/dev/null / /dev/rant

Recently I had a conversation with a manager regarding network security tools, and after about 15 minutes he blurted out: "What is actually a packet sniffer? What does it do?" At first I was a bit dumbfounded; I mean, everyone knows what a packet sniffer is, right? Not quite. So I decided to write a very basic text about this subject. It is actually the explanation I gave him.

Ever wondered what traffic on the internet looks like? TCP and UDP, the protocols used on the internet, are designed so that all data is sent in small chunks, and these chunks are called packets. They are called packets because they have a fixed size, a sender address field and a destination address field. Routers on the internet are therefore much like post offices: each one looks at the packet and forwards it to the next router until it reaches its destination. I have illustrated this process below.

packet flow

Now that we understand what packets are, the idea of a packet sniffer, or even a packet analyzer, is easier to grasp. Basically, what a packet sniffer / analyzer does is look at every packet it can see, kind of like a postal worker with an X-ray scanner checking what is inside the packages. A packet sniffer will analyze the contents of TCP packets based on a filter you give it. For example, you can tell a sniffer you want to find everything that contains the word "password", and it will scan all packets it can see for "password" and show you the contents of those packets.

Now, before you think "WOW, I can find everyone's password": NO. It doesn't work that way. The way you can "see" packets is that you see all the traffic that flows in the same segment where you are physically plugged in. So if you have a home network with one hub or switch, you will only see packets from the home network. If you are plugged in at work and there are multiple hubs or switches, you will only see the traffic on the hub or switch where you are plugged in. The best place to connect a packet sniffer would be just behind a large network firewall, so you see all the traffic inside the network that hits the firewall AND most of the traffic that comes in. A good free sniffer would be Ethereal.

Packet analyzers are programs that analyze packets for what they do: they show you a report of where traffic was going, what kind of traffic it was (HTTP, FTP etc.), and where it came from. A very popular analyzer is ntop. Ntop shows something like what you see below:

ntop in action
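To make both steps concrete (the sniffer filtering on "password" from the previous section, and the analyzer's "where did the traffic go and what kind was it" report from this one), here is a small added example. It is my own code, not from this post, Ethereal or ntop, and it uses only the Python standard library. It builds a few constructed Ethernet/IPv4/TCP frames in memory (MAC addresses, IPs, hostnames and credentials are all made up for the example), decodes the sender and destination address fields the way a sniffer does, applies a payload filter, and then counts packets per destination and service the way an analyzer would.

```python
import socket
import struct
from collections import Counter

# Constructed sample data only: these frames are built in memory, not captured.
# Hypothetical MAC addresses for the Ethernet header.
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Well-known destination ports an analyzer uses to label traffic.
SERVICES = {21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Pack an Ethernet II + IPv4 + TCP frame (checksums left at 0; this is a demo)."""
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode the sender/destination address fields and the TCP payload, as a sniffer does."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": tcp[data_off:],
    }


def sniff(frames, needle):
    """Sniffer mode: return decoded packets whose payload contains `needle` (case-insensitive)."""
    needle = needle.lower().encode()
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt and needle in pkt["payload"].lower():
            hits.append(pkt)
    return hits


def traffic_report(frames):
    """Analyzer mode: count packets per (destination, service), like an ntop-style report."""
    report = Counter()
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt:
            report[(pkt["dst"], SERVICES.get(pkt["dport"], "other"))] += 1
    return report


def sample_frames():
    """Constructed traffic from one segment: an FTP login and two HTTP requests."""
    return [
        build_frame("192.168.1.10", "10.0.0.9", 40001, 21, b"USER bob\r\nPASS hunter2\r\n"),
        build_frame("192.168.1.10", "10.0.0.5", 40002, 80,
                    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
        build_frame("192.168.1.11", "10.0.0.5", 40003, 80,
                    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
                    b"user=alice&password=s3cret"),
    ]


if __name__ == "__main__":
    frames = sample_frames()
    for pkt in sniff(frames, "password"):
        print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} {pkt['payload']!r}")
    # A literal filter is only as good as the word you chose: FTP sends "PASS", not "password".
    print("FTP matches for 'PASS ':", len(sniff(frames, "PASS ")))
    for (dst, service), n in sorted(traffic_report(frames).items()):
        print(f"{dst:12} {service:6} {n} packet(s)")
```

Two things worth noticing. First, the "password" filter catches the HTTP form login but not the FTP one, because FTP spells it "PASS"; a content filter only finds what you told it to look for, which is why running one against your own segment is a useful check that your services are not sending credentials in the clear. Second, the only frames this code ever sees are the ones handed to it, which is exactly the segment caveat above: a real sniffer such as Ethereal reads frames from the network card (via libpcap, with the card in promiscuous mode), and the card only receives what the hub or switch in front of it delivers.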

Now, I hope this cleared things up a bit.
