Sniffin' the Ether v2.0

I. Introduction

A long time ago I wrote the first incarnation of this document. I was aiming at something that would  explain sniffers and sniffer technology to people who are not all that familiar with security (i.e. newbies) as well as providing a accessible reference to more experienced individuals.

I think that I've stricken a good balance judging from all of the emails that I received (including a few from some kiddies that were clearly running sniffers on networks other than theirs).

As time went on, more and more unique and interesting things were being done with sniffers. I intended on revising this document to reflect these new changes but I have used every excuse in the book to put off this revision.

A quick note: You (the reader) will no doubtfully realize that there is no flow to this article. The reason for this is because like I stated in the above that one of the goals is to also act as a reference for a more experienced person so by keeping it modular provides the reader with the ability to read a specific section without having to refer to another for background reference.

I. Introduction
II. What is a Sniffer?
III. What Type of an Attack is it?
IV. What a Sniffer is Good For
V. Different Types of Sniffers
VI. Sniffer Construction
VII. Popular Sniffers
VIII. Detection & Prevention
IX. Making Sniffers Hard to Detect
X. How to Beat Sniffers
XI. OS Fingerprinting
XII. War Driving
XIII. Carnivore
XIV. Switch Sniffing
XV. Resources
XIV. In Closing

II. What is a Sniffer?

A sniffer is a program that puts a NIC (Network Interface Card), also known as an Ethernet card, (one of the necessary pieces of hardware to physically connect computers together) into what is known as promiscuous mode. Once the network card is set to this mode, it will give the sniffer program the ability to capture packets being transmitted over the network. (A quick note: packets are transmitted over the network until they reach their target host. A sniffer takes advantage of this and captures ALL packets as they are being transmitted). Some sniffers go about different ways of capturing packets and this will be described later on in the article.

                      friend           bad              dest 
                       comp            guy              comp
                        |               |                 |
     your comp    -----------------------------------------
                  > > > ^ > > > > > > > ^ > > > > > > > > ^
A standard packet will travel from "your comp" through the network. Each computer on the network will receive that packet. Starting with "friend comp", followed by "bad guy" and ending up at "dest comp." Each machine is supposed to ignore the packet if it is not destined for the IP address assigned to that computer. However, a sniffer program bends that etiquette and accepts ANY packet it receives. A sniffer is also known as a network analyzer. There is no real difference between a network analyzer or a sniffer but security companies and the Federal government like this name because it sounds more legitimate and less threatening. The original term for capturing all packets on a network was called 'Sniffing the Ether' which sounded like something bad to people not familiar to computers and ethernet. 'Ether' was a technology term used to describe the land of packets, made up of cables and network cards and should not be confused with the chemical ethyl oxide.

III. What Type of an Attack is it?

A sniffer being used on a network to snoop passwords and anything else is considered to be a passive attack. A passive attack is one that doesn't directly intrude onto a foreign network or computer. Using a sniffer as an example, one is set up in hopes of catching desired information including logins and passwords. On the other hand, an active attack directly interfaces with a remote machine. Remote buffer overflows, network floods and other similar attacks fall under the category of an active attack . By nature, passive attacks are not meant to be discovered by the person(s) being attacked. At no point should they have indication of your activity. This makes sniffers just as serious as any active attack.

IV. What a Sniffer is Good For

Sniffers are multifaceted. They are part of any good sysadmin administrator's, network administrator's, hacker's toolbox. With a sniffer, one can sniff a network for passwords, emails, confidential documents, and whatever else might be flying around unencrypted on the given network. You can also map out a network and establish a understanding of what the network is compromised of (workstations, servers, routers, switches, network appliances, etc.). Points of trust can also be discovered this way. Trust within the scope of a network is that some machines are setup to "trust" other computers to share resources. Therefore if you are able to gain access to a trusted box, you can abuse that trust and use it as a springboard into the rest of the network. By sniffing traffic on hosts close to the target machine, the likelihood of gaining the vital information needed are increased.

