Protocol analyzers: How to compare and use them
Protocol analyzers and their big brother, enterprise-grade monitoring tools, can help maintain the health of modern networks
By Neil Roiter
May 24, 2011 — CSO —
Protocol analyzers are the indispensable tools that your IT staff deploys on the network when it's not behaving properly. Sharp, experienced admins can examine the live network data or a saved packet-capture file and figure out why connections are intermittent, why users are complaining that the network is slow or they can't get to their file server, or why voice over IP isn't working in a branch office.
There's much more. While network gurus still run portable analyzers from their laptops to troubleshoot and debug issues as they crop up, enterprise-grade tools have emerged to continuously monitor the health and security of your network and the complex, latency-sensitive applications that are your business.
This Toolbox explains the role of protocol analyzers and the monitoring, analysis and visibility tools that help keep your networks and the applications they deliver running smoothly and securely. Read more implementation tips in Protocol analyzers: Dos and Don'ts (free Insider registration required).
Protocol Analysis in the Trenches
What we know as protocol analyzers were commonly referred to as (and are still sometimes called) packet sniffers, but Sniffer is actually a brand name for NetScout Systems products. (It's much like Band-Aid is used generically for adhesive bandages.) Further, protocol analyzers have evolved to a level that goes beyond just the packet-capture capabilities the term implies.
"The change in name is significant," says Mike Chapple, senior adviser to the executive vice president at the University of Notre Dame, because the tools become very protocol-aware. He draws an analogy between protocol analyzers and the evolution in firewalls. "You had packet-filtering firewalls, then stateful inspection and application proxy. Network analysis tools have had the same evolution, from just packets one at a time without any context, without understanding what came before and what came after. Now tools are context-aware."
Protocol analyzers capture data off a particular port or network segment, typically fed by a switch's SPAN (port-mirroring) feature, decode it into something approaching readable form, and provide some level of analysis to highlight key information. They are primarily network troubleshooting and debugging tools used to figure out what is causing performance issues, why protocol errors are popping up, why DHCP isn't working, why your virtual network isn't routing traffic properly, and related issues.
They are often used when a new service is introduced or an existing one is changed, which is when implementation and configuration errors are most likely to occur. In some cases, poorly written or incomplete documentation may be the culprit, so admins have to take a close look at the traffic to figure out exactly what is happening.
"We can't necessarily trust that the configuration you think is running is the actual configuration running, so actually grabbing the packets and looking at them tells you exactly what's happening," says Joel Snyder, senior partner at IT consultancy Opus One. "These are very, very important tools and are used constantly by the network manager and the people debugging and troubleshooting."
Portable protocol analyzers are primarily network tools but are also useful for troubleshooting and fine-tuning security products such as firewalls and intrusion-detection systems. For example, Chapple says he has regularly used the ubiquitous free analyzer Wireshark to troubleshoot firewall rules. With systems running an analyzer on either side of a firewall, one can see exactly which packets are passing through and determine what's causing access issues: authorized traffic that's not getting through, or unauthorized or potentially malicious traffic that is.
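The two ideas above, decoding captured frames into protocol-aware flows and comparing captures taken on either side of a firewall against the intended rule set, can be shown in a few dozen lines. The following is an added example written for this article; it is not code from the article, from Wireshark, or from any product named here. It assumes a plain Ethernet II / IPv4 / TCP-or-UDP layout, and the "captures" are frames constructed inline with documentation addresses (203.0.113.x outside, 10.0.0.x inside), so it runs offline without a real capture file.

```python
"""Decode captured frames and diff the two sides of a firewall.

Added example for this article, not code from the article or any product it
names. It assumes a simple Ethernet II / IPv4 / TCP-or-UDP layout and uses
sample frames that are constructed inline, so it runs without a capture file.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    """The 5-tuple an analyzer shows once it has decoded the packet headers."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_frame(frame: bytes) -> Optional[Flow]:
    """Walk Ethernet -> IPv4 -> TCP/UDP headers and return the flow, or None."""
    if len(frame) < 14 + 20:             # Ethernet header plus minimal IPv4 header
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None                      # only IPv4 is decoded in this example
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes (options included)
    proto = ip[9]
    src, dst = _dotted(ip[12:16]), _dotted(ip[16:20])
    if proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return Flow(f"ip{proto}", src, 0, dst, 0)
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])  # ports lead both headers
    return Flow("tcp" if proto == PROTO_TCP else "udp", src, sport, dst, dport)


def build_frame(proto: str, src: str, sport: int, dst: str, dport: int) -> bytes:
    """Construct a minimal frame (zeroed MACs and checksums) for the sample captures."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == "tcp" else 4)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(l4), 0, 0, 64,
        PROTO_TCP if proto == "tcp" else PROTO_UDP, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + l4


def audit_firewall(outside: List[bytes], inside: List[bytes],
                   allowed: Set[Tuple[str, str, int]]) -> List[Tuple[str, Flow]]:
    """Compare captures from both sides of a firewall against the intended policy.

    `allowed` holds (proto, dst, dport) tuples the rule set is meant to permit.
    Findings cover authorized traffic that was dropped, traffic that reached the
    inside although policy does not allow it, and flows seen only on the inside.
    """
    outside_flows = [f for f in map(decode_frame, outside) if f]
    inside_flows = {f for f in map(decode_frame, inside) if f}
    findings = []
    for f in outside_flows:
        permitted = (f.proto, f.dst, f.dport) in allowed
        reached = f in inside_flows
        if permitted and not reached:
            findings.append(("authorized traffic blocked", f))
        elif reached and not permitted:
            findings.append(("unauthorized traffic passed", f))
    for f in inside_flows - set(outside_flows):
        findings.append(("seen inside only", f))
    return findings


def sample_captures() -> Tuple[List[bytes], List[bytes]]:
    """Constructed captures: four flows hit the outside interface, two get inside."""
    https = build_frame("tcp", "203.0.113.7", 51000, "10.0.0.5", 443)
    ssh = build_frame("tcp", "203.0.113.7", 51001, "10.0.0.5", 22)
    dns = build_frame("udp", "203.0.113.9", 5000, "10.0.0.5", 53)
    smtp = build_frame("tcp", "203.0.113.7", 51002, "10.0.0.6", 25)
    return [https, ssh, dns, smtp], [https, dns]


# Hypothetical rule set for the sample: only HTTPS to 10.0.0.5 and SMTP to 10.0.0.6.
POLICY = {("tcp", "10.0.0.5", 443), ("tcp", "10.0.0.6", 25)}

if __name__ == "__main__":
    outside, inside = sample_captures()
    for reason, flow in audit_firewall(outside, inside, POLICY):
        print(f"{reason}: {flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

Run as a script, the sample reports that the DNS flow reached the inside although the policy does not permit it, and that the SMTP flow the policy allows never arrived, which are exactly the two kinds of firewall misconfiguration the side-by-side capture is meant to expose. With real data you would replace `sample_captures()` with frames read from the two capture files and keep the rest.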