BLOG     |     FORUM

The Unsniff "Unfair" Advantage

Unsniff is designed from the ground up with ease of use, new visualizations, advanced analysis, and extensibility in mind. You will find that Unsniff empowers you to analyze deeper - easier.

By Feature (click on the feature for more detail)
VisualizationsUnsniffs radical new visualization scheme called "The Visual Breakout". Find out how this visualization can help you design, teach, and analyze better.
PDU AnalysisAre you still looking at link layer packets ? Find out how Unsniff allows you to monitor Protocol Data Units (PDUs).
Stream AnalysisCut down your analysis time dramatically. Monitor entire streams in real time - just like packets or PDUs.
User ObjectsUser Objects are entities of interest to you. Sometimes you are not interested in raw data at all. Find out how Unsniff allows you to monitor HTML pages served, Flash, Audio, Video, RTP audio, files and more.
Filter WizardsConstructing display and capture filters has never been easier. You never have to remember a "filter language syntax" or field names and types.
Roll your ownWrite your own analysis tools using Ruby or VBScript. Finally - freedom from canned analysis tools. Find out how Unsniff empowers you.
ExtendNew proprietary protocol ? No problem. Find out how you can add new protocols and other types of plugins.

[Back to top]
Unsniff Network Analyzer Stylized LogoNew Visualizations
Easy on your eyes and brain
More Detail about the Visual Breakout
What others offer: Network protocol analysis has so far been about reading hex dumps with the help of a text tree. The text tree is used to navigate the hex dump. As fields are selected from the tree - the corresponding hex bytes are highlited. We found that this scheme is inherently painful and requires a two-level correlation between the tree and raw view. In addition, this scheme is useless in printed form or when embedded in another document.

The Unsniff Advantage: Based on our experiences with leading network equipment vendors and educational institutions - we found that network protocols were both taught and designed using a graphical approach. Never once did we see anyone use a tree + raw approach to develop or teach network protocols. Unleash Networks decided to use this as a basis for its new visualization scheme. Unsniff introduces the enhanced, interactive packet frame view (called a Visual Breakout) - a first in the network analyzer world.


  • Design, develop, test, and analyze using the same visual methodology
  • Design,Teaching, and learning can be fun because the Unsniff Visual Breakout is more approachable
  • Flexible and Customizable
  • Self Documenting. Hover your mouse over each field for instant help about that field
  • Crystal clear printed and embedded output
  • The classic tree + raw bytes view is also available

[Back to top]
Unsniff Network Analyzer Stylized LogoPDUs
Beyond plain link layer analysis
What others offer: All network analysis tools in the market today offer only link layer (the lowest non-physical layer) packet analysis. Network protocols are layered - a top layer usually depends on some funtionality provided by the lower layers. If you only perform link layer packet analysis - you cannot see the right picture from the upper layers. Upper layer protocols usually communicate in terms of protocol data units (or PDUs) - which have little or no respect for packet boundaries. For example : If you have a 5000+ byte LDAP PDU carried over 5 ethernet packets, it will be almost impossible for you to meaninfully analyze this PDU by just looking at Ethernet packets. If your network is experiencing packet loss - your agony is much greater.

The Unsniff Advantage: Unsniff is the first and only network analyzer to monitor PDUs as a first class entity (just like link layer packets). If you work with stream based protocols - you will at last have never-before visibility into PDUs.


  • Unsniff monitors PDUs in real time
  • PDUs are first class entities in Unsniff (they are stored and displayed like packets)
  • No time wasted trying to dig through link layer packets
  • Advanced reassembly routines take care of lossy networks
  • LDAP,BGP,HTTP,SMB,TLS,SSL,LDP, and countless other protocols instantly benefit
  • Accurate timestamping of PDUs

[Back to top]
Unsniff Network Analyzer Stylized LogoStreams
Full stream analysis
A stream represents connection oriented data such as TCP/IP sessions. A typical traffic profile of a network will consist of hundreds of independent 'streams' of data. If you want to analyze this data, your first task is to identify the stream you want to look at. This can be a bewildering experience if you are working with a busy network.

What others offer: Most network analyzers today offer a feature known as "go to stream". To use this feature - you typically select a link layer packet - then select "go to stream" from a menu. This is a bottom-up approach that rarely works well. This is due to the fact that it is rather difficult to select a link layer packet without any high-level visibility into streams.

The Unsniff Advantage: Unsniff is the first and only network analyzer to monitor streams in real-time. Streams (like link layer packets and PDUs) are first class entities in Unsniff. This makes your task of identifying your stream of interest real easy - you just have to pick your stream from a list. This top-down approach will save you hours.


  • Track each stream in real time in the "Streams Sheet"
  • State changes (eg. TCP/IP states) are updated in real time
  • Observe the latest data on all streams
  • It is quite a learning experience to have the "Streams Sheet" open and visiting a few websites
  • Expand each stream to get the individual link layer packets in that stream
  • Full reassembly, analysis, and save payload in each direction supported
  • Write powerful stream analysis scripts
  • TCP/IP ladder diagram with inline analysis (will mark lost packets, retransmission, dup acks, etc)

[Back to top]
Unsniff Network Analyzer Stylized LogoNetwork User Objects
Monitor higher level objects
Unsniff is the first network analyzer to introduce this concept.
For some users, the most interesting thing on the network is not packets, or PDUs, or streams; rather some other higher level object such as HTML pages served, flash content, quality of RTP audio, files transferred using FTP or SMB, etc. This can be useful for web developers, security administrators, or just curious users.


