Network Protocol Analyzers

Columns: SNo / Tool / Tool Description / Open Source? / Platform / Functions

1 / Nessus / The premier open source vulnerability assessment tool / Yes / Windows, *NIX / Nessus is plug-in-based, has a GTK interface, and performs over 1200 remote security checks. It allows reports to be generated in HTML, XML, etc. If a host runs the same service twice or more, Nessus will test all of them.

2 / Nmap / Network Mapper / Yes / Windows, *NIX, Mac OS X, more / Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available.

3 / Ethereal / Network protocol analyzer / Yes / Windows, *NIX / It allows you to examine data from a live network or from a capture file on disk, and you can interactively browse the capture data, viewing a summary for each packet. It includes a rich display filter language and the ability to view the reconstructed stream of a TCP session.

4 / GFI LANguard / Network security scanner / No / Windows / GFI LANguard automatically detects security vulnerabilities on your network. It scans your entire network, IP by IP, and provides information such as the service pack level of the machine, missing security patches, wireless access points, USB devices, open ports, services/applications active on the computer, key registry entries, weak passwords and more. It is also a complete patch management solution.

5 / Tcpdump, WinDump / The classic sniffer for network monitoring and data acquisition. / Yes / Windows, *NIX / It can be used to print out the headers of packets on a network interface that match a given expression. You can use this tool to track down network problems or to monitor network activity. Tcpdump is a well-known text-based network packet analyzer.

6 / EtherPeek / Ethernet network traffic and protocol analyzer / No / Windows / If TCP/IP sessions are "hanging," EtherPeek can show you which system sent the last packet and which system failed to respond. If you are experiencing slow screen updates, EtherPeek can display delta time stamps and show which system is waiting for packets and which system is slow to respond.

7 / Retina / Commercial vulnerability assessment scanner / No / Windows / Retina discovers networked devices, through wired and wireless connections, and will identify which operating systems, applications, databases and wireless access points are present. Any unauthorized applications, such as P2P or malware, will be detected and identified.

8 / Netcat / The network Swiss Army knife / No / Windows, *NIX / A simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol.

9 / Cheops / Network user interface, designed to be the network equivalent of a Swiss Army knife, unifying your network utilities. / Yes / Linux / Cheops organizes the network into a map that shows the routes taken to reach each area of your network, detects the OS running on each system, and has a generalized TCP port scanner.

10 / Cheops-ng / Next generation Cheops, the network Swiss Army knife. / Yes / Linux /
  1. Network management tool for mapping and monitoring your network
  2. Host/network discovery functionality as well as OS detection of hosts
  3. For some services, cheops-ng is able to see what program is running for a service and the version number of that program

11 / Dsniff / A collection of tools for network auditing and penetration testing. / Yes / Windows, *NIX / dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy are the tools used to monitor a network for interesting data. arpspoof, dnsspoof and macof facilitate the interception of network traffic.

12 / SARA / Security Auditor's Research Assistant, the third generation network security analysis tool / No / Windows, *NIX, Mac OS X / Advanced Research's philosophy relies heavily on software re-use. Rather than inventing a new module, SARA is adapted to interface with other community products. For instance, SARA interfaces with the popular Nmap package for superior operating system fingerprinting. SARA also provides a transparent interface to Samba for SMB security analysis.

13 / Ettercap / Network sniffer/interceptor for Ethernet LANs. / Yes / Windows, *NIX, Mac OS X / Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.

14 / Sam Spade / Freeware Windows network query tool / No / Windows NT, 98, 2000 / Sam Spade was designed with tracking down spammers in mind. It is also useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, etc.

15 / EtherApe bind/index.php/ / Graphical network monitor for Unix / Yes / *NIX /
  • The user may select what level of the protocol stack to concentrate on.
  • You may either look at traffic within your network, end-to-end IP, or even port-to-port TCP.
  • Data can be captured "off the wire" from a live network connection, or read from a tcpdump capture file.
  • Live data can be read from Ethernet, FDDI, PPP and SLIP interfaces.

16 / Hping2 / A network probing utility, like ping on steroids / Yes / *NIX / Hping2 assembles and sends custom ICMP/UDP/TCP packets and displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful for firewall testing, remote OS fingerprinting, TCP/IP stack auditing and advanced port scanning.

17 / SuperScan / Powerful TCP port scanner, pinger, resolver. / No / Windows / Support for unlimited IP ranges, TCP SYN scanning, UDP scanning (two methods), source port scanning, a selection of useful tools (ping, traceroute, whois, etc.) and extensive Windows host enumeration capability.

18 / Fragroute / IDS systems' worst nightmare / Yes / Windows, Linux, BSDs / Fragroute intercepts, modifies, and rewrites egress traffic, implementing most of the attacks described in the Secure Networks IDS evasion paper.

19 / SAINT / Security Administrator's Integrated Network Tool / No / *NIX / SAINT detects and fixes possible weaknesses in the network's security before they can be exploited by intruders, anticipating and preventing common system vulnerabilities. The SAINTwriter software allows network administrators to design and generate vulnerability assessment reports quickly and easily.

