Network analyzers. The best pen tester tools: sniffers and working with packages
OVERVIEW OF NETWORK TRAFFIC ANALYSIS AND MONITORING PROGRAMS
A.I. KOSTROMITSKY, Ph.D. tech. Sciences, V.S. DRILL
Introduction
Traffic monitoring is vital for effective network management. It is a source of information about the functioning of corporate applications, which is taken into account when allocating funds, planning computing power, identifying and localizing failures, and resolving security issues.
In the not-too-distant past, traffic monitoring was a relatively simple task. As a rule, computers were networked based on a bus topology, i.e., they had a shared transmission medium. This allowed a single device to be connected to the network, with which all traffic could be monitored. However, demands for increased network capacity and the development of packet switching technologies, which caused the price of switches and routers to fall, led to a rapid transition from shared media to highly segmented topologies. The overall traffic can no longer be seen from one point. To get a complete picture, you need to monitor each port. Using point-to-point connections makes connecting devices inconvenient and would require too many devices to listen to all ports, which becomes a prohibitively expensive task. In addition, switches and routers themselves have complex architectures, and the speed of packet processing and transmission becomes an important factor in determining network performance.
One of the current scientific tasks currently is the analysis (and further prediction) of the self-similar traffic structure in modern multiservice networks. To solve this problem, it is necessary to collect and subsequently analyze various statistics (speed, volumes of transmitted data, etc.) in existing networks. Collection of such statistics in one form or another is possible using various software tools. However, there is a set of additional parameters and settings that turn out to be very important when using various tools in practice.
Various researchers use the most various programs to monitor network traffic. For example, in , researchers used a program - an analyzer (sniffer) of Ethreal network traffic (Wireshark).
The review included free versions of programs that are available on , , .
1. Overview of network traffic monitoring programs
We reviewed about ten traffic analyzer programs (sniffers) and more than a dozen programs for monitoring network traffic, from which we selected four of the most interesting, in our opinion, and offer you an overview of their main capabilities.
1) BMExtreme(Fig. 1).
This is the new name of the well-known Bandwidth Monitor program. Previously, the program was distributed free of charge, but now it has three versions, and only the basic one is free. This version does not provide any features other than traffic monitoring itself, so it can hardly be considered a competitor to other programs. By default, BMExtreme monitors both Internet traffic and traffic on the local network, but monitoring on the LAN can be disabled if desired.
Rice. 1
2) BWMeter(Fig. 2).
This program has not one, but two traffic tracking windows: one displays activity on the Internet, and the other on the local network.
Rice. 2
The program has flexible settings for traffic monitoring. With its help, you can determine whether you need to monitor the reception and transmission of data on the Internet only from this computer or from all computers connected to the local network, set the range of IP addresses, ports and protocols for which monitoring will or will not be carried out. In addition, you can disable traffic tracking during certain hours or days. System administrators will certainly appreciate the ability to distribute traffic between computers on a local network. Thus, for each PC you can set the maximum speed for receiving and transmitting data, and also prohibit network activity with one click.
Despite its very miniature size, the program has a huge variety of capabilities, some of which can be represented as follows:
Monitoring any network interfaces and any network traffic.
A powerful filter system that allows you to estimate the volume of any part of the traffic - up to a specific site in a specified direction or traffic from each machine on the local network in specified time days.
Unlimited number of customizable network connection activity graphs based on selected filters.
Control (limit, pause) traffic flow on any of the filters.
Convenient statistics system (from an hour to a year) with an export function.
Ability to view statistics remote computers with BWMeter.
Flexible system of alerts and notifications upon reaching a certain event.
Maximum customization options, incl. appearance.
Possibility to run as a service.
3) Bandwidth Monitor Pro(Fig. 3).
Its developers paid a lot of attention to setting up the traffic monitoring window. Firstly, you can determine what information the program will constantly display on the screen. This can be the amount of data received and transmitted (both separately and in total) for today and for any specified period of time, average, current and maximum connection speed. If you have multiple network adapters installed, you can monitor statistics for each of them separately. Wherein, necessary information for each network card can also be displayed in the monitoring window.
Rice. 3
Separately, it is worth mentioning the notification system, which is implemented very successfully here. You can set the behavior of the program when specified conditions are met, which may be the transfer of a certain amount of data over a specified period of time, achievement maximum speed downloads, changing the connection speed, etc. If several users work on the computer and you need to monitor the overall traffic, the program can be run as a service. In this case, Bandwidth Monitor Pro will collect statistics of all users who log into the system under their logins.
4) DUTraffic(Fig. 4).
DUTraffic is distinguished from all review programs by its free status.
Rice. 4
Like its commercial counterparts, DUTraffic can perform a variety of actions when certain conditions are met. For example, it can play an audio file, display a message, or disconnect the Internet connection when the average or current download speed is less than a specified value, when the duration of an Internet session exceeds a specified number of hours, when a certain amount of data has been transferred. In addition, various actions can be performed cyclically, for example, every time the program detects the transfer of a given amount of information. Statistics in DUTraffic are maintained separately for each user and for each Internet connection. The program shows both general statistics for the selected period of time and information about the speed, amount of transmitted and received data and financial costs for each session.
5) Cacti monitoring system(Fig. 5).
Cacti is an open-source web application (there is no installation file). Cacti collects statistical data for certain time intervals and allows you to display them graphically. The system allows you to build graphs using RRDtool. Mainly used standard templates to display statistics on processor load, RAM allocation, number of running processes, use of incoming/outgoing traffic.
