A JOURNAL OF COMPOSITION THEORY ISSN : 0731-6755

A Methodical Review on Network

Traffic Monitoring & Analysis Tools
Prabhjot Kaur1, Neeti Misra2
1
Department of Computer Science
2
Department of Management Studies
Uttaranchal University
Dehradun, India
Email address: {info.prabh, neeti.cm}@gmail.com

Abstract - Network traffic monitoring is observation of
the inflow and outflow of traffic moving in-across the
network. The continuous monitoring is required for
various purposes such as intrusion detection, congestion
control, traffic redirection, network management and
many more. There are varieties of Network traffic
monitoring tools used for these purposes. This paper
reviews the network traffic monitoring and analysis
tools, along with the pros and cons of each tool are
highlighted. This paper can help the prospective
researchers in selection of respective tool based on
particular network scenario.
Keyword Network traffic, tools, monitoring
I. INTRODUCTION
Network traffic is defined as something arisen from
the redirection flow from Origin to Destination [1].
Network traffic monitoring is observation of the
inflow and outflow of traffic moving in-across the
network. Network traffic analysis is the technique of
extracting the features from the traffic to understand
its behaviour. Various patterns are generated while its
analysis to conclude meaningful judgments. Network
traffic is analysed to detect anomaly [2] [3].
Anomalies are unfamiliar plus important deviations
in a network traffic levels straddling across several
links [4]. A subspace method usually applied to the
flow traffic is used to count the number of feature
occurrences for features such as number of packets,
byte count of multivariate time series etc. to detecting
anomalies such as network outrage, flash crowds,
worm propagation etc. This technique provided a
threshold to determine the anomaly at the initial
phase as defined by [1].
[5] Barford have performed traffic analysis using
signals study to detect four categories of attacks on
collected SNMP traffic using wavelet filters as
defined by [6] proposed an approach called k-ary
sketch which is a modified version of sketch data
structure usages a lesser amount of memory, and has
constant per-record etc. to summarize traffic at
various levels and then forecast them using
autoregressive moving averages model etc. to
determine significant forecast errors. Some of the
examples of network traffic monitoring and analysis
tools are: wireshark, TCPDump, snort, bro, Xplico
etc. These are the sniffing tools and some of them
also help in intrusion prevention. There is wide
variety of upcoming network sniffing tools.
FlowScan is a network flow analysis and
visualization tool that is used for network traffic
report generation as well. Iris is a network traffic
analysis technique that can help the investigators in
iterative investigation of intrusions.
A typical network traffic monitoring tool
displays the decoded data in atleast three parts as
stated by Shimonski: Summary: This displays
information regarding protocol details, traffic/packet
capture time, and the source and destination
addresses; Detail: This displays information
regarding complete layer, sub-layer details; Hex: The
data is stored in hexadecimal format [7]. The
captured packet is dissected to obtain even the
smallest available therein [8]. This paper carefully
reviews the network monitoring and analysis tools
widely in use these days. This paper also explicitly
shows the new tools which can be encapsulated with
existing tools to upgrade the performance. Further
section in this paper reviews the existing network
monitoring tools along with the pros and cons of each
tool.
II. NETWORK TRAFFIC MONITORING TOOLS

