an email message, or to a pager. You can set alarms and triggers to launch predefined applications, such as antivirus scanners or IDSs. I found Protocol Expert's protocol decodes informative, though not quite as detailed as those of Netasyst Network Analyzer and Observer. Protocol Expert lets you display the usual set of summary reports, such as protocol distributions, conversation tables, top senders, and host matrixes, by clicking a menu bar icon. You can save captured data to bitmap (.bmp), comma-separated value (CSV), or Microsoft Excel file formats. Protocol Expert also lets you modify captured traffic and replay it over the network. This feature can be useful in testing firewalls, IDSs, and other network defenses.

Protocol Expert's Expert View is formatted in a welcoming Open System Interconnection (OSI) layer model, which Figure 4 shows. Different layers report different events, which can make troubleshooting easier. For example, the Data Link layer expert analysis might report spoofed MAC addresses or broadcast storms, and the Transport layer might report IP checksum errors or synchronous idle character (SYN) attacks. I found the product's Expert View useful for the most part, although the Application layer expert-analysis module needs more depth. This module covers only the basic applications, such as FTP, HTTP, and NetWare Core Protocol (NCP), and even those reported summary counters need improvement. Several competitors offer Exchange, SQL Server, and many other common applications and counters.

Network Associates' Netasyst Network Analyzer
Network Associates has a long history of providing network protocol analyzer products, including the InfiniStream Network Management, Netasyst Network Analyzer, and Sniffer product lines. Recently, Network Associates sold these lines to Silver Lake Partners and Texas Pacific Group, which will sell the products through a new company called Network General upon completion of the acquisition (expected in third quarter 2004). The InfiniStream Network Management and Sniffer product lines, which include a hardware appliance and software, are targeted at larger enterprises that need high-speed (i.e., gigabits per second—or Gbps) analysis, long-term storage and capturing, and the ability to replay captured traffic over the network. Netasyst Network Analyzer is targeted at small-to-midsized businesses that have fewer than 1000 nodes. The product comes in two versions—standard and expert (X)—with three options for each version: 10Mbps/100Mbps LAN (L), 802.11 wireless (W), or wireless and LAN (WL). The standard and expert versions have the same packet-decoding engine, but the expert version offers additional analysis automation and tools. Pricing varies depending on the version and options you buy.

Netasyst Network Analyzer is a solid network protocol analyzer, and its maturity is evident. Although the Netasyst Network Analyzer name is new, the product is backed by Network Associates' years of experience in the protocol analyzer market. When you install Netasyst Network Analyzer, you can catch glimpses of the filenames of Sniffer and Net X-Ray, upon which the product is based. Netasyst Network Analyzer requires Windows XP or Win2K, Microsoft Internet Explorer (IE) 6.0 or later, and Sun Microsystems' Java 2 Runtime Environment (JRE2), which is used to display graphics. Netasyst Network Analyzer is chock-full of features everywhere you look. The default statistics dashboard displays at start-up and is one of the product's most recognized features. The dashboard displays network utilization, the number of packets, and the number of errors.

Netasyst Network Analyzer decodes more than 280 different protocols. The product provides some of the most accurate and detailed decodes among the products in this review. It's hard not to be impressed. For example, the summary window, which Figure 5 shows, offers a wealth of information. HTTP packet summaries tell you what the packets are doing (e.g., which HTML command is being issued, what page or graphic is being downloaded). Each packet flag has a value and a short explanation right in the decode, which isn't unusual for any protocol analyzer product. However, Netasyst Network Analyzer conveys this information a degree better than most of its competitors. It analyzes packets and notes relationships among them; for example, fragmented packets or session data that's split up among multiple packets is readily identified as belonging together. The product highlights abnormal conditions, such as long acknowledges (ACKs), retransmissions, and out-of-sequence packets. None of the other products I review noted as many network problems as Netasyst Network Analyzer does. Although the immediate value of seeing retransmissions and TCP window locks is questionable to the ordinary administrator, such information is useful for determining a baseline view of your network. Developers and network de-signers should strongly consider using Netasyst Network Analyzer when they fine-tune application performance. When I tested the product, it picked up traffic running on nonstandard ports. Many of its Windows decodes were exceptional; the product explained most packet fields and converted binary information into information I could understand.

Another interesting feature of Netasyst Network Analyzer (probably influenced by its antivirus cousin, McAfee VirusScan) is its ability to download malware filters from the McAfee Web site, which you can then load into Netasyst Network Analyzer to detect malicious code. The McAfee Web site http://www.nai.com/us/security/resources/sv_home.htm#filters currently lists 20 malware filters, including filters for recent viruses, such as MyDoom and Netsky. Although Netasyst Network Analyzer isn't meant to be a full network IDS or antivirus scanner, its ability to download malware filters can come in handy.

