The Ins and Outs of Network Analyzers (Part 2)


A tool of the trade.


If you are responsible for network security, Network topology, network troubleshooting or network communications a network analyzer is the Swiss army knife that will help you fix, view or layout the network.  A network analyzer is a tool of the trade and if used as intended it can prove to be a most valuable tool that you possess in your tool box.  Intruders always look for ways to misuse tools and like any other tool a network analyzer in the wrong hands can have catastrophic consequences.  The latest trend is detection of IDS and network analyzing devices.  Once the intruder knows that these devices exists the attack the device, disabling them and then continuing the attack on the network.  A sniffer probes the network with an active set of tools that simulates traffic, measures response times and troubleshoots problems. In this article I will focus on what you should look at when selecting your network sniffer.


What to look for in the sniffer as a tool.


The sniffer or protocol Analyzer is a powerful versatile network visibility tool. Most good sniffers boast a number of integrated functions that enhance your x-ray abilities. 


1.       Ensure that the sniffer has the capability to Capture network traffic for comprehensive analysis at a later stage this feature will help you to analyze the network problem, when there is too much happening on your network at any given time.  It allows you to take a snapshot of a designated period of time.  The advantages of this feature are that you will be able to scroll through large amounts of data at your own pace and be able to use it as forensic evidence. 


2.       Look for the ability to monitor network activity in real time. This feature will also help you in making quick statistical analysis of the running collected data that the sniffer application may have composed since you enabled that feature.  Monitoring in real time is also important as sometimes you pick up things that you would not have seen in the more comprehensive “Capture mode”  If the problem is more superficial you will be able to fix it by just looking at real-time monitoring data. 


3.       Look for features that may assist you in diagnosing problems using the specialized filters or analysis software that is built into the sniffing application.  Some protocol analyzers have built in filters that alert administrators when specific conditions are met.  These tools can prove to be quite useful when trying to analyze random events that have no explanation.  By collecting these alerts and tabulating them you will be able to discover tends that will help you in solving that illusive “midnight” network problem 


4.       Comprehensive logging capabilities. Good sniffer applications have the ability to collect detailed utilization, error statistics and conversations for all or individual stations on a segment of your network.  This is not to be confused with the capture function as this does is not but represents a more logging and filter based function that displays specific requested information in report format, which may be able to be presented in a technical analysis report to management. 


5.       Get a sniffer that saves historical, statistical utilization and error information for comparative baseline analysis. Using this information it will enable you to produce management reports and comparative analysis of your network for management.  This type of analysis will assist you in producing motivational information that will be instrumental in encouraging new hardware upgrades or network changes if required.  


6.       Pick a protocol analyzer that will be able to generate real-time alarms that will notify network administrators when designated circumstances occur on the network.  This is especially useful when you have setup traps within your network such as honey pots and you know that no-one should be accessing those!




Figure 3a: The diagram above represents a filter that has been applied to real-time buffered data that can be saved and exported for later analysis.  This particular filter represents the top ten talkers on the network an in this particular scenario a machine was broadcasting information onto the network and is designated by the tallest green bar.



Figure 3b: The diagram above depicts a protocol distribution, and is representing in percentage the breakdown of protocols on the network.


7.       Ensure that the sniffer takes advantage of Windows 32-bit multitasking features and that it can run multiple instances of the program and its individual tools. This is a very important feature as some older sniffers have the lack of 32-bit multitasking ability and this can cause you to use multiple machines for one basic type of concurrent analysis.


 


8.       Ensure that the network analyzer that you have selected will be able to display network load statistics, like traffic over a defined time interval, the percentage of utilization, network error statistics.


 


9.       Ensure that the drivers provided with the sniffer are compatible with your NIC and that your NIC is supported by the sniffer application.  Some sniffers may require proprietary NICs.



Figure 2a: The diagram below represents a traffic matrix this real time tool is something that I defiantly look for in a sniffer.  By using this tool I can see the machines connecting to each other.  If any traffic is transmitted on the network then I will pick it up instantly in the matrix.  The matrix has been set to show MAC addresses in the picture but you can also set it to view IP addresses or you can set the sniffer to resolve the host names so that it is easy to identify the machines and to what node they are connecting to.



A good sniffer …




  1. Identifies traffic misuse and inconsistencies by doing this it helps to troubleshoot bottlenecks


  2. It will also facilitate the location and identification of faulty equipment, this is very difficult without a sniffer.


  3. Helps you to ascertain routine baselines so that comparative statistical reports will make sense when presenting them to management.


  4. Will help you identify antiquated hardware that is underperforming for the task and will improve your ability to plan for network expansion and will allow you to ascertain a structured network environment for maximum efficiency

Summary


In this article I have focused on the ideas and workings of most well know industry sniffers.  The article is written to assist you in making a more educated decision when picking the sniffer of your choice and will defiantly aid you when it comes to hunting for value features.  It is recommended that when choosing a sniffer that most of the features described above are present and that the software is tested in a controlled environment before going live.  This strategy will minimize risks and cons that may be associated with the application that may otherwise not be noticed.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top