Help!

rejaz Member Posts: 44 ■■■□□□□□□□
Hi All,

Exam is in a few days and I have a bit of confusion which I need assistance with.

I have seen an overlap of the differences between a Packet Sniffer, Port Scanner, IDS and a Protocol Analyzer.

As far as I'm aware, you would use a Protocol Analyzer to decode and read network traffic, a Packet Sniffer is used to eavesdrop on the packets sent across the network, a Port Scanner is used to identify the states of ports on the system (i.e. are they open and listening) and an IDS is used to monitor and report any malicious activity on the network.

Which 2 would you use to see what protocols are being used on the network? Also, please correct me if any of the above is incorrect.

Regards

R

Comments

  • kingloki Registered Users Posts: 3 ■□□□□□□□□□
    Isn't a packet sniffer the same thing as a protocol analyzer? I think with a packet sniffer/ protocol analyzer you can see the packets that traverse through your network. On the other hand, a port scanner shows the open ports on a host or server. I think you would use a port scanner + protocol analyzer to see the protocols being used.
  • NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
    rejaz wrote: »
    I have seen an overlap of the differences between a Packet Sniffer, Port Scanner, IDS and a Protocol Analyzer.

    Which 2 would you use to see what protocols are being used on the network? Also, please correct me if any of the above is incorrect.

    I would go with a Sniffer + Protocol Analyzer. In many cases these are combined into one package! For example, Wireshark can do both roles. However, sometimes these roles are separated. For example, your favorite protocol analyzer may not support a particular interface type. You then end up sniffing with one tool and analyzing with another.

    An IDS is completely wrong. That's a security device that monitors for malicious activity.

    A port scanner is also completely wrong. Just because you have a particular service running on port 23 of server 10.1.1.4, does not mean it's being used or that protocol's PDUs are traversing the network. This often occurs with unhardened servers.
  • NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
    PS - "ip nbar protocol-discovery" for the win!!! :p
  • Darril Member Posts: 1,588
    You might like to check out this blog which describes common network tools including a sniffer and a protocol analyzer (which kingloki correctly identifies as the same thing): Network+ Hardware Tools.

    Many years ago, a protocol analyzer was primarily a hardware device and a packet sniffer was a software program, but the terms are mixed today. You can think of them as synonymous and, as NetworkVeteran mentions, these are the best choice to identify protocols used on the network.

    This article talks about ports: Ports for Network+, Security+, and SSCP Exams | Get Certified Get Ahead. Essentially a port scanner identifies which ports are open on individual host systems. Indirectly, this can identify what protocols are being used because ports are related to protocols.

    This article talks about an IDS which is designed to detect attacks (not detect protocols in use).
    Intrusion Detection Systems and Intrusion Prevention Systems | Get Certified Get Ahead

    Good luck.
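
An added example, not part of any post in this thread: it decodes a handful of captured frames to list the protocols actually in use, then compares that with a port-scan result to show the point about the service on port 23 of 10.1.1.4 that is open but never used. The frames, the client addresses, the scan result and all function names are constructed for illustration.

```python
import struct
from collections import Counter

# Well-known port assignments used for labelling (a heuristic: real analyzers
# also dissect the payload, since any service can run on any port).
WELL_KNOWN = {22: "SSH", 23: "Telnet", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

def build_frame(src, dst, proto, sport, dport):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed sample data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs + EtherType IPv4
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

def classify(frame):
    """Decode one captured frame and name the protocol it carries."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-IPv4"
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    proto = frame[23]                                     # IPv4 protocol field
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return {1: "ICMP"}.get(proto, f"ip-proto-{proto}")
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    for port in (dport, sport):                           # either side may be the server
        if port in WELL_KNOWN:
            return WELL_KNOWN[port]
    return f"{'tcp' if proto == 6 else 'udp'}/{min(sport, dport)}"

def protocols_in_use(frames):
    """Sniffer + analyzer view: protocols actually seen on the wire."""
    return Counter(classify(f) for f in frames)

def listening_but_unseen(open_ports, seen):
    """Port-scanner view minus the capture: services offered but never used."""
    names = (WELL_KNOWN.get(p, str(p)) for p in open_ports)
    return sorted(n for n in names if n not in seen)

# Constructed capture: traffic to and from server 10.1.1.4 (TCP = 6, UDP = 17).
CAPTURE = [
    build_frame("10.1.1.20", "10.1.1.4", 6, 50122, 443),
    build_frame("10.1.1.4", "10.1.1.20", 6, 443, 50122),
    build_frame("10.1.1.20", "10.1.1.4", 6, 50200, 22),
    build_frame("10.1.1.20", "10.1.1.9", 17, 53111, 53),
]
SCAN_10_1_1_4 = [22, 23, 443]   # constructed port-scan result for the same server

if __name__ == "__main__":
    seen = protocols_in_use(CAPTURE)
    print(dict(seen), listening_but_unseen(SCAN_10_1_1_4, seen))
```

The capture answers "what protocols are being used"; the scan only answers "what is listening", which is why Telnet shows up in the second list and not the first.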