IDS mailing list archives
RE: Difference between Protocol Analyzers -> Packet Sniffers
From: "Adam Powers" <apowers () lancope com>
Date: Sat, 27 Mar 2004 17:51:44 -0500
I'm not all that sure this is worth arguing, but tcpdump and ethereal are actually very much alike. They both use pcap to capture and filter traffic and they both allow for varying degrees of post-capture decoding. The main difference is that Ethereal is much better equipped to decode than tcpdump. The example below clearly shows tcpdump decoding a DNS query. Does this make tcpdump a "packet analyzer"? For those of us that use it on a day to day basis, I think it does...

[root@S1 root]# tcpdump -i eth1 -vvv -c 20 port 53
tcpdump: listening on eth1
17:45:38.672298 10.242.0.170.1771 > pop3s.lancope.com.domain: [udp sum ok] 11+ A? yahoo.com. [|domain] (ttl 126, id 22989, len 55)
17:45:38.672647 pop3s.lancope.com.domain > 10.242.0.170.1771: 11 q: A? yahoo.com. 1/5/5 yahoo.com. A w1.rc.vip.scd.yahoo.com ns: yahoo.com. (213) (DF) (ttl 64, id 0, len 241)

-----Original Message-----
From: Eric Hines [mailto:eric.hines () appliedwatch com]
Sent: Thursday, March 25, 2004 11:33 AM
To: focus-ids () securityfocus com; lists () dshield org
Subject: Difference between Protocol Analyzers -> Packet Sniffers

All,

Once upon a time I had a pretty heated argument between myself and another individual on the topic of the distinction between protocol analyzers and packet sniffers, and that they are not one and the same. Can anyone provide me some good points on supporting this argument? E.g. Ethereal is a protocol analyzer and Tcpdump is not... I've only been able to articulate that protocol analyzers can conduct protocol decoding, whereas Tcpdump cannot... Ethereal can provide information on the different fields of the HTTP header and SSL fields.... stuff like that.. Anyone care to jump in here and provide more meat to this argument than this?

BRDS,

Eric Hines, GCIA
CEO, President
Applied Watch Technologies, Inc.

-------------------------------------------
Eric Hines, GCIA
CEO, Chairman
Applied Watch Technologies, Inc.
web: http://www.appliedwatch.com
email: eric.hines () appliedwatch com
-------------------------------------------
Direct: (877) 262-7593 - Toll Free x327
Fax: (815) 425-2173
General: (877) 262-7593 (9am-5pm CST)
-------------------------------------------
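The tcpdump lines in the post above are the visible result of protocol decoding: pcap hands the tool a UDP payload, and the tool interprets the DNS header bits, the compressed names and the record types to print "11+ A? yahoo.com.". The decoder below is an added example, not code from the thread or from tcpdump or Ethereal, that performs that same decoding on raw bytes and renders a tcpdump-style summary. SAMPLE_QUERY is a constructed packet whose fields match the post's query line (id 11, RD set, one A question for yahoo.com); SAMPLE_RESPONSE is a constructed reply with a single answer of 10.0.0.1 and TTL 300, an assumption, since the real answer bytes are not on the page. It also shows the check a real decoder needs that a capture tool does not: refusing names whose compression pointers loop or run off the end of the message.

```python
"""Decode raw DNS messages into tcpdump-style one-line summaries (added example)."""
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
               15: "MX", 16: "TXT", 28: "AAAA"}

# Constructed: id=11, flags=0x0100 (RD), QDCOUNT=1, question "yahoo.com" IN A.
# 12 header bytes + 11 name bytes + 4 = 27, matching "len 55" minus IP+UDP.
SAMPLE_QUERY = bytes.fromhex(
    "000b0100" "0001000000000000" "057961686f6f03636f6d00" "00010001")
# Constructed: id=11, flags=0x8180 (QR+RD+RA), one answer whose name is a
# compression pointer (0xc00c) to the question, TTL 300, A 10.0.0.1 (made up).
SAMPLE_RESPONSE = bytes.fromhex(
    "000b8180" "0001000100000000" "057961686f6f03636f6d00" "00010001"
    "c00c" "0001" "0001" "0000012c" "0004" "0a000001")


def read_name(msg, offset):
    """Return (name, next_offset), following RFC 1035 compression pointers.
    next_offset continues in the original stream, i.e. just past the first
    pointer if one was followed. Loops and truncation raise ValueError."""
    labels, visited, resume = [], set(), None
    while True:
        if offset >= len(msg) or offset in visited:
            raise ValueError("malformed name: truncated or pointer loop")
        visited.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if resume is None:
                resume = offset + 2
            offset = pointer
            continue
        if length & 0xC0:                              # 0x40/0x80 reserved
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) + ".", (resume if resume is not None else offset)


def parse_question(msg, offset):
    name, offset = read_name(msg, offset)
    if offset + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"name": name, "type": qtype, "class": qclass}, offset + 4


def parse_rr(msg, offset):
    name, offset = read_name(msg, offset)
    if offset + 10 > len(msg):
        raise ValueError("truncated resource record")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    if offset + rdlen > len(msg):
        raise ValueError("truncated rdata")
    if rtype == 1 and rdlen == 4:                      # A: dotted quad
        value = ".".join(str(b) for b in msg[offset:offset + 4])
    elif rtype in (2, 5, 12):                          # NS/CNAME/PTR: a name
        value, _ = read_name(msg, offset)
    else:                                              # leave other types opaque
        value = f"[{rdlen} bytes]"
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "value": value}, offset + rdlen


def decode_dns(msg):
    """Parse the header and all four sections of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
           "rcode": flags & 0x000F, "questions": [], "answers": [],
           "authority": [], "additional": []}
    offset = 12
    for _ in range(qd):
        q, offset = parse_question(msg, offset)
        out["questions"].append(q)
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            out[key].append(rr)
    return out


def summarize(msg):
    """tcpdump-like line: 'id+ A? name.' for a query (+ means RD set),
    'id q: A? name. an/ns/ar <answers>' for a response."""
    d = decode_dns(msg)
    qtext = " ".join(f"{QTYPE_NAMES.get(q['type'], q['type'])}? {q['name']}"
                     for q in d["questions"])
    if not d["qr"]:
        return f"{d['id']}{'+' if d['rd'] else ''} {qtext}"
    counts = f"{len(d['answers'])}/{len(d['authority'])}/{len(d['additional'])}"
    answers = " ".join(f"{r['name']} {QTYPE_NAMES.get(r['type'], r['type'])} {r['value']}"
                       for r in d["answers"])
    return " ".join(p for p in (str(d["id"]), "q:", qtext, counts, answers) if p)


if __name__ == "__main__":
    print(summarize(SAMPLE_QUERY))      # 11+ A? yahoo.com.
    print(summarize(SAMPLE_RESPONSE))   # 11 q: A? yahoo.com. 1/0/0 yahoo.com. A 10.0.0.1
```

Feeding this the UDP payload of a real capture (for instance the bytes tcpdump writes with `-w`, after stripping the link, IP and UDP headers) reproduces the essence of the `11+ A? yahoo.com.` line; the difference between the tools in the thread is only how many protocols get this treatment and how much of each message is rendered, not whether decoding happens at all.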
Current thread:
- Difference between Protocol Analyzers -> Packet Sniffers Eric Hines (Mar 27)
- Re: Difference between Protocol Analyzers -> Packet Sniffers Vincent Bieri (Mar 29)
- Re: Difference between Protocol Analyzers -> Packet Sniffers Joel Snyder (Mar 29)
- Re: Difference between Protocol Analyzers -> Packet Sniffers Adam Baldwin (Mar 29)
- Re: Difference between Protocol Analyzers -> Packet Sniffers Thomas Ptacek (Mar 29)
- Re: Difference between Protocol Analyzers -> Packet Sniffers Jim Matthews (Mar 30)
- <Possible follow-ups>
- RE: Difference between Protocol Analyzers -> Packet Sniffers Palmer, Paul (ISSAtlanta) (Mar 29)
- RE: Difference between Protocol Analyzers -> Packet Sniffers Seymour, Keith E. (Mar 29)
- RE: Difference between Protocol Analyzers -> Packet Sniffers Adam Powers (Mar 29)