Your devices talk with each other every day and a packet capture tool can tell you a lot about the content of those conversations.
Whether it’s malicious communications or non-essential applications consuming lots of bandwidth, or high latency, a packet sniffer can tell you.
Here is our list of the best packet capture tools:
- Paessler PRTG Network Monitor (FREE TRIAL) An infrastructure monitoring system with strong network supervision modules. Includes four packet capture sensors out of the box and users can also create customized packet sniffing methods. Start a 30-day free trial.
- Wireshark Open-source packet analyzer that can capture and filter packets.
- SolarWinds Network Performance Monitor Network monitoring tool with a packet analyzer, quality of experience (QoE) dashboard and custom alerts.
- ManageEngine NetFlow Analyzer NetFlow analyzer tool with reports and a threshold-based alerts system.
- Colasoft Capsa Network analyzer that supports over 1800 different protocols.
- Tcpdump Free command-line packet capture tool for UNIX that supports TCP, UDP, and ICMP.
- Kismet Wireless network detector, packet sniffer, and intrusion detection tool with 802.11 monitoring.
- Alluvio Packet Analyzer Plus Packet sniffing tool with customizable views, an alerts system, and reports.
What is Packet Capture?
Packet capture involves copying segments of network traffic. Traffic travels in packets that include a data payload and a header. Full packet capture takes the whole packet. If all of the packets passing over a network are captured, the resulting storage file can become very large very quickly.
As a lot of data in transit gets encrypted before it is sent, there is not much value in copying the data payload. In cases where the contents of the payload aren’t encrypted, the business’s management and users might not want IT department technicians to read that data in transit. Therefore, it is more usual to store just the packet headers. Another technique samples traffic by capturing only every nth packet rather than all of them.
For more information on this topic check out our comprehensive what is packet capture guide.
See Also: Best Packet Sniffers
The best packet capture tools
Our methodology for selecting a packet capture tool for your network
We reviewed the market for packet capture systems and analyzed the tools based on the following criteria:
- The ability to sample every nth packet
- The option to extract just the packet headers
- Filters for packet capture
- A packet viewer with data analysis tools
- The option to store packets to file
- A free trial or a free tool that enables the system to be tested without having to pay
- Good value for money from a tool that works well and is offered at a fair price or a free tool that is worth installing.
With these selection criteria in mind, we looked for reputable packet capture tools that include methods to reduce the amount of data that needs to be stored.
1. Paessler PRTG Network Monitor (FREE TRIAL)
Paessler PRTG Network Monitor is a network monitoring tool that has a packet sniffer/bandwidth monitoring function. For bandwidth monitoring, the software can monitor the availability, bandwidth usage, and upload/download speeds in real-time with SNMP and WMI.
Key Features:
- Diverse Monitoring Sensors: Equipped with a packet sniffer and bandwidth monitoring functions, alongside other sensors.
- Flexible Alert Options: Supports a wide range of alert mediums, including SMS, email, and integrations with platforms like Slack.
- Customizable Dashboard: Features a user-friendly, drag-and-drop editor for building custom views and reports.
Why do we recommend it?
Paessler PRTG Network Monitor is a package of many monitoring tools. Among the sensors in the bundle is a packet sniffer. This tool allows you to filter which packets should be captured. It will only collect packet headers and you can decide whether the system should store those headers or just calculate metrics about them.
There is a range of sensors you can use to monitor performance including the Packet Sniffer sensor. The Packet Sniffer sensor analyses IRC AIM, Citrix, FTP/P2P, Mail, WWW, RDP, SSH, Telnet, and VNC.
The sensor includes a break down of the Top Talkers, Top Connections, and Top Protocols. Each of these can be viewed as pie charts, making it easy to see how network resources are consumed between devices. Other statistics are broken down with charts and dials so that you can read them easily from a distance.
Configurable alerts let you know when network traffic usage is behaving unusually. The user can configure alerts to be sent by email, SMS, slack message, push notification, Syslog message, SNMP trap, and more. You can also use automated responses such as executing a program or HTTP action.