Volume XII Issue IX SEPTEMBER 2019 Page No: 1964

A JOURNAL OF COMPOSITION THEORY
There are numerous network traffic collection and
monitoring tools available these days. Some of these
include: wireshark, TcpDump, NfDump, PcapWT,
Xplico, NetworkMinor, NetIntercept, Snort, PyFlag ,
Fig. 1. Network Traffic Monitoring Tools
Wireshark: This is the most widespread network
traffic analyzer. It has the capability to implement
real time capturing of network traffic in libpcap
(packet capture) format. Like many other tools it can
scrutinize, inspect and dissect packets data and
perform analysis. It is compatible with multiple
platforms including Windows, Linux variants etc.
This captures the network traffic in the form of
packets and stores them on to packet buffer for later
examination and analysis [7]. It has many filters
predefined filters such as: Wireshark Capture Filter,
Wireshark Protocol Filters etc. and alongwith one can
create new filters as per requirement [11]. The user
can make sure that the incoming network traffic
passes through these filters before getting stored into
packet buffer. [8] Besides network traffic monitoring
this tool also helps to analyse the traffic to determine
the security concerns in the network. Another feature
of this tool is the ability to display interaction among
OSI layers i.e. which layer of OSI model interacts
with which other layer. It provides filters to look into
port numbers in layer 4 and IP address in layer 3 of
OSI model. The traffic related to conversation can be
stored and searched based on keyword wherever
required. The list of endpoints from a security zone
can be determined using its end point correlation tool
to graphically display the end points which is easy to
visualize and understand [11].
One of the limitations of wireshark if
installed in the open environment is password
leakage i.e. it clearly displays the username and
Volume XII Issue IX SEPTEMBER 2019
ISSN : 0731-6755
Iris, Bro are to name a few [9][10] [3]. Fig. 1 displays
different types of network monitoring tools discussed
further in this section.
password of the account holders whose network
traffic data is being captured [12]. It is also
inefficient in handling large voluminous data.
TcpDump: The origin of tcpdump dates back in
1990‘s at Lawrence Berkeley National Laboratory.
This is a typical packet sniffer and analyser that work
in command line. It examines and provides output of
the incoming/outgoing packets in the network. It
displays the packet contents such as timestamp of the
packet, protocol used, source address and destination
hosts and ports etc. TCPDump uses CUI for better
user-system interaction and preinstalled on Kali
Linux [11]. It is used primarily when mode of
operation to be used is promiscuous [12][13]. One of
the application areas of tcpdump include in firewall
construction e.g. for McAfee and Juniper deploy
tcpdump in their toolset to easily debug or report a
problem [7]. TCPdump is reaches to the data faster in
comparison to wireshark tool [8].
One of the limitations of Tcpdump is its
inefficiency to handle large packet traces. Tcpdump
writes each captured data or packet to the terminal by
displaying the minimal information including the
type of packet e.g. tcp, udp, icmp etc. In order to
increase the display of information on the output
terminal a special tag named verbose ‗-v‘ can be
used by increasing it upto three times as ‗-vvv‘. It
can even capture data from the lowest stream line.
One of the main drawbacks of tcpdump is its inability
to translate the application layer data [8].
Page No: 1965
A JOURNAL OF COMPOSITION THEORY
Xplico: It is a kind of sniffing tool that captures
network traffic, manipulated in forms by normalizing
it to be used by manipulators [14]. This tool is
primarily used to extract audio sessions from a
stream [15]. It is used to reconstruct the data
generated from other network traffic collector tools
such as wireshark, tcpdump etc. [16]. It can extract
webpages from the web data, similarly, specific data
extraction i.e. images, audio from web data. Xplico is
by default available with Linux Kali distribution
which is best suited for penetration testing [17].
One of the limitations in Xplico is the access
time to access hard disk drive in while extracting data
in real time [18]. On account of pros is its ability to
support multi-user environment. It can also support
cloud NFAT.
Snort: It is a network sniffing tool capable of
detecting intrusion in the network. It also provides
network and system intrusion prevention
mechanisms. It can perform packet logging and real-
time traffic analysis. Likewise wireshark it also
captures the network traffic data in libpcap format.
This format can further be converted into other
formats for further analysis [19]. The snort work
somewhat similar to tcpdump and differs in the fact
that the former does packet payload inspection [20].
One of the limitations of snort is that it does
not lookup host names or port names while running
as it quickly focuses on maximum packet collection
[20]. The pros of snort includes its capability to filter
the packets based on specific category such as
protocol type that primarily makes use of Berkeley
Packet Filter (BPF) commands [19].
PyFlag: The origin of PyFlag dates back in year
2007 by a team at Australian Department of Defence
and then released under GPL. Along with network
traffic monitoring, this provides an advance network
forensic framework for intrusion detection [21]
which in contrary was designed as database driven
analysis tool for digital forensic. Its implementation
schemes are used by various areas including
reconstruction of webpages and mail analysis etc.
[22].
One of the limitations found by Farrell is in
the database schema and source file organization
Volume XII Issue IX SEPTEMBER 2019
ISSN : 0731-6755
[23]. The pros of PyFlag is its ability to examine
nested data/file structure and to recursively examine
data at several levels.
NfDump: The origin of Nfdump dates back to late
1990‘s. This tool helps to collect packet information
such as IP address etc. as it passes through the nodes
in the network. This tool provides command line
interface to the user in synonym to tcpdump [24].
This tool displays the output on command line
interface.
One of the limitations of NfDump is its
