What Network Sniffing Tools Do You Use?

network-nose asks: "I work as a Network Administrator in a 500 user manufacturing facility in southeastern Wisconsin. My job is to keep the company running as close to 100% of the time as possible while trying not to spend any money on up to date hardware and software. As of late, we have been having quite a few network problems that can only really be resolved by sniffing packets. I am wondering what tools the rest of you network guys and gals out there use in a corporate environment for analyzing packets. Of course, the more reasonbly priced the better, but I know you usually get what you pay for."

I'm not a network admin

[ObviousGuy]

What kinds of problems can only be figured out by sniffing packets? Rogue programs? Unauthorized porn downloads? Illegal P2P activity?

On a properly configured network, where are the points of failure that can't be figured out with any other method besides packet sniffing? If these problems exist, would it be worthwhile to incorporate functionality directly into the networking software to watch for these problems and fix them automatically?

Re:I'm not a network admin

[timmarhy]

i find packet sniffing to be the fastest way to find problems. I just use tcpdump and take a look at the traffic. look at applications does you know good since they never tell you exactly what they are sending out. using tcpdump i found a major issue in one of our applications ( was reading a database table in an infinte loop) this had gone unoticed for years, and no one ever though why the network was so so congested

Re:I'm not a network admin

[menscher]

One case I solved was when a client couldn't talk to the server. Ran snoop (a packet sniffer that comes with IRIX) to see what the network traffic looked like. Turned out the client was being DoSed by multicast traffic. Stopped the box spewing the multicast, and everything was fixed. Not sure how I would've figured that out without the sniffer.

I could give dozens of other examples, but others have already done that. Let's just say I'm sort of a sniffer zealot. Any time I'm seeing network strangeness, a sniffer is the first tool I reach for.

Re:I'm not a network admin

[iabervon]

Most things can be diagnosed in other ways, but a good packet sniffer can make it easy to check a whole bunch of things at once. For example, you plug in a computer and try to print to the network printer. Nothing happens. There are about a dozen things that could be wrong with your configuration, and they're all in different places, and not necessarily easy to see at a glance whether they're right. With a packet sniffer, you can see pretty trivially where things went wrong, even if it's something complicated (the nameserver is returning the printer's address as if you were on the private network, but you're not, and the firewall drops the packets).

For that matter, it could be something like "the network gets really slow at 2:30 PM every day". Obviously, it's something out there doing too much, but you've got no idea what machine.

Re:I'm not a network admin

[blate]

I'm not a net. admin either, I'm a software engineer.

When you're writing network software, or software that uses the network, you often run into wierd and hard-to-debug problems. The task of finding the cause of these bugs if often expedited by looking at the packets on the wire.

For example, you think you're sending a particular pattern of bits (1's and 0's) -- that's what you think you coded in your program. But for some reason, the other end doesn't understand your packets. You could put a bunch of debugging statements in your program, recompile, and hope you can see the problem, or, you can simply sniff the packets and see what's really going out on the wire.

As another person mentioned, sniffing is also useful for reverse-engineering closed-source software that uses the network. That's how those guys implimented clients for AIM -- they just figured out what messages to send back and forth. (Sadly, AOHell decided to change the protocol every 2 minutes so the open-source clients don't work very well.)

As far as security, sniffing or analyzing traffic is one of best tools available to see what's passing through your network. It's analagous to the security cameras in the local stop-and-rob (gas station) or in a casino -- they let the security guys watch what's going on, review it after the fact, and find/identify the bad guys.

Re:Ethereal

Also, when in the initial grip of a spreading Windows worm or what have you, I have a curious attachment to running tethereal in a window (rxvt say). It's surprising how much sense you can make out of what flies by, and you can scroll back and/or pause the flow as necessary to record individual IPs or the like. Ethereal provides the same data, but don't knock the immediacy of the text-only version. To say nothing of remote administration.

tcpdump and/or ethereal

[The+AtomicPunk]

Like everybody else has said, you have those two, you're covered.

However, I find myself frequently using tcpdump to capture data, then downloading it and analyzing it in Ethereal on my workstation later.

tcpdump -w myfile.dump -s 2000

Re:tcpdump and/or ethereal

[Autonin]

Actually -s 0 is better.

10/100BaseT Ethernet, which pretty much everyone uses these days, is limited to 1500 snaplen. But the good old FDDI was a whopping 4500!

With -s 0, it basically means "All" - you don't have to think about what transmission medium you're using.

I also usually name my packet captures with extention *.pcap, and just make Ethereal be the default *.pcap file handler.

I'll also use tcpdump to whittle my pcaps down. Say I capture for a long time and end up with a 500MB+ pcap. Opening this in most any workstation with Ethereal will cause you to wait awhile, and could actually crash your box (yay for WinXP pre-fetch!).

So when I've found a particular port or host I want to extract from a stream to make the pcap more managable, I'll do something like this:

tcpdump -s 0 -r infile.pcap -w outfile.pcap host x.x.x.x and port xxx

Sometimes, I'll use tethereal instead to go a little deeper. tethereal is ***SLOW*** compared to tcpdump, but the granularity is worth it sometimes. Just set it going, and go get a coffee or something.

When examining a capture of some malware trying to spread, often times it will SYN several hundred machines without getting a reply. Trolling through these can be a pain. But by using tethereal, you can make what I call "Jesus" pcaps (no SYN's). To make it complete, I also filter RST's like so:

tethereal -r infile.pcap -w outfile -R "tcp.flags.syn==0 && tcp.flags.reset==0"

There is a way to do this in tcpdump, but it's much more complicated. Besides, you need the break anyway, right? :)

Ethereal on Win/Lin and EtherApe on Linux.

[openmtl]

User EtherApe on Linux - very cool graphics and allows you to focus on who's loading LAN segments (put it onto the monitor port on your switch). And Ethereal as many have mentioned on both Windows and Linux. I use Ethereal for everything from finding what spyware is trying to do through to trapping inconsistent content from a server farm to working out what ciphers SSL is negotiating through to looking at what DNS replies I'm getting. I'd be lost without it.

Re:I don't mean to flame, but...

[Loconut1389]

Funny you mention EtherPeek. I worked for that company (who was in my little hometown) back when they were still Ag Group. Last I heard they became WildPackets!. (Exclamation is part of the name). EtherPeek was some slick software, but yeah cost some $$ if you didnt get a free key from them =)

Along similar lines

[lewko]

Although only useful for fun, and not serious network analysis, have a play with Etherpeg

EtherPEG works by capturing unencrypted TCP packets off your local network, collecting packets into groups based on TCP connection (determined from source IP address, destination IP address, source TCP port and destination TCP port), reassembling those packets into order based on TCP sequence number, and then scanning the resulting data for byte sequences that suggest the presence of JPEG or GIF data.

Or in other words, fire it up, plug in a data projector and watch everyone's porn. Interesting side-effect: It makes (most) people a lot more careful what they browse if they know the results will be displayed for everyone's amusement. Mercifully, it's also a lot less likely these days to see The Goatse flying across the screen.

Re:Along similar lines

[SLot]

Since the above is for Mac only, on the linux side of the house lives Driftnet.

We have one guy in our office that watches porn for an hour twice daily - at 11 & 4. We all gather around the machine running driftnet, fire up ethereal & etherape on another, and watch along. It is unofficially known as the "Hour of Power Pr0n".

Re:Ethereal

[MrBlue+VT]

I agree, Ethereal is a godsend. Made it easy to reverse engineer a protocol I needed to replicate in one of my projects.

Only feature I wish it had would be the ability to ARP poison switches. Etherape has this ability and it is nice for listening on unmanaged switches.

Otherwise, ethereal is a great product. Nice filtering and easy to follow streams. It also will do a lot of legwork for you and figure out what higher level protocol is being used over TCP.

Re:Sounds like an NT/XP...Use Linux/Unix

[the+Slashbot]

Isnt it funny that free software is actually more useful than commercial?

Linux even comes with numerous sniffers, all under the GPL.

Heres an interesting idea for M$, why dont they ship Windoze with a couple of CD's of GPL'ed software and give people the choice? Not products that compete with anything in the M$ family, just complementary products. Then slowly the world could move towards GPL'ed software, and M$ need not be left out.

Re:I don't mean to flame, but...

[interiot]

Ethereal can do TCP/UDP/GRE/... IP, Appletalk, IPX, Banyan Vines, etc etc etc., so there's no lack there.

