Last Friday I posted a list of free packet sniffers. There, I promised to write about my favorite tool. You might have guessed that it is Ethereal, since it probably is the most popular free network packet sniffer. It has many features which its free rivals lack. This also holds against the free sniffer SmartSniff, which is a much simpler tool. However, SmartSniff has some features which are quite useful for system administrators and which Ethereal lacks. Its founder, Gerald Combs, recently transferred to a new company and had to rename Ethereal to Wireshark. There might be two different packet sniffers in the future. At the moment, the two tools have the same features, though.
1. Ease of use
I use a packet sniffer maybe once or twice a year. Usually, I want to analyze the network behavior of a malfunctioning application or network device. Sometimes, one of our computers shows suspicious behavior, and I want to know what is going on in our network. So, in most cases, I have to use a packet sniffer under time pressure. Although I have known Ethereal for some time, it always takes me quite a while to remember how to configure it to get the information I want. When I used SmartSniff for the first time, on the other hand, I was able to work with it immediately.
2. Real time display
Both tools are able to display the captured packets in real time. This is useful if you are testing an application, since you immediately see the network traffic change when you change the application's configuration. The problem with Ethereal is that it displays all captured packets in the order they arrive at the network interface. SmartSniff is a bit smarter here. It counts the packets of the same type, i.e. with the same ports and IP addresses, and displays them in one row. This way, you get a much faster overview of the network traffic than with Ethereal. With SmartSniff, I often don't even have to configure a filter to get the information I need.
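The one-row-per-conversation view described above is easy to reproduce yourself, which is handy when all you have is a packet list from another tool. The following script is an added example written for this post; it is not SmartSniff's or Wireshark's code, and the packet records in SAMPLE_PACKETS are constructed values (documentation IP ranges), not a real capture. It groups packets by protocol and the unordered pair of IP:port endpoints, so both directions of a connection fall into the same row, counts packets and bytes per direction, and prints the busiest conversation first.

```python
from dataclasses import dataclass

# Constructed sample capture records, not real traffic:
# (protocol, source IP, source port, destination IP, destination port, frame length in bytes)
SAMPLE_PACKETS = [
    ("TCP", "192.0.2.10", 51234, "198.51.100.5", 80, 74),
    ("TCP", "198.51.100.5", 80, "192.0.2.10", 51234, 74),
    ("TCP", "192.0.2.10", 51234, "198.51.100.5", 80, 66),
    ("TCP", "192.0.2.10", 51234, "198.51.100.5", 80, 517),
    ("TCP", "198.51.100.5", 80, "192.0.2.10", 51234, 1514),
    ("UDP", "192.0.2.10", 53412, "192.0.2.1", 53, 71),
    ("UDP", "192.0.2.1", 53, "192.0.2.10", 53412, 135),
    ("TCP", "192.0.2.77", 49999, "198.51.100.5", 80, 74),
]


@dataclass
class Conversation:
    """One summary row: every packet between two IP:port endpoints, in either direction."""
    initiator: tuple           # (ip, port) of the endpoint that sent the first packet we saw
    packets: int = 0
    byte_count: int = 0
    to_responder: int = 0      # packets sent by the initiator
    to_initiator: int = 0      # packets sent back to it


def conversation_key(proto, src_ip, src_port, dst_ip, dst_port):
    """Order the two endpoints so that A->B and B->A packets land in the same row."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (proto, lo, hi)


def aggregate(packets):
    """Fold a packet list into a dict of Conversation rows keyed by conversation_key()."""
    rows = {}
    for proto, src_ip, src_port, dst_ip, dst_port, length in packets:
        key = conversation_key(proto, src_ip, src_port, dst_ip, dst_port)
        row = rows.get(key)
        if row is None:
            row = Conversation(initiator=(src_ip, src_port))
            rows[key] = row
        row.packets += 1
        row.byte_count += length
        if (src_ip, src_port) == row.initiator:
            row.to_responder += 1
        else:
            row.to_initiator += 1
    return rows


def render(rows):
    """Return the rows as text lines, busiest conversation first, for a quick overview."""
    lines = []
    for key, row in sorted(rows.items(), key=lambda kv: kv[1].packets, reverse=True):
        proto, lo, hi = key
        responder = hi if row.initiator == lo else lo
        lines.append(
            f"{proto} {row.initiator[0]}:{row.initiator[1]} <-> {responder[0]}:{responder[1]}"
            f"  packets={row.packets} ({row.to_responder}/{row.to_initiator}) bytes={row.byte_count}"
        )
    return lines


if __name__ == "__main__":
    for line in render(aggregate(SAMPLE_PACKETS)):
        print(line)
```

Sorting by packet count puts chatty connections at the top, which is usually what you want when a machine behaves suspiciously: an unexpected host:port pair with a large packet count stands out in three rows where it would be buried in hundreds of individual packets.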
3. Standalone application
SmartSniff is a standalone application. You can run its executable anywhere without installing the tool. This is quite useful if you have to manage several subnets. You can connect by RDP to a machine in the subnet in question, start SmartSniff, and there you go. Quite smart, isn't it?
4. Raw socket support
Now you might object that you have to install WinPcap first, anyway. WinPcap is a driver that most packet sniffers need to capture network packets while bypassing the protocol stack. SmartSniff works best if you use WinPcap, but it also does its job without it. So in most cases you can indeed use it without installing anything on the computer. SmartSniff can use the raw socket feature of Windows 2000/XP. There are two limitations, though. You can't capture outgoing ICMP and UDP packets, and if you only have SP1 on a Windows XP machine, SmartSniff won't be able to capture any outgoing packets. This is due to a bug in SP1 which was fixed in SP2.
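To make the raw-socket mode concrete: on Windows, a process with administrator rights can open a raw IP socket, bind it to a local interface address and switch on the SIO_RCVALL I/O control, after which the socket receives a copy of every IP datagram that passes that interface, without any capture driver. The script below is an added example for this post, not code from SmartSniff; the capture function only works on Windows and needs elevated rights, while the IPv4 header parser and the constructed sample datagram (documentation addresses, not a real packet) run anywhere. What you receive starts at the IP header, there is no Ethernet frame, and, as the post notes, the outgoing direction may be incomplete depending on the protocol and service pack.

```python
import socket
import struct
import sys

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4(data):
    """Decode the IPv4 header and, for TCP/UDP, the port pair that follows it."""
    if len(data) < 20:
        raise ValueError("datagram shorter than a minimal IPv4 header")
    (version_ihl, _tos, total_length, _ident, _flags_frag,
     ttl, proto, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    header_len = (version_ihl & 0x0F) * 4          # IHL is in 32-bit words
    sport = dport = None
    if proto in (6, 17) and len(data) >= header_len + 4:
        sport, dport = struct.unpack("!HH", data[header_len:header_len + 4])
    return {
        "proto": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": sport,
        "dport": dport,
        "ttl": ttl,
        "length": total_length,
    }


def build_sample_udp():
    """Construct a small IPv4/UDP datagram (DNS-shaped, checksums left at zero) for offline testing."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 53412, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.1"))
    return ip + udp


def capture_raw(host_ip, max_packets=20):
    """Windows-only: receive every IP datagram on the interface that owns host_ip (administrator required)."""
    if sys.platform != "win32":
        raise RuntimeError("SIO_RCVALL raw capture is only available on Windows")
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    sock.bind((host_ip, 0))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)   # hand us the IP header as well
    sock.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)            # "see all" mode on this interface
    seen = []
    try:
        for _ in range(max_packets):
            data, _addr = sock.recvfrom(65535)
            seen.append(parse_ipv4(data))
    finally:
        sock.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        sock.close()
    return seen


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) == 2:
        for pkt in capture_raw(sys.argv[1]):       # argument: the local interface address to listen on
            print(pkt)
    else:
        print(parse_ipv4(build_sample_udp()))
```

Run as `python rawcap.py <local-interface-ip>` from an elevated prompt on Windows to see live datagrams decoded; on any other system, or without an argument, it decodes the constructed sample instead.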
So all in all, I think SmartSniff is a better choice than Ethereal/Wireshark for the average system administrator. Of course, Ethereal/Wireshark is a much more sophisticated tool. I still use it when I need statistics about the network traffic. However, in most cases, I get the information I need faster with SmartSniff.