Things don’t get much more specialised than protocol analysis: the study of the packets flowing through a computer network.
There are many tools for analysing packets on a network, from very expensive dedicated hardware through commercial software to open source solutions.
WinPcap is the major open source packet sniffing library for Microsoft Windows. Unfortunately it is no longer under active maintenance, and hasn’t been for quite a while. But, fear not, Npcap has picked up the baton. Sort of: Npcap, maintained by the Nmap Project, runs on current Windows releases, but its licence is more restrictive than WinPcap’s, particularly when it comes to redistributing it inside another product.
Wireshark is a wonderful tool, no doubt about it. But, on Microsoft Windows, there is one thing it isn’t so good at.
Windows 7 doesn’t give you a local loopback interface that WinPcap can capture from, so capturing loopback (127.0.0.1) traffic is rather difficult without modifying your system. Something I try to avoid if at all possible. (Npcap, WinPcap’s successor, does support loopback capture.)
There are ways to install a loopback adapter if you want, as documented here, along with other means of achieving the same effect.
Great post by Chris Sanders on ARP poisoning for protocol analysis. Well worth a read.
Sometimes you stumble across a product that blows you away. Until now network taps have been exotic hardware, affordable only by large IT departments with budgets to match.
Not any more! nmon have brought out a range of low cost network taps and network traffic analysers with NetFlow support. It looks like network taps just got affordable for the masses.
Why should you be interested? They’re just enterprise doodads aren’t they?
One of the big problems in a switched network is reliably getting at network traffic for analysis or monitoring, because a switch only forwards a frame to the port its destination lives on. Many solutions require changes either to the hosts being monitored or to your network infrastructure.
Many managed switches can mirror the traffic on one or more ports (Cisco call this SPAN). Mirroring simply involves the switch copying frames from one or more source ports to another designated port, while still forwarding them to their original destination. The caveat is that a mirror port can be oversubscribed: copying both directions of a busy full-duplex port onto a single destination port of the same speed can exceed its capacity, and the switch silently drops the excess. That is where a dedicated tap earns its keep.
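The host-side alternative to mirroring, the ARP poisoning that Chris Sanders’ post describes, works by sending forged ARP replies so that two hosts on a switched segment each send their traffic to the analyst’s MAC address instead of to each other. The example below is added here and is not code from the original post or from Chris Sanders; it builds such frames from scratch with Python’s standard library (nothing is put on the wire) and then shows what the same trick looks like to a monitor, using the arpwatch-style check of flagging an IP address whose MAC mapping changes. All MAC and IP addresses are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REQUEST = 1
ARP_REPLY = 2

# Constructed addresses for the example (not real hosts).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:0a"
ANALYST_IP, ANALYST_MAC = "192.168.1.50", "00:11:22:33:44:32"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (14 + 28 bytes)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": mac_str(frame[6:12]),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def detect_poisoning(frames: List[bytes], known: Dict[str, str]) -> List[str]:
    """Flag ARP replies that rebind an IP to a new MAC, or whose ARP sender
    MAC disagrees with the Ethernet source address. `known` seeds the
    IP -> MAC table the way a real monitor would learn it over time."""
    table = dict(known)
    alerts = []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            continue
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if pkt["eth_src"] != mac:
            alerts.append(f"{ip}: ARP sender {mac} differs from frame source {pkt['eth_src']}")
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ip} moved from {prev} to {mac}")
        table[ip] = mac
    return alerts


# Constructed traffic: two legitimate frames, then the two poisoned replies
# an analyst would send to sit between the victim and the gateway.
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, ANALYST_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "I am the gateway"
    build_arp(ARP_REPLY, ANALYST_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "I am the victim"
]
KNOWN_HOSTS = {GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC}


def run_demo() -> List[str]:
    return detect_poisoning(SAMPLE_FRAMES, KNOWN_HOSTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run stand-alone it reports the two rebindings (gateway and victim both "moving" to the analyst’s MAC). Note that the forged frames pass the source-consistency check, because the analyst sends them from its own MAC; a monitor that only knows the segment from those frames, with no prior table, sees just one change. That is why the detection depends on having learnt the legitimate mappings first.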
WinPCap is a great Windows based, open source driver for packet sniffing wire-based networks using a bog standard network interface card. Contrary to a common assumption, WinPCap is not GPL’ed; it is released under a BSD-style licence.
From a commercial software developer’s perspective, the GPL can be quite intimidating. Consequently, a lot of commercial developers won’t touch GPL’ed code with a very long barge pole.
Fortunately, WinPCap’s BSD-style licence already allows it to be shipped inside closed-source products, and for commercial developers who also want a supported build the WinPCap developers offer WinPCap Professional.
Tools like the Test-Um Wi-Net are great for troubleshooting wireless networks. But Wi-Net falls a long way short of giving you real technical insight into your wireless network. What do you do if you need more, say, to capture packets and the like?
One solution is to use the Wireshark + AirPcap combination. The reason a dedicated adapter is needed at all is that WinPcap on an ordinary Windows wireless card cannot put it into monitor mode, so you only ever see your own traffic and none of the 802.11 management frames; AirPcap is a USB 802.11 adapter with its own driver that captures everything in the air.
Wireshark I’m sure most of you have heard of. Formerly known as Ethereal, it is a very capable open source packet capture and analysis tool for a variety of platforms, including Microsoft Windows.
One of the tools recommended in Chris Sanders’ Practical Packet Analysis book is called Rumint.
Rumint is a free, open source packet visualization tool for Microsoft Windows (written in Visual Basic).
Rumint’s author, Greg Conti, has a book to be published by No Starch Press called Security Data Visualization.
One problem I’ve run into with Rumint is that it doesn’t work on my setup. I run Windows XP and I’ve got WinPCap 4.
FYI there is an interesting interview with Chris Sanders, author of “Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems”.
If you are new to packet analysis, you could do a lot worse than read the book.
Just found an interesting book. If you’re a blood ‘n guts comms bod then I think this book should find a place on your bookshelf. The book can be found here on the publisher’s website.
The author, Chris Sanders, also has a good blog. Well worth adding to your feed reader.