
Unsniff Network Analyzer Features

Unsniff takes a radically different approach to network analysis. From a new capture file format, to visualizations, to PDU and stream analysis, to extensibility, Unsniff introduces a new way of looking at the network. Unsniff also contains all the good things you have come to expect of any network analyzer, such as filtering and full packet analysis.


At a glance

General Features

  • New, more capable file format, multiple capture providers, efficient capture engine, import/export to other formats, excellent support for printing, clipboard operations, and online help

Architecture

  • Plugin architecture, install only the modules you want, override standard protocol handlers, fully configurable access points, full Unicode support, and extensible by third party developers

User Interface

  • Totally new frame-based display results in instant understanding of packets, online field-level bubble help for all protocols, real-time displays of statistics, packets, PDUs, and streams, and more

Analysis

  • PDU, full stream analysis, ladder diagrams for TCP analysis, decompression, defragmentation, decryption supported, protocol detail analysis

Filtering & Searching

  • Search based on text or binary, capture and display filters supported, user friendly wizards enable you to create display filters in seconds, match strings using powerful regular expressions, match numbers using numeric expressions, markers allow you to run multiple display filters in the background

Statistics

  • A single panel groups all statistics in an easy-to-use display: protocol hierarchy, Top-N conversations, and traffic statistics

Scripting

  • First network analyzer that fully supports scripting. Ruby and FXRuby can be used to add new visual analysis capabilities; VBScript and JScript are also supported, and the script console provides rich output options. The Unsniff DevZone features new scripts created by network professionals

Unsniff Developers API

  • Add new protocols using C++ or XML, many samples provided in the Unsniff API Developers Pack, add new user interface elements, or custom sheets to Unsniff



General

Brand new capture format: Unsniff takes an entirely different approach to capture file storage. Some features:
  • Store different link layers in the same capture file
  • Can store bookmarks and annotations
  • Supports nano-second timestamps
  • Designed to load quickly and consume less memory
  • Command line scriptable via Ruby
Works with multiple providers: Unsniff can work with many different "capture providers". Currently, we support capturing using the excellent WinPcap library or Windows raw sockets. Unleash Networks is working on a wireless capture provider which will be available in a few months.
Extremely efficient: An innovative "copyless" buffering system minimizes packet drops by boosting performance. You can adjust the buffer parameters for your network environment.
Import/Export: Unsniff can import and export capture files from the popular open source Ethereal and from Tcpdump/Windump.
Multiple capture options: Three capture modes are supported:
  • Live capture (default)
  • Frozen display capture (the user interface is not updated)
  • Direct 2 Disk (packets are streamed directly from the provider to disk, analysis happens only when the capture is stopped)
Names and Addresses: Unsniff supports a comprehensive name database. Currently MAC, IPv4, and IPv6 names are supported. The major difference is that Unsniff capture files store names locally, so they can be read by another copy of Unsniff on a different machine. This way, if your system test team sends you a capture file, you will see the same names they see.
  • Supports name resolution via reverse DNS (disabled by default)
  • Can listen to DNS and NetBIOS-NS exchanges and build a name database in the background
  • Hundreds of MAC manufacturer names preset
  • Can prefix IPv6 addresses with useful link-local or site-local tags
Printing: Excellent printing facility with special support for grayscale printers. You can select a variety of printing options. Annotations attached to a packet also appear in the printed output. You can also do a "Print Preview" before sending packets to the printer.
Clipboard operations: One great limitation of current generation tools is the complete lack of clipboard support. Unsniff changes all that.
  • Copy-and-paste packets from one capture file to another
  • Copy-and-paste entire streams (e.g., TCP sessions)
  • Copy-and-paste in multiple formats (e.g., if you paste into Unsniff you add new packets to the capture file; if you paste into Notepad you get a text view of the packets)
  • Cool new "text-diagram" view of packets supported (like the ones you see in IETF documents)
Context Sensitive Help: A full-fledged help system is at your fingertips. If you are stuck somewhere, just press F1 to access context-sensitive help.
Stop Conditions: You can configure Unsniff to stop automatically when:
  • A certain time has elapsed
  • A certain number of packets or bytes have been captured



Architecture

Plugin architecture: Unleash Networks recognizes the fact that the number of network protocols is limitless. Unsniff organizes protocols into plugin modules. You can install only those modules that address your specific need. This results in a much lighter and faster application. You do not need to lug around several megabytes of code that deal with protocols you do not care about.
Access Points: Access points dictate how protocols/messages are layered on top of each other. For example, the IP protocol attaches to the access point "Ethertype 0x0800". Unsniff allows you to customize TCP/IP/UDP/Ethertype/PPP access points. The settings are persistent until you decide to change them. Dynamic (short-lived) access points are supported for protocols such as RTP and FTP.
Multi User Support: Unsniff works with Windows user profiles. Multiple users on the same machine can configure Unsniff differently.
Benefits to Third Party Developers: The benefits of this architecture are available to all third party developers. Your plugins can be just as powerful as any written by Unleash Networks.
Unicode: The entire Unsniff system is fully Unicode. This means that a Japanese client/server application can continue to define fields with Japanese names and help text. A beta Japanese language version of Unsniff is available (the strings have not been verified by a professional). Unicode applications also run much faster on Windows 2000, XP, and 2003 platforms.
Multiple Captures: You can have multiple captures running simultaneously. They can capture from different network interfaces or from the same one.
Multiple Protocol Handlers: You can install multiple protocol handlers for the same protocol. You can then select which one of the handlers is the "active" handler.
An example: you find the supplied TELNET handler inadequate. You can either write or buy an enhanced TELNET handler, then activate the new handler from within Unsniff. Voila! You have replaced the handler supplied by Unleash Networks.



User Interface

The Visual Breakout

We believe Unsniff is about to change the way packets are visualized. The visual breakout displays the contents of the packet inside a frame. Each frame can be collapsed. Bit fields are displayed in a separate mini frame. The classic tree + hex dump is now the network analyst's second best friend.
Some key features:
  • Fully customizable
  • Supports labels (shown on either side of the breakout)
  • Records can be marked by color or hue adjustment
  • Can display complex bitfields in a mini-breakout
  • Intelligent layout algorithm optimized for this purpose
  • Frames can be offset relative to the previous layer
  • Large fields can be shown compressed
  • 2, 4, 8, or 16 bytes per row
  • Zoom in, zoom out, fit to page, and normal sizes available
  • Field level bubble help
  • Prints as it is displayed
Enhanced Tree View: For many protocols, the tree view is very important. Most protocol analyzers today feature a simple tree view with field names and values. The values are typically separated from the name by a colon or a hyphen. Unsniff raises the bar higher. The Unsniff tree view:
  • Uses a highly readable variable-width font
  • Uses a hybrid tree-list display
  • Separates field names completely from values
  • Identifies each protocol layer by an icon
  • Offers multiple options for the display of bit fields
  • Offers enhanced options for displaying records
  • Is linked to the raw view by highlighting the corresponding bytes
Flexible layout: You can adjust the screen layout to be stacked or side-by-side.
Docking options: You can undock the details view (visual, tree, raw) from the indexes. This is a useful arrangement for a two-monitor setup.
Sheets: Unsniff uses sheets to present various views of captured data. The default sheets are:
  • Packets Sheet
  • Packet Details Sheet (for viewing important fields for a protocol)
  • PDU Sheet
  • Streams Sheet
  • Statistics Sheet
  • User Objects Sheet
Unsniff allows you to create your own sheets. To do this you must write an ActiveX control using ATL/COM; it is fairly straightforward. The Unsniff Developers API Pack has three sample custom sheets.
Stream Display: Unsniff is the first network analyzer to monitor streams. Currently the only type of stream is a TCP session. All TCP sessions are shown in the Streams sheet in real time. You can see the state changes as they happen. Each stream can be expanded to reveal an inner list of the segments that constitute the stream. Unsniff also displays raw stream data, showing each direction in a different color.
User Objects Display: User objects are entities that might be of interest to the user. The User Objects sheet features a panel that is used to render the user objects inline (if applicable). Images, HTML, Flash, and media are all shown in this area. You can also undock this panel if you want to see multiple user objects at the same time.
Coloring: Unsniff uses coloring to mark protocol layers in the packet view. Each protocol is asked for its preferred color.
Script Output Console: If you are writing a script activated within Unsniff using a language like VBScript, you have very limited output options. To address the gap, Unsniff supplies a console that can display formatted text.



Analysis

PDU analysis: Is your current network analyzer showing you only link-layer packets? Does your network analyzer choke when PDUs do not start or end exactly at packet boundaries? Many protocols run on a stream layer such as TCP. These protocols define arbitrary message sizes that are totally independent of the link-layer MTU (maximum size of a packet). Unsniff shows all PDUs in real time, just like it shows link-layer packets. Once you have seen the power of PDU analysis, you will look at network analysis from a whole new perspective.
Stream analysis: Unsniff is the first (and to date the only) network analyzer that can monitor streams in real time. Streams are treated as first-class entities to be monitored just like packets and PDUs.
  • All TCP streams tracked and stored in real time
  • TCP States updated in real time
  • Find out what is happening on any stream in real time
  • Advanced reassembly built-in
  • View stream data color coded by direction
  • Save reassembled data (either direction)
  • TCP analysis
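The PDU and stream analysis described above, as an added stand-alone Ruby example (not Unsniff's own code or its scripting API): one direction of a TCP stream is reassembled from constructed segments that arrive out of order and include a retransmission, and then length-prefixed PDUs are carved out even where they straddle segment boundaries. The 2-byte big-endian length framing and the sample segments are assumptions made for this example.

```ruby
# Added example (not Unsniff code): reassemble one direction of a TCP stream
# from segments that may arrive out of order or be retransmitted, then carve
# length-prefixed PDUs that do not line up with segment boundaries.
#
# Constructed framing for the PDUs: a 2-byte big-endian length followed by
# that many payload bytes. Real application protocols vary; this is a stand-in.

# Constructed sample: the byte stream "\x00\x05HELLO\x00\x07WORLD!!" (two PDUs)
# split across three segments delivered out of order, one of them twice,
# followed by the first bytes of a PDU whose body has not fully arrived.
SAMPLE_SEGMENTS = [
  { seq: 1013, data: "LD!!".b },
  { seq: 1001, data: "\x00\x05HELL".b },
  { seq: 1007, data: "O\x00\x07WOR".b },
  { seq: 1001, data: "\x00\x05HELL".b },   # retransmission of the first segment
  { seq: 1017, data: "\x00\x03ab".b },     # header says 3 bytes, only 2 present so far
]

# Reassemble one direction. Segments are {seq:, data:}; returns the contiguous
# byte stream starting at first_seq (the first data byte after the SYN),
# stopping at the first hole rather than inventing bytes to fill it.
def reassemble(segments, first_seq)
  by_seq = {}
  segments.each do |seg|
    existing = by_seq[seg[:seq]]
    # for a duplicate sequence number keep the longest copy
    by_seq[seg[:seq]] = seg[:data] if existing.nil? || existing.bytesize < seg[:data].bytesize
  end
  stream = String.new(encoding: Encoding::BINARY)
  expected = first_seq
  by_seq.keys.sort.each do |seq|
    data = by_seq[seq]
    next if seq + data.bytesize <= expected   # already covered (overlap / retransmit)
    break if seq > expected                  # hole: cannot continue without the missing bytes
    skip = expected - seq                    # drop the part that overlaps what we already have
    stream << data.byteslice(skip, data.bytesize - skip)
    expected = seq + data.bytesize
  end
  stream
end

# Carve PDUs out of the reassembled stream. Returns [pdus, leftover]; leftover
# is an incomplete trailing PDU that must wait for more data, which is exactly
# the case where PDU boundaries and segment boundaries disagree.
def carve_pdus(stream)
  pdus = []
  off = 0
  while stream.bytesize - off >= 2
    len = stream.byteslice(off, 2).unpack1("n")
    break if stream.bytesize - off - 2 < len   # header seen, body not complete yet
    pdus << stream.byteslice(off + 2, len)
    off += 2 + len
  end
  [pdus, stream.byteslice(off, stream.bytesize - off)]
end

def demo
  carve_pdus(reassemble(SAMPLE_SEGMENTS, 1001))
end

if __FILE__ == $PROGRAM_NAME
  pdus, rest = demo
  puts "PDUs: #{pdus.inspect}, waiting for more data: #{rest.inspect}"
end
```

Stopping at the first hole is deliberate: reassembling past a gap would hand the PDU layer bytes that were never on the wire, so the leftover is reported as pending instead.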
Ladder diagram: Once you have identified a stream you want to probe into, you can open a TCP ladder diagram. This diagram has a unique feature: it tries to show TCP segments while maintaining a realistic time scale.
  • Advanced layout shows segments on a time scale
  • Round trip time calculation based on initial 3-way handshake
  • Long periods of silence are suppressed in a unique way
  • TCP analysis (retransmissions, out of order early, out of order late, zero window, duplicate ACKs, and more) is marked inline
  • Advanced printing and print preview (can print multiple pages)
Packet analysis: Unsniff features several advanced capabilities in packet analysis.
  • Unlimited packet description length
  • Supports custom name resolvers
  • Works with third party protocol plugins (XML and C++)
  • Each packet presented to user as protocol layers
  • Supports tunneling (for example, MAC in MAC) up to 4 levels
Defragment, Decompress, Decrypt: This is a facility provided by the packet analysis function. Various plugins have taken advantage of it: PPP (Van Jacobson) decompression, IP defragmentation, and SSLv3/TLS (application data) decryption. The resulting packets are called synthetic packets because Unsniff has manipulated them. These packets are then fed back into the analysis process. Synthetic packets are specially marked by Unsniff for instant recognition.
Protocol Detail: One of the biggest problems with existing network analyzers is that the information shown in the packet list is mostly insufficient. If you are a wireless administrator, you want to see the BSSID column; if you are a web admin, you would like to see the HTTP Error, Server Type, and Client Type columns. Unsniff is the first and only network analyzer that can make all of them happy. The protocol details view shows all standard fields plus the important fields from the selected protocol for all packets.
User Object Analysis: User objects are the highest-level entities monitored by Unsniff. They are user-defined objects of interest. Unsniff can monitor images, Flash, multimedia, RTP audio streams in either direction, and files transferred.
  • Monitor several types of objects of interest
  • Bulk save multiple objects to directory
  • Automatically assigns meaningful filenames in most cases
  • Supports inline rendering of images, HTML
  • Supports one-click playback of RTP audio channels



Filtering

Searching: Several advanced search features:
  • Plain text and hex search in payload data
  • Matched pattern automatically highlighted in raw view
  • Find-Next will continue where it left off, even if it is in the middle of a packet
  • Match Word and Case Insensitive options
Filtering: Unsniff features unbeatable filtering facilities:
  • Capture filter (only available with BPF-enabled providers)
  • Display filter
Capture Filter: A capture filter is a powerful tool for monitoring busy networks. Yet current generation tools scare you away with the impossible-to-remember syntax of the BPF capture filter. Unsniff features the first easy-to-use capture filter wizard: you can create very complex, syntactically correct capture filters in seconds.
  • The Wizard allows experts to directly enter BPF expressions
  • For the rest of us: the wizard allows you to filter by hosts, gateways, subnet, protocols, ports, or broadcast options
  • A port selector shows IANA standard port numbers to make it easy to specify a port
  • You can test a filter on the spot for correctness
  • The filters created are stored in a database for future use
  • One-click selection of capture filters while capturing
Display Filter: A display filter really helps you get unwanted packets out of the way while analyzing a capture file. Most network analyzers today either do not have a similar mechanism or it is extremely tedious to use. Unsniff makes it child's play to create display filters, thanks to the display filter wizard.
  • Step 1: select the protocols from a list
  • Step 2: set the values for the fields
  • You do not have to remember any field names, all filterable fields are automatically shown to you
  • Enumerated fields are shown using a drop down combo box. You can check which values you want to see
  • You can AND / OR expressions
  • Complex numeric expressions can be used (e.g., "TCP Port" >= 10000 && < 11000 || in {1,2,4}) to match ports 1, 2, 4 and all ports between 10K and 11K
  • Full regular expressions can be matched for string fields (e.g., "HTTP Server Name" "*ap??he*mod*") to match Apache servers
  • The filters created are stored in a database for future use and sharing
  • One-click application of display filters
  • Display Filter Invert function allows you to apply an inverse filter
Markers: If you want to color your captured packets using many display filters, you can use markers. A marker consists of a number of display filters with a coloring rule for each filter. You can run a marker in parallel with an active capture. The marking process runs at a low priority and will not interfere with the packet capture process.
Script Filters: Unleash Networks recognizes the need for stateful filtering. A simple example is: "Show me all the TCP segments where the sequence number did not increase relative to the previous segment."
If you want to perform such stateful filtering, Unsniff offers the scripting interface. You can perform any type of filtering you want, limited only by your imagination.
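The stateful filter quoted above, together with the handshake round-trip time that the ladder diagram in the Analysis section is built on, as an added example in plain Ruby over constructed segment records. This is example code, not the Unsniff scripting API (whose object model this page does not show); the Segment struct, the flag strings and the sample flow are assumptions made for the example.

```ruby
# Added example (not the Unsniff scripting API): two stateful checks over a
# list of TCP segment records, which a script filter would run instead of a
# stateless field match.
Segment = Struct.new(:no, :ts_ms, :src, :dst, :flags, :seq, :len)

# Constructed sample: one client/server flow, timestamps in milliseconds.
SAMPLE = [
  Segment.new(1,   0, "10.0.0.5:51000", "10.0.0.9:80",    "S",  999,  0),
  Segment.new(2,  42, "10.0.0.9:80",    "10.0.0.5:51000", "SA", 4999, 0),
  Segment.new(3,  43, "10.0.0.5:51000", "10.0.0.9:80",    "A",  1000, 0),
  Segment.new(4,  50, "10.0.0.5:51000", "10.0.0.9:80",    "PA", 1000, 100),
  Segment.new(5,  60, "10.0.0.9:80",    "10.0.0.5:51000", "A",  5000, 0),
  Segment.new(6, 100, "10.0.0.5:51000", "10.0.0.9:80",    "PA", 1100, 100),
  Segment.new(7, 300, "10.0.0.5:51000", "10.0.0.9:80",    "PA", 1100, 100), # retransmission
  Segment.new(8, 310, "10.0.0.5:51000", "10.0.0.9:80",    "PA", 1300, 100),
  Segment.new(9, 312, "10.0.0.5:51000", "10.0.0.9:80",    "PA", 1200, 100), # arrived late
]

def flow_key(s)
  "#{s.src}->#{s.dst}"
end

# Round-trip time from the three-way handshake. The SYN -> SYN/ACK gap is the
# RTT as the client sees it; the SYN/ACK -> ACK gap is the RTT as the server
# sees it. Returns nil when the capture does not contain the full handshake.
def handshake_rtt(segments)
  syn = segments.find { |s| s.flags == "S" }
  return nil unless syn
  synack = segments.find do |s|
    s.flags == "SA" && s.src == syn.dst && s.dst == syn.src && s.ts_ms >= syn.ts_ms
  end
  return nil unless synack
  ack = segments.find do |s|
    s.flags == "A" && s.src == syn.src && s.dst == syn.dst && s.ts_ms >= synack.ts_ms
  end
  return nil unless ack
  { client_side_ms: synack.ts_ms - syn.ts_ms, server_side_ms: ack.ts_ms - synack.ts_ms }
end

# Stateful filter: "show me all TCP segments where the sequence number did not
# increase relative to the previous segment". The state is the highest
# sequence number seen so far per direction of each flow. Pure ACKs carry no
# data and legitimately repeat the sequence number, so only data-bearing
# segments take part; what remains are retransmissions and late arrivals.
def non_advancing_segments(segments)
  highest = {}
  hits = []
  segments.each do |s|
    next if s.len.zero?
    key = flow_key(s)
    prev = highest[key]
    if prev && s.seq <= prev
      hits << s.no
    else
      highest[key] = s.seq
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  puts "handshake RTT: #{handshake_rtt(SAMPLE).inspect}"
  puts "non-advancing segments: #{non_advancing_segments(SAMPLE).inspect}"
end
```

The filter keys state on the direction of the flow, not just the connection, because each direction has its own sequence space; keying on the connection alone would compare client and server sequence numbers against each other and flag nearly everything.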



Statistics

Protocol distribution: Unsniff displays real-time protocol hierarchy statistics. You can expand each protocol to see statistics for sub-protocols.
Top-N Conversations: Unsniff keeps track of conversations between end stations in real time. The Top-N chart features:
  • Current Top-N (which conversations are top at this moment)
  • Historical Top-N (top conversations over the course of the capture)
  • Ethernet, IPv4, and IPv6 conversations are supported
  • Relative traffic is shown in an integrated bar chart
Traffic: A unique LCD panel shows the current traffic usage on the system:
  • Monitor stop conditions, number of packets captured, file size
  • Monitor Unsniff internal buffer state and performance



Scripting

Languages: Unsniff supports the excellent Ruby scripting language. Ruby combines the power of scripting with ease of maintenance. You can even write GUI applications using FXRuby (in the Ruby gems package). Unleash Networks supplies a number of sample Ruby scripts in the DevZone.

  • You can also use VBScript, JScript, PerlScript or any scripting language that supports the Windows OLE Scripting technology
  • Unleash Networks provides several VBScript samples in addition to Ruby
Powerful script capabilities: The Unsniff scripting interface features some really powerful methods. You can work directly with PDUs, streams, and user objects. Some examples are: "Save all images greater than 70K to a directory", "Create a new capture file with only TCP streams with more than 20 segments". The possibilities are endless.
DevZone: Unleash Networks has created the "Unsniff DevZone" for sharing network analysis information. It will be constantly updated with many network analysis scripts written by professionals. We urge you to participate in this process.
Script inside Unsniff: Unsniff also supports scripting from within the user interface. This provides a highly interactive environment. Some features:
  • You can attach custom scripts to many popup menus
  • You can access the current selection context for packets, PDUs, user objects, and streams
  • You can output your results graphically (if using Ruby with FXRuby)
An example: a script that prints out, in a readable form, the X.509 certificate used in a selected TLS connection.
Script Console: Unsniff also provides a rich console component. This supports multiple font sizes, styles, colors, and highlights. You can create great reports even with a scripting language like VBScript.
High speed: You can use scripting to scan through large capture files at high speed. Both the Unsniff capture file and the scripting components are designed for optimum performance.



Unsniff Developers API

New Protocols: Unsniff allows you to write "full-featured" custom protocols. You can write your protocols in C++ or XML or a combination of both, depending on the level of complexity involved in your protocol.
  • You can write a pure XML protocol handler. The XML specification is full-featured and can handle even the most complex beasts.
  • You can write a pure C++ protocol handler if your protocol is highly stateful or you have other complex requirements.
  • A combination of C++ and XML. You can define your fields in XML (the most tedious and verbose part of the whole process) and then access these fields from C++.
Visual Studio Wizards: Unsniff provides two Visual Studio wizards to make your job really easy if you are writing a C++ plugin:
  • A custom AppWizard for generating the DLL Server
  • A custom ATL COM Object Wizard for generating the actual plugin
The wizards place extensive comments in the generated code, which is ready to be compiled. You are not expected to be an expert on ATL/COM or C++.
Within Minutes: You can usually write protocol plugins in a matter of minutes. Whether you choose the XML route or the C++ route, your protocol handler will take only a fraction of your time compared to other options.
Security: Using the Unsniff Developers API, you have instant access to many security features. Unsniff provides a stack-frame model and automatically traps any illegal overruns due to incorrect lengths. Other security features:
  • Trap infinite loops due to bad packet data
  • Trap memory underrun or overrun
  • Trap bad alignment
  • Over 40 more error conditions are trapped
Developers API Pack: The Unsniff Developers API pack consists of:
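The kind of defect the stack-frame model traps, as an added example that is not the Unsniff API itself: a minimal bounds-checked reader in Ruby. Every protocol layer gets a frame limited to its own byte range, so a length field that lies about the buffer raises an error instead of reading past it, a record whose length cannot cover its own header is rejected instead of spinning the decoder forever, and a multi-byte read at an odd offset is reported as bad alignment. The message layout, the DissectError class and the sample messages are assumptions made for this example.

```ruby
# Added example (not the Unsniff Developers API): a bounds-checked reader in
# the spirit of a stack-frame model, parsing a constructed message layout:
#   header:  version u8, count u8, total_len u16 (on a 2-byte boundary)
#   body:    `count` records, each len u8 (counts itself), type u8, value
class DissectError < StandardError; end

class Frame
  attr_reader :pos

  def initialize(buf, base = 0, limit = buf.bytesize)
    raise DissectError, "frame outside buffer" if base < 0 || limit > buf.bytesize || base > limit
    @buf, @base, @limit, @pos = buf, base, limit, base
  end

  def remaining
    @limit - @pos
  end

  # Read n bytes; trap overrun (a length larger than what is left in this frame).
  def take(n)
    raise DissectError, "overrun: need #{n}, have #{remaining}" if n < 0 || n > remaining
    out = @buf.byteslice(@pos, n)
    @pos += n
    out
  end

  def peek_u8
    raise DissectError, "overrun: need 1, have 0" if remaining < 1
    @buf.getbyte(@pos)
  end

  def u8;  take(1).unpack1("C"); end
  def u16; take(2).unpack1("n"); end

  # Trap bad alignment before a multi-byte read; returns self for chaining.
  def aligned(n)
    off = @pos - @base
    raise DissectError, "bad alignment: offset #{off} not a multiple of #{n}" unless (off % n).zero?
    self
  end

  # Sub-frame for a nested layer; it can never extend past the parent frame.
  def sub(len)
    raise DissectError, "overrun: nested length #{len} exceeds #{remaining}" if len > remaining
    child = Frame.new(@buf, @pos, @pos + len)
    @pos += len
    child
  end
end

def parse_message(bytes)
  f = Frame.new(bytes)
  version = f.u8
  count   = f.u8
  total   = f.aligned(2).u16
  body    = f.sub(total)          # trapped here if total_len overstates the buffer
  records = []
  count.times do                  # a count beyond the body ends in an overrun trap, not a crash
    len = body.peek_u8
    # A record shorter than its own 2-byte header would never advance `pos`;
    # a decoder that trusted it would loop forever on this input.
    raise DissectError, "record length #{len} cannot cover its own header" if len < 2
    rec = body.sub(len)
    rec.u8                        # the length byte itself
    type = rec.u8
    records << [type, rec.take(rec.remaining)]
  end
  { version: version, records: records }
end

# Dissect and turn a trap into a result the caller can display or log.
def dissect(bytes)
  parse_message(bytes)
rescue DissectError => e
  { error: e.message }
end

# Constructed sample messages.
GOOD_MSG     = ("\x01\x02\x00\x08" + "\x04\x0A" + "ab" + "\x04\x0B" + "cd").b
OVERRUN_MSG  = ("\x01\x01\x00\x20" + "\x04\x0A" + "ab").b   # total_len 32, only 4 bytes follow
ZERO_LEN_MSG = ("\x01\x01\x00\x04" + "\x00\x0A" + "ab").b   # record length 0
BAD_REC_MSG  = ("\x01\x01\x00\x04" + "\x09\x0A" + "ab").b   # record length 9 in a 4-byte body

if __FILE__ == $PROGRAM_NAME
  [GOOD_MSG, OVERRUN_MSG, ZERO_LEN_MSG, BAD_REC_MSG].each { |m| p dissect(m) }
end
```

Each nested layer only ever sees its own sub-frame, so a bad length in one record cannot let the decoder read another record's bytes, and every trap carries the offset information needed to report which field was at fault.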
  • A comprehensive Developers Guide (PDF)
  • Required libraries and header files
  • Samples of all types of plugins
  • API Documentation
DevZone / Support: The Unleash Networks DevZone contains information and tips for developers. Registered users can ask any development related questions in the support forum.
Custom Sheets: If you are really ambitious, you can even build complete custom applications on top of Unsniff. These will appear as a separate sheet in the capture window.
Other plugins: Unsniff allows you to extend its capabilities by writing the following types of plugins:
  • Custom name resolvers (e.g., SNMP OID -> name)
  • Custom UI Elements (Dialogs, Menu Items, Toolbars)
  • Eavesdroppers (allows a plugin to peek at real time raw capture data)
  • Custom User Objects and Renderers
  • Custom Sheets (a full blown ActiveX control that appears as a sheet)