The Sniffer[1] was a computer network packet and protocol analyzer developed and first sold in 1986 by Network General Corporation[2] of Mountain View, CA. By 1994, the Sniffer had become the market leader[3] in high-end protocol analyzers. According to SEC 10-K filings[4][5][6] and corporate annual reports,[7] between 1986 and March 1997 about $933M worth of Sniffers and related products and services had been sold as tools for network managers and developers.
The Sniffer was the predecessor of several generations of network protocol analyzers, of which the current most popular is Wireshark.
Background
The Sniffer was the first product of Network General Corporation, founded on May 13, 1986[8][9] by Harry Saal and Len Shustek to develop and market network protocol analyzers. The inspiration was an internal test tool that had been developed within Nestar Systems,[10] a personal computer networking company founded in October 1978 by Saal and Shustek along with Jim Hinds and Nick Fortis. In 1982, engineers John Rowlands and Chris Reed at Nestar’s UK subsidiary Zynar Ltd developed an ARCNET promiscuous packet receiver and analyzer called TART (“Transmit and Receive Totaliser”) for use as an internal engineering test tool. It combined an IBM PC with custom hardware and software written in a combination of BASIC and 8086 assembly code. When Nestar was acquired by Digital Switch Corporation (now DSC Communications) of Plano, Texas in 1986,[11] Saal and Shustek received the rights to TART.
At Network General, Saal and Shustek initially sold TART as the “R-4903 ARCNET Line Analyzer (‘The Sniffer’)”.[12] They then reengineered TART for IBM’s Token Ring network hardware, created a different user interface with software written in C, and began selling it as The Sniffer™ in December 1986.[13] The company had four employees at the end of that year.
In April 1987 the company released an Ethernet version of the Sniffer,[14][15] and in October, versions for ARCNET, StarLAN, and IBM PC Network Broadband. Protocol interpreters were written for about 100 network protocols at various levels of the protocol stack, and customers were given the ability to write their own interpreters. The product line gradually expanded to include the Distributed Sniffer System[16] for multiple remote network segments, the Expert Sniffer[17] for advanced problem diagnosis, and the Watchdog[18] for simple network monitoring.
Development
Nestar ARCNET Sniffer
IBM PC ARCNET Sniffer board
The ARCNET Sniffer, developed as an internal test tool by Zynar, used the IBM PC ARCNET Network Interface Card developed by Nestar for the PLAN networking systems. That board used the COM9026 integrated ARCNET controller from Standard Microsystems Corporation, which had been developed in collaboration with Datapoint.
There was no promiscuous mode in the SMC chip that would allow all packets to be received regardless of the destination address. So to create the Sniffer, a daughterboard[19] was developed that intercepted the receive data line to the chip and manipulated the data so that every packet looked like a broadcast and was received by the chip.
IBM PC ARCNET Sniffer daughterboard potted module
Since the ability to receive all packets was viewed as a violation of network privacy, the circuitry implementing it was kept secret, and the daughterboard was potted in black epoxy to discourage reverse-engineering.
The source code of the original TART/Sniffer BASIC and assembler program is available on GitHub.[20]
Network General Sniffer
Token-Ring Sniffer, 1986
The Sniffer was a promiscuous mode packet receiver, which means it received a copy of all network packets without regard to what computer they were addressed to. The packets were filtered, analyzed using what is now sometimes called deep packet inspection, and stored for later examination.
The Sniffer was implemented above Microsoft’s MS-DOS operating system, and used a 40-line 80-character text-only display. The first version, the PA-400 protocol analyzer for Token-Ring networks,[21] was released on a Compaq Portable II “luggable” computer that had an Intel 80286 processor, 640 KB of RAM, a 20 MB internal hard disk, a 5¼-inch floppy disk drive, and a 9” monochrome CRT screen. The retail price of the Sniffer in unit quantities was $19,995.[22]
“capture”, in which
    packets are captured, stored, counted, and summarized
    filters control which packets are captured
    triggers control when capture should stop, perhaps because a sought-after network error condition had occurred
“display”, in which
    packets are analyzed and interpreted
    filters control which packets are displayed
    options control which aspects of the packets are displayed
Navigation of the extensive menu system on the character-mode display was through a variation of Miller columns that were originally created by Mark S. Miller at Datapoint Corporation for their file browser. As the Sniffer manual described, “The screen shows you three panels, arranged from left to right. Immediately to the left of your current (highlighted) position is the node you just came from. Above and below you in the center panel are alternative nodes that are also reachable from the node to your left… To your right are nodes reachable from the node you're now on.”
Sniffer menu navigation
Pressing F10 initiated capture and a real-time display of activity.[21]
Example sniffer screen during packet capture
When capture ended, packets were analyzed and displayed in one or more of the now-standard three synchronized vertical windows: multiple packet summary, single packet decoded detail, and raw numerical packet data. Highlighting linked the selected items in each window.
In the multiple-packet summary, the default display was of information at the highest level of the protocol stack present in that packet. Other displays could be requested using the “display options” menu.
The translation of data at a particular level of the network protocol stack into user-friendly text was the job of a protocol interpreter (PI). Network General provided over 100 PIs[23] for commonly used protocols of the day:
3COM 3+
AppleTalk ADSP
AppleTalk AFP
AppleTalk ARP
AppleTalk ASP
AppleTalk ATP
AppleTalk DDP
AppleTalk ECHO
AppleTalk KSP
AppleTalk LAP
AppleTalk NBP
AppleTalk PAP
AppleTalk RTMP
AppleTalk ZIP
ARP
AT&T
Banyan VINES AFRP
Banyan VINES Echo
Banyan VINES File Svc
Banyan VINES FRP
Banyan VINES FTP
Banyan VINES IP
Banyan VINES LLC
Banyan VINES Loopback
Banyan VINES Matchmaker
Banyan VINES Ntwk Mgr
Banyan VINES SPP
Banyan VINES StreetTalk
Banyan VINES Svr Svc
Banyan VINES Talk
BOOTP
Bridge bridge mgmt
Bridge CS-1
Bridge terminal srvr
Chaosnet
ComDesign
Cronus direct
Cronus VLN
Datapoint DLL
Datapoint RCL
Datapoint RIO
Datapoint RMS
DEC 911
DEC bridge mgmt
DEC LAN monitor
DEC LAST
DEC LAVC
DEC NetBIOS
DECNET CTERM
DECNET DAP
DECNET DRP
DECNET FOUND
DECNET LAT
DECNET LAVC
DECNET MOP
DECNET NICE
DECNET NSP
DECNET SCP
DNS
ECMA internet
EGP
Excelan
FTP
GGP
IBM SMB
IBM SNA
ICMP
IONET VCS
IONET VCS CMND
IONET VCS DATA
IONET VCS TRANS
IP
ISO ACSE
ISO ASN.1
ISO CMIP
ISO Network
ISO PPP
ISO ROSE
ISO Session
ISO SMTP
ISO Transport
LOOP
Loopback
Micom test
NBS internet
Nestar ARCnet
Nestar PlanSeries
NetBIOS
NetBIOS TCP
Novell Netware
PUP address translation
RPL
RUnix
SMTP
SNAP
Sun MOUNT
Sun NFS
Sun PMAP
Sun RPC
Sun RSTAT
Sun YP
Symbolics private
TCP
Telnet
TFTP
TRING DLC
TRING LLC
TRING MAC
TRING RI
U-B
Vitalink bridge mgmt
X.25
X.25 level 3
X.75 internet
Xerox BOOTP
Xerox EGP
Xerox GGP
Xerox ND
Xerox PUP
Xerox PUP ARP
Xerox RIP
Xerox TFTP
Xerox XNS
Xyplex
Decoding higher protocol levels often required the interpreter to maintain state information about connections so that subsequent packets could be properly interpreted. That was implemented with a combination of locally cached data within the protocol interpreter and the ability to look back at earlier packets stored in the capture buffer.
Sniffer customers could write their own protocol interpreters to decode new or rare protocols not supported by Network General. Interpreters were written in C and linked with the rest of the Sniffer modules to create a new executable program. The procedure for creating new PIs was documented in April 1987 as part of Sniffer version 1.20.[24]
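A toy model of the protocol-interpreter mechanism described in the two paragraphs above (layered PIs, a summary at the highest layer present, locally cached connection state, and lookback into the capture buffer). This is an added illustration in Python, not the Sniffer’s C interface or any Network General code; the packet layout, the LINK/XPORT layer names and the capture contents are constructed for the example.

```python
# Toy model of the Sniffer's layered protocol interpreters (PIs), written for
# this article; the packet format is constructed, not a real Sniffer format.
# The transport PI keeps per-connection state in a local cache and, on a cache
# miss, looks back through earlier packets in the capture buffer.
OPEN, DATA, CLOSE = 0x01, 0x02, 0x04   # transport flag bits (constructed)
XPORT = 0x01                           # link-layer type of the toy transport

class Decoder:
    def __init__(self, buffer):
        self.buffer = buffer   # capture buffer: list of raw packets (bytes)
        self.conn_app = {}     # cached PI state: connection id -> application name

    def decode(self, index):
        # Returns [(layer name, fields), ...] lowest layer first; the last entry is
        # the highest layer present, which is what the summary window showed.
        raw = self.buffer[index]
        layers = [("LINK", {"src": raw[0], "dst": raw[1], "type": raw[2]})]
        if raw[2] == XPORT:
            layers += self.transport(raw[3:], index)
        return layers

    def transport(self, seg, index):
        conn, flags, payload = seg[0], seg[1], seg[2:]
        layers = [("XPORT", {"conn": conn, "flags": flags})]
        if flags & OPEN:
            self.conn_app[conn] = payload.decode()   # remember app for later DATA
        elif flags & CLOSE:
            self.conn_app.pop(conn, None)
        elif flags & DATA:
            app = self.conn_app.get(conn) or self.lookback(conn, index)
            if app:                                  # hand payload to the app PI
                layers.append((app.upper(), {"data": payload.decode(errors="replace")}))
        return layers

    def lookback(self, conn, index):
        # Cache miss (e.g. user jumped straight to this packet): scan earlier
        # packets for the connection's latest OPEN; give up if a CLOSE comes first.
        for raw in reversed(self.buffer[:index]):
            if len(raw) >= 5 and raw[2] == XPORT and raw[3] == conn:
                if raw[4] & OPEN:
                    self.conn_app[conn] = raw[5:].decode()
                    return self.conn_app[conn]
                if raw[4] & CLOSE:
                    return None
        return None

# Constructed capture buffer for the demonstration (not a real trace).
CAPTURE = [
    bytes([0x0A, 0x0B, XPORT, 7, OPEN]) + b"echo",
    bytes([0x0B, 0x0A, XPORT, 7, DATA]) + b"hello",
    bytes([0x0A, 0x0C, 0x02]) + b"\xff\x00",         # unknown type: LINK only
    bytes([0x0A, 0x0B, XPORT, 7, CLOSE]),
    bytes([0x0B, 0x0A, XPORT, 7, DATA]) + b"late",   # after CLOSE: no app layer
]
```

Decoding packet 2 directly on a fresh Decoder yields an ECHO layer only because lookback finds the OPEN in packet 1; the same DATA packet after the CLOSE stays at the transport layer.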
In addition to supporting many network protocols, there were versions of the Sniffer that collected data from the major local area networks in use in the 1980s and early 1990s:
Even in the early years, the Sniffer had competition,[25] at least for some aspects of the product. Several were, like the Sniffer, ready-to-use packaged instruments: