Network Protocol Analyzers
| SNo | Tool | Tool Description | Open Source | Platform | Functions |
|---|---|---|---|---|---|
| 1 | Nessus | The premier Open Source vulnerability assessment tool | Yes | Windows, *NIX | Nessus is plug-in-based, has a GTK interface, and performs over 1200 remote security checks. It allows reports to be generated in HTML, XML etc. If a host runs the same service twice or more, Nessus will test all of them. |
| 2 | NMap (http://www.insecure.org/nmap/index.html) | Network Mapper | Yes | Windows, *NIX, Mac OS X, more | Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. |
| 3 | Ethereal (http://www.ethereal.com/) | Network Protocol Analyzer | Yes | Windows, *NIX | It allows you to examine data from a live network or from a capture file on disk, and to interactively browse the capture data, viewing a summary for each packet. It includes a rich display filter language and the ability to view the reconstructed stream of a TCP session. |
| 4 | GFI LANguard (http://www.gfi.com/lannetscan/) | Network Security Scanner | No | Windows | GFI LANguard automatically detects security vulnerabilities on your network. It scans your entire network, IP by IP, and provides information such as the service pack level of the machine, missing security patches, wireless access points, USB devices, open ports, services/applications active on the computer, key registry entries, weak passwords and more. It is also a complete patch management solution. |
| 5 | TCPDump / WinDump (http://www.tcpdump.org/, http://www.winpcap.org/windump/) | The classic sniffer for network monitoring and data acquisition | Yes | Windows, *NIX | It can be used to print out the headers of packets on a network interface that match a given expression. You can use this tool to track down network problems or to monitor network activities. Tcpdump is a well-known text-based network packet analyzer. |
| 6 | EtherPeek | Ethernet network traffic and protocol analyzer | No | Windows | If the TCP/IP sessions are "hanging," EtherPeek can show you which system sent the last packet, and which system failed to respond. If you are experiencing slow screen updates, EtherPeek can display delta time stamps and show which system is waiting for packets, and which system is slow to … |
| 7 | Retina (http://www.eeye.com/html/Products/Retina/index.html) | Commercial vulnerability assessment scanner | No | Windows | Retina discovers networked devices, through wired and wireless connections, and will identify which operating systems, applications, databases and wireless access points are present. Any unauthorized applications, such as P2P or malware, will be detected. |
| 8 | NetCat (http://www.atstake.com/research/tools) | The network swiss army knife. It is designed to be the network equivalent of a swiss-army knife, unifying your … | No | Windows, *NIX | A simple Unix utility which reads and writes data across network connections, using TCP or UDP. |
| 9 | Cheops | | Yes | Linux | Organizes the network as a map which shows the routes taken to reach each area of your network, and detects the OS running on each system. Has a generalized TCP port scanner. |
| 10 | Cheops-ng (http://cheops-ng.sourceforge.net/) | Next generation Cheops: the network Swiss Army Knife | Yes | Linux | 1. Network management tool for mapping and monitoring your network. 2. It has host/network discovery functionality as well as OS detection of hosts. 3. On some services, cheops-ng is actually able to see what program is running for a service and the version number of that program. |
| 11 | DSniff | A collection of tools for network auditing and penetration testing | Yes | Windows, *NIX | Dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy are the tools used to monitor a network for interesting data. Arpspoof, dnsspoof and macof facilitate the interception of network traffic. |
| 12 | SARA | Security Auditor's Research Assistant: the third generation network security analysis tool | No | Windows, *NIX, Mac OS X | Advanced Research's philosophy relies heavily on software re-use. Rather than inventing a new module, SARA is adapted to interface to other community products. For instance, SARA interfaces with the popular NMAP package for superior "Operating System fingerprinting". Also, SARA provides a transparent interface to SAMBA for SMB security … |
| 13 | EtterCap (http://ettercap.sourceforge.net/) | Network Sniffer / Interceptor for Ethernet LANs | Yes | Windows, *NIX, Mac OS X | Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. |
| 14 | Sam Spade (http://www.samspade.org/ssw/w2k.html) | Freeware Windows network query tool | No | Windows NT, 98, 2000 | Samspade was designed with tracking down spammers in mind. It is also useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger etc. |
| 15 | EtherApe (http://www.isc.org/index.pl?/sw/bind/) | Graphical network monitor for Unix | Yes | *NIX | User may select what level of the protocol stack to …; you may either look at traffic within your network, end-to-end IP, or even port-to-port TCP. Data can be captured "off the wire" from a live network connection, or read from a tcpdump capture file. Live data can be read from Ethernet, FDDI, PPP and SLIP interfaces. |
| 16 | Hping2 (http://www.hping.org/) | A network probing utility like ping on steroids | Yes | *NIX | Hping2 assembles and sends custom ICMP/UDP/TCP packets and displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful for firewall testing, remote TCP/IP stack auditing and advanced port scanning. |
| 17 | Super Scan (http://www.foundstone.com/index.htm?) | Powerful TCP port scanner, pinger, resolver | No | Windows | Support for unlimited IP ranges. TCP SYN scanning. UDP scanning (two methods). Source port scanning. A selection of useful tools (ping, traceroute, whois etc). Extensive Windows host enumeration capability. |
| 18 | Fragroute | IDS systems' worst nightmare | Yes | Windows, Linux, BSDs | Fragroute intercepts, modifies, and rewrites egress traffic, implementing most of the attacks described in the Secure Networks IDS Evasion paper. |
