Packet Sniffer – A Comparative Study


International Journal of Computer Networks and Communications Security
Vol. 2, No. 5, May 2014, 179–187
Available online at: www.ijcncs.org
ISSN 2308-9830

Packet Sniffer – A Comparative Study

Dr. Charu Gandhi (1), Gaurav Suri (2), Rishi P. Golyan (3), Pupul Saxena (4), Bhavya K. Saxena (5)
1 Assistant Professor, Department of Computer Science, JIIT, Noida-201307
2, 3, 4, 5 Student, Department of Computer Science, JIIT, Noida-201307
E-mail: 1 charu.kumar@jiit.ac.in, 2 gaurav.jiit128@gmail.com, 3 , 5 bhavya.jiit128@gmail.com

ABSTRACT

A packet sniffer is a tool which captures all the packets on the network irrespective of the final destination of the packet. A packet sniffer can be used to monitor bottlenecks in the network, to signal irregular behaviour in the network, and to capture passwords and VoIP from any system in that network. This paper gives a brief introduction to what a packet sniffer is, its structure and how it works. Then the key features of the top packet sniffing tools (i.e. Wireshark, TCPdump and Colasoft Capsa) are discussed. Further, the above tools are compared on the basis of characteristic behaviour and quantitative parameters. Finally, one obtains the best tool amongst these three for a particular situation.

Keywords: Packet Sniffer, Wireshark, Colasoft Capsa, TCPdump, Packet capture, Network monitoring tools.

1 INTRODUCTION

Packet sniffing is a technology which captures the packets passing through the network in which it is installed. A packet sniffer is a tool which monitors all the network data. Furthermore, it can intercept and log incoming and outgoing traffic across the network. The information that travels across a network is transmitted in the form of "packets." For example, when a packet is sent from one computer to another in a network, the packet is first broken up into smaller segments with the destination and source address attached, along with other useful information.
But if a packet sniffer is installed on any node of the network (either source or destination), then one can analyse the performance of the network or find bottlenecks in it. Packet sniffers are mostly used by network administrators, as they help to troubleshoot network problems, to monitor attackers in a network intrusion detection system, to find bottlenecks in networks and to convert binary network data into human readable form, such as collecting clear-text usernames and passwords, VoIP communications, mapping the network, etc. These are some illegal uses of a packet sniffer, unless the administrator has permission for that particular network in the organization. A packet sniffer can also be referred to as a network analyser or protocol analyser.

Packet sniffers are of two types: active and passive. Passive packet sniffers do not respond back, i.e. they only collect data, and it is impossible to detect them. Passive sniffers are useful in areas such as telecommunication, radar systems, medical equipment, etc. Colasoft Capsa, TCPdump and Wireshark are examples of passive packet sniffers. Active packet sniffers can send data into the network and hence could be detected by other systems through different techniques. For example, an active packet sniffer can fake replies to a broadcast or can forward it to a legitimate host. Scapy, Smart RF and the Network ACTIV protocol packet sniffer are some of the active packet sniffers.

180 Dr. Charu Gandhi et al. / International Journal of Computer Networks and Communications Security, 2 (5), May 2014

Fig. 1. Structure of packet sniffer

The structure of a packet sniffer consists of two parts: the packet analyser and packet capture (pcap). The packet analyser works on the application layer, whereas pcap captures packets from all the other layers, such as the physical layer, link layer, IP and transport layer. The packet analyser communicates with pcap, which in turn captures packets from the applications running on the network. Figure 1 shows the basic structure of a packet sniffer [1].

2 WORKING

Fig. 2. Data encapsulation in a packet

Most packet sniffers work as a pcap application. The normal flow in a pcap application is to initialize the network interface, then set the filter that decides which packets are accepted and which are rejected. Packets are accepted and a log is maintained continuously until the interface is closed, after which the captured packets are processed.

Fig. 3. Normal program flow of a pcap application

To capture the information in these packets it performs the following steps [2]:

Step 1: Initially a socket is created. To deal with raw binary data, raw sockets are created. Each socket created has a socket handle, socket type, and local and remote address.

Step 2: Then the NIC (network interface card) is set to promiscuous mode. The dictionary meaning of promiscuous is demonstrating an unselective approach. All packets moving in a network reach the NIC of all the nodes, which then checks the IP address of the destination node against the IP address of the current node.
Hence, when promiscuous mode is active the NIC accepts all the packets arriving on it irrespective of the destination address.

Step 3: The final step is protocol interpretation. Protocol interpretation means fetching the data for the protocols mentioned, such as TCP, IP, UDP, ICMP, etc.

3 KEY FEATURES OF POPULAR SNIFFERS

The growth of computer networks increases the demand for network administrators, which in turn increases the demand for packet sniffers. The top 5 passive packet sniffers in use are Wireshark, TCPdump, the Colasoft packet sniffer (Colasoft Capsa), EtherDetect and Ettercap [3]. In this section, the key features of the top 3 passive packet sniffers are discussed in detail, i.e. Wireshark, TCPdump and Colasoft Capsa.

3.1 TCPdump

TCPdump [4] is a tool used for packet capturing, network monitoring and protocol debugging. It is the oldest and most commonly used command line tool, and works only on Linux based systems. TCPdump is free and open source software. It can be used to read a live capture or an already captured log file. It can be run remotely through a Telnet or SSH login. It gives the least overhead as it does not use any graphical interface, and it captures data in the libpcap format, which is used by most of the tools [5]. It uses a large range of packet filters. At the end of the communication, or whenever TCPdump is stopped, it displays the number of packets displayed and the number of packets dropped [6]. It does not have any graphical display; however, third party tools such as xplot [7] or gnuplot [8] can be used to display graphs of the transaction. The major advantage of TCPdump over other packet sniffers is that it can be used remotely with the least overhead, and hence it is preferred by those administrators who like to work from a different network.
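The pcap program flow of section 2 (open the interface, set a filter, capture, interpret the protocols) and the libpcap file format that section 3.1 says TCPdump shares with most other tools are shown in the following added Python example. It is not code from the paper, from TCPdump or from libpcap. Raw sockets and promiscuous mode (steps 1 and 2) need a live interface and root privileges, so the script replaces them with frames it constructs itself; it then writes those frames in libpcap format, reads them back, dissects the Ethernet, IPv4, TCP and UDP headers (step 3) and applies a filter in the style of a tcpdump expression. The MAC and IP addresses, ports and payloads are constructed for the demonstration, and make_filter only mimics the "proto port N" form of a tcpdump expression; it is not a BPF compiler.

```python
"""Added example: libpcap-format writer/reader, Ethernet/IPv4/TCP|UDP dissector
and a tcpdump-style filter, standard library only.  All frames are constructed."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution libpcap file, native byte order
LINKTYPE_ETHERNET = 1
SRC_MAC = b"\x02\x00\x00\x00\x00\x01"   # constructed, locally administered
DST_MAC = b"\x02\x00\x00\x00\x00\x02"


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"", tcp_flags=0x18):
    """Ethernet + IPv4 + (TCP|UDP) with a correct IPv4 header checksum."""
    if proto == 6:      # TCP: 20-byte header, data offset 5, dummy seq/ack numbers
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | tcp_flags, 65535, 0, 0)
    elif proto == 17:   # UDP: 8-byte header, checksum left at 0 (optional over IPv4)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum field
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + l4


def write_pcap(records, snaplen=65535) -> bytes:
    """records: iterable of (timestamp_seconds, frame) -> bytes of a libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Yield (timestamp, frame) from libpcap bytes; accepts either byte-order magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def dissect(frame: bytes) -> dict:
    """Protocol interpretation (step 3 of section 2): Ethernet -> IPv4 -> TCP/UDP."""
    pkt = {"len": len(frame), "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if pkt["ethertype"] != 0x0800:
        return pkt                             # not IPv4: stop at the Ethernet layer
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt.update(src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])),
               proto=ip[9], ip_checksum_ok=ip_checksum(ip[:ihl]) == 0)
    l4 = ip[ihl:total_len]
    if pkt["proto"] == 6:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt.update(sport=sport, dport=dport, flags=off_flags & 0x1FF,
                   payload=l4[(off_flags >> 12) * 4:])
    elif pkt["proto"] == 17:
        sport, dport, ulen, _cksum = struct.unpack("!HHHH", l4[:8])
        pkt.update(sport=sport, dport=dport, payload=l4[8:ulen])
    return pkt


def make_filter(proto=None, port=None):
    """Predicate in the spirit of a tcpdump expression such as 'tcp port 80'."""
    number = {"tcp": 6, "udp": 17}

    def matches(pkt):
        if proto is not None and pkt.get("proto") != number[proto]:
            return False
        if port is not None and port not in (pkt.get("sport"), pkt.get("dport")):
            return False
        return True
    return matches


def demo() -> dict:
    """Round-trip three constructed frames through pcap bytes, then apply 'tcp port 80'."""
    frames = [
        (1000.0001, build_frame("10.0.0.5", "203.0.113.10", 6, 40000, 80, b"GET / HTTP/1.1\r\n")),
        (1000.0009, build_frame("10.0.0.5", "10.0.0.1", 17, 51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
        (1000.0020, build_frame("10.0.0.5", "203.0.113.10", 6, 40001, 443, b"\x16\x03\x01")),
    ]
    packets = [dissect(frame) for _ts, frame in read_pcap(write_pcap(frames))]
    web = [p for p in packets if make_filter(proto="tcp", port=80)(p)]
    return {"total": len(packets), "tcp_port_80": len(web),
            "checksums_ok": all(p["ip_checksum_ok"] for p in packets),
            "web_payload": web[0]["payload"] if web else None}
```

A file written by `tcpdump -w` uses this same format, so read_pcap can be pointed at a real capture as well. The checksum check is worth keeping in any dissector: captures taken on the sending host with checksum offload enabled often record checksums the NIC had not yet filled in, which is a capture artefact rather than corruption, and a sniffer that flags it avoids a false alarm.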

3.2 Wireshark

Similar to TCPdump, Wireshark [9] is an open source tool, but it has many more filtering and sorting options, including the GUI, which TCPdump lacks. As seen in Figure 4, the first part shows the packet capture, the second shows the packet detail and the last one is the raw data of that particular packet. Wireshark can also be used through its command line version, called Tshark. It works on more than 1100 protocols. VoIP can be captured and, if and only if it is properly decoded, it could even be played. It supports Linux based, Windows and Mac operating systems. Wireshark supports MaxMind geolocation, which means that cities and localities can be seen for given IPs, giving information on the origin of packets [10]. Wireshark is not for the layman, as it involves a lot of network layer filtering options.

Fig. 4. Wireshark

3.3 Colasoft Capsa

Colasoft Capsa [11] supports most of the features of Wireshark, with powerful TCP flow analysis and easier interpretation. It has versatile network traffic, bandwidth and utilization analysis. It has an in-depth packet decoding feature with multiple network behaviour monitoring. It has a matrix representation and eclipse visualisation of the network. Colasoft Capsa extends network security analysis by notifying alerts by email and audio only.

Fig. 5. Colasoft Capsa

It diagnoses network problems by detecting and locating the suspicious hosts causing the problem, and alerts the computer to network anomalies. One of the demerits of Colasoft Capsa is that it is quite expensive, although a free version is available with limited features [12]. Another disadvantage of Colasoft Capsa is that it works only on the Windows platform. Further, it covers only about 300 protocols, which is very few when compared to Wireshark's 1100 protocols.

4 CHARACTERISTIC EVALUATION

To compare the above tools qualitatively we need to finalize some parameters.
These can be OS support, disk usage, cost, number of protocols supported, etc.

4.1 TCPdump vs. Wireshark

4.1.1 Similarities

Both TCPdump and Wireshark have a wide range of packet filters to filter the incoming traffic through the NIC. Neither TCPdump nor Wireshark has an intrusion detection function. They cannot generate alarms for attacks, or hints when a passive attack or anything strange happens in the network. If someone is looking to manipulate data on the network, he should know that both tools fail in the area of manipulation. Neither of them can send messages into the network or do active things. Both tools capture files in the libpcap format. Both can act as a command line tool (Tshark in place of Wireshark).

4.1.2 Differences

Wireshark has a user friendly interface displaying the information inside packets in a meaningful manner. On the other hand, TCPdump does not have a graphical interface. A graphical interface helps in better understanding of the tool and its working; the better the interface, the more users it will have. It is harder to learn TCPdump and its filtering rules than Wireshark, because the rules of TCPdump may at first appear completely cryptic. Colasoft Capsa has the best interface, including the packet flow in the network shown graphically via a matrix, whereas in Wireshark we can analyse the packet capture and make comparative graphs with constraints on protocols, destination IP, etc., but in TCPdump one cannot draw a single graph without the use of a third party tool: the user gets information only in the form of text. Further, the more graphical the tool, the higher its system requirements. Hence, TCPdump has the least overhead when compared to the others. Moreover, TCPdump is the only tool amongst those discussed above that can be used remotely, because of its very light load on the system. TCPdump is less intrusive than Wireshark, as TCPdump displays only the data in the packet headers whereas Wireshark displays all the information inside the packets. TCPdump shows only TCP/IP based packets whereas Wireshark works for more than 1100 protocols. TCPdump has some problems with IPv6 commands; hence, IPv6 users should go for Wireshark. TCPdump output is uncontrolled, whereas in Wireshark we can sort it or do manipulations accordingly. TCPdump works on UNIX based operating systems whereas Wireshark works on UNIX based operating systems as well as on Windows. TCPdump works on most Unix-like operating systems such as Fedora, RHEL, Solaris, BSD, Mac OS, etc. TCPdump uses the libpcap library to capture incoming and outgoing packets.
TCPdump can also be used on Windows, where it is called WinDump and uses WinPcap, the Windows port of libpcap.

4.2 TCPdump vs. Wireshark vs. Colasoft Capsa

The following table, Table 1, summarizes how the packet sniffers differ on properties such as their support for different operating systems, cost, identification of abnormal protocols, disk usage, etc.

Table 1. Characteristic comparison of TCPdump, Wireshark and Colasoft Capsa

S. No. | Property | TCPdump | Wireshark | Colasoft Capsa
1 | OS supported | Unix based | Windows and Unix based | Windows
2 | Disk usage | 448 KB | 81 MB (Windows) and 449 MB (Unix) | 32 MB
3 | Cost | Free | Free | 999
4 | Open source | Yes | Yes | No
5 | No. of protocols supported | TCP/IP | More than 1000 | 300
6 | Libpcap based | Yes* | Yes | No
7 | Multiple interfaces at a single instance | No | No | Yes
8 | Alarms on traffic, protocols | No | No | Yes
9 | Decode protocol (Hex, ASCII, EBCDIC) | Only hex and ASCII | Only hex and ASCII | Yes
10 | Identify abnormal protocol | No | No (only creates a warning) | Yes
11 | Identify packets with forged data | No | Yes | Yes
12 | Display protocol in OSI 7 layer structure | No | Yes | Yes
13 | Locate hosts running a specific service | No | Yes | Yes
14 | Network communication matrix map | No | No | Yes
15 | Evaluate critical business traffic and non-business traffic | Yes (by filters) | Yes (by creating TCP flow) | Yes
16 | (property name not recoverable from the source) | Yes (but not formatted) | Yes | (not recoverable)
17 | UDP traffic | Yes | Yes | No

5 EXPERIMENTAL SCENARIO AND PARAMETER SELECTION

From the above discussion, one can find the best tool for the behaviour or characteristics required. For example, if a person wants to see everything graphically, then he should prefer Wireshark or Colasoft Capsa. Whereas if someone wants to work remotely with the least bandwidth usage, then he should prefer TCPdump over Wireshark and Capsa. Many more similar cases could be made from one or a combination of the properties mentioned above.

But it can be seen that in many cases Wireshark and Colasoft Capsa have similar characteristics. Hence, there is a need to find distinct parameters which may define the internal load and performance of the tool. To compare the tools, there is a need for a common scenario in which the admin can compare the working of the tools and their performance. One of the sample scenarios taken is explained below:

1) Start one of the tools and clear all of its history captures.
2) As the new capture file captures all the communication with the network, stop all other communication with the network.
3) Now open Internet Explorer, go to Gmail and sign in with your account.
4) Compose a new mail which includes a model attachment file (this file is common for all tools).
5) Send the mail to yourself and sign out.
6) Stop the capture procedure in the tool.
7) Continue the same procedure with the same model attachment file for the rest of the tools.

After one has the common scenario for the comparison, one needs the parameters on which the tools are to be compared. Following are the parameters on which Colasoft Capsa and Wireshark are compared (TCPdump could not be compared here because it does not have any graphical interface to show the bounded output).

5.1 Packet size distribution

Theoretically, there is no ideal packet for communication in a network or for maximum/optimal throughput. But packets can be divided by size into short, medium and long packets. Short packets are those whose length is 88 bytes or less. Packets of size 1518 bytes or more are long packets, whereas packets of size between short and long are medium sized packets. There is no right answer to the question of which packet size gives the best result [13].

Short packets increase the load on the device, and hence more short packets is a good way to stress the device. On the other hand, long packets increase the load on the network, which means the fewer the long packets, the less the stress on the network. Further, dealing with long packets means dealing with a high ratio of packet payload to packet headers. Hence, packet size distribution should be one of the benchmarks to evaluate the performance of networking tools.

5.2 Throughput

Throughput, or bits per second (bps), is the amount of data which a system processes. System throughput means the aggregate of all the terminals, with the sum of their data rates [14]. This is generally measured in bits/bytes per second. The higher the throughput of a system, the better the performance of the tool involved in packet sniffing. Hence, throughput is a key concept for professional performance testers to understand, and throughput is one of the top metrics used to observe how well a tool is performing.

5.3 Packets per second (PPS)

Packets per second (PPS) refers to the number of packets transferred in one second. When packets per second are multiplied by the average packet size, we get a figure similar to throughput. But there is a difference between bps and PPS.
Bps is the number of bits of data per second that can be processed without dropping data, whereas PPS is the number of packets of data per second that can be processed before dropping data. PPS is used instead of bps only when we have to look inside the packet header. Hence, when compared to bps, PPS is an equally important performance benchmark.

5.4 Dropped packets

In the given scenario, the results are analysed after completing the transactions in all the tools. After the communication is over, it is seen that some packets are dropped. Dropping of packets could be due to many reasons, including firewalls. But here, because the scenario for comparing the tools is the same, the packet loss seen in one tool should also be there in the other. If it is not the same, then one of the reasons for excessive packet loss could be that not all packets coming to the NIC could be saved to the capture file, due to a lack of buffer in the tool. This gives the number of dropped packets and hence a performance benchmark.

5.5 Response time

In a network, there is a three way communication when one system asks for a packet from the other system. The other system then sends the packet to the former system, and finally, when the former system receives the packet, it sends an acknowledgement signal to show that it has received the packet. The time taken in the above process is called the response time. In short, response time means the length of time taken to respond to a given stimulus or event [15]. It is one of the benchmarks for performance because a lower response time indicates fewer retransmissions in the communication. Hence, the lower the response time, the better the performance.

6 QUANTITATIVE COMPARISON

In the previous section, the benchmarks were chosen to compare the tools. Now the tools' performance is compared on the decided parameters as follows:

6.1 Packet size distribution

Inferred from the previous section, the tool which supports the maximum number of medium sized packets is the better tool on this benchmark. As can be seen from Figure 6,

Fig. 6. Wireshark packet distribution

Wireshark does about 44% of its work with short packets, 20-25% with long packets and 30-35% with medium sized packets. In Colasoft Capsa, the table shows that it works 25-30% with short packets, 15.13% with long packets and about 50-55% with medium sized packets. Hence, Colasoft Capsa neither stresses the network nor the system by sending too many small sized or medium sized packets. Whereas, in the same graph, Wireshark (black) ranges in a pattern which is good for the network and shows constant behaviour.

Table 2. Packet size distribution in Colasoft Capsa
Columns: Item | Statistical value | Percentage (the row data survived extraction only as the fragments "385.06512-15174479.51 151872915.23")

On comparison we get the following result:

1) The number of short packets is higher in Wireshark.
2) In the case of average length packets, in Colasoft Capsa around half of the work is done in the average packet size, whereas in Wireshark it is less.
3) In Colasoft Capsa 15%, and in Wireshark roughly 20%, of the work is done in long length packets.

RESULT: To summarize, the average packet size measured in Wireshark is 558.76 B and in Colasoft Capsa it is 434 B. Colasoft Capsa gets a slight edge over Wireshark.

6.2 Throughput

As throughput refers to the system's ability to handle a number of bits per second, the tool with the higher throughput would give the better performance. It can be seen in Figure 7 that Colasoft Capsa (brown) has a large range of throughput and is changing swiftly. These random changes in the throughput are not good, as they hinder the system's performance and are not good with respect to network performance.

Fig. 7. bps of Wireshark (black) and Colasoft Capsa (brown)

RESULT: The average bps in Colasoft Capsa is 6.34 Kbps whereas in Wireshark it is 115.398 kbps. As we know, the higher the bps, the better the packet sniffer's performance. Hence, here Wireshark has an edge over Colasoft Capsa due to its constant variation and not showing high cut-offs.

6.3 Packets per second (PPS)

Packets per second means the number of packets processed per second by the system. But packets per second alone could lead to a misleading result; hence, it is combined with the average packet length. As seen from Figure 8, the range of PPS is larger in Colasoft Capsa, whereas in Wireshark there is a pattern which is good for the network to handle the traffic. Further, PPS in Colasoft Capsa has higher variations; on the other hand, Wireshark is stable throughout.

Fig. 8. PPS of Wireshark (black) and Colasoft Capsa (brown)

PPS is higher in Colasoft Capsa, but in Colasoft Capsa the average packet size is 417 B whereas in Wireshark the average packet size is 558.760 B.

Bandwidth = average packet size × 8 × average PPS
BW(Colasoft Capsa) = 417 × 8 × 7 = 23,352 bps
BW(Wireshark) = 558.76 × 8 × 25.809 = 1,15,372 bps

RESULT: Wireshark is ahead when compared with Colasoft Capsa, because the bandwidth calculated here is higher than that of Colasoft Capsa and is similar to that in the previous case.

6.4 Dropped packets

As has been seen, there could be packet loss due to many reasons. But if the scenario is the same for both cases, then excess packet loss shows that the tool was not able to read all the packets, and the NIC dropped the packets before they could be read.

In Wireshark, one needs to set a filter to select all the dropped packets from the captured file. If one already has a conversation filter open, then one can put that filter in brackets and add "tcp.analysis.lost_segment". This will show the lost packets when compared.

Fig. 9. Wireshark packet loss

Fig. 10. Graph of packet loss per second

In Colasoft Capsa, if the administrator only wants to see the ratio of packet loss then the Colasoft ping tool can be used. But if the administrator wants to monitor the packet loss, then the diagnosis tab can be used, and by going to the "TCP retransmission" tab one can monitor the lost packets and diagnose them for network management. Following is the figure obtained from the Colasoft ping tool:

Fig. 11. Colasoft Capsa packet loss

RESULT: In Wireshark, the figure shows the number of dropped packets with the filter tcp.analysis.lost_segment, which gives us 53 out of 4638 packets, i.e. 1.1%. In Colasoft Capsa, the figure shows 24% packet loss. Clearly, Wireshark has less packet loss than Colasoft Capsa and hence is preferred over Colasoft Capsa for fewer packet retransmissions.

6.5 Response time

Response time means the time taken to respond to a stimulus. The tool which gives the lower response time in similar conditions has performed better than the other one. Here, we compared the response time as shown below:

Fig. 12. Compared response time of Wireshark (black) and Colasoft Capsa (blue)

As the figure shows, here again Colasoft Capsa is volatile and has a higher range than Wireshark. The maximum response time in Colasoft Capsa is 130 milliseconds whereas in Wireshark the maximum response time is 95 milliseconds. Clearly, the response time of Colasoft Capsa is much higher than that of Wireshark. Hence, in this benchmark too, Wireshark is better than Colasoft Capsa.
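The benchmarks of section 5 and the arithmetic of section 6 can be reproduced over any capture once each packet's timestamp and length are known. The following added Python example (not the paper's code, nor Wireshark's or Colasoft Capsa's) does that over a constructed trace. The size thresholds (88 and 1518 bytes) and the formula bandwidth = average packet size × 8 × average PPS are the paper's; the trace timestamps, lengths and TCP flags are constructed, and response time is computed the way section 5.5 describes it, from the request (SYN) to the final acknowledgement (ACK). Re-running the section 6.3 arithmetic with the rounded inputs the paper prints (558.76 B, 25.809 PPS) gives about 115,368 bps rather than the printed 1,15,372 bps, a difference presumably from rounding the averages before they were printed.

```python
"""Added example: capture-level benchmarks from sections 5 and 6 of the paper,
computed over a constructed trace.  Thresholds and the bandwidth formula are the
paper's; every timestamp, length and flag value below is made up."""
from collections import Counter

SHORT_MAX = 88     # short packets: 88 bytes or less (section 5.1)
LONG_MIN = 1518    # long packets: 1518 bytes or more (section 5.1)

# Constructed trace of one small HTTP exchange: timestamp (s), frame length
# (bytes) and TCP flag bits (SYN=0x02, ACK=0x10, PSH=0x08, FIN=0x01).
TRACE = [
    {"ts": 0.000, "len": 74,   "flags": 0x02},  # SYN (the request of 5.5)
    {"ts": 0.021, "len": 74,   "flags": 0x12},  # SYN/ACK (the reply)
    {"ts": 0.021, "len": 66,   "flags": 0x10},  # ACK (the acknowledgement)
    {"ts": 0.022, "len": 540,  "flags": 0x18},  # request data, medium sized
    {"ts": 0.060, "len": 1518, "flags": 0x10},  # response segments, long
    {"ts": 0.061, "len": 1518, "flags": 0x10},
    {"ts": 0.062, "len": 1518, "flags": 0x10},
    {"ts": 0.063, "len": 900,  "flags": 0x18},  # last response segment, medium
    {"ts": 0.064, "len": 66,   "flags": 0x10},  # ACK
    {"ts": 0.100, "len": 66,   "flags": 0x11},  # FIN/ACK
]


def size_class(length: int) -> str:
    """Classify one packet by the paper's thresholds."""
    if length <= SHORT_MAX:
        return "short"
    if length >= LONG_MIN:
        return "long"
    return "medium"


def size_distribution(trace) -> dict:
    """Percentage of short/medium/long packets (benchmark 5.1)."""
    counts = Counter(size_class(p["len"]) for p in trace)
    total = sum(counts.values())
    return {k: round(100.0 * counts[k] / total, 2) for k in ("short", "medium", "long")}


def _duration(trace) -> float:
    span = trace[-1]["ts"] - trace[0]["ts"]
    if span <= 0:
        raise ValueError("trace must cover a positive time span")
    return span


def throughput_bps(trace) -> float:
    """Bits per second over the capture window (benchmark 5.2)."""
    return 8 * sum(p["len"] for p in trace) / _duration(trace)


def packets_per_second(trace) -> float:
    """PPS over the capture window (benchmark 5.3)."""
    return len(trace) / _duration(trace)


def average_packet_size(trace) -> float:
    return sum(p["len"] for p in trace) / len(trace)


def bandwidth_from_pps(avg_packet_size: float, avg_pps: float) -> float:
    """Section 6.3: bandwidth = average packet size * 8 * average PPS."""
    return avg_packet_size * 8 * avg_pps


def loss_percent(captured: int, lost: int) -> float:
    """Share of lost segments in a capture (benchmark 5.4, result 6.4)."""
    return round(100.0 * lost / captured, 2)


def handshake_response_ms(trace) -> float:
    """Response time as section 5.5 defines it: request (SYN), reply (SYN/ACK),
    acknowledgement (ACK); returns SYN -> final ACK in milliseconds."""
    want = [0x02, 0x12, 0x10]           # SYN, SYN/ACK, ACK, in that order
    seen = []
    for p in trace:
        if p["flags"] == want[len(seen)]:
            seen.append(p["ts"])
            if len(seen) == 3:
                return round((seen[2] - seen[0]) * 1000, 3)
    raise ValueError("no complete three-way handshake in trace")


def demo() -> dict:
    """All benchmarks for the constructed trace in one place."""
    pps = packets_per_second(TRACE)
    return {
        "size_distribution": size_distribution(TRACE),
        "throughput_bps": throughput_bps(TRACE),
        "pps": pps,
        "bandwidth_bps": bandwidth_from_pps(average_packet_size(TRACE), pps),
        "response_ms": handshake_response_ms(TRACE),
    }
```

On a consistent trace the section 6.3 formula and the directly measured throughput agree (both give 507,200 bps here), which is the check to run before trusting either figure from a tool's summary screen. In practice the trace dicts would come from a dissector over a real capture; Wireshark's Statistics > Packet Lengths window gives the same size buckets directly once the bucket boundaries are set to 88 and 1518 bytes.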

7 CONCLUSION AND FUTURE SCOPE

The proposed comparison of packet sniffers on qualitative and quantitative parameters shows that none of the tools leads on all the parameters. On the one hand, TCPdump has the least overhead, but on the other, Colasoft Capsa has the maximum network security. The following table shows frequently required cases and the best tool in each scenario.

The present study has been made to suggest the best packet sniffing tool according to the user's requirements. The advantages and disadvantages would help to develop a new packet sniffer which could hide all the disadvantages of the most used packet sniffers and could outperform them on quantitative and qualitative parameters.

Table 2: Conclusions

S. No. | Case | Best tool
1 | Packets dropped | Wireshark
2 | Network security | Colasoft Capsa
3 | Response time | Wireshark
4 | Network alarms | Colasoft Capsa
5 | bps (throughput) | Wireshark
6 | Packet size | Colasoft Capsa
7 | PPS | Wireshark
8 | User interface | Colasoft Capsa
9 | Number of protocols | Wireshark
10 | Network communication | Colasoft Capsa

8 REFERENCES

[1] bridgew.edu/sattar/CS430/HW/LABS/wireshark.htm [Oct. 10, 2013].
[2] L. Garcia, "Programming with libpcap," in Hacking- Practical protection hard core IT magazine, Vol 3, 2008, pp. 38-46.
[3] K. Zhou, "Top 5 Most Welcomed ffers.html.
[4] All about TCPdump [Online]. Available: http://www.TCPdump.org/.
[5] H. Styn, "TCPdump fu," Linux /content/TCPdump-fu?page 0,1 .
[6] TCPdump Command, Command nfocenter/pseries/v5r3/index.jsp?topic /com.ibm.aix.cmds/doc/aixcmds5/TCPdump.htm
[7] /
[8] All about Gnuplot [Online]. Available: http://www.gnuplot.info/
[9] All about Wireshark [Online]. Available: http://www.Wireshark.org/.
[10] How to Use GeoIP With eshark.org/HowToUseGeoIP
[11] All about Colasoft Capsa [Online]. Available: www.colasoft.com
[12] Colasoft Capsa - Compare Editions, www.colasoft.com/ColasoftCapsa/editions.php
[13] A. Shah, D. Bhatt, P. Agarwal, and P. Agarwal, "Effect of Packet-Size over Network Performance", International Journal of Electronics and Computer Science Engineering, Vol. 1, pp. 762-766, 2012.
[14] J. Colantonio, "Performance testing performance-testing-what-is-throughput , 2011.
[15] Stating Response Time Requirements, .au/Terminology/ResponseTime.htm
