What Is a Network Sniffer?


A network sniffer monitors data flowing over computer network links in real time. It can be a self-contained software program or a hardware device with the appropriate software or firmware programming. Also sometimes called "network probes" or "snoops," sniffers monitor network traffic, taking snapshot copies of the data without redirecting or altering it. Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many other network protocols and at lower levels, including Ethernet frames.

Years ago, sniffers were tools used exclusively by professional network engineers. Nowadays, however, they are also popular with Internet hackers and people just curious about networking. Several sniffer software applications are available on the Web for download.

Features of Network Sniffers

Key characteristics of network sniffers include

  • how many and which specific network protocols they support
  • how easily they present the protocol data so that users can understand it and pick out relevant pieces of information
  • ability to capture snapshots of data and save it to files
  • which operating systems the sniffer runs on

Network Sniffer Tools

Many different sniffer software applications have been developed over the years. Well-known sniffer tools include

  • Wireshark
  • tcpdump (a command-line tool for Linux and other Unix-based operating systems)
  • GlassWire
  • CloudShark
  • Microsoft Message Analyzer (for Windows)

Some tools were popular in the past but are no longer supported by their creators. These include Microsoft Network Monitor (also known as "Bloodhound"), which was replaced by Microsoft Message Analyzer.

Wireshark (formerly known as Ethereal) is widely recognized as the world's most popular network sniffer. It is a free, open source application.

Wireshark displays traffic data with color coding to indicate which protocol was used to transmit it.

For example, on Ethernet networks, its user interface displays individual Ethernet frames in a numbered list and uses separate colors to show whether they are sent through TCP, UDP, or other protocols. It also helps group together message streams being sent back and forth between a source and destination (which are normally intermixed over time with traffic from other conversations).
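
The classification and stream grouping described above can be sketched in a few lines. This is an added example, not Wireshark's code: the function names, the sample frames and the 192.0.2.x addresses are constructed for illustration, and only IPv4 over Ethernet is handled.

```python
import struct
from collections import defaultdict

PROTO_NAMES = {6: "TCP", 17: "UDP"}  # IPv4 protocol numbers

def parse_frame(frame):
    """Classify one Ethernet frame; return (protocol, src_endpoint, dst_endpoint)."""
    ip = frame[14:]                                   # skip 14-byte Ethernet header
    if frame[12:14] != b"\x08\x00" or len(ip) < 20:   # EtherType 0x0800 = IPv4
        return ("OTHER", None, None)
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length in bytes
    frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF   # later fragments carry no ports
    proto = PROTO_NAMES.get(ip[9], "OTHER")
    if proto == "OTHER" or frag or ihl < 20 or len(ip) < ihl + 4:
        return ("OTHER", None, None)                  # includes frames too short to parse
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (proto, (src, sport), (dst, dport))

def conversations(frames):
    """Group frame numbers by conversation, treating both directions as one stream."""
    streams = defaultdict(list)
    for number, frame in enumerate(frames, start=1):
        proto, a, b = parse_frame(frame)
        if a is not None:
            streams[(proto,) + tuple(sorted([a, b]))].append(number)
    return dict(streams)

def build(proto, src, sport, dst, dport):
    """Construct a minimal Ethernet+IPv4 frame for the demo (checksums left zero)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(4)

# Constructed sample capture: two conversations interleaved with an ARP frame.
SAMPLE = [
    build(6, "192.0.2.10", 50000, "192.0.2.20", 80),    # 1: TCP request
    build(17, "192.0.2.10", 53000, "192.0.2.53", 53),   # 2: UDP query
    build(6, "192.0.2.20", 80, "192.0.2.10", 50000),    # 3: TCP reply (same stream as 1)
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),  # 4: ARP, not IPv4
    build(17, "192.0.2.53", 53, "192.0.2.10", 53000),   # 5: UDP reply (same stream as 2)
]

if __name__ == "__main__":
    for n, f in enumerate(SAMPLE, start=1):
        print(n, parse_frame(f))
    print(conversations(SAMPLE))
```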

Wireshark supports traffic captures through a start/stop push button interface. The tool also contains various filtering options that limit what data is displayed and included in captures - a critical feature as traffic on most networks contains many different kinds of routine control messages that are usually not of interest.

Issues with Network Sniffers

Sniffer tools offer a great way to learn how protocols work. However, they also give easy access to some private information such as network passwords. Check with the owners to get permission before using a sniffer on someone else's network.

Sniffers can only intercept data from networks their host computer is attached to. On some connections, sniffers only capture the traffic addressed to that particular network interface. Many Ethernet network interfaces support so-called promiscuous mode, which allows a sniffer to pick up all traffic passing through that network link (even if not addressed directly to the host).