performance issue in large data. However, a case
study shows that its response time is better than
MySQL‘s response time [25]. The pros of this tool
are the ability to provide fast statistics of network
flow. Also this tool acts as backbone to many other
higher end sniffing tools such as NfSen which is used
to track hosts and automatic alerting [24].
PcapWT: The origin of PcapWT dates back to year
2014. One of the pros of this tool is its ability to work
on voluminous data. A recent case study showed that
it is hundred times faster than tcpdump [26]. It can
performs packet inspections using wavelet tree data
structure on long arrays of packet data which
otherwise has an extensive processing time with
traditional tools.
One of the limitations of PcapWT is that it
does not support fine granule filtering operation. This
tool works even better in comparison to other tools
even when the traffic complexity on the network
increases.
NetworkMiner: The origin of NetworkMiner dates
back to year 2007. This is network forensic analysis
tool that helps in packet sniffing and incident
response in case of threat is detected [27]. It can
identify ports, mapping, geo IP identification, audio
extraction from VoIP calls etc.
One of the limitations of this tool is its
performance degradation in active network traffic
sniffing. One of the case study shows that this tool
can be combined other applications to manage and
process the semantic information efficiently [14].
Page No: 1966
A JOURNAL OF COMPOSITION THEORY
NetIntercept: The origin of NetIntercept dates back
to year 2007. This is network monitoring and analysis
tool deployed at the interface of the network [28]. It
comes encapsulated with hardware to be ready for
deployment. This tool provides deep packet
inspection and analysis at decent speed.
One of the limitations of this tool is its high
cost incurred in deep packet inception and analysis
[29]. The pro of NetIntercept is its user friendly
interface that enables ease of access in performing
complex tasks. It helps in parsing IPv6 traffic along
with audio sniffing [30].
III. CONCLUSION
This paper carefully examines the tools and
techniques used for network traffic monitoring and
analysis used by network administrators, researchers
and scientists. Each tool differs from other tools by
significant feature and functionality which is
included in this paper. Like, one of the best features
of wireshark is ease of creation of new filters as per
user requirement while tcpdump writes commands to
do new activity. Wireshark, NetIntercept uses GUI
whereas TCPdump, Nfdump uses CUI interface. The
CUI capability enables tcpdump to quickly jump to
the data and debug/report the problem. Since
TCPdump is used only when mode of operation to be
used is promiscuous while Xplico on the other hand
supports multi-user environment but limiting the
factor of HD. The capability of packet payload
inspection makes snort a better choice than tcpdump,
while snort does not collect information of host name
and port names which is the usual activity routine for
tcpdump. PcapWT tool is efficient in handling
voluminous data along with better speed in analysing
data in comparison to tcpdump. These individual
tools when combined with other tools enhance the
features and performance. Like, the integration of
snort, NetIntercept or NetDetector can be helpful in
intrusion detection. One of the main drawbacks of
tcpdump tool is its inability to understand and
translate the application layer data. One of problems
related to these tools is false positives. The lesser the
false positive rate the better the network traffic tool.
The comparison is done between the tools to
understand the edge of one tool over the other. The
drawbacks of the existing tools are also highlighted
Volume XII Issue IX SEPTEMBER 2019
ISSN : 0731-6755
that can act as the basis for future research scope and
can help the prospective researcher in selection of a
particular tool for their study area.
REFERENCES
[1] A. Lakhina, K. Papagiannaki, M. Crovella, C. Diot, E. D.
Kolaczyk, and N. Taft, ―Structural Analysis of Network
Traffic Flows,‖ in SIGMETRICS ’04/Performance ’04
Proceedings of the joint international conference on
Measurement and modeling of computer systems, 2004,
vol. 6, pp. 61–72.
[2] A. Chahuhan, M. Chand, and P. Kaur, ―Retroactive
Analysis Of Denial Of Service‖ in Conference on Recent
Innovations in Emerging Technology & Science, 2018,
pp. 337–340.
[3] P. Kaur, P. Chaudhary, and A. Bijalwan, ―Network
Traffic Classification Using Multiclass Classifier,‖
Commun. Comput. Inf. Sci. - Springer, vol. 905, pp. 208–
217, 2018.
[4] A. Lakhina, M. Crovella, and C. Diot, ―Diagnosing
Network-Wide Traffic Anomalies,‖ 2004.
[5] P. Barford, J. Kline, D. Plonka, and A. Ron, ―A Signal
Analysis of Network Traffic Anomalies,‖ in Proceeding
IMW ’02 Proceedings of the 2nd ACM SIGCOMM
Workshop on Internet measurment, 2002, pp. 71–82.
[6] B. Krishnamurthy, S. Sen, Y. Zhang, F. Park, and Y.
Chen, ―Sketch-based Change Detection : Methods ,
Evaluation , and Applications,‖ in In Internet
Measurement Conference, IMC’03, 2003.
[7] R. Shimonski, ―About Wireshark,‖ in The Wireshark
Field Guide, 2013, pp. 1–15.
[8] C. Sanders and J. Smith, ―Packet Analysis 13,‖ in
Applied Network Security Monitoring Collection,
Detection, and Analysis, 2014, pp. 341–384.
[9] E. S. Pilli, R. C. Joshi, and R. Niyogi, ―Network
forensic frameworks: Survey and research challenges,‖
Digit. Investig., vol. 7, no. 1–2, pp. 14–27, 2010.
[10] P. Kaur, A. Bijalwan, R. C. Joshi, and A. Awasthi,
―Network Forensic Process Model and Framework : An
Alternative Scenario,‖ Adv. Intell. Syst. Comput., vol.
624, pp. 493–502, 2018.
[11] C. Chapman, ―Using Wireshark and TCP dump to
visualize traffic,‖ in Network Performance and Security,
2016, pp. 195–225.
[12] F. Fuentes and D. C. Kar, ―ETHEREAL VS .
TCPDUMP : A COMPARATIVE STUDY ON
PACKET SNIFFING TOOLS FOR EDUCATIONAL
PURPOSE *,‖ J. Comput. Sci. Coll., pp. 169–176, 2005.
[13] P. Arlos and M. Fiedler, ―A Comparison of
Measurement Accuracy for DAG , Tcpdump and
Windump A Comparison of Measurement Accuracy for,‖
in COST279 TD, 2016, no. August, pp. 1–23.
[14] R. Hunt and S. Zeadally, ―Network Forensics : An
Page No: 1967
A JOURNAL OF COMPOSITION THEORY ISSN : 0731-6755

