Applications

A short list of some network analysis and forensic tools that work in conjunction with the Solera Appliances:

IM Analysis Tools

Effetech

www.effetech.com
Commercial
OS: Win9x/ME/NT4/2000/XP
EffeTech develops a series of Internet security software. This analysis software is intended to monitor Internet abuse and to unveil information inside packets, such as HTTP URLs, instant messages of MSN Messenger, AIM and ICQ, and passwords for HTTP, FTP, SMTP, POP3 and telnet.

EtherBoss

http://www.etherboss.com
Commercial
OS: Win
EtherBoss MSN Messenger Conversation Monitor & Sniffer is a handy network utility to capture and log MSN Messenger chat on a network. All intercepted messages are saved to disk automatically. It also provides a feature-rich reporting and search system to locate and export captured MSN conversations as HTML files for later analysis and reference.

HTTP Analysis

HTTP Watch

http://www.httpwatch.com/
Commercial
OS: Win
HttpWatch is an HTTP viewer and debugger that integrates with Internet Explorer to provide seamless HTTP and HTTPS monitoring without leaving the browser window.

Web Scarab

http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Open Source
OS: Win, Linux, UNIX, Mac
In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

iWatchHTTP

http://exact-solutions.com
Purchase
OS: Win, Linux, UNIX
iWatch is the only tool that lets you see every HTTP transaction with its parameters and performance tokens in real time. iWatch's unique ability to capture and display every HTTP call along with all its parameters and relevant performance tokens, such as the transaction, server processing time and average network round trip, lets HTTP application developers and administrators address the exact performance problems.

Web Reporting

iWatchWeb Reporting

http://exact-solutions.com
Commercial
OS: Win, Linux, UNIX
Currently, there are no applications that have taken on the mantle to analyze user behavior. iWatch applies traditional marketing approaches to data usage. User decisions can be based on content and delivery of the content, for example, how long the user had to wait to receive the data.

iWatch IQ

http://exact-solutions.com
Purchase
OS: Win, Linux, UNIX
Mapping HREFs to business-centric views
The problem boils down to the simple question mark. In technical parlance, the question mark in a URL signals the separation between an actual page or program on the left and a set of parameters that the program needs to know about on the right. This may seem both trivial and technical. In a sense it is. Except that innocent-looking question mark can prevent traffic analysis software from producing a report that makes any sense.

Packet Analysis Tools

ClearSight

www.clearsightnet.com
Commercial
OS: Win
Analyzer is an advanced network monitoring and troubleshooting tool that shows you all the activity on your network via a simple and intuitive user interface. The latest CSA 6.0 release offers IPTV support and a complete Triple-Play analyzer solution. It adds support for the MSN application and updates existing application support with feature enhancements, including VoIP, codecs, reports, filters, multicast, etc. The user interface and toolbar are also improved.

EtherPeek

www.wildpackets.com
Commercial
OS: Win
EtherPeek VX (VoIP analysis)
EtherPeek NX (Network analysis)
EtherPeek SE (Standard edition)
EtherPeek VX offers both Ethernet and VoIP diagnostics in real time. EtherPeek VX provides real-time expert analysis, Application Response Time (ART) analysis, full 7-layer decodes, alarms, triggers, comprehensive graphs and reports, and more. EtherPeek VX offers per-call analysis and supports multiple signaling protocols. The media plane analysis looks at packet-level details of RTP and RTCP streams and evaluates packet delay variations, packet loss, jitter, and provides MOS scores as well as R-Factor values for each call.
EtherPeek NX offers a breadth of features and technological innovation no other tool can offer, including real-time Expert analysis on multiple adapters, Application Response Time (ART) analysis, extensive application protocol decoding, packet generation, alarms, triggers, notifications, monitoring, and reporting.
EtherPeek SE Ethernet protocol analyzer is an intuitive, powerful network and protocol analyzer for troubleshooting Ethernet networks. It provides the decoding, filtering and diagnostics of a high-end analyzer.

Sniff-em

www.sniff-em.com
Commercial
OS: Win
Sniff'em™ detects a wide range of low-level protocols as well as high-level protocols such as IP protocols. Real-time Ethernet fingerprinting is supported as well with over 4700 fingerprints in the database.
All protocols can be easily added or changed by using a graphical interface inside the settings dialog; besides decoding an entire range of protocols, Sniff'em™ currently performs advanced decoding of NetBIOS and DNS packets.

