The Unsniff "Unfair" Advantage
Unsniff is designed from the ground up with ease of use, new visualizations, advanced analysis, and extensibility in mind. You will find that Unsniff empowers you to analyze deeper, and more easily.

By Feature (click on the feature for more detail)
| Feature | What it gives you |
| --- | --- |
| Visualizations | Unsniff's radical new visualization scheme, called "The Visual Breakout". Find out how this visualization can help you design, teach, and analyze better. |
| PDU Analysis | Are you still looking at link layer packets? Find out how Unsniff allows you to monitor Protocol Data Units (PDUs). |
| Stream Analysis | Cut down your analysis time dramatically. Monitor entire streams in real time - just like packets or PDUs. |
| User Objects | User Objects are entities of interest to you. Sometimes you are not interested in raw data at all. Find out how Unsniff allows you to monitor HTML pages served, Flash, audio, video, RTP audio, files and more. |
| Filter Wizards | Constructing display and capture filters has never been easier. You never have to remember a "filter language syntax" or field names and types. |
| Roll your own | Write your own analysis tools using Ruby or VBScript. Finally - freedom from canned analysis tools. Find out how Unsniff empowers you. |
| Extend | New proprietary protocol? No problem. Find out how you can add new protocols and other types of plugins. |
New Visualizations
Easy on your eyes and brain
More detail about the Visual Breakout
What others offer: Network protocol analysis has so far been about reading hex dumps with the help of a text tree. The text tree is used to navigate the hex dump. As fields are selected from the tree, the corresponding hex bytes are highlighted. We found that this scheme is inherently painful and requires a two-level correlation between the tree and the raw view. In addition, this scheme is useless in printed form or when embedded in another document.
The Unsniff Advantage: Based on our experiences with leading network equipment vendors and educational institutions, we found that network protocols were both taught and designed using a graphical approach. Never once did we see anyone use a tree + raw approach to develop or teach network protocols. Unleash Networks decided to use this as the basis for its new visualization scheme. Unsniff introduces the enhanced, interactive packet frame view (called a Visual Breakout) - a first in the network analyzer world.
- Design, develop, test, and analyze using the same visual methodology
- Design, teaching, and learning can be fun because the Unsniff Visual Breakout is more approachable
- Flexible and customizable
- Self documenting: hover your mouse over each field for instant help about that field
- Crystal clear printed and embedded output
- The classic tree + raw bytes view is also available
PDUs
Beyond plain link layer analysis
What others offer: All network analysis tools in the market today offer only link layer (the lowest non-physical layer) packet analysis. Network protocols are layered - a top layer usually depends on some functionality provided by the lower layers. If you only perform link layer packet analysis, you cannot see the full picture from the upper layers. Upper layer protocols usually communicate in terms of protocol data units (PDUs), which have little or no respect for packet boundaries. For example: if you have a 5000+ byte LDAP PDU carried over 5 Ethernet packets, it will be almost impossible for you to meaningfully analyze this PDU by just looking at Ethernet packets. If your network is experiencing packet loss, your agony is much greater.
The Unsniff Advantage: Unsniff is the first and only network analyzer to monitor PDUs as first class entities (just like link layer packets). If you work with stream based protocols, you will at last have visibility into PDUs that you never had before.
- Unsniff monitors PDUs in real time
- PDUs are first class entities in Unsniff (they are stored and displayed like packets)
- No time wasted trying to dig through link layer packets
- Advanced reassembly routines take care of lossy networks
- LDAP, BGP, HTTP, SMB, TLS, SSL, LDP, and countless other protocols instantly benefit
- Accurate timestamping of PDUs
Streams
Full stream analysis
A stream represents connection oriented data such as TCP/IP sessions. A typical traffic profile of a network will consist of hundreds of independent 'streams' of data. If you want to analyze this data, your first task is to identify the stream you want to look at. This can be a bewildering experience if you are working with a busy network.
What others offer: Most network analyzers today offer a feature known as "go to stream". To use this feature you typically select a link layer packet, then select "go to stream" from a menu. This is a bottom-up approach that rarely works well, because it is rather difficult to select a link layer packet without any high-level visibility into streams.
The Unsniff Advantage: Unsniff is the first and only network analyzer to monitor streams in real time. Streams (like link layer packets and PDUs) are first class entities in Unsniff. This makes the task of identifying your stream of interest really easy: you just pick your stream from a list. This top-down approach will save you hours.
- Track each stream in real time in the "Streams Sheet"
- State changes (e.g. TCP/IP states) are updated in real time
- Observe the latest data on all streams
- It is quite a learning experience to have the "Streams Sheet" open while visiting a few websites
- Expand each stream to get the individual link layer packets in that stream
- Full reassembly and analysis, with the payload in each direction available to save
- Write powerful stream analysis scripts
- TCP/IP ladder diagram with inline analysis (marks lost packets, retransmissions, duplicate ACKs, etc.)
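What the PDU and Streams sections above describe, as an added example in plain Ruby. This is not Unsniff code and does not use its object model; it shows the mechanics that any analyzer with "streams" and "PDUs" as first class entities has to get right: group segments by 5-tuple, track the connection state, put each direction back into sequence order while noting gaps and retransmissions, and then cut protocol data units out of the reassembled bytes no matter how many packets carried them. The PDU framing used is BER length encoding (the framing of LDAP, the page's own 5000-byte example); the stream states, segment hash layout and the traffic in `demo` are all constructed for this illustration.

```ruby
# Added example, not Unsniff code and not its object model: "streams" and "PDUs"
# as first class entities, in stand-alone Ruby. Segments are grouped by 5-tuple,
# each direction is put back into sequence order (noting gaps and retransmissions),
# and BER-framed PDUs, the framing LDAP uses, are cut from the reassembled bytes.

class Direction                  # one direction of one TCP stream
  attr_reader :data, :events, :pending
  def initialize(isn)
    @next_seq = isn              # first payload byte we expect next
    @data = "".b                 # contiguous, in-order payload so far
    @pending = {}                # seq => payload for segments that arrived early
    @events = []                 # notes a ladder diagram would show inline
  end

  def add(seq, payload)
    return if payload.empty?
    last = seq + payload.bytesize
    return @events << "retransmission seq=#{seq}" if last <= @next_seq
    if seq < @next_seq           # partial overlap: keep only the unseen tail
      payload = payload.byteslice(@next_seq - seq, last - @next_seq)
      seq = @next_seq
    end
    if seq > @next_seq           # hole before this segment: park it
      @events << "gap before seq=#{seq} (expected #{@next_seq}): out of order or lost"
      @pending[seq] = payload
      return
    end
    append(payload)
    loop do                      # release parked segments that are now contiguous
      s = @pending.keys.min
      break if s.nil? || s > @next_seq
      seg = @pending.delete(s)
      append(seg.byteslice(@next_seq - s, s + seg.bytesize - @next_seq)) if s + seg.bytesize > @next_seq
    end
  end

  def append(payload)
    @data << payload
    @next_seq += payload.bytesize
  end
end

# Route one segment into streams, a Hash keyed by a direction-independent 5-tuple.
# seg: { src:, sport:, dst:, dport:, seq:, flags: [:syn, :ack, ...], payload: }
def track(streams, seg)
  a, b = [seg[:src], seg[:sport]], [seg[:dst], seg[:dport]]
  key, dir = (a <=> b) <= 0 ? [[a, b], :forward] : [[b, a], :reverse]
  st = streams[key] ||= { syns: 0, fins: 0, state: "MIDSTREAM", dirs: {} }
  f = seg[:flags]
  st[:syns] += 1 if f.include?(:syn)
  st[:fins] += 1 if f.include?(:fin)
  st[:state] = "SYN_SENT"    if f.include?(:syn) && st[:syns] == 1
  st[:state] = "ESTABLISHED" if f.include?(:syn) && st[:syns] == 2
  st[:state] = "CLOSING"     if f.include?(:fin) && st[:fins] == 1
  st[:state] = "CLOSED"      if f.include?(:fin) && st[:fins] == 2
  st[:state] = "RESET"       if f.include?(:rst)
  # a SYN occupies one sequence number, so payload starts at ISN + 1
  st[:dirs][dir] ||= Direction.new(seg[:seq] + (f.include?(:syn) ? 1 : 0))
  st[:dirs][dir].add(seg[:seq], seg[:payload])
  st
end

# Cut complete BER TLVs (an LDAPMessage is a SEQUENCE, tag 0x30) from a byte string.
# Returns [pdus, leftover]; leftover is a PDU still waiting for bytes. Indefinite
# length (0x80) is not used by LDAP and is not handled.
def ber_pdus(bytes)
  pdus, off = [], 0
  while bytes.bytesize - off >= 2
    len_byte = bytes.getbyte(off + 1)
    n = len_byte < 0x80 ? 0 : len_byte & 0x7f      # long form: n length bytes follow
    break if bytes.bytesize - off < 2 + n
    len = n.zero? ? len_byte : bytes.byteslice(off + 2, n).bytes.inject(0) { |acc, x| (acc << 8) | x }
    break if bytes.bytesize - off < 2 + n + len     # PDU not complete yet
    pdus << bytes.byteslice(off, 2 + n + len)
    off += 2 + n + len
  end
  [pdus, bytes.byteslice(off, bytes.bytesize - off)]
end

# Constructed traffic: a 5004-byte LDAP-style PDU (0x30, long-form length, 5000
# filler bytes) as five 1200-byte segments; segment 4 arrives before segment 3,
# and segment 2 is retransmitted.
def demo
  streams = {}
  c2s = { src: "10.0.0.5", sport: 40001, dst: "10.0.0.9", dport: 389 }
  s2c = { src: "10.0.0.9", sport: 389, dst: "10.0.0.5", dport: 40001 }
  track(streams, c2s.merge(seq: 1000, flags: [:syn], payload: "".b))
  track(streams, s2c.merge(seq: 7000, flags: [:syn, :ack], payload: "".b))
  body = ("A" * 5000).b
  pdu = "\x30\x82".b + [body.bytesize].pack("n") + body
  chunks = (0...pdu.bytesize).step(1200).map { |o| [1001 + o, pdu.byteslice(o, 1200)] }
  [0, 1, 3, 2, 1, 4].each do |i|
    seq, payload = chunks[i]
    track(streams, c2s.merge(seq: seq, flags: [:ack], payload: payload))
  end
  fwd = streams.values.first[:dirs][:forward]
  pdus, leftover = ber_pdus(fwd.data)
  { state: streams.values.first[:state], pdus: pdus.map(&:bytesize), events: fwd.events,
    leftover: leftover.bytesize, complete: fwd.pending.empty? }
end
```

Calling `demo` returns one ESTABLISHED stream whose forward direction yields a single 5004-byte PDU with nothing left over, plus two inline notes (a gap when segment 4 arrived early, and the retransmission of segment 2). The point to take from it is the ordering: the PDU cutter only ever sees the reassembled byte string, so it never has to know where packet boundaries fell, and a hole that is never filled simply leaves the PDU in `leftover` rather than producing a truncated one.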
Network User Objects
Monitor higher level objects
Unsniff is the first network analyzer to introduce this concept. For some users, the most interesting thing on the network is not packets, PDUs, or streams, but some other higher level object such as HTML pages served, Flash content, the quality of RTP audio, files transferred using FTP or SMB, etc. This can be useful for web developers, security administrators, or just curious users.
- Monitor "interesting things" (User Objects) on the network in real time
- You get to define what these "interesting things" are (via Unsniff plugins)
- Currently, HTML pages, Flash, audio, video, SIP calls, RTP audio, and files are supported
- Play back RTP audio (G.711 a-law, G.711 u-law, GSM) in a single click
- View entire HTML pages (including inline images/Flash) in a single window
- Some of our users even use Unsniff as a web archiving tool!
- Fully scriptable. For example: you can write scripts to extract all JPG images > 70K to a folder
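The "extract all JPG images > 70K to a folder" idea, as an added example that is not an Unsniff script and does not use its object model. It shows the underlying technique, file carving over reassembled payload bytes, in stand-alone Ruby: a JPEG begins with the SOI marker FF D8 FF and ends with the EOI marker FF D9, so the carver scans for those, applies the size threshold, and writes each object to a folder named by its offset. The HTTP-looking input in `sample_payload` is a constructed byte string, not captured traffic.

```ruby
# Added example, not an Unsniff script and not its object model: the "extract all
# JPG images > 70K" idea as plain file carving over reassembled payload bytes. A
# JPEG starts with the SOI marker FF D8 FF and ends with EOI FF D9, so the simplest
# carver scans for those and keeps anything above a size threshold. The input
# below is a constructed byte string, not captured traffic.
require "fileutils"

JPEG_SOI = "\xFF\xD8\xFF".b
JPEG_EOI = "\xFF\xD9".b

# Return [[offset, bytes], ...] for every SOI..EOI span of at least min_size bytes.
# Caveat: a JPEG with an embedded EXIF thumbnail carries a second SOI/EOI pair
# inside it; a careful carver walks the marker segments instead of stopping at the
# first FF D9 as this one does.
def carve_jpegs(data, min_size: 70 * 1024)
  found = []
  pos = 0
  while (start = data.index(JPEG_SOI, pos))
    stop = data.index(JPEG_EOI, start + JPEG_SOI.bytesize)
    break unless stop                     # truncated object: no EOI seen yet
    stop += JPEG_EOI.bytesize
    found << [start, data.byteslice(start, stop - start)] if stop - start >= min_size
    pos = stop
  end
  found
end

# Write each carved object into dir, named by its offset; returns the paths.
def save_objects(objects, dir)
  FileUtils.mkdir_p(dir)
  objects.map do |offset, bytes|
    path = File.join(dir, format("object_%08x.jpg", offset))
    File.binwrite(path, bytes)
    path
  end
end

# Constructed sample: an HTTP response header, a 100 KiB "image", a boundary
# line, then a 2 KiB "image" that the 70K threshold should drop.
def sample_payload
  big   = JPEG_SOI + ("\x00".b * (100 * 1024)) + JPEG_EOI
  small = JPEG_SOI + ("\x00".b * 2048) + JPEG_EOI
  "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n".b + big + "--boundary--\r\n".b + small
end
```

`carve_jpegs(sample_payload)` returns only the 100 KiB object; lowering `min_size` to 0 returns both. Carving by marker is deliberately format-agnostic (the same loop works for any type with fixed start and end signatures), which is also why it needs the thumbnail caveat: nothing here validates that the bytes between the markers are a well-formed image.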
Wizards
You don't have to memorize a difficult syntax or field names
Capture filters are used to cut down the number of packets by dropping unwanted packets at a very low level. Display filters are used in a variety of ways to match various field level criteria. Note the difference in consequence: a capture filter discards packets before they are stored, so anything it excludes cannot be recovered from the capture later, whereas a display filter only hides packets and can be changed at any time.
What others offer: Most network analyzers support filtering both at the capture level and at the display level. At the capture filter level, many use the excellent mechanisms offered by the BPF (Berkeley Packet Filter) library. Some analyzers offer rudimentary help at these levels, but not enough for complex expressions. The biggest drawback is usually the need to remember the syntax of the BPF capture filter, or even worse to remember field names while constructing display filters. You need to have access to documentation to look up names on the side.
The Unsniff Advantage: Unsniff features two wizards dedicated to filters. The Capture filter wizard allows you to construct complex BPF expressions in a snap. The Display filter wizard is really powerful: you can specify field matching expressions in a simple way without having to remember or look up field names or types.
- Unsniff can provide the full range of BPF capture filters (only with the WinPcap provider)
- Display filter wizards can be used with any provider (WinPcap, Windows Raw Sockets)
- Step 1: choose protocols -> Step 2: specify expression -> Done
- String fields can match any regular expression (e.g. "ap??he")
- Numeric fields can match any numeric expression (e.g. "> 100 || in {255,300,512}")
- Apply multiple display filters (markers)
- Both filters can be saved to a file and reused
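How field matching expressions of the two shapes listed above can be evaluated, as an added example that is not Unsniff's wizard or filter engine. The grammar is an assumption built from the page's two examples: a numeric rule is one or more comparisons (`>`, `<`, `>=`, `<=`, `==`, `!=`) or set tests (`in {a,b,c}`) joined by `||` and `&&` (with `&&` binding tighter), and a string rule is a Ruby regular expression. The page's `ap??he` reads like a glob wildcard and would mean something different as a regular expression, so the string rule in the tests is written as `/apa.he/`. Field names such as `tcp.dport` and `http.host`, the decision to AND the rules for different fields together, and the decoded records in `SAMPLE` are all this example's own constructions.

```ruby
# Added example, not Unsniff's wizard or its filter engine: an evaluator for
# display-filter rules of the two shapes the page shows, run over decoded field
# records. Assumed grammar: a numeric rule is a chain of comparisons or set tests
# joined by || and && (&& binds tighter); a string rule is a Ruby Regexp.
# Field names, the AND-of-rules combination and the records are constructed.

NUM_CLAUSE = /\A\s*(?:(>=|<=|==|!=|>|<)\s*(-?\d+)|in\s*\{([^}]*)\})\s*\z/

# One numeric clause ("> 100" or "in {255,300,512}") as a predicate on an Integer.
def numeric_clause(text)
  m = NUM_CLAUSE.match(text) or raise ArgumentError, "bad numeric clause: #{text.inspect}"
  if m[3]
    set = m[3].split(",").map { |s| Integer(s.strip) }
    return ->(v) { set.include?(v) }
  end
  rhs = Integer(m[2])
  { ">" => ->(v) { v > rhs }, "<" => ->(v) { v < rhs }, ">=" => ->(v) { v >= rhs },
    "<=" => ->(v) { v <= rhs }, "==" => ->(v) { v == rhs }, "!=" => ->(v) { v != rhs } }[m[1]]
end

# "a || b && c" => any of: (a), (b and c).
def numeric_expr(text)
  groups = text.split("||").map { |conj| conj.split("&&").map { |t| numeric_clause(t) } }
  ->(v) { groups.any? { |ands| ands.all? { |pred| pred.call(v) } } }
end

# rules: field name => numeric expression string or Regexp. A record passes when
# every rule's field is present and satisfies its rule (rules are ANDed here; that
# combination is this example's choice, not something the page states).
def compile_filter(rules)
  preds = rules.map do |field, rule|
    [field, rule.is_a?(Regexp) ? ->(v) { rule.match?(v.to_s) } : numeric_expr(rule)]
  end
  ->(record) { preds.all? { |field, pred| record.key?(field) && pred.call(record[field]) } }
end

def apply_filter(rules, records)
  pass = compile_filter(rules)
  records.select { |r| pass.call(r) }
end

# Constructed decoded records, one per packet, with a few fields each.
SAMPLE = [
  { "frame.no" => 1, "tcp.dport" => 80,   "http.host" => "apache.example" },
  { "frame.no" => 2, "tcp.dport" => 512,  "http.host" => "nginx.example" },
  { "frame.no" => 3, "tcp.dport" => 300 },
  { "frame.no" => 4, "tcp.dport" => 22,   "http.host" => "apache.example" },
  { "frame.no" => 5, "tcp.dport" => 8080, "http.host" => "apathe.example" },
]

def matching_frames(rules)
  apply_filter(rules, SAMPLE).map { |r| r["frame.no"] }
end
```

`matching_frames("tcp.dport" => "> 100 || in {255,300,512}")` returns frames 2, 3 and 5. A malformed clause raises `ArgumentError` at compile time rather than silently matching nothing, which is the behaviour you want from a filter that decides what evidence you look at; and because a rule on an absent field fails rather than passes, frame 3 (no `http.host`) never matches a host rule.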
Roll your own
You now have the power to write your own analysis tools
Today, it is tough being a talented network analysis professional. There are plenty of network / protocol analyzers, but they do not provide you with an environment to write your own tools. You have to contact their "services department" to get them to include simple functionality. For example: recently we talked to a talented web network administrator who wanted his network analyzer to simply print out which countries were hitting what resources on one of his websites. A simple report of URL -> list of countries was all he needed. With Unsniff, he was able to write a simple script in Ruby to accomplish this.
The Current State: We do not know of any network or protocol analyzer that offers a scripting or extensible environment. You have to depend on "canned" reports (such as top-10 talkers, by protocol, packet size, etc.). These canned statistics are cute and all, but usually fall way short of what you want to do in your particular network.
The Unsniff Advantage: Unsniff provides you with a complete scripting environment. You can script the user interface or write command line scripts that work with capture files directly. You will be surprised how productive you can be.
- Ruby: Unsniff supports the Ruby scripting language. It is fully object oriented. You can even write powerful user interfaces using FXRuby (the Ruby interface to the FOX toolkit)
- Look for other scripts, or share yours, in the Unleash Networks DevZone
- Script the user interface: you can attach scripts to custom menu items and use the current application context
- VBScript: Unsniff also supports VBScript and JScript. We include many samples in VBScript
- Script console: Unsniff provides a rich script console where you can output your results
- Object model: a comprehensive object model provides access to all entities
Extend it
Custom protocols or entire user interfaces
Does your company have a proprietary protocol? Is the protocol you need not supported in Unsniff? Do you want additional features? Unsniff already supports 40+ protocols we think are highly used. We are adding new ones at a rapid rate, and you can access them free of cost. There will still be cases where you want to write your own protocol handlers:
- Your protocol is proprietary
- You cannot wait for Unleash Networks to add support
- You are running a legacy or futuristic network
- You want to improve or replace the standard handlers
Today, there are a few network / protocol analyzers that allow you to write simple message handlers. This mechanism supports only the simplest of protocols and is pretty much useless for complex proprietary ones. Some open source analyzers are quite good, but you have to agree to their licensing terms. These licensing terms might force you to make your protocols public.
The Unsniff Advantage: Unsniff provides you with a powerful API to write your own plugins. In addition to protocol handlers, you can also write custom name resolvers, user interfaces, eavesdroppers and more. Bear in mind that a protocol handler or eavesdropper parses whatever arrives on the wire, inside the analyzer process, so a custom handler deserves the same care and testing against malformed input as any other parser of untrusted data.
- You have full rights to your custom plugin. You can even sell it independently of Unleash Networks
- Leverage the power of XML to define your messages
- All advantages of Unsniff are available to your custom protocol (including scripting)
- Eavesdroppers allow you to tap raw packet data at any layer
- Custom name resolvers (examples: OIDs to names, SIP telephone numbers to tester names, etc.)
- UI plugins (add dialogs, menus, and toolbars to Unsniff)
- Custom Sheets: full blown ActiveX controls that appear as another sheet within Unsniff
- Microsoft Visual Studio wizards and lots of samples included
- Comprehensive Unsniff Developers Guide and Scripting Guide available in PDF form