Interface for displaying statistics collected from network devices, is presented in the form of a tree, the structure of which is specified by the user himself. As a rule, graphs are grouped according to certain criteria, and the same graph can be present in different branches of the tree (for example, traffic through the server’s network interface - in the one dedicated to the overall picture of the company’s Internet traffic, and in the branch with parameters of this device). There is an option to view a pre-compiled set of charts, and there is a preview mode. Each of the graphs can be viewed separately, and it will be presented for the last day, week, month and year. It is possible to independently select the time period for which the schedule will be generated, and this can be done either by specifying calendar parameters or simply by selecting a certain area on it with the mouse.
Table 1
|
Settings/Programs |
BMExtreme |
BWMeter |
Bandwidth Monitor Pro |
DUTraffic |
Cacti |
|
Installation file size |
473 KB |
1.91 MB |
1.05 MB |
1.4 MB |
|
|
Interface language |
Russian |
Russian |
English |
Russian |
English |
|
Speed graph |
|||||
|
Traffic graph |
|||||
|
Export/Import (export file format) |
–/– |
(*. csv) |
–/– |
–/– |
(*.xls) |
|
Min -time step between data reports |
5 minutes. |
1 sec. |
1 min. |
1 sec. |
1 sec. |
|
Possibility of change min |
|||||
2. Review of network traffic analyzer programs (sniffers)
Traffic analyzer, or sniffer - network analyzer traffic, a program or hardware-software device designed to intercept and subsequently analyze, or only analyze, network traffic intended for other nodes.
Analysis of traffic passed through the sniffer allows you to:
Intercept any unencrypted (and sometimes encrypted) user traffic in order to obtain passwords and other information.
Locate a network fault or network agent configuration error (sniffers are often used for this purpose by system administrators).
Since in a “classic” sniffer traffic analysis is carried out manually, using only the simplest automation tools (protocol analysis, TCP stream restoration), it is suitable for analyzing only small volumes.
1) Wireshark(formerly Ethereal).
Traffic analyzer program for computer networks Ethernet and some others. Has a graphic user interface. Wireshark is an application that “knows” the structure of a wide variety of network protocols, and therefore allows you to parse a network packet, displaying the meaning of each protocol field at any level. Since pcap is used to capture packets, it is possible to capture data only from networks that are supported by this library. However, Wireshark can handle a variety of input data formats, so you can open data files captured by other programs, expanding your capture capabilities.
2) IrisNetworkTrafficAnalyzer.
In addition to the standard functions of collecting, filtering and searching for packages, as well as generating reports, the program offers unique capabilities for reconstructing data. Iris The Network Traffic Analyzer helps to reproduce in detail user sessions with various web resources and even allows you to simulate the sending of passwords to access secure web servers using cookies. The unique data reconstruction technology implemented in the decode module converts hundreds of collected binary network packets into ones that are familiar to the eye emails, web pages, ICQ messages, etc. eEye Iris allows you to view unencrypted messages from web mail and instant messaging programs, expanding the capabilities of existing monitoring and audit tools.
The eEye Iris packet analyzer allows you to capture various details of the attack, such as the date and time, IP addresses and DNS names of the hacker and victim's computers, and the ports used.
3) EthernetInternettrafficStatistic.
Ethernet Internet traffic Statistic shows the amount of data received and received (in bytes - total and for the last session), as well as the connection speed. For clarity, the collected data is displayed in real time on a graph. It works without installation, the interface is Russian and English.
A utility for monitoring the degree of network activity - shows the amount of received and accepted data, keeping statistics for the session, day, week and month.
4) CommTraffic.
This is a network utility for collecting, processing and displaying Internet traffic statistics via a modem (dial-up) or dedicated connection. When monitoring a local network segment, CommTraffic shows Internet traffic for each computer in the segment.
CommTraffic includes an easily customizable, user-friendly interface that displays network performance statistics in the form of graphs and numbers.
table 2
|
Settings/Programs |
Wireshark |
Iris The Network Traffic Analyzer |
Ethernet Internet traffic Statistic |
CommTraffic |
|
Installation file size |
17.4 MB |
5.04 MB |
651 KB |
7.2 MB |
|
Interface language |
English |
Russian |
English Russian |
Russian |
|
Speed graph |
||||
|
Traffic graph |
||||
|
Export/Import (export file format) |
+/– (*.txt, *.px, *.csv, *.psml, *.pdml, *.c) |
–/– |
–/– |
–/– |
|
Run on-demand monitoring |
||||
|
Min -time step between data reports |
0.001 sec. |
1 sec. |
1 sec. |
1 sec. |
|
Possibility of change min -th step between data reports |
Conclusion
Overall, we can say that most home users will be satisfied with the capabilities that Bandwidth Monitor Pro provides. If we talk about the most functional program for monitoring network traffic, this is, of course, BWMeter.
Among the network traffic analyzer programs reviewed, I would like to highlight Wireshark, which has more functionality.
The Cacti monitoring system maximally meets the increased requirements that are imposed in the case of conducting research of network traffic for scientific purposes. In the future, the authors of the article plan to use this particular system for collecting and preliminary analysis of traffic in the corporate multiservice network of the Department of Communication Networks of the Kharkov National University of Radio Electronics.
Bibliography
Platov V.V., Petrov V.V. Study of the self-similar structure of teletraffic in a wireless network // Radio engineering notebooks. M.: OKB MPEI. 2004. No. 3. pp. 58-62.
