Wireshark
Wireshark's dissectors unpack protocols from Ethernet to QUIC, exposing packet internals such as HTTP/2 frames or TLS handshakes for deep traffic forensics. Capture with its GUI or the tshark CLI, apply display filters such as tcp.port == 443 for targeted views, and export protocol statistics for reports. Note that TLS handshakes are visible in the clear only up to the point where encryption starts; decrypting the application data needs the session keys, typically supplied through an SSLKEYLOGFILE key log. Open-source from the Wireshark Foundation, it is the protocol peeler for network sleuths exposing hidden layers in captures.
Zeek
Zeek turns traffic into protocol events, from DNS queries to SMTP attachments, and logs semantic details such as MIME types or JA3 fingerprints (the latter via the ja3 package) for behavioral network analysis. Deploy its C++ core on taps or SPAN ports, replay PCAPs with zeek -r file.pcap for retrospective inspection, and query the resulting tab-separated logs with zeek-cut or custom scripts. Open-source, maintained by the Zeek Project (originally Bro) and commercially backed by Corelight, it is the event extractor for analysts templating protocol insights into threat hunts.
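The JA3 fingerprint mentioned above is computed from the ClientHello alone, which is why Zeek (and Suricata's ja3.hash keyword) can emit it for TLS 1.3 flows whose certificates are encrypted. The following is an added example, not Zeek code: it constructs a ClientHello inline (including GREASE values, which JA3 must drop), parses it with the standard library, and derives the JA3 string and MD5. The host name, cipher and extension choices are assumptions chosen for the demonstration.

```python
"""Parse a TLS ClientHello and compute its JA3 fingerprint. Added example,
stdlib only, not Zeek code; the ClientHello is constructed inline."""
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # 0x0a0a, 0x1a1a, ... 0xfafa (RFC 8701)

def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)

def build_client_hello(sni: str) -> bytes:
    """Constructed ClientHello: TLS 1.2 legacy version, TLS 1.3 offered via supported_versions."""
    def ext(etype, body):
        return struct.pack("!HH", etype, len(body)) + body
    host = sni.encode()
    ciphers = [0x2A2A, 0x1301, 0x1302, 0xC02B, 0xC02F]  # GREASE, AES128-GCM, AES256-GCM, two ECDHE suites
    groups = [0x1A1A, 0x001D, 0x0017]                  # GREASE, x25519, secp256r1
    exts = (ext(0x0A0A, b"")                                                        # GREASE extension
            + ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)  # server_name
            + ext(0x000A, struct.pack("!H", 2 * len(groups)) + _u16s(groups))       # supported_groups
            + ext(0x000B, b"\x01\x00")                                              # ec_point_formats
            + ext(0x000D, struct.pack("!H", 4) + _u16s([0x0403, 0x0804]))           # signature_algorithms
            + ext(0x002B, b"\x04" + _u16s([0x0304, 0x0303])))                       # supported_versions
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # legacy version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + _u16s(ciphers)
            + b"\x01\x00"                                 # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record: bytes) -> dict:
    """Pull the JA3 inputs (and the SNI) out of one handshake record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    b = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack("!H", b[:2])[0]
    off = 2 + 32                       # skip random
    off += 1 + b[off]                  # skip session id
    n = struct.unpack("!H", b[off:off + 2])[0]
    ciphers = list(struct.unpack("!%dH" % (n // 2), b[off + 2:off + 2 + n]))
    off += 2 + n
    off += 1 + b[off]                  # skip compression methods
    exts, groups, formats, sni = [], [], [], None
    if off + 2 <= len(b):
        end = off + 2 + struct.unpack("!H", b[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", b[off:off + 4])
            body = b[off + 4:off + 4 + elen]
            off += 4 + elen
            exts.append(etype)
            if etype == 0x0000:        # server_name: list len(2), name type(1), host len(2), host
                hlen = struct.unpack("!H", body[3:5])[0]
                sni = body[5:5 + hlen].decode("ascii")
            elif etype == 0x000A:      # supported_groups: list len(2), u16 group ids
                glen = struct.unpack("!H", body[:2])[0]
                groups = list(struct.unpack("!%dH" % (glen // 2), body[2:2 + glen]))
            elif etype == 0x000B:      # ec_point_formats: len(1), u8 formats
                formats = list(body[1:1 + body[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "point_formats": formats, "sni": sni}

def ja3(hello: dict):
    """JA3 = md5('version,ciphers,extensions,groups,point_formats'), GREASE values removed."""
    def strip(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    text = ",".join([str(hello["version"]), strip(hello["ciphers"]), strip(hello["extensions"]),
                     strip(hello["groups"]), strip(hello["point_formats"])])
    return text, hashlib.md5(text.encode()).hexdigest()

if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello("example.com"))
    text, digest = ja3(hello)
    print(hello["sni"], text, digest)
```

The version field in the JA3 string is the ClientHello's legacy version (771 = 0x0303), not the negotiated one, so a TLS 1.3 client still fingerprints as 771; the supported_versions extension only shows up as extension id 43 in the extension list.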
Suricata
Suricata's app-layer parsers decode TLS (through 1.3), HTTP/2 and QUIC, and its rules match on parsed fields such as the TLS SNI or JA3 hash to classify encrypted traffic without decrypting it; with TLS 1.3 the certificate is encrypted, so classification rests on the ClientHello and flow metadata. Enable and tune the app-layer parsers in suricata.yaml, run in IPS mode for inline blocking, and export EVE JSON for log feeds. Open-source from OISF, it is the payload parser for defenders classifying encrypted protocols in high-volume streams.
Scapy
Scapy's layer classes let you peel protocols such as ICMP or BGP (the latter from scapy.contrib) apart in Python, inspecting and rewriting fields in custom sniffers for protocol-specific fuzzing or replay. Read PCAPs with rdpcap, rebuild packets layer by layer with the / operator, and feed the result back into analysis chains. Open-source from secdev, it is the layer librarian for scripters inspecting protocols programmatically.
tshark
tshark extracts protocol fields such as http.request.method or dns.qry.name from captures: combine a -Y display filter with -T fields -e for tab-separated output in batch jobs, or use -T json for JSON exports, to automate protocol queries in forensics. Open-source from the Wireshark project, it is the CLI carver for analysts templating field extractions from traffic.
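What Wireshark's dissectors and tshark's -T fields extraction do underneath, as an added example that is not Wireshark or tshark code: a standard-library pcap reader, a layered Ethernet/IPv4/UDP/DNS dissector that labels fields with Wireshark's display-filter names, and a single-term filter so that extract() behaves like tshark -r in.pcap -Y 'udp.port == 53' -T fields -e ip.src -e dns.qry.name. The capture is constructed inline (two DNS queries and one NTP packet); the MAC and IP addresses are assumptions, and the IP checksum is left at zero because the dissector does not verify it.

```python
"""pcap reader plus Ethernet/IPv4/UDP/DNS dissector with tshark-style field
extraction. Added example, stdlib only, not Wireshark or tshark code."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap with microsecond timestamps

def dns_query(name: str, txid: int) -> bytes:
    """Constructed DNS A query: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def udp_frame(payload: bytes, sport: int, dport: int, src="10.0.0.5", dst="10.0.0.53") -> bytes:
    """Constructed Ethernet/IPv4/UDP frame; IP and UDP checksums left 0 (not verified here)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip + udp

def pcap_bytes(frames) -> bytes:
    """Wrap frames in a pcap file image (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data: bytes):
    """Yield (timestamp, frame) per record; only the native-magic variant is handled."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def read_name(msg: bytes, off: int, depth: int = 0):
    """Decode a DNS name; follows RFC 1035 compression pointers with a loop bound."""
    if depth > 5:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr, depth + 1)
            return ".".join(labels + [tail]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def dissect(frame: bytes) -> dict:
    """Return a flat dict of Wireshark-named fields for one Ethernet frame."""
    f = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":"),
         "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if f["eth.type"] != 0x0800:
        return f                                    # not IPv4: stop at Ethernet
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    f["ip.src"], f["ip.dst"], f["ip.proto"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9]
    if f["ip.proto"] != 17:
        return f                                    # not UDP
    udp = ip[ihl:]
    f["udp.srcport"], f["udp.dstport"], ulen, _ = struct.unpack("!HHHH", udp[:8])
    if 53 not in (f["udp.srcport"], f["udp.dstport"]):
        return f                                    # port heuristic, as the real dissectors use
    dns = udp[8:ulen]
    f["dns.id"], flags, qdcount, *_ = struct.unpack("!HHHHHH", dns[:12])
    f["dns.flags.response"] = bool(flags & 0x8000)
    if qdcount:
        f["dns.qry.name"], off = read_name(dns, 12)
        f["dns.qry.type"] = struct.unpack("!H", dns[off:off + 2])[0]
    return f

def matches(fields: dict, expr: str) -> bool:
    """One `name == value` term; udp.port matches either port, as in Wireshark."""
    name, value = (s.strip() for s in expr.split("=="))
    names = ["udp.srcport", "udp.dstport"] if name == "udp.port" else [name]
    return any(str(fields.get(n)) == value for n in names)

def extract(pcap: bytes, display_filter: str, field_names):
    """Like: tshark -r in.pcap -Y '<filter>' -T fields -e <name> ..."""
    rows = []
    for _ts, frame in read_pcap(pcap):
        fields = dissect(frame)
        if matches(fields, display_filter):
            rows.append(tuple(fields.get(n) for n in field_names))
    return rows

SAMPLE_PCAP = pcap_bytes([                           # constructed: two DNS queries, one NTP packet
    udp_frame(dns_query("example.com", 0x1234), 40000, 53),
    udp_frame(b"\x23" + b"\x00" * 47, 123, 123, dst="10.0.0.9"),
    udp_frame(dns_query("internal.corp", 0xBEEF), 40001, 53),
])

if __name__ == "__main__":
    for row in extract(SAMPLE_PCAP, "udp.port == 53", ["ip.src", "dns.id", "dns.qry.name"]):
        print("\t".join(str(v) for v in row))
```

The early returns in dissect() are the part worth noticing: each layer only hands off to the next when its own header says so, and DNS is selected by port, which is exactly how the real tools can mislabel traffic on non-standard ports until you use Decode As.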
PcapPlusPlus
PcapPlusPlus parses protocols from ARP to DNS in C++, enabling custom analyzers that extract fields such as TCP options or UDP payloads in high-performance applications. Link against its libraries for live capture over libpcap, PF_RING or DPDK, and process streams with protocol-specific callbacks. Open-source from seladb, it is the C++ composer for devs building protocol inspectors from the ground up.
Snort
Snort's rules match patterns in HTTP, ICMP and other protocols, dissecting payloads for signatures such as shellcode byte sequences in signature-based detection. Tune rulesets in plain-text rule files, run in NIDS mode for alerts on dissected events, or inline as an IPS. Open-source from Cisco (Talos), it is the rule reader for network guardians templating protocol matches into defenses.
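How a Snort or Suricata rule turns into a match against dissected traffic, as an added example serving both entries above; it is not code from either project. The matcher below handles only a small subset of the real rule language (header with $variables, [lists] and !negation; content with |hex| escapes and nocase; the Suricata-style http.uri and http.method sticky buffers) and runs it over constructed flows. The variable definitions, rule texts, addresses and payloads are all assumptions made up for the demonstration.

```python
"""Simplified Snort/Suricata-style rule matcher. Added example, not code from
either project; rules, variables and events are constructed inline."""
import ipaddress
import re

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
OPTION_RE = re.compile(r'\s*([\w.]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# Constructed variable definitions in suricata.yaml / snort.conf style (assumed values).
VARIABLES = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET", "HTTP_PORTS": "[80,8080]"}

def content_bytes(quoted: str) -> bytes:
    """Decode a content string; text between |pipes| is hex."""
    out = b""
    for i, part in enumerate(quoted.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(text: str) -> dict:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("bad rule header")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "contents": [], "msg": "", "sid": None}
    buffer = "payload"  # default until a sticky-buffer keyword switches it
    for name, value in OPTION_RE.findall(opts):
        if name in ("http.uri", "http.method"):
            buffer = name
        elif name == "content":
            rule["contents"].append({"buffer": buffer, "bytes": content_bytes(value), "nocase": False})
        elif name == "nocase":
            rule["contents"][-1]["nocase"] = True
        elif name == "msg":
            rule["msg"] = value.strip('"')
        elif name == "sid":
            rule["sid"] = int(value)
    return rule

def _spec_matches(spec: str, value, atom) -> bool:
    """Shared resolver for address and port specs: !negation, any, $variables, [lists]."""
    if spec.startswith("!"):
        return not _spec_matches(spec[1:], value, atom)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return _spec_matches(VARIABLES[spec[1:]], value, atom)
    if spec.startswith("["):
        return any(_spec_matches(s.strip(), value, atom) for s in spec[1:-1].split(","))
    return atom(spec, value)

def addr_matches(spec: str, ip: str) -> bool:
    return _spec_matches(spec, ip, lambda s, v: ipaddress.ip_address(v) in ipaddress.ip_network(s, strict=False))

def port_matches(spec: str, port: int) -> bool:
    def atom(s, v):  # single port or lo:hi range with either side open
        lo, sep, hi = s.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        return low <= v <= high
    return _spec_matches(spec, port, atom)

def buffers_for(payload: bytes) -> dict:
    """Raw payload plus parsed HTTP request-line buffers when the payload is an HTTP request."""
    bufs = {"payload": payload}
    line = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(line) == 3 and line[2].startswith(b"HTTP/"):
        bufs["http.method"], bufs["http.uri"] = line[0], line[1]
    return bufs

def _tuple_ok(rule, src, sport, dst, dport) -> bool:
    return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

def rule_matches(rule: dict, e: dict) -> bool:
    if rule["proto"] not in ("ip", e["proto"]):
        return False
    ok = _tuple_ok(rule, e["src"], e["sport"], e["dst"], e["dport"])
    if not ok and rule["dir"] == "<>":
        ok = _tuple_ok(rule, e["dst"], e["dport"], e["src"], e["sport"])
    if not ok:
        return False
    bufs = buffers_for(e["payload"])
    for c in rule["contents"]:
        hay = bufs.get(c["buffer"])
        if hay is None:  # e.g. http.uri requested but the payload is not an HTTP request
            return False
        if not ((c["bytes"].lower() in hay.lower()) if c["nocase"] else (c["bytes"] in hay)):
            return False
    return True

def run(rules, events):
    """Return (src, sid, msg) for every rule that fires on every event."""
    parsed = [parse_rule(r) for r in rules]
    return [(e["src"], r["sid"], r["msg"]) for e in events for r in parsed if rule_matches(r, e)]

RULES = [  # constructed rules
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Path traversal to /etc/passwd in URI"; http.uri; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (msg:"/bin/sh in payload"; content:"|2f|bin|2f|sh"; sid:1000002; rev:1;)',
]
EVENTS = [  # constructed decoded flows: 5-tuple plus the client payload
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET /index.php?page=../../ETC/PASSWD HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "203.0.113.10", "dport": 8080,
     "payload": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\ncmd=/bin/sh -c id"},
    {"proto": "tcp", "src": "203.0.113.10", "sport": 51002, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /etc/passwd HTTP/1.1\r\nHost: internal\r\n\r\n"},  # inbound: fails rule 1's $HOME_NET source
]

if __name__ == "__main__":
    for src, sid, msg in run(RULES, EVENTS):
        print(f"[{sid}] {msg} from {src}")
```

The third event is the caveat worth remembering when tuning: the URI does contain /etc/passwd, but the rule header restricts the source to $HOME_NET, so the inbound request never reaches content matching. Header mismatches are the most common reason a signature that "should" fire stays silent.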
Netdissector
Netdissector is a Python-based protocol dissector for defining custom fields over UDP/TCP, scripting parsers for proprietary formats in network forensics or reverse engineering. Define layers in code, dissect PCAPs into structured views, and export for reports. Community open-source, it is the field finder for researchers templating dissections for unknown protocols.
Pyshark
Pyshark wraps tshark's dissectors in Python for scripted protocol inspection, extracting layers such as TLS or SMB with display filters for automated traffic mining. Use FileCapture for PCAPs or LiveCapture for interfaces, and query layer fields in loops for custom analytics; since it drives a tshark subprocess and parses its output, it is convenient rather than fast. Open-source from KimiNewt, it is the Pythonic parser for analysts templating protocol queries in notebooks.
PcapXray

