Sniffer (protocol analyzer)
Original author(s) | Len Shustek |
---|---|
Initial release | December 1986 |
Written in | C, 8086 assembler |
Operating system | MS-DOS |
Type | protocol analyzer |
The Sniffer[1] was a computer network packet and protocol analyzer developed and first sold in 1986 by Network General Corporation[2] of Mountain View, CA. By 1994 the Sniffer had become the market leader[3] in high-end protocol analyzers. According to SEC 10-K filings[4][5][6] and corporate annual reports,[7] between 1986 and March 1997 about $933M worth of Sniffers and related products and services had been sold as tools for network managers and developers.
The Sniffer was the antecedent of several generations of network protocol analyzers, of which the current most popular is Wireshark.
Sniffer history[]
The Sniffer was the first product of Network General Corporation, founded on May 13, 1986[8][9] by Harry Saal and Len Shustek to develop and market network protocol analyzers. The inspiration was an internal test tool that had been developed within Nestar Systems,[10] a personal computer networking company founded in October 1978 by Saal and Shustek along with Jim Hinds and Nick Fortis. In 1982 engineers John Rowlands and Chris Reed at Nestar’s UK subsidiary Zynar Ltd developed an ARCNET promiscuous packet receiver and analyzer called TART (“Transmit and Receive Totaliser”) for use as an internal engineering test tool. It used custom hardware, and software for an IBM PC written in a combination of BASIC and 8086 assembly code. When Nestar was acquired by Digital Switch Corporation (now DSC Communications) of Plano, Texas in 1986,[11] Saal and Shustek received the rights to TART.
At Network General, Saal and Shustek initially sold TART as the “R-4903 ARCNET Line Analyzer (‘The Sniffer’)”.[12] They then reengineered TART for IBM’s Token Ring network hardware, created a different user interface with software written in C, and began selling it as The Sniffer™ in December of 1986.[13] The company had four employees at the end of that year.
In April 1987 the company released an Ethernet version of the Sniffer,[14][15] and in October, versions for ARCNET, StarLAN, and IBM PC Network Broadband. Protocol interpreters were written for about 100 network protocols at various levels of the protocol stack, and customers were given the ability to write their own interpreters. The product line gradually expanded to include the Distributed Sniffer System[16] for multiple remote network segments, the Expert Sniffer[17] for advanced problem diagnosis, and the Watchdog[18] for simple network monitoring.
Corporate history[]
Between inception and the end of 1988, Network General sold $13.7M[7] worth of Sniffers and associated services. Financing was initially provided only by the founders until an investment of $2M by TA Associates in December 1987. On February 6, 1989 the company, which had 29 employees at the time, raised $22M with a public stock offering of 1,900,000 shares[19] on NASDAQ as NETG. On August 3, 1989, they sold an additional 1,270,000 shares[20] in a secondary offering, and on April 7, 1992 an additional 2,715,000 shares[21] in a third offering.
In December 1989, Network General bought Legend Software, a one-person company in New Jersey that had been founded by Dan Hansen. Their product was a network monitor called LAN Patrol, which was enhanced, rebranded, and sold by Network General as WatchDog.[18]
By 1995 Network General had sold Sniffer-related products totaling $631M[7] at an average gross margin of 77%. It had almost 1000 employees and was selling about 1000 Sniffers a month.
In December 1997 Network General merged with McAfee Associates (MCAF) to form Network Associates, in a stock swap deal valued at $1.3B.[22] Weeks later, Network Associates bought Pretty Good Privacy, Inc. (“PGP”) , the encryption company founded in 1991 by Phil Zimmerman, for $35M in cash.[23] Saal and Shustek left the company shortly thereafter.
In 2002, much of the PGP product line was sold to the newly formed PGP Corporation for an undisclosed amount.[24] It was subsequently acquired by Symantec in 2010.