Petrov V.V. Teletraffic structure and algorithm for ensuring quality of service under the influence of the self-similarity effect. Dissertation for the scientific degree of Candidate of Technical Sciences, 05.12.13, Moscow, 2004, 199 p.
Original: 8 best packet sniffers and network analyzers
Author: Jon Watson
Date of publication: November 22, 2017
Translation: A. Krivoshey
Transfer date: December 2017
Packet sniffing is a colloquial term that refers to the art of analyzing network traffic. Contrary to popular belief, things like emails and web pages do not travel across the Internet in one piece. They're broken into thousands small packages data and are thus sent via the Internet. In this article, we will look at the best free network analyzers and packet sniffers.
There are many utilities that collect network traffic, and most of them use pcap (in Unix-like systems) or libcap (on Windows) as the kernel. Another type of utility helps analyze this data, since even a small amount of traffic can generate thousands of packets that are difficult to navigate. Almost all of these utilities differ little from each other in collecting data, the main differences being in how they analyze the data.
Analyzing network traffic requires understanding how the network works. There is no tool that can magically replace an analyst's knowledge of network fundamentals, such as the TCP "3-way handshake" that is used to initiate a connection between two devices. Analysts also need to have some understanding of the types of network traffic on a normally functioning network, such as ARP and DHCP. This knowledge is important because analytics tools will simply show you what you ask them to do. It's up to you to decide what to ask for. If you don't know what your network typically looks like, it can be difficult to know that you've found what you need in the mass of packages you've collected.
The best packet sniffers and network analyzers
Industrial tools
Let's start at the top and then work our way down to the basics. If you're dealing with an enterprise-level network, you'll need a big gun. While almost everything uses tcpdump at its core (more on that later), enterprise-grade tools can solve certain complex problems, such as correlating traffic from multiple servers, providing intelligent queries to identify problems, alerting about exceptions, and creating good graphs, which is what bosses always demand .
Enterprise-level tools are typically geared toward streaming network traffic rather than assessing the contents of packets. By this I mean that the main focus of most system administrators in the enterprise is to ensure that the network does not have performance bottlenecks. When such bottlenecks occur, the goal is usually to determine whether the problem is caused by the network or an application on the network. On the other hand, these tools can usually handle such high traffic that they can help predict when a network segment will be fully loaded, which is a critical point in managing network capacity.
This is a very large set of IT management tools. In this article, the Deep Packet Inspection and Analysis utility, which is its integral part. Collecting network traffic is quite simple. With tools like WireShark, basic analysis is also not a problem. But the situation is not always completely clear. On a very busy network, it can be difficult to determine even very simple things, such as:
What application on the network is generating this traffic?
- if an application is known (say a web browser), where do its users spend most of their time?
- which connections are the longest and overload the network?
Most network devices use each packet's metadata to make sure the packet goes where it needs to go. The contents of the packet are unknown to the network device. Another thing is deep packet inspection; this means that the actual contents of the package are checked. In this way, critical network information that cannot be gleaned from metadata can be discovered. Tools like those provided by SolarWinds can provide more meaningful data than just traffic flow.
Other technologies for managing data-intensive networks include NetFlow and sFlow. Each has its own strengths and weaknesses,
You can learn more about NetFlow and sFlow.
Network analysis in general is an advanced topic that is based on both acquired knowledge and practical work experience. You can train a person to have detailed knowledge of network packets, but unless that person has knowledge of the network itself and experience identifying anomalies, they won't do very well. The tools described in this article should be used by experienced network administrators who know what they want but are not sure which utility is best. They can also be used by less experienced system administrators to gain day-to-day networking experience.
Basics
The main tool for collecting network traffic is
This is an open source application that installs on almost all Unix-like systems. operating systems Oh. Tcpdump is an excellent data collection utility that has a very sophisticated filtering language. It is important to know how to filter data when collecting it in order to end up with a normal set of data for analysis. Capturing all the data from a network device, even on a moderately busy network, can generate too much data that is very difficult to analyze.
In some rare cases, it will be enough to print tcpdump captured data directly to the screen to find what you need. For example, while writing this article, I collected traffic and noticed that my machine was sending traffic to an IP address that I didn't know. It turns out that my machine was sending data to the Google IP address 172.217.11.142. Since I didn't have any Google products and Gmail wasn't open, I didn't know why this was happening. I checked my system and found the following:
[ ~ ]$ ps -ef | grep google user 1985 1881 0 10:16 ? 00:00:00 /opt/google/chrome/chrome --type=service
It turns out that even when Chrome is not running, it remains running as a service. I wouldn't have noticed this without packet analysis. I captured a few more data packets, but this time I gave tcpdump the task of writing the data to a file, which I then opened in Wireshark (more on this later). These are the entries:
Tcpdump is a favorite tool of system administrators because it is a utility command line. Running tcpdump does not require a GUI. For production servers, the graphical interface is rather harmful, as it consumes system resources, so command line programs are preferable. Like many modern utilities, tcpdump has a very rich and complex language that takes some time to master. Several of the most basic commands involve selecting network interface to collect data and record that data in a file so that it can be exported for analysis elsewhere. The -i and -w switches are used for this.
# tcpdump -i eth0 -w tcpdump_packets tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes ^C51 packets captured
This command creates a file with the captured data:
File tcpdump_packets tcpdump_packets: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
The standard for such files is the pcap format. It is not text, so it can only be analyzed using programs that understand this format.
