An IP sniffer is also known as a “packet sniffer.” This tool looks at all the packets of data as they travel around your network. It can also examine packets as they enter or leave the network.
An IP packet contains some interesting information, even without looking into the data payload of the packet. The header on each IP packet contains a large amount of data about the sender and destination of the packet.
We get into a lot of detail on each of the tools below, but in case you can’t stick around to the end, here is our list of the ten best IP sniffers:
- Paessler PRTG IP Sniffer (FREE TRIAL) Part of a network monitoring suite that runs on Windows Server.
- SolarWinds Packet Sniffer (FREE TRIAL) An element of the Windows Server-based Network Performance Monitor.
- ManageEngine NetFlow Analyzer A traffic-monitoring package for Windows or Linux.
- Wireshark A free packet detection and capture tool for Windows, Linux, Unix, and Mac OS.
- Kismet A free wifi sniffer for Linux, Unix, and Mac OS.
- EtherApe A free packet sniffer for Linux, Unix, and Mac OS.
- SmartSniff A free IP sniffer for Windows.
- Microsoft Message Analyzer A packet sniffer that focuses on protocol data in headers.
- Free Network Analyzer A free packet sniffer for Windows.
- Network Miner An IP sniffer for Windows, Linux, Unix, and Mac OS.
Issues with IP sniffers
Many businesses don’t like network administrators capturing packets and reading the data payload. That payload may contain personal information, and the company would be liable to prosecution if non-authorized staff could read its contents. Therefore, when packet sniffing, it is better to focus on the contents of the header, which contains network administration information and no sensitive data.
Deep packet inspection tools can be regarded as a category of packet sniffers. These examine the contents of the packet, even looking into the payload. DPI is a form of firewall that is deployed at the network gateway. It can be used to block users within the network from accessing banned internet content and it can also be used to scan incoming data for a list of keywords: the presence of a blacklisted word in a data packet usually results in that traffic being dropped so that it cannot enter the network.
Automated examination of IP packet payloads by a DPI system is not as controversial as outright IP sniffing or packet capture. This is because the program does not store or judge the contents of the payload and won’t disclose that data to third parties.
The purpose of IP sniffers
When you use an IP sniffer, you will probably be looking for the source of traffic surges and planning remedial action, such as an extension of infrastructure or the implementation of traffic shaping measures.
The best IP sniffers
This list of tools includes both free and paid utilities and software that will run on Windows or Linux. You can read more about each in the following sections.
1. Paessler PRTG IP Sniffer (FREE TRIAL)
PRTG is an all-in-one infrastructure monitor that covers networks, servers, and applications. This tool is made up of a large number of monitors, which are called “sensors.” One of the sensors available in the suite is the IP sniffer. The company ships every customer the same software; you tailor it by paying for a number of sensors and activating the parts of the package that you need.
The packet sniffer will display packet headers as they pass along the network, or store them to a file. The PRTG system also includes traffic-measuring sensors that provide NetFlow, sFlow, IPFIX, and J-Flow detection. A combination of all of these packet monitoring sensors will give you a very detailed view of your traffic flows. This information can be displayed in the dashboard or analyzed through other facilities in the PRTG suite.
As well as displaying packets as they pass, PRTG can be set to detect anomalies, and you can create custom alerts based on your own thresholds of traffic volume by packet type.
PRTG installs on Windows Server. You can get a 30-day free trial of the system that will give you an unlimited number of sensors. The system is free to use for up to 100 sensors.
2. SolarWinds Packet Sniffer (FREE TRIAL)
SolarWinds produces a range of infrastructure monitoring and management software. The central product of the company is its Network Performance Monitor (NPM). This tool includes a packet sniffer.
One of the main features of the SolarWinds Network Packet Sniffer (which is part of the Network Performance Monitor) is its ability to identify the applications that originated packets. The interface for the tool will display the application name and group traffic by these identifiers so that you can quickly see which application is generating the most traffic on your network.
You will also be able to measure transfer times per application – if all traffic is slow, then there is something wrong with the network, but if only the traffic of one application seems to be slow, you know where to direct your investigations. You can also choose to look at traffic by other categories, such as source or destination. The monitor will store and aggregate packet data over a 24-hour period. Below-average transfer speeds are shown in red, so you can see at a glance what times of the day or what traffic types put your network under strain.
The SolarWinds Network Performance Monitor installs on Windows Server 2012 and Windows Server 2016. If you are examining traffic problems, then you would also benefit from the NetFlow Traffic Analyzer. You can buy both of those modules together in the Network Bandwidth Analyzer Pack. SolarWinds offers a 30-day free trial of the Network Packet Sniffer with NPM.
3. ManageEngine NetFlow Analyzer
ManageEngine produces a range of network monitoring tools, and the NetFlow Analyzer focuses on traffic data. This is where you will find the system’s packet sniffer as well as other traffic analysis tools.
The analyzer will perform deep packet inspection, although this is focused on packet header data rather than the payload – which is probably obscured by encryption anyway.
As well as the IP sniffer, the NetFlow Analyzer can monitor packet traffic data generated by the NetFlow, sFlow, J-Flow, IPFIX, NetStream, AppFlow, and FNF standards. A combination of all of this traffic analysis data, together with stored, recalled, and aggregated packet header data, should give you enough information to refine the performance of your network.
The captured packet header information can be grouped by source or destination addresses, port numbers, protocols, and applications. As well as seeing traffic volumes listed by any of these categories, you will also be able to look at response times by the same groupings.
The main network monitoring tool produced by ManageEngine is called OpManager. This also includes the same IP sniffer that is contained in the NetFlow Analyzer; however, it doesn’t include all of the other traffic monitors that the Analyzer has. Both tools install on Windows and Linux. You can get a 30-day free trial of the NetFlow Analyzer.
4. Wireshark
Wireshark is a well-known free packet sniffer for both LANs and wireless networks, including WiFi and Bluetooth. The software can be installed on Windows, Linux, Unix, and Mac OS. This system will capture packets passing along your network.
One problem you might have with getting approval to use Wireshark is that it makes the entire packet visible. That means that you will also be able to access the data payload. However, given that most applications encrypt data for transmission, you might be able to get away with it.
Wireshark will show all packets in the dashboard as they pass by and you can also store them to a file. Wireshark is able to write packet capture files following a number of formats, including tcpdump, Pcap NG, Sniffer Pro, and Microsoft Network Monitor format.
Stored packets can be loaded back into the dashboard from a file for analysis. The Wireshark data viewer is able to filter packets according to a limited set of criteria, such as protocol. This facility enables you to identify critical traffic, such as VoIP packets.
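As an added illustration of the header-only approach recommended in the Issues section and of reading a stored capture back for protocol filtering as described here, this Python example (not part of the original page, and not Wireshark’s code) builds a small tcpdump-format pcap in memory and summarises traffic per flow from the Ethernet, IP, and transport headers alone, never retaining payload bytes. The sample addresses, ports, and payloads are constructed for the example.

```python
import struct
from collections import Counter

# Constructed sample capture: three Ethernet/IPv4 frames (TLS, DNS, HTTP) in a
# little-endian libpcap container; RFC 5737 addresses and invented filler payloads.
def _frame(src, dst, proto, sport, dport, payload):
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)   # 20-byte TCP, PSH|ACK
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))  # 8-byte UDP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4 + payload

FRAMES = [
    _frame("192.0.2.5", "203.0.113.10", 6, 51000, 443, b"\x16\x03\x01" + b"\x00" * 40),
    _frame("192.0.2.5", "192.0.2.53", 17, 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 20),
    _frame("192.0.2.9", "203.0.113.10", 6, 51001, 80, b"GET / HTTP/1.1\r\n\r\n"),
]
PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
for i, f in enumerate(FRAMES):
    PCAP += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f

def summarize_pcap(data, proto_filter=None):
    """Tally IP total-length bytes per (src, dst, proto, dport) from a pcap file.
    Only Ethernet/IP/transport headers are decoded; payload bytes are skipped and
    never copied out, so the summary carries no application data."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # reads as 0xD4C3B2A1 for a big-endian file
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("example handles Ethernet (DLT_EN10MB) captures only")
    names = {6: "tcp", 17: "udp"}
    flows = Counter()
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, off)[2]
        rec = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(rec) < 38 or rec[12:14] != b"\x08\x00":   # need Ethernet + IPv4 + ports
            continue
        ihl = (rec[14] & 0x0F) * 4
        total_len, proto = struct.unpack_from("!H", rec, 16)[0], rec[23]
        src = ".".join(map(str, rec[26:30]))
        dst = ".".join(map(str, rec[30:34]))
        name = names.get(proto, str(proto))
        if proto_filter and name != proto_filter:
            continue
        dport = struct.unpack_from("!H", rec, 14 + ihl + 2)[0] if proto in names else None
        flows[(src, dst, name, dport)] += total_len
    return flows
```

Calling `summarize_pcap(PCAP, "tcp")` returns only the two TCP flows with their byte counts; the same function reads any classic pcap written by tcpdump or Wireshark on an Ethernet interface.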
Wireshark is a not-for-profit development that doesn’t accept any advertising on its website or within the application. The organization has signed a sponsorship deal with Riverbed Technology, which produces paid, Wireshark-compatible monitoring tools.
5. Kismet
Kismet is a free wireless IP sniffer. The basic tool will capture packets structured following the 802.11a, b, g, and n wifi standards. You can extend its capabilities with add-ons that enable the tool to detect Bluetooth packets and other wireless standards. By default, Kismet reads the headers of packets. However, it can be set to capture entire packets.
The software for Kismet is built into Kali Linux. It can be installed on other versions of Linux and also on Windows, Unix, and Mac OS.
Kismet uses stealth methods to gather IP data, which may make some network managers nervous – it can’t be detected as an IP sniffer. The system has three elements: a drone, which is the data collector; the server, which processes packets; and the client, which is a data viewer.
The drone searches through all known wireless frequency channels to detect passing traffic. It is also possible for the user of the software to specify a channel or range of channels for the IP sniffer to scan.
As the captured packets can be stored to file, you are not restricted to using the server and client modules of Kismet. Instead, you could just deploy the drone and funnel data through files into other analysis and data display utilities. Data can be saved in tcpdump and AirSnort formats, which are readable by a long list of data analysis tools.
6. EtherApe
EtherApe is a free IP sniffer with the source code available for download from Sourceforge. This software will run on Linux, Unix, and Mac OS. This packet sniffer was first released in 2000, so it is a very mature piece of code and has gathered a lot of followers over its long service history.
The interface is not very sophisticated, but it shows all of the network nodes that it has discovered, and all traffic between two points is drawn as a line on the screen joining those two addresses. It is a simple but very effective way to represent connections. Those lines are color-coded to show their protocols. The width of each line varies according to the amount of traffic volume that it represents at any one time.
You can filter results to concentrate on looking at only certain types of traffic or traffic between a limited number of nodes. The tool will pick up wireless transmissions and virtualizations as well as regular LAN traffic. You can get packets written to file and read back into the viewer for analysis.
7. SmartSniff
SmartSniff is a free IP sniffer for Windows environments. It focuses on traffic transported with TCP. Packets passing between two nominated points on a network are displayed according to their application/protocol. Those points can be several links apart. UDP traffic can also be shown, but this carries less information.
Packets are shown live in the dashboard and they can also be saved to file. Stored packets can be loaded back into the data viewer for later analysis.
8. Microsoft Message Analyzer
Microsoft Message Analyzer is a free packet analyzer for Windows 7 and higher and Windows Server 2008 and higher. The packet data capture is limited to connection administration traffic, which removes the danger of your packet sniffing activities breaking data confidentiality.
The dashboard groups passing messages into exchanges between endpoints, which enables you to quickly see all of the transactions that create, maintain, and break a connection. Drill-down detail panels enable you to examine individual packets. There is also a trace facility that shows the links that each message in a connection has passed through.
The information reaped by this tool is enough to give you an idea of which endpoints and applications are generating the most traffic. These results will help you work out a traffic shaping strategy to improve network performance for all.
9. Free Network Analyzer
Free Network Analyzer is part of a family of packet sniffing tools produced by HHD Software. A paid version of this IP sniffer is called HHD Network Monitor, which comes in a Standard and an Ultimate edition. Both of these tools run on Windows environments.
You can capture packets and view them in the dashboard with either of these tools. However, you can only save packets to file with the Ultimate HHD Network Monitor. That top version is also able to read the industrial MODBUS packet standard. The viewer for all versions of this tool can buffer up to 1GB of live data and interpret aggregated data into graphical representations.
10. Network Miner
Network Miner runs on Windows, Linux, Unix, and Mac OS. The tool is available in both free and paid versions. The free version has fewer capabilities; for example, writing packets to file is not available.
The packet sniffer displays passing packets in a data viewer, identifying the protocol/application of each. One interesting feature is that it can extract the security certificate data from secure-session establishment packets. A more disturbing capability of this tool is that it can identify the traffic of individual users and even give you the username and password of each.
Working with IP sniffers
Be careful when selecting an IP sniffer. Some of the tools on this list are particular favorites of hackers. This category includes Wireshark, Kismet, and Network Miner. You may be breaking the law by using any of these and you could get your company sued for improperly securing data if word gets out that the IT department has these tools.
The very best professional tools are well worth investing in. The PRTG IP Sniffer, the SolarWinds Packet Sniffer, and the ManageEngine NetFlow Analyzer are certainly worth a trial.