Packet Sniffers

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

The term sniffer became part of the networking world via NAI's Sniffer Pro (originally Network General's Sniffer Pro ). Its definitely the cadillac of sniffers. Microsoft makes available netmon.exe which ships with NT and Windows 2000 server. It is a restricted packet sniffer that will only capture packets inbound to the server. There is an unlimited version which ships with SMS.

There are many sniffers available as freeware or shareware. Some of these are heavily used in the hacker or penetration team communities.

  • Wireshark is the best known freeware sniffer.
  • NGSSniff is a network packet capture and analysis program. It requires Windows 2000 or XP, and allows users to capture, save and analyse traffic on their network. The current version of NGSSniff is a BETA test version, and is thus provided free of charge.
  • Snort packet sniffer is the basis of many tools include IDSs. Key tool. This links to my snort resource page.
  • One of the better sniffers from the Unix world is dsniff. It requires libpcap, a packet driver. Dsniff thus has to be installed using a process that requires a reboot. Its worth the effort. Dnsiff's primary advantage is its ability to automatically detect and parse application protocols, capturing only authenication packets. There is a windows version of dsniff available. Because of its focus, dsniff is definitely a hacker or penetration testing team tool.
  • Sniffing FAQ
  • sniffing networks for passwords penetration testing. unix, freeware
  • Ettercap : freeware multipurpose sniffer/interceptor/logger for switched LAN (Oct 2001)
    It's possible to sniff in four modes using ettercap:
    • IP Based, the packets are filtered on IP source and dest
    • MAC Based, packets filtered on mac address, useful to sniff connections through gateway
    • ARP based, uses arp poisoning to sniff in switched lan between two hosts (full-duplex)
    • PublicARP based, uses arp poisoning to sniff in switched lan from a victim host to all other hosts (half-duplex).
  • Sniffer.pl: detect the presence of the WinPcap packet capture device driver
    snort, WinDump, Ethereal, and L0phtCrack3 require the use of the device driver
  • Sniffit: packet sniffer for TCP/UDP/ICMP packets
      The above is a decent small list of sniffers with some focus on Windows. For an extensive encompassing list, I would check Packetstorm's Sniffer page.

      Also check out Javvin’s Map of Communication Protocols

    • See Also

      Featured Links