3.Windump
Most useful open source utilities end up being cloned into other operating systems. When this happens, the application is said to have been migrated. Windump is a port of tcpdump and behaves in a very similar way.
The most significant difference between Windump and tcpdump is that Windump needs the Winpcap library installed before Windump runs. Even though Windump and Winpcap are provided by the same maintainer, they must be downloaded separately.
Winpcap is a library that must be pre-installed. But Windump is an exe file that doesn't need to be installed, so you can just run it. This is something to keep in mind if you are using a Windows network. You don't have to install Windump on every machine as you can just copy it as needed, but you will need Winpcap to support Windup.
As with tcpdump, Windump can display network data for analysis, filter it in the same way, and also write the data to a pcap file for later analysis.
4. Wireshark
Wireshark is the next most famous tool in a system administrator's toolbox. It not only allows you to capture data but also provides some advanced analysis tools. Additionally, Wireshark is open source and has been ported to almost all existing server operating systems. Called Etheral, Wireshark now runs everywhere, including as a standalone, portable application.
If you're analyzing traffic on a server with a GUI, Wireshark can do everything for you. It can collect data and then analyze it all right there. However, GUIs are rare on servers, so you can collect network data remotely and then examine the resulting pcap file in Wireshark on your computer.
When you first launch Wireshark, you can either load an existing pcap file or run a traffic capture. In the latter case, you can additionally set filters to reduce the amount of data collected. If you don't specify a filter, Wireshark will simply collect all network data from the selected interface.
One of the most useful features Wireshark is the ability to follow a stream. It's best to think of a thread as a chain. In the screenshot below we can see a lot of data captured, but what I was most interested in was Google's IP address. I can right click and follow the TCP stream to see the entire chain.
If the traffic was captured on another computer, you can import the PCAP file using the Wireshark File -> Open dialog. The same filters and tools are available for imported files as for captured network data.
5.tshark
Tshark is a very useful link between tcpdump and Wireshark. Tcpdump is superior at data collection and can surgically extract only the data you need, however its data analysis capabilities are very limited. Wireshark is great at both capture and analysis, but has a heavy user interface and cannot be used on servers without a GUI. Try tshark, it works on the command line.
Tshark uses the same filtering rules as Wireshark, which should not be surprising since they are essentially the same product. The command below only tells tshark to capture the destination IP address, as well as some other fields of interest from the HTTP portion of the packet.
# tshark -i eth0 -Y http.request -T fields -e ip.dst -e http.user_agent -e http.request.uri 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox /57.0 /images/title.png 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/styles/phoenix.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/code/jquery_lightbox/jquery_lightbox/js/jquery-1.2.6.pack.js 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox /57.0 /images/styles/index.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/images/title.png 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /favicon.ico 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /favicon.ico
If you want to write the traffic to a file, use the -W option to do so, and then the -r (read) switch to read it.
First capture:
# tshark -i eth0 -w tshark_packets Capturing on "eth0" 102 ^C
Read it here, or move it to another place for analysis.
# tshark -r tshark_packets -Y http.request -T fields -e ip.dst -e http.user_agent -e http.request.uri 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox /57.0 /contact 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /reservations/ 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/2010 0101 Firefox/ 57.0 /reservations/styles/styles.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /res/code/jquery_lightbox/jquery_lightbox/js/jquery-1.2.6.pack. js 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /res/styles/index.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/2010 0101 Firefox/57.0 /res/images/title.png
This is a very interesting tool that falls more into the category of network forensic analysis tools rather than just sniffers. The field of forensics typically deals with investigations and evidence collection, and Network Miner does this job just fine. Just as wireshark can follow a TCP stream to reconstruct an entire packet transmission chain, Network Miner can follow a stream in order to recover files that have been transferred over a network.
Network Miner can be strategically placed on the network to be able to observe and collect traffic that interests you in real time. It will not generate its own traffic on the network, so it will operate stealthily.
Network Miner can also work in offline mode. You can use tcpdump to collect packets at a network point of interest and then import the PCAP files into Network Miner. Next, you can try to recover any files or certificates found in the recorded file.
Network Miner is made for Windows, but with Mono it can be run on any OS that supports the Mono platform, such as Linux and MacOS.
There is a free version entry level, but with a decent set of functions. If you need additional features, such as geolocation and custom scripts, you will need to purchase a professional license.
7. Fiddler (HTTP)
It's not technically a network packet capture utility, but it's so incredibly useful that it makes it onto this list. Unlike the other tools listed here, which are designed to capture network traffic from any source, Fiddler is more of a debugging tool. It captures HTTP traffic. While many browsers already have this capability in their developer tools, Fiddler is not limited to browser traffic. Fiddler can capture any HTTP traffic on a computer, including non-web applications.
Many desktop applications use HTTP to connect to web services, and in addition to Fiddler, the only way Capturing such traffic for analysis is to use tools such as tcpdump or Wireshark. However, they operate at the packet level, so analysis requires reconstructing these packets into HTTP streams. It can be a lot of work to do simple research, and that's where Fiddler comes in. Fiddler will help you detect cookies, certificates, and other useful data sent by applications.
Fiddler is free and, like Network Miner, it can be run in Mono on almost any operating system.
8. Capsa
The Capsa network analyzer has several editions, each with different capabilities. At the first level, Capsa is free, and it essentially allows you to simply capture packets and perform basic graphical analysis on them. The dashboard is unique and can help an inexperienced system administrator quickly identify network problems. Free level is designed for people who want to learn more about packages and build their analysis skills.
