Sunday, December 6, 2009

Analyzer 3.0 (alpha)

What does Analyzer do?

Analyzer is not a simple network sniffer. Here is a brief summary of what it can do.

Network Sniffer
Analyzer can capture (and display) packets on both the local machine and remote probes, thanks to its full support for the Remote Capture functionality of WinPcap.
Additionally, one of its most valuable points is the ability to parse network packets according to the protocol descriptions contained in external files, which can be modified at run-time by the user. These files are written in the new NetPDL language; those interested should read the Protocol Dissectors Section.
Advanced sniffing capabilities
Thanks to its full support for the WinPcap remote capture capabilities, Analyzer is able to display packets currently being captured on another (remote) host. This works even if the remote host is behind a firewall, thanks to the support for Active Mode remote capture. Additionally, Analyzer also supports sampling in order to reduce the amount of traffic sent by the remote host toward Analyzer. Sampling is also available when capturing from a local interface.
End-to-end Reachability Monitor
Analyzer can monitor the reachability of remote hosts (through a set of ICMP ECHO, aka PING, packets), saving the data into a database and computing additional statistics. The user can later retrieve historical data to see how the reachability of a host changed over time.
Additionally, the user can set alarms (e.g. "send an e-mail") that fire on given events (e.g. "host down").
Local Network Host Monitor
Analyzer can discover the active stations on your local network and display their MAC, IPv4 and IPv6 addresses, and their canonical names.
This module can monitor the availability of the stations and signal whether a host is up, is down, and so on. Furthermore, it can detect address spoofing (e.g. when the same IPv4/IPv6 address appears to be bound to more than one MAC address).
Additionally, the user can set alarms (e.g. "send an e-mail") that fire on given events (e.g. "possible spoofing").
Network Sessions Logger
Analyzer can monitor the presence of TCP/UDP/ICMP "sessions" on the network, creating a database record for each session detected within a time frame. A summary of each session is then saved into a database for later processing.
Network Data Mining
Analyzer is able to apply Data Mining techniques to the database of sessions created by the Network Sessions Logger (NetLogger). This module can find relevant, possibly unexpected, relationships in the data and give insight into how the network looks (e.g. which hosts are servers, which are clients, and more). Furthermore, it can compare the relationships that come out of two different NetLogger databases and display the differences (e.g. a new server has been added to the network).
Event Handling
Analyzer has a module that manages the events raised by the other modules and executes the appropriate actions. The set of events and the actions associated with them are customizable by the user.
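As an added illustration of the host-monitor spoofing check (one IP address seen with more than one MAC) and of the event/action hookup described above, here is example code written for this page, not Analyzer's own source; the observation list, the HostMonitor class and the action table are all constructed assumptions:

```python
from collections import defaultdict

# Constructed sample observations (ip, mac), in the order a host monitor
# would learn them from ARP replies / NDP advertisements on the local segment.
OBSERVATIONS = [
    ("192.168.1.10", "00:11:22:33:44:55"),
    ("192.168.1.11", "00:11:22:33:44:66"),
    ("192.168.1.10", "00:11:22:33:44:55"),  # same binding seen again: no event
    ("192.168.1.1",  "00:aa:bb:cc:dd:ee"),
    ("192.168.1.1",  "00:11:22:33:44:77"),  # gateway IP now claims a second MAC
    ("fe80::1",      "00:aa:bb:cc:dd:ee"),  # IPv6 bindings are tracked the same way
]


class HostMonitor:
    """Keeps an IP -> {MAC} table and raises an event when an IP binds >1 MAC."""

    def __init__(self, actions=None):
        self.bindings = defaultdict(set)
        # Hypothetical event -> action table, standing in for user-configured alarms.
        self.actions = actions or {}
        self.events = []

    def observe(self, ip, mac):
        macs = self.bindings[ip]
        mac = mac.lower()          # normalise case so "00:AA" and "00:aa" match
        if mac in macs:
            return None            # known binding, nothing new
        macs.add(mac)
        if len(macs) > 1:          # one IP, several MACs: possible spoofing
            event = ("possible spoofing", ip, sorted(macs))
            self.events.append(event)
            action = self.actions.get(event[0])
            if action:
                action(event)      # run the user-configured alarm for this event
            return event
        return None


def run_monitor(observations=OBSERVATIONS):
    """Feed observations to a monitor whose alarm just records an e-mail subject."""
    sent = []
    monitor = HostMonitor({"possible spoofing": lambda e: sent.append(f"ALERT {e[1]}: {e[2]}")})
    for ip, mac in observations:
        monitor.observe(ip, mac)
    return monitor.events, sent
```

A real monitor would also age bindings out, since a host legitimately changing its NIC looks identical to a spoofer until the old binding expires.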

WARNINGS

  • Analyzer is a tool that is still under development. Please be patient when you use it.
  • Analyzer may not work with earlier versions of Windows 95
  • Analyzer does not work on Windows CE
  • Some features may not be supported on all platforms

Analyzer Roadmap

The first step is to get WinPcap 3.1 out. As soon as this library is released, we will release a beta version of Analyzer.

A 3.0 final version of Analyzer should come in September 2005.

The 3.0 release will provide a first, affordable tool. In fact, a lot of users are pushing to get the 3.0 final out, even if some of our objectives (in terms of functionality) have not been reached. Refinements are expected in the following minor releases.
