Scan tools
20 years 2 months ago #5172
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Scan tools
Ethereal is absolutely incredible for analysis.. I like Iris, but it has two problems:
1. It costs a lot of money...
2. It doesn't scale well with large amounts of data.
As an example, I might use Iris for a quick look at the network, but when you're dealing with *large* traces... like maybe a 60 MB packet capture from www.honeynet.org , you just can't do any analysis in Iris.
Ethereal has TCP stream reassembly, session slicing, conversation lists at all layers.... etc etc..
Plus, as Chris said, Ethereal decodes *many* more protocols.. If you ever look at the protocol decodes list.. you'll lose your mind.
Last but probably most important -- BPF -- the packet filtering capabilities.. you just don't get this anywhere else other than tcpdump... plus you get capture filters AND display filters.
If you want to breathe the wire... there is no substitute.
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
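The capture-filter versus display-filter distinction Sahir raises is worth seeing in code. This is an added example, not part of the post above and not Ethereal's or tcpdump's own code: a capture filter is a classic-BPF program that runs on the raw frame bytes before the packet is copied out of the kernel, while a display filter is a predicate over fully decoded fields of packets already in the trace. The script builds a few constructed Ethernet/IPv4/TCP frames, interprets a hand-written BPF program in the text form `tcpdump -d` prints (assumed to match the IPv4 branch of `tcp port 80`; written from memory, not generated by tcpdump), and then applies a display-filter-style predicate to the decoded result. All addresses, ports and helper names are illustrative.

```python
import re
import struct

SYN, ACK = 0x02, 0x10

def frame(src_ip, dst_ip, sport, dport, flags, frag_off=0):
    """Build an Ethernet/IPv4/TCP frame with no payload (constructed input)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,  # ports, seq, ack
                      5 << 4, flags, 65535, 0, 0)        # data offset, flags, window, csum, urg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, frag_off, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

# Constructed sample trace: an HTTP handshake, an SSH SYN, and a non-first IP fragment.
FRAMES = [
    frame("10.0.0.5", "93.184.216.34", 40001, 80, SYN),
    frame("93.184.216.34", "10.0.0.5", 80, 40001, SYN | ACK),
    frame("10.0.0.5", "10.0.0.9", 40002, 22, SYN),
    frame("10.0.0.5", "93.184.216.34", 40001, 80, ACK),
    frame("10.0.0.5", "93.184.216.34", 40003, 80, SYN, frag_off=0x0010),
]

# Hand-written classic-BPF program in the text form `tcpdump -d` prints. Assumed to
# correspond to the IPv4 part of `tcp port 80` (written from memory, not generated by
# tcpdump). Instruction (005) rejects non-first fragments: they carry no TCP header,
# so a port check on them would read payload bytes instead of ports.
BPF_TCP_PORT_80 = """
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 12
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 12
(004) ldh      [20]
(005) jset     #0x1fff          jt 12   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldh      [x + 14]
(008) jeq      #0x50            jt 11   jf 9
(009) ldh      [x + 16]
(010) jeq      #0x50            jt 11   jf 12
(011) ret      #262144
(012) ret      #0
"""

def run_bpf(program, pkt):
    """Interpret the classic-BPF subset used above on raw frame bytes.
    True means the program returned a non-zero length, i.e. the frame is kept."""
    insns = [re.match(r"\(\d+\)\s+(\w+)\s+(.*)", l).groups() for l in program.strip().splitlines()]
    a = x = pc = 0

    def load(off, size):  # a load past the end of the frame rejects the packet
        return None if off + size > len(pkt) else int.from_bytes(pkt[off:off + size], "big")

    while True:
        op, arg = insns[pc]
        arg = arg.strip()
        if op == "ret":
            return int(arg.lstrip("#"), 0) != 0
        if op in ("ldh", "ldb"):  # A = half-word or byte at [k] or [x + k]
            m = re.match(r"\[(x \+ )?(\d+)\]", arg)
            a = load(int(m.group(2)) + (x if m.group(1) else 0), 2 if op == "ldh" else 1)
            if a is None:
                return False
            pc += 1
        elif op == "ldxb":  # X = 4 * (byte[k] & 0xf): the IPv4 header length in bytes
            b = load(int(re.match(r"4\*\(\[(\d+)\]&0xf\)", arg).group(1)), 1)
            if b is None:
                return False
            x, pc = 4 * (b & 0xF), pc + 1
        elif op in ("jeq", "jset"):  # branch to the jt or jf target
            k, jt, jf = re.match(r"#(\S+)\s+jt (\d+)\s+jf (\d+)", arg).groups()
            k = int(k, 0)
            pc = int(jt) if ((a == k) if op == "jeq" else bool(a & k)) else int(jf)
        else:
            raise ValueError(f"unsupported opcode {op}")

def decode(pkt):
    """Decode Ethernet/IPv4/TCP into named fields, the view a display filter works on."""
    if pkt[12:14] != b"\x08\x00":
        return None
    ihl, proto = (pkt[14] & 0xF) * 4, pkt[23]
    frag = struct.unpack("!H", pkt[20:22])[0] & 0x1FFF
    fields = {"ip.src": ".".join(map(str, pkt[26:30])), "ip.dst": ".".join(map(str, pkt[30:34])),
              "ip.proto": proto, "ip.frag_offset": frag}
    if proto == 6 and frag == 0:  # only a first fragment has a TCP header to decode
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", pkt[t:t + 4])
        flags = pkt[t + 13]
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport,
                       "tcp.flags.syn": bool(flags & SYN), "tcp.flags.ack": bool(flags & ACK)})
    return fields

def capture(frames, program):
    """Capture filter: BPF runs on raw bytes; rejected frames never reach the trace."""
    return [f for f in frames if run_bpf(program, f)]

def display(trace, predicate):
    """Display filter: a predicate over decoded fields of frames already in the trace."""
    return [d for d in map(decode, trace) if d and predicate(d)]

if __name__ == "__main__":
    trace = capture(FRAMES, BPF_TCP_PORT_80)
    print(f"{len(trace)} of {len(FRAMES)} frames pass the capture filter 'tcp port 80'")
    # Display-filter equivalent of: tcp.flags.syn == 1 && tcp.flags.ack == 0
    for d in display(trace, lambda d: d.get("tcp.flags.syn") and not d.get("tcp.flags.ack")):
        print("SYN", d["ip.src"], d["tcp.srcport"], "->", d["ip.dst"], d["tcp.dstport"])
```

Two practical points fall out of running it. The SSH frame never reaches the trace, so no display filter can bring it back; that is the cost of a tight capture filter on a live capture. And the fragmented frame is dropped by the `tcp port` program even though it belongs to an HTTP flow, which is why a port-based capture filter misses fragmented traffic and why a display filter over the reassembled, decoded trace is the better place to do selective analysis.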