[Last Call] Learn how to a build a cloud-first strategyRegister Now


Packet Sniffer/Network Analyzer

Posted on 2006-03-22
Medium Priority
Last Modified: 2007-12-19
Can anyone recommend a very good Commercial Sniffer/Analyzer that works well on a Switched Network...

It should be able to :

1. Collect all traffic from various switched and routed networks onto a central consolse..
2. Alert triggers
3. Network Analyzer


Any guidance in the correct direction greatly appreciated..


Question by:jmergulhao
LVL 44

Assisted Solution

by:zephyr_hex (Megan)
zephyr_hex (Megan) earned 400 total points
ID: 16261325
here is a free network scanner:

the same company offers a network analyzer: http://www.softperfect.com/products/networksniffer/

Expert Comment

ID: 16262382
LVL 32

Expert Comment

ID: 16262584
How either of these are going to sniff through a switch is beyond me...
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Assisted Solution

zgrp earned 400 total points
ID: 16262750

I good Network based analyzer is the Iris from eEye:


"The Iris Network Traffic Analyzer is eEye's award-winning vulnerability forensics solution addressing the network traffic analysis and reporting needs that security professionals face today. Iris provides the technology for continuous, automated problem identification, reporting, and integrated filtering capabilities that go beyond the capture, filter, and decode capabilities of traditional network analysis.

Iris captures network traffic and can automatically reassemble it to its native format, making it much easier to analyze the data going across the network. Security and IT professionals can read the actual text of an email exactly as it was sent, or reconstruct exact HTML pages that a user has visited. Iris also provides a variety of statistical measurements allowing companies to proactively identify — and take the steps to eliminate — performance issues before they can result in downtime."

Iris yet allow you to create filters that will detect rules that you choose and highligh it. It also have the guard function that can be used to create filters and alert users about a attack.

Iris also can inject spoofed packets to test firewalls, IDS, etc.

Check this features:

"Iris® Network Traffic Analyzer

Protocol Decoding
Iris organizes captured packets and categorizes them by protocols such as HTTP, PPoE, and SNMP, providing a list of all web-browsing sessions, all email grouped by incoming and outgoing, and more.

Continuous Traffic Capture
Iris’ Traffic Capture Engine™ (TCE) runs as a service, allowing security professionals to gather forensic information while performing other tasks in parallel. This approach ensures that all targeted traffic is captured, regardless of whether the user is logged in to the actual Iris application or not.

Create Custom Filters
Develop specialized packet filters to help pinpoint the existence of specific network traffic (such as Code Red and Nimda). Different configurations allow you to capture only the traffic matching the applied filter, or to capture all network traffic and flag the sessions containing the filtered words.

Complete Packet Reconstruction
Reconstruct files into their original format. Reconstruct Web-browsing sessions on a local network, even simulating cookies for entry into password protected Web sites, thus capturing a clear and concise image of the integrity of an organization's network.

Powerful Sniffing and Spoofing Engine
Iris can handle as much traffic as your network generates and still write logs and decode traffic in real time. The Iris engine can handle up to 9,000 packets per second.

Screen Traffic by Key Criteria or Time Frame
Monitor network traffic by setting numerous screening criteria, including specific MAC address, IP address, keyword, port, protocol layer or hardware layer. Additionally, Iris is easily configured to automatically run and capture packets in specific time frames.

Alerting Capabilities
Proactively guard against illegal program usage on your network by creating alerts to notify you when a specific connection is detected on your network.

Reconstruct TCP Sessions
Iris support several Protocol Decoders through an open plugin-based architecture, including: ARP, CIFS, DNS, Ethernet II, 802.3, 802.2, ICMP, IP, TCP, UDP, Novell NetBIOS (IPX), SAP (IPX), RIPX (IPX), BCAST (IPX), NBDGM, NBNS, NBSS, NetBIOS, SMTP, AOL AIM, MSN Messenger, BOOTP/DHCP, RARP, POP3, SMTP, LCP (Link Control Protocol) (PPP), PAP (Password Authentication Protocol (PPP), PPPoE (PPP over Ethernet) (PPP), SMB, NNTP.