| 19 | SAINT (http://www.saintcorporation.com/products/saint_engine.html) | Security Administrator's Integrated Network Tool | No | *NIX | SAINT detects and fixes possible weaknesses in the network's security before they can be exploited by intruders. Anticipate and prevent common system vulnerabilities. SAINTwriter software allows network administrators to design and generate vulnerability assessment reports quickly and easily. |
| 20 | Fport (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&su…) | Foundstone's enhanced netstat | | Windows | Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same as the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. |
| 21 | Tcptraceroute (http://michael.toren.net/code/tcptraceroute/) | Traceroute implementation using TCP packets | Yes | Linux | By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters. |
| 22 | IpTraf | IP Network Monitoring Software | Yes | Linux | Gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts. |
| 23 | Ntop (http://www.ntop.org/ntop.html) | A network traffic usage monitor | No | Windows, *NIX | Ntop shows network usage. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic … |
| 24 | Solar Winds | A plethora of network discovery / monitoring / attack tools | No | Windows | SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security related tools include many network discovery scanners and an SNMP brute-force cracker. |
| 25 | Ngrep (http://www.packetfactory.net/projects/ngrep/) | A pcap-aware tool | Yes | Windows, *NIX | Ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP, ICMP, IGMP and Raw protocols across Ethernet, PPP, SLIP, FDDI, Token Ring and 802.11, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop. |
| 26 | Snort (http://www.snort.org/) | A free intrusion detection system (IDS) | Yes | Windows, *NIX | Snort is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks etc. |
| 27 | Arpwatch | Ethernet monitor program | Yes | Windows, Linux | Written in C. Keeps track of Ethernet/IP address pairings and can detect certain monkey business. |
| 28 | Tcpreplay (http://tcpreplay.sourceforge.net/) | It provides the ability to use previously captured traffic in libpcap format to test a variety of network … | Yes | *NIX | tcpprep: multi-pass pcap file pre-processor which determines packets as client or server and creates cache files used by tcpreplay and …; tcprewrite: pcap file editor which rewrites TCP/IP and Layer 2 packet headers; tcpreplay: replays pcap files at arbitrary speeds onto the network; tcpbridge: bridge two network segments with the power of tcprewrite. |
| 29 | Net Filter (http://www.netfilter.org/) | Kernel packet filter/firewall | Yes | Linux | Netfilter is a powerful packet filter which is implemented in the standard Linux kernel. The userspace iptables tool is used for configuration. It now supports packet filtering and packet mangling. Netfilter allows kernel modules to register callback functions with the network stack. |
| 30 | Firewalk (http://www.packetfactory.net/projects/firewalk/) | Advanced traceroute | Yes | *NIX | Firewalk employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. It is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. |
| 31 | Hunt | An advanced packet sniffing and connection intrusion tool | No | Linux | Hunt can watch TCP connections, intrude into them, or reset them. Hunt is meant to be used on Ethernet, and has active mechanisms to sniff switched connections. Advanced features include selective ARP relaying and connection synchronization after … |
| 32 | Fragroute | IDS systems' worst nightmare | Yes | Windows, *NIX | Fragroute intercepts, modifies, and rewrites egress traffic. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host. This tool was written to test intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. |
| 33 | KSniffer (http://www.tucows.com/preview/31971) | A network statistics collector, i.e., a sniffer | | | Ksniffer allows a user to watch all network traffic over any network interfaces connected to a host machine. It supports most TCP/IP protocols and collects the number of packets as well as the number of bytes for each protocol. Activity is displayed in terms of protocol, bytes/protocol, kbits/sec, packets/sec etc. |
| 34 | Shadow Network Spy (http://www.safety-lab.com/en/products/imsniffer.htm) | An ICQ Sniffer | | | ICQ Sniffer is a handy network utility to capture and log ICQ chat from computers within the same LAN. It supports messaging through the ICQ server in plain text, RTF, or HTML format. It is easy to run the Shadow Network Spy on any computer on your network. Click the start button to capture. It will record any conversation from any PC within the same … |
| 35 | Pf (http://www.benzedrine.cx/pf.html) | The innovative packet filter in OpenBSD | Yes | OpenBSD, NetBSD, FreeBSD | Filters network packets. |
| 36 | Network Security Scanner | Network vulnerability scanner | No | All | Scans servers built practically on any platform. Because of a fully open (ActiveX-based) architecture, any professional with knowledge of VC++, C++ Builder or Delphi may easily expand the capabilities of the Scanner. Detailed scan session log in HTML, XML, PDF, RTF and CHM (compiled HTML) formats. |
| 37 | fping (http://www.fping.com/) | A parallel ping scanning program | Yes | Linux | Instead of trying one host until it times out or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable. Can be used in scripts and the output is easy to … |
| 38 | TCP Wrappers (ftp://ftp.porcupine.org/pub/security/index.html) | A classic IP-based access control and logging mechanism | Yes | Solaris, BSD | Can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other … |
| 39 | Paketto Keiretsu | Extreme TCP/IP | No | Linux, BSD | The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. They tap functionality within existing infrastructure and stretch protocols beyond what they were originally intended for. |
| 40 | Stunnel | Allows you to encrypt arbitrary TCP connections inside SSL | Yes | Windows, *NIX | Stunnel can allow you to secure non-SSL-aware daemons and protocols (like POP, IMAP, LDAP, etc.) by having Stunnel provide the encryption, requiring no changes to the daemon's code. |
| 41 | Honeyd (http://www.citi.umich.edu/u/provos/honeyd/) | Your own personal Honeynet | Yes | Windows, Linux, BSD | A small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. It is also possible to proxy services to another machine rather than simulating … |