Protocol analyser (packet sniffer) types and uses

Protocol analyser (packet sniffer)

A packet analyzer or packet sniffer is a computer program, or a piece of hardware such as a packet capture appliance, that can intercept and log traffic passing over a computer network or part of one. Packet capture is the process of intercepting and logging that traffic. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of its various fields, and analyzes its content according to the appropriate RFC or other specification. A packet analyzer used for intercepting traffic on wireless networks is known as a wireless analyzer or WiFi analyzer. A packet analyzer can also be referred to as a network analyzer or protocol analyzer, though these terms also have other meanings.

A packet sniffer, also known as a packet analyzer or protocol analyzer, is a piece of hardware or software used to monitor network traffic. Sniffers work by examining the streams of data packets that flow between computers on a network, and between networked computers and the larger Internet. These packets are intended for and addressed to specific machines, but running a packet sniffer in "promiscuous mode" lets IT professionals, end users or malicious intruders examine any packet regardless of its destination. Sniffers can be configured in two ways. The first is "unfiltered": they capture every packet they can and write the packets to a local hard drive for later examination. The second is "filtered": the analyzer captures only packets that contain specific data elements.

Packet sniffers can be used on both wired and wireless networks; their effectiveness depends on how much traffic they are able to "see", which is determined by the network's security protocols and topology. On a wired network, a sniffer might have access to the packets of every connected machine, or it may be limited by the placement of network switches, which forward frames only towards the port of the addressed host. On a wireless network, most sniffers can scan only one channel at a time, but the use of multiple wireless interfaces can expand this capability.
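The decode-and-filter step described above, as an added example that is not part of the original article: it builds three constructed Ethernet II/IPv4/TCP frames (not a real capture), decodes the header fields an analyzer would display, verifies the IPv4 header checksum, and shows an unfiltered capture beside a filter on destination port 80. The function names, MAC addresses and sample IP addresses are assumptions chosen for illustration.

```python
import struct
from ipaddress import IPv4Address

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; a header with a valid checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed test frame, not a real capture: Ethernet II + IPv4 + TCP (PSH|ACK)."""
    eth = bytes.fromhex("001122334455" "0066778899aa") + b"\x08\x00"   # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]    # fill in header checksum
    return eth + ip + tcp

def decode_frame(frame: bytes):
    """Decode the fields an analyzer would display; None for anything but IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":                # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                                     # IP protocol must be TCP
        return None
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "ttl": ip[8], "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
            "sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF,
            "payload": tcp[(off_flags >> 12) * 4:]}                   # data offset is in 32-bit words

def capture(frames, dst_port=None):
    """Unfiltered mode keeps every decodable frame; filtered mode keeps only one destination port."""
    decoded = [d for d in map(decode_frame, frames) if d is not None]
    return decoded if dst_port is None else [d for d in decoded if d["dport"] == dst_port]

# Constructed sample traffic (private and RFC 5737 addresses) as a promiscuous-mode capture sees it
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "203.0.113.10", 51000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 51001, 443, b"\x16\x03\x01"),        # start of a TLS record
    build_frame("10.0.0.7", "10.0.0.1", 51002, 80, b"POST /login HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for p in capture(SAMPLE_FRAMES, dst_port=80):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} ttl={p['ttl']} {p['payload'][:16]!r}")
```

The port-80 filter keeps the two plaintext HTTP frames and drops the TLS one, which is the same distinction between readable and encrypted traffic the text draws.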

Prevalence and Risk Factors

Using a sniffer, it is possible to capture almost any information: for example, which websites a user visits, what is viewed on those sites, and the contents and destination of any email, along with details of any downloaded files. Protocol analyzers are often used by companies to keep track of network use by employees, and they are also part of many reputable antivirus software packages. Outward-facing sniffers scan incoming network traffic for specific elements of malicious code, helping to prevent computer virus infections and limit the spread of malware.

It is worth noting, however, that these analyzers can also be used for malicious purposes. If a user is convinced to download malware-laden email attachments or infected files from a website, an unauthorized packet sniffer can end up installed on a corporate network. Once in place, the packet sniffer can record any data transmitted and send it to a command and control (C&C) server for further analysis. Attackers can then attempt packet injection or man-in-the-middle attacks, and compromise any data that was not encrypted before being sent.

Proper use of packet sniffers can help clean up network traffic and limit malware infections; to protect against malicious use, however, intelligent security software is required.

Protocol analyzers

Protocol analyzers work by capturing the data that crosses a communication bus in an embedded system. With the help of protocol analyzers, engineers and developers can design, debug and test their designs through the entire development life-cycle of a hardware product. A protocol analyzer is intended for use with a specific serial or parallel bus architecture. Quite often, these devices are also known as bus analyzers or network analyzers. They can also be used for analyzing network traffic on LAN, PAN and even wireless networks. With the help of protocol analyzers, you can monitor bus data continuously and decode it. The captured data can then be interpreted to generate actionable reports and display useful information to the embedded engineer.

What does a protocol analyzer look like?

Protocol analyzers come in the form of dedicated hardware that can be connected to an embedded device. However, to interpret the data captured by the hardware, you need a user interface that displays the bus data in a human-readable form. So, in a nutshell, a protocol analyzer is a combination of dedicated hardware and software working in tandem: the hardware captures the data, and the software displays the captured data. But not all interfaces are the same. Some only display the captured data, while others allow you to search, define filters, identify patterns and decode, in real time.

Types of Network Protocols

USB Protocol

The USB protocol is by far the most common communication protocol in the consumer market today. Anyone with a computer, cell phone or tablet has used the USB protocol, knowingly or unknowingly, in the form of flash drives, data cards, USB cables, chargers, etc. USB stands for Universal Serial Bus. As the name suggests, the USB protocol transmits data serially, one bit after another. USB is essentially a polled bus in which all data transmissions are initiated by the host.

CAN Protocol

The CAN (Controller Area Network) Protocol is used to facilitate communication between microcontrollers and associated devices in an embedded environment. It is particularly helpful in scenarios where a host computer is not present.

I2C Protocol

The I2C protocol has been around for over four decades, and even today it enjoys a considerable amount of popularity. I2C, also written I²C or IIC, stands for Inter-Integrated Circuit. You can use I2C to establish short-distance communication between two ICs located on the same circuit board. I2C protocol's major unique selling proposition lies in its simple design, adaptable features, superior chip addressing and a robust error handling mechanism. However, I2C is also marred by drawbacks such as slow transfer rates and the amount of real estate it takes up on the circuit board.
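As an added example that is not part of the original article: a small decoder for the I2C signalling just described, working on a constructed stream of (SCL, SDA) line samples the way a logic-analyzer style protocol analyzer would. It recovers START and STOP conditions, the 7-bit address with its read/write bit, the data bytes and the per-byte ACK/NACK, so an addressed device that never answers shows up as a NACK; the trace generator, function names and device addresses are assumptions for illustration.

```python
def i2c_write_trace(addr7, data, device_present=True):
    """Constructed (SCL, SDA) samples for one I2C write; not captured from real hardware."""
    t = [(1, 1), (1, 0), (0, 0)]                  # idle, START (SDA falls while SCL high), SCL low
    frames = [(addr7 << 1) | 0] + (list(data) if device_present else [])   # R/W bit 0 = write
    for byte in frames:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            t += [(0, bit), (1, bit), (0, bit)]   # SDA set while SCL low, valid while SCL high
        ack = 0 if device_present else 1          # ACK: device pulls SDA low; NACK: SDA left high
        t += [(0, ack), (1, ack), (0, ack)]
    t += [(0, 0), (1, 0), (1, 1)]                 # STOP: SDA rises while SCL high
    return t

def decode_i2c(samples):
    """Edge-driven decoder: one dict per transaction with address, direction, data and ACK bits."""
    txns, cur, bits = [], None, []
    prev_scl, prev_sda = samples[0]
    for scl, sda in samples[1:]:
        if scl and prev_scl:                          # SCL high: SDA edges are bus conditions
            if prev_sda and not sda:                  # START; a repeated START closes the previous one
                if cur is not None:
                    txns.append(cur)
                cur, bits = {"address": None, "write": None, "data": [], "ack": []}, []
            elif not prev_sda and sda and cur is not None:   # STOP
                txns.append(cur)
                cur, bits = None, []
        elif scl and not prev_scl and cur is not None:       # SCL rising edge: sample one bit
            bits.append(sda)
            if len(bits) == 9:                        # 8 data bits plus the receiver's ACK/NACK
                value = int("".join(map(str, bits[:8])), 2)
                if cur["address"] is None:            # first byte carries 7-bit address + R/W
                    cur["address"], cur["write"] = value >> 1, (value & 1) == 0
                else:
                    cur["data"].append(value)
                cur["ack"].append(bits[8] == 0)
                bits = []
        prev_scl, prev_sda = scl, sda
    return txns

# Constructed bus activity: a two-byte write to 0x50 that is acknowledged, followed by a write to
# 0x3C where no device answers, which an analyzer reports as a NACK on the address byte.
SAMPLE_TRACE = (i2c_write_trace(0x50, [0x10, 0xAB])
                + i2c_write_trace(0x3C, [0x01], device_present=False))

if __name__ == "__main__":
    for t in decode_i2c(SAMPLE_TRACE):
        print(f"addr=0x{t['address']:02x} write={t['write']} data={t['data']} ack={t['ack']}")
```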

SPI protocol

Similar to I2C, SPI (Serial Peripheral Interface) is also used for short-distance communication in embedded systems. It is a serial communication protocol that operates in full-duplex mode using a master-slave architecture. You can connect multiple slave devices through the SPI protocol. However, keep in mind that SPI supports a single master device only.

eSPI Protocol

The eSPI (Enhanced Serial Peripheral Interface) bus, developed by Intel, is essentially an SPI bus with fewer pins. The working voltage of the eSPI bus has also been set at a low 1.8 V to support newer manufacturing processes.

Uses

  • Analyze network problems
  • Detect network intrusion attempts
  • Detect network misuse by internal and external users
  • Documenting regulatory compliance through logging all perimeter and endpoint traffic
  • Gain information for effecting a network intrusion
  • Aid in gathering information to isolate exploited systems
  • Monitor WAN bandwidth utilization
  • Monitor network usage (including internal and external users and systems)
  • Monitor data in transit
  • Monitor WAN and endpoint security status
  • Gather and report network statistics
  • Identify suspect content in network traffic
  • Troubleshoot performance problems by monitoring network data from an application
  • Serve as the primary data source for day-to-day network monitoring and management
  • Spy on other network users and collect sensitive information such as login details or users' cookies (depending on any content encryption methods that may be in use)
  • Reverse engineer proprietary protocols used over the network
  • Debug client/server communications
  • Debug network protocol implementations
  • Verify adds, moves, and changes
  • Verify internal control system effectiveness (firewalls, access control, Web filter, spam filter, proxy)
