Sniffer (protocol analyzer)

Sniffer

Original author(s)	Len Shustek
Initial release	December 1986
Written in	C, 8086 assembler
Operating system	MS-DOS
Type	protocol analyzer

The Sniffer^[1] was a computer network packet and protocol analyzer developed and first sold in 1986 by Network General Corporation^[2] of Mountain View, CA. By 1994 the Sniffer had become the market leader^[3] in high-end protocol analyzers. According to SEC 10-K filings^[4][5][6] and corporate annual reports,^[7] between 1986 and March 1997 about $933M worth of Sniffers and related products and services had been sold as tools for network managers and developers.

The Sniffer was the antecedent of several generations of network protocol analyzers, of which the current most popular is Wireshark.

Sniffer history[]

The Sniffer was the first product of Network General Corporation, founded on May 13, 1986^[8][9] by Harry Saal and Len Shustek to develop and market network protocol analyzers. The inspiration was an internal test tool that had been developed within Nestar Systems,^[10] a personal computer networking company founded in October 1978 by Saal and Shustek along with Jim Hinds and Nick Fortis. In 1982 engineers John Rowlands and Chris Reed at Nestar’s UK subsidiary Zynar Ltd developed an ARCNET promiscuous packet receiver and analyzer called TART (“Transmit and Receive Totaliser”) for use as an internal engineering test tool. It used custom hardware, and software for an IBM PC written in a combination of BASIC and 8086 assembly code. When Nestar was acquired by Digital Switch Corporation (now DSC Communications) of Plano, Texas in 1986,^[11] Saal and Shustek received the rights to TART.

At Network General, Saal and Shustek initially sold TART as the “R-4903 ARCNET Line Analyzer (‘The Sniffer’)”.^[12] They then reengineered TART for IBM’s Token Ring network hardware, created a different user interface with software written in C, and began selling it as The Sniffer™ in December of 1986.^[13] The company had four employees at the end of that year.

In April 1987 the company released an Ethernet version of the Sniffer,^[14][15] and in October, versions for ARCNET, StarLAN, and IBM PC Network Broadband. Protocol interpreters were written for about 100 network protocols at various levels of the protocol stack, and customers were given the ability to write their own interpreters. The product line gradually expanded to include the Distributed Sniffer System^[16] for multiple remote network segments, the Expert Sniffer^[17] for advanced problem diagnosis, and the Watchdog^[18] for simple network monitoring.

Corporate history[]

Between inception and the end of 1988, Network General sold $13.7M^[7] worth of Sniffers and associated services. Financing was initially provided only by the founders until an investment of $2M by TA Associates in December 1987. On February 6, 1989 the company, which had 29 employees at the time, raised $22M with a public stock offering of 1,900,000 shares^[19] on NASDAQ as NETG. On August 3, 1989, they sold an additional 1,270,000 shares^[20] in a secondary offering, and on April 7, 1992 an additional 2,715,000 shares^[21] in a third offering.

In December 1989, Network General bought Legend Software, a one-person company in New Jersey that had been founded by Dan Hansen. Their product was a network monitor called LAN Patrol, which was enhanced, rebranded, and sold by Network General as WatchDog.^[18]

By 1995 Network General had sold Sniffer-related products totaling $631M^[7] at an average gross margin of 77%. It had almost 1000 employees and was selling about 1000 Sniffers a month.

In December 1997 Network General merged with McAfee Associates (MCAF) to form Network Associates, in a stock swap deal valued at $1.3B.^[22] Weeks later, Network Associates bought Pretty Good Privacy, Inc. (“PGP”) , the encryption company founded in 1991 by Phil Zimmerman, for $35M in cash.^[23] Saal and Shustek left the company shortly thereafter.

In 2002, much of the PGP product line was sold to the newly formed PGP Corporation for an undisclosed amount.^[24] It was subsequently acquired by Symantec in 2010.

In mid-2004, Network Associates sold off the Sniffer technology business to investors led by Silver Lake Partners and Texas Pacific Group for $275M in cash, creating a new Network General Corporation.^[25] That same year, Network Associates readopted its founder’s name and became McAfee Inc. In September 2007, the new Network General was acquired by NetScout Systems for $205M.^[26] Netscout marketed "Sniffer Portable"^[27] in 2013, and in 2018 they divested^[28] their handheld network test tool business, including the Sniffer, to StoneCalibre.

Intellectual property rights[]

Network General, prior to the merger with McAfee, had filed no patents on the Sniffer. The source code and some of the hardware designs were protected by trade secrets. Most of that was eventually acquired by NetScout in the 2007 acquisition.

Network General Corporation applied for a trademark to “Sniffer” used in the context of “analyzing and testing digital traffic operations in local area networks” on May 30, 1989.^[29] It was accepted and registered on May 28, 1991.^[30] Network General protected its use with, for example, a full-page ad in the Wall Street Journal on October 4, 1995.^[31] As of 2021 that trademark registration is still active, and is now owned by NetScout Systems Inc. Network General also owned the trademarks to “Expert Sniffer”,^[32] “TeleSniffer”,^[33] and “Distributed Sniffer System”,^[34] all of which have expired.

IBM PC ARCNET Sniffer board

The original Nestar ARCNET Sniffer[]

The ARCNET Sniffer developed as an internal test tool by Zynar used the IBM PC ARCNET Network Interface Card developed by Nestar for the PLAN networking systems. That board used the COM9026 integrated ARCNET controller from Standard Microsystems Corporation, which had been developed in collaboration with Datapoint.

