Protocol analyzer
Hardware or software used for monitoring and analyzing digital traffic over a network. Protocol analyzers go by other names, such as packet sniffers, packet analyzers, network analyzers, network sniffers, or network scanners.
Promiscuous mode
A mode in which the NIC processes every frame it sees, not just those addressed to it.
Port mirroring
A switch mode in which all frames sent to all other switch ports will be forwarded on the mirrored port.
Network administrator
A network administrator can use the protocol analyzer to assist in the management of the network and employee usage. The protocol analyzer can help to:
Security operations
The network SecOps team can use the protocol analyzer during a vulnerability assessment. The protocol analyzer can help the SecOps team to:
* Identify frames that might cause errors. For example, the network administrator can:
  -> Determine which flags are set in a TCP handshake
  -> Detect any malformed or fragmented packets. This would indicate that someone is trying to get around the firewall.
* Discover passwords and other sensitive data being sent in cleartext.
* Find any open network ports that should not be open.
Malicious user/hacker
A malicious user can use the protocol analyzer to find the same information as the network administrator and SecOps teams.
By themselves, protocol analyzers cannot be used to perform an attack. However, protocol tools can be used with protocol analyzers for active interception of network traffic to perform attacks, such as:
* Spoofing
* Man-in-the-middle attacks
* Replay attacks
* TCP/IP session hijacking
* MAC flooding
A hacker can also use the analyzer to perform system fingerprinting. System fingerprinting identifies which operating system the system is running based on how it responds to different types of network traffic.