The above paragraph outlines the use of a sniffer which one could only assume is illegal. This is true but if you happen to have a security position (like a security consultant or a in-house pen tester), or someone that is doing this to their own network, it is perfectly legal.

Some more legal ways that sniffers can benefit the people that use them are things like network mapping. Even though this method was described as a way exploit a target network, an administrator can map out a network to update old maps, discover any new systems that might be rogue, use in conjunction with another software suite to act as a IDS (think Shadow), to identify any bottlenecks on the network, as well as a few other useful things.

V. Different Types of Sniffers

Most of the more popular sniffers only monitor one connection at a time. The reason for this is to make the sniffer harder to detect due to smaller logs and less use of CPU power. A small number of sniffers monitor all connections. Often times, looking at the CPU load and file system are the only ways to detect such sniffers. Intruders are often quick to backdoor systems so that normal utilities like ps and ifconfig will not provide reliable output. If you notice your CPU load is higher than normal, or that every day you lose one more meg of disk space that can't be explained, it may point to the presence of a sniffer. This type is easier to spot because their logs will be much larger, they will eat up much more CPU, but in return it will log much more. On large networks, these sniffers may generate up to ten megabyte logs a day if set to log all interactive traffic. Sniffers designed to monitor interactive traffic as well as mail may grow even faster. Sniffers also have different methods of logging. Some sniffers will only record the first X (X being a certain number) bytes of a packet to capture a login/password. The other method will capture the entire session, which would make it into a key logger. Some of the more versatile sniffers will support both methods. These will vary depending on the intruder and the desired end result.

VI. Sniffer Construction

If you are interested in more details on how a sniffer works, there is an excellent two-part paper by Chad Renfro. He details the basic elements of programming a sniffer which requires a working knowledge of the C programming language. If you understand Renfro's article well, you should advance on to studying the source code of sniffers (such as esniff.c).

VII. Popular Sniffers

There are sniffers that are considered to be primarily 'hacker' tools while the rest of them are considered to be system administration tools. If you are looking for a sniffer to put into a production environment then you are going to want to find a sniffer that is actively in production and is rather mature in its evolution such as tcpdump, ethereal, and snort.

The following is a list with a synopsis of various sniffers available. I will only list sniffers that are open source and for free  . This is not a complete list but still is a comprehensive one.

This sniffer was put out by the ADM group. It was authored by antilove with help from plaguez. The purpose of ADMsniff is supposed to be "portable and powerful."

Aldebaran was created by its author after no other sniffer was able to meet his needs. The author got the name Aldebaran after finding it on a Enya CD. This sniffer is interesting in the regard that it can operate in a distributed fashion: an included program (boadicea) in the software suite can collect data collected captured from various aldebaran sniffers. The sniffer also has encryption capabilities as well as a kernel module based off of the Adore module to hide the sniffer.

Altivore is a sniffer with just under 1800 lines of C code meant to be a replacement for the FBI's Carnivore (Now renamed to DCS1000). It could still stand to have much more improvement. None the less, this makes for some for a good starting point to learn about sniffers in general as well as the behavior of programs like Carnivore.

Anger was authored by Aleph One. This sniffer is not a general purpose sniffer but rather a program that will set out to specifically sniff the challenge/responce portion of a PPTP (Point to Point Tunneling Protocol) and then the captured data can be feed into a password cracker.

Angst is described as a sniffer that "provides methods for aggressive sniffing" by its author Patrok Argyroudis. Angst has the ability to sniff a switched network. This is a rather new technique and will be described in a later section of this document.

APS (Advanced Packet Sniffer) was written by Christian Schulte. He wrote it in an attempt to better understand various popular protocols.

This is the king of the hill of all sniffers. Dsniff is very well developed by Doug Song and is mature in its development. This suite of programs sport functionality for general sniffing, arp spoofing, dns spoofing, switch sniffing, and a plethora of other unique and amusing capabilities.

Etherape bills itself as a network traffic browser. It is a etherman clone that uses GNOME for its display interface.

Ethereal is obviously one of the best of breed sniffers out there. It is being developed as a free commercial strength sniffer. It has many features, a good interface, the support of a copious amount of popular protocols, and it is actively being developed and maintained. This is a sniffer you may want to use if you are searching for one to put into a production environment.

Ettercap is probably the best sniffer out there targeted for sniffing switched networks. It has a ncurses interface and the ability to collect passwords, inject characters, sniff traffic traversing a GRE (Generic Routing Encryption), and a few more things. Be sure to check this one out because it is one of the better pieces of software floating out there on the Net.

Ksniffer, as its name implies, is a  sniffer is designed for the KDE environment. If you are someone that is fond of KDE then this sniffer should be able to please you.

Maxty, coded by IhaQueR, is a sniffer designed to reside in kernel-space and sniff tty sessions. This is another sniffer whose purpose is a specific one.

Netdude is essentially a advance filter for tcpdump. When a log is produced by tcpdump using the -t option, you can then feed that log into Netdude and enjoy a nice GUI (Graphical User Interface) to inspect the network dump.

Netl is a more fully featured sniffer that sports a rather nice logging capabilities and a customizable and modular architecture. This would be ideal for an individual who is looking to experiment with sniffer code but does not want to code one from scratch.

Written by Tim Potter, NetPacket is a collection of Perl modules that aid in the disassembling of popular protocols as well as Ethernet frames. Any Perl monger should look into this.

Ngrep stands for Network Grep. This sniffer has the unique (and very useful) ability to 'grep' (if you don't know what grep is, it is a Unix command. For more information on it, issue the command 'man grep' ) network traffic with specified regular expressions. This was authored by Jordan Ritter and is one of the better sinffers out there so be sure to check this one out.

Ntop, coded by Luca Deri, is designed to act like the top command(type 'man top' on a *nix system for more information) on a given network to provide network information and statistics. There have been reports that this program does not perform very well on a active network.

This was written by the famous van Hauser of the THC. This is another sniffer that is designed for snifing switches. This would be a good starting place for someone who wants to study code to learn the ins and outs of switch sniffing.

Written by Crain Smith as proof-of-concept code to demonstrate the theory that utilizing passive sniffing, someone can then use the collected data to determine what OSs are available on the network just by identifying various OS specific idiosyncrasies in packet headers.

This is a module written in Python that interfaces with libpcap.  If you are a Python coder, you might want to give this one a look. Pylibpcap was written by AAron L. Rhodes

This is another sniffer designed to perform passive OS fingerprinting. This was authored by bind and aempirei. If my memory serves me correct, this was the first passive OS fingerprinter made available on the internet.

This is describes as a "simple ARP sniffer." This is another sniffer that enables the user to do some sniffing on a switched network. This was written by IhaQueR.

This sniffer is written by Marko Zivanovic, is described as a "script-driven network traffic monitoring tool", and has a generic name.

Coded by Brecht Claerhout, Sniffit was intended to ""demonstrate the unsafeness of TCP." This sniffer is not actively developed or maintained but the code is still very good and would make for good studying for those wishing to learn more about sniffers as well as how to use libpcap.

Snmpsniff is another specific sniffer designed to be a SNMP PDU sniffer. Snmpsniff was authored by Nuno Leitao. There is no support for SNMP v3 only v1 and v2.

Ah, Snort. This is a piece of software that I can not begin to do justice for. It is a LIDS (lightweight Intrusion Detection System). Snort captures the entire packet: all the header information as well as the payload. This is definitely one of the better sniffers out there. It is very well developed and maintained. It has a huge following and is regarded by many as the best IDS out there.  Snort is something that you have to become familiar with if you are interested in sniffers or security in general.

Sosd is yet another sniffer designed to be a passive OS identifier.

SSLdump is a another specific sniffer whose purpose is to sniff SSLv3/TLS packets. A note worthy feature is that in the readme file, it says that if you link ssldump with OpenSSL, you can dump certificates in decoded form.

Well here is another sniffer that has earned the title of being one of the best. This sniffer is very mature and well maintained. It is very easy to use a filter on. There are many great features. This is something that you have to get if you are interested in sniffers and/or general security.

