Packet Peeper is a free network protocol analyzer (or ‘packet sniffer’) for Mac OS X. Its features include: TCP stream reassembly; Privilege separation; Simultaneous capture sessions; Filters, which may be defined at any time. Packet Peeper uses the same syntax as tcpdump and Wireshark (or any other program that uses the pcap library). A network sniffer, also known as a packet analyzer, is either software or hardware that can intercept data packets as they travel across a network. Admins use network sniffers to monitor network traffic at the packet level, helping ensure network health and security.
A packet sniffer captures the data that travels around a network. Packet sniffers come in a range of types, and one category is a piece of hardware.
Jan 22, 2020 MAC Address Scanner remotely scans and finds the MAC Address of all systems on your local network. It allows you to scan either a single host or range of hosts at a time. During the scan, it displays the current status for each host. After the completion, you can generate detailed scan report in HTML/XML/TEXT/CSV format. Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.
When you want to look at the flow of traffic around a network or detect for network intrusion, your first requirement is for a packet sniffer. Software packet sniffers range from straightforward data capture and storage systems through to sophisticated traffic analysis packages.
In this guide, you will learn about a variety of packet sniffing software and find out the strengths and limitations of each. Packet sniffers aren’t just meant for wired networks. Many packet sniffers can monitor your wireless traffic and others can cover hybrid networks, even tracing traffic to cloud-based services contracted in by your company.
This guide focuses on a list of the best packet sniffers, both free and paid, available on the market in 2018. After the summaries, you can read more about the different uses of a packet sniffer.
Here is our list of the best packet sniffers:
- Paessler Packet Sniffer
- ManageEngine NetFlow Analyzer
- Microsoft Message Analyzer
- Free Network Analyzer
- Network Miner
Packet Sniffers by operating system
|SolarWinds Network Performance Monitor||Yes||No||No||No|
|Paessler Packet Sniffer||Yes||No||No||No|
|ManageEngine NetFlow Analyzer||Yes||Yes||No||No|
|Microsoft Message Analyzer||Yes||No||No||No|
|Free Network Analyzer||Yes||No||No||No|
1. SolarWinds Network Performance Monitor (FREE TRIAL)
The SolarWinds Network Performance Monitor focuses on gathering status information from network-attached equipment. It also has a packet sniffer module that can help analyze traffic as it moves around the network.
The packet sniffer can look at the origins of traffic on your network. Seeing which terminal data originated at can help you detect unauthorized network intrusion. Examining packets on the network will tell you what applications generate the most traffic.
The dashboard of the packet sniffer shows network throughput and identifies each of the applications that send out packets. You can see the response times per application over the past 24 hours. The records that indicate slow responses show warnings highlighted in red. You can nominate a start and end points for analysis, which allows you to examine traffic on different network segments. Other utilities in the Network Performance Monitor extend the visibility of network events found during packet analysis. These include the PerfStack screen, which enables you to view metrics for underlying services together with application traffic data. This greatly aids in identifying the cause of traffic bottlenecks.
The Network Performance Monitor is not free. The price of the system increases with the number of devices you have connected to your network. SolarWinds offers an alternative method for network traffic monitoring, which is called the NetFlow Traffic Analyzer. This system uses the system messages sent out by routers and switches instead of capturing packets from the network.
The company offers a package called the Network Bandwidth Analyzer Pack, which combines both the Network Performance Monitor and the NetFlow Traffic Analyzer. All of the SolarWinds packages are designed to run on Windows Server 2012 and Windows Server 2016, though it can collect data from devices running any operating system. You can access the Network Performance Monitor, the NetFlow Traffic Analyzer, and the Bandwidth Analyzer Pack on a 30-day free trial.
2. Paessler Packet Sniffer
Paessler produces a network monitoring package called PRTG that includes the All-In-One Packet Sniffing Tool. One of the elements of this tool is a packet sniffer. PRTG can only be installed on the Windows operating system. However, a cloud-based version of the package is accessible through a browser and so can be used from any operating system.
PRTG offers a range of network traffic analysis methods including a packet sniffer. An alternative to this is provided by the package’s ability to capture system messages from network hardware (IPFIX, NetFlow, sFlow, and J-Flow). The packet analysis function of the system lets you to identify which terminals, applications, and protocols generate traffic on your network. This information enables control of network access and throttling of bandwidth to specific MAC or IP addresses, protocols, or applications.
The dashboard of the PRTG interprets the information that the packet sniffer collects and displays it through graphical data visualizations. These include color-coded dials, which make it easy to spot critical conditions at a glance. The Paessler PRTG system is priced on the number of “sensors” that you wish to monitor. A sensor is an attribute on a device. For example, the traffic on a network connection is a sensor and so is a monitored switch port. Paessler explains that it takes five to ten sensors to properly monitor a device. You can get a 30-day free trial of the system. If you monitor 100 sensors or less, you can use PRTG completely free of charge.
3. ManageEngine NetFlow Analyzer
To find the packet sniffer offered by ManageEngine, you need to look at the company’s NetFlow Analyzer tool, which can be installed on Windows and Linux. Although NetFlow is a Cisco network device messaging system, the NetFlow Analyzer also includes packet analysis capabilities.
The analyzer includes deep packet inspection. Although it wouldn’t be much use to look at the content of encrypted packets, the inspection capabilities offer a good route to examine the headers of packets. The analyzer captures packets and stores them to a file. This is because examining packets in isolation can only give you so much information. Being able to aggregate data and plot trends gives more powerful analytical capabilities.
The packet header information includes the source and destination addresses and port numbers of a transfer. Thus, you can assess the impact of protocols, applications, and the impact of user activity on network utilization. Important comparisons between network response times and application response times will give you an idea of which applications are overloading or slowing down the network. That information will help you decide whether to expand capacity, selectively limit network access, or investigate alternative and less bandwidth-hungry applications.
The packet capture files can be stored and loaded back into the NetFlow Analyzer dashboard for long-term performance comparison. This gives you the capability to assess the effects of infrastructure investments.
