Packet Sniffing is a colloquial term that refers to the art of network traffic analysis.
Contrary to common sense, things like emails and web pages don’t traverse the internet in one piece. They are broken down into thousands of small data packets and sent across the internet in that manner.
As the packets make it across many hops from source to destination, some of them are lost along the way. Technically they are not lost as the clients will send a new request to the server to re-send the missing packet – so more lost packets results in more network resources being used.
There are many, many tools out there that will collect network traffic and most of them use pcap (Unix-like systems) or libcap (Windows systems) at their core to do the actual collection.
Another set of tools exists to help analyze that data because even a small amount of data can result in thousands of packets which can be hard to navigate. Almost all of these tools collect in the same way; it’s the analysis that differentiates them.
This post gets into some detail on each of the tools that made it here, but if you are short of time, here’s our list of the best packet sniffers and network analyzers:
- SolarWinds Deep Packet Inspection and Analysis Tool EDITOR’S CHOICE Gives detailed insights into what causes network slowness and uses deep packet inspection to allow you to resolve the root causes. You can identify traffic by application, category and risk level to eliminate and filter problem traffic. With a great user interface, this is an excellent choice for packet sniffing and network analysis.
- Paessler Packet Capture Tool (FREE TRIAL) A packet sniffer, a NetFlow sensor, an sFlow sensor, and a J-Flow sensor built into Paessler PRTG.
- ManageEngine NetFlow Analyzer (FREE TRIAL) A traffic analysis tool that works with NetFlow, J-Flow, sFlow Netstream, IPFIX, and AppFlow
- Omnipeek Network Protocol Analyzer A network monitor that can be extended to capture packets.
- tcpdump The essential free packet capture tool that every network manager ne4eds in his toolkit.
- Windump A free clone of tcpdump written for Windows systems.
- Wireshark A well-known free packet capture and data analysis tool.
- tshark A lightweight answer to those who want the functionality of Wireshark, but the slim profile of tcpdump.
- Network Miner A Windows-based network analyzer with a no-frills free version.
- Fiddler A packet capture tool that focuses on HTTP traffic.
- Capsa Written for Windows, the free packet capture tool can be upgraded for payment to add on analytical features.
- 1 Advantages of packet sniffing
- 2 Promiscuous mode
- 3 Network traffic types
- 4 Enterprise tools
- 5 Hacker tools
- 6 How do Packet Sniffers and Network Analyzers work?
- 7 The best packet sniffers and network analyzers
- 7.1 1. SolarWinds Deep Packet Inspection and Analysis tool (FREE TRIAL)
- 7.2 EDITOR'S CHOICE
- 7.3 2. Paessler Packet Capture Tool (FREE TRIAL)
- 7.4 3. ManageEngine NetFlow Analyzer (FREE TRIAL)
- 7.5 4. Omnipeek Network Protocol Analyzer
- 7.6 5. tcpdump
- 7.7 6. WinDump
- 7.8 7. Wireshark
- 7.9 8. TShark
- 7.10 9. Network Miner
- 7.11 10. Fiddler (HTTP)
- 7.12 11. Capsa
- 8 Final words
Advantages of packet sniffing
A packet sniffer is a useful tool to enable you to implement your company’s network capacity policy. The main benefits are that they:
- Identify congested links
- Identify applications that generate the most traffic
- Collect data for predictive analysis
- Highlight peaks and troughs in network demand
The actions you take depend on your available budget. If you have the resources to expand network capacity, the packet sniffer will enable you to target new resources more effectively. If you have no budget, packet sniffing will help traffic shaping through prioritizing application traffic, resizing subnets, rescheduling heavy-traffic events, limiting bandwidth for specific applications, or replacing applications with more efficient alternatives.
It is important to understand how the network card on your computer operates when you install packet sniffing software. The interface from your computer to the network is called the “network interface controller,” or NIC. Your NIC will only pick up internet traffic that is addressed to its MAC address.
To capture general traffic, you need to put your NIC into “promiscuous mode.” This removes the listening limit on the NIC. In promiscuous mode, your NIC will pick up all network traffic. Most packet sniffers have a utility within the user interface that manages the mode switch for you.
Network traffic types
Network traffic analysis requires an understanding of how networking works. There’s no tool that will magically remove the requirement for an analyst to understand the basics of networking such as the TCP three-way handshake which is used to initiate a connection between two devices. Analysts should also have some understanding of the types of network traffic that exist on a normally functioning network such as ARP and DHCP traffic. This knowledge is essential because analyzing tools will just show you what you ask for – it’s up to you to know what to ask for. If you’re not sure how your network looks normally, it can be hard to ensure you’re digging for the right thing in the mass of packets you’ve collected.
