Wednesday, November 13, 2013

Sniffers and Wiresharks and other fun stuff

In the network world there are many tools for doing lots of things, and sniffers and Wireshark are not terms you would expect to hear, but they are both an important part of network security. Sniffers, also referred to as Network Packet Analyzers or Network Protocol Analyzers, are used to capture and "sniff" packets of data coming into your network. They can capture and record data traffic for analysis and can decode packets to display their contents in clear text. This shows important information such as IP address, protocol, and host or server name, among other things.

In its simplest form a packet sniffer simply captures all of the packets of data that pass through a given network interface. Typically, the packet sniffer would only capture packets that were intended for the machine in question. However, if placed into promiscuous mode, the packet sniffer is also capable of capturing all packets traversing the network regardless of destination.

By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. Within a given network, username and password information is generally transmitted in clear text, which means that the information would be viewable by analyzing the packets being transmitted.

With these points in mind you can see how helpful a tool it is in combating malicious activity. A sniffer must run in promiscuous mode to collect data; promiscuous mode allows the system to capture frames that aren't intended to be delivered to it. Sniffers can be run from either a CLI (Command Line Interface) or a GUI (Graphical User Interface). A CLI sniffer can write to a file that is then viewed in a GUI sniffer. Advantages of CLI sniffers are that they are open source, have fewer vulnerabilities and can write data to a file for later analysis. Some disadvantages are that they only show header fields and that it takes a knowledgeable analyst to know how to read the packet data.

Detecting a malicious packet sniffer on your network can be difficult. By its very nature the packet sniffer is passive. It simply captures the packets that are traveling to the network interface it is monitoring. That means there is generally no signature or erroneous traffic to look for that would identify a machine running a packet sniffer. There are ways to identify network interfaces on your network that are running in promiscuous mode, though, and this might be used as a means of locating rogue packet sniffers.

GUI sniffers are also available as open source. They are able to analyze complex protocols and can identify the header fields and the payload for signs of intrusion. One drawback to GUI sniffers is that they are susceptible to coding errors. Wireshark is an open source GUI network analyzer that is available cross-platform. It can be used to analyze network traffic, troubleshoot the network and perform security analysis. It can analyze and dissect hundreds of protocols, analyze payload and header fields, and capture packets and save them as text files for later analysis. Wireshark requires elevated privileges to deploy and use for capture, but a non-elevated account can read and view the saved logs and analyze them.
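As an added example (not code from the original post), here is a small Python script showing the file hand-off between a CLI sniffer and a GUI sniffer described above: it writes constructed Ethernet/IPv4 frames in the classic pcap format that command-line sniffers save and Wireshark opens, reads the header fields (IP addresses and protocol) back out of that file, and checks an interface's Linux flags for the promiscuous bit mentioned in the detection paragraph. The MAC addresses, IP addresses, frames and flag values are constructed for the demo; the pcap layout and the IFF_PROMISC value are the standard libpcap and Linux definitions.

```python
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap magic number
LINKTYPE_ETHERNET = 1
IFF_PROMISC = 0x100       # IFF_PROMISC bit from <linux/if.h>
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload=b""):
    """Constructed Ethernet II + IPv4 frame (IP checksum left zero; fine for offline parsing)."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ipv4 + payload

def write_pcap(path, frames):
    """Write frames in the pcap format a CLI sniffer saves and Wireshark opens."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in enumerate(frames):   # constructed timestamps 0, 1, 2 ... seconds
            f.write(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)

def read_pcap(path):
    """Yield (src_ip, dst_ip, protocol) for each IPv4 frame; non-IPv4 frames are skipped."""
    with open(path, "rb") as f:
        if struct.unpack("<I", f.read(4))[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        f.read(20)                             # rest of the 24-byte global header
        while len(rec := f.read(16)) == 16:    # per-packet record header
            incl_len = struct.unpack("<IIII", rec)[2]
            frame = f.read(incl_len)
            if len(frame) < 34 or frame[12:14] != b"\x08\x00":
                continue                       # too short, or EtherType is not IPv4
            yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
                   PROTO_NAMES.get(frame[23], str(frame[23])))

def is_promiscuous(flags_text):
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)  # /sys/class/net/<iface>/flags is hex

def roundtrip_demo():
    """Write three constructed frames to a temporary pcap file and parse them back."""
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frames = [build_frame(mac_a, mac_b, "192.0.2.10", "192.0.2.20", 6, b"\x00" * 20),
              build_frame(mac_b, mac_a, "192.0.2.20", "192.0.2.10", 17, b"\x00" * 8),
              mac_a + mac_b + b"\x08\x06" + b"\x00" * 28]   # ARP frame: skipped by read_pcap
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "capture.pcap")
        write_pcap(path, frames)
        return list(read_pcap(path))
```

The file written by `write_pcap` can be opened directly in Wireshark, which is the same hand-off a CLI sniffer's saved capture goes through.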

There are many options for sniffers, Network Packet Analyzers and Network Protocol Analyzers. Picking the correct one for your network can be difficult, but doing the research and knowing the needs of your network is a good step in the right direction.