20 / Fport / Foundstone's enhanced netstat / (not listed) / Windows / Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same as the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

21 / Tcptraceroute / Traceroute implementation using TCP packets. / Yes / Linux / By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.

22 / IPTraf / IP network monitoring software / Yes / Linux / Gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.

23 / Ntop / A network traffic usage monitor / No / Windows, *NIX / Ntop shows network usage. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.

24 / SolarWinds Tool Sets / A plethora of network discovery, monitoring and attack tools / No / Windows / SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security-related tools include many network discovery scanners and an SNMP brute-force cracker.

25 / Ngrep / A pcap-aware tool / Yes / Windows, *NIX / Ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against the data payloads of packets. It currently recognizes TCP, UDP, ICMP, IGMP and raw protocols across Ethernet, PPP, SLIP, FDDI, Token Ring and 802.11, and understands BPF filter logic in the same fashion as more common packet sniffing tools such as tcpdump and snoop.

26 / Snort / A free intrusion detection system (IDS) / Yes / Windows, *NIX / Snort is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, etc.

27 / Arpwatch / Ethernet monitor program. / Yes / Windows, Linux / Written in C. Keeps track of Ethernet/IP address pairings and can detect certain monkey business.

28 / Tcpreplay / Provides the ability to use previously captured traffic in libpcap format to test a variety of network devices / Yes / *NIX /
  • tcpprep - multi-pass pcap file pre-processor which classifies packets as client or server and creates cache files used by tcpreplay and tcprewrite.
  • tcprewrite - pcap file editor which rewrites TCP/IP and Layer 2 packet headers
  • tcpreplay - replays pcap files at arbitrary speeds onto the network
  • tcpbridge - bridges two network segments with the power of tcprewrite

29 / Netfilter / Kernel packet filter/firewall / Yes / Linux / Netfilter is a powerful packet filter which is implemented in the standard Linux kernel. The userspace iptables tool is used for configuration. It now supports packet filtering and packet mangling. Netfilter allows kernel modules to register callback functions with the network stack.

30 / Firewalk / Advanced traceroute / Yes / *NIX / Firewalk employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. It is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway.

31 / Hunt / An advanced packet sniffing and connection intrusion tool / No / Linux / Hunt can watch TCP connections, intrude into them, or reset them. Hunt is meant to be used on Ethernet, and has active mechanisms to sniff switched connections. Advanced features include selective ARP relaying and connection synchronization after attacks.

32 / Fragroute / IDS systems' worst nightmare / Yes / Windows, *NIX / Fragroute intercepts, modifies, and rewrites egress traffic. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host. This tool was written to test intrusion detection systems, firewalls, and basic TCP/IP stack behaviour.

33 / KSniffer / A network statistics collector, i.e., a sniffer / (not listed) / (not listed) / Ksniffer allows a user to watch all network traffic over any network interface connected to a host machine. It supports most TCP/IP protocols and collects the number of packets as well as the number of bytes for each protocol. Activity is displayed in terms of protocol, bytes/protocol, kbits/sec, packets/sec, etc.

34 / Shadow Network Spy / An ICQ sniffer / (not listed) / (not listed) / ICQ Sniffer is a handy network utility to capture and log ICQ chat from computers within the same LAN. It supports messaging through the ICQ server in plain text, RTF, or HTML format. It is easy to run Shadow Network Spy on any computer on your network: click the start button to capture, and it will record any conversation from any PC within the same LAN.

35 / Pf pf.html / The innovative packet filter in OpenBSD / Yes / OpenBSD, NetBSD, FreeBSD / Filters network packets.

36 / Network Security Scanner / Network vulnerability scanner / No / All /
  • Scans servers built on practically any platform.
  • Because of a fully open (ActiveX-based) architecture, any professional with knowledge of VC++, C++ Builder or Delphi may easily expand the capabilities of the Scanner.
  • Detailed scan session log in HTML, XML, PDF, RTF and CHM (compiled HTML) formats.

37 / Fping / A parallel ping scanning program. / Yes / Linux /
  • Instead of trying one host until it times out or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit, it will be considered unreachable.
  • Can be used in scripts, and the output is easy to parse.

38 / TCP Wrappers ftp://ftp.porcupine.org/pub/security/index.html / A classic IP-based access control and logging mechanism / Yes / Solaris, BSD / Can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.

39 / Paketto Keiretsu / Extreme TCP/IP / No / Linux, BSD / The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. They tap functionality within existing infrastructure and stretch protocols beyond what they were originally intended for.

40 / Stunnel / Allows you to encrypt arbitrary TCP connections inside SSL / Yes / Windows, *NIX / Stunnel can allow you to secure non-SSL-aware daemons and protocols (like POP, IMAP, LDAP, etc.) by having Stunnel provide the encryption, requiring no changes to the daemon's code.

41 / Honeyd / Your own personal honeynet. / Yes / Windows, Linux, BSD / A small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. It is also possible to proxy services to another machine rather than simulating them.