VIII. Detection & Prevention

If you are in charge of a network's security, you are going to need to check if someone has installed a sniffer somewhere on the network that is not supposed to be there. The first way to do this is to get a small C program called promisc.c. When compiled, it will search your local machine for any NICs in promiscuous mode (which was briefly discussed at the beginning of this text). The C program, neped.c, will do remote checking for any sniffing activity however it will compile on Linux only. To search by hand, issue the command 'ifconfig -a' if you are on a *nix. Look for any of your network interfaces bearing the PROMISC flag. The L0pht has put out a very good piece of ware called AntiSniff. So far, it is still in beta and runs on Win9* but was made with NT in mind. The L0pht is planning to release an open source command-line version for Linux. But if you want a Linux program now that will do the same type of searching, check out neped.c. Sentinel is another good contender by trying to detect all publicly known methods to hide a promisc sniffer on a network. These tools are designed to remotely detect sniffers on other hosts within the same subnet. While not foolproof, they are excellent tools and often quite reliable. For the prevention of unauthorized sniffing, you should use strong cryptography, (you should be using strong crypto no matter what!), so even if someone does sniff you, you are not at much risk from this form of attack. When you originally designed your LAN, you should of had security in mind anyway. I am not going to go into secure LAN and segmentation design because it is another text all together however these are a couple of methods to help you out. You should search the net and various security sites (as well as using you brain) to help better the security of your network.

IX. Making Sniffers Hard to Detect

There is a method to help make it more difficult to detect a sniffer on a network. For this to work, you have to deploy two NICs in on computer. For the first NIC, configure the interface with the address of This will allow the sniffer to monitor traffic but to not be detected. But there is still the issue of messages and alerts which will be handed off from the card the sniffer is on to another card to finish being delivered. The second card has a regular address but is not in promiscuous mode so it will be very hard for someone to detect this type of setup.

X. How to Beat Sniffers

I am not going to get into this because Horizon put out an awesome article in Phrack issue 54 (file 10) so go and study it. His paper outlines many methods and tricks for beating sniffers.

XI. OS Fingerprinting
Passive sniffing has recently been utilized in a unique way that it allows the fingerprinting of a OS (Operating System) on a given host. How this is accomplished is that each OS (and their respective distributions and versions) have various idiosyncrasies in their implementation of a TCP stack (see rfc798). Armed with this knowledge, someone can study the information in a packet header, record the various fields and then label it the OS that the packet came from. You now have a fingerprint of that OS.

What passive sniffing does is it looks at whatever packets it captures off of the network and tries to match up the packet header information with a known OS fingerprint located in a database.

This is a surreptitious way to learn what OS is residing on what host. The more conventional way to do fingerprinting is to actually send packets to the target host(s) and see what you get back. This type of fingerprinting is accomplished with the aid of such tools like nmap and queso.

Some of the tools that  can do passive OS fingerprint are mention above in section VII: passfing, siphon, sosd.

XII. War Driving
War driving is new and extremely popular. War driving is a variation of war dialing where instead of someone calling a list of numbers recording anything interesting, you drive around with a laptop with a wireless NIC, possibly with a high gain antenna for even greater range, looking for any wireless networks that are available.

A lot of wireless networks to not enable native security mechanisms on their AP (Note: An AP is a Access Point which is basically like a hub or a switch for wireless networks that has a antena to provide coverage for a specific area). The native security on APs is something called WEP or Wired Equivalent Protocol. WEP is very, very broken. When war driving, if you encounter a network that uses WEP, you can easily bypass the security because when you put your wireless NIC  in to a promiscuous mode, you can capture vital information you need to crack WEP.  Some things you can grab are SSIDs and if you collect enough information,  you can actually crack the WEP encryption.

Since so many wireless networks are not properly secured (even if you enable security, you are still not secure), you can use your wireless NIC to capture any packets that are flying around. This yields all kinds of things like account names and passwords, company info, information about the network, email messages, as well as providing a means of possibly accessing the internet with a high connection rate.

There are many sites on the net that are devoted to war driving. If this type of thing interests you then I recommend that you search google for things like WEP, war driving, etc.

