
What is Network Protocol Analysis and Protocol Analyzer?

Network protocol analysis is the process by which a program or device decodes network protocol headers and trailers to understand the data and information inside the packets encapsulated by those protocols. To conduct protocol analysis, packets must be captured, either in real time for line-speed analysis or stored for later analysis. Such a program or device is called a Protocol Analyzer.

In a typical network architecture, a layered approach is used to design network protocols and communications. The most popular network architecture reference model is the OSI model. Protocols at one layer communicate with protocols at the same layer. The key function of a protocol analyzer is to decode the protocol at each layer. Protocol information from multiple layers may be used by a protocol analyzer to identify possible problems in network communication; this is called Expert Analysis. This critical function is provided by many leading protocol analyzer products, such as Network General Sniffer Pro, for advanced network troubleshooting. Protocol analyzers may also decode multiple layers of protocols and packets to reconstruct lower-level packets (such as link, IP or TCP level) into higher-level (such as application-level) messages, giving a deeper understanding of network traffic and user activities. This technique is used in protocol analyzers when network traffic monitoring and user surveillance are the primary goals. Javvin Packet Analyzer is an example of this type of tool.
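The layer-by-layer decoding described above, as an added example that is not part of the original page and not code from Javvin or any other vendor's product: a small Python decoder that walks the Ethernet, IPv4 and TCP headers of one frame, honours the IPv4 IHL and TCP data-offset fields so that header options are not mistaken for payload, verifies the IPv4 header checksum, and hands the remaining bytes up as the application-level message. The frame, MAC and IP addresses, ports and HTTP payload are all constructed here for the example.

```python
"""Decode one captured Ethernet frame layer by layer: Ethernet -> IPv4 -> TCP -> application bytes.

Added example, not code from the original page or from any protocol analyzer product.
The sample frame is constructed inline so the script runs offline.
"""
import struct
from typing import Any, Dict


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Run over a header that already contains its checksum, the result is 0 when it is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ethernet(frame: bytes) -> Dict[str, Any]:
    """Layer 2: 14-byte Ethernet II header (destination MAC, source MAC, EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame too short for Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": ":".join("%02x" % b for b in dst),
        "src": ":".join("%02x" % b for b in src),
        "ethertype": ethertype,
        "payload": frame[14:],
    }


def decode_ipv4(data: bytes) -> Dict[str, Any]:
    """Layer 3: IPv4 header; uses IHL and total length, and checks the header checksum."""
    if len(data) < 20:
        raise ValueError("packet too short for IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, 20 without options
    if version != 4 or ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ValueError("malformed or truncated IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
        "payload": data[ihl:total_len],  # trailing Ethernet padding is dropped here
    }


def decode_tcp(segment: bytes) -> Dict[str, Any]:
    """Layer 4: TCP header; uses the data offset so options are not treated as payload."""
    if len(segment) < 20:
        raise ValueError("segment too short for TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or len(segment) < data_offset:
        raise ValueError("malformed TCP header")
    bits = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))
    flags = [name for bit, name in bits if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "payload": segment[data_offset:]}


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Walk the layers, stopping at the first protocol this decoder does not understand."""
    layers: Dict[str, Any] = {"eth": decode_ethernet(frame)}
    if layers["eth"]["ethertype"] != 0x0800:  # only IPv4 is decoded here
        return layers
    layers["ip"] = decode_ipv4(layers["eth"]["payload"])
    if layers["ip"]["protocol"] != 6:  # only TCP is decoded here
        return layers
    layers["tcp"] = decode_tcp(layers["ip"]["payload"])
    layers["app"] = layers["tcp"]["payload"]  # application-level message, e.g. an HTTP request
    return layers


def build_sample_frame(payload: bytes = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n") -> bytes:
    """Constructed sample: one HTTP request inside TCP/IPv4/Ethernet (all addresses are made up)."""
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)  # PSH|ACK
    ip_len = 20 + len(tcp) + len(payload)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0x4000, 64, 6, 0,
                             bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for name, layer in decode_frame(build_sample_frame()).items():
        print(name, layer if name == "app" else {k: v for k, v in layer.items() if k != "payload"})
```

The decoder refuses frames whose length fields disagree with the bytes actually captured, which is the check a practitioner wants before trusting a decode: a truncated or crafted packet must surface as a parse error rather than as a plausible-looking result. Decoding beyond TCP (the "application message level" in the table below) would start from the bytes in `app`.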

A Protocol Analyzer can be used both for legitimate network management and for stealing information off a network. Network operations and maintenance personnel use Protocol Analyzers to monitor network traffic, analyze packets, watch network resource utilization, conduct forensic analysis of network security breaches and troubleshoot network problems. Unauthorized protocol analyzers can be extremely dangerous to a network's security because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hacker's arsenal.

There are many protocol analyzer products on the market. The market size for this tool is nearly one billion dollars. There are two basic types of protocol analyzers: portable and distributed.

A portable protocol analyzer is a stand-alone device or software installed on a PC. It can capture and analyze data in real time or play back captured data for later analysis. The price of a portable protocol analyzer ranges from a few hundred dollars to tens of thousands of dollars, depending on the vendor, the network type to be monitored (Ethernet, Gigabit Ethernet, optical-media WAN links, etc.) and the types of data analysis performed. Portable protocol analyzers are typically used by engineers for network troubleshooting at a certain point in a network or to monitor the traffic of a single LAN domain.

Distributed protocol analyzers have two parts: 1) Monitoring Probes, devices deployed at various points in the network; 2) a Console, a software package installed in the Network Operation Center (NOC) to centrally monitor all Probes. Distributed protocol analyzers are typically deployed by large enterprises to monitor their network from a centralized location such as the NOC. The cost of deploying a distributed analyzer ranges from tens of thousands of dollars to millions of dollars. In addition to packet capturing and analysis, the distributed analyzer also retrieves and uses SNMP and RMON data for additional network statistics.

The leading vendors of portable protocol analyzers include Network General, Agilent Technologies, Javvin Technologies, etc.

The leading vendors of distributed protocol analyzers include Network General, Netscout, etc.

There are also open source programs such as Ethereal available for public use.

A network protocol analyzer is also called a network sniffer, packet analyzer, network sniffing tool, network analyzer, etc.

Packet Analyzer CAPSA vs. protocol analyzers by other vendors

| Properties | Packet Analyzer CAPSA | Network General Sniffer Basic | Wildpackets Etherpeek |
|---|---|---|---|
| Packet Capturing | Ethernet 10/100 | Ethernet 10/100 | Ethernet 10/100 |
| Analysis | Protocol analysis and packet re-construction to application message level | Simple protocol analysis; expert analysis not included (only in the Sniffer Pro version) | Simple protocol analysis; Expert Analysis not included (only in the Etherpeek NX version) |
| Protocol decode | All TCP/IP protocols | TCP/IP protocols plus some legacy protocols | TCP/IP protocols plus some legacy protocols |
| Filters | Yes | Yes | Yes |
| Expert Module | Yes, in the enterprise edition | Must purchase Sniffer Pro | Must purchase EtherPeek NX |
| Easy-to-use | 30 minutes self training | One week training by vendor | One week training by vendor |
| Price | $299 professional edition; $499 enterprise edition | >$5000 | >$1000 |
| Reporting | Log files for anytime analysis; real-time statistics, charts and reports | Log files; optional reporting package for purchase | Log files |