Wireless Networking is a practical guide to planning and building low-cost telecommunications infrastructure.



Protocol Analyzers

Network protocol analyzers provide a great deal of detail about information flowing through a network, by allowing you to inspect individual packets. For wired networks, you can inspect packets at the data-link layer or above. For wireless networks, you can inspect information all the way down to individual 802.11 frames. Here are several popular (and free) network protocol analyzers:

  • Ethereal (www.ethereal.com). Ethereal is probably the most popular protocol analyzer available. It works with Linux, Windows, Mac OS X, and the various BSD systems. Ethereal will capture packets directly “from the wire” and display them in an intuitive graphical interface. It can decode over 750 different protocols, everything from 802.11 frames to HTTP packets. It will reassemble fragmented packets and follow entire TCP sessions easily, even if other data has broken up the sample. Ethereal is very valuable for troubleshooting tricky network problems, and figuring out exactly what is happening when two computers converse “on the wire”.

  • Kismet (www.kismetwireless.net). Kismet is a powerful wireless protocol analyzer for Linux, Mac OS X, and even the embedded OpenWRT Linux distribution. It works with any wireless card that supports passive monitor mode. In addition to basic network detection, Kismet will passively log all 802.11 frames to disk or to the network in standard PCAP format, for later analysis with tools like Ethereal. Kismet also features associated client information, AP hardware fingerprinting, Netstumbler detection, and GPS integration.

Since it is a passive network monitor, it can even detect “closed” wireless networks by analyzing traffic sent by wireless clients. You can run Kismet on several machines at once, and have them all report over the network back to a central user interface. This allows for wireless monitoring over a large area, such as a university or corporate campus. Since it uses the passive monitor mode, it does all of this without transmitting any data.

  • KisMAC (kismac.binaervarianz.de). Exclusively for the Mac OS X platform, KisMAC does much of what Kismet can do, but with a slick Mac OS X graphical interface. It is a passive scanner that will log data to disk in PCAP format compatible with Ethereal. It does not support passive scanning with AirportExtreme cards (due to limitations in the wireless driver), but it supports passive mode with a variety of USB wireless cards.

  • Driftnet and Etherpeg. These tools decode graphical data (such as GIF and JPEG files) and display them as a collage. As mentioned earlier, tools such as these are of limited use in troubleshooting problems, but are very valuable for demonstrating the insecurity of unencrypted protocols. Etherpeg is available from www.etherpeg.org, and Driftnet can be downloaded at www.ex-parrot.com/~chris/driftnet/.
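To make the Kismet workflow described above concrete (log raw 802.11 frames to a PCAP file, analyze them later), here is an added example that is not from the book or from the Kismet project. It builds a small PCAP of raw 802.11 frames in memory, then parses it the way a later analysis step would: it checks the pcap header and link type, decodes management frames, and shows how a beacon with an empty SSID element (a "closed" network) is nevertheless named by the SSID a client puts in its probe request. All frame contents and MAC addresses are constructed.

```python
import struct
LINKTYPE_IEEE802_11 = 105  # raw 802.11 frames, the link type Kismet writes in monitor mode
MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
BROADCAST = b"\xff" * 6

def build_pcap(frames, linktype=LINKTYPE_IEEE802_11):
    # Classic little-endian libpcap file: 24-byte global header, 16-byte record headers.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def mgmt_frame(subtype, src, dst, fixed, ssid):
    # 24-byte 802.11 header (type 0 = management), fixed fields, then one SSID element (tag 0).
    fc = struct.pack("<H", subtype << 4)
    return fc + b"\x00\x00" + dst + src + dst + b"\x00\x00" + fixed + bytes([0, len(ssid)]) + ssid

def decode_mgmt(frame):
    # Frame control: bits 2-3 type, bits 4-7 subtype. Only beacons and probes are decoded here.
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        return None
    # Beacons and probe responses carry 12 bytes of fixed fields before the tagged parameters.
    body, ssid, pos = frame[24 + (12 if subtype in (5, 8) else 0):], None, 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:  # SSID element; zero length means the AP is not announcing its name
            ssid = body[pos + 2:pos + 2 + length].decode(errors="replace")
            break
        pos += 2 + length
    return {"subtype": MGMT_SUBTYPES[subtype], "src": frame[10:16].hex(":"), "ssid": ssid, "hidden": ssid == ""}

def parse_pcap(data):
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap of raw 802.11 frames")
    offset, results = 24, []
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, offset)[2]
        info = decode_mgmt(data[offset + 16:offset + 16 + incl_len])
        offset += 16 + incl_len
        if info:
            results.append(info)
    return results

# Constructed capture (not a real trace): an AP beaconing a "closed" network with an empty
# SSID element, and a client probe request that names the network it is looking for.
SAMPLE_CAPTURE = build_pcap([
    mgmt_frame(8, bytes.fromhex("02aabbccdd01"), BROADCAST, b"\x00" * 12, b""),
    mgmt_frame(4, bytes.fromhex("021122334455"), BROADCAST, b"", b"campus-net"),
])
```

The same `parse_pcap` reads a file Kismet has written (open it in binary mode and pass the bytes), as long as the capture uses the raw 802.11 link type rather than a radiotap header.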



Last Update: 2007-01-24