In mid-2004, Network Associates sold off the Sniffer technology business to investors led by Silver Lake Partners and Texas Pacific Group for $275M in cash, creating a new Network General Corporation.[25] That same year, Network Associates readopted its founder’s name and became McAfee Inc. In September 2007, the new Network General was acquired by NetScout Systems for $205M.[26] Netscout marketed "Sniffer Portable"[27] in 2013, and in 2018 they divested[28] their handheld network test tool business, including the Sniffer, to StoneCalibre.
Intellectual property rights[]
Network General, prior to the merger with McAfee, had filed no patents on the Sniffer. The source code and some of the hardware designs were protected by trade secrets. Most of that was eventually acquired by NetScout in the 2007 acquisition.
Network General Corporation applied for a trademark to “Sniffer” used in the context of “analyzing and testing digital traffic operations in local area networks” on May 30, 1989.[29] It was accepted and registered on May 28, 1991.[30] Network General protected its use with, for example, a full-page ad in the Wall Street Journal on October 4, 1995.[31] As of 2021 that trademark registration is still active, and is now owned by NetScout Systems Inc. Network General also owned the trademarks to “Expert Sniffer”,[32] “TeleSniffer”,[33] and “Distributed Sniffer System”,[34] all of which have expired.
The original Nestar ARCNET Sniffer[]
The ARCNET Sniffer developed as an internal test tool by Zynar used the IBM PC ARCNET Network Interface Card developed by Nestar for the PLAN networking systems. That board used the COM9026 integrated ARCNET controller from Standard Microsystems Corporation, which had been developed in collaboration with Datapoint.
There was no promiscuous mode in the SMC chip that would allow all packets to be received regardless of the destination address. So to create the Sniffer, a daughterboard[35] was developed that intercepted the receive data line to the chip and manipulated the data so that every packet looked like a broadcast and was received by the chip.
Since the ability to receive all packets was viewed as a violation of network privacy, the circuitry implementing it was kept secret, and the daughterboard was potted in black epoxy to discourage reverse-engineering.
The source code of the original TART/Sniffer BASIC and assembler program is available on GitHub.[36]
The 1986 Network General Sniffer[]
The Sniffer was a promiscuous mode packet receiver, which means it received a copy of all network packets without regard to what computer they were addressed to. The packets were filtered, analyzed using what is now sometimes called Deep Packet Inspection, and stored for later examination.
The Sniffer was implemented above Microsoft’s MS-DOS operating system, and used a 40 line 80-character text-only display. The first version, the PA-400 protocol analyzer for Token-Ring networks,[37] was released on a Compaq Portable II “luggable” computer that had an Intel 80286 processor, 640 KB of RAM, a 20 MB internal hard disk, a 5 ¼” floppy disk drive, and a 9” monochrome CRT screen. The retail price of the Sniffer in unit quantities was $19,995[38]
The two major modes of operation[13] were:
- “capture”, in which
- packets are captured, stored, counted, and summarized
- filters control which packets are captured
- triggers control when capture should stop, perhaps because a sought-after network error condition had occurred
- “display”, in which
- packets are analyzed and interpreted
- filters control which packets are displayed
- options control which aspects of the packets are displayed
Navigation of the extensive menu system on the character-mode display was through a variation of Miller Columns that were originally created by Mark S Miller at Datapoint Corporation for their file browser. As the Sniffer manual described, “The screen shows you three panels, arranged from left to right. Immediately to the left of your current (highlighted) position is the node you just came from. Above and below you in the center panel are alternative nodes that are also reachable from the node to your left… To your right are nodes reachable from the node you're now on.”
Pressing F10 initiated capture and a real-time display of activity.[37]
When capture ended, packets were analyzed and displayed in one or more of the now-standard three synchronized vertical windows: multiple packet summary, single packet decoded detail, and raw numerical packet data. Highlighting linked the selected items in each window.
In the multiple-packet summary, the default display was of information at the highest level of the protocol stack present in that packet. Other displays could be requested using the “display options” menu.
