The term sniffer became part of the networking world via NAI's Sniffer Pro (originally Network General's Sniffer Pro). It's definitely the Cadillac of sniffers. Microsoft makes available netmon.exe, which ships with NT and Windows 2000 Server. It is a restricted packet sniffer that will only capture packets inbound to the server. There is an unlimited version which ships with SMS.
There are many sniffers available as freeware or shareware. Some of these are heavily used in the hacker or penetration team communities.
NGSSniff is a network packet capture and analysis program. It requires Windows 2000 or XP, and allows users to capture, save and analyse traffic on their network. The current version of NGSSniff is a BETA test version, and is thus provided free of charge.
The Snort packet sniffer is the basis of many tools, including IDSs. It is a key tool. This links to my Snort resource page.
One of the better sniffers from the Unix world is dsniff. It requires libpcap, a packet driver. Dsniff thus has to be installed using a process that requires a reboot. It's worth the effort. Dsniff's primary advantage is its ability to automatically detect and parse application protocols, capturing only authentication packets. There is a Windows version of dsniff available. Because of its focus, dsniff is definitely a hacker or penetration testing team tool.
Sniffing FAQ
Sniffing networks for passwords, penetration testing. Unix, freeware.
IP based: packets are filtered on IP source and destination.
MAC based: packets are filtered on MAC address, useful to sniff connections through a gateway.
ARP based: uses ARP poisoning to sniff in a switched LAN between two hosts (full-duplex).
PublicARP based: uses ARP poisoning to sniff in a switched LAN from a victim host to all other hosts (half-duplex).
Sniffer.pl: detects the presence of the WinPcap packet capture device driver.
Snort, WinDump, Ethereal, and L0phtCrack3 require the use of the device driver.
Sniffit: packet sniffer for TCP/UDP/ICMP packets
The above is a decent small list of sniffers with some focus on Windows. For a more extensive list, I would check Packetstorm's Sniffer page.
Also check out Javvin's Map of Communication Protocols.