Editing Packet analyzer (section)

==Capabilities==
On wired [[shared-medium network]]s, such as [[Ethernet]], [[Token Ring]], and [[FDDI]], depending on the network structure ([[Ethernet hub|hub]] or [[network switch|switch]]),<ref>{{Cite web |title = Network Segment Definition |url = http://www.linfo.org/network_segment.html |website = www.linfo.org |access-date = January 14, 2016 |archive-date = June 7, 2023 |archive-url = https://web.archive.org/web/20230607181215/http://www.linfo.org/network_segment.html |url-status = live }}</ref>{{efn|Some methods avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g., [[ARP spoofing]]).}} it may be possible to capture all traffic on the network from a single machine. On modern networks, traffic can be captured using a network switch using [[port mirroring]], which mirrors all packets that pass through designated ports of the switch to another port, if the switch supports port mirroring. A [[network tap]] is an even more reliable solution than to use a monitoring port since taps are less likely to drop packets during high traffic load.

On [[wireless LAN]]s, traffic can be captured on one channel at a time, or by using multiple adapters, on several channels simultaneously.

On wired broadcast and wireless LANs, to capture [[unicast]] traffic between other machines, the [[network adapter]] capturing the traffic must be in [[promiscuous mode]]. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the [[Service set (802.11 network)|service set]] the adapter is configured for are usually ignored. To see those packets, the adapter must be in [[monitor mode]].{{Citation needed|date=January 2012}} No special provisions are required to capture [[multicast]] traffic to a multicast group the packet analyzer is already monitoring, or [[Broadcasting (networking)|broadcast]] traffic.

When traffic is captured, either the entire contents of packets or just the [[header (computing)|header]]s are recorded. Recording just headers reduces storage requirements, and avoids some [[Privacy law|privacy legal issues]], yet often provides sufficient information to diagnose problems.

Captured information is decoded from raw digital form into a [[human-readable format]] that lets engineers review exchanged information. Protocol analyzers vary in their abilities to display and analyze data.

Some protocol analyzers can also generate traffic. These can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test the [[device under test]]'s ability to handle errors.<ref>{{Cite web |title=Lab Protocol Analyzers |url=https://www.amilabs.com/labanalyzers.htm |access-date=2023-06-30 |website=www.amilabs.com |archive-date=June 30, 2023 |archive-url=https://web.archive.org/web/20230630023940/https://www.amilabs.com/labanalyzers.htm |url-status=live }}</ref><ref>{{Cite web |last=shivakumar |date=2020-12-18 |title=Where is Protocol analyzer used? |url=https://prodigytechno.com/where-protocol-analyzer-is-used/ |access-date=2023-06-30 |website=Prodigy Technovations |language=en-US |archive-date=June 30, 2023 |archive-url=https://web.archive.org/web/20230630025446/https://prodigytechno.com/where-protocol-analyzer-is-used/ |url-status=live }}</ref>

Protocol analyzers can also be hardware-based, either in probe format or, as is increasingly common, combined with a disk array. These devices record packets or packet headers to a disk array.