Packet analyzer

Screenshot of the Wireshark network protocol analyzer (Wireshark 3.6)

A packet analyzer (also packet sniffer or network analyzer) [1] [2] [3] [4] [5] [6] [7] [8] is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. [9] Packet capture is the process of intercepting and logging traffic. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.

A packet analyzer used for intercepting traffic on wireless networks is known as a wireless analyzer; those designed specifically for Wi-Fi networks are Wi-Fi analyzers. [note 1] While a packet analyzer can also be referred to as a network analyzer or protocol analyzer, these terms can also have other meanings: protocol analyzer can technically denote a broader, more general class that includes packet analyzers/sniffers. [10] However, the terms are frequently used interchangeably. [11]

Capabilities

On wired shared-medium networks, such as Ethernet, Token Ring, and FDDI, it may be possible to capture all traffic on the network from a single machine, depending on the network structure (hub or switch). [12] [note 2] On modern networks, traffic can be captured using a network switch with port mirroring, which copies all packets that pass through designated ports of the switch to another port, if the switch supports it. A network tap is an even more reliable solution than using a monitoring port, since taps are less likely to drop packets under high traffic load.

On wireless LANs, traffic can be captured on one channel at a time, or by using multiple adapters, on several channels simultaneously.

On wired broadcast and wireless LANs, to capture unicast traffic between other machines, the network adapter capturing the traffic must be in promiscuous mode. On wireless LANs, even if the adapter is in promiscuous mode, packets not addressed to the service set the adapter is configured for are usually ignored. To see those packets, the adapter must be in monitor mode. No special provisions are required to capture multicast traffic to a multicast group the packet analyzer is already monitoring, or broadcast traffic.

When traffic is captured, either the entire contents of packets or just the headers are recorded. Recording just headers reduces storage requirements and avoids some privacy and legal issues, yet often provides sufficient information to diagnose problems.

Captured information is decoded from raw digital form into a human-readable format that lets engineers review exchanged information. Protocol analyzers vary in their abilities to display and analyze data.
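To make the capture and decode steps above concrete, here is an added example (not from the article or from any of the tools it names) in Python: it serialises a constructed Ethernet/IPv4/TCP frame into an in-memory libpcap file, reads it back, and decodes the header fields, showing how a snaplen-limited, header-only capture still yields the addressing and protocol fields while the payload is absent. The frame contents, addresses and timestamps are constructed sample data.

```python
import struct
# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP SYN from
# 192.168.0.1:54321 to 192.168.0.199:80 plus 20 bytes of payload; checksums are placeholders.
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")
IPV4 = bytes.fromhex("4500003c1c46400040" "06b1e6" "c0a80001" "c0a800c7")
TCP = bytes.fromhex("d4310050" "00000000" "00000000" "5002ffff" "00000000")
FRAME = ETH + IPV4 + TCP + b"x" * 20
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def build_pcap(frames, snaplen=65535):
    """Write (ts_sec, frame) pairs as a classic libpcap file (LINKTYPE_ETHERNET = 1).
    snaplen caps each stored record: incl_len is what was stored, orig_len the true size."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for ts_sec, frame in frames:
        stored = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, 0, len(stored), len(frame)) + stored
    return bytes(out)

def read_pcap(data):
    """Yield (ts_sec, incl_len, orig_len, frame_bytes) for each record."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, incl_len, orig_len, data[off:off + incl_len]
        off += incl_len

def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP, stopping at the first layer cut off by snaplen."""
    out = {}
    if len(frame) < 14:
        return out
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    out["eth"] = {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return out
    ver_ihl, _, total_len, _, _, ttl, proto, _, saddr, daddr = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    ihl = (ver_ihl & 0x0F) * 4
    out["ip"] = {"src": ".".join(map(str, saddr)), "dst": ".".join(map(str, daddr)),
                 "ttl": ttl, "proto": proto, "total_length": total_len}
    tcp_off = 14 + ihl
    if proto != 6 or len(frame) < tcp_off + 20:
        return out
    sport, dport, seq, _, off_flags, window = struct.unpack_from("!HHIIHH", frame, tcp_off)
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "window": window,
                  "flags": [n for bit, n in TCP_FLAGS.items() if off_flags & bit],
                  "captured_payload": len(frame) - tcp_off - (off_flags >> 12) * 4}
    return out

def analyze(pcap_bytes):
    """Decode every record and flag header-only (truncated) ones."""
    return [dict(decode_frame(f), truncated=incl < orig) for _, incl, orig, f in read_pcap(pcap_bytes)]
```

Calling `analyze(build_pcap([(1700000000, FRAME)], snaplen=54))` keeps only the 54 header bytes of each record, so the decoded addresses, ports and flags are intact but `captured_payload` is 0 and `truncated` is set.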

Some protocol analyzers can also generate traffic. These can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test the device under test's ability to handle errors. [13] [14]

Protocol analyzers can also be hardware-based, either in probe format or, as is increasingly common, combined with a disk array. These devices record packets or packet headers to a disk array.

Uses

Packet analyzers can:

Packet capture can be used to fulfill a warrant from a law enforcement agency to wiretap all network traffic generated by an individual. Internet service providers and VoIP providers in the United States must comply with Communications Assistance for Law Enforcement Act regulations. Using packet capture and storage, telecommunications carriers can provide the legally required secure and separate access to targeted network traffic and can use the same device for internal security purposes. Collecting data from a carrier system without a warrant is illegal due to laws about interception. By using end-to-end encryption, communications can be kept confidential from telecommunication carriers and legal authorities.

Notable packet analyzers

See also

Notes

  1. The term Wi-Fi analyzer is also used to describe the instruments/software for wireless site surveys.
  2. Some methods avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g., ARP spoofing).

Related Research Articles

tcpdump Data-network packet analyzer

tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing on a router or on a computer that is connected to a wired network or is part of a wireless LAN. Interfaces are placed into promiscuous mode by the software bridges often used with hardware virtualization.

Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a computer network, and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep packet inspection is often used for baselining application behavior, analyzing network usage, troubleshooting network performance, ensuring that data is in the correct format, checking for malicious code, eavesdropping, and internet censorship, among other purposes. There are multiple headers for IP packets; network equipment only needs to use the first of these for normal operation, but use of the second header is normally considered to be shallow packet inspection despite this definition.

dSniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data. arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker. sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

Ettercap (software) Network traffic analysis and interception software

Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Its original developers later founded Hacking Team.

In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of packet capture, that is not the API's proper name. Unix-like systems implement pcap in the libpcap library; for Windows, there is a port of libpcap named WinPcap that is no longer supported or developed, and a port named Npcap for Windows 7 and later that is still supported.

Wireless security Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

Bus analyzer

A bus analyzer is a type of a protocol analysis tool, used for capturing and analyzing communication data across a specific interface bus, usually embedded in a hardware system. The bus analyzer functionality helps design, test and validation engineers to check, test, debug and validate their designs throughout the design cycles of a hardware-based product. It also helps in later phases of a product life cycle, in examining communication interoperability between systems and between components, and clarifying hardware support concerns.

Monitor mode, or RFMON mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the eight modes in which an 802.11 wireless adapter can operate: Master, Managed, Ad hoc, Repeater, Mesh, Wi-Fi Direct, TDLS and Monitor mode.

Wireshark Network traffic analyzer

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

Omnipeek is a packet analyzer software tool from Savvius, a LiveAction company, for network troubleshooting and protocol analysis. It supports an application programming interface (API) for plugins.

Microsoft Network Monitor (Netmon) is a deprecated packet analyzer. It enables capturing, viewing, and analyzing network data and deciphering network protocols. It can be used to troubleshoot network problems and applications on the network. Microsoft Network Monitor 1.0 was originally designed and developed by Raymond Patch, a transport protocol and network adapter device driver engineer on the Microsoft LAN Manager development team.

Packet injection, in computer networking, is the process of interfering with an established network connection by constructing packets that appear to be part of the normal communication stream. The packet injection process allows an unknown third party to disrupt or intercept packets between the consenting parties that are communicating, which can lead to degradation or blockage of users' ability to use certain network services or protocols. Packet injection is commonly used in man-in-the-middle attacks and denial-of-service attacks.

EtherApe Network traffic monitoring tool

EtherApe is a packet sniffer/network traffic monitoring tool, developed for Unix. EtherApe is free, open source software developed under the GNU General Public License.

ngrep Packet analyser

ngrep is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library.

CommView is an application for network monitoring, packet analysis, and decoding. There are two editions of CommView: the standard edition for Ethernet networks and the wireless edition for 802.11 networks named CommView for WiFi. The application runs on Microsoft Windows. It is developed by TamoSoft, a privately held New Zealand company founded in 1998.

Xplico is a network forensics analysis tool (NFAT), which is software that reconstructs the contents of acquisitions performed with a packet sniffer.

A sniffing attack, in the context of network security, corresponds to the theft or interception of data by capturing network traffic with a packet sniffer. When data is transmitted across networks, if the data packets are not encrypted, the data within the network packet can be read using a sniffer. Using a sniffer application, an attacker can analyze the network and gain information to eventually cause the network to crash or become corrupted, or read the communications happening across the network.

A wireless onion router is a router that uses Tor to connect securely to a network. The onion router allows the user to connect to the internet anonymously. Tor works using an overlay network that is free throughout the world; this overlay network is made up of numerous volunteer-run relay points, which help the user hide personal information behind layers of encrypted data, like the layers of an onion. Such routers are built using a Raspberry Pi with an added wireless module, or with the built-in wireless module of later versions.

Sniffer (protocol analyzer) Network packet and protocol analyzer

The Sniffer was a computer network packet and protocol analyzer developed and first sold in 1986 by Network General Corporation of Mountain View, CA. By 1994 the Sniffer had become the market leader in high-end protocol analyzers. According to SEC 10-K filings and corporate annual reports, between 1986 and March 1997 about $933M worth of Sniffers and related products and services had been sold as tools for network managers and developers.

References

  1. Chapple, Mike; Stewart, James Michael; Gibson, Darril (2018). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. John Wiley & Sons. ISBN 978-1-119-47587-3. Archived from the original on April 5, 2023. Retrieved March 23, 2023. "A sniffer (also called a packet analyzer or protocol analyzer) is a software application that captures traffic traveling over the network."
  2. Rakibul, Hoque, Md; Edward, Bashaw, R. (2020). Cross-Border E-Commerce Marketing and Management. IGI Global. p. 186. ISBN 978-1-7998-5824-9. Archived from the original on April 5, 2023. Retrieved March 23, 2023. "Packet Sniffing: It is also known as packet analyzer, protocol analyzer"
  3. Trost, Ryan (2009). Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century. Pearson Education. ISBN 978-0-321-59188-3. Archived from the original on April 5, 2023. Retrieved March 23, 2023. "A packet sniffer (also known as a packet analyzer, protocol analyzer, or network analyzer) monitors network traffic"
  4. Cyber Law, Privacy, and Security: Concepts, Methodologies, Tools, and Applications. IGI Global. 2019. p. 58. ISBN 978-1-5225-8898-6. Archived from the original on April 6, 2023. Retrieved March 23, 2023. "Packet Sniffing: A packet analyzer, also called as a network analyzer, protocol analyzer or packet sniffer"
  5. Asrodia, Pallavi; Patel, Hemlata (2012). "Analysis of Various Packet Sniffing Tools for Network Monitoring and Analysis". International Journal of Electrical, Electronics and Computer Engineering: 55. CiteSeerX 10.1.1.429.567. ISSN 2277-2626. "Packet Sniffing... also known as Network or Protocol Analyzer or Ethernet Sniffer"
  6. "What is a Packet Sniffer?". www.kaspersky.com. 2018. Archived from the original on August 30, 2023. Retrieved December 26, 2021.
  7. "What is Network Packet Capture?". www.endace.com. 2023. Archived from the original on July 30, 2023. Retrieved April 5, 2023.
  8. "Definition of network analyzer". PCMAG. Archived from the original on April 5, 2023. Retrieved December 26, 2021.
  9. Kevin J. Connolly (2003). Law of Internet Security and Privacy. Aspen Publishers. p. 131. ISBN 978-0-7355-4273-0.
  10. Sikos, Leslie F. (2020). "Packet analysis for network forensics: A comprehensive survey". Forensic Science International: Digital Investigation. 32: 200892. doi:10.1016/j.fsidi.2019.200892. ISSN 2666-2817. S2CID 212863330. "Those protocol analyzers that are designed for packet analysis are called packet analyzers (packet sniffers, sometimes network analyzers)."
  11. Poulton, Don (2012). MCTS 70-642 Cert Guide: Windows Server 2008 Network Infrastructure, Configuring. Pearson Education. ISBN 978-0-13-280216-1. Archived from the original on April 13, 2023. Retrieved March 23, 2023. "protocol analyzer. Also known as a network analyzer or packet analyzer, a protocol analyzer is a hardware device or software program that enables you to capture, store, and analyze each packet that crosses your network"
  12. "Network Segment Definition". www.linfo.org. Archived from the original on June 7, 2023. Retrieved January 14, 2016.
  13. "Lab Protocol Analyzers". www.amilabs.com. Archived from the original on June 30, 2023. Retrieved June 30, 2023.
  14. shivakumar (December 18, 2020). "Where is Protocol analyzer used?". Prodigy Technovations. Archived from the original on June 30, 2023. Retrieved June 30, 2023.