Packet Sniffer/Network Analyzer

Can anyone recommend a very good Commercial Sniffer/Analyzer that works well on a Switched Network...

It should be able to :

1. Collect all traffic from various switched and routed networks onto a central console.
2. Alert triggers
3. Network Analyzer


Any guidance in the correct direction greatly appreciated..



zephyr_hex (Megan), Developer, commented:
here is a free network scanner:

the same company offers a network analyzer:
How either of these is going to sniff through a switch is beyond me...


A good network-based analyzer is Iris from eEye:

"The Iris Network Traffic Analyzer is eEye's award-winning vulnerability forensics solution addressing the network traffic analysis and reporting needs that security professionals face today. Iris provides the technology for continuous, automated problem identification, reporting, and integrated filtering capabilities that go beyond the capture, filter, and decode capabilities of traditional network analysis.

Iris captures network traffic and can automatically reassemble it to its native format, making it much easier to analyze the data going across the network. Security and IT professionals can read the actual text of an email exactly as it was sent, or reconstruct exact HTML pages that a user has visited. Iris also provides a variety of statistical measurements allowing companies to proactively identify — and take the steps to eliminate — performance issues before they can result in downtime."

Iris also lets you create filters that will detect rules you choose and highlight them. It also has a guard function that can be used to create filters and alert users about an attack.

Iris also can inject spoofed packets to test firewalls, IDS, etc.

Check these features:

"Iris® Network Traffic Analyzer

Protocol Decoding
Iris organizes captured packets and categorizes them by protocols such as HTTP, PPPoE, and SNMP, providing a list of all web-browsing sessions, all email grouped by incoming and outgoing, and more.

Continuous Traffic Capture
Iris’ Traffic Capture Engine™ (TCE) runs as a service, allowing security professionals to gather forensic information while performing other tasks in parallel. This approach ensures that all targeted traffic is captured, regardless of whether the user is logged in to the actual Iris application or not.

Create Custom Filters
Develop specialized packet filters to help pinpoint the existence of specific network traffic (such as Code Red and Nimda). Different configurations allow you to capture only the traffic matching the applied filter, or to capture all network traffic and flag the sessions containing the filtered words.

Complete Packet Reconstruction
Reconstruct files into their original format. Reconstruct Web-browsing sessions on a local network, even simulating cookies for entry into password protected Web sites, thus capturing a clear and concise image of the integrity of an organization's network.

Powerful Sniffing and Spoofing Engine
Iris can handle as much traffic as your network generates and still write logs and decode traffic in real time. The Iris engine can handle up to 9,000 packets per second.

Screen Traffic by Key Criteria or Time Frame
Monitor network traffic by setting numerous screening criteria, including specific MAC address, IP address, keyword, port, protocol layer or hardware layer. Additionally, Iris is easily configured to automatically run and capture packets in specific time frames.

Alerting Capabilities
Proactively guard against illegal program usage on your network by creating alerts to notify you when a specific connection is detected on your network.

Reconstruct TCP Sessions
Iris supports several Protocol Decoders through an open plugin-based architecture, including: ARP, CIFS, DNS, Ethernet II, 802.3, 802.2, ICMP, IP, TCP, UDP, Novell NetBIOS (IPX), SAP (IPX), RIPX (IPX), BCAST (IPX), NBDGM, NBNS, NBSS, NetBIOS, SMTP, AOL AIM, MSN Messenger, BOOTP/DHCP, RARP, POP3, SMTP, LCP (Link Control Protocol) (PPP), PAP (Password Authentication Protocol) (PPP), PPPoE (PPP over Ethernet) (PPP), SMB, NNTP.

Packet Manipulation/Forging
Create custom packets or spoof packets and send them across the Internet or your network. Test firewalls to ensure they are blocking and filtering packets correctly. You can also test the load-bearing capabilities of a system or server.

Log Foreign Connection Attempts
Capture evidence of network intrusions, reconstructing every keystroke and movement an attacker has made, creating a complete log of any malicious attempt.

Comprehensive Reporting
Generate comprehensive traffic reports that can be viewed in a browser window, printed out or copied into another program, such as Crystal Reports or SAS, maximizing your software investments. Graphing functionality helps you understand the happenings of your network and generate reports detailing network activity for management review.

Monitor Web-Based Email and Instant Messenger Services
Monitor non-encrypted Web-based email traffic and instant messages. This greatly complements normal email control, audit and monitoring procedures"

Iris is a product from eEye, one of the most respected security companies in the world.

Regarding analyzing data on a switch, the correct way is to use the "port mirroring" feature of your switch.

Off topic: you can even redirect traffic in switches with techniques like ARP poisoning, but it's definitely the WRONG approach, since it causes problems in the network, connections get slow, etc.

Hope this helps,

All network packet capturing tools work the same on switched networks. If the switches are managed and allow for port mirroring, they work well. If the switches are unmanaged, they won't see a thing but the traffic on the port they are connected to, unless of course you have taps.

For simple things I use Ethereal, jabiii already posted the link

For complex or doing tracing for more that a few minutes things I use Network Observer Suite (
Arty, system administrator, commented:
1) 'Collect all traffic from various switched and routed networks onto a central console.'
It's possible only if your switch supports port 'tapping', but it works for a switched port only (not for all).
Cisco Catalysts support such a feature.
2) Alert triggers.
Triggers on what? On amount of traffic data? On collision errors? On some malicious network patterns?
3) Network analyzer. Read the previous post of 'giltjr'.
We use Colasoft Capsa 5.5 - Enterprise Edition $349 w/No Subscription ( for our detailed stuff and Ethereal - Free ( for quick captures.  Here is a brief description of Colasoft Capsa:

What can you do with Colasoft Capsa?

View detailed statistics for IP connections: IP addresses, ports, sessions, etc.
Reconstruct TCP streams.
Analyze application packets.
Capture network error packets in real time.
Analyze network traffic and find out high network occupation.
View protocol distribution, bandwidth utilization, and packet size distribution both in charts and tables.
Generate comprehensive statistic reports.
Monitor and log HTTP requests, email messages and FTP transfers.
Browse decoded packet information of network nodes.
View TCP connection status.
Define advanced filters with logical rules and multiple parameters.
Import and export packets to files in multiple formats.
Capture traffic from multiple adapters simultaneously.
Capture loopback traffic.

Hope that helps.
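The Iris "custom filters"/"alerting" features quoted above and the Capsa statistics list (IP connection statistics, protocol distribution, logical filters) describe the same core of any analyzer: decode frames, tally them, and raise an alert when a packet matches a rule. The following is an added, standalone example that is not code from Iris, Capsa, Ethereal or any other product named on this page. It writes a small constructed libpcap stream in memory (the IP addresses are from documentation ranges, the Telnet "login/password" exchange is invented), parses it back, and produces a protocol distribution, per-conversation byte counts and alerts for a chosen port (23, Telnet) and a cleartext keyword; those alert rules are illustrative assumptions, not defaults of any tool.

```python
"""Minimal pcap analyzer: protocol distribution, IP conversations and a
port/keyword alert filter. Added example; all traffic is constructed in memory."""
import struct
from collections import Counter

ETH_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # 0xA1B2C3D4 written little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame; checksums are left at zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    if proto == 6:  # 20-byte TCP header: ports, seq, ack, offset=5, PSH|ACK, window
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:           # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4


def write_pcap(frames):
    """Serialize frames as a little-endian libpcap stream, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):  # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield raw frames from a libpcap stream, honouring the byte order the magic implies."""
    magic = data[:4]
    if magic not in (PCAP_MAGIC_LE, PCAP_MAGIC_BE):
        raise ValueError("not a libpcap file")
    endian = "<" if magic == PCAP_MAGIC_LE else ">"
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl]
        off += incl


def decode(frame):
    """Decode Ethernet/IPv4 plus TCP/UDP ports; return None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]
    sport = dport = None
    payload = l4
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "proto": PROTO_NAMES.get(proto, str(proto)), "sport": sport, "dport": dport,
            "payload": payload}


def analyze(pcap_bytes, alert_ports=(23,), alert_keywords=(b"password",)):
    """Protocol distribution, bytes per IP conversation, and rule-based alerts."""
    protocols, conversations, alerts = Counter(), Counter(), []
    for n, frame in enumerate(read_pcap(pcap_bytes), 1):
        pkt = decode(frame)
        if pkt is None:
            protocols["non-IPv4"] += 1
            continue
        protocols[pkt["proto"]] += 1
        conversations[tuple(sorted((pkt["src"], pkt["dst"])))] += len(frame)
        if pkt["dport"] in alert_ports:  # e.g. cleartext Telnet on the wire
            alerts.append((n, f"{pkt['proto']} to port {pkt['dport']} from {pkt['src']}"))
        for kw in alert_keywords:       # keyword flagging, as the Iris/Capsa filters describe
            if kw in pkt["payload"].lower():
                alerts.append((n, f"keyword {kw.decode()!r} {pkt['src']}->{pkt['dst']}"))
    return {"protocols": dict(protocols), "conversations": dict(conversations), "alerts": alerts}


# Constructed sample capture: DNS query, HTTP request, a Telnet login, and one ARP frame.
SAMPLE = write_pcap([
    build_frame("10.0.0.5", "10.0.0.53", 17, 40000, 53, b"\x12\x34\x01\x00"),
    build_frame("10.0.0.5", "192.0.2.10", 6, 40001, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame("10.0.0.7", "10.0.0.1", 6, 40002, 23, b"login: admin\r\n"),
    build_frame("10.0.0.7", "10.0.0.1", 6, 40002, 23, b"Password: hunter2\r\n"),
    b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28,
])

if __name__ == "__main__":
    for section, value in analyze(SAMPLE).items():
        print(section, value)
```

To run it against a real capture, replace `SAMPLE` with the bytes of a `.pcap` file written by Ethereal/tcpdump; the reader deliberately rejects non-Ethernet link types and the newer pcapng format rather than guessing, which is the kind of input check a real analyzer hides from you. The point of the alert loop is that both "alert triggers" from the question reduce to rules evaluated per packet, which is why the answers above ask what the triggers should fire on.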


IMO Ethereal is just as good as some commercial products,

but if you really want the more advanced features, depending on how large your network is, check out Network General's Sniffer-
or WildPackets EtherPeek (they also make AiroPeek for your WLAN and another for VoIP traffic).

If you have unmanaged switches and cannot do port mirroring, a tap would be needed.
Port spanning/mirroring, whatever you like to call it, is where one port can basically see all other ports or specific other ports on a managed switch. Unmanaged, you're hosed; use a hub :p

Probably best to stick the sniffer between your switches and routers so it catches all traffic between network segments.
jmergulhao, Author, commented:
Thanks for all your advice and solutions

