1. Overview of Network Analysis Software
Since the emergence of networks, network failures have been a constant issue. Quickly and accurately pinpointing failures to ensure stable network operation has always been a goal. To analyze the causes of network failures, a category of professional network analysis software was developed. Network analysis software acts as a diagnostic tool for network program errors, enabling developers to discover bugs in protocol development. Many people use it to monitor network data, and it also serves as an auxiliary tool for security checking software.
Network analysis software has gone through three stages from its inception to the present:
The first stage was the packet capture and decoding phase. In the early days, networks were relatively small and simple, so network analysis software primarily captured network data packets and then decoded them to help protocol designers analyze communication faults.
The second stage was the expert system phase. Network analysis software used the captured data packets to determine whether there was a problem with the network data flow, at which layer the problem lay, and how severe it was, based on packet characteristics and the timing relationships between packets. Expert systems not only decode but, more importantly, help maintenance personnel analyze network failures, offering advice and solutions.
The third stage involves developing network analysis tools into network management tools. As network management tools, network analysis software can be deployed at the network center for long-term monitoring, proactive management of the network, and elimination of potential problems.
2. Features of the Three Tools
1. Wireshark
Wireshark is an efficient, free network packet capture and analysis tool. It can capture and describe data transmitted via network cables, visually displaying it like using a multimeter to measure voltage. In the field of network analysis software, most programs are either complicated or expensive, but Wireshark has changed this situation. Its most notable features include being free, open-source, and supporting multiple platforms.
Wireshark can run on almost all popular operating platforms, such as MS Windows, Mac OS, Linux, FreeBSD, HP-UX, NetBSD, Solaris/i386, Solaris/sparc, and more. Although Wireshark is available on many operating platforms, its supported transmission media are mainly Ethernet. Only on the Linux platform does Wireshark support 802.11, Token Ring, FDDI, and ATM.
Wireshark can parse most LAN protocols and offers a simple interface with user-friendly operation and real-time data capture display. However, Wireshark lacks analysis functions; it simply records data when a network anomaly occurs. It is merely a measurement tool and does not operate on the network, nor does it send data packets or perform other active actions.
Wireshark currently has a known critical bug: a buffer overflow that occurs while it is running can terminate the program. This bug stems from the original interface and platform design constraints and cannot be resolved in the short term.
2. NAI Sniffer Portable
NAI's Sniffer has been the flagship network analysis software for a long time. It has both long-term accumulated experience and issues due to the continuation of outdated systems. This extensive development has conferred Sniffer with strong professional analytical capabilities, but it maintains elements from the DOS and WIN95 era, making it usable only on the Windows platform. Sniffer has simple packet-sending functions and includes several auxiliary testing tools such as ping, finger, trace, dnslookup, etc.
Sniffer has three main functionalities: 1. Protocol Decoding (Decode); 2. Network Activity Monitoring (Monitor); 3. Expert Analysis System (Expert).
Like Wireshark, Sniffer can parse network protocols and supports protocols extending from LANs to WANs and even wireless networks. Sniffer's protocol decoding is very detailed, with highly layered protocol descriptions. Despite its strong decoding capabilities, Sniffer cannot display captured data packets in real-time, which might inconvenience protocol developers in troubleshooting.
Sniffer's protocol decoding function can be used to learn various protocols and troubleshoot network faults. However, many issues are not as apparent as faults, such as network slowness or packet loss, which are difficult to detect solely through protocol decoding. At such times, Sniffer's network activity monitoring can directly observe current network operations, allowing for quick problem detection when issues arise. Sniffer vividly displays network traffic, session, protocol, packet size, errors, and other information in real-time with intuitive graphics.
The expert functionality is Sniffer's highlight and standout feature. Sniffer's expert system works silently in the background, enacting corresponding actions whenever trigger conditions occur, and then notifying us through audiovisual signals.
Through the expert system, Sniffer can help us evaluate network performance, such as network utilization, performance trends, applications consuming the most bandwidth, users within the network consuming the most bandwidth, traffic statuses of different protocols, and more.
Through the expert system, Sniffer assists in evaluating operational status, such as application response times, the time required for operations, application bandwidth consumption, behavioral characteristics, performance bottlenecks, etc.
The expert system allows Sniffer to quickly detect abnormal traffic and network attacks, providing early intervention support. Sniffer can assist in traffic trend analyses, revealing network traffic development trends through long-term monitoring, advising amendments or upgrades for future network planning.
3. WildPackets OmniPeek
OmniPeek is an emerging player in network analysis software due to its adoption of numerous Windows XP and 2000 elements and more popular software design techniques during its development. It pays greater attention to network software requirements, is internationally focused, and supports multiple languages. As a result, OmniPeek is simpler, more convenient, and more user-friendly. It supports more new technologies and applications. Utilizing new technologies, OmniPeek includes numerous plugins that allow easy functionality expansion. Like Sniffer, OmniPeek also possesses three major functionalities: 1. Protocol Decoding (Decode); 2. Network Activity Monitoring (Monitor); 3. Expert Analysis System (Expert).
OmniPeek effectively supports wireless networks, providing rich driver support for promiscuous mode packet capture with wireless adapters, making it a powerful tool for wireless protocol analysis. OmniPeek also demonstrates excellent performance in protocol analysis and network monitoring for gigabit networks.
Unlike Sniffer, OmniPeek places a greater emphasis on visualization, completing many operations graphically. OmniPeek focuses on overall phenomenon analysis, using "flows" (TCP/UDP communication pairs) as objects of study to produce easily understandable analysis results, thereby significantly improving efficiency. OmniPeek's expert system is based on analyzing these "flows," offering better session-wide analysis but lacking in specific details.
OmniPeek integrates Distributed Network Expert (DNX) system functionality. Its engine can be deployed across various network segments. The distributed expert system controls multiple engines via a console to obtain the entire network status; the operating interface is identical to that of a standard network analysis interface. Through OmniPeek's distributed expert system, monitoring can be extended to areas the console cannot directly reach, providing a more comprehensive understanding of network operations.
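To make the flow-centred view described above concrete, here is an added Python example (not code from OmniPeek or from the original article) that groups packet records into bidirectional TCP/UDP flows, keyed on a direction-normalized 5-tuple, and ranks them by bytes transferred, the kind of "which session consumes the most bandwidth" summary an expert system reports. The packet records are constructed for the example.

```python
from dataclasses import dataclass

# Constructed packet records: (timestamp, src, sport, dst, dport, proto, bytes).
# Not taken from any real capture; chosen to show one TCP and one UDP conversation.
PACKETS = [
    (0.000, "10.0.0.5", 52113, "93.184.216.34", 443, "TCP", 74),
    (0.012, "93.184.216.34", 443, "10.0.0.5", 52113, "TCP", 74),
    (0.013, "10.0.0.5", 52113, "93.184.216.34", 443, "TCP", 66),
    (0.020, "10.0.0.5", 52113, "93.184.216.34", 443, "TCP", 583),
    (0.150, "93.184.216.34", 443, "10.0.0.5", 52113, "TCP", 1514),
    (1.000, "10.0.0.5", 40001, "10.0.0.1", 53, "UDP", 70),
    (1.005, "10.0.0.1", 53, "10.0.0.5", 40001, "UDP", 120),
]

def flow_key(src, sport, dst, dport, proto):
    """Normalize a 5-tuple so both directions of one conversation share a key."""
    a, b = (src, sport), (dst, dport)
    if a > b:                      # order endpoints so direction does not matter
        a, b = b, a
    return (proto, a, b)

@dataclass
class Flow:
    proto: str
    endpoint_a: tuple
    endpoint_b: tuple
    first_ts: float
    last_ts: float
    packets: int = 0
    bytes_a_to_b: int = 0
    bytes_b_to_a: int = 0

    @property
    def duration(self):
        return self.last_ts - self.first_ts

    @property
    def total_bytes(self):
        return self.bytes_a_to_b + self.bytes_b_to_a

def build_flows(packets):
    """Aggregate individual packets into per-flow statistics."""
    flows = {}
    for ts, src, sport, dst, dport, proto, size in packets:
        key = flow_key(src, sport, dst, dport, proto)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(proto, key[1], key[2], ts, ts)
        f.last_ts = max(f.last_ts, ts)
        f.packets += 1
        if (src, sport) == f.endpoint_a:
            f.bytes_a_to_b += size
        else:
            f.bytes_b_to_a += size
    return flows

def top_flows(flows, n):
    """Return the n flows that moved the most bytes, largest first."""
    return sorted(flows.values(), key=lambda f: f.total_bytes, reverse=True)[:n]
```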
3. Comparison of the Three Tools
Functionality Comparison
Wireshark is a typical network packet capture tool, embodying the characteristics of first-generation network analysis software. With continuous software updates, Wireshark has acquired some basic graphical monitoring functionality. The protocols it decodes are primarily LAN protocols, and the media it supports are predominantly Ethernet, resulting in single-functionality but high efficiency. Wireshark lacks network status analysis capabilities and cannot provide reference opinions on network issues.
NAI's Sniffer encompasses protocol decoding, network monitoring, and intelligent management. Sniffer's protocol decoding is highly detailed, especially for WAN protocols, but its scalability is limited, with slow updates for new protocol support. Sniffer's network status monitoring is robust, capable of monitoring traffic, bandwidth, protocols, application response times, session hosts, and more, and displaying information graphically. Sniffer's expert functionality is meticulous, rigorously layered according to protocol tiers, considering every detail. Furthermore, it categorizes abnormal network conditions, making it easy to identify corresponding issues.
OmniPeek's functionality is largely similar to Sniffer's, covering protocol decoding, network monitoring, and intelligent management. OmniPeek supports fewer protocols than Sniffer but outperforms Sniffer in wireless and voice protocol analysis. OmniPeek's expert functionality is not as detailed as Sniffer's and is less powerful.
4. Summary
Wireshark is a compact, open-source packet capture tool usable on almost all popular operating systems. It is well-suited for general users learning network protocols and for protocol developers validating protocols. Given Wireshark's buffer overflow bug, it is advised not to use it for analyzing high-traffic hundred-megabit networks or gigabit networks.
Sniffer Portable has superb expert analysis capabilities and is expensive; using it for packet capture and protocol analysis is wasteful. For large networks with stringent security and stability requirements, Sniffer's expert analysis and forecast functions are a suitable choice. Additionally, Sniffer offers some report options and distributed hardware that, when used in combination, can form a complete security monitoring system, making such expenditure worthwhile.
OmniPeek represents a new force, offering excellent support for wireless networks, voice, and other technologies. OmniPeek can utilize many plugins to adapt quickly to new businesses and applications, making it suitable for environments where networks are not extensive, and applications frequently update. For wireless and gigabit environments, OmniPeek is also a viable choice.
Wireshark is suitable for Linux, capturing packets for protocol authentication.
Sniffer is typically pre-installed on Apple's systems, and Apple's network cards are quite good, making it convenient.
OmniPeek requires specialized network cards, making it more cumbersome to use, but it can analyze encrypted interactive data.
Enable Wireless Network Card Monitoring Mode and Capture Packets on Linux