Packet analysis has been around in some form for over 20 years as a diagnostic tool, to observe data and other information traveling across the network. Packet analysis is also referred to as sniffing. The term refers to early packet sniffers, which sniffed or captured traffic as it traveled across the network. In the 1990s, Novell, a software company, developed the Novell LANalyzer, which had a graphical UI and a dashboard feature, as shown in the following diagram:
At the same time, Microsoft introduced its Network Monitor. Over the last 20 years, many other packet analyzers and traffic-sniffing tools have appeared, including the following:
| Tool | Description |
| --- | --- |
| Cain and Abel | Can gather passwords and can record VoIP conversations |
| NarusInsight | Formerly Carnivore, can monitor all internet traffic |
| dSniff | Passively monitors a network for interesting traffic |
| Ettercap | Eavesdrops to capture passwords, emails, and files |
| Tcpdump | Protocol analyzer that runs from the command line |
| Security Onion | Open source tool that combines packet capture with an Intrusion Detection System (IDS) |
| Wireshark | Packet sniffer used to analyze network traffic |
Most packet analyzers have similar features. They capture the data, decode the raw bits in the headers into field values according to the appropriate Request for Comments (RFC) or other specification, and present the data in a meaningful fashion.
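To make that decoding step concrete, here is an added example (not code from the book or from any of the tools listed above) that does by hand what every analyzer in the table does internally: it takes the raw bytes of a frame and turns the Ethernet, IPv4 (RFC 791) and TCP (RFC 793) headers into named field values, and it verifies the IPv4 header checksum the way the RFC defines it. The frame bytes, addresses and ports are constructed for the example; the checksum value 0x5ce5 was computed by hand for exactly those header bytes. The TCP checksum is left unverified because it covers a pseudo-header as well as the segment.

```python
import struct

# Constructed sample frame (not from a real capture): Ethernet II + IPv4 + TCP SYN, no payload.
# The IPv4 checksum 0x5ce5 was computed by hand for exactly these header bytes.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"            # Ethernet: dst MAC, src MAC, EtherType=IPv4
    "4500" "0028" "1234" "4000" "40" "06" "5ce5"    # IPv4: ver/IHL, TOS, total len 40, ID, flags(DF), TTL 64, proto 6, checksum
    "c0a8010a" "0a000005"                           # IPv4: src 192.168.1.10, dst 10.0.0.5
    "c3a4" "01bb" "00000001" "00000000" "50" "02"   # TCP: sport 50084, dport 443, seq, ack, data offset 5, flags SYN
    "ffff" "0000" "0000"                            # TCP: window, checksum (not verified here), urgent pointer
)

ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of all 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame: bytes):
    """Ethernet II header (14 bytes) -> (fields, remaining bytes)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": _mac(dst), "src": _mac(src), "ethertype": ethertype}, frame[14:]


def parse_ipv4(data: bytes):
    """IPv4 header per RFC 791 -> (fields, remaining bytes). Verifies the header checksum."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(data) or total_len > len(data) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    header = data[:ihl]
    # Recompute with the checksum field zeroed, as the sender did, and compare.
    expected = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])
    flags = [name for bit, name in ((0x4000, "DF"), (0x2000, "MF")) if flags_frag & bit]
    fields = {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum, "checksum_ok": csum == expected,
        "src": _ipv4(src), "dst": _ipv4(dst),
    }
    return fields, data[ihl:total_len]


def parse_tcp(data: bytes):
    """TCP header per RFC 793 -> (fields, payload). TCP checksum needs the pseudo-header, skipped here."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flag_bits,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", data[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or data_offset > len(data):
        raise ValueError("malformed TCP header")
    fields = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flag_bits & bit],
        "window": window, "checksum": csum, "urgent": urg,
    }
    return fields, data[data_offset:]


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP and return a dict of named field values per layer."""
    eth, rest = parse_ethernet(frame)
    result = {"eth": eth}
    if eth["ethertype"] != ETHERTYPE_IPV4:
        result["payload"] = rest
        return result
    ip, rest = parse_ipv4(rest)
    result["ip"] = ip
    if ip["protocol"] == 6:            # TCP
        tcp, rest = parse_tcp(rest)
        result["tcp"] = tcp
    result["payload"] = rest
    return result


if __name__ == "__main__":
    for layer, fields in decode_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

Running the block prints one line per layer with the decoded fields; the length checks before each `struct.unpack` are what keep a truncated or malformed capture from producing nonsense field values rather than an error, which is also why a real analyzer flags such frames instead of silently decoding them.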
Packet analysis tools range from very simple text-based analysis, such as terminal-based Wireshark (tshark), as shown in the screenshot below, to tools with a rich graphical UI and advanced AI-based expert systems that guide the analyst through a more targeted evaluation:
In the next section, we'll take a look at the various devices in use today that use packet analysis.