As an alternative to packet capture, you can use the NetFlow Analyzers system message reading capabilities. These rely on information sent out by network infrastructure following the NetFlow, NetStream, Appflow, sFlow , cflow, J-Flow , FNF, and IPFIX standards.
The ManageEngine NetFlow Analyzer is priced by a count of interfaces. An Interface is a Layer 3 physical or logical interface or a port on a switch or router. The software for this package can be installed on Windows or Linux.
The system is available in two versions: an Enterprise edition suitable for small, medium, and large networks; and the Distributed edition suited to large enterprises. You can get a 30-day free trial for either of these versions. A free version of NetFlow Analyzer can monitor two interfaces.
ManageEngine’s OpManager tool also includes the same deep packet inspection capabilities as the NetFlow Analyzer. This utility is also available as a free service to monitor ten devices or less. The company makes three paid versions of OpManager and offers a 30-day free trial on all editions.
Wireshark is a very handy free packet sniffer that can be installed on Windows, Linux, Unix, and macOS. This system will capture packets passing along your network. It can scan wi-fi and Bluetooth as well as wired networks. The collected packets can be shown in the Wireshark dashboard and/or saved to file. The file formats that Wireshark can write to and read from are numerous. They include tcpdump, Pcap NG, Microsoft Network Monitor format, and Sniffer Pro.
Once you get packets into the dashboard’s data viewer, you have a lot of visualization options. Records can be filtered and you can also identify packets by protocol, including the ability to isolate VoIP streams. You can enable coloring rules to quickly recognize different packet sources and statuses.
Wireshark is developed by a not-for-profit organization that has no income stream from advertising. The developers of the system are funded by donations and by sponsorship from a company, called Riverbed Technology. Riverbed produces a network performance monitor, called SteelCentral, which is designed to integrate Wireshark. However, Wireshark has its own front end, so you don’t need to buy in extra software in order to examine the data that it collects. You can use Wireshark at the command line through a facility called TShark.
Network Sniffer Tool
EtherApe was written for Unix and Unix-like systems, so it can be installed on Linux and MacOS. This packet sniffer is a free utility based around a graphic representation of the links in a network.
The console of the tool shows all of the hosts in a network, identifying each by its IP address. These hosts are plotted in a circle and the connections from one to another are linked by straight lines. Each line is colored, with a different color representing each protocol generating traffic on the network. The source for this information is in the headers of the packets that the program captures.
Each line expands and contracts in width according to the current traffic volume that it generates. A constantly changing visual representation of the traffic on your network is based on live data. The packet sniffer can work with both IPv4 and IPv6 addressing systems and it tracks both TCP and UDP packets. You can filter the data for the display to concentrate on a limited list of traffic sources. You can also switch the perspective of the data to show either end to end connections, network-only traffic, or port number activity for TCP traffic. The packet sniffer can cover wireless traffic and virtual environments as well.
EtherApe can write packets to a file. The displayed traffic can be sourced from files instead of live traffic events. Clicking on a node gives detailed information on the activities at that host’s network card.
This packet sniffer has been around since the year 2000 and its longevity has earned it a good reputation among the system administrator community. It is particularly popular with administrators who have been in the business a long time and have come to rely on the tool. Newer practitioners of the trade would probably be drawn to tools with more sophisticated interfaces, such as SolarWinds, ManageEngine, or Paessler products.
SmartSniff can be installed on any version of Windows and Windows Server. It is a free packet sniffer that captures data packets on networks. Although the utility can access packets on wireless networks, those WLANs need to be unencrypted in order for SmartSniff to access the packet data. The chances of ever coming across an unprotected wireless system are just about nil, so don’t rely on SmartSniff to analyze wireless networks.
The main focus of this tool is traffic passed over TCP connections. The reporting module of the utility will categorize traffic by network application, such as HTTP, POP3, FTP, and SMTP. Packet capture is started and stopped on demand. The console for the tool has two panes. The upper panel shows each connection and the two devices engaged in each exchange. If you select one of these connection records, the lower panel shows the packet stream that passed in both directions in the connection.
You can filter data either at the point of collection, or in the conversation viewer. The filter options include including or excluding TCP, UDP, and ICMP messages. You may specify an IP address or port range for the session.
Collected data can be saved to file and you can also load file contents into the console for viewing. SmartSniff isn’t one of the most sophisticated packet sniffing tools on this list, but it has a following.
7. Microsoft Message Analyzer
Microsoft Message Analyzer offers an alternative packet sniffing strategy. This research method might please your CIO because it does not involve reading the passing data generated by users, which may require privacy enforcement. This application only examines communication messages generated by protocols to manage connections. Limiting packet sniffing to these types of messages preserves data privacy.
The dashboard displays messages in a hierarchy, so you can see related messages together. Those message overviews appear in the main panel of the data viewer. Smaller detail panes below the main panel give you detailed information on any selected message.
You can store captured messages to a file and the viewer can display live network messages or stored records loaded in from a file. The viewer allows you to group and filter messages. You can trace messages through their journey to an endpoint on your network.
Although the Microsoft Message Analyzer won’t give you access to actual data packets, the protocol details that you can capture will give you a good indication of network load.
The free utility can be installed on Windows 7, Windows 8, Windows 8.1, Windows 7, 8, 8.1, and 10 and Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
8. Free Network Analyzer/HHD Network Monitor
The Free Network Analyzer and the paid Network Monitor from HHD Software are both available for Windows and Windows Server. This paid packet sniffer is available in three editions: Standard, Professional, and Ultimate. With the free version your session will cut off after 15 minutes and you can only start up the system five times a day.
All versions of the Network Analyzer/Network Monitor allow you to capture packets and view them in the console. You can’t save records to a file with the Standard or free versions. You are only able to view the raw packets in the Ultimate version.
The packet sniffer will pick up data from wired and wireless networks. Ultimate edition can read packets written to the MODBUS industrial network standard. You can set select criteria to only record packets with specific characteristics. You can also choose to filter packet data once it is in the viewer. The viewer shows live traffic and can buffer up to 1GB of data.
