Packet Sniffer/Network Analyzer

Posted on 2006-03-22
Last Modified: 2007-12-19
Can anyone recommend a very good Commercial Sniffer/Analyzer that works well on a Switched Network...

It should be able to :

1. Collect all traffic from various switched and routed networks onto a central console..
2. Alert triggers
3. Network Analyzer


Any guidance in the correct direction greatly appreciated..


Question by: jmergulhao

    Assisted Solution

    here is a free network scanner:

    the same company offers a network analyzer:

    Expert Comment

    How either of these are going to sniff through a switch is beyond me...

    Assisted Solution


    A good network-based analyzer is Iris from eEye:

    "The Iris Network Traffic Analyzer is eEye's award-winning vulnerability forensics solution addressing the network traffic analysis and reporting needs that security professionals face today. Iris provides the technology for continuous, automated problem identification, reporting, and integrated filtering capabilities that go beyond the capture, filter, and decode capabilities of traditional network analysis.

    Iris captures network traffic and can automatically reassemble it to its native format, making it much easier to analyze the data going across the network. Security and IT professionals can read the actual text of an email exactly as it was sent, or reconstruct exact HTML pages that a user has visited. Iris also provides a variety of statistical measurements allowing companies to proactively identify — and take the steps to eliminate — performance issues before they can result in downtime."

    Iris also allows you to create filters that will detect rules that you choose and highlight them. It also has the guard function that can be used to create filters and alert users about an attack.

    Iris also can inject spoofed packets to test firewalls, IDS, etc.

    Check these features:

    "Iris® Network Traffic Analyzer

    Protocol Decoding
    Iris organizes captured packets and categorizes them by protocols such as HTTP, PPPoE, and SNMP, providing a list of all web-browsing sessions, all email grouped by incoming and outgoing, and more.

    Continuous Traffic Capture
    Iris’ Traffic Capture Engine™ (TCE) runs as a service, allowing security professionals to gather forensic information while performing other tasks in parallel. This approach ensures that all targeted traffic is captured, regardless of whether the user is logged in to the actual Iris application or not.

    Create Custom Filters
    Develop specialized packet filters to help pinpoint the existence of specific network traffic (such as Code Red and Nimda). Different configurations allow you to capture only the traffic matching the applied filter, or to capture all network traffic and flag the sessions containing the filtered words.

    Complete Packet Reconstruction
    Reconstruct files into their original format. Reconstruct Web-browsing sessions on a local network, even simulating cookies for entry into password protected Web sites, thus capturing a clear and concise image of the integrity of an organization's network.

    Powerful Sniffing and Spoofing Engine
    Iris can handle as much traffic as your network generates and still write logs and decode traffic in real time. The Iris engine can handle up to 9,000 packets per second.

    Screen Traffic by Key Criteria or Time Frame
    Monitor network traffic by setting numerous screening criteria, including specific MAC address, IP address, keyword, port, protocol layer or hardware layer. Additionally, Iris is easily configured to automatically run and capture packets in specific time frames.

    Alerting Capabilities
    Proactively guard against illegal program usage on your network by creating alerts to notify you when a specific connection is detected on your network.

    Reconstruct TCP Sessions
    Iris supports several Protocol Decoders through an open plugin-based architecture, including: ARP, CIFS, DNS, Ethernet II, 802.3, 802.2, ICMP, IP, TCP, UDP, Novell NetBIOS (IPX), SAP (IPX), RIPX (IPX), BCAST (IPX), NBDGM, NBNS, NBSS, NetBIOS, SMTP, AOL AIM, MSN Messenger, BOOTP/DHCP, RARP, POP3, SMTP, LCP (Link Control Protocol) (PPP), PAP (Password Authentication Protocol) (PPP), PPPoE (PPP over Ethernet) (PPP), SMB, NNTP.

    Packet Manipulation/Forging
    Create custom packets or spoof packets and send them across the Internet or your network. Test firewalls to ensure they are blocking and filtering packets correctly. You can also test the load-bearing capabilities of a system or server.

    Log Foreign Connection Attempts
    Capture evidence of network intrusions, reconstructing every keystroke and movement an attacker has made, creating a complete log of any malicious attempt.

    Comprehensive Reporting
    Generate comprehensive traffic reports that can be viewed in a browser window, printed out or copied into another program, such as Crystal Reports or SAS, maximizing your software investments. Graphing functionality helps you understand the happenings of your network and generate reports detailing network activity for management review.

    Monitor Web-Based Email and Instant Messenger Services
    Monitor non-encrypted Web-based email traffic and instant messages. This greatly complements normal email control, audit and monitoring procedures"

    Iris is a product from eEye, one of the most respected security companies in the world.

    Regarding analyzing data on a switch, the correct method is to use the "port mirroring" feature of your switch.

    off: You can even redirect traffic in switches with some poison(s) like ARP poisoning, but it's definitely the WRONG approach, since it causes problems in the network, connections get slow, etc.

    Hope this help,


    Expert Comment

    All network packet capturing tools work the same on switched networks.  If the switches are managed and allow for port mirroring, they work well.  If the switches are unmanaged, they won't see a thing but the traffic on the port they are connected to, unless of course you have taps.

    For simple things I use Ethereal; jabiii already posted the link.

    For complex things, or tracing for more than a few minutes, I use Network Observer Suite (

    Expert Comment

    1) 'Collect all traffic from various switched and routed networks onto a central console.'
    It's possible only if your switch supports port 'tapping', but it works for switched ports only (not for all).
    Cisco Catalysts support such a feature.
    2) Alert triggers.
    Triggers on what? On the amount of traffic data? On collision errors? On some malicious network patterns?
    3) Network analyzer. Read the previous post by 'giltjr'.
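The three kinds of trigger the previous comment asks about (traffic volume, malformed or unusual traffic, and known malicious patterns such as the Code Red request string mentioned earlier) are simple to express once the capture is decoded. The following is an added example, not code from the original thread or from any of the products named in it: a minimal libpcap parser with an Ethernet/IPv4/TCP decoder and three alert rules (watched destination port, payload keyword, packets-per-second threshold). The sample capture is constructed inline so it runs offline; the addresses, ports and payloads in it are made up, and the `/default.ida` request is used only as the Code Red signature the thread refers to.

```python
"""Minimal packet analyzer: parses a libpcap byte stream, decodes
Ethernet II / IPv4 / TCP, and evaluates alert triggers (watched port,
payload keyword, packet-rate threshold).  Added example; the sample
traffic below is constructed, not captured."""
import struct
from collections import defaultdict


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet II / IPv4 / TCP frame (checksums left zero; sample data only)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap (timestamp, frame) pairs in a little-endian libpcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in frames]
    return header + b"".join(records)


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a little-endian libpcap byte string."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts, _usec, caplen, _origlen = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + caplen]
        off += caplen


def decode(frame):
    """Decode Ethernet II / IPv4 / TCP; returns a dict, or None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    if proto != 6:                        # not TCP: report only the IP layer
        return {"src": src, "dst": dst, "proto": proto}
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4             # TCP data offset in bytes
    return {"src": src, "dst": dst, "proto": 6,
            "sport": sport, "dport": dport, "payload": tcp[doff:]}


def analyze(pcap_bytes, keywords, watched_ports, rate_limit):
    """Return alert strings: one per watched-port hit, per keyword hit, per second over rate_limit."""
    alerts = []
    per_second = defaultdict(int)
    for ts, frame in parse_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt is None:
            continue
        per_second[ts] += 1
        if pkt.get("dport") in watched_ports:
            alerts.append(f"port {pkt['dport']} connection {pkt['src']} -> {pkt['dst']}")
        payload = pkt.get("payload", b"")
        for kw in keywords:
            if kw in payload:
                alerts.append(f"keyword {kw!r} from {pkt['src']} to {pkt['dst']}:{pkt['dport']}")
    for ts, n in sorted(per_second.items()):
        if n > rate_limit:
            alerts.append(f"rate {n} pkts at t={ts} exceeds {rate_limit}")
    return alerts


# Constructed sample capture: one Code Red style request, one normal request,
# then three connections to telnet (port 23) within the same second.
SAMPLE = build_pcap([
    (100, build_frame("10.0.0.5", "10.0.0.9", 40000, 80, b"GET /default.ida?XXXX HTTP/1.0")),
    (100, build_frame("10.0.0.5", "10.0.0.9", 40001, 80, b"GET /index.html HTTP/1.0")),
    (101, build_frame("10.0.0.7", "10.0.0.9", 40002, 23, b"")),
    (101, build_frame("10.0.0.7", "10.0.0.9", 40003, 23, b"")),
    (101, build_frame("10.0.0.7", "10.0.0.9", 40004, 23, b"")),
])

if __name__ == "__main__":
    for alert in analyze(SAMPLE, [b"default.ida"], {23}, 2):
        print(alert)
```

Run against the constructed capture this reports one keyword alert, three watched-port alerts and one rate alert. To use it on real traffic, feed `parse_pcap` the bytes of a capture file written by Ethereal or any libpcap tool from the mirrored (SPAN) port; the decoder only understands little-endian pcap with Ethernet framing, which is what those tools write by default.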

    Accepted Solution

    We use Colasoft Capsa 5.5 - Enterprise Edition $349 w/No Subscription ( for our detailed stuff and Ethereal - Free ( for quick captures.  Here is a brief description of Colasoft Capsa:

    What can you do with Colasoft Capsa?

    View detailed statistics for IP connections: IP addresses, ports, sessions, etc.
    Reconstruct TCP Streams.
    Analyze application packets.
    Capture network error packets in real time.
    Analyze network traffic and find out high network occupation.
    View protocols distribution, bandwidth utilization, and packet size distribution both in charts and tables.
    Generate comprehensive statistic reports.
    Monitor and log HTTP requests, email messages and FTP transfers.
    Browse decoded packet information of network nodes.
    View TCP connection status.
    Define advanced filters with logical rules and multiple parameters.
    Import and export packets to the files in multiple formats.
    Capture traffic from multiple adapters simultaneously.
    Capture loopback traffic.

    Hope that helps.

    Expert Comment

    Helped? Problem solved ?


    Assisted Solution

    IMO Ethereal is just as good as some commercial products,

    but if you really want the more advanced features, depending on how large your network is, check out Network General's Sniffer
    or WildPackets EtherPeek (they also make AiroPeek for your WLAN and another for VoIP traffic).

    If you have unmanaged switches and cannot do port mirroring, a tap would be needed.

    Expert Comment

    Port spanning/mirroring, whatever you like to call it, is where 1 port can basically see all other ports or specific other ports on a managed switch. Unmanaged, you're hosed; use a hub :p

    Probably best to stick the sniffer between your switches and routers so it catches all traffic between network segments.

    Author Comment

    Thanks for all your advice and solutions