Let’s start at the top and work our way down into the nitty-gritty basics. If you’re dealing with an enterprise-level network, you’ll need the big guns. While almost everything uses tcpdump at its core (more on that later), enterprise-level tools can provide other analytical functions such as correlating traffic from many servers, providing intelligent query tools to spot issues, alerting on exception cases, and producing nice graphs that management demands.
Enterprise-level tools tend to focus on network traffic flow rather than judging packet content. By that, I mean that the focus of most sysadmins in an enterprise is to keep the network humming along without performance bottlenecks. When bottlenecks occur, the goal is usually to determine if the problem is the network or an application on the network. On the other side of the coin, these enterprise-level tools are usually able to see so much traffic that they can help predict when a network segment will saturate which is a critical element of capacity management.
Packet sniffers are also used by hackers. Be aware that these tools can be used to attack your network as well as to solve problems. Packet sniffers can be used as wiretappers to help steal data in transit and they can also contribute to “man in the middle” attacks that alter data in transit and divert traffic in order to defraud a user on the network. Invest in intrusion detection systems to protect your network from these forms of unauthorized access
How do Packet Sniffers and Network Analyzers work?
The key feature of a packet sniffer is that it copies data as it travels across a network and makes it available for viewing. The sniffing device simply copies all of the data that it sees passing over a network. When implemented on a switch, settings of the device allow the passing packet to be sent to a second port as well as the intended destination, thus duplicating traffic. Usually, the packets of data that are reaped from the network get copied to a file. Some tools will also show that data in a dashboard. However, packet sniffers can gather a lot of data, which includes encoded admin information. You will need to find an analysis tool that can help you be dereferencing information on the journey of the packets in the extract and other pieces of information, such as the relevance of the port numbers that the packets travel between.
A straightforward packet sniffer will copy over all of the packets traveling on the network. This can be a problem. If the packet payload isn’t encrypted, you will be enabling IT department staff to see sensitive business information as it travels over the network. For this reason, many packet sniffers can be limited so that they will only copy over the header information. In most cases, the contents of the packet are not needed for network performance analysis. If you want to track network usage over a 24 hour period or over a few days, then storing every packet will occupy a very large amount of disk space — even if you are only taking in the packet headers. In these scenarios, it is advisable to sample packets, which means copy every 10th or 20th packet rather than copying over every single one.
We have ranked the following tools according to the following general considerations: useful features, reliability, ease of installation, integration, and of use, amount of help and support offered, how well the software is updated and maintained and how reputable the developers are in the industry.
SolarWinds is a very broad suite of IT management tools. The tool that is more relevant to this article is the Deep Packet Inspection and Analysis tool. Collecting network traffic is fairly easy. Using tools like WireShark, basic level analysis isn’t a show stopper either. But not all situations are that cut and dried. In a very busy network, it may be hard to determine even some very basic things such as:
- What application on the network is creating this traffic?
- If the application is known (say, a web browser) where are people spending most of their time?
- Which connections take the longest and are bogging down the network?
Most network devices just use each packet’s metadata to ensure the packet gets where it is going. The contents of the packet are unknown to the network device. Deep Packet Inspection is different; it means that the actual contents of the packet are inspected in order to learn more about it. Critical network information that cannot be gleaned from the metadata can be discovered in this way. Tools like those provided by SolarWinds can provide more meaningful data than simply traffic flow.
Other techniques for managing high volume networks include NetFlow and sFlow. Each has its strengths and weaknesses and you can read more about NetFlow and sFlow techniques here.
Network analysis, in general, is an advanced topic that is half experience and half training. It’s possible to train someone to understand every detail about network packets, but unless that person also has knowledge of the target network, and some experience to identify anomalies, they won’t get very far. The tools I’ve listed in this article can be used by experienced network admins who already know what they’re looking for, but aren’t sure which tools are best. They can also be used by more junior sysadmins to gain experience with how networks look during day-to-day operations, which will help identify issues later on.
SolarWinds Network Performance Monitor gives detailed insights into what causes network slowness and allows you to quickly resolve the root causes using deep packet inspection. By identifying traffic by application, category (business vs. social) and risk level you can eliminate and filter problem traffic and measure application response time. With a great user interface, this is an excellent choice for packet sniffing and network analysis. Get 30 Day Free Trial: www.solarwinds.com/topics/deep-packet-inspection/ OS: Microsoft Windows Server 2016 & 2019
SolarWinds Network Performance Monitor gives detailed insights into what causes network slowness and allows you to quickly resolve the root causes using deep packet inspection. By identifying traffic by application, category (business vs. social) and risk level you can eliminate and filter problem traffic and measure application response time. With a great user interface, this is an excellent choice for packet sniffing and network analysis.