Although you can only store packets to a file with the Ultimate version, all versions can read in packet data from a file.If you don’t have the Ultimate edition, however, those files would need to be assembled by another application.
The viewer of the Free Network Analyzer and the HHD network monitor shows packet summaries in a top pane and details for selected packets in the bottom. The viewer can interpret data into visualizations such as graphs.
9. Network Miner
You can use a free version of Network Miner or you can pay for the Professional edition, which costs $900. This packet sniffer works on Windows, Linux, Mac OS, and FreeBSD. The free version has a number of limitations, including the inability to write captured packets to a file. With Network Miner you can examine packets from a live stream taken from your network. The data viewer can also read in packets stored to a file.
Network information contained in packet headers is richer for TCP than for other transport layer protocols. As with most network analyzers, Network Miner gives much more detailed information for TCP connections than messages transferred with other protocols. The packet sniffer will pick up UDP packets, though it won’t be able to string those together into a stream of related packets. The Network Miner packet sniffer can identify FTP, TFTP, SMB, SMB2, HTTP, SMTP, POP3 and IMAP streams and can extract the security certificate details from session establishment exchanges for secure connections, such as HTTPS and SMTPS.
The packet sniffer for both free and paid versions has some features that may make you uncomfortable as a network administrator. It can extract files and during transfer and it can also identify users. The user credentials search will display user names and passwords of those users connected to the network. These facilities would help hackers and data thieves by compromising the confidentiality of personal information sent across your network. For these reasons, your CIO might not let you use Network Miner.
Capsa comes in three versions: Free, Standard, and Enterprise. With the paid versions, your purchase gives you the right to use the software forever, but you only get one year’s maintenance. After the first year, you will have to sign up for an annual maintenance plan in order to continue receiving updates and patches. You can get a 15-day free trial for either of the paid versions of Capsa.
You can monitor up to 10 IP addresses with the free version of Capsa. With the Standard Edition, that limit goes up to 50. There is no limit on the number of addresses you can monitor with the Enterprise Edition. The Free and Standard versions of Capsa only monitor Ethernet networks. The Enterprise Edition covers wireless networks and can list data by port number. Both the Standard and Enterprise versions can filter data capture by application or process.
Security functions are reserved for the Enterprise Edition. These give you an opportunity to analyze both past and ongoing DoS attacks. The Enterprise version can also highlight suspicious connections and scan for worm activity.
You can write data out to files with all versions of the system, but you can only log data saves with the Enterprise and Standard versions. Printing and exporting data are not possible with the free version.
The Capsa Network Analyzer runs on Windows.
Netsniff-NG is a free network monitoring utility written for Linux. A packet sniffer forms the core of this tool, but extra functionality has been added on over the years.
The extra facilities bundled into the Netsniff-NG package include two traceroute-like facilities that track the origins of connections to the network from external sources. This ties in with geo-location information to give the physical location of the host that connects to the network. A packet filter utility lets you reduce the captured traffic to see only certain categories of network traffic. A utility called ifpps creates overview reports on network traffic statistics.
Once installed, traffic generators help test new equipment before connecting to the network. Another useful tool is a basic tunneling program that lets you divert test traffic around your firewall. Such an action helps assess the effects that network defense software has on network performance.
Netsniff-NG has been around since 2009 and it doesn’t have the sophisticated GUI interface that newer packet sniffers on this list provide. Another problem with the package is that it doesn’t write to a file. However, with command line manipulation, you could easily pipe output to a file yourself. The output isn’t formatted and results can be difficult to interpret. However, regular long-term users of Netsniff-NG become accustomed to the patterns of regular traffic and can quickly spot anomalies.
Kismet is a free packet sniffer for wifi networks that can be extended by plug-ins to monitor standards other than 802.11, such as Bluetooth. This is a free tool that includes some interesting stealth features. It is available for Linux, Unix, and MacOS. If you have Kali Linux, then you don’t need to install Kismet because it is part of the Kali bundle.
The packet sniffer of Kismet can pick up signals generated to 802.11a, 802.11b, 802.11g, and 802.11n standards. Its operating methods are a little worrying because they make it a perfect live hacker tool. Kismet doesn’t query APs, so it cannot be detected by other network monitoring systems. If there is a computer on your network running Kismet and gathering information on all connected hosts, you will just see it as a regular endpoint rather than a traffic monitor.
Kismet’s packet sniffer is called a “drone.” It passively gathers wifi signals and logs them. Those signals contain enough information to allow the Kismet data interpreter, called the “server,” to assemble statistics on each transmitting host and the traffic that it generates. That data is then displayed by the “client.” You can substitute other packet analyzing interfaces for the Kismet client if you wish.
Although other intrusion detection systems can’t spot Kismet, this tool can spot other wifi sniffers actively probing the network. Kismet reads the headers of packets to get its information. You can get file dumps of all traffic, including packet payloads.
Wifi networks are a lot more complicated than wired systems because the many frequencies available for transmission can only be monitored if the receiver uses the same frequency. So, Kismet constantly hops from channel to channel to capture data from as many frequencies as possible. It is possible to specify the channels that the receiver tunes into and the sequence of those visits, but Kismet installs with a default channel order that is probably best to leave in place.
The interface of Kismet is user-friendly, including live histograms of passing data. However, if you already have a tool that you prefer to use, you may be able to import stored traffic data gathered by Kismet. This is because the utility can store data files in tcpdump and Airsnort formats, which many network analysis tools can read. Kismet is a very thorough wireless network analysis tool.
13. KisMAC 2
KisMAC was a useful network monitoring tool written for Mac OS. It shut down but has since been revived by others as KisMAC 2. This wifi packet sniffer is a free utility.
KisMAC and KisMAC 2 closely emulate the capabilities of Kismet — hence the names. KisMAC 2 has some nice data visualization tools not available in Kismet. For example, it is able to draw a wifi signal map that shows the footprints of surrounding wifi APs. KisMAC 2 can detect signals from WAPs and wireless NICs following the 802.11b, 802.11n, and 802.11g standards. It is particularly effective for monitoring Apple’s AirPort and AirPort Extreme traffic.
The compatibility with Kismet extends to the fact that you can use a Kismet “drone” to collect data and feed it into KisMAC 2. It can read in files created in the PCAP format and write output in PCAP or tcpdump formats, so it can be used to supply data to many other packet analyzing tools.
Although KisMAC 2 is advertised as a security tool, many of its features look a lot like hacker utilities. These include brute force WEP and WPA key cracking, packet injection, and deauthorization attacks. The original KisMAC project was developed in Germany and was abandoned when changes in German law made its capabilities illegal. KisMAC 2 is now managed from Russia.
As with Kismet, this tool can be used for ethical hacking. Its ability to reveal hidden/cloaked SSIDs is a really useful feature that aides intrusion detection.
Ettercap is a hacker tool used to carry out “man in the middle” attacks on networks. However, it is able to detect other players performing hacker scams on a network, and so it is a useful poacher-turned-gamekeeper ethical hacking tool. This is a free utility and it is available for Linux, Unix, Mac OS, and Windows.
Most network cards have a “promiscuous mode” which enables them to discover other devices and communicate directly with them. Once a target has been identified, Ettercap practices ARP poisoning to get its host computer regarded as a network access point or router. This makes Ettercap particularly effective at capturing traffic traveling into the network from an external source or destined for a connection to an external source. Ettercap can work on the MAC address level to masquerade as a genuine host on the network.
Ettercap can gather passwords for a range of network applications and can even induce SSL procedures to disclose security certificates, which enables the host to pose as a bona fide correspondent and reap passwords on secure connections.
The program can alter the contents of passing packets and even cause connections to drop. All in all, you probably wouldn’t want anyone else using Ettercap on your network. However, the software’s ability to detect the usage of these techniques by others makes it a good tool for intrusion detection. The in-app facility to disconnect and isolate a suspicious user means you don’t have to switch to another network management tool in order to repel intrusion.
Reading through the capabilities of Ettercap might make you anxious. However, installing and using this tool yourself will educate you in the possible actions of hackers and intruders and help you create strategies in order to defend your network. The packet sniffing, data and packet injection and connection killing facilities in Ettercap may save your network.
EtherDetect is a lightweight packet sniffer for Windows. This is not a free utility. It costs $99.95 and you get 30 percent off if you don’t use it for a business. The packet sniffer works on wired networks and it can operate from any Windows device.
The packet sniffer captures entire packets, not just the headers, and it can reap both TCP and UDP transmissions. Traffic is displayed live in the program’s viewer. If the speed of passing data is too much for interpretation, you can filter traffic to only capture specific protocols. You can also sort and search data in the data displaying interface. The viewer will also interpret the signals and codes used in packet headers according to the conventions of the protocol under scrutiny.
The viewer can save packet captures to files and you can load saved data later for analysis when offline. Getting stored data allows the viewer to organize traffic by connection. With this view you can follow the messages that travel back and forth between two endpoints rather than trying to spot those threads among all the other network traffic as it streams past in live mode.
The viewer gives you options to either view the raw packet data in hex format or get every character interpreted into an alphanumeric display. Another feature will highlight protocol tags in colors to help you spot the header fields and their values for HTTP and data formats for HTML and XML.
Packet sniffer insights
Depending on the packet sniffer you choose, this category can give you a range of insights into your network’s performance. A packet sniffer is more usually used for on demand analysis to give you information on why congestion has occurred. The packet capture and storage functions of a classic packet sniffer creates large volumes of data, and so you won’t want to leave one turned on all the time.
NetFlow analyzers that reap summaries of packet information provided by routers are more suitable for constant monitoring scenarios. These tools can be left running in order to alert you when surges in traffic occur and when a constant rise in traffic threatens to congest your network. These insights are useful as part of intrusion detection plans and also to help you introduce traffic shaping in order to give you the best value from your network infrastructure budget. Being able to head off congestion in the short term, and plan for the expansion of services will prevent you from losing time with firefighting.
By introducing a packet sniffer to your support toolset you can head off problems and reduce demand on your Help Desk, thus freeing up staff for more constructive network administration activities.
Packet sniffer selection
As with any category of networking utility, packet sniffers range from quick, free command line data dumps to sophisticated traffic visualization tools. Your choice of tool really depends on your budget, the complexity of your network, and the types of network administration tools that you already have.
Some of the tools on this list border on illegal, in that they are advertised as security and monitoring utilities but are often used by hackers. Ettercap outright advertises itself for use by hackers. Although you may not want to be associated with such utilities, getting to know the methodologies of network intrusion will help you defend your network from attack. The “ethical hacking” tools included in this list have detection and blocking features that make them useful for thwarting hackers.
High-end packet sniffers, such as those produced by SolarWinds, ManageEngine, and Paessler, are so comprehensive they could more accurately be described as network monitoring systems rather than just plain packet sniffers.
Alternatives to packet sniffers
Packet sniffers are not universally popular. You may find that others in your organization block your plans to install one. This is because packet sniffers capture data in transit over the network and it is normal procedure to store that data in a file for analysis. However, if your company keeps sensitive information or personal data, the CIO may not allow you to copy data at will.
A packet sniffer is a type of network traffic analyzer. However, not all network traffic analyzers are packet sniffers. It is possible to get traffic information without examining passing data packets.
Mac Packet Sniffer
Router manufacturers include messaging and reporting systems in the firmware of their products. Examples of this are NetFlow by Cisco, J-Flow from Juniper Networks, NetStream by Huawei and a non-proprietary network messaging system called sFlow. These reporting standards offer an alternative method to measure network traffic flows that don’t require any packets to be copied off the network.
Packet sniffing issues
It is easy to see why many organizations regard packet sniffers with distrust. In these cases, there are alternative network monitoring methods to look out for. Packet sniffers have a role in a network administrator’s toolkit and some circumstances might arise in which you really need to look at passing packets to resolve a traffic problem on your network.
You may not feel the need to install and maintain a packet sniffer permanently on your network. However, in emergency situations, knowing where to find a free packet sniffer to examine protocol performance on your network can help get you out of a hole very quickly.
