Monitoring Network Traffic Using Packet Sniffing Tools

Sunday, 17 July 2011

Network traffic is the flow of data across a network, wired or wireless.

A packet sniffer, or network analyzer, is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.

Who uses packet sniffers?
Packet sniffers are used in both white hat (legal) and black hat (illegal) activity.
A legal packet sniffer is a commercial device used to assist with network management and maintenance and to provide network security. It is also used as a diagnostic tool for network backup systems and to examine the network for any security breaches.
An illegal packet sniffer is used to gain unauthorized access to sensitive information and data on a network. It is installed without the knowledge of the IT administrator and hides in different areas of the network for the purpose of spying on and stealing the information packets that pass over the network.

How does a packet sniffer work?
When a computer sends data over the network, it sends it in the form of packets. These packets are chunks of data, each directed to a particular designated system: every piece of data sent has a predefined receiving point. Normally a system on a network is designed to receive and read only the data intended for it, but when a packet sniffer is installed on the network, it looks at all the data traveling across that network.

The packet-sniffing process involves a cooperative effort between software and hardware. It can be broken down into three steps:
  • Collection: the packet sniffer collects raw binary data from the wire. Typically this is done by switching the selected network interface into promiscuous mode, so that it accepts frames not addressed to it.
  • Conversion: the captured binary data is converted into a readable form.
  • Analysis: the packet sniffer takes the captured network data, identifies its protocol from the information extracted, and begins its analysis of that protocol's specific features.
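To make the conversion and analysis steps concrete, here is an added example (it is not code from the original post or from any of the tools listed below). It takes a raw Ethernet frame as bytes, as a sniffer would get it from the interface, decodes the Ethernet, IPv4 and TCP/UDP headers into readable fields, and then does a piece of protocol-specific analysis: a tcpdump-style one-line summary that also shows a cleartext HTTP request line when one is present. The frame is constructed by hand in build_sample_frame (hypothetical addresses, checksums left at zero), so nothing is captured from a real interface and the script runs anywhere.

```python
"""Decode a captured Ethernet frame the way a sniffer does after capture.

Added example (not from the original post). The sample frame is constructed by
hand; no network interface is opened and no checksums are computed.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_str(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(frame):
    """Step 2: parse Ethernet, IPv4 and TCP/UDP headers into a dict.

    Unknown EtherTypes or IP protocols are reported by number rather than
    raising (a sniffer must keep going on traffic it cannot dissect);
    truncated or malformed headers raise ValueError.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src)}
    if ethertype != ETHERTYPE_IPV4:
        info["protocol"] = f"ethertype 0x{ethertype:04x}"
        return info

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("malformed IPv4 header or length")
    info.update(src_ip=ipv4_str(s), dst_ip=ipv4_str(d), ttl=ttl)
    l4 = ip[ihl:total_len]  # transport header + payload, padding excluded

    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4  # upper nibble: header length in 32-bit words
        info.update(protocol="TCP", src_port=sport, dst_port=dport,
                    flags=[n for n, m in TCP_FLAGS if off_flags & m],
                    payload=l4[data_off:])
    elif proto == IPPROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        info.update(protocol="UDP", src_port=sport, dst_port=dport,
                    payload=l4[8:ulen])
    else:
        info["protocol"] = f"ip proto {proto}"
    return info


def http_request_line(payload):
    """Return the request line if the payload looks like cleartext HTTP."""
    if payload.startswith(HTTP_METHODS):
        return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return None


def summarize(info):
    """Step 3: a tcpdump-style one-liner plus protocol-specific detail."""
    proto = info["protocol"]
    if proto not in ("TCP", "UDP"):
        return f'{info["src_mac"]} > {info["dst_mac"]} {proto}'
    line = f'{info["src_ip"]}:{info["src_port"]} > {info["dst_ip"]}:{info["dst_port"]} {proto}'
    if proto == "TCP":
        line += " [" + ",".join(info["flags"]) + "]"
    request = http_request_line(info["payload"])
    if request:
        line += f" HTTP {request}"
    return line


def build_sample_frame(payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
    """Constructed sample: one TCP segment (PSH,ACK) carrying an HTTP request."""
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1, 0, 0x5018, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip + tcp


if __name__ == "__main__":
    print(summarize(decode_frame(build_sample_frame())))
```

Running it prints `192.168.1.10:49152 > 10.0.0.5:80 TCP [PSH,ACK] HTTP GET / HTTP/1.1`. The request line being readable at all is the point of the analysis step: anything a protocol puts on the wire in cleartext is visible to whoever runs the sniffer, which is why the defensive check is to look for such protocols in your own captures and move them to encrypted equivalents.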

Packet Sniffing Tools
Some popular tools for network analysis and packet sniffing are given below.

Wireshark - It is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types.

Tcpdump - It is one of the oldest network packet sniffers, originally written in 1987. Tcpdump works primarily on Unix-like operating systems, but there is a port of it that works on Windows as well. tcpdump is meant for experienced users, as this packet sniffer is a command-line utility. tcpdump can analyze network behavior and monitor applications that generate network traffic.
Microsoft Network Monitor - Microsoft Network Monitor is a free network packet sniffer. It works on Windows PCs and provides expert capability to see all the network traffic in real time in an intuitive GUI. Microsoft Network Monitor is actively maintained by Microsoft, is available as a completely free download, and has a dedicated support site. It can be used by beginners just to analyze their home network traffic, or by network administrators to analyze a complete organization network by sniffing network packets.

Kismet - Kismet is a console-based 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing and can even decloak hidden networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/tcpdump-compatible format, and even plot detected networks and estimated ranges on downloaded maps.

Capsa - It is a very comprehensive network packet sniffer that comes in both a free version and a paid version. The free version comes with tons of features and is good enough for home use as well as for small businesses. Capsa does effective network analysis in real time by sniffing network packets and analyzing them. The free version of Capsa lets you monitor 50 IP addresses at once, which makes this free packet sniffer especially useful for network administrators.

SniffPass - SniffPass is a very specific type of packet sniffer that focuses on capturing passwords from network traffic. When you turn on the SniffPass password sniffer, it keeps monitoring network traffic, and as soon as it intercepts a password it instantly shows it on screen. This is a great way to find forgotten passwords of websites.

Ettercap - Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

Dsniff - Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data. arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker. sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

EtherApe - EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are displayed color-coded.

Cain and Abel - Enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.

Ntop - Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.

NetworkMiner - NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for offline analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
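Several of the tools above share one on-disk format: Kismet logs in "Wireshark/tcpdump-compatible format", and NetworkMiner (like Wireshark) reads PCAP files for offline analysis. The following is an added example, not code from the original post or from any of these tools, that writes and reads that classic libpcap format: a 24-byte global header (magic 0xa1b2c3d4, version 2.4, snaplen, link type) followed by a 16-byte record header and the captured bytes for each packet. The two frames are constructed dummy byte strings, and the reader deliberately handles the two things that go wrong most often with capture files handed to an analyst: a file that was cut short mid-record, and a capture taken with a small snaplen so that frames on disk are shorter than they were on the wire.

```python
"""Write and read the classic libpcap capture file format.

Added example, not from the original post or from any tool it lists. The two
sample frames are constructed dummy bytes, not real traffic.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # magic as this writer stores it (little-endian host order)
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # how a big-endian writer's magic reads when unpacked as "<I"
LINKTYPE_ETHERNET = 1


def write_pcap(packets, snaplen=65535):
    """Serialize [(timestamp_seconds, frame_bytes), ...] into pcap bytes.

    Frames longer than snaplen are truncated on disk (incl_len < orig_len),
    exactly as a sniffer run with a small snapshot length records them.
    """
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        stored = frame[:snaplen]
        out.append(struct.pack("<IIII", sec, usec, len(stored), len(frame)))
        out.append(stored)
    return b"".join(out)


def read_pcap(data):
    """Parse pcap bytes in either byte order; stop cleanly at a truncated record."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    _major, _minor, _zone, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets = []
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):
            break  # record claims more bytes than exist: file cut short or corrupt
        packets.append({"ts": sec + usec / 1e6, "orig_len": orig_len,
                        "frame": data[offset:offset + incl_len]})
        offset += incl_len
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets}


# Constructed sample frames: not real traffic, just distinguishable byte strings.
SAMPLE_PACKETS = [
    (1310860800.5, bytes(range(60))),   # 60-byte frame
    (1310860801.25, b"\xaa" * 120),     # 120-byte frame
]


def roundtrip(snaplen=65535):
    """Write the samples and read them back; returns the parsed structure."""
    return read_pcap(write_pcap(SAMPLE_PACKETS, snaplen))


if __name__ == "__main__":
    cap = roundtrip(snaplen=96)
    for p in cap["packets"]:
        print(f'{p["ts"]:.6f} captured {len(p["frame"])} of {p["orig_len"]} bytes')
```

When reviewing a capture someone else produced, compare orig_len with the stored length before drawing conclusions from "missing" payload: a small snaplen silently drops the tail of every large frame, which is easy to mistake for truncated traffic on the wire.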