Packet sniffer
A packet analyzer, or packet sniffer, is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet's raw data, showing the values of the various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.
Capabilities
On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic on all or just parts of the network from a single machine within the network; however, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g., ARP spoofing). For network monitoring purposes, it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port (port mirroring), whose purpose is to copy all packets passing through the switch's other ports to the port where the monitoring system is connected. Using a network tap is an even more reliable solution than using a monitoring port, since taps are less likely to drop packets during high traffic loads.
On wireless LANs, one can capture traffic on a particular channel.
On wired broadcast and wireless LANs, to capture traffic other than unicast traffic sent to the machine running the sniffer software, multicast traffic sent to a multicast group to which that machine is listening, and broadcast traffic, the network adapter being used to capture the traffic must be put into promiscuous mode; some sniffers support this, others do not. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set for which the adapter is configured will usually be ignored. To see those packets, the adapter must be in monitor mode (RFMON mode), which captures frames without the adapter having to associate with the network.
The captured information is decoded from raw digital form into a human-readable format that permits users of the protocol analyzer to easily review the exchanged information. Protocol analyzers vary in their abilities to display data in multiple views, automatically detect errors, determine the root causes of errors, generate timing diagrams, etc.
Some protocol analyzers can also generate traffic and thus act as the reference device; these can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test the ability of the device under test (DUT) to deal with error conditions.
Protocol analyzers can also be hardware-based, either in probe format or, as is increasingly common, combined with a disk array. These devices record packets (or a slice of each packet) to a disk array. This allows historical forensic analysis of packets without the user having to recreate any fault.
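As an added example, not code from the original article, the following Python decodes a constructed Ethernet II/IPv4/TCP frame by the header layouts of RFC 791 and RFC 793 and then models the receive filter described above: without promiscuous mode, only frames addressed to the host's own MAC, to a multicast group it has joined, or to broadcast would reach the sniffer. The frame bytes and HOST_MAC are constructed values, and the IP and TCP checksums are not verified.

```python
import struct

# Constructed sample frame, not a real capture: Ethernet II -> IPv4 -> TCP SYN to 192.168.1.1:443.
SAMPLE_FRAME = bytes.fromhex(
    "aabbcc000002" "aabbcc000001" "0800"   # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    "4500" "0028" "0001" "4000" "40" "06"  # ver 4/IHL 5, TOS, total len 40, id, DF, TTL 64, proto 6 (TCP)
    "0000" "c0a80164" "c0a80101"           # header checksum (not verified here), src IP, dst IP
    "d431" "01bb" "00000001" "00000000"    # src port 54321, dst port 443, seq, ack
    "5002" "0200" "0000" "0000"            # data offset 5, flags SYN, window 512, checksum, urgent ptr
)
HOST_MAC = "aa:bb:cc:00:00:01"  # assumed MAC of the machine running the sniffer
TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80))

def classify_dst(dst):
    """Destination class from the MAC: the I/G bit (low bit of the first octet)
    marks group (multicast) addresses; all ones is the broadcast address."""
    if dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"

def decode_frame(frame):
    """Decode Ethernet II, IPv4 (RFC 791) and TCP (RFC 793) headers into a dict,
    stopping at the first layer that is not IPv4/TCP; raises on truncation."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    pkt = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
           "dst_class": classify_dst(dst), "ethertype": ethertype}
    if ethertype != 0x0800:
        return pkt
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = ip[0], ip[9]  # fixed byte offsets from RFC 791
    ihl = (ver_ihl & 0x0F) * 4     # header length in bytes; options make it exceed 20
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    pkt.update(src_ip=".".join(map(str, ip[12:16])),
               dst_ip=".".join(map(str, ip[16:20])), proto=proto)
    if proto != 6:
        return pkt
    tcp = ip[ihl:]  # IHL, not a fixed 20, locates the transport header when options are present
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pkt.update(sport=sport, dport=dport, seq=seq,
               flags=[name for name, bit in TCP_FLAG_BITS if off_flags & bit])
    return pkt

def would_capture(pkt, host_mac, promiscuous=False, joined_groups=()):
    """Receive-filter model from the text: without promiscuous mode only frames to
    the host's own MAC, a joined multicast group, or broadcast reach the sniffer."""
    if promiscuous or pkt["dst_class"] == "broadcast":
        return True
    if pkt["dst_class"] == "multicast":
        return pkt["dst_mac"] in joined_groups
    return pkt["dst_mac"] == host_mac
```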
Uses
The versatility of packet sniffers means they can be used to:
- Analyze network problems
- Detect network intrusion attempts
- Detect network misuse by internal and external users
- Document regulatory compliance through logging all perimeter and endpoint traffic
- Gain information for effecting a network intrusion
- Isolate exploited systems
- Monitor WAN bandwidth utilization
- Monitor network usage (including internal and external users and systems)
- Monitor data-in-motion
- Monitor WAN and endpoint security status
- Gather and report network statistics
- Filter suspect content from network traffic
- Serve as primary data source for day-to-day network monitoring and management
- Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods that may be in use)
- Reverse engineer proprietary protocols used over the network
- Debug client/server communications
- Debug network protocol implementations
- Verify adds, moves and changes
- Verify internal control system effectiveness (firewalls, access control, Web filter, Spam filter, proxy)
Notable packet analyzers
- Capsa
- Cain and Abel
- dSniff
- Justniffer
- ettercap
- Microsoft Network Monitor
- ngrep (Network Grep)
- snoop
- tcpdump
- Wireshark (formerly known as Ethereal)
- Carnivore (FBI)
- Clarified Analyzer
- Congruity Inspector Software
- Fluke Lanmeter
- NetScout nGenius Infinistream
- NetScout Sniffer Global Analyzer
- NetScout Sniffer Portable Professional Analyzer
- Network Instruments Observer
- Niksun NetDetector
- OPNET Technologies ACE Analyst
- SkyGrabber
- WildPackets OmniPeek (old name AiroPeek, EtherPeek)
- Fiddler
See also
- Lanmeter
- Logic analyzer
- Network detector
- Network Security Toolkit
- Network tap
- Packet generation model
- Packet capture
- Bus analyzer