Protocol Analyzer
A protocol analyzer is a utility that can parse the header fields and payloads of protocols in captured frames for display and analysis.
- aka packet analyzer
- works in conjunction with a sniffer
- can analyze:
  - live capture from sniffer
  - saved capture file
- usually bundle analyzer and sniffer in one
- functions:
  - parse each frame in a stream of traffic to reveal its header fields and payload contents in a readable format
  - perform traffic analysis
  - monitor statistics related to communications flows
    - e.g., bandwidth consumed by each protocol or host, identifying most active network hosts, monitoring link utilization and reliability, etc.
- analyzing protocol data at the frame or packet level helps:
  - identify protocol or service misconfigurations
Wireshark is an open source graphical packet capture and analysis utility.
- how it works
  - choose an interface to listen on
  - output is displayed in 3-pane window
    - top pane shows each frame
    - middle pane shows fields from selected frame
    - bottom pane shows raw data from the frame in hex and ASCII
  - can use display filters to filter frames
  - Follow > TCP Stream context command reconstructs the packet contents for a TCP session
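The three analyzer functions above (dissecting each frame into header fields and payload, per-protocol and per-host statistics, and reconstructing a TCP session the way Follow > TCP Stream does) in one added Python example. This is not Wireshark's code or any part of the tools listed on this page; it is a minimal dissector for Ethernet II / IPv4 / TCP / UDP built on the standard library. The frames in SAMPLE, the MAC and IP addresses, and the build_frame helper are all constructed here for illustration, and checksums are left zero because the parser does not verify them.

```python
# Minimal protocol analyzer (added example): dissect Ethernet II / IPv4 / TCP / UDP,
# tally bytes per protocol and per host, and reassemble one TCP conversation.
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_frame(frame: bytes) -> dict:
    """Dissect one frame into header fields plus payload (what the middle pane shows)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"length": len(frame), "eth_src": _mac(src), "eth_dst": _mac(dst),
            "ethertype": ethertype, "proto": "other"}
    if ethertype != ETHERTYPE_IPV4:
        return info                      # ARP, IPv6, ...: only Ethernet fields decoded here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _id, _frag, ttl, proto,
     _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or header length")
    info.update(ip_src=_ip(s), ip_dst=_ip(d), ttl=ttl, ip_proto=proto)
    l4 = ip[ihl:total_len]               # drop any Ethernet padding after the datagram
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport, seq, ack, off, flags, win, _c, _urg = struct.unpack("!HHIIBBHHH", l4[:20])
        doff = (off >> 4) * 4            # data offset is in 32-bit words
        info.update(proto="tcp", sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=flags, window=win, payload=l4[doff:])
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport, ulen, _c = struct.unpack("!HHHH", l4[:8])
        info.update(proto="udp", sport=sport, dport=dport, payload=l4[8:ulen])
    else:
        info.update(proto=f"ip-proto-{proto}", payload=l4)
    return info

def traffic_stats(frames):
    """Bytes per protocol and per IP host (sent + received): the flow statistics
    an analyzer reports to spot the busiest protocols and hosts."""
    by_proto, by_host = Counter(), Counter()
    for frame in frames:
        info = parse_frame(frame)
        by_proto[info["proto"]] += info["length"]
        for key in ("ip_src", "ip_dst"):
            if key in info:
                by_host[info[key]] += info["length"]
    return by_proto, by_host

def follow_tcp_stream(frames, client, server):
    """Reassemble both directions of one TCP conversation in sequence-number order,
    discarding retransmitted bytes; client and server are (ip, port) tuples."""
    segs = {"client_to_server": [], "server_to_client": []}
    for frame in frames:
        i = parse_frame(frame)
        if i["proto"] != "tcp":
            continue
        a, b = (i["ip_src"], i["sport"]), (i["ip_dst"], i["dport"])
        if (a, b) == (client, server):
            segs["client_to_server"].append((i["seq"], i["payload"]))
        elif (a, b) == (server, client):
            segs["server_to_client"].append((i["seq"], i["payload"]))
    streams = {}
    for direction, seglist in segs.items():
        data, expected = b"", None
        for seq, payload in sorted(seglist):
            if not payload:
                continue                 # pure ACKs carry no stream data
            if expected is None:
                expected = seq
            if seq < expected:           # retransmission/overlap: keep only the new bytes
                payload, seq = payload[expected - seq:], expected
            if seq > expected:           # hole (lost segment): stop at the gap
                break
            data += payload
            expected = seq + len(payload)
        streams[direction] = data
    return streams

def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"", seq=0):
    """Construct a test frame (constructed MACs, zero checksums, PSH|ACK for TCP)."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4

# Constructed capture: an HTTP-like exchange with one retransmitted segment, plus one UDP datagram.
SAMPLE = [
    build_frame("10.0.0.5", "10.0.0.80", IPPROTO_TCP, 40000, 80, b"GET / HTTP/1.0\r\n\r\n", seq=1000),
    build_frame("10.0.0.80", "10.0.0.5", IPPROTO_TCP, 80, 40000, b"HTTP/1.0 200 OK\r\n", seq=5000),
    build_frame("10.0.0.80", "10.0.0.5", IPPROTO_TCP, 80, 40000, b"HTTP/1.0 200 OK\r\n", seq=5000),
    build_frame("10.0.0.80", "10.0.0.5", IPPROTO_TCP, 80, 40000, b"\r\nhello", seq=5017),
    build_frame("10.0.0.5", "10.0.0.53", IPPROTO_UDP, 5353, 53, b"\x00\x01"),
]

if __name__ == "__main__":
    by_proto, by_host = traffic_stats(SAMPLE)
    print("bytes per protocol:", dict(by_proto))
    print("bytes per host:", dict(by_host))
    print(follow_tcp_stream(SAMPLE, ("10.0.0.5", 40000), ("10.0.0.80", 80)))
```

Running it shows the same views the notes describe: parse_frame is the field breakdown, traffic_stats is the per-protocol and per-host byte count, and follow_tcp_stream yields the reconstructed request and response with the duplicated server segment counted once. A real analyzer also validates checksums, handles IP fragmentation and TCP options, and keeps state across gaps rather than stopping at the first hole.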
Tools
- Wireshark
- NetworkMiner (netresec.com)
- NetWitness Investigator (netwitness.com)