Image:Hey, Look at Me byWalter Rumsby via Flickr. Licensed underCC BY-SA 2.0
It’s no question that bottlenecks, downtime, and other common network performance issues can vastly affect the end-user experience and put productivity on hold, ultimately cutting into your company’s bottom line. Getting to the root cause of performance problems is a top priority for nearly every sysadmin. This is where packet sniffers, also known as network sniffers or network analyzers, come into play. With the right packet sniffer, you’ll be well-equipped to capture and analyze network traffic, helping you identify the cause of network performance problems and prevent them from recurring.
1. What Are Packet Sniffers?
2. How Do Packet Sniffers Work?
3. The Benefits of Packet Sniffing
4. Packet Sniffing Best Practices
5. Types of Packet Sniffing Tools
6. 10 Best Packet Sniffers
What Are Packet Sniffers?
A packet sniffer is either a software or hardware tool to intercept, log, and analyze network traffic and data. These tools aid in the identification, classification, and troubleshooting of network traffic by application type, source, and destination. There are a variety of tools on the market, most of which rely on application program interfaces (APIs) known as pcap (for Unix-like systems) or libcap (for Windows systems) to capture network traffic. The best packet sniffers then analyze this data, enabling you to both pinpoint the source of an issue and prevent it from happening in the future. My personal favorite is SolarWinds® Network Performance Monitor. This comprehensive software offers in-depth packet sniffing capabilities as well as a host of other cutting-edge resources at a reasonable price point.
To truly understand the power of packet sniffers, it’s important to establish a sound knowledge base of internet routing. Let’s start at the beginning. Every email you send, webpage you open, and file you share is distributed across the internet as thousands of small, manageable chunks known as data packets. These packets are transmitted through a protocol stack known as the Transmission Control Protocol/Internet Protocol (TCP/IP). The TCP/IP is broken into four layers: the application protocol layer, transmission control protocol (TCP) layer, internet protocol (IP) layer, and hardware layer.
Each packet moves through your network’s application layer to the TCP layer, where it’s assigned a port number. Next, the packet migrates to the IP layer and receives its destination IP address. Once a packet has a port number and IP address, it can be sent over the internet. Sending is carried out through the hardware layer, which converts packet data into network signals. When a packet arrives at its destination, the data used to route the packet (port number, IP address, etc.) is removed, and the packet moves on through the new network’s protocol stack. Once it reaches the top, it’s reassembled into its original form.
How Do Packet Sniffers Work?
Packet sniffers work by intercepting traffic data as it passes over the wired or wireless network and copying it to a file. This is known as packet capture. While computers are generally designed to ignore the hubbub of traffic activity from other computers, packet sniffers reverse this. When you install packet sniffing software, the network interface card (NIC)—the interface between your computer and the network—must be set to promiscuous mode. This commands the computer to capture and process, via the packet sniffer, everything that enters the network.
What can be captured depends on the network type. For wired networks, the configuration of network switches, which are responsible for centralizing communications from multiple connected devices, determines whether the network sniffer can see traffic on the entire network or only a portion of it. For wireless networks, packet capture tools can usually only capture one channel at a time unless the host computer has multiple wireless interfaces.
The Benefits of Packet Sniffing
So, what’s the point of packet analyzers, and why should you want to IP sniff? A packet sniffer can help you target new resources when expanding your network capacity, manage your bandwidth, increase efficiencies, ensure delivery of business services, enhance security, and improve end-user experience. Here’s how.
- Identify the Root Cause. For companies large and small, daily tasks can instantly be derailed by performance issues related to the network, an application, or both. To get their company back up and running, sysadmins must be able to quickly determine the root cause. Because packet sniffers view and gather information for all the traffic across the network, they can evaluate critical network pathways to help admins determine whether the application or the network is the cause of poor user experience. With this information in hand, admins are better equipped to pinpoint—and resolve—the origin of an issue.
- Dig Deep into Slowdowns. When users report slowness, admins can use PCAP analysis to measure the network response time—also known as network path latency—and determine the amount of time required for a packet to travel across a network path from sender to receiver. This enables admins to quickly determine the cause of slowdowns and identify affected applications, so they can take action.
- Analyze Traffic by Type. When evaluating network and application performance issues, having a firm grasp of the traffic on your network is paramount. With the right IP sniffer and packet analyzer, traffic is categorized into types based on destination server IP addresses, ports used, and measurement of the total and relative volumes of traffic for each type. This empowers you to identify excessive levels of non-business traffic (such as social media and external web surfing) that may need to be filtered or otherwise eliminated. You can also identify traffic flowing over a network link as well as traffic to specific servers or applications for capacity management purposes.
- Improve Bandwidth. When users complain “the network is slow,” or “the internet is down,” productivity grinds to a halt, reducing ROI and jeopardizing business growth. To get back on track, you need to understand how your network bandwidth is being used and by whom. A Wi-Fi packet sniffer can retrieve performance metrics for autonomous access points, wireless controllers, and clients. Many also offer fault, performance, and network availability monitoring, cross-stack network data correlation, hop-by-hop network path analysis, and much more, to help you detect potential issues and minimize network downtime.
- Improve Security. A high volume of outbound traffic could indicate a hacker is using your applications, either to communicate externally or to transfer a large amount of data. A packet sniffer can highlight unusual spikes in traffic so you can dig deeper to determine whether a cybercriminal is at work.
Network Sniffer Windows 10
Packet Sniffing Best Practices
With your packet sniffer in hand and your NIC set to promiscuous mode, you’ll be off and running with packet capture. But while many of the benefits of packet sniffing will fall into place, there are certain best practices to follow if you want to reap the full results and protect your company from security violations. To get the most out of your packet sniffer, ensure you:
- Know the Basics. To analyze network traffic, you must understand how networking works. Yes, some packet sniffers will break data down and offer dashboards full of insight, but knowing about the types of network traffic on a healthy network, such as the Address Resolution Protocol (ARP), for communication, and the Dynamic Host Configuration Protocol (DHCP), for network management, is key. You need to know what you want the packet sniffer to collect and have at least a general idea of what’s normal and what’s not. With a base-level understanding of network traffic, you can help ensure you’re evaluating the right mass of packets. Equip yourself with the foundational principles and you’ll be set for success.
