Please see the FAQ item "Are
there any tools available for debugging Winsock programs?" for more
information on sniffers and shims.
Ratings: Packages are rated on a simple 5-point system. Features and usability are rated on the following scale:

5 points: This is a wonderful product and you should waste no time getting it, if price permits.
4 points: Nearly perfect. Its features are competitive with others in its price class.
3 points: Adequate. This product may be mildly buggy, but it's tolerable. It does what the manual says it will, and it's reasonably usable.
2 points: Yick! This product is buggy, weak, and/or hard to use. Use only if there's no other choice.
1 point: This product is unusable. Stay away.
Price also matters. A program with features comparable to higher-priced
programs gets one extra point. So, a cheap program given 3 points on its
own merits would get an extra point if its features were comparable to
a more expensive product.
If the "Date tried" field is "Long, long ago", the review may well be sadly outdated. I don't have any information on when I last tried the product in question. One Day(TM) I'll get back to it.

Ethernet Sniffers:
Package: Sniffer Basic
Vendor: Network Associates, Inc.
Platform(s): Win32
User interface: GUI
Price: $1000
Licensing: Commercial
Commentary: Sniffer Basic (née NetXRay) is a fine commercial sniffer for Windows 95/98 and Windows NT/2000. It is very configurable, allows you to write protocol decoder plugins for custom protocols, and has a very nice user interface. Like all analyzers of its class, it can also generate real-time traffic statistics, with alarms and such. If I had the cash, this is the product that I'd buy.
Date tried: Long, long ago, version unknown
Rating: (image not preserved)

Package: EtherPeek
Vendor: The AG Group
Platform(s): Win32, Macintosh
User interface: GUI
Price: $900
Licensing: Commercial
Commentary: EtherPeek is similar in functionality to Sniffer Basic, though having played with their demo some, I found that I liked Sniffer Basic better. Still, it is a bit cheaper, support is not an extra like it is with Sniffer, and it runs on more platforms.
Date tried: Long, long ago, version unknown
Rating: (image not preserved)

Package: Observer
Vendor: Network Instruments
Platform(s): Win32
User interface: GUI
Price: $1000
Licensing: Commercial
Commentary: Observer is one of the "big boys" of network monitoring tools. However, between my initial passing review and a few reviews I've read in magazines, this package does not look as though it will dethrone the more popular packages any time soon.
Date tried: Long, long ago, version unknown
Rating: (image not preserved)

Package: NetBoy Suite
Vendor: NDG Software
Platform(s): Win32
User interface: GUI
Price: $1300
Licensing: Commercial
Commentary: A few years ago, when I tried PacketBoy 1.0, the sniffer component of the suite, it was essentially unusable. I've tried it twice since then (versions 1.44 and 1.5) and although it is now usable, it still has some bugs that should have been eradicated by now. (I crashed 1.5 hard after just five minutes of playing with it!) Be sure to download a demo copy before you commit to buying it!
This package gets another ding due to price. You used to be able to get just the packet sniffer for about $400, but now you must get the whole suite, making it more expensive than the big boys above. Unless you just gotta have their pretty network graphing modules, give this one a miss. You can get a better sniffer for free these days.
Date tried: 4/23/2000, version 1.5
Rating: (image not preserved)

Package: NetSniffer
Author: A. Kaasik and T. Uudisaru
Platform(s): Windows NT 4.0
User interface: GUI
Price: $100
Licensing: Shareware
Commentary: When I tried this package last, it was a workable but quirky program. The author says it works better now. Given the price, it's worth looking into.
Date tried: July 31, 1998, version 1.0
Rating: (image not preserved)

Package: The Gobbler
Author: Tirza van Rijn, University of Delft, The Netherlands
Platform(s): DOS
User interface: Text graphics
Licensing: Freeware
Commentary: The Gobbler is perhaps the best freeware DOS Ethernet sniffer. It has a few quirks, but it's fairly featureful. It can decode the Ethernet, IP, TCP and UDP layers, as well as a few low-level protocols like ARP and ICMP. The interface is notable because it's surprisingly easy to quickly browse a dump looking for interesting packets; many other sniffers' interfaces make it harder to maneuver, so you spend more time fighting the tool than thinking about the data. The source code is available, so in theory you could extend it to your own needs, though I don't know if this is easy to do.
If you can't afford a commercial sniffer and have a DOS box you can dedicate to sniffing, this is the one I'd recommend you get.
Date tried: "Long, long ago", version 2.1
Rating: (image not preserved)

Package: Snooper
Vendor: Crynwr
Platform(s): DOS and Linux
User interface: Text graphics
Price: $350
Licensing: Commercial
Commentary: Of the "payware" DOS sniffers, this one is the best, because it has a clean interface that makes it easy to quickly read a packet dump. The other commercial DOS sniffers require significantly more futzing around: move to next packet, re-adjust window to see the part of the packet you want, move to next packet....
Snooper gets additional points because it comes with source code. Crynwr actively hypes the source code as a way to add custom protocol decoders, so it should be straightforward.
Crynwr also offers a similar product called EtherProbe, but it is more oriented towards network management and costs more than Snooper: $995 without source, $1495 with source.
The demo version is limited to five seconds of continuous packet capturing, which makes it a bit hard to evaluate.
Date tried: Long, long ago, version unknown
Rating: (image not preserved)

Package: PacketView
Vendor: Klos Technologies
Platform(s): DOS
User interface: Text graphics
Price: $300
Licensing: Commercial
Commentary: PacketView is similar to Snooper, but it does not come with source code. Also, its interface and online help seem to be trapped in 1988. However, it is easier to evaluate than Snooper, as the demo will capture up to 64K of network data, with the exception that every eighth packet is intentionally overwritten with garbage.
Date tried: Long, long ago, version unknown
Rating: (image not preserved)

Package: MONET LAN Analyzer
Vendor: MG-SOFT
Platform(s): DOS
User interface: Text graphics
Price: $90-120, depending on the version
Licensing: Commercial
Commentary: MONET comes in three versions, a $90 LITE version which is suitable for network developers and a $120 version aimed at network administrators.
The demo version of the LITE package is almost fully functional, but it does not appear able to save data to disk. The full version also has a demo version, but it can only work with the canned data that comes with it.
The LITE package appears to be fairly featureful, though its relatively modern interface (think Borland C++ 3.1) is nevertheless somewhat clumsy. That pales in importance, however, in comparison to the product's stability, or lack thereof. I was able to easily lock the LITE demo up twice, and when I tried throwing a 58MB file transfer at it, the program crashed badly enough to cause the machine to reboot before I could walk back into the other room to see how MONET was handling the data! This could be because I was running it on an old 286, but Gobbler, Snooper and PacketView all ran without a hiccup on this machine under similar conditions.
My advice: if you're really so strapped for cash that you can't afford one of the other two DOS payware offerings, you should save your nickels and go with Gobbler, or put Linux on that DOS box and load one of the many free Unix/Linux sniffers.
Date tried: Long, long ago, version unknown
Rating: (image not preserved)

Package: tcpdump
Author: Network Research Group, Lawrence Berkeley National Laboratory
Platform(s): Unix
User interface: Text
Licensing: BSD
Commentary: tcpdump does TCP-level decoding and precious little more. It is optimized for showing only "header-level" information like the TCP flags and such. Getting frame information out of tcpdump is not worth the effort. (See Ethereal, below, for a better way.) tcpdump is good for ad-hoc debugging, especially if you've got easy access to a Unix box on the LAN. tcpdump depends on libpcap.
Date tried: April 10, 2000, version 3.4
Rating: (image not preserved)