  • Monitor "interesting things" (User Objects) on the network in real time
  • You get to define what these "interesting things" are ( via Unsniff plugins)
  • Currently, HTML pages, Flash, Audio,Video, SIP calls, RTP audio, files are supported
  • Play back RTP Audio (G.711 a-law, G.711 u-law, GSM) in a single click
  • View entire HTML pages (including inline images/flash) in a single window
  • Some of our users even use Unsniff as a web archiving tool !!
  • Fully scriptable - For example: You can write scripts to extract all JPG images > 70K to a folder

[Back to top]
Unsniff Network Analyzer Stylized Logo Wizards
You dont have to memorize a difficult syntax or field names
Capture filters are used to cut down the number of packets by dropping unwanted packets at a very low level. Display filters are used in a variety of ways to match various field level criteria.

What others offer: Most network analyzers support filtering both at the capture level or at the display level. At the capture filter level, many use the excellent mechanisms offered by the BPF (Berkeley Packet Filter) library. Some analyzers offer rudimentary help at these levels - but not enough for complex expressions. The biggest drawback is usually the need to remember the syntax of the BPF capture filter - or even worse to remember field names while constructing display filters. You need to have access to documentation to lookup names on the side.

The Unsniff Advantage : Unsniff features two wizards dedicated to filters. The Capture filter wizard allows you to construct complex BPF expressions in a snap. The Display filter wizard is really powerful - you can specify field matching expressions in a simple way without having to remember or lookup field names or types.


  • Unsniff can provide full range of BPF capture filters (Only with the Winpcap provider)
  • Display filter wizards - can be used with any provider (Winpcap, Windows Raw Sockets)
  • Step 1 : Choose Protocols -> Step 2: Specify expression -> Done
  • String fields can match any regular expressions (Eg. "ap??he" )
  • Numeric fields can match any numeric expression (Eg. "> 100 || in {255,300,512}" )
  • Apply multiple display filters (markers)
  • Both filters can be saved to a file and reused

[Back to top]
Unsniff Network Analyzer Stylized LogoRoll your own
You now have the power to write your own analysis tools

Today, it is tough being a talented network analysis professional. There are plenty of network / protocol analyzers but they do not provide you with an environment to write your own tools. You have to contact their "services department" to get them to include simple functionality. For example : Recently we talked to a talented web network administrator - he wanted his network analyzer to simply print out which countries were hitting what resources on one of his websites. So a simple report of : URL -> list of countries was all he needed. With Unsniff, he was able to write a simple script in Ruby to accomplish this.

The Current State : We do not know of any network or protocol analyzer that offers a scripting or extensible environment. You have to depend on "canned" reports (such as Top-10 talkers, by protocol, packet size etc). These canned statistics are cute and all, but usually fall way short of what you want to do in your particular network.

The Unsniff Advantage : Unsniff provides you with a complete scripting environment. You can script the user interface or write command line scripts that work with capture files directly. You will be surprised how productive you can be.


  • Ruby : Unsniff supports the Ruby scripting language. It is fully object oriented. You can even write powerful user interfaces using Fx-Ruby (the Ruby interface to the Fox toolkit)
  • Look for other scripts - or share yours in the Unleash Networks DevZone.
  • Script the user interface. You can attach scripts to custom menu items and use the current application context.
  • VBScript - Unsniff also supports VBScript, JScript. We include many samples in VBScript.
  • Script Console - Unsniff provides a rich script console where you can output your results.
  • Object Model - Comprehensive object model provides access to all entities

[Back to top]
Unsniff Network Analyzer Stylized LogoExtend it
Custom protocols or entire user interfaces

Does your company have a proprietary protocol ? Is the protocol you need not supported in Unsniff ? Do you want additional features ? Unsniff already supports 40+ protocols we think are highly used. We are adding new ones at a rapid rate - and you can access them free of cost. There will still be cases where you want to write your own protocol handlers.


  • Your protocol is proprietary
  • You cannot wait for Unleash Networks to add support
  • You are running a legacy or futuristic network
  • You want to improve or replace the standard handlers
Today, there are a few network / protocol analyzers that allow you to write simple message handlers. This mechanism will support only the simplest of protocols and are pretty much useless for complex proprietary ones. Some open source analyzers are quite good - but you have to agree to their licensing terms. These licensing terms might force you to make your protocols public.

The Unsniff Advantage : Unsniff provides you with a powerful API to write your own plugins. In addition to protocol handlers, you can also write custom name resolvers, user interfaces, eavesdroppers and more.


  • You have full rights to your custom plugin. You can even sell them independently of Unleash Networks
  • Leverage the power of XML to define your messages
  • All advantages of Unsniff available to your custom protocol (including scripting)
  • Eavesdroppers allow you to tap raw packet data at any layer
  • Custom name resolvers (examples : OIDs to names, SIP telephone numbers to tester names, etc)
  • UI plugins (add dialogs, menus, toolbar to Unsniff)
  • Custom Sheets - full blown ActiveX controls that appear as another sheet within Unsniff
  • Microsoft Visual Studio Wizards and lots of samples included
  • Comprehensive Unsniff Developers Guide and Scripting Guide available in PDF form