Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Is there a better PCAP analyzer than Wireshark?
6 points by salmaanp on Nov 17, 2020 | hide | past | favorite | 4 comments
Wireshark is great, it has all the bell and whistles. The one thing that is severely lacking is the experience when analyzing a capture. You can only follow one tcp/udp stream at a time which means most of the time spent is just going from one stream to another and no ability to clearly co-relate from multiple streams. Just having multiple tabs for various streams would make it so much better.

Is there any other tool which supports this?



If you don't need immediate access to the packet payload, I've been enjoying Brim Desktop [1]. It comes pre-packaged with Zeek (formerly Bro) and gives you a UI to view and query those Zeek logs, which will link flows together. It also supports opening specific flows in Wireshark for deeper analysis. It might not do everything you need, but it's improved my pcap analysis workflow. It's free at the moment, and this part of the demo [2] gives you an overview of processing a pcap.

[1] https://www.brimsecurity.com [2] https://youtu.be/InT-7WZ5Y2Y?t=382


I wouldn't be surprised if JaneStreet open sources an internal tool soon-ish. They've actually been writing a number of custom plugins and modules for WireShark to support internal custom protocols and seem to have a lot of features they'd like that aren't currently present in WireShark.


Surprised nobody has mentioned it yet, but some of the best network engineers I know will use a combination of `tcptrace` and `xplot`. It's on the command line of course, but graphs can still be generated and I think it's more performant over a GUI (for large pcaps).


Web-based, but may do what you want: https://arkime.com




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: