What Is a Network Sniffer?

Both admins and hackers can capture network traffic

A network sniffer is just what it sounds like: a software tool that monitors, or sniffs out, the data flowing over computer network links in real time. It can be a self-contained software program or a hardware device with the appropriate software or firmware.

Network sniffers can take snapshot copies of the data without redirecting or altering it. Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many other network protocols and at lower levels, including Ethernet frames.

Years ago, sniffers were tools used exclusively by professional network engineers. Nowadays, however, with software applications available for free on the web, they are also popular with internet hackers and people just curious about networking.

Note: Network sniffers are sometimes referred to as network probes, wireless sniffers, Ethernet sniffers, packet sniffers, packet analyzers, or simply snoops.

What Packet Analyzers Are Used For

There's a wide range of applications for packet sniffers, but most data-probing tools do not differentiate between a nefarious reason and a harmless, normal one. In other words, most packet sniffers can be used inappropriately by one person and for legitimate reasons by another.

A program that can capture passwords, for example, could be used by a hacker, but the same tool might be used by a network administrator for gathering network statistics such as available bandwidth.

A sniffer might also be useful for testing firewall or web filters, or troubleshooting client/server relationships.

Network Sniffer Tools

Wireshark (formerly known as Ethereal) is widely recognized as the world's most popular network sniffer. It's a free, open-source application that displays traffic data with color coding to indicate which protocol was used to transmit it.

On Ethernet networks, its user interface displays individual frames in a numbered list and highlights by separate colors whether they are sent through TCP, UDP, or other protocols. It also helps group together message streams being sent back and forth between a source and destination (which are normally intermixed over time with traffic from other conversations).

Wireshark supports traffic captures through a start/stop push-button interface. The tool also contains various filtering options that limit what data is displayed and included in captures. That's a critical feature, since traffic on most networks contains many different kinds of routine control messages that are usually not of interest.
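As an added example (not code from this article or from Wireshark), the following Python dissector does in miniature what the two paragraphs above describe: it numbers frames, identifies whether each was sent over TCP or UDP, applies an optional display filter, and groups both directions of a stream into one conversation. The frames are constructed inline for the demo, not taken from a real capture.

```python
import struct
from collections import defaultdict

PROTO_NAMES = {6: "TCP", 17: "UDP"}

def ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))

def build_frame(proto, src, dst, sport, dport):
    """Constructed sample frame: Ethernet II + IPv4 + TCP/UDP header, no payload."""
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00\x08\x00\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ipv4(src), ipv4(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4  # dst MAC, src MAC, EtherType IPv4

def decode_frame(frame):
    """Decode one frame as a sniffer's dissector would; returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto in PROTO_NAMES and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])  # both TCP and UDP start with the ports
    else:
        sport = dport = None
    return {"proto": PROTO_NAMES.get(proto, str(proto)), "src": src, "dst": dst,
            "sport": sport, "dport": dport}

def conversation_key(pkt):
    """Direction-independent key so requests and replies land in the same stream."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + tuple(ends)

def group_conversations(frames, display_filter=None):
    """Number frames like a capture list, apply a filter, and group them into streams."""
    groups = defaultdict(list)
    for number, frame in enumerate(frames, start=1):
        pkt = decode_frame(frame)
        if pkt is None or (display_filter and not display_filter(pkt)):
            continue
        groups[conversation_key(pkt)].append(number)
    return dict(groups)

# Constructed traffic: a TCP exchange on port 443 interleaved with a DNS query/response.
SAMPLE_FRAMES = [
    build_frame(6, "10.0.0.5", "10.0.0.9", 51000, 443),
    build_frame(17, "10.0.0.5", "10.0.0.1", 53001, 53),
    build_frame(6, "10.0.0.9", "10.0.0.5", 443, 51000),
    build_frame(17, "10.0.0.1", "10.0.0.5", 53, 53001),
    build_frame(6, "10.0.0.5", "10.0.0.9", 51000, 443),
]
```

Calling `group_conversations(SAMPLE_FRAMES, lambda p: p["proto"] == "UDP")` keeps only the DNS frames, which is the same effect as a display filter hiding everything else.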

Many different probing software applications have been developed over the years. Here are just a few examples:

Some of these tools are free, while others cost money or offer a free trial. Also, some of these programs are no longer maintained or updated, but they're still available for download.

Issues with Network Sniffers

Sniffer tools offer a great way to learn how protocols work. However, they also give easy access to some private information such as network passwords. Check with the owners to get permission before using a sniffer on someone else's network.

Network probes can only intercept data from networks their host computer is attached to. On some connections, sniffers only capture the traffic addressed to that particular network interface. Many Ethernet network interfaces support so-called promiscuous mode, which allows a sniffer to pick up all traffic passing through that network link (even if it is not addressed directly to the host).