A packet analyzer (also known as a network analyzer, protocol analyzer or sniffer, or for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and, as needed, decodes and analyzes its content according to the appropriate RFC or other specifications.
Capabilities
On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic on all or just parts of the network from a single machine within the network; however, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g. ARP spoofing). For network monitoring purposes it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through all ports of the switch. When systems (computers) are connected to a switch port.
On wireless LANs, one can capture traffic on a particular channel.
On wired broadcast and wireless LANs, to capture traffic other than unicast traffic sent to the machine running the sniffer software, multicast traffic sent to a multicast group to which that machine is listening, and broadcast traffic, the network adapter being used to capture the traffic must be put into promiscuous mode; some sniffers support this, others don't. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set for which the adapter is configured will usually be ignored. To see those packets, the adapter must be in monitor mode.
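The decoding step described in the introduction (parsing each captured packet's headers according to the RFC that defines them) and the delivery rule above (what a non-promiscuous adapter would hand to the sniffer: its own unicast, joined multicast groups, and broadcast) are illustrated by the following added example. It is not code from the article or from any of the analyzers it names; the frame it decodes is constructed inline, with checksums left at zero.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame: bytes) -> dict:
    # Ethernet II: 6-byte destination, 6-byte source, 2-byte EtherType
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": etype, "payload": frame[14:]}

def parse_ipv4(pkt: bytes) -> dict:
    # RFC 791 header; IHL is honoured so options are skipped and trailing padding is dropped
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or len(pkt) < total:
        raise ValueError("malformed IPv4 header")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": proto, "payload": pkt[ihl:total]}

def parse_tcp(seg: bytes) -> dict:
    # RFC 793 header; the data offset locates the payload past any options
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": seg[(off_flags >> 12) * 4:]}

def seen_without_promiscuous(dst_mac: str, own_mac: str, joined_groups: set) -> bool:
    # A non-promiscuous adapter delivers only its own unicast, joined multicast groups and broadcast
    if dst_mac == BROADCAST:
        return True
    if int(dst_mac[:2], 16) & 1:  # I/G bit set: group (multicast) address
        return dst_mac in joined_groups
    return dst_mac == own_mac

# Constructed sample (not a real capture): TCP SYN 10.0.0.1:40000 -> 10.0.0.2:80, checksums left zero
TCP_HDR = struct.pack("!HHIIHHHH", 40000, 80, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP_HDR), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + IP_HDR + TCP_HDR
```

Chaining the three parsers over SAMPLE_FRAME yields the SYN's addresses, ports and flags; feeding a truncated or non-IPv4 buffer to parse_ipv4 raises instead of silently misreading fields.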
Uses
The versatility of packet sniffers means they can be used to:
- Gain information for effecting a network intrusion
- Gather and report network statistics
- Filter suspect content from network traffic
- Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use)
- Debug client/server communications
- Debug network protocol implementations
Notable packet analyzers
- NetScout Sniffer Portable Professional Analyzer
- WildPackets OmniPeek (old name AiroPeek, EtherPeek)
Example uses
A packet sniffer:
- can be used in education to demonstrate how network protocols work
- is often used in the development and debugging of networking software
- for a token ring network, can detect that the token has been lost or the presence of too many tokens (verifying the protocol)
- can detect that messages are being sent to a network adapter; if the network adapter did not report receiving the messages then this would localize the failure to the adapter
- can detect excessive messages being sent by a port, detecting an error in the implementation
- can collect statistics on the amount of traffic (number of messages) from a process, revealing the need for more bandwidth or a better method
- can extract the messages of a process and reassemble its traffic into a complete form, allowing the protocol to be reverse engineered
- can be used to diagnose operating system connectivity issues involving protocols such as HTTP, FTP, SQL, Active Directory, etc.
- can passively capture data going between a web visitor and the web servers, decode it at the HTTP and HTML level and create web log files as a substitute for server logs and page tagging for web analytics