A packet analyzer is computer software, and sometimes hardware, that can intercept and log digital network traffic. As data streams flow across the network, the packet analyzer captures each packet and decodes and analyzes its content according to the appropriate RFC or other specification. Packet analyzers are also referred to as network analyzers, protocol analyzers, and sniffers.
Packet sniffers are versatile tools. For network maintenance, you can use them to monitor network usage, gather and report network statistics, and debug client/server communications and network protocol implementations. Security uses include analyzing network problems and detecting network intrusion attempts. In an offensive mode, packet sniffers allow you to gather information for effecting a network intrusion and to spy on other network users. More controversial uses include collecting sensitive information such as passwords (depending on what content encryption, if any, is in use) and reverse engineering proprietary protocols used over the network.
Tcpdump is a popular packet analyzer with a command-line interface. It captures and displays TCP/IP packets (as well as other protocols) on the monitoring system's network segment. The program is frequently used to troubleshoot network applications, but it can also be used to debug problems with the network itself, usually by detecting problems in the routing configuration. Tcpdump can also intercept network communications originating from another computer: by running tcpdump on a computer acting as a router or gateway, the user can display unencrypted information (such as that sent with Telnet or HTTP), including login IDs, passwords, URL requests, website content, and any other unencrypted data.
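To make concrete what "decode and analyze the content according to the appropriate RFC" means, and what a gateway-side sniffer sees in unencrypted traffic, here is a small decoder added to this article as an example. It is not tcpdump's code or any other project's code. It walks Ethernet II, IPv4 (RFC 791) and TCP (RFC 793) headers from raw frame bytes, verifies the IPv4 header checksum (RFC 1071), and reports when a segment carries credentials or data in cleartext, which is the audit check a defender runs to find protocols that need to be replaced with encrypted ones. The sample frame, the addresses in it, and the list of cleartext ports are constructed for the example.

```python
"""Minimal packet decoder of the kind a packet analyzer performs.

Decodes Ethernet II, IPv4 (RFC 791) and TCP (RFC 793) headers from raw frame
bytes, verifies the IPv4 header checksum (RFC 1071), and flags segments that
expose credentials or data in cleartext, which is what a sniffer on a gateway
sees. Illustrative code added to this article; not tcpdump's or any project's.
"""
import struct
from typing import Optional

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
# Well-known ports whose protocols carry data unencrypted (assumed list for the example).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; pass the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Walk the headers layer by layer and return the decoded fields."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": dst.hex(":"), "eth_src": src.hex(":"), "ethertype": ethertype}
    if ethertype != ETH_P_IP:
        return out  # not IPv4: stop at layer 2, as tcpdump does for types it cannot decode
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum,
     saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    hdr = bytearray(ip[:ihl])
    hdr[10:12] = b"\x00\x00"  # recompute over the header with the checksum field zeroed
    out.update({"ip_src": ".".join(map(str, saddr)),
                "ip_dst": ".".join(map(str, daddr)),
                "ip_proto": proto, "ttl": ttl,
                "ip_checksum_ok": ipv4_checksum(bytes(hdr)) == csum})
    if proto != IPPROTO_TCP:
        return out
    tcp = ip[ihl:total_len]  # honour total_len so Ethernet padding is excluded
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4  # data offset is in 32-bit words
    out.update({"tcp_src_port": sport, "tcp_dst_port": dport, "tcp_seq": seq,
                "tcp_flags": flags, "payload": tcp[doff:]})
    return out


def find_cleartext_exposure(decoded: dict) -> Optional[str]:
    """Return a finding if the segment carries cleartext credentials or data, else None."""
    payload = decoded.get("payload", b"")
    if not payload:
        return None
    if b"Authorization: Basic " in payload:
        return "HTTP Basic credentials in cleartext"
    for port in (decoded.get("tcp_dst_port"), decoded.get("tcp_src_port")):
        if port in CLEARTEXT_PORTS:
            return f"{CLEARTEXT_PORTS[port]} payload in cleartext"
    return None


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed test frame (not a real capture): 10.0.0.5:40000 -> 10.0.0.80:80, PSH/ACK.
    The TCP checksum is left at zero; only the IPv4 header checksum is filled in."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                         IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip_hdr + tcp


if __name__ == "__main__":
    frame = build_sample_frame(b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n"
                               b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
    decoded = decode_frame(frame)
    print({k: v for k, v in decoded.items() if k != "payload"})
    print(find_cleartext_exposure(decoded))
```

The checksum step matters: a real analyzer reports a bad IPv4 checksum rather than silently decoding garbage, and the decoder here does the same through `ip_checksum_ok`. The cleartext finding is deliberately coarse (port plus a header pattern); a production audit would decode the application protocol as well.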
Wireshark, originally known as Ethereal, was renamed in May 2006 because of trademark issues. It is used for network troubleshooting, analysis, software and communications development, and education. Although Wireshark is similar to tcpdump, it offers many more sorting and filtering options as well as a graphical front end. The user can see all of the traffic being sent over the network, which is usually Ethernet, although support for other network types is being added.
Ettercap is a network protocol analyzer and security auditing tool for Windows and UNIX. It can capture traffic, including passwords, on a network segment and can be used to perform active eavesdropping. The software supports active and passive analysis of a number of common protocols, including encrypted ones, and provides other network and host analysis features as well. Ettercap has four operating modes: (1) IP-based, in which packets are filtered by source and destination IP address; (2) MAC-based, in which packets are filtered by MAC address (useful for analyzing connections through a gateway); (3) ARP-based, which uses ARP poisoning to monitor a full-duplex switched LAN connection between two hosts; and (4) PublicARP-based, which also uses ARP poisoning on a switched LAN but is intended for monitoring half-duplex traffic between a victim host and other servers.
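The two ARP-based modes work by rebinding a victim's IP address to the eavesdropper's MAC address in the ARP caches of the hosts involved, and that rebinding is also what a defender can watch for. The following passive monitor is an example added to this article, not Ettercap's code or any project's code. It parses Ethernet/ARP frames (RFC 826), remembers the first MAC address seen for each sender IP, and alerts when a later ARP message claims a different MAC for the same IP or when the ARP sender MAC disagrees with the Ethernet source MAC. The frames, addresses and seeded gateway binding are constructed for the example.

```python
"""ARP monitor that flags the IP-to-MAC rebinding produced by ARP poisoning.

Parses Ethernet/ARP (RFC 826) frames, keeps the first MAC seen for each
sender IP, and raises an alert when a later message claims a different MAC
for that IP or when the ARP sender MAC disagrees with the Ethernet source MAC.
Illustrative code added to this article; not Ettercap's or any project's code.
"""
import struct
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_frame(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
                    eth_src: Optional[str] = None) -> bytes:
    """Constructed Ethernet/ARP frame (not a capture). eth_src lets a test set a mismatched L2 source."""
    smac, tmac = mac_bytes(sender_mac), mac_bytes(target_mac)
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else tmac  # requests are broadcast, replies unicast
    eth = eth_dst + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      smac, ip_bytes(sender_ip), tmac, ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet hardware / IPv4 protocol addresses are handled
    return {"eth_src": src.hex(":"), "op": op, "sha": sha.hex(":"),
            "spa": ".".join(map(str, spa)), "tha": tha.hex(":"), "tpa": ".".join(map(str, tpa))}


class ArpMonitor:
    """Passive detector: remembers the first MAC seen per IP and alerts on changes."""

    def __init__(self, static: Optional[dict] = None):
        # Pre-seed with known bindings (e.g. the gateway) so the first spoofed reply already alerts.
        self.table = dict(static or {})

    def observe(self, frame: bytes) -> list:
        alerts = []
        pkt = parse_arp(frame)
        if pkt is None:
            return alerts
        if pkt["sha"] != pkt["eth_src"]:
            alerts.append(f"ARP sender {pkt['sha']} differs from Ethernet source {pkt['eth_src']}")
        known = self.table.get(pkt["spa"])
        if known is None:
            self.table[pkt["spa"]] = pkt["sha"]
        elif known != pkt["sha"]:
            # Keep the original binding so every further spoofed message keeps alerting.
            alerts.append(f"{pkt['spa']} moved from {known} to {pkt['sha']} (possible ARP poisoning)")
        return alerts


if __name__ == "__main__":
    mon = ArpMonitor(static={"10.0.0.1": "aa:aa:aa:aa:aa:01"})
    frames = [
        build_arp_frame(ARP_REPLY, "aa:aa:aa:aa:aa:01", "10.0.0.1", "bb:bb:bb:bb:bb:05", "10.0.0.5"),
        build_arp_frame(ARP_REPLY, "cc:cc:cc:cc:cc:ff", "10.0.0.1", "bb:bb:bb:bb:bb:05", "10.0.0.5"),
    ]
    for f in frames:
        for alert in mon.observe(f):
            print("ALERT:", alert)
```

A legitimate event such as a gateway failover to a standby device also changes the MAC for an IP, so in practice the alert is a prompt to confirm the binding against an authoritative inventory rather than a verdict on its own; seeding the table with static entries for critical hosts, as the example does for the gateway, keeps the first spoofed reply from being accepted as the baseline.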