Packet sniffer

A packet sniffer (also known as a network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.

Capabilities

On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic on all or just parts of the network from a single machine within the network; however, there are methods (e.g. ARP spoofing) that get around the narrowing of traffic by switches and give access to traffic from other systems on the network. For network monitoring purposes it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through all ports of the switch. When systems (computers) are connected to a switch port rather than a hub, the analyzer will be unable to read the data because of the intrinsic nature of switched networks. In this case a shadow port must be created in order for the sniffer to capture the data.


On wireless LANs, one can capture traffic on a particular channel.


On wired broadcast and wireless LANs, in order to capture traffic other than unicast traffic sent to the machine running the sniffer software, multicast traffic sent to a multicast group to which that machine is listening, and broadcast traffic, the network adapter being used to capture the traffic must be put into promiscuous mode; some sniffers support this, others don't. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set for which the adapter is configured will usually be ignored; in order to see those packets, the adapter must be put into monitor mode.
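The receive filter described above can be modelled in a few lines. This is an added example, not part of the original article: it assumes an exact-match multicast filter (real adapters often use a coarser hash filter), does not model wireless service sets or monitor mode, and all MAC addresses and frames are constructed.

```python
BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def classify_destination(dst):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    if dst == BROADCAST:
        return "broadcast"
    # The least-significant bit of the first octet is the group bit.
    return "multicast" if dst[0] & 0x01 else "unicast"

def nic_delivers(frame, own_mac, groups, promiscuous=False):
    """True if the adapter would pass this Ethernet frame up to the host."""
    if promiscuous:
        return True                      # address filter is switched off
    dst = frame[:6]                      # destination MAC comes first
    kind = classify_destination(dst)
    if kind == "broadcast":
        return True
    if kind == "multicast":
        return dst in groups             # only groups the host has joined
    return dst == own_mac

def visible_frames(frames, own_mac, groups, promiscuous=False):
    """Names of the frames a sniffer on this adapter would get to see."""
    return [name for name, frame in frames
            if nic_delivers(frame, own_mac, groups, promiscuous)]

def make_frame(dst, src, ethertype=0x0800):
    """Constructed minimum-size frame: header plus 46 zero payload bytes."""
    return dst + src + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample data (locally administered unicast addresses).
OWN, PEER, OTHER = (mac("02:00:00:00:00:0%d" % n) for n in (1, 2, 3))
JOINED = mac("01:00:5e:00:00:fb")        # multicast group the host joined
NOT_JOINED = mac("01:00:5e:01:02:03")    # multicast group it did not join
FRAMES = [
    ("to_us", make_frame(OWN, PEER)),
    ("broadcast", make_frame(BROADCAST, PEER, 0x0806)),
    ("joined_group", make_frame(JOINED, PEER)),
    ("other_group", make_frame(NOT_JOINED, PEER)),
    ("peer_to_other", make_frame(OTHER, PEER)),
]
```

Calling `visible_frames(FRAMES, OWN, {JOINED})` returns only the first three frames; with `promiscuous=True` all five are returned.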


Uses

The versatility of packet sniffers means they can be used to:

  • Analyze network problems.
  • Detect network intrusion attempts.
  • Gain information for effecting a network intrusion.
  • Monitor network usage.
  • Gather and report network statistics.
  • Filter suspect content from network traffic.
  • Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use).
  • Reverse engineer protocols used over the network.
  • Debug client/server communications.
  • Debug network protocol implementations.


Example uses

  • A packet sniffer for a token ring network could detect that the token has been lost or the presence of too many tokens (verifying the protocol).
  • A packet sniffer could detect that messages are being sent to a network adapter; if the network adapter did not report receiving the messages then this would localize the failure to the adapter.
  • A packet sniffer could detect excessive messages being sent by a port, detecting an error in the implementation.
  • A packet sniffer could collect statistics on the amount of traffic (number of messages) from a process detecting the need for more bandwidth or a better method.
  • A packet sniffer could be used to extract messages and reassemble into a complete form the traffic from a process, allowing it to be reverse engineered.
  • A packet sniffer could be used to diagnose operating system connectivity issues with services such as web, FTP, SQL, Active Directory, etc.
  • A packet sniffer could be used to analyse data sent to and from secure systems in order to understand and circumvent security measures, for the purposes of penetration testing or illegal activities.
  • A packet sniffer can passively capture data going between a web visitor and the web servers, decode it at the HTTP and HTML level and create web log files as a substitute for server logs and page tagging for web analytics.
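Two of the uses listed above, decoding captured packets according to their specification and collecting per-sender traffic statistics to spot excessive senders, combined in one sketch. This is an added example, not part of the original article: it decodes only the IPv4 header (RFC 791), the 50% threshold is an arbitrary assumption, and the capture is constructed in code rather than read from a network.

```python
import socket
import struct
from collections import Counter

def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, payload_len, proto=6):
    """Constructed test packet: 20-byte header plus zero-filled payload."""
    addrs = socket.inet_aton(src) + socket.inet_aton(dst)
    head = struct.pack("!BBHHHBB", 0x45, 0, 20 + payload_len, 0, 0, 64, proto)
    csum = ipv4_checksum(head + b"\x00\x00" + addrs)
    return head + struct.pack("!H", csum) + addrs + bytes(payload_len)

def decode_ipv4(packet):
    """Decode the IPv4 header; return None if truncated or corrupt."""
    if len(packet) < 20:
        return None
    ver_ihl, _, length, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return None
    if ipv4_checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        return None
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "length": length}

def traffic_stats(packets):
    """Packets and bytes per source address; bad packets are skipped."""
    count, volume = Counter(), Counter()
    for info in filter(None, map(decode_ipv4, packets)):
        count[info["src"]] += 1
        volume[info["src"]] += info["length"]
    return count, volume

def excessive_senders(packets, share=0.5):
    """Sources that sent more than `share` of all decoded packets."""
    count, _ = traffic_stats(packets)
    total = sum(count.values())
    return sorted(s for s, n in count.items() if n / total > share)

# Constructed capture using documentation addresses (RFC 5737).
CAPTURE = ([build_ipv4("192.0.2.10", "198.51.100.1", 100)] * 6
           + [build_ipv4("192.0.2.20", "198.51.100.1", 40)] * 2
           + [b"\x45\x00\x00"])             # truncated packet, skipped
```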


See also

  • The following tables compare general and technical information for several packet sniffer software utilities. ...
  • A network tap is the common name for test access port (TAP), a hardware device which plugs directly into the network cable and sends a copy of the network traffic to another device. ...
  • A logic analyzer displays signals in a digital circuit that are too fast to be observed by a human being and presents it to a user so that the user can more easily check correct operation of the digital system. ...
  • dSniff is a packet sniffer and set of traffic analysis tools written by Dug Song, a computer security researcher at the University of Michigan. ...
  • Ettercap is an open source software tool for computer network protocol analysis and security cracking. ...
  • Kismet is a network detector, packet sniffer, and intrusion detection system for 802. ...
  • Microsoft Network Monitor 3 is a protocol analyzer. ...
  • NetStumbler is a tool for Windows that facilitates detection of Wireless LANs using the 802. ...
  • Network Instruments develops software and hardware solutions for analyzing and managing network and application performance, such as network analyzers. ...
  • The original packet sniffer was developed by Network General Corporation in the 1986. ...
  • snoop (software) is a very flexible packet sniffer for Sun Microsystems Solaris Operating System. ... Solaris is a computer operating system developed by Sun Microsystems. ...
  • tcpdump is a common computer network debugging tool that runs under the command line. ...
  • OmniPeek is part of WildPackets Omni³ System. ...
  • In computing, Wireshark (formerly known as Ethereal) is a free software protocol analyzer, or packet sniffer application, used for network troubleshooting, analysis, software and protocol development, and education. ...


The Wikipedia article included on this page is licensed under the GFDL.