- Windows 95/98/NT traffic monitors
(free), uses WINDUMP [use -i name according to what's shown in winipcfg
or listed as *.sys in windows/system; modem card is PPPMAC; ELPC3R is
3Com PC card; WVLAN41 is WaveLAN card; windump -D lists devices]
- LANMON from Precision Guesswork
- netmon (Part of Windows NT server; rumored to be similar in
functionality to tcpdump.)
- "Ethereal is a network protocol analyzer for Unix and Windows. It
allows you to examine data from a live network or from a capture file on
disk. You can interactively browse the capture data, viewing summary
and detail information for each packet. Ethereal has several powerful
features, including a rich display filter language and the ability to
view the ASCII contents of a TCP connection."
- "EtherApe is a graphical network monitor for Unix modeled after
etherman. Featuring link layer, ip and TCP modes, it displays network
activity graphically. Hosts and links change in size with traffic.
Color coded protocols display. It supports Ethernet, FDDI, Token Ring,
ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can
read traffic from a file as well as live from the network." (For Linux
- ntop shows network statistics such as source and destination
distribution via an embedded web server.
- NetFlow Monitor
- NetFlow Monitor (NF) is a tool for processing and evaluating NetFlow
Exports from Cisco routers, now commercialized by Caligare.
- "Scapy is a powerful interactive packet manipulation program. It is
able to forge or decode packets of a wide number of protocols, send them
on the wire, capture them, match requests and replies, and much more. It
can easily handle most classical tasks like scanning, tracerouting,
probing, unit tests, attacks or network discovery (it can replace hping,
85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
It also performs very well at a lot of other specific tasks that most
other tools can't handle, like sending invalid frames, injecting your
own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning,
VOIP decoding on WEP encrypted channel, ...), etc."
- "NIM software is a tool for processing and evaluating network
traffic, using network packet export statistics from the router. It is
also a user-friendly application used for network diagnostics."
- cflowd is a flow analysis tool currently used for analyzing Cisco's
NetFlow enabled switching method. The current release (described below)
includes the collections, storage, and basic analysis modules for cflowd
and for arts++ libraries. This analysis package permits data collection
and analysis by ISPs and network engineers in support of capacity
planning, trends analysis, and characterization of workloads in a
network service provider environment. Other areas where cflowd may
prove useful include usage tracking for Web hosting, accounting and
billing, network planning and analysis, network monitoring, developing
user profiles, data warehousing and mining, as well as security-related
- "STAB is a new active probing tool for locating thin links on a
network path. A thin link is a link with less available bandwidth than
all links preceding it on the path. The last thin link on the path is
the link with the minimum available bandwidth or tight link. STAB
combines the concept of 'self-induced congestion', the probing technique
of 'packet tailgating', and special probing trains called 'chirps' to
efficiently locate the thin links."
- FlowScan is a network analysis and reporting tool. It processes IP
flows recorded in cflowd-format raw flow files and reports on
what it finds.
Factory security tools
- router config check, network scanner, IP stack integrity checker,
portable IP stack, GNU grep for the network, next-generation traceroute,
- "dsniff is a collection of tools for network auditing and
penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf,
and webspy passively monitor a network for interesting data (passwords,
e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the
interception of network traffic normally unavailable to an attacker
(e.g., due to layer-2 switching). sshmitm and webmitm implement active
monkey-in-the-middle attacks against redirected SSH and HTTPS sessions
by exploiting weak bindings in ad-hoc PKI."
- Robostats is a program for computing so-called robust statistics (in
particular, order statistics) on a set of data, such as the median, the
interquartile range (IQR), the 10th percentile, the 90th percentile. It
uses a novel algorithm which allows it to scale in the number of values
in the data set without using overly excessive amounts of memory (it
uses O(log N) memory). These order statistics are useful when looking
at measurements from the Internet. Included in the distribution is a
programmatic library, as well as a small tutorial.
- MGEN provides programs for sourcing and sinking real-time
multicast/unicast UDP/IP traffic flows with optional support for RSVP
operation with ISI's rsvpd. The MGEN tools transmit and
receive (and log) time-stamped, sequence numbered packets. Post-test
analyses of the log files can be performed to assess network or network
component ability to support the given traffic load in terms of packet
loss, delay, delay jitter, etc. Transmitted traffic patterns, receiver
group joins/leaves, and RSVP operations can be dynamically controlled
via a simple script file format.
