What is a Network Analyzer or Protocol Analyzer?

Discover how to choose the right network analyzer for your needs. Get practical tips and insights to make an informed decision.


Types of Network Analyzers or Protocol Analyzers

Somewhat confusingly, there are broadly three categories of Network or Protocol Analyzers: Network Analyzers, Protocol Analyzers and Network Protocol Analyzers.

Network Analyzers (RF) - or Vector Network Analyzer.

The term Network Analyzer is used with several different meanings.

One common category of Network Analyzer describes tools that are designed to measure specific characteristics of Radio Frequency Electronic Devices. These tools are often referred to as a Scalar Network Analyzer or Vector Network Analyzer and are used by Electronics Engineers who are designing RF electronic circuits.

Endace doesn’t focus on this type of Electrical Network Analyzer. However, if this is what you are interested in, our partners at Keysight Technologies have a great description of these types of Network Analyzers here.

Protocol Analyzers (Logic)

Designers of computer systems use a special class of Protocol Analyzer (sometimes called Logic Analyzers) that analyze communication bus protocols such as PCIe, Fiber Channel (FC) and USB. These Protocol Analyzers are often used by developers of computer systems to debug problems involving communication and control of computer peripherals or storage systems. These are not the sort of protocol analyzer that Endace focuses on either. Again, Keysight Technologies has a good description of these here.

Network Analyzers (Data Communications)

Another common category of Network Analyzer describes tools that analyze data communication networks such as IP/Ethernet LANs or WANs. These tools may use direct or indirect methods to analyze one or many links in a network. Analysis may be at any layer of the seven-layer OSI model, but most commonly they focus on Layer 2 (data link layer), Layer 3 (network layer), Layer 4 (transport layer) and Layer 7 (application layer).

The main purposes of network analysis are troubleshooting issues, investigating security events, and monitoring the health, utilization, performance, and status of the network.

  • Direct Network Analysis involves using a TAP (Test Access Point) or SPAN (Switch Port Analyser, also known as a Port Mirror) to analyze a copy of the signals or data traversing a network. For Ethernet networks these tools derive their analysis from the packet data seen on the network, including the examination of IP addresses (both IPv4 and IPv6) associated with specific protocols and their statistics. Wireshark could be considered a directly attached Network Analyzer. This category is also known as Protocol Analyser (Network), described in more detail below.
  • Indirect Network Analysis involves using Meta-Data to analyze the activity on a network. Metadata can be sources such as NetFlow, IPFIX, network device logs, SNMP, or other sources that summarise the activity on a network. A NetFlow collector would fit this category of indirect Network Analysis. Metadata such as NetFlow is often based on sampling rather than examining every flow and packet traversing the network.

Direct and Indirect Network Protocol Analysis provide very different insights into network activity, so it’s important to use the appropriate tool for the task at hand. Direct Protocol Analysis provides a high level of detail that can show you exactly what’s going on in your network based on actual packet data, while Indirect Protocol Analysis provides a less accurate summary view of what’s happening across your infrastructure.

For a deeper dive, check out our learn article on NetFlow vs Full PCAP.

Network Protocol Analyzer

Network Protocol Analyzer is another name for a directly attached Network Analyzer (also called a Packet Analyzer). Let’s call this group of products Network Protocol Analyzers. These are products that are used to monitor performance, and diagnose problems, on directly attached data networks such as the typical IP-protocol based LAN/WAN networks that we’re all familiar with.

We exclude Indirect Network Analysis such as NetFlow and other metadata-based solutions from this category because they do not directly analyze the network: they operate from a summary only and cannot provide full, detailed visibility of what’s occurring on the network.

Importantly, Network Protocol Analyzers provide amazing amounts of detail for troubleshooting issues or analyzing threats. They often capture and store full packet data to provide detailed analysis, allowing you to see every byte of every packet, in sequence with precise timing information, and decoded in human-readable format. There are a myriad of problems that Network Protocol Analyzers solve; here are a few of them:

  • Investigating security alerts and threat activity
  • Accurately reconstructing historical security events - such as data exfiltration
  • Understanding performance issues - is it the application or the network?
  • Troubleshooting connectivity issues
  • Accurately measuring network latency and application performance
  • Measuring network utilization
  • Understanding who’s hogging network bandwidth
  • Figuring out why a user has bad QoE
  • Finding the cause of outages
  • Many other problems where you need to see exactly what’s going on

“Ad-hoc” (or post-event) Network Protocol Analysis involves attaching a protocol analyzer to a network after receiving a trouble ticket.

In this scenario it can be challenging to quickly resolve the issue, threat or fault when it’s occurring – particularly if it happens intermittently or infrequently. Ad-hoc analysis often requires analysts to connect a Network Protocol Analyzer and wait for the problem to occur again.

A much better approach is to continuously capture network traffic in key locations so you can go back and analyze when something goes wrong. This is often referred to as “always-on” packet capture. EndaceProbe does exactly this: it continuously records days, weeks, or months of network packet data, then allows you to go back in time to perform Network Protocol Analysis at the time of the reported event.

Network Protocol Analysis with Wireshark

By far the most commonly used tool for network protocol analysis is the free, open-source Wireshark project. Founded by Gerald Combs, the Wireshark project has been around for more than 20 years and in that time has become the pre-eminent graphical tool that virtually every network analyst and security analyst uses to examine packet data and decode protocols.

Wireshark provides the ability to graphically analyze packet data and understands the various protocols (it currently supports more than 3000 individual protocols). It can also capture traffic to a capture file, and analyze captured traffic, making it essential for network traffic investigation.

Wireshark can read packets from a file input – and supports a number of file formats, including Endace’s ERF format, as well as a pcapng file type (Wireshark’s native file format) and the earlier – and often still used – pcap format. Capture files can be saved and managed during network traffic analysis, enabling easier investigation and sharing of relevant packets for further analysis.

Wireshark provides many useful features for capturing and analyzing pcap files - including capture filters (to focus on what data you want to be captured), display filters (to manage what you view in the GUI - for instance focusing on traffic to or from specific port numbers or a specific source address) and custom Wireshark profiles (that let you save your preferred preferences into "sets" - for example you might have a Wireshark profile specifically for looking at HTTP or HTTPS traffic).

Wireshark decodes the packet data into human-readable format and sorts the packets sequentially giving each packet a unique packet number.
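As an added illustration (not code from this page or from the Wireshark project), the following Python does in miniature what a packet analyzer does with a classic pcap file: it checks the file magic (rejecting pcapng, which is a different format), numbers packets sequentially from 1, recovers each record's timestamp, decodes the Ethernet/IPv4/TCP headers, and applies the equivalent of the display filter tcp.port == 80 after the fact. The sample pcap is constructed in memory so the script runs offline; the addresses and ports are made up.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps (pcapng uses different magic)
LINKTYPE_ETHERNET = 1

def build_frame(src_port, dst_port, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, not real traffic)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 0xFFFF, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Serialise frames as an in-memory pcap: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):   # constructed timestamps, 250 ms apart
        out += struct.pack("<IIII", 1_700_000_000 + i, 250_000 * i, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Number packets from 1 (as Wireshark does) and decode L2/L3/L4 fields of each record."""
    endian = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    packets, offset, number = [], 24, 0
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        number += 1
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue   # non-IPv4 frame (e.g. ARP): keeps its packet number, not decoded here
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30])); dst = ".".join(map(str, frame[30:34]))
        sport = dport = None
        if proto == 6 and len(frame) >= 14 + ihl + 4:
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        packets.append({"no": number, "time": ts_sec + ts_usec / 1e6, "src": src,
                        "dst": dst, "proto": proto, "sport": sport, "dport": dport})
    return packets

def tcp_port_filter(packets, port):
    """Equivalent of the Wireshark display filter 'tcp.port == <port>' applied after capture."""
    return [p for p in packets if p["proto"] == 6 and port in (p["sport"], p["dport"])]
```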

For more information about pcap files see this in-depth article What is a Pcap file?

Endace is a Platinum Sponsor of the Wireshark Foundation which manages the Wireshark project. You can watch a video interview below with Gerald Combs, by Endace’s Michael Morris, where Gerald talks about Wireshark’s history and where it’s heading next.

What is Tshark? Are Wireshark and Tshark the same thing?

Where Wireshark provides a graphical interface for analyzing packet data, Tshark is the command-line equivalent. It is typically installed as part of a default Wireshark install.

Tshark can be useful in situations where you need to be able to capture or analyze packets but cannot run – or don’t need – a GUI interface. It can also be called from scripts – so can be useful for performing automated processes such as pulling specific packet data from a larger pcap file or starting and stopping captures.

Where can I get hold of Wireshark?

Pre-built Wireshark packages are available for both MacOS and Windows and can be downloaded here: https://www.wireshark.org/download.html.

Many people also run Wireshark on Linux, FreeBSD and other UN*X-based operating systems. The full source code is available for download and there are many articles on the web about how to compile and run Wireshark on various flavours of UN*X.

How can I get started with Protocol Analysis?

If you’ve decided you want to learn how to do network analysis, a great first step is to download and install Wireshark.

The Wireshark.org website has a ton of useful learning resources available, including courses from the Wireshark University, and a very active (and friendly) user community which is always happy to answer questions. Wireshark runs annual “Sharkfest” conferences in USA and Europe which are also a great venue to meet Wireshark experts and learn advanced tips and tricks about network analysis.

Chris Greer (aka PacketPioneer) also has an excellent Introduction to Wireshark series on YouTube which is highly recommended. And it’s free!

Brad Duncan (Twitter: @malware_traffic) runs an excellent website which provides a wealth of pcap files related to cybersecurity exploits, combined with some great exercises, and some helpful training material on customising and using Wireshark.

If you are looking to start protocol analysis with a view to understanding how to analyze packets for cybersecurity, Endace and former SANS instructor “Malware” Jake Williams combined to create a series called Real World Packet Analysis in which he describes how common protocols – including HTTP/HTTPS, CIFS/SMB, DNS, SMTP/IMAP – work, how they can be used by cyberattackers, and what to look out for.

Watch the “Real World Packet Analysis” Videos here

Where Can I Find Good PCAP Example Files to Practise On?

Here are some links to useful pcap repositories where you can download sample pcap files for analysis:

Other Useful Wireshark Resources

Betty Dubois, has a great selection of Wireshark profiles that she makes available for download from her Packet Detectives site here. Betty has years of experience running Wireshark training courses, including at many Sharkfest conferences.

Comparitech has put together a useful Wireshark Cheat Sheet here which contains filter syntax examples, keyboard shortcuts and a host of other useful tips.

Are there other Network Protocol Analyzers apart from Wireshark?

Probably the best known alternative to Wireshark and Tshark is an open-source project called TCPDump. TCPDump is a command-line network protocol analysis tool which, together with its sister project libpcap (a packet capture library for UN*X systems), provides both packet capture and analysis capability.

For capturing packets on Windows hosts, the standard equivalent of TCPDump and libpcap used to be WinDump and WinPcap. These projects have not been developed for a number of years now. There is a recommended replacement for WinPcap – Npcap – which is actively being developed by the nmap project. According to the documentation, Npcap is compatible with programs that use the WinPcap library once they are recompiled with the Npcap SDK.

Note, however, that Npcap is not an open-source project. It is commercial and limited for use on up to five systems – unless it is used only with Wireshark, nmap, or Microsoft Defender for Identity, in which case it can be deployed on unlimited hosts. It cannot be redistributed without an OEM license.

NetworkMiner is another free open-source network protocol analysis tool, with a more feature-rich, commercial version NetworkMiner Professional also available. NetworkMiner is predominantly a Windows application but can run on Linux using Mono. Mac support is limited.

Fiddler is a protocol analysis tool designed specifically for debugging HTTP/HTTPS traffic. The free version, Fiddler Classic, is no longer under development. The commercial version, Fiddler Everywhere, is available via a monthly subscription.

Commview is another commercial product that provides both packet capture and network analysis.

Last, but not least

EndaceVision, the network analyzer built into our EndaceProbes, provides a web-based GUI tool that enables our customers to visually analyze the traffic recorded by their EndaceProbes. It lets you apply filters and views and zoom in or out on the timeline to identify packets-of-interest.

EndaceVision also provides the ability to send packets directly to a hosted instance of Wireshark running on the EndaceProbes for analysis. Selected traffic can also be sent to a hosted Zeek instance which generates rich log data and reassembles any file transfers contained in the selected data.

Who is Endace?

Endace specializes in scalable, high-speed, high-performance packet capture. Our solutions are used by some of world’s biggest organizations on some of the fastest networks on the planet.

If you are looking for a packet capture solution, we’d love to show you why Endace is the best choice. Contact us to book a demo or ask a question.