Monday | 8 September, 2008
ARN
WLAN analyzers come of age
AirMagnet still reigns, but others closing in

Network General Sniffer Portable 4.90 (Decode Engine 1.06) and Sniffer Portable Field Service

Network General's Sniffer Portable was a bit difficult to install, but when we conquered the demons (incorrect host-processor speed detection and WLAN network interface-card driver problems), we found that there have been numerous changes to the product.

On the surface, it looked like the same Sniffer GUI that we've seen for 20 years, and underneath, the Sniffer filters still included packet filtering for such long-lost protocols as Banyan Vines and Apollo Systems. Added inside, however, are extensive WLAN protocol components that can be identified, and the optional (but not tested) "Application Intelligence Option" can see packets from SAP, Oracle and PeopleSoft.

The Sniffer decode engine lies at the heart of Sniffer Portable, and digests packets whether wireline or WLAN. Optional versions allow for mobile phone decodes and diagnoses, but these weren't tested as we stuck strictly to WLAN environments. Like WildPackets' OmniPeek, distributed Sniffers can be used, but also like the OmniPeek version we tested, the data from distributed units isn't easily amalgamated for examination. What differs is that the reporting done by Sniffer is a couple of steps ahead of OmniPeek (lacking the OmniReports Service), just by adding simple headers to reports annotating what's on the printout/report and a date.

We subjected Sniffer Portable to our suite of tests (man-in-the-middle and dictionary attack). While the man-in-the-middle attack was detected, the dictionary attack was seen as a critical error but was identified as a Physical Layer Convergence Protocol threshold error -- a packet rate problem, rather than the multicasting alarm thrown by OmniPeek. Traffic issues were also shown in the Alarm Log when we ran the dictionary attack. Sniffer Portable has a limit on how alarm conditions are communicated when it's used as a monitoring device (rather than a field service diagnostic unit) compared with OmniPeek. When it's in monitoring mode, only e-mail or VB script can be used to deliver alarms.

Sniffer Portable doesn't include a spectrum-analyzer option, unlike the other three WLAN analyzers we tested. It also has a very traditional (hasn't changed in decades) user interface that's difficult to maneuver if you're a novice or unsure of how protocols relate to each other. Defining filters is more difficult, as it traditionally has been. (With OmniPeek, it was much easier to manipulate filters visually.) Both products require a working knowledge of TCP/IP and the 802.11 basics, but assembling filters with Sniffer Portable was more difficult, even though all the correct options were there. The user interface is growing long in the tooth, despite the advanced decodes possible with the venerable Sniffer Portable.

The Expert Diagnosis portion of Sniffer Portable divides captured/seen packets into different levels, relating to views of the analyzed data. These views, in turn, can be drilled down into other views relating to statistics associated with, as an example, 802.11 problems, application problems (such as DNS errors, which we simulated), or global network errors (multicasting errors, as an example). By tabbing back and forth, a matrix of conversations between IP/MAC pairs can be seen, as well as a distribution-by-protocol chart, and even a packet decode relating to the observation made by Sniffer Expert. This portion of Sniffer Portable wasn't quite as good or as rich in detail as OmniPeek.

Overall, Sniffer Portable advanced from the last time we looked at it. WildPackets has made a good attempt at trumping Sniffer Portable by offering a better user interface, and we'd guess that the company's advancements are on the backs of deficiencies we found with Sniffer Portable.
