
Network Analyzers and Top Talkers for Windows

When diagnosing networking problems, it can be useful to have two tools on hand:

  • A "Top Talker" tool that will show what connections/hosts are using the most bandwidth.
  • A "Network Analyzer" that will capture and decode raw packets that are sent/received.

I recently tried out a few and here's my quick take. What I was really looking for was a "network debugger" to help figure things out when things go bad.
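To make the "Top Talker" category above concrete, here is an added example (not code from the post or from any of the tools reviewed) that does the core of what such a tool does: it takes per-packet summaries, credits each packet's length to both endpoints and to the bidirectional conversation it belongs to, and ranks the results. The packet records are constructed sample data, not a real capture; a real tool would feed in rows decoded from WinPcap or a pcap file instead.

```python
from collections import defaultdict

# Constructed sample packet summaries (not a real capture):
# (src_ip, src_port, dst_ip, dst_port, protocol, frame_length_bytes)
PACKETS = [
    ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 1500),
    ("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", 60),
    ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 1500),
    ("10.0.0.7", 53020, "192.0.2.1", 53, "udp", 80),
    ("192.0.2.1", 53, "10.0.0.7", 53020, "udp", 200),
    ("10.0.0.9", 40000, "198.51.100.2", 80, "tcp", 400),
    ("198.51.100.2", 80, "10.0.0.9", 40000, "tcp", 1400),
    ("198.51.100.2", 80, "10.0.0.9", 40000, "tcp", 1400),
]


def conversation_key(src, sport, dst, dport, proto):
    """Return a direction-independent key so that request and reply
    packets of the same connection land in the same bucket."""
    a = (src, sport)
    b = (dst, dport)
    if a > b:
        a, b = b, a
    return (proto, a, b)


def top_hosts(packets, n=5):
    """Rank hosts by total bytes sent plus received.

    Ties are broken by address so the result is deterministic."""
    totals = defaultdict(int)
    for src, _sport, dst, _dport, _proto, length in packets:
        totals[src] += length
        totals[dst] += length
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_conversations(packets, n=5):
    """Rank bidirectional conversations (proto + both endpoints) by bytes."""
    totals = defaultdict(int)
    for src, sport, dst, dport, proto, length in packets:
        totals[conversation_key(src, sport, dst, dport, proto)] += length
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def report(packets, n=5):
    """Render both rankings with each entry's share of total traffic."""
    total = sum(p[5] for p in packets) or 1
    lines = ["Top hosts (bytes, share):"]
    for host, nbytes in top_hosts(packets, n):
        lines.append(f"  {host:<15} {nbytes:>7} {100 * nbytes / (2 * total):5.1f}%")
    lines.append("Top conversations (bytes, share):")
    for (proto, a, b), nbytes in top_conversations(packets, n):
        lines.append(f"  {proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]} "
                     f"{nbytes:>7} {100 * nbytes / total:5.1f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PACKETS))
```

Per-host shares divide by twice the total because every packet is charged to two hosts; per-conversation shares divide by the total once. Swap the constructed list for decoded capture rows and the same two functions give the Top Talker view the tools below are compared on.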

Note: Many of these tools use the WinPcap kernel mode device driver. I'm typically pretty paranoid about kernel mode device drivers, but the WinPcap guys seem like they know what they're doing. If you ever want to turn off their driver, just run "net stop npf".

OmniPeek Personal

Powerful free version of WildPackets' commercial network analyzer. Has a lot of different, useful analysis views and "experts" to dig into packets, plus all analysis can be done while a capture is in progress. If you're going to only install one tool, this is probably it. OmniPeek installs its own kernel mode device driver, but at least it doesn't run unless you're actively using OmniPeek.

Wireshark

Formerly known as Ethereal, this is a popular open source network analyzer. Very feature-filled, but I found the UI to be somewhat rougher than OmniPeek's. Lots of nice features though, especially reconstruction of TCP conversations and a few Top Talker views. It did seem slower to analyze than OmniPeek, even for a surprisingly small capture. Uses WinPcap.

SmartSniff

Very clean UI with only one view of complete conversations (as opposed to individual packets). No real protocol decoding. Small and light, but not really meant to be used to dig into problems. Still, the conversation view is very easy to use. Uses WinPcap.

PRTG Traffic Grapher

PRTG's main focus is bandwidth consumption, so it handily solves the Top Talker scenario and has the most bandwidth reporting of all the tools I tried. Unfortunately, it has some quirks: it runs two separate processes on your machine (and causes some Service Control Manager Event Log warnings due to this odd behavior), and it doesn't use the regular WinPcap driver, but another instance of the driver under another name, WOEM_3_2. Ultimately, I think the OS integration could use a little more polish.

Show Traffic

Simple, straightforward UI to show Top Talkers. Small, lightweight tool, but the UI appears to update too often, slowing things down. Uses WinPcap.

ntop

Lots of powerful web-based bandwidth reports. The Windows version is only a limited demo unless you recompile it from source code or register the software (I couldn't exactly tell whether a donation is required or merely suggested). Or maybe this version doesn't have these requirements (but do you really want to run a non-official version?). Uses WinPcap.

Conclusion

For now I'm going to go with OmniPeek Personal as a real Swiss Army knife to investigate any problem. As a backup, I'll install WinPcap ahead of time in case I want to run one of the other tools. :-)
