Wireshark, which was previously known as Ethereal, has been around for 20 years. If not the best, it is certainly the most popular network sniffing tool. Whenever a need for packet analysis arises, this is often the go-to tool of most administrators. However, as good as Wireshark can be, there are many alternatives available out there. Some of you may be wondering what’s wrong with Wireshark that would justify replacing it. To be totally honest, there’s absolutely nothing wrong with Wireshark and if you’re already a happy user, I see no reason why you’d need to change. On the other hand, if you’re new to the scene, it might be a good idea to look at what’s available before choosing a solution. To help you, we’ve assembled this list of some of the best Wireshark alternatives.
We’ll begin our exploration by having a look at Wireshark. After all, if we want to suggest alternatives, we might as well get to know the product at least a little. We’ll then briefly discuss what packet sniffers—or network analyzers, as they are often called—are. Since packet sniffers can be relatively complex, we’ll then spend some time discussing how to use them. This is by no means a complete tutorial but it should give you enough background information to better appreciate the upcoming product reviews. Talking about product reviews, this is what we’ll have next. We’ve identified several products of widely different types which could be a good alternative to Wireshark and we’ll introduce the best features of each.
Before Wireshark, the market had essentially one packet sniffer, aptly called Sniffer. It was an excellent product that suffered from one major drawback: its price. Back in the late 90s the product cost about $1,500, more than many could afford. This prompted the development of Ethereal as a free and open-source packet sniffer by a UMKC graduate named Gerald Combs, who is still the primary maintainer of Wireshark twenty years later. Talk about serious commitment.
Today, Wireshark has become THE reference in packet sniffers. It is the de-facto standard and most other tools tend to emulate it. Wireshark essentially does two things. First, it captures all traffic that reaches its network interface, which on a switched network means little more than the host's own traffic and broadcasts unless the switch is told to mirror other ports to it (more on that below). But it doesn't stop there: the product also has quite powerful analysis capabilities. They are so good that it's not uncommon for users to capture with other tools and do the analysis in Wireshark. This is such a common way of using Wireshark that, upon startup, you're prompted to either open an existing capture file or start capturing traffic. Another strength of Wireshark is its filters, which let you zero in on precisely the data you're interested in.
About Network Analysis Tools
Although the matter has been open for debate for a while, for the sake of this article, we’ll assume that the terms “packet sniffer” and “network analyzer” are one and the same. Some will argue that they are two different concepts and, although they may be right, we’ll look at them together, if only for the sake of simplicity. After all, even though they may operate differently—but do they really?—they serve a similar purpose.
Packet sniffers essentially do three things. First, they capture data packets as they enter or exit a network interface. Second, they optionally apply filters to discard some packets and save the rest to disk. Finally, they perform some form of analysis of the captured data. It is in that last function that most of the differences between products lie.
Most packet sniffers rely on an external library for the actual capture of the packets: libpcap on Unix/Linux systems and, on Windows, WinPcap or its maintained successor Npcap (WinPcap is no longer developed, and Wireshark has shipped Npcap since version 3.0). You typically won't have to install these yourself, as the packet sniffer's installer or package dependencies pull them in. Note that capturing requires elevated privileges: root or the CAP_NET_RAW and CAP_NET_ADMIN capabilities on Linux, and a driver installed with administrator rights on Windows.
Another important thing to know is that, as good and useful as they are, packet sniffers won't do everything for you. They are just tools. Think of them as a hammer, which won't drive a nail by itself. You need to learn how best to use each tool. The packet sniffer will let you analyze the traffic it captures, but it is up to you to ensure it captures the right data and to use it to your advantage. Whole books have been written on using packet capture tools. I once took a three-day course on the subject.
Using a Packet Sniffer
As we’ve just stated, a packet sniffer will capture and analyze traffic. Therefore, if you’re trying to troubleshoot a specific issue, a typical use for such a tool, the first thing you need to do is make sure that the traffic you’re capturing is the right traffic. Imagine a case where every single user of a given application is complaining that it is slow. In such a situation, your best bet would probably be to capture traffic at the application server’s network interface, since every user seems to be affected. You might then see that requests arrive at the server normally but that the server takes a long time to send out its responses. That would indicate a delay on the server rather than a networking issue.
On the other hand, if you see the server responding to requests in a timely manner, the issue is probably somewhere on the network between the client and the server. You would then move your packet sniffer one hop closer to the client and check whether the responses are still timely there. If they are, you would move one more hop closer to the client, and so on. You’ll eventually get to the spot where the delay appears. Once you’ve identified the location of the problem, you are one big step closer to solving it.
Let’s see how we can capture packets at a specific point of a network. One simple way is to take advantage of a feature of most managed switches called port mirroring (Cisco calls it SPAN). It replicates all traffic in and out of one switch port to another port on the same switch. For example, if your server is connected to port 15 and port 23 of the same switch is free, you connect your packet sniffer to port 23 and configure the switch to replicate all traffic to and from port 15 to port 23. Two caveats: a mirror port silently drops packets when the mirrored traffic exceeds the destination port’s bandwidth (a busy full-duplex 1 Gbit/s port carries up to 2 Gbit/s combined, which a 1 Gbit/s mirror port cannot forward), and the sniffing interface must be in promiscuous mode, which capture tools enable by default. Where capture must be lossless, a dedicated network TAP is the alternative.
The Best Wireshark Alternatives
Now that you better understand what Wireshark and other packet sniffers and network analyzers are, let’s see what alternative products there are. Our list includes a mix of command-line and GUI tools as well as tools running on various operating systems.
1. SolarWinds Deep Packet Inspection and Analysis Tool
SolarWinds is well-known for its state-of-the-art network management tools. The company has been around for about 20 years and has brought us several great tools. Its flagship product called the SolarWinds Network Performance Monitor is recognized by most as one of the best network bandwidth monitoring tools. SolarWinds is also famous for making a handful of excellent free tools, each addressing a specific need of network administrators. Two examples of those tools are the SolarWinds TFTP Server and the Advanced Subnet Calculator.
As a potential alternative to Wireshark—and perhaps as the best alternative since it’s such a different tool—SolarWinds proposes the Deep Packet Inspection and Analysis Tool. It comes as a component of the SolarWinds Network Performance Monitor. Its operation is quite different from more “traditional” packet sniffers although it serves a similar purpose.
- FREE Trial: SolarWinds Network Performance Monitor
- Official download link: https://www.solarwinds.com/network-performance-monitor/registration
The Deep Packet Inspection and Analysis Tool is neither a packet sniffer nor a network analyzer, yet it will help you find and resolve the cause of network latencies, identify impacted applications, and determine whether slowness is caused by the network or by an application. Since it serves a similar purpose to Wireshark, we felt it deserved to be on this list. The tool uses deep packet inspection techniques to calculate response times for over twelve hundred applications. It also classifies network traffic by category (e.g. business vs. social) and risk level, which can help identify non-business traffic that might benefit from being filtered, controlled or eliminated.
The Deep Packet Inspection and Analysis Tool is an integral component of the Network Performance Monitor, or NPM as it is often called, which is in itself an impressive piece of software with so many components that a whole article could be written about it. It is a complete network monitoring solution that combines technologies like SNMP and deep packet inspection to provide as much information about the state of your network as possible.
Prices for the SolarWinds Network Performance Monitor, which includes the Deep Packet Inspection and Analysis Tool, start at $2,955 for up to 100 monitored elements and go up with the number of monitored elements. A 30-day free trial is available, so you can make sure it really fits your needs before committing to a purchase.
2. Tcpdump
Tcpdump is probably THE original packet sniffer. It was created back in 1987, over ten years before Wireshark and even before Sniffer. Since its initial release the tool has been maintained and improved, but the way it is used has hardly changed. It is available to install on virtually every Unix-like operating system and has become the de-facto standard for quickly capturing packets. Like most similar products on *nix platforms, tcpdump uses the libpcap library for the actual packet capture.
The default operation of tcpdump is relatively simple. It captures all traffic on the specified interface and “dumps” a one-line summary of each packet (hence its name) on the screen. To keep the packets themselves, you write them to a capture file with -w, which can later be opened by the analysis tool of your choice; it is not uncommon for users to capture with tcpdump for later analysis in Wireshark. One of the keys to tcpdump’s strength and usefulness is the ability to apply capture filters (BPF expressions selecting hosts, ports, protocols or even individual header bits) and to pipe its output to grep, another common *nix command-line utility, for further filtering. When piping, add -l so that tcpdump line-buffers its output instead of holding it back until a block fills. Someone who masters tcpdump, grep and the command shell can capture precisely the right traffic for any debugging task.
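Here is an added example, not code from the article or the tcpdump project, of the way a practitioner would put the above together: capture on the mirror port described under Using a Packet Sniffer, then read the ring files back and mine tcpdump’s own text output for SYN-only connection attempts, a quick check for port scanning against the server. The interface name eth1, the server address 10.0.0.5, the authorised scanner 10.0.0.250, the capture directory and the sample tcpdump lines are all assumptions constructed for the example; Windump accepts the same options on Windows (with findstr in place of grep).

```shell
#!/bin/sh
# Added example, not from the article. Assumptions: eth1 is the NIC plugged into
# the switch's mirror port, 10.0.0.5 is the server being troubleshot, 10.0.0.250
# is an authorised vulnerability scanner whose SYNs we ignore, and /var/tmp/caps
# is writable by the unprivileged user tcpdump drops to.
SNIFF_IF="${SNIFF_IF:-eth1}"
SERVER_IP="${SERVER_IP:-10.0.0.5}"
KNOWN_SCANNER="${KNOWN_SCANNER:-10.0.0.250}"
CAP_DIR="${CAP_DIR:-/var/tmp/caps}"

# Long-running capture of everything to and from the server into a ring of ten
# 100 MB files (oldest overwritten). -nn: never resolve names or ports, so the
# sniffer emits no DNS lookups of its own; -s 0: whole packets; -U: write each
# packet as it arrives; -Z: drop root once the interface is open.
capture_server() {
    tcpdump -i "$SNIFF_IF" -nn -s 0 -U -Z nobody \
        -C 100 -W 10 -w "$CAP_DIR/server.pcap" "host $SERVER_IP"
}

# Live view of new connection attempts (SYN set, ACK clear), minus the known
# scanner. Without -l tcpdump block-buffers stdout when it is a pipe, so grep
# would show nothing until the buffer filled.
watch_syns() {
    tcpdump -i "$SNIFF_IF" -nn -l \
        "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst host $SERVER_IP" \
        | grep --line-buffered -v "IP $KNOWN_SCANNER\."
}

# Read a saved ring file back with the same capture filter; -tttt prints the
# absolute date and time of each packet.
read_syns() {
    tcpdump -r "$1" -nn -tttt \
        "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst host $SERVER_IP"
}

# Aggregate tcpdump's text output (stdin) into "source SYNs distinct_ports".
# Users reconnect to one or two ports; a scanner touches many.
syn_sources() {
    awk '$3 == "IP" && $8 == "[S]," {
            src = $4; sub(/\.[0-9]+$/, "", src)        # drop the source port
            dst = $6; sub(/:$/, "", dst)               # "10.0.0.5.443:" -> "10.0.0.5.443"
            n = split(dst, part, "."); port = part[n]  # last dotted field is the port
            syns[src]++
            if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
        }
        END { for (s in syns) print s, syns[s], ports[s] }' \
    | sort -k2,2nr -k1,1
}

# Sources that hit at least $1 distinct destination ports on the server.
scan_suspects() {
    syn_sources | awk -v min="$1" '$3 + 0 >= min + 0 { print $1 }'
}

# Constructed sample of "tcpdump -nn -tttt" output; not a real capture.
SAMPLE_SYNS='2024-03-01 10:00:00.000100 IP 10.0.0.7.51234 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0
2024-03-01 10:00:00.000400 IP 10.0.0.7.51235 > 10.0.0.5.443: Flags [S], seq 2, win 64240, length 0
2024-03-01 10:00:01.000100 IP 10.0.0.9.40001 > 10.0.0.5.22: Flags [S], seq 3, win 1024, length 0
2024-03-01 10:00:01.000200 IP 10.0.0.9.40002 > 10.0.0.5.23: Flags [S], seq 4, win 1024, length 0
2024-03-01 10:00:01.000300 IP 10.0.0.9.40003 > 10.0.0.5.80: Flags [S], seq 5, win 1024, length 0
2024-03-01 10:00:01.000400 IP 10.0.0.9.40004 > 10.0.0.5.443: Flags [S], seq 6, win 1024, length 0
2024-03-01 10:00:01.000500 IP 10.0.0.9.40005 > 10.0.0.5.3389: Flags [S], seq 7, win 1024, length 0
2024-03-01 10:00:02.000100 IP 10.0.0.12.55000 > 10.0.0.5.443: Flags [S], seq 8, win 64240, length 0'

# Stand-alone demo on the sample. On a real box, replace the printf with:
#   read_syns "$CAP_DIR/server.pcap0" | syn_sources
printf '%s\n' "$SAMPLE_SYNS" | syn_sources
printf '%s\n' "$SAMPLE_SYNS" | scan_suspects 4
```

On the sample, 10.0.0.9 sends five SYNs to five different ports in half a second, while the two real users reconnect to port 443 only; the same awk runs unchanged on the output of read_syns against a real ring file. The -Z, -nn and ring-buffer options matter on a long-lived sniffer: it should not run as root longer than necessary, should not generate traffic of its own, and should not fill the disk.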
3. Windump
In a nutshell, Windump is a port of tcpdump to the Windows platform. As such, it behaves in much the same way and brings most of the tcpdump functionality to Windows-based computers. Windump may be a Windows application, but don’t expect a fancy GUI. It really is tcpdump on Windows and, as such, it is a command-line only utility.
Using Windump is basically the same as using its *nix counterpart. The command-line options are just about the same and the results are almost identical. Just like tcpdump, the output from Windump can be saved to a file for later analysis with a third-party tool. Grep is not usually available on Windows computers, but findstr and PowerShell’s Select-String serve the same purpose for filtering the text output.
Another important difference between tcpdump and Windump is that Windump is not available from an operating system package repository. You’ll have to download the software from the Windump website. It is delivered as an executable file and requires no installation, so it is a portable tool that could be launched from a USB key. However, just as tcpdump uses the libpcap library, Windump uses WinPcap, which must be downloaded and installed separately. Be aware that neither Windump nor WinPcap has been updated in years; Npcap, which offers a WinPcap-compatible mode, is the maintained capture driver on Windows, and tshark (below) covers the same ground with current code.
4. Tshark
You can think of Tshark as a cross between tcpdump and Wireshark, but in reality it is, more or less, the command-line version of Wireshark; it is built from the same source tree by the same developers. Tshark resembles tcpdump in that it is a command-line only tool. But it is also like Wireshark in that it won’t just capture traffic: it uses the same protocol dissectors, accepts the same libpcap capture filters (-f) and the same Wireshark display filters (-Y), and can emit selected fields (-T fields) or JSON for further processing. It can, therefore, quickly isolate the exact traffic you need to analyze.
Tshark raises one question, though. Why would anyone want a command-line version of Wireshark? Why not just use Wireshark? Most administrators, in fact most people, would agree that tools with graphical user interfaces are generally easier to learn and more intuitive. After all, isn’t that why graphical operating systems became so popular? The main reason to choose Tshark over Wireshark is a quick capture directly on a server for troubleshooting purposes, typically a headless machine reached over SSH. A non-GUI tool is also less taxing on resources, which matters if you suspect a performance issue with the server, and its text output can be scripted, which a GUI cannot.
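As an added example, not the article’s own code nor anything shipped with Wireshark, here is how tshark is used from a script to settle the question raised under Using a Packet Sniffer: is the server slow, or is the network? It compares application latency (the http.time field, elapsed time since the matching request, which tshark attaches to each HTTP response) with network latency (tcp.analysis.ack_rtt on the client’s final handshake ACK, i.e. the round trip to the client as seen from the server’s mirror port). The field names are real tshark fields; the interface eth1, server 10.0.0.5, capture file path and the two field-output samples are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article. Assumed names: eth1 (NIC on the mirror
# port), 10.0.0.5 (server under investigation), /var/tmp/server.pcapng.
SNIFF_IF="${SNIFF_IF:-eth1}"
SERVER_IP="${SERVER_IP:-10.0.0.5}"
CAP="${CAP:-/var/tmp/server.pcapng}"

# Capture one minute of the server's traffic. -f is a libpcap capture filter,
# exactly as in tcpdump; -n turns off name resolution.
capture_minute() {
    tshark -i "$SNIFF_IF" -n -f "host $SERVER_IP" -a duration:60 -w "$CAP"
}

# Application latency: one line per HTTP response sent by the server,
# "frame src dst seconds_since_request uri". -Y is a Wireshark display filter;
# -T fields prints only the -e fields, tab separated.
http_response_times() {
    tshark -r "$CAP" -n -Y "http.time && ip.src == $SERVER_IP" -T fields \
        -e frame.number -e ip.src -e ip.dst -e http.time -e http.response_for.uri
}

# Network latency: the client's third handshake packet (ACK only, relative
# seq 1, ack 1, no payload) carries ack_rtt = time since the server's SYN/ACK,
# which is the round trip to that client measured from the server's port.
client_rtts() {
    tshark -r "$CAP" -n -T fields \
        -Y "ip.dst == $SERVER_IP && tcp.flags.syn == 0 && tcp.flags.ack == 1 && tcp.seq == 1 && tcp.ack == 1 && tcp.len == 0 && tcp.analysis.ack_rtt" \
        -e frame.number -e ip.src -e ip.dst -e tcp.analysis.ack_rtt
}

# Responses slower than $1 seconds, printed as "uri seconds". Reads field
# output on stdin; awk's default splitting handles tshark's tabs.
slow_responses() {
    awk -v limit="$1" '$4 + 0 > limit + 0 { print $5, $4 }'
}

# "count mean max" of the seconds column (4th field) of either function's output.
latency_summary() {
    awk '{ n++; sum += $4; if ($4 + 0 > max) max = $4 + 0 }
         END { if (n) printf "%d %.3f %.3f\n", n, sum / n, max }'
}

# Constructed samples of what http_response_times and client_rtts would print
# for a capture taken at the server; not real captures.
SAMPLE_HTTP='12 10.0.0.5 10.0.0.7 0.020 /api/login
40 10.0.0.5 10.0.0.7 2.300 /api/report
57 10.0.0.5 10.0.0.12 0.020 /static/app.js
88 10.0.0.5 10.0.0.9 3.100 /api/report'
SAMPLE_RTT='10 10.0.0.7 10.0.0.5 0.002
38 10.0.0.12 10.0.0.5 0.003
86 10.0.0.9 10.0.0.5 0.002'

# Stand-alone demo. On a real capture: http_response_times | slow_responses 1
echo "HTTP responses slower than 1 s:"
printf '%s\n' "$SAMPLE_HTTP" | slow_responses 1
echo "app (count mean max): $(printf '%s\n' "$SAMPLE_HTTP" | latency_summary)"
echo "net (count mean max): $(printf '%s\n' "$SAMPLE_RTT" | latency_summary)"
```

Read the two summaries together: in the sample, round trips to the clients are a few milliseconds while /api/report takes seconds to answer, so the delay is inside the server, and the hop-by-hop hunt across the network can be skipped. The reverse pattern, short http.time but long ack_rtt, points at the path to the clients.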
5. Network Miner
Network Miner is more of a forensic tool than a packet sniffer or network analyzer. It follows TCP streams and reconstructs entire conversations, extracting the files, credentials, hostnames and sessions they contain. It is a really powerful tool for in-depth analysis of traffic, albeit one that can be hard to master. The tool can work in an offline mode where you import a capture file, perhaps created using one of the other tools reviewed, and let Network Miner work its magic. It is a Windows .NET application (Netresec also documents running it on Linux and macOS under Mono), so the ability to work from capture files is certainly a plus. You could, for instance, use tcpdump on Linux to capture some traffic and Network Miner on Windows to analyze it.
Network Miner is available in a free version but, for the more advanced features such as IP address-based geolocation and scripting, you’ll need to purchase a Professional license, which will cost you $900. Another advanced function of the Professional version is the ability to decode and play back VoIP calls.
6. Fiddler
Some of our readers, specifically the more knowledgeable ones, will be tempted to argue that Fiddler, our last entry, is neither a packet sniffer nor a network analyzer. They are right: Fiddler is an HTTP proxy, not a sniffer. Still, we felt we should include this tool on our list, as it can be very useful in several different situations.
First and foremost, let’s set things straight: Fiddler will actually capture traffic, but not just any traffic. It only sees HTTP and HTTPS, and only from clients that send their requests through it; on Windows it registers itself as the system proxy, so browsers and applications that honour proxy settings are captured, while anything that ignores them is not. Despite this limitation, when you consider that so many applications today are web-based or use HTTP in the background, it’s easy to see how valuable such a tool can be. And since the tool captures not only browser traffic but just about any HTTP, it can be very useful in troubleshooting different types of applications.
The main advantage of a tool like Fiddler over a “true” packet sniffer like Wireshark is that it was built to “understand” HTTP traffic. It will, for instance, show cookies, headers and certificates, as well as the actual request and response bodies of HTTP-based applications. To see inside HTTPS it performs a man-in-the-middle: it generates its own root certificate, which you must install as trusted on the client, and re-signs server certificates with it. Do this only on test machines and remove the certificate afterwards, since anyone holding that root key can impersonate any site to that client. Fiddler (now called Fiddler Classic) is free and Windows only; the cross-platform successor, Fiddler Everywhere, is a separate commercial product that replaced the earlier OS X and Linux beta builds on Mono.