1. Overview of Network Analysis Software
Network failures have been a constant since the Internet emerged, and locating them quickly and accurately so that the network keeps running has always been the goal. To analyze the causes of network failures, a class of professional network analysis software has appeared. Network analysis software is a tool for troubleshooting networked programs: developers use it to find bugs during protocol development, many people use it to monitor network traffic, and it also serves as an auxiliary tool for checking security software.
Network analysis software has gone through three stages since its inception:
The first stage is packet capture and decoding. In the early days networks were small and simple, so network analysis software mainly captured the packets on the wire and decoded them, helping protocol designers analyze communication failures.
The second stage is the expert system. The software uses the captured packets, their characteristics and the relationship between successive timestamps to determine whether a data flow has a problem, at which layer it lies and how serious it is. The expert system is not limited to decoding; more importantly, it helps maintenance staff analyze network failures and offers suggestions and solutions.
The third stage develops network analysis tools into network management tools. Deployed at the network center, the software monitors the network over long periods, manages it actively and eliminates potential problems before they turn into failures.
2. Features of the three software
2.1. Wireshark
Wireshark is an efficient, free network packet capture and analysis tool. It captures the data on the wire and displays it intuitively, much as a multimeter makes a voltage visible. In the field of network analysis software most products are either obscure or expensive; Wireshark changed this. Its biggest strengths are that it is free, open source and cross-platform.
Wireshark runs on almost all popular operating systems: MS Windows, Mac OS, Linux, FreeBSD, HP-UX, NetBSD, Solaris/i386, Solaris/SPARC and others. Although it runs on many platforms, the transmission medium it supports best is Ethernet; capture on other link types such as 802.11, Token Ring, FDDI and ATM depends on the capture library and drivers of the host platform and was, at the time of writing, most complete on Linux.
Wireshark parses most LAN protocols, has a simple interface, is easy to operate and displays captured data in real time. What it lacks is an expert analysis function: when the network misbehaves, Wireshark only records the data. It is purely a measurement tool and does not act on the network by sending packets or taking other active measures.
At the time of writing, Wireshark had a known serious bug: under heavy traffic its capture buffer overflowed and the program terminated. This stems from the original design of the capture interface and platform layer and could not be fixed in the short term.
2.2. NAI Sniffer Portable
NAI's network analysis tool Sniffer has long been the trump card of network analysis software. It has both long accumulated experience and the problems of carrying an old code base forward. Long development has given Sniffer strong professional analysis capabilities, but it retains elements and earlier technologies from the DOS and Windows 95 era, which is why it runs only on Windows. Sniffer has a simple facility for sending packets and several auxiliary test tools such as ping, finger, trace and dnslookup.
Sniffer has three main functions: protocol analysis (Decode), network activity monitoring (Monitor) and an expert analysis system (Expert).
Like Wireshark, Sniffer analyzes network protocols, but its protocol support extends from LAN to WAN, and wireless networks are supported to a certain extent. Sniffer's protocol analysis is very detailed and its protocol descriptions are well layered. Despite this strength, Sniffer cannot display captured packets in real time, which is inconvenient for protocol developers hunting problems.
Sniffer's protocol analysis function can be used to learn protocols and find network faults. In practice, though, many problems are not clear-cut faults: a slow network or packet loss is hard to find through protocol analysis alone. Here Sniffer's network activity monitoring function shows the current state of the network directly, so a problem is discovered as soon as it occurs. Sniffer displays traffic, sessions, protocols, packet sizes, errors and other information in real time as intuitive graphics.
Sniffer's expert function is its most important and most outstanding feature. The expert system works in the background; once a trigger condition occurs it takes the corresponding action and then notifies the operator through audio-visual signals.
Through the expert system, Sniffer helps evaluate network performance: utilization, performance trends, which applications and which users consume the most bandwidth, the traffic of different protocols, and so on.
Through the expert system, Sniffer helps evaluate the state of business operations: the response time of each application, the time an operation takes, application bandwidth consumption, application behaviour characteristics, application performance bottlenecks, and so on.
Through the expert system, Sniffer quickly detects abnormal traffic and network attacks, so that countermeasures can be taken as early as possible. Sniffer also analyzes traffic trends: long-term monitoring reveals how traffic develops and gives a basis for deciding when to upgrade the network.
2.3. WildPackets OmniPeek
OmniPeek is a rising star among network analysis software. It is designed with many interface elements from Windows XP and 2000 and with contemporary software design techniques, and pays closer attention to the requirements of network software. It is internationalized and supports multiple languages. As a result OmniPeek is more concise, convenient and user-friendly, and it supports more new technologies and applications. Thanks to these newer technologies, OmniPeek has many plugins that extend its functions easily. Like Sniffer, in addition to sending simple packets, OmniPeek has three major functions: protocol parsing (Decode), network activity monitoring (Monitor) and an expert analysis system (Expert).
OmniPeek supports wireless networks well and provides a variety of drivers for promiscuous capture mode on wireless network cards, making it a powerful tool for wireless protocol analysis. OmniPeek also supports Gigabit networks well and performs well in both protocol analysis and network monitoring.
Unlike Sniffer, OmniPeek emphasizes visualization (Visualize), and many of its operations are completed graphically. OmniPeek focuses on analyzing overall phenomena and takes "streams" (TCP/UDP communication pairs) as its unit of analysis, which makes results easy to understand and greatly improves efficiency. OmniPeek's expert system is built on stream analysis; its overall analysis of a conversation is good, but it is slightly weaker on specific details.
OmniPeek integrates a distributed expert (DNX) system, and the Engine it provides can be deployed at various points in the network. The distributed expert system controls multiple Engines from one console to obtain the status of the entire network; the console interface is the same as the ordinary network analysis interface. Through OmniPeek's distributed expert system, monitoring can be extended to places the console cannot reach directly, giving a more comprehensive picture of how the network is running.
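The first two stages from section 1 (decode the packets, then apply expert rules over their characteristics and timestamps) and the stream-based analysis OmniPeek is described as using above can be shown in a few dozen lines. The following Python example is added here; it is not code from the article or from Wireshark, Sniffer or OmniPeek. It builds a small classic pcap file in memory from constructed sample traffic (not a real capture), decodes Ethernet/IPv4/TCP headers, groups packets into direction-independent conversations (the "stream" of TCP communication pairs) and applies two expert-style rules: a data segment repeated by the same side is reported as a retransmission, and a silence longer than a threshold is reported as a long gap. The rule names, the 0.5 s threshold and the sample addresses and ports are illustrative assumptions.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic, little-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, PSH, ACK = 0x02, 0x08, 0x10

def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Construct an Ethernet II / IPv4 / TCP frame for the sample capture (checksums left zero)."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def build_pcap(records):
    """Serialize (timestamp, frame) pairs as a classic pcap file: 24-byte global header, then records."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def decode_frame(frame):
    """Stage one, decoding: Ethernet -> IPv4 -> TCP. Anything else (ARP, UDP, truncated) gives None."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
    if proto != IPPROTO_TCP or ihl < 20 or total_len < ihl + 20 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "sport": sport,
            "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x01FF, "payload_len": len(tcp) - data_off}

def parse_pcap(data):
    """Walk the pcap record list and return the decoded TCP packets with float timestamps."""
    if len(data) < 24 or struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % (off - 16))
        pkt = decode_frame(data[off:off + incl_len])
        off += incl_len
        if pkt is not None:
            pkt["ts"] = sec + usec / 1_000_000
            packets.append(pkt)
    return packets

def expert_analysis(packets, gap_threshold=0.5):
    """Stage two, expert rules per conversation (rule names and threshold are illustrative)."""
    conversations = defaultdict(list)
    for p in packets:
        # Direction-independent key: both halves of a TCP stream land in one conversation.
        conversations[tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))].append(p)
    findings = []
    for key, pkts in conversations.items():
        seen_segments, last_ts = set(), None
        for p in pkts:
            if p["payload_len"]:  # a data segment repeated by the same side is a retransmission
                segment = (p["src"], p["sport"], p["seq"])
                if segment in seen_segments:
                    findings.append(("retransmission", key, p["ts"]))
                seen_segments.add(segment)
            if last_ts is not None and p["ts"] - last_ts > gap_threshold:  # long silence
                findings.append(("long_gap", key, round(p["ts"] - last_ts, 3)))
            last_ts = p["ts"]
    return dict(conversations), findings

def sample_capture():
    """Constructed traffic, not a real capture: handshake, a request sent twice, a late reply."""
    c, s = "10.0.0.5", "10.0.0.80"
    req, resp = b"GET / HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n"
    return build_pcap([
        (1.000000, build_frame(c, s, 40000, 80, 100, 0, SYN)),
        (1.000200, build_frame(s, c, 80, 40000, 500, 101, SYN | ACK)),
        (1.000400, build_frame(c, s, 40000, 80, 101, 501, ACK)),
        (1.001000, build_frame(c, s, 40000, 80, 101, 501, PSH | ACK, req)),
        (1.301000, build_frame(c, s, 40000, 80, 101, 501, PSH | ACK, req)),  # same segment again
        (2.001000, build_frame(s, c, 80, 40000, 501, 101 + len(req), PSH | ACK, resp)),  # 0.7 s later
    ])

if __name__ == "__main__":
    print(expert_analysis(parse_pcap(sample_capture()))[1])
```

Run stand-alone, the script reports one retransmission (the repeated request) and one long gap (the 0.7 s wait for the reply) for the single client/server conversation. The decoder checks header lengths before slicing and the pcap walker rejects a record that claims more bytes than remain, which is the kind of input validation a tool that consumes untrusted captures needs; a real product would add IPv6, UDP and TCP option handling on top of this skeleton.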
3. Comparison of the three software
Feature Comparison
Wireshark is a typical packet capture tool with mainly the characteristics of first-generation network analysis software. With continued updates it has also gained some simple graphical monitoring functions. The protocols Wireshark analyzes are mainly LAN protocols and the media it supports are mainly Ethernet. Its functions are relatively simple and efficient. Wireshark has no network status analysis function and cannot offer advice on network problems.
NAI's Sniffer covers protocol analysis, network monitoring and intelligent management. Its protocol analysis is very detailed, and its coverage of wide area network protocols in particular is very comprehensive, but it is not very extensible and support for new protocols arrives slowly. Sniffer's network status monitoring is also very powerful: it monitors traffic, bandwidth, protocols, application response time, session hosts and other information and presents them graphically. Sniffer's expert function is very detailed, strictly layered by protocol, with every detail considered; in addition it classifies network abnormalities, so the corresponding problem is easy to find.
OmniPeek offers functions similar to Sniffer's: protocol analysis, network monitoring and intelligent management. OmniPeek does not support as many protocols as Sniffer, but its wireless and voice analysis are stronger. OmniPeek's expert functions are not as detailed or as powerful as Sniffer's.
4. Conclusion
Wireshark is a small, open source packet capture tool available on almost all popular operating systems. It is well suited to learning network protocols and is a good tool for protocol developers to verify their protocols. Because of the buffer overflow bug described above, it is not recommended for analyzing heavily loaded 100 Mbit/s networks or for Gigabit network analysis.
Sniffer Portable has superb expert analysis capabilities but is expensive; using it merely to capture packets and decode protocols is a waste. For large networks with high security and stability requirements, Sniffer's expert analysis and warning functions are a good choice. Sniffer also offers Report options and distributed hardware; used together they form a complete security monitoring system, and the cost is justified.
OmniPeek represents a new force, with good support for wireless networks, voice and other technologies. Because it can use many plugins, it adapts quickly to emerging services and applications, so it suits environments where the network is not very large and applications change frequently. OmniPeek can also be used in wireless and Gigabit environments.
In short: Wireshark runs on Linux and the other platforms listed in section 2.1 and is the tool of choice for capturing packets to verify protocol behaviour. Sniffer runs only on Windows, as noted in section 2.2. OmniPeek relies on dedicated wireless drivers for promiscuous capture and has a steeper learning curve, but it is the strongest of the three for wireless analysis.