Saturday, April 24, 2010

why I prefer wireshark to network monitor

Personally, I prefer Wireshark to Network Monitor for the following reasons:
  1. Wireshark runs on many platforms, including Windows, Linux, Mac OS X, etc. I need to work on both Linux and Windows, and I'd like to keep my toolbox as compact as possible.
  2. Wireshark uses a widely adopted syntax for capture filters and display filters, which I dare call de facto. The same syntax is used in windump and tcpdump, so I don't need to remember an additional syntax even when I work in a GUI-less environment.
  3. Filters in Wireshark seem to be more powerful. For example, the filter "tcp.flags.syn==1" lets me view TCP SYN messages only. Based on my limited experience with Network Monitor, I'm not aware that it can filter at this granularity.
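To make the granularity of point 3 concrete, here is an added example (not part of the original post) that applies the same flag logic as the display filter "tcp.flags.syn==1" to a few constructed IPv4/TCP packets. It also shows a caveat worth knowing: "tcp.flags.syn==1" matches the server's SYN-ACK too, so "tcp.flags.syn==1 && tcp.flags.ack==0" is the filter for client-side connection attempts only. All packets, addresses and ports below are constructed sample data.

```python
import struct

# TCP flag bits as they appear in the flags byte of the TCP header.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a bare 20-byte IPv4 header plus a 20-byte TCP header.
    Checksums are left as zero; this is sample data, not a real capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def tcp_flags(packet):
    """Return the TCP flags byte of an IPv4 packet, or None if it is not TCP."""
    if packet[9] != 6:          # IPv4 protocol field: 6 = TCP
        return None
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    return packet[ihl + 13]       # flags byte sits at TCP header offset 13


def syn_set(packet):
    """Equivalent of the Wireshark display filter tcp.flags.syn==1."""
    f = tcp_flags(packet)
    return f is not None and bool(f & TCP_SYN)


def syn_without_ack(packet):
    """Equivalent of tcp.flags.syn==1 && tcp.flags.ack==0 (initial SYN only)."""
    f = tcp_flags(packet)
    return f is not None and bool(f & TCP_SYN) and not (f & TCP_ACK)


# Constructed three-way handshake: client SYN, server SYN-ACK, client ACK.
SAMPLE_PACKETS = [
    ("client SYN", build_ipv4_tcp("10.0.0.1", "10.0.0.2", 51000, 80, TCP_SYN)),
    ("server SYN-ACK", build_ipv4_tcp("10.0.0.2", "10.0.0.1", 80, 51000, TCP_SYN | TCP_ACK)),
    ("client ACK", build_ipv4_tcp("10.0.0.1", "10.0.0.2", 51000, 80, TCP_ACK)),
]


def apply_filter(predicate, packets=SAMPLE_PACKETS):
    """Return the labels of the packets the given filter predicate matches."""
    return [label for label, pkt in packets if predicate(pkt)]


if __name__ == "__main__":
    print("tcp.flags.syn==1 ->", apply_filter(syn_set))
    print("tcp.flags.syn==1 && tcp.flags.ack==0 ->", apply_filter(syn_without_ack))
```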

But Network Monitor has the advantage of being able to categorize network messages by process, as shown in the image below:

It's a very convenient feature that helps me easily find the messages I'm interested in, especially when I need to debug a process whose port numbers are picked at random or dynamically.

2 comments:

Anonymous said...

I have been using netmon for many years and the new versions have clearly taken over the dominance of wireshark. Netmon has great parsers and can do a lot better than wireshark nowadays... it's just a matter of saying yes to netmon.

Anonymous said...

I had to write a parser for a custom protocol and netmonitor was great and very easy to write a parser for.