Network traffic analysis for IR: Alternatives to Wireshark
It is almost impossible to leave a conversation with a cybersecurity professional, take an introductory networking class, or break into ethical hacking without hearing about Wireshark. Wireshark is arguably the most popular tool and likely the gold standard when it comes to network protocol capture and analysis.
From the moment the software runs, Wireshark presents to users a very detailed look at the activities occurring on a network and presents data ready for analysis across hundreds of protocols.
However, without a proper introduction and training with the tool, Wireshark can be very daunting to decipher and understand. Similarly, it may be delivering you more data in an interface that may not always meet your particular needs. That is why this article will lay out some common alternatives to Wireshark that you could easily add to your information security toolbox.
Wireshark overview
While this article can serve as an introduction to several other powerful alternatives to Wireshark, there are arguably no other tools out there on the market — open-source and commercially available — that will tell you all of the information about a packet flying across your network like Wireshark does. Originally named Ethereal when it was released back in 1998, the open-source packet analyzer was renamed to Wireshark in 2006 and has since taken the computer science world by storm.
At its core, Wireshark puts its host’s network interface controllers into promiscuous mode so that all the traffic passing by the interface is made visible to the user in its user interface. As it works, Wireshark’s dissectors break down what each packet is and the information it is carrying (depending on the security protocols of the traffic), whether over the air or off the wire. In other words, Wireshark works just like the native tcpdump command reading traffic off of the transport layer of the OSI model, but with a host of built-in tools and features.
Over the years, the Wireshark team and the larger cybersecurity and network engineering community have published many tutorials, how-to guides and references to assist users in taking advantage of the advanced features built into Wireshark. However, if you have a more specific goal or objective in mind for what you would like to accomplish in your network analysis, one of the following tools may fit your needs better.
Alternatives to Wireshark
Depending on your needs, working environment and level of expertise, the following alternatives to Wireshark are worth a closer look.
tcpdump
If you are familiar with the command line or commonly work in network troubleshooting or network management, tcpdump is one of the tools that you may end up preferring over Wireshark. The tcpdump command presents to the user the actual network packets running across a wired or wireless network without having to switch to a separate Windows or Linux environment while working at the command line.
Obviously, tcpdump is not as visually organized and feature-rich as Wireshark, but its data capture can be saved and exported for use by other programs and is a quick and simple way to monitor incoming or outgoing traffic without having to run a separate piece of software.
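Wireshark's dissectors and tcpdump's saved captures meet in the libpcap file format: a capture written with `tcpdump -w` can be opened by Wireshark or by any program that understands that format. The following Python script is an added example, not code from the article or from either project. It constructs a two-packet capture inline (a TCP SYN and a UDP datagram, both constructed sample data using documentation IP ranges), reads the pcap container the way a tool would, and dissects each frame down to Ethernet, IPv4 and TCP/UDP, producing tcpdump-style one-line summaries. It assumes the classic libpcap format (not pcapng) with an Ethernet link type; all function names are this example's own.

```python
"""Minimal pcap reader and dissector (added example, not from the article).

Assumptions: classic libpcap format (magic 0xa1b2c3d4 or its byte-swapped form),
link type 1 (Ethernet), IPv4 carrying TCP or UDP. Anything else is reported
as-is or rejected with ValueError rather than guessed at.
"""
import struct
from typing import Iterator

PCAP_MAGIC_LE = 0xA1B2C3D4          # written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic read from a big-endian file
LINKTYPE_ETHERNET = 1

TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"),
                    (0x08, "P"), (0x10, "."), (0x20, "U")]   # tcpdump style


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture: a TCP SYN and a UDP datagram to port 53.
    IP/TCP/UDP checksums are left at zero; this is sample data, not real traffic."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    src_ip, dst_ip = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 80])

    def ipv4(proto: int, payload: bytes, dst: bytes) -> bytes:
        # version 4, IHL 5 (20 bytes), DF set, TTL 64, checksum 0 (constructed)
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                           0x4000, 64, proto, 0, src_ip, dst) + payload

    tcp_syn = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 0x5002, 65535, 0, 0)
    udp_payload = b"constructed"
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(udp_payload), 0) + udp_payload

    frames = [
        (1700000000, 0, eth + ipv4(6, tcp_syn, dst_ip)),
        (1700000000, 500000, eth + ipv4(17, udp, bytes([198, 51, 100, 53]))),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[tuple[float, bytes]]:
    """Yield (timestamp, frame bytes) for each record; reject truncated files."""
    if len(data) < 24:
        raise ValueError("file shorter than the pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    *_, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")   # a partial final record
        offset += incl_len
        yield sec + usec / 1e6, frame


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def dissect_frame(frame: bytes) -> dict:
    """Peel Ethernet -> IPv4 -> TCP/UDP, validating lengths at every layer."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info = {"eth_src": _mac(src), "eth_dst": _mac(dst), "ethertype": ethertype}
    if ethertype != 0x0800:
        info["proto"] = "non-IPv4"
        return info
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = \
        struct.unpack_from("!BBHHHBBH4s4s", ip, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    info.update(src_ip=_ipv4(s), dst_ip=_ipv4(d), ttl=ttl)
    transport = ip[ihl:total_len]        # ignore Ethernet padding past total_len
    if proto == 6:
        if len(transport) < 20:
            raise ValueError("short TCP header")
        sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", transport, 0)
        data_off = (off_flags >> 12) * 4
        if data_off < 20 or data_off > len(transport):
            raise ValueError("bad TCP data offset")
        flags = "".join(ch for bit, ch in TCP_FLAG_LETTERS if off_flags & bit) or "none"
        info.update(proto="TCP", src_port=sport, dst_port=dport, seq=seq,
                    tcp_flags=flags, payload=transport[data_off:])
    elif proto == 17:
        if len(transport) < 8:
            raise ValueError("short UDP header")
        sport, dport, length, _csum = struct.unpack_from("!HHHH", transport, 0)
        if length < 8 or length > len(transport):
            raise ValueError("bad UDP length")
        info.update(proto="UDP", src_port=sport, dst_port=dport,
                    payload=transport[8:length])
    else:
        info.update(proto=f"ip-proto-{proto}", payload=transport)
    return info


def summarize(data: bytes) -> list[str]:
    """One tcpdump-like line per packet, the form an analyst skims in triage."""
    lines = []
    for _ts, frame in read_pcap(data):
        p = dissect_frame(frame)
        line = (f"{p['proto']} {p['src_ip']}:{p['src_port']} > "
                f"{p['dst_ip']}:{p['dst_port']} len={len(p['payload'])}")
        if p["proto"] == "TCP":
            line += f" flags=[{p['tcp_flags']}]"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in summarize(build_sample_pcap()):
        print(line)
```

The same `read_pcap` loop is what lets a capture saved with `tcpdump -w` be handed to another program: the container is just a 24-byte header followed by length-prefixed records, and every per-packet detail comes from dissecting the frame bytes inside each record. The explicit length checks matter in practice, because a capture cut off by a full disk or an interrupted `tcpdump` commonly ends in a partial record.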
CloudShark
In addition to having a similar name, CloudShark is a very popular alternative to Wireshark because of its dashboard-based interface that gives users plenty of filtering, sharing and advanced analytical features. CloudShark is a commercially available tool installed on either an Apple or Windows device that uses a web-based platform to view, analyze and share packet capture files on public or private internal servers in a Dropbox-like style.
CloudShark is a popular option because it allows network analysis to occur within a web browser, keeping the user in that environment so that performance, network activity and other analysis can be conducted in real time. CloudShark’s interface can also be arranged and its data shared with others for ease of use and to enable collaboration with clients or colleagues.
Finally, unlike Wireshark, CloudShark is compatible with many application APIs to ease tool integration. Its output can also be shared with and viewed from multiple devices, including mobile, without special software.
Colasoft Capsa
Colasoft Capsa is known in the network engineering community for its intuitive dashboards packed with great visualizations of network traffic and packet activity. Capsa is available in both free and licensed editions, depending on the number of users and the scale of the network analysis required, but many believe it is worth the cost thanks to its ease of use, intuitive dashboard and ability to be integrated into server management.
Additionally, Capsa is favored for its ability to save and share large amounts of network and application traffic to support collaboration across multiple analysts, including the ability to replay traffic over periods of time. However, its large price tag per enterprise license and its ability to only run on Windows machines are notable drawbacks for some.
Sysdig
Back on the open-source side of the house, Sysdig is a tool created to monitor, secure and troubleshoot network traffic. It’s widely known for its ability to be flexible across Windows and Apple devices and its native integration with container technologies.
Sysdig also comes with its own command-line interface that gives users the ability to quickly navigate its features and handle network traffic in real time, which is very useful for system troubleshooting and debugging. Finally, Sysdig has built-in security features and alerts that can help organizations keep their network devices and data secure as part of a larger cybersecurity platform.
Mojo Packets
Mojo Packets is a nimble and tailored alternative to Wireshark, offering users simple packet trace capabilities across Wi-Fi networks. Great for use on small networks or for troubleshooting network errors, failures or performance issues, Mojo Packets can be used as a stand-alone tool or in conjunction with others thanks to its compatibility and file export and import features.
Mojo Packets can also be used to specifically track packets and analyze network performance on any remote network devices within a larger LAN that it is a part of and comes with a tagging feature to highlight events or flag items for follow-up action.
SolarWinds RMM
SolarWinds is a large name in network traffic analysis, offering a number of tools capable of advanced network monitoring at an enterprise or organizational-wide scale. SolarWinds’ Remote Monitoring and Management tools have, for example, the ability to handle multiple user views of the same network flow, a highly functional dashboard and interface designed to provide deep enterprise network visibility and other tools that support monitoring and troubleshooting.
Ultimately, SolarWinds is designed to help prevent network outages, improve network performance and aid in troubleshooting at a large scale, including the ability to integrate with other network monitoring tools.
Wrap-up
That wraps up a quick summary of some of the best alternatives to Wireshark. Which tool or suite of tools best fits your needs depends on your goals, skill level and the size of the network you are analyzing, with each tool bringing to the table its own advantages over the others as well as drawbacks.
In the end, becoming familiar with each and keeping an eye out for other alternatives we did not include is a great way to stay attuned to the latest in the network traffic analysis domain.
Sources
- Wireshark
- Q&A with the founder of Wireshark and Ethereal, Protocog
- TCPDUMP/LIBPCAP public repository, tcpdump.org
- Mojo Packets™ - Getting Started, app.mojopackets.com
- SolarWinds MSP
- Sysdig