What Network Sniffing Tools Do You Use?

network-nose asks: "I work as a Network Administrator in a 500 user manufacturing facility in southeastern Wisconsin. My job is to keep the company running as close to 100% of the time as possible while trying not to spend any money on up to date hardware and software. As of late, we have been having quite a few network problems that can only really be resolved by sniffing packets. I am wondering what tools the rest of you network guys and gals out there use in a corporate environment for analyzing packets. Of course, the more reasonbly priced the better, but I know you usually get what you pay for."

Ethereal

That's it.

Re:Ethereal

[G27+Radio]

Ethereal is my favorite. tcpdump is ok for quickly figuring out where packets are coming from, but Ethereal makes things a lot easier beyond that. For example, the ability to follow TCP streams is great for diagnosing problems. It works great in Linux and Windows, however I haven't tried it on other platforms.

Re:Ethereal

I use pflog on my openbsd box. I am not too smart when it comes to this kinda stuff so I installed hatchet and it is working like a charm.

Re:Ethereal

[great_flaming_foo]

btw, for the google impaired: tcpdump

Re:Ethereal

[Mr+Pippin]

Agreed. However, this mostly depends on you having at least some managed switches that can do port mirroring. Of course, that assumes you are using switches.

Re:Ethereal

[interiot]

Tcpdump is definitely complementary to ethereal:

• it's what runs underneath ethereal, so it's good to be aware of it
• its filtering syntax is extremely flexible
• it's lightweight and only needs text or file output, so you could run it on an iPaq or whatnot
• you can record streams with tcpdump, move the log to another machine, and load it into ethereal to do the packet analysis / stream reconstruction at a later point.
• in library form (aka libpcap), lots of languages can hook to it, so you can easily do on-the-fly custom statistics calculations, instead of eating IO and disk space writing a huge log out and only processing it later. For example, even Perl + Net::Pcap running on a pentium machine is fast enough to keep up with a T3.

Re:Ethereal

[MrBlue+VT]

I'm an idiot, it's Ettercap that does the ARP poisoning, not sure about Etherape.

Re:Ethereal

[ComputerSlicer23]

Unless I missed something, Ethereal and tcpdump use the same library (libpcap), but tcpdump isn't the "underneath" ethereal. Ethereal is very good at breaking down any Ethernet Frame, where as TCP dump as far as I know, only deals with TCP/UDP/IP packets.

Ethereal is my tool of choice. However, if you have a Linux router, there are a number of interesting tools you can use to monitor stuff that is crossing your routing points.

iptraf is pretty interesting. If you can get that installed on critical points in your network you can watch traffic flows, and see who the major badwidth hogs are, and what services they are using. The one truely annoying this is that if you run it via an SSH session, it constantly counts SSH traffic it is generating. I wish it did a better job of accumulating UDP totals for me.

Kirby

Re:Ethereal

Agreed. However, this mostly depends on you having at least some managed switches that can do port mirroring.

If you just want to monitor one link at a time for short periods of time, I think a laptop and a cheap hub would be the easiest way. Unplug the connection, connect it (and the laptop) through the hub, and run any software sniffer. The link would drop for a few seconds, but this shouldn't disrupt any connections.

You could also use a laptop with two network cards and bridging support - then you could actively manipulate the traffic.

Re:Ethereal

[CvD]

As far as I know you can install a filter on SSH traffic with iptraf. So it won't show up any more in any rates or tallies. The filter setup is a little obscure, but it seems to work.

Cheers.

Re:Ethereal

I only use ethereal when I need eye candy to show somebody...I usually use ngrep

Re:Ethereal

[wellard1981]

Another tool that compliments Ethereal, is EtherApe. It's a graphical network monitor that tells you what's talking to what. Useful to find out what's sucking up most of the bandwidth.

Re:Ethereal

[Guy+Harris]

Unless I missed something, Ethereal and tcpdump use the same library (libpcap)

True.

...but tcpdump isn't the "underneath" Ethereal.

True.

Ethereal is very good at breaking down any Ethernet frame, where as TCP dump, as far as I know, only deals with TCP/UDP/IP packets.

Ethereal has dissectors for more protocols than tcpdump does; however, tcpdump has dissectors for more than just TCP/UDP/IP (some protocols atop them, such as NFS, as well as non-IP-based protocols, including 802.11 management frames).

Re:Ethereal

[pimpin+apollo]

-f not port 22

or something down those lines

Re:Ethereal

[rob_kg]

Yep,

tcpdump is good for two things:

1) doing some fast checking of what's going.. small jobs
2) reading the source to see how to use libpcap.. case example (people who made tcpdump also made libpcap)

So which one is better.. the one with the more features (ethereal) or tcpdump? Depends on the situation..

ethereal, tcpdump

[morelife]

and on Windows, never mind.

ethereal, tcpdump

Re:ethereal, tcpdump

[Motherfucking+Shit]

and on Windows, never mind.

Actually, there's a Win32 build of Ethereal that works just fine. And yes, you can tally up my vote for Ethereal.

Re:ethereal, tcpdump

[EverDense]

Analyzer: a public domain protocol analyzer

does a good job under Windows.

Re:ethereal, tcpdump

[superpulpsicle]

Windows 2000 also has a network monitoring tool.

c:\system32\system\netmon\netmon.exe.

It's not going to support 500 protocols like ethereal. But hey, it comes default with windows 2000 without you having to install anything separately.

Re:ethereal, tcpdump

[Sepper]

I can vouch for the win32 build... altouhg I could not check the packets in realtime... (network too fast, computer too slow)

you can try it with Knoppix STD Bootable Linux-ON-CD

with comes with all this:

aimSniff : sniff AIM traffic
driftnet : sniffs for images
dsniff : sniffs for cleartext passwords (thanks Dug)
ethereal 0.10.0 : the standard. includes tethereal
ettercap 0.6.b : sniff on a switched network and more.
filesnarf : grab files out of NFS traffic
mailsnarf : sniff smtp/pop traffic
msgsnarf : sniff aol-im, msn, yahoo-im, irc, icq traffic
ngrep : network grep, a sniffer with grep filter capabilities
tcpdump : the core of it all
urlsnarf : log all urls visited on the wire
webspy : mirror all urls visited by a host in your local browser

Re:ethereal, tcpdump

But hey, it comes default with windows 2000 without you having to install anything separately.

Server, that is - it's not in 2K pro.

You can make it work on 2K pro but you need to install extra drivers (they're in a KB or something).

Sniffing Tools...

[danielrm26]

I tend to use tcpdump when I am watching a box using a specific filter and expecting very little traffic, i.e. when I want to know if a certain host is communicating on some arbitrary port or protocol. Ethereal I use when I want to capture tons of data and sift through it later (although you can do this with tcpdump and import it into ethereal as well).

Tcpdump is generally considered the superior learning tool, while ethereal is considered the more refined choice. In other words, ethereal does a lot of the work for you, while you are getting pretty raw stuff when you use tcpdump.

In general, tcpdump and ethereal are the tools of choice if you don't have tons of money to spend. Fancy looking enterprise applications essentially do the same thing as the apps mentioned above -- they just add a nice GUI to the mix.

Re:Sniffing Tools...

[AftanGustur]

I tend to use tcpdump when I am watching a box using a specific filter and expecting very little traffic,

Having a fancy machine with X running isn't always an option. We have a old 200Mhz Celeron machine attached to our 8Mb Internet link (With a Network interface that doesn't have a IP) and that machine can captured whatever traffic I am looking for with just tcpdump.

There are options to exclude and include whatever traffic you want..

For example, we had a problem with a governament agency in Canada that couldn't send us emails.. Their connections didn't get anywhere..
So, on that machine I wrote:
tcpdump -i eth1 host our-IP and host Canadian-IP

Similarly, if you have only 1 network card on the machine you are connected to and you want to collect traffic to a file for later analysis except that you don't want to include your own SSH/whatever traffic:
tcpdump -w DumpFile -s 1500 not host My-IP

Ethereal

[stevens]

• ethereal
• tcpdump

Ethereal.

[Shoten]

I've used Sniffer Pro, Observer Pro, and Ethereal, and I always, ALWAYS prefer Ethereal. It's free, it's open source, and it's hands down the best of the lot. Sniffer Pro may have the pretty gauges and the map that shows what's talking to what (utterly useless, IMHO), and Observer Pro comes with buttloads of tools for things like SNMP configuration and whatnot, but as a sniffer, nothing has ever beated Ethereal in ease of use, capability, or packet decodes.

Re:Ethereal.

[XaXXon]

Etherapeis a free pretty picture of who's talking to whom and what language (protocol) they're talking.

Works great.

Re:Ethereal.

[interiot]

The best text version of etherape is iftop, in case you don't have X handy (or if you just have a spare dumb terminal and want your pad to look more geeky).

The best web-based version is ntop, which is another one of those "Oh my god, this is SOOO cool" tools, similar to ethereal. It lets you drill-down through a fair bit of data, and pages load fast and it's virtually real-time, so you can bang on the reload key and see a similar sort of data that etherape/iftop would give you. It has a daemon piece and a CGI piece, so installing it via a package (eg. apt-get install ntop) may be much prefered to installing it by hand.