Some tools that are of interest are:
FreeBsd war driving

XIII. Carnivore
Carnivore is the code name for the FBI's sniffer. It was later renamed to DCS100 in an attempt to obscure its image and to calm the public's fear of its misuse. Its purpose is to monitor a suspects email correspondence.

When a Carnivore is installed, federal agents go to the suspect's ISP with a "black box", which is just a dedicated server with all of the FBI's preloaded Carnivore software running on a MS OS, it is placed right on the ISP's trunk so it would be impossible for any data to not pass through the box. It then reads the header information looking for any email coming or going to the suspect.

The real controversy with Carnivore is how it handles network traffic: It reads all packet headers until it finds one it likes. This rises questions like what's stopping the FBI from intercepting traffic it has no authority to do so. People would be more comfortable if the FBI's program could only look at the targeted suspect's email rather than everyone's.  Another thing worth mentioning is that after 9/11, it was reported that the FBI arrived at numerous ISP with Carnivore boxes wishing to install them.

Some sites that are useful for finding out more information on Carnivore are:
Cryptome This is the best place to go.
The FBI's web site This has some more useful documents.
AntiOffline's Circumventing Carnivore

XIV. Switch Sniffing
When I wrote the first incarnation of this document, I received quite a few emails from admins and a few others asking if their switches are susceptible to being sniffed. The answer is probably yes.

I should first start by explaining the difference between a hub and a switch: A hub is a device that allows you to connect multiple hosts over a shared medium. When a host sends out data, the data travels into the hub and then the hub blindly forwards the data to all connected hosts. The host that the data was meant for will recognize it's MAC address in the packet headers and then accept it. A switch on the other hand will receive data from a host and inspect the packet looking for a MAC address for its destination. The switch will have a list that contains MAC address with the corresponding ports on the switch the host is connected to. It will then forward that packet to the specified port. If you don't quite understand why this complicates the process of sniffing a switch, please refer to section II.

I should also mention a little about collision domains. A collision domain is the space provided on a switch or a hub for data transfer. A hub has only one collision domain for which all traffic will traverse. This is a messy method because it allows for sniffing and other things like bandwidth hogging. A switch make use of better technology by setting up with could be thought of as a pipe between a host that is trying to make a connection and the host who is receiving the connection. That pipe is a dedicated collision domain for that connection. Any data that is sent will only travel through the pipe and will not be visible to anyone else. The collision domain will also provide a definite amount of bandwidth for the connection rather than a shared amount like on a hub.

The price of switches have dramatically fallen so there is no excuse to not replace hubs with switches or to choose a hub over a switch when you purchase networking equipment. Keep in mind that some of the more costly switches are endowed with better technology and are resistant to being sniffed.

There are methods of defeating switches but this is contingent upon on how a switch operates. One of the more interesting way to accomplish this feat is a method called MAC flooding. When you send too much MAC information, some switches will get "confused" and will revert to a hub mode which will make the switch act just like a hub: one shared collision domain and blind forwarding of all packets to all connected hosts.

I am going to start a database on my website which will have a detailed list of switches and whether or not they are capable. The success of this database will be placed on people (admins, hackers, etc.) whom have access to a switch or switches, determine if it can or cannot be sniffed, and are willing to contribute that information. Please visit my site for further information.

Some resources that can help you out are some switches mentioned in section VII like dsniff, ettercap, and parasite. There are also more detailed accounts of switch sniffing available on the net. Google is a good place to start (as always) as well as:
The Dsniff FAQ
Why Your Switched Network Isn't Secure

XV. Resources

Security tool depositories like and are always a good starting place when you are in search of sniffers or anything else security related. For interesting dumps of network traffic, go to The Honey Project; the site has loads of logs that show intrusion attempts and would be a great place for someone to get aquatinted to reading logs and knowing what to look for.

XVI. In Closing

I hope that I have done a good enough educating some of you newbies reading this as well as making a decent point-of-reference for the more experienced that may stumble upon this.

Written by: Alaric (
Copyright © 1999, 2002 Alaric