Looking for the absolute best protocol analyzer out there? My favorite by far is none other than Wireshark, an awesome program that allows deep inspection into hundreds of protocols in real-time.
The program runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and just about any other OS platform out there. This packet sniffer has a host of other great features; here are a few:
- Capture everything live and analyze when offline
- Has the usual three-pane packet browser interface you’re already used to
- Powerful display filters for finding exactly what you are looking for
- Extensive support for VOIP analysis
- Read/write lots of different capture file formats including tcpdump, Microsoft Network Monitor, Network General Sniffer, Visual Networks Visual UpTime, and many more
- Live data can be read from Ethernet, Bluetooth, USB, IEEE 802.11, PPP/HDLC, ATM, Token Ring, Frame Relay, FDDI, and others
- Support for decryption on many protocols including IPsec, Kerberos, ISAKMP, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
- Export output to CSV, plain text, XML, or PostScript
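The capture-file, display-filter and export features in the list above are easiest to understand by seeing what sits underneath them. The following is an added example, not code from the original post or from the Wireshark project: a minimal reader for the libpcap (tcpdump) capture format that Wireshark reads and writes, a tiny Wireshark-style display filter (terms such as `tcp.port == 80`, `udp` or `ip.dst == 10.0.0.2`, joined with `and` or `or`), and CSV export of the matching packets. Every packet is constructed inline as sample data, the function names are this example's own, and the field names only mimic Wireshark's naming for the small Ethernet/IPv4/TCP/UDP subset the decoder understands. It also rejects a truncated capture instead of silently reading past the end of the data.

```python
"""Minimal libpcap (tcpdump-format) reader with a tiny display filter and CSV export.
Added example, not Wireshark's own code; all packets below are constructed sample data."""
import csv
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic number; its byte order tells us the file's endianness


def build_ipv4_frame(src, dst, proto, payload):
    """Constructed Ethernet/IPv4 frame (checksums left at zero; fine for a parser demo)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload


def tcp_segment(sport, dport, payload=b""):
    """20-byte TCP header (data offset 5, flags PSH|ACK) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def udp_datagram(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(packets, endian="<", linktype=1):
    """Serialise packets as a libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack(endian + "IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data):
    """Yield (ts_sec, ts_usec, packet bytes); byte order is detected from the magic number."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a libpcap file (unknown magic %r)" % data[:4])
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) < incl_len:  # record header promises more bytes than the file holds
            raise ValueError("truncated capture record at offset %d" % off)
        yield ts_sec, ts_usec, pkt
        off += 16 + incl_len


def is_well_formed(data):
    try:
        list(read_pcap(data))
        return True
    except ValueError:
        return False


def decode(pkt):
    """Decode Ethernet/IPv4/{TCP,UDP} into Wireshark-style field names (subset only)."""
    fields = {"frame.len": len(pkt)}
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        return fields
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    fields.update({"ip.src": ".".join(map(str, pkt[26:30])),
                   "ip.dst": ".".join(map(str, pkt[30:34])), "ip.proto": proto})
    l4 = pkt[14 + ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.port": {sport, dport}})
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        fields.update({"udp.srcport": sport, "udp.dstport": dport, "udp.port": {sport, dport}})
    return fields


def match_term(term, fields):
    """One filter term: a bare protocol name, or 'field == value' / 'field != value'."""
    term = term.strip()
    if term in ("tcp", "udp"):
        return fields.get("ip.proto") == {"tcp": 6, "udp": 17}[term]
    name, op, value = term.split()
    if op not in ("==", "!="):
        raise ValueError("unsupported operator %r" % op)
    actual = fields.get(name)
    if actual is None:  # field absent: neither == nor != matches, as in Wireshark
        return False
    if isinstance(actual, set):  # tcp.port / udp.port match either direction
        return (int(value) in actual) == (op == "==")
    if isinstance(actual, int):
        value = int(value)
    return (actual == value) == (op == "==")


def display_filter(expr):
    """Compile a flat filter: terms joined by 'and' or by 'or' (no nesting)."""
    if " or " in expr:
        parts = expr.split(" or ")
        return lambda f: any(match_term(p, f) for p in parts)
    parts = expr.split(" and ")
    return lambda f: all(match_term(p, f) for p in parts)


def filter_to_csv(pcap_bytes, expr, columns=("ip.src", "ip.dst", "ip.proto", "frame.len")):
    """Return (match count, CSV text) for the packets that satisfy the filter."""
    pred = display_filter(expr)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(("no", "time") + tuple(columns))
    count = 0
    for no, (ts_sec, ts_usec, pkt) in enumerate(read_pcap(pcap_bytes), start=1):
        f = decode(pkt)
        if pred(f):
            count += 1
            writer.writerow([no, "%d.%06d" % (ts_sec, ts_usec)] + [f.get(c, "") for c in columns])
    return count, buf.getvalue()


# Constructed sample capture: an HTTP request/response, a DNS query and a TLS SYN-like segment.
SAMPLE_PACKETS = [
    build_ipv4_frame("10.0.0.1", "10.0.0.2", 6, tcp_segment(51000, 80, b"GET / HTTP/1.1\r\n")),
    build_ipv4_frame("10.0.0.2", "10.0.0.1", 6, tcp_segment(80, 51000, b"HTTP/1.1 200 OK\r\n")),
    build_ipv4_frame("10.0.0.1", "10.0.0.53", 17, udp_datagram(40000, 53, b"\x00" * 12)),
    build_ipv4_frame("10.0.0.1", "10.0.0.2", 6, tcp_segment(51001, 443)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    count, text = filter_to_csv(SAMPLE_PCAP, "tcp.port == 80")
    print(count, "packets matched")
    print(text)
```

The filter grammar here is deliberately flat; Wireshark's real display-filter language supports parentheses, many more operators and thousands of field names, but the shape is the same: dissect each frame into named fields, then evaluate a predicate over them.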
You can also search for packets and colorize packets for easy viewing. Note that Wireshark is not an intrusion detection system. It will not prevent someone from attacking your computer or doing strange things to it. You can use it, however, to find out exactly what is going on.
Note also that you have to install WinPcap (Windows Packet Capture) on Windows in order to capture live network traffic.
Actually using a packet sniffer properly to analyze your network is not superbly easy! If you don’t know how to use a packet sniffer or network protocol analyzer, don’t worry! I’ll be writing a series of posts in the future on how to use Wireshark to do all kinds of cool stuff on your network! Stay tuned!