Best Packet Sniffers and Network Analyzers – Top 7 Reviewed in 2018

Packet sniffing is a deep type of network analysis in which details of the network traffic are decoded to be analyzed. It is one of the most important troubleshooting skills any network administrator should possess. Analyzing network traffic is a complicated task. In order to cope with unreliable networks, data is not sent in one continuous stream. Instead, it is chopped up into packets that are sent individually. Analyzing network traffic involves being able to collect these packets of data and reassemble them into something meaningful. This is not something that you can do manually, so packet sniffers and network analyzers were created. Today, we’re having a look at seven of the best packet sniffers and network analyzers.

We’re starting off today’s journey by giving you some background information on what packet sniffers are. We’ll try to figure out what the difference is–or if there is a difference–between a packet sniffer and a network analyzer. We’ll then proceed to the core of our subject and not only list but also briefly review each of our seven picks. What we have for you is a combination of GUI tools and command-line utilities that run on various operating systems.

A Few Words About Packet Sniffers and Network Analyzers

Let’s begin by settling something. For the sake of this article, we’ll assume that packet sniffers and network analyzers are one and the same. Some will argue that they are different and they may be right. But in the context of this article, we’ll look at them together, mainly because even though they might operate differently–but do they really?–they serve the same purpose.

Packet Sniffers usually do three things. First, they capture all data packets as they enter or exit a network interface. Secondly, they optionally apply filters to ignore some of the packets and save others to disk. They then perform some form of analysis of the captured data. It is in that last function of packet sniffers that they differ the most.

For the actual capture of the data packets, most tools use an external module. The most common are libpcap on Unix/Linux systems and WinPcap on Windows. You typically won’t have to install these libraries yourself, as most tools’ installers bundle them.

Another important thing to know is that packet sniffers–even the best ones–won’t do everything for you. They are just tools. It’s just like a hammer that won’t drive any nail by itself. So, you need to make sure you learn how to best use each tool. The packet sniffer will just let you see the traffic but it is up to you to use that information to find issues. There have been whole books on using packet capture tools. I, myself, once took a three-day course on the subject. I’m not trying to discourage you. I’m only trying to set your expectations straight.

How To Use A Packet Sniffer

As we’ve explained, a packet sniffer will capture and analyze traffic. So, if you’re trying to troubleshoot a specific issue–which is typically why you’d use such a tool–you first need to make sure that the traffic you’re capturing is the right traffic. Imagine a situation where all users are complaining that a particular application is slow. In that type of situation, your best bet would probably be to capture traffic at the application server’s network interface. You might then realize that requests arrive at the server normally but that the server takes a long time to send out responses. That would indicate a server problem.

If, on the other hand, you see the server responding in a timely manner, it possibly means that the issue is somewhere on the network between the client and the server. You would then move your packet sniffer one hop closer to the client and see if responses are delayed there. If they are not, you move one more hop closer to the client, and so on and so forth. You’ll eventually get to the spot where delays occur. And once you’ve identified the location of the problem, you are one big step closer to solving it.

Now you may be wondering how we manage to capture packets at a specific point. It’s pretty simple: we take advantage of a feature of most network switches called port mirroring or replication. This is a configuration option that will replicate all traffic in and out of a specific switch port to another port on the same switch. Let’s say your server is connected to port 15 of a switch and that port 23 of that same switch is available. You connect your packet sniffer to port 23 and configure the switch to replicate all traffic from port 15 to port 23. What you get as a result on port 23 is a mirror image–hence the port mirroring name–of what’s going through port 15.
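The three things a sniffer does (capture, filter, save) and the server-side timing check from the troubleshooting walk-through above can be illustrated in a few dozen lines. The following is an added example, not code from the article or from any of the tools it reviews: it builds a small pcap file image in memory (the same file format `tcpdump -w` and Wireshark write), reads it back, keeps only the packets a filter accepts, and measures how long the server takes to answer each client’s first request. Every address, port, timestamp and payload in it is constructed for the demonstration; checksums are left at zero because the reader never validates them.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def tcp_frame(src_ip, sport, dst_ip, dport, payload=b"", flags=0x18):
    """Build an Ethernet/IPv4/TCP frame (constructed test data; IP and TCP checksums stay zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp


def write_pcap(packets):
    """Serialise (timestamp, frame) pairs into a pcap file image ('save to disk' step)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from a pcap image, honouring the byte order the magic announces."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        order = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        order = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(order + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        if len(frame) < incl:
            raise ValueError("truncated packet record")
        yield sec + usec / 1_000_000, frame
        pos += 16 + incl


def decode_tcp(frame):
    """Return the addresses, ports and payload length of an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip_hdr = frame[14:14 + ihl]
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"src": ip_str(ip_hdr[12:16]), "sport": sport,
            "dst": ip_str(ip_hdr[16:20]), "dport": dport, "payload": len(tcp) - doff}


def filter_pcap(data, keep):
    """Capture-filter-save: keep only packets for which keep(decoded) is true and write a new pcap."""
    kept = [(ts, frame) for ts, frame in read_pcap(data)
            if (info := decode_tcp(frame)) and keep(info)]
    return write_pcap(kept)


def response_delays(data, server_ip, server_port):
    """Per client, seconds from its first request byte to the server's first reply byte.
    Bare ACKs carry no payload and are ignored, so a slow application cannot hide behind them."""
    first_request, delays = {}, {}
    for ts, frame in read_pcap(data):
        p = decode_tcp(frame)
        if not p or p["payload"] == 0:
            continue
        if p["dst"] == server_ip and p["dport"] == server_port:
            first_request.setdefault((p["src"], p["sport"]), ts)
        elif p["src"] == server_ip and p["sport"] == server_port:
            client = (p["dst"], p["dport"])
            if client in first_request and client not in delays:
                delays[client] = ts - first_request[client]
    return delays


# Constructed capture, as seen on a port mirrored from the server's switch port.
SERVER = "10.1.1.5"
SAMPLE_CAPTURE = write_pcap([
    (1.000, tcp_frame("10.1.2.10", 40001, SERVER, 80, b"GET / HTTP/1.1\r\n\r\n")),
    (1.020, tcp_frame(SERVER, 80, "10.1.2.10", 40001, b"HTTP/1.1 200 OK\r\n\r\n")),
    (1.500, tcp_frame("10.1.2.10", 40002, SERVER, 22, b"SSH-2.0-client")),
    (2.000, tcp_frame("10.1.2.11", 40003, SERVER, 80, b"GET /report HTTP/1.1\r\n\r\n")),
    (2.010, tcp_frame(SERVER, 80, "10.1.2.11", 40003, flags=0x10)),   # bare ACK, not an answer
    (4.500, tcp_frame(SERVER, 80, "10.1.2.11", 40003, b"HTTP/1.1 200 OK\r\n\r\n")),
])

if __name__ == "__main__":
    for client, delay in response_delays(SAMPLE_CAPTURE, SERVER, 80).items():
        print(f"{client[0]}:{client[1]} waited {delay:.3f}s for the server")
```

A 2.5-second gap between the second client’s request and the reply, with only an empty ACK in between, is exactly the signature the walk-through describes: the request reached the server promptly, so the delay belongs to the server or its application rather than to the network. Run against a real file, the same functions read whatever `tcpdump -w` produced on the mirror port.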

The Best Packet Sniffers and Network Analyzers

Now that you better understand what packet sniffers and network analyzers are, let’s look at the seven best we could find. We’ve tried to include a mix of command-line and GUI tools as well as tools running on various operating systems. After all, not all network administrators are running Windows.

1. SolarWinds Deep Packet Inspection and Analysis tool (FREE TRIAL)

SolarWinds is well-known for its many useful free tools and its state of the art network management software. One of its tools is called the Deep Packet Inspection and Analysis Tool. It comes as a component of SolarWinds’ flagship product, the Network Performance Monitor. Its operation is quite different from more “traditional” packet sniffers although it serves a similar purpose.

SolarWinds Deep Packet Analysis Dashboard

To summarize the tool’s functionality: it will help you find and resolve the cause of network latencies, identify impacted applications, and determine if slowness is caused by the network or an application. The software will also use deep packet inspection techniques to calculate response time for over twelve hundred applications. It will also classify network traffic by category, business vs. social, and risk level, helping you identify non-business traffic that may need to be filtered or otherwise eliminated.

And don’t forget that the SolarWinds Deep Packet Inspection and Analysis Tool comes as part of the Network Performance Monitor. NPM, as it is often called, is an impressive piece of software with so many components that a whole article could be dedicated to it. At its core, it is a complete network monitoring solution that combines the best technologies such as SNMP and deep packet inspection to provide as much information about the state of your network as possible. The tool, which is reasonably priced, comes with a 30-day free trial so you can make sure it really fits your needs before committing to purchasing it.

Official download link: https://www.solarwinds.com/topics/deep-packet-inspection

2. tcpdump

Tcpdump is probably THE original packet sniffer. It was created back in 1987. Since then, it has been maintained and improved but remains essentially unchanged, at least in the way it is used. It is pre-installed in virtually every Unix-like operating system and has become the de-facto standard when one needs a quick tool to capture packets. Tcpdump uses the libpcap library for the actual packet capture.

TCPDump Screenshot

By default, tcpdump captures all traffic on the specified interface and “dumps” it–hence its name–on the screen. The dump can also be written to a capture file and analyzed later using one–or a combination–of several available tools. A key to tcpdump’s strength and usefulness is the possibility to apply all sorts of filters and to pipe its output to grep–another common Unix command-line utility–for further filtering. Someone with a good knowledge of tcpdump, grep and the command shell can get it to capture precisely the right traffic for any debugging task.

3. Windump

Windump is essentially just a port of tcpdump to the Windows platform. As such, it behaves in much the same way. It is not uncommon to see such ports of successful utility programs from one platform to another. Windump is a Windows application but don’t expect a fancy GUI. This is a command-line only utility. Using Windump, therefore, is basically the same as using its Unix counterpart. The command-line options are the same and the results are also almost identical. The output from Windump can also be saved to a file for later analysis with a third-party tool.

WinDump Help

One major difference with tcpdump is that Windump is not built into Windows. You’ll have to download it from the Windump website. The software is delivered as an executable file and requires no installation. However, just like tcpdump uses the libpcap library, Windump uses WinPcap which, like most Windows libraries, needs to be separately downloaded and installed.

4. Wireshark

Wireshark is the reference in packet sniffers. It has become the de-facto standard and most other tools tend to emulate it. This tool will not only capture traffic, it also has quite powerful analysis capabilities. So powerful that many administrators will use tcpdump or Windump to capture traffic to a file then load the file into Wireshark for analysis. This is such a common way of using Wireshark that upon startup, you’re prompted to either open an existing pcap file or start capturing traffic. Another strength of Wireshark is all the filters it incorporates which allow you to zero in on precisely the data you’re interested in.

Wireshark Screenshot

To be perfectly honest, this tool has a steep learning curve but it is well-worth learning. It will prove invaluable time and time again. And once you’ve learned it, you’ll be able to use it everywhere as it has been ported to almost every operating system and it is free and open-source.

5. tshark

Tshark is sort of like a cross between tcpdump and Wireshark. This is a great thing as they are some of the best packet sniffers out there. Tshark is like tcpdump in that it is a command-line only tool. But it is also like Wireshark in that it not only captures but also analyzes traffic. Tshark is from the same developers as Wireshark. It is, more or less, the command-line version of Wireshark. It uses the same type of filtering as Wireshark and can therefore quickly isolate just the traffic you need to analyze.

Tshark Results

But why, you may ask, would anyone want a command-line version of Wireshark? Why not just use Wireshark? With its graphical interface, it has got to be simpler to use and to learn. The main reason is that a command-line tool can be used on a server without a GUI.

6. Network Miner

Network Miner is more of a forensic tool than a true packet sniffer. Network Miner will follow a TCP stream and reconstruct an entire conversation. It is truly one powerful tool. It can work in offline mode where you’d import some capture file to let Network Miner work its magic. This is a useful feature as the software runs only on Windows. You could use tcpdump on Linux to capture some traffic and Network Miner on Windows to analyze it.

NetworkMiner Screenshot

Network Miner is available in a free version but, for the more advanced features such as IP-based geolocation and scripting, you’ll need to purchase a Professional license. Another advanced function of the professional version is the possibility to decode and play back VoIP calls.

7. Fiddler (HTTP)

Some of our more knowledgeable readers might argue that Fiddler is not a packet sniffer nor is it a network analyzer. They are probably right but we felt we should include this tool on our list as it is very useful in many situations. Fiddler will actually capture traffic but not any traffic. It only works with HTTP traffic. You can imagine how valuable it can be despite its limitation when you consider that so many applications today are web-based or use the HTTP protocol in the background. And since Fiddler will capture not only browser traffic but just about any HTTP traffic, it’s very useful in troubleshooting.

Fiddler Debugging Screenshot

The advantage of a tool like Fiddler over a bona fide packet sniffer like, for example, Wireshark, is that Fiddler was built to “understand” HTTP traffic. It will, for instance, discover cookies and certificates. It will also find actual data coming from HTTP-based applications. Fiddler is free and it’s available for Windows only although beta builds for OS X and Linux (using the Mono framework) can be downloaded.

Conclusion

When we publish lists like this one, we’re often asked which one is the best. In this particular situation, if I were asked that question, I’d have to answer “all of them”. They are all free tools and all have their value. Why not have them all at hand and familiarize yourself with each one? When you get to a situation where you need to use them, it will be much easier and more efficient. Even command-line tools have a tremendous value. For instance, they can be scripted and scheduled. Imagine you have an issue that happens at 2:00 am daily. You could schedule a job to run tcpdump or Windump between 1:50 and 2:10 and analyze the capture file the next morning. No need to stay up all night.

Read Best Packet Sniffers and Network Analyzers – Top 7 Reviewed in 2018 by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

Best VM Monitoring Tools to Keep a Watchful Eye On Your Virtual Machines

Virtualization is getting more and more common. Once reserved for experimentation and development, virtual machines have found their way to the server room where they can optimize resource usage. Nowadays, some organizations have completely virtualized their server farm. Both VMware and Microsoft Hyper-V are at the forefront of the technology with a handful of other players. And while monitoring the virtual servers themselves is no different from monitoring physical servers, the physical machines where they run need to be monitored as well. And the type of monitoring they need could be very different from that of physical servers. This is why we are presenting you our top ten list of the best VM monitoring tools.

Some of the parameters that we need to monitor on virtual hosts are the same as what we’d monitor on physical servers and likewise, many server monitoring platforms will also work with Virtual Environments. But for the best VM monitoring, you need a specialized product. One that can monitor all the uniquely important parameters of VM hosts.

Before We Begin

There’s a reason why virtualization is so popular. It offers organizations a way to get the most out of their resources. A computer operates so fast that it spends most of its time doing nothing and just waiting for something to happen. This is why multi-user computers–that we now call servers–were introduced. They allowed several users to share a computer’s resources. Virtualization works in a similar way but instead of offering a separate operating context to each user, virtual hosts allow multiple operating systems to share the host’s resource pool. They will allocate disk storage, memory, and processing time to each virtual instance. And while they do that, they also need to ensure that no virtual device can access the resources of another. Each virtual computer running on a VM host must think that it is the only thing running on that computer.

In order to allow virtualization, a host must have lots of resources to share between virtual machines. With the multi-core architectures of today, where it’s not at all uncommon to see servers with dozens of computing cores, it’s even easier to figure out why virtualization is so common considering the available power. VM monitoring tools provide some invaluable assistance to administrators. They not only monitor resource usage, some can also verify that resources are shared equitably, often rearranging their allocation on the fly to adapt to the changing needs of each virtual machine.

Our Top 10 Best VM Monitoring Tools

On our quest to find the best VM monitoring tools, we’ve found a multitude of products. There are a few generic monitoring platforms that support VM specific parameters but many are dedicated VM monitoring systems. Some of our top products are free and/or open-source while others are commercial software, most with a free trial.

1. SolarWinds VM Monitor (Free Download)

SolarWinds is a well-known name in the network management arena. The company makes some of the best tools. It offers several free tools that serve specific purposes. The SolarWinds VM Monitor is one such tool. It can be downloaded for free from the SolarWinds website.

This free tool from SolarWinds is somewhat limited yet it will continuously monitor a VMware vSphere or Microsoft Hyper-V host and associated virtual machines in real-time. The tool can only monitor one host so it might not be suitable in your environment. However, many small businesses don’t have more than one host server, in which case the tool would be perfectly adapted to their needs.

SolarWinds VM Monitor

The SolarWinds VM Monitor focuses mainly on two parameters: memory and CPU utilization. It makes sense as those are the most important parameters to watch. It will also let you set warning and critical thresholds for each parameter so you can be alerted whenever they reach them. The tool will also report on network usage, the number of virtual machines (VM) configured on the host and the number of running virtual machines. For each running VM, details including VM name, guest OS, and VM state are displayed. VM Monitor runs on Windows servers as an application and can be minimized to the system tray once it’s started.

Official download link: https://www.solarwinds.com/free-tools/vm-monitor

2. SolarWinds Virtualization Manager (FREE TRIAL)

If your environment has more than one host, the SolarWinds Virtualization Manager might be just what you need. It takes the monitoring of your virtualization infrastructure to the next level. First, the tool will let you monitor more than one host and it will monitor many more parameters than SolarWinds’ free offering. Also, it is not limited to physical hosts: it will also monitor cloud-based hosts such as those from Amazon or Microsoft Azure.

SolarWinds Virtualization Manager Dashboard

A great feature of this tool is its simulation module. You can use it to test the effects of adding more users or applications to the hosting environment. CPU and memory usage, storage requirements and network load will be evaluated for any given scenario. Another nice feature is called the sprawl monitor. It will show which VMs are using up unnecessary resources, letting you limit resource allocation to those. It is a good starting point when investigating problems.

Of course, the Virtualization Manager has a much more polished and intuitive interface than the VM monitor has. You interact with the system through its dashboard which gives you an instant view of the status of your virtualization environment. Pricing for the SolarWinds Virtualization Manager starts at $2995. A free 30-day trial can be downloaded from SolarWinds’ website. For more details, the Evaluation Guide will give you detailed information about the product and its suitability for your needs.

Official download link (30-day FREE trial): https://www.solarwinds.com/virtualization-manager

3. LogicMonitor

LogicMonitor is a complete monitoring system. It will not only handle virtual hosts and machines. It is a system-wide solution that is built to be your universal solution. The system will cover pretty much any type of virtual environment from VMware or Microsoft but also most cloud-based virtual environments such as those offered by Amazon Web Services or Microsoft Azure.

Logic Monitor Dashboard

LogicMonitor itself is a cloud-based solution although its implementation requires some on-site components. It is actually a two-component system with the main infrastructure residing in the cloud and communicating with collectors installed on the monitored hosts. This is an interesting approach which kind of gives you the best of both worlds. And since the communication between the cloud and the collectors is encrypted, your operational data is not exposed in transit.

LogicMonitor will monitor virtual hosts but also the virtual servers running on them. It comes with an autodiscovery feature that makes setting it up an easier task. The system also features configurable alerts so you can be notified when something abnormal happens without always having to keep an eye on the system’s dashboard.

4. Veeam ONE

Veeam has been around since 2006. The company does just one thing: VM management tools. And Veeam ONE is its flagship product. In one sentence, Veeam ONE gives you total visibility into your IT environment, including virtual, physical and cloud-based systems. It supports the management of VMware vSphere and Microsoft Hyper-V environments and offers proactive monitoring and alerting. Veeam ONE will warn you of potential problems with VMs, physical servers, PCs and cloud-based resources before they impact your operations. Veeam ONE will also allow you to optimize your hosts for better performance.

Veeam ONE Free Edition

Veeam ONE’s current version–9.5–is available in a regular and a free edition. While the free edition is not as feature rich, it is still a very interesting product. The main limitation of the free version is that it will only support VMware vSphere and Microsoft Hyper-V implementations. It also lacks some of the most advanced features but it is still an excellent option if you only have these types of hosts to manage.

5. Foglight

Foglight from Quest advertises itself as a direct competitor to SolarWinds Virtualization Manager. Let’s begin by clarifying something. Foglight is not one product but rather a suite of products. The one that’s interesting in the context of monitoring virtualized environments is called Foglight for Virtualization.

Foglight for Virtualization handles more than just the monitoring of VMware and Hyper-V. It also delivers controlled optimization and promotes capacity planning. Foglight will expose the impact of planned, VMware-initiated and user-invoked changes. And Foglight, which runs on Windows, Linux or Solaris won’t just monitor VMware or Microsoft Environments. It can also handle OpenStack, KVM, Citrix XenApp, and Citrix NetScaler.

Quest Foglight

The product integrates all the managed environments into a single, integrated dashboard, making it easy to keep an eye on everything. Furthermore, it will integrate with Active Directory and Exchange for performance monitoring and it also integrates flawlessly with other products in the Foglight family such as Foglight APM, Foglight for database performance, and Foglight for Storage Management.

Foglight is paid software and pricing can be obtained by contacting the sales team. However, a free 30-day trial version can be downloaded from Quest’s website.

6. eG Enterprise

eG Innovations, the maker of eG Enterprise, might not be the best-known company but eG Enterprise offers network administrators a complete virtualization monitoring solution. And it claims to go deeper than other competing products and to not just look at the hypervisors’ and VMs’ resource usage. It provides a 360° view of virtualized servers and their VMs and analyzes virtualization performance within the context of the business services it supports. Administrators will be able to proactively discover, diagnose, and fix issues quickly.

eG Enterprise Screenshot

eG Enterprise features the only automatic root-cause diagnosis solution for virtualized infrastructures. Its patented correlation engine analyzes and correlates performance across every component of the infrastructure, helping administrators identify the exact cause of performance issues. Administrators can get to the exact root cause of an application performance problem with just one click. eG Enterprise can handle almost every imaginable virtualized environment from most vendors.

eG Innovations offers both a free trial and a live demo of its software. There’s no pricing information on the company’s website so you’ll have to contact them to get a customized quote.

7. Paessler PRTG

Many network administrators know PRTG as a traffic monitoring solution. What they might not know–unless they are PRTG users–is that it is much more than that. PRTG includes several advanced functionalities such as the ability to act as a flow collector and analyzer. But of particular interest in the context of this article is PRTG’s ability to monitor several important parameters of virtual environments.

The VM performance monitoring capabilities of PRTG cover a handful of popular virtual infrastructures such as Citrix Xen, Microsoft Hyper-V, VMware, Parallels Virtuozzo Containers, and Amazon EC2. When monitoring servers, PRTG focuses on CPU load, disk usage, and network usage. As for virtual hosting machines, PRTG monitors temperature, current power consumption, battery voltage, and fan speed.

PRTG Device Overview

PRTG’s monitoring will warn you of overloaded servers, allowing administrators to redistribute VMs across servers to equalize the load and get better performance. The alerting thresholds are adjustable to your exact needs and alerts can be transmitted by SMS or email in addition to showing up on the dashboard.

PRTG is available in a free version which is limited to 100 sensors or a commercial version for which a 30-day free trial is available. Each monitored parameter counts as a sensor so the 100 limit of the free version can quickly be reached.

8. Aptare Virtualization Manager

Aptare’s primary mission is “helping customers adapt their data centers for future technologies and keep pace with ever-changing IT trends”. One of these changing trends is virtualization and the company’s Virtualization Manager is a very interesting product. The tool’s primary focus is storage, which makes sense as this is one of the most important aspects of virtualization.

Aptare Virtualization Manager

The Aptare Virtualization Manager can help you determine the usage of physical resources in virtual environments by mapping usage to the storage array. It will let you see which virtual machines are over- or underutilizing their allocated storage. Furthermore, you can use the tool’s predictive analysis engine to forecast storage capacity needs based on current usage and expected growth. The tool will provide a better understanding of how storage changes at a virtual machine level. It is also an excellent tool to optimize performance and proactively manage resource consumption in real time.

The product supports most VMware products and while a free trial is not advertised, a custom live demo can be scheduled by contacting Aptare.

9. Turbonomic

Turbonomic’s primary focus is cloud environments. Considering the important shift towards cloud-based solutions, this is no big surprise. Organizations rely more and more on cloud environments for their virtual infrastructure. But Turbonomic will also monitor your on-premises systems. The system continuously analyzes the real-time workload demand, matching it to compute, storage and network resources.

Turbonomic Screenshot

Turbonomic comes in three versions: Essentials, Advanced, and Premier, with each successive version having some additional features or automating manual features of the previous version. For instance, the Advanced version features manual compute fabric and storage sizing actions while the Premier version automates those two functions.

Turbonomic covers your whole environment. It works with multiple hypervisors, applications, cloud orchestration, public cloud providers and change management systems and also with storage, compute fabric, converged and hyper-converged infrastructures. It does all its magic through APIs so no agents are required. One excellent feature of this tool is its ability to map relationships and resource usage from application to virtual machines, compute, storage, storage controller, network, fabric interconnects and more.

10. 5Nine Manager

The 5Nine Manager is also more than just a VM monitoring tool. As its name implies, it’s a whole management solution. It only works with Microsoft hosts so if you’re in a VMware environment, this is not for you. But the tool does an excellent job of integrating Azure cloud-based infrastructures into its management system.

5Nine Manager

One of the product’s best features is its highly customizable dashboard. There are also user accounts that can be created at will with different access rights. If you’re reselling services–like, for instance, hosting clients’ websites–this feature will let you give a limited dashboard to customers and enable them to manage their own VMs. Different access levels can be awarded to different users according to their needs. You can also give some read-only access. This is a useful feature when you want executives to be able to see reports and dashboards but not to modify the setup. And talking about reports, the product’s customizable reports are another of its strengths.

Conclusion

Choosing the right VM monitoring solution is not an easy task. And it mostly depends on your precise needs. Don’t forget to factor in evolution, though. Especially if you’re just starting in the world of virtualization, chances are you’ll use it more and more. You will need a tool that can grow with you. Fortunately, most of those packages we’ve just reviewed will require that you contact the vendor’s sales department before you make a purchase. This is a good thing and it will ensure that the solution you acquire will be adequately sized for your current and future needs.


5 Best DDI / IPAM Systems to Solve Your IP addressing Blues

DNS, DHCP, IPAM — together, they form what we often refer to as DDI. They all work together at managing, assigning and resolving IP addresses and form an important part of any network. Read on as we explain what each of these components is, what it is used for and why you need it.

Today, we’ll start our journey by discussing IP addresses, what they are and why we use them. We will then introduce the DHCP system, how it works and what its different components are. After that, we’ll discuss the interaction between DNS and DHCP and why it is so important. And we’ll complete this sort of “crash course” by explaining what DDI is and why it is so important. And after we’re done learning all the basics, we’ll proceed to review the five best DDI/IPAM systems we could find.

IP Addresses 101

IP addresses are at the very core of the Internet. They uniquely identify each device connected to a network. An important distinction must be made between public IP addresses and private IP addresses. The former are those that are used on devices connected to the public Internet. For example, a web server will often have a public IP address. The Internet router installed by your ISP in your home also has a public IP address. Private IP addresses, on the other hand, are those we use on home and corporate networks. They must also be unique but only within a given network.

IP Address

Back in the prehistory of the Internet, when the IP protocol was defined, each connected device was manually configured with a distinct IP address. We called it static or fixed IP addressing. This was cumbersome but OK as the number of connected hosts was low. As networks (both public and private) grew bigger, it became increasingly difficult to manually configure IP addresses as the process was error-prone and often resulted in duplicate IP addresses within a network. It took until the early 1990s before a durable solution was brought forward in the form of the DHCP protocol.

The DHCP System

The Dynamic Host Configuration Protocol–or DHCP, as we usually call it–was invented to dynamically assign IP addresses and allow connected hosts to configure themselves. With DHCP, the need to manually configure IP addresses is eliminated. And DHCP does not only configure IP addresses, it can configure most network parameters of a connected host such as IP address, subnet mask, name server(s), WINS server(s) in a Windows environment, and several other parameters. All the parameters are dynamically configured each time a host is started on the network.

How It Works

No matter what exact parameters are configured by the DHCP system, the process of configuring a host is always the same. It is a four-step process referred to as DORA, which stands for Discover, Offer, Request, and Acknowledge. Here’s what happens when a host starts.

In the discovery phase, the host sends out a broadcast message–that is, a message that will be received by every host connected to the network–called DHCPDISCOVER. The message has to be broadcast because, at this point, the host has no idea of the DHCP server’s address.

In the second phase, the server responds with a DHCP offer. The offer contains all the configuration parameters of the host’s network interface. Now, this is where things get a bit trickier. Since there could be several DHCP servers on a network, the host could receive several offers. When this happens, the host will simply pick one of the offers and proceed to the next step. Which one will it pick? Normally, it will pick the first offer it gets.

In the next phase, the host sends out the DHCP request. It includes the offer it picked, instructing the server whose offer it chose to proceed while informing the other servers that sent offers that theirs were declined and that they can free the offered IP addresses.

In the final phase, the server sends a DHCP acknowledgment to the host, confirming that it has correctly reserved the offered IP address for that host.

The DHCP Client Component

The DHCP configuration information acquired by the client and used to configure the network interface is not valid forever. In fact, it is leased rather than assigned by the DHCP server. And this lease has an expiration date.

It is one of the DHCP client’s most important tasks to ensure that the interface configuration remains valid. It does this by periodically trying to renew its lease before it expires. The renewal process uses the same DORA sequence. The only difference is that, during the discovery phase, the client specifically requests the same IP address it already has.

Another important function of the DHCP client is the release mechanism. Whenever a client no longer requires its IP address–as can happen when it’s shutting down–it notifies the DHCP server to release the IP address so the server can reuse it.

The DHCP Server Component

As for the DHCP server, its main task is to send configuration information to any host that requests it and to make sure that it sends unique parameters to each individual host. IP addresses can be assigned by the DHCP server in one of three ways: dynamic, automatic, or manual (also called static).

In dynamic allocation, a new IP address is given to each host that requests one. Automatic allocation is similar except that the server will keep track of what IP address was assigned to each host and will try to give it the same address the next time it connects.

And finally, with manual allocation, an administrator needs to manually associate a given host–identified by its MAC address–to a specific IP address. This is also referred to as DHCP reservation because it reserves a specific address for a specific host.
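The DORA exchange, the client-side renewal and release described above, and the three server-side allocation modes, as an added worked example that is not code from the article or from any real DHCP implementation. Message names follow the protocol (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK); the server names, address pools, MAC addresses and lease times are constructed, and time is an integer passed in by the caller so the exchange can be replayed without a clock:

```python
"""Toy DHCP servers and client: DORA with several servers, lease renewal,
release, expiry, and dynamic / automatic / manual allocation.

Constructed example; pools, MACs and lease times are made up.
"""


class DhcpServer:
    """One DHCP server with an address pool and an allocation mode."""

    def __init__(self, name, pool, mode="dynamic", reservations=None, lease_time=100):
        self.name = name
        self.free = list(pool)                  # addresses neither leased nor offered
        self.mode = mode                        # "dynamic", "automatic" or "manual"
        self.reservations = reservations or {}  # manual mode: MAC -> reserved IP
        self.history = {}                       # automatic mode: MAC -> IP given last time
        self.offered = {}                       # MAC -> (IP, taken_from_pool) while the client decides
        self.leases = {}                        # MAC -> (IP, expiry time)
        self.lease_time = lease_time

    def _pick(self, mac, wanted):
        """Choose an address according to the allocation mode; None if nothing fits."""
        if self.mode == "manual":               # only hosts with a reservation get an address
            ip = self.reservations.get(mac)
            return ip if ip in self.free else None
        preferred = []
        if self.mode == "automatic" and mac in self.history:
            preferred.append(self.history[mac])  # try to hand out the same address as last time
        if wanted:
            preferred.append(wanted)             # the client asked for a specific address
        for ip in preferred:
            if ip in self.free:
                return ip
        return self.free[0] if self.free else None

    def discover(self, mac, wanted=None):
        """Answer a broadcast DHCPDISCOVER with a DHCPOFFER, holding the address meanwhile."""
        lease = self.leases.get(mac)
        if lease and lease[0] == wanted:        # renewal: re-offer the client's own address
            self.offered[mac] = (wanted, False)
            return {"type": "DHCPOFFER", "server": self.name, "ip": wanted}
        ip = self._pick(mac, wanted)
        if ip is None:
            return None                         # this server has nothing to offer
        self.free.remove(ip)
        self.offered[mac] = (ip, True)
        return {"type": "DHCPOFFER", "server": self.name, "ip": ip}

    def request(self, mac, chosen_server, now):
        """Handle the DHCPREQUEST naming the chosen server: ack, or free a declined offer."""
        ip, from_pool = self.offered.pop(mac, (None, False))
        if chosen_server != self.name:
            if from_pool:
                self.free.append(ip)            # declined offer: address goes back to the pool
            return None
        self.leases[mac] = (ip, now + self.lease_time)
        self.history[mac] = ip
        return {"type": "DHCPACK", "server": self.name, "ip": ip, "expires": now + self.lease_time}

    def release(self, mac):
        """DHCPRELEASE: the client no longer needs its address."""
        lease = self.leases.pop(mac, None)
        if lease:
            self.free.append(lease[0])

    def expire(self, now):
        """Server-side housekeeping: reclaim leases the client never renewed."""
        for mac, (_ip, expires) in list(self.leases.items()):
            if expires <= now:
                self.release(mac)


def dora(client_mac, servers, now, wanted=None):
    """One client-side DORA cycle across every server that hears the broadcast."""
    offers = [o for o in (s.discover(client_mac, wanted) for s in servers) if o]
    if not offers:
        return None
    chosen = offers[0]                          # as the article says: take the first offer received
    acks = [s.request(client_mac, chosen["server"], now) for s in servers]
    return next(a for a in acks if a)


def renew(client_mac, servers, current_ip, now):
    """Renewal as the article describes it: the same sequence, asking for the current address."""
    return dora(client_mac, servers, now, wanted=current_ip)


if __name__ == "__main__":
    a = DhcpServer("A", ["10.0.0.10", "10.0.0.11"])
    b = DhcpServer("B", ["10.0.1.10"])
    print(dora("aa:aa", [a, b], now=0))         # ack from A; B puts 10.0.1.10 back in its pool
    print(renew("aa:aa", [a, b], "10.0.0.10", now=50))
```

Running it with two servers shows the part of the exchange that matters for address hygiene: the server whose offer was not chosen returns its address to the pool on the request, and a renewal re-acknowledges the client's existing address with a fresh expiry instead of burning a second one.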

The Interaction Between DHCP and DNS

The Domain Name Service–or DNS–is used to map hostnames to IP addresses. In a private network using dynamic DHCP allocation, there is often some integration between DNS and DHCP. That way, the DNS is always aware of the current IP address of each host.

This is why many DHCP servers also include a DNS server. This is the case, for example, of the Microsoft DHCP server, which is fully integrated with the DNS server.

In Comes DDI

DDI is the acronym for DHCP, DNS, and IPAM, or IP Address Management. We haven’t discussed the latter much just yet. IPAM refers to any software used to assist in managing IP addresses. Such systems can usually be used to manage both DHCP-assigned addresses and statically assigned addresses that are manually configured on hosts.

With the close integration that is required between the three, it is only normal that many suppliers build the three products into one another or offer all three products separately.

Our Top 5 best DDI/IPAM Systems

We’ve searched the Internet for the five best DDI/IPAM systems we could find. Some of the products we found include all three functions in one and can truly be considered DDI systems. Others might not include DNS or DHCP functionality but they will often integrate with many popular DNS and DHCP servers such as those found on Windows and Linux.

Since we wouldn’t want to keep you waiting any longer than necessary, here’s the list of our five best DDI/IPAM servers:

  1. SolarWinds IP Address Manager (*winner*)
  2. Blue Cat IPAM
  3. ManageEngine OpUtils IPAM 200 – 1800
  4. Infoblox IPAM
  5. GestióIP

1. SolarWinds IP Address Manager (FREE TRIAL)

SolarWinds is one of the best-known names in network management. The company makes some of the best tools to assist administrators. It is also known for its free utilities and trials. The SolarWinds IP Address Manager is one such software that you can try for free for a full thirty days.

The SolarWinds IP Address Manager lets you use its built-in DHCP and DNS servers, making it a full DDI system. Alternatively, the software can also interact with DHCP and DNS servers from Microsoft and Cisco so you won’t have to replace your whole infrastructure.

SolarWinds IPAM

The software lets you use multiple allocation methods for IP addresses. You can, for example, use reservations for servers and other equipment and dynamically allocated addresses for workstations. Everything gets seamlessly integrated into the DNS. Furthermore, a setup wizard is included to assist in configuring DHCP scopes.

The SolarWinds IP Address Manager uses user accounts with various access levels. You could give only partial access to some junior admins or only let managers view the reports. There is also a good logging system that records every change with a time stamp and the username of the operator making the change. This can help with compliance issues. Visit SolarWinds’ website for more information and to download your free 30-day trial of the SolarWinds IP Address Manager.

OFFICIAL DOWNLOAD LINK: https://www.solarwinds.com/ip-address-manager (30-day FREE trial)

2. Blue Cat Address Manager

Our second entry is from BlueCat, one of the industry leaders in the field. Their Address Manager is best suited to large corporations with a network management team. Their IPAM system is actually a full DDI system that includes DHCP and DNS. It can also interoperate with DHCP and DNS servers from Microsoft.

The BlueCat Address Manager is a dual-stack system, meaning it can work with IPv4 and IPv6 at the same time. It’s actually a great tool to use when migrating from one to the other. Security-wise, the system has workflows and approval chains as well as user accounts with hierarchical rights.

BlueCat Address Manager

The system makes use of network templates. They enable the administrator to use information layouts that ensure essential tasks cannot be overlooked and that all important data is present. In a nutshell, the BlueCat system automates as many network administration tasks as possible. As a result, problems caused by human error are less frequent.

The BlueCat Address Manager is a premium package so you can expect to pay premium prices but if you’re managing a large network, it is well-worth the investment. You may head to BlueCat’s website for more information about this product.

3. ManageEngine OpUtils IP Address Manager

Our next entry is from ManageEngine, another company that is famous for its network management tools.

The OpUtils IP Address Manager offers centralized management of the IP address space. It can handle both IPv4 and IPv6 addresses. The built-in IP manager software assists network administrators in identifying whether an IP address is currently available or not. The IP Address Manager tool periodically scans subnets and keeps the availability status of IP addresses in each subnet up to date.

ManageEngine IP Address Manager

Users can use the IP manager tools to quickly and easily verify whether a particular IP is reserved or available. The tool accepts multiple subnet inputs, which helps in scanning the entire network to get the status of all IP addresses.

A free version is available but it is limited to a single subnet. It is enough to give the product a test run. It might even be all you need if you’re managing a smaller network. Visit ManageEngine’s website for more information.

4. Infoblox IPAM & DHCP

Perhaps you know Cricket Liu, the author of the O’Reilly book DNS and BIND. This makes him THE authority on the subject. He works at Infoblox as their Chief DNS Architect. Infoblox’s DDI suite is a great piece of software.

Infoblox IPAM

The Infoblox IPAM & DHCP system is another software that’s better suited for larger networks. Like other larger systems, it has templates to automate routine tasks. It also comes with some excellent standard reports. And if you don’t find the existing templates or reports to your liking, you can customize them at will.

The Infoblox IPAM & DHCP allows managers to track the usage of key resources. It also has tracking functions to help manage DHCP usage effectively. Security-wise, this is great as it also includes the ability to identify out-of-scope addresses and isolate rogue devices. This is quite a unique feature that you won’t find on other systems. It shows how Infoblox is as concerned with security as it is with IPAM and has built safeguards right into the system.

New nodes can be integrated into the network centrally through the DDI user interface and comparison of usage for each node is also made easier by effective MAC address records as well as IP tracking.

5. GestióIP

Our last entry is from a company that is not as famous as the previous four but don’t let that fool you. GestióIP is an excellent DDI suite. And it is the only open-source entry in our top 5 list of the best DDI/IPAM systems.

As per their website, “GestióIP is an automated, web-based IPv4/IPv6 address management (IPAM) software. It features powerful network discovery functions and offers search and filter functions for both networks and host, permitting Internet Search Engine equivalent expressions. This lets you find the information that administrators frequently need easily and quickly.”

GestioIP Address Management

Concretely, this is a great system, especially for smaller businesses that might not be able to afford the large systems such as Infoblox or BlueCat. It is a feature-rich piece of software that has all the functionalities a network administrator might need without the price. And it also comes with a few unique features such as a subnet calculator and an IP address plan builder. This is certainly a package worth looking into.

In Conclusion

There are many more DDI/IPAM systems out there than we can list in a single article. The five we’ve reviewed here are those we consider to be the best you can find. We’ve tried to give you a good variety of software for larger and for smaller networks. Some of them are free, others are (very) expensive. All of them work great and are well worth looking into.

Read 5 Best DDI / IPAM Systems to Solve Your IP addressing Blues by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

10 Best Port Scanners and Checkers that Are Free

You might not know it yet but open ports–unlike most open software–are not good. In fact, you should avoid them at all costs. Let’s clarify something right off the bat. When we talk about open ports, we’re talking about potential open doors to your equipment. And when malicious people find these doors, they can use them to gain access. This is certainly not something you want. This is why port scanners were invented and we’re about to introduce you to the ten best free port scanners we could find.

We’ll begin today’s article by giving you a crash course on network ports. We’ll tell you what they are and what they are not. We’ll also explain the difference between well-known ports and other ports. We will then sidetrack a little and talk about security. We’ll let you know why you should keep unused ports closed and secure those that you do use. We will then proceed with our top 10 list of the best free port scanners. For each entry on our list, we’ll give you a brief review of the product and some of its main features.

What Is A Port Anyways?

In one sentence, ports are the network gateways into equipment. Let’s explain. Computers can do many different things at once. And several of these things may require access to the network. But typically, computers have only one network interface. Ports were invented to let different processes share a common network interface.

For example, think of a server that’s running both a web server and an FTP server, a very common combination. When a request comes in, how does the operating system know whether it should send it to the web server or to the FTP server? Using ports. A request for the web server will use port 80 while a request for the FTP server will use port 21.

Ports are not a physical thing; they’re just numbers from 0 to 65535 that are added to the header of data packets transmitted on a network. And they are not random either. Well, actually they are sometimes. More about this later.

One thing that is important for all of this to work is that everyone agrees on which port to use for what. For instance, the web server mentioned earlier expects requests on port 80. Your web browser must then use port 80 to send the request to the web server.

Well-known Ports

The need to agree on which port to use for what was solved early on by standardizing ports. The Internet Assigned Numbers Authority (IANA, the same organization that also assigns IP addresses) is responsible for maintaining the official assignments of port numbers for specific uses.

Under the IANA’s control, the first 1024 ports were officially assigned to different services. Actually, this is not completely true. Some port assignments are not officially sanctioned by the IANA. They were available and some organization started using them for their purpose–often before the IANA started controlling their assignment–and, through use, their usage stuck.

Today, many of us are familiar with several of these ports. There’s port 80 for web and 21 for FTP, as mentioned earlier. We’re also familiar with port 22 for SSH or 53 for DNS. Not all of the first 1024 ports have been assigned and some are still available but their number is shrinking.

Other Ports

Well-known ports account for the first 1024, so what about the 64512 others? Well, ports 1024 to 49151 are what we call registered ports. Those are also controlled and assigned by the IANA. Any organization can request them for their specific purpose. This is how, for example, port 1433 became the port for Microsoft SQL Server or port 47001 became the port for the Windows Remote Management service. But the Internet being what it is, several ports in that range are used for specific purposes without having been registered with the IANA.

As for ports ranging from 49152 to 65535, they are referred to as ephemeral ports. They are temporarily used by applications to differentiate streams. Think of a web server. Several clients can connect to it at the same time. If they all used port 80, it could be hard for the server to make sure it sends responses to the right requestor. So, the initial connection is done on port 80 after which the server and client “agree” on an ephemeral port number that will be used for the remainder of their exchange.

You Should Keep Unused Ports Closed

On a computer, a port’s status can be open, closed or stealth. An open port means that the computer is actively “listening” for connection requests on that port. It is an active port. A closed port, as its name implies, won’t accept incoming connections. Instead, it will respond to any request that the port is closed. Stealth ports are somewhat different: a device trying to connect to those ports won’t even get a response.

Any port that is open is an open door to the computer. And malicious users will certainly try to exploit these open doors to gain access to the computer. For instance, let’s say you have FTP port 21 open although you are not really using FTP. A hacker could then use that open port to exploit a vulnerability of the FTP software running on the computer to inject malicious software.

And if you’re not even using FTP, chances are you might not have updated the FTP server and it could very well contain exploitable vulnerabilities. This is why it is so important to ensure that unused ports are either closed or stealth.

And You Should Also Protect Those Ports You Use

As for the ports you are actually using, they are still open doors and could be used for malicious activity. This is why you need to protect the open ports. It can be done in several ways, the most basic of which is keeping your operating system and other software up to date. Most software publishers release frequent patches to address discovered vulnerabilities. Another way you can protect yourself is by using firewalls and intrusion detection and/or prevention systems.

Our Top 10 Best Free Port Scanners

Port scanners are your first line of defense. They will help you discover what ports are open, closed and stealth on your equipment. Scanning a device for open ports will often reveal surprises. There will be ports you didn’t even know were open. The port scanner–or port checker–will tell you what needs to be done on each device. And keep in mind that hackers will also use port scanners to find open doors to the systems they want to access.

Port scanners come in two main forms. The first is software that you install on a computer and run from there. Alternatively, some scanners are run from a web page. There are advantages and disadvantages to both.

For instance, the web-based scanners are great because they can be used from anywhere without installing anything. They will report on what ports are open to the outside of your network. There’s a drawback to this. A port could be open on a device but appear closed or stealth from outside your network because a firewall is blocking it. In such a situation, you’d still be vulnerable to an inside attack. And rest assured that those are not uncommon at all.

Your best bet is likely to use a combination of web-based and installed software scanners. Combined, they will give you complete visibility over what’s open from the outside and from within your network.
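The three port states described above, and the inside-the-network check that an installed scanner gives you, as an added example that is not code from any of the tools reviewed here. It is the plain TCP connect check: an accepted connection means "open", an active refusal (the host answers that nothing is listening) means "closed", and silence until the timeout means "stealth", which is what a firewall that drops packets produces. The listener it starts on the loopback interface and the port numbers it derives are constructed so the block runs offline against your own machine:

```python
"""Classify TCP ports as open / closed / stealth with a connect attempt,
and run that check over a list of ports the way an installed scanner does.

Constructed example: the listener on 127.0.0.1 stands in for a real service.
"""
import socket
import threading


def start_listener(port=0):
    """Bind a TCP listener on 127.0.0.1 (port 0 lets the OS pick a free port).

    A background thread accepts and closes connections so that connect() from
    the checker completes the handshake, as it would against a real service.
    Returns (listening socket, port number)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:          # listener was closed: stop
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Find a port nothing listens on: bind to port 0, note the number, close again."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def port_state(host, port, timeout=1.0):
    """Return 'open', 'closed', 'stealth' or 'unreachable' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # handshake completed: a service is listening
        except ConnectionRefusedError:
            return "closed"          # host answered with a reset: nothing listening
        except socket.timeout:
            return "stealth"         # neither accept nor refusal: something dropped the packet
        except OSError:
            return "unreachable"     # no route, interface down, etc.


def scan_ports(host, ports, timeout=1.0):
    """The core loop of a port scanner: check each port and map it to its state."""
    return {p: port_state(host, p, timeout) for p in ports}


def open_ports(results):
    """The filter every reviewed tool offers: keep only the ports that are open."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    listener, p_open = start_listener()
    p_closed = free_closed_port()
    results = scan_ports("127.0.0.1", [p_open, p_closed])
    print(results)                   # {<p_open>: 'open', <p_closed>: 'closed'}
    print("open:", open_ports(results))
    listener.close()
```

Run from the host itself, this sees every listener, including ones a perimeter firewall hides from a web-based scanner; that is the gap the paragraph above warns about. The stealth result can only be observed against a port that something silently filters, so the stand-alone run exercises the open and closed cases.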

Enough said; here’s our top 10 list of the best free port scanners:

  1. SolarWinds Free Port Scanner
  2. Zenmap
  3. PortChecker Port Scanner
  4. Open Port Scanner
  5. IP Fingerprints Network Port Checker
  6. Free Port Scanner
  7. Port Checker
  8. WhatIsMyIP Port Scanner
  9. TCPView
  10. Spiceworks IP Scanner

1. SolarWinds Free Port Scanner (FREE DOWNLOAD)

SolarWinds Port Scanner

SolarWinds is one of the major players in the networking tools field. It is also well-known for publishing quite a few very useful free tools. The SolarWinds free Port Scanner is one of them. The software is only available for Windows and will run through a GUI or as a command-line tool.

By default, the scanner will scan your network to detect all the IP addresses. You can then choose to scan all the devices or change the range setting to scan a subset of your devices. You can also specify the ports to test. By default, it will only test well-known ports but you can override this and specify your own range or list of port numbers. More advanced settings will let you scan only TCP or UDP ports, do a ping check, a DNS resolution, or an OS identification test.

As a result, the software will return a list with the status of all tested devices. You can imagine that this could be a long list. Fortunately, the system will let you apply filters and, for instance, only list devices with open ports. Clicking on a device reveals a port detail panel. Again, it will list all of the ports in the scan range and again, you can apply a filter and only show the ports that are open.

Official download link: https://www.solarwinds.com/free-tools/port-scanner

2. Zenmap

Zenmap Screenshot

Zenmap is an open-source GUI front end to Nmap, a free network testing utility that’s been immensely popular for over 20 years. The software, which runs on Windows, Linux, BSD, and Mac OS will test much more than just ports.

Although its user interface is not very sophisticated, it does its job well. It will scan all the ports on all computers connected to your network. It will then perform follow-up tests on the open ports that it has discovered. You can also perform a complete scan, scan all TCP ports, or scan all UDP ports. There’s also an intense scan that uses a stealth methodology where the tests won’t be logged by the tested devices as a connection. Those can take a long time, though. Expect it to take over 90 minutes for one device.

3. PortChecker Port Scanner

PortChecker Port Scanner

The PortChecker Port Scanner is a web-based scanner. It’s a great tool although not all ports are checked. The service will test 36 of the most important–and vulnerable–well-known ports for accessibility from the internet. It will also test if a service is running on each open port. There’s also an option to run a shorter scan that will only test 13 ports.

The tested ports include FTP data and control, TFTP, SFTP, SNMP, DHCP, DNS, HTTPS, HTTP, SMTP, POP3, POP3 SSL, IMAP SSL, SSH, and Telnet, to name just the main ones. Scan results are displayed as a table on the web page. If you need a quick and dirty test of the most common ports, the free PortChecker Port Scanner might be just the right tool for you.

4. Open Port Scanner

WebHubTool Open Port Scanner

The Open Port Scanner from WebToolHub is another free online port checker. The system requires that you enter an IP address and a list of ports to check. You can only enter 10 port numbers at a time so you’ll need to run it multiple times to test more. You don’t have to enter individual port numbers, though. The system will support a range–such as 21-29–as long as it is no longer than 10. It appears to be a better tool for a quick check of specific ports than as a complete vulnerability assessment tool.

Once the scan completes, which is rather quickly, the results are displayed in a table format with the status of each port as well as service registered with that port. The results table can be exported to a CSV file. And while you’re on the WebToolHub site, you may want to have a look at some of the other free tools such as an IP location checker, a backlinks checker, a WHOIS lookup facility, and a Ping test.

5. IP Fingerprints Network Port Checker

IP Fingerprints Network Port Checker

IP Fingerprints is another website where you’ll find a certain number of free and useful tools. Amongst them is the Network Port Checker. To use it, you simply enter an IP address and a range of ports to check. Although the number of scanned ports is not limited, you are warned that a number of ports in excess of 500 might take a while to scan and that a large range will start a scan that may never end.

This tool claims to be able to work around firewalls. It does this by using SYN requests: a real connection is never opened and many firewalls will let the SYN request through. Whether it does go through the firewall or not is not totally relevant. This is still a very good test no matter what, as it is a common method used by hackers.

6. Free Port Scanner

Free Port Scanner

The Free Port Scanner is a Windows freeware that can be downloaded from the Major Geeks website. You can use this tool to scan ranges of ports. The number of scanned ports is not restricted so you could decide to scan all ports if you have time to kill.

By default, the tool will want to scan your own IP address for open ports from its own default list of ports. As you’d expect, the duration of the scan is proportional to the number of ports scanned. And it is slower when testing ports on a different device. For example, testing for all ports on your router could very well take all day. Results can show open or closed ports or both. The tool has no documentation and it’s not clear what testing method is used. Also, it appears that it only tests TCP ports, not UDP.

7. Port Checker

Port Checker v1.0

Port Checker is a Windows tool that is best downloaded from Softpedia. The software has no installer: you simply download its zip file, extract the executable file and run it. The executable is small and, since it requires no installation, you can run it from a USB stick.

The tool’s user interface is plain and quite easy to use. You simply enter an IP address and select a port number from a drop-down list. The two main limitations of this tool are that you can’t scan any port, just those from the list and that it will only scan one port per run. Despite its limitations, Port Checker is a great tool when you just need to check whether a specific port is open or not.

8. WhatIsMyIP Port Scanner

WhatIsMyIP Port Scanner

Every network administrator knows WhatIsMyIP.com. The site is commonly used to check the public IP address of a host. What you may not know is that the site also has other tools. And one of them is its Port Scanner. The main asset of the WhatIsMyIP Port Scanner is its speed. Even a multiple-port scan will complete within seconds.

The web-based tool also has a quite unique feature that none of the other similar tools offer: the ability to scan by “theme”. They’re actually called packages rather than themes and each includes a certain number of related ports. For example, there’s a Games package that will scan ports usually used for online gaming or a Web package that includes the FTP (20 and 21), HTTP (80) and HTTPS (8080) ports. There’s even a Malicious package that includes ports commonly used by malware and hackers.

9. TCPView

TCPView Screenshot

TCPView–which you can download directly from Microsoft–is very different from the other scanners on our list. Instead of checking ports, it checks every process running on a computer and lists what port is associated with what process. For each process, it also lists the number of bytes and packets in and out. The approach is more thorough than scanning ports and it will truly list every open port on a computer.

TCPView will display processes and matching ports and refresh every second, every other second or every five seconds. New processes are color-coded in green while processes that just stopped remain in the list, color-coded in red, for a few seconds. Processes whose statuses have changed are color-coded in yellow.

10. Spiceworks IP Scanner

Spiceworks IP Scanner Dashboard Screenshot

The Spiceworks IP Scanner is a two-component system. There’s the dashboard which is online and a small monitoring agent that you need to install on your computer. The agent sends the data it gathers to the cloud-based dashboard where you can see the scan results. Agents are available for Linux, Windows, and Mac OS. The tool is free but it is ad-supported.

The IP scanner will auto-discover all connected devices and its report will list each device’s MAC address, its IP address and hostname, the manufacturer’s name, the operating system, and–and this is the important part for us right now–a list of open ports.

Wrapping Up

There’s not really one clear winner when it comes to port scanners. We’ve shown you ten very different tools. Each has advantages and shortcomings. But with all these tools available free of charge, nothing stops you from using a combination of tools, depending on your precise needs at any given time. Personally, I’ve used them all and found that each one has some value and will be the perfect tool in certain situations.

Read 10 Best Port Scanners and Checkers that Are Free by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

6 Best Security Information and Event Management (SIEM) Tools Worth Checking Out in 2018

It’s a jungle out there! Ill-intentioned individuals are everywhere and they’re after you. Well, probably not you personally but rather your data. It’s no longer just viruses that we have to protect against but all sorts of attacks that can leave your network–and your organization–in a dire situation. Due to the proliferation of various protection systems such as antiviruses, firewalls, and intrusion detection systems, network administrators are now flooded with information that they have to correlate, trying to make sense of it. This is where Security Information and Event Management (SIEM) systems come in handy. They handle most of the gruesome work of dealing with too much information. To make your job of selecting a SIEM easier, we’re presenting you the best Security Information and Event Management (SIEM) tools.

Today, we begin our analysis by discussing the modern threat scene. As we said, it’s no longer just viruses anymore. Then, we’ll try to better explain what SIEM is exactly and talk about the different components that make up a SIEM system. Some of them might be more important than others but their relative importance might be different for different people. And finally, we’ll present our pick of the six best Security Information and Event Management (SIEM) tools and briefly review each one.

The Modern Threat Scene

Computer security used to be just about virus protection. But in recent years, several different kinds of attacks have been uncovered. They can take the form of denial of service (DoS) attacks, data theft, and many more. And they no longer just come from the outside. Many attacks originate from within a network. So, for the ultimate protection, various types of protection systems have been invented. In addition to the traditional antivirus and firewall, we now have Intrusion Detection and Data Loss Prevention systems (IDS and DLP), for example.

Of course, the more you add systems, the more work you have managing them. Each system monitors some specific parameters for abnormalities and will log them and/or trigger alerts when they are discovered. Wouldn’t it be nice if the monitoring of all these systems could be automated? Furthermore, some types of attacks could be detected by several systems as they go through different stages. Wouldn’t it be far better if you could then respond to all related events as one? Well, this is exactly what SIEM is all about.

What Is SIEM, Exactly?

The name says it all. Security Information and Event Management is the process of managing security information and events. Concretely, a SIEM system does not provide any protection. Its primary purpose is to make the life of network and security administrators easier. What a typical SIEM system really does is collect information from various protection and detection systems, correlate all this information by assembling related events, and react to meaningful events in various ways. Often, SIEM systems will also include some form of reporting and dashboards.

The Essential Components Of A SIEM System

We’re about to explore in deeper detail each major component of a SIEM system. Not all SIEM systems include all these components and, even when they do, they could have different functionalities. However, they are the most basic components that one would typically find, in one form or another, in any SIEM system.

Log Collection And Management

Log collection and management is the main component of all SIEM systems. Without it, there is no SIEM. The SIEM system has to acquire log data from a variety of different sources. It can either pull it or different detection and protection systems can push it to the SIEM. Since each system has its own way of categorizing and recording data, it is up to the SIEM to normalize data and make it uniform, no matter what its source is.

After normalization, logged data will often be compared against known attack patterns in an attempt to recognize malicious behavior as early as possible. Data will also often be compared to previously collected data to help build a baseline that will further enhance abnormal activity detection.
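As an added illustration (not code from the article), here is a small Python sketch of the normalize-then-correlate step described above: two constructed log sources, an sshd syslog line and a hypothetical firewall CSV line, are mapped onto one uniform schema, and a simple rule flags a successful login that follows repeated failures from the same address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the article). Both sources record login
# attempts, each in its own format; normalization flattens them into one schema.
SAMPLE_LOGS = [
    "2018-03-01T10:00:01 sshd[2201]: Failed password for root from 10.0.0.7",
    "2018-03-01T10:00:04 sshd[2201]: Failed password for root from 10.0.0.7",
    "fw,2018-03-01T10:00:06,auth_fail,10.0.0.7,root",
    "2018-03-01T10:00:09 sshd[2201]: Accepted password for root from 10.0.0.7",
    "2018-03-01T10:30:00 sshd[2205]: Accepted password for alice from 10.0.0.9",
]

SSHD_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalize(line):
    """Map one raw line from either source onto a uniform event record."""
    m = SSHD_RE.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "sshd", "action": "login",
                "result": "fail" if outcome == "Failed" else "success",
                "user": user, "src_ip": src}
    if line.startswith("fw,"):  # hypothetical firewall CSV: fw,<ts>,<action>,<src>,<user>
        _, ts, action, src, user = line.split(",")
        return {"ts": datetime.fromisoformat(ts), "source": "firewall", "action": "login",
                "result": "fail" if action == "auth_fail" else "success",
                "user": user, "src_ip": src}
    return None  # unknown format: a real SIEM would park it until a parser exists

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert on a success preceded by >= threshold failures from the same src_ip within window."""
    recent_fail = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev["src_ip"]
        if ev["result"] == "fail":
            recent_fail[key].append(ev["ts"])
            continue
        fails = [t for t in recent_fail[key] if ev["ts"] - t <= window]
        if len(fails) >= threshold:
            alerts.append({"src_ip": key, "user": ev["user"], "failures": len(fails), "ts": ev["ts"]})
        recent_fail[key].clear()
    return alerts

def run(lines=SAMPLE_LOGS):
    """Full pipeline: drop unparseable lines, normalize the rest, correlate."""
    return correlate([e for e in map(normalize, lines) if e])
```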

Event Response

Once an event is detected, something must be done about it. This is what the event response module of the SIEM system is all about. The event response can take different forms. In its most basic implementation, an alert message will be generated on the system’s console. Often email or SMS alerts can also be generated.

But the best SIEM systems go a step further and will often initiate some remedial process. Again, this is something that can take many forms. The best systems have a complete incident response workflow system that can be customized to provide exactly the response you want. And as one would expect, incident response does not have to be uniform and different events can trigger different processes. The best systems will give you complete control over the incident response workflow.

Reporting

Once you have the log collection and management and the response systems in place, the next building block you need is reporting. You might not know it just yet but you will need reports. The upper management will need them to see for themselves that their investment in a SIEM system is paying off. You might also need reports for conformity purposes. Complying with standards such as PCI DSS, HIPAA, or SOX can be eased when your SIEM system can generate conformity reports.

Reports may not be at the core of a SIEM system but they are still an essential component. And often, reporting will be a major differentiating factor between competing systems. Reports are like candies, you can never have too many. And of course, the best systems will let you create custom reports.

Dashboard(s)

Last but not least, the dashboard will be your window into the status of your SIEM system. And there could even be multiple dashboards. Because different people have different priorities and interests, the perfect dashboard for a network administrator will be different from that of a security administrator. And an executive will need a completely different one as well.

While we can’t evaluate a SIEM system by the number of dashboards it has, you need to pick one that has all the dashboard(s) you need. This is definitely something you’ll want to keep in mind as you evaluate vendors. And just like with reports, the best systems will let you build customized dashboards to your liking.

Our top 6 SIEM Tools

There are lots of SIEM systems out there. Far too many, actually, to be able to review them all here. So, we’ve searched the market, compared systems, and built a list of what we found to be the six best security information and event management (SIEM) tools. We’re listing them in order of preference and we’ll briefly review each one. But despite their order, all six are excellent systems that we can only recommend you try for yourself.

Here’s what our top 6 SIEM tools are:

  1. SolarWinds Log & Event Manager
  2. Splunk Enterprise Security
  3. RSA NetWitness
  4. ArcSight Enterprise Security Manager
  5. McAfee Enterprise Security Manager
  6. IBM QRadar SIEM

1. SolarWinds Log & Event Manager (FREE 30-DAY TRIAL)

SolarWinds is a common name in the network monitoring world. Their flagship product, the Network Performance Monitor, is one of the best SNMP monitoring tools available. The company is also known for its numerous free tools such as their Subnet Calculator or their SFTP server.

SolarWinds’ SIEM tool, the Log and Event Manager (LEM), is best described as an entry-level SIEM system. But it’s possibly one of the most competitive entry-level systems on the market. The SolarWinds LEM has everything you can expect from a SIEM system. It has excellent log management and correlation features and an impressive reporting engine.

SolarWinds LEM Dashboard

As for the tool’s event response features, they leave nothing to be desired. The detailed real-time response system will actively react to every threat. And since it’s based on behavior rather than signature, you’re protected against unknown or future threats.

But the tool’s dashboard is possibly its best asset. With a simple design, you’ll have no trouble quickly identifying anomalies. Starting at around $4,500, the tool is more than affordable. And if you want to try it first, a free fully functional 30-day trial version is available for download.

2. Splunk Enterprise Security

Possibly one of the most popular SIEM systems, Splunk Enterprise Security–or Splunk ES, as it is often called–is particularly famous for its analytics capabilities. Splunk ES monitors your system’s data in real time, looking for vulnerabilities and signs of abnormal activity.

Security response is another of Splunk ES’ strong suits. The system uses what Splunk calls the Adaptive Response Framework (ARF), which integrates with equipment from more than 55 security vendors. The ARF performs automated responses, speeding up manual tasks. This will let you quickly gain the upper hand. Add to that a simple and uncluttered user interface and you have a winning solution. Other interesting features include the Notables function, which shows user-customizable alerts, and the Asset Investigator for flagging malicious activities and preventing further problems.

Splunk ES Risk Analysis

Splunk ES is truly an enterprise-grade product and it comes with an enterprise-sized price tag. You can’t even get pricing information from Splunk’s web site. You need to contact the sales department to get a price. Despite its price, this is a great product and you might want to contact Splunk and take advantage of a free trial.

3. RSA NetWitness

Since 2006, NetWitness has focused on products supporting “deep, real-time network situational awareness and agile network response”. After being acquired by EMC, which then merged with Dell, the NetWitness business is now part of the RSA branch of the corporation. And this is good news, as RSA is a famous name in security.

RSA NetWitness is ideal for organizations seeking a complete network analytics solution. The tool incorporates information about your business, which helps prioritize alerts. According to RSA, the system “collects data across more capture points, computing platforms, and threat intelligence sources than other SIEM solutions”. There’s also advanced threat detection which combines behavioral analysis, data science techniques, and threat intelligence. And finally, the advanced response system boasts orchestration and automation capabilities to help eradicate threats before they impact your business.

RSA NetWitness

One of the main drawbacks of RSA NetWitness is that it’s not the easiest to use and configure. However, there is comprehensive documentation available which can help you with setting up and using the product. This is another enterprise-grade product and you’ll need to contact sales to get pricing information.

4. ArcSight Enterprise Security Manager

ArcSight Enterprise Security Manager helps identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities. Formerly sold under the HP brand, it has now merged with Micro Focus, another HP subsidiary.

Having been around for more than fifteen years, ArcSight is another immensely popular SIEM tool. It compiles log data from various sources and performs extensive data analysis, looking for signs of malicious activity. To make it easy to identify threats quickly, you can view the real-time analysis results.

ArcSight Command Center

Here’s a rundown of the product’s main features. It has powerful distributed real-time data correlation, workflow automation, security orchestration, and community-driven security content. The Enterprise Security Manager also integrates with other ArcSight products such as the ArcSight Data Platform and Event Broker or ArcSight Investigate. This is another enterprise-grade product–like pretty much all quality SIEM tools–that will require that you contact ArcSight’s sales team to get pricing information.

5. McAfee Enterprise Security Manager

McAfee is certainly another household name in the security industry. However, it is better known for its virus protection products. The Enterprise Security Manager is not just software. It is actually an appliance. You can get it in virtual or physical form.

In terms of its analytics capabilities, the McAfee Enterprise Security Manager is considered one of the best SIEM tools by many. The system collects logs across a wide range of devices. As for its normalization capabilities, it is also top notch. The correlation engine easily compiles disparate data sources, making it easier to detect security events as they happen.

McAfee Enterprise Security Manager

In truth, there’s more to the McAfee solution than just its Enterprise Security Manager. To get a complete SIEM solution you also need the Enterprise Log Manager and Event Receiver. Fortunately, all products can be packaged in a single appliance. For those of you who may want to try the product before you buy it, a free trial is available.

6. IBM QRadar

IBM, possibly the best-known name in the IT industry, has managed to establish its SIEM solution, IBM QRadar, as one of the best products on the market. The tool empowers security analysts to detect anomalies, uncover advanced threats and remove false positives in real-time.

IBM QRadar boasts a suite of log management, data collection, analytics, and intrusion detection features. Together, they help keep your network infrastructure up and running. There is also risk modeling analytics that can simulate potential attacks.

IBM QRadar Dashboard

Some of QRadar’s key features include the ability to deploy the solution on-premises or in a cloud environment. It is a modular solution and one can quickly and inexpensively add more storage or processing power. The system uses intelligence expertise from IBM X-Force and integrates seamlessly with hundreds of IBM and non-IBM products.

IBM being IBM, you can expect to pay a premium price for their SIEM solution. But if you need one of the best SIEM tools on the market, QRadar might very well be worth the investment.

In Conclusion

The only problem you risk having when shopping for the best Security Information and Event Management (SIEM) tool is the abundance of excellent options. We’ve just introduced the best six. All of them are excellent choices. The one you’ll choose will largely depend on your exact needs, your budget and the time you’re willing to put into setting it up. Alas, the initial configuration is always the hardest part and this is where things can go wrong, for if a SIEM tool is not properly configured, it won’t be able to do its job properly.

Read 6 Best Security Information and Event Management (SIEM) Tools Worth Checking Out in 2018 by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter