What is Packet Analysis and Packet Sniffers

Packet analysis, often referred to as packet sniffing or protocol analysis, is the process of capturing and interpreting data as it flows across a network in order to understand what is happening on that network. It is typically performed with a packet sniffer, a tool that captures raw network data from the wire; most sniffers can also read packets back from a saved capture file, so the same analysis can be done after the fact.
Packet analysis can help with the following:
 1. Understanding network characteristics
 2. Learning who is on a network
 3. Determining who or what is utilizing available bandwidth
 4. Identifying peak network usage times
 5. Identifying possible attacks or malicious activity
 6. Finding unsecured and bloated applications

There are various types of packet-sniffing programs, both free and commercial, each designed with different goals in mind. A few popular packet-analysis programs are tcpdump, Wireshark and OmniPeek. tcpdump is a command-line program; Wireshark and OmniPeek have graphical user interfaces (GUIs).

  • Evaluating a Packet Sniffer

 You need to consider a number of factors when selecting a packet sniffer, including the following:
Supported protocols All packet sniffers can interpret various protocols. Most can interpret common network layer protocols (such as IPv4 and ICMP), transport layer protocols (such as TCP and UDP), and even application layer protocols (such as DNS and HTTP). Support for newer or less common protocols varies more (when this was written, IPv6, SMBv2 and SIP were the usual examples). When choosing a sniffer, make sure that it supports the protocols you are going to use, and check how deeply it decodes them: a tool that only recognizes a protocol's port number is not the same as one that dissects its fields.

User-friendliness Consider the packet sniffer’s program layout, ease of installation, and general flow of standard operations. The program you choose should fit your level of expertise. If you have very little packet analysis experience, you may want to avoid the more advanced command line packet sniffers like tcpdump. On the other hand, if you have a wealth of experience, you may find an advanced program more appealing. As you gain experience with packet analysis, you may even find it useful to combine multiple packet-sniffing programs to fit particular scenarios.

Cost The great thing about packet sniffers is that there are many free ones that rival any commercial products. The most notable difference between commercial products and their free alternatives is their reporting engines. Commercial products typically include some form of fancy report-generation module, which is usually lacking or nonexistent in free applications.


Program support Even after you have mastered the basics of a sniffing program, you will occasionally need support to solve new problems as they arise. When evaluating available support, look for developer documentation, public forums, and mailing lists. Although free packet-sniffing programs like Wireshark may lack formal vendor support, the communities that use these applications usually fill the gap, providing discussion boards, wikis, and blogs designed to help you get more out of your packet sniffer.

Operating system support Unfortunately, not all packet sniffers support every operating system. Choose one that works on all the operating systems you need to support. If you are a consultant, you may be required to capture and analyze packets on a variety of operating systems, so you will need a tool that runs on most of them. Also keep in mind that you will often capture packets on one machine and review them on another. Variations between operating systems may force you to use a different application for each device, so prefer tools that write a portable capture format (pcap or pcapng) that any other sniffer can read.

  • How Packet Sniffers Work


The packet-sniffing process involves a cooperative effort between software and hardware. This process can be broken down into three steps:

Collection In the first step, the packet sniffer collects raw binary data from the wire. Typically, this is done by switching the selected network interface into promiscuous mode. In this mode, the network card passes up every frame it receives, not only frames addressed to its own MAC address. Note the caveat: on a switched network the switch only forwards unicast frames to the port they belong to, so promiscuous mode by itself shows you broadcast and multicast traffic plus the host's own conversations. To see other hosts' traffic you need a mirror (SPAN) port, a network tap, or to capture on the host of interest. Enabling promiscuous mode also requires elevated privileges (root or CAP_NET_RAW on Linux).

Conversion In this step, the captured binary data is converted into a readable form by decoding the link, network and transport headers. Many command-line packet sniffers stop here, printing each packet as a one-line header summary (tcpdump's default output is the classic example). At this point, the network data can be interpreted only at a basic level, leaving the majority of the analysis to the end user.