Introduction to classic Sniffer Software

Source: Internet
Author: User



I don't know if I have ever sent it. I will forward it again.

A sniffer is a common means of collecting useful data, whether user accounts and passwords or confidential business data. A sniffer can be thought of as a device that captures network packets; ISS defines a sniffer as a tool that uses a computer's network interface to intercept data packets destined for other computers.
Sniffers fall into two categories by network type: 1. sniffers in a switched environment; 2. sniffers in a shared environment.
In a switched environment, a sniffer usually intercepts data by ARP-spoofing the switch and turning itself into a man in the middle.
In a shared environment, a sniffer only needs to put the local NIC into promiscuous mode to listen to every packet on the network, without any spoofing.

Sniffer principle:
A switched-environment network connects its nodes with a switch, while a shared-environment network connects them with a hub.
Take the shared environment first. A shared network is also called a hub network. When a packet arrives at the hub, the hub forwards it to every one of its ports; in other words, every node connected to the hub can receive every packet. Once the sniffer is running, it sets the NIC to promiscuous mode, and in that mode the NIC accepts every packet, which is all a sniffer needs.
In the switched environment, the switch replaces the hub and resolves several of the hub's security problems. The switch uses its own ARP cache table to decide which port a packet is sent to, so a packet is no longer forwarded to every port; this greatly improves both network performance and security. In a switched environment, even with the NIC in promiscuous mode, only the local host's own packets can be seen, because the switch does not forward other nodes' packets to the sniffing host. Therefore, in a switched environment, you must find a way to get the target host's packets delivered to the sniffing host. This method is called ARP spoofing: forged ARP packets trick the switch into updating its ARP cache table so that packets addressed to the target host are forwarded entirely to the sniffing host, but then the target host receives no packets at all. For interception to work without breaking communication, the sniffing host must also act as a man in the middle (MITM), forwarding the packets on, in addition to its role as the sniffer. Search for ARP spoofing on Google for the specific principles and methods.
How can the traffic of an entire switched network be analysed without ARP spoofing? Two methods for reference:
1. Use a switch with a port-mirroring function at the root node. Such a switch can be configured to copy all packets to a specified port; connect the host running the sniffer to that port.
2. If the root-node switch lacks this function, add a hub above the root node: one port of the hub connects to the switch, and another connects to the host running the sniffer.
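As an added, defender-side example (not code from the original article), here is a small Python ARP watcher for the switched-environment ARP spoofing described above: it parses raw Ethernet/ARP frames and alerts when the MAC claimed for an IP address changes, which is the trace that forged ARP packets leave in the caches of the switch and the hosts. The frames, addresses and the ArpWatch/build_arp names are constructed for this example; on a real network the frames would come from a libpcap/WinPcap capture.

```python
import struct

ETH = struct.Struct("!6s6sH")            # Ethernet: dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # ARP: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble a constructed Ethernet+ARP frame; used only to make sample input."""
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else mac_bytes(target_mac)
    return (ETH.pack(dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip)))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP or short frames."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 ARP only
        return None
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)

class ArpWatch:
    """Remember the sender IP -> MAC binding of every ARP packet; alert when it changes."""
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})   # pinned entries (e.g. the gateway) are never relearned
        self.alerts = []

    def feed(self, frame):
        """Process one raw frame; return an alert string or None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip, _tip = parsed
        known = self.table.setdefault(ip, mac)   # first sighting is learned, later ones compared
        if known == mac:
            return None
        kind = "reply" if op == ARP_REPLY else "request"
        alert = f"{ip} was {known}, now claimed by {mac} in ARP {kind}"
        self.alerts.append(alert)
        return alert
```

Pinning the gateway's real MAC up front is what makes the watcher useful on a freshly started host, where otherwise the first forged reply would be "learned" as legitimate.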
The following are typical sniffers that I personally consider worth bookmarking.

1. libpcap
Version: v0.8.3
Updated on: 2004-03-30
Description: libpcap is the essential tool on Unix or Linux for capturing network packets from the kernel. It is a system-independent API and provides a portable framework for low-level network monitoring; it can be used for network statistics collection, security monitoring, network debugging and other applications. Many network programs on Unix or Linux need libpcap to run. The Windows counterpart is WinPcap.
Download path: Software/Network/Libpcap/(including the latest version, stable version, and Development Documentation)

2. WinPcap
Version: v3.1 beta3
Updated on: 2004-05-15
Description: WinPcap is the counterpart of libpcap for the Win32 platform. WinPcap provides three modules: NPF (NetGroup Packet Filter, a kernel-level packet filter), packet.dll (a low-level dynamic link library) and wpcap.dll (built on top of packet.dll, offering a more convenient and direct programming interface). Many network tools (sniffers among them) are developed with WinPcap, and WinPcap must be installed to run them. I used VBS to call WinPcap and wrote a sniffer in the console. ~_*
Download path: Software/Network/Winpcap/(including the latest version, stable version, and Development Documentation)

3. Network Associates Sniffer Portable
Version: v4.7.5 SP4
Updated on: 2004-05-20
Introduction: as NAI's flagship product, the Sniffer line from NAI is expensive. Sniffer Portable is a family of network fault and performance management solutions that network professionals use to maintain, troubleshoot, optimize, tune and expand multi-topology, multi-protocol networks. The Sniffer Portable software runs on desktops, portable computers, laptops and other hardware platforms, and can also use advanced custom hardware components to guarantee full line-rate capture. Sniffer Portable stands out from other sniffers mainly in the following respects:

Custom hardware:
The custom hardware lets Sniffer Portable capture, filter and trigger at line rate.
Detailed reports:
Graphical reports can be generated from the RMON1/RMON2 and similar data collected by the Sniffer Portable application. From bandwidth usage to potential network degradation, Sniffer Reporter provides detailed data to help you plan future network requirements. Reports available for Ethernet and Token Ring include host tables, matrices, protocol distribution, global statistics and others.
Sniffer Voice option:
Sniffer Voice is a value-added package integrated with Sniffer Portable. It provides the information needed for converged voice and video traffic and is mainly used on VoIP networks.
Download path: Software/Network/network. associates. sniffer. Portable. v4.7.5.sp4/

4. WildPackets EtherPeek NX
Version: V2.1
Updated on: 2004-06-12
Description: EtherPeek NX is the first network protocol analyzer to provide expert diagnosis and structural decoding while packets are being captured. EtherPeek NX is designed to help IT staff analyse and diagnose ever-faster network traffic and to provide accurate, up-to-date analysis of the many faults networks face today. My favourite bundled components are InetTools and PacketGrabber: InetTools provides a set of useful network utilities (ping, ping scan, trace route, name lookup, name scan, DNS lookup, port scan, service scan, finger, whois and throughput), and PacketGrabber is a remote packet collection program. A Peek SDK is also provided for developing your own plug-ins; the SDK documentation is in the 1033/documents/peek sdk/ directory of the installation path.
EtherPeek for Windows is an award-winning Ethernet traffic and protocol analyzer. EtherPeek set the industry standard for ease of use, and was chosen as the best of five network analyzers by the Global Network Testing Alliance.
Download path: Software/Network/wildpackets. etherpeek. NX. V2.1/

5. Iris Network Traffic Analyzer
Version: v4.0.7
Updated on: 2003-12-29
Introduction: Iris is a sniffer from eEye, a well-known company in the industry. Its advantages: easy to use, comprehensive and rich traffic status and reports, advanced data reconstruction, precise packet manipulation and forgery, extended filtering, and data analysis capabilities.
I personally think Iris stands out in data reconstruction, packet forgery and data analysis. The data reconstruction function can reassemble raw packets into complete HTTP, FTP, SMTP and POP3 sessions, so with it you can easily view mail messages transmitted over the network, web pages browsed by users and unencrypted FTP transfers. Iris's packet editor allows users to create custom or spoofed packets. As for data analysis, Iris can analyse packet capture files saved by other well-known sniffers.
It is also worth mentioning that the eEye website offers some predefined filter files for free, most of them aimed at viruses and worms.
Download path: Software/Network/Iris. Network. Traffic. analyzer. v4.07/

6. TamoSoft CommView
Version: v4.1.344
Updated on: 2004-02-19
Description: The CommView series is an excellent commercial sniffer product on Windows. It supports the NDIS 3.0 driver standard and has functions similar to other sniffer products; in addition, the CommView Remote Agent can be used for remote sniffing.
TamoSoft CommView for WiFi
Version: v4.2.360
Updated on: 2004-04-09
Description: CommView for WiFi is a special edition of CommView designed to capture and analyse wireless networks; it supports the 802.11a/b/g protocols.
Download path: Software/Network/tamosoft. commview/
TamoSoft CommView Remote Agent
Version: v1.1.43
Updated on:
Description: The CommView Remote Agent is a dedicated, optional component of CommView designed for remote network monitoring.
Download path: Software/Network/tamosoft. commview/

7. ettercap
Version: NG 0.7.0 RC1
Updated on: 2004-06-14
Description: ettercap is a tool for man-in-the-middle attacks on a LAN. It is an open-source project supporting multiple platforms (Linux, BSD, Windows, Solaris and Mac OS); its functions include sniffing live connections, content filtering on the fly and other interesting spoofing features. ettercap supports active and passive dissection of many protocols and can analyse other networks and hosts. In addition, ettercap has a plug-in system, ships with many useful plug-ins and lets third parties write their own. With OpenSSL installed, SSH1 and HTTPS are supported.
Download path: Software/Network/ettercap/

8. Ethereal
Version: v0.10.4
Updated on: 2004-05-13
Description: Ethereal is the most popular network protocol analyzer in the world, a sniffer with extremely powerful functions that supports the following platforms: Windows, Linux, Solaris, Mac OS, BSD, BeOS, Tru64 UNIX, HP-UX, AIX, IRIX and others. It is an open-source project. It can dissect as many as 512 protocols and supports both real-time (live capture) and offline modes. On Windows, the WinPcap library is required to run it.
Download path: Software/Network/ethereal/(including source code and installation files in Windows)

9. Packetyzer
Version: v2.0.0
Updated on: 2004-04-22
Introduction: Packetyzer is an excellent sniffer, one of the few open-source ones on the Windows platform. It supports 483 protocols and can be used together with the Neutrino sensor to intercept and analyse 802.11 packets. I personally like Packetyzer's packet colouring feature. WinPcap must be installed.
Download path: Software/Network/packetyzer/(including source code and installation files)

10. Cain & Abel
Version: v2.5 beta56
Updated on: 2004-06-14
Introduction: Cain & Abel is a powerful set of password interception and cracking tools for the Windows platform; I have simply grouped it under sniffers here, since sniffing is its main use. It supports interception in both shared and switched environments. Cain and Abel are two separate tools (Cain is the client, Abel the server). Its functionality is very rich; for detailed features visit http://www.oxid.it/cain.html. The new version adds support for wireless networks. WinPcap is required to run it.
Download path: Software/Network/Cain & Abel/

11. tcpdump/WinDump
Version: v3.8.3
Updated on: 2004-03-30
Introduction: tcpdump is a well-known and popular command-line network packet analysis and sniffing tool. It prints the headers of packets that match a filter expression, and can be used to locate network problems or monitor network conditions. WinDump is the port of tcpdump to Windows.
Download path: Software/Network/tcpdump/(including tcpdump and WinDump)

12. dsniff
Version: v2.4 beta2
Updated on: 2004-06-14
Introduction: dsniff is a collection of Unix command-line tools designed for network auditing and penetration testing. It includes ARP spoofing and should be the first sniffer able to sniff in a switched environment. The author has tested it on OpenBSD, Red Hat Linux and Solaris; an earlier version (1.8) has been ported to Windows. dsniff was first released by Dug Song in December 1999. dsniff depends on some third-party packages, including Berkeley DB, OpenSSL, libnet and libnids.
Download path: Software/Network/dsniff/(including 2.3, 2.4b1, 2.4b2, and 1.8 for Windows)

13. sniffit
Version: v0.37 Beta
Updated on: 1998-07-17
Introduction: sniffit was developed at Lawrence Berkeley Laboratory and runs as a sniffer on Linux, Solaris, SGI, Windows and other platforms. It provides functions unavailable in many commercial sniffers, and supports scripts and plug-ins. In addition, the Touch of Death plug-in can cut a target machine's TCP connection by sending it an RST packet. The Windows version was ported by Symbolic, and WinPcap is required to run it.
Download path: Software/Network/sniffit/

14. snarp
Version: v0.9h
Updated on: 2001-03-21
Description: a sniffer for switched networks on Windows. For specific instructions, see readme.txt.
Download path: Software/Network/snarp/

15. arpsnifer
Version: v0.5
Updated on: 2002-08-12
Introduction: a sniffer for switched networks on the Windows platform, written by Xiao Rong. Version 0.5 adds a Remote ARP network sniffer function with a sensor/GUI structure. WinPcap is required to run it.
Download path: Software/Network/arpsnifer/
