Network sniffing is a method to monitor and analyze data packets being communicated over a network. It is also called snooping, packet sniffing, network probing, etc. Network sniffing can be done for both ethical (security) and unethical (data theft) reasons. There are several network sniffing tools available, also known as network sniffers, such as Wireshark, Tcpdump, Snort, etc., which take snapshots of data packets on the network to diagnose for any network issues or to determine packet health in general.
What is a data packet?
Communication over a network requires an exchange of data. However, data files (e.g. email attachments) can be huge and if sent as it is, can cause congestion on the network. Sending all the data at once can also risk its integrity.
So, the communication is made by dividing the data into small chunks, padding them with a header and a footer and transmitting them. Each division, thus obtained, is called a packet.
The receiver’s side reconstructs the data file after removing the header and footer. Information stored in header and footer depends on the protocol used in transmission but generally contain the address of the source, size of data, number of total packets, packet number and address of the destination.
How does network sniffer work?
A packet or network sniffer software intercepts and logs the network traffic and converts it into a user-friendly form. This information can then be used to ensure if the packets are healthy and diagnose any problem with the network.
The same information can also be used by unethical hackers to launch “man in the middle” attack and giving them access to important information.
If the data is not encrypted, hackers can also change data in the packet also known as packet injection attacks. Information such as email addresses, contact information, passwords is highly susceptible to such attacks.
What are different types of network sniffers?
Based on the filter used to find the right packets to sniff, a network sniffer can be of different types. Let us see network sniffer types in detail.
This method is used if you want to snoop on data that is coming from a specific IP address or is going towards a specific IP address. This method can be used both for diagnosing communication problems between two nodes or to steal information from a specific IP address.
MAC sniffers use MAC address of a device to filter out data packets beings transmitted on the network. MAC address stands for Media Access Control address.
It is a unique identifier assigned to a network adapter or network interface card at the time of manufacture. When connected to a network, IP address may keep on changing depending on the protocol used. However, MAC address of the adapter does not change and is reliable.
LAN sniffers are deployed on an internal network, for example, a university network or an office network. These sniffers can scan the complete IP range of a network.
These sniffers are primarily employed to assess the health of the intranet or local area network and diagnose any connectivity problem.
ARP stands for address resolution protocol. In this type of sniffing, the data is first transmitted to ARP cache of the hosts and then forwarded to the network administration. The sniffing is done while the data is still in the cache.
Along the with data, this also provides a mapping of data with the source/destination IP addresses making it easy for hackers to search for any vulnerabilities and launch packet-spoofing attacks.
Network Sniffing Tools
Wireshark is a freely available network sniffer software available for both Windows and Unix systems. Wireshark allows you to explore both live networks and captured files on disk.
Wireshark has an interactive interface where you can view summary and detailed information for network packets. Wireshark also comes with a feature to visualise a reconstructed stream of a TCP session.
SolarWinds Bandwidth Analyzer
This tool offers two distinct features: a network performance manager and a traffic analyzer. The network performance manager allows you to detect, diagnose and resolve any issues with the network’s performance.
It also allows you to track uptime, response time and availability of the routers and switches. With traffic analyzer, you can monitor bandwidth and analyze traffic patterns. It allows you to visualize a hop-by-hop analysis for devices along the route of a packet. This is a paid software that comes with a free 30 days trial.
Tcpdump is a command-line based network sniffing tool which means it doesn’t have a graphical user interface (GUI). It is a clean tool that with minimal footprint and ideal for machines that cannot run GUIs.
Tcpdump has origins in Linux environment but there are several ports available for Windows as well. This tool can be used on Windows using the command prompt. However, the data is not very readable and difficult to analyze on the terminal. This tool is also freely available.
Snort is another lightweight network sniffer software, which is used to detect intrusion in your system. It is capable of performing real-time traffic analysis on networks using internet protocol (IP).
Snort can do the content searching and can be used to detect many attacks such as buffer overflows, CGI (Common Gateway Interface) attacks, OS fingerprinting attempts, etc. Snort is designed with a modular plugin architecture and uses a flexible language to analyse traffic. Snort can be used on both UNIX and Windows machines and is available for free.