What is a network analyzer (protocol analyzer or packet analyzer)?
A network analyzer -- also called a network protocol analyzer or packet analyzer -- is a software application, dedicated appliance or feature set within a network component used in network performance troubleshooting or to enhance protection against malicious activity within a corporate network. Network analyzers accomplish this by collecting packet data traversing a network.
Network analyzers can be installed and run directly on a device to provide packet capture data, or the analyzer can be inserted within the network -- typically a network uplink -- to simultaneously monitor packet capture data for multiple devices.
Placement of a packet analyzer largely depends on analysis goals and the location of devices administrators wish to monitor and analyze. For example, a laptop running Wireshark, a free open source network protocol analyzer, can be used in an ad-hoc way to analyze packets to find out why a particular web server is running slow. Alternatively, an analyzer might be deployed as a standalone appliance or as part of a firewall, intrusion detection system/intrusion prevention system (IDS/IPS) or network detection and response tools to monitor all traffic at the internet edge to help identify malicious activity.
Network analyzers can:
- Provide detailed packet capture data that specifies who specific devices are communicating with -- source and destination -- and which protocol or port is being used.
- Identify devices or parts of the network that are causing traffic flow bottlenecks.
- Detect unusual levels of network traffic.
- Detect unusual packet characteristics.
- Monitor traffic to identify suspicious data communications or malware.
- Configure alarm triggers and alerts for defined threats.
- Search for specific data strings in unencrypted packet payloads.
- Monitor bandwidth utilization as a function of time.
- Create application-specific plugins.
- Display all statistics on a user-friendly control panel.
Network analyzers are not intended to replace network monitoring tools, firewalls, antivirus programs, or spyware detection programs. However, the use of a network analyzer in addition to network health, performance and security tools can provide deeper insights when troubleshooting a performance issue or investigating a security incident.
What are the types of network analyzers?
Network analyzers come in several different flavors and their use depends on what goals must be met. Examples include:
- Ad-hoc network analyzer software applications such as Wireshark and Savvius Omnipeek.
- Protocol and packet capture functionality within broader network performance monitoring tools such as SolarWinds NPM and Paessler PRTG Packet Sniffer.
- Network analysis functionality within artificial intelligence for IT operations (AIOps) tools that include AI-backed analysis and performance remediation suggestions.
- Security-focused network detection and response tools to identify malware, denial-of-service attacks and command-and-control threats.
- Network analysis features built-into routers, switches, firewalls and IPS/IDS appliances.
In addition to packet capture techniques that collect all packet headers and payloads, ManageEngine NetFlow Analyzer is another type of network analysis tool that collects similar data flow information -- but without capturing the entire packet. This significantly reduces the amount of captured data that must be stored. Tools that capture the entire packet are referred to as deep packet inspection (DPI) network analyzers. NetFlow tools differ from DPI analyzers in a couple ways.
First, packet capture devices connect to the network and simply record all the data that is being transmitted or received on a physical or wireless network. NetFlow data, on the other hand, is typically collected by network switches or purpose-built probe appliances that in turn send data flow summary information to a centralized NetFlow collection server. Because NetFlow summary data uses far less storage and bandwidth in the collection process, it can be deployed at a much broader level across the network. NetFlow data can show administrators who a specific device is talking to, the times the communications occurred, protocol and port information as well as how much data was sent or received. For many IT enterprises, NetFlow is commonly deployed across the entire network for wider visibility, while DPI data captures are deployed in smaller, targeted locations or in an ad-hoc manner.
What do network analyzers collect and measure?
The job of a network analyzer is to collect relevant communication data which can be analyzed for any number of performance or data security purposes. Network analyzers generally collect the following:
- source and destination Internet Protocol address
- protocol type
- packet length
- source and destination ports used
- time-to-live or hop limit
- packet length
- packet type
- information within the packet payload if it is unencrypted
In addition to capturing network analysis data that can be analyzed manually by a trained network administrator, some tools come with built-in analysis and AI capabilities to help automate the performance or data security analysis process.
Learn what network monitoring challenges IT teams must overcome to support the remote workforce.