CommView/RA

www.tamos.com
Commercial
OS: Win 32/64 Bit
CommView is a powerful network monitor and analyzer designed for LAN administrators, security professionals, network programmers, home users... virtually anyone who wants a full picture of the traffic flowing through a PC or LAN segment. Loaded with many user-friendly features, CommView combines performance and flexibility with ease of use.

Tcpdump/Windump

http://www.tcpdump.org/
Open Source
OS: Win, Linux, UNIX, Mac
This application is used for general packet capture and analysis and is the predecessor to Wireshark. It is installed as stand-alone software for raw capture. Once traffic is captured, you can then analyze it in a historical manner. The data is presented in a very raw format. If you are not familiar with TCP/IP or networking, or don't know what a packet looks like, then you should not be using this tool. You could see some IP addresses and maybe pick out some other information, but overall there are more user-friendly apps for the less network-savvy user.

WinPcap 4.0

http://www.winpcap.org/
Open Source
OS: Win
This is an industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

Wireshark

http://www.wireshark.org/
Open Source
OS: Win, Linux, UNIX, Mac
This is one of the more popular packet analysis tools on the market. It is a free application that allows you to view IP packets at many different levels. It has filtering capabilities to show just the data you want, as well as other interfaces built for it that resemble tcpdump, known as tethereal.

Ethereal

http://www.ethereal.com/
Open Source
OS: Win, Linux, UNIX
Ethereal is for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements.

EtherDetect

http://www.etherdetect.com
Commercial
OS: Win
EtherDetect Packet Sniffer and network protocol analyzer provides a connection-oriented view for analyzing packets more effectively. All you need to do is set up the filter, start capturing, and view connections, packets and data on the fly.

Ettercap

http://ettercap.sourceforge.net/
Open Source
OS: Win, Linux, UNIX, Mac
This is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. There are many sniffing modes to give a powerful and complete sniffing suite. Plugins are also supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

Dsniff

http://www.monkey.org/~dugsong/dsniff/
Open Source
OS: Win, Linux, UNIX, MAC
Overall, this is a great toolset. It handles pretty much all of your password sniffing needs. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected ssh and https sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here.

Ntop

http://www.ntop.org/
Open Source
OS: Win, Linux, UNIX, MAC
Ntop shows network usage. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.

Ngrep

http://www.packetfactory.net/projects/ngrep/
Open Source
OS: Win, Linux, UNIX, Mac
Ngrep is a pcap-aware tool that allows you to specify extended regular or hexadecimal expressions to match against the data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

EtherApe

http://etherape.sourceforge.net/
Open Source
OS: Linux, UNIX, Mac
EtherApe is a graphical network monitor for UNIX modeled after etherman.
Featuring link layer, IP and TCP modes, EtherApe displays network activity graphically with a color-coded protocol display. Hosts and links change in size with traffic. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.

Intrusion Detection Systems (IDS)

Snort

www.snort.org/
Open Source/Commercial
OS: Win, Linux, UNIX, Mac
Snort is a network intrusion detection and prevention system that excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Also check out the free Basic Analysis and Security Engine (BASE), a web interface for analyzing Snort alerts.

OSSEC HIDS

www.ossec.net/
Open Source
OS: Win, Linux, UNIX, Mac
An Open Source Host-based Intrusion Detection System
OSSEC HIDS performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. In addition to its IDS functionality, it is commonly used as a SEM/SIM solution. Because of its powerful log analysis engine, ISPs, universities and data centers are running OSSEC HIDS to monitor and analyze their firewalls, IDSs, web servers and authentication logs.

Arpwatch

www-nrg.ee.lbl.gov
Open Source
OS: Linux, UNIX, Mac
Keeps track of Ethernet/IP address pairings and can detect certain monkey business.
Arpwatch is the classic ARP man-in-the-middle attack detector from LBNL's Network Research Group. It syslogs activity and reports certain changes via email. Arpwatch uses libpcap to listen for ARP packets on a local Ethernet interface.

Kismet

www.kismetwireless.net
Open Source
OS: Linux and Windows
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.

Honeyd

www.citi.umich.edu/u/provos/honeyd/
Open Source
OS: Win, Linux, UNIX, Mac
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.