There was no promiscuous mode in the SMC chip that would allow all packets to be received regardless of the destination address. So to create the Sniffer, a daughterboard^[35] was developed that intercepted the receive data line to the chip and manipulated the data so that every packet looked like a broadcast and was received by the chip.

IBM PC ARCNET Sniffer daughterboard potted module

Since the ability to receive all packets was viewed as a violation of network privacy, the circuitry implementing it was kept secret, and the daughterboard was potted in black epoxy to discourage reverse-engineering.

The source code of the original TART/Sniffer BASIC and assembler program is available on GitHub.^[36]

The 1986 Network General Sniffer[]

Token-Ring Sniffer, 1986

The Sniffer was a promiscuous mode packet receiver, which means it received a copy of all network packets without regard to what computer they were addressed to. The packets were filtered, analyzed using what is now sometimes called Deep Packet Inspection, and stored for later examination.

The Sniffer was implemented above Microsoft’s MS-DOS operating system, and used a 40 line 80-character text-only display. The first version, the PA-400 protocol analyzer for Token-Ring networks,^[37] was released on a Compaq Portable II “luggable” computer that had an Intel 80286 processor, 640 KB of RAM, a 20 MB internal hard disk, a 5 ¼” floppy disk drive, and a 9” monochrome CRT screen. The retail price of the Sniffer in unit quantities was $19,995^[38]

Sniffer data flow

The two major modes of operation^[13] were:

• “capture”, in which
  • packets are captured, stored, counted, and summarized
  • filters control which packets are captured
  • triggers control when capture should stop, perhaps because a sought-after network error condition had occurred
• “display”, in which
  • packets are analyzed and interpreted
  • filters control which packets are displayed
  • options control which aspects of the packets are displayed

Navigation of the extensive menu system on the character-mode display was through a variation of Miller Columns that were originally created by Mark S Miller at Datapoint Corporation for their file browser. As the Sniffer manual described, “The screen shows you three panels, arranged from left to right. Immediately to the left of your current (highlighted) position is the node you just came from. Above and below you in the center panel are alternative nodes that are also reachable from the node to your left… To your right are nodes reachable from the node you're now on.”

Sniffer menu navigation

Pressing F10 initiated capture and a real-time display of activity.^[37]

Example sniffer screen during packet capture

When capture ended, packets were analyzed and displayed in one or more of the now-standard three synchronized vertical windows: multiple packet summary, single packet decoded detail, and raw numerical packet data. Highlighting linked the selected items in each window.

In the multiple-packet summary, the default display was of information at the highest level of the protocol stack present in that packet. Other displays could be requested using the “display options” menu.

The translation of data at a particular level of the network protocol stack into user-friendly text was the job of a “protocol interpreter”, or PI. Network General provided over 100 PI’s^[39] for commonly-used protocols of the day:

Decoding higher protocol levels often required the interpreter to maintain state information about connections so that subsequent packets could be property interpreted. That was implemented with a combination of locally cached data within the protocol interpreter, and the ability to look back at earlier packets stored in the capture buffer.

Sniffer customers could write their own protocol interpreters to decode new or rare protocols not supported by Network General. Interpreters were written in C and linked with the rest of the Sniffer modules to create a new executable program. The procedure for creating new PIs was documented in April 1987 as part of Sniffer version 1.20.^[40]

In addition to supporting many network protocols, there were versions of the Sniffer that collected data from the major local area networks in use in the 1980s and early 1990s:

• IBM Token-Ring
• Token Bus
• Ethernet (thick, thin, twisted pair)
• Datapoint ARCnet
• Starlan
• AppleTalk
• Corvus Omninet
• FDDI
• ISDN
• Frame Relay
• Synchronous Data Link Control (SDLC)
• Asynchronous Transfer Mode (ATM)
• X.25
• IBM PC Network (Sytek)

Competitors[]

Even in the early years, the Sniffer had competition,^[41] at least for some aspects of the product. Several were, like the Sniffer, ready-to-use packaged instruments:

• Excelan's 1984 Nutcracker,^[42] and its 1986 LANalyzer^[43]
• Communications Machinery Corporation's DRN-1700 LanScan Ethernet Monitor
• Hewlett-Packard's HP-4972A LAN Protocol Analyzer^[44]
• Digital Equipment Corporation's LAN Traffic Monitor^[45]
• Tektronix's TMA802 Media Analyzer^[46]

There were also several software-only packet monitors and decoders, often running on Unix, and often with only a command-line user interface:

• tcpdump, using the Berkeley Packet Filter^[47] and other capture mechanisms provided by the operating system
• LANWatch,^[48] originally from FTP Software

See also[]

• Comparison of packet analyzers
• Wireshark
• tcpdump

References[]

External links[]

• "The Ancient History of Computers and Network Sniffers" (Sharkfest 2021 keynote talk) - SF16 - Len Shustek Keynote, retrieved 2021-08-17
• Haugdahl, J. S. (October 1988). "Benchmarking LAN protocol analyzers". Proceedings [1988] 13th Conference on Local Computer Networks: 375–384. doi:10.1109/LCN.1988.10251. ISBN 0-8186-0891-9. S2CID 336848.
• Chartoff, Marvin (1987-12-14). "LAN management: What's the right tool for the job?". Network World. Vol. 4, no. 50. International Data Group. p. 37.