Network Packet Analyzers

In this week’s application you will be downloading and using a free Network Packet Analyzer, “Wireshark”. This free package has several good features; however, there are many different Packet Analyzers available. To prepare for this Discussion, search the Internet and locate a Network Packet Analyzer and compare its features to Wireshark.

By Day 3, provide a comparison of the features found in the Network Packet Analyzer from your search to the features included in Wireshark.

——————————————————————————————————————

Answer these students:

Respond to two of your colleagues’ postings in one or more of the following ways:

  • Ask a probing question.
  • Share an insight from having read your colleague’s posting.
  • Offer and support an opinion.
  • Validate an idea with your own experience.
  • Make a suggestion.
  • Expand on your colleague’s posting.

Student # 1

The Internet, according to the Internet Society (2017), isn’t easy to define, because it can be whatever we make it; we can mold it, shape it, and above all, we can use it to connect to communities, people, and countries around the world. The Internet works because open standards allow every network to connect to every other network. Everyone is in charge of this global network of networks, which consists of millions of interconnected networks run by service providers, universities, individual companies, governments, etc. Operators, engineers, and vendors that provide network infrastructure services (NIS), such as Domain Name Service (DNS) providers, Internet Exchange Points (IXPs), and network operators, help make the Internet work and evolve. These technology professionals, who are responsible for network performance and security, listen to and analyze network traffic in a process referred to as network analysis or protocol analysis. Network analysis enlightens the technologists on how to identify performance problems, locate security breaches, analyze application behavior, and perform capacity planning. The higher layer, Transmission Control Protocol (TCP), and the lower layer, Internet Protocol (IP) – TCP/IP, as noted by Kurose & Ross (2013), are the most traditional two-layer communication protocols used to control the connection of computer systems to the Internet in the form of packets.

Network analyzers are often referred to as “sniffers” and may be distributed or sold as a hardware-plus-software solution or as a software-only solution. There are many software-only solutions available today, and Wireshark is a network packet analyzer distributed as an open source software-only solution. This packet analyzer is used to capture network packets and then provide a comprehensive report of the packet data. Wireshark is predominantly used by network administrators to troubleshoot network problems; network security engineers to examine security issues; developers to debug protocol implementations; and people in general to learn network protocol internals. Wireshark.org (n.d.) lists some of the features of this very powerful network analyzer tool. The features, as listed by Wireshark (n.d.), include: “Available for UNIX and Windows; Capture live packet data from a network interface; Open files containing packet data captured with TCPdump/WinDump, Wireshark, etc; Import packets from text files containing hex dumps of packet data; Display packets with very detailed protocol information; Save packet data captured; Export some or all packets in a number of capture file formats; Filter packets on many criteria; Search for packets on many criteria; Colorize packet display based on filters; Create various statistics.” However, there are also add-on adapters, such as the AirPcap adapter from Riverbed Technology, that can enhance Wireshark’s capabilities. Windows hosts running Wireshark use the AirPcap adapter to listen in to wireless traffic in Monitor Mode.

Security is of utmost importance in many organizations because network threats and cyber criminals are getting smarter. Cisco (2016) agrees that the need to have network visibility and the ability to respond to advanced threats promptly has never been greater. Based on a recent network forensics investigation of an actual customer issue, where a user noticed that their system was behaving rather strangely – the machine could neither be shut down nor placed into hibernation mode – I would like to compare the features of the Cisco Security Packet Analyzer 2400 Appliance, which I used to analyze their network, with the features of Wireshark. The Cisco Security Packet Analyzer 2400 Appliance is not open source like Wireshark; it is sold as a hardware-plus-software solution. Cisco Security Packet Analyzer helps security professionals speed up incident response by collecting and storing all of the information that traverses the network and then using it to investigate the unusual activity. According to Cisco (2016), the Cisco Security Packet Analyzer works in conjunction with Cisco Stealthwatch. It applies the Stealthwatch NetFlow and context security analytics capabilities to the captured data packets. Cisco (2016) states that the Security Packet Analyzer works by attaching to the network using a Switched Port Analyzer (SPAN), a feature also called port mirroring, or a Network Test Access Point (TAP). From that point in the network, a copy of the packet traffic is created. The Cisco Security Packet Analyzer is based on technology developed for the Cisco Network Analysis Module (NAM), and it inherits the features and improvements delivered in NAM version 6.2. These features, as stated by Cisco (2016), include: high-performance packet capture to aid in capturing all frames, including those typically discarded by standard network interface cards (NICs); an on-premises appliance, which provides safe and highly secure on-premise capture and storage to maintain the confidentiality of data; application programming interfaces (APIs), which help simplify fast operationalization of threat intelligence with existing security and network infrastructure; built-in, cost-effective analyzer software with a powerful graphical user interface that makes network operations such as troubleshooting and traffic monitoring easy and efficient; and industry-standard storage for storing industry-standard packet-capture-formatted data to enable the use of high-performance through packet capture or WinPcap (Sniffer).

In conclusion, Wireshark and Cisco Security Packet Analyzer are both excellent network analyzer tools. However, on comparing the two, Cisco Security Packet Analyzer has a higher degree of sophistication, and the features offered go beyond basic packet capturing, reporting, and decoding. For instance, the analyzer dramatically cuts troubleshooting time and offers remote 24 x 7 packet capture, expert analysis, security, distributed 802.11 wireless “sensors,” advanced management and control features, and support for high-speed networks like Gigabit Ethernet NICs with an onboard CPU for precision timestamping of packet arrival.

References

Cisco (2016). Cisco Security Packet Analyzer 2400 Appliance. Retrieved from http://www.cisco.com/c/en/us/products/collateral/security/security-packet-analyzer/datasheet-c78-737589.pdf

Cisco (2016). Cisco Security Packet Analyzer 2400 Appliance Data Sheet. Retrieved from http://www.cisco.com/c/en/us/products/collateral/security/security-packet-analyzer/datasheet-c78-737589.html

Internet Society (2017). What Is the Internet? Retrieved from http://www.internetsociety.org/internet/what-internet?gclid=CPH-vpCmmNMCFdgTgQodgbkBQA

Kurose, J. F., & Ross, K. W. (2013). Computer networking: A top-down approach (6th ed.). Upper Saddle River, NJ: Pearson.

Wireshark.org. (n.d.). What is Wireshark? Retrieved from https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntro

Student # 2

A packet sniffer is a passive receiver that collects the information contained within packets that are sent over a wired, wireless or cable network (Kurose & Ross, 2013). The packets may contain sensitive data and the sniffer allows analysis of that data (Kurose & Ross, 2013). This discussion analyzes two sniffers: Wireshark and tcpdump. The analysis is based on a general comparison of the features and capabilities of both tools.

Both Wireshark and tcpdump are free, open source, and regularly maintained; the latest versions of each were released in Fall 2016. Both tools work on multiple operating systems – Linux, Windows, macOS, and Solaris (About Wireshark, 2017; TCPdump, 2017). Tcpdump is older than Wireshark and provides only a command line interface (TCPdump, 2017). Wireshark has a GUI and a custom command line interface (About Wireshark, 2017). Both tools provide documentation, blogs, and mailing lists to support developers.

Wireshark has experienced remotely exploitable security holes (Shaikh, 2010). Tcpdump has fewer security problems and uses fewer system resources (Shaikh, 2010). Due to the way in which data is displayed in tcpdump, analysis of the data falls on the user as opposed to the application (Miessler, 2017). This could be viewed as a benefit in that careful analysis may be more accurate than that provided by Wireshark.

Wireshark provides many features. It provides both live data capture and offline analysis of files (About Wireshark, 2017). It supports hundreds of protocols and media types with deep levels of packet detail (About Wireshark, 2017; Shaikh, 2010). It has a rich filter language, allows data to be exported to formats such as XML and CSV, and provides decryption support for a variety of protocols (About Wireshark, 2017).

Wireshark does provide a rich feature set with many options for analysis of packet information. It is more user friendly, especially for those new to packet analysis. Tcpdump requires a thorough understanding of packet analysis and is more suited to advanced users. My research suggests that while Wireshark is currently the industry leader, experienced network analysts may prefer tcpdump due to familiarity with the program, fewer security holes, and the human analysis required when using the tool.

References

About Wireshark. (2017, March 3). Retrieved from https://www.wireshark.org/#learnWS

Kurose, J. F., & Ross, K. W. (2013). Computer networking: A top-down approach (6th ed.). Upper Saddle River, NJ: Pearson.

Miessler, D. (2017). A tcpdump tutorial and primer with examples. Retrieved from https://danielmiessler.com/study/tcpdump/#gs.B8G7zGw

Shaikh, A. (2010, October 20). Top 10 Data/Packet Sniffing and Analyzer Tools for Hackers. Retrieved from http://www.internetgeeks.org/tech/hacking/top-10-data-packet-sniffing-analyzer-tools-hackers/

TCPdump. (2017, February 2). Retrieved from http://www.tcpdump.org/manpages/tcpdump.1.html
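Both postings above rest on the same detail: tcpdump writes, and Wireshark opens and filters, the classic pcap capture format. As an added example that is not from either post or from either project, the following Python reads such a file by hand, accepts both byte orders of the magic number, rejects a capture cut off mid-record, and tallies UDP destination ports, which is the offline equivalent of a display filter. All frames, addresses and timestamps are constructed inside the block.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # one magic, seen LE vs BE
LINKTYPE_ETHERNET, ETHERTYPE_IPV4, IPPROTO_UDP = 1, 0x0800, 17

def build_frame(dst_port: int, payload: bytes) -> bytes:
    # Constructed Ethernet/IPv4/UDP frame: dummy MACs and IPs, checksums left zero.
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack(">H", ETHERTYPE_IPV4)
    udp = struct.pack(">HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + udp

def build_pcap(frames, big_endian: bool = False) -> bytes:
    # Classic pcap: 24-byte global header, then a 16-byte record header per packet.
    e = ">" if big_endian else "<"
    out = struct.pack(e + "IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):  # constructed timestamps, one second apart
        out += struct.pack(e + "IIII", 1_500_000_000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data: bytes):
    # Yield (ts_sec, frame) records; byte order is whichever makes the magic match.
    e = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(struct.unpack("<I", data[:4])[0])
    if e is None or struct.unpack(e + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("not a classic Ethernet pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:  # capture cut off mid-record (tcpdump killed, disk full)
            raise ValueError("truncated packet record")
        off += 16 + incl_len
        yield ts_sec, frame

def udp_dst_port(frame: bytes):
    # Walk Ethernet -> IPv4 -> UDP by hand and return the destination port, or None.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != IPPROTO_UDP:
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes (options included)
    if len(frame) < 14 + ihl + 8:
        return None
    return struct.unpack(">H", frame[14 + ihl + 2:14 + ihl + 4])[0]

def count_by_dst_port(data: bytes) -> dict:
    # Offline equivalent of a display filter on udp.dstport, tallied per port.
    ports = (udp_dst_port(frame) for _ts, frame in parse_pcap(data))
    return dict(Counter(p for p in ports if p is not None))
```

A real capture from tcpdump or Wireshark can be passed to count_by_dst_port as the bytes of the file, provided it is the classic format on Ethernet; pcapng files start with a different magic and are rejected.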
