Navigating the Digital Realm with Code and Security – Where Programming Insights Meet Cyber Vigilance. | The end is the beginning.
IHA089 Toolkit: Network Analysis / Traffic Analysis
Wireshark

Wireshark is the premier open-source packet analyzer, with dissectors for 3000+ protocols that enable deep inspection of traffic flows from the Ethernet layer up to the application layer, for anomaly detection or protocol debugging. Capture live or from a saved file with the tshark CLI, apply display filters for targeted views, and export statistics for reports. Forked on GitHub from the Wireshark Foundation's repository, it is the traffic translator for network pentesters decoding conversations byte by byte.

Zeek (Bro)

Zeek is the network security monitor that scripts traffic analysis in the Zeek scripting language for protocol parsing, extracting logs such as HTTP entities or DNS queries for behavioral baselines. Deploy its C++ core on live interfaces, replay PCAPs for retrospective hunts, and correlate events through its JSON log feeds. Open-source from Corelight, it is the scriptable sentinel for analysts building custom traffic insights.

Suricata

Suricata is the high-performance traffic analyzer with multi-threaded dissection of protocols such as HTTP/2 and TLS, logging EVE JSON for SIEM integration and flagging anomalies with rule-based detection. Configure it via YAML, add custom signature rules, run it in IPS mode for inline mitigation, and export statistics for dashboards. Open-source from OISF, it is the protocol powerhouse for defenders dissecting threats in real-time streams.

tcpflow

tcpflow reassembles TCP streams from captures into files, letting you analyze traffic for HTTP sessions or carved files without a full protocol stack, which makes flow forensics efficient. Compile its C code, process PCAPs with -r to reconstruct streams, and inspect the output files for embedded data. Open-source from simsong, it is the stream surgeon for pentesters stitching fragmented conversations back together.

ngrep

ngrep is the regex sniffer for traffic patterns such as 'login' in payloads, filtering packets with pcap filter syntax for targeted protocol hunts in live or offline mode. Run its C binary on an interface with -d to select the capture device, piping output to files for logs. Open-source from rurban, it is the pattern prowler for network explorers grepping deep into data streams.

Scapy

Scapy's sniff function captures and dissects traffic as Pythonic layers, enabling custom filters for protocol-specific analysis such as DNS amplification or ARP spoofing. Import it in scripts for live packet processing, and replay or forge packets for test scenarios. Open-source from secdev, it is the packet poet for scripters analyzing flows with programmatic flair.

Moloch

Moloch indexes full PCAPs for traffic queries, dissecting sessions with SPI views for HTTP or DNS and enabling timeline searches for incident reconstruction. Deploy its Node.js stack, ingest captures, and query via the web UI for field spikes. Open-source from AOL, it is the session sorter for analysts building traffic timelines from raw captures.

ntopng

ntopng is the web-based traffic monitor with flow analysis for top talkers, protocols, and anomalies, dissecting packets for L7 details such as HTTP hosts. Run its C daemon on interfaces and view its dashboards for real-time statistics and alerts. Open-source from ntop, it is the flow forecaster for network ops gaining visibility into bandwidth behaviors.

Bro (Zeek Legacy)

Bro's legacy scripts analyze traffic for protocol anomalies, logging extracted fields such as SMTP attachments as forensic feeds in scripted workflows. Compile its C++ source, replay PCAPs with bro -r for event streams, and customize the analyzers. The open-source precursor to Zeek, it is the protocol parser for researchers working with legacy network insights.

PcapXray

PcapXray is the GUI analyzer for PCAPs with DNS/HTTP dissectors, visualizing traffic graphs and extracting artifacts for quick incident overviews. Load captures in its Python app, drill into flows for payload views, and export timelines. Open-source from Eshwar, it is the visual voyager for beginners navigating packet seas.