Ethereal!

[FsG]

Ethereal! It's a very high-end multi-platform sniffer with numerous features, as well as excellent GUI and command-line interfaces that are a joy to use. It has all the features you'd expect in high-end commercial network sniffers, and it's free!

zasniff

[Hemos+on]

Two college kids wrote an interesting interpretive packet sniffer called ZAsniffer (I gather the Z and A are from their respective last names).

I found it to be quite nice for monitoring telnet usage and I use it a lot.

Sounds like an NT/XP...Use Linux/Unix

[Fallen+Kell]

Personally I prefer Solaris's snoop. Linux has built in sniffers as well. And they are free (as in GPL).

sniffing, etc.

[bendsley]

Hands down, Fluke.

http://www.flukenetworks.com/us/default.htm

Great tools.

[bwhaley]

• Ethereal
• hping
• tcpdump
• tcpflow

Ahh, the staples of my diet. What my roommates don't know won't hurt 'em ;-)

I use ettercap

[weekendwarrior1980]

From their website:
Cool Features: Characters injection in an established connection : you can inject character to server (emulating commands) or to client (emulating replies) maintaining the connection alive !!
SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX
HTTPS support : you can sniff http SSL secured data... and even if the connection is made through a PROXY
Remote traffic through GRE tunnel: you can sniff remote traffic through a GRE tunnel from a remote cisco router and make mitm attack on it
PPTP broker: you can perform man in the middle attack against PPTP tunnels
Plug-ins support : You can create your own plugin using the ettercap's API. List of available plugins
Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming soon...)
Paket filtering/dropping: You can set up a filter that search for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet.
OS fingerprint: you can fingerprint the OS of the victim host and even its network adapter
Kill a connection: from the connections list you can kill all the connections you want
Passive scanning of the LAN: you can retrive infos about: hosts in the lan, open ports, services version, type of the host (gateway, router or simple host) and extimated distance in hop.
Check for other poisoners: ettercap has the ability to actively or passively find other poisoners on the LAN
Bind sniffed data to a local port: you can connect to that port with a client and decode unknown portocols or inject data to it (only in arp based mode)
Port Stealing: a new method to sniff on switched LAN without ARP poisoning...
http://ettercap.sourceforge.net/

Fluke meters

[grub]

we have been having quite a few network problems that can only really be resolved by sniffing packets.

By "packets" I hope you mean "Ethernet frames". Looking only at layer 3+ information can be useless for many network problems. Anyhow, brain dump:

Do your switches and LAN router(s) have statistic counters (# of frames of various sizes, undersided/oversized frames, flooded frames, deferred frames, etc)?

If you don't have a LAN router for 500 users: why?

What's the most amount of hops (switches) your packets will travel from one end of the LAN to the other? Any more than 3 and you should be putting a LAN router in there (ideally)

Do you have hubs? If so, destroy them all right now. Hubs are pure, unadulterated evil.

My point of that is simple: not all LAN problems are computer problems. Looking at the IP traffic doesn't always cut it. Re: the subject: At my workplace we have a nice LAN meter from Fluke. They aren't cheap but if you have that many users your company should damn well pay for the right tools for you to do your job.

dsniff, ntop

[bahamat]

Don't forget the eternally useful.

Argus

[Squeamish+Ossifrage]

I was recently clued-in to the existence of Argus.

It's really good for summarizing flow information in quasi-realtime, so it fills the niche of being more detailed than NetFlow, but more big-picture than tcpdump or ethereal.

Re:Argus

[2starr]

Take a look at NEXVU. It also does flow correlation in quasi-realtime, but is probably a good bit friendly to use. It's got some nice network overview views that make finding a lot of problems pretty trivial. Some nice reports too.

It's not open source or free, but is a really useful tool at work, IMHO.

Tcpflow

[ChiralSoftware]

It has already been mentioned here, but tcpflow is great. It captures a tcp session into a file. Sometimes if I just can't figure out what is going on with a web application, the best way to really see what the client is getting in real life is to tcpflow it and capture a session. Sometimes that shows up the bug. Tcpdump is good but it puts out individual packets which are hard to piece together. Tcpflow does all of that. Of course, it isn't so useful for protocols other than tcp.

