Fog Creek Software
Discussion Board
Can anybody recommend a good packet sniffer?

There's been some complaint about performance, so we're trying to take a look at exactly what gets downloaded by our ActiveX controls, and see if there's any duplication or redundancy happening.

Can anybody recommend a good tool for the job?

Ged Byrne
Wednesday, February 12, 2003

Ethereal and tcpdump - GUI or command line, take your pick.

Nat Ersoz
Wednesday, February 12, 2003

Ethereal:  What a GREAT product name.

Brad Siemens
Wednesday, February 12, 2003

If you have MSDN or BackOffice, look on the SMS disk for a folder called NMEXT (Network Monitor Extended?). It's fantastic, and if you already have the disk, free.

Troy King
Wednesday, February 12, 2003

Some time ago I used Etherscan Analyzer. You can find it at www.etherscan.com. Very easy to use. Only drawback is that it decodes only a handful of protocols.

nobady
Wednesday, February 12, 2003

I've used NAI Sniffer Pro and Ethereal, and I like Ethereal the best.  Windows setup takes a couple of extra steps, but once you get it running it is easy to use and very powerful (and free).

http://www.ethereal.com/

Colin Evans
Wednesday, February 12, 2003

Network monitor (from Microsoft) is good. I think it may also come with Win2k Server. Also, netcap comes as part of the Windows XP support tools (on the CD-ROM), it can only monitor but not display the results, but some other tools can display the results (like Netmon on your win2k machine).

mb
Wednesday, February 12, 2003

oh yeah, if you're using http, you can always point it to a http proxy server and use whatever logging the proxy server has.

mb
Wednesday, February 12, 2003

Also, for http, take a look at pcaptrace:

http://www.pocketsoap.com

Works great, and can't beat the price!

Chris Tavares
Wednesday, February 12, 2003

EtherPeek from WildPackets - can't live without it!

http://www.wildpackets.com/

pUnk
Thursday, February 13, 2003

ettercap http://ettercap.sourceforge.net/ is great when working in a switched environment (it can do effective arp poisoning)

Nice
Thursday, February 13, 2003

The network monitor on Win2K Server is limited to sniffing the machine it's running on, though even that is often enough.  On the Systems Management Server there's a full copy of Network Monitor.

Simon Lucy
Thursday, February 13, 2003

Thanks for all the tips.  Ethereal is proving an excellent tool, though I'm having trouble understanding the filtering.

Ged Byrne
Thursday, February 13, 2003

The filtering is based on tcpdump syntax - and yes it is painful.

I was using this just the other day to watch our RTSP client/server converse.

Take a look at the tcpdump man page (ugly, yes, but useful)

http://www.tcpdump.org/tcpdump_man.html

Some protocols listed, don't filter (like RTSP), but they do parse, and you can sort by protocol once captured.

My filter yesterday was:
host xxx.xxx.xxx.xxx and not port 22

Removes ssh (port 22) from the capture, and only looks at the interface specified by "host" IP.  I often turn off "name resolution" (-n in tcpdump, a button in ethereal) because the capture doesn't have DNS resolution delays.

It's interesting that Ethereal can parse many more protocols than it can filter on.  So, you often have to revert to filtering by port.

Hope that helps, even if it's a simple example.

Nat Ersoz
Thursday, February 13, 2003
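An added example, not posted in this thread: a small pure-Python pcap reader that applies the same selection as Nat's capture filter (`host X and not port 22`) and then counts HTTP GET requests per URL, which is the duplicate-download check Ged was after in the original question. The capture it reads is constructed inline; the addresses, ports and paths (10.0.0.5, 192.0.2.10, /ctl/viewer.cab and so on) are hypothetical. Only Ethernet/IPv4/TCP is decoded, checksums are ignored, and each request is assumed to sit in one segment, which is enough to illustrate the filter and the counting but not a substitute for Ethereal on a real trace.

```python
"""Added example (not from the thread): read a pcap file, keep packets matching
`host <host> and not port <port>`, and count HTTP GET requests per URL."""
import struct
from collections import Counter


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame; checksums are zero, this reader ignores them."""
    ip_total = 20 + 20 + len(payload)
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)  # ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic libpcap file: global header plus a record header per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1045000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP packet in the file."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue  # not TCP
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[doff:]


def bpf_host_not_port(pkt, host, port):
    """Python equivalent of the tcpdump filter `host <host> and not port <port>`."""
    src, dst, sport, dport, _ = pkt
    return host in (src, dst) and port not in (sport, dport)


def count_http_gets(pcap_bytes, host, exclude_port=22):
    """Count GET requests per absolute URL among packets that pass the filter."""
    hits = Counter()
    for pkt in parse_pcap(pcap_bytes):
        if not bpf_host_not_port(pkt, host, exclude_port):
            continue
        payload = pkt[4]
        if not payload.startswith(b"GET "):
            continue
        lines = payload.split(b"\r\n")
        path = lines[0].split(b" ")[1].decode()
        headers = dict(ln.split(b": ", 1) for ln in lines[1:] if b": " in ln)
        hits["http://" + headers.get(b"Host", b"?").decode() + path] += 1
    return hits


def duplicates(hits):
    """URLs fetched more than once: the redundancy the original poster wanted to find."""
    return {url: n for url, n in hits.items() if n > 1}


# Constructed capture (hypothetical hosts): the client pulls one .cab twice.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
_get = lambda path: b"GET " + path + b" HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 1025, 80, _get(b"/ctl/codebase.inf")),
    build_frame(CLIENT, SERVER, 1026, 80, _get(b"/ctl/viewer.cab")),
    build_frame(CLIENT, SERVER, 1027, 22, b"SSH-2.0-OpenSSH_3.4\r\n"),  # dropped by `not port 22`
    build_frame("10.0.0.9", SERVER, 1028, 80, _get(b"/ctl/viewer.cab")),  # other host, dropped
    build_frame(CLIENT, SERVER, 1029, 80, _get(b"/ctl/viewer.cab")),
])

if __name__ == "__main__":
    for url, n in sorted(count_http_gets(SAMPLE_PCAP, CLIENT).items()):
        print(n, url)
    print("duplicates:", duplicates(count_http_gets(SAMPLE_PCAP, CLIENT)))
```

Run against a real trace by replacing SAMPLE_PCAP with the bytes of a file saved from tcpdump -w or Ethereal; on a switched network remember the capture only sees traffic that reaches the sniffing host's interface.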