Packet Manipulation/Forging
Create custom packets or spoof packets and send them across the Internet or your network. Test firewalls to ensure they are blocking and filtering packets correctly. You can also test the load-bearing capabilities of a system or server.

Log Foreign Connection Attempts
Capture evidence of network intrusions, reconstructing every keystroke and movement an attacker has made, creating a complete log of any malicious attempt.

Comprehensive Reporting
Generate comprehensive traffic reports that can be viewed in a browser window, printed out or copied into another program, such as Crystal Reports or SAS, maximizing your software investments. Graphing functionality helps you understand the happenings of your network and generate reports detailing network activity for management review.

Monitor Web-Based Email and Instant Messenger Services
Monitor non-encrypted Web-based email traffic and instant messages. This greatly complements normal email control, audit and monitoring procedures"

Iris is a product from eEye one of the most respected Security company in the world.

Related to analyze data in a Switch, the correct mode is you use the "port mirroring" feature of your switch.

off: You can even redirect traffic in switches with some poison(s) like Arp-Poison, but it's definity the WRONG approach, since it cause problems in network, connection get slow, etc.

Hope this help,

LVL 57

Expert Comment

ID: 16265148
All network packet capturing tools work the same on switched networks.  If the switches are managed and allow for port mirroring, the work well.  If the switches are unmanaged, they won't see a thing but the traffic on the port they are connected to, unless of course you have taps.

For simple things I use Ethereal, jabiii already posted the link

For complex or doing tracing for more that a few minutes things I use Network Observer Suite (http://www.networkobserver.com).
LVL 27

Expert Comment

ID: 16266419
1) 'Collect all traffic from various switched and routed networks onto a central consolse.'
It's possible only if your switch supports  port 'tapping', but it works for  switched port only (not for all).
Cisco Catalists supports such feature.
2) Alert triggers.
Triggers on what? On amount of traffic data? On collision errors? On some malicios network patterns?
3) Network analyzer. Read previuos post of 'giltjr'
LVL 19

Assisted Solution

CoccoBill earned 400 total points
ID: 16267450

Accepted Solution

vertex_paul earned 400 total points
ID: 16271228
We use Colasoft Capsa 5.5 - Enterprise Edition $349 w/No Subscription (http://www.colasoft.com/) for our detailed stuff and Ethereal - Free (http://www.ethereal.com) for quick captures.  Here is a brief description of Colasoft Capsa:

What can you do with Colasoft Capsa?

View detailed statistics for IP connections: IP addresses, ports, sessions, etc.
Reconstruct TCP Streams.
Analyze application packets.
Capture network error packets in real time.
Analyze network traffic and find out high network occupation.
View protocols distribution, bandwidth utilization, and packet size distribution both in charts and tables.
Generate comprehensive statistic reports.
Monitor and logs HTTP requests, email messages and FTP transfers.
Browse decoded packet information of network nodes.
View TCP connection status.
Define advanced filters with logical rules and multiple parameters
Import and export packets to the files in multiple formats.
Capture traffic from multiple adapters simultaneously.
Capture loopback traffic

Hope that helps.

Expert Comment

ID: 16374772
Helped? Problem solved ?


Assisted Solution

ChristianJKoch earned 400 total points
ID: 16465549
IMO ethereal is just as good as some commercial products

but if you really want the more advanced features, depending on how large your network is, check out Network General's Sniffer- http://www.networkgeneral.com/
or WildPackets EtherPeek (also make airopeek for your wlan and another for voip traffic.

If you have unmanged switches and cannot do port mirroing, a tap would be needed


Expert Comment

ID: 16468999
port spanning/mirroring what ever you like to call it, where 1 port can basically see all other ports or specific other ports on a managed switch. unmanaged your hosed, use a hub :p

probably best to stick the sniffer between your switches and routers so it catches all traffic between network segments.

Author Comment

ID: 16469087
Thanks for all your advice and solutions



Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
Securing your business data in current era should be your biggest priority. Numerous people are unaware of the fact that insiders commit more than 60 percent of security breaches. You need to figure out the underlying cause and invoke your potential…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question