There are many sniffers available as freeware or shareware. Some of these are heavily used in the hacker and penetration testing communities.
- Wireshark is the best known freeware sniffer.
- NGSSniff is a network packet capture and analysis program. It requires Windows 2000 or XP, and allows users to capture, save and analyse traffic on their network. The current version of NGSSniff is a BETA test version, and is thus provided free of charge.
- The Snort packet sniffer is the basis of many tools, including IDSs. A key tool. This links to my Snort resource page.
- One of the better sniffers from the Unix world is dsniff. It requires libpcap, a packet driver, so dsniff has to be installed using a process that requires a reboot. It's worth the effort. Dsniff's primary advantage is its ability to automatically detect and parse application protocols, capturing only authentication packets. There is a Windows version of dsniff available. Because of its focus, dsniff is definitely a hacker or penetration testing team tool.
- Sniffing FAQ
- Sniffing networks for passwords (penetration testing). Unix, freeware.
It's possible to sniff in four modes using ettercap:
- IP based: packets are filtered on source and destination IP address
- MAC based: packets are filtered on MAC address, useful to sniff connections through a gateway
- ARP based: uses ARP poisoning to sniff in a switched LAN between two hosts (full-duplex)
- PublicARP based: uses ARP poisoning to sniff in a switched LAN from a victim host to all other hosts (half-duplex)
Snort, WinDump, Ethereal, and L0phtCrack3 require the use of a packet capture device driver.
Also check out Javvin’s Map of Communication Protocols.