Re: Difference between Protocol Analyzers -> Packet Sniffers
From: Joel Snyder (Joel.Snyder_at_Opus1.COM)
Date: 03/27/04
- Previous message: Vincent Bieri: "Re: Difference between Protocol Analyzers -> Packet Sniffers"
- In reply to: Eric Hines: "Difference between Protocol Analyzers -> Packet Sniffers"
- Next in thread: Seymour, Keith E.: "RE: Difference between Protocol Analyzers -> Packet Sniffers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 27 Mar 2004 09:19:34 -0700
To: Eric Hines <eric.hines@appliedwatch.com>
Well, it's a pretty simple point and I think you've pretty much hit the
nail on the head. The problem, of course, is that "Sniffer" is a
registered trademark of NAI for a very very good protocol analyzer. So
when you throw the word "sniffer" in, you're not only confusing the
issue, but also bringing in people's past experience with Sniffer, the
product.
I guess I don't know why it's important to make the distinction with a
term. Each product is what it is. If you really want to make a
distinction, then you should differentiate between packet CAPTURE and
protocol ANALYSIS. Things like tcpdump used to be very very very simple
protocol analyzers; they are actually good enough for a great deal of
debugging. But they don't really break out protocols above layer 4.
The same thing is true of Snort---you can use it as a perfectly good
packet CAPTURE tool, but it's not really a protocol analyzer unless you
come at it from the IDS side of the house.
However, many of the protocol analyzer companies (WildPackets, the old
AG Group, comes to mind) sell you the analyzer but give you the capture
tool. The idea is that you can have lots of capture things going on,
but the protocol analysis is what happens later on. RMON probes fall
into that category.
You'll probably get no argument if you differentiate that way: capture,
versus analysis. You can draw a spectrum from a pure-capture tool that
doesn't even show you packets through things like tcpdump towards better
products like EtherPeek and Ethereal all the way to more general purpose
tools (i.e., not just Ethernet; not just IP) like the Sniffer.
Then, you can go one step FURTHER into "network" analysis, beyond just
protocol analysis, where you use this information to analyze the whole
network: usage patterns, etc. Most of the protocol analyzers also offer
some (or a lot) of network analysis features in them. Other tools drop
out the protocol analysis and concentrate only on network
analysis---things like Lancope's StealthWatch fall into that category,
as do many of the SLA tools.
At the same time, there's a branch of tools which are more specialized,
things like protocol-specific products. You get super-specialized tools
like AirMagnet, the best wireless network analyzer (which is a pretty
poor protocol analyzer) in that category; there are also VoIP-specific
things that come to mind.
I have also for many years claimed that IDS is itself a specialization
of the protocol and network analyzer tool kit. An IDS is really a
"security-specific" protocol/network analyzer; it has a huge amount in
common with protocol analyzers. In fact, it's a bit surprising that the
protocol analyzer teams haven't started selling their products as IDS
more heavily... "An IDS is a really really good protocol analyzer with
lots of sophisticated triggers."
So you could draw a nice branching tree. Or maybe do it on two axes and
make "magic quadrants" like Gartner.
In the end, it's a question of "what do you need this tool to do?"
Or maybe it's "where do you want to go today?" I can't remember;
haven't had my morning coffee.
jms
Eric Hines wrote:
> All,
>
> Once upon a time I had a pretty heated argument between myself and another
> individual on the topic of distinction between protocol analyzers and packet
> sniffers, and that they are not one in the same.
>
> Can anyone provide me some good points on supporting this argument. E.g.
> Ethereal is a protocol analyzer and Tcpdump is not...
>
> I've only been able to articulate that Protocol Analyzers can conduct protocol
> decoding, whereas Tcpdump can not... Ethereal can provide information on the
> different fields of the HTTP header and SSL fields.... stuff like that.. Anyone
> care to jump in here and provide more meat to this argument than this?
>
> BRDS,
> Eric Hines, GCIA
> CEO, President
> Applied Watch Technologies, Inc.
>
>
> -------------------------------------------
> Eric Hines, GCIA
> CEO, Chairman
> Applied Watch Technologies, Inc.
> web: http://www.appliedwatch.com
> email: eric.hines@appliedwatch.com
> -------------------------------------------
> Direct: (877) 262-7593 - Toll Free x327
> Fax: (815) 425-2173
> General: (877) 262-7593 (9am-5pm CST)
> -------------------------------------------
>
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms@Opus1.COM http://www.opus1.com/jms Opus One
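The capture-versus-analysis split that Joel draws above is easiest to see in code. The following is an added example written for this page, not code from the list thread or from any of the products named in it: it builds a constructed Ethernet/IPv4/TCP frame carrying an HTTP request (with checksums left at zero, since nothing here verifies them), decodes only the layer 2 to layer 4 headers the way a tcpdump-style summary would, and then separately decodes the layer 7 payload the way a protocol analyzer does. All function names and the sample addresses are assumptions made for the example.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP / HTTP GET.
def build_sample_frame():
    http = (b"GET /index.html HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"User-Agent: demo\r\n\r\n")
    # TCP: sport 40000, dport 80, seq 1, ack 1, data offset 5 words, flags PSH|ACK,
    # window 65535, checksum 0 (constructed, not computed), urgent pointer 0.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    # IPv4: version 4 / IHL 5, TOS 0, total length, id, DF flag, TTL 64, proto 6 (TCP),
    # checksum 0 (constructed), src 192.0.2.10, dst 198.51.100.7 (documentation ranges).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + http

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode_capture_view(frame):
    """Capture-tool view: decode headers up to layer 4 and hand back the raw payload.
    This is roughly what a tcpdump one-liner tells you; it says nothing about what
    the payload means."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    view = {"eth_src": frame[6:12].hex(":"), "eth_dst": frame[:6].hex(":"),
            "ethertype": ethertype}
    if ethertype != 0x0800:          # only IPv4 is handled in this example
        view["payload"] = frame[14:]
        return view
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _ff, ttl, proto,
     _csum, saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    view.update({"ip_src": ".".join(str(b) for b in saddr),
                 "ip_dst": ".".join(str(b) for b in daddr),
                 "ttl": ttl, "proto": proto})
    if proto != 6:                   # not TCP: stop at layer 3
        view["payload"] = ip[ihl:total_len]
        return view
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_res, flags,
     win, _csum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    view.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                 "flags": [n for bit, n in TCP_FLAG_NAMES if flags & bit],
                 "window": win, "payload": tcp[doff:]})
    return view

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS")

def decode_http(payload):
    """Analyzer view: break the layer 7 payload into fields. Returns None when the
    payload is not a complete HTTP request head, which is the honest answer for an
    empty segment, a mid-stream fragment, or a non-HTTP protocol on port 80."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().decode("ascii")] = value.strip().decode("ascii", "replace")
    return {"method": parts[0].decode(), "path": parts[1].decode(),
            "version": parts[2].decode(), "headers": headers}

def analyze_frame(frame):
    """Full pipeline: capture view first, then protocol decode of whatever payload
    the capture view exposed."""
    view = decode_capture_view(frame)
    view["http"] = decode_http(view["payload"]) if view.get("dport") == 80 else None
    return view

if __name__ == "__main__":
    result = analyze_frame(build_sample_frame())
    print("L2-L4:", {k: v for k, v in result.items() if k not in ("payload", "http")})
    print("L7:   ", result["http"])
```

The point the split makes: `decode_capture_view` is satisfied with "192.0.2.10:40000 > 198.51.100.7:80 [PSH, ACK]" and a blob of bytes, while `decode_http` is what turns that blob into a method, a path and a Host header. Feeding the same frame with a truncated or non-HTTP payload keeps the capture view intact and simply makes the layer 7 decode return None, which is the difference between capturing a packet and understanding it.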