Packet analyzer: Difference between revisions

A packet analyzer used for intercepting traffic on wireless networks is known as a '''wireless analyzer''' or '''WiFi analyzer'''. While a packet analyzer can also be referred to as a [[Network analyzer (disambiguation)|network analyzer]] or [[protocol analyzer]] these terms can also have other meanings. Protocol analyzer can technically be a broader, more general class that includes packet analyzers/sniffers.<ref>{{cite journal |last1=Sikos |first1=Leslie F. |title=Packet analysis for network forensics: A comprehensive survey |journal=Forensic Science International: Digital Investigation |date=2020 |volume=32 |page=200892 |doi=10.1016/j.fsidi.2019.200892 |s2cid=212863330 |issn=2666-2817 |quote=Those protocol analyzers that are designed for packet analysis are called packet analyzers (packet sniffers, sometimes network analyzers).|doi-access=free }}</ref> However, the terms are frequently used interchangeably.<ref>{{cite book |last1=Poulton |first1=Don |title=MCTS 70-642 Cert Guide: Windows Server 2008 Network Infrastructure, Configuring |date=2012 |publisher=Pearson Education |isbn=978-0-13-280216-1 |url=https://books.google.com/books?id=VQuWAAAAQBAJ&pg=PT1267 |quote=protocol analyzer. Also known as a network analyzer or packet analyzer, a protocol analyzer is a hardware device or software program that enables you to capture, store, and analyze each packet that crosses your network}}</ref>

On wired [[shared-medium networksnetwork]]s, such as [[Ethernet]], [[Token Ring]], and [[FDDI]], depending on the network structure ([[Ethernet hub|hub]] or [[network switch|switch]]),<ref>{{Cite web |title = Network Segment Definition |url = http://www.linfo.org/network_segment.html |website = www.linfo.org |access-date = January 14, 2016}}</ref>{{efn|Some methods avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g., [[ARP spoofing]]).}} it may be possible to capture all traffic on the network from a single machine. On modern networks, traffic can be captured using a network switch using [[port mirroring]], which mirrors all packets that pass through designated ports of the switch to another port, if the switch supports port mirroring. A [[network tap]] is an even more reliable solution than to use a monitoring port since taps are less likely to drop packets during high traffic load.

On [[wireless LANsLAN]]s, traffic can be captured on one channel at a time, or by using multiple adapters, on several channels simultaneously.

On wired broadcast and wireless LANs, to capture [[unicast]] traffic between other machines, the [[network adapter]] capturing the traffic must be in [[promiscuous mode]]. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the [[Service set (802.11 network)|service set]] the adapter is configured for are usually ignored. To see those packets, the adapter must be in [[monitor mode]].{{Citation needed|date=January 2012}} No special provisions are required to capture [[multicast]] traffic to a multicast group the packet analyzer is already monitoring, or [[Broadcasting (networking)|broadcast]] traffic.

When traffic is captured, either the entire contents of packets or just the headers[[header (computing)|header]]s are recorded. Recording just headers reduces storage requirements, and avoids some [[Privacy law|privacy legal issues]], yet often provides sufficient information to diagnose problems.

Captured information is decoded from raw digital form into a [[human-readable format]] that lets engineers review exchanged information. Protocol analyzers vary in their abilities to display and analyze data.

Some protocol analyzers can also generate traffic. These can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test the [[device under test]]'s ability to handle errors.{{Citation needed|date=January 2012}}