Top 10 Data/Packet Sniffing and Analyzer Tools for Hackers

What is Data Sniffing?


In common industry usage, a sniffer (lower-case "s", as distinct from Network General's trademarked Sniffer product) is a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently.

A sniffer can also be used, legitimately or not, to capture data as it crosses a network. A router reads every packet passed to it, deciding whether it is destined for a host on one of its own networks or should be forwarded toward the Internet; a router (or any host) running a sniffer can also read the packet's contents along with its source and destination addresses. What a sniffer sees depends on where it sits: on a switched LAN a port only receives traffic addressed to it plus broadcasts, so an analyst uses a mirror (SPAN) port or a tap, while an attacker resorts to ARP spoofing or MAC flooding (see dsniff and Ettercap below) to pull other hosts' traffic through their own machine. Sniffers are often used on academic networks to prevent traffic bottlenecks caused by file-sharing applications.

The term “sniffer” is occasionally used for a program that analyzes data other than network traffic. For example, a database could be analyzed for certain kinds of duplication.

Top 10 Data/Packet Sniffing and Analyzer Tools for Hackers

1: Wireshark

Wireshark (known as Ethereal until a trademark dispute in the summer of 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session ("Follow TCP Stream"). It also supports hundreds of protocols and media types. A tcpdump-like console version named tshark (tethereal in the Ethereal days) is included. One word of caution: Wireshark, like Ethereal before it, has suffered from dozens of remotely exploitable bugs in its protocol dissectors, which by definition parse hostile input. Stay up to date and be wary of running it on untrusted or hostile networks (such as security conferences); in particular, do not run the GUI as root. Capture with dumpcap or tcpdump under a privileged account (or give the capture binary the capability it needs) and open the resulting file as an unprivileged user.

2: Tcpdump

tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes, simply because it parses far less. It also requires fewer system resources. While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. The tcpdump project is also the home of libpcap (WinPcap on Windows), the packet capture library used by Nmap and many other tools; the BPF filter expressions you give tcpdump (for example "tcp port 80 and host 10.0.0.5") are the same ones every libpcap-based tool understands.

3: Cain and Abel

UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, crack password hashes using dictionary, brute-force and cryptanalysis (rainbow table) attacks, record VoIP conversations, decode scrambled passwords, reveal password boxes, uncover cached passwords and analyze routing protocols. It is also well documented. Note that it has not been updated in years and antivirus products routinely flag it, so obtain it only from a source you trust.

4: Kismet

Kismet is a console (ncurses) based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (SSID-cloaked, non-broadcasting) networks while clients are using them, because the SSID still appears in probe responses and association frames. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/tcpdump compatible format, and even plot detected networks and estimated ranges on downloaded maps. Passive capture requires a wireless card and driver that support monitor mode. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating, …

5: Dsniff

This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching): arpspoof poisons victims' ARP caches so their traffic is sent to the attacker's MAC, and macof floods the switch's MAC table until it falls back to broadcasting. sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI, that is, users who click through an unknown SSH host key or an untrusted certificate. A separately maintained partial Windows port also exists. Overall, this is a great toolset. It handles pretty much all of your password sniffing needs.
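The poisoning that arpspoof performs is also easy to spot from a capture taken on the same segment, because the poisoned IP address shows up claimed by two different MAC addresses. The following is an added example, not part of dsniff or of any tool on this list: it dissects constructed Ethernet/ARP frames (every address in them is made up) and reports each IP address that more than one MAC claims in an ARP reply.

```python
"""Spot ARP cache poisoning (what dsniff's arpspoof does) in captured frames.

Added example, not code from dsniff. All frames below are constructed by hand
and every MAC/IP address in them is made up.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet/ARP frame (used here only to construct sample input)."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw_type, proto, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


def find_arp_conflicts(frames):
    """Learn IP->MAC from ARP replies; report each IP that a second MAC later claims.

    Returns a list of (ip, first_mac, conflicting_mac). Each (ip, mac) pair is
    reported once, since arpspoof re-sends its forged reply every few seconds.
    A legitimate change (DHCP handing the address to a new host, a failover pair
    moving a virtual IP) looks identical, so treat a hit as a lead to check
    against the switch's MAC table, not as proof on its own.
    """
    learned, reported, alerts = {}, set(), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        first = learned.setdefault(ip, mac)
        if first != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append((ip, first, mac))
    return alerts


# Constructed sample capture: the victim asks who has the gateway, the real gateway
# answers, then an attacker repeatedly claims the gateway's IP with its own MAC.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "66:77:88:99:aa:bb"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # an IPv4 frame on the same wire; the detector must ignore it
    mac_to_bytes(GATEWAY_MAC) + mac_to_bytes(VICTIM_MAC) + struct.pack("!H", 0x0800)
    + b"\x45" + b"\x00" * 39,
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # re-sent by arpspoof
]

if __name__ == "__main__":
    for ip, first, other in find_arp_conflicts(SAMPLE_FRAMES):
        print(f"ARP conflict: {ip} was {first}, now claimed by {other}")
```

On a real network you would feed this the frames from a libpcap capture taken on a mirror port; the same logic is what arpwatch and most NIDS ARP-spoof signatures implement.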

6: NetStumbler

NetStumbler is the best known Windows tool for finding open wireless access points ("wardriving"). Its authors also distribute a WinCE version for PDAs and the like named MiniStumbler. The tool is free but Windows-only and no source code is provided. It takes a more active approach to finding access points than passive sniffers such as Kismet or KisMAC: it sends probe requests and records who answers, which is quick but also makes it detectable by anyone watching the air, and it cannot see networks that ignore broadcast probes.

7: Ettercap

Ettercap is a terminal-based network sniffer/interceptor/logger for Ethernet LANs. It supports active and passive dissection of many protocols, including encrypted ones such as SSH and HTTPS; for those it acts as a man-in-the-middle and presents its own host key or certificate, so it only succeeds when the victim's client accepts an unknown key or an untrusted certificate. Data injection into an established connection and filtering on the fly are also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It can check whether you are on a switched LAN or not, and use OS fingerprints (active or passive) to tell you the layout of the LAN.

8: Ngrep

ngrep strives to provide most of GNU grep's common features, applying them to the network layer. It is a pcap-aware tool that lets you specify extended regular or hexadecimal expressions to match against the data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffers such as tcpdump and snoop. Keep in mind that it matches each packet's payload on its own: it does not reassemble TCP streams, so a string split across two segments will not be found.
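To make concrete what the introduction, the Wireshark, tcpdump and ngrep entries describe, here is an added example (not code from any of those projects) of the dissection a sniffer performs: it parses constructed Ethernet/IPv4/TCP frames (all addresses, ports and payloads are made up), applies a tcpdump-style "port N" filter and an ngrep-style regex over each payload, and reassembles one direction of a TCP conversation by sequence number the way Wireshark's "Follow TCP Stream" does, including the out-of-order, retransmitted and missing-segment cases.

```python
"""A minimal TCP sniffer over constructed frames: the dissection tcpdump and
Wireshark perform, a tcpdump-style port filter, an ngrep-style payload regex,
and Wireshark-style TCP stream reassembly.

Added example, not code from any of those projects. The frames are built by
hand; every address, port and payload in them is made up.
"""
import re
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
ETH_HDR = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_P_IP)


def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame for sample input. Checksums are left zero,
    which a parser does not mind but a real host would reject."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, _ip4(src), _ip4(dst))
    return ETH_HDR + ip + tcp


def dissect(frame: bytes):
    """Return the fields a sniffer reads from an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length, options included
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]                   # stop at total_len to drop Ethernet padding
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4                 # TCP header length, options included
    return {"src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "payload": tcp[doff:]}


def sniff(frames, port=None, pattern: bytes = None):
    """'tcpdump port N' plus 'ngrep PATTERN': keep packets on the port whose payload
    matches the regex. Like ngrep this works per packet, so a string split across
    two segments is not matched; use follow_stream() for that."""
    regex = re.compile(pattern) if pattern else None
    hits = []
    for frame in frames:
        pkt = dissect(frame)
        if pkt is None:
            continue
        if port is not None and port not in (pkt["sport"], pkt["dport"]):
            continue
        if regex is not None and not regex.search(pkt["payload"]):
            continue
        hits.append(pkt)
    return hits


def follow_stream(frames, src, sport, dst, dport) -> bytes:
    """Reassemble one direction of a TCP conversation by sequence number, as
    Wireshark's 'Follow TCP Stream' does: out-of-order segments are sorted,
    retransmitted bytes are dropped, and a segment missing from the capture
    leaves a visible marker instead of silently joining its neighbours."""
    segments = {}
    for frame in frames:
        pkt = dissect(frame)
        if pkt and (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) == (src, sport, dst, dport):
            if pkt["payload"]:
                segments.setdefault(pkt["seq"], pkt["payload"])
    out, next_seq = b"", None
    for seq in sorted(segments):
        data = segments[seq]
        if next_seq is not None and seq < next_seq:      # overlap / retransmission
            data = data[next_seq - seq:]
        elif next_seq is not None and seq > next_seq:    # hole in the capture
            out += b"[%d bytes not captured]" % (seq - next_seq)
        out += data
        next_seq = max(next_seq or 0, seq + len(segments[seq]))
    return out


# Constructed sample capture: an HTTP request from CLIENT to SERVER split over three
# segments that arrive out of order with one retransmission, an unrelated SSH banner,
# and the server's reply.
CLIENT, SERVER = "10.0.0.5", "192.0.2.80"
REQUEST_CHUNKS = [b"GET /login HTTP/1.1\r\n", b"Host: example.test\r\n",
                  b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n"]


def _request_segments(first_seq=1000):
    segs, seq = [], first_seq
    for chunk in REQUEST_CHUNKS:
        segs.append(build_tcp_frame(CLIENT, SERVER, 49152, 80, seq, chunk))
        seq += len(chunk)
    return segs


_req = _request_segments()
SAMPLE_FRAMES = [
    _req[2],
    build_tcp_frame(CLIENT, SERVER, 49153, 22, 5000, b"SSH-2.0-OpenSSH_9.0\r\n"),
    _req[0],
    _req[0],          # retransmission
    _req[1],
    build_tcp_frame(SERVER, CLIENT, 80, 49152, 7000, b"HTTP/1.1 401 Unauthorized\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt in sniff(SAMPLE_FRAMES, port=80, pattern=rb"(?i)authorization:"):
        print(pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"], pkt["payload"])
    print(follow_stream(SAMPLE_FRAMES, CLIENT, 49152, SERVER, 80).decode())
```

The Basic credential in the sample is exactly what dsniff and Cain & Abel pull out of unencrypted HTTP; the point of the regex and the reassembly is that a per-packet tool finds the header only when it fits in one segment, while a stream-aware one finds it regardless.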

9: Ntop

ntop shows network usage in a way similar to what top does for processes. In interactive mode it displays the network status on the user's terminal; in web mode it acts as a web server, producing an HTML view of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for building ntop-centric monitoring applications, and RRD for persistently storing traffic statistics. The original ntop has since been superseded by ntopng, which keeps the web interface and flow collection.

10: EtherApe

EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, EtherApe displays network activity graphically with a color-coded protocol display. Hosts and links change in size with traffic. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.

What's your favorite sniffing tool?

Credit: Gordon Lyon a.k.a Fyodor


Azad Shaikh

Azad Shaikh is an internet geek at heart. Azad likes to write about anything related to computers, the internet, hacking, business and marketing. He is a computer engineering graduate and a certified ethical hacker.
  • Bumble

    This tool is a sniffer too:

    • Azad Shaikh

      Looking nice but it’s not a free tool.

      • Flyhigh

        Out of curiosity, they are offering full-featured free edition 🙂

  • Louise

    Very good information, thank you.

  • Interesting post. However, you should be careful while posting such articles, especially since you’re using Adsense and blackhat (unethical) hacking is against Google’s ToC!

    • Azad Shaikh

      IMO hacking is always ethical; it's cracking that is unethical, but people keep using the term "Ethical Hacking" and I don't like it. The tools I listed here are for hackers so that they can analyze their networks and keep them safe from crackers. People need to understand what hackers do and what crackers do.
      I am not posting about malicious software that spreads viruses and malware, thus I am not violating Google's TOC.

      Hope this answers your question. Let me know if you have further queries; I will be glad to make this clear to you.

  • Hehe… I surely need to try these tools…! Thanks a lot for the post mate!

    • Azad Shaikh

      Hi Pubudu,
      Thanks for stopping by and leaving a comment on my blog, I appreciate that. I visited your blog and was really impressed. I read about how to change from to; it is quite impressive that you learned as you went.
      I want to know where you are from, if that's OK with you.

  • Novizul Evendi
    • Azad Shaikh

      Thanks for sharing.
      Just for readers:
      “This tool provides a demonstration of the HTTPS stripping attacks that I presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. ”

  • Khaidir

    Ciao Azad,

    Thanks for sharing such a great info.
    I use Kismet, Nmap, TCPDump & BackTrack when I have a “free” time. -:)

    Have a great day.

    • Azad Shaikh

      Hi Khaidir,
      You are welcome, and nice to see your comment. Hope you use them for ethical purposes.
      See you around.

  • kathir

    Nice, Geek, keep on posting like this...

    wishes from

  • Adi

    What about nmap…been using it for a while now