Cisco Networking: Network Protocol Analyzer Basics
Wireshark, formerly known as Ethereal, is a network protocol analyzer: a tool that captures network traffic and decodes it so you can inspect the details of each packet. Before network switching became the norm, hubs repeated every frame to every port, so a tool like this could see all traffic flowing on your network segment.
In a switched environment, your network card sees only the traffic addressed to your computer plus broadcast (and some multicast) traffic, unless you configure a monitoring port (a SPAN or mirror port, in Cisco terminology) on the switch that copies other ports' traffic to yours. The same limitation cuts the other way: someone on another port of the switch cannot passively read your unicast traffic without comparable access to the switch.
Many products fall into this category, some commercial and some free. Among the free ones, Wireshark is a fairly full-featured product and can be downloaded from the Wireshark website. It is released under the GNU General Public License (GPL) and runs on Windows, Mac OS X, and Linux; Linux users typically find it packaged in their distribution's repositories.
Other products that you may also consider include:
Microsoft Network Monitor from Microsoft
TCPDump from Tcpdump
Capsa Network Analyzer from Colasoft
ClearSight Analyzer from Fluke Networks
Network protocol analyzers are also called network sniffers. Any of these tools captures whatever traffic reaches your network interface, regardless of who manufactured your routers or switches, so they work just as well with Cisco equipment as with anyone else's.
Wireshark lets you capture and analyze the traffic on your network, which can be critical to troubleshooting. One example involves Dynamic Host Configuration Protocol (DHCP) servers. Typically you will have only one DHCP server (or a small, known set of them), but sometimes a network user installs a rogue (unauthorized and unknown) DHCP server, for example by plugging in a home router with its DHCP server left enabled.
This rogue server may then start answering clients' DHCP requests with DHCPNAK messages (negative acknowledgments, that is, refusals), rejecting the leases the legitimate server is trying to hand out, or it may hand out its own bogus offers. You could spend hours troubleshooting this by hand, but within seconds of starting a network capture (to collect and view traffic on your network) filtered on DHCP you can see the NAKs, and the IP address of the offending system (the rogue DHCP server) is right there in the packet's source address.
Although you could use the captured data for other purposes, such as reading telnet sessions or other clear-text traffic (which is exactly why telnet should be replaced by SSH: anyone who can capture the traffic can read the credentials), Wireshark is at its best when showing which systems are talking, who is sending the most traffic, and what is going wrong at a very low level.
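The rogue-DHCP hunt described above, done programmatically instead of by eye, as an added example that is not part of the original article or of Wireshark itself. The script parses the BOOTP/DHCP message layout from RFC 2131 (fixed 236-byte header, magic cookie, then TLV options), pulls out the DHCP message type (option 53) and the server identifier (option 54), and flags every server-originated reply (OFFER, ACK, NAK) whose IP source is not on an allow-list of known DHCP servers. The packets and the IP addresses (10.0.0.1 as the legitimate server, 10.0.0.77 as the rogue) are constructed inline for the example, not taken from a real capture, and the `build_dhcp` helper exists only to fabricate them.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that precedes the options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_REPLIES = {2, 5, 6}                # message types only a server should send


def build_dhcp(op, xid, msg_type, server_id=None, yiaddr="0.0.0.0"):
    """Fabricate a minimal DHCP UDP payload (sample data for this example only)."""
    chaddr = bytes.fromhex("001122334455") + b"\x00" * 10   # client MAC, padded to 16
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,
                         b"\x00" * 4, IPv4Address(yiaddr).packed,
                         b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type])                       # option 53: message type
    if server_id:
        options += bytes([54, 4]) + IPv4Address(server_id).packed  # option 54: server id
    return header + DHCP_MAGIC + options + b"\xff"           # 0xff = end of options


def parse_options(payload):
    """Return {option_code: raw_value} for a DHCP payload, or raise ValueError."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                   # end marker
            break
        if code == 0:                     # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def find_rogue_servers(packets, authorized):
    """packets: iterable of (ip_source, dhcp_payload); authorized: set of server IPs.

    Returns {ip_source: [(message_type_name, claimed_server_id), ...]} for every
    server-style reply that came from an IP not on the allow-list. The IP-layer
    source is trusted over option 54, because a rogue can put anything in the option.
    """
    findings = {}
    for src_ip, payload in packets:
        try:
            opts = parse_options(payload)
        except ValueError:
            continue
        mtype = opts.get(53)
        if not mtype or payload[0] != 2 or mtype[0] not in SERVER_REPLIES:
            continue                      # op 2 = BOOTREPLY; skip client messages
        if src_ip in authorized:
            continue
        claimed = str(IPv4Address(opts[54])) if 54 in opts else None
        findings.setdefault(src_ip, []).append((MSG_TYPES[mtype[0]], claimed))
    return findings


# Constructed sample traffic: one client DISCOVER, one legitimate OFFER, and two
# NAKs from a rogue box, the second of which spoofs the real server's identifier.
SAMPLE_PACKETS = [
    ("0.0.0.0",   build_dhcp(1, 0xDEADBEEF, 1)),
    ("10.0.0.1",  build_dhcp(2, 0xDEADBEEF, 2, "10.0.0.1", "10.0.0.50")),
    ("10.0.0.77", build_dhcp(2, 0xDEADBEEF, 6, "10.0.0.77")),
    ("10.0.0.77", build_dhcp(2, 0x00C0FFEE, 6, "10.0.0.1")),
]

if __name__ == "__main__":
    for src, events in find_rogue_servers(SAMPLE_PACKETS, {"10.0.0.1"}).items():
        for name, claimed in events:
            print(f"rogue DHCP server {src}: sent {name}, claims server id {claimed}")
```

With a real capture you get the same answer in Wireshark by applying the display filter `dhcp.option.dhcp == 6` (older releases name the protocol `bootp`, so `bootp.option.dhcp == 6`) and reading the Source column; the script's allow-list check is what you would automate if you wanted an alert instead of a manual look. Note that the second sample NAK carries the legitimate server's address in option 54, which is why the code keys its verdict on the IP-layer source rather than on what the packet claims. On Cisco switches, DHCP snooping is the standing control that drops server replies arriving on untrusted ports, so the capture is how you find the culprit and snooping is how you stop the next one.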