A network sniffer (also known as a network analyzer, protocol analyzer or packet analyzer) is a software or hardware tool that can intercept and log traffic on a digital network.
As data flows across the network, the sniffer captures each packet and, if necessary, decodes the packet’s raw data. Once a packet is captured, the sniffer can display the values of its various fields, analyze its content and flag anything potentially malicious as defined by the system administrator’s specifications or security best practices.
The functionality of protocol analyzers varies in several ways, including their ability to display data in multiple views, automatically detect errors, determine an error’s root cause, generate timing diagrams, etc.
Besides analyzing input, certain protocol analyzers can also generate output for testing purposes, which can be fed back to the device being analyzed. In this way, the device can be checked for correct functionality and for whether it recovers gracefully from errors in the protocol.
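The capture, decode and flag sequence described above, as an added example that is not from the original post or from any of the tools it lists: a stdlib-only Python decoder for Ethernet II / IPv4 / TCP frames, followed by an ngrep-style regex rule set that flags credentials crossing the wire in cleartext. The frame bytes, rule names and patterns are constructed for illustration.

```python
import re
import socket
import struct

ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6

# Assumed rule set for this example: ngrep-style regexes over TCP payloads that flag cleartext credentials.
SUSPICIOUS = {
    "ftp-cleartext-login": re.compile(rb"^(USER|PASS) ", re.M),
    "http-basic-auth": re.compile(rb"^Authorization: Basic ", re.M),
}

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet II / IPv4 / TCP frame for testing (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP into named fields, stopping at the first layer not handled."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    fields = {"ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return fields  # not IPv4 (or truncated): leave the rest undecoded
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    fields.update(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst), ttl=ttl, proto=proto)
    if proto != IPPROTO_TCP:
        return fields
    tcp = frame[14 + ihl:14 + total_len]  # total_len bounds the segment; Ethernet padding is dropped
    if len(tcp) < 20:
        return fields  # truncated or malformed segment: report the IP layer only
    sport, dport, _, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = max((off_flags >> 12) * 4, 20)  # clamp a malformed data offset
    fields.update(sport=sport, dport=dport, flags=off_flags & 0x1FF, payload=tcp[data_off:])
    return fields

def flag_frame(frame):
    """Return the names of rules whose pattern matches the TCP payload (empty list if none)."""
    payload = decode_frame(frame).get("payload", b"")
    return [name for name, rx in SUSPICIOUS.items() if rx.search(payload)]

if __name__ == "__main__":
    # Constructed FTP login: a PASS command sent in cleartext toward port 21.
    frame = build_frame("10.0.0.5", "10.0.0.9", 51000, 21, b"PASS example\r\n")
    print(decode_frame(frame)["dst"], flag_frame(frame))  # prints: 10.0.0.9 ['ftp-cleartext-login']
```

A real sniffer reads frames from libpcap or a capture file instead of build_frame; the decoder and rule logic stay the same.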
Packet sniffers are very versatile. They can be used for a number of things, including:
- Analyzing problems with the network and detecting attempts at network intrusion, as well as misuse of the network by both internal and external users
- Documenting regulatory compliance by logging all perimeter and endpoint traffic
- Preventing or rebuffing unauthorized network intrusions
- Isolating exploited systems
- Monitoring unusual spikes in WAN bandwidth utilization, network usage (by internal and external users and systems) and data in motion
- Monitoring the status of WAN and endpoint security systems
- Filtering and flagging suspicious content
- Acting as a day-to-day network monitoring and management tool
- Spying on network users and collecting sensitive information such as login credentials (depending on the content encryption method in use)
- Reverse engineering proprietary network communication protocols
- Debugging client/server software communications and network protocol implementations
- Verifying network changes
- Verifying the effectiveness of internal security tools: firewalls, access control, web filters, spam filters, proxies, etc.
Popular Free Sniffer Software
Wireshark (once known as Ethereal) is an open source network protocol analyzer for Unix and Windows. It allows you to interactively browse data from a live network or from a capture file saved on disk. It has powerful features, including a rich display filter language and the ability to view reconstructed TCP session streams, with support for hundreds of protocols and media types. A console version named tethereal is included as well. Keep it up to date, however, as outdated versions can contain security vulnerabilities.
Kismet is a console-based (ncurses) 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It finds networks by passive sniffing; more active network-finding tools include NetStumbler. Kismet can also find in-use hidden networks (those that do not beacon). The program can automatically find network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets; log traffic in Wireshark/TCPDump-compatible formats; plot detected networks; and estimate ranges on downloaded maps. These capabilities make Kismet a common tool for wardriving (searching for Wi-Fi wireless networks from a moving vehicle).
Tcpdump is the granddaddy of Unix packet sniffers, and is still in many ways the foundation for a whole host of newer, sometimes shinier tools, being the source of the ever-present libpcap packet capture library. This classic utility is a great choice when you just need something simple and stable with low overhead and don’t want to waste time messing with a GUI or an overly sophisticated parser. Tcpdump is actively maintained, with a real focus on bug fixing, stability, and portability instead of adding flashy features. There’s even a Windows port called “WinDump.”
Cain and Abel
Cain and Abel is a free, sophisticated, broadly capable password recovery program for Windows operating systems. This tool can do everything related to recovering passwords, from sniffing networks, to cracking encrypted ones with brute-force, dictionary, or cryptanalytic attacks, to recording VoIP traffic in the hope of catching passwords spoken aloud. Cain and Abel can also reveal cached or scrambled passwords and the contents of password entry boxes, and comes with many more network- and workstation-focused features, all of which are described in the thorough documentation.
Ettercap is a terminal-based network sniffer, interceptor, and logger that is meant to add security for your computer and for Ethernet LANs. Ettercap supports active and passive dissection of important data and protocols, and it can inject data into an established connection while keeping that connection synchronized. Many modes are implemented in Ettercap to give you a powerful security suite for your computer, and additional plug-ins are supported. Ettercap can also check whether you are connected to a LAN other than your original one; in short, it can use fingerprints to tell you about the LAN’s geometry.
Dsniff is a suite of network auditing and penetration-testing tools from Dug Song. These tools include dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy, which passively monitor networks for data such as passwords, e-mail, and files. arpspoof, dnsspoof, and macof allow interception of network traffic normally inaccessible to an attacker. sshmitm and webmitm exploit weak bindings in ad hoc PKI to create active monkey-in-the-middle attacks. This is a fantastic suite that handles almost all of your password sniffing needs.
NetStumbler is the most widely-used Windows-based “wardriving” tool. This active sniffer is more obtrusive than passive sniffers such as Kismet, but also may be more successful at finding open access points. Although the program is closed-source, it is available free of charge, as is a WinCE version for PDAs called “Ministumbler.”
Ntop is a network traffic usage monitor that shows network usage in much the same way that top shows processes. Interactive mode shows the network status on the user’s terminal. When used in Web mode, it acts as a Web server and creates an HTML dump of the network status. It also includes a NetFlow/sFlow emitter/collector, an HTTP-based client interface for making ntop-centric monitoring applications, and RRD for persistent storage of traffic statistics.
As the name suggests, ngrep is like grep for networks. Specify regular expressions or hexadecimal strings, and ngrep will search through packets, whether TCP, UDP, or ICMP, for matches. Ngrep can be used on traffic over just about any kind of network interface, from PPP, SLIP, FDDI, Token Ring, and null interfaces to the ubiquitous Ethernet. Ngrep is built upon the familiar libpcap and recognizes Berkeley Packet Filter logic, so it’s especially easy to come to grips with for users of tools like tcpdump or snoop.
EtherApe, inspired by the etherman utility, is a graphical network monitor for Unix systems with a color-coded network protocol display. EtherApe supports all common network interfaces (or will read traffic dumps from files) and can operate at the link layer, IP, or TCP level, displaying host and link activity with sizes that change in real time according to traffic volume; users can apply filters to the traffic to be displayed.
KisMac is a GUI passive wireless stumbler for Mac OS X. KisMac has many of the features of Kismet, albeit with a completely different codebase. KisMac has an attractive GUI and existed before Kismet was ported to OS X. KisMac also offers mapping, Pcap-format import and logging, and some decryption and deauthentication attacks.
It is one of our goals, at Monitis, to provide system and network administrators with utilities that can make their networks more secure and minimize their downtime. If you want to be sure that your networks are up, one of the best ways to do this is by using a round the clock monitoring service. We can provide this for you with our hosted internal and external network monitoring service. In catastrophic scenarios like firewall or network failure, in-house monitoring can be ineffective. Monitis’ monitoring services will notify you of network issues even if the network itself is completely dark.