Who is it recommended for?
PRTG is a scaleable tool because you don’t have to activate all of the sensors in the bundle. So, you only have to pay for the monitors that you need. You also get a discovery feature that creates an asset inventory and a network topology map. If you only activate 100 sensors, the system is free.
Pros:
- Scalable Monitoring Solution: Adaptable to different business sizes, offering a free version for limited sensor use.
- Comprehensive Coverage: Monitors VoIP and other specific applications with dedicated sensors for detailed insights.
- Versatile Deployment: Compatible with various network technologies, making it hardware-agnostic.
Cons:
- Learning Curve: Requires time to learn and leverage its comprehensive features effectively.
PRTG Network Monitor is a good place to start if you want a packet capture tool that’s easy to use. The software is free for less than 100 sensors. Paid versions start at $1,600 (£1,211). You can download the 30-day free trial.
Paessler PRTG is a powerful packet capture tool because it provides four alternative methods for extracting packets from a network. The ability to create custom packet capture rules and apply different alert thresholds creates a great deal of flexibility, while the out-of-the-box sensors and alerts provide instant insights that are easy to set up.
Get a 30-day free trial: paessler.com/download/prtg-download
Operating System: Windows Server
2. Wireshark
Wireshark is a free open-source packet analyzer you can use to inspect network traffic in real-time. You can launch a scan and view the captured packet data on the screen in a table format. Once you’ve finished the scan you can press the stop button.
Key Features:
- Open-Source Platform: Widely respected and free packet analyzer with extensive community support.
- Advanced Filtering Language: Features a proprietary language for precise packet filtering and analysis.
Why do we recommend it?
Wireshark is a free packet capture tool and it is the first choice for network professionals because it is used extensively in network management courses. You can filter the packets that are captured to reduce the quantity of the data that you capture and then use the same query language to filter and search captured data.
To help you navigate you can use capture and display filters to cut down on the amount of traffic you see on screen. Once you’ve finished the scan you can export the results in plain text, XML, CSV, or PostScript.
Color coding also helps you to distinguish different types of traffic. Different traffic types are shown in different colors. For example, TCP traffic is a different color to UDP traffic. You can change the color of different packet rights by creating your own color rules to customize the traffic colors.
Who is it recommended for?
On the face of it, Wireshark makes packet examination easy because it shows all packets in color-coded records. However, the query language of Wireshark is complicated and takes time to learn, so it isn’t for casual use because it has a steep learning curve. Once you master the language, you will use Wireshark a lot.
Pros:
- Strong Community Support: Benefits from a large, active community for continuous development and support.
- Integrated Packet Collection and Analysis: Combines capture and analysis functionalities in one platform.
Cons:
- Complex Interface: Presents a steep learning curve, particularly for users not familiar with network analysis.
Wireshark is worth a look if you’re looking for a free traffic analyzer that’s accessible. The GUI and filter system make the tool hassle-free to use. The software is available for Windows, Linux, Mac OS, Solaris, FreeBSD, NetBSD, and more. You can download the program for free.
3. SolarWinds Network Performance Monitor
SolarWinds Network Performance Monitor is a network monitoring platform with a network packet analyzer that can capture data from over 1,200 applications out-of-the-box. With SolarWinds Network Performance Monitor you can measure packet transfer in real-time through the Quality of Experience (QoE) dashboard.
Key Features:
- Comprehensive Packet Analysis: Captures and analyzes network traffic from over 1,200 applications.
- Quality of Experience Dashboard: Visualizes real-time packet transfer, enhancing network performance insights.
- Dynamic Baseline Alerting: Utilizes floating baseline analysis to minimize false positives and accurately track performance changes.
Why do we recommend it?
SolarWinds Network Performance Monitor is known for its device status checks that are implemented with the Simple Network Management Protocol. However, the tool also includes a packet analyzer, which gathers data about packets rather than storing them. Particularly, this service acts as a protocol analyzer.
