What's the difference between packet sniffers and protocol analyzers? The analyzer sounds much more sophisticated, but is it?
A "sniffer" is the original trademark from the "old" Network General that dates back to their DOS-based protocol analyzer (Network General has recently been reborn as a sell-off from McAfee, formerly Network Associates). Sometimes the word sniffer is generically used to mean any protocol analyzer.
The degree of sophistication depends on what other features the analyzer offers beyond basic packet capturing and decoding. For instance, more advanced analyzers have expert systems that can dramatically cut troubleshooting time. Unfortunately, like automobiles, the quality of the expert system varies dramatically from vendor to vendor.
Another more advanced feature is distributed analysis. Enterprise-grade analyzers offer remote 24 x 7 packet capture, expert analysis, security, and management and control features. Some analyzers also support distributed 802.11 wireless "sensors."
Finally, if you work with very high speed networks like Gigabit Ethernet, the protocol analyzer will need to support specialized hardware such as Gigabit Ethernet NICs with an on-board CPU for precision timestamping of packet arrival (OS timestamping is not accurate at high speeds), support for on-board packet triggering and filtering, and the ability to merge two streams together from a full duplex connection. An alternative but low performance option is to use off-the-shelf hardware and connect to a SPAN (mirror) port on a switch.
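The two capabilities the answer names, decoding captured packets and merging the two legs of a full-duplex link into one time-ordered stream, can be shown with a small classic-pcap reader. The code below is an added example, not part of the original Q&A and not any vendor's analyzer code; the pcap magic numbers and the Ethernet/IPv4/TCP layouts are the published formats, while the IP addresses, ports and timestamps in `demo()` are constructed test data. It also makes the timestamp-resolution point concrete: the client-side leg is written as a microsecond-resolution pcap, so a packet stamped 1,500 ns after the epoch comes back as 1,000 ns, whereas the nanosecond-resolution server-side leg keeps its full timestamp.

```python
import heapq
import struct
from dataclasses import dataclass

# Classic pcap global-header magic numbers: the first marks microsecond
# timestamps, the second (libpcap >= 1.5) nanosecond timestamps.
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1


@dataclass(frozen=True)
class Packet:
    ts_ns: int      # capture timestamp normalised to nanoseconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: int      # raw TCP flag byte (0x02 = SYN, 0x10 = ACK, 0x12 = SYN/ACK)


def parse_pcap(data: bytes) -> list[Packet]:
    """Decode Ethernet/IPv4/TCP packets from a classic pcap byte string."""
    for endian in ("<", ">"):                      # detect writer byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    ts_scale = 1 if magic == PCAP_MAGIC_NSEC else 1000   # fraction unit -> ns
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")

    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:                 # not TCP, or truncated
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        packets.append(Packet(
            ts_ns=ts_sec * 1_000_000_000 + ts_frac * ts_scale,
            src=".".join(map(str, ip[12:16])),
            dst=".".join(map(str, ip[16:20])),
            sport=sport, dport=dport, flags=tcp[13]))
    return packets


def merge_streams(*captures: list[Packet]) -> list[Packet]:
    """Merge per-direction captures (the TX and RX legs of a full-duplex tap)
    into one stream ordered by timestamp; each input is already in capture order."""
    return list(heapq.merge(*captures, key=lambda p: p.ts_ns))


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed minimal Ethernet/IPv4/TCP frame (checksums left zero) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def build_pcap(records: list[tuple[int, bytes]], nanosecond: bool) -> bytes:
    """Write a little-endian classic pcap; records are (timestamp_ns, frame)."""
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    out = [struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_ns, frame in records:
        sec, frac = divmod(ts_ns, 1_000_000_000)
        if not nanosecond:
            frac //= 1000                          # microsecond files lose the rest
        out.append(struct.pack("<IIII", sec, frac, len(frame), len(frame)) + frame)
    return b"".join(out)


def demo() -> list[tuple[int, str, int]]:
    """Constructed TCP handshake captured as two unidirectional legs and merged.
    Returns (ns after base, direction, flags) in merged order."""
    base = 1_700_000_000 * 1_000_000_000
    client_leg = build_pcap([                      # microsecond-resolution capture
        (base + 1_500, build_frame("10.0.0.5", "10.0.0.9", 40000, 443, 0x02)),    # SYN
        (base + 250_000, build_frame("10.0.0.5", "10.0.0.9", 40000, 443, 0x10)),  # ACK
    ], nanosecond=False)
    server_leg = build_pcap([                      # nanosecond-resolution capture
        (base + 120_500, build_frame("10.0.0.9", "10.0.0.5", 443, 40000, 0x12)),  # SYN/ACK
    ], nanosecond=True)
    merged = merge_streams(parse_pcap(client_leg), parse_pcap(server_leg))
    return [(p.ts_ns - base, f"{p.src}->{p.dst}", p.flags) for p in merged]


if __name__ == "__main__":
    for ts, direction, flags in demo():
        print(f"{ts:>8} ns  {direction}  flags=0x{flags:02x}")
```

The merge relies on both legs having been stamped against the same clock, which is exactly what a dual-port capture card with on-board timestamping provides; two independent hosts or a SPAN port cannot give that guarantee, and the SYN timestamp rounding in the demo is the same kind of precision loss the answer attributes to OS-level timestamping.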
Related Q&A from Scott Haugdahl
How can I make better use of my protocol analyzer when analyzing TCP? I want to go beyond just looking at TCP decodes.
What does Power over Ethernet (PoE) have going for it?
Is there any downside to PoE?