What Is a Network Sniffer?

Both admins and hackers can use packet sniffing apps

Network sniffing is the use of a software tool, called a network sniffer, that monitors or sniffs the data flowing over computer network links in real time. This software tool is either a self-contained software program or a hardware device with the appropriate software or firmware.

What is a Network Sniffer?

Network sniffers take snapshot copies of the data flowing over a network without redirecting or altering it. Some sniffers work only with TCP/IP packets, but the more sophisticated tools work with many other network protocols and at lower levels, including Ethernet frames.

Years ago, sniffers were tools used exclusively by professional network engineers. Nowadays, however, with software available for free on the web, they are also popular with internet hackers and people who are curious about networking.

Network sniffers are sometimes referred to as network probes, wireless sniffers, Ethernet sniffers, packet sniffers, packet analyzers, or simply snoops.

How Packet Analyzers Are Used

There's a wide range of applications for packet sniffers. Most packet sniffers can be used inappropriately by one person and for legitimate reasons by another.

A program that captures passwords, for example, could be used by a hacker, but the same tool might be used by a network administrator to find network statistics like available bandwidth.

Network sniffing is also used to test firewalls or web filters, and to troubleshoot client/server relationships.

How Network Sniffing Works

A packet sniffer connected to any network intercepts all data flowing over that network.

On a local area network (LAN), computers typically communicate directly with other computers or devices on the network. Anything connected to that network is exposed to all of that traffic. Computers are programmed to ignore all network traffic not intended for them.

Network sniffing software sets the computer's network interface card (NIC) to listen to all of that traffic instead of ignoring what is not addressed to it. The software then reads that data and performs analysis or data extraction on it.

Once it receives network data, the software performs the following actions on it:

  • The contents, or individual packets (sections of network data), are recorded.

  • Some software only records the header section of data packets to save space.

  • Captured network data is decoded and formatted so that the user can view the information.

  • Packet sniffers analyze errors in network communication, troubleshoot network connections, and reconstruct entire datastreams intended for other computers.

  • Some network sniffing software retrieves sensitive information like passwords, PIN numbers, and private information.
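The recording and decoding steps above can be seen in a short Python sketch. This is an added example, not code from any sniffer named in this article: it decodes one constructed Ethernet/IPv4/TCP frame held in memory (no live capture), once in full and once cut to the headers only. The function names, the 54-byte SNAPLEN and the sample addresses are assumptions made for the illustration.

```python
import struct

SNAPLEN = 54  # assumed header-only size: 14 Ethernet + 20 IPv4 + 20 TCP bytes

def build_sample_frame():
    """Constructed sample: Ethernet/IPv4/TCP frame with a plaintext payload."""
    payload = b"GET /index.html HTTP/1.1\r\n"
    eth = bytes.fromhex("020000000002" + "020000000001" + "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6,
                     0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000, 0x50, 0x18,
                      65535, 0, 0)  # checksums left at 0 and not verified
    return eth + ip + tcp + payload

def decode(frame):
    """Decode the captured bytes of one frame into readable header fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_src": src.hex(":"), "eth_dst": dst.hex(":")}
    if ethertype != 0x0800:
        return out  # only IPv4 is decoded in this sketch
    if len(frame) < 34:
        raise ValueError("truncated IPv4 header")
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", frame[16:18])[0]
    out["ip_src"] = ".".join(map(str, frame[26:30]))
    out["ip_dst"] = ".".join(map(str, frame[30:34]))
    if frame[23] != 6:
        return out  # only TCP is decoded in this sketch
    t = 14 + ihl  # offset of the TCP header
    if len(frame) < t + 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    doff = (frame[t + 12] >> 4) * 4  # TCP header length in bytes
    if doff < 20:
        raise ValueError("malformed TCP header")
    out.update(sport=sport, dport=dport,
               wire_payload_len=total_len - ihl - doff,
               captured_payload=frame[t + doff:14 + total_len])
    return out

if __name__ == "__main__":
    frame = build_sample_frame()
    print(decode(frame))            # full capture: headers and payload
    print(decode(frame[:SNAPLEN]))  # header-only capture: payload not recorded
```

The header-only record still shows who talked to whom and how many payload bytes were on the wire, but none of the content.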

How to Thwart Network Sniffer Attacks

If you're concerned about network sniffing software spying on network traffic coming from your computer, there are ways to protect yourself.

There are ethical reasons someone may need to use sniffer software, such as when a network administrator monitors network traffic flow.

When network administrators are concerned about nefarious use of these tools on their network, they use anti-sniff scans to guard against sniffer attacks. This means corporate networks are usually safe.

However, it's easy to obtain and use sniffer software for malicious reasons, which makes its illegitimate use against your home internet a cause for concern. It would be very easy for someone to connect such software even to a corporate computer network.

If you want to protect yourself from someone spying on your internet traffic, use a VPN that encrypts your internet traffic. You can learn all about VPNs, and VPN providers you can use to protect yourself.

Network Sniffer Tools

Wireshark (formerly known as Ethereal) is widely recognized as the world's most popular network sniffer. It's a free, open source application that displays traffic data with color coding to indicate which protocol was used to transmit it.

On Ethernet networks, its user interface displays individual frames in a numbered list and uses separate colors to show whether they were sent through TCP, UDP, or other protocols.

Wireshark also groups message streams sent back and forth between a source and destination (which are intermixed over time with traffic from other conversations).

Wireshark supports traffic captures through a start/stop push button interface. The tool also contains filtering options that limit what data is displayed and included in captures. That's a critical feature since most network traffic contains routine control messages that aren't of interest.

Many different probing software applications have been developed over the years. Here are just a few examples:

Some of these network sniffer tools are free, while others are paid or offer a free trial. Also, some of these programs are no longer maintained or updated, but they're still available for download.

Issues with Network Sniffers

Sniffer tools offer a great way to learn how network protocols work. However, they also provide easy access to some private information such as network passwords. Check with the owners to get permission before using a sniffer on their network.

Network probes only intercept data from networks their host computer is attached to. On some connections, sniffers only capture the traffic addressed to that particular network interface. In any case, the most important thing to remember is that anyone looking to use a network sniffer to spy on traffic will have a difficult time doing so if that traffic is encrypted.