- Copy Conservatively. Each packet contains a header identifying its source and destination as well as a payload—the term used to describe the contents of the packet. A basic packet sniffer will copy the payload and headers of all packets traveling on the network. If the packet payload isn’t encrypted, members of your IT team can access sensitive business data, opening the doors to a plethora of potential security risks. To help you protect your company and avoid putting sensitive information in jeopardy, many packet sniffers can be set to copy only the header information. Most of the time, this is the only information you’ll need to perform network performance analysis.
- Monitor Storage Space. Even if you’re only capturing packet headers, storing every packet can consume a large amount of your disk space. If you want to glean an understanding of network usage over a set period, say a few days, it’s best to copy every tenth or twentieth packet rather than copying every single one. This is known as packet sampling, and it’s a practice widely used to characterize network traffic. Packet sampling works by leveraging randomness in the sampling process to prevent synchronization with any periodic patterns in the traffic. While this method of network characterization is not 100% accurate, it’s a solution with quantifiable accuracy.
- Decode the Data. Some of the network data gathered by a packet sniffer will be encoded. To glean the full benefits of the data capture process, choose a packet sniffer able to decode this administrative information as well as extract other valuable insights, such as the varying port numbers between which the packets travel. This information will help you generate a more robust analysis of your network traffic.
A Word of Warning — How Hackers Use Packet Sniffers
While sniffer software is a tremendous asset to any IT team when implemented correctly, it can also be used by hackers to collect passwords, eavesdrop on unencrypted data within the packets, and steal data in transit. Hackers also use packet sniffers to conduct man-in-the-middle attacks, in which data is altered and diverted in transit to defraud a user. The malicious use of packet sniffers can lead to security breaches, industrial espionage, and more.
To protect your business from unlawful packet sniffing, it’s critical to always useHTTPS (SSL encrypted sessions) when entering and sending form data. Never rely on HTTP; it’s not secure and it puts your personal, sensitive information, like login credentials, in jeopardy. If you or someone in your business is using a website with HTTP, see if it will accept an HTTPS connection by typing “https://” into the browser bar before the site address. Oftentimes, a website has an SSL certificate in place but doesn’t require visitors to use it.
Alternatively, you can opt to skip this extra step and implement the Electronic Frontier Foundation browser add-on, known as HTTPS Everywhere, for Chrome, Firefox, and Opera. This add-on is designed to automatically connect every website you visit using HTTPS.
Compared to other security measures, VPNs, virtual private networks, offer the most protection because they encrypt your traffic. Software that links xbox to mac. You can also protect the metadata of your packets, such as destination addresses, by ensuring your DNS queries go through the VPN. Nevertheless, while VPNs are a security must-have, you should continue to use HTTPS even when a VPN is in place.
Many sysadmins also choose to invest in intrusion detection systems, which monitor network traffic for unusual spikes in traffic—a telltale sign of an intruder. Another option is to leverage tools like AntiSniff, which detect when a network interface has been put into promiscuous mode, raising a red flag if this occurred without your knowledge.
Types of Packet Sniffing Tools
There are countless packet sniffers on the market today, both paid and free. And while each tool is built on the core tenets of network traffic collection, they vary greatly in their breadth and depth. Many open-source tools are starkly simple in their design, and that’s the point: these tools have been built to offer reliable, clean data collection while leaving as small a footprint as possible. If you’re in need of some simple sniffing and quick diagnostics, a free, open source tool may serve the purpose. Many—although not all—free versions can be upgraded to provide additional analytical features if you determine greater support is needed.
With so many products on the market, it can be hard to know which packet sniffer to choose. While free options abound, putting some money behind your packet sniffer can ensure you’re armed with a tool that not only captures data but also offers intuitive analysis. Going beyond your basic packet sniffers, of which there are dozens, you’ll find the more robust analytic packet capture and network sniffing tools. In many cases, what sets these tools apart is their ability to perform deep packet inspection (DPI).
DPI software relies on sensors installed on transaction servers and a network sensor attached to a test access point (TAP) or mirror port. The software gathers data about the response time in interactions between clients and servers for both connectivity-level and application-level transactions. This metadata empowers admins to regulate traffic flows and differentiate between network issues and application issues to determine the cause of bottlenecks, slowdowns, and downtime.
These large enterprise-level tools are often equipped to alert on exception cases and to produce intuitive graphs and charts displaying detailed metrics. While they come at a price, they’re well worth the investment.
10 Best Packet Sniffers
SolarWinds Network Performance Monitor
While there are plenty of free options out there, none offer the wide range of features, scalability, and ease of use you’ll get with SolarWinds Network Performance Monitor (NPM) and accompanying packet sniffer. This multi-layered tool provides a comprehensive view of your network, so you can quickly detect, diagnose, and resolve network performance issues and avoid downtime. Plus, the system uses minimal bandwidth, requiring low overhead on Orion® Platform servers and nodes.
NPM leverages DPI to capture packet-level data across your network by accessing managed Windows devices and drawing on installed sensors. Within NPM’s Quality of Experience module, you can use the step-by-step “wizard” to deploy sensors and select pre-configured or custom applications to monitor.
With probes installed on network devices, SolarWinds NPM can view and gather metadata for all the traffic across the network. The diagnostic tool then registers and displays information like response times, data volume, and transactions to locate slowdowns and flag any issues. These DPI insights guide you in determining whether the application or the network is the cause of poor user experience and create a hop-by-hop packet path map for you to view bottleneck locations at a glance.
