Tuesday, August 29, 2006

WildPackets OmniPeek Personal

Three years ago I attended a WildPackets traffic analysis seminar, which I liked. In June WildPackets announced the availability of the free (as in beer) OmniPeek Personal product. I learned of it from Average Admins.

After using OmniPeek Personal for a short time, I have to say I still prefer Wireshark for straightforward packet analysis. I'm sure I'm going to hear from diehard WildPackets fans that OmniPeek is the cat's meow, but hear me out.

I realize that the power of OmniPeek lies in its network analysis features. OmniPeek and other WildPackets products are like "network troubleshooters in software." That's great, since Wireshark doesn't support many of those features. That is not a daily issue I face, however.

My first problem with OmniPeek is that it runs on Windows. Why didn't I complain about that with NetWitness? Well, NetWitness is a network forensics product, like EnCase is a host forensics product. I'm willing to deal with a Windows interface when I have no Unix alternative. With OmniPeek on Windows, I can turn to Wireshark on Windows or Unix. I prefer Unix when possible.

Second, I don't really like the OmniPeek interface. There are too many windows that need managing. I like the fact that I can highlight a packet in the top Wireshark pane and see the corresponding details below. Oh, you can do that in OmniPeek, you might say. Well, then why do I get a separate pane for every packet I double-click? Can that be changed to emulate Wireshark's behavior? Argh, annoying.

Furthermore, the packet content highlight feature doesn't work as I would expect. I expect to highlight any part of the decode and see the corresponding hex and ASCII contents highlighted, and vice-versa. That is not the default behavior in OmniPeek, or at least it doesn't work reliably.

I admit a certain level of inertia is at play here. I have been using Wireshark and its predecessor, Ethereal, for years, and I am familiar with the interface. I'm sure there's a lot of power available in OmniPeek if I am willing to put some time into learning how to use the product. For example, I think OmniPeek has some helpful visualization tools built into it. I am always looking for tools with statistics and other traffic summarization features. OmniPeek offers those.

In the short term I will continue to use Wireshark for normal packet analysis tasks. I will probably try to learn about the features in OmniPeek that could complement those in Wireshark. I do not plan to perform per-packet analysis with OmniPeek though.

If you care to see more, I've uploaded some screen shots.

Incidentally, it appears I am not the only blogger with these sentiments.

1 comment:

Anonymous said...

Yeah, I like Wireshark and will continue to use it. But OmniPeek decrypts 802.11 WPA-PSK traffic if you know the passphrase and capture the 4-way handshake. Wireshark can't do that.

Andrew Queisser
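The comment above hinges on two inputs, and the following added example (my own Python, not the commenter's code and nothing from WildPackets or the Wireshark project) shows why both are needed: the passphrase and SSID give you the pairwise master key, but the per-session pairwise transient key, and with it the temporal key that actually decrypts data frames, can only be computed from the MAC addresses and nonces exchanged in the 4-way handshake, and the MIC on handshake message 2 is what tells you the derived key is right. The PMK test value is the one published in IEEE 802.11i Annex H for passphrase "password" and SSID "IEEE"; the MAC addresses, nonces and the minimal EAPOL-Key message 2 are constructed here for illustration, not taken from a capture.

```python
import hashlib
import hmac

KCK_LEN = 16          # first 16 bytes of the PTK: Key Confirmation Key (signs EAPOL-Key MICs)
MIC_OFFSET = 81       # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the Key MIC
MIC_LEN = 16


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK (= PSK) from passphrase and SSID: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_80211i(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """PTK from the PMK plus the handshake values: AP MAC (aa), station MAC (spa), ANonce, SNonce.
    48 bytes for CCMP (KCK || KEK || TK); TKIP uses 64 bytes (two extra 8-byte MIC keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211i(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_key_mic(kck: bytes, frame: bytes, descriptor_version: int) -> bytes:
    """Key MIC over the whole EAPOL frame with the MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) uses HMAC-SHA1 truncated to 128 bits."""
    if len(frame) < MIC_OFFSET + MIC_LEN:
        raise ValueError("frame too short to carry an EAPOL-Key MIC")
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_eapol_key_mic(kck: bytes, frame: bytes, descriptor_version: int) -> bool:
    expected = eapol_key_mic(kck, frame, descriptor_version)
    return hmac.compare_digest(expected, frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def build_msg2(snonce: bytes, descriptor_version: int = 2) -> bytes:
    """Constructed minimal EAPOL-Key message 2 (RSN descriptor, no key data), MIC field zeroed."""
    key_info = (0x0108 | descriptor_version).to_bytes(2, "big")  # Pairwise | MIC | version bits
    body = (b"\x02" + key_info + b"\x00\x10" + b"\x00" * 8 + snonce   # type, info, key len, replay ctr, nonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8                 # IV, RSC, ID
            + b"\x00" * MIC_LEN + b"\x00\x00")                          # MIC placeholder, key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body           # EAPOL v1, type Key, length


def sign_msg2(kck: bytes, frame: bytes, descriptor_version: int) -> bytes:
    mic = eapol_key_mic(kck, frame, descriptor_version)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def handshake_demo(passphrase: str = "password", ssid: str = "IEEE") -> dict:
    """Walk the derivation with constructed handshake values (assumed, not captured)."""
    aa, spa = bytes.fromhex("00112233aabb"), bytes.fromhex("00aabbccddee")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    pmk = wpa_psk(passphrase, ssid)
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    kck, kek, tk = ptk[:16], ptk[16:32], ptk[32:48]
    msg2 = sign_msg2(kck, build_msg2(snonce), 2)       # what the station would send
    return {"pmk": pmk, "tk": tk, "msg2": msg2, "mic_ok": verify_eapol_key_mic(kck, msg2, 2)}


if __name__ == "__main__":
    r = handshake_demo()
    print("PMK:", r["pmk"].hex())
    print("TK :", r["tk"].hex(), "| msg2 MIC verifies:", r["mic_ok"])
```

The practical consequences follow directly from the code: a capture that misses message 2 (the only one carrying SNonce and a MIC you can check against your PMK) cannot be decrypted no matter how well you know the passphrase, and a network using 802.1X/EAP rather than a pre-shared key gives you no way to compute the PMK at all, since it comes out of the EAP exchange rather than PBKDF2. Wireshark has since gained the same WPA-PSK decryption through its IEEE 802.11 protocol preferences (enable decryption and supply a wpa-pwd key); the derivation it performs is the one above.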