Protocol analyzer extends your ability to troubleshoot enterprise networks by easily gathering trace files across the network, from the network core to the most isolated segments and everything in between. Once collected, these trace files can be automatically forwarded for expert analysis by Colasoft Capsa.


A Protocol Analyzer is today considered an essential part of the Network Manager's toolkit. The traditional view is that analyzers are useful for troubleshooting networks while SNMP tools are better for trending and service management. This document asks if a Protocol Analyzer has a role to play in the day to day management of a network? Protocol Analyzers may cost many thousands of dollars, or they may be completely free. Manufacturers, of course, all claim, sometimes extravagantly, that their products will sort out all your problems when used on real life networks. Are these claims justified? Are the costly products genuinely better than the free ones? Will you find out more if you use an expensive product? Are the sophisticated features useful enough to justify the cost? How do you decide which product best suits your needs?

Download Free Trial

What can Protocol Analyzers be used for?

Protocol Analyzers, often called "packet sniffers" after Network Associates market leading Sniffer product, capture packets and decode them into their component parts. Whether free or costly analyzers all do the same basic job. It's fairly obvious how analyzers can be used to troubleshooting network problems. Once a problem is detected packets are captured and analyzed and the details of the communication can be worked out. But analyzers can do more than this and, in fact, turn out to be surprisingly useful in many aspects of network management.

What to Look for?

Unexpected Traffic

The obvious thing to do is monitor the network for unexpected traffic. Most network managers know the types of application that they expect to see and can point out anything unusual. If anything unexpected is spotted then a capture of some of the traffic is usually sufficient to pinpoint the machines involved.

Unnecessary Traffic

It is common for machines to be set by default to run protocols that may not be required. Many printers broadcast using Novell's IPX protocol. Fine if you are using NetWare, but not always necessary. It's good housekeeping to remove any protocols that you do not need. You may be concerned about how your users are using the available bandwih4h. A good analyzer will allow you to filter specific types of traffic so that you can keep an eye on any traffic that may cause you a problem.

Unauthorized Program Use

Likewise it is useful to check the specific port numbers for services on your Servers. They may be offering services that you do not need, or unauthorized users may be accessing them. Most common services operate on defined port numbers, a packet capture on a Server will soon reveal what services are running. You can disable any services that you do not need. This has two benefits, one, it avoids unnecessary traffic on the network, and two it means that no unauthorized user can take advantage of that service. If anyone is using a service a packet capture will show you the address. Most analyzers allow filtering on specified port numbers so it is possible to monitor continuously for specified port numbers.

Email Problems

Email systems typically use standard port numbers, 25 for SMTP, 143 for IMAP, 110 for POP3. Setting filters for these ports will usually help to discover the cause of problems with email.

Virus Detection and Control

Anti virus software manufacturers offer updates services. Armed with the information on new threats it is often possible to build suitable filters to detect viruses. For example many analyzers allow you to specify a text pattern so a virus contained in a message containing a known text string could be detected. Analysis of the capture will show the source and destination of the packets.


Firewalls need to be checked for outgoing and incoming traffic. You will have to define a set of filters for traffic in both directions. Should the firewall begin to let unauthorized traffic through you need to be able to detect it.

Download Free Trial

How much should I spend on a Protocol Analyzer?

This is the crux of the problem. Will an expensive analyzer deliver more than a cheaper one? Will I get more value from a higher cost product? My advice is to consider it very carefully before you decide. You can spend a significant amount of money on an analyzer, but you may not have to.

Proprietary solutions vary enormously in price and functionality. Although most make use of open formats (or at least allow data to be exchanged between different systems) you should check carefully that you are not tied into proprietary formats. It is very inconvenient to capture packets and then to have to mess around converting from one format to another if you need to share the information. Open Source analysis products have the huge advantage of being completely free, use open formats, and often provide as much functionality as proprietary solutions.

Decide on the features that you really need. If, in addition to protocol analysis, trending and performance measurements are very important to you a proprietary solution may be the best, since integration of the two functions is often very good. Again open source alternatives do exist so you could go for both a performance monitor and a protocol analyzer.

If technical support and training are important these are generally better provided for by proprietary solutions, though normally at additional cost.

If full wire speed packet capture is a requirement then you may have to consider a hardware solution, but these are extremely expensive and are normally only justified in special cases.

It is worth trying as many analyzers as possible to see which suits you best. For the types of problems described above the really important feature is the sophistication of the filtering mechanism. Again look carefully at what is being offered.

The combination of an SNMP based Performance Manager and a well featured Protocol Analyzer will allow you to perform many of the fundamental tasks required for successful network management.

Go to Colasoft Online Store

Download Free Trial

Related Software:

HTTP Sniffer - Capture HTTP packets, monitor Internet web traffic, and show URL visited by LAN users.
Sniffer - A program and/or device that monitors data traveling over a network.
Packet Sniffer - Capture network packets and provide view for full TCP conversations and UDP threads.
MSN Sniffer & Monitor - Capture MSN messenger chat and conversations on your network.