The thing is, there are tons of network applications that fulfill usefully different roles:

• record historical data and let you drill-down and see some things (eg. ntop)
• on-the-fly statistics generation (eg. how many failed connections perhaps)
• on-the-fly intrusion detection
• network uptime monitoring with emailing/paging capability
• high-level performance monitoring, optionally including at the router-level with network topography maps
• ...the list goes on and on

Users range from single computers connected to a congested cable modem, to five-nines uptime network admins who maintain multiple datacenters around the world, so there's a wide range of complexity that different apps need to fill.

Add to that user preferences about specific OS's, licenses, languages, etc. they like to use, and you can spend days searching for just the right network app for your specific need.

Re:sniffing, etc.

[seanadams.com]

Sure, it has Total Integration. But is it an e-Solution for my enterprise application?

What does it do? Can anyone enlighten us, since fluke's web site makes this product look like an April fool's gag?

Re:I don't mean to flame, but...

[achurch]

Are you THAT fucking stupid? How long have you been a "network administrator"? Which part of Google and basic documentation do you not understand?

I don't mean to flame, but...

Are you THAT fucking stupid? How long have you been a "member of society"? Which part of consulting your peers do you not understand?

Just so that this isn't a total flame:

The fact that the submitter said nothing about Ethereal and the like doesn't mean he's unaware of them; he may just be wondering what other options are available. Or even if he is unaware, maybe he got drafted into the job by a PHB, and he's honestly trying to get more information. Yes, he could use Google, but asking people with experience is undeniably a more direct route to getting answers. Many people will answer such questions willingly. If you don't want to be bothered by them, then for crying out loud, just ignore them. There's no call for insults.

Also try reading this comment, and be enlightened. "He who knows not and knows that he knows not; he is ignorant, teach him."

For the record, I use tcpdump.

"Sniffing" for HTTP

[jtheory]

I used Ethereal for a while, sniffing simple HTTP traffic, sorting out cookie issues and so on (I'm not a netadmin -- mostly web app development)... and it was darned handy.

Of course, when I found the live http headers plugin for Mozilla it was exactly what I needed -- just the headers, scrolling by realtime, and no more sniffing needed.

Yeah, this is slightly OT (which may be good in a discussion that seems to be a long string of ethereal links, all +5) -- but I wanted to point out to those people out there who think they "need a sniffer" -- unless you're a network admin, you probably don't.

[Plus the Futurama quotes in the /. headers are entertaining]

Re:"Sniffing" for HTTP

[ovidus+naso]

If you're stuck in M$ land and want to sniff what your exquisitly byzantine dhtml app is POSTing back to the server, this tool comes quite handy. It acts as a proxy (so it works with whatever browser your using) with a GUI to follow HTTP exchanges in real time. Nice.

Re:"Sniffing" for HTTP

What about HTTPSpy?

Re:"Sniffing" for HTTP

[frodo+from+middle+ea]

My personal favourite for HTTP based traffic is OpenSTA.

Open source, and very flexible, what more it even supports https and you can actully see the https traffic. It can be scripted and automated to run on a cluster for stress testing your web application. Provides CVS results and also graphs

My only gripe are , no proper support for SSL client authentication via digital certificates, and sometimes complex URL created via Javascripts can be a problem in SSL.

Re:ethereal, tcpdump

[throughthewire]

Windows 2003 already has Network Monitor Tools. You can find it in the Add Remove Programs.

For previous versions you can use the version that comes with SMS.

Netmon.exe has been included with Windows Server since NT 4.0.

However, the "free" version is crippled - it does not support promiscuous mode, among other things - you can only capture your own traffic and broadcast traffic.

The version included with SMS is fairly full-featured, and I used it for a long time, but Ethereal is at least as good, and you can't beat the price. I find it slightly harder to construct display filters with Ethereal, but its vastly more flexible capture filters beat Netmon all to hell.

Hubs

[Fnordulicious]

Hubs are not pure unadulterated evil. They have one use that is unmatched by other ethernet switching devices. That is, seeing every damned packet crossing a given segment. If you want to be able to snoop on *all* the traffic on a segment then you can't rely on a switch because it's keeping you from all the stuff not directed to your host. So if you're feeling snoopy, you want a hub.

Now, in real life where people don't have a need to snoop, switches are a big win. But my home network sure as hell uses a hub. I don't care if it slows down one or two machines, I want to make sure I can see all the traffic there is, whether it's hitting the router or not.