Get 30 Day Free Trial: www.solarwinds.com/topics/deep-packet-inspection/
OS: Microsoft Windows Server 2016 & 2019
The Paessler Packet-Capture-Tool PRTG: All-In-One-Monitoring is a unified infrastructure monitoring tool. It helps you manage your network and your servers. The network monitoring segment of the utility covers two types of tasks. These are a network performance monitor, which examines the statuses of network devices and a network bandwidth analyzer, which covers the flow of traffic over links in the network.
The bandwidth analysis part of PRTG is implemented through the use of four different packet capture tools. These are:
- A packet sniffer
- A NetFlow sensor
- An sFlow sensor
- A J-Flow sensor
The PRTG packet sniffer only captures the headers of the packets traveling across your network. This gives the analyzer a speed advantage and it also reduces the amount of storage space needed to hold capture files. The dashboard of the packet sniffer categorizes traffic by application type. These include email traffic, web packets, chat app traffic data, and file transfer packet volumes.
NetFlow is a very widely used data flow messaging system. It was created by Cisco Systems but it is also used for equipment produced by other manufacturers. The PRTG NetFlow sensor also picks up IPFIX messages — this messaging standard is an IETF-sponsored successor to NetFlow. The J-Flow method is a similar messaging system used by Juniper Networks for its equipment. The sFlow standard samples traffic flows, so it will collect every nth packet. NetFlow and J-Flow both capture continuous streams of packets.
Paessler prices its PRTG software on the number of “sensors” that an implementation activates. A sensor is a system condition or hardware component. For example, each of the four packet sniffers offered by Paessler counts as one PRTG sensor. The system is free to use if you activate 100 sensors or less, so if you only use this package for its packet sniffing interfaces, you won’t have to pay Paessler anything.
The Paessler system includes a lot of other network and server monitoring capabilities including a virtualization monitor and an application monitor. PRTG can be installed on-premises or you can access it as a cloud service. The software runs on Windows environments and you can get it on a 30-day free trial.
The ManageEngine NetFlow Analyzer takes traffic information from your network devices. You can choose to sample traffic, capture entire streams, or gather statistics on traffic patterns with this tool.
The makers of network devices don’t all use the same protocol for communicating traffic data. Thus, the NetFlow Analyzer is capable of using different languages to gather information. These include Cisco NetFlow, Juniper Networks J-Flow, and Huawei Netstream. It is also capable of communicating with the sFlow, IPFIX, and AppFlow standards.
The monitor is able to track the consistency of data flows as well as the load on each network device. Traffic analysis capabilities let you see packets as they pass through a device and capture them to file. This visibility will enable you to see which applications are chewing up most of your bandwidth and take decisions over traffic shaping measures, such as priority queuing or throttling.
The dashboard of the system features color-coded graphics, which make your task of spotting problems a lot easier. The attractive look and feel of the console ties in with other ManageEngine infrastructure monitoring tools because they were all built on a common platform. This makes it integrate with several ManageEngine products. For example, it is very common for network administrators to buy both the OpManager and the NetFlow Analyzer from Manage Engine.
OpManager monitors devices’ statuses with SNMP procedures, which NetFlow Analyzer focuses on traffic levels and packet flow patterns.
ManageEngine NetFlow Analyzer installs on Windows, Windows Server, and RHEL, CentOS, Fedora, Debian, SUSE, and Ubuntu Linux. The system is offered in two editions.
The Essential edition gives you the standard network traffic monitoring functions plus a reporting and billing module. The higher plan is called the Enterprise Edition. This has all of the features of the Essential Edition plus NBAR & CBQoS monitoring, an advanced security analytics module, capacity planning utilities, and deep packet inspection capabilities. This Edition also includes IP SLA and WLC monitoring.
You can get either edition of the NetFlow Analyzer on a 30-day free trial.
LiveAction Omnipeek, previously a product of Savvius, is a network protocol analyzer that can be used to capture packets as well as produce protocol analysis of network traffic.
Omnipeek can be extended by plug-ins. The core Omipeek system doesn’t capture network packets. However, the addition of the Capture Engine plug-in gets the packet capture function. The Capture Engine system picks up packets on a wired network; another extension, called Wifi Adapter adds wireless capabilities and enables Wifi packets to be captured through Omnipeek.
The functions of the base Omnipeek Network Protocol Analyzer extend to network performance monitoring. As well as listing traffic by protocol, the software will measure the transfer speed and regularity of traffic, raising alerts if traffic slows down or trips passed boundary conditions set by the network administrator.
The traffic analyzer can track end-to-end transfer performance across an entire network, or just monitor each link. Other functions monitor interfaces, including incoming traffic arriving at web servers from outside the network. The software is particularly interested in traffic throughput and a display of traffic per protocol. Data can be viewed as lists of protocols and their throughput or as live graphs and charts. Packets captured with the Capture Engine can be stored for analysis or replayed across the network for capacity testing.
Omnipeek installs on Windows and Windows Server. The system isn’t free to use. However, it is possible to get Omnipeek on a 30-day free trial.
The fundamental tool of almost all network traffic collection is tcpdump. It is an open-source application that comes installed on almost all Unix-like operating systems. Tcpdump is an excellent collection tool and comes complete with a very complex filtering language. It’s important to know how to filter the data at collection time in order to end up with a manageable chunk of data to analyze. Capturing all data from a network device on even a moderately busy network can create too much data to analyze easily.
In some rare cases, allowing tcpdump to output its capture directly to your screen may be enough to find what you’re looking for. For example, in writing this article, I captured some traffic and noticed that my machine was sending traffic to an IP I did not recognize. It turns out that my machine was sending data to a Google IP address of 188.8.131.52. Since I did not have any Google products running, nor Gmail open, I did not know why this was happening. I examined my system and found this:
[ ~ ]$ ps -ef | grep google user 1985 1881 0 10:16 ? 00:00:00 /opt/google/chrome/chrome --type=service
It seems that even when Chrome is not running in the foreground it remains running as a service. I would not have necessarily noticed this without a packet analysis to tip me off. I re-captured some more tcpdump data but this time told tcpdump to write the data to a file that I opened in Wireshark (more on that later). Here’s that entry:
Tcpdump is a favorite tool among sysadmins because it is a command-line tool. This means that it doesn’t require a full-blown desktop to run. It is unusual for production servers to provide a desktop because of the resources that would take, so command-line tools are preferred. As with many advanced tools, tcpdump has a very rich and arcane language that takes some time to master. A few of the very basic commands involve selecting the network interface from which to collect data, and writing that data to a file so it can be exported for analysis elsewhere. The
-w switches are used for this.
# tcpdump -i eth0 -w tcpdump_packets tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes ^C51 packets captured
This produces a capture file:
file tcpdump_packets tcpdump_packets: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
The standard TCP capture file is a
pcap file. It is not text so it can only be read by an analysis program that knows how to read pcap files.
Most useful open source tools are eventually cloned to other operating systems. When this happens, the application is said to have been ported over. WinDump is a port of tcpdump and behaves in very similar ways.
One major difference between WinDump and tcpdump is that Windump needs the WinpCap library installed prior to being able to run WinDump. Despite both WinDump and WinpCap being provided by the same maintainer, they are separate downloads.
WinpCap is an actual library that needs to be installed. But, once it is installed, WinDump is an .exe file that needs no installation so it can just run. That may be something to keep in mind if you’re running a Windows network. You don’t necessarily need WinDump installed on every machine since you can just copy it over as needed, but you will want WinpCap installed in order to support WinDump.
As with tcpdump, WinDump can output network data to the screen for analysis, be filtered in the same way, and also write data to a pcap file for analysis offsite.
Wireshark is probably the next best-known tool in any sysadmin’s toolkit. It can not only capture data, but also provides some advanced analysis tools. Adding to its appeal, Wireshark is open source, and has been ported over to almost every server operating system that exists. Starting life named Etheral, Wireshark now runs everywhere, including as a standalone portable app.
If you’re analyzing traffic on a server with a desktop installed, Wireshark can do it all for you. It can collect the data, and then analyze it all in one spot. However, desktops are not common on servers, so in many cases, you’ll want to capture the network data remotely and then pull the resulting pcap file into Wireshark.
At first launch, Wireshark allows you to either load an existing pcap file, or start capturing. If you elect to capture network traffic, you can optionally specify filters to pare down the amount of data Wireshark collects. Since its analysis tools are so good, it’s less important to ensure you surgically identify the data at collection time with Wireshark. If you don’t specify a filter, Wireshark will simply collect all network data that your selected interface observes.
One of the most useful tools Wireshark provides is the ability to follow a stream. It’s probably most useful to think of a stream as an entire conversation. In the screenshot below we can see a lot of data has been captured, but what I am most interested in is that Google IP. I can right-click it and Follow the TCP Stream to see the entire conversation.
If you’ve captured traffic elsewhere, you can import the pcap file using Wireshark’s File -> Open dialogue. The same filters and tools that can be used for natively captured network data are available for imported files.
TShark is a very useful cross between tcpdump and Wireshark. Tcpdump excels at collecting data and can very surgically extract only the data you want, however it is limited in how helpful it can be for analysis. Wireshark does a great job at both collection and analysis, but since it has a heavy user interface, it can’t be used on headless servers. Enter TShark; it captures and analyzes but does the latter on the command line.
TShark uses the same filtering conventions as Wireshark which should be no surprise since they’re essentially the same product. This command tells TShark to only bother capturing the destination IP address as well as some other interesting fields from the HTTP part of the packet.
# tshark -i eth0 -Y http.request -T fields -e ip.dst -e http.user_agent -e http.request.uri 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/title.png 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/styles/phoenix.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/code/jquery_lightbox/jquery_lightbox/js/jquery-1.2.6.pack.js 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/styles/index.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /images/images/title.png 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /favicon.ico 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /favicon.ico
If you want to capture to a file you can use the
-w switch to write it, and then use TShark’s
-r (read mode) switch to read it.
# tshark -i eth0 -w tshark_packets Capturing on 'eth0' 102 ^C
Read it, either on the same server, or transfer it to some other analysis server.
# tshark -r tshark_packets -Y http.request -T fields -e ip.dst -e http.user_agent -e http.request.uri 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /contact 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /reservations/ 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /reservations/styles/styles.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /res/code/jquery_lightbox/jquery_lightbox/js/jquery-1.2.6.pack.js 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /res/styles/index.css 172.20.0.122 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 /res/images/title.png
Network Miner is a very interesting tool that falls more into the category of a forensic tool rather than a straight-up packet sniffer. The field of forensics typically deals with the investigation and collection of evidence and Network Miner does that job well for network traffic. Much like WireShark can follow a TCP stream to recover an entire TCP conversation, Network Miner can follow a stream in order to reconstruct files that were sent over the network.
To capture live traffic, Network Miner should be strategically placed on the network to be able to observe and collect the traffic you’re interested in. It won’t introduce any of its own traffic onto the network, so it operates very stealthily.
Network Miner can also operate in offline mode. You can use the tried and true tcpdump tool to catpure packets at a point of interest on your network, and then import the pcap files into Network Miner. It will then attempt to reconstruct any files or certificates it finds in the capture file.
Network Miner is built for Windows, but by using Mono, it can be run on any OS that has a Mono framework such as Linux and macOS.
There’s a free version to get you started that has a decent array of features. If you want more advanced capabilities such as GeoIP location and custom scripting, you’ll need to purchase a professional license.
Fiddler is not technically a network packet capture tool, but it is so incredibly useful that it made the list. Unlike the other tools listed here which are designed to capture ad-hoc traffic on the network from any source, Fiddler is more of a desktop debugging tool. It captures HTTP traffic and while many browsers already have this capability in their developer tools, Fiddler is not limited to browser traffic. Fiddler can capture any HTTP traffic on the desktop including that of non-web applications.
Many desktop applications use HTTP to connect to web services and without a tool like Fiddler, the only way to capture that traffic for analysis is using tools like tcpdump or WireShark. However, those tools operate at the packet level so analysis includes reconstruction of those packets into HTTP streams. That can be a lot of work in order to perform some simple HTTP investigation and Fiddler comes to the rescue. Fiddler can help discover cookies, certificates, and payload data coming in or out of those apps.
It helps that Fiddler is free and, much like Network Miner, it can be run within Mono on any other operating system that has a Mono framework.
Capsa Network Analyzer has several editions, each with varying capabilities. At the first level, Capsa free, the software essentially just captures packets and allows some very graphical analysis of them. The dashboard is very unique and can help novice sysadmins pinpoint network issues quickly even with little actual packet knowledge. The free level is aimed at people who want to know more about packets and build up their skills into full-fledged analysts.
The free version knows how to monitor over 300 protocols, it allows for email monitoring and also it is able to save email content and also supports trigger. The triggers can be used to set alerts for specific situations which means Capsa can also be used in a support capacity to some extent.
Capsa is only available for Windows 2008/Vista/7/8 and 10.
With the tools I have mentioned, it is not a big leap to see how a systems administrator could build an on-demand network monitoring infrastructure. Tcpdump, or Windump, could be installed on all servers. A scheduler, such as cron or Windows scheduler, could kick off a packet collection session at some time of interest and write those collections to a pcap file. At some later time, a sysadmin can transfer those packets to a central machine and use Wireshark to analyze them. If the network is so large that this isn’t feasible, then enterprise-level tools like the SolarWinds suite can help tame all that network data into a manageable data set.