Network Monitoring and Packet Sniffing Tools
How to Monitor Traffic on the Network
Network monitoring or packet sniffing tools are like many other infosec tools. They can be used for good or evil; it all depends on the intent of the user! Let's see how to capture packets from both wired and wireless networks using free software. I cannot imagine how you could claim to do LAN troubleshooting without capturing packets at times.
At the same time, protocols that move sensitive data as cleartext are commonly used. POP and IMAP carry the user's account name and password in cleartext, and FTP and even TELNET are still used more than you might expect. The bad guy could easily capture user authentication information like the login and password, or other sensitive data such as the complete contents of shared files, copies of every print job submitted, and more.
So, you have to use these to maintain your networks, and you need to realize that the bad guys could use these against you.
There are various categories of network monitoring tools to solve various types of problems:
Capture and analyze in detail all the packets on the wire or in the air with Wireshark. Wireshark is a serious protocol analyzer. And it's free!
Show general characteristics of the network traffic with ntop or EtherApe.
Only show counts of packets to/from the host itself with
Packetstorm has a nice archive of network monitoring tools.
LAN Monitoring Tools
LAN Monitoring Software
Wireshark, formerly called Ethereal, is really the very best tool short of a dedicated piece of hardware costing a few thousand dollars. Get it from wireshark.org.
My biggest warning about Wireshark is that new users will find it difficult to build filter strings. Note that Wireshark uses the same filter syntax as tcpdump in some contexts, and that syntax is well documented on the tcpdump manual page. Also check out the books on packet analysis with Wireshark.
Another issue is that Wireshark can be difficult to build from source.
ntop is included with Linux and BSD, and can be added to other operating systems. It shows the general characteristics of traffic on the network, showing the packet and byte rate broken out by application layer protocols.
EtherApe is another tool to characterize general traffic. It's a graphical network monitor for Unix-family operating systems. Hosts and links change in size with traffic, and protocols are color coded in the display. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.
is a console-based network statistics utility. It shows you counts of packets to/from the host broken out by protocol type and TCP/UDP ports.
shows you the current top traffic flows by
Other classic tools include SniffIt, solsniff (for Solaris), and Snoop (comes with Solaris). If you capture traffic with snoop, you can use Wireshark to decode and display it. But why not just use Wireshark?
Other tools include ETHDUMP to capture packets, then ETHLOAD to load them up and browse through the capture.
Hardware Network Testing and Monitoring Tools
Fluke and Netscout have fantastic lines of tools. Cisco Stealthwatch Enterprise is a very nice product.
Wireless LAN/WAN Monitoring and Attacks on WEP and WPA
Wikipedia has a very useful introduction to wireless networking and the security issues.
Note that wireless monitoring tools can be extremely dependent on chipset. Make sure that your planned software and WLAN card will get along!
The Trifinite Group has information on wireless security, including RFIDiot and other RFID security tools and information.
Also see my COMSEC page for details on how mobile phone encryption can be broken. Really. It can. Mobile phone salesmen don't want you to know this, but it's true.
Free wireless sniffers for Linux and BSD
Kismet is nice for WLAN surveillance. It displays all wireless access points (WAPs) and WLAN nodes it detects, showing channel, use of encryption, signal strength and more.
Aircrack-ng captures and attacks WEP, WPA, and WPA-2.
AirSnort captures and attacks WEP.
WaveStumbler is a console-based 802.11 network mapper.
Wellenreiter is another wireless network discovery tool.
Free wireless sniffers for Android
Fing — Network Tools
Shark for Root —
tshark for Android
WiEye — WiFi Scanner
Wigle WiFi Wardriving
Network Signal Info
Meraki WiFi Stumbler
SDR Touch — 50-2200 MHz receiver
Free wireless sniffers for macOS
looks to be the most powerful utility, with all the features of the other macOS ones and even more.
Free wireless sniffers for Windows
Net Stumbler
Aircrack-ng
Commercial tools — divided into categories:
Packet Sniffing and War-Driving Tools
Security System War Driving Kit
Vulnerability Assessment Tools — do more than just sniffing:
SecPoint's Portable Penetrator
Netscout AirMagnet Handheld/Laptop Analyzer
Traffic Monitoring and Analysis Tools — use the free tool Wireshark
WLAN Intrusion Detection Tools
Air Defense
StillSecure Border Guard
WLAN attack tools:
WEP is, of course, well known to be weak. In 2007 three researchers announced an attack that required just 1 minute of WLAN data collection and 3 seconds of cryptanalysis on a 1.75 GHz Pentium.
Announcement Detailed paper
A WPA attack was announced in late 2008. It does not recover the key (allowing the decryption of all data) but just allows the decryption of individual short packets.
Ars Technica article Authors' paper SANS report Gizmodo report
file2air is a command-line utility for injecting IEEE 802.11 frames from files.
Void11 implements some basic 802.11 attacks.
Antennas, access point modification, building your own WLAN hardware, etc.
Antenna designs Building antennas and access points Orinoco WLAN antennas Tin can waveguide WiFi antenna Cantenna comparisons Slot waveguide antennas Tiny biquad antenna Cantenna 802.11 antennas
WPA2 / 802.11i
Here's my page on setting up WPA2 / 802.11i wireless security.
Beware a false sense of security based on switches
A switch can improve LAN throughput immensely, but it does not really provide security.
which uses ARP trickery to confuse hosts about the mappings between IP and MAC addresses. The attacker can use arpspoof to have all datagrams between specified pairs of hosts sent to a sniffing host. The sniffer grabs copies and possibly modifies contents before sending the frames back through the switch to the legitimate hardware addresses.
dsniff toolkit from
Also be aware that some tools (webspy, for example) understand application-layer protocols and make it easy to capture and analyze FTP logins and passwords, web traffic, mail, etc. Dsniff is a great tool for password capture. You must understand that your attackers all know this and will use it if possible.
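The ARP trickery described above leaves a trace a defender can watch for: an IP address whose hardware address suddenly changes, and one hardware address claiming several IPs. The following is an added example, not code from this page or from any tool it names; the function names, MAC addresses and IP addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))

def build_arp(oper, smac, sip, tmac, tip):
    """Build a constructed Ethernet/IPv4 ARP payload for the sample data."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       _mac(smac), _ip(sip), _mac(tmac), _ip(tip))

def parse_arp(payload):
    """Return (sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return sha.hex(":"), ".".join(map(str, spa))

def find_conflicts(payloads):
    """Flag IPs whose MAC changes and MACs that claim several IPs."""
    first_seen, claims, changed = {}, defaultdict(set), []
    for p in payloads:
        parsed = parse_arp(p)
        if parsed is None or parsed[1] == "0.0.0.0":  # skip junk and ARP probes
            continue
        smac, sip = parsed
        if first_seen.setdefault(sip, smac) != smac:
            changed.append((sip, first_seen[sip], smac))
        claims[smac].add(sip)
    multi = {m: sorted(ips) for m, ips in claims.items() if len(ips) > 1}
    return changed, multi

# Constructed sample: two honest announcements, then one MAC claims both IPs.
GW, HOST, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
SAMPLE = [
    build_arp(2, GW, "192.0.2.1", HOST, "192.0.2.10"),
    build_arp(2, HOST, "192.0.2.10", GW, "192.0.2.1"),
    build_arp(2, ROGUE, "192.0.2.1", HOST, "192.0.2.10"),
    build_arp(2, ROGUE, "192.0.2.10", GW, "192.0.2.1"),
]

if __name__ == "__main__":
    changed, multi = find_conflicts(SAMPLE)
    for ip_addr, old, new in changed:
        print(f"{ip_addr} moved from {old} to {new}")
    print(multi)
```

A changed mapping is not always hostile: DHCP reassignment, a replaced NIC or a router failover pair produces the same signal, so treat a hit as a reason to look at the switch port behind the new MAC.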
There are legitimate cybersecurity applications of password or other sensitive information capture and display! One use is to demonstrate to the naïve just how insecure cleartext protocols such as POP, IMAP, FTP, TELNET, etc really are.
Packet capture is also crucial when testing to verify that new tools really do enforce the use of encryption and don't silently roll back to cleartext mode.
Tapping Optical Fiber
Optical fiber can be tapped without splicing. You can read the data by removing some of the sheath and gently bending the fiber in a bend coupler. You can supposedly buy them for a few hundred US$, optical+fiber+tap at eBay.
There are claims that optical taps have been found on police networks in the Netherlands and Germany, and the FBI investigated one discovered on Verizon's network in the US.
Techworld published a nice overview.
NetworkIntegrity Systems only sells their Interceptor Optical Network Security System to the U.S. Government. It detects unauthorized tampering by monitoring spare fibers.
Blind Man's Bluff, by Sherry Sontag and Christopher Drew, describes U.S. Navy fiber tapping operations on the floor of the Sea of Okhotsk and elsewhere.
TEMPEST is a classified specification for shielding both electromagnetic and acoustical signals, and for exploiting the emanations of targets. Parts of the specification are public, but many details are classified. See the Wikipedia page for a good overview.
Secure Systems & Technologies (SST) has a list of TEMPEST standards.
For an archive of late 1990s TEMPEST information and speculation, see "The Complete, Unofficial TEMPEST Information Page".
Eavesdropping Via Light, Audio, and Other Unexpected Means
Interactive keyboard use can be "eavesdropped" by means you might not expect.
Consider the relative difficulty or ease of touch-typing different character sequences on a standard QWERTY keyboard: F-J would be very fast (home key on left hand then home key on right hand, easy and fast) while 2-X would be very slow (extreme reaches for the same finger, awkward and slow).
So, a good typist may have a high aggregate rate of characters per minute, but the inter-character spacings are going to vary. A given two-character or longer sequence is not always going to be exactly the same, but over time the distribution is going to be fairly distinctive.
Measure the inter-character times and you have the data needed for bigram analysis. You won't recover 100% of the cleartext, but with adequate data and quality typing of large blocks of text, you will recover some.
So how can you measure the inter-character times?
1: Shine a laser at the reflective surface of a laptop cover (that is, the surface opposite the display) or an external keyboard.
Obviously, do this with an infrared laser or it will be terribly obvious to people! Even an infrared laser will be obvious to security cameras. Point your TV remote at your smart phone camera to see what I mean.
2: Detect electrical noise:
Researchers' page hackaday.com, #1 hackaday.com, #2
3: Use both wired and wireless signals:
Compromising Electromagnetic Emanations of Wired and Wireless Keyboards
4: Detect keypresses acoustically. That is, listen to the clicking:
"Keyboard Acoustic Emanations Revisited" A description Bruce Schneier's discussion "A Closer Look at Keyboard Acoustic Emanations: Random Passwords, Typing Styles and Decoding Techniques"
5: Use electrical signals plus timing. The Soviet Union used this against the U.S. in the mid 1970s into the mid 1980s. Izvestia reported in 2013 that Russian security services were buying more typewriters to avoid the increased risk of electrical ones.
1987 New York Times article Internal NSA document Public NSA document Ars Technica story
6: Observe the timing of packets of an SSH connection. Even though they are encrypted you can use the packet timing. Interactive SSH does remote echo, so it's generally one packet per keypress. You can recover some information that way. See these papers:
"Timing analysis of keystrokes and timing attacks on SSH" "Inter-Packet Delay Based Correlation for Tracing Encrypted Connections Through Stepping Stones" (2002)
7: Similarly, observe the network activity lights on router or Ethernet switch ports. Sit in the next building with a telescope.... See the paper:
"Information Leakage from Optical Emanations"
Like so much of information theory, this isn't entirely new. A Morse code operator might be recognized by a distinctive "fist" or slight imperfection in their keying cadence.
The paper RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis explains how the authors extracted full 4096-bit RSA decryption keys from laptop computers running the GnuPG implementation of RSA by listening to the high-pitched sounds generated by vibration of components within the processor. An ordinary smart phone could be used to collect the audio. Similar attacks can use the electrical potential of the computer chassis, possibly using the ground wires at the remote end of VGA, USB or Ethernet cables. Non-technical overviews are available here and here.
The Air-Gap Research Page of the Cyber-Security Research Center at the Ben-Gurion University of the Negev has more along these lines. Some of it assumes that the attacker can replace router and switch firmware, or place smart phones with rootkitted baseband firmware into the air-gapped target area. Wired ran a story, "Mind the Gap: This Researcher Steals Data With Noise, Light, and Magnets".
You can also watch for the distinctive way that hand position distorts Wi-Fi signals. See the paper: Keystroke Recognition Using WiFi Signals
Then there are more "movie-style" threats. Jan-Michael Frahm of the University of North Carolina at Chapel Hill is the head of the 3D Computer Vision Group there. His group has developed their iSpy system, which can identify text typed on touchscreens from video footage of the screen itself or of its reflection in windows or even in sunglasses. Their paper is available here. Their system was described in New Scientist, 29 October 2011, pp 22-23.
They say that they can use video from an ordinary mobile phone up to 3 meters away, but a digital SLR camera shooting HD video could read screens up to 60 meters away. Their approach takes advantage of the fact that the targeted platforms magnify the virtual keys. It isn't perfect, but they get over 90% copy of what is typed on these ever more prevalent interfaces.
I wait for the papers "Information Leakage via Observations of Message-Bearing Avian Flight Patterns", and "Information Leakage via Carefully Timed Emissions of Smoke from Motherboard Components", all of these to be mitigated by the replacement of all LED indicator lamps with neon bulbs.
Other Side-Channel Attacks
The significant attacks on virtualization security use side-channel attacks. See my virtualization security page for the details.
Detecting Packet Sniffing Attacks
For suggestions on spotting sniffer attacks, see the discussion in an older CERT advisory. One method would be to send out an Ethernet frame to a MAC destination address that is not in use on your network. Inside that frame is an IP datagram to which a typical host would reply. The NIC would normally have filtered out (that is, ignored or dropped) that frame because it was sent to some other unicast MAC address. But since its chipset is in promiscuous mode, the filtering is turned off and the IP datagram is passed to the operating system. The operating system then replies, and now you know that host has its interface in promiscuous mode. The sniffer detection relies on tricking the host with a promiscuous interface into reporting itself.
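The probe described above, as an added example that is not taken from the CERT advisory or from any tool named on this page: it builds the frame sent to an unused unicast MAC, with an ICMP echo request inside as the datagram "to which a typical host would reply", and recognizes the matching reply. The choice of ICMP echo, the function names, and all MAC and IP values are assumptions constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_probe(src_mac, unused_mac, src_ip, dst_ip, ident, seq):
    """Ethernet frame to an unused unicast MAC carrying an ICMP echo request
    addressed to the IP of the host under test (addresses are raw bytes)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-check"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                     64, 1, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return unused_mac + src_mac + b"\x08\x00" + ip + icmp

def is_probe_reply(frame, probed_ip, ident, seq):
    """True if frame is an ICMP echo reply from probed_ip matching ident/seq."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 1 or frame[26:30] != probed_ip or len(frame) < 14 + ihl + 8:
        return False
    typ, code, _, rid, rseq = struct.unpack("!BBHHH", frame[14 + ihl:22 + ihl])
    return (typ, code, rid, rseq) == (0, 0, ident, seq)

# Constructed sample values (locally administered MACs, documentation IPs).
MY_MAC, UNUSED_MAC = bytes.fromhex("020000000002"), bytes.fromhex("0200000000fe")
HOST_MAC = bytes.fromhex("02000000000a")
MY_IP, HOST_IP = bytes([192, 0, 2, 2]), bytes([192, 0, 2, 10])

def demo():
    """Build the probe and check a constructed reply against it."""
    probe = build_probe(MY_MAC, UNUSED_MAC, MY_IP, HOST_IP, 0x1234, 1)
    # Constructed reply such as a promiscuous host would send back: ICMP type 0.
    reply = bytearray(build_probe(HOST_MAC, MY_MAC, HOST_IP, MY_IP, 0x1234, 1))
    reply[34] = 0
    return probe, is_probe_reply(bytes(reply), HOST_IP, 0x1234, 1)
```

Some IP stacks also discard, in software, frames not addressed to their own MAC, so the absence of a reply does not prove that no interface is in promiscuous mode.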
To detect network interfaces in promiscuous mode, use AntiSniff or the SecurityFriday tool.
Two other tools require that they be run on the attacking host during an attack: cpm and ifstatus. Get them from Purdue's CERIAS research group.