Through the dashboard, you can view services with the top response times on a graph. You can also view traffic types as categories such as destination IP address, port usage, and application type.
Custom alerts allow you to determine when you receive a notification on packet status. You can opt to receive alerts via email or SMS. To avoid false positives, the platform uses dynamic baselines to detect genuine performance deviations without overwhelming you with fake alerts.
Who is it recommended for?
The SolarWinds system is a service that is designed to monitor large networks. The software package installs on Windows Server – there isn’t a cloud version. So, if you are more interested in a SaaS package or software that you can run on your cloud account, you will need to look elsewhere.
Pros:
- User-Friendly Interface: Offers an intuitive dashboard with customizable widgets, simplifying network management.
- Versatile Alerting System: Allows for customized alerts through various channels like SMS and email, ensuring prompt notifications.
- Robust Data Analysis: Focuses on protocol and traffic analysis, providing deep insights without storing packets.
Cons:
- Technical Complexity: Demands a certain level of expertise for full utilization, potentially challenging for beginners.
SolarWinds Network Performance Monitor is a formidable network analyzer that’s easy to navigate and configure. The price of the program starts at $2,995 (£2,268). You can download a 30-day free trial.
4. ManageEngine NetFlow Analyzer
ManageEngine NetFlow Analyzer is a NetFlow analysis tool that supports NetFlow, sFlow, IPFIX, Netstream, J-Flow, and AppFlow. The tool allows you to view network traffic in real-time with graphs. To help make sense of the data more easily you can measure bandwidth by user, device, or application to see which entities are consuming the most resources. The top consumers can be viewed as pie charts.
Key Features:
- Extensive Protocol Support: Includes NetFlow, sFlow, IPFIX, Netstream, J-Flow, and AppFlow for comprehensive analysis.
- Intuitive User Interface: Offers a clear, uncluttered interface suitable for high-volume network monitoring.
Why do we recommend it?
ManageEngine NetFlow Analyzer collects packet statistics from routers and switches by querying them with NetFlow, J-Flow, sFlow, IPFIX, Netstream, and AppFlow. The system also includes a NeFlow generator, which captures passing packets and generates its own NetFlow statistical data without storing the packets. The system will also scan packet headers for deep packet inspection.
Threshold-based alerts can be configured to notify you whenever traffic usage matches certain trigger conditions. Create alert profiles to determine when you receive alerts by email and SMS. Having notifications allows you to automatically be notified when your end-users experience performance issues.
To follow up on performance issues you can create reports. When creating reports you can select the report type, data points used, report options, time period, device, and more. Creating reports allows you to reflect back on network usage over time.
Who is it recommended for?
This package performs extensive traffic analysis, which can involve actually looking at each passing packet. However, it doesn’t store packets. It just generates packet statistics and then discards the actual packets. This software can be installed on Windows Server, Linux, and AWS.
Pros:
- Enterprise-Ready Features: Tailored for large organizations, offering SLA tracking and advanced monitoring capabilities.
- Cross-Platform Compatibility: Installs on multiple operating systems including Windows and Linux, enhancing flexibility.
Cons:
- Not Ideal for Small Networks: More suited for enterprise environments rather than small LANs or home users.
ManageEngine NetFlow Analyzer is an excellent packet capture tool, that’s suitable for SME’s and midsize organizations. It’s accessible with a straightforward user interface. ManageEngine NetFlow Analyzer is available on Windows and Linux. You can download a free trial.
5. Colasoft Capsa
Colasoft Capsa is a network analyzer for Windows that can monitor packets in real-time. The software supports over 1800 different protocols that you can monitor through the dashboard. On the dashboard, you can view network usage as visual components like graphs and charts. For example, you can view graphs on Top Application Protocols by Bytes or Top IP Total Traffic by Bytes.
Key Features:
- Advanced Protocol Analysis: Supports over 1800 protocols, enabling detailed network monitoring.
