> Agreed. It is something that a box dedicated to the task can
> do that freeware on standard-issue boxes cannot.
>
> It may not have sounded like it, but it was really quite
> a compliment to Ethereal that there aren't more reasons
> to shell out serious change for a sniffer or the like.
> A compliment to the people that write the software and
> the decodes, allowing Ethereal to produce new decodes
> at a rate that companies have trouble matching.

True. A revised list then:

Sniffer can (Ethereal can't):
1) Monitor mode (collect statistics over time). This is actually more
useful than one might think, not so much with problem-solving, but with link
usage analysis and the creation/modification of network policy. In fact, if
Ethereal had this, we wouldn't need Sniffer Pro at all.
Can you say, "Ethereal monitoring Internet link via X Windows through SSH
tunnel"? :-) Works pretty well...
2) Capture mangled *frames* (runts, FCS errors, etc.), by virtue of being
bundled with proprietary drivers (and sometimes, proprietary NICs). Not
that interesting - in our case anyway - because most network devices will
tell you which port is receiving mangled frames. Most useful in a shared
(hub-based) environment where it's the repeater itself or a patch cord that
is the problem.
3) Decode certain proprietary or esoteric protocols. Nifty, but hardly
essential. We're about to turn Bay Autotopology and Cisco Discovery
Protocol off...

Ethereal can (Sniffer can't):
1) X Windows.
2) Linux
3) Follow TCP streams.
4) Tethereal! Woo hoo!

And personally, I like Ethereal's capture/display filter syntax MUCH better
than Sniffer Pro's.

--J