What packet sniffer would you recommend using, especially in a 50+ workstation environment? I am a fan of Wireshark but it's got quite a bit of security history. Is there something better?
It must be quite scary to have a network of such hostile workstations, hostile up to the point that they might craft packets that can exploit some vulnerabilities in network traffic analyzers ;-] – pQd Jun 15 '09 at 21:43
As unlikely as it is, it still could happen. – Terry Jun 15 '09 at 21:50
11 Answers
I use Wireshark on Windows all the time - with a SPAN session or similar, plus cunning use of capture/display filters, you can get it to tell you pretty much anything you need. And you can make pretty graphs for your boss, too. What did you mean by 'security history'?
I still use Wireshark, but do a quick lookup of Wireshark on Packetstorm – Terry Jun 15 '09 at 21:52
How is it that this is voted to the top when the question clearly states that he doesn't want the security issues associated with Wireshark? – Jim B Jun 17 '09 at 05:05
I haven't run into anything free that is better. My work is too cheap to pay for a sniffer when Wireshark is so good at what it does. Yes, it seems Wireshark has a new vuln against a decoder every other day or so, but that kind of thing happens when you're by far the top package in a field like this. Yes, I'd like them to update a bit more often. But the sheer utility of Wireshark makes me keep using it.
I don't use this stuff nearly as much as I used to, but I always liked Microsoft Network Monitor when I needed a free protocol analyzer to track down a problem. http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f
(Disclosure: My name is at the top of Wireshark's list of authors.)
Wireshark's security record is one of the very few aspects of the project that I've been unhappy with. The good news is that we have a talented team of developers and a solid architecture. One of the reasons you hear about Wireshark's security is that we actively look for flaws and report them. We're usually the first to discover them, and I try to push out updates and advisories as quickly as possible when they are found. The bad news is that eliminating every flaw in 1.7 million lines of code is Really Damn Hard.
Something to keep in mind if you're looking at a commercial analyzer: many of them use older versions of Wireshark (or Ethereal) as a back-end for decoding.
Get the Windows version of tcpdump and analyze the traces later with anything [including Wireshark] on a separate desktop box.
Or use a network switch with port mirroring, attach a Linux box [or, in the worst case, a virtual machine with Linux bridged to a separate Ethernet interface], and perform all sniffing on it.
Yes, tcpdump/windump is a great light tool if you just need to capture. – radius Jun 15 '09 at 22:22
I use Wireshark and would still recommend the same, but an alternative to pQd's suggestion of two-stepping the actual packet capture (presumably Windump) and analysis (Wireshark) would be using the updated first-party Microsoft Network Monitor or checking out the array of "WinPcap-based Tools and Programs" at the WinPcap site (the underlying support for many packet analyzers including WinDump and Wireshark). I've used "Analyzer" in the past.
If you know Python, scapy is great. Here is how to install it on Windows. You can use it to sniff traffic, and even craft packets. Conceptually it breaks everything down into OSI layers.
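pQd's answer above splits the job into capture (tcpdump/WinDump) and later analysis on a separate box, and the scapy answer is about breaking frames down by OSI layer. As an added example that is not from any answer in this thread, here is a small pure-Python reader for the classic pcap format that decodes a constructed capture into Ethernet, IPv4 and TCP/UDP layers and refuses to read past any length it cannot validate, which is exactly the property a decoder needs if the thread's worry about analyzer vulnerabilities is to be taken seriously. The sample capture is built inline by `build_sample_pcap()` (constructed data, not a real trace).

```python
import struct

def parse_pcap(data: bytes):
    """Yield (ts_sec, frame) records; every length is checked before it is used."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic, linktype = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:  # classic little-endian pcap, LINKTYPE_ETHERNET
        raise ValueError("unsupported pcap magic or link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")  # refuse, never over-read
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def decode_layers(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP/UDP, stopping at the first layer that does not fit."""
    layers = {}
    if len(frame) < 14:
        return layers
    layers["eth"] = {"type": struct.unpack_from("!H", frame, 12)[0]}
    if layers["eth"]["type"] != 0x0800 or len(frame) < 34:
        return layers  # not IPv4, or too short for a minimal IPv4 header
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return layers  # bogus header length: stop rather than guess
    layers["ip"] = {"src": ".".join(map(str, frame[26:30])),
                    "dst": ".".join(map(str, frame[30:34])), "proto": frame[23]}
    l4 = frame[14 + ihl:]
    if frame[23] == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        layers["tcp"] = {"sport": sport, "dport": dport, "flags": l4[13]}
    elif frame[23] == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        layers["udp"] = {"sport": sport, "dport": dport}
    return layers

def summarize(data: bytes) -> list:
    return [decode_layers(f) for _ts, f in parse_pcap(data)]

def build_sample_pcap() -> bytes:
    """Constructed sample capture: one TCP SYN, 10.0.0.5:40000 -> 10.0.0.1:443."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", 1245103200, 0, len(frame), len(frame)) + frame
```

To run it over a real trace captured with tcpdump on the mirror box, pass the file's bytes to `summarize()` instead of the constructed sample.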
I would agree with RainyRat, (that's an awesome username, BTW dude) and express my own incredulity with your anti-wireshark sentiments. (I also don't know of any security vulnerabilities in it either, and I use it quite a bit.) That being said, I'd love to know if there are any.
In the interim, there's always LanHound
If you have some bucks to spend, try Wildpacket's OmniPeek. It has enormous analysis features and decoders, session/flow based views, easy-to-build filters and great support for real NICs with hardware filtering.
I often use it for my daily work to analyze problems in chatty customer networks - you can drop some small linux-boxes with tcpdump and use them as remote-NIC for larger setups.
You can download a trial version and give it a shot.
The Netmon appliance from netmon.com (not affiliated with the Windows software) does a good job of capturing packets. It is also a full featured network monitoring tool.