(Actually, my Nortel is a layer 3 (and 4 sorta) switch so it's not really a hub and I can configure any arbitrary port to receive traffic from all the others. So I lied a little. But if I didn't have my studly switch then I'd be using a hub. Because I'm suspicious.)

Re:Ethereal

[Apro+im]

I freely admit to having no Cisco cert, and so defer to you, but why does it matter? If you are simply placing a hub in the way of a single connection, hooking in a "listen only" device can't be too bad, can it? I mean, no scope for (additional) collisions you're not adding traffic on there, is there?

As long as the hub and the monitoring system can handle the throughput, I don't understand why this would create any additional backlog.

Re:sniffing, etc.

We have protocol expert from fluke. ($$$)

This is very good as it allows us to break into gig/e fibre links - which ethereal can't do.

However more often than not we export the capture from protocol expert and load it into ethereal :)

Re:Ethereal

[necronom426]

Agreed.

My first job was to look after a Novell server and a network of 30+ machines with no training apart from what I could pick up along the way and from my experience with PC's. Another job I was looking after a Unix box for the first time and didn't know how to do much.

Recently I got a free label printing program from a web site for my Mother to use at work (she was hand writing 100's of addresses on envelopes that were printed from a computer!) The "computer guy" at the company said they couldn't do labels (even though they use Word) so I go her this free one. I had to explain to him how to find a directory on the PC! They do have a network and the main computer guy who set it up was in another country, but they had put this other person in charge of the PC's and he didn't know anything about them. Another time I had to tell him how to find the size of a hard drive...

*sniff*

[Mirko.S]

Hi,
for normal (short) analyse I use ```tcpdump'', or ``netstat -I $INTERFACE 1''* to see, who's gonna make traffic (and slows down my ssh connection :)).
For long distance analysing and for raliable traffic data is use nitpicker.

Under windows i would use etherape to analyse packets... it uses pcap under windows, same as tcpdump, and so its okay :)

Greetings
Mirko

* your `uname -s' should look like this:

$ uname -s
FreeBSD

Re:Ethereal

[lanswitch]

I used ethereal on linux, windows 98, 2000 and xp pro. it works equally well on all platforms. libpcap for windows is called winpcap.

know what you're looking for

[bsmithsweeney]

I won't list any other tools I use, as they've all been mentioned lots of times, but I will add to the list tethereal, which is the command-line version of ethereal.

Two very important general notes about analyzing the network, though. First you should know at least somewhat what your network looks like under normal circumstances. I can't tell you how many times I've beeen at a new organization looking at the network for strangeness and seen a long list of errors that some net admin saw and said "yeah, that's a misconfigured m$ box, haven't fixed it yet...yeah, that's a broken printer...yeah...". It helps if you know this stuff ahead of time.

Second, switching's a pain when it comes to network sniffing. The best tool in the world can't help you if the packet never gets to you. Make sure you know the layout of the network in question very well before you try looking for problems, and make sure you're either tapping as necessary or in the right spot to monitor. There are a number of tools that can just jump on a random switched port and sniff, but they often use dicey methods for dealing with the switch (arp poisoning, flooding, etc.) that you don't necessarily want to mess with if you're already having network issues. And if you're not, arp-flooding a switch or poisoning one of your production servers is a great way to cause some! ;-)

I'll end with the obligatory war-story in response to a post I read that said (paraphrasing) "What would you need this kind of analysis for?" I had to troubleshoot a weird network problem that seemed to be network-wide (in this case, 3 buildings, total of about 30 switches; not too large). Symptoms were that a host would fail to start talking to another host about 1/2 the time, but once it did start, it was fine (for a while). Turns out that there was a busted switche that was bit-flipping and mangling the MAC address in the response. Thing was, we were using HP's with meshing turned on (I hate this feature; much prefer good old spanning-tee and, if you need, trunking) which black-box combines multiple uplinks between switches so you *NEVER* know what path a piece of data is taking. Hence, the only erroring out about 1/2 the time and working once it did go through (arp cache), and hence us having a real hard time figuring out which was the broken switch.

Ethereal was my friend that day. Had to run it in multiple spots though to see the arp change.

Re:Ethereal

Just curious, but why don't you use the management console on your switch to forward all data to a specific port? Or are they cheapo's?