Download a portable network analyzer to monitor, analyze and troubleshoot your network.

A packet sniffer (also known as a network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams travel back and forth over the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.

A "packet sniffer" is a utility that sniffs without modifying the network's packets in any way. By comparison, a firewall sees all of a computer's packet traffic as well, but it has the ability to block and drop any packets that its programming dictates. packet sniffers merely watch, display, and log this traffic.

One disturbingly powerful aspect of packet sniffers is their ability to place the hosting machine's network adapter into "promiscuous mode." Network adapters running in promiscuous mode receive not only the data directed to the machine hosting the sniffing software, but also ALL of the traffic on the physically connected local network.

A packet sniffer is a device or program that allows eavesdropping on traffic traveling between networked computers. The packet sniffer will capture data that is addressed to other machines, saving it for later analysis.

All information that travels across a network is sent in "packets." For example, when an email is sent from one computer to another, it is first broken up into smaller segments. Each segment has the destination address attached, the source address, and other information such as the number of packets and reassembly order. Once they arrive at the destination, the packet's headers and footers are stripped away, and the packets reconstituted.

In the example of the simplest network where computers share an Ethernet wire, all packets that travel among the various computers are "seen" by every computer on the network. A hub broadcasts every packet to every machine or node on the network, then a filter in each computer discards packets not addressed to it. A packet sniffer disables this filter to capture and analyze some or all packets traveling through the ethernet wire, depending on the sniffer's configuration. This is referred to as "promiscuous mode." Hence, if Ms. Wise on Computer A sends an email to Mr. Geek on Computer B, a packet sniffer set up on Computer D could passively capture their communication packets without either Ms. Wise or Mr. Geek knowing. This type of packet sniffer is very hard to detect because it generates no traffic of its own.

A slightly safer environment is a switched Ethernet network. Rather than a central hub that broadcasts all traffic on the network to all machines, the switch acts like a central switchboard. It receives packets directly from the originating computer, and sends them directly to the machine which they are addressed. In this scenario, If computer A sends an email to computer B while the computer D working in promiscuous mode, It can see no packet. Therefore, some people mistakenly assume a packet sniffer cannot be used on a switched network.

But there are ways to hack the switch protocol. A procedure called ARP poisoning basically fools the switch to substituting the machine with the packet sniffer for the destination machine. After capturing the data, the packets can be sent to the real destination. The other technique is to flood the switch with MAC (network) addresses so that the switch defaults into "failopen" mode. In this mode it starts behaving like a hub, transmitting all packets to all machines to make sure traffic gets through. Both ARP poisoning and MAC flooding generate traffic signatures that can be detected by packet sniffer detection programs.

A packet sniffer can also be used on the Internet to capture data traveling between computers. Internet packets often have very long distances to travel, passing through several routers that act like intermediate post offices. A packet sniffer might be installed at any point along the way. It could also be clandestinely installed on a server that acts as a gateway and collects vital personal information.

A packet sniffer is not just a hacker's tool. It can be used for network troubleshooting and other useful purposes. However, in the wrong hands, a packet sniffer can capture sensitive personal information that may result in invasion of privacy, identity theft, and other serious eventualities.

The best defense against a packet sniffer is a good offense: encryption. When strong encryption is used, all packets are unreadable to any but the destination address, making packet sniffers useless. They can still capture packets, but the contents will be undecipherable. This illustrates why it is so important to use secure sites to send and receive personal information, such as name, address, passwords, and certainly any credit card information and other sensitive data. A website that uses encryption starts with https. Email can be made secure by encrypting with a program like PGP (Pretty Good Privacy), which comes with seamless plug-ins for all major email programs.

Related Packet Sniffer Software:

Sniffer - A program and/or device that monitors data traveling over a network.
Protocol Analyzer - an essential part of the Network Manager's toolkit.
MSN Sniffer & Monitor - Capture MSN messenger chat and conversations on your network.
Network Monitor - a packet capture and network protocol analyzer software.