DEFEND YOUR DATA

Sniffers
A sniffer can be an IT admin’s greatest tool or a hacker’s greatest weapon! A network sniffer is software or
hardware that intercepts and logs traffic passing over a digital network or part of a network. As data streams flow
across the network, the sniffer captures each packet and can decode and analyze its content, giving whoever runs it
access to all data crossing the network at that point. Sniffers are also called Network Monitors/Analyzers,
Protocol Analyzers, etc.

[Sniffer® is a registered trademark of Network General Corporation. The word "sniffer" is also commonly used as a generic name
for any software tool that captures and inspects network traffic packets]
   See Network General Corp Business Info
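What "captures each packet and decodes its content" looks like in practice, as an added example that is not code from this page or from any of the tools linked below: a minimal sniffer back end in Python. It reads a libpcap-format capture (the file format tcpdump -w and Wireshark write), decodes Ethernet/IPv4/TCP, verifies the IPv4 header checksum, and pulls an HTTP Basic credential out of a cleartext request. The capture is constructed in memory for the example; the MAC addresses, IP addresses, host name and the alice:hunter2 credential are made up.

```python
import base64
import struct

# Added example: a tiny sniffer back end. The capture below is CONSTRUCTED in
# memory for illustration; it is not a real recording and not code from the page.

LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header.
    Returns 0 when called on a header whose checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build an Ethernet II / IPv4 / TCP (PSH,ACK) frame carrying payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"            # EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                      64, 6, 0, ip(src_ip), ip(dst_ip))          # proto 6 = TCP, checksum 0 for now
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr + tcp


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian libpcap file (global header + one record per frame)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data: bytes):
    """Yield raw frames from a libpcap file, accepting either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap capture (magic %#x)" % magic)
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame: bytes):
    """Decode Ethernet/IPv4/TCP; return a dict, or None for anything else or a corrupt header."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6 or ipv4_checksum(frame[14:14 + ihl]) != 0:
        return None
    t = 14 + ihl
    sport, dport, _seq, _ack, doff, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
    return {
        "src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
        "src_ip": ".".join(map(str, frame[14 + 12:14 + 16])),
        "dst_ip": ".".join(map(str, frame[14 + 16:14 + 20])),
        "sport": sport, "dport": dport, "flags": flags,
        "payload": frame[t + (doff >> 4) * 4:],
    }


def find_basic_auth(pcap: bytes):
    """Return (client, server, user, password) for every HTTP Basic credential sent in the clear."""
    hits = []
    for frame in read_pcap(pcap):
        pkt = decode_frame(frame)
        if pkt is None or pkt["dport"] != 80:
            continue
        for line in pkt["payload"].split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                user, _, pw = base64.b64decode(line.split(None, 2)[2]).partition(b":")
                hits.append((pkt["src_ip"], pkt["dst_ip"], user.decode(), pw.decode()))
    return hits


# Constructed sample: one cleartext HTTP request and its reply (addresses and credential made up).
SAMPLE_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.7", "10.0.0.80", 51234, 80, SAMPLE_REQUEST),
    build_tcp_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", "10.0.0.80", "10.0.0.7", 80, 51234,
                    b"HTTP/1.1 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    for f in read_pcap(SAMPLE_PCAP):
        p = decode_frame(f)
        print(f'{p["src_ip"]}:{p["sport"]} -> {p["dst_ip"]}:{p["dport"]} '
              f'flags=0x{p["flags"]:02x} {len(p["payload"])} payload bytes')
    print("credentials in the clear:", find_basic_auth(SAMPLE_PCAP))
```

Point it at a real file (for instance one of the Sample Captures linked under Wireshark) by replacing SAMPLE_PCAP with the file's bytes; only the classic little/big-endian libpcap format is handled here, not pcapng. The credential extraction is the whole threat in miniature: anything an application sends unencrypted is readable by whoever holds the capture, which is what guideline 5 below is about.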



_______________________________________________________________________________________________

Wireshark

License Info (GPL)

Home Page

Free Download  (vendor)
Free Download  (Sourceforge)

Wireshark Wiki

Sample Captures

Wireshark FAQ

Ethereal?  (Wireshark's former name)

_______________________________________________________________________________________________

Kismet (wireless)

License Info (GPL)

Home Page/Free Download
Cygwin Download
AirPcap Downloads  (Windows packet capture drivers)

Kismet on Windows
Kismet Explained

_______________________________________________________________________________________________

Tcpdump/WinDump

Home Page  (Tcpdump for Unix/Linux)
Home Page  (WinDump for Windows)

Free Tcpdump Download  (Unix/Linux)
Free Libpcap Download

Free WinDump Download  (Windows)
Free WinPcap Download

_______________________________________________________________________________________________

Sniffer Detection/Prevention

How do you know if somebody is "sniffing" packets on the network? Sniffers tend to be passive: they don't transmit
any data of their own, they only capture (receive) data, so there is very little on the wire to give them away. How
can you prevent unauthorized use of sniffers? Bad guys use these network analyzers with malicious intent and they
can be very difficult to detect, so what can you do to protect your network?

Although detection tools can provide automated methods of detecting the presence of a sniffer on the network,
they are limited and may provide a false sense of security. As in many other parts of life, the best solution is
prevention. If a bad guy is not able to introduce a sniffer into the network, it won't be a problem. If he (or she)
does manage to install a sniffer and actually captures packets, you want to be assured that any confidential data
captured by the network analyzer cannot be read by unauthorized individuals.


Some basic guidelines:
1)   Enforce security on all desktop PCs so normal users don't have admin rights to install sniffers or to change
network card (NIC) settings to operate in promiscuous mode (which lets the card receive all packets it "sees", not
just the ones addressed to it)

2)   Enforce facility security so that only authorized personnel have access to network gear such as switches
and routers. If a bad guy can physically access the switch and connect to a port, there is a potential for sniffing.

3)   Never use hubs... always use switches! Hubs broadcast traffic on all ports, making it easy to sniff packets!
A switch only makes casual sniffing harder, though: an attacker on the same segment can still redirect traffic to
himself (e.g. by ARP spoofing or by flooding the switch's MAC table), so the other guidelines still apply.

4)   Ensure that switch configurations are locked down so that no port is mirrored. Port mirroring (SPAN) copies the
traffic of other ports to one port, which is exactly what a sniffer needs; without it a switch only forwards unicast
traffic to the port of its destination, not to every port on the switch. Also, make sure that passwords are changed
from the defaults and comply with strong password rules so that nobody can easily crack them, especially
administrative (root/enable) passwords.    See Port Mirroring.

5)   Make sure to always use encryption when transmitting confidential data across a network. Most bank sites
and other legitimate transaction-based sites already use strong encryption (most commonly SSL, today TLS), but
always be sure before sending any private data. This includes local network applications that require passwords,
in addition to any data being sent to remote networks, especially across the Internet. Remember, you may have the
most secure network ever, but if it relies on public networks such as the Internet, then it also relies on the
security of those networks.    See Network encryption page on this site and How to tell if a site is using SSL.
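The detection question above and guideline 1 both come down to one host-level check: is any local interface in promiscuous mode? Here, as an added example (not a tool from this page), is a Python script that reads the Linux interface flags from /sys/class/net/<iface>/flags (IFF_PROMISC is bit 0x100) and also parses the text of `ip -o link show`, where the kernel reports PROMISC in the angle-bracket flag list. The two `ip` output lines embedded in the script are constructed for the example.

```python
import os
import re

# Added example, not a tool from the page: spot-check local interfaces for
# promiscuous mode on Linux. Sample `ip -o link` output below is CONSTRUCTED.

IFF_PROMISC = 0x100   # from <linux/if.h>; set in dev->flags while an interface is promiscuous


def promisc_from_sysfs_flags(flags_text: str) -> bool:
    """Interpret the contents of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."  (veth names look like "eth0@if5:")
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)[^<]*<(?P<flags>[^>]*)>")


def promisc_from_ip_link(output: str) -> dict:
    """Parse `ip -o link show` text and return {interface: is_promiscuous}."""
    result = {}
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m:
            result[m.group("name")] = "PROMISC" in m.group("flags").split(",")
    return result


def scan_sysfs(root: str = "/sys/class/net") -> dict:
    """Read every interface's flags file under root; returns {} where sysfs is absent (non-Linux)."""
    found = {}
    if not os.path.isdir(root):
        return found
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                found[iface] = promisc_from_sysfs_flags(fh.read())
        except OSError:          # interface vanished or is not a netdev entry
            continue
    return found


def promiscuous_interfaces(status: dict) -> list:
    """Names of interfaces flagged promiscuous, sorted, from either scan result."""
    return sorted(name for name, promisc in status.items() if promisc)


# Constructed sample of `ip -o link show` output: lo normal, eth0 with a sniffer attached.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000"
    "\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000"
    "\\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff\n"
)

if __name__ == "__main__":
    print("from sample `ip -o link` text:", promiscuous_interfaces(promisc_from_ip_link(SAMPLE_IP_LINK)))
    live = scan_sysfs()
    print("from this host's sysfs:", promiscuous_interfaces(live) if live else "(no /sys/class/net here)")
```

Run it periodically, or alert on the kernel log line that reports a device entering promiscuous mode, as a spot check on machines you administer. It says nothing about a sniffer plugged into a mirror port, a tap or a hub, and remote detection tricks (the AntiSniff approach of provoking a response from a promiscuous host) are unreliable, which is why the page rates detection tools as limited and prevention as the real answer.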


Sniffer Basics
Whitepaper PDF  (Unverified PDF)

AntiSniff Whitepaper  (Outdated PDF?)

Sniffdet  (Unix/Linux-based detection tool that I haven't tested yet)