
How to Detect and Analyze Network Threats Using a Network Packet Analyzer

A network packet analyzer, also called a protocol analyzer, sniffer, network analyzer or network sniffing tool, is well known as a great tool for troubleshooting network problems and monitoring network traffic. It can also be used to detect and analyze security threats, as well as to keep track of network devices and uptime. Certain features of a network packet analyzer can be set to monitor for virus and attack signatures and offer quick ways of isolating infected systems.

Network Packet Analyzers Working with IDS, Firewalls and Anti-virus Systems

A typical network packet analyzer can capture all packets, decode the different protocols, and present the results in human-readable form. Most mature analyzers also include some statistical reporting functionality. By watching network traffic, understanding bandwidth utilization, and reviewing connection dynamics, administrators can easily determine which station is causing a problem and why.

The network packet analyzer can be used as a supplementary tool to your anti-virus and IDS systems. Why? Anti-virus and IDS systems are designed to prevent the incursion of known viruses and attacks. Hackers have the same access to all the threat bulletins and Windows patches that you have, and are always looking for new vulnerabilities. In other words, your firewalls and operating systems often won’t get a patch until the damage is already done. On the other hand, threats coming from inside are not well covered by firewall and IDS systems, which are designed and deployed to protect against attacks coming from outside. In fact, more than 75% of threats are caused by insiders, through imported disks, deliberate actions by employees, and visitors bringing in infected laptops.

Using a Network Packet Analyzer to Find and Isolate Infected Systems

A network packet analyzer can save a valuable amount of time in locating a virus, because viruses and hacker attacks typically generate a recognizable pattern or “signature” of packets. A network packet analyzer can identify these packets using a packet filter and alert the administrator. Of course, this assumes that the virus and its signature have been incorporated into the analyzer’s list of packet filters.

New viruses and worms have different signatures, but once systems have been successfully breached, the hackers may do the following things with your network:

  • Use your systems in a Denial of Service (DoS) on a third party. A good network packet analyzer can easily identify such systems by the traffic they generate.
  • Use your system as an FTP server to distribute “warez” and other illegal files. You can configure an analyzer to look for FTP traffic or traffic volume where it is unexpected.
  • The very nature of viruses and worms is to produce unusual levels of network traffic, which are logged in the analyzer’s record, allowing the administrator to follow up on suspicious traffic patterns.

What are key features of an Analyzer used as a security supplementary tool?

To be useful as a network security tool, the analyzer must have the following characteristics:

  • Application analysis: This feature allows you to analyze network traffic at the application level and to view the whole message, such as a complete email. This is important because email is one of the main sources of many viruses.
  • Capture and decode all of the protocols from your network
  • Flexible filtering that allows triggered notification
  • Have as much visibility as possible by deploying the network packet analyzers in each network segment or have a distributed analyzer with probes deployed in each segment.
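The two lists above (the post-breach traffic patterns an analyzer can spot, and the "flexible filtering that allows triggered notification" feature) can be made concrete with a small detector. The following is an added example written for this article, not code from the original page or from any particular analyzer product. It runs three packet filters over a constructed capture: FTP control traffic arriving at a host that is not an approved FTP server, a single source sending enough packets to one destination to look like a DoS flood, and a host whose total outbound volume is far above the expected level, and calls a notification hook for every hit. All addresses, the approved-server list, the thresholds and the capture itself are assumptions chosen for illustration.

```python
"""Added example: signature-style packet filters with triggered notification.
Hosts, thresholds and the capture below are constructed, not real traffic."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal summary of one captured packet (what an analyzer would decode)."""
    src: str
    dst: str
    proto: str   # "TCP", "UDP" or "ICMP"
    dport: int   # destination port (0 for ICMP)
    size: int    # bytes on the wire


# Constructed sample capture. 10.0.0.10 is the sanctioned FTP server;
# 10.0.0.5 is a workstation that has quietly become an FTP server;
# 10.0.0.9 is flooding a third party with UDP.
SAMPLE_CAPTURE = (
    [Packet("10.0.0.2", "10.0.0.10", "TCP", 21, 300)] * 2          # legitimate FTP
    + [Packet("192.0.2.7", "10.0.0.5", "TCP", 21, 120)] * 6        # FTP into a workstation
    + [Packet("10.0.0.9", "198.51.100.1", "UDP", 53, 1400)] * 60   # flood toward a third party
    + [Packet("10.0.0.3", "10.0.0.10", "TCP", 80, 800)] * 5         # normal web traffic
)

APPROVED_FTP_SERVERS = {"10.0.0.10"}  # assumption: the only host allowed to serve FTP
FLOOD_THRESHOLD = 50                  # packets from one src to one dst per capture window
VOLUME_THRESHOLD = 20000              # bytes sent by one host per capture window


def filter_unexpected_ftp(packets):
    """Filter 1: FTP control traffic (TCP/21) to any host not on the approved list."""
    return sorted({p.dst for p in packets
                   if p.proto == "TCP" and p.dport == 21
                   and p.dst not in APPROVED_FTP_SERVERS})


def filter_flood_sources(packets, threshold=FLOOD_THRESHOLD):
    """Filter 2: (src, dst) pairs whose packet count suggests a DoS on dst."""
    pairs = Counter((p.src, p.dst) for p in packets)
    return sorted(pair for pair, n in pairs.items() if n >= threshold)


def filter_high_volume_hosts(packets, threshold=VOLUME_THRESHOLD):
    """Filter 3: hosts whose total bytes sent exceed the expected level."""
    sent = defaultdict(int)
    for p in packets:
        sent[p.src] += p.size
    return sorted(h for h, total in sent.items() if total >= threshold)


def run_filters(packets, notify=print):
    """Apply every filter, call notify() once per hit, and return the alerts.

    notify is the 'triggered notification' hook; a real deployment would
    send mail or open a ticket instead of printing.
    """
    alerts = []
    for host in filter_unexpected_ftp(packets):
        alerts.append(("unexpected-ftp-server", host))
    for src, dst in filter_flood_sources(packets):
        alerts.append(("possible-dos-source", f"{src}->{dst}"))
    for host in filter_high_volume_hosts(packets):
        alerts.append(("high-volume-host", host))
    for kind, detail in alerts:
        notify(f"ALERT {kind}: {detail}")
    return alerts


if __name__ == "__main__":
    run_filters(SAMPLE_CAPTURE)
```

Running the block prints three alerts: the workstation 10.0.0.5 accepting FTP connections, 10.0.0.9 as a likely DoS source against 198.51.100.1, and 10.0.0.9 again as a high-volume sender. The thresholds are deliberately per-capture-window constants; in practice they would be derived from a baseline of normal traffic on each segment, which is why the article stresses having an analyzer or probe in every segment.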