Packet analyzer

A sniffer (from the English "to sniff") is a piece of software that can record the data traffic on a network and inspect it for anomalies. It is a tool for network analysis.

Origin of the term

"Sniffer" is the English word for a snooper. The manufacturer Network General used it as the name of its software for analysing networks and finding anomalies in their traffic. Because the product name described the function of the software well and was catchy, it established itself as the generic term for software of this kind.

Technology

A sniffer distinguishes between so-called non-promiscuous mode and promiscuous mode. In non-promiscuous mode only the traffic arriving at and leaving the sniffing computer itself is captured (plus broadcast frames and the multicast groups the interface has joined, since the network card delivers those as well). In promiscuous mode the sniffer collects all traffic that reaches the network interface it is bound to: not only the frames addressed to that interface, but also those addressed to other hosts. In Ethernet networks the addressee of a frame is determined by the destination MAC address.
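The difference between the two modes is the receive filter of the network card, which can be modelled in a few lines. The following Python is an added example, not code from this page or from any of the products it names; the MAC addresses and frames are constructed for the illustration and the function names are my own.

```python
"""Ethernet frame parsing and the NIC's destination-MAC receive filter.

Added illustration (not code from the page): simulates which frames a
sniffer receives in non-promiscuous versus promiscuous mode. All frames
and MAC addresses below are constructed by hand for the example.
"""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")


def parse_ethernet(frame: bytes) -> dict:
    """Split a raw Ethernet II frame into dst, src, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def mac_str(mac: bytes) -> str:
    """Render six raw bytes as the usual colon-separated MAC notation."""
    return ":".join(f"{b:02x}" for b in mac)


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool,
                multicast_groups=()) -> bool:
    """Model the receive filter of a network interface.

    Non-promiscuous: only frames to the interface's own unicast address,
    to the broadcast address, or to a multicast group it has joined.
    Promiscuous: every frame that reaches the interface.
    """
    if promiscuous:
        return True
    dst = parse_ethernet(frame)["dst"]
    if dst == own_mac or dst == BROADCAST:
        return True
    is_multicast = bool(dst[0] & 0x01)  # I/G bit of the first octet
    return is_multicast and dst in set(multicast_groups)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame (no FCS) from its fields."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample traffic with made-up, locally administered addresses.
MAC_A = bytes.fromhex("020000000001")  # the sniffing host
MAC_B = bytes.fromhex("020000000002")
MAC_C = bytes.fromhex("020000000003")
MDNS = bytes.fromhex("01005e0000fb")   # IPv4 multicast MAC for 224.0.0.251

SAMPLE_FRAMES = [
    build_frame(MAC_A, MAC_B, 0x0800, b"addressed to the sniffer"),
    build_frame(MAC_C, MAC_B, 0x0800, b"B talking to C"),
    build_frame(BROADCAST, MAC_C, 0x0806, b"ARP who-has"),
    build_frame(MDNS, MAC_C, 0x0800, b"mDNS announcement"),
]


def capture(frames, own_mac: bytes, promiscuous: bool, multicast_groups=()):
    """Return the (src, dst) pairs the sniffer would see in the given mode."""
    seen = []
    for frame in frames:
        if nic_accepts(frame, own_mac, promiscuous, multicast_groups):
            hdr = parse_ethernet(frame)
            seen.append((mac_str(hdr["src"]), mac_str(hdr["dst"])))
    return seen


if __name__ == "__main__":
    print("non-promiscuous:", capture(SAMPLE_FRAMES, MAC_A, False))
    print("promiscuous:    ", capture(SAMPLE_FRAMES, MAC_A, True))
```

The model covers the receive path only; frames the host sends itself are visible in both modes. On a real Linux host the mode is switched with `ip link set dev eth0 promisc on`, and tcpdump enables it by default unless started with `-p`.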

Which data a sniffer can see also depends on the network topology. If the computer is connected to a hub, all traffic of the other hosts can be captured. If a switch is used, little or no traffic that is not destined for the sniffing system itself is seen. However, there are several techniques for receiving those frames anyway, such as ARP spoofing, ICMP redirects, DHCP spoofing or MAC flooding. A switch should therefore not be regarded as a security feature.
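ARP spoofing, the most common of the techniques just listed, leaves a trace that a sniffer used for intrusion detection can pick up: the same IP address is suddenly claimed by a second MAC address in ARP replies. The following Python is an added example, not code from this page or from any product it names; it constructs a few ARP replies by hand (all addresses are made up) and runs a simple IP-to-MAC consistency check over them.

```python
"""Detecting ARP spoofing from captured ARP replies.

Added illustration (not code from the page): tracks which MAC address
claims each IPv4 address in ARP replies and raises an alert when the
claim changes. Frames and addresses below are constructed for the example.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
ARP_FORMAT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, smac, sip, tmac, tip


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_arp_reply(sender_mac: bytes, sender_ip: str,
                    target_mac: bytes, target_ip: str) -> bytes:
    """Construct an Ethernet frame carrying an Ethernet/IPv4 ARP reply."""
    eth = struct.pack("!6s6sH", target_mac, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack(ARP_FORMAT,
                      1,        # hardware type: Ethernet
                      0x0800,   # protocol type: IPv4
                      6, 4,     # hardware / protocol address lengths
                      ARP_REPLY,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      target_mac, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, _tmac, _tip = struct.unpack(
        ARP_FORMAT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    return op, smac, str(ipaddress.IPv4Address(sip))


def detect_arp_spoofing(frames):
    """Return (ip, previous_mac, new_mac) alerts for IPs whose MAC changes.

    A genuine NIC replacement or a failover gateway produces the same
    signal, so an alert is an indicator to investigate, not proof.
    """
    ip_to_mac = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip = parsed
        if op != ARP_REPLY:
            continue
        known = ip_to_mac.get(sip)
        if known is not None and known != smac:
            alerts.append((sip, mac_str(known), mac_str(smac)))
        ip_to_mac[sip] = smac
    return alerts


# Constructed sample capture: gateway 192.0.2.1, victim 192.0.2.10, and an
# attacker that later claims the gateway's IP towards the victim.
MAC_GW = bytes.fromhex("020000000001")
MAC_VICTIM = bytes.fromhex("02000000000a")
MAC_ATTACKER = bytes.fromhex("0200000000ee")

SAMPLE_CAPTURE = [
    build_arp_reply(MAC_GW, "192.0.2.1", MAC_VICTIM, "192.0.2.10"),       # genuine
    build_arp_reply(MAC_VICTIM, "192.0.2.10", MAC_GW, "192.0.2.1"),       # genuine
    b"\x00" * 60,                                                         # non-ARP filler
    build_arp_reply(MAC_ATTACKER, "192.0.2.1", MAC_VICTIM, "192.0.2.10"),  # spoofed
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_spoofing(SAMPLE_CAPTURE):
        print(f"ALERT: {ip} moved from {old} to {new}")
```

The same check is what tools such as arpwatch perform continuously; in a real deployment the sniffing interface must itself be in promiscuous mode, otherwise it only sees the ARP replies addressed to it or broadcast.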

There are several reasons to use a sniffer:

  • Diagnosing network problems
  • Detecting intrusions (intrusion detection systems)
  • Analysing network traffic and filtering it for suspicious content
  • Data espionage

Known Sniffer products and their classification

(Product overview: see below)

LAN analyzers, commonly known as "sniffers" (after the oldest and for a long time most widely used product), have existed since the late 1980s. In the field of LAN analysis people therefore often speak of "the sniffer application" without meaning the product of that name specifically, but simply any product of this type.

In general, the following distinctions are made:

  • Local analyzer versus remote / distributed analyzer: local analyzers are classic PC programs. Remote analyzers are agents located in distant LAN segments and controlled from a central station, as has long been common in network management. This is called distributed analysis. In networks heavily segmented by switching and routing, this type of analysis is ultimately indispensable.
  • Hardware analyzer versus software analyzer: while in the mid-1990s hardware analyzers were still heavily relied upon, software analyzers running on ordinary PCs have since become widely accepted. Hardware analyzers remain indispensable in high-performance networks, but their high cost compared with software analyzers, their slower pace of development and the capital risk in the event of a wrong purchase have led customers to use hardware only where it is truly indispensable. As a result, hardly any manufacturers of hardware analyzers are still active in the market.
  • Commercial analyzer versus non-commercial ("open source") analyzer: until the end of the 1990s there were practically only proprietary analyzers. This has changed gradually since 1998 with Wireshark (formerly Ethereal).

History of development

Until the end of the 1990s, users were almost completely dependent on commercial products. Their shortcoming was less that they cost money than that the manufacturers worked past the market and recognised important needs late or not at all. As a result, users resorted to self-help (see Wireshark), which in turn led to a crisis for many commercial manufacturers.

Since about 2002, the adoption and spread of the GPL-licensed analyzer Wireshark (formerly Ethereal) has increased immensely. The main reasons are that the software can be obtained free of charge over the Internet, its capability, its constant updates and its practical relevance. At the end of the 1990s around ten major commercial manufacturers of LAN analyzers (smaller ones not counted) were active worldwide; since then the number of significant manufacturers has fallen to about five.

The extremely large developer community that Wireshark has meanwhile attracted can no longer be matched by most commercial manufacturers. Large companies that use their own LAN protocols now also take part in the development. The fact that Wireshark is an open platform helps Siemens, for example, to analyse its own protocols for machine control or medical technology.

The four manufacturers that can still supply powerful hardware LAN analyzers are (as of 2007) NetScout, through its acquisition of Network General (Sniffer), Network Instruments (Observer), WildPackets (EtherPeek NX, OmniPeek) and the German company consistec, whose PA2010e solutions, an interesting niche product for telecom network operators, run a modified Ethereal/Wireshark on their own hardware. Manufacturers whose hardware analyzers have largely been withdrawn from the market or have become insignificant in Europe are Agilent (Hewlett-Packard), Acterna (Wavetek Wandel Goltermann) and Siemens (K1100, discontinued in the 1990s); Siemens is now committed to the Wireshark environment.

Expert systems

A characteristic of all products is that the operator usually needs well-advanced knowledge to recognise protocol procedures and protocol errors and to assess them reliably. At the latest when liability issues arise, the findings must be able to withstand judicial or expert review and must therefore be beyond doubt. Only a few specialists can deliver this level. This bottleneck is a problem in itself.

Attempts to overcome this bottleneck with expert systems have brought a great deal of progress, but have only to a very limited extent achieved the goal that even laypersons can help themselves effectively.

Product Overview

Important LAN analysis products in alphabetical order:

Free products:

  • Cain & Abel
  • Ettercap
  • NETCORtools (TCP-trace based)
  • NetworkMiner
  • Tcpdump
  • Wireshark (formerly known as Ethereal)

Proprietary products:

  • Caplon (consistec)
  • ClearSight Analyzer (ClearSight Networks)
  • EtherPeek, OmniPeek, GigaPeek (WildPackets)
  • LANdecoder32 (Triticom)
  • Microsoft Network Monitor
  • NetSpector (INAT)
  • NetVCR (Niksun)
  • Network PIAFCTM
  • Observer (Network Instruments)
  • OptiView (Fluke Networks)
  • Sniffer (NetScout, after the acquisition of Network General)
  • TraceCommander (Synapse Networks)
  • WebSensor and webProbe (Moniforce)