Netasyst Network Analyzer has a full complement of features, including many statistics screens, graphical charts, SNMP traps, and triggers. The product also provides dozens of alarms with predefined thresholds, which you can set to generate alerts for various problems, such as slow servers, high-volume VoIP traffic, excessive logon failures, FTP logon attempts, WINS duplicate name errors, too many retransmissions, domain controller (DC) shutdown, Layer 2 errors, broadcast storms, and network topology changes. Although most protocol analyzers provide alarms, Netasyst Network Analyzer is unique in that its thresholds are predefined. In the wireless versions of the product, you can enable route AP or wireless node discovery. Netasyst Network Analyzer also provides more VoIP features than its competitors. On the downside, Netasyst Network Analyzer doesn't decode 802.11g, Kerberos, or RDP traffic and splits LAN and wireless functionality into different product versions.

Network Instruments' Observer
Network Instruments' Observer is another solid top performer and a contender for midsized-to-large networks. Observer is built to be distributed, designed to handle large volumes of data, and coded to run on more types of network interfaces than any of the other reviewed products. Distributed protocol analyzers provide two functions: a management station and a client packet-capturing component. Clients can be distributed throughout the enterprise, and all the distributed data is collected and analyzed on one management workstation. Network Instruments calls this distributed architecture Distributed Network Analysis (NI-DNA). When you install Observer, you can choose to install the complete Observer package, which includes the decoding and reporting console, or a probe—software that captures packets on local and remote networks and interacts with the Observer console. Network Instruments says that it's had as many as 350 probes reporting in one production environment. Data can be reported separately or in aggregate. Observer can reserve up to 4GB of memory for packet capturing coming from up to 64 different network interfaces. (Could anyone need that many interfaces?) Observer supports wired topologies from 10Mbps to full-duplex gigabit.

Although some protocol analyzer vendors differentiate their products between LAN and wireless capabilities, every version of Observer supports LAN, remote monitoring (RMON), WAN, and wireless. Network Instruments readily promotes WAN solutions involving DS3, E1, High-Speed Serial Interface (HSSI), and T1 interfaces. You can order prebuilt 4U (7") rack-mounted solutions, with or without the WAN kit. Observer also offers more wireless options than its competitors. It's one of the few LAN protocol analyzers that decodes the 802.11a, 802.11b, and 802.11g wireless protocols. Furthermore, all Observer probes sport the same look and feel. Competing protocol analyzers don't provide nearly as wide a spectrum of choices with the same interface as Observer does.

One of the first things you notice about Observer is that it provides Help windows with explanations during the setup and first use of the product (other products, such as EtherPeek, also provide this sort of help). Multiple 15-minute tutorial windows are available to help you learn to use the product. In Observer, Network Instruments seems to have considered the end-user experience a bit more than some of its competitors have. You can right-click any packet and create a quick filter that displays only packets that are related to that packet's IP address, only packets that are related to that packet's IP address and the other host involved, or only packets sent and received between the two related hosts and to the same or related IP port numbers. For example, with one click you can capture all traffic between a Web server and its back-end database and filter out unrelated traffic. Other protocol analyzers let you define the same types of filters, but most require more than a dozen clicks to accomplish what Observer does in one click.

Like other analyzers, Observer displays a wide spectrum of reports, summaries, and statistics, which Figure 6 shows. The product's filters include more than 30 malware filters, including filters for wireless Denial of Service (DoS) attacks, common malware, and what Observer calls hack filters (which is a subset of a larger filter set that Observer can use). Observer contains a full complement of alarms and triggers. The product also has a distinct network-mapping feature that you can use separately to convert IP and MAC addresses to DNS or NetBIOS names. In my testing, the product analyzed traffic to automatically determine which machines were servers and even which application functions they performed. Observer recognizes 14 different applications, such as Exchange, Oracle, SQL Server, and VoIP.

I found most of Observer's protocol decodes and the information shown at each layer to be among the best of the products I reviewed. Observer sometimes had problems recognizing well-known protocols on nondefault ports (e.g., HTTP, RDP); however, you can modify Observer's decoders to monitor traffic on other ports, as you can with other protocol analyzers. For certain protocols, Observer stood ahead of the pack. It was one of the few analyzers to recognize and properly decode my Kerberos and LDAP traffic each and every time. Other analyzers would note the UDP packets on port 88 and might label them Kerberos packets in the detail view, but Observer told me the difference between my Kerberos requests and tickets that were successfully granted. Observer can replay up to 5MB of data from the capture buffer over the network.

On the need-to-improve side, Observer's main UI is overly busy because it attempts to provide as much functionality as possible in one window. The window is a little crunched, tabs obscure one another somewhat, and the overall picture can be a bit daunting to new users. Also, when I changed malware filters, the window often resized itself, thereby undoing my custom settings. Despite these minor imperfections, Observer is a solid standalone performer and an obvious choice for distributed-networking environments with a wide range of needs.