-------
Create a WAP server

ngrep

[G27+Radio]

ngrep is pretty handy if you like grep and want to scan network traffic. from their website:

ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

Ethereal + other tools works nicely

[LinuxParanoid]

I use tcpdump UNIX-side, and Ethereal Windows-side. Personally? I find Ethereal hard to use, but it gets the job done. I've traced down bugs in OpenBSD TCP stacks with it on my production servers. I've tried half a dozen other packages but they didn't add enough value to make them worth trying to hit my boss up for cash.

To install Ethereal, you will need to download and install the low-level WinPcap driver.

And you may find the Ethereal packet analysis plug-in Packetyzer helpful; sometimes reading raw logs gets a bit annoying.

--LP

Re:Ethereal + other tools works nicely

[VonGuard]

Watch out for that IRC overflow that allows users you're sniffing to take over yer box. I wish Ethereal didn't run as root.

Re:Ethereal + other tools works nicely

Running tcpdump -w some.pcap and then loading some.pcap in ethereal will let you use ethereal as a non-privileged user, but there is still the potential for vulns in tcpdump or libpcap itself. A better approach is to only sniff hostile environments with a system you don't care about (ie a x86 laptop booted from a KNOPPIX disc, or the gentoo live cd for ppc users like you and I).

Sniffer Pro

[fishwaldo]

While it probably does suit the poster, I have to say for network diagnostics, Sniffer Pro is awesome. With the right network cards, it goes right down to the network layer, pulling out collision stats etc, and can even go and setup your switches for monitoring using rmon.
Got wan problems, Sniffer can work with a Y cable and hardware decoder to watch your WAN.
They even have long term trending and reporting tools. Its maybe the one tool that Network Associates does right.

Ethereal and TCPDump are good for protocol analysis, but most network problems I've delt with are not really at the application layer, but more the pysical layer. (Dodgy Network Cards, Flat network designs with hundreds of hosts, causing your collision rate to go through the roof etc)

The other thing that I like about sniffer, is its made for people that might not have degree's in network analysis. Its got that Expert System. It will throw at you all the errors it finds, and is good enough to tell you what those errors means.

Lastly, The export feature is great. Does my boss want to know what is the biggest talker on the network, Let sniffer run for a few hours, export to excell, and I can give him the top 10/20/50, I can break it down further by protocol or application, and can even tell him who the partners are.

I know there are other tools out there that can do all this, (ntop, ethereal, tcpdump, rrd's) but thats exactly my point. They are different tools, they don't work together, and imho, none of them are true network diagnostic tools.

I'm Ex NAI employee btw, so maybe a bit biased, but I still use Sniffer (legit copies) to this day. There are only a few reasons why I still have a windows drive for my laptop, and Sniffer is no. 1)

my tools....

[discogravy]

dsniff and ethereal. If you're talking windows, just install cygwin and you'll be able to build all your own tools from source. doesn't get cheaper than Free.

Re:I'm not a network admin

If you just want to see what sort of porn people are perusing (saving you the trouble of hunting for it yourself) EtherPEG is a neat hack.

Seriously? Sniffing is most useful to see where a bunch of traffic is coming from (or going to). But there are a million uses, far too many to list in response to your post. You know it when you need it.

Yeah, redundant - but concise:

[Avihson]

For windows get winpcap
then get ethereal for windows
and get windump

SANS.org has all the info: Packet capture apps

i prefer analyzer to ethereal on win32

[honold]

analyzer is a native win32 app that is directly associated with winpcap, the packet capture architecture on which most win32 sniffing-type freeware depends.

Re:I don't mean to flame, but...

[somethinghollow]

What about driftnet?! Who are YOU to point fingers if you don't even mention driftnet?

;)

Alternative

[z0ink]

Ettercap

snort

[circletimessquare]

http://www.snort.org/

Packetyzer

[ktakki]

I use tcpdump on Mac OS X and Linux/Unix, but when I'm at a client site and all I have is my WinXP laptop, Packetyzer is my sniffer of choice. One of my cow-orkers swears by Ethereal, but it's all good.

k.

Ethereal with ntop

[HockeyPuck]

Ethereal to pick up the packets and look at the fine details. But if you need graphs and treds (packets/sec... bytes/sec) source destination... ntop is great.

Plus you can use ethereal for fibrechannel/iscsi as well as traditional networking protocols (tcpip/eth)..

network traffic analysis tools vs sniffers

[porky_pig_jr]

I'm sure you are going to get plenty of responses like 'Snoop', 'Tcpdump', 'Ethereal', etc. The problem is that those tools are sniffers, and you have to perform quite extensive analysis to figure out what's wrong with network, just from the packet trace. Been there, done that.

A classic 'Sniffer' from Network General (which is currently 'Network Associates' attempts to perform some rudimentary analysis (which is called 'Expert whatever ...). It does some interesting analysis, if you can get it - get it!