- Scheduled Packet Capture: Allows setting up regular packet capture schedules for continuous monitoring.
Why do we recommend it?
Colasoft Capsa is a packet capture and protocol analyzer tool that presents insightful graphs on traffic data. The system provides you with statistics on traffic by application and other factors such as source and destination. The system also includes an email scanner.
You can schedule packet capture scans to run at a specific time period, whether daily or weekly. Regular scans make sure that you don’t miss out on any evolving performance concerns. In the event that you do miss something, email and audio alerts keep you notified when a networking event needing your attention occurs.
Who is it recommended for?
This tool is quite expensive, so it is unlikely to appeal to small businesses. The most likely buyer of this tool will be a large department with a network security analyst on staff or a consultancy. Those not willing to pay should look at Capsa Free, which provides packet capture functions. This is an on-premises package that runs on Windows.
Pros:
- VoIP Traffic Specialization: Particularly adept at monitoring VoIP traffic, tracking key metrics efficiently.
- User-Friendly Interface: Simplifies network analysis with visual components like graphs and charts.
Cons:
- Outdated Interface: The visual design and user experience can feel clunky and less modern compared to competitors.
Colasoft Capsa is recommended for enterprises that want a competitively priced network analyzer for Windows. The software starts at $995 (£753). You can download the free trial version.
6. tcpdump
Tcpdump is an open-source packet analysis tool based in the command line and capture protocols including TCP, UDP, and ICMP. The tool is included by default with a number of different Linux distributions and can be used to capture packets and view packet contents on the screen.
Key Features:
- CLI-Based Analysis: Offers packet capture and analysis through a command-line interface for flexibility and automation.
- Extensive Protocol Support: Captures a wide range of protocols including TCP, UDP, and ICMP, suitable for diverse network environments.
- Advanced Filtering Options: Allows for detailed packet filtering, aiding in targeted analysis.
Why do we recommend it?
Tcpdump is a traffic analysis tool. It relies on libpcap to actually capture packets from the network and tcpdump processes them, applying filters and writing packets to files. Usually, whenever a system uses libpcap for packet capture on Linux, you can just substitute WinPcap to use the system on Windows instead. However, Tcpdump is only available for Linux.
Once you start scanning your network, the software will continue to generate results until you send it an interrupt signal or it reaches the packet limit you specified. The tool can report counts of packets captured, received by the filter, and dropped by kernel. You can also filter captured packets by source, destination, and protocol to help navigate.
Who is it recommended for?
Although it is highly respected, tcpdump is difficult to use because it doesn’t have a graphical user interface. Instead, people tend to use Wireshark. Like Wireshark this tool is free to use. One advantage that this tool has over the GUI-based Wireshark is that its commands can be integrated into task automation scripts.
Pros:
- Open-Source and Community-Backed: Continuously improved and supported by a dedicated community.
- Lightweight and Versatile: Efficient for use in various environments due to its command-line nature and small footprint.
- Free to Use: Offers a cost-effective solution for network packet analysis without license fees.
Cons:
- User-Friendly GUI Lacking: Not as accessible for beginners or those uncomfortable with command-line tools.
Tcpdump isn’t as modern as some of the other tools on this list but its packet monitoring capabilities still hold up. Tcpdump is available on Unix. There is also a version of the tool available for Windows called WinDump. You can download the program for free, and you get get a jump start on using it with our downloadable tcpdump cheat sheet.
7. Kismet
Kismet is a wireless network detector, packet-sniffing, and intrusion detection tool. Kismet supports 802.11 monitoring and can monitor network traffic without leaving behind any fingerprints. In addition, the tool can also discover hidden networks that don’t broadcast an SSID.
Key Features:
- Wireless Network Focus: Specializes in 802.11 monitoring, perfect for analyzing Wi-Fi networks.
- Intrusion Detection Capabilities: Offers tools for detecting unauthorized network access and hidden networks.
- Signal Mapping: Includes features for mapping wireless signal coverage, aiding in network optimization.
