Network Monitoring and Packet Sniffing Tools

Modified 23 March 2009

Sections of this page, jump to a topic:

LAN Monitoring Tools
- For UNIX / Linux / BSD / MacOS X
- For Windows
Switch Security Issues
Wireless LAN/WAN Monitoring and Attacks on WEP and WPA
Tapping Optical Fibre
Eavesdropping Via Light, Audio, and Other Unusual Means
Detecting Packet Sniffing Attacks

Network monitoring or packet sniffing tools are like many other infosec tools. They can be used for good or evil, it all depends on the intent of the user!

I cannot imagine how you could claim to do LAN troubleshooting without capturing packets at times. At the same time, protocols that move sensitive data as cleartext are commonly used (POP and IMAP with the user's account name and password, and FTP and even TELNET are still used a surprising amount), and the bad guy could easily capture user authentication information (login and password) or other sensitive data (complete contents of shared files, copies of every print job submitted, and so on).

So, you have to use these to maintain your networks, and you need to realize that the bad guys could use these against you.

There are various categories of network monitoring tools:

Capture all packets on wire, provide very nice analysis of protocols (e.g., Wireshark, formerly called Ethereal)
Show general characteristics of traffic on the LAN (e.g., EtherApe or ntop)
Only show counts of packets to/from the host itself (e.g., iptraf)

Packetstorm has a wonderful archive of network monitoring tools: http://packetstormsecurity.org/sniffers/

LAN Monitoring Tools

UNIX / Linux / BSD / MacOS X LAN Monitoring Tools

Wireshark, formerly called Ethereal, is really the very best tool, short of a dedicated piece of hardware costing US$ 20,000 or more — http://www.wireshark.org/
- My biggest complaint with Wireshark is the difficulty of building filter strings, particularly for new users. Note that Wireshark uses the same filter syntax as tcpdump, and that is well-documented: See the tcpdump manual page
- Another problem is that Wireshark can be difficult to build from source. See my OpenBSD page for details of how to build Wireshark on BSD.
Other tools include:
- ntop is included with Linux, BSD, and addable to others. It shows the general characteristics of traffic on the network, showing the packet and byte rate broken out by application layer protocols. Get it if you don't already have it from: — http://www.ntop.org/
- EtherApe is another tool to characterize general traffic characteristics: http://etherape.sourceforge.net/
- iptraf shows you counts of packets to/from the host where you run it, broken out by protocol type: http://iptraf.seul.org/
- Clownix — Linux-specific — http://clownix.net/
- Esniff — ftp://coombs.anu.edu.au/pub/net/log
- SniffIt — http://sniffit.sourceforge.net/
- solsniff (For Solaris) — http://www.packetstormsecurity.com/sniffers/
- Etherfind (for SunOS 4.1.X)
- Snoop (Comes with Solaris)

DOS/Windows LAN Monitoring Tools

Wireshark works on Windows as well — http://www.wireshark.org/ — although you'll also need the WinPcap port of libpcap — http://www.winpcap.org/
Other tools include:
- ETHDUMP captures packets, then ETHLOAD loads them up and lets you browse. See http://alpha.hec.be/~evyncke/utilities/ethload/index.htm
- Commercial tools are available:
  - Netscout's products (formerly Network General, bought for a while by Network Associates) are top-of-the-line in function and price — http://www.netscout.com/company/acquisition.asp?site=ng/
  - Lancope makes security and network monitoring tools: http://www.lancope.com/
  - Network Observer — also supports WLAN — http://www.networkinstruments.com/
  - Klos Technologies, Inc. has PacketView. http://www.klos.com/ +1-603-714-4305.
  - Frontline Test Equipment, +1-800-359-8570.
  - Microsoft's Net Monitor. http://www.microsoft.com

Beware a false sense of security based on switches

A switch can improve LAN throughput immensely, but it does not really provide security. The dsniff toolkit includes arpspoof, which uses ARP trickery to confuse hosts about the mappings between IP and MAC addresses. The attacker can use arpspoof to have all datagrams between specified pairs of hosts sent to a sniffing host. The sniffer grabs copies and possibly modifies contents before sending the frames back through the switch to the legitimate hardware addresses.
- http://naughty.monkey.org/~dugsong/dsniff/
- http://www.packetstormsecurity.com/sniffers/dsniff/
Also be aware that some tools (dsniff, mailsnarf, webspy) understand application-layer protocols and make it easy to capture and analyze telnet and FTP logins and passwords, web traffic, mail, etc. Dsniff is a great tool for password capture. You must understand that your attackers all know this and will use it if possible. Legitimate uses by the infosec person include:
- An easy but very impressive demonstration of just how insecure things are when cleartext protocols like POP, IMAP, HTTP and so on are used.
- A test to see how bad things are, or if the new user tools really do enforce use of encrypted connections only.