If you are interested in pin-pointing the reason why some distributed applicaiton doesn't run well on your network, by all means get OPNET Application Doctor. it is fairly expensive tool, but this is probably the best you can get. Used it and love it.

Link

[kuwan]

Here's a link.

I haven't used it for a while (College) but it was the most impressive tool I've ever used for Network Sniffing. It's available for pretty much every major platform.

LanScaper

[torklugnutz]

I would advise you to get a LanScaper from Test-Um Inc. Retail is $419, shopping on Froogle will save you $70 or so. Anyway, the benefit of this device is that it will tell you all sorts of things about your infrastructure that any OS based tool will not. A defective cable, for instance, might work 80% of the time, maybe even more, but will lead to corrupt data (which is messy when you're dealing with some big database or something). This tool will weed out bad cables and links pretty quick. You can also find out length of runs, do pings, and many many other things. Totally worth its' weight in gold. (Which is about what it costs)

Re:Bitch, don't you know where you are?

[swankypimp]

Ironically, computer programs are the one area in life where free things are often better than expensive alternatives. Best server OS? BSD. Best Web server? Apache. It has something to do with Eric Raymond's theory of programming culture as a gift-based society where members grow in stature based on what they freely give to the community.

It has something to do with Native Americans and Potlatch dinners and stuff, but to be honest it was years ago when he explained it to me and I was half-drunk at the time and utterly distracted by how stereotypically Linux geek-y he was, with the hair and the beard and the flannel shirt and the GLAVIN! Um... oh yeah, Ethereal is free too.

A couple of useful tools.

[jafo]

I haven't worked with it yet, but I keep threatening to set up Argus. Argus is nice because it logs packet headers so it can answer questions like "How long was it taking to get SYN ACKs back last Friday between 5:02 and 5:05am", "What was all this traffic yesterday morning at 8am", etc.

SmokePing, which uses rrdtool as a backend, is a great tool for graphically displaying ping informaiton.

Netsaint is very good for monitoring systems and networks and letting you know ASAP when there's a problem. It can also use rrdtool to generate graphs of packet loss and ping latency.

All of the above are things that will give you current as well as historic information. Current information is good, but historic information is incredibly important. Trending is the obvious thing, allowing you to predict future use to some extent. More importantly, it lets you examine things that happened recently but aren't currently happening, and to see recurring issues.

Recently, our local Internet cooperative was having problems where one of the upstream connections was going into very high packet loss and dropping it's BGP peer. We keep fairly high resolution traffic statistics through ganglia, another rrdtool based network system. That along with the RRD CGI grapher allowed us to create custom graphs of traffic with very high resolution, for days and weeks past, overlaying multiple sources.

Once we did that, it became obvious that every time we ran into these problems, one of our members was hitting the line somewhat hard. It wasn't hard enough that it pegged the line from a bandwidth standpoint, but it apparently was hard enough that it caused some part of the network to experience extremely high packet loss.

That was definitely a case where having the right tool allowed us to track down a fairly hard to see problem. Because our line was not at all saturated, we spent a lot of time looking for things like bad cables, ports with lots of accumulating errors, etc...

Sean

For Winblows

Capsa works awesome for Winblows.
www.colasoft.com/products/capsa

options

[Wouter+Van+Hemel]

hunt (sniffer, spoofer, ... perhaps more handy in blackhat situations or to sniff ascii services)
tcpdump (simple packet dumper)
netwatch (console tool to monitor connections etc)
ethereal (graphical traffic analyser - pretty easy to use)
snort (IDS, probably better for aimed searching)

... and whatever firewall-software you use - it probably has LOG'ing targets, which might be handy if you know what you are looking for.

These are the programs I have used in the past (and some others like netcat and netgrep, but these probably don't come in handy for what you want to do). Be careful that whatever daemon you run, doesn't get you into trouble - although these are security-programs, they occasionally have security bugs themselves. It would feel stupid to be compromised because of the very program that's supposed to aid in fighting hackers.

Also remember some of these tools can fill up your drives in seconds, if you're not careful. I once had that problem, due to a typo, and it took a few days before I realised. Ofcourse, you miss anything you would want to have logged during that time...

I don't really know any commercial tools. And I don't think I'll ever need one... Unix/Linux systems have lots of net tools, it's probably one of the best represented categories.

Driftnet!

[Nailer]

Cause its fun!

Red Hat / Fedora packages at Dag's apt repository

Fluke NetTool

[tbdean]

The Fluke NetTool does all that plus stuff like it can hook up inbetween a workstation and a switch and tell you why it's not connected (crossover cable instead of a patch cable, wrong subnet, cut wire, etc.)

$1200, but well worth it.
They have an 802.11x version too.

What I use.

[mindstrm]

I use:

tcpdump, whenever possible.

I grab packets with that, and view them in ethereal.

For debugging application level problems with tcp stuff, sometimes sniffit is more convenient.

Now.. for situations where I don't have a suitable machine in the right place to sniff what I want... and don't want to start re-cabling things... ettercap can be handy, specifically the arp poisoning stuff, so you can sniff traffic off a switched network. Make sure you have clear in your head the ramifications of how it works, though, or you might end up with a bit of a mess.

The best too by far, though, is your own head.. having a really clear idea of what it is you are SUPPOSED to see makes it a lot easier to find out what's wrong.

Insecure.org Tool List

[pararox]

A comprehensive listing, that has been some years in the making, can be found at Insecure.org.

I found this page, created by the famous and brilliant Fyodor (of nmap fame), to be a truly indispensible resource when I first began to be interested in computer security.

Hope this helps!

-pararox-

Re:^H^H^H

[Synonymous+Yellowbel]

backspace :)

tcpdump, ethereal, etherpeek

[blate]

I guess I'm oldschool, but I still use tcpdump for most day-to-day things. It's handy, it's fast, and it runs on just about every OS (including Windows (google for windump)). The output is ugly, but once you get used to it, you hardly notice.

When I really need to analyze a stream or set of streams, or I'm going to be staring at packets for more than about 10 minutes, I switch to ethereal. Again, it's free, runs on most OS's (including Windows, again), and the GUI is a little clunky, but quite usable. As several people have mentioned, the capture filter syntax is identical to tcpdump. The display filter syntax is different and I find is a little tricky to get right, so I try to prefilter (or filter with tcpdump beforehand) as much as possible.

One handy feature is the ability to analyze certain types of streams, such as a TCP session (filter out the whole session and see all the data in one window) and SIP (analyze jitter, loss, extract audio session, etc.). It's also open-source, so if it doesn't understand some kind of traffic, you can write your own extension. I haven't had to do this yet, but I know people who have, and it seems easy enough for a compitent programmer.

My employer has a site license for WildPackets Etherpeek (it comes in several versions... I think we have one of the higher-end ones). Frankly, it's prettier than ethereal, but, at least for the debugging I do, provides very little extra functionality. The capture filters are embedded in a GUI which I find makes it hard to see how they're configured.

Etherpeek is pretty and may be easier for novices to use. But I wouldn't waste the money unless it has some quirky feature you just can't live without.

Something to keep in mind: often, the place where you capture packets is not where you'd like to analyze them. For example, I've had situations where I needed to sniff traffic on a remote server -- I had ssh access to the server (and root, of course :) ), but couldn't/didn't want to install all kinds of GUI tools, etc. This is where tcpdump really shines. You can capture to a binary file and read the file with tcpdump, ethereal, Etherpeek, and many other packages. As long as you can get the file off the machine, you can analyze the data.

There are also handy tools for managing and analyzing tcpdump files, such as tcpslice, which breaks up large dumps by time, date, etc.; there is a tool that "anonomizes" (sp?) packets so that you can analyze streams without violating anyone's privacy (this is largely for academic use, but if, for example, you wanted to do some kind of traffic analysis on your uplink, you could do so without ruffling as many feathers).

Finally, note that tcpdump will sniff on pretty much any interface that supports libpcap. Tools like Etherpeek only talk to certain (ethernet) adapters, for example. Caveat emptor.

Bottom line: pick the right tool for the job :)

Re:tcpdump, ethereal, etherpeek

Finally, note that tcpdump will sniff on pretty much any interface that supports libpcap. Tools like Etherpeek only talk to certain (ethernet) adapters, for example. Caveat emptor.

That's not true, EtherPeek can sniff on any ethernet interface, in fact on the Mac it uses libpcap. But WildPackets also makes WANPeek which can sniff directly off a T1/E1 (hardware included), GigaPeek (full duplex gig sniffing, hardware included), AiroPeek for wireless sniffing (support for a number of cards), or even a distributed RFGrabber device for sniffing.

Try Pikachu

Pikachu is a free JPEG sniffer for windows. It sniffs emails too :)

PacketSeeker and Ethereal

My vote (as many have also stated) is for Ethereal when you know EXACTLY what you're looking for, or you know HOW to look for what is wrong.