Package: Analyzer, WinDump and WinPCap
Author: Piero Viano, Paolo Politano and Loris Degioanni
Platform(s): Win32
User interface: GUI and text interfaces
Licensing: Freeware
Commentary: Analyzer is a GUI built on top of WinPCap, a port of libpcap to Windows. They have also ported tcpdump to Windows, calling it WinDump.
The GUI is top-flight, both from a usability and a features standpoint. The only thing really lacking is that the documentation is still in Italian. The menu items and dialogs are translated into English, however.
Source code is apparently only available for WinDump and WinPCap. See Ethereal, below, for a WinPCap-compatible sniffer whose code is available.
WinPCap is a reasonable way to get low-level network access in your own programs, especially if you don't want to spend any money. Buying one of PCAUSA's kits is probably a better choice if your time isn't free, though.
Date tried: 4/10/2000, version 2.02
Rating: (image not preserved)

Package: Ethereal
Author: Many people!
Platform(s): Unix, Win32
User interface: GUI
Licensing: GPL
Commentary: Ethereal is the tcpdump GUI that we all knew the Open Source community could develop. It still has a ways to go before it can beat the best GUI sniffers in the Windows world, but it has some very big advantages.
Feature-wise, it is roughly comparable to Analyzer, above. Analyzer has a more polished UI, but Ethereal understands more protocols, allows for user-written protocol dissectors, and comes with source code. It's also more portable.
Ethereal can read raw tcpdump capture files. This is a really nice feature when you're remotely debugging a network problem: you can be dialed in to a Unix box at a remote customer site and run tcpdump to capture some network traffic to a file, then download it and look at it with Ethereal. I've used this feature a time or two, and it sure beats a $600 round-trip plane ticket to the customer's site!
Date tried: January 2000, version 0.80
Rating: (image not preserved)

Package: FreeCap
Author: arton@geocities.co.jp
Platform(s): Windows NT 4.0
User interface: GUI
Licensing: GPL
Commentary: FreeCap is the same sort of thing as Analyzer, above: a free network driver and packet capture GUI. It was a good idea when it came out, but Analyzer's done the same thing, better: the GUI is far nicer, and its network driver offers the standard libpcap programming interface. Granted, Analyzer doesn't include source for its GUI, but if you need that, you can get Ethereal, which also works with the WinDump driver.
Date tried: Long, long ago, version unknown
Rating: (image not preserved)

Package: Sniffit
Author: Brecht Claerhout
Platform(s): Unix
User interface: Text
Licensing: Freeware
Commentary: Sniffit is a Unix packet sniffer similar to tcpdump. Sniffit differs in that it only dumps the data inside the TCP frames. It dumps this data to files, two per logical connection, one for each direction. Each file is just a raw data dump: there is no timing or sequencing information in the files. This makes Sniffit mainly useful for verifying that your program is sending the intended data, and that the remote machine is replying correctly.
Date tried: Long, long ago, version 0.3.5
Rating: (image not preserved)

Winsock Shims:
Package: TracePlus/Winsock
Vendor: Systems Software Technology, Inc.
Platform(s): Win16, Win32
User interface: GUI
Price: $150 for Win32 only, $210 for Win16 and Win32
Licensing: Commercial
Commentary: TracePlus/Winsock is a Winsock shim for all combinations of Win32, Win16, Winsock 1.1 and Winsock 2. This appears to be the most powerful product of its kind, and seems like a good value as well. It is reportedly more powerful than a simple Winsock DLL replacement because it uses proprietary technology to hook into the existing DLL, allowing it to monitor a greater variety of network activities than a simple DLL replacement can.

Package: SocketSpy
Vendor: WinTECH
Platform(s): Win32 and Win16
User interface: GUI
Price: $60
Licensing: Commercial
Commentary: SocketSpy is similar to TracePlus/Winsock, though it is cheaper and the license price gets you both the 16- and 32-bit versions. SocketSpy appears to work in much the same way as TracePlus, but since I haven't reviewed either product myself, I can't recommend one over the other.