Network Monitoring/Sniffing Tools

Modified 14 March October 2008

There's a variety of general types:

• Capture all packets on wire, provide very nice analysis of protocols (e.g., Wireshark, formerly called Ethereal)
• Show general characteristics of traffic on the LAN (e.g., EtherApe or ntop)
• Only show counts of packets to/from the host itself (e.g., iptraf)

A wonderful archive is: http://packetstormsecurity.org/sniffers/

Also see my wireless LAN security section

On with my lists. First, wireful LAN monitoring and analysis tools, divided by operating system: Then, wireless LAN/WAN monitoring, discovery, and analysis tools.

LAN Monitoring Tools

UNIX / Linux / BSD LAN Monitoring Tools

• Wireshark, formerly called Ethereal, is really the very best tool, short of a dedicated piece of hardware costing US$ 20,000 or more — http://www.wireshark.org/
• My biggest complaint with Wireshark is the difficult of building filter strings, particularly for new users. Note that Wireshark uses the same filter syntax as tcpdump, and that is well-documented if you have an Internet connection: See the tcpdump manual page
• Other tools include:
  • ntop — included with Linux, BSD, and addable to others — http://www.ntop.org/
  • Clownix — Linux-specific — http://clownix.net/
  • EtherApe — http://etherape.sourceforge.net/
  • tcpview — ftp://ftp.digital.com/pub/net/misc/tcpview/
  • Esniff — ftp://coombs.anu.edu.au/pub/net/log
  • RealSecure — http://www.iss.net/RealSecure
  • SniffIt — http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
  • solsniff (For Solaris) — http://www.packetstormsecurity.com/sniffers/
  • iptraf — http://cebu.mozcom.com/riker/iptraf/
  • Etherfind (for SunOS 4.1.X)
  • Snoop (Comes with Solaris)
  • Packetman, Interman, Etherman, and Loadman — ftp://ftp.cs.curtin.edu.au:/pub/netman/

DOS/Windows LAN Monitoring Tools

• Wireshark works on Windows as well — http://www.wireshark.org/ — although you'll also need the WinPcap port of libpcap — http://netgroup-serv.polito.it/winpcap/
• Other tools include:
  • The Unix-based tcpdump has been ported to Windows: http://netgroup-serv.polito.it/windump/
  • There's a GUI-based sniffer Analyzer http://netgroup-serv.polito.it/analyzer/
  • ETHDUMP captures packets, then ETHLOAD loads them up and lets you browse. See http://www.ping.be/ethload or else ftp://ftp.germany.eu.net/pub/networking/inet/ethernet/ethdp103.zip and ftp://ftp.germany.eu.net/pub/networking/monitoring/ethload/ethld104.zip
  • Commercial tools are available:
    • Network Associates's products (formerly Network General) are top-of-the-line — http://www.sniffer.com/ or +1-800-SNIFFER.
    • Lancope makes security and network monitoring tools: http://www.lancope.com/
    • Network Observer — also supports WLAN — http://www.networkinstruments.com/
    • Klos Technologies, Inc. has PacketView. http://www.klos.com/ +1-603-714-4305.
    • Frontline Test Equipment, +1-800-359-8570.
    • Microsoft's Net Monitor. http://www.microsoft.com

Beware a false sense of security based on switches

• A switch does not provide security by partitioning a LAN. The dsniff toolkit includes arpspoof, which uses ARP trickery to confuse hosts about the mappings between IP and MAC addresses. The attacker can get all datagrams sent to a sniffing host, which grabs copies and possibly modifies contents before sending them to the legitimate hardware addresses.
  • http://naughty.monkey.org/~dugsong/dsniff/
  • http://www.packetstormsecurity.com/sniffers/dsniff/
• ALso be aware that some tools (dsniff, mailsnarf, webspy) understand application-layer protocols and make it easy to capture and analyze telnet and FTP logins and passwords, web traffic, mail, etc.

Wireless LAN/WAN Monitoring and Security

Here is a useful introduction to wireless networking and the security issues: http://en.wikipedia.org/wiki/802.11b

Note that wireless monitoring tools can be extremely dependent on chipset — make sure that your planned software and WLAN card will get along.

The Trifinite Group has information on wireless security, including RFIDiot and other RFID security tools and information: http://www.trifinite.org/