- Dumps selected packets, possibly parsed, to file or display. Windows
version, ASCII output
- TCP statistic and analysis tool which allows collecting network
performance metrics from passive traffic analysis. In particular, Tstat
allows deriving measurements at both the network (IP) layer and the
transport (TCP/UDP/RTP/RTCP) layer. It can be used to monitor a link,
thanks to its integration with an RRD database.
- "ngrep strives to provide most of GNU grep's common features,
applying them to the network layer. ngrep is a pcap-aware tool that
will allow you to specify extended regular or hexadecimal expressions to
match against data payloads of packets. It currently recognizes TCP,
UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null
interfaces, and understands bpf filter logic in the same fashion as more
common packet sniffing tools, such as tcpdump and snoop."
- IPgrab is a verbose packet sniffer for UNIX hosts.
- Actively measures network performance.
- New version of ttcp, with enhancements.
- Measures TCP and UDP throughput.
- "FREEping is a free ping software utility which will ping all your
2003-XP-2000-NT servers (or any other IP address) in free-definable
intervals. FREEping will send you a popup when one of the
2003-XP-2000-NT servers stops responding. Take a look at the FREEping
overview window to view all important statistics."
- "TPing stands for TCP Ping or Turbo Ping. TPing is similar to the
ping tool, with two differences. First, TPing uses a TCP technique to
figure out the round-trip time (RTT) to target hosts. Second, TPing can
ping more than one host at a time. The target hosts can be specified on
the command line or can be given as a list in a file. TPing sends a probe to a
target host and moves to the next one in the list in a round-robin
fashion. If a target replies, it will be removed from the list (unless
you specify a number of probes for each target)."
- "HTPing stands for Hurricane TCP Ping. Unlike tping, this tool
directs probe packets to a single target, but with fine inter-probe
intervals (on the order of milliseconds). This tool uses the TCP
technique in measuring the RTT to a target host. So, you don't need any
super-user privileges to run this tool."
- "RTTometer is a measurement tool to estimate path minimum RTT along
with a measure of path condition. Similar to traditional ping(8), it
sends a set of probes and reports the RTT experienced by each probe.
Moreover, RTTometer makes use of all information gathered about the path
revealed in all probes to estimate path condition. It associates a
confidence measure with the captured minimum RTT."
- The sentinel project is an implementation of effective remote
promiscuous detection techniques. For portability purposes, the
sentinel application uses the libpcap and libnet libraries.
- mtr combines the functionality of the 'traceroute' and 'ping'
programs in a single network diagnostic tool. As mtr starts, it
investigates the network connection between the host mtr runs on and a
user-specified destination host. After it determines the address of
each network hop between the machines, it sends a sequence of ICMP ECHO
requests to each one to determine the quality of the link to each
machine. As it does this, it prints running statistics about each
- VisualRoute is a visual, fast, and integrated ping, whois, and
traceroute program that automatically analyzes connectivity problems,
displaying the results on a world map.
- "NeoTrace Pro by NeoWorx, Inc. delivers a powerful tool for checking
information on Internet sites. You can trace any computer on the
internet simply by entering an email, IP address or URL. The display
shows you the route between you and the remote site including all
intermediate nodes and their registrant information."
- VisualPulse is a server-based ping engine and reporting tool
designed for network administrators, web-hosting companies, Applications
Service Providers (ASPs), and Internet Service Providers (ISPs) who need
a fast, visual way to see how their service offering is running, and
where problems occur.
- Portqry.exe is a command-line utility that you can use to help
troubleshoot TCP/IP connectivity issues. Portqry.exe runs on Windows
2000-based computers, on Windows XP-based computers, and on Windows
Server 2003-based computers. The utility reports the port status of TCP
and UDP ports on a computer that you select.
- Summary of traceroute tools, including traceroute.org, a set of servers
for doing traceroute from various places.
- Distributed set of traceroute monitors.
- "tcptraceroute is a traceroute implementation using TCP packets.
The more traditional traceroute(8) sends out either UDP or ICMP ECHO
packets with a TTL of one, and increments the TTL until the destination
has been reached. By printing the gateways that generate ICMP time
exceeded messages along the way, it is able to determine the path
packets are taking to reach the destination."