The free version allows you to monitor over 300 protocols, is suitable for email monitoring as well as storing email content, and it also supports triggers that can be used to trigger alerts when certain situations occur. In this regard, Capsa can be used as a support tool to some extent.
Capsa is only available for Windows 2008/Vista/7/8 and 10.
Conclusion
It is easy to understand how a system administrator can create a network monitoring infrastructure using the tools we have described. Tcpdump or Windump can be installed on all servers. A scheduler such as cron or Windows scheduler in right moment starts a packet collection session and writes the collected data to a pcap file. Then the system administrator can transfer these packages central machine and analyze them using wireshark. If the network is too large for this, there are enterprise-grade tools such as SolarWinds to turn everything network packets into a managed dataset.
Read other articles about intercepting and analyzing network traffic :
- Dan Nanni, Command Line Utilities for Monitoring Network Traffic on Linux
- Paul Cobbaut, Linux System Administration. Intercepting network traffic
- Paul Ferrill, 5 Tools for Network Monitoring on Linux
- Pankaj Tanwar, Packet capture using libpcap library
- Riccardo Capecchi, Using filters in Wireshark
- Nathan Willis, Network Analysis with Wireshark
- Prashant Phatak,
Many network administrators often encounter problems that can be resolved by analyzing network traffic. And here we come across such a concept as a traffic analyzer. So what is it?
NetFlow analyzers and collectors are tools that help you monitor and analyze network traffic data. Network process analyzers allow you to accurately identify devices that are reducing channel throughput. They know how to find problem areas in your system and improve the overall efficiency of the network.
The term " NetFlow" refers to a Cisco protocol designed to collect IP traffic information and monitor network traffic. NetFlow has been adopted as the standard protocol for streaming technologies.
NetFlow software collects and analyzes flow data generated by routers and presents it in a user-friendly format.
Several other network equipment vendors have their own protocols for monitoring and data collection. For example, Juniper, another highly respected network device vendor, calls its protocol " J-Flow". HP and Fortinet use the term " s-Flow". Although the protocols are called differently, they all work in a similar way. In this article, we'll look at 10 free network traffic analyzers and NetFlow collectors for Windows.
SolarWinds Real-Time NetFlow Traffic Analyzer
Free NetFlow Traffic Analyzer is one of the most popular tools available for free download. It provides the ability to sort, tag and display data different ways. This allows you to conveniently visualize and analyze network traffic. The tool is great for monitoring network traffic by type and time period. As well as running tests to determine how much traffic various applications consume.
This free tool is limited to one NetFlow monitoring interface and only stores 60 minutes of data. This Netflow analyzer is a powerful tool that is worth using.
Colasoft Capsa Free
This free LAN traffic analyzer identifies and monitors over 300 network protocols and allows you to create custom reports. It includes email monitoring and sequence charts TCP synchronization, all of this is collected in one customizable panel.
Other features include network security analysis. For example, tracking DoS/DDoS attacks, worm activity and ARP attack detection. As well as packet decoding and information display, statistical data about each host on the network, packet exchange control and flow reconstruction. Capsa Free supports all 32-bit and 64-bit versions of Windows XP.
Minimum system requirements for installation: 2 GB of RAM and a 2.8 GHz processor. You must also have an Ethernet connection to the Internet ( NDIS 3 compliant or higher), Fast Ethernet or Gigabit with mixed mode driver. It allows you to passively capture all packets transmitted over an Ethernet cable.
Angry IP Scanner
It is an open source Windows traffic analyzer that is fast and easy to use. It does not require installation and can be used on Linux, Windows and Mac OSX. This tool works by simply pinging each IP address and can determine MAC addresses, scan ports, provide NetBIOS information, determine the authorized user on Windows systems, discover web servers, and much more. Its capabilities are expanded using Java plugins. Scan data can be saved to CSV, TXT, XML files.
ManageEngine NetFlow Analyzer Professional
A fully featured version of ManageEngines' NetFlow software. It's powerful software With full set functions for analysis and data collection: real-time monitoring of channel throughput and alerts when threshold values are reached, which allows you to quickly administer processes. In addition, it provides summary data on resource usage, monitoring of applications and protocols, and much more.
The free version of the Linux traffic analyzer allows unlimited use of the product for 30 days, after which you can monitor only two interfaces. System requirements for NetFlow Analyzer ManageEngine depend on the flow rate. Recommended requirements for minimum thread speed from 0 to 3000 threads per second: 2.4 GHz dual-core processor, 2 GB RAM and 250 GB free space on your hard drive. As the speed of the flow to be monitored increases, the requirements also increase.
The Dude
This application is a popular network monitor developed by MikroTik. It automatically scans all devices and recreates a network map. The Dude monitors servers running on various devices, and warns in case of problems. Other features include automatic discovery and display of new devices, the ability to create custom maps, access to tools for remote device management, and more. It runs on Windows Linux Wine and MacOS Darwine.
JDSU Network Analyzer Fast Ethernet
This traffic analyzer program allows you to quickly collect and view network data. The tool provides the ability to view registered users, determine the level of network bandwidth usage separate devices, quickly find and fix errors. And also capture data in real time and analyze it.
The application supports the creation of highly detailed graphs and tables that allow administrators to monitor traffic anomalies, filter data to sift through large volumes of data, and much more. This tool for entry-level professionals, as well as experienced administrators, allows you to take complete control of your network.
Plixer Scrutinizer
This network traffic analyzer allows you to collect and comprehensively analyze network traffic, and quickly find and fix errors. With Scrutinizer, you can sort your data in a variety of ways, including by time interval, host, application, protocol, and more. The free version allows you to control an unlimited number of interfaces and store data for 24 hours of activity.
Wireshark
Wireshark is a powerful network analyzer that can run on Linux, Windows, MacOS X, Solaris and other platforms. Wireshark allows you to view captured data using a GUI, or use the TTY-mode TShark utilities. Its features include VoIP traffic collection and analysis, real-time display of Ethernet, IEEE 802.11, Bluetooth, USB, Frame Relay data, XML, PostScript, CSV data output, decryption support, and more.
System requirements: Windows XP and higher, any modern 64/32-bit processor, 400 Mb of RAM and 300 Mb of free space disk space. Wireshark NetFlow Analyzer is powerful tool, which can significantly simplify the work of any network administrator.
Paessler PRTG
This traffic analyzer provides users with many useful features: support for monitoring LAN, WAN, VPN, applications, virtual server,QoS and environment. Multi-site monitoring is also supported. PRTG uses SNMP, WMI, NetFlow, SFlow, JFlow and packet analysis, as well as uptime/downtime monitoring and IPv6 support.
The free version allows you to use an unlimited number of sensors for 30 days, after which you can only use up to 100 for free.
nProbe
It is a full-featured open source NetFlow tracking and analysis application.
nProbe supports IPv4 and IPv6, Cisco NetFlow v9 / IPFIX, NetFlow-Lite, contains functions for VoIP traffic analysis, flow and packet sampling, log generation, MySQL/Oracle and DNS activity, and much more. The application is free if you download and compile the traffic analyzer on Linux or Windows. Executable file The setting limits the capture volume to 2000 packets. nProbe is completely free for educational institutions, as well as non-profit and scientific organizations. This tool will work on 64-bit versions of operating systems Linux systems and Windows.
Traffic analysis is a process whose importance is known to any IT professional, regardless of whether he works for a small company or a large corporation. After all, identifying and correcting network problems is a real art, which directly depends both on the instinct of the specialist himself and on the depth and quality of the data he operates. And the traffic analyzer is exactly the tool that provides you with this data. A wisely chosen network traffic analysis solution can not only help you figure out how packets are sent, received, and securely transmitted across your network, but it can also do much, much more!
Currently on the market a large number of variations of software for analyzing network traffic. Moreover, some of them are capable of evoking nostalgic memories among “old school” specialists; they use a terminal font and command line interface, and at first glance appear difficult to use. Other solutions, on the contrary, stand out for their ease of installation and are aimed at an audience with visual perception (they are literally oversaturated with various graphics). The price range of these solutions also differs quite significantly - from free to solutions with a very expensive corporate license.
So that you, depending on your tasks and preferences, can choose The best decision for network traffic analysis, we present to you a list of the most interesting traffic analysis software products currently available on the market, as well as a brief overview of the functionality built into them for extracting, processing and visually presenting various network information. Some of these functions are similar for all the solutions for analyzing network traffic presented in this review - they allow you to see sent and received network packets with one or another level of detail - but almost all of them have some characteristic features that make them unique when used in certain applications. situations or network environments. Ultimately, we turn to network traffic analysis when we have a network problem, but we cannot quickly narrow it down to a specific machine, device or protocol, and we have to conduct more deep search. We will help you choose the most suitable one for these purposes. software solution for traffic analysis.
SolarWinds Network Bandwidth Analyzer
This solution is positioned by the manufacturer as a software package of two products - Network Performance Monitor ( basic solution) and NetFlow Traffic Analyzer (modular extension). As stated, they have similar, but still different functionality for analyzing network traffic, complementing each other when sharing two products at once.
Network Performance Monitor, as the name suggests, monitors network performance and is a tempting choice if you want to get an overview of what's happening on your network. By purchasing this solution, you are paying for the ability to monitor the overall health of your network: based on a wealth of statistics, such as the speed and reliability of data and packet transmission, in most cases you will be able to quickly identify problems in the operation of your network. And the program’s advanced intellectual capabilities for identifying potential problems and extensive capabilities for visually presenting results in the form of tables and graphs with clear warnings about possible problems will make this work even easier.
The NetFlow Traffic Analyzer modular extension is more focused on analyzing the traffic itself. While the functionality of the basic Network Performance Monitor software solution is more designed to provide an overview of network performance, NetFlow Traffic Analyzer focuses on a more detailed analysis of the processes occurring in the network. In particular, this part of the software package will analyze congestion or abnormal surges in bandwidth and provide statistics sorted by user, protocol or application. Please note that this program is only available for the Windows environment.
Wireshark
Is a relatively new tool in a large family of solutions for network diagnostics, but during this time he has already managed to win recognition and respect from IT professionals. WireShark does an excellent job of analyzing traffic, doing its job perfectly for you. The developers were able to find a middle ground between the source data and the visual representation of this data, so in WireShark you will not find biases in one direction or another, which are common in most other solutions for analyzing network traffic. WireShark is simple, compatible and portable. With WireShark, you get exactly what you expect, and you get it fast.
WireShark has a great user interface, plenty of filtering and sorting options, and, as many of us will appreciate, WireShark traffic analysis works great with any of the three most popular operating system families—*NIX, Windows, and macOS. Add to all of the above the fact that WireShark is open source and free, and you have a great tool for conducting quick diagnostics your network.
tcpdump
The tcpdump traffic analyzer looks like some kind of ancient tool, and, to be completely honest, in terms of functionality it works too. Despite the fact that he copes with his work and does it well, using a minimum system resources, to the extent possible, many modern specialists will find it difficult to understand a huge number“dry” tables with data. But there are situations in life when the use of such cut-off and resource-intensive solutions can be useful. In some environments or on barely-performing PCs, minimalism may be the only viable option.
The tcpdump software solution was originally developed for the *NIX environment, but this moment it also works with multiple Windows ports. It has all the basic functionality you'd expect to see in any traffic analyzer - capturing, recording, etc. - but you can't ask for much more from it.
Kismet
The Kismet traffic analyzer is another example of open source software tailored to solve specific problems. Kismet doesn't just analyze network traffic, it provides you with much more advanced functionality. For example, it is capable of analyzing the traffic of hidden networks and even wireless networks that do not broadcast their SSID! A traffic analysis tool like this can be extremely useful when there is something on your wireless network that is causing problems, but you can't quickly find the source. Kismet will help you detect a rogue network or access point that is working but not configured correctly.
Many of us know firsthand that the task becomes more complex when it comes to analyzing wireless network traffic, so having a specialized tool like Kismet on hand is not only desirable, but often necessary. Kismet Traffic Analyzer is a great choice for you if you constantly deal with a lot of wireless traffic and wireless devices, and you need a good tool to analyze your wireless network traffic. Kismet is available for *NIX, Windows under Cygwin and macOS environments.
EtherApe
According to their own functionality EtherApe is similar to WireShark in many ways, and it is also open source and free. However, where it really stands out from other solutions is its focus on graphics. And if, for example, you view the results of WireShark traffic analysis in a classic digital form, then EtherApe network traffic is displayed using an advanced graphical interface, where each vertex of the graph represents a separate host, the sizes of the vertices and edges indicate the size of the network traffic, and are marked with color various protocols. For those people who prefer visual perception of statistical information, the EtherApe analyzer may be the best choice. Available for *NIX and macOS environments.
Cain and Abel
This software with a very interesting name has the ability to analyze traffic is more of an auxiliary function than the main one. If your tasks go far beyond simple traffic analysis, then you should pay attention to this tool. With it, you can recover Windows passwords, perform attacks to obtain lost credentials, examine VoIP data on the network, analyze packet routing, and much more. This is a truly powerful toolkit for a system administrator with broad powers. Works only in Windows environment.
NetworkMiner
NetworkMiner is another software solution whose functionality goes beyond basic traffic analysis. While other traffic analyzers focus on sending and receiving packets, NetworkMiner monitors those who are actually sending and receiving packets. This tool is more suitable for identifying problematic computers or users than for general diagnostics or network monitoring per se. NetworkMiner designed for OS Windows.
KisMAC
KisMAC is the name of this software product speaks for itself - this is Kismet for macOS. These days, Kismet already has a port to the macOS operating environment, so the existence of KisMAC may seem redundant, but it is worth noting the fact that the KisMAC solution actually has its own codebase and is not directly derived from the Kismet traffic analyzer. Of particular note is that KisMAC offers some capabilities, such as location mapping and deauthentication attacks on macOS, that Kismet itself does not provide. These unique features can tip the scales in favor of this particular software solution in certain situations.
Conclusion
Network traffic analysis software can be a vital tool for you when you periodically encounter network problems different types- be it performance, dropped connections or problems with network backups. Almost everything related to the transmission and reception of data on the network can be quickly identified and corrected thanks to the information obtained using the software from the above list.
The results that a qualitative analysis of network traffic will give you using proven specialized software tools will help you go much deeper than the top layer of the problem, and understand what is actually happening on your network, or is not happening, but should be happening.
Subscribe to the newsletter, share articles on social networks and ask questions in the comments!
Always in touch, Igor Panov.
Network packet analyzers, or sniffers, were originally developed as a means of solving network problems. They are able to intercept, interpret and store packets transmitted over the network for subsequent analysis. On the one hand, this allows system administrators and service engineers technical support Observe how data is transferred over the network, diagnose and fix problems that arise. In this sense, packet sniffers are a powerful tool for diagnosing network problems. On the other hand, like many other powerful tools that were originally intended for administration, over time, sniffers began to be used for completely different purposes. Indeed, a sniffer in the hands of an attacker is a rather dangerous tool and can be used to obtain passwords and other confidential information. However, you should not think that sniffers are some kind of magical tool through which any hacker can easily view confidential information transmitted over the network. And before we prove that the danger posed by sniffers is not as great as is often presented, let us consider in more detail the principles of their functioning.
Operating principles of packet sniffers
Further in this article we will consider only software sniffers designed for Ethernet networks. Sniffer is a program that works at the NIC (Network Interface Card) level (link layer) and in a hidden way intercepts all traffic. Since sniffers work on link level OSI model, they don't have to play by protocol rules anymore high level. Sniffers bypass the filtering mechanisms (addresses, ports, etc.) that Ethernet drivers and the TCP/IP stack use to interpret data. Packet sniffers capture from the wire everything that comes through it. Sniffers can store frames in binary format and later decrypt them to reveal higher-level information hidden inside (Figure 1).
In order for the sniffer to capture all packets passing through the network adapter, the network adapter driver must support promiscuous mode. It is in this mode of operation of the network adapter that the sniffer is able to intercept all packets. This mode of operation of the network adapter is automatically activated when the sniffer is launched or is set manually by the corresponding sniffer settings.
