Full Version: B.I.S.S. PACKET SNIFFING Guide
B.I.S.S. Forums > Internet Security Forum > B.I.S.S. Security Guides
Moore
#################################################################

Time to take a look at Packet Sniffing ...

#################################################################


In combination with a powerful firewall / intrusion detection system, or even on its own, a good packet sniffer can be a handy secret weapon for catching unauthorized background traffic and also a great way to monitor all connections and the actual contents of the packets being sent and received to and from your computer.

--------------------------------------

PLEASE NOTE: This information is for educational and defensive purposes only.

It is illegal in many countries to use sniffing tools on networks you do not own, so be warned: IT IS ENTIRELY YOUR OWN RESPONSIBILITY IF YOU ACT AGAINST THE LAW.

---------------------------------------

A great detailed FAQ to Packet Sniffing here:
http://linuxsecurity.net/resource_files/in...iffing-faq.html

---

Wikipedia on Packet sniffing:
http://en.wikipedia.org/wiki/Packet_sniffer

---------------------------------------


Please also read the Bluetack Guide to Intrusion Detection Systems:

- http://www.bluetack.co.uk/forums/index.php?showtopic=1195

And the IP Address Guide:
- http://www.bluetack.co.uk/forums/index.php?showtopic=52

--------------------------------------

A certain amount of networking knowledge is required before you go pressing any buttons on your packet sniffer.

If you are not sure what ports, internet protocols or TCP flags are, then you should start by reading something like this book first:

QUOTE
IBM's TCP/IP Redbook

The 986-page "TCP/IP Tutorial and Technical Overview", produced by the IBM International Technical Support Organization, is available as a freely downloadable, 7.8MB PDF format file. This is one amazingly useful and comprehensive text which anyone interested in learning more about the ways and means of inter-networking should definitely check out!


Right-click, Save Target As to download:
http://www.redbooks.ibm.com/pubs/pdfs/redb...ks/gg243376.pdf

or online html version:
http://www.redbooks.ibm.com/redbooks/GG243376.html



QUOTE
Packet sniffing is a form of wire-tap applied to computer networks instead of phone networks.

It came into vogue with Ethernet, which is known as a "shared medium" network. This means that traffic on a segment passes by all hosts attached to that segment.

Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic.

Today's networks are increasingly employing "switch" technology, preventing this technique from being as successful as in the past.

It is still useful, though, as it is becoming increasingly easy to install remote sniffing programs on servers and routers, through which a lot of traffic flows.

Packet sniffing is difficult to detect, but it can be done. But the difficulty of the solution means that in practice, it is rarely done.




A lightning-quick definition of a packet sniffer from SuraSoft's Security FAQ
http://www.surasoft.com/tut/packsniffing.htm


QUOTE
When you make contact with the Internet, data isn’t sent in one continuous stream of data; this would be impractical and it would limit the performance of the Internet network. To keep the performance of the Internet as high as possible, the data is cut in slices. Such a slice of data (either inbound or outbound) is called "a packet". Now, you can’t see atoms with your naked eye can you? No, I thought so. Sending information on a network means sending "packets" of data. Think of them like the atoms. A lot of packets will create the final information you will see on your screen, be it website or email. To "see" the atoms you would need a special device, some kind of electron microscope, to be able to see the "packets" you’ve sent or received…you also need a special device. This is a special type of monitoring program called … a packet sniffer. By using a packet sniffer you’re able to see any bit of information entering or leaving your computer… even those you normally wouldn’t see!

A packet sniffer can be considered as a sort of wire tap device: a device that can "plug" into computer networks and eavesdrop on the network traffic. Just as a telephone wiretap allows the CIA to listen to conversations, the same concept follows a packet sniffer in the sense that it allows someone to listen in on computer conversations.

Packet sniffers capture "binary" data passing through the network, most if not all decent sniffers "decode" this data into a human readable form. To make it even easier (for humans) another step occurs known as "protocol analysis". There is a varying degree of the analysis that takes place, some are simple, just breaking down the "packet" information. Others are more complex giving "detailed" information about what it sees on the packet (i.e., highlights a password for a service).

One very important (and very simple) point to understand is that the sniffer has to be on the same "wire" on which the data is travelling to. In short the "probing" device that "captures" the data has to be on the same wire. The data can then be relayed to a decoding computer on a different network.

Situation: Bob and John are engaged in an internet chat session. You are in a city far apart from where the two men reside. Bob and John are talking top secret details on a cocaine deal. You (the law abiding citizen) decide to sniff their chat session (from your location) to help the feds bust Bob and John.

The simple answer is you CAN'T do that as you don't have access to the path that the data travels from! Of course if you are a good hacker (or well, Cracker) then you could install a Trojan on Bob or John's computer and run a sniffer from their system, thus the sniffer itself is on the same wire.

Basically to successfully sniff you have to be on a LAN that is connected with a hub and not a switch. Computers can be physically connected in many ways. If they are connected using a Hub then here is what happens. If there were 4 computers (A, B, C & D) and A wanted to send something to D then it goes through the hub. But the hub doesn't know where D is. So the hub "re-transmits" what A sent to all other computers. Computers B and C should ignore this data since the packet says it's for D. Computer D will obviously accept the data.

You can probably see the security issue here, since other computers nearly have direct access to data that's not meant for them. A packet sniffer can put your network card into promiscuous mode. In this mode the data not meant for that computer will silently pass through the system and thus allows for the packet sniffer to log data!

When computers are connected via a switch and not a hub then things are different. A switch actually knows which computers are connected to it. The switch also knows where the computers are. So when A sends something to D the data goes to the switch and it will send it directly to D without passing by B or C. So you cannot sniff data by installing a sniffer on computer B or C. Thus when functioning as intended a switch provides good sniffer protection!

BUT A SWITCH CAN BE TRICKED!

There is a super important point to understand with sniffing and "switches". Whilst switches appear to protect against sniffers THERE ARE WAYS to "trick" the switch which can enable you to start sniffing. You can flood the switch with ARP requests which will cause the switch to start behaving like a hub, or you can trick the switch to redirect traffic to the sniffer system.

How do I prevent my data being sniffed?

Many services on the internet send data in plain text. By default POP mail and SMTP (for sending mail) send data in clear text. The same applies for FTP, Telnet and News clients. ICQ, MSN and AOL Instant Messengers send passwords again in clear text. In fact most services send passwords this way.

Ways to secure yourself

When logging in to mail services check to see if your mail client supports encrypted logins. The server has to support this setting too, so check with them.
Even if you login securely (above) any e-mail you send is still in clear text, anyone on the path that the mail travels through can technically read it. Use Encryption to encrypt the message. PGP (www.pgpi.org) is the popular application for this.
When shopping on-line make sure the store has a "secure" connection for submitting credit card details. Generally SSL 128bit encryption is the standard.
Telnet sends password and normal data in plain text. If your server supports SSH then use this instead of Telnet since the connection is encrypted.
If possible use a Switch rather than a HUB on a LAN. This provides extremely efficient protection in practice (more work required to successfully sniff). This method is a frontline defence but it shouldn't be a method fully relied upon.

It's near impossible to detect that a packet sniffer is sniffing a connection. This is a passive act, the data is "logged" but unaltered. There are some methods of determining a packet sniffer, however they cannot conclude 100% what they found. A major clue that sniffing MAY be taking place is the fact that many DNS lookups are taking place (i.e., the sniffer is attempting to convert IP addresses to host names), however this is only an indication, for there may be other reasons as to why this may occur.

Another, stronger method of detecting if a packet sniffer is operating is to send an ARP request to the device in question to determine if it's in promiscuous mode. A packet which is not destined for your computer will be stopped at the hardware level if promiscuous mode is not on. The "device" in most cases is the network card of the computer running the sniffer.

Let's get practical...

So you want to start sniffing now? What better than to sniff your own internet connection or your own private LAN and get you off to a crash course!



--------------------------------------------------------------------------------

Packet Sniffers for Windows:

---------------------------------------------------------------------------------


AnalogX PacketMon - http://www.analogx.com/ - Free

A promising freeware sniffer overcoming the WinPCap issue of not being able to capture Dial up traffic in Windows 2000/XP. This sniffer utilizes the RAW SOCKET feature of XP and 2000 (hence only works on these systems). Ethereal still has the best protocol analyzing! Hopefully PacketMon will output a "Ethereal" readable format so Ethereal can do the analyzing.

-------------------

Anasil (Network Analyser) - http://www.sniff-tech.com/

An extremely powerful network analyser for Win9x/NT/2000/XP designed for Ethernet networks.

Includes packet sniffing, decoding of protocols, network utilization tests and detailed network statistics. Anasil also has a separate desktop agent that runs in stealth on network workstations from where screen shots, adapter and port information can be transmitted to the main Anasil system. Workstations running the desktop agent may also be shut down remotely.

A free demo version is available from Sniff-Tech

--------------------

AWPTA - AW Ports Traffic Analyzer - http://www.atelierweb.com/pta/index.htm $$
Port monitor /sniffer / trojan connection monitor

Atelier Web Ports Traffic Analyzer is the only software in the World that can capture the data that flows in and out of your PC since boot time.

A "sniffer" can track every byte that flows in and out of the network interface card, but cannot correlate them with any running software. And it cannot report listening ports (AWPTA does it and also reports any software the moment they open any socket).

* Real-time mapping of ports to processes (applications and...services)!
* History since boot-time of all TCP, UDP and RAW ports open through Winsock and respective mapping to processes!
* Log since boot-time of data sent and received (up to 500 MB, but restricted to 3 MB in the evaluation version) by the above ports!
* Sophisticated archiving feature allowing to review previous sessions with the same detail as the current session.
* The Packets viewer grid is literally tens of times faster than in previous 1.xx releases. Even large multimegabyte data captures are displayed almost instantly - so fast is it that the Abort button, which was used in previous releases to cancel tedious data manipulation, was simply discarded.
* Captured data can be saved in raw format. This is very useful for reconstructing whatever came or was sent across the line, such as html pages, exe files or video and sound files. This works both in the Traffic and in the Archives page.
* The Ports Database has been dramatically improved and augmented.
Now, it contains about 6000 records, covering more than 12000 port references, more than twice the quantity of releases 1.xx - making it, hands down, the most comprehensive Ports database in the market.


http://www.atelierweb.com/pta/faq.htm

30-day trial

-----------------------------------------

Cain & Abel

A freeware password recovery [ sniffing ] tool for Microsoft Operating Systems.

It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords, uncovering cached passwords and analyzing routing protocols.

http://www.oxid.it/cain.html

Online guide:
http://www.oxid.it/ca_um/

CAIN FEATURES:

- Protected Storage Password Manager
- LSA Secrets Dumper
- Users, Groups, Shares and Services Enumeration
- SID Scanner
- Local/Remote Service Manager
- APR (ARP Poison Routing) ENABLES SNIFFING on switched networks.
- Sniffer filters for HTTP-BASIC, HTTP-FORM, HTTP-COOKIE, HTTP-NTLMv1, HTTP-NTLMv2, HTTP-NTLMSSP, POP3, IMAP, FTP, VNC, HSRP, SMTP, NNTP, TDS (Sybase and MS-SQL), MS-Kerberos5 Pre-Auth, VRRP, RIPv2, OSPF, SMB (ClearText, NTLMv1, NTLMv2), NTLMSSP (NTLMv1, NTLMv2, NTLM Session Security), RADIUS, IKE Aggressive Mode Pre-Shared Keys, ICQ and MySQL authentications
- HSRP, VRRP, RIPv1, RIPv2, EIGRP, OSPF Monitors
- Full Telnet sessions sniffer
- Full SSH-1 sessions sniffer for APR (FULL-DUPLEX, stealth, supports DES, 3DES, Blowfish symmetric encryption algorithms, auto-downgrade to SSH-1 if server version is v1.99)
- Full HTTPS sessions sniffer for APR
- Auto IP-MAC Discovery
- MAC Address Scanner with OUI fingerprint
- Promiscuous-mode Scanner based on ARP packets
- Dialup Password Decoder
- Route Table Manager
- TCP/UDP Table Viewer


---------------------------------------

CommView - http://www.tamosoft.com/ $

An excellent commercial sniffer from TamoSoft. Doesn't rely on WinPCap or other external drivers to capture. Can capture both Dial up connections and Ethernet connections on Win9x, ME, NT, 2000 and XP. A time and feature restricted trial is available.

30-day trial

-----------------------------------------

Distinct Network Monitor - http://www.network-monitor.com/

An easy to use commercial sniffer with a powerful protocol analyzing and decoding engine. Breaks down packet contents into a human readable form. This product also has a decent set of summary charts which can be sorted by traffic or various protocols. Works on Win9x, ME, NT, 2000 and XP. A restricted trial is available.

----------------------------------------

~ D-SNIFF ~ - http://www.datanerds.net/~mike/dsniff.html - Freeware -

Built and tested on OpenBSD, Linux, Solaris, and WIN32! YMMV.

dsniff
simple password sniffer. handles FTP, Telnet, HTTP, POP, NNTP, IMAP, SNMP, LDAP, Rlogin, NFS, SOCKS, X11, IRC, AIM, CVS, ICQ, Napster, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, and Oracle SQL*Net auth info. goes beyond most sniffers in that it minimally parses each application protocol, only saving the "interesting" bits. uses Berkeley DB as its output file format, logging only unique auth info. supports full TCP/IP reassembly, courtesy of libnids (all of the following tools do, as well).

mailsnarf
a fast and easy way to violate the Electronic Communications Privacy Act of 1986 (18 USC 2701-2711), be careful. outputs all messages sniffed from SMTP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail -f, pine, etc.).

urlsnarf
output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, etc.).

webspy
sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, automagically). a fun party trick. :-)


-----------------------------------------

Ethereal - http://www.ethereal.com/ - Freeware -

A freeware sniffer for the UNIX platform but has versions for Windows too! Ethereal is probably the best freeware sniffer available for Windows with a lot of "protocol analyzing". Ethereal requires WinPCap which is available from the Ethereal site. This is the "driver" that lets Ethereal do the hard work. Note: WinPCap works with Win9x/ME, NT, 2000 and WinXP. WinPCap will enable applications such as Ethereal to capture data from Ethernet networks and also from Dial Up networks ONLY in Win9x/ME. On NT/2000/XP dial up connections cannot be sniffed due to technical issues.

screenshot:
http://www.ethereal.com/image/mainwin-20020929.png

--------------------------------------------

IP sniffer

http://erwan.l.free.fr/
http://www.softpedia.com/progDownload/IP-S...load-16567.html

IP sniffer is a packet sniffer using the new raw socket implementation of Windows2K! it runs on windows 2000 / XP and it has cool FEATURES like:

- filtering rules
- interface selection
- decoding ability
- advanced protocol description
- replay function
- ... much more ...

also IP Sniffer is a suite of IP Tools :
- IP traffic monitor
- IP statistics
- ARP (list & deleter entries, send request)
- Netbios Names
- Route Print
- Netstat (shows process attached to a connection, kill attached process, kill tcp entry)
- Network information (Params, Adapters, Cards)
- Spoofing (TCP, UDP, ICMP, ARP)
- WINS Query
- DNS Query (using win32 DNSAPI)
- DHCP Find
- WHOIS
- Resolve IP / Hostname
- PING (Host & Subnet)
- TCP Scan (Host & Subnet)

-------------------------------------------------------------

LANWatch
http://sandstorm.net/products/lanwatch/

LANWatch is a software-based network packet analyzer.

Easy to install and use, LANWatch monitors traffic in real time and displays a wide range of statistics. With LANWatch, network administrators can quickly identify problems and keep networks running at peak performance.

Support and QA Personnel can determine the origin of network problems. Network Application and Protocol Developers can easily monitor, examine and verify network protocols in both hexadecimal and formatted views.

------------------------------------------


Networkactiv Piafctm - Freeware -

posted by DeathAngel
Group: Administrators

Dual mode packet analyzer,

Mode 1 (Packet interceptor)
Receive and analyze IP packets from your network or the internet. Analyze only the packets of interest to you by way of filtering; this filtering may be done by IP address, port, packet size, protocol, or sub-string searching of packet content. Also, you can search for a sub-string within the current list of packets, save the list of packets to a text file, view the contents of each packet, and more.

Mode 2 (HTTP file interceptor)
This mode collects packets of the HTTP protocol, analyzes the packets, constructs them into usable files, and then automatically saves these files to a user specified directory. These files may be web-pages, pictures, videos, downloads, and more. You may filter the saving of files by IP address, port, and/or file size.

Notice: This is 100% freeware; No ads, banners, spyware, or nags.

http://www.networkactiv.com/PIAFCTM.html


-------------------------------------------

Port Explorer - http://www.diamondcs.com.au/index.php?page=products $


Port Explorer is an advanced network tool that is easy to use but very powerful that allows you to look at the network/Internet connections of your computer in a way you never have before. It is most famous for its precision port-to-process mapping capabilities, but it has many other capabilities including hidden server detection (allowing you to detect most remote access trojans simply by looking at the display to see red sockets), a packet-sniffer (you can even spy on individual sockets), as well as 7 unique utilities.

-------------------------------------------


PORTMON - Freeware -

Freeware port / serial monitor by Sysinternals.
http://www.sysinternals.com/

--------------------------------------------

~ Port Peeker ~ - freeware -

PortPeeker is a freeware utility for capturing network traffic for TCP, UDP or ICMP protocols (see Note below about ICMP traffic). With Port Peeker you can see what traffic is being sent to a given port, easily and quickly.

http://www.linklogger.com/portpeeker.htm
http://ct7support.com/linklogger/portpeeke...r/download.html

For a case study done with PortPeeker investigating inbound UDP Port 137 traffic please see 'A Day and a Night with PortPeeker and UDP Port 137' that we posted on DSLReports.
http://www.dslreports.com/forum/remark,964...44670~mode=flat


-------------------------------------------

SmartSniff v1.00 - Freeware -

http://www.nirsoft.net/utils/smsniff.html

SmartSniff allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as sequence of conversations between clients and servers.

You can view the TCP/IP conversations in ASCII mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP) or as a hex dump (for non-text-based protocols, like DNS).

SmartSniff can capture TCP/IP packets on any 32-bit Windows operating system (Windows 98/ME/NT/2000/XP) as long as WinPcap capture driver is installed and works properly with your network adapter.

Under Windows 2000/XP (or greater), SmartSniff also allows you to capture TCP/IP packets without installing any capture driver, by using 'Raw Sockets' method. However, this capture method has some limitations and problems:
Outgoing UDP and ICMP packets are not captured.

On Windows XP SP1 outgoing packets are not captured at all - thanks to Microsoft's bug that appeared in the SP1 update...
This bug was fixed in the SP2 update.


-------------------------------------------

Sniff'em - http://www.sniff-em.com/

An extremely cost effective network analyzer offering packet sniffing, protocol decoding and support for USB adapters, it is extremely easy to use and has the added benefit of being an intrusion detection system with powerful raw data logging.

Supports all versions of Windows 95 and onwards excluding Windows XP (which is said to be supported soon!)

--------------------------------

TCPDump / WinDump -
http://www.tcpdump.org/ - http://windump.polito.it/ - Freeware -

The classic sniffer for network monitoring and data acquisition.
Tcpdump is a well-known and well-loved text-based network packet analyzer ("sniffer").
It can be used to print out the headers of packets on a network interface that matches a given expression. You can use this tool to track down network problems or to monitor network activities. There is a separate Windows port named WinDump. TCPDump is also the source of the Libpcap/WinPcap [ http://winpcap.polito.it/ ] packet capture library, which is used by Nmap among many other utilities.
Note that many users prefer the newer Ethereal sniffer.

The NPF device driver was developed to work primarily with Ethernet adapters. Support for other MACs was added during the development, but Ethernet remains the most tested one. The main reason is that all our development stations have Ethernet adapters. However, the current situation is:

Windows 95/98/ME: the packet driver works correctly on Ethernet networks. It works also on PPP WAN links, but with some limitations (for example it is not able to capture the LCP and NCP packets). FDDI, ARCNET, ATM and Token Ring should be supported, however we did not test them because we do not have the hardware, so do not expect them to work perfectly.

Windows NT4/2000: the packet driver works correctly on Ethernet networks. We were not able to make it work on PPP WAN links, because of binding problems on the NDISWAN adapter. As in Win9x, FDDI, ARCNET, ATM and Token Ring should be supported, but are not guaranteed to work perfectly.

Wireless adapters are not guaranteed to work: some of them are not detected, others don't support promiscuous mode. In the best case, WinPcap is able to see an Ethernet emulation and not the real transiting packets. The AirSnare website contains a page (http://home.comcast.net/~jay.deboer/airsnare/supported.htm) with a list of wireless adapters, specifying for each of them the ability to work with WinPcap.
VPN: some implementations are not detected because of their unclean NDIS intermediate driver structure.

------------------------------------

What Is Transferring - Freeware -

Probably the easiest packet sniffer to use in the whole list.

What Is Transferring is an easy-to-use packet sniffer for Windows 2000/XP.

-> http://www.wfshome.com/wit.htm

It is able to capture TCP/IP packets that pass through your network adapter, and view the captured data in Text mode (for HTML page, email, etc.) or in Hex/Ascii mode (for ZIP, JPEG, GIF, etc.).

With this software, you can check:

1) If there are any unwanted connections.
For example, if you do nothing but this software captured some HTTP or UDP connections, it means that some software automatically tried to connect to another computer (might be spyware, adware, virus, trojan, etc.).

2) What those connections have sent or received.
For example, if you installed adware on your computer, you may want to know if your privacy was sent out.

It works on Windows 2000/XP, no need to install any capture driver. It also allows you to save captured data to text file.

This software is absolutely clean. No backdoor, no spyware, no banners, no pop-up, virus, etc.

Requirements:
1. Windows 2000/XP.
2. About 2 Meg of disk space.



------------------------------------

Other Sniffer download links and resource material :

------------------------------------


http://www.iss.net/security_center/advice/...ing/default.htm


Sniffers: What They Are and How to Protect Yourself
http://www.securityfocus.com/infocus/1549


Antionline Packet sniffing tutorials:
http://www.antionline.com/showthread.php?s...threadid=130877
http://www.antionline.com/showthread.php?s...threadid=242751
http://www.antionline.com/showthread.php?s...threadid=243986


Insecure Org's Top 75 Security Tools :
http://www.insecure.org/tools.html

G-Pick List of List on Packet sniffing :
http://lists.thedatalist.com/pages/Packet_Sniffing.htm

Google directory :
http://www.google.com/Top/Computers/Softwa...ocol_Analyzers/

About.com about Packet Sniffers:
http://netsecurity.about.com/cs/hackertool...reepacsniff.htm

------------------------------------

Packetstorm Security Sniffers page:
http://packetstormsecurity.org/sniffers/

-------------------------------------

Powerful packet sniffers:
http://www.networknewz.com/2001/0723.html

Introduction to Packet Sniffing
http://netsecurity.about.com/cs/hackertools/a/aa121403.htm


#################################

Packet Sniffers for Mac

#################################

EtherPeek - http://www.aggroup.com/

This sniffer has been around a while for the Mac platform. You can also find a windows version of EtherPeek.


#################################

Packet Sniffers for *NIX

#################################

There is an abundant supply of sniffers for the UNIX/Linux type platforms.

tcpdump - http://www.tcpdump.org/

Most common program for this platform. Your distribution should include this. In its primitive mode it dumps a decoded line of data per packet onto the command line. This is the "standard" form of capture for UNIX. Other programs build on this engine.

Ethereal - http://www.ethereal.com/

A freeware sniffer for the UNIX platform.
Ethereal is probably the best freeware sniffer available for Linux/Unix/BSD et al with a lot of "protocol analyzing".
Ethereal has a very good graphical user interface.

DSniff:
A suite of powerful network auditing and penetration-testing tools
This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
A separately maintained partial Windows port is available here.


Again *NIX has a lot of sniffers, search the net for a near unlimited list.


--------------------------------------------

juggernaut - For capturing sessions, killing connections, or hijacking.
Trinux - A Linux distribution with a number of security tools, including packet sniffers.
NFSwatch - Monitors RPC and NFS traffic.
http://www.klos.com
http://www.guesswork.com

--------------------------------------------


GRC guide to sniffing :
http://grc.com/oo/packetsniff.htm


A practical hands on guide with ETHEREAL...

Dick Hazeleger [ http://www.hazeleger.net/ ] has created a Crash Course to Packet Sniffing that gives you hands on experience and you will gain deeper knowledge into this subject. The course is easy to follow, with diagrams etc. The course uses Ethereal for Windows as its primary sniffer.

The course also includes previously captured spyware files.

http://www.hazeleger.net/zipfiles/Crash_Co...niffing_100.zip
http://www.hazeleger.net/zipfiles/PS-CC_Files.zip

You will require the "crash course", the example files for the course and of course "Ethereal" as your packet sniffer.


####################################################################
----------------------------------------------------
Last updated Feb 2006
----------------------------------------------------
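The ARP-based promiscuous-mode check described in the guide above, written out as an added example (this is not code from the original thread or from any of the tools it lists). It sends an ARP request inside a frame addressed to the fake-broadcast MAC ff:ff:ff:ff:ff:fe, which a NIC in normal mode drops in hardware but a promiscuous NIC passes up to the OS, which then answers. The live probe assumes a Linux host, root, and AF_PACKET sockets; the MACs and IPs in the offline demo are constructed.

```python
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
# Fake-broadcast address used by the classic promiscuous-mode checks: a NIC
# in normal mode does not treat it as broadcast and drops the frame, while a
# promiscuous NIC hands it to the OS, which answers the ARP request inside.
FAKE_BCAST = bytes.fromhex("fffffffffffe")


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying one ARP packet (42 bytes, no padding)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4
    arp += sender_mac + socket.inet_aton(sender_ip)
    arp += target_mac + socket.inet_aton(target_ip)
    return eth + arp


def build_probe(my_mac, my_ip, target_ip):
    """ARP 'who-has target_ip' request, but addressed to the fake broadcast MAC."""
    return build_arp(FAKE_BCAST, my_mac, 1, my_mac, my_ip, b"\x00" * 6, target_ip)


def parse_arp(frame):
    """Return the Ethernet and ARP fields of a frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op, sha, spa, tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    return {"dst": frame[0:6], "src": frame[6:12], "op": op,
            "sha": sha, "spa": socket.inet_ntoa(spa),
            "tha": tha, "tpa": socket.inet_ntoa(tpa)}


def classify_reply(probe, frame):
    """
    What a frame received after sending `probe` tells us:
      'promiscuous-suspect' - ARP reply to our fake-broadcast probe; the target's
                              NIC passed up a frame it should have dropped.
      'arp-reply'           - reply to an ordinary broadcast request; proves nothing.
      'ignore'              - anything else (not ARP, not a reply, not to us).
    Results vary by NIC and driver (some cards pass all multicast frames in
    normal mode), so treat a hit as a lead to investigate, not as proof.
    """
    sent, got = parse_arp(probe), parse_arp(frame)
    if sent is None or got is None or got["op"] != 2:
        return "ignore"
    answers_us = (got["spa"] == sent["tpa"] and got["tpa"] == sent["spa"]
                  and got["dst"] == sent["src"])
    if not answers_us:
        return "ignore"
    return "promiscuous-suspect" if sent["dst"] == FAKE_BCAST else "arp-reply"


def send_probe_linux(iface, my_mac, my_ip, target_ip, timeout=2.0):
    """Send one probe on a Linux interface (needs root) and classify what comes back."""
    probe = build_probe(my_mac, my_ip, target_ip)
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        s.send(probe)
        try:
            while True:
                verdict = classify_reply(probe, s.recv(65535))
                if verdict != "ignore":
                    return verdict
        except socket.timeout:
            return "no-reply"


def offline_demo():
    """Constructed frames only: a suspect reply, a harmless reply, and noise."""
    me, peer = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
    probe = build_probe(me, "192.168.1.10", "192.168.1.20")
    reply = build_arp(me, peer, 2, peer, "192.168.1.20", me, "192.168.1.10")
    bcast = build_arp(BROADCAST, me, 1, me, "192.168.1.10", b"\x00" * 6, "192.168.1.20")
    return (classify_reply(probe, reply),      # promiscuous-suspect
            classify_reply(bcast, reply),      # arp-reply
            classify_reply(probe, b"\x00" * 40))  # ignore


if __name__ == "__main__":
    import sys
    # Usage: sudo python3 promisc_probe.py eth0 02:00:00:00:00:01 192.168.1.10 192.168.1.20
    if len(sys.argv) == 5:
        iface, my_mac, my_ip, target_ip = sys.argv[1:5]
        print(target_ip, send_probe_linux(iface, mac(my_mac), my_ip, target_ip))
    else:
        print("offline demo:", offline_demo())
```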
redzulu2003
Yes sniffing is vital, especially in determining what trojans are what in a packet, they have their own signatures.
I like the Analog X Packet Monitor ..... if ONLY it would save [output] the data to a txt file for each packet, it would be the bees knees cos summut like Snort could then look at the logs and find certain things ... or you can do it manually like I do, take the header info and use hex editors to get info from that .... also read the data and use further tools to extract from it, takes longer but ya learn more.
Moore
Have you tried CommView before? The latest version is the best thing I've tried yet.

Hey, what else do you use for tracking those trojans, Zulu?
redzulu2003
I will check that CommView out, cheers man.
r00ted
Hey guys, what would I need to "dissect" the packets that my "Dialup Software" sends through the phone lines to connect to the net?

To lay it down, I'm using Juno Platinum, and it doesn't allow the classic "Dial Up Networking" connection. It's weird cause, once I open up the Juno software and hit "Connect to Web", when I go to Network Connections my dialup connection appears in there on-the-fly. But basically, I wanna find out my password that it is sending "through the lines" to the Juno access number, to log me in. Would this require packet sniffing? Or something else?
Moore
I think Cain will grab any passwords in a couple of seconds so try that, and it's free; it has a sniffer but only for ethernet, not dialup.

http://www.oxid.it/cain.html

If not, CommView or PacketMon are good dialup sniffers to try too.
r00ted
Hmm, okay I'll try those.... The only thing, from what I've seen, I tried manually setting up the DUN connection, and I think the password I use to log in to the Juno "software" is different from the "password" it sends through the modem line to the Juno central computers. I think the Juno password it sends is in an encrypted form when it sends it over the line. I think the "username" it sends over is also encrypted, cause if I open Internet Explorer, go to Internet Options > Connections tab, highlight my DUN connection (that the Juno software makes each time it dials to the net), and hit Settings, under Username it shows something like uc1111111111@jweb-level3.juno.com. Of course, I switched em all to 1's for security purposes. The password field there is empty though, stinks hehe. But, when I try starting a regular DUN connection using the same password I use to OPEN the e-mail software to get into my account, it doesn't work, so I think it's prolly an encrypted password and login too.
redzulu2003
I tried CommView, it's good but takes a lot of memory up and hogs the CPU after a while.
Moore
The memory usage wasn't too much of a problem for me, just that a trial version can only display half the captured packets.
Moore
One of the simplest packet sniffers I have come across so far is What's Transferring. The best thing about it: it doesn't need anything like WinPcap or extra drivers installed to work.

So if you have never used a packet sniffer before and would like to try one out on your computer, I would start with this one:

http://www.wfshome.com/wit.htm