Why do we recommend it?
Kismet is a packet capture and analysis tool for wireless networks. This is a free tool and if you use Kali Linux, you have Kismet already. It is possible to collect data from several sensors around a building and send them over the network to a server for analysis.
The software has a substantial amount of documentation and an active user community behind it, providing newbies with enough information to learn more about the program. There is also a range of plugins that you can use to extend the core features. For example, the Kestrel plugin provides you with live mapping so you can view the location of devices in the network.
Who is it recommended for?
The tool can capture packets and analyze their headers. It is a more useful tool for intrusion detection than network monitoring. It is used by penetration testers and it can also be used by hackers to perform recon. This software is available for Windows, macOS, and Linux.
Pros:
- Versatile Wireless Analysis: Capable of scanning for Bluetooth and other wireless protocols beyond Wi-Fi.
- Extensible Through Plugins: Offers additional functionalities through a range of available plugins.
- Free and Open-Source: Provides a cost-free solution with strong community support.
Cons:
- Suited for Smaller Networks: May not be the best fit for large-scale enterprise networks.
Kismet is ideal for enterprises that want packet sniffing software with extra functions and a range of configuration options (although it isn’t the easiest tool to use!) Kismet is available on Linux, macOS, and Windows 10 (under the WSL framework). You can download the program for free.
8. Alluvio Packet Analyzer Plus
Alluvio Packet Analyzer Plus is a packet analysis tool that allows you to monitor network traffic. The user can draft-and-drop views onto virtual interfaces to monitor network traffic through graphs and charts. You can switch between views of bandwidth usage, talkers and conversations, user activity, and more.
Key Features:
- Graphical Filter Assembler: Simplifies the creation of complex filters for targeted traffic analysis.
- Customizable Alerts: Enables setting up of specific conditions for notifications to monitor network performance effectively.
Why do we recommend it?
Alluvio Packet Analyzer Plus is a packet analyzer that works on packet capture files or trace files that are generated by other applications. Analysis can be further enhanced by integrating the tool with Wireshark. This tool comes bundled with Alluvio AppResponse, which captures packets.
If you spot any problematic traffic then you can isolate it to take a closer look. However, if you don’t spot a problem you can rely on alerts. The alerts system allows you to set trigger conditions for notifications. Alerts can be configured for issues such as high bandwidth or round-trip time. You can also generate reports on network traffic in PDF, Word, and Excel formats.
Who is it recommended for?
Alluvio is a product line of network management, security analysis, and traffic monitoring tools from Riverbed Technology. So, if you are interested in these Riverbed products or if you already monitor your network with Alluvio, this package will attract you. Small businesses with no budget will probably be better off just using Wireshark for packet analysis.
Pros:
- Intuitive Interface Design: Offers an easy-to-navigate interface, ideal for quick glance-over of network traffic.
- Wireshark Integration: Enhances packet analysis capabilities by integrating with the widely-used Wireshark tool.
Cons:
- Integration Limitations: Could benefit from more third-party integration options for extended functionality.
- Pricing Transparency: Pricing details are not readily available, requiring potential users to contact sales for information.
Alluvio Packet Analyzer Plus is a good tool for those who want a simple GUI-based packet sniffer. Alluvio Packet Analyzer Plus integrates with Wireshark and Riverbed Steel Center Transaction Analyzer. If you want to view pricing information you will have to contact the sales team. You can request a free trial.
Which packet capture tool is best for you?
Regularly monitoring your network traffic is a must for making sure that your resource usage is being optimized. Packet analysis tools can be tremendously valuable for examining network conversations and finding inefficient communications and malicious cyber attacks.
With the range of options on the market, you have complete control over the type of monitoring experience you can go for. If you’re looking for a GUI-based tool then we recommend PRTG Network Monitor, because of its user-friendly interface and low price point.
Wireshark also stands up as a viable open-source alternative for less experienced users. Other tools like Tcpdump and Kismet are a good fit for those who are comfortable working with the command line.