Wednesday, October 29, 2008

Using a packet sniffer for network packet analysis

A packet sniffer may seem like a humble addition to a network professional's toolkit, but when used correctly, packet sniffers (also known as protocol analyzers) can home in on any number of network problems. "Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems" author Chris Sanders uses the protocol analyzer Wireshark for packet analysis almost daily in his network administration job, where he manages nearly 5,000 users (plus 20 servers and more than 1,800 workstations).

To learn from Sanders' experiences and to help you troubleshoot your network, SearchNetworking.com interviewed Sanders by email. Here, Sanders explains how packet sniffers sniff and analyze network traffic.
_____________________________
By Tessa Parmenter

29 Oct 2007 | SearchNetworking.com

What are the main things a sniffer can detect on a network?
I think that network admins, much of the time, are only as good as the collection of tools they have at their disposal. A packet sniffer is just that, a tool. With computer networks, we often have to rely for our troubleshooting on what interfaces tell us is happening. A packet sniffer is a tool that allows you to get past all of the fancy interfaces and misleading error messages to see what exactly is going on at the lowest levels of network communication. Packet sniffers can show you all sorts of things going on behind the scenes, including unknown communication between network devices, actual detailed error codes provided by layer-specific protocols, and even poorly designed programs going crazy. As [radio broadcaster] Paul Harvey would say, a packet sniffer is a tool that lets you find "the rest of the story." It is essential for any network admin's toolkit.

When you're selecting a packet sniffer, what should you be looking for?
There are several considerations, but some of the biggest are the supported protocols of a sniffer, the platforms the sniffer runs on, the support provided for the software, and the cost. However, the most important thing is your level of comfort with using the software. Some packet sniffers are totally command-line based. Many people just aren't comfortable with that; others wouldn't want to use anything else. Once you get past all of the technical considerations, it is really just a matter of what you feel comfortable using. I typically find that once people get into packet analysis, they usually spend a lot of time doing it. I like to think of it like decorating your office. If you are going to be spending a lot of time in it, you want it to be a place where you are comfortable. The same goes for selecting a packet sniffing application!

What are the commercial products that compare with Wireshark? Are there similar open source and/or free tools, and how do these compare with Wireshark and one another?
Some of the alternatives to Wireshark include commercial products such as Etherpeek, Colasoft Capsa and Sniff'Em, as well as free products such as Ettercap and Tcpdump. What sets Wireshark apart from most of these is that it is the most widely used, so it provides a larger number of supported protocols and has a user-driven support base that is unrivaled. The only special thing the commercial products typically offer is their ability to produce reports that are more suited to less technical users.

How does a packet sniffer relate to the OSI model?
In order to really understand what is going on when you try to analyze things at the packet level, you have to have a very thorough understanding of what the OSI model is and how data moves through it. Trying to sniff packets without understanding the basic concepts of the OSI model is like trying to drive a race car without knowing how to drive a stick shift.
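To make the OSI point concrete, here is an added example (not from the interview or from Sanders' book) of what a protocol analyzer does with a single frame: it peels off the data-link, network and transport headers in order, each layer telling it how to interpret the next. The frame bytes are constructed for the example, not captured from a real network, and checksums are left as zero and not validated.

```python
import struct

# Constructed sample frame (not from a real capture): Ethernet II carrying an
# IPv4/TCP SYN from 192.168.1.10:40000 to 10.0.0.5:80. Checksums are left zero.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"             # Ethernet: dst MAC, src MAC, EtherType 0x0800 (IPv4)
    "45" "00" "0028" "0001" "0000" "40" "06" "0000"  # IPv4: ver/IHL, ToS, total len 40, id, flags/frag, TTL 64, proto 6 (TCP), csum
    "c0a8010a" "0a000005"                            # IPv4: src 192.168.1.10, dst 10.0.0.5
    "9c40" "0050" "00000001" "00000000"              # TCP: sport 40000, dport 80, seq, ack
    "50" "02" "ffff" "0000" "0000"                   # TCP: data offset 5 words, flags SYN, window, csum, urgent ptr
)

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_str(raw): return ".".join(str(b) for b in raw)

def dissect(frame):
    """Decode one frame bottom-up: layer 2 (Ethernet), layer 3 (IPv4), layer 4 (TCP)."""
    layers = {}
    # Layer 2: a fixed 14-byte Ethernet II header; the EtherType names the layer-3 protocol
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers            # not IPv4: this example stops at layer 2
    # Layer 3: IPv4 header; IHL is in 32-bit words and tells us where layer 4 starts
    ihl = (frame[14] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    layers["ip"] = {"src": ip_str(s), "dst": ip_str(d), "ttl": ttl, "proto": proto, "total_len": total_len}
    if proto != 6:
        return layers            # only TCP is decoded in this example
    # Layer 4: TCP header; data offset gives header length, the flag byte the segment type
    t = 14 + ihl
    sport, dport, seq, ack, off_byte, flag_byte, window = struct.unpack("!HHIIBBH", frame[t:t + 16])
    hdr_len = (off_byte >> 4) * 4
    flags = [name for bit, name in TCP_FLAG_BITS.items() if flag_byte & bit]
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": flags, "window": window, "payload": frame[t + hdr_len:]}
    return layers

if __name__ == "__main__":
    for layer, fields in dissect(SAMPLE_FRAME).items():
        print(layer, fields)
```

Wireshark performs the same walk for hundreds of protocols; the value of knowing the model is that when a dissector stops early (an unknown EtherType, an unsupported transport), you know which layer the missing information belongs to.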

Is packet sniffing one of the causes of a slow network?
The only time packet sniffing can cause a network to run slow is when it is placed improperly on a network. One of the most crucial parts of the packet sniffing process is placing your sniffer in an appropriate location on the network. Not only will this ensure you get the exact data you need, but it will also make absolutely certain that your presence on the network doesn't affect its performance. I devote a whole chapter of my book to analyzer placement.

How is sniffing wireless any different from sniffing any wired network traffic?
Wireless sniffing is a completely different animal from that of a wired network. You have to employ different strategies of analyzer placement, put extra consideration into wireless-specific things such as signal strength, and deal with all kinds of extra wireless management packets. It is usually a good idea to understand basic packet sniffing before moving into the realm of wireless sniffing. My book includes an entire chapter devoted to the particulars of wireless packet sniffing.

How can you prevent someone with a packet sniffer from hacking your network?
Unfortunately, hackers are always going to be one step ahead. There is no such thing as an unbreakable network, and if a hacker wants in badly enough, he will probably get in. The most a network admin can hope to do is take steps to prevent this type of thing from happening. This starts and ends with the most overlooked aspect of security: physical security. It is amazing how easily a stranger can walk into a company, plug a laptop into an empty port in a vacant room, and begin to sniff network secrets. The key here is to focus on your organization's front door as much as you do on its firewall doors.
