A packet sniffer is usually used to analyze network traffic. A packet sniffer (or simply a “sniffer”) works by configuring the NIC to operate in a mode called “promiscuous” mode. Outside that mode, Ethernet network interface cards normally work in a “filter” mode that ignores all traffic not addressed to them. By working in “promiscuous” mode we allow the capture of ANY frame transmitted on the wire, even if it is not destined for that NIC. With that said, a packet sniffer is actually a wire-tap device that plugs into a computer network and eavesdrops on the network traffic.
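To make the “filter” versus “promiscuous” distinction concrete, here is an added example in Python (not from this article or from any of the tools listed on it). It models the NIC receive filter described above, decodes a constructed Ethernet II / IPv4 / TCP frame the way a sniffer does, and renders the payload as the kind of hex/ASCII view sniffers present. All MAC and IP addresses and the frame bytes are constructed sample values.

```python
import struct

BROADCAST = b"\xff" * 6

def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Model the NIC receive filter. In normal ("filter") mode a frame is only
    passed up if it is addressed to this NIC, to broadcast or to a multicast
    group; in promiscuous mode every frame on the wire is handed to the sniffer."""
    if promiscuous:
        return True
    dst = frame[:6]
    is_multicast = bool(dst[0] & 0x01)  # I/G bit set => group address
    return dst == own_mac or dst == BROADCAST or is_multicast

def decode(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP headers; the rest is application payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:            # only IPv4 is decoded here
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    info.update(src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])), proto=proto)
    if proto != 6:                     # only TCP is decoded here
        return info
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4      # TCP header length in bytes
    info.update(sport=sport, dport=dport, payload=tcp[data_off:])
    return info

def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / printable-ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {asc}")
    return "\n".join(lines)

def build_sample_frame() -> bytes:
    """Constructed frame (not a real capture): checksums are left zero."""
    payload = b"GET / HTTP/1.0\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1,
                     0x4000, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload
```

Calling `nic_accepts` with a MAC other than the frame's destination shows the frame being dropped in filter mode and captured in promiscuous mode; `hexdump(decode(frame)["payload"])` gives the text-protocol view.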
Note: The word “sniffer” is a registered trademark of Network Associates referring to the “Sniffer® Network Analyzer”. However, the term “sniff” is used in many other products (some of which are listed in this document), and the term “sniffer” is more popular in everyday usage than alternatives like “protocol analyzer” or “network analyzer”.
Typical uses of packet sniffer programs include:
- Automatic sifting of clear-text passwords and usernames from the network. Used by hackers/crackers in order to break into systems
- Conversion of data to human readable format so that people can read the traffic
- Fault analysis to discover problems in the network, such as why computer A can’t talk to computer B
- Performance analysis to discover network bottlenecks
- Network intrusion detection in order to discover hackers/crackers
- Network traffic logging, to create logs that hackers can’t break into and erase
You can read more about sniffers on the (old but still relevant) Sniffing (network wiretap, sniffer) FAQ (see link below).
So, what freeware packet sniffers do I use? The answer is simple. I use the one packet sniffer program I am most used to, and the one that gives me the most flexibility for my specific tasks and needs. That means that, usually, I can get along with just one or two programs. I’ve tried to list some of these, but more exist, and if you feel that I left any out, please email me and I’ll upload it to this article.
Microsoft Network Monitor 3.2
Ever since Windows NT 4.0, Microsoft has had a nice (but quite limited) packet sniffer called Network Monitor. Well, the days of the old and limited Netmon are over with the advent of the new generation of Netmon. Microsoft Network Monitor 3.2 is the new version of Netmon, which enables you to capture, view, and analyze network data, and decipher protocols. You can use it to help troubleshoot network problems and applications on the network.
Download Microsoft Network Monitor from here, with both 32-bit and 64-bit versions available.
You can read more about Netmon 3.2 on the Network Monitor Blog.
Wireshark is the world’s foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions. Wireshark is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows.
Note: Wireshark used to be known as Ethereal.
Note: Like many sniffers, Wireshark requires WinPcap, which is included with the download.
You can get the entire Wireshark documentation online here.
IP Sniffer is a suite of IP tools built around a packet sniffer. The sniffer has basic features such as filtering, decoding, replay and parsing.
Some of the IP tools in IP Sniffer are: Bandwidth monitor, Adapter statistics, List and manage ARP entries, resolve IP from/to MAC, ARP scan, Create ARP proxy, send a WAKEUP call, RARP client/server, List and manage routes, enable & disable host as a route, List and manage open ports and attached processes, View network config (interfaces, adapters, parameters), Spoof ARP (and do ARP cache poisoning), Change MAC address, SNMP Get & Set, List interfaces, Switch port mapper, Media Attachment Unit table, Net to media table, network stats, connection table, WINS and DNS query, Whois Query and much more.
Note: Like many sniffers, IP Sniffer requires WinPcap, which is included with the download.
AnalogX PacketMon is a fast and simple to use network monitor. AnalogX PacketMon allows you to capture IP packets that pass through your network interface – whether they originated from the machine on which PacketMon is installed, or from a completely different machine on your network! Once a packet is received, you can use the built-in viewer to examine the header as well as the contents, and you can even export the results into a standard comma-delimited file for importing into your favorite program. As if that’s not enough, PacketMon has a powerful rule system that allows you to narrow down the packets it captures to ensure you get EXACTLY what you’re after, without tons of unrelated information.
Note: Test to see if this tool works in Vista, as the author makes no claims on this issue.
SmartSniff allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as a sequence of conversations between clients and servers. You can view the TCP/IP conversations in ASCII mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP) or as a hex dump (for non-text-based protocols, like DNS).
Note: Like many sniffers, SmartSniff requires WinPcap, which is included with the download.
VisualSniffer is a powerful packet capture tool and protocol analyzer (packet sniffer or IP sniffer) for use with the Microsoft Windows operating system. VisualSniffer 2.0 is available as free software. VisualSniffer can be used by LAN administrators and security professionals for network monitoring, intrusion detection, and network traffic logging. It can also be used by network programmers to check what the program they are developing has sent and received, or by others to get a full picture of the network traffic. For example, parents may want to know what their kids are doing online. If you store important data on your PC, you may need to detect whether your data is being sent out by some “Adware” or “Spyware”. If you are a student, you may want to know how your network is working and the mechanism of each network protocol.
Note: Like many sniffers, VisualSniffer requires WinPcap, which is included with the download.
Do you know more freeware (and I mean 100% free, not adware, “click here to eat me” kind of “freeware” crap)? Email me and I’ll gladly feature them up on the site.