Packet Capture
A protocol analyzer allows inspection of traffic received by a host or passing over a network link.
- depends on a packet sniffer
A packet sniffer records data from frames as they pass over network media.
- methods:
  - mirror port
  - tap device
Info
Sniffer and protocol analyzer are often used interchangeably
- but they may be implemented separately
- a software-based sniffer installed on a host simply interrogates the frames received by the network adapter, usually by installing a special driver
  - allows the frames:
    - to be read from the network stack
    - to be saved to a file on disk
- supports filters to reduce the amount of data captured
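A worked example of the last two points (frames saved to a file on disk, then filtered), added here and not part of the original notes: a minimal parser for the classic libpcap file format with a capture-style filter applied to it. The sample pcap bytes, MAC addresses, IP addresses and ports are constructed for the example.

```python
import struct
# Constructed sample data (not a real capture): a minimal classic pcap file, little-endian
# magic, LINKTYPE_ETHERNET, holding one TCP frame to port 443 and one UDP frame to port 53.
def _ipv4_frame(proto, src, dst, l4):
    eth = bytes.fromhex("001122334455 66778899aabb 0800")   # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(src), bytes(dst))               # header checksum left 0 (sample only)
    return eth + ip + l4

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # 24-byte global header
    for i, f in enumerate(frames):   # 16-byte record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out
TCP_443 = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)   # TCP SYN
UDP_53 = struct.pack("!HHHH", 40001, 53, 8, 0)
SAMPLE_PCAP = _pcap([_ipv4_frame(6, [10, 0, 0, 5], [192, 0, 2, 10], TCP_443),
                     _ipv4_frame(17, [10, 0, 0, 5], [10, 0, 0, 1], UDP_53)])
def read_pcap(data):
    """Yield (timestamp, frame_bytes) records from a little-endian classic pcap file."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Decode Ethernet II + IPv4 (+ TCP/UDP ports); return None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4   # IPv4 header length in bytes (options included)
    info = {"proto": frame[23], "src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34])), "sport": None, "dport": None}
    if info["proto"] in (6, 17) and len(frame) >= 14 + ihl + 4:   # TCP or UDP: ports come first
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return info
def filter_capture(data, proto=None, port=None):
    """Keep only frames matching a capture-style filter such as 'tcp port 443'."""
    hits = []
    for _ts, frame in read_pcap(data):
        p = parse_frame(frame)
        if p is None or (proto is not None and p["proto"] != proto):
            continue
        if port is None or port in (p["sport"], p["dport"]):
            hits.append(p)
    return hits
```

The same `read_pcap` works on a file written by a host-based sniffer (`open("capture.pcap", "rb").read()`), as long as it is in the classic little-endian pcap format rather than pcapng.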
Methods For Implementing Sniffers
- SPAN (switched port analyzer)/port mirroring
  - the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all other ports)
  - not completely reliable
    - frames with errors are not mirrored
    - frames may be dropped under heavy load
- Passive test access point (TAP)
  - is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port
  - there are types for copper and fiber optic cabling
  - no logic decisions are made
    - so the monitor port receives every frame, corrupt or not
  - unaffected by load
    - unlike SPAN
- Active TAP
  - is a powered device that performs signal regeneration
  - may be necessary in some circumstances
    - gigabit signaling over copper wire is too complex for a passive tap to monitor
    - some types of fiber links may be adversely affected by optical splitting
  - there are copper and fiber optic variants
  - because it performs an active function, it becomes a point of failure for the link in the event of power loss
- a TAP will usually output two streams to monitor a full-duplex link
  - one channel for upstream
  - one channel for downstream
- aggregation TAPs rebuild the streams into a single channel
  - can drop frames under very heavy load