How to Use a Free Packet Sniffer
Jun 15, 2011 • 3 Minute Read
A packet sniffer (also known as a network sniffer, network analyzer or packet analyzer) is a troubleshooting and network analysis tool that is very useful and well worth mastering, but is often overlooked.
Network analysis tools come in many forms and are used to monitor the traffic conversations that occur across the network. Often the information obtained from a packet sniffer can be used to see exactly how devices are communicating, making it easier to find the root cause of the problem you're troubleshooting. But the use of a packet sniffer is not limited to troubleshooting; it can also help with training, and with designing and operating devices on a network.
In this article we'll discuss the basic operation of a packet sniffer and some of the more common sniffers that are available for free.
What is a Packet Sniffer?
So what exactly is a packet sniffer and how can you use it? At its most basic, a packet sniffer captures traffic directly from a network interface and lets the user interpret the information contained within that traffic. While this is not that complicated for an experienced network engineer, it does limit how much junior-level engineers and novices can get out of the tool.
Figure 1 below shows an example of a capture being done while browsing the web using the Hypertext Transfer Protocol (HTTP).
Figure 1: Packet Sniffer Capture
A specific packet can then be displayed showing all of the different information contained within; this is shown in Figure 2.
Figure 2: Example of a Packet Captured by the Packet Sniffer
There are also command-line based sniffers that are very popular but require a higher level of knowledge; one of the most popular is tcpdump, which is typically used on Linux machines. Figure 3 below shows an example capture from tcpdump being run on a Linux based machine.
Figure 3: tcpdump Capture on Linux
Many packet sniffers go beyond simple traffic capture and also offer traffic analysis. This can include everything from simple tracking of conversations to statistical analysis and stream analysis, among many other options. Figure 4 below shows an example of an HTTP packet count statistical analysis.
Figure 4: HTTP Packet Count Statistical Analysis
How to Use a Packet Sniffer
The basic capture of network traffic on most packet sniffers is relatively easy to start. Figure 5 below shows the capture options screen of a popular network protocol analyzer tool called Wireshark (more on Wireshark below).
This is the screen that is used to start a network capture. It is on this screen where the specific interface and options are selected before a capture is started.
Figure 5: Wireshark Capture Options Screen
Once a capture is started in Wireshark, the screen will show the captured packets and permits the viewing of packet details as the capture continues. It is in these detailed packet screens where specific packet traffic analysis can be done; for example, if a specific protocol conversation between hosts is being followed, this is where the details of that traffic can be seen. Figure 6 below shows an example of an FTP packet that was sent to initiate a file transfer; it can be identified as the opening packet of the connection because the only TCP flag set is SYN.
Figure 6: Example of an FTP Packet
Figure 7 below shows an example of a simple capture using the tcpdump utility on a Linux machine, showing the start of an FTP conversation.
Figure 7: Capture using the tcpdump Utility
Wireshark can also be used to track the different conversations that are going on within the captured traffic. Figure 8 below shows how to use Wireshark to display this conversation list.
Figure 8: Example of Conversations within Captured Traffic
Figure 9 below shows an example of all the IPv4 conversations in progress when capturing from a single computer. The packets going to and from the remote host via FTP are highlighted. This ability becomes far more powerful when the packet sniffer is connected to an interface where multiple hosts are sending and receiving traffic.
In this type of configuration, the network sniffer can be used to troubleshoot network problems between a number of hosts and not just the traffic from the host running the packet sniffer software.
Figure 9: Example of IPv4 Conversations
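The two things just shown in Wireshark, picking out the SYN-only packet that opens a connection (Figure 6) and building the conversation list (Figure 9), can be reproduced from a saved capture file with a few dozen lines of code. The example below is added here and is not part of the original article or of Wireshark or tcpdump; it is a minimal parser for the classic pcap format that both tools write. The capture bytes are constructed inside the script (documentation addresses, checksums left at zero) rather than taken from a real network, so it runs offline with only the Python standard library.

```python
"""Decode a pcap capture and list TCP flags and IPv4 conversations.

Added example, not from the original article.  Parses the classic pcap
format (Ethernet link type) and reports, per packet, the TCP flags set,
then groups packets into conversations the way Wireshark's Conversations
window does.  All capture data below is constructed in this script.
"""
import struct
from collections import Counter

# Constructed addresses (assumed roles, RFC 5737 documentation ranges).
CLIENT = "192.168.1.10"   # host running the sniffer
SERVER = "203.0.113.5"    # FTP server

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame as test input for the parser.
    Checksums are left at zero: this is parser test data, not wire traffic."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split(".")))) + tcp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip


def build_pcap(frames):
    """Wrap raw frames in a pcap global header plus per-packet headers."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1308096000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src, dst, sport, dport, flag_names) for every IPv4/TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4      # IP header length in bytes
        if frame[23] != 6:
            continue                      # not TCP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        names = [n for bit, n in TCP_FLAG_NAMES if tcp[13] & bit]
        yield src, dst, sport, dport, names


def conversations(packets):
    """Count packets per unordered (address, port) pair, like Wireshark's
    Conversations window: both directions fall into the same bucket."""
    counts = Counter()
    for src, dst, sport, dport, _ in packets:
        counts[tuple(sorted([(src, sport), (dst, dport)]))] += 1
    return counts


def syn_only(packets):
    """Packets whose only flag is SYN, i.e. the opening packet of a connection."""
    return [p for p in packets if p[4] == ["SYN"]]


# Constructed capture: an FTP control connection handshake plus banner,
# and one unrelated HTTP connection attempt.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(CLIENT, SERVER, 49152, 21, 0x02),                      # SYN
    build_tcp_frame(SERVER, CLIENT, 21, 49152, 0x12),                      # SYN/ACK
    build_tcp_frame(CLIENT, SERVER, 49152, 21, 0x10),                      # ACK
    build_tcp_frame(SERVER, CLIENT, 21, 49152, 0x18, b"220 ftp ready\r\n"),  # PSH/ACK
    build_tcp_frame(CLIENT, "198.51.100.7", 49153, 80, 0x02),              # HTTP SYN
])

if __name__ == "__main__":
    pkts = list(parse_pcap(SAMPLE_PCAP))
    for src, dst, sport, dport, names in pkts:
        print(f"{src}:{sport} -> {dst}:{dport}  flags={'/'.join(names)}")
    print(f"{len(syn_only(pkts))} connection(s) initiated")
    for (a, b), n in conversations(pkts).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {n} packets")
```

To run it against a real file, replace SAMPLE_PCAP with the bytes read from a capture saved by Wireshark or by tcpdump -w; the parser deliberately rejects the newer pcapng format and non-Ethernet link types rather than misreading them.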
The different things that can be done with a packet sniffer are really quite extensive and certainly cannot all be completely covered in a single article. The different tasks shown above are simply a few of the basic things that a network sniffer can be used for.
Free Packet Sniffers
There are a few different packet sniffer software packages that are available for free. The most common of these are Wireshark and tcpdump.
The Wireshark utility, as shown in most of the examples above, is easy to use and offers a number of built-in traffic analysis functions; with over 1000 different protocols supported, this tool is commonly found in the network engineer's toolkit.
The tcpdump utility and its companion WinDump utility for Windows offer the ability to capture traffic in a number of different ways, including feeding captured traffic into scripts for analysis. These utilities are commonly used by network administrators who are well versed in scripting and can combine the full functionality of operating system scripting with tcpdump. The tcpdump utility is typically part of Linux operating system repositories and can be installed from there.
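Because tcpdump prints one line per packet, its output can be post-processed by an ordinary script, which is the scripting use the paragraph above refers to. The example below is added here and is not from the original article or from the tcpdump project: it parses the line format tcpdump produces for IPv4/TCP traffic when run with -nn (numeric addresses and ports) and summarises payload bytes per host and packets per service port. The sample lines are constructed to match that format; they are not a real capture, and the "lower port number is the service" rule is a heuristic.

```python
"""Summarise tcpdump -nn text output from a script.

Added example, not from the original article.  The sample lines below are
constructed to follow tcpdump's IPv4/TCP line format:
  HH:MM:SS.usec IP src.sport > dst.dport: Flags [..], ..., length N
where N is the TCP payload length.  They are not a real capture.
"""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
14:03:11.223344 IP 192.168.1.10.49152 > 203.0.113.5.21: Flags [S], seq 1234567890, win 64240, options [mss 1460,sackOK,nop,wscale 7], length 0
14:03:11.245678 IP 203.0.113.5.21 > 192.168.1.10.49152: Flags [S.], seq 987654321, ack 1234567891, win 65160, options [mss 1460,sackOK,nop,wscale 7], length 0
14:03:11.245700 IP 192.168.1.10.49152 > 203.0.113.5.21: Flags [.], ack 1, win 502, length 0
14:03:11.300000 IP 203.0.113.5.21 > 192.168.1.10.49152: Flags [P.], seq 1:21, ack 1, win 510, length 20
14:03:11.300400 IP 192.168.1.10.49152 > 203.0.113.5.21: Flags [P.], seq 1:16, ack 21, win 502, length 15
14:03:12.000000 IP 192.168.1.10.49153 > 198.51.100.7.80: Flags [S], seq 42, win 64240, options [mss 1460], length 0
"""

# One regular expression for the fields a script usually needs; anything that
# does not match (ARP, ICMP, non-IP frames, verbose -v output) is skipped.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)


def parse_lines(text):
    """Turn each matching tcpdump line into a dict of named fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "length"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def bytes_by_host(records):
    """TCP payload bytes sent per source address."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["length"]
    return dict(totals)


def packets_by_service(records):
    """Packets per service port.  Heuristic (assumption): the lower of the two
    port numbers is taken to be the service port, so replies from port 21 to an
    ephemeral port count towards 21 as well."""
    counts = defaultdict(int)
    for r in records:
        counts[min(r["sport"], r["dport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_OUTPUT)
    print("payload bytes by host:", bytes_by_host(recs))
    print("packets by service port:", packets_by_service(recs))
```

In practice the text would come from a pipe such as tcpdump -nn -l ... | python3 script.py (the -l flag makes tcpdump line-buffer its output), with sys.stdin.read() in place of SAMPLE_OUTPUT.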
Download Wireshark for free http://www.wireshark.org/download.html
Download tcpdump for free http://www.tcpdump.org/#latest-release
Download WinDump for free http://www.winpcap.org/windump/
There are other packet sniffers out there, but these three will get you off to a good start.
Should You Use a Packet Sniffer?
The operation and use of a packet sniffer is not overly challenging and can be a great addition to the bag of utilities of any engineer or network administrator.
If you need additional help getting started, Wireshark provides documentation, including user guides and videos available in their Resources section. Similarly, tcpdump.org provides documentation, including an FAQ section and WinDump offers a manual that will help you get started as well.
So give a packet sniffer a try and see how you can use it to troubleshoot issues and understand your network better. I hope this introductory article helped you understand the possibilities of network analysis tools. If you have any questions or would like to share your experiences with packet sniffers, leave a comment below.