What Is a Network Sniffer?

Both admins and hackers can use packet sniffing apps


Network sniffing is the use of a tool that monitors, or sniffs, the data flowing over computer network links in real time. The sniffer can be a self-contained program running on an ordinary computer, or a dedicated hardware appliance with its own software or firmware.

Network sniffers copy the data flowing over a network without redirecting or altering it. Some sniffers decode only TCP/IP packets, but the more sophisticated tools understand many other network protocols and work at lower levels too, including raw Ethernet frames.

Years ago, sniffers were tools used exclusively by professional network engineers. Nowadays, however, with software available for free on the web, they are also popular with internet hackers and people just curious about networking.

Network sniffers are sometimes referred to as network probes, wireless sniffers, Ethernet sniffers, packet sniffers, packet analyzers, or simply snoops.

What Packet Analyzers Are Used For

There's a wide range of applications for packet sniffers. Most packet sniffers can be used inappropriately by one person and for legitimate reasons by another.

A program that can capture passwords, for example, could be used by a hacker, but the same tool might be used by a network administrator to measure which hosts and protocols are consuming bandwidth or to spot retransmissions and errors.

Network sniffing is also useful for verifying that firewall rules or web filters really block what they are supposed to, and for troubleshooting client/server communication by looking at the actual messages exchanged.

How Network Sniffing Works


A packet sniffer sees whatever data reaches the network link it is attached to. On a shared medium, such as an old Ethernet hub or an open Wi-Fi network, that is everyone's traffic. On a modern switched LAN, the switch forwards each frame only to the port where its destination lives, so a sniffer on an ordinary port sees its own host's traffic plus broadcast and multicast frames, and nothing else, unless it is fed by a mirror (SPAN) port or a network tap.

On a Local Area Network (LAN), computers communicate directly with other computers and devices on the same network. Every frame carries a destination hardware (MAC) address, and a normal network interface accepts only frames addressed to its own MAC address or to a broadcast or multicast address; everything else is discarded by the card before the operating system ever sees it.

Network sniffing software gets at all of that traffic by putting the computer's Network Interface Card (NIC) into promiscuous mode (monitor mode on Wi-Fi), so that every frame reaching the interface is passed up to the software instead of being dropped. The software then reads in all of that data and performs analysis or data extraction on it.

Once it receives network data, the software can perform all of the following actions on it.

  • The contents of individual packets (sections of network data) are recorded, usually to a capture file.
  • Some software records only the header section of each packet, using a capture length (snaplen) shorter than the frame, to save space.
  • Captured network data is decoded from raw bytes into a format where the user of the software can read the fields of each protocol.
  • Packet sniffers can analyze errors in network communication, troubleshoot network connections, and even reconstruct entire data streams intended for other computers.
  • Some network sniffing software can even pull out sensitive information such as passwords, PINs, and other private data, whenever that data was sent without encryption.

How to Thwart Network Sniffing Tools

If you're concerned about network sniffing software spying on network traffic coming from your computer, there are ways to protect yourself.

There are legitimate reasons someone may need to use sniffer software, such as when a network administrator monitors traffic flow on their own network.

When network administrators are concerned about nefarious use of these tools on their network, they can run anti-sniffer scans, which try to detect hosts whose interfaces have been left in promiscuous mode. These scans are a useful signal but not a guarantee: a passive tap, or a host that answers no probes at all, is invisible to them, so a well-run corporate network relies on segmentation and encryption as well. That makes casual sniffing on a managed corporate network harder, though not impossible.

However, when one considers how easy it is to obtain and use sniffer software for malicious reasons, its illegitimate use against your internet use from home is a cause for concern. It is also easy for someone with physical access to plug such software, or a small capture device, into a corporate network.

If you want to protect yourself from someone spying on your internet traffic, encryption is the answer: use sites and services that speak HTTPS or another TLS-protected protocol, and on networks you don't trust, a VPN that encrypts everything leaving your computer. A sniffer can still see which servers you talk to and how much you send, but not what you send.

Network Sniffer Tools


Wireshark (formerly known as Ethereal) is widely recognized as the world's most popular network sniffer. It's a free, open source application that displays traffic data with color coding to indicate which protocol was used to transmit it.

On Ethernet networks, its user interface displays individual frames in a numbered list and highlights by separate colors whether they are sent through TCP, UDP, or other protocols.

Wireshark also groups together the message streams sent back and forth between a source and destination (which are normally intermixed over time with traffic from other conversations); its Follow TCP Stream feature shows one conversation's payload as a single readable exchange.

Wireshark supports traffic captures through a start/stop push button interface. It also offers two kinds of filters: capture filters, which decide what gets recorded at all, and display filters, which limit what is shown from a capture. That's a critical feature, since traffic on most networks contains many different kinds of routine control messages that are usually not of interest.
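To make the capture, truncate, decode, filter and follow-the-stream steps described in the "How Network Sniffing Works" list and in the Wireshark paragraphs above concrete, here is a small offline decoder written for this article as an added example; it is not Wireshark's code and did not come from the original page. It parses constructed Ethernet/IPv4/TCP frames (assembled inline, never captured from a real network), applies a header-only capture length the way a snaplen does, applies a simple display filter, and reassembles each conversation's payload the way Follow TCP Stream does. The helper names (build_tcp_frame, decode_frame, capture, tcp_port, follow_streams) and the addresses in the sample frames are this example's own assumptions.

```python
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
HEADERS_ONLY = 14 + 20 + 20   # Ethernet + minimal IPv4 + minimal TCP header (snaplen)


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet/IPv4/TCP frame for decoding practice. Checksums are
    left as 0 because these constructed bytes are never put on a wire."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample "capture": a plaintext HTTP login, one encrypted TLS
# application-data record, and one ARP broadcast. None of it is real traffic.
SAMPLE_FRAMES = [
    build_tcp_frame("aabbccddee01", "aabbccddee02", "10.0.0.5", "10.0.0.80", 40001, 80,
                    b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nuser=bob&pass=hunter2"),
    build_tcp_frame("aabbccddee02", "aabbccddee01", "10.0.0.80", "10.0.0.5", 80, 40001,
                    b"HTTP/1.1 302 Found\r\n\r\n"),
    build_tcp_frame("aabbccddee03", "aabbccddee02", "10.0.0.9", "10.0.0.80", 40002, 443,
                    b"\x17\x03\x03\x00\x04\x9a\x1f\xc4\x07"),   # TLS: opaque to a sniffer
    bytes.fromhex("ffffffffffff" "aabbccddee01" "0806") + bytes(28),   # ARP request
]


def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers into a dict. Non-IPv4 frames are
    reported by ethertype only; a truncated frame decodes as far as its bytes go."""
    if len(frame) < 14:
        return None
    rec = {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
           "ethertype": struct.unpack("!H", frame[12:14])[0],
           "proto": "other", "payload": b""}
    if rec["ethertype"] != ETHERTYPE_IPV4 or len(frame) < 34:
        return rec
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20:
        return rec                       # malformed header length; stop decoding here
    rec["src_ip"] = ".".join(str(b) for b in ip[12:16])
    rec["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if ip[9] == IPPROTO_TCP and len(l4) >= 20:
        rec["proto"] = "TCP"
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[(l4[12] >> 4) * 4:]   # data offset field is in 32-bit words
    elif ip[9] == IPPROTO_UDP and len(l4) >= 8:
        rec["proto"] = "UDP"
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[8:]
    return rec


def capture(frames, snaplen=None, keep=lambda rec: True):
    """One capture pass: truncate each frame to snaplen (HEADERS_ONLY gives a
    header-only capture), decode it, and keep it only if the filter says so."""
    records = []
    for frame in frames:
        rec = decode_frame(frame[:snaplen] if snaplen else frame)
        if rec is not None and keep(rec):
            records.append(rec)
    return records


def tcp_port(port):
    """Display filter equivalent to Wireshark's 'tcp.port == <port>'."""
    return lambda rec: rec["proto"] == "TCP" and port in (rec["sport"], rec["dport"])


def conversation_key(rec):
    """Direction-independent key so both halves of a flow land in the same bucket."""
    ends = sorted([(rec["src_ip"], rec["sport"]), (rec["dst_ip"], rec["dport"])])
    return (rec["proto"], ends[0], ends[1])


def follow_streams(records):
    """Reassemble each conversation's payload in capture order (Follow TCP Stream)."""
    streams = defaultdict(bytes)
    for rec in records:
        if rec["proto"] in ("TCP", "UDP"):
            streams[conversation_key(rec)] += rec["payload"]
    return dict(streams)


if __name__ == "__main__":
    for rec in capture(SAMPLE_FRAMES):
        print(rec["proto"], rec.get("src_ip", rec["src_mac"]), "->",
              rec.get("dst_ip", rec["dst_mac"]), len(rec["payload"]), "payload bytes")
    for key, data in follow_streams(capture(SAMPLE_FRAMES, keep=tcp_port(80))).items():
        print(key, data)
```

Running it with the default (full-frame) capture exposes the plaintext password from the HTTP conversation, while the port-443 stream yields only the opaque TLS bytes; capturing with snaplen=HEADERS_ONLY keeps the addresses and ports but no payload at all, which is exactly the trade-off a header-only capture makes.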

Many different probing software applications have been developed over the years. Here are just a few examples:

Some of these tools are free, while others are paid or offer a free trial. Also, some of these programs are no longer maintained or updated, but they're still available for download.

Issues with Network Sniffers

Sniffer tools offer a great way to learn how network protocols work. However, they also provide easy access to private information such as network passwords sent in the clear. Get permission from the network's owner before using a sniffer on a network that isn't yours.

Network probes can only intercept data from networks their host computer is attached to, and on a switched network an ordinary port delivers only the traffic addressed to that particular network interface, plus broadcasts. In any case, the most important thing to remember is that anyone looking to use a network sniffer to spy on traffic will have a much harder time doing so if that traffic is encrypted: they can still see who is talking to whom, but not what is being said.