Network Monitoring and Packet Sniffing Tools
Gregory Evans simply copied and pasted this entire page of
mine to make up a large section of Chapter Two of his book
How To Become The World's Number 1 Hacker.
He included a couple of misspellings or wording errors
that I hadn't happened to notice (now fixed here), and,
most clumsily, the sentence
the COMSEC section of another page of mine
for details on how GSM encryption can be broken."
That book contains a lot of plagiarized text in addition
to untrue claims about the background and experience
of its "author".
See the detailed analysis of his plagiarism
and an investigation of his background.
Meanwhile, you can enjoy my original version with its
corrections and updates for free!
Packet sniffing tools are like many other infosec tools:
they can be used for good or evil,
it all depends on the intent of the user!
I cannot imagine how you could claim to do LAN troubleshooting
without capturing packets at times.
At the same time, protocols that move sensitive data
as cleartext are still commonly used (POP and IMAP carry the
user's account name and password in the clear, and FTP and
even TELNET are still used a surprising amount),
so the bad guy could easily capture user authentication
information (login and password) or other sensitive data
(complete contents of shared files, copies of every
print job submitted, and so on).
So, you have to use these tools to maintain your networks,
and you need to realize that the bad guys could use
the same tools against you.
There are various categories of network monitoring tools:
Capture and analyze in detail all the packets
on the wire or in the air
(e.g., Wireshark, formerly called Ethereal).
Wireshark is a serious protocol analyzer,
and it's free!
Show general characteristics of the network traffic
(e.g., EtherApe or ntop).
Only show counts of packets to/from the host itself
Packetstorm has a wonderful
archive of network monitoring tools.
UNIX / Linux / BSD / MacOS X LAN Monitoring Tools
Wireshark is really the very best tool
short of a dedicated piece of hardware costing
US$ 20,000 or more.
Get it from
My biggest complaint with Wireshark is
the difficulty of building filter strings,
particularly for new users.
Note that Wireshark's capture filters use the same
BPF syntax as tcpdump, and that syntax
is well documented on the tcpdump (pcap-filter) manual page.
Its display filters, the ones you type into the filter bar
after capturing, use a different and much richer syntax of
their own, documented in the wireshark-filter manual page,
and mixing up the two is the usual source of "my filter
doesn't work" confusion.
Also check out the books on packet analysis
Another problem is that Wireshark can be
difficult to build from source.
See my OpenBSD page
for details of
how to build Wireshark on BSD.
Other tools include:
included with Linux and BSD, and
addable to others.
It shows the general characteristics of
traffic on the network,
showing the packet and byte rate broken
out by application layer protocols.
is another tool to
characterize general traffic patterns.
shows you counts of packets
to/from the host where you run it,
broken out by protocol type.
is a Linux-specific tool.
Other classic tools include
Etherfind (for ancient SunOS 4.1.X),
and Snoop (comes with Solaris).
If you capture traffic with snoop, you can
use Wireshark to decode and display it.
But why not just use Wireshark in the
DOS/Windows LAN Monitoring Tools
Beware a false sense of security based on switches
A switch can improve LAN throughput immensely,
but it does not really provide security.
The dsniff toolkit includes arpspoof,
which uses ARP trickery to confuse hosts about the
mappings between IP and MAC addresses.
The attacker can use arpspoof to have
all datagrams between specified pairs of hosts
sent to a sniffing host.
The sniffer grabs copies, and possibly modifies
contents, before forwarding the frames back through
the switch to the legitimate hardware addresses.
The switch itself never notices: it is doing exactly what
it was designed to do, forwarding frames to whichever
port last claimed the destination MAC address.
Get the dsniff toolkit from
Also be aware that some tools (dsniff,
mailsnarf, webspy, for example)
understand application-layer protocols and make it
easy to capture and analyze telnet and
FTP logins and passwords,
web traffic, mail, etc.
Dsniff is a great tool for password capture.
You must understand that your attackers all know
this and will use it if possible.
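The defensive counterpart of arpspoof is to watch the ARP traffic yourself and notice when an IP address suddenly answers from a different MAC address, which is what arpwatch does. The following is an added example, not code from this page or from the dsniff project, that decodes ARP replies from raw Ethernet frames and flags two arpspoof signatures: a protected address (the gateway) moving to a new MAC, and one MAC claiming several IP addresses. The hosts, MAC addresses and frames are constructed for the example.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806


def parse_arp(frame):
    """Decode an Ethernet ARP frame; return (opcode, sender_mac, sender_ip, target_ip) or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet / IPv4 only
        return None
    sender_mac = arp[8:14].hex(":")
    sender_ip = ".".join(map(str, arp[14:18]))
    target_ip = ".".join(map(str, arp[24:28]))
    return op, sender_mac, sender_ip, target_ip


class ArpWatch:
    """Track IP->MAC bindings seen in ARP replies and report changes, arpwatch-style."""

    def __init__(self, protected_ips=()):
        self.table = {}                      # ip -> mac as last advertised
        self.protected = set(protected_ips)  # gateway etc.: never expected to move
        self.claims = defaultdict(set)       # mac -> set of ips it has claimed

    def observe(self, frame):
        """Feed one raw frame; return a list of alert strings (empty if nothing is suspicious)."""
        alerts = []
        parsed = parse_arp(frame)
        if parsed is None:
            return alerts
        op, mac, ip, _target = parsed
        if op != 2:                # only replies (solicited or gratuitous) bind an address
            return alerts
        self.claims[mac].add(ip)
        old = self.table.get(ip)
        if old is not None and old != mac:
            # arpspoof signature; a DHCP lease moving to a new machine looks the same,
            # which is why protected addresses get a stronger alert than the rest.
            level = "CRITICAL" if ip in self.protected else "WARNING"
            alerts.append(f"{level}: {ip} moved from {old} to {mac}")
        if len(self.claims[mac]) > 1:
            alerts.append(f"WARNING: {mac} claims {sorted(self.claims[mac])}")
        self.table[ip] = mac
        return alerts


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an ARP reply frame (constructed sample traffic for this example)."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip(s):
        return bytes(map(int, s.split(".")))

    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_ARP) + arp + b"\x00" * 18


GATEWAY, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM, VICTIM_MAC = "192.168.1.50", "00:11:22:33:44:50"
ATTACKER_MAC = "00:11:22:33:44:99"

# Constructed sequence: the real gateway answers the victim, then the attacker
# tells the victim "the gateway is me" and tells the gateway "the victim is me".
SAMPLE_FRAMES = [
    arp_reply(GATEWAY_MAC, GATEWAY, VICTIM_MAC, VICTIM),
    arp_reply(ATTACKER_MAC, GATEWAY, VICTIM_MAC, VICTIM),
    arp_reply(ATTACKER_MAC, VICTIM, GATEWAY_MAC, GATEWAY),
]


def run_sample():
    """Feed the constructed frames through a watcher; return the alerts per frame."""
    watch = ArpWatch(protected_ips=[GATEWAY])
    return [watch.observe(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample()):
        print(f"frame {i}: {alerts or 'ok'}")
```

On a live network the frames would come from an AF_PACKET socket or a pcap file rather than the constructed list; the decoder only needs the raw Ethernet bytes. Static ARP entries for the gateway, or a switch feature such as dynamic ARP inspection, stop the attack rather than merely reporting it.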
Legitimate cybersecurity applications of password
or other sensitive information capture and display:
An easy but very impressive demonstration
of just how insecure things are when
cleartext protocols like POP, IMAP, HTTP
and so on are used.
A test to see how bad things are,
or to test whether the new user tools really
enforce use of encrypted connections only,
or if they silently fall back to insecure connections.
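To see how little work the capture described above really is (both the "bad guy grabs the login" warning earlier on this page and the dsniff-style password capture just discussed), here is an added example, not code from this page or from dsniff, that decodes Ethernet/IPv4/TCP frames, reassembles each flow in sequence order, and pulls out POP3/FTP USER/PASS pairs, IMAP LOGIN commands and HTTP Basic authentication. The sample frames, hosts and credentials are constructed inline; the pcap reader assumes an Ethernet link type.

```python
import base64
import re
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
# Destination port -> cleartext protocol we know how to decode (constructed, minimal).
PORT_PROTO = {21: "ftp", 80: "http", 110: "pop3", 143: "imap"}


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP headers; return ((src, sport, dst, dport), seq, payload) or None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return (src, sport, dst, dport), seq, tcp[(off_flags >> 12) * 4:]


def reassemble(frames):
    """Concatenate each flow's payload in sequence-number order.
    (Retransmissions and overlaps are ignored; enough for the sample traffic.)"""
    flows = defaultdict(dict)
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            flows[key][seq] = payload
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in flows.items()}


USERPASS = re.compile(rb"^(USER|PASS)\s+(\S+)", re.I | re.M)          # FTP and POP3
IMAP_LOGIN = re.compile(rb"^\S+\s+LOGIN\s+(\S+)\s+(\S+)", re.I | re.M)
HTTP_BASIC = re.compile(rb"^Authorization:\s*Basic\s+(\S+)", re.I | re.M)


def extract_credentials(frames):
    """Return a list of {proto, client, server, user, password} found in cleartext."""
    found = []
    for (src, sport, dst, dport), data in reassemble(frames).items():
        proto = PORT_PROTO.get(dport)          # server->client direction is skipped
        base = {"proto": proto, "client": src, "server": f"{dst}:{dport}"}
        if proto in ("ftp", "pop3"):
            creds = {k.upper(): v for k, v in USERPASS.findall(data)}
            if b"USER" in creds and b"PASS" in creds:
                found.append({**base, "user": creds[b"USER"].decode(),
                              "password": creds[b"PASS"].decode()})
        elif proto == "imap":
            for user, pw in IMAP_LOGIN.findall(data):
                found.append({**base, "user": user.decode(), "password": pw.decode()})
        elif proto == "http":
            for token in HTTP_BASIC.findall(data):
                user, _, pw = base64.b64decode(token).decode(errors="replace").partition(":")
                found.append({**base, "user": user, "password": pw})
        # Telnet sends one character per segment with option negotiation mixed in;
        # dsniff handles that, this minimal decoder does not.
    return found


def read_pcap(path):
    """Yield raw frames from a classic libpcap file (tcpdump -w); assumes Ethernet link type."""
    with open(path, "rb") as f:
        endian = "<" if f.read(24)[:4] == b"\xd4\xc3\xb2\xa1" else ">"
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                return
            _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", hdr)
            yield f.read(incl_len)


def tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample; checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + tcp


# Constructed traffic: a POP3 login split over two segments, the server's reply,
# and an HTTP request carrying Basic authentication.
SAMPLE_FRAMES = [
    tcp_frame("10.0.0.5", "10.0.0.9", 40001, 110, 1000, b"USER alice\r\n"),
    tcp_frame("10.0.0.9", "10.0.0.5", 110, 40001, 7000, b"+OK\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.9", 40001, 110, 1012, b"PASS hunter2\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.7", 40002, 80, 5000, b"GET /secret HTTP/1.0\r\nAuthorization: Basic "
              + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_FRAMES):
        print(cred)
```

Running it over a real capture is `extract_credentials(read_pcap("trace.pcap"))`. Used on your own network, the output is exactly the demonstration and the "does the client really refuse cleartext?" test listed above: if a login shows up here, the protocol is not encrypted, whatever the client's settings claim.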
Wireless LAN/WAN Monitoring
and Attacks on WEP and WPA
a very useful introduction to wireless networking
and the security issues.
running in an
xterm window, sniffing packets and observing wireless network
activity at the Greyhouse coffeeshop in West Lafayette, Indiana.
And yes, they really want you to use their WLAN, so you'll
hang out there and buy more coffee.
Note that wireless monitoring tools can be extremely
dependent on chipset.
Make sure that your planned software and WLAN card
will get along!
The Trifinite Group
has information on wireless security, including
and other RFID security tools and information at
See the COMSEC section of another page of mine
for details on how GSM encryption can be broken.
GSM salesmen don't want you to know this, but it's true.
D-Link TM-G5240 802.11g wireless router,
Cisco EZXS88W 8-port Ethernet switch,
and MFJ-1278 multi-mode data controller.
Free wireless sniffers for UNIX / Linux / BSD —
Free wireless sniffers for Mac OS —
Free wireless sniffers for Windows —
Commercial tools — divided into categories:
Packet Sniffing and War-Driving Tools
Vulnerability Assessment Tools —
more than just sniffing
Traffic Monitoring and Analysis Tools —
and also consider the free tool
WLAN Intrusion Detection Tools
WLAN attack tools:
WEP is, of course, well known to be weak.
In 2007 three researchers announced an
attack that required just 1 minute of WLAN
data collection and 3 seconds of cryptanalysis
on a 1.75 GHz Pentium.
A WPA attack was announced in late 2008.
It applies only to WPA with TKIP, and it does not
recover the key (which would allow the decryption
of all data) but just allows the decryption of
individual short packets.
Black Alchemy's Fake AP
"generates thousands of counterfeit
802.11b access points.
Hide in plain sight amongst Fake AP's
cacophony of beacon frames.
As part of a honeypot or as an
instrument of your site security plan,
Fake AP confuses Wardrivers,
NetStumblers, Script Kiddies,
and other undesirables."
Josh Wright's file2air
implements some basic 802.11 attacks.
Network DoS: flood the WLAN with
de-authentication packets and spoofed BSSIDs.
Access point DoS: flood APs with authentication
packets and random station addresses.
Hotspot directories —
among many others see:
Antennas, access point modification,
building your own WLAN hardware, etc.
WPA2 / 802.11i
Here's my page on setting up WPA2 / 802.11i
Tapping Optical Fiber
Optical fiber can be tapped without splicing.
Remove some of the sheath and gently bend the fiber in a
bend coupler, and enough light leaks out of the bend
to read the data while the link keeps working.
You can supposedly buy such couplers for a few hundred US$.
There are claims that optical taps
have been found on police networks in the Netherlands,
and the FBI investigated one discovered on Verizon's network
in the US.
For more see:
Eavesdropping Via Light, Audio, and
Other Unusual Means
Interactive keyboard use can be "eavesdropped" by means
you might not expect.
Consider the relative difficulty or ease of touch-typing
different character sequences on a standard QWERTY keyboard:
F-J would be very fast (home key on the left hand, then
home key on the right hand, easy and fast), while 2-X
would be very slow
(extreme reaches for the same finger, awkward and slow).
So, a good typist may have a high aggregate rate of
characters per minute, but the inter-character spacings
are going to vary with the key pair being typed.
A given two-character or longer sequence is not always
going to take exactly the same time, but over time the
distribution is going to be fairly distinctive.
Measure the inter-character times and you have the data
needed for bigram analysis.
You won't recover 100% of the cleartext, but with adequate
data and quality typing of large blocks of text, you will
So how can you measure the inter-character times?
Never send a human to do a machine's job.
But watch those reflections, Vladimir Vladimir'ich!
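As an added example that is not part of the original page, here is the bigram-timing idea reduced to code: a simplified touch-typing model of the QWERTY layout classifies each key pair as same-finger, same-hand or alternating-hands, a "training" log of (character, timestamp) events gives the typist's mean interval per class, and candidate words are then ranked by how well their bigram classes fit a sequence of observed intervals alone. The finger assignment, the typist's timings and the training text are all constructed assumptions of the example.

```python
from collections import defaultdict
from statistics import mean

# Simplified touch-typing model (an assumption of this example): key column -> finger,
# 0-3 = left pinky..index, 4-7 = right index..pinky; index fingers cover two columns.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
FINGER_BY_COL = [0, 1, 2, 3, 3, 4, 4, 5, 6, 7]
_FINGER = {ch: FINGER_BY_COL[col] for row in ROWS for col, ch in enumerate(row)}


def bigram_class(a, b):
    """Classify a key pair by the motor effort it takes to type it."""
    fa, fb = _FINGER.get(a.lower()), _FINGER.get(b.lower())
    if fa is None or fb is None:
        return "other"            # space, punctuation: not modelled
    if fa == fb:
        return "same_finger"      # e.g. 2-x: slow
    if (fa <= 3) == (fb <= 3):
        return "same_hand"        # e.g. a-s: medium
    return "alternate"            # e.g. f-j: fast


def interval_profile(keystrokes):
    """From (char, time_seconds) events, learn the mean inter-key interval per class."""
    samples = defaultdict(list)
    for (a, ta), (b, tb) in zip(keystrokes, keystrokes[1:]):
        samples[bigram_class(a, b)].append(tb - ta)
    return {cls: mean(v) for cls, v in samples.items()}


def rank_candidates(intervals, candidates, profile):
    """Given only the inter-key intervals of an unknown word, rank candidate words by how
    well their bigram classes fit the profile (least squared error first)."""
    scored = []
    for word in candidates:
        if len(word) != len(intervals) + 1:
            continue
        err = 0.0
        for (a, b), observed in zip(zip(word, word[1:]), intervals):
            expected = profile.get(bigram_class(a, b))
            if expected is None:
                err = float("inf")
                break
            err += (observed - expected) ** 2
        scored.append((err, word))
    return [word for _, word in sorted(scored)]


# Constructed typist: 80 ms alternating hands, 140 ms same hand, 260 ms same finger,
# 200 ms around spaces, plus a little deterministic jitter so the samples are not identical.
_BASE = {"alternate": 0.08, "same_hand": 0.14, "same_finger": 0.26, "other": 0.20}


def synthesize(text):
    """Turn text into a (char, time) log using the constructed timing model."""
    t, events = 0.0, []
    for i, ch in enumerate(text):
        if i:
            t += _BASE[bigram_class(text[i - 1], ch)] + 0.005 * ((i % 3) - 1)
        events.append((ch, t))
    return events


TRAINING = synthesize("the quick brown fox jumps over the lazy dog")

if __name__ == "__main__":
    profile = interval_profile(TRAINING)
    print({k: round(v, 3) for k, v in profile.items()})
    # Only the timings of the unknown word are known: m-a and a-l alternate hands,
    # then a long pause that fits l-l (same finger) better than i-l (same hand).
    print(rank_candidates([0.08, 0.08, 0.26], ["mail", "mall"], profile))
```

Real keystroke data is noisier than this, which is why the research results on the topic are statistical: a dictionary of candidates plus enough typing narrows the text down, it does not read it off directly.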
Like so much of information theory, this isn't entirely new.
A telegraph operator might be recognized by a distinctive
style, or slight imperfection, in their keying cadence.
Then there are more "movie-style" threats.
The head of the 3D Computer Vision Group at the
University of North Carolina at Chapel Hill
leads a group that has developed a
system which can identify text typed on touchscreens from
video footage of the screen itself, or of its reflection in
windows or even in sunglasses.
Their system was described in New Scientist,
29 October 2011, pp 22-23.
They say that they can use video from an ordinary mobile phone
up to 3 meters away, but a digital SLR camera shooting
HD video could read screens up to 60 meters away.
Their approach takes advantage of the fact that the targeted
platforms magnify the virtual keys.
It isn't perfect, but they recover over 90% of what is typed
on these ever more prevalent interfaces.
Detecting Packet Sniffing Attacks
For suggestions on spotting sniffer attacks, see
the discussion in an older CERT advisory.
One method is to send out an Ethernet frame to a
MAC destination address that is not in use on your network.
Inside of that is an IP datagram to which a typical host
would reply, an ICMP echo request for example.
The NIC would normally have filtered out (that is, ignored
or dropped) that frame because it was sent to some other
unicast MAC address.
But since its chipset is in promiscuous mode, the filtering
is turned off and the IP datagram is passed to the operating
system.
The operating system then replies, and now you know that
host has its interface in promiscuous mode.
The sniffer detection relies on tricking the host with a
promiscuous interface into reporting itself.
Two caveats: the kernel applies its own software filter on top
of the NIC's, so the classic probes use near-broadcast addresses
like ff:ff:ff:ff:ff:fe that some kernels' filters accept as
broadcast; and a host that does not answer may still be
sniffing, so a negative result proves nothing.
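The probe just described, as an added example that is not code from this page or from any of the tools it lists: build an Ethernet frame to a bogus MAC address carrying an ICMP echo request for the suspect host, with correct IPv4 and ICMP checksums so the target's stack has no reason other than its MAC filter to drop it, and recognize the echo reply if one comes back. The MAC and IP addresses are constructed; sending needs Linux, root and an AF_PACKET socket, while building and decoding frames works anywhere.

```python
import socket
import struct

ETH_IPV4 = 0x0800
# Not a real broadcast address, but some kernels' software MAC filters treat it as one,
# so only an interface running in promiscuous mode receives (and answers) the frame.
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"
PROBE_IDENT = 0x4242


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(map(int, s.split(".")))


def build_probe(src_mac, src_ip, dst_ip, dst_mac=FAKE_BROADCAST, ident=PROBE_IDENT, seq=1):
    """Ethernet frame to a bogus MAC carrying an ICMP echo request addressed to dst_ip."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64, 1, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4) + ip + icmp


def is_echo_reply(frame, probed_ip, ident=PROBE_IDENT):
    """True if frame is an ICMP echo reply from probed_ip carrying our probe identifier."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 1 or ".".join(map(str, ip[12:16])) != probed_ip:
        return False
    icmp_type, _code, _csum, reply_ident, _seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    return icmp_type == 0 and reply_ident == ident


def probe_host(iface, src_mac, src_ip, dst_ip, timeout=2.0):
    """Linux only, needs root: send the probe on iface; True means dst_ip answered a frame
    its NIC should have dropped, so its interface is promiscuous. False proves nothing."""
    probe = build_probe(src_mac, src_ip, dst_ip)
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_IPV4)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        s.send(probe)
        try:
            while True:
                if is_echo_reply(s.recv(65535), dst_ip):
                    return True
        except socket.timeout:
            return False


if __name__ == "__main__":
    # Print the frame so it can be checked in Wireshark; constructed addresses.
    print(build_probe("02:00:00:00:00:01", "192.168.1.10", "192.168.1.20").hex())
```

Run `probe_host("eth0", "<your MAC>", "<your IP>", "<suspect IP>")` as root for each host you want to check; a capture filter of `icmp and host <suspect IP>` in tcpdump or Wireshark shows the same exchange.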
To detect network interfaces in promiscuous mode:
The best tools would be:
Two other tools require that they be run on the
attacking host during an attack — not very likely!
Purdue's CERIAS research group
has two tools on their FTP server: