Title: Overview of packet sniffers for Linux

KBTAG: kben10000053
URL: http://www.securityportal.com/lskb/10000050/kben10000053.html
Date created: 09/07/2000
Date modified: 18/10/2000
Date removed:
Authors(s): Kurt Seifried seifried@securityportal.com
Topic: Overview of packet sniffers for Linux
Keywords: Network


Summary:

Packet sniffing is the practice of capturing network data not destined for your machine, typically for the purpose of viewing confidential or sensitive traffic such as telnet sessions or people reading their email. Unfortunately there is no truly reliable way to detect a packet sniffer, since sniffing is mostly a passive activity; however, by using network switches and fiber optic backbones (which are very difficult to tap) you can minimize the threat. There is also a tool called AntiSniff that probes network devices and checks whether their responses indicate an interface in promiscuous mode. Sniffers are also invaluable if your network is under attack and you want to see what is going on. There is an excellent FAQ on sniffing at: http://www.robertgraham.com/pubs/sniffing-faq.html.

More information:


THC-Parasite

THC-Parasite allows you to sniff on switched networks by using either ARP spoofing or MAC flooding. THC-Parasite is intelligent, and its algorithms are designed to bypass basic switch security measures. http://www.infowar.co.uk/thc/
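On the defender's side, the ARP spoofing described above leaves a visible trace: the same IP address starts being announced by a different hardware address. The following monitor is an added example (it is not part of the article and not THC or any listed tool's code) that parses raw Ethernet/ARP reply frames and records every such change; all MAC and IP values in it are constructed test data.

```python
# Added example (not from the article): flag IPs whose ARP-announced MAC changes,
# a symptom of the ARP spoofing THC-Parasite uses. All addresses are constructed.
import struct

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def parse_arp_reply(frame: bytes):
    """Return (sender_ip, sender_mac) for an Ethernet/ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None                         # 14-byte Ethernet + 28-byte ARP
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_ip, sender_mac

class ArpWatch:
    """Remember the MAC last seen claiming each IP; record every change."""
    def __init__(self):
        self.table = {}    # ip -> mac
        self.alerts = []   # (ip, old_mac, new_mac)

    def observe(self, frame: bytes):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return None
        ip, mac = parsed
        old = self.table.get(ip)
        if old is not None and old != mac:  # same IP now claimed by another MAC
            self.alerts.append((ip, old, mac))
        self.table[ip] = mac
        return parsed

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct a 42-byte Ethernet/ARP reply (test data, not a capture)."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + sender_mac + ip(sender_ip) + target_mac + ip(target_ip)

def demo():
    # Gateway 192.0.2.1 is answered first by one MAC, then by a different one.
    gateway, host = bytes.fromhex("00005e0001aa"), bytes.fromhex("00aabbccdd01")
    rogue = bytes.fromhex("0011223344ff")
    watch = ArpWatch()
    watch.observe(build_arp_reply(gateway, "192.0.2.1", host, "192.0.2.10"))
    watch.observe(build_arp_reply(rogue, "192.0.2.1", host, "192.0.2.10"))
    return watch.alerts
```

In practice the frames would come from a libpcap capture on the segment being watched; a MAC that changes and then changes back within seconds is the classic flip-flop pattern worth investigating.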

tcpdump

The granddaddy of packet sniffers for Linux, this tool has existed as long as I can remember, and is of primary use for debugging network problems. It is not very configurable and lacks the advanced features of newer packet sniffers, but it can be useful. Most distributions ship with tcpdump.

sniffit

My favorite packet sniffer, sniffit is very robust, has nice filtering capabilities, will convert data payloads into ASCII text for easy reading (like telnet sessions), and even has a graphical mode (nice for monitoring overall activity/connections). Sniffit is available at: http://sniffit.rug.ac.be/~coder/sniffit/sniffit.html.

Ethereal

A nice-looking network protocol analyzer (a.k.a. a souped-up sniffer) with an interface very similar to NT's Network Monitor. It allows easy viewing of data payloads for most network protocols (tftp, http, NetBIOS, etc.). It is based on GTK, which means you will probably need to be running GNOME to use it. I haven't tested it yet (but intend to). It is available at: http://ethereal.zing.org/.

Snort

Snort is a nice packet sniffing tool that can also be used to detect various attacks. It can watch for activity such as Queso TCP/IP fingerprinting scans, Nmap scans, and the like. Snort is available from: http://www.snort.org/.

SPY

SPY is an advanced multi-protocol sniffer that runs on various platforms. It is not a free program; however, a single-user license is available for non-commercial use with a maximum of 5 hosts. Commercially it costs around $6000 US, but from a quick look at its capabilities I would say it is worth it if you need an industrial-grade sniffer. You can get it from: http://pweb.uunet.de/trillian.of/Spy/.

packetspy

packetspy is another libpcap-based sniffer. You can get it from: http://www.bhconsult.com/packetspy/.

Other sniffers

There are a variety of packet sniffers for Linux, many of them based on the libpcap library. Here is a short list:

http://www.mtco.com/~whoop/ksniff/ksniff.html - KSniff
http://ksniffer.veracity.nu/ - Ksniffer
http://mojo.calyx.net/~btx/karpski.html - karpski
http://www.ozemail.com.au/~peterhawkins/gnusniff.html - Gnusniff
http://www.xnet.com/~cathmike/mike/Software/ - ipgrab