Sunbelt Software's LanHound
Although Sunbelt Software might be best known for its iHateSpam product, the vendor provides many other useful products. Sunbelt Software markets LanHound specifically as a low-cost choice that provides many of the basic features that most network administrators need in a protocol analyzer. LanHound consists of two products: an administrative console and a remote packet-capturing agent (the console also captures packets). LanHound runs on any platform with Win98 or later installed, except for Windows 2003.

LanHound has an easy-to-use GUI, which Figure 7 shows, with most of the features you expect in a protocol analyzer, including capture filtering, name lookups, alarms, triggers, and a host of display reports. The alarm feature is limited; it notifies you only when a protocol session, such as FTP or POP, sends unencrypted passwords. LanHound provides little other expert analysis beyond the alarm feature. Reports include histograms, host tables, packet summaries, and traffic matrixes. As with other analyzer products, you can slice and dice the analysis data that LanHound provides just about any way you want, including as bar graphs and pie charts. I was surprised to find that LanHound can manipulate and replay captured traffic back over the network—a feature that isn't always available in lower-end products.

Overall, I was pleased with LanHound's feature set, although as I expected, its decoding wasn't as strong and detailed across most protocols as that of competing products. For example, default packet details are displayed by default in hex instead of easier-to-read ASCII, which can make reading traffic such as HTTP difficult. LanHound's Server Message Block (SMB) traffic decoding was rather good, but the product completely missed identifying Exchange, RDP, and many other default Windows protocols. Like some other products I reviewed, LanHound missed classifying well-known protocols running over nondefault ports. LanHound is a low-end protocol analyzer that provides all the basics plus traffic replaying, but it lacks the decode support of other products in this review.

WildPackets' EtherPeek
WildPackets' product line includes protocol analyzers for a range of needs. EtherPeek is geared toward small-to-midsized businesses. I reviewed the NX 2.1 version of the product ("NX" means it provides expert analysis). EtherPeek offers a variation on the typical contents of the three-pane protocol analyzer window by providing a dashboard and a log window in two bottom panes, as Figure 8 shows. EtherPeek's UI is a bit softer on the eyes than the UIs of the other products and contains more default color differentiation. Although the purely technical side of me hated to admit it, EtherPeek's use of color does make analyzing protocols easier. Most other analyzers let you color-code packets, but EtherPeek does this automatically and thoughtfully. EtherPeek has the best UI, in terms of form and natural workflow, among the competitors.

Although EtherPeek is meant for smaller networks, it doesn't skimp on features. The product displays captured packets in real time by default (real-time display is turned off by default in most products because it affects performance), and still the display seems crisp and responsive. I didn't test EtherPeek under high network-utilization loads, but I'd be interested to see the results for display performance. Conventional wisdom says that the great-looking real-time interface, use of color, and default name resolution will slow the product down under larger packet loads, but you can disable these features if performance suffers. EtherPeek, like the other products in this review, can open multiple capture windows at the same time, each displaying different interfaces being captured or with different focuses. For instance, you could capture IP traffic in one window, IPX in another, and in another display RMON input (with the help of the WildPackets' RMONGrabber add-on).

EtherPeek decodes hundreds of protocols, and I found most of the decodes to be accurate. Netasyst Network Analyzer and Observer gave a few more decode details for several protocols, but EtherPeek held its own in most areas. The product showed TCP flags and whether they were on or off but not what they meant in practical terms. Or, EtherPeek noted that HTTP data was being downloaded but not that it was graphical. And just when I started to think that EtherPeek was a second-place product, I discovered that it recognized IM, Kerberos, and VoIP traffic correctly and surpassed some of its better-known competitors. In fact, on the network and application layers, EtherPeek came in just behind Netasyst Network Analyzer in its reporting capabilities. EtherPeek noted DNS errors, slow servers, POP logon errors, and unreachable hosts. Well-placed icons made these errors easy to notice. Unfortunately, making errors easy to see can be problematic. My EtherPeek testing revealed numerous bad TCP checksum false-positive errors, but WildPackets has promised to fix this problem soon.

EtherPeek contains many windows of data for each captured trace. You can display more than 90 different windows, summaries, and statistics and view the data from numerous angles. You perform most changes with one mouse click. Another unique feature of EtherPeek that I wish other products had is the ability to quickly filter out traffic you don't want to see in the display. I found this feature constantly useful, especially when trying to quickly filter out remote-monitoring traffic to concentrate on the real traffic problems.

Making a Choice
Rarely has a field been so full of worthy competitors as that of network protocol analyzers. Even the low-end open-source alternative, Ethereal, is feature-rich. You'd have a hard time going wrong by choosing any of these products. In a large,
distributed environment, Network Instruments' Observer appears to have the edge. Network Associate's Netasyst Network Analyzer has the best expert analysis, accurate decodes, and downloadable malware filters. Fluke Networks' OptiView Protocol Expert and WildPackets' EtherPeek are also solid choices for small-to-midsized networks and provide plenty of analysis features. LanHound is a solid protocol analyzer for the money but has stiff competition. My advice is to choose a product that has the feature set you're looking for in the price range your budget dictates.