
Protocol Analysis and Protocol Analyzer

Network protocol analysis is the process by which a program or device decodes network protocol headers and trailers in order to understand the data and information inside the packet encapsulated by the protocol. To conduct protocol analysis, packets must be captured, either in real time for line-speed analysis or stored for later analysis. Such a program or device is called a Protocol Analyzer.

In the typical network architecture, a layered approach is used to design network protocols and communications. The most popular network architecture reference model is called the OSI model. The protocols at one layer should communicate with protocols at the same layer. The key function of a protocol analyzer is to decode the protocol at each layer. Protocol information of multiple layers may be used by the protocol analyzer to identify possible problems in the network communication. This protocol analysis is called Expert Analysis and is deployed by many leading protocol analyzer products, such as Network General Sniffer Pro, for advanced network troubleshooting. Some other protocol analyzers decode multiple layer protocols and packets to re-construct lower level packets (such as IP or TCP level) into higher level (such as application level) messages to make network traffic easy to view and understand. This technique is used in protocol analyzers when network traffic monitoring for user surveillance is the primary goal. The Javvin Packet Analyzer is an example of this type of tool.
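The layered decoding described above, as an added example that is not part of the original page or of any of the products it names: a small Python decoder that walks one constructed Ethernet/IPv4/TCP frame layer by layer and hands the remaining bytes up to the next layer, ending with the application-level payload. The frame, MAC addresses and IP addresses are constructed sample values, and each header-supplied length is bounds-checked before it is used, since a capture tool's decoder is parsing untrusted input.

```python
import struct

# Constructed sample frame: Ethernet II -> IPv4 -> TCP carrying a short HTTP
# request line (built inline for this example, not a real capture).
def build_sample_frame() -> bytes:
    payload = b"GET / HTTP/1.1\r\n"
    # TCP: sport 40000, dport 80, seq 1, ack 0, data offset 5 words, flags PSH|ACK,
    # window 65535, checksum 0 (not validated below), urgent pointer 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: version 4 / IHL 5, TOS 0, total length, id 1, no flags, TTL 64,
    # protocol 6 (TCP), checksum 0, src 192.0.2.10, dst 198.51.100.20
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    # Ethernet II: dst MAC, src MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload

def decode_frame(frame: bytes) -> dict:
    """Decode one layer at a time, passing the remaining bytes to the next layer."""
    layers = {}
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["eth"] = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "type": ethertype}
    rest = frame[14:]
    if ethertype != 0x0800:
        return layers                       # not IPv4: nothing more to decode here
    if len(rest) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _, total_len, _, _, ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", rest[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Header-supplied lengths are untrusted input: bound them before slicing.
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(rest):
        raise ValueError("malformed IPv4 header")
    layers["ip"] = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                    "ttl": ttl, "proto": proto}
    rest = rest[ihl:total_len]
    if proto != 6:
        return layers                       # only TCP is decoded in this example
    if len(rest) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", rest[:20])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(rest):
        raise ValueError("malformed TCP header")
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "flags": flags, "win": win}
    layers["payload"] = rest[doff:]         # application-level bytes, e.g. HTTP
    return layers
```

A real analyzer adds checksum verification, IP fragment and TCP stream reassembly on top of this per-packet decode before it can present application messages.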

Protocol Analyzers can be used both for legitimate network management functions and for stealing information off a network. Network operations and maintenance personnel use Protocol Analyzers to monitor network traffic, analyze packets, watch network resource utilization, conduct forensic analysis of network security breaches and troubleshoot network problems. Unauthorized protocol analyzers can be extremely dangerous to a network's security because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hacker's arsenal.

There are many protocol analyzer products on the market. The market size for this is nearly one billion dollars. There are two basic types of protocol analyzers: portable and distributed.

Portable protocol analyzers are stand-alone devices or software that can be installed in a PC. Portable protocol analyzers can perform data capture and have both real-time and play-back data analysis functions. The price of portable protocol analyzers ranges from a few hundred dollars to tens of thousands of dollars, depending on the vendor, the network (Ethernet, Gigabit Ethernet, Optical media WAN links, etc.) to monitor and the types of data analysis that are done. A portable protocol analyzer is typically used by small companies or field engineers of larger companies.

Distributed protocol analyzers have two parts: a Monitoring Probe, which is a device or software program deployed at various points in the network; and a Console, which is a software package installed in the Network Operation Center (NOC) to centrally monitor all Probes. The distributed protocol analyzer is typically deployed by large enterprises to monitor their networks from a centralized location such as a NOC. The cost of deploying a distributed protocol analyzer ranges from tens of thousands of dollars to millions of dollars. In addition to packet capturing and analysis, the distributed protocol analyzer also retrieves and uses SNMP and RMON data for additional network information.

The leading vendors in the portable protocol analyzer include: Network General, Agilent Technologies, Wildpackets and Javvin Technologies. The leading vendors in the distributed protocol analyzer include Network General and Netscout. There are also open source programs, such as Ethereal, available for public usage.

The network protocol analyzer is also called a network sniffer, packet analyzer, network sniffing tool, network analyzer, etc.

| Properties | Javvin Packet Analyzer | Network General Sniffer Basic | Wildpackets Etherpeek |
|---|---|---|---|
| Packet Capturing | Ethernet 10/100 | Ethernet 10/100 | Ethernet 10/100 |
| Analysis | Protocol analysis and packet re-construction to application message level | Simple protocol analysis; Expert Analysis not included (only in the Sniffer Pro version) | Simple protocol analysis; Expert Analysis not included (only in the Etherpeek NX version) |
| Protocol decode | All TCP/IP protocols | TCP/IP protocols plus some legacy protocols | TCP/IP protocols plus some legacy protocols |
| Filters | Yes | Yes | Yes |
| Ease of use | 30 minutes self training | One week training by vendor | One week training by vendor |
| Price | $249 | > $6000 | about $1000 |
| Reporting | Log files for anytime analysis | Log files for anytime analysis; additional reporting package | Log files for anytime analysis |

Related Terms: Sniffer, Packet Analyzer, Packet Analysis

Reference Links:
http://www.javvin.com/packet.html: Packet Analyzer
