
Using a packet sniffer for network packet analysis

By Tessa Parmenter
07 Aug 2007 | SearchNetworking.com


A packet sniffer may seem like a humble addition to a network professional's toolkit, but when used correctly, packet sniffers (also known as protocol analyzers) can home in on any number of network problems. "Practical Packet Analysis: Using Wireshark to solve real-world network problems" author Chris Sanders uses protocol analyzer Wireshark for packet analysis almost daily for his network administration job, where he manages nearly 5,000 users (plus 20 servers and more than 1,800 workstations). To learn from Sanders' experiences and to help you troubleshoot your network, SearchNetworking.com interviewed Sanders by email. Here, Sanders explains how packet sniffers sniff and analyze network traffic.


Why should a network admin or manager consider using a packet sniffer? What are the main things a sniffer can detect on a network?

Chris Sanders: I think that network admins, much of the time, are only as good as the collection of tools they have at their disposal. A packet sniffer is just that, a tool. With computer networks, we often have to rely for our troubleshooting on what interfaces tell us is happening. A packet sniffer is a tool that allows you to get past all of the fancy interfaces and misleading error messages to see what exactly is going on at the lowest levels of network communication. Packet sniffers can show you all sorts of things going on behind the scenes, including unknown communication between network devices, actual detailed error codes provided by layer-specific protocols, and even poorly designed programs going crazy. As [radio broadcaster] Paul Harvey would say, a packet sniffer is a tool that lets you find "the rest of the story." It is essential for any network admin's toolkit.

When you're selecting a packet sniffer, what should you be looking for?

Sanders: There are several considerations, but some of the biggest are the supported protocols of a sniffer, the platforms the sniffer runs on, the support provided for the software, and the cost. However, the most important thing is your level of comfort with using the software. Some packet sniffers are totally command-line based. Many people just aren't comfortable with that; others wouldn't want to use anything else. Once you get past all of the technical considerations, it is really just a matter of what you feel comfortable using. I typically find that once people get into packet analysis, they usually spend a lot of time doing it. I like to think of it like decorating your office. If you are going to be spending a lot of time in it, you want it to be a place where you are comfortable. The same goes for selecting a packet sniffing application!

What are the commercial products that compare with Wireshark? Are there similar open source and/or free tools, and how do these compare with Wireshark and one another?

Sanders: Some of the alternatives to Wireshark include commercial products such as Etherpeek, Colasoft Capsa and Sniff'Em, as well as free products such as Ettercap and Tcpdump. What sets Wireshark apart from most of these is that it is the most widely used, so it provides a larger number of supported protocols and has a user-driven support base that is unrivaled. The only thing the commercial products typically offer that is special is their ability to produce reports that are more suited to less technical users.

How does a packet sniffer relate to the OSI model?

Sanders: In order to really understand what is going on when you try to analyze things at the packet level, you have to have a very thorough understanding of what the OSI model is and how data moves through it. Trying to sniff packets without understanding the basic concepts of the OSI model is like trying to drive a race car without knowing how to drive a stick shift.
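To illustrate the layer-by-layer decoding Sanders refers to, here is an added example (not code from the interview, Sanders' book or Wireshark) of a minimal dissector that walks a constructed Ethernet II / IPv4 / TCP frame in Python; the frame bytes are constructed for this example and the IP and TCP checksums are left at zero.

```python
import struct

# Constructed sample frame for this example (not a real capture):
# Ethernet II -> IPv4 -> TCP SYN from 192.168.1.100:50000 to 93.184.216.34:80.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"    # L2: dst MAC, src MAC, EtherType IPv4
    "45000028000100004006" "0000"            # L3: v4/IHL 5, len 40, id 1, TTL 64, proto 6, checksum 0
    "c0a80164" "5db8d822"                    # L3: src and dst address
    "c3500050" "00000001" "00000000"         # L4: ports, seq, ack
    "5002" "2000" "0000" "0000"              # L4: offset 5 + SYN, window 8192, checksum, urgent
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Peel one header at a time; each layer's header says what the next layer is."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"ethernet": {"dst": mac(dst), "src": mac(src), "type": ethertype}}
    if ethertype != 0x0800:                   # only IPv4 is decoded in this example
        return layers
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4                # header length in bytes, options included
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(ip) < total_len:
        raise ValueError("malformed or truncated IPv4 header")
    layers["ipv4"] = {"src": ipv4(ip[12:16]), "dst": ipv4(ip[16:20]), "ttl": ttl, "proto": proto, "id": ident}
    if proto != 6:                            # 6 = TCP
        return layers
    tcp = ip[ihl:total_len]                   # use total_len, not frame length: Ethernet may pad short frames
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": window}
    layers["payload_len"] = len(tcp) - data_off
    return layers


if __name__ == "__main__":
    for name, fields in decode_frame(SAMPLE_FRAME).items():
        print(name, fields)
```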

Is packet sniffing one of the causes of a slow network?

Sanders: The only time packet sniffing can cause a network to run slow is when it is placed improperly on a network. One of the most crucial parts of the packet sniffing process is placing your sniffer in an appropriate location on the network. Not only will this ensure you get the exact data you need, but it will also make absolutely certain that your presence on the network doesn't affect its performance. I devote a whole chapter of my book to analyzer placement.

How is sniffing wireless any different from sniffing any wired network traffic?

Sanders: Wireless sniffing is a completely different animal from that of a wired network. You have to employ different strategies of analyzer placement, put extra consideration into wireless-specific things such as signal strength, and deal with all kinds of extra wireless management packets. It is usually a good idea to understand basic packet sniffing before moving into the realm of wireless sniffing. My book includes an entire chapter devoted to the particulars of wireless packet sniffing.

How can you prevent someone with a packet sniffer from hacking your network?

Sanders: Unfortunately, hackers are always going to be one step ahead. There is no such thing as an unbreakable network, and if a hacker wants in badly enough, he will probably get in. The most a network admin can hope to do is take steps to prevent this type of thing from happening. This starts and ends with the most overlooked aspect of security: physical security. It is amazing how easily a stranger can walk into a company, plug a laptop into an empty port in a vacant room, and begin to sniff network secrets. The key here is to focus on your organization's front door as much as you do on its firewall doors.