However, to understand my network like I've never done before, I've recently gotten my hands on Packeteer's PacketSeeker:

http://www.packeteer.com/prod-sol/products/packe ts eeker.cfm

While Ethereal is free, the PacketSeeker is a commercial product.

Re:Sniff JPEG images from network

[kylegordon]

You may also be interested in Driftnet

snort

[np_bernstein]

If you are having reoccuring problems on your network, you might want to take a look at snort. While it's not what most people think of when they think of a packet sniffer, it has a large set of rules, which don't just identify potentially dangerous traffic, but "bad traffic" and policy violations as well. In addition, you can write your own rules to match packets against, so if the reoccuring problems are of a similar nature, you can set up rules on distributed sensors, and use the common tools to alert you when those conditions arise, and take a more preemptice approach.

I personally think that snort is one of the top 10-20 most usefull tools to come out of the open source movement and recommend it highly. It, in addition, falls into that mantra of using your resources wisely.

Good luck, and consider asking your company to pay for some classes. Having them equip you with some additional knowledge will end up saving them money in the long run.

More information can be found here.

Snort

[g-to-the-o-to-the-g]

Snort can be used to sniff packets on a only-get-what-you-want level. For the admins like myself who do most of their admining from a remote box, Snort can be very useful. With custom rules, you can configure snort to report packets which have relavence, rather then capturing all packets and looking through afterwards. Hope that helps.

Re:"Sniffing" for HTTP

[PaschalNee]

unless you're a network admin, you probably don't.

Agree with the above. Sniffing will also not get you anywhere if you are trying to see what happening on a https stream as all you'll see is the encrypted traffic.

If you are stuck with IE as a browser for whatever reasons there are two tool comparable to live http headers plugin for Mozilla.

• HTTP Watch - used it and love it. Also the company are open to product improvement suggestions
• HTTPLook - Have not used it myself but have customers who have

Re:"Sniffing" for HTTP

[badzilla]

Not tried these payware tools but an excellent free one for Windows is the evergreen "Proxomitron". Beautifully formatted and color-coded HTTP output.

RMON

[rikboven]

Ethereal is a really nice application. However, it has it's limits.

RMON (see RFC 3577) or Remote Monitoring is a set of SNMP MIBs which you allow you to gather traffic information (including packet captures) from network elements itself. You do not need to have a computer to run ethereal, snoop or tcpdump.

The switch/router/probe will collect the info for you, automatically.

Virtually all switches support (mini-)RMON. Furthermore you have (full) RMON probes which you can install at various places in the network.

The flexibility of RMON probes is much larger then ethereal. However, I often use ethereal to look at the packet captured using RMON.

Some info:
http://www.ietf.org/html.charters/rmonmib-c harter. html
http://www.cisco.com/univercd/cc/td/doc/cisi ntwk/i to_doc/rmon.htm

my 2 cents

Rik

here's my stream of conscious sniffing text file:

[Serveert]

http://www.cs.columbia.edu/~hgs/internet/tools.h tm l

iftop - ncurses
iptraf - ncurses
tcpflow - reconstruct into file per tcp conn
ettercap - ncurses, kill conn, drill down on connection, ssh 1 attack, etc
ssldump - http://www.rtfm.com/ssldump/
etherape - graphical view of net
ntop - web based network monitoring
ethereal - GUI - based sniffer, gets all protocols.
mtr - monitor hops
trafshow - nice ncurses sorted list of top bandwith hogs
http://www.mirrors.wiretapped.net/security/network -monitoring/trafshow/

Network Intercept

[Hacksaw]

A very impressive tool is Network Intercept from Sandstorm. http://www.sandstorm.com.

It makes most tools look like looking at a raw byte stream.

favorite security tools survey

A favorite security tools survey was conducted at the Nmap-hackers mailling list. Many of the mentioned tools are listed in order of popularity (with links and a short description)

see http://www.insecure.org/tools.html

Paul

snoopy

[DrSkwid]

snoopy

sniffing tools

I use:

ngrep - nice libpcap using tool, network grep :) regexs and the like all good, i love this tool just for its simplicity

dsniff is good, some interesting things in there,

driftnet is amazing - shows images as they fly by on the network!

ettercap - for those switched network situations - using arp instead :/

ethereal - usually i use this for browsing pcap dumps but of course its a powerful sniffer in its own right.

CommView

[Mixel]

CommView is a very nice packet viewer for windows with a complicated ruleset and lots of colour-coding, stats, etc. Alarms, packet searching, dns and also a neat Remote Agent feature. It'll cost ya, but its fun :)

Knoppix STD - get it now !!

dowload the ISO from here it's got most of the tools mentioned here and you don't even need to install it onto your hard disk. It runs a full Linux system from CD.

