Building a Simple Open-Source Distributed Packet-Sniffer

This is the way that Network General (the creator of Sniffer ®) has deployed Distributed Sniffer ® since the beginning.  While the product that you are using may be from another vendor or an Open-Source project (e.g. Ethereal ®/Wireshark ®), this process is time honored and, as such, is considered to be “Best Practice.”

This design is meant to ensure that the NIC listening on the Monitor Port does not transmit any packets itself.  The Monitor Card should have no protocols bound to it and should listen only in promiscuous mode.  Additionally, the PC should be as passive as possible and should not be phoning home to vendors because of unnecessary software loaded on it.

One approach is to take a company’s standard laptop and customize it by removing anything that is not needed to support the role of a Protocol Analyzer.  Any software that is not part of the laptop’s OS requirements should be uninstalled.  Once the laptop has been stripped down this way, load the Open Source Protocol Analyzer of your choice and test it.

Once testing is satisfactorily completed, save an Image of the laptop to be used to generate other Open Source Laptop Protocol Analyzers.

System Requirements:

  • Pentium 4 or higher.
  • 1GB Memory or higher.
  • 2 NICs.  One of which is 100 Mbps (not Gigabit), to be used as the Monitor Card.  (NOTE:  This process is not appropriate for Gigabit Monitoring.)
  • Remote Control Software (i.e. VNC) that supports File Transfers from the laptop acting as a Protocol Analyzer to the PC used by the Network Transaction Analyst.

Two NICs:

  • 1st NIC – Monitor Card – No IP bound to the card.  This card just listens in promiscuous mode.  It is the one that is attached to the Monitor Port in the Switch.  This should be a 100 Mbps NIC.
  • 2nd NIC – Transport Card – A static IP is bound to this card so that it can be used on the Intranet to reach the remote control function of the PC.  This can be Gigabit if that is all that is available.
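As an added example (not part of the original article), the following Python script audits the two-NIC design described above against the output of the Linux `ip addr show` command: the Monitor Card must be up, in promiscuous mode and have no IPv4 or IPv6 address bound, while the Transport Card must carry a global IPv4 address for remote control.  The interface names and the sample command output are constructed for illustration; on a real analyzer laptop feed it the actual command output.

```python
import re

# Constructed sample of `ip addr show` output (not captured from a real host).
# eth0 is the Transport Card; eth1 is intended to be the Monitor Card but still
# has an IPv6 link-local address bound, which the audit should flag.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.20.30.40/24 brd 10.20.30.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::211:22ff:fe33:4466/64 scope link
"""

LINK_RE = re.compile(r"^\d+: (\S+?)(?:@\S+)?: <([^>]*)>")
ADDR_RE = re.compile(r"^\s+(inet6?) (\S+) .*?scope (\S+)")

def parse_ip_addr(text):
    """Return {iface: {"flags": set, "addrs": [(family, cidr, scope), ...]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:  # interface header line carries the <FLAGS> list
            cur = m.group(1)
            ifaces[cur] = {"flags": set(m.group(2).split(",")), "addrs": []}
            continue
        m = ADDR_RE.match(line)
        if m and cur:  # inet / inet6 line belongs to the current interface
            ifaces[cur]["addrs"].append((m.group(1), m.group(2), m.group(3)))
    return ifaces

def audit(ifaces, monitor, transport):
    """Apply the design rules; returns a list of findings (empty = compliant)."""
    findings = []
    mon = ifaces.get(monitor)
    if mon is None:
        return [f"{monitor}: monitor card not present"]
    if "PROMISC" not in mon["flags"]:
        findings.append(f"{monitor}: not in promiscuous mode")
    if "UP" not in mon["flags"]:
        findings.append(f"{monitor}: link is down")
    for fam, cidr, _ in mon["addrs"]:  # any bound address means it can transmit
        findings.append(f"{monitor}: {fam} address {cidr} bound (must be none)")
    tx = ifaces.get(transport)
    if tx is None:
        findings.append(f"{transport}: transport card not present")
    elif not [a for a in tx["addrs"] if a[0] == "inet" and a[2] == "global"]:
        findings.append(f"{transport}: no global IPv4 address for remote control")
    return findings
```

Run `audit(parse_ip_addr(SAMPLE_IP_ADDR), "eth1", "eth0")` to see the single finding for the stray IPv6 address on the Monitor Card.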

Other Configuration Issues:

  • No Management Software (SMS, Radia, etc.) enabled.  No management of this device other than remote control.
  • Virus Protection (only if it is considered mandatory by company policy).  However, this laptop should have no email client or any other software that will want to connect to the Internet (with the possible exception of Time Services).  A Firewall rule can always be created to enforce its isolation from the public Internet except on approved sockets.
  • A Time Server should be in place to keep the various Protocol Analysis Laptops in sync.  This can be an Internet source if Company Policy permits or a local Intranet source.
  • The laptop should not be a member of the Company Domain.  One logs into the PC itself, locally or via remote control.
  • All Mirrors in switches are to be bi-directional.

Consider creating a shared folder to act as a Trace File repository.  This is not required, but it can be helpful, as these files can easily grow too large for many corporate email policy size limits.

Use WinZip on the Laptop to allow compression of the large trace files to speed up transfer.


Copyright © 1999-2013 Barry Koplowitz