Analysis of,‖ Computer (Long. Beach. Calif)., vol. 45, [30] E. Casey, ―Network traffic as a source of evidence :
no. 12, pp. 36–43, 2012. tool strengths , weaknesses , and future needs,‖ Digit.
Investig., vol. 1, pp. 28–43, 2004.
[15] N. Grant and J. W. ShawII, ―A Brief Introduction,‖ in
Unified Communications Forensics Anatomy of Common
UC Attacks, 2014, pp. 1–14.

[16] R. McRee, ―Xplico: Internet Traffic Decoder. Network

Forensic Analysis Tool (NFAT),‖ ISSA J. |, no. June, pp.
37–40, 2011.

[17] ―Kali Linux Bug Tracker: Xplico,‖ 2013. [Online].

Available:http://bugs.kali.org/view.php?id=61.
[Accessed: 10-Jun-2019].

[18] ―Xplico,‖ 2019. [Online]. Available:

https://www.xplico.org/about. [Accessed: 10-Jun-2019].

[19] M. Roesch, ―SNORT — LIGHT WEIGHT INTRUSION

Snort – Lightweight Intrusion Detection for Networks,‖ in
Proceedings of LISA ’99: 13th Systems Administration
Conference, 1999, pp. 228–238.

[20] H. Koike and K. Ohno, ―SnortView : Visualization

System of Snort Logs,‖ in Proceedings of the 2004 ACM
workshop on Visualization and data mining for computer
security, 2004, pp. 143–147.

[21] M. I. Cohen, ―PyFlag – An advanced network forensic

framework,‖ Digit. Investig., vol. 5, pp. 112–120, 2008.

[22] A. Byrski, W. Stryjewski, and B. Czechowicz,

―Adaptation of PyFlag to Efficient Analysis of Seized
Computer Data Storage,‖ J. Digit. Forensics, Secur. Law,
vol. 5, no. 1, pp. 49–62, 2010.

[23] P. F. Farrell, ―A framework for automated digital

forensic reporting,‖ 2009.

[24] P. Haag, ―Watch your Flows with NfSen and

NFDUMP,‖ 2005.

[25] R. Hofstede, A. Sperotto, T. Fioreze, and A. Pras, ―The

Network Data Handling War : MySQL vs . NfDump,‖
Networked Serv. Appl. - Eng. Control Manag. EUNICE
2010. Lect. Notes Comput. Sci., vol. 6164, pp. 167–176,
2010.

[26] Y.-H. Kim, R. Konow, D. Dujovne, T. Turletti, W.

Dabbous, and G. Navarro, ―PcapWT : An Efficient
Packet Extraction Tool for Large Volume Network
Traces,‖ Comput. NETWORKS, 2014.

[27] ―NetworkMiner,‖ 2007. [Online]. Available:

https://www.netresec.com/?page=networkminer.
[Accessed: 11-Jun-2019].

[28] Michele Mjordan, ―NIKSUN NetIntercept,‖ NIKSUN

Inc., 2010. [Online]. Available:
https://www.securitywizardry.com/index.php/products/fo
rensic-solutions/network-forensic-tools/niksun-
netintercept.

[29] P. Venezia, ―NetIntercept 2.0,‖ 2003. [Online].

Available:
https://www.infoworld.com/article/2679039/netintercept-
2-0-delivers-deep-data-scrutiny-for-less.html. [Accessed:
14-Jun-2019].

Volume XII Issue IX SEPTEMBER 2019 Page No: 1968