Protocol Analyzer

Protocol analyzers (also called sniffers) are versatile tools for a variety of tasks:

  • Debugging network problems

  • Verifying proper operation of cryptographic protocols

  • Diagnosing flawed protocol implementations

  • Identifying unwanted traffic

  • Replaying of stored traffic for testing purposes

  • Reverse-engineering protocol implementations

  • Performing security checks

  • Identifying network background noise (broadcast protocols, NetBIOS, Appletalk)

If you ever find yourself confronted with learning or reverse-engineering an unknown or unfamiliar protocol, equip yourself with a sniffer, a hex editor, test gear, and any RFCs or standard documents you can find and start investigating the behavior of the protocol, the types of headers involved, the state transitions, and so on. This is really the best way of understanding the internals of protocols, and probably the most efficient as well. If available, you can also compare your observations with open source implementations and derive additional clues from the sources. When debugging a real-life problem, it is always a good approach to start from the bottom and work your way to the top of the stack in a structured manner.

Most UNIX systems come with tcpdump installed, which is a standard text-based protocol analyzer. Several graphical front ends and ancillary tools exist for tcpdump. By the way, Solaris provides the snoop utility for sniffing. Most people's tool of choice is the ethereal graphical protocol analyzer, which also provides a text-only version called tethereal (see Figure 6-7). The ngrep tool enables you to apply the functionality of the well-known UNIX grep utility to the network layer. It is a practical tool as well.

Figure 6-7. GUI of the Ethereal Sniffer

[View full size image]