Wireless LAN/WAN Monitoring and Attacks on WEP and WPA

Here is a useful introduction to wireless networking and the security issues: http://en.wikipedia.org/wiki/IEEE_802.11

Note that wireless monitoring tools can be extremely dependent on chipset — make sure that your planned software and WLAN card will get along.

The Trifinite Group has information on wireless security, including RFIDiot and other RFID security tools and information: http://trifinite.org/

Also see the COMSEC section of another page for details on how GSM encryption can be broken.

Free sniffers for UNIX / Linux / BSD —
- Kismet is great for WLAN surveillance. It displays all wireless access points (WAPs) and WLAN nodes it detects, showing channel, use of encryption, signel strength and more: http://freshmeat.net/projects/kismet/ and http://www.kismetwireless.net/
- AirSnort captures wireless LAN packets and then recovers the encryption keys — http://freshmeat.net/projects/airsnort/ and http://airsnort.shmoo.com/
- BSD-Airtools — BSD-specific 802.11 auditing toolkit — http://www.freshports.org/net-mgmt/bsd-airtools/ and http://freshmeat.net/projects/bat/ and http://www.dachb0den.com/projects/bsd-airtools.html
- WaveStumbler — http://www.cqure.net/wp/?id=08
- Aircrack-ng — http://www.aircrack-ng.org/
- Aircrack —
  - http://www.cr0.net:8040/code/network/aircrack/
  - http://wirelessdefence.org/Contents/AircrackMain.htm
- Wellenreiter — http://freshmeat.net/projects/wellenreiter/ and http://www.remote-exploit.org/
Free sniffers for Mac OS —
- KisMAC — looks to be the most powerful utility, all the features of the other MacOS ones and even more — http://trac.kismac-ng.org/
- MacStumbler — http://www.macstumbler.com
- iStumbler — http://www.istumbler.net/
Free sniffers for Windows —
- Net Stumbler — http://www.netstumbler.com/
- Aircrack —
Commercial tools — divided into categories:
- Packet Sniffing and War-Driving Tools
  - Security System War Driving Kit from AirTouch Network includes sniffing software, 802.11b adapter, and antenna — http://www.airtouchnetworks.com/
- Vulnerability Assessment Tools — more than just sniffing
  - ISS Wireless Scanner — http://www.iss.net/ — displays access point information, identified wireless clients.
  - AirMagnet Handheld/Laptop Analyzer — http://www.airmagnet.com/
  - WaveSecurity's WaveScanner — http://www.wavesecurity.com/
- Traffic Monitoring and Analysis Tools — and also consider the free tool Wireshark and
  - Sniffer Wireless — http://www.sniffer.com/
  - AiroPeek — real-time analyzer for 802.11a and 802.11b, Windows XP/2000 — http://www.wildpackets.com/
- WLAN Intrusion Detection Tools
  - Air Defense — http://www.airdefense.net/
  - StillSecure Border Guard — 802.11 gateway with intrusion detection and content filtering — http://www.stillsecure.com/
WLAN attack tools:
- WEP is, of course, well known to be weak. In 2007 three researchers announced an attack that required just 1 minute of WLAN data collection and 3 seconds of cryptanalysis on a 1.75 GHz Pentium:
  — The announcement and
  — The paper at http://eprint.iacr.org/2007/120.pdf
- A WPA attack was announced in late 2008. It does not recover the key (allowing the decryption of all data) but just allows the decryption of individual short packets.
- Black Alchemy's Fake AP "generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables." http://www.blackalchemy.to/project/fakeap/
- Josh Wright's file2air
- Void11, which implements some basic 802.11 attacks. Network DOS: flood WLAN with de-authentication packets and spoofed BSSIDs. Access point DOS: flood APs with authentication packets and random station addresses. http://www.wirelessdefence.org/Contents/Void11Main.htm
Hotspot directories — among many others see:
Antennas, access point modification, building your own WLAN hardware, etc.
- A great collection of antenna pages: http://www.wlan.org.uk/antenna-page.html
- Loads more info: http://www.wlan.org.uk/page2.html
- Connecting to Orinoco WLAN cards: http://www.chem.hawaii.edu/uham/hnet.html
- Many antenna designs: http://www.seattlewireless.net/index.cgi/AntennaHowTo
- Much more on waveguide/can antennas, complete with engineering data and calculators:
  - http://flakey.info/antenna/waveguide/
  - http://www.turnpoint.net/wireless/cantennahowto.html
- Cantenna comparisons: http://www.turnpoint.net/wireless/has.html
- Helical antenna: http://www.hfun.org/antenna/index.shtml
- Trevor Marshall's slot waveguide antennas: http://trevormarshall.com/waveguides.htm
- Trevor Marshall's tiny biquad antenna, which can be used as a feed for a surplus satellite TV dish: http://trevormarshall.com/biquad.htm
- The "cakepan" 2.3 GHz antenna design: http://www.saunalahti.fi/~elepal/antenna1.html
- Several more 2.3 GHz antenna designs: http://6mt.com/2304tech.htm
- Ham radio info, including 802.11 antennas: http://www.wb8erj.com/

