Please see Question 2.9 for more information on sniffers and shims.
Ethernet Sniffers:
The Gobbler is perhaps the best freeware Ethernet sniffer. It must be run in DOS and it has a few quirks, but it has a fairly nice "text graphics" user interface that allows you to set up filters (by Ethernet address only) and that will decode the Ethernet, IP, TCP and UDP layers, as well as a few low-level protocols like ARP and ICMP. The interface is notable because it's surprisingly easy to quickly browse a dump looking for interesting packets; many other sniffers' interfaces make it harder to maneuver, so you spend more time fighting the tool than thinking about the data. Another bonus is that the source code is available (sorry, I've lost track of it for the moment; a pointer would be very welcome), so in theory you could extend it to your own needs; I haven't tried this, however, so I don't know if this is easy to do. If you can't afford a real sniffer and can set up a spare DOS box for sniffing, this is the one I'd recommend you get.
tcpdump is a Unix packet dumper that does TCP-level decoding. It takes more work to get useful information out of tcpdump, but then, you don't have to dedicate a single-tasking machine to it as with Gobbler, and you can do all of the powerful Unix-style filtering with it, because its output is pure text. The package compiles natively for recent versions of Linux (2.0 kernel at minimum), essentially all pure BSD descendants, SunOS, Solaris, SCO Unix, AIX, HP-UX, IRIX, Ultrix, Digital Unix and probably others. Note that you will first need to compile and install libpcap, the packet capture interface that tcpdump uses.
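Because tcpdump's output is plain text, the "Unix-style filtering" mentioned above is just ordinary text processing. The following shell snippet is an added example and is not part of the original FAQ or the tcpdump distribution: it reads tcpdump-style TCP lines from standard input and counts connection attempts (packets carrying only the SYN flag, i.e. an "S" with no "ack") per destination port, which is a quick way to spot which services a host is being asked to open. The sample capture is constructed for this example and approximates the one-line-per-packet layout of tcpdump's TCP output from that era; the field positions in the awk script assume that layout, so adjust them if your tcpdump version prints a different prefix.

```shell
#!/bin/sh
# Constructed sample of tcpdump-style TCP output (not a real capture).
# Layout assumed: time src > dst: flags seq [ack N] win W
sample_capture() {
    cat <<'EOF'
12:00:01.000001 10.0.0.5.1025 > 10.0.0.9.80: S 1000:1000(0) win 8192
12:00:01.000500 10.0.0.9.80 > 10.0.0.5.1025: S 2000:2000(0) ack 1001 win 8760
12:00:01.001000 10.0.0.5.1025 > 10.0.0.9.80: . ack 2001 win 8192
12:00:02.000000 10.0.0.5.1026 > 10.0.0.9.23: S 3000:3000(0) win 8192
12:00:02.000500 10.0.0.7.1100 > 10.0.0.9.23: S 4000:4000(0) win 8192
EOF
}

# Count connection attempts per destination port.
# A pure SYN has "S" in field 5 and no "ack" in field 7 (a SYN/ACK
# reply has both and is skipped).  Field 4 is "host.port:"; the port
# is the last dotted component once the trailing colon is removed.
syn_per_port() {
    awk '$5 == "S" && $7 != "ack" {
            dst = $4
            sub(/:$/, "", dst)
            n = split(dst, a, ".")
            count[a[n]]++
         }
         END { for (p in count) printf "%s %d\n", p, count[p] }' | sort -n
}

# Usage: tcpdump -n tcp | syn_per_port   (or replay a saved text dump)
# With the constructed sample this prints:
#   23 2
#   80 1
sample_capture | syn_per_port
```

The same pipeline works on a live `tcpdump -n tcp` stream or on a saved text dump, which is the practical advantage over a screen-oriented DOS sniffer: filters are composed from ordinary tools instead of being limited to what the sniffer's menus offer.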
Sniffit is another Unix packet sniffer, similar to tcpdump. Sniffit differs in that it only dumps the data inside the TCP frames. Also, it has the interesting feature that it dumps the data it captures to files, two per logical connection (one for each direction). Each file, however, is just a raw data dump, with no apparent file structure. Now honestly, this is because the package was written by crackers for crackers. Still, Sniffit can be useful for verifying that your program is sending the intended data, and that the remote machine is replying correctly. The package compiles on Linux, SunOS, Solaris, FreeBSD and IRIX.
NetXRay from Network General is a fine commercial sniffer for Windows 95 and Windows NT. It is very configurable, allows you to write protocol decoder plugins for custom protocols, and has a very nice user interface. If I had the cash ($1500 last I checked), this is the product that I'd buy.
EtherPeek from The AG Group is a product similar in functionality and price to NetXRay, though having played with their demo some, I found that I liked NetXRay better. Still, it is a bit cheaper (around $1000), and it appears to run on Macintosh systems in addition to Windows 95 and Windows NT.
PacketBoy from NDG Software is an inexpensive ($395) new packet capture tool that runs on Windows 95 and NT. I tried this package on a Windows 95 and a Windows NT box at work and was not able to make it work after more than half an hour of fighting with it. Your mileage may vary, but make sure you try a demo of it before you commit to buying it!
Snooper from Crynwr Software is a DOS-based packet capturing tool. Counterbalancing the DOS requirement is that it comes with source code, and costs only $350. Crynwr actively hypes the source code as a way to add custom protocol decoders, so it should be straightforward. (Crynwr also offers a similar product called EtherProbe, but it is more oriented towards network management and costs more than Snooper: $995 without source, $1495 with source.) Of the "payware" DOS packet capture tools, this one is the best, IMO, because it has a clean interface that makes it easy to quickly read a packet dump. The other commercial DOS sniffers require significantly more futzing around: move to next packet, readjust window to see the part of the packet you want, move to next packet.... The only downside to Snooper is that the demo version is limited to five seconds of continuous packet capturing which makes it a bit hard to evaluate.
PacketView from Klos Technologies is another DOS packet capturing tool. It retails for $299, but unlike Snooper it does not appear to come with source code. Also, its interface and online help seem to be trapped in 1988. However, it will capture up to 64K of network data in the demo version, with the exception that every eighth packet is intentionally overwritten with garbage.
MONET LAN Analyzer is an inexpensive DOS analyzer from MG-SOFT. It comes in three versions: a $60 LITE version which is suitable for network developers, a $90 regular version with more protocol decoders, and a $120 version aimed at network administrators. The demo version of the LITE package is almost fully functional, but it does not appear able to save data to disk, while the regular demo can only work with the canned data that comes with it. The LITE package appears to be fairly featureful, though its modern interface nevertheless is slightly clumsy. That pales in importance, however, in comparison to the product's stability, or lack thereof. I was able to easily lock the LITE demo up twice, and when I tried throwing a 58MB file transfer at it, the program crashed badly enough to cause a reboot before I could walk back into the other room to see how Monet was handling the data! This could be because I was running it on a slow machine, but Gobbler, Snooper and PacketView all ran without a hiccup on this machine under similar conditions. My advice: if you're really so strapped for cash that you can't afford one of the other two DOS payware offerings, you should save your nickels and go with Gobbler.
NetSniffer is a shareware packet sniffer for Windows NT. It's a workable but quirky 1.0 release as I write this (7/31/1998), but at $100, it's a fair value.
Network Instruments' Observer is one of the "big boys" of network monitoring tools. However, between my initial passing review and a few reviews I've read in magazines, this $995 package does not look as though it will dethrone the more popular packages any time soon.
FreeCap is a freeware packet capturing program, with complete source code available. The only problem with this program is that most of the text is in Japanese, which I can't read. I was able to install and use it a little bit, so I know it works, and it looks pretty good. Perhaps if someone translated the captions to English, I'd be able to give it a more thorough review.
TracePlus/Winsock is a Winsock shim for all combinations of Win32, Win16, Winsock 1.1 and Winsock 2. This appears to be the most powerful product of its kind, and for $150, it seems like a good value as well. It is reportedly more powerful than a simple Winsock DLL replacement because it uses proprietary technology to hook into the existing DLL, allowing it to monitor a greater variety of network activities than a simple DLL replacement can.
SocketSpy is a similar product to TracePlus/Winsock, though it is cheaper ($60) and, unlike TracePlus, that price gets you both the 16- and 32-bit versions. SocketSpy appears to work in much the same way as TracePlus, but since I haven't reviewed either product myself, I can't recommend one over the other.
Please send updates and corrections to <tangent@cyberport.com>.