• Free sniffers for UNIX / Linux / BSD —
  • Kismet — http://freshmeat.net/projects/kismet/ and http://www.kismetwireless.net/
  • AirSnort — recover encryption keys from sniffed WLAN packets — http://freshmeat.net/projects/airsnort/ and http://airsnort.shmoo.com/
  • BSD-Airtools — BSD-specific 802.11b auditing toolkit — http://freshmeat.net/projects/bat/ and http://www.dachb0den.com/projects/bsd-airtools.html
  • WaveStumbler — http://www.cqure.net/tools.jsp?id=08
  • Aircrack —
    • Main page: http://www.cr0.net:8040/code/network/aircrack/
    • Software only: http://100h.org/wlan/aircrack/
  • Wellenreiter — http://freshmeat.net/projects/wellenreiter/ and http://www.remote-exploit.org/
• Free sniffers for Mac OS —
  • KisMAC — looks to be the most powerful utility, all the features of the other MacOS ones and even more — http://www.binaervarianz.de/projekte/programmieren/kismac/
  • MacStumbler — http://www.macstumbler.com
  • iStumbler — http://homepage.mac.com/alfwatt/istumbler/index.html
• Free sniffers for Windows —
  • Net Stumbler — http://www.netstumbler.com/
  • Aircrack —
    • Main page: http://www.cr0.net:8040/code/network/aircrack/
    • Software only: http://100h.org/wlan/aircrack/
• Commercial tools — divided into categories:
  • Packet Sniffing and War-Driving Tools
    • Security System War Driving Kit from AirTouch Network includes sniffing software, 802.11b adapter, and antenna — http://www.airtouchnetworks.com/
  • Vulnerability Assessment Tools — more than just sniffing
    • ISS Wireless Scanner — http://www.iss.net/ — displays access point information, identified wireless clients.
    • AirMagnet Handheld/Laptop Analyzer — http://www.airmagnet.com/
    • WaveSecurity's WaveScanner — http://www.wavesecurity.com/
  • Traffic Monitoring and Analysis Tools — and also consider the free tool Wireshark and
    • Sniffer Wireless — http://www.sniffer.com/
    • AiroPeek — real-time analyzer for 802.11a and 802.11b, Windows XP/2000 — http://www.wildpackets.com/
  • WLAN Intrusion Detection Tools
    • Air Defense — http://www.airdefense.net/
    • StillSecure Border Guard — 802.11 gateway with intrusion detection and content filtering — http://www.stillsecure.com/
• WLAN attack tools:
  • WEP is, of course, well known to be weak. In 2007 three researchers announced an attack that required just 1 minute of WLAN data collection and 3 seconds of cryptanalysis on a 1.75 GHz Pentium:
    — The announcement and
    — The paper at http://eprint.iacr.org/2007/120.pdf
  • Black Alchemy's Fake AP "generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables." http://www.blackalchemy.to/project/fakeap/
  • Josh Wright's file2air — http://home.jwu.edu/jwright/code/file2air-0.1.tar.bz2
  • Void11, which implements some basic 802.11 attacks. Network DOS: flood WLAN with de-authentication packets and spoofed BSSIDs. Access point DOS: flood APs with authentication packets and random station addresses. http://www.wlsec.net/void11/
• Hotspot directories — among many others see:
  • http://intel.jiwire.com/
  • http://www.wi-fihotspotlist.com/
  • http://www.wifinder.com/
  • http://www.hotspot-locations.com/
  • http://www.wifi411.com/
• Antennas, access point modification, building your own WLAN, etc.
  • A great collection of antenna pages: http://www.wlan.org.uk/antenna-page.html
  • Loads more info: http://www.wlan.org.uk/page2.html
  • Connecting to Orinoco WLAN cards: http://www.chem.hawaii.edu/uham/hnet.html
  • Many antenna designs: http://www.seattlewireless.net/index.cgi/AntennaHowTo
  • Much more on waveguide/can antennas, complete with engineering data and calculators:
    • http://flakey.info/antenna/waveguide/
    • http://www.turnpoint.net/wireless/cantennahowto.html
  • Cantenna comparisons: http://www.turnpoint.net/wireless/has.html
  • Helical antenna: http://www.hfun.org/antenna/index.shtml
  • Trevor Marshall's slot waveguide antennas: http://trevormarshall.com/waveguides.htm
  • Trevor Marshall's tiny biquad antenna, which can be used with a surplus satellite TV dish: http://trevormarshall.com/biquad.htm
  • Ham radio info, including 802.11 antennas: http://www.wb8erj.com/
• Other lists of tools:
  • http://home.jwu.edu/jwright/wireless.htm
  • http://www.networkintrusion.co.uk/wireless.htm
• 2002 U.S. NIST report on top ten 802.11b wireless LAN security problems —
  • Security features in vendor products frequently not enabled, poor in many cases even if enabled.
  • Initialization vectors are only 24 bits, causes generated keystream to repeat.
  • 40-bit cryptographic keys are inadequate, allow for relatively easy brute-force attack.
  • Cryptographic keys are shared, so easy to compromise.
  • Cryptographic keys cannot be updated automatically and frequently.
  • RC4 keystream is inappropriately used in Wired Equivalent Privacy (WEP) protocol, vulnerable to key-recovery attack.
  • Packet integrity-checking is poor, may allow undetected modification.
  • Only device authentication, no user authentication.
  • Only Service Set Identification (SSI) is done, vulnerable in wireless system.
  • Device authentication based on one-way challenge-response, vulnerable to "man in the middle" attack.

Tapping optical fibre no longer requires splicing. You can read the data by removing some of the sheath and gently bending the fibre in a bend coupler. You can supposedly buy them for a few hundred US$, even off eBay.

There are claims that optical taps have been found on police networks in the Netherlands and Germany, and the FBI investigated one discovered on Verizon's network in the US.

For more see:

• http://blogs.techrepublic.com.com/security/?p=222&tag=nl.e036
• Marketing material from companies selling expensive OSI Layer-1 encryption hardware or fiber monitoring hardware:
  • http://www.techworld.com/security/news/index.cfm?newsID=8686
  • http://www.networkintegritysystems.com/ http://www.networkintegritysystems.com/pdf/NIS-FiberOpticIntrusionDetectionSystems.pdf

The "ISS Sniffer FAQ" answers the Frequently-Asked Questions on LAN "sniffers" and then some. It points you to sniffer software, to sniffer detectors, and to other privacy and authentication tools.

For suggestions on spotting sniffer attacks, see http://www.cert.org/pub/advisories/CA-1994-01.html

Detecting interfaces in promiscuous mode

• The best tools would be:
  • AntiSniff — http://packetstormsecurity.nl/sniffers/antisniff/
  • The SecurityFriday tool — http://www.securityfriday.com/
• Two other tools require that they be run on the attacking host during an attack — not very likely!
  • ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/cpm
  • ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/ifstatus

Back to the Security Page

© Bob Cromwell May 2008. Created with /bin/vi, hosted on OpenBSD with Apache.    Root password available here