- Treno (Traceroute RENO) is a network testing tool designed to test
network performance under load similar to that of TCP, the most commonly
used Transport Protocol in the Internet today.
- pchar is a reimplementation of Van Jacobson's pathchar utility for
characterizing the individual hops of a path between two network hosts.
pchar works on both IPv4 and IPv6 networks.
- Initial Gap Increasing
- IGI is an available bandwidth measurement tool using active probing,
which can be used to measure the available bandwidth between two end
points on the Internet.
- sting, a new end-to-end loss measurement tool. Sting is unique
because it can estimate "one-way" loss rates through careful
manipulation and observation of TCP behavior. In addition, using TCP
allows it to leverage the existing Internet infrastructure -- any TCP
server can be used as a de facto measurement service -- and it avoids
increasing problems with ICMP-based network measurement (blocking,
spoofing, rate limiting).
- emulates packet loss
- Empirix PacketSphere
packet loss and delay
- RTP reflector that emulates loss, jitter and packet duplication.
- "The NIST Network Emulation Tool (NIST Net) is a general-purpose
tool for emulating performance dynamics in IP networks. The tool is
designed to allow controlled, reproducible experiments with network
performance sensitive/adaptive applications and control protocols in a
simple laboratory setting. By operating at the IP level, NIST Net can
emulate the critical end-to-end performance characteristics imposed by
various wide area network situations (e.g., congestion loss) or by
various underlying subnetwork technologies (e.g., asymmetric bandwidth
situations of xDSL and cable modems)." Runs on Linux 2.2 kernels.
- WANDS stands for Wide-Area Network Delay Simulator. The WANDS tools
allow document designers to view their documents locally while
experiencing realistic network delays similar to those their users may
experience if they are across the hall, across the country, or across an
ocean. The WANDS tools work by collecting statistics about real network
delays, processing the data, and using the results to drive an
instrumented WWW server.
- "netem provides Network Emulation functionality for testing protocols
by emulating the properties of wide area networks. The current version
emulates variable delay, loss, duplication and re-ordering.
If you run a current 2.6 distribution, (Fedora, OpenSuse, Gentoo,
Debian, Mandriva, Ubuntu), then netem is already enabled in the kernel
and a current version of iproute2 is included."
- "dummynet is a flexible tool for bandwidth management and for
testing networking protocols. It is implemented in FreeBSD but is
easily portable to other protocol stacks. There is also a one-floppy
version of FreeBSD which includes dummynet and a lot of other goodies,
see below. dummynet works by intercepting packets on their way through
the protocol stack, and passing them through one or more pipes which
simulate the effects of bandwidth limitations, propagation delays,
bounded-size queues, packet losses, etc."
- Simulation software
- simulators, emulators, ...
- Emulab, the Utah Network
Testbed, contains 128 PCs that can be configured into a test network
- "The Harvard TCP/IP network simulator, based on a simulation
methodology proposed by S.Y. Wang and H.T. Kung at INFOCOM'99, uses
existing real-world BSD code (including the TCP/IP stack, application
programs, utilities and tools, etc.) to provide high-fidelity and
extensible TCP/IP network simulation."
- "Part of the laboratory contribution to GO-NII is to establish a
local testbed based on the BBN Long Links Emulator. This provides up to
five circuits of programmable delay and error characteristics that will
be used to emulate nationwide networks within a more controlled testing
environment, eliminating the need for long-haul communication lines in
the early stages of testing and development. The Long-Link Emulator
(LLE) is a stand-alone VME-based system that emulates two or more
unidirectional SONET-compatible OC-3 fiber-optic links. Both delay and
error characteristics of the link may be controlled. Delays of over 200
milliseconds (800 ms with optional memory upgrade) can be programmed in
increments of approximately one microsecond. Various error patterns and
rates can be selected."
- pkt is a TCL based protocol test tool. Packets are defined using
ASCII strings and written directly to a network interface.
- Network probe daemon (based on work by Vern Paxson)
- estimates bottleneck bandwidth through packet spacing
- teletraffic analysis software package
- IPMA tools
- provider-oriented measurement tools
Internet Technical Notes and Resources
by Henning Schulzrinne