Problem solve Get help with specific problems with your technologies, process and projects.

What's the difference between packet sniffers and protocol analyzers?

Learn the difference between packet sniffers and protocol analyzers in this Ask the Expert response with our networking fundamentals expert.

What's the difference between packet sniffers and protocol analyzers? The analyzer sounds much more sophisticated, but is it?
A "sniffer" is the original trademark from the "old" Network General that dates back to their DOS-based protocol analyzer (Network General has been recently re-born as a sell-off from McAfee, formerly Network Associates). Sometimes the word sniffer is generically used to mean any protocol analyzer.

The degree of sophistication depends on what other features the analyzer offers beyond basic packet capturing and decoding. For instance, more advanced analyzers have expert systems that can dramatically cut troubleshooting time. Unfortunately, like automobiles, the quality of the expert system varies dramatically from vendor-to-vendor.

Another more advanced feature is distributed analysis. Enterprise-grade analyzers offer remote 24 x 7 packet capture, expert analysis, security, and management and control features. Some analyzers also support distributed 802.11 wireless "sensors."

Finally, if you work with very high speed networks like Gigabit Ethernet, the protocol analyzer will need to support specialized hardware such as Gigabit Ethernet NICs with an on-board CPU for precision timestamping of packet arrival (OS timestamping is not accurate at high speeds), support for on-board packet triggering and filtering, and the ability to merge two streams together from a full duplex connection. An alternative but low performance option is to use off the shelf hardware and connect to a SPAN (mirror) port on a switch.

This was last published in August 2004

Dig Deeper on Network services