What Are Packet Sniffers and How Do They Work?

Packet sniffing may sound like the latest street drug craze, but it's far from it. Packet sniffers or protocol analyzers are tools that are used by network technicians to diagnose network-related problems. Hackers use packet sniffers for less noble purposes such as spying on network user traffic and collecting passwords.

Packet sniffers come in a couple of different forms. Some packet sniffers used by network technicians are single-purpose dedicated hardware solutions. In contrast, other packet sniffers are software applications that run on standard consumer-grade computers, utilizing the network hardware provided on the host computer to perform packet capture and injection tasks.

Packet sniffers work by intercepting and logging network traffic that they can see via the wired or wireless network interface that the packet sniffing software has access to on its host computer.

On a wired network, the information that can be captured depends on the structure of the network. A packet sniffer might be able to see traffic on an entire network or only a certain segment of it, depending on how the network switches are configured. On wireless networks, packet sniffers can usually capture only one channel at a time unless the host computer has multiple wireless interfaces that allow for multichannel capture.

Once the raw packet data is captured, the packet sniffing software analyzes it and presents it in human-readable form so that the person using the software can make sense of it. The person analyzing the data can view details of the interaction between two or more nodes on the network. Network technicians use this information to determine where a fault lies, such as determining which device failed to respond to a network request.

Hackers use sniffers to eavesdrop on unencrypted data in the packets to see what information is being exchanged between two parties. They can also capture information such as passwords and authentication tokens if they are sent in the clear. Hackers are also known to capture packets for later playback in replay, man-in-the-middle, and packet injection attacks that some systems are vulnerable to.

Like everyone else, network engineers and hackers love free stuff, which is why open source and freeware sniffer software applications are often the tools of choice for packet sniffing tasks. One of the more popular open-source offerings is ​Wireshark, previously known as Ethereal. Use it to sniff your packets in the field, save them to a CAP file, and analyze them later.

If you're a network technician or administrator and you want to see if anyone on your network is using a sniffer tool, check out a tool called Antisniff. It can detect if a network interface on your network has been put into promiscuous mode—don't laugh; that's the actual name for it—which is the required mode for packet capture tasks.

Another way to protect your network traffic from being sniffed is to use encryption such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Encryption doesn't prevent packet sniffers from seeing source and destination information, but it does encrypt the data packet's payload so that all the sniffer sees is encrypted gibberish. Any attempt to modify or inject data into the packets fails because messing with the encrypted data causes errors that are evident when the encrypted information is decrypted at the other end.

Sniffers are great tools for diagnosing down-in-the-weeds network problems. Unfortunately, they are also useful for hacking purposes. It's essential for security professionals to familiarize themselves with these tools so they can see how a hacker might use them on their network.

Although packet sniffers are one of the tools of the trade for network engineers, they are also prevalent in some reputable antivirus software and as the malware in nefarious email attachments.

Packet sniffers can gather almost any type of data. They can record passwords and login information, along with the websites visited by a computer user and what the user viewed while on the site. They can be used by companies to keep track of employee network use and scan incoming traffic for malicious code. In some cases, a packet sniffer can record all traffic on a network.