Sniffer (protocol analyzer)

Sniffer
Developer(s): Network General
Initial release: December 1986
Written in: C, 8086 assembler
Operating system: MS-DOS
Type: protocol analyzer

The Sniffer [1] was a computer network packet and protocol analyzer developed and first sold in 1986 by Network General Corporation [2] of Mountain View, CA. By 1994 the Sniffer had become the market leader [3] in high-end protocol analyzers. According to SEC 10-K filings [4] [5] [6] and corporate annual reports, [7] between 1986 and March 1997 about $933M worth of Sniffers and related products and services had been sold as tools for network managers and developers.


The Sniffer was the antecedent of several generations of network protocol analyzers, of which the most popular today is Wireshark.

Background

The Sniffer was the first product of Network General Corporation, founded on May 13, 1986 [8] [9] by Harry Saal and Len Shustek to develop and market network protocol analyzers. The inspiration was an internal test tool that had been developed within Nestar Systems, [10] a personal computer networking company founded in October 1978 by Saal and Shustek along with Jim Hinds and Nick Fortis. In 1982 engineers John Rowlands and Chris Reed at Nestar’s UK subsidiary Zynar Ltd developed an ARCNET promiscuous packet receiver and analyzer called TART (“Transmit and Receive Totaliser”) for use as an internal engineering test tool. It used custom hardware, and software for an IBM PC written in a combination of BASIC and 8086 assembly code. When Nestar was acquired by Digital Switch Corporation (now DSC Communications) of Plano, Texas in 1986, [11] Saal and Shustek received the rights to TART.

At Network General, Saal and Shustek initially sold TART as the “R-4903 ARCNET Line Analyzer (‘The Sniffer’)”. [12] They then reengineered TART for IBM’s Token Ring network hardware, created a different user interface with software written in C, and began selling it as The Sniffer™ in December 1986. [13] The company had four employees at the end of that year.

In April 1987 the company released an Ethernet version of the Sniffer, [14] [15] and in October, versions for ARCNET, StarLAN, and IBM PC Network Broadband. Protocol interpreters were written for about 100 network protocols at various levels of the protocol stack, and customers were given the ability to write their own interpreters. The product line gradually expanded to include the Distributed Sniffer System [16] for multiple remote network segments, the Expert Sniffer [17] for advanced problem diagnosis, and the Watchdog [18] for simple network monitoring.

Development

Nestar ARCNET Sniffer

Figure: IBM PC ARCNET Sniffer board

The ARCNET Sniffer developed as an internal test tool by Zynar used the IBM PC ARCNET Network Interface Card developed by Nestar for the PLAN networking systems. That board used the COM9026 integrated ARCNET controller from Standard Microsystems Corporation, which had been developed in collaboration with Datapoint.

There was no promiscuous mode in the SMC chip that would allow all packets to be received regardless of the destination address. So to create the Sniffer, a daughterboard [19] was developed that intercepted the receive data line to the chip and manipulated the data so that every packet looked like a broadcast and was received by the chip.

Figure: IBM PC ARCNET Sniffer daughterboard potted module

Since the ability to receive all packets was viewed as a violation of network privacy, the circuitry implementing it was kept secret, and the daughterboard was potted in black epoxy to discourage reverse-engineering.

The source code of the original TART/Sniffer BASIC and assembler program is available on GitHub. [20]

Network General Sniffer

Figure: Token-Ring Sniffer, 1986

The Sniffer was a promiscuous mode packet receiver, which means it received a copy of all network packets without regard to what computer they were addressed to. The packets were filtered, analyzed using what is now sometimes called Deep Packet Inspection, and stored for later examination.

The Sniffer was implemented above Microsoft’s MS-DOS operating system, and used a 40 line 80-character text-only display. The first version, the PA-400 protocol analyzer for Token-Ring networks, [21] was released on a Compaq Portable II “luggable” computer that had an Intel 80286 processor, 640 KB of RAM, a 20 MB internal hard disk, a 5 ¼” floppy disk drive, and a 9” monochrome CRT screen. The retail price of the Sniffer in unit quantities was $19,995. [22]

Figure: Sniffer data flow

The two major modes of operation [13] were:

Navigation of the extensive menu system on the character-mode display was through a variation of Miller Columns that were originally created by Mark S Miller at Datapoint Corporation for their file browser. As the Sniffer manual described, “The screen shows you three panels, arranged from left to right. Immediately to the left of your current (highlighted) position is the node you just came from. Above and below you in the center panel are alternative nodes that are also reachable from the node to your left… To your right are nodes reachable from the node you're now on.”

Figure: Sniffer menu navigation

Pressing F10 initiated capture and a real-time display of activity. [21]

Figure: Example Sniffer screen during packet capture

When capture ended, packets were analyzed and displayed in one or more of the now-standard three synchronized vertical windows: multiple packet summary, single packet decoded detail, and raw numerical packet data. Highlighting linked the selected items in each window.

In the multiple-packet summary, the default display was of information at the highest level of the protocol stack present in that packet. Other displays could be requested using the “display options” menu.

The translation of data at a particular level of the network protocol stack into user-friendly text was the job of a “protocol interpreter”, or PI. Network General provided over 100 PIs [23] for commonly used protocols of the day:

  • 3COM 3+
  • AppleTalk ADSP
  • AppleTalk AFP
  • AppleTalk ARP
  • AppleTalk ASP
  • AppleTalk ATP
  • AppleTalk DDP
  • AppleTalk ECHO
  • AppleTalk KSP
  • AppleTalk LAP
  • AppleTalk NBP
  • AppleTalk PAP
  • AppleTalk RTMP
  • AppleTalk ZIP
  • ARP
  • AT&T
  • Banyan VINES AFRP
  • Banyan VINES Echo
  • Banyan VINES File Svc
  • Banyan VINES FRP
  • Banyan VINES FTP
  • Banyan VINES IP
  • Banyan VINES LLC
  • Banyan VINES Loopback
  • Banyan VINES Matchmaker
  • Banyan VINES Ntwk Mgr
  • Banyan VINES SPP
  • Banyan VINES StreetTalk
  • Banyan VINES Svr Svc
  • Banyan VINES Talk
  • BOOTP
  • Bridge bridge mgmt
  • Bridge CS-1
  • Bridge terminal srvr
  • Chaosnet
  • ComDesign
  • Cronus direct
  • Cronus VLN
  • Datapoint DLL
  • Datapoint RCL
  • Datapoint RIO
  • Datapoint RMS
  • DEC 911
  • DEC bridge mgmt
  • DEC LAN monitor
  • DEC LAST
  • DEC LAVC
  • DEC NetBIOS
  • DECNET CTERM
  • DECNET DAP
  • DECNET DRP
  • DECNET FOUND
  • DECNET LAT
  • DECNET LAVC
  • DECNET MOP
  • DECNET NICE
  • DECNET NSP
  • DECNET SCP
  • DNS
  • ECMA internet
  • EGP
  • Excelan
  • FTP
  • GGP
  • IBM SMB
  • IBM SNA
  • ICMP
  • IONET VCS
  • IONET VCS CMND
  • IONET VCS DATA
  • IONET VCS TRANS
  • IP
  • ISO ACSE
  • ISO ASN.1
  • ISO CMIP
  • ISO Network
  • ISO PPP
  • ISO ROSE
  • ISO Session
  • ISO SMTP
  • ISO Transport
  • LOOP
  • Loopback
  • Micom test
  • NBS internet
  • Nestar ARCnet
  • Nestar PlanSeries
  • NetBIOS
  • NetBIOS TCP
  • Novell Netware
  • PUP address translation
  • RPL
  • RUnix
  • SMTP
  • SNAP
  • Sun MOUNT
  • Sun NFS
  • Sun PMAP
  • Sun RPC
  • Sun RSTAT
  • Sun YP
  • Symbolics private
  • TCP
  • Telnet
  • TFTP
  • TRING DLC
  • TRING LLC
  • TRING MAC
  • TRING RI
  • U-B
  • Vitalink bridge mgmt
  • X.25
  • X.25 level 3
  • X.75 internet
  • Xerox BOOTP
  • Xerox EGP
  • Xerox GGP
  • Xerox ND
  • Xerox PUP
  • Xerox PUP ARP
  • Xerox RIP
  • Xerox TFTP
  • Xerox XNS
  • Xyplex

Decoding higher protocol levels often required the interpreter to maintain state information about connections so that subsequent packets could be properly interpreted. That was implemented with a combination of locally cached data within the protocol interpreter, and the ability to look back at earlier packets stored in the capture buffer.

Sniffer customers could write their own protocol interpreters to decode new or rare protocols not supported by Network General. Interpreters were written in C and linked with the rest of the Sniffer modules to create a new executable program. The procedure for creating new PIs was documented in April 1987 as part of Sniffer version 1.20. [24]
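As an added illustration of the interpreter chain described in this section and of the summary/detail windows described above (example code written for this page, not Network General's PI code or its linking interface, which the article does not document): each PI below decodes one layer of a constructed frame, appends a line for the decoded-detail window, hands the payload to the PI for the next layer, and leaves the one-line summary at the highest layer reached, the rule the multiple-packet summary followed by default. The type and function names (`decode_ctx`, `decode_frame`, `arp_pi`, `ip_pi`, `udp_pi`) and the two sample frames are assumptions constructed for the example. Every PI bounds-checks its header before reading fields, so a truncated or malformed frame degrades to a lower-level summary rather than an out-of-bounds read, which is the defect class any decoder fed arbitrary network bytes has to guard against.

```c
/* Added example, not Network General's code: a miniature protocol
 * interpreter (PI) chain. Every frame byte below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoder context shared by all PIs: the one-line summary shown in the
 * multi-packet window and the per-layer lines of the detail window. */
typedef struct {
    char summary[96];   /* summary from the highest layer decoded */
    char detail[512];   /* accumulated detail lines, one per layer */
    int layers;         /* number of layers decoded successfully */
} decode_ctx;

static void add_detail(decode_ctx *c, const char *line)
{
    if (strlen(c->detail) + strlen(line) + 2 < sizeof c->detail) {
        strcat(c->detail, line);
        strcat(c->detail, "\n");
    }
}

/* Each successfully decoded layer overwrites the summary, so the
 * summary that survives belongs to the highest layer reached. */
static void set_summary(decode_ctx *c, const char *line)
{
    snprintf(c->summary, sizeof c->summary, "%s", line);
    c->layers++;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* ARP PI (RFC 826, IPv4 over Ethernet): 28-byte body, bounds-checked first. */
static void arp_pi(decode_ctx *c, const uint8_t *p, size_t len)
{
    char line[128];
    if (len < 28) { add_detail(c, "ARP: truncated"); return; }
    uint16_t op = be16(p + 6);
    snprintf(line, sizeof line, "ARP: %s %u.%u.%u.%u -> %u.%u.%u.%u",
             op == 1 ? "request" : op == 2 ? "reply" : "op?",
             p[14], p[15], p[16], p[17], p[24], p[25], p[26], p[27]);
    add_detail(c, line);
    set_summary(c, line);
}

/* UDP PI: 8-byte header. */
static void udp_pi(decode_ctx *c, const uint8_t *p, size_t len)
{
    char line[128];
    if (len < 8) { add_detail(c, "UDP: truncated"); return; }
    snprintf(line, sizeof line, "UDP: port %u -> %u, length %u",
             be16(p), be16(p + 2), be16(p + 4));
    add_detail(c, line);
    set_summary(c, line);
}

/* IPv4 PI: validates version, IHL and total length before dispatching
 * on the protocol field; only UDP has a PI in this example. */
static void ip_pi(decode_ctx *c, const uint8_t *p, size_t len)
{
    char line[128];
    if (len < 20 || (p[0] >> 4) != 4) { add_detail(c, "IP: not IPv4 or truncated"); return; }
    size_t ihl = (size_t)(p[0] & 0x0f) * 4, total = be16(p + 2);
    if (ihl < 20 || total < ihl || total > len) { add_detail(c, "IP: bad length fields"); return; }
    snprintf(line, sizeof line, "IP: %u.%u.%u.%u -> %u.%u.%u.%u, protocol %u",
             p[12], p[13], p[14], p[15], p[16], p[17], p[18], p[19], p[9]);
    add_detail(c, line);
    set_summary(c, line);
    if (p[9] == 17) udp_pi(c, p + ihl, total - ihl);
}

/* Ethernet II PI, the bottom of the chain: dispatches on EtherType.
 * Returns the number of layers decoded; c->summary holds the top one. */
int decode_frame(const uint8_t *f, size_t len, decode_ctx *c)
{
    char line[128];
    memset(c, 0, sizeof *c);
    if (len < 14) { add_detail(c, "Ethernet: truncated"); return 0; }
    uint16_t type = be16(f + 12);
    snprintf(line, sizeof line,
             "Ethernet: %02x:%02x:%02x:%02x:%02x:%02x -> %02x:%02x:%02x:%02x:%02x:%02x, type 0x%04x",
             f[6], f[7], f[8], f[9], f[10], f[11], f[0], f[1], f[2], f[3], f[4], f[5], type);
    add_detail(c, line);
    set_summary(c, line);
    if (type == 0x0806) arp_pi(c, f + 14, len - 14);
    else if (type == 0x0800) ip_pi(c, f + 14, len - 14);
    return c->layers;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t ARP_FRAME[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06, /* Ethernet */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,                            /* ARP header, op=request */
    0x00,0x11,0x22,0x33,0x44,0x55, 0xc0,0xa8,0x01,0x0a,                      /* sender MAC / IP */
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01 };                    /* target MAC / IP */
static const uint8_t UDP_FRAME[] = {
    0x00,0xaa,0xbb,0xcc,0xdd,0xee, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00, /* Ethernet */
    0x45,0x00, 0x00,0x20, 0x00,0x01, 0x00,0x00, 0x40, 0x11, 0x00,0x00,         /* IPv4, protocol 17 */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,                                /* src / dst IP */
    0x04,0x00, 0x00,0x35, 0x00,0x0c, 0x00,0x00, 'p','i','n','g' };           /* UDP 1024 -> 53 */

int main(void)
{
    decode_ctx c;
    decode_frame(ARP_FRAME, sizeof ARP_FRAME, &c);
    printf("Summary: %s\n%s\n", c.summary, c.detail);
    decode_frame(UDP_FRAME, sizeof UDP_FRAME, &c);
    printf("Summary: %s\n%s\n", c.summary, c.detail);
    decode_frame(UDP_FRAME, 20, &c);   /* truncated copy: falls back to the Ethernet summary */
    printf("Summary: %s\n%s", c.summary, c.detail);
    return 0;
}
```

Adding a PI for another protocol means writing one more function of the same shape and one more dispatch line in its parent; that is the extension point the article says customers used, here reduced to a function call rather than a separately linked module.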

In addition to supporting many network protocols, there were versions of the Sniffer that collected data from the major local area networks in use in the 1980s and early 1990s:

Competitors

Even in the early years, the Sniffer had competition, [25] at least for some aspects of the product. Several were, like the Sniffer, ready-to-use packaged instruments:

There were also several software-only packet monitors and decoders, often running on Unix, and often with only a command-line user interface:

See also


References

  1. Joch, Alan (2001-07-23). "Network Sniffers". Computerworld. Retrieved 2021-02-16.
  2. "May 13: Network General Corporation Founded | This Day in History | Computer History Museum". www.computerhistory.org. Retrieved 2021-02-16.
  3. Musthaler, Linda (1994-02-21). "Merger will hone net analysis focus". Network World. Vol. 11, no. 8. International Data Group. p. 35.
  4. "Network General Corporation FY95 10-K". SEC Edgar database. June 28, 1995.
  5. "Network General Corporation FY96 10-K". SEC Edgar database. July 25, 1996.
  6. "Network General Corporation FY97 10-K". SEC Edgar database. June 27, 1997.
  7. "Network General Corp. annual reports 1989-1993, 1995, 1997" via Internet Archive.
  8. Petrosky, Mary (1987-06-22). "Network General smells success with Sniffer". Network World. Vol. 4, no. 25. International Data Group. p. 15.
  9. "Presenting Network General Corporation". July 1992. Retrieved 2021-11-17.
  10. Prins, G.A. (November–December 1979). "Distributing computing at the personal level". Electronics and Power. 25 (11): 765. doi:10.1049/ep.1979.0422. ISSN 0013-5127.
  11. Flynn, Laurie (1986-11-24). "Nestar Says Firm's Acquisition To Improve LAN and PBX Links". InfoWorld. Vol. 8, no. 48. InfoWorld Media Group, Inc. p. 25.
  12. Network General R 4903 ARCNET Line Analyzer Manual Sep 1986. Network General. 1986-09-25.
  13. Network General Token Ring Sniffer V 1.0 Dec 1986. Network General Corporation. December 1986.
  14. Network General Ethernet Sniffer Introduction Apr 1987. Network General. 1987-04-01.
  15. Network General Ethernet Sniffer Jun 1988. Network General. 1988-06-01.
  16. Smalley, Eric (1991-04-01). "Sniffer Gains Distributed Management Capabilities". Network World. Vol. 8, no. 13. International Data Group. p. 4.
  17. Busse, Torsten (1992-09-28). "Expert Sniffer to Diagnose WANs". InfoWorld. Vol. 14, no. 39. InfoWorld Media Group, Inc. p. 45.
  18. Taft, Peter (1990-08-27). "The Watchdog Sniffs Out LAN Traffic Statistics". InfoWorld. Vol. 12, no. 35. InfoWorld Media Group, Inc. p. 54.
  19. Nestar ARCNET Sniffer Internal Descriptions. Nestar Systems. 1982–1984.
  20. NestarSystems/ARCNET_Sniffer on GitHub
  21. "1986 12 Network General Large Brochure : Free Download, Borrow, and Streaming". Internet Archive. December 1986. Retrieved 2021-06-03.
  22. "1987 03 16 Network General Price List End User : Free Download, Borrow, and Streaming". Internet Archive. Retrieved 2021-06-03.
  23. "1991 04 The Network Is Your Business : Network General Corp. : Free Download, Borrow, and Streaming". Internet Archive. April 1991. Retrieved 2021-06-04.
  24. Network General Token Ring Sniffer V 1.20 Addendum Apr 1987. Network General. 1987-04-01.
  25. Glass, Brett (1989-02-06). "LAN Analyzers: Powerful Tools Useful For Serious Network Analysis". InfoWorld. Vol. 11, no. 6. InfoWorld Media Group, Inc. p. S14.
  26. Satyanarayanan, M (September 22, 1984). "The Excelan Nutcracker: An Evaluation" (PDF).
  27. LANalyzer EX5000E Ethernet Network Analyzer (PDF). Excelan. 1986.
  28. HP Computer Museum. "4972A Protocol Analyzer". www.hpmuseum.net. Retrieved 2021-02-18.
  29. Pabrai, Uday. "Understanding and Using Computer Networks" (PDF). p. 3-26.
  30. "Quick and Accurate LAN Measurements" (PDF).
  31. McCann, Steven (December 19, 1992). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF).
  32. "LANWatch Version 3.0". InfoWorld. Vol. 15, no. 19. InfoWorld Media Group, Inc. 1993-05-10. p. 85.