Tapping Optical Fibre

Tapping optical fibre no longer requires splicing. You can read the data by removing some of the sheath and gently bending the fibre in a bend coupler. You can supposedly buy them for a few hundred US$, even off eBay.

There are claims that optical taps have been found on police networks in the Netherlands and Germany, and the FBI investigated one discovered on Verizon's network in the US.

For more see:

http://blogs.techrepublic.com.com/security/?p=222&tag=nl.e036
Marketing material from companies selling expensive OSI Layer-1 encryption hardware or fiber monitoring hardware:
- http://www.techworld.com/security/news/index.cfm?newsID=8686
- http://www.networkintegritysystems.com/ http://www.networkintegritysystems.com/pdf/NIS-FiberOpticIntrusionDetectionSystems.pdf

Eavesdropping Via Light, Audio, and Other Unusual Means

Interactive keyboard use can be "eavesdropped" by means you might not expect.

Consider the relative difficulty or ease of touch-typing different character sequences on a standard QWERTY keyboard: F-J would be very fast (home key on left hand then home key on right hand, easy and fast) while 2-X would be very slow (extreme reaches for the same finger, awkward and slow).

So, a good typist may have a high aggregate rate of characters per minute, but the inter-character spacings are going to vary. A given two-character or longer sequence is not always going to be exactly the same, but over time the distribution is going to be fairly distinctive.

Measure the inter-character times and you have the data needed for bigram analysis. You won't recover 100% of the cleartext, but with adequate data and quality typing of large blocks of text, you will recover some.

So how can you measure the inter-character times?

Shine a laser off the reflective surface of a laptop cover (that is, the surface opposite the display) or an external keyboard:
http://hackaday.com/2009/03/20/sniffing-keystrokes-via-laser-power-lines/
http://news.cnet.com/8301-1009_3-10200631-83.html?part=rss&subj=news&tag=2547-1_3-0-20
Detect electrical noise:
http://lasecwww.epfl.ch/keyboard/
http://hackaday.com/2009/03/20/sniffing-keystrokes-via-laser-power-lines/
http://hackaday.com/2008/10/20/eavesdrop-on-keyboards-wirelessly/
Detect keypresses acoustically — that is, listen to the clicking:
http://www.freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information
http://www.schneier.com/blog/archives/2005/09/snooping_on_tex.html
If you can observe the packets of an SSH connection, even though they are encrypted you can get using timing information and recover some information that way. See the paper "Timing analysis of keystrokes and timing attacks on SSH" Also see the paper "Inter-Packet Delay Based Correlation for Tracing Encrypted Connections Through Stepping Stones" (2002)
Similarly, observe the network activity lights on router or Ethernet switch ports. Sit in the next building with a telescope.... See the paper "Information Leakage from Optical Emenations", http://applied-math.org/optical_tempest.pdf

Like so much of information theory, this isn't entirely new. A Morse code operator might be recognized by a distinctive "fist" or slight imperfection in their keying cadence.

Detecting Packet Sniffing Attacks

For suggestions on spotting sniffer attacks, see http://www.cert.org/pub/advisories/CA-1994-01.html

To detect network interfaces in promiscuous mode:

The best tools would be:
- AntiSniff — http://packetstormsecurity.nl/sniffers/antisniff/
- The SecurityFriday tool — http://www.securityfriday.com/
Two other tools require that they be run on the attacking host during an attack — not very likely!
- ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/cpm
- ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/ifstatus

Back to the Security Page

Home Page

Unix/Linux

TCP/IP

Infosec

Travel

Radio

Site Map

Contact