In addition, through the tool’s bandwidth analyzer feature, you can glean an understanding of how your network bandwidth is being used and by whom. NPM leverages NetFlow, JFlow, sFlow, NetStream, and IPFIX data built into most routers to identify the users, applications, and protocols consuming your bandwidth. This empowers you with the information you need to shut down bandwidth-hogging users and apps before putting extra spend behind more bandwidth. You can also use NPM as a wireless sniffer, taking advantage of Wi-Fi packet capture capabilities featuring performance, traffic, and configuration details for devices and apps on-premises, in the cloud, or across hybrid environments.
But that’s not all. NPM boasts a web-based performance dashboard with dynamic charts and graphs categorizing both real-time insights and historical data. Within this intuitive dashboard, you can accelerate root cause identification by dragging and dropping network performance metrics on a common timeline for immediate visual correlation across all your network data. The tool also offers customizable, intelligent alerts to make it easy to stay abreast of network device health, performance issues, and suspicious spikes in traffic activity. With this level of alerts, you can quickly act if something appears amiss, helping to prevent a security breach and keep hackers at bay.
To find out if NPM is the right network sniffer tool for you, download the free, fully functional 30-day trial.
Paessler PRTG Network Monitor
The PRTG Network Monitor from Paessler includes an impressive array of packet capture capabilities. The software relies on four core sensors in your network to sniff IP packets. Each sensor has its own unique capabilities. The packet sniffing sensor is designed to help sysadmins monitor an array of traffic, including web, mail, file transfer, infrastructure, and remote control traffic. It only analyzes packet headers, not packet payloads, so it places less strain on your system and helps safeguard sensitive information. The sFlow sensors are designed to place even less strain on your system: they analyze every nth packet, making them suited for large networks. The NetFlow and JFlow sensors, meanwhile, are designed specifically for monitoring data traffic and packets from Cisco devices and Juniper devices, respectively.
Beyond the scope of those four sensors, PRTG enables customizable NetFlow, IPFIX, JFlow, and sFlow sensors to serve as individual channels or to monitor the specific data traffic you wish to analyze. PRTG also boasts a list of more than 200 sensors to help ensure you’re capturing the exact data traffic you need, thus pinpointing and resolving your issues more quickly. All the data PRTG captures can be viewed in the software’s dashboard, which neatly displays all key facts and figures, helping you quickly identify anomalies, such as an unusual increase in protocols or traffic type.
PRTG is free for up to 100 sensors. Because each device requires approximately five to ten sensors, larger companies will need to put a little spend behind this robust platform.
ManageEngine NetFlow Analyzer
ManageEngine offers a packet sniffer within its NetFlow Analyzer tool, which can be installed on Windows and Linux. NetFlow Analyzer is a complete traffic analysis software leveraging flow technologies to provide your team with in-depth insights into network bandwidth performance and traffic patterns. The software uses a DPI add-on to determine whether the network or the application lies at the root of issues, enabling you to put an end to performance problems before they drastically affect end-user experience. If a problem will affect a group of end-users, NetFlow Analyzer allows you to pull the list of affected users so that you can inform them that a solution is in motion.
Network Sniffer Free Download
To take DPI analysis a step further, NetFlow Analyzer provides a Response Time Dashboard featuring graphs for traffic volumes based on top applications, providing the details you need to troubleshoot bandwidth issues at a glance. Once you identify the application and/or user straining your bandwidth, NetFlow Analyzer provides regulation capabilities in the form of traffic shaping (also known as packet shaping). Traffic shaping is a bandwidth management technique to delay the flow of certain types of network packets to ensure network performance for higher-priority applications.
NetFlow Analyzer also offers some reporting features. With the conversation report function, sysadmins can drill down to better understand the conversation between top users and applications, thereby helping prevent future issues. Along those lines, the historical report function assists in spotting trends and recurring issues so you can take steps to prevent them from happening yet again.
There are two versions of NetFlow Analyzer: the Essential edition and the Enterprise edition. However, DPI is considered an add-on for both.
Omnipeek by Savvius is designed for larger networks with a vast amount of data running through them every second. At its core, it’s a performance, analytics, and forensics tool providing the basics as well as in-depth analysis. Omnipeek can decode over 1,000 protocols for real-time analysis. The software’s intuitive graphic displays and visualization make it easy to drill down, compare, and look across network traffic to identify performance issues. Omnipeek even suggests the most likely root cause of a network problem, further facilitating the troubleshooting process.
In addition, this packet sniffer tool offers remote access for sysadmins, allowing them to troubleshoot from afar, as well as wireless packet capture capabilities and advanced IP sniffing through voice and video monitoring. An alert system is also part of the package, so you can generate automated notifications based on expert views or when pre-determined network policies are violated.
Omnipeek is available in three versions: Connect, which is limited to distributed analysis; Professional, for small to midsize businesses; and Enterprise, for large organizations.
Many sysadmins know tcpdump as the original packet sniffer. While it has evolved slightly since its launch in 1987, it remains largely unchanged. An open-source tool, tcpdump comes installed on nearly all Unix-like operating systems and is a go-to for packet capture on the fly. Because it’s a command-line tool, it doesn’t require a heavy-duty desktop to run, making it a favorite among sysadmins.
tcpdump captures all traffic on the specified network via libcap and then “dumps” it directly to your screen. From there, you can leverage the tool’s complex filtering language to winnow the vast amount of data collected into manageable chunks. A myriad of filters can be applied to accomplish this; you just need to know the right commands. Most sysadmins use commands to segment the data, then copy it to a file exported to a third-party tool for analysis. This is due, in large part, to the fact that tcpdump can’t read the pcap files it captures.
The rudimentary nature of tcpdump combined with its complex commands and highly technical language leads to a rather steep learning curve. Nevertheless, tcpdump is a powerful tool for identifying the cause of network issues once it has been mastered. To give it a try, type “tcpdump” into your search bar to see if it’s already installed on your device.
Due to the success of tcpdump on Unix-like operating systems, it was “ported over” to the Windows platform. This simply means it was cloned to allow for Windows packet capture. Like tcpdump, WinDump is a command-line tool, and its output can be saved to a file for deeper analysis by a third-party tool. WinDump is used in much the same way as tcpdump in nearly every aspect. In fact, the command-line options are the same, and the results tend to be pretty much identical.