Re:Simple....

[Necro+Spork]

^H (ctrl+H) is backspace typically used while working with UNIX. ^W (ctrl+W) is used to delete the previous word.

And there's ipaudit

[jrifkin]

Sorry for the shameless plug but I find ipaudit and ipstrings useful. Available from sourceforge.

ipaudit similar to netflow, it summarizes network traffic byte count for every host pair, protocol, and port pair.
ipstrings reads string data off the wire similar to unix utility strings. It's included in the ipaudit package.

Ask Slash: How do I do my job?

[infochuck]

What SysAdmin worth his/her salt hasn't heard of and used Ethereal, or can't use GOOGLE to find something similar? Man, I must be getting bitter and cynical in my old age. Or maybe I just don't like idiots. I should start posting as an AC.

No wonder companies are outsourcing techs.

Re:snort [Funny]

[FreeLinux]

Snort as a recommendation is a rather good pun but, as a network sniffer (packet capture/protocol analyzer) Snort is not the answer.

Snort is an Intrusion Detection System(IDS) that monitors network traffic and performs an action when it sees a matching pattern. That action could be a log entry or it might be configured to save the packet to a file. Other actions are possible using external programs. Snort uses libpcap of TCPDump fame to monitor or capture the network traffic. Snort is useless for displaying or analyzing network traffic but, this is not a function that it was designed for.

Ethereal is a graphical protocol analyzer although it does include a command line version as well called Tethereal. Ethereal also relies on libpcap for actually capturing the network packets but, it goes much further than simply capturing network packets. Ethereal displays a break down of the packets themselves separating categorizing and displaying the various fields and data in a packet. It goes further by also decoding a long list of higher level protocols that may be included in the packet.

Ethereal is also capable of reading and decoding network traffic that has been captured and saved in other formats. Ethereal can read and save packet capture files in MS Network Monitor, NAI Sniffer Pro, and many other formats. Ethereal is increasingly recommended by companies such as Novell who actually has had their own protocol analyzer for years called Lanalyzer. Cisco support engineers are also increasingly recommending the use of Ethereal for capture and analysis of network traffic when troubleshooting potential problems with their equipment.

TCPDump has also been recommended by many people here on Slashdot.. TCPDump is a command line based protocol analyzer. It also relies on libpcap for actual packet capture but, it then displays a break down of the actual packets. Its display is not as attractive or as configurable as the graphical Ethereal and it is more limited in the number of protocols that it can interpret and disassemble but, it is still a very powerful and capable program. Further more, its output can be saved for further examination by ethereal.

Re:"Sniffing" for HTTP

[Hipgnosis]

**or** if you are doing application development that in any way uses TCP/IP. It is extremely useful to be able to see what you are actually sending out over the wire vs. what you *think* you are sending out.

they are everywhere!

[whelck]

I'm actually a little surprised at the small amount of network tools that have been suggested. While Ethereal is a god send (it recently solved a very puzzling DHCP issue that we were having on one of our networks), it isn't the end of what you need to have.

Buy one linux server, and then discover the wonders that are ping and SNMP. Simple tools such as Nagios and MRTG (or NRG or Cricket) can do wonders for helping spot problem switches/routers and congestion spots.

For example, every device we have is pinged 3 times every minute, and queried for bandwidth usage every 5 minutes. This has helped in finding bottlenecks, and the occasional switch that reboots every few minutes. (MRTG alone convinced the higher ups to buy new gear for our Datacenter and give it a dedicated link to the Core).

Also, setting up a wonderful SNMP trap server can be very useful. It allowed us to find a switch that likes to reboot at random intervals (the switch is 5 years old and being replaced this weekend). Of course, having it send a trap whenever a switch reboots is just the start of what certain switches/routers can do.

Also the use of Snort to sniff traffic that can be potentially malicious can be very helpful in tuning firewalls and finding those script kiddies. (use ACID for a pretty front end)

Another nice tool is NTOP Does almost everything NetFlow does and has a pretty graphical frontend built in. (I recently used this to find out that one of our firewalls was sending gigs of syslog data to the wrong server.)

And with the mention of syslog, might as well throw out a link for syslog-ng. yet another useful tool.

Basically the point of this is to say that sometimes it's best to let your equipment do that talking. They'll usually tell you what's wrong, just as long as you've set them up to do so. I found that once we put a lot of these tools into full production, we were able to cut down on our need to sniff the line whenever problems came up. This isn't to say that Ethereal isn't needed. That's hardly the case. Its use is still huge and shown all the time.