What is Data Sniffing?
In common industry usage, a sniffer (with lower case “s”) is a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently.
A sniffer can also be used legitimately or illegitimately to capture data being transmitted on a network. A network router reads every packet of data passed to it, determining whether it is intended for a destination within the router’s own network or whether it should be passed further along the Internet. A router with a sniffer, however, may be able to read the data in the packet as well as the source and destination addresses. Sniffers are often used on academic networks to prevent traffic bottlenecks caused by file-sharing applications.
The term “sniffer” is occasionally used for a program that analyzes data other than network traffic. For example, a database could be analyzed for certain kinds of duplication.
Top 10 Data/Packet Sniffing and Analyzer Tools
1: Wireshark
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).
2: Tcpdump
Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes. It also requires fewer system resources. While it doesn’t receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other tools.
3: Cain & Abel
UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented.
4: Kismet
Kismet is a console (ncurses) based 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating, …
5: Dsniff
This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected ssh and https sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here. Overall, this is a great toolset. It handles pretty much all of your password sniffing needs.
6: NetStumbler
Netstumbler is the best known Windows tool for finding open wireless access points (“wardriving”). They also distribute a WinCE version for PDAs and such named Ministumbler. The tool is currently free but Windows-only and no source code is provided. It uses a more active approach to finding WAPs than passive sniffers such as Kismet or KisMAC.
7: Ettercap
Ettercap is a terminal-based network sniffer/interceptor/logger for Ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection into an established connection and filtering on the fly are also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.
8: Ngrep
ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
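To make concrete what the introduction says a sniffer actually sees in each packet (source and destination addresses plus the payload) and what ngrep adds on top (a regular expression applied to those payloads), here is a small capture parser. It is an added example written for this page, not code from ngrep, tcpdump or any other tool listed here; the pcap buffer it reads is constructed inline with made-up addresses and payloads rather than recorded from a network, and all function names (`parse_pcap`, `grep_payloads`, `bytes_per_host`) are this example's own. The parser handles only Ethernet/IPv4/TCP frames and does not verify checksums; the per-host byte tally at the end is the kind of summary ntop-style usage monitors produce.

```python
"""Offline packet-capture parser with ngrep-style payload matching.

Added example for this page (not part of the original post or of any tool it
lists). The capture below is CONSTRUCTED inline; no real traffic is read.
Only Ethernet/IPv4/TCP frames are decoded and checksums are not verified.
"""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(octet) for octet in raw)


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet + IPv4 + TCP frame (sample data for the example)."""
    eth = bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: ports, seq, ack, data offset 5 words (0x50), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a pcap file: 24-byte global header + 16-byte record headers."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + records


def decode_frame(frame):
    """Decode one Ethernet/IPv4/TCP frame into addresses, ports and payload.
    Returns None for anything else (a real sniffer dispatches on more types)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": bytes_to_ip(ip[12:16]), "dst": bytes_to_ip(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def parse_pcap(data):
    """Walk the pcap records and return the decoded TCP packets in order."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture format")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", data[offset:offset + 16])
        offset += 16
        pkt = decode_frame(data[offset:offset + incl_len])
        offset += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets


def grep_payloads(packets, pattern):
    """ngrep-style match: (flow, matched text) for each payload matching the regex."""
    rx = re.compile(pattern)
    hits = []
    for p in packets:
        m = rx.search(p["payload"].decode("latin-1"))
        if m:
            hits.append((f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}', m.group(0)))
    return hits


def bytes_per_host(packets):
    """ntop-style tally of payload bytes sent and received per IP address."""
    totals = {}
    for p in packets:
        n = len(p["payload"])
        totals.setdefault(p["src"], {"sent": 0, "received": 0})["sent"] += n
        totals.setdefault(p["dst"], {"sent": 0, "received": 0})["received"] += n
    return totals


# Constructed sample capture: an HTTP request/response and a cleartext FTP
# login, the kind of exposure a defensive sniffer audit is meant to surface.
SAMPLE_CAPTURE = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80,
                    b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    build_tcp_frame("10.0.0.80", "10.0.0.5", 80, 40000,
                    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    build_tcp_frame("10.0.0.5", "10.0.0.21", 40001, 21, b"USER alice\r\n"),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_CAPTURE)
    for flow, text in grep_payloads(pkts, r"^(GET|USER) \S+"):
        print(flow, "=>", text)
    print(bytes_per_host(pkts))
```

Run with no arguments and it decodes the three embedded packets, prints the two flows whose payload starts with an HTTP `GET` or an FTP `USER` line, then the per-host byte totals. Pointing the same functions at a real capture only requires reading a pcap file into `parse_pcap`, which is why sniffer-audit scripts of this shape are useful for confirming that no cleartext credentials cross a segment that is supposed to carry only encrypted protocols.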
9: Ntop
Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user’s terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.
10: EtherApe
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, EtherApe displays network activity graphically with a color coded protocols display. Hosts and links change in size with traffic. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.