In this article we will take a look at the well-known concept of packet sniffing: how sniffers work, what they are commonly used for, and then the most widely used packet sniffers.

Note: The tools mentioned in this article should be used for educational purposes only.

What is a Packet Sniffer?

A packet sniffer is a program that captures the data transmitted over a network. Administrators use sniffers for diagnostics and troubleshooting; attackers use them to steal data in transit. In very simple terms, a sniffer sees all traffic, in both directions, that passes the point where it is attached. This is why the placement of a sniffer in an environment is crucial: it can only capture what reaches its own network interface. Another point to note is that packet sniffing applies to both wired and wireless networks.

How does a Packet Sniffer work?

First, we need to understand that packet sniffing can be either passive or active, and which one is needed depends on the sniffer's capabilities and on the network design. On a hub, every frame is repeated to every port, so a sniffer only has to listen (passive). On a switch, frames are forwarded only to the port that owns the destination MAC address, so a sniffer must either be handed a copy of the traffic (a mirror/SPAN port or a network tap) or actively redirect it, for example by ARP spoofing or by flooding the switch's MAC table until it falls back to hub-like behaviour (active). In both cases the sniffer works at the network adapter. Normally an Ethernet or wireless NIC discards frames that are not addressed to its own MAC address (apart from broadcast and multicast), so sniffers configure the NIC in promiscuous mode, in which every frame seen on the medium is passed up to the capture software. On wireless networks the equivalent is monitor (rfmon) mode, which captures raw 802.11 frames without associating to an access point.

What information can be retrieved from a sniffer?

Any data that passes over the network in clear text can be read by a sniffer. Imagine visiting an HTTP site that requires authentication: the username and password travel over insecure HTTP in clear text and can be captured. That might seem a minor risk now that most major websites use HTTPS, but the captured credentials are very often reused by the end user on other sites such as LinkedIn or Twitter. To add to the problem, imagine an end user sending credit card information over an insecure protocol. This also calls for the secure storage of cryptographic keys: if an attacker manages to steal a server's private key, it can be handed directly to a sniffer to decrypt captured communication. (For TLS this only works for sessions negotiated with RSA key exchange; with ephemeral Diffie-Hellman the session keys cannot be derived from the private key, which is exactly what forward secrecy is for.) Weak standards such as WEP are likewise vulnerable to sniffing.
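The decoding a sniffer performs on each raw frame, and what it can pull out of clear-text HTTP, as an added example that is not code from the original article. The Ethernet/IPv4/TCP frame, the addresses and the credentials in it are constructed inline so the script runs offline without a NIC in promiscuous mode; only the decoding functions reflect what a real sniffer does.

```python
"""Decode a captured Ethernet/IPv4/TCP frame and pull out clear-text HTTP credentials.

Added example, not code from the original article. Once the NIC is in
promiscuous mode the capture library hands the sniffer raw frames; the
functions below do the decoding a sniffer performs on each one. The frame,
addresses and credentials are constructed here so the script runs offline.
"""
import base64
import struct

# Ethernet II header: destination MAC, source MAC, EtherType 0x0800 (IPv4). Constructed values.
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")


def ipv4_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header, protocol 6 (TCP); checksum left zero, a sniffer ignores it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header: data offset 5, flags PSH|ACK, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)


# Constructed HTTP request with Basic authentication (user alice, password Winter2024!).
HTTP_REQUEST = (b"GET /admin HTTP/1.1\r\n"
                b"Host: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:Winter2024!") + b"\r\n"
                b"\r\n")

FRAME = (ETH_HDR
         + ipv4_header("192.0.2.10", "192.0.2.20", 20 + len(HTTP_REQUEST))
         + tcp_header(51000, 80)
         + HTTP_REQUEST)


def decode_frame(frame):
    """Parse Ethernet -> IPv4 -> TCP; return addresses, ports, flags and the TCP payload."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None                      # not IPv4 (ARP, IPv6, ...): a real sniffer has more decoders
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4           # IP header length in bytes (options are possible)
    if proto != 6:
        return None                      # not TCP
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off >> 4) * 4            # TCP header length in bytes
    return {
        "src": "%s:%d" % (".".join(map(str, src)), sport),
        "dst": "%s:%d" % (".".join(map(str, dst)), dport),
        "flags": flags,
        "payload": tcp[data_off:],
    }


def extract_basic_auth(payload):
    """Return (user, password) if the payload carries an HTTP Basic Authorization header.
    Over HTTPS the payload would be TLS ciphertext and this finds nothing."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            creds = base64.b64decode(line.split(b" ", 2)[2]).decode("utf-8", "replace")
            user, _, password = creds.partition(":")
            return user, password
    return None


def sniff_credentials(frames):
    """What a password sniffer does: decode each frame and report clear-text HTTP logins."""
    found = []
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt and pkt["dst"].endswith(":80"):
            creds = extract_basic_auth(pkt["payload"])
            if creds:
                found.append((pkt["src"], pkt["dst"], creds))
    return found


if __name__ == "__main__":
    for src, dst, (user, password) in sniff_credentials([FRAME]):
        print(f"{src} -> {dst}  user={user!r} password={password!r}")
```

The same frame sent to port 443 would carry a TLS record instead of the request text, and extract_basic_auth would return nothing; that difference is the entire value of HTTPS against a sniffer.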

Common uses of Sniffer

Sniffers are used to:

  • Capture packets in order to diagnose and investigate network problems such as congestion
  • Filter network traffic
  • Discover network misuse, vulnerabilities, malware, etc.
  • In unethical hands, steal confidential information exchanged between source and destination

Top Sniffing Tools list

Below is a list of some popular sniffers for both wired and wireless networks, with download links and documentation for each.

Wireshark

Wireshark (formerly known as Ethereal) is one of the most popular tools used today for network traffic analysis. It works on the sniffer concept discussed above: it captures every packet that reaches the NIC, which in promiscuous mode means everything on the segment, not only packets addressed to the host. It provides a coloring scheme to distinguish packets and can follow a full stream (TCP, UDP, TLS, HTTP) for a particular conversation. The default coloring rules show, for example, TCP traffic in light purple, UDP traffic (which includes DNS) in light blue, HTTP in light green and packets with problems such as bad checksums or retransmissions in black; the rules are editable. It can also decrypt TLS traffic on the fly if given the server's RSA private key (only for sessions that used RSA key exchange, not ephemeral Diffie-Hellman) or, more generally, a key log file containing the per-session secrets. Display filters let you drill down to a specific keyword, protocol, host or port within the packet stream. Sample capture files for practice are provided at https://wiki.wireshark.org/SampleCaptures.

Documentation: https://www.wireshark.org/docs/

Download from: https://www.wireshark.org/download.html

Tcpdump

Tcpdump is a very common command-line packet analyzer for most Unix-like operating systems. It uses libpcap to capture packets. It can print decoded packets to stdout, where grep-like tools can filter the text, or write the raw capture to a file (-w) that can be read back later (-r) by tcpdump itself or by Wireshark. Better still, a BPF filter expression such as "tcp port 80 and host 10.0.0.5" can be applied at capture time so that only the packets of interest are captured in the first place.
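The capture file format that tcpdump -w writes and Wireshark reads (the same pcap format Kismet logs to, below), plus a minimal stand-in for a capture filter, as an added example that is not tcpdump's own code. The two frames (a DNS query over UDP and an HTTP request over TCP) are constructed inline, so no root privileges or network interface are needed.

```python
"""Write a libpcap capture file (the format of tcpdump -w and Wireshark), read it back and
apply a capture filter to it.

Added example, not tcpdump's own code. The two frames (a DNS query over UDP and an
HTTP request over TCP) are constructed inline, so no root privileges or network
interface are needed; the resulting example.pcap opens in tcpdump -r or Wireshark.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap, written in native (here little-endian) order
LINKTYPE_ETHERNET = 1


def ethernet_ipv4(src_ip, dst_ip, proto, l4):
    """Ethernet II + minimal IPv4 header (checksum zero) around a transport segment."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4


def udp_segment(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_segment(sport, dport, data):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data


# Constructed traffic as (timestamp seconds, microseconds, frame bytes).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")     # A? example.com
FRAMES = [
    (1700000000, 0, ethernet_ipv4("192.0.2.10", "192.0.2.53", 17, udp_segment(40000, 53, DNS_QUERY))),
    (1700000000, 1500, ethernet_ipv4("192.0.2.10", "192.0.2.20", 6,
                                     tcp_segment(51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))),
]


def write_pcap(frames):
    """Serialize frames as a pcap file: 24-byte global header, then a 16-byte record
    header (ts_sec, ts_usec, captured length, original length) before each frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, data in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data))
        out += data
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap blob into (ts_sec, ts_usec, frame) tuples; the magic reveals the byte order."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # same magic seen byte-swapped: big-endian writer
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    _, _major, _minor, _, _, _snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        packets.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return packets


def matches(frame, proto=None, port=None):
    """Minimal stand-in for a BPF expression such as 'udp port 53' or 'tcp port 80'."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return False                                     # only IPv4 handled here
    ihl = (frame[14] & 0x0F) * 4
    ip_proto = frame[14 + 9]
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    if proto is not None and ip_proto != {"tcp": 6, "udp": 17}[proto]:
        return False
    if port is not None and port not in (sport, dport):
        return False
    return True


def filter_capture(blob, proto=None, port=None):
    """Like 'tcpdump -r file <expr>': keep only the records that match the filter."""
    return [rec for rec in read_pcap(blob) if matches(rec[2], proto, port)]


if __name__ == "__main__":
    blob = write_pcap(FRAMES)
    with open("example.pcap", "wb") as f:              # try: tcpdump -nr example.pcap 'udp port 53'
        f.write(blob)
    for ts_sec, ts_usec, frame in filter_capture(blob, "udp", 53):
        print("%d.%06d %d bytes matched 'udp port 53'" % (ts_sec, ts_usec, len(frame)))
```

The difference from a real BPF filter is where it runs: tcpdump compiles the expression and the kernel applies it before copying packets to user space, which is why filtering at capture time is far cheaper than capturing everything and grepping the output.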

libpcap man page (pcap(3), the capture library behind tcpdump): http://www.tcpdump.org/manpages/pcap.3pcap.html

Download from: http://www.tcpdump.org/#latest-release

There is a Windows version known as WinDump, which uses the WinPcap library. WinPcap is no longer maintained; current Windows builds of Wireshark use its successor, Npcap, instead.

Documentation: http://www.winpcap.org/windump/docs/manual.htm

Download from: http://www.winpcap.org/windump/install/default.htm

Kismet

Kismet is an open source wireless network sniffer and detector, capable of finding 802.11 (a/b/g and later) networks in range. Kismet is a passive sniffer: it never transmits, which lets it discover hidden (non-beaconing SSID) networks while remaining hard to detect itself. It works with wireless cards that support monitor mode; the adapter is put into rfmon mode and is not associated with any access point (AP), which means the interface Kismet is using cannot at the same time serve a normal network connection. Some features of Kismet include:

  • Logging in a format (pcap) compatible with tcpdump and Wireshark
  • 802.11 sniffing
  • Modular client/server architecture
  • Lightweight remote sniffing (remote capture sources feeding a central server)

Documentation: https://www.kismetwireless.net/documentation.shtml

Download from: https://www.kismetwireless.net/download.shtml


Ettercap

Ettercap is one of the oldest tools in this list but still a very useful one. It can intercept traffic on a network segment, capture passwords and eavesdrop on many protocols; unlike a purely passive sniffer, it also performs the active part needed on a switched network, such as ARP poisoning, to pull traffic through the attacker's host. It supports sniffing of live connections, content filtering on the fly, active and passive dissection of many protocols, and includes many features for network and host analysis. It works in two main modes:

  • Unified mode: sniffs all packets that pass through a single interface
  • Bridged mode: uses two interfaces and forwards traffic between them, so the host acts as a transparent inline bridge

Download from: http://ettercap.github.io/ettercap/downloads.html

Dsniff

It is a collection of tools written by Dug Song. Some of the members of the toolset include:

  • dsniff: a password sniffer that handles protocols such as FTP, Telnet, HTTP, SMTP, POP, IMAP, etc. It can save captured sessions to a Berkeley DB file (-w) and read them back later (-r).
  • dnsspoof: forges replies to DNS address and pointer queries on the local network, steering victims to the attacker's host.
  • webmitm: transparently proxies and sniffs HTTP/HTTPS traffic redirected to it by dnsspoof, capturing SSL-encrypted logins and form submissions by presenting its own certificate.
  • sshmitm: proxies and sniffs SSH traffic redirected to it by dnsspoof, capturing password logins; it supports SSH protocol version 1 only.

Other members include filesnarf, macof (floods a switch with bogus MAC addresses so it falls back to hub-like forwarding), mailsnarf, sshow, tcpkill, tcpnice, urlsnarf, etc.

Documentation: http://linux.die.net/man/8/dsniff

Download from: https://www.monkey.org/~dugsong/dsniff/

inSSIDer

It is a Wi-Fi sniffer that is now available in a commercial version only. It is available for both Windows and OS X (beta version). It scans for wireless networks with your Wi-Fi adapter and lists a lot of useful information about each network, such as signal strength, channel use and security type. Strictly speaking it is a Wi-Fi scanner rather than a packet sniffer: it reports the adapter's scan results instead of capturing frames in monitor mode. It operates very similarly on Windows and OS X.

Download from: http://www.metageek.com/products/inssider/

Documentation: https://support.metageek.com/hc/en-us/articles/204158620-inSSIDer-Office-User-Guide

Cain and Abel

Many of you might wonder what Cain and Abel is doing in this list, as it is a popular password cracking tool, but it includes a full sniffing component to obtain passwords in the first place. It is designed for Windows only. It captures with WinPcap and ships with capture filters built in by default, since it is mainly built to sniff passwords and other authentication material from the network; to do so on a switched network it uses ARP poison routing (APR) to insert itself between hosts. It supports various protocols such as FTP, HTTP, IMAP, etc.

Download from: http://www.oxid.it/cain.html

Documentation: http://www.oxid.it/ca_um/topics/features.htm

Capsa

Capsa (by Colasoft) comes in both a free and a commercial version and is designed for Windows only. It works in three stages: data capture, data analysis and data output. In data capture, it captures packets through its NDIS and TDI protocol drivers. In data analysis, it processes the packets through its various analyzers, such as the HTTP analyzer, email analyzer, FTP analyzer, IM analyzer, etc., and presents the results in its GUI. Its features include:

  • Detection of DDoS, worm attacks, TCP scanning, etc.
  • Monitoring of multiple kinds of network behaviour, including HTTP, DNS, FTP, etc.
  • Powerful conversation analysis
  • In-depth packet decoding

Documentation: http://www.colasoft.com/support/capsa-doc.php

Download from: http://www.colasoft.com/capsa-free/

Aircrack-ng

Aircrack-ng is a suite of tools for capturing wireless traffic and then recovering keys: WEP keys, which are weak by design, and WPA/WPA2-PSK passphrases by dictionary attack against a captured four-way handshake. For WEP it follows this procedure:

  • With airmon-ng, the wireless interface is first put into monitor mode.
  • Then, with airodump-ng, information about the access points in range is collected.
  • Note the BSSID and channel of the AP to be sniffed.
  • Now airodump-ng is run again, locked to that BSSID and channel, to write the captured data frames to a file.
  • The process can be sped up with aireplay-ng, which replays captured ARP requests to the AP so that it generates new encrypted frames (new IVs) quickly.
  • Once enough data packets with distinct IVs have been captured (typically several tens of thousands; 50k is a common rule of thumb), aircrack-ng can recover the WEP key from the capture file.
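Why a passive capture of WEP frames is enough to break the encryption, as an added example that is not aircrack-ng's code and not its PTW key-recovery algorithm (which is what actually needs the tens of thousands of IVs above). It demonstrates the underlying weakness every WEP attack builds on: each frame is RC4-encrypted under IV || shared key, the 24-bit IV is sent in clear, and the first eight plaintext bytes of every data frame are a fixed LLC/SNAP header. The key, IVs, payloads and the attacker-chosen packet are constructed for the demonstration.

```python
"""Why a passive sniffer can break WEP: RC4 keystream reuse.

Added example, not aircrack-ng's code and not its PTW key-recovery algorithm (which
needs tens of thousands of captured IVs). It shows the underlying weakness every
WEP attack builds on: each frame is RC4-encrypted under IV || shared key, the
24-bit IV is sent in clear, and the first eight plaintext bytes of every data
frame are a fixed LLC/SNAP header. A sniffer therefore learns keystream bytes
for every IV it sees and can decrypt any frame whose IV it has a keystream for,
without ever learning the key. Key, IVs and payloads are constructed.
"""
import zlib

SNAP_HEADER = bytes.fromhex("aaaa030000000800")   # LLC/SNAP header preceding an IP payload
WEP_KEY = bytes.fromhex("0badc0ffee")             # constructed 40-bit key, unknown to the sniffer


def rc4(key, data):
    """Plain RC4: key scheduling, then keystream generation XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, payload):
    """WEP frame body: IV(3) | key id(1) | RC4_{IV||key}(payload | CRC-32 ICV)."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + b"\x00" + rc4(iv + key, payload + icv)


def wep_decrypt(key, body):
    """Legitimate receiver's view: needs the key, checks the ICV."""
    plain = rc4(body[:3] + key, body[4:])
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def learn_keystreams(captured, known_plaintexts):
    """Sniffer's view. captured: WEP frame bodies; known_plaintexts: {body: plaintext} for frames
    whose content the attacker chose (e.g. packets it sent to the victim so the AP would encrypt
    them). Returns keystream bytes per IV: 8 from the SNAP header for every frame, the full
    length where the plaintext is known."""
    keystreams = {}
    for body in captured:
        iv, ct = body[:3], body[4:]
        if body in known_plaintexts:
            p = known_plaintexts[body]
            stream = xor(ct, p + zlib.crc32(p).to_bytes(4, "little"))
        else:
            stream = xor(ct, SNAP_HEADER)
        if len(stream) > len(keystreams.get(iv, b"")):
            keystreams[iv] = stream
    return keystreams


def decrypt_without_key(body, keystreams):
    """Decrypt as much of a frame as the keystream known for its IV covers."""
    stream = keystreams.get(body[:3])
    return None if stream is None else xor(body[4:], stream)


def demo():
    """Constructed capture where the station's IV counter reuses 00:00:01 (24-bit IVs wrap,
    and some drivers restart from zero) and one frame carries attacker-chosen plaintext."""
    chosen = SNAP_HEADER + b"A" * 40                     # hypothetical ping body the attacker sent in
    secret = SNAP_HEADER + b"POST /login user=bob&pw=hunter2"
    iv_reused = b"\x00\x00\x01"
    captured = [
        wep_encrypt(WEP_KEY, b"\x00\x00\x00", SNAP_HEADER + b"unrelated traffic"),
        wep_encrypt(WEP_KEY, iv_reused, chosen),         # AP encrypted the attacker's packet
        wep_encrypt(WEP_KEY, b"\x00\x00\x02", SNAP_HEADER + b"more noise"),
        wep_encrypt(WEP_KEY, iv_reused, secret),         # victim's frame under the same IV
    ]
    keystreams = learn_keystreams(captured, {captured[1]: chosen})
    recovered = decrypt_without_key(captured[3], keystreams)[:len(secret)]
    # Even with no known plaintext at all, two frames under one IV XOR to the XOR of
    # their plaintexts, which is what the statistical attacks exploit at scale.
    leak = xor(captured[1][4:], captured[3][4:])
    return recovered, leak


if __name__ == "__main__":
    recovered, _ = demo()
    print("decrypted without the key:", recovered[len(SNAP_HEADER):])
```

With only 2^24 possible IVs, a busy network repeats them within hours even when the counter is random, and aireplay-ng's ARP replay exists precisely to make the AP burn through IVs faster; aircrack-ng then goes one step further than this example and recovers the shared key itself from the statistical relationship between the IVs and the first keystream bytes.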

Download from: https://www.aircrack-ng.org/downloads.html

Documentation: https://www.aircrack-ng.org/documentation.html

This article covered the most popular sniffing tools; it is not an exhaustive list.