PACKET SNIFFERS

9/25/2004

Packet Sniffers -- also known as Protocol Analyzers -- are devices or programs that monitor traffic on a network. Sniffers are a matter of some controversy. On the one hand, they can be very useful in debugging network problems. On the other hand, they can be used to spy on network traffic.

Packet sniffing is most commonly associated with Ethernet networks. On Ethernet, a sniffer is connected to the network and places its network interface into promiscuous mode, so that it receives every frame on the segment rather than only those addressed to it. Most NICs support promiscuous mode. Sniffers can generally be set to record all traffic or a subset of traffic. The principal problem with sniffers is that they cannot monitor traffic that they cannot see. Sniffers were more effective on older Ethernet networks, where large parts of the network were relayed through hubs (repeaters) and thus much or all traffic was visible from any point in the network. In more modern networks, where the Ethernet hubs have been replaced by switches, it is often impossible to see traffic of interest, as it is confined to small network segments that may be difficult to tap into.
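Because a sniffer on a Linux host shows up as an interface in promiscuous mode, the defender's counterpart to the paragraph above is a local check for that state. The following is an added example and not code from the original page: it reads the interface flags Linux exposes under /sys/class/net/<iface>/flags (IFF_PROMISC is bit 0x100) and also scans kernel log lines for the "entered/left promiscuous mode" messages the kernel prints on each transition. The sample log lines are constructed, and the newer "eth0: entered promiscuous mode" wording is matched on the assumption that it appears in that form.

```python
import os
import re

# Linux exposes interface flags in /sys/class/net/<iface>/flags as a hex string;
# IFF_PROMISC is bit 0x100 (from <linux/if.h>).
IFF_PROMISC = 0x100


def is_promiscuous(flags_value: str) -> bool:
    """True if the hex flags string (e.g. '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_value.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Names of local interfaces currently in promiscuous mode (Linux only)."""
    found = []
    try:
        names = os.listdir(sysfs_root)
    except OSError:
        return found  # not Linux, or sysfs unavailable
    for name in sorted(names):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                if is_promiscuous(fh.read()):
                    found.append(name)
        except OSError:
            continue  # interface vanished or flags file unreadable
    return found


# The kernel logs every transition. Classic wording:
#   "device eth0 entered promiscuous mode" / "device eth0 left promiscuous mode"
# Newer wording (assumed form): "eth0: entered promiscuous mode"
PROMISC_EVENT_RE = re.compile(
    r"(?:device (?P<a>\S+) (?P<aa>entered|left)|(?P<b>\S+): (?P<bb>entered|left)) promiscuous mode"
)


def promiscuous_events(log_lines) -> list:
    """Return (interface, 'entered'|'left') for each promiscuous-mode transition in the log."""
    events = []
    for line in log_lines:
        m = PROMISC_EVENT_RE.search(line)
        if not m:
            continue
        if m.group("a"):
            events.append((m.group("a"), m.group("aa")))
        else:
            events.append((m.group("b"), m.group("bb")))
    return events


# Constructed sample kernel log lines (not captured from a real system).
SAMPLE_KERNEL_LOG = [
    "Sep 25 10:01:02 host kernel: [  120.001] e1000: eth0 NIC Link is Up 1000 Mbps",
    "Sep 25 10:05:44 host kernel: [  402.117] device eth0 entered promiscuous mode",
    "Sep 25 10:06:10 host kernel: [  428.003] device eth0 left promiscuous mode",
    "Sep 25 10:09:30 host kernel: eth1: entered promiscuous mode",
]

if __name__ == "__main__":
    print("interfaces in promiscuous mode now:", promiscuous_interfaces())
    for iface, action in promiscuous_events(SAMPLE_KERNEL_LOG):
        print(f"{iface} {action} promiscuous mode")
```

This only finds sniffers running on the host where it is executed. A sniffer on another machine attached to a hub-based segment is entirely passive and leaves no trace on the wire, which is the same visibility point the paragraph makes from the sniffer's side; on a switched segment the usual defensive question is instead who has a mirror port or a tap.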

Some sniffers can understand hundreds of protocols.

Linux packet sniffing most commonly uses tcpdump. MS-DOS/Windows PC-oriented packet sniffers require a library with support for packet acquisition and analysis. Two libraries are in common use: libpcap and WinPcap. DOS/Windows sniffing is generally done with Ethereal, WinDump, or the Windows version of tcpdump.
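The "understanding" of protocols mentioned above is the dissection step that sits on top of the packet acquisition libpcap and WinPcap provide: once a raw frame is handed to the program, it is parsed layer by layer. The following is an added example, not code from the page or from tcpdump, Ethereal, libpcap or WinPcap: a decoder for one common stack (Ethernet II, IPv4, then TCP or UDP) that also verifies the IPv4 header checksum and prints a tcpdump-style summary line. The frame it decodes is constructed in the block itself from the RFC 791 / RFC 793 header layouts (documentation addresses 192.0.2.10 and 198.51.100.5, locally administered MACs); the TCP checksum of that constructed frame is left at zero.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; caller passes the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP/UDP, the per-packet dissection a sniffer performs."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return pkt  # ARP, IPv6, etc.: only the link layer is decoded here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    zeroed = bytearray(ip[:ihl])
    zeroed[10:12] = b"\x00\x00"  # checksum field is zero while the checksum is computed
    pkt.update(src_ip=ip_str(s), dst_ip=ip_str(d), ttl=ttl, proto=proto,
               ip_checksum_ok=(ipv4_checksum(bytes(zeroed)) == csum))
    l4 = ip[ihl:total_len]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        data_off = (off_flags >> 12) * 4  # data offset is in 32-bit words
        pkt.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, window=win,
                   flags=[n for n, bit in TCP_FLAG_BITS if off_flags & bit],
                   payload=l4[data_off:])
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        pkt.update(src_port=sport, dst_port=dport, payload=l4[8:])
    return pkt


def summarize(pkt: dict) -> str:
    """One tcpdump-style line for a decoded packet."""
    if pkt["ethertype"] != ETHERTYPE_IPV4:
        return f"{pkt['src_mac']} > {pkt['dst_mac']}, ethertype 0x{pkt['ethertype']:04x}"
    if "src_port" not in pkt:
        return f"IP {pkt['src_ip']} > {pkt['dst_ip']}: proto {pkt['proto']}"
    name = "TCP" if pkt["proto"] == IPPROTO_TCP else "UDP"
    flags = f" [{','.join(pkt['flags'])}]" if name == "TCP" else ""
    return (f"IP {pkt['src_ip']}.{pkt['src_port']} > {pkt['dst_ip']}.{pkt['dst_port']}: "
            f"{name}{flags} len {len(pkt['payload'])}")


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b"") -> bytes:
    """Assemble a constructed Ethernet/IPv4/TCP frame for testing (TCP checksum left at 0)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | flags, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                         bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + tcp


# Constructed sample: a cleartext HTTP request as a sniffer on the same segment would see it.
SAMPLE_FRAME = build_tcp_frame("02:00:00:00:00:0a", "02:00:00:00:00:0b", "192.0.2.10", "198.51.100.5",
                               40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    print(summarize(decode_frame(SAMPLE_FRAME)))
```

The constructed frame carries a plaintext HTTP request, which is exactly why the debugging use and the spying use of a sniffer are the same capability: whatever a protocol sends in the clear, the dissector reads back. Checking the header checksum is worth keeping in a decoder because a corrupted or deliberately malformed header should be flagged rather than silently decoded.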

Sniffing (network wiretap, sniffer) FAQ

Copyright 1994-2002 by Donald Kenney.