Packet sniffing is a deep form of network analysis in which the details of network traffic are decoded so they can be examined. It is one of the most important troubleshooting skills any network administrator should possess. Analyzing network traffic is a complicated task. In order to cope with unreliable networks, data is not sent as one continuous stream. Instead, it is chopped up into packets that are sent individually. Analyzing network traffic involves being able to collect these packets of data and reassemble them into something meaningful. This is not something you can do manually, so packet sniffers and network analyzers were created. Today, we’re having a look at seven of the best packet sniffers and network analyzers.
We’re starting off today’s journey by giving you some background information on what packet sniffers are. We’ll try to figure out what the difference is–or whether there is a difference–between a packet sniffer and a network analyzer. We’ll then proceed to the core of our subject and not only list but also briefly review each of our seven picks. What we have for you is a combination of GUI tools and command-line utilities that run on various operating systems.
A Few Words About Packet Sniffers and Network Analyzers
Let’s begin by settling something. For the sake of this article, we’ll assume that packet sniffers and network analyzers are one and the same. Some will argue that they are different and they may be right. But in the context of this article, we’ll look at them together, mainly because even though they might operate differently–but do they really?–they serve the same purpose.
Packet sniffers usually do three things. First, they capture all data packets as they enter or exit a network interface. Second, they optionally apply filters to ignore some of the packets and save others to disk. Third, they perform some form of analysis of the captured data. It is in that last function that packet sniffers differ the most.
For the actual capture of the data packets, most tools use an external module. The most common are libpcap on Unix/Linux systems and Winpcap on Windows. You typically won’t have to install these yourself as they are usually installed by each tool’s installer.
Another important thing to know is that packet sniffers–even the best ones–won’t do everything for you. They are just tools. It’s just like a hammer: it won’t drive any nail by itself. So, you need to make sure you learn how to best use each tool. The packet sniffer will just let you see the traffic, but it is up to you to use that information to find issues. Whole books have been written on using packet capture tools. I, myself, once took a three-day course on the subject. I’m not trying to discourage you. I’m only trying to set your expectations straight.
How To Use A Packet Sniffer
As we’ve explained, a packet sniffer will capture and analyze traffic. So, if you’re trying to troubleshoot a specific issue–which is typically why you’d use such a tool–you first need to make sure that the traffic you’re capturing is the right traffic. Imagine a situation where all users are complaining that a particular application is slow. In that type of situation, your best bet would probably be to capture traffic at the application server’s network interface. You might then realize that requests arrive at the server normally but that the server takes a long time to send out responses. That would indicate a server problem.
If, on the other hand, you see the server responding in a timely manner, it possibly means that the issue is somewhere on the network between the client and the server. You would then move your packet sniffer one hop closer to the client and see if responses are delayed there. If they’re not, you move one more hop closer to the client, and so on and so forth. You’ll eventually get to the spot where delays occur. And once you’ve identified the location of the problem, you are one big step closer to solving it.
Now you may be wondering how we manage to capture packets at a specific point. It’s pretty simple, we take advantage of a feature of most network switches called port mirroring or replication. This is a configuration option that will replicate all traffic in and out of a specific switch port to another port on the same switch. Let’s say your server is connected to port 15 of a switch and that port 23 of that same switch is available. You connect your packet sniffer to port 23 and configure the switch to replicate all traffic from port 15 to port 23. What you get as a result on port 23 is a mirror image–hence the port mirroring name–of what’s going through port 15.
The Best Packet Sniffers and Network Analyzers
Now that you better understand what packet sniffers and network analyzers are, let’s look at the seven best we could find. We’ve tried to include a mix of command-line and GUI tools, as well as tools running on various operating systems. After all, not all network administrators are running Windows.
1. SolarWinds Deep Packet Inspection and Analysis Tool
SolarWinds is well-known for its many useful free tools and its state-of-the-art network management software. One of its tools is called the Deep Packet Inspection and Analysis Tool. It comes as a component of SolarWinds’ flagship product, the Network Performance Monitor. Its operation is quite different from more “traditional” packet sniffers although it serves a similar purpose.
To summarize the tool’s functionality: it will help you find and resolve the cause of network latencies, identify impacted applications, and determine if slowness is caused by the network or an application. The software will also use deep packet inspection techniques to calculate response time for over twelve hundred applications. It will also classify network traffic by category, business vs. social, and risk level, helping you identify non-business traffic that may need to be filtered or otherwise eliminated.
And don’t forget that the SolarWinds Deep Packet Inspection and Analysis Tool comes as part of the Network Performance Monitor. NPM, as it is often called, is an impressive piece of software with so many components that a whole article could be dedicated to it. At its core, it is a complete network monitoring solution that combines the best technologies, such as SNMP and deep packet inspection, to provide as much information about the state of your network as possible. The tool, which is reasonably priced, comes with a 30-day free trial so you can make sure it really fits your needs before committing to purchasing it.
Official download link: https://www.solarwinds.com/topics/deep-packet-inspection
2. Tcpdump
Tcpdump is probably THE original packet sniffer. It was created back in 1987. Since then, it has been maintained and improved but remains essentially unchanged, at least in the way it is used. It is pre-installed in virtually every Unix-like operating system and has become the de-facto standard when one needs a quick tool to capture packets. Tcpdump uses the libpcap library for the actual packet capture.
By default, tcpdump captures all traffic on the specified interface and “dumps” it–hence its name–on the screen. The dump can also be written to a capture file and analyzed later using one–or a combination–of several available tools. A key to tcpdump’s strength and usefulness is the possibility to apply all sorts of filters and to pipe its output to grep–another common Unix command-line utility–for further filtering. Someone with a good knowledge of tcpdump, grep and the command shell can get it to capture precisely the right traffic for any debugging task.
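The three steps described earlier (capture, filter, analyze), the troubleshooting walkthrough above (do requests arrive on time while the server’s responses come late?) and the tcpdump workflow of dumping traffic to a file for later analysis can be shown end to end in a small Python script. This is an added example, not code from the article or from tcpdump, Wireshark or any other tool on this list: it builds a constructed pcap file in memory in the classic format that `tcpdump -w` writes, parses it with a hand-written reader, keeps only TCP packets that carry data (the filter step, roughly what a `port 80` filter plus “data only” would give you), and pairs each client request with the server’s first data reply to measure how long the server took to answer. All addresses, ports, timestamps and payloads are made up for the example, and the frame builder leaves checksums at zero because nothing is ever transmitted.

```python
import struct

# Added example: constructed sample data plus a hand-written pcap/TCP parser.
# Not code from the article or from tcpdump/Wireshark. Checksums stay zero
# because these frames are never put on the wire.

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, microsecond timestamps (not pcapng)
LINKTYPE_ETHERNET = 1


def _ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18):
    """Ethernet + IPv4 + TCP frame without options. flags 0x18 = PSH|ACK."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ipv4(src_ip), _ipv4(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(records):
    """records: iterable of (timestamp_seconds, frame_bytes) -> bytes of a pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from pcap bytes; both byte orders are accepted."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        order = "<"
    elif magic == 0xD4C3B2A1:  # the same magic seen through the other byte order
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng/nanosecond variants not handled)")
    (linktype,) = struct.unpack(order + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        yield sec + usec / 1_000_000, data[offset:offset + incl_len]
        offset += incl_len


def decode_tcp(frame):
    """Return the IPv4/TCP fields of a frame, or None for anything else (ARP, UDP, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4      # TCP header length in bytes
    return {
        "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[data_offset:],
    }


def response_times(pcap_bytes, server_port):
    """Pair each client request (data sent towards server_port) with the first data
    packet the server sends back on the same flow; returns [(client, seconds), ...]."""
    pending = {}   # (client_ip, client_port) -> timestamp of the unanswered request
    results = []
    for ts, frame in read_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None or not pkt["payload"]:   # filter step: TCP packets carrying data only
            continue
        if pkt["dport"] == server_port:
            pending[(pkt["src"], pkt["sport"])] = ts
        elif pkt["sport"] == server_port:
            client = (pkt["dst"], pkt["dport"])
            if client in pending:
                results.append((client, round(ts - pending.pop(client), 6)))
    return results


# Constructed capture "taken at the server's switch port": one quick exchange,
# one slow one, plus an ARP frame and a bare ACK that the analysis must ignore.
SERVER = "10.0.0.10"
SAMPLE_PCAP = build_pcap([
    (1000.000000, build_frame("10.0.0.5", SERVER, 40001, 80, b"GET /fast HTTP/1.1\r\n\r\n")),
    (1000.012000, build_frame(SERVER, "10.0.0.5", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n")),
    (1000.500000, build_frame("10.0.0.6", SERVER, 40002, 80, b"GET /slow HTTP/1.1\r\n\r\n")),
    (1000.500100, build_frame(SERVER, "10.0.0.6", 80, 40002, flags=0x10)),  # ACK, no data
    (1001.000000, bytes.fromhex("ffffffffffff001122334455" + "0806") + b"\x00" * 28),  # ARP
    (1002.900000, build_frame(SERVER, "10.0.0.6", 80, 40002, b"HTTP/1.1 200 OK\r\n\r\n")),
])

if __name__ == "__main__":
    for client, seconds in response_times(SAMPLE_PCAP, 80):
        print(f"{client[0]}:{client[1]} waited {seconds:.3f} s for the server")
```

Run as-is, it reports that one client was answered in 12 ms while the other waited 2.4 s, the pattern that points at the server rather than the network. To use it on a real file, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; the reader only understands classic pcap on Ethernet (not pcapng), which is what `tcpdump -w` produces by default.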
3. Windump
Windump is essentially just a port of tcpdump to the Windows platform. As such, it behaves in much the same way. It is not uncommon to see such ports of successful utility programs from one platform to another. Windump is a Windows application but don’t expect a fancy GUI. This is a command-line only utility. Using Windump, therefore, is basically the same as using its Unix counterpart. The command-line options are the same and the results are also almost identical. The output from Windump can also be saved to a file for later analysis with a third-party tool.
One major difference with tcpdump is that Windump is not built into Windows. You’ll have to download it from the Windump website. The software is delivered as an executable file and requires no installation. However, just like tcpdump uses the libpcap library, Windump uses Winpcap which, like most Windows libraries, needs to be separately downloaded and installed.
4. Wireshark
Wireshark is the reference in packet sniffers. It has become the de-facto standard and most other tools tend to emulate it. This tool will not only capture traffic, it also has quite powerful analysis capabilities. So powerful that many administrators will use tcpdump or Windump to capture traffic to a file then load the file into Wireshark for analysis. This is such a common way of using Wireshark that upon startup, you’re prompted to either open an existing pcap file or start capturing traffic. Another strength of Wireshark is all the filters it incorporates which allow you to zero in on precisely the data you’re interested in.
To be perfectly honest, this tool has a steep learning curve but it is well-worth learning. It will prove invaluable time and time again. And once you’ve learned it, you’ll be able to use it everywhere as it has been ported to almost every operating system and it is free and open-source.
5. Tshark
Tshark is sort of like a cross between tcpdump and Wireshark. This is a great thing, as those are two of the best packet sniffers out there. Tshark is like tcpdump in that it is a command-line only tool. But it is also like Wireshark in that it not only captures but also analyzes traffic. Tshark is from the same developers as Wireshark. It is, more or less, the command-line version of Wireshark. It uses the same type of filtering as Wireshark and can therefore quickly isolate just the traffic you need to analyze.
But why, you may ask, would anyone want a command-line version of Wireshark? Why not just use Wireshark? With its graphical interface, it’s got to be simpler to use and to learn. The main reason is that a command-line tool can be used on a server without a GUI.
6. Network Miner
Network Miner is more of a forensic tool than a true packet sniffer. Network Miner will follow a TCP stream and reconstruct an entire conversation. It is truly one powerful tool. It can work in offline mode, where you import a capture file and let Network Miner work its magic. This is a useful feature as the software runs only on Windows. You could use tcpdump on Linux to capture some traffic and Network Miner on Windows to analyze it.
Network Miner is available in a free version but, for the more advanced features such as IP-based geolocation and scripting, you’ll need to purchase a Professional license. Another advanced function of the professional version is the possibility to decode and play back VoIP calls.
7. Fiddler (HTTP)
Some of our more knowledgeable readers might argue that Fiddler is not a packet sniffer nor is it a network analyzer. They are probably right, but we felt we should include this tool on our list as it is very useful in many situations. Fiddler will actually capture traffic, but not just any traffic. It only works with HTTP traffic. You can imagine how valuable it can be despite this limitation when you consider that so many applications today are web-based or use the HTTP protocol in the background. And since Fiddler will capture not only browser traffic but just about any HTTP traffic, it’s very useful in troubleshooting.
The advantage of a tool like Fiddler over a bona fide packet sniffer like, for example, Wireshark, is that Fiddler was built to “understand” HTTP traffic. It will, for instance, discover cookies and certificates. It will also find actual data coming from HTTP-based applications. Fiddler is free and it’s available for Windows only although beta builds for OS X and Linux (using the Mono framework) can be downloaded.
When we publish lists like this one, we’re often asked which one is the best. In this particular situation, if I were asked that question, I’d have to answer “all of them”. They are all free tools and all have their value. Why not have them all at hand and familiarize yourself with each one? When you get to a situation where you need to use them, it will be much easier and more efficient. Even command-line tools have tremendous value. For instance, they can be scripted and scheduled. Imagine you have an issue that happens at 2:00 am daily. You could schedule a job to run tcpdump or Windump between 1:50 and 2:10 and analyze the capture file the next morning. No need to stay up all night.