All intercepted traffic is passed to a packet decoder, which identifies and splits packets into the appropriate hierarchy levels. Depending on the capabilities of a particular sniffer, the provided packet information can subsequently be further analyzed and filtered.
Limitations of using sniffers
Sniffers posed the greatest danger in those days when information was transmitted over the network in clear text (without encryption), and local networks were built on the basis of concentrators (hubs). However, these days are irrevocably gone, and nowadays using sniffers to gain access to confidential information is by no means an easy task.
The fact is that when building local networks based on hubs, there is a certain common data transmission medium ( network cable) and all network nodes exchange packets, competing for access to this medium (Fig. 2), and a packet sent by one network node is transmitted to all ports of the hub and this packet is listened to by all other network nodes, but is received only by the node to which it is addressed. Moreover, if a packet sniffer is installed on one of the network nodes, then it can intercept all network packets related to a given network segment (the network formed by the hub).
Switches are more intelligent devices than broadcast hubs and isolate network traffic. The switch knows the addresses of the devices connected to each port and transmits packets only between the necessary ports. This allows you to offload other ports without having to forward every packet to them, as a hub does. Thus, a packet sent by a certain network node is transmitted only to the switch port to which the packet recipient is connected, and all other network nodes are not able to detect this packet (Fig. 3).
Therefore, if the network is built on the basis of a switch, then a sniffer installed on one of the network computers is capable of intercepting only those packets that are exchanged between this computer and other network nodes. As a result, in order to be able to intercept packets that the computer or server of interest to the attacker exchanges with other network nodes, it is necessary to install a sniffer on this particular computer (server), which is actually not so simple. However, you should keep in mind that some packet sniffers are launched from the command line and may not have a graphical interface. Such sniffers, in principle, can be installed and launched remotely and unnoticed by the user.
Additionally, you should also keep in mind that while switches isolate network traffic, all managed switches have port forwarding or port mirroring functionality. That is, the switch port can be configured in such a way that all packets arriving on other switch ports are duplicated on it. If in this case a computer with a packet sniffer is connected to such a port, then it can intercept all packets exchanged between computers on a given network segment. However, as a rule, the ability to configure the switch is available only to the network administrator. This, of course, does not mean that he cannot be an attacker, but a network administrator has many other ways to control all users of the local network, and it is unlikely that he will monitor you in such a sophisticated way.
Another reason why sniffers are no longer as dangerous as they once were is that most sensitive data is now transmitted encrypted. Open, unencrypted services are rapidly disappearing from the Internet. For example, when visiting websites, the SSL (Secure Sockets Layer) protocol is increasingly used; instead of open FTP SFTP (Secure FTP) is used, and for other services that do not use encryption by default, virtual private networks (VPNs) are increasingly used.
So, those concerned about the potential for malicious use of packet sniffers should keep the following in mind. First, to pose a serious threat to your network, sniffers must be located within the network itself. Secondly, today's encryption standards make it extremely difficult to intercept sensitive information. Therefore, at present, packet sniffers are gradually losing their relevance as hacker tools, but at the same time they remain an effective and powerful tool for diagnosing networks. Moreover, sniffers can be successfully used not only for diagnosing and localizing network problems, but also for auditing network security. In particular, the use of packet analyzers allows you to detect unauthorized traffic, detect and identify unauthorized software, identify unused protocols to remove them from the network, generate traffic for penetration testing (penetration test) in order to check the security system, work with intrusion detection systems ( Intrusion Detection System (IDS).
Overview of software packet sniffers
All software sniffers can be divided into two categories: sniffers that support launch from the command line, and sniffers that have a graphical interface. However, we note that there are sniffers that combine both of these capabilities. In addition, sniffers differ from each other in the protocols they support, the depth of analysis of intercepted packets, the ability to configure filters, and the possibility of compatibility with other programs.
Typically, the window of any sniffer with a graphical interface consists of three areas. The first of them displays the summary data of intercepted packets. Typically, this area displays a minimum of fields, namely: packet interception time; IP addresses of the packet sender and recipient; MAC addresses of the sender and recipient of the packet, source and destination port addresses; protocol type (network, transport or application level); some summary information about the intercepted data. The second area displays statistical information about the individual selected package, and finally the third area displays the package in hexadecimal or ASCII character form.
Almost all packet sniffers allow you to analyze decoded packets (which is why packet sniffers are also called packet analyzers, or protocol analyzers). The sniffer distributes intercepted packets across layers and protocols. Some packet sniffers are capable of recognizing the protocol and displaying the captured information. This type of information is usually displayed in the second area of the sniffer window. For example, any sniffer can recognize TCP protocol, and advanced sniffers are able to determine which application generated this traffic. Most protocol analyzers recognize over 500 various protocols and are able to describe and decode them by name. How more information able to decode and display the sniffer on the screen, the less you have to decode manually.
One problem that packet sniffers may encounter is the inability to correctly identify a protocol using a port other than the default port. For example, to improve security, some well-known applications may be configured to use ports other than the default ports. So, instead of the traditional port 80, reserved for the web server, this server can be forcibly reconfigured to port 8088 or any other. Some packet analyzers in this situation are not able to correctly determine the protocol and display only information about the lower-level protocol (TCP or UDP).
There are software sniffers that come with software analytical modules as plugins or built-in modules that allow you to create reports with useful analytical information about intercepted traffic.
Other characteristic most software packet analyzers ability to configure filters before and after traffic capture. Filters select certain packets from the general traffic according to a given criterion, which allows you to get rid of unnecessary information when analyzing traffic.