Many of us know Wireshark as a free and powerful protocol analyzer that lets us capture and analyze traffic when and where we need to. Wireshark is especially flexible with its recent v2.0 release, which brought:
- A redesigned user interface
- Better correlation in TCP analysis across packets, e.g. when selecting an ACK packet, a checkmark appears next to the packet that is being acknowledged.
- A more detailed scroll bar, making it quick to find trouble spots within a capture
- Much simpler graph navigation (notice that we can now switch between graphs within the same window).
All of these are great reasons to run Wireshark; however, Wireshark works best in small doses. What if we need to step up our protocol analysis game and start capturing and analyzing hundreds of MBs or GBs of data? If you have tried to do this in the past with Wireshark, you probably know how difficult it is. That is where a few additional tools from Riverbed come in.
The NetShark appliance is a nifty appliance that hangs off the network and accepts packets at high speeds with no loss, storing them for analysis later. At first glance the appliance can appear simple and basic, which at some level it is: at the end of the day the physical NetShark appliance is a storage appliance with a very fancy NIC. However, in my experience with the NetShark, it is that level of simplicity which makes the device most useful and beneficial.
See the steps below for navigating the NetShark and creating a capture job:
To start using the device you simply create capture jobs (see above). Just as when capturing traffic with Wireshark, you can apply capture filters using BPF (Berkeley Packet Filter) syntax, giving you complete control over which traffic is captured. Keep in mind that a capture filter discards packets at capture time, so anything it excludes can never be recovered from the job afterwards; be conservative with filters on a job you may later need for an investigation. Paired with terabytes of storage, this makes the NetShark appliance a very important tool for any network professional who needs to perform packet analysis in high-performance environments.
Exporting packets from the NetShark is as easy as opening the capture job and exporting the packets you want; you can even export specific timeframes.
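To make the two ideas above concrete (a BPF-style filter deciding which frames are kept, and a timeframe export that carves a slice out of a much larger capture), here is an added example of the same operation done offline on a libpcap file with only the Python standard library. It is not Riverbed code and has nothing to do with how the NetShark implements its export; the capture it operates on is constructed inline, and the `tcp_dst_port` predicate stands in for a `tcp dst port 443` capture filter.

```python
"""Slice a libpcap file by time window and by a packet predicate.

Added example (not NetShark or Wireshark code). The sample capture below
is constructed in-memory so the script runs offline.
"""
import struct
from typing import Callable, Iterable, Iterator, Optional, Tuple

PCAP_MAGIC_US = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # libpcap variant with nanosecond timestamps
GLOBAL_HEADER_LEN = 24
LINKTYPE_ETHERNET = 1

Packet = Tuple[float, bytes]   # (timestamp in seconds, raw frame)


def read_pcap(data: bytes) -> Iterator[Packet]:
    """Yield (timestamp, frame) for every record, honouring file endianness."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = "<"
    if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        (magic,) = struct.unpack_from(">I", data, 0)
        endian = ">"
        if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            raise ValueError("not a libpcap file")
    frac_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    rec = struct.Struct(endian + "IIII")   # ts_sec, ts_frac, incl_len, orig_len
    off = GLOBAL_HEADER_LEN
    while off + rec.size <= len(data):
        sec, frac, incl_len, _orig_len = rec.unpack_from(data, off)
        off += rec.size
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:   # file cut mid-record (e.g. capture still writing)
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield sec + frac / frac_div, frame


def write_pcap(packets: Iterable[Packet], linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialize packets as a little-endian, microsecond-resolution pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def slice_pcap(data: bytes, start: float, end: float,
               keep: Optional[Callable[[bytes], bool]] = None) -> bytes:
    """Keep records with start <= ts < end that also satisfy keep(frame)."""
    selected = [(ts, f) for ts, f in read_pcap(data)
                if start <= ts < end and (keep is None or keep(f))]
    return write_pcap(selected)


def ipv4_l4_ports(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (ip_proto, src_port, dst_port) for Ethernet/IPv4 TCP or UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return proto, sport, dport


def tcp_dst_port(port: int) -> Callable[[bytes], bool]:
    """Predicate equivalent to the BPF capture filter 'tcp dst port <port>'."""
    def keep(frame: bytes) -> bool:
        p = ipv4_l4_ports(frame)
        return p is not None and p[0] == 6 and p[2] == port
    return keep


def make_frame(proto: int, sport: int, dport: int) -> bytes:
    """Constructed minimal Ethernet/IPv4/L4 frame (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = (bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, proto, 0, 0])
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return eth + ip + l4


BASE = 1_700_000_000   # constructed capture start time (epoch seconds)
SAMPLE_CAPTURE = write_pcap([
    (BASE + 0.10, make_frame(6, 50000, 443)),
    (BASE + 5.25, make_frame(6, 50001, 443)),
    (BASE + 5.50, make_frame(17, 50002, 53)),
    (BASE + 12.0, make_frame(6, 50003, 443)),
])


def demo() -> Tuple[int, int]:
    """Export seconds 5..10 of the capture, once unfiltered and once as TCP/443 only."""
    window = slice_pcap(SAMPLE_CAPTURE, BASE + 5, BASE + 10)
    https_only = slice_pcap(SAMPLE_CAPTURE, BASE + 5, BASE + 10, keep=tcp_dst_port(443))
    return sum(1 for _ in read_pcap(window)), sum(1 for _ in read_pcap(https_only))


if __name__ == "__main__":
    print(demo())   # (2, 1)
```

The reader streams records instead of loading a parsed packet list, which is the property that matters on multi-gigabyte files; only the records inside the window are materialized. Note that the slice is written with microsecond timestamps, so slicing a nanosecond-resolution capture with this code loses sub-microsecond precision.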
I imagine the next question you might have is, “Now that I have all these large packet files, how can I easily analyze them?” After all, Wireshark tends to struggle with large capture files; that is where the next tool comes in.
Think of SteelCentral Packet Analyzer as Wireshark on steroids. It is a commercial tool, also sold by Riverbed, that excels in many areas where Wireshark tends to fall short. To name a few:
- The ability to quickly filter through large pcap files that would stop Wireshark in its tracks.
- A host of protocol-specific filters, allowing you to analyze anything from Citrix to SQL
- Easy identification of hard-to-find problems by quickly filtering on timestamp information.
- Simple integration with SteelCentral NetShark, so you can slice packets live from the NetShark directly within the Packet Analyzer application.
The one qualm I have with Packet Analyzer is that there is still some reliance on Wireshark. Once you have filtered through the packets and found the area in question, you may still need to export the packets to Wireshark to see the raw packet data. However, it does show how closely knit the two applications are. One reason these applications are so closely tied is that the creator of Wireshark, Gerald Combs, is also employed by Riverbed, working on enterprise-level tools while continuing to support the open-source project.
For anyone who needs to perform protocol analysis in large environments, these tools will be instrumental to your success. While none of these tools is perfect and each has its own flaws, it is when we start pairing them up that they really start to shine.