The translation of data at a particular level of the network protocol stack into user-friendly text was the job of a “protocol interpreter”, or PI. Network General provided over 100 PI’s[39] for commonly-used protocols of the day:
- 3COM 3+
- AppleTalk ADSP
- AppleTalk AFP
- AppleTalk ARP
- AppleTalk ASP
- AppleTalk ATP
- AppleTalk DDP
- AppleTalk ECHO
- AppleTalk KSP
- AppleTalk LAP
- AppleTalk NBP
- AppleTalk PAP
- AppleTalk RTMP
- AppleTalk ZIP
- ARP
- AT&T
- Banyan VINES AFRP
- Banyan VINES Echo
- Banyan VINES File Svc
- Banyan VINES FRP
- Banyan VINES FTP
- Banyan VINES IP
- Banyan VINES LLC
- Banyan VINES Loopback
- Banyan VINES Matchmaker
- Banyan VINES Ntwk Mgr
- Banyan VINES SPP
- Banyan VINES StreetTalk
- Banyan VINES Svr Svc
- Banyan VINES Talk
- BOOTP
- Bridge bridge mgmt
- Bridge CS-1
- Bridge terminal srvr
- Chaosnet
- ComDesign
- Cronus direct
- Cronus VLN
- Datapoint DLL
- Datapoint RCL
- Datapoint RIO
- Datapoint RMS
- DEC 911
- DEC bridge mgmt
- DEC LAN monitor
- DEC LAST
- DEC LAVC
- DEC NetBIOS
- DECNET CTERM
- DECNET DAP
- DECNET DRP
- DECNET FOUND
- DECNET LAT
- DECNET LAVC
- DECNET MOP
- DECNET NICE
- DECNET NSP
- DECNET SCP
- DNS
- ECMA internet
- EGP
- Excelan
- FTP
- GGP
- IBM SMB
- IBM SNA
- ICMP
- IONET VCS
- IONET VCS CMND
- IONET VCS DATA
- IONET VCS TRANS
- IP
- ISO ACSE
- ISO ASN.1
- ISO CMIP
- ISO Network
- ISO PPP
- ISO ROSE
- ISO Session
- ISO SMTP
- ISO Transport
- LOOP
- Loopback
- Micom test
- NBS internet
- Nestar ARCnet
- Nestar PlanSeries
- NetBIOS
- NetBIOS TCP
- Novell Netware
- PUP address translation
- RPL
- RUnix
- SMTP
- SNAP
- Sun MOUNT
- Sun NFS
- Sun PMAP
- Sun RPC
- Sun RSTAT
- Sun YP
- Symbolics private
- TCP
- Telnet
- TFTP
- TRING DLC
- TRING LLC
- TRING MAC
- TRING RI
- U-B
- Vitalink bridge mgmt
- X.25
- X.25 level 3
- X.75 internet
- Xerox BOOTP
- Xerox EGP
- Xerox GGP
- Xerox ND
- Xerox PUP
- Xerox PUP ARP
- Xerox RIP
- Xerox TFTP
- Xerox XNS
- Xyplex
Decoding higher protocol levels often required the interpreter to maintain state information about connections so that subsequent packets could be property interpreted. That was implemented with a combination of locally cached data within the protocol interpreter, and the ability to look back at earlier packets stored in the capture buffer.
Sniffer customers could write their own protocol interpreters to decode new or rare protocols not supported by Network General. Interpreters were written in C and linked with the rest of the Sniffer modules to create a new executable program. The procedure for creating new PIs was documented in April 1987 as part of Sniffer version 1.20.[40]
In addition to supporting many network protocols, there were versions of the Sniffer that collected data from the major local area networks in use in the 1980s and early 1990s:
- IBM Token-Ring
- Token Bus
- Ethernet (thick, thin, twisted pair)
- Datapoint ARCnet
- Starlan
- AppleTalk
- Corvus Omninet
- FDDI
- ISDN
- Frame Relay
- Synchronous Data Link Control (SDLC)
- Asynchronous Transfer Mode (ATM)
- X.25
- IBM PC Network (Sytek)
Competitors[]
Even in the early years, the Sniffer had competition,[41] at least for some aspects of the product. Several were, like the Sniffer, ready-to-use packaged instruments:
- Excelan's 1984 Nutcracker,[42] and its 1986 LANalyzer[43]
- Communications Machinery Corporation's DRN-1700 LanScan Ethernet Monitor
- Hewlett-Packard's HP-4972A LAN Protocol Analyzer[44]
- Digital Equipment Corporation's LAN Traffic Monitor[45]
- Tektronix's TMA802 Media Analyzer[46]
There were also several software-only packet monitors and decoders, often running on Unix, and often with only a command-line user interface:
- tcpdump, using the Berkeley Packet Filter[47] and other capture mechanisms provided by the operating system
- LANWatch,[48] originally from FTP Software
See also[]
References[]
- ^ Joch, Alan (2001-07-23). "Network Sniffers". Computerworld. Retrieved 2021-02-16.
- ^ "May 13: Network General Corporation Founded | This Day in History | Computer History Museum". www.computerhistory.org. Retrieved 2021-02-16.
- ^ Musthaler, Linda (1994-02-21). "Merger will hone net analysis focus". Network World. Vol. 11, no. 8. International Data Group. p. 35.
- ^ "Network General Corporation FY95 10-K". SEC Edgar database. June 28, 1995.
{{cite web}}
: CS1 maint: url-status (link) - ^ "Network General Corporation FY96 10-K". SEC Edgar database. July 25, 1996.
{{cite web}}
: CS1 maint: url-status (link) - ^ "Network General Corporation FY97 10-K". SEC Edgar database. June 27, 1997.
{{cite web}}
: CS1 maint: url-status (link) - ^ a b c "Network General Corp. annual reports 1989-1993, 1995, 1997" – via Internet Archive.
- ^ Petrosky, Mary (1987-06-22). "Network General smells success with Sniffer". Network World. Vol. 4, no. 25. International Data Group. p. 15.
- ^ "Presenting Network General Corporation", July 1992, retrieved 2021-11-17
- ^ Prins, G.A. (November–December 1979). "Distributing computing at the personal level". Electronics and Power. 25 (11): 765. doi:10.1049/ep.1979.0423. ISSN 0013-5127.
- ^ InfoWorld (1986-11-24). Nestar Says Firm's Acquisition To Improve LAN and PBX Links. InfoWorld Media Group, Inc.
- ^ Network General (1986-09-25). Network General R 4903 ARCNET Line Analyzer Manual Sep 1986.
- ^ a b Network General Corporation (December 1986). Network General Token Ring Sniffer V 1.0 Dec 1986.
- ^ Network General (1987-04-01). Network General Ethernet Sniffer Introduction Apr 1987.
- ^ Network General (1988-06-01). Network General Ethernet Sniffer Jun 1988.
- ^ Smalley, Eric (1991-04-01). "Sniffer Gains Distributed Management Capabilities". Network World. Vol. 8, no. 13. International Data Group. p. 4.
- ^ InfoWorld Media Group (1992-09-28). Expert Sniffer to Diagnose WANs. InfoWorld Media Group, Inc.
- ^ a b InfoWorld (1990-08-27). The Watchdog Sniffs Out LAN Traffic Statistics. InfoWorld Media Group, Inc.
- ^ Network General (1989-02-02). 1989 02 02 Network General IPO.
- ^ Network General (1989-08-02). 1989 08 02 Network General SPO.
- ^ Network General (1992-04-07). 1992 04 07 Network General TPO.
- ^ "McAfee, Network General to merge". CNET. Retrieved 2021-02-16.
- ^ Kerstetter, Jim. "Network Associates acquires PGP". ZDNet. Retrieved 2021-02-16.
- ^ Savage, Marcia (2002-08-19). "Network Associates Sells PGP Products To New Company". CRN. Retrieved 2021-02-16.
- ^ Roberts, Paul F. (2004-07-16). "Sniffer relaunched as Network General Corp". Network World. Retrieved 2021-02-16.
- ^ Dubie, Denise (2007-09-20). "NetScout buying Network General for $205 million". Network World. Retrieved 2021-02-16.
- ^ Netscout (2013). 2013 Netscout Sniffer.
- ^ "Support for Divested HNT Portfolio". NETSCOUT. Retrieved 2021-10-03.
- ^ "Trademark Electronic Search System (TESS)". tmsearch.uspto.gov. Retrieved 2021-06-03.
{{cite web}}
: CS1 maint: url-status (link) - ^ "Trademark Electronic Search System (TESS)". tmsearch.uspto.gov. Retrieved 2021-06-03.
{{cite web}}
: CS1 maint: url-status (link) - ^ Network General (1995-10-04). "Wall Street Journal advertisement". Retrieved 2021-02-16.
{{cite web}}
: CS1 maint: url-status (link) - ^ "USPTO TESS". tmsearch.uspto.gov. Retrieved 2021-06-03.
{{cite web}}
: CS1 maint: url-status (link) - ^ "USPTO TESS". tmsearch.uspto.gov. Retrieved 2021-06-03.
{{cite web}}
: CS1 maint: url-status (link) - ^ "USPTO TESS". tmsearch.uspto.gov. Retrieved 2021-06-03.
{{cite web}}
: CS1 maint: url-status (link) - ^ Nestar ARCNET Sniffer Internal Descriptions. Nestar Systems. 1982–1984.
{{cite book}}
: CS1 maint: date format (link) - ^ NestarSystems/ARCNET_Sniffer on GitHub
- ^ a b "1986 12 Network General Large Brochure : Free Download, Borrow, and Streaming". Internet Archive. December 1986. Retrieved 2021-06-03.
- ^ "1987 03 16 Network General Price List End User : Free Download, Borrow, and Streaming". Internet Archive. Retrieved 2021-06-03.
- ^ "1991 04 The Network Is Your Business : Network General Corp. : Free Download, Borrow, and Streaming". Internet Archive. April 1991. Retrieved 2021-06-04.
- ^ Network General (1987-04-01). Network General Token Ring Sniffer V 1.20 Addendum Apr 1987.
- ^ InfoWorld (1989-02-06). LAN Analyzers: Powerful Tools Useful For Serious Network Analysis. InfoWorld Media Group, Inc.
- ^ Satyanarayanan, M (September 22, 1984). "The Excelan Nutcracker: An Evaluation" (PDF).
{{cite web}}
: CS1 maint: url-status (link) - ^ Excelan (1986). LANalyzer EX5000E Ethernet Network Analyzer (PDF).
- ^ HP Computer Museum. "4972A Protocol Analyzer". www.hpmuseum.net. Retrieved 2021-02-18.
{{cite web}}
: CS1 maint: url-status (link) - ^ Pabrai, Uday. "Understanding and Using Computer Networks" (PDF). p. 3-26.
{{cite web}}
: CS1 maint: url-status (link) - ^ "Quick and Accurate LAN Measurements" (PDF).
{{cite web}}
: CS1 maint: url-status (link) - ^ McCann, Steven (December 19, 1992). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF).
{{cite web}}
: CS1 maint: url-status (link) - ^ InfoWorld Media Group (1993-05-10). LANWatch Version 3.0. InfoWorld Media Group, Inc.
External links[]
- "The Ancient History of Computers and Network Sniffers" (Sharkfest 2021 keynote talk) - SF16 - Len Shustek Keynote, retrieved 2021-08-17
- Haugdahl, J. S. (October 1988). "Benchmarking LAN protocol analyzers". Proceedings [1988] 13th Conference on Local Computer Networks: 375–384. doi:10.1109/LCN.1988.10251. ISBN 0-8186-0891-9. S2CID 336848.
- Chartoff, Marvin (1987-12-14). "LAN management: What's the right tool for the job?". Network World. Vol. 4, no. 50. International Data Group. p. 37.
- Network analyzers