Wireshark (network packet interceptor). Writing a simple sniffer for Windows

Wireshark is a powerful network analyzer that can be used to analyze the traffic passing through your computer's network interface. You may need it to detect and solve network problems, debug your web applications, network programs or sites. Wireshark allows you to fully view the contents of a packet at all levels, so you can better understand how the network works at a low level.

All packets are captured in real time and presented in an easy-to-read format. The program supports a very powerful filtering system, color highlighting and other features that will help you find the right packets. In this tutorial we'll look at how to use Wireshark to analyze traffic. The developers recently started the second branch of the program, Wireshark 2.0, which brought many changes and improvements, especially to the interface. This is the version we will use in this article.

Before moving on to ways of analyzing traffic, it is worth looking in more detail at what features the program supports, what protocols it can work with and what it can do. Here are the main features of the program:

  • Capture packets in real time from wired or any other type of network interfaces, as well as read from a file;
  • The following capture interfaces are supported: Ethernet, IEEE 802.11, PPP and local virtual interfaces;
  • Packets can be filtered based on many parameters using filters;
  • All known protocols are highlighted in the list in different colors, for example TCP, HTTP, FTP, DNS, ICMP and so on;
  • Support for capturing VoIP call traffic;
  • Decryption of HTTPS traffic is supported if a certificate is available;
  • Decryption of WEP and WPA traffic of wireless networks with a key and handshake;
  • Displaying network load statistics;
  • View packet contents for all network layers;
  • Displays the time of sending and receiving packets.

The program has many other features, but these were the main ones that might interest you.

How to use Wireshark

I assume that you already have the program installed, but if not, you can install it from the official repositories. To do this, type the command in Ubuntu:

sudo apt install wireshark

After installation, you can find the program in the main menu of the distribution. You need to run Wireshark with superuser rights, because otherwise it will not be able to analyze network packets. This can be done from the main menu or via the terminal using the command for KDE:

And for Gnome/Unity:

The main window of the program is divided into three parts: the first column contains a list of network interfaces available for analysis, the second - options for opening files, and the third - help.

Network traffic analysis

To start analysis, select a network interface, for example eth0, and click the button Start.

After this, the following window will open, already with a stream of packets that pass through the interface. This window is also divided into several parts:

  • Top part - the menus and panels with various buttons;
  • Packet list - below that, the stream of network packets you will analyze is displayed;
  • Packet contents - just below that are the contents of the selected packet, split into sections according to protocol layer;
  • Raw bytes - at the very bottom the contents of the packet are shown in raw form, as bytes and in HEX.

You can click on any packet to analyze its contents:

Here we see a DNS request packet used to get the site's IP address: the request carries the domain name, and in the response packet we receive our question along with the answer.

For more convenient viewing, you can open the packet in a new window by double-clicking on the entry:

Wireshark filters

Manually going through packets to find the ones you need is very inconvenient, especially on a busy stream. Therefore, for this task it is better to use filters. There is a special field under the menu for entering filters. You can click Expression to open the filter designer, but there are a lot of filter fields, so we'll look at the most basic ones:

  • ip.dst - destination IP address;
  • ip.src - source IP address;
  • ip.addr - IP address of either the source or the destination;
  • ip.proto - protocol number;
  • tcp.dstport - destination port;
  • tcp.srcport - source port;
  • ip.ttl - the TTL (time to live) field, a rough indicator of the network distance;
  • http.request_uri - the requested URI.

To specify the relationship between a field and a value in a filter, you can use the following operators:

  • == - equals;
  • != - not equal;
  • < - less;
  • > - more;
  • <= - less or equal;
  • >= - more or equal;
  • matches - matches a regular expression;
  • contains - contains a substring.

To combine multiple expressions you can use:

  • && - both expressions must be true for the packet;
  • || - at least one of the expressions must be true.

Now let's take a closer look at several filters using examples and try to understand all the relationship operators.

First, let's filter all packets sent to 194.67.215.. Type the string into the filter field and click Apply. For convenience, Wireshark filters can be saved using the Save button:

ip.dst == 194.67.215.125

And in order to see not only the packets sent to this host, but also those received in response from it, you can combine two conditions:

ip.dst == 194.67.215.125 || ip.src == 194.67.215.125

We can also select large transferred files by their HTTP content length:

http.content_length > 5000

By filtering on the Content-Type, we can select all the pictures that were downloaded. Let's analyze the Wireshark traffic for packets whose content type contains the word image:

http.content_type contains image
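The filter language above can be reproduced in miniature to see how the fields, the comparison operators and && / || combine. The following is an added example, not code from the original page or from Wireshark: a small evaluator for the filters shown in this section, run over a constructed packet table (the field names follow Wireshark's, the packet data is made up).

```python
import re

# Constructed packet records standing in for Wireshark's decoded fields (made-up
# sample data, not a real capture). A missing key means that layer is absent.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "194.67.215.125", "ip.proto": 6, "ip.ttl": 64,
     "tcp.srcport": 51000, "tcp.dstport": 80, "http.request_uri": "/index.html"},
    {"no": 2, "ip.src": "194.67.215.125", "ip.dst": "10.0.0.5", "ip.proto": 6, "ip.ttl": 52,
     "tcp.srcport": 80, "tcp.dstport": 51000, "http.content_type": "image/png", "http.content_length": 8192},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "8.8.8.8", "ip.proto": 17, "ip.ttl": 64,
     "udp.srcport": 40000, "udp.dstport": 53, "dns.qry.name": "example.com"},
    {"no": 4, "ip.src": "194.67.215.125", "ip.dst": "10.0.0.5", "ip.proto": 6, "ip.ttl": 52,
     "tcp.srcport": 80, "tcp.dstport": 51001, "http.content_type": "text/html", "http.content_length": 1200},
]

OPS = {"==", "!=", "<", ">", "<=", ">=", "matches", "contains"}
CMP = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "contains": lambda a, b: b in str(a),
    "matches": lambda a, b: re.search(b, str(a)) is not None,
}
# Operators and keywords are listed before the generic field/value token so they win.
TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||==|!=|<=|>=|<|>|matches|contains|"[^"]*"|[A-Za-z0-9_.]+)')

def tokenize(text):
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("cannot tokenize filter near: " + text[pos:])
        out.append(m.group(1))
        pos = m.end()
    return out

class Parser:
    """Recursive-descent parser: '&&' binds tighter than '||', parentheses group."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def expr(self):                      # expr := term ('||' term)*
        node = self.term()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):                      # term := atom ('&&' atom)*
        node = self.atom()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.atom())
        return node
    def atom(self):                      # atom := '(' expr ')' | field op value | field
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        field = self.take()
        if self.peek() in OPS:
            op = self.take()
            return ("cmp", field, op, self.take())
        return ("has", field)            # bare name such as "http" or "dns": is that layer present?

def coerce(raw, like):
    """Convert a filter literal to the type of the packet field it is compared with."""
    raw = raw.strip('"')
    return int(raw) if isinstance(like, int) else raw

def compare(pkt, field, op, raw):
    if field not in pkt:                 # comparing an absent field is false, as in Wireshark
        return False
    return CMP[op](pkt[field], coerce(raw, pkt[field]))

def evaluate(node, pkt):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "has":
        return any(k == node[1] or k.startswith(node[1] + ".") for k in pkt)
    _, field, op, raw = node
    if field == "ip.addr":               # ip.addr means "source OR destination", as in Wireshark
        return compare(pkt, "ip.src", op, raw) or compare(pkt, "ip.dst", op, raw)
    return compare(pkt, field, op, raw)

def apply_filter(text, packets=PACKETS):
    """Return the numbers of the packets that match the display filter text."""
    tree = Parser(tokenize(text)).expr()
    return [p["no"] for p in packets if evaluate(tree, p)]
```

Note the ip.addr rule: `ip.addr != x` is true whenever either address differs from x, which is the same surprise real Wireshark filters have.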

To clear the filter, press the Clear button. You will not always know all the information needed for filtering and may just want to explore the network. You can add any field of a packet as a column and view its value in the main window for every packet.

For example, I want to display the TTL (time to live) of a packet as a column. To do this, open the packet details and find this field in the IP section. Then open the context menu and select the option Apply As Column:

In the same way, you can create a filter based on any desired field. Select it and bring up the context menu, then click Apply as filter or Prepare as filter, then choose Selected to display only packets with the selected value, or Not selected to exclude them:

The specified field and its value will be applied or, in the second case, inserted into the filter field:

In this way, you can add any packet field or column to the filter; this option is also in the context menu. To filter by protocol, you can use simpler conditions. For example, let's analyze Wireshark traffic for the HTTP and DNS protocols:

Another interesting feature is using Wireshark to track a specific session between the user's computer and the server. To do this, open the context menu for the packet and select Follow TCP stream.

A window will then open in which you will find all the data transferred between the server and the client:

Diagnosing Wireshark problems

You may be wondering how to use Wireshark 2.0 to detect problems on your network. For this there is a round button in the lower left corner of the window; clicking it opens the Expert Tools window, in which Wireshark collects all error messages and network problems:

The window is divided into tabs such as Errors, Warnings, Notices, Chats. The program can filter and find many network problems, and here you can see them very quickly. Wireshark filters are also supported here.

Wireshark traffic analysis

You can very easily understand what users downloaded and what files they viewed if the connection was not encrypted. The program does a very good job of extracting content.

To do this, you first need to stop traffic capture using the red square on the panel. Then open the menu File -> Export Objects -> HTTP:

Sniffers are programs that intercept all network traffic. Sniffers are useful for network diagnostics (for administrators) and for intercepting passwords (it's clear for whom :)). For example, if you gained access to one machine on a network and installed a sniffer there, then soon all the passwords from its subnet would be yours. Sniffers put the network card into listening mode (PROMISC), that is, they receive all packets. Locally you can intercept all packets sent by all machines (if you are not separated by any hubs), since broadcasting is used there. Sniffers can intercept all packets (which is very inconvenient, the log file fills up terribly fast, but for a more detailed network analysis it's perfect) or only the first bytes of all sorts of ftp, telnet, pop3 etc. sessions (this is the fun part: usually the first 100 bytes or so contain the username and password :)). Sniffers have now multiplied... There are many sniffers both for Unix and for Windows (there are even some for DOS :)). Sniffers can support only a specific OS (for example linux_sniffer.c, which supports Linux :)), or several (for example Sniffit, which works with BSD, Linux, Solaris). Sniffers have become so widespread because passwords are transmitted over the network in clear text. There are a lot of such services: telnet, ftp, pop3, www, etc. And these services are used by a lot of people :). After the sniffer boom, various encryption schemes for these protocols appeared. SSH appeared (an alternative to telnet that supports encryption), SSL (Secure Socket Layer, a Netscape development that can encrypt a www session), all sorts of Kerberos, VPN (Virtual Private Network). Various AntiSniffs, ifstatuses, etc. came into use. But this fundamentally did not change the situation. Services that pass the password in plain text are still used to the fullest :). Therefore, they will keep sniffing for a long time :).

Windows sniffer implementations

linsniffer
This is a simple sniffer for intercepting logins/passwords. Standard compilation (gcc -o linsniffer linsniffer.c). Logs are written to tcp.log.

linux_sniffer
Linux_sniffer is needed when you want to study the network in detail. Standard compilation. It outputs all sorts of extra stuff, like ISN, ACK, SYN, echo_request (ping), etc.

Sniffit
Sniffit is an advanced sniffer written by Brecht Claerhout. Install (needs libpcap):
#./configure
#make
Now let's launch the sniffer:
#./sniffit
usage: ./sniffit [-xdabvnN] [-P proto] [-A char] [-p port] [(-r|-R) recordfile]
[-l sniflen] [-L logparam] [-F snifdevice] [-M plugin]
[-D tty] (-t | -s ) | (-i|-I) | -c ]
Plugins Available:
0 - Dummy Plugin
1 - DNS Plugin

As you can see, sniffit supports many options. You can also use the sniffer interactively. Although Sniffit is quite a useful program, I don't use it. Why? Because Sniffit has big problems with security. A remote root exploit and a DoS for Sniffit on Linux and Debian have already been released! Not every sniffer allows itself that :).

HUNT
This is my favorite sniffer. It is very easy to use, supports a lot of cool features and currently has no security problems. Plus it is not very demanding of libraries (like linsniffer and Linux_sniffer). It can intercept current connections in real time and produce a clean dump from a remote terminal. In general, Hijack rulezzz :). I recommend it to everyone for intensive use :).
Install:
#make
Run:
#hunt -i

READSMB
The READSMB sniffer is cut out of L0phtCrack and ported to Unix (oddly enough :)). Readsmb intercepts SMB packets.

TCPDUMP
tcpdump is a fairly well-known packet analyzer. It was written by an even more famous person, Van Jacobson, who invented VJ compression for PPP and wrote the traceroute program (and who knows what else?). It requires the libpcap library.
Install:
#./configure
#make
Now let's launch it:
#tcpdump
tcpdump: listening on ppp0
All your connections are displayed on the terminal. Here is an example of the output for a ping of ftp.technotronic.com:

02:03:08.918959 195.170.212.151.1039 > 195.170.212.77.domain: 60946+ A? ftp.technotronic.com. (38)
02:03:09.456780 195.170.212.77.domain > 195.170.212.151.1039: 60946* 1/3/3 (165)
02:03:09.459421 195.170.212.151 > 209.100.46.7: icmp: echo request
02:03:09.996780 209.100.46.7 > 195.170.212.151: icmp: echo reply
02:03:10.456864 195.170.212.151 > 209.100.46.7: icmp: echo request
02:03:10.906779 209.100.46.7 > 195.170.212.151: icmp: echo reply
02:03:11.456846 195.170.212.151 > 209.100.46.7: icmp: echo request
02:03:11.966786 209.100.46.7 > 195.170.212.151: icmp: echo reply

In general, sniffing is useful for debugging networks, troubleshooting, etc.

Dsniff
Dsniff requires libpcap, libnet, libnids and OpenSSH. It records only the commands entered, which is very convenient. Here is an example log of a connection to unix-shells.com:

02/18/01 03:58:04 tcp my.ip.1501 -> handi4-145-253-158-170.arcor-ip.net.23 (telnet)
stalsen
asdqwe123
ls
pwd
who
last
exit

Here dsniff intercepted the login and password (stalsen/asdqwe123).
Install:
#./configure
#make
#make install

Protection against sniffers

The surest way to protect against sniffers is to use ENCRYPTION (SSH, Kerberos, VPN, S/Key, S/MIME, SHTTP, SSL, etc.). And if you don't want to give up plain text services and install additional packages :)? Then it's time to use anti-sniffer packages...

AntiSniff for Windows
This product was released by the famous group L0pht. It was the first product of its kind. As stated in the description: "AntiSniff is a Graphical User Interface (GUI) driven tool for detecting promiscuous Network Interface Cards (NICs) on your local network segment". In general, it catches cards in promisc mode. It supports a huge number of tests (DNS test, ARP test, Ping Test, ICMP Time Delta Test, Echo Test, PingDrop test). It can scan a single machine or a whole network. There is log support. AntiSniff works on win95/98/NT/2000, although the NT platform is recommended. But its reign was short-lived, and soon a sniffer called AntiAntiSniffer appeared :), written by Mike Perry (you can find it at www.void.ru/news/9908/snoof.txt). It is based on LinSniffer (discussed above).

Unix sniffer detection:
A sniffer can be found with the command:

#ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:2373 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2373 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:195.170.y.x  P-t-P:195.170.y.x  Mask:255.255.255.255
          UP POINTOPOINT PROMISC RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3281 errors:74 dropped:0 overruns:0 frame:74
          TX packets:3398 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

As you can see, the ppp0 interface is in PROMISC mode. Either the operator loaded a sniffer for network checks, or they already have you... But remember that ifconfig output can easily be spoofed, so use tripwire to detect changes, plus the various programs for checking for sniffers.
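A defender's check for the PROMISC flag described above, as an added example that is not part of the original article: it parses interface listings in both the old ifconfig layout shown here and the iproute2 ip link layout, and also evaluates the raw kernel flags word (IFF_PROMISC = 0x100 in /sys/class/net/<iface>/flags), which is harder to fake than a tool's printed output. All listings below are constructed samples.

```python
import re

IFF_PROMISC = 0x100  # IFF_PROMISC bit of the value in /sys/class/net/<iface>/flags (linux/if.h)

# Constructed sample in the old net-tools `ifconfig -a` layout (same shape as the listing above).
IFCONFIG_SAMPLE = """\
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:195.170.y.x  P-t-P:195.170.y.x  Mask:255.255.255.255
          UP POINTOPOINT PROMISC RUNNING NOARP MULTICAST  MTU:1500  Metric:1
"""

# Constructed sample in the iproute2 `ip link show` layout.
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample of what `cat /sys/class/net/<iface>/flags` returns, keyed by interface.
SYSFS_FLAGS_SAMPLE = {"lo": "0x9", "eth0": "0x1103"}

def promisc_from_ifconfig(text):
    """Interfaces whose ifconfig block carries the PROMISC flag word."""
    found, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():       # a new interface block starts in column 0
            current = line.split()[0]
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found

def promisc_from_ip_link(text):
    """Interfaces whose <...> flag list in `ip link show` contains PROMISC."""
    found = []
    for m in re.finditer(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>", text, re.M):
        if "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found

def promisc_from_sysfs_flags(flags_by_iface):
    """Interfaces whose raw kernel flags word has IFF_PROMISC set; flags_by_iface maps an
    interface name to the hex string read from /sys/class/net/<name>/flags."""
    return [name for name, raw in flags_by_iface.items() if int(raw, 16) & IFF_PROMISC]

def promisc_report(ifconfig_text, ip_link_text, flags_by_iface):
    """Union of the three views, so a result hidden from one tool still shows up in another."""
    seen = set(promisc_from_ifconfig(ifconfig_text))
    seen |= set(promisc_from_ip_link(ip_link_text))
    seen |= set(promisc_from_sysfs_flags(flags_by_iface))
    return sorted(seen)
```

On a live host, feed the real command output and the real sysfs values into promisc_report and alert on any interface that was not put into promiscuous mode on purpose.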

AntiSniff for Unix.
Works for BSD, Solaris and Linux. Supports ping/icmp time test, arp test, echo test, dns test, etherping test; in general, an analogue of AntiSniff for Win, only for Unix :).
Install:
#make linux-all

Sentinel
Also a useful program for catching sniffers. Supports many tests. Easy to use.
Install:
#make
#./sentinel
./sentinel [-t ]
Methods:
[ -a ARP test ]
[ -d DNS test ]
[ -i ICMP Ping Latency test ]
[ -e ICMP Etherping test ]
Options:
[ -f ]
[ -v Show version and exit ]
[ -n ]
[ -I ]

The options are so simple that they need no comments.

MORE

Here are a few more utilities to check your network (for Unix):
packetstorm.securify.com/UNIX/IDS/scanpromisc.c - remote PROMISC mode detector for ethernet cards (for Red Hat 5.x).
http://packetstorm.securify.com/UNIX/IDS/neped.c - Network Promiscuous Ethernet Detector (requires libcap & Glibc).
http://packetstorm.securify.com/Exploit_Code_Archive/promisc.c - scans system devices to detect sniffers.
http://packetstorm.securify.com/UNIX/IDS/ifstatus2.2.tar.gz - ifstatus tests network interfaces for PROMISC mode.

Network packet analyzers, or sniffers, were originally developed as a means of solving network problems. They are able to intercept, interpret and store packets transmitted over the network for subsequent analysis. On the one hand, this allows system administrators and technical support engineers to observe how data is transferred over the network, diagnose and fix problems that arise. In this sense, packet sniffers are a powerful tool for diagnosing network problems. On the other hand, like many other powerful tools that were originally intended for administration, over time, sniffers began to be used for completely different purposes. Indeed, a sniffer in the hands of an attacker is a rather dangerous tool and can be used to obtain passwords and other confidential information. However, you should not think that sniffers are some kind of magical tool through which any hacker can easily view confidential information transmitted over the network. And before we prove that the danger posed by sniffers is not as great as is often presented, let us consider in more detail the principles of their functioning.

Operating principles of packet sniffers

Further in this article we will consider only software sniffers designed for Ethernet networks. A sniffer is a program that operates at the level of the NIC (Network Interface Card) network adapter (the link layer) and silently intercepts all traffic. Because sniffers operate at the data link layer of the OSI model, they do not have to play by the rules of higher-layer protocols. Sniffers bypass the filtering mechanisms (addresses, ports, etc.) that Ethernet drivers and the TCP/IP stack use to interpret data. Packet sniffers capture from the wire everything that comes through it. Sniffers can store frames in binary format and later decode them to reveal the higher-level information hidden inside (Figure 1).

In order for the sniffer to capture all packets passing through the network adapter, the network adapter driver must support promiscuous mode. It is in this mode of operation of the network adapter that the sniffer is able to intercept all packets. This mode of operation of the network adapter is automatically activated when the sniffer is launched or is set manually by the corresponding sniffer settings.

All intercepted traffic is passed to a packet decoder, which identifies and splits packets into the appropriate hierarchy levels. Depending on the capabilities of a particular sniffer, the provided packet information can subsequently be further analyzed and filtered.

Limitations of using sniffers

Sniffers posed the greatest danger in those days when information was transmitted over the network in clear text (without encryption), and local networks were built on the basis of concentrators (hubs). However, these days are irrevocably gone, and nowadays using sniffers to gain access to confidential information is by no means an easy task.

The point is that when local networks are built on hubs, there is a shared transmission medium (the network cable), and all network nodes exchange packets while competing for access to this medium (Fig. 2). A packet sent by one node is transmitted to all ports of the hub, so every other node on the network sees it, but only the node it is addressed to actually receives it. Consequently, if a packet sniffer is installed on one of the nodes, it can intercept all packets belonging to that network segment (the network formed by the hub).

Switches are more intelligent devices than broadcast hubs and isolate network traffic. The switch knows the addresses of the devices connected to each port and transmits packets only between the necessary ports. This allows you to offload other ports without having to forward every packet to them, as a hub does. Thus, a packet sent by a certain network node is transmitted only to the switch port to which the packet recipient is connected, and all other network nodes are not able to detect this packet (Fig. 3).

Therefore, if the network is built on the basis of a switch, then a sniffer installed on one of the network computers is capable of intercepting only those packets that are exchanged between this computer and other network nodes. As a result, in order to be able to intercept packets that the computer or server of interest to the attacker exchanges with other network nodes, it is necessary to install a sniffer on this particular computer (server), which is actually not so simple. However, you should keep in mind that some packet sniffers are launched from the command line and may not have a graphical interface. Such sniffers, in principle, can be installed and launched remotely and unnoticed by the user.

Additionally, you should also keep in mind that while switches isolate network traffic, all managed switches have port forwarding or port mirroring functionality. That is, the switch port can be configured in such a way that all packets arriving on other switch ports are duplicated on it. If in this case a computer with a packet sniffer is connected to such a port, then it can intercept all packets exchanged between computers on a given network segment. However, as a rule, the ability to configure the switch is available only to the network administrator. This, of course, does not mean that he cannot be an attacker, but a network administrator has many other ways to control all users of the local network, and it is unlikely that he will monitor you in such a sophisticated way.

Another reason why sniffers are no longer as dangerous as they once were is that most sensitive data is now transmitted encrypted. Open, unencrypted services are rapidly disappearing from the Internet. For example, when visiting websites, the SSL (Secure Sockets Layer) protocol is increasingly used; SFTP (Secure FTP) is used instead of open FTP, and virtual private networks (VPNs) are increasingly used for other services that do not use encryption by default.

So, those concerned about the potential for malicious use of packet sniffers should keep the following in mind. First, to pose a serious threat to your network, sniffers must be located within the network itself. Secondly, today's encryption standards make it extremely difficult to intercept sensitive information. Therefore, at present, packet sniffers are gradually losing their relevance as hacker tools, but at the same time they remain an effective and powerful tool for diagnosing networks. Moreover, sniffers can be successfully used not only for diagnosing and localizing network problems, but also for auditing network security. In particular, the use of packet analyzers allows you to detect unauthorized traffic, detect and identify unauthorized software, identify unused protocols in order to remove them from the network, generate traffic for penetration testing in order to check the security system, and work with intrusion detection systems (Intrusion Detection System, IDS).

Overview of software packet sniffers

All software sniffers can be divided into two categories: sniffers that support launch from the command line, and sniffers that have a graphical interface. However, we note that there are sniffers that combine both of these capabilities. In addition, sniffers differ from each other in the protocols they support, the depth of analysis of intercepted packets, the ability to configure filters, and the possibility of compatibility with other programs.

Typically, the window of any sniffer with a graphical interface consists of three areas. The first of them displays the summary data of intercepted packets. Typically, this area displays a minimum of fields, namely: packet interception time; IP addresses of the packet sender and recipient; MAC addresses of the sender and recipient of the packet; source and destination port numbers; protocol type (network, transport or application layer); some summary information about the intercepted data. The second area displays detailed information about the individual selected packet, and finally the third area displays the packet in hexadecimal or ASCII form.

Almost all packet sniffers allow you to analyze decoded packets (which is why packet sniffers are also called packet analyzers, or protocol analyzers). The sniffer distributes intercepted packets across layers and protocols. Some packet sniffers are capable of recognizing the protocol and displaying the captured information. This type of information is usually displayed in the second area of the sniffer window. For example, any sniffer can recognize the TCP protocol, and advanced sniffers can determine which application generated this traffic. Most protocol analyzers recognize over 500 different protocols and can describe and decode them by name. The more information a sniffer can decode and display on the screen, the less will have to be decoded manually.

One problem that packet sniffers may encounter is the inability to correctly identify a protocol using a port other than the default port. For example, to improve security, some well-known applications may be configured to use ports other than the default ports. So, instead of the traditional port 80, reserved for the web server, this server can be forcibly reconfigured to port 8088 or any other. Some packet analyzers in this situation are not able to correctly determine the protocol and display only information about the lower-level protocol (TCP or UDP).
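The layering done by a sniffer's packet decoder (described under "Operating principles" above) and the port-based identification problem just described, as an added example that is not from the original article: the code builds a constructed Ethernet/IPv4/TCP frame, splits it into layers, and shows that port-based identification labels an HTTP request on port 8088 as plain TCP, while a payload heuristic still recognizes it. All addresses and ports are made up.

```python
import socket
import struct

WELL_KNOWN_TCP = {21: "FTP", 22: "SSH", 23: "TELNET", 80: "HTTP", 110: "POP3", 443: "TLS"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def build_frame(dst_port, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame as test input (MACs, addresses and ports
    are made up; checksums are left zero because the decoder does not verify them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 51000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("194.67.215.125"))
    return eth + ip + tcp + payload

def decode_frame(frame):
    """Split a raw frame into layers the way a sniffer's packet decoder does:
    Ethernet -> IPv4 -> TCP -> payload. Stops at the last layer it recognizes."""
    layers = {}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"src": src_mac.hex(":"), "dst": dst_mac.hex(":"), "type": ethertype}
    if ethertype != 0x0800:                      # not IPv4: nothing more is decoded here
        return layers
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ip"] = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    if proto != 6:                               # only TCP is decoded in this example
        return layers
    off = 14 + ihl
    sport, dport, _, _, data_off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", frame[off:off + 20])
    thl = (data_off >> 4) * 4
    layers["tcp"] = {"srcport": sport, "dstport": dport, "flags": flags}
    layers["payload"] = frame[off + thl:14 + total_len]
    return layers

def identify_by_port(layers):
    """What a basic analyzer does: name the application protocol from well-known ports only."""
    tcp = layers.get("tcp")
    if tcp is None:
        return "IP" if "ip" in layers else "ETH"
    return WELL_KNOWN_TCP.get(tcp["dstport"]) or WELL_KNOWN_TCP.get(tcp["srcport"]) or "TCP"

def identify_by_payload(layers):
    """Fallback used by smarter analyzers: when the port says nothing, look at the first
    bytes of the payload (here: an HTTP request line or status line)."""
    guess = identify_by_port(layers)
    payload = layers.get("payload", b"")
    if guess == "TCP" and (payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1.")):
        return "HTTP"
    return guess
```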

There are software sniffers that come with software analytical modules as plugins or built-in modules that allow you to create reports with useful analytical information about intercepted traffic.

Another characteristic feature of most packet analyzer software is the ability to configure filters before and after traffic is captured. Filters select certain packets from the general traffic according to a given criterion, which allows you to get rid of unnecessary information when analyzing traffic.

Traffic analysis is a process whose importance is known to any IT professional, regardless of whether he works for a small company or a large corporation. After all, identifying and correcting network problems is a real art, which directly depends both on the instinct of the specialist himself and on the depth and quality of the data he operates. And the traffic analyzer is exactly the tool that provides you with this data. A wisely chosen network traffic analysis solution can not only help you figure out how packets are sent, received, and securely transmitted across your network, but it can also do much, much more!

There are now a large number of variations of software for analyzing network traffic on the market. Moreover, some of them are capable of evoking nostalgic memories among “old school” specialists; they use a terminal font and command line interface, and at first glance appear difficult to use. Other solutions, on the contrary, stand out for their ease of installation and are aimed at an audience with visual perception (they are literally oversaturated with various graphics). The price range of these solutions also differs quite significantly - from free to solutions with a very expensive corporate license.

In order for you, depending on your tasks and preferences, to be able to choose the best solution for analyzing network traffic, we present a list of the most interesting software products currently available on the market for traffic analysis, as well as a brief overview of the functionality built into them for extracting, processing and visually presenting various network information. Some of these functions are similar for all the solutions presented in this review - they allow you to see sent and received network packets with one or another level of detail - but almost all of them have some characteristic features that make them unique in certain situations or network environments. Ultimately, we turn to network traffic analysis when we have a network problem but cannot quickly narrow it down to a specific machine, device or protocol, and have to conduct a deeper search. We will help you choose the most suitable traffic analysis software solution for these purposes.

SolarWinds Network Bandwidth Analyzer

This solution is positioned by the manufacturer as a software package of two products - Network Performance Monitor (basic solution) and NetFlow Traffic Analyzer (modular extension). As stated, they have similar, but still different functionality for analyzing network traffic, complementing each other when using two products together.

Network Performance Monitor, as the name suggests, monitors network performance and is a tempting choice if you want to get an overview of what's happening on your network. By purchasing this solution, you are paying for the ability to monitor the overall health of your network: based on a wealth of statistics, such as the speed and reliability of data and packet transmission, in most cases you will be able to quickly identify problems in the operation of your network. And the program’s advanced intellectual capabilities for identifying potential problems and extensive capabilities for visually presenting results in the form of tables and graphs with clear warnings about possible problems will make this work even easier.

The NetFlow Traffic Analyzer modular extension is more focused on analyzing the traffic itself. While the functionality of the basic Network Performance Monitor software solution is more designed to provide an overview of network performance, NetFlow Traffic Analyzer focuses on a more detailed analysis of the processes occurring in the network. In particular, this part of the software package will analyze congestion or abnormal surges in bandwidth and provide statistics sorted by user, protocol or application. Please note that this program is only available for the Windows environment.

Wireshark

It is a relatively new tool in the large family of network diagnostic solutions, but during this time it has already gained recognition and respect from IT professionals. WireShark does an excellent job of analyzing traffic, doing its job perfectly for you. The developers were able to find a middle ground between the source data and the visual representation of this data, so in WireShark you will not find biases in one direction or another, which are common in most other solutions for analyzing network traffic. WireShark is simple, compatible and portable. With WireShark, you get exactly what you expect, and you get it fast.

WireShark has a great user interface, plenty of filtering and sorting options, and, as many of us will appreciate, WireShark traffic analysis works great with any of the three most popular operating system families—*NIX, Windows, and macOS. Add to all of the above the fact that WireShark is open source and free, and you have an excellent tool for quickly diagnosing your network.

tcpdump

The tcpdump traffic analyzer looks like some kind of ancient tool, and, to be completely honest, in terms of functionality it works too. Despite the fact that it does its job and does it well, using as little system resources as possible, many modern specialists will find it difficult to understand the huge number of “dry” tables with data. But there are situations in life when the use of such cut-off and resource-intensive solutions can be useful. In some environments or on barely-performing PCs, minimalism may be the only viable option.

The tcpdump software solution was originally developed for the *NIX environment, but currently also works with several Windows ports. It has all the basic functionality you'd expect to see in any traffic analyzer - capturing, recording, etc. - but you can't ask for much more from it.

Kismet

The Kismet traffic analyzer is another example of open source software tailored to solve specific problems. Kismet doesn't just analyze network traffic, it provides you with much more advanced functionality. For example, it is capable of analyzing the traffic of hidden networks and even wireless networks that do not broadcast their SSID! A traffic analysis tool like this can be extremely useful when there is something on your wireless network that is causing problems, but you can't quickly find the source. Kismet will help you detect a rogue network or access point that is working but not configured correctly.

Many of us know firsthand that the task becomes harder when it comes to analyzing wireless network traffic, so having a specialized tool like Kismet on hand is not only desirable but often necessary. The Kismet traffic analyzer is a good choice if you constantly deal with a lot of wireless traffic and wireless devices and need a solid tool for analyzing them. Kismet is available for *NIX, for Windows under Cygwin, and for macOS.

EtherApe

EtherApe's functionality is similar to Wireshark's in many ways, and it is also open source and free. Where it really stands out from other solutions is its focus on graphics. Whereas Wireshark presents its analysis in classic textual form, EtherApe displays network traffic as a live graph: each vertex represents a host, the size of vertices and edges reflects the volume of traffic, and colours mark the various protocols. For people who prefer to perceive statistical information visually, EtherApe may be the best choice. Available for *NIX and macOS environments.

Cain and Abel

In this software with the very interesting name, traffic analysis is more of an auxiliary function than the main one. If your tasks go far beyond simple traffic analysis, this tool deserves your attention. With it, you can recover Windows passwords, perform attacks to obtain lost credentials, examine VoIP data on the network, analyze packet routing, and much more. It is a truly powerful toolkit for a system administrator with broad responsibilities. Works only in a Windows environment.

NetworkMiner

NetworkMiner is another software solution whose functionality goes beyond basic traffic analysis. While other traffic analyzers focus on the packets being sent and received, NetworkMiner focuses on the hosts that are actually sending and receiving them. This tool is better suited to identifying problematic computers or users than to general diagnostics or network monitoring as such. NetworkMiner is designed for Windows.

KisMAC

KisMAC, as the name suggests, is Kismet for macOS. These days Kismet itself has a macOS port, so the existence of KisMAC may seem redundant, but it is worth noting that KisMAC has its own codebase and is not directly derived from the Kismet traffic analyzer. Of particular note is that KisMAC offers some capabilities, such as location mapping and deauthentication attacks on macOS, that Kismet itself does not provide. These unique features can tip the scales in favor of this particular solution in certain situations.

Conclusion

Network traffic analysis software can be a vital tool when you periodically encounter network problems of various kinds, be it performance, dropped connections, or problems with network backups. Almost anything related to the transmission and reception of data on the network can be quickly identified and corrected using the information obtained with the software listed above.

A thorough analysis of network traffic with proven, specialized software will take you well below the surface of a problem and help you understand what is actually happening on your network, or what is not happening but should be.


Always in touch, Igor Panov.

05.23.16

Many network administrators encounter problems that can be resolved by analyzing network traffic. This is where the concept of a traffic analyzer comes in. So what is it?

NetFlow analyzers and collectors are tools that help you monitor and analyze network traffic data. Flow analyzers let you pinpoint the devices that are consuming the bandwidth of a link. They help you find problem areas in your system and improve the overall efficiency of the network.

The term "NetFlow" refers to a Cisco protocol designed to collect IP traffic information and monitor network traffic. NetFlow has become the de facto standard among flow-export technologies.

NetFlow software collects and analyzes flow data generated by routers and presents it in a user-friendly format.

Several other network equipment vendors have their own protocols for monitoring and data collection. For example, Juniper, another highly respected network device vendor, calls its protocol "J-Flow". HP and Fortinet use the term "sFlow". Although the protocols have different names, they all work in a similar way. In this article, we'll look at 10 free network traffic analyzers and NetFlow collectors for Windows.
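To make concrete what a NetFlow collector actually does with the flow data described above, here is an added example that is not code from the article or from any of the products it lists: it decodes one NetFlow v5 export datagram, validates it before trusting any field, and ranks source hosts by bytes sent, which is the "who is eating the bandwidth" question the text raises. The v5 wire layout (24-byte header, 48-byte records, big-endian) is taken from the published Cisco format rather than from the article; the sample datagram, addresses, ports and byte counts are constructed inline for the demonstration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format (Cisco): a 24-byte header followed by `count`
# 48-byte flow records; every field is big-endian. The field order below
# follows the published v5 layout, not anything stated in the article.
HEADER = struct.Struct("!HHIIIIBBH")            # version, count, sysuptime, ...
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30                                 # v5 exporters send at most 30 per datagram


def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Decode one v5 export datagram into a list of flow dicts.

    Anything that is not a well-formed v5 datagram is rejected rather than
    decoded into garbage: wrong version, an impossible record count, or a
    body shorter than the header announces (a truncated or hostile UDP payload).
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, _sys_uptime, _unix_secs, _unix_nsecs,
     _flow_seq, _engine_type, _engine_id, sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records present than announced")
    # The low 14 bits of the sampling field hold the sampling interval (0 = unsampled).
    interval = sampling & 0x3FFF or 1

    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "tcp_flags": tcp_flags, "in_if": in_if, "out_if": out_if,
            # Scale the counters back up when the exporter samples packets.
            "packets": pkts * interval, "bytes": octets * interval,
        })
    return flows


def top_talkers(flows: list[dict], n: int = 3) -> list[tuple[str, int]]:
    """Rank source addresses by bytes sent (ties broken by address for determinism)."""
    totals: dict[str, int] = defaultdict(int)
    for flow in flows:
        totals[flow["src"]] += flow["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# --- constructed sample data (not captured from a real router) ---------------

def make_record(src, dst, sport, dport, proto, pkts, octets, tcp_flags=0x18):
    """Pack one v5 flow record from constructed values."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                       b"\x00" * 4, 1, 2, pkts, octets, 1_000, 2_000,
                       sport, dport, 0, tcp_flags, proto, 0, 0, 0, 24, 24, 0)


def make_datagram(records, version=5, sampling=0):
    """Prepend a v5 header to the given packed records."""
    header = HEADER.pack(version, len(records), 123_456, 1_700_000_000, 0, 0, 0, 0, sampling)
    return header + b"".join(records)


SAMPLE_DATAGRAM = make_datagram([
    make_record("10.0.0.5", "203.0.113.10", 51234, 443, 6, 120, 150_000),
    make_record("10.0.0.7", "203.0.113.20", 51235, 80, 6, 10, 5_000),
    make_record("10.0.0.5", "198.51.100.1", 40000, 53, 17, 2, 300),
])

if __name__ == "__main__":
    for src, total in top_talkers(parse_netflow_v5(SAMPLE_DATAGRAM)):
        print(f"{src:<15} {total:>8} bytes")
```

A real collector would bind a UDP socket (2055 is the conventional port) and feed each received datagram to `parse_netflow_v5`; the length and count checks matter there because the exporter is unauthenticated and anything on the network can send a datagram to that port.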

SolarWinds Real-Time NetFlow Traffic Analyzer


Free NetFlow Traffic Analyzer is one of the most popular tools available for free download. It lets you sort, tag and display data in a variety of ways, so you can conveniently visualize and analyze network traffic. The tool is well suited to monitoring network traffic by type and time period, and to running tests that determine how much traffic various applications consume.

This free tool is limited to one NetFlow monitoring interface and stores only 60 minutes of data. Within those limits, it is a powerful NetFlow analyzer that is worth using.

Colasoft Capsa Free


This free LAN traffic analyzer identifies and monitors over 300 network protocols and allows you to create custom reports. It includes email monitoring and TCP sequence diagrams, all collected in one customizable dashboard.

Other features include network security analysis, for example tracking DoS/DDoS attacks and worm activity and detecting ARP attacks, as well as packet decoding and display, per-host statistics, packet exchange monitoring and flow reconstruction. Capsa Free supports all 32-bit and 64-bit versions of Windows XP.

Minimum system requirements for installation: 2 GB of RAM and a 2.8 GHz processor. You must also have an Ethernet connection to the Internet (NDIS 3 compliant or higher), Fast Ethernet or Gigabit, with a driver that supports promiscuous (mixed) mode. This allows it to passively capture all packets transmitted over the Ethernet link.

Angry IP Scanner


This is an open source Windows traffic analyzer that is fast and easy to use. It requires no installation and can also be used on Linux and Mac OSX. The tool works by pinging each IP address in a range; it can determine MAC addresses, scan ports, provide NetBIOS information, identify the logged-on user on Windows systems, discover web servers, and much more. Its capabilities can be extended with Java plugins. Scan results can be saved to CSV, TXT or XML files.

ManageEngine NetFlow Analyzer Professional


A fully featured version of ManageEngine's NetFlow software. This is powerful software with a full set of functions for analysis and data collection: real-time monitoring of link throughput with alerts when thresholds are reached, which allows you to react quickly. In addition, it provides summary data on resource usage, monitoring of applications and protocols, and much more.

The free version of this traffic analyzer allows unlimited use of the product for 30 days, after which you can monitor only two interfaces. System requirements for ManageEngine NetFlow Analyzer depend on the flow rate. The recommended requirements for a minimum flow rate of 0 to 3000 flows per second are a 2.4 GHz dual-core processor, 2 GB of RAM, and 250 GB of available hard drive space. As the flow rate to be monitored increases, the requirements increase as well.

The Dude


This application is a popular network monitor developed by MikroTik. It automatically scans all devices and draws a network map. The Dude monitors services running on various devices and alerts you if problems arise. Other features include automatic discovery and display of new devices, the ability to create custom maps, access to tools for remote device management, and more. It runs on Windows, on Linux under Wine, and on macOS under Darwine.

JDSU Network Analyzer Fast Ethernet


This traffic analyzer program allows you to quickly collect and view network data. The tool lets you view registered users, determine how much of the network bandwidth individual devices are using, quickly find and fix errors, and capture and analyze data in real time.

The application supports highly detailed graphs and tables that allow administrators to monitor traffic anomalies, filter data to sift through large volumes, and much more. This tool, for entry-level professionals as well as experienced administrators, allows you to take complete control of your network.

Plixer Scrutinizer


This network traffic analyzer allows you to collect and comprehensively analyze network traffic and quickly find and fix errors. With Scrutinizer, you can sort your data in a variety of ways, including by time interval, host, application, protocol, and more. The free version allows you to monitor an unlimited number of interfaces and stores 24 hours of activity.

Wireshark


Wireshark is a powerful network analyzer that runs on Linux, Windows, MacOS X, Solaris and other platforms. Wireshark lets you view captured data in a GUI or with the terminal-based TShark utility. Its features include VoIP traffic capture and analysis, real-time display of Ethernet, IEEE 802.11, Bluetooth, USB and Frame Relay data, output to XML, PostScript and CSV, decryption support, and more.

System requirements: Windows XP or higher, any modern 64/32-bit processor, 400 MB of RAM and 300 MB of free disk space. Wireshark is a powerful tool that can greatly simplify the work of any network administrator.

Paessler PRTG


This traffic analyzer provides users with many useful features: monitoring of LANs, WANs, VPNs, applications, virtual servers, QoS and the physical environment. Multi-site monitoring is also supported. PRTG uses SNMP, WMI, NetFlow, sFlow, J-Flow and packet analysis, and offers uptime/downtime monitoring and IPv6 support.

The free version allows you to use an unlimited number of sensors for 30 days, after which you can only use up to 100 for free.

nProbe


It is a full-featured open source NetFlow tracking and analysis application.

nProbe supports IPv4 and IPv6, Cisco NetFlow v9 / IPFIX and NetFlow-Lite, and includes functions for VoIP traffic analysis, flow and packet sampling, log generation, MySQL/Oracle and DNS activity monitoring, and much more. The application is free if you download and compile the traffic analyzer yourself on Linux or Windows. The installation executable limits the capture size to 2000 packets. nProbe is completely free for educational institutions, as well as non-profit and scientific organizations. The tool runs on 64-bit versions of Linux and Windows.

This list of 10 free NetFlow traffic analyzers and collectors will help you get started monitoring and troubleshooting a small office network or a large, multi-site corporate WAN.

Each application presented in this article makes it possible to monitor and analyze network traffic, detect minor failures, identify bandwidth anomalies that may indicate security threats, and visualize information about the network, its traffic and much more. Network administrators should have such tools in their arsenal.

This publication is a translation of the article "Top 10 Best Free Netflow Analyzers and Collectors for Windows", prepared by the friendly project team
