What packet sniffer would you recommend using, especially in a 50+ workstation environment? I am a fan of Wireshark but it's got quite a bit of security history. Is there something better?
What packet sniffer would you recommend using, especially in a 50+ workstation environment? I am a fan of Wireshark but it's got quite a bit of security history. Is there something better?
I use Wireshark on Windows all the time - with a SPAN session or similar, plus cunning use of capture/display filters, you can get it to tell you pretty much anything you need. And you can make pretty graphs for your boss, too. What did you mean by 'security history'?
I haven't run into anything free that is better. My work it too cheap to pay for a sniffer when Wireshark is so good at what it does. Yes, it seems Wireshark has a new vuln against a decoder every other day or so, but that kind of thing happens when you're by far the top package in a field like this. Yes, I'd like them to update a bit more often. But the sheer utility of Wireshark makes me keep using it.
I don't use this stuff nearly as much as I used to, but I always liked Microsoft Network Monitor when I needed a free protocol analyzer to track down a problem. http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f
(Disclosure: My name is at the top of Wireshark's list of authors.)
Wireshark's security record is one of the very few aspects of the project that I've been unhappy with. The good news is that we have a talented team of developers and a solid architecture. One of the reasons you hear about Wireshark's security is that we actively look for flaws and report them. We're usually the first to discover them, and I try to push out updates and advisories as quickly as possible when they are found. The bad news is that eliminating every flaw in 1.7 million lines of code is Really Damn Hard.
Something to keep in mind if you're looking at a commercial analyzer: many of them use older versions Wireshark (or Ethereal) as a back-end for decoding.
get windows version of tcpdump and analyze traces later with anything [ including wireshark ] on separate desktop box.
or use network switch with port mirroring and attach linux [ or - in worst case - virtual machine with linux and bridging to separate ethernet interface ] and perform all sniffing on it.
I use Wireshark and would still recommend the same, but an alternative to pQd's suggestion of two-stepping the actual packet capture (presumably Windump) and analysis (Wireshark) would be using the updated first-party Microsoft Network Monitor or checking out the array of "WinPcap-based Tools and Programs" at the WinPcap site (the underlying support for many packet analyzers including WinDump and Wireshark). I've used "Analyzer" in the past.
If you know python, scapy is great. Here is how to install it one windows. You can use to sniff traffic, and even craft packets. Conceptually it breaks everything down into OSI layers.
Netmon 3.3 is definitly your best bet. The best new feature is experts functionality
I would agree with RainyRat, (that's an awesome username, BTW dude) and express my own incredulity with your anti-wireshark sentiments. (I also don't know of any security vulnerabilities in it either, and I use it quite a bit.) That being said, I'd love to know if there are any.
In the interim, there's always LanHound
If you have some bucks to spend, try Wildpacket's OmniPeek. It has enormous analysis features and decoders, session/flow based views, easy-to-build filters and great support for real NICs with hardware filtering.
I often use it for my daily work to analyze problems in chatty customer networks - you can drop some small linux-boxes with tcpdump and use them as remote-NIC for larger setups.
You can download a trial version and give it a shot.