In this article, we will talk about the importance of protocol monitoring, the benefits it may bring, what to look for before selecting a tool, and present some of the best options available, with the hope of helping you choose the best one for your needs.

Since the advent of the electrical telegraph in the early 1800s, communication networks have drastically reshaped our world, shortened distances, and turned our planet into a "global village". They have put the whole of humanity's knowledge at our fingertips, changed how (and from where) we work, and enabled commerce between distant countries to be as easy as buying from your neighborhood store.

Of course, those valuable networks have to be properly maintained. Modern businesses have become so dependent on them that even a split-second outage may cause thousands of dollars in damages and affect millions of workers and users.

We have already talked about the many network monitoring tools available on the market that are up to this task. However, sometimes you need to "go deeper" and monitor not the network itself, but the communication protocols that define how information flows between its hosts, to diagnose an issue, tune performance, or even uncover (and follow) leads in a criminal investigation. For this, you need protocol monitoring tools. And again, there are many options available.

Frequently Asked Questions About Protocol Monitoring

What are Protocol Monitoring Tools?

Data transmission between the members of a network is done using communication protocols that determine a set of rules for how information should be represented, how messages should be formatted, how to behave when errors occur, etc. Examples are the TCP protocol used in TCP/IP networking, the HTTP protocol for communication between web servers and clients (web browsers), the FTP protocol for file transfers, VoIP protocols like SIP for phone calls over the internet, and many more.
Protocol monitoring tools are the ones that can capture, decode, and analyze the information sent using these communication protocols, giving you valuable information that can be used to solve communication issues, enhance network performance, or even support forensic analysis, helping in the solution of crimes like cyberattacks and data theft.

These tools range from the very specific, with a feature set geared towards one protocol, to ones supporting hundreds or thousands of different protocols and use cases. Many try to be universal solutions, but which is the "best one" for you depends on your specific requirements.

Why Should You Invest in Protocol Monitoring?

There are many reasons to invest in protocol monitoring. Here are five of them, in no particular order.

Performance optimization: continuous monitoring can help you pinpoint issues and identify opportunities for optimization that will improve the performance of your network, sometimes without the need for upgrades.

Security: monitoring allows you to spot early signs of uncommon behavior or usage patterns indicative of an intrusion attempt or ongoing attack. This gives you time to react and deploy countermeasures before a data breach occurs.

Resource allocation: find out where resources are being underutilized or overutilized, allowing you to redistribute them according to real needs and ensure the most effective usage of your systems.

Proactive maintenance: monitoring allows you to detect and fix potential issues before they become critical and result in outages that may affect your applications' performance or even your business's profitability.

Regulatory compliance: businesses that handle sensitive information, like financial or healthcare data, need to meet strict regulatory standards that specify how this information is stored and handled. Monitoring allows you to prove compliance with these standards and secure approvals that may be crucial to keeping your business running.
What to Look for When Choosing a Protocol Monitoring Tool?

Broadly speaking, there are 5 main features to look for when choosing a protocol monitoring tool. Keep in mind that this may vary according to your specific needs.

The capability to monitor many aspects of your network connections and protocols at once.
A centralized display of information from many sensors, for better observability.
Customizable alerts, and automated notifications when alerts are triggered.
Native and automated reporting features, so you can keep co-workers and management "in the loop".
A free trial period, so you can see for yourself how the tool works with your network infrastructure.

How to do Protocol Monitoring?

There are many protocol monitoring tools, from as many different vendors, which may focus solely on a single aspect of the task or offer this capability as a subset of a broader range of features. We present a few of them below, in no particular order.

The Best Protocol Monitoring Tools

PRTG

Paessler PRTG is known as the Swiss army knife of the monitoring world. PRTG is based on basic monitoring elements called "sensors". One sensor usually monitors one measured value in your network, e.g. the traffic of a switch port, the CPU load of a server, the free space on a disk drive, and so on. PRTG comes with more than 250 built-in sensors for various tasks, device types, and use cases, so you would be hard-pressed to find something you can't monitor. Plus, you can mix and match sensors, and even deploy custom ones, to create monitoring solutions specific to your needs.

There are many built-in sensors that can be used for protocol monitoring and traffic analysis, using packet export protocols such as Netflow, sFlow, jFlow, or IPFIX. You can also deploy the Packet Sniffer sensor to monitor the headers of the data packets that pass through a local network card.
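To make concrete what "monitoring the headers of data packets" and threshold-based alerting mean in practice, here is an added example (written for this article, not PRTG's code or any vendor's sensor) that decodes only the Ethernet, IPv4 and TCP/UDP headers of a handful of constructed frames, aggregates bytes per protocol and destination port the way a dashboard counter would, and raises an alert when a per-port byte budget is exceeded. The frames, the byte limits and the helper names are all assumptions made for the demo; a real sensor would read frames from a network card and take its thresholds from a traffic baseline.

```python
import struct
from collections import Counter

# Header layouts (network byte order) for the three headers we decode.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType (14 bytes)
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed-length IPv4 header (20 bytes)
TCP_HDR = struct.Struct("!HHIIBBHHH")      # fixed-length TCP header (20 bytes)
UDP_HDR = struct.Struct("!HHHH")           # UDP header (8 bytes)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_frame(src_ip, dst_ip, proto, sport, dport, payload_len):
    """Assemble a constructed Ethernet/IPv4/L4 frame for the demo.

    Checksums are left at zero and MACs are all-zero: this is test input for
    the decoder, not something that would be sent on a wire.
    """
    l4_len = 20 if proto == 6 else 8
    total_len = 20 + l4_len + payload_len
    ip = IPV4_HDR.pack(0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src_ip.split(".")),
                       bytes(int(o) for o in dst_ip.split(".")))
    if proto == 6:   # TCP: seq/ack 0, data offset 5 words, SYN flag set
        l4 = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:            # UDP: length covers header + payload
        l4 = UDP_HDR.pack(sport, dport, 8 + payload_len, 0)
    return ETH_HDR.pack(b"\x00" * 6, b"\x00" * 6, 0x0800) + ip + l4 + b"\x00" * payload_len


def decode_frame(frame):
    """Decode only the headers, as a packet-sniffer sensor does, and return a
    summary dict; returns None for frames that are not IPv4 over Ethernet."""
    if len(frame) < ETH_HDR.size:
        return None
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800 or len(frame) < ETH_HDR.size + IPV4_HDR.size:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto,
     _csum, src, dst) = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    if ver_ihl >> 4 != 4:
        return None
    l4_off = ETH_HDR.size + (ver_ihl & 0x0F) * 4   # honour IPv4 options, if any
    sport = dport = None
    if proto == 6 and len(frame) >= l4_off + TCP_HDR.size:
        sport, dport = TCP_HDR.unpack_from(frame, l4_off)[:2]
    elif proto == 17 and len(frame) >= l4_off + UDP_HDR.size:
        sport, dport = UDP_HDR.unpack_from(frame, l4_off)[:2]
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "sport": sport, "dport": dport,
        "bytes": total_len,   # IP total length: bytes carried above Ethernet
    }


def summarize(frames):
    """Aggregate bytes per protocol and per (protocol, destination port),
    the kind of counters a central dashboard would plot."""
    by_proto, by_port = Counter(), Counter()
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        by_proto[pkt["proto"]] += pkt["bytes"]
        if pkt["dport"] is not None:
            by_port[(pkt["proto"], pkt["dport"])] += pkt["bytes"]
    return by_proto, by_port


def check_thresholds(by_port, limits):
    """Return one alert string per (proto, port) whose byte count exceeds its limit."""
    return [f"{proto}/{port}: {by_port[(proto, port)]} bytes exceeds limit of {limit}"
            for (proto, port), limit in limits.items()
            if by_port[(proto, port)] > limit]


# Constructed sample traffic: three HTTPS segments, one DNS query and one ARP
# frame (EtherType 0x0806) that the decoder should skip.
SAMPLE_FRAMES = [build_frame("10.0.0.5", "203.0.113.10", 6, 50000 + i, 443, 1000) for i in range(3)]
SAMPLE_FRAMES.append(build_frame("10.0.0.5", "10.0.0.1", 17, 53000, 53, 40))
SAMPLE_FRAMES.append(ETH_HDR.pack(b"\xff" * 6, b"\x00" * 6, 0x0806) + b"\x00" * 28)

# Per-port byte budgets chosen for the demo; real thresholds come from a baseline.
SAMPLE_LIMITS = {("tcp", 443): 2000, ("udp", 53): 500}

if __name__ == "__main__":
    by_proto, by_port = summarize(SAMPLE_FRAMES)
    print("bytes by protocol:", dict(by_proto))
    for alert in check_thresholds(by_port, SAMPLE_LIMITS):
        print("ALERT", alert)
```

Because only headers are parsed, the sensor never has to retain payloads, which is what keeps this style of monitoring cheap in storage and safer to run on links carrying sensitive data; the price is that anything inside an encrypted payload stays invisible and must be inferred from volumes, ports and endpoints.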
CAPTION: Dashboard showing data captured by the Packet Sniffer sensor on PRTG.

Regardless of which sensor is used, the information gathered by PRTG is shown on a centralized dashboard with all the relevant metrics. You can set alerts based on threshold values, with notifications delivered by text message (SMS) or email if those values are exceeded. There is also an automatic reporting feature, so you can keep management and co-workers informed.

PRTG runs on Windows Server 2012 R2, 2016, 2019, 2022, or Windows 11. There is a 30-day free trial of PRTG, with all features available during this period; no credit card is needed.

SolarWinds Network Performance Monitor

The Deep Packet Inspection tool built into SolarWinds Network Performance Monitor (NPM) claims to be able to analyze over "1,200 applications right out of the box", including Skype, SQL Server, Facebook, and more. By measuring network path latency, the time a packet takes to travel from sender to receiver, it can help admins determine the cause behind slowdowns and point to the affected applications even before users start feeling the impact.

This information, alongside metadata pulled from sensors across physical and virtual servers, is used to calculate a "Quality of Experience" index representing "an actual assessment of current end-user impact." And since the tool relies on this metadata instead of stored network packets, it requires less space in your databases.

CAPTION: The Quality of Experience (QoE) dashboard in SolarWinds Network Performance Monitor.

The packet analyzer tool can classify network traffic based on data such as destination IP addresses, ports used, and volumes of traffic to determine a risk level. It can also uncover excess levels of non-business traffic, and help with capacity management by identifying traffic to specific servers or applications.

SolarWinds NPM can be deployed in the cloud (on Amazon Web Services, Azure, or Google Cloud) or on-premises.
For an on-premises deployment, you will need Windows Server 2016, 2019, or 2022. There is a 30-day free trial available.

Azure Network Watcher

Azure Network Watcher is geared toward those who have already adopted Microsoft's IaaS (Infrastructure-as-a-Service) solutions, including virtual machines (VMs), virtual networks, and more. It offers a packet capture feature that can be triggered by alerts, giving you access to real-time performance information about your infrastructure.

The connection monitoring feature can monitor the communication between a VM and an endpoint and alert on reachability, latency, and network topology changes. It can also provide the minimum, average, and maximum latency observed on the connection over time, helping you take measures to improve response times, like moving your resources to a different region.

CAPTION: Setting an alert condition on Azure Network Watcher.

Using Network Flow Logs, admins can get a better understanding of network traffic patterns, which can be useful for auditing, compliance, and network security monitoring. The tool can also generate network topology maps showing all the resources in the network and the relationships between them.

Azure IoT Hub is SaaS (Software as a Service), with prices based on usage tiers and varying according to geographic region. A free plan is available, which includes up to 5 GB of log data collected and 1,000 network diagnostic checks per month.

NetworkMiner

NetworkMiner is a network forensics tool popular among incident response teams and law enforcement, designed to "extract artifacts, such as files, images, emails, and passwords, from captured network traffic" like PCAP (Packet Capture) files. It can be used to sniff a network interface and capture (and analyze) live network traffic, and to capture and display user credentials (usernames and passwords) in supported protocols and popular services like Gmail and Facebook.
Not only that, but it is also possible to search stored data for specific string or byte patterns.

CAPTION: The main interface for NetworkMiner.

Since every IP address found in network traffic is automatically added to a Network Host Inventory, this tool can also be used for passive asset discovery, or to generate a list of the devices in your network that are communicating.

NetworkMiner is an Open Source tool designed to run on Windows, but it can also be used on Linux with the help of Mono, an Open Source .NET framework. It can be run from removable media, like a USB flash drive, without the need to install anything on the machine being analyzed. Two versions are available, Free and Professional, with the Professional one offering a host of extra features, including the capture and playback of audio in VoIP calls and command-line scripting.

Omnipeek Network Protocol Analyzer

The Omnipeek Network Protocol Analyzer combines "visual packet intelligence" with packet capture and analysis features, allowing you to record network data and generate visualizations to diagnose network performance and security issues. It can analyze traffic from Ethernet or 802.11 (wireless) connections, and perform live capture of data as it travels through your network, including the capture of data from multiple wireless channels simultaneously. Packet data can be grouped into flows (conversation pairs) and visualized in graphical displays.

CAPTION: The Compass dashboard on Omnipeek.

VoIP and video calls can be monitored and analyzed in real time, with the ability to play back recorded calls. Other features include real-time analysis of common network problems, accelerating your MTTR (Mean Time to Resolution), and a configurable alert system that can sound the alarm when thresholds or network policies are violated.
Omnipeek requires a supported network or wireless adapter, and Windows Server (2008 R2 64-bit, 2012, 2012 R2, 2016, or 2019), 64-bit versions of Windows 7 or 8.1, Windows 10, or Windows 11. There is a 5-day free trial available.

Splunk

Splunk is a security and observability platform that can be used for threat detection, application modernization, incident investigation, digital forensics, and much more. It is modular, with many apps that expand its capabilities available in an online catalog called Splunkbase.

When combined, the apps Splunk App for Stream, Splunk Add-on for Stream Forwarders, and Splunk Add-on for Stream Wire Data become a purpose-built wire data collection and analytics solution that can "passively capture packets, dynamically detect applications, parse protocols, and send metadata back to your Splunk environment for over 30 protocols and 300 commercial applications".

CAPTION: Analytics Overview in Splunk App for Stream.

PCAP files can be ingested in real time or on demand, and raw packet data can be directed to a NAS for storage and later analysis, with support for flow records in formats like Netflow (v5 and v9), jFlow, sFlow, and IPFIX. Files can be extracted from the network data and stored for forensics, and even SQL statements can be intercepted and analyzed.

The apps require Splunk Enterprise or Splunk Cloud Platform version 9.0, 8.2, 8.1, or 8.0, and Common Information Model (CIM) version 3.x or 4.x. Splunk itself can be run in the cloud or on-premises, where it requires a 64-bit version of Linux (on x86), AIX, ARM Linux, FreeBSD (x86_64), Solaris (x86_64 or SPARC), or macOS (Intel or M1). There is a 14-day free trial available.

Snort

Developed by Cisco Systems, Snort is an Open Source tool that can be used as a packet sniffer, packet logger, or full-blown intrusion prevention system (IPS). It uses sets of rules to analyze packets, detect malicious network activity, and alert users.
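To show how a rule-driven tool like Snort decides which packets deserve an alert, here is an added example (written for this article; it is not Snort's engine and the rules are not from the Community or Subscriber rulesets) that parses a few constructed rules written in Snort's header syntax, action, protocol, source address and port, direction, destination address and port, plus the msg and sid options, and matches them against constructed packet summaries. Addresses may be "any", a single host or a CIDR block, ports may be single values or lo:hi ranges, and both accept a leading "!" for negation. Payload options such as content matching are deliberately out of scope; the rule texts, packet summaries and helper names are assumptions made for the demo.

```python
import ipaddress
import re

# Constructed rules in Snort's header syntax, written for this example (they
# are not from the Community or Subscriber rulesets):
#   action proto src_ip src_port direction dst_ip dst_port (options)
SAMPLE_RULES = [
    'alert tcp any any -> 10.0.0.0/8 23 (msg:"Telnet to internal host"; sid:1000001;)',
    'alert udp any any -> any 69 (msg:"TFTP transfer"; sid:1000002;)',
    'alert tcp 10.0.0.0/8 any -> !10.0.0.0/8 445 (msg:"SMB leaving internal net"; sid:1000003;)',
]

RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split a rule into its header fields and a few options (msg, sid).
    Only the header part of Snort's syntax is handled; payload options such
    as content matches are out of scope for this illustration."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in (o.strip() for o in opts.split(";")):
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "msg": options.get("msg", ""), "sid": int(options.get("sid", 0))}


def ip_matches(spec, ip):
    """'any', a single address or a CIDR block, optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    """'any', a single port or a lo:hi range, optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def _endpoints_match(rule, src, sport, dst, dport):
    return (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def rule_matches(rule, pkt):
    """Header match of one parsed rule against one packet summary."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if _endpoints_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    # '<>' rules match in either direction, so retry with endpoints swapped.
    return rule["dir"] == "<>" and _endpoints_match(
        rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def evaluate(rules, packets):
    """Return (sid, msg, packet) for every packet that triggers an alert rule."""
    parsed = [parse_rule(r) for r in rules]
    return [(rule["sid"], rule["msg"], pkt)
            for pkt in packets for rule in parsed
            if rule["action"] == "alert" and rule_matches(rule, pkt)]


# Constructed packet summaries (documentation and private ranges only), as a
# header-only decoder would emit them.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "10.1.2.3", "dport": 23},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51001, "dst": "10.1.2.3", "dport": 443},
    {"proto": "udp", "src": "192.168.1.10", "sport": 40000, "dst": "192.168.1.20", "dport": 69},
    {"proto": "tcp", "src": "10.5.5.5", "sport": 52000, "dst": "10.6.6.6", "dport": 445},
    {"proto": "tcp", "src": "10.5.5.5", "sport": 52001, "dst": "198.51.100.9", "dport": 445},
]

if __name__ == "__main__":
    for sid, msg, pkt in evaluate(SAMPLE_RULES, SAMPLE_PACKETS):
        print(f"[{sid}] {msg}: {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
```

The third rule is the interesting one for a defender: by negating the destination network it fires only on SMB that leaves the internal range, so internal file sharing stays quiet while an unexpected outbound SMB connection is flagged. Keeping custom sids above 1,000,000 avoids collisions with the vendor rulesets, and a header-only match like this is cheap enough to run on every packet before any payload inspection.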
Those rules are divided into two sets: a "Community Ruleset", developed by the user community, and a "Subscriber Ruleset" developed, tested, and approved by Cisco Talos. Users can also write custom detection rules that can be applied to specific ports, IP addresses, or protocols.

CAPTION: Snort is a command-line tool, but third-party GUIs, like Snowl, are available.

Keep in mind that Snort is a command-line tool. This makes it easy to integrate into scripts and automation workflows, but may scare away less seasoned admins. There are third-party GUIs, like Snowl, that give Snort a more user-friendly interface, making this powerful tool much more accessible.

Snort can be compiled from source code, or installed from pre-built binaries available for Windows and Linux distributions like CentOS and Red Hat Enterprise Linux (RHEL). There are two kinds of licenses: Personal, for "students and home networks", and Business, with different feature sets and prices.

Capsa Portable Network Analyzer

Capsa Portable Network Analyzer is a tool that can capture and analyze data packets on wired or wireless (802.11a/b/g/n) networks. It supports more than 1,800 network protocols and can do TCP flow analysis, in-depth packet decoding, VoIP analysis, and much more. It is also useful as a security tool, since it can detect Distributed Denial of Service (DDoS) attacks, worm activity, ARP attacks, TCP port scanning, and suspicious "conversations" in your network, and is capable of locating both the source and target of a connection in real time.

CAPTION: TCP Flow Analysis on Capsa.

This tool can also do real-time packet capture, store e-mail and instant messaging traffic for later analysis, and log complete statistics for each host in your network. All this information is displayed on an overview dashboard that "allows you to view network statistics at a single glance".
Capsa runs on 64-bit versions of Windows (7 SP1, 8.1, 10, or 11) or Windows Server (2012, 2012 R2, 2016, or 2019), and is available as a free download or as an Enterprise edition, with a 30-day free trial available.

Wireshark

Wireshark bills itself as the "world's most popular network protocol analyzer". This multi-platform, Open Source tool can perform deep inspection of "hundreds" of protocols, VoIP analysis, and decryption of IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, WPA/WPA2, and other protocols. It can perform live captures from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others, or offline analysis of captured data in many formats. Compressed capture files can be decompressed on the fly, and data can be browsed in a standard three-pane graphical interface or with a command-line utility.

CAPTION: The main window on Wireshark displays a list of captured packets and packet details.

Powerful display filters (with support for over 285,000 fields in 3,000 protocols) with coloring rules allow quick and intuitive analysis of data. Results can be exported to many formats, like XML, PostScript, CSV, or plain text.

Wireshark is free to use, even in commercial settings. There are pre-built binary packages available for Windows (on Intel processors) and macOS (both ARM and Intel), but it can also be built from source code on operating systems like Linux, FreeBSD, NetBSD, and others.

ManageEngine OpManager

ManageEngine OpManager is a full-featured network monitoring system. The Network Management module can monitor device availability, WAN performance, errors & discards (which may indicate a problem with a network switch or a device interacting with it), and do traffic analysis using NetFlow, jFlow, sFlow, and IPFIX. OpManager is able to perform Intelligent Event Processing, correlating raw network events and filtering out unwanted ones.
Notifications can be sent by SMS or email whenever an alarm is triggered, and it is also possible to automatically run an external program or script.

CAPTION: ManageEngine OpManager displaying packet loss and response time of a Wi-Fi network.

The information gathered by this tool is presented in customizable dashboards with various visualization options. Each user can choose widgets and customize their dashboard based on their specific needs.

ManageEngine OpManager is available for Windows (Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019, 2022) or Linux (Red Hat version 7 to 8.4 / CentOS Stream 8 / CentOS 7 to 8.5). There are also mobile clients for Android and iOS, so you can take your monitoring on the go. There is a 30-day free trial available.

Conclusion

Among all these, our favorite protocol monitoring tool is Paessler PRTG. The built-in sensors cover many of the primary use cases, without the need to purchase extras. It is also extensible, which means you can deploy third-party sensors, or even develop your own, to cover specific needs.

PRTG can be used for protocol monitoring, but it can also monitor your network, services, servers, IoT devices, cloud infrastructure, databases, and much more. This enables you to monitor all of your infrastructure with a single tool, without having to rely on a variety of individualized solutions, which can carry potential risks such as conflicts with your current workflow and even network security issues. It really is the Swiss army knife of monitoring tools, and it "ticks all the boxes" in our list of desired characteristics.