Along with the striking similarities between the two, there are a few distinct differences. Unlike tcpdump, which is built into an operating system, WinDump must be downloaded; it’s delivered as an executable file and requires no installation. For WinDump to run, the WinPcap library (the Windows version of the libpcap library used by tcpdump) must be installed. However, WinDump doesn’t have to be installed on every single one of your machines—you can simply copy it over as needed.
Like tcpdump and WinDump, Wireshark has been around for a few decades and helped set the standard for network protocol analysis. Wireshark is a completely free, open-source tool that has been ported over to nearly all network operating systems, including Windows, Linux, macOS, Solaris, FreeBSD, and NetBSD. To this day, Wireshark remains a volunteer-run organization backed by several significant sponsorships.
The Wireshark packet sniffing tool is known for both its data capture and its analysis capabilities. You can apply filters to limit the scope of data Wireshark collects, or simply let it collect all traffic passing through your selected network. Importantly, it can only collect data on a server with a desktop installed. Since desktops aren’t common on servers, many sysadmins choose to use tcpdump or WinDump to capture traffic to a file, which they then load into Wireshark for in-depth analysis.
Whether or not you use Wireshark for data capture, you can still leverage its dynamic set of filters to home in on the exact set of information you’re interested in. One filter feature that distinguishes Wireshark from the pack is its ability to follow a stream of data. For example, if you want to view only the Google IP address, you can right-click and select “Follow” and then “TCP Stream” to view the entire conversation. In addition to its filtration capabilities, Wireshark is widely respected for its rich VoIP analysis, gzip decompression, live data readings from Ethernet sniffing, and decryption support for a variety of protocols, including IPsec, WPA and WPA2, and SNMPv3. Nevertheless, the learning curve for Wireshark is steep, as it’s not as intuitive as other packet sniffers.
While Telerik Fiddler technically isn’t a packet sniffer or network analyzer, it is a useful http sniffer known for its desktop debugging capabilities. Unlike other tools and browser functions, Fiddler captures both browser traffic and any HTTP traffic on the desktop, including traffic from non-web applications. This is key due to the sheer volume of desktop applications using HTTP to connect to web services.
While tools like tcpdump and Wireshark can capture this type of traffic, they can only do so at the packet level. To analyze this information with tcpdump or Wireshark would require the reconstruction of those packets into HTTP streams, a time-consuming endeavor. Fiddler makes web sniffing easy and can help discover cookies, certificates, and payload data coming in or out of applications. You can even use the tool for performance testing to improve the end-user experience. Simply leverage Fiddler’s API response analysis and you’ll be able to determine which part of the response contains a bottleneck, allowing you to quickly diffuse the issue.
Fiddler is a free tool designed for Windows. However, beta builds for OS X and Linux (using the Mono framework) can be downloaded.
NETRESEC NetworkMiner is an open-source network forensic analysis tool (NFAT) that can be leveraged as a network sniffer and packet capture tool to detect operating systems, sessions, hostnames, open ports, and so on, without putting any of its own traffic on the network. Like Wireshark, NetworkMiner can follow a specified TCP stream and reconstruct files sent over the network, giving you access to an entire conversation. This software can also work in offline mode, parsing pcap files for offline analysis and regenerating/reassembling transmitted files and certificates from pcap files. Simply use tcpdump to capture the packets of your choosing and import the files into NetworkMiner for analysis.
NetworkMiner was designed for Windows, but it can be run on any operating system with a Mono framework. While a free version is available, a professional license is required to use the tool’s more advanced features, including IP-based geolocation, custom scripting, and the ability to decode and play back VoIP calls.
Capsa, developed by Colasoft, is a Windows packet capture tool boasting free, standard, and enterprise editions. The free version is designed for Ethernet sniffing and can monitor 10 IP addresses and approximately 300 protocols. While the free version is fairly limited in scope, it offers some graphical analysis of the network traffic it captures and can even be used to set alerts. It’s best suited for those who want to dip their toes into network monitoring and learn how to pinpoint network problems and enhance network security.
Capsa Standard is designed with small and budget-strapped teams in mind. It helps sysadmins troubleshoot network problems by monitoring traffic transmitted over a local host and a local network. Capsa Standard provides advanced network protocol analysis of more than 1,000 protocols and network applications and can monitor 50 IP addresses. Through the platform’s in-depth packet decoding, all network traffic collected is displayed in hex, ASCII, and EBCDIC. You can also view real-time data as well as perform historical analysis to help stop a performance problem in its tracks and prevent recurring issues from disrupting the end-user experience.
The most robust of the bunch is Capsa Enterprise, which, despite its name, is suited for small and large businesses alike. Capsa Enterprise performs network monitoring, troubleshooting, and analysis for both wired and wireless networks, making it a comprehensive option for identifying and diagnosing network issues. It can monitor an unlimited number of IP addresses and identify and analyze 1,500 protocols and sub-protocols, including VoIP, as well as network applications based on the protocol analysis. But what truly makes the Enterprise edition stand out is its user-friendly dashboard and the extensive statistics it provides for each host and its accompanying traffic.
While packet sniffing products abound, finding the best fit for your company comes down to your own skill level and needs. My preferred packet sniffing software is Network Performance Monitor. This comprehensive tool offers in-depth network sniffing capabilities as well as a myriad of other features to help you quickly and efficiently identify the cause of bottlenecks, downtime, and more, all at a reasonable price point. Whether you’re an IT veteran working for a major corporation or a new sysadmin at a small organization, SolarWinds NPM can be tailored to fit your unique needs.
Whether you’re a small nonprofit or a major corporation, patch management must be incorporated into your IT team’s strategy to repair vulnerabilities that, if left unattended, can allow attackers to strike and put your entire system in jeopardy. Here’s my list of the best free options on the market.
Your company relies on hundreds of printers, computers, phones, software, and more to operate successfully on a day-to-day basis. Managing the health, inventory, and contractual agreements associated with each of these devices is no easy task. Here’s my list of the best IT asset management software, designed to help you consolidate your assets, remain compliant, and boost security.