ACID

http://acidlab.sourceforge.net/
Open Source
OS: Linux
The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

SecureNet

www.intrusion.com/
Commercial
OS: Hardware-based solution
The Intrusion SecureNet System provides critical deep-packet analysis and application awareness, and can be deployed passively for intrusion detection (IDS) or actively for intrusion prevention (IPS).

Password/Encryption Crackers

Cain and Abel

http://www.oxid.it/cain.html
Open Source
OS: Win
This is a password recovery tool which handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

John the Ripper

http://www.openwall.com/john/
Open Source
OS: Win, Linux, UNIX, Mac
John the Ripper is a fast password cracker, currently available for many flavors of UNIX (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak UNIX passwords. It supports several crypt(3) password hash types which are most commonly found on various UNIX flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some word lists, which you can find here, here, or here.

OS Detection Tools

P0f

http://lcamtuf.coredump.cx/p0f.shtml
Open Source
OS: Win, Linux, UNIX, Mac
P0f is able to identify the operating system of a target host simply by examining captured packets even when the device in question is behind an overzealous packet firewall. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing. In the hands of advanced users, P0f can detect firewall presence, NAT use, existence of load balancers, and more!

Network/Application QOS

iWatchSQL

www.exact-solutions.com
Commercial
OS: Win, Linux, UNIX
Database: SQL, Oracle, DB2, Sybase
iWatch is the only tool that lets you see every SQL transaction with its parameters and performance tokens in real time. iWatch's unique ability to capture and display every SQL call along with all its parameters and relevant performance tokens, such as the transaction, server processing time and average network round trip, lets SQL application developers and administrators address the exact performance problems.

Network Stumbler

www.netstumbler.com
Open Source
OS: Windows 98 and above
NetStumbler (also known as Network Stumbler) is a tool for Windows that facilitates detection of Wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. It runs on Microsoft Windows 98 and above. NetStumbler is commonly used for:

  • Wardriving
  • Verifying network configurations
  • Finding locations with poor coverage in one’s WLAN
  • Detecting causes of wireless interference
  • Detecting unauthorized ("rogue") access points
  • Aiming directional antennas for long-haul WLAN links

Argus

http://argus.tcp4me.com/
Open Source
OS: Linux

  • Argus is a system and network monitoring application.
  • It will monitor nearly anything you ask it to monitor (TCP + UDP applications, IP connectivity, SNMP OIDS, Programs, Databases, etc).
  • It presents a nice clean, easy to view web interface that will keep both the managers happy (Red Bad. Green Good.) and the techs happy ("Ah! that's what the problem is").
  • It can send alerts numerous ways (such as via pager) and can automatically escalate if someone falls asleep.

Flow-tools

www.splintered.net/sw/flow-tools/
Open Source
OS: Linux
Flow-tools is a library and a collection of programs used to collect, send, process, and generate reports from NetFlow data. The tools can be used together on a single server or distributed to multiple servers for large deployments. The flow-tools library provides an API for development of custom applications for NetFlow export versions 1, 5, 6 and the 14 currently defined version 8 subversions. Perl and Python interfaces have been contributed and are included in the distribution.

Flow-extract, Flow Scripts

http://security.uchicago.edu/tools/net-forensics/
Open Source
OS: Linux
flow-extract is used for selecting flows from a binary log file created by flow-tools(1). The program uses the same syntax as the Netlogger extract program to select flows.

FLAG (Forensic and Log Analysis GUI)

http://sourceforge.net/projects/pyflag
Open Source
OS: Linux
FLAG was designed to simplify the process of log file analysis and forensic investigations. FLAG facilitates efficient analysis of large quantities of data within an interactive environment. PyFlag is the reimplementation of FLAG in Python.

Other Application Resources:

Top 100 Network Security Tools (Insecure.org): a 2006 survey of 3,243 Nmap hackers reveals their top 100 security tools.

Network Monitoring Tools (Stanford Linear Accelerator Center): an extensive list of network monitoring tools put together by the Stanford Linear Accelerator Center. The list is broken into categories and provides links to more information on each tool.

10 Great Open Source Management Tools (ITmanagement.com)

Top 5 Open Source Security Tools in the Enterprise (LinuxWorld)