What Network Sniffing Tools Do You Use? 539
network-nose asks: "I work as a Network Administrator in a 500 user manufacturing facility in southeastern Wisconsin. My job is to keep the company running as close to 100% of the time as possible while trying not to spend any money on up to date hardware and software. As of late, we have been having quite a few network problems that can only really be resolved by sniffing packets. I am wondering what tools the rest of you network guys and gals out there use in a corporate environment for analyzing packets. Of course, the more reasonably priced the better, but I know you usually get what you pay for."
Ethereal (Score:4, Informative)
Re:Ethereal (Score:5, Informative)
Re:Ethereal (Score:5, Informative)
Re:Ethereal (Score:5, Informative)
Ethereal is my tool of choice. However, if you have a Linux router, there are a number of interesting tools you can use to monitor stuff that is crossing your routing points.
iptraf is pretty interesting. If you can get that installed on critical points in your network you can watch traffic flows, and see who the major bandwidth hogs are, and what services they are using. The one truly annoying thing is that if you run it via an SSH session, it constantly counts SSH traffic it is generating. I wish it did a better job of accumulating UDP totals for me.
Kirby
Re:Ethereal (Score:5, Informative)
Cheers.
Re:Ethereal (Score:5, Informative)
True.
True.
Ethereal has dissectors for more protocols than tcpdump does; however, tcpdump has dissectors for more than just TCP/UDP/IP (some protocols atop them, such as NFS, as well as non-IP-based protocols, including 802.11 management frames).
Re:Ethereal (Score:4, Informative)
tcpdump is good for two things:
1) doing some fast checking of what's going.. small jobs
2) reading the source to see how to use libpcap.. case example (people who made tcpdump also made libpcap)
So which one is better.. the one with the more features (ethereal) or tcpdump? Depends on the situation..
Re:Ethereal (Score:5, Interesting)
Only feature I wish it had would be the ability to ARP poison switches. Etherape has this ability and it is nice for listening on unmanaged switches.
Otherwise, ethereal is a great product. Nice filtering and easy to follow streams. It also will do a lot of legwork for you and figure out what higher level protocol is being used over TCP.
Re:Ethereal (Score:4, Insightful)
Although I've never used ethereal on windows, it works great on linux. And you can even use tethereal in your scripts since it's the command line based version of ethereal.
Re:Ethereal (Score:5, Insightful)
I'm not. It's not like you need to know the secret handshake before you can become a network administrator. In a lot of places, it just means you're the guy who knows the most about it.
Re:Ethereal (Score:5, Funny)
Actually, you do [homebrew.net].
Re:Ethereal (Score:4, Funny)
Re:Ethereal (Score:5, Interesting)
My first job was to look after a Novell server and a network of 30+ machines with no training apart from what I could pick up along the way and from my experience with PCs. Another job I was looking after a Unix box for the first time and didn't know how to do much.
Recently I got a free label printing program from a web site for my Mother to use at work (she was hand writing 100s of addresses on envelopes that were printed from a computer!) The "computer guy" at the company said they couldn't do labels (even though they use Word) so I got her this free one. I had to explain to him how to find a directory on the PC! They do have a network and the main computer guy who set it up was in another country, but they had put this other person in charge of the PCs and he didn't know anything about them. Another time I had to tell him how to find the size of a hard drive...
Re:Ethereal (Score:3, Interesting)
"Sniffing" for HTTP (Score:5, Interesting)
Of course, when I found the live http headers plugin [mozdev.org] for Mozilla it was exactly what I needed -- just the headers, scrolling by realtime, and no more sniffing needed.
Yeah, this is slightly OT (which may be good in a discussion that seems to be a long string of ethereal links, all +5) -- but I wanted to point out to those people out there who think they "need a sniffer" -- unless you're a network admin, you probably don't.
[Plus the Futurama quotes in the
Re:"Sniffing" for HTTP (Score:5, Informative)
Agree with the above. Sniffing will also not get you anywhere if you are trying to see what's happening on an https stream, as all you'll see is the encrypted traffic.
If you are stuck with IE as a browser for whatever reasons there are two tools comparable to the live http headers plugin for Mozilla.
Re:Ethereal (Score:3, Interesting)
Re:Ethereal (Score:3, Informative)
Re:Ethereal (Score:3, Informative)
Re:Ethereal (Score:3, Insightful)
I guess I just see things in terms of the networks I work with a lot. Throwing 80+Mb/s through a hub may not be the wisest choice.
My preferred way to do it is just have a port monitor another. But we use Cisco extensively, so it's really easy for us.
Link (Score:5, Informative)
I haven't used it for a while (College) but it was the most impressive tool I've ever used for Network Sniffing. It's available for pretty much every major platform.
Driftnet! (Score:3, Informative)
Red Hat / Fedora packages at Dag's apt repository [wieers.com]
Re:Ethereal (Score:4, Informative)
RMON (Score:5, Informative)
RMON (see RFC 3577) or Remote Monitoring is a set of SNMP MIBs which allow you to gather traffic information (including packet captures) from the network elements themselves. You do not need to have a computer to run ethereal, snoop or tcpdump.
The switch/router/probe will collect the info for you, automatically.
Virtually all switches support (mini-)RMON. Furthermore you have (full) RMON probes which you can install at various places in the network.
The flexibility of RMON probes is much larger than ethereal. However, I often use ethereal to look at the packets captured using RMON.
Some info:
http://www.ietf.org/html.charters/rmonmib-
http://www.cisco.com/univercd/cc/td/doc/cis
my 2 cents
Rik
Re:Ethereal (Score:3, Insightful)
MSFT had me download a time limited version of Netmon, which has more features than the version that ships with Windows NT/2000 Server. It seemed to be way better than Ethereal. But beggars can't be choosers
Hrm... (Score:3, Funny)
My job is to keep the company running as close to 100% of the time as possible while trying not to spend any money on up to date hardware and software
Are you trying to steal my job?
Sniffing Tools... (Score:5, Informative)
Tcpdump is generally considered the superior learning tool, while ethereal is considered the more refined choice. In other words, ethereal does a lot of the work for you, while you are getting pretty raw stuff when you use tcpdump.
In general, tcpdump and ethereal are the tools of choice if you don't have tons of money to spend. Fancy looking enterprise applications essentially do the same thing as the apps mentioned above -- they just add a nice GUI to the mix.
Re:Sniffing Tools... (Score:3, Informative)
I tend to use tcpdump when I am watching a box using a specific filter and expecting very little traffic,
Having a fancy machine with X running isn't always an option. We have an old 200 MHz Celeron machine attached to our 8Mb Internet link (with a network interface that doesn't have an IP) and that machine can capture whatever traffic I am looking for with just tcpdump.
There are options to exclude and include whatever traffic you want..
For example, we had a problem with a government agency in Canada
Ethereal (Score:5, Informative)
Re:Ethereal (Score:5, Funny)
Re:Ethereal (Score:5, Funny)
Ethereal. (Score:5, Informative)
Re:Ethereal. (Score:4, Informative)
Works great.
Re:Ethereal. (Score:5, Informative)
The best web-based version is ntop [ntop.org], which is another one of those "Oh my god, this is SOOO cool" tools, similar to ethereal. It lets you drill-down through a fair bit of data, and pages load fast and it's virtually real-time, so you can bang on the reload key and see a similar sort of data that etherape/iftop would give you. It has a daemon piece and a CGI piece, so installing it via a package (eg. apt-get install ntop [google.com]) may be much prefered to installing it by hand.
Ethereal! (Score:3, Informative)
zasniff (Score:3, Informative)
I found it to be quite nice for monitoring telnet usage and I use it a lot.
Sounds like an NT/XP...Use Linux/Unix (Score:3, Informative)
I'm not a network admin (Score:4, Interesting)
On a properly configured network, where are the points of failure that can't be figured out with any other method besides packet sniffing? If these problems exist, would it be worthwhile to incorporate functionality directly into the networking software to watch for these problems and fix them automatically?
Re:I'm not a network admin (Score:5, Interesting)
Re:I'm not a network admin (Score:5, Insightful)
Sometimes it's not practical to hack sniffing in to the application, when you can just do 'tcpdump -Xns 16384' any time.
Re:I'm not a network admin (Score:3, Insightful)
Re:I'm not a network admin (Score:3, Interesting)
I could give dozens of other examples, but others have already done that. Let's just say I'm sort of a sniffer zealot. Any time I'm seeing network strangeness
Re:I'm not a network admin (Score:3, Interesting)
Re:I'm not a network admin (Score:4, Interesting)
When you're writing network software, or software that uses the network, you often run into weird and hard-to-debug problems. The task of finding the cause of these bugs is often expedited by looking at the packets on the wire.
For example, you think you're sending a particular pattern of bits (1's and 0's) -- that's what you think you coded in your program. But for some reason, the other end doesn't understand your packets. You could put a bunch of debugging statements in your program, recompile, and hope you can see the problem, or, you can simply sniff the packets and see what's really going out on the wire.
As another person mentioned, sniffing is also useful for reverse-engineering closed-source software that uses the network. That's how those guys implemented clients for AIM -- they just figured out what messages to send back and forth. (Sadly, AOHell decided to change the protocol every 2 minutes so the open-source clients don't work very well.)
As far as security, sniffing or analyzing traffic is one of the best tools available to see what's passing through your network. It's analogous to the security cameras in the local stop-and-rob (gas station) or in a casino -- they let the security guys watch what's going on, review it after the fact, and find/identify the bad guys.
sniffing, etc. (Score:5, Informative)
http://www.flukenetworks.com/us/default.htm
Re:sniffing, etc. (Score:3, Interesting)
Sure, it has Total Integration [flukenetworks.com]. But is it an e-Solution for my enterprise application?
What does it do? Can anyone enlighten us, since fluke's web site makes this product look like an April fool's gag?
Great tools. (Score:5, Informative)
Simple.... (Score:4, Funny)
Re:Simple.... (Score:3, Insightful)
Re:Simple.... (Score:4, Funny)
When I was young, we just held our fingers against the wire, and felt the electric pulses.
Kids these days...
Re:Simple.... (Score:3, Funny)
The rest of us would monitor the nose twitches.
This is where the term 'Test Bunny' came from.
Re:Simple.... (Score:5, Funny)
Translation:
You'd be surprised at the sheer amount of BS a well trained conartist^H^H^H^H^H^H^H^H^Htechnician can pull off with an oscilloscope. Doesn't even have to be hooked up to anything.
"I see you have a large piece of test equipment there."
"Yes. It's telling me your password is insecure and hackers know about you-know-what..."
"Uh - I'll be right back..."
-Adam
Re:Simple.... (Score:5, Funny)
Re:Simple.... (Score:3, Informative)
Re:Simple.... (Score:4, Funny)
Re:^H^H^H (Score:3, Funny)
I use ettercap (Score:5, Informative)
Cool Features: Character injection in an established connection: you can inject characters to the server (emulating commands) or to the client (emulating replies) while keeping the connection alive!!
SSH1 support: you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable of sniffing an SSH connection in FULL-DUPLEX
HTTPS support : you can sniff http SSL secured data... and even if the connection is made through a PROXY
Remote traffic through GRE tunnel: you can sniff remote traffic through a GRE tunnel from a remote cisco router and make mitm attack on it
PPTP broker: you can perform man in the middle attack against PPTP tunnels
Plug-ins support : You can create your own plugin using the ettercap's API. List of available plugins
Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming soon...)
Packet filtering/dropping: You can set up a filter that searches for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet.
OS fingerprint: you can fingerprint the OS of the victim host and even its network adapter
Kill a connection: from the connections list you can kill all the connections you want
Passive scanning of the LAN: you can retrieve info about: hosts in the LAN, open ports, service versions, type of the host (gateway, router or simple host) and estimated distance in hops.
Check for other poisoners: ettercap has the ability to actively or passively find other poisoners on the LAN
Bind sniffed data to a local port: you can connect to that port with a client and decode unknown protocols or inject data to it (only in arp based mode)
Port Stealing: a new method to sniff on switched LAN without ARP poisoning...
http://ettercap.sourceforge.net/
Re:I use ettercap (Score:3, Insightful)
That's not a sniffer... that's a freakin' rootkit!
Cheers
Stor
Fluke meters (Score:4, Informative)
we have been having quite a few network problems that can only really be resolved by sniffing packets.
By "packets" I hope you mean "Ethernet frames". Looking only at layer 3+ information can be useless for many network problems. Anyhow, brain dump:
Do your switches and LAN router(s) have statistic counters (# of frames of various sizes, undersized/oversized frames, flooded frames, deferred frames, etc)?
If you don't have a LAN router for 500 users: why?
What's the most amount of hops (switches) your packets will travel from one end of the LAN to the other? Any more than 3 and you should be putting a LAN router in there (ideally)
Do you have hubs? If so, destroy them all right now. Hubs are pure, unadulterated evil.
My point of that is simple: not all LAN problems are computer problems. Looking at the IP traffic doesn't always cut it. Re: the subject: At my workplace we have a nice LAN meter from Fluke [fluke.com]. They aren't cheap but if you have that many users your company should damn well pay for the right tools for you to do your job.
Re:Fluke meters (Score:3, Insightful)
I disagree. They're great for sniffing packets. If you've got an ethernet-connected device that doesn't have a sniffer onboard, and you want to see what the heck it's doing, a hub is a handy tool to have on your shelf. I use them quite often to intercept traffic while debugging software and hardware at work.
They also allow you to run a trace on a separate machine, so as not to interfere with the unit-under-test.
Yes, you could use a monitor-port, but that assumes
tcpdump and/or ethereal (Score:3, Interesting)
However, I find myself frequently using tcpdump to capture data, then downloading it and analyzing it in Ethereal on my workstation later.
tcpdump -w myfile.dump -s 2000
Re:tcpdump and/or ethereal (Score:5, Interesting)
10/100BaseT Ethernet, which pretty much everyone uses these days, is limited to 1500 snaplen. But the good old FDDI was a whopping 4500!
With -s 0, it basically means "All" - you don't have to think about what transmission medium you're using.
I also usually name my packet captures with the extension *.pcap, and just make Ethereal be the default *.pcap file handler.
I'll also use tcpdump to whittle my pcaps down. Say I capture for a long time and end up with a 500MB+ pcap. Opening this in most any workstation with Ethereal will cause you to wait awhile, and could actually crash your box (yay for WinXP pre-fetch!).
So when I've found a particular port or host I want to extract from a stream to make the pcap more manageable, I'll do something like this:
tcpdump -s 0 -r infile.pcap -w outfile.pcap host x.x.x.x and port xxx
Sometimes, I'll use tethereal instead to go a little deeper. tethereal is ***SLOW*** compared to tcpdump, but the granularity is worth it sometimes. Just set it going, and go get a coffee or something.
When examining a capture of some malware trying to spread, often times it will SYN several hundred machines without getting a reply. Trolling through these can be a pain. But by using tethereal, you can make what I call "Jesus" pcaps (no SYN's). To make it complete, I also filter RST's like so:
tethereal -r infile.pcap -w outfile -R "tcp.flags.syn==0 && tcp.flags.reset==0"
There is a way to do this in tcpdump, but it's much more complicated. Besides, you need the break anyway, right?
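The capture-then-whittle workflow described in this post (a short snaplen truncating packets, `-s 0` avoiding it, a "host X and port Y" extraction, and the SYN/RST-free "Jesus pcap"), as an added example that is not code from the thread: a minimal libpcap reader in Python. The capture it reads is constructed inline, the host addresses and ports are made up, and the 68-byte snaplen used for comparison stands in for the small default of older tcpdump releases.

```python
"""
Added example (not from the thread): a minimal libpcap reader that applies the
two filters described above to a saved capture, and shows what a short snaplen
does to the data.  The capture is constructed inline so this runs offline.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4           # little-endian libpcap magic
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame. Checksums are left at zero; the parser never checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    eth = bytes.fromhex("000c29aabbcc") + bytes.fromhex("005056112233") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(frames, snaplen):
    """Serialise frames as a libpcap file, truncating each record to snaplen as `tcpdump -s` does."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # record header: ts_sec, ts_usec, captured length, original length on the wire
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(captured), len(frame)) + captured)
    return b"".join(out)


def _decode_tcp(pkt, raw):
    """Fill in IPv4/TCP fields; anything cut off by the snaplen stays None."""
    pkt.update(src=None, dst=None, sport=None, dport=None, flags=None)
    if len(raw) < 34 or raw[12:14] != b"\x08\x00" or raw[23] != 6:
        return
    pkt["src"] = ".".join(str(b) for b in raw[26:30])
    pkt["dst"] = ".".join(str(b) for b in raw[30:34])
    tcp = 14 + (raw[14] & 0x0F) * 4
    if len(raw) < tcp + 14:
        return
    pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[tcp:tcp + 4])
    pkt["flags"] = raw[tcp + 13]


def read_pcap(data):
    """Parse a libpcap file (either byte order) into a list of packet dicts."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts, _, caplen, wirelen = struct.unpack(end + "IIII", data[off:off + 16])
        raw = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # caplen < wirelen is exactly what a too-small snaplen leaves behind
        pkt = {"ts": ts, "caplen": caplen, "wirelen": wirelen, "truncated": caplen < wirelen}
        _decode_tcp(pkt, raw)
        pkts.append(pkt)
    return pkts


def host_and_port(host, port):
    """Predicate equivalent to the BPF expression 'host X and port Y'."""
    return lambda p: host in (p["src"], p["dst"]) and port in (p["sport"], p["dport"])


def no_syn_no_rst(p):
    """tethereal's 'tcp.flags.syn==0 && tcp.flags.reset==0': drops unanswered probes and refusals."""
    return p["flags"] is not None and not (p["flags"] & (SYN | RST))


def filter_pcap(data, predicate):
    return [p for p in read_pcap(data) if predicate(p)]


# Constructed sample traffic: two unanswered probes, one refusal, one real SMTP exchange.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, SYN),
    build_frame("10.0.0.5", "10.0.0.10", 40001, 80, SYN),
    build_frame("10.0.0.9", "10.0.0.5", 80, 40000, RST | ACK),
    build_frame("10.0.0.5", "10.0.0.7", 40002, 25, PSH | ACK, b"HELO relay.example\r\n"),
    build_frame("10.0.0.7", "10.0.0.5", 25, 40002, PSH | ACK, b"250 ok\r\n" + b"x" * 1400),
]


def demo():
    full = write_pcap(SAMPLE_FRAMES, snaplen=0xFFFF)   # what 'tcpdump -s 0' gives you
    short = write_pcap(SAMPLE_FRAMES, snaplen=68)      # the small default of old tcpdump versions
    return {
        "truncated_with_s68": sum(p["truncated"] for p in read_pcap(short)),
        "truncated_with_s0": sum(p["truncated"] for p in read_pcap(full)),
        "mail_flow": len(filter_pcap(full, host_and_port("10.0.0.7", 25))),
        "no_scan_noise": len(filter_pcap(full, no_syn_no_rst)),
    }


if __name__ == "__main__":
    print(demo())
```

With the 68-byte snaplen the two frames carrying SMTP data are flagged as truncated (their payload, which is what you would want to read later, is gone), while `-s 0` captures every frame whole; the host-and-port predicate keeps the two SMTP segments, and the SYN/RST predicate throws away the three probe and refusal frames. The parser treats a record whose TCP header was cut off as having no flags, so it never falls through the flag filter unexamined.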
Bitch, don't you know where you are? (Score:5, Funny)
This is Slashdot, you'll lose an eye here faster than you will in a barfight for saying that free (beer and speech) GNU/Linux isn't better than costly (money and your soul) Windows!
LK
Re:Bitch, don't you know where you are? (Score:3, Informative)
It has something to do with Native Americans and Potlatch dinners and stuff, but to be honest it was years ago when he explained it to me and I was half-drunk at the
dsniff, ntop (Score:5, Informative)
Argus (Score:5, Informative)
It's really good for summarizing flow information in quasi-realtime, so it fills the niche of being more detailed than NetFlow, but more big-picture than tcpdump or ethereal.
Re:Argus (Score:4, Informative)
It's not open source or free, but is a really useful tool at work, IMHO.
What problems are you talking about (Score:4, Insightful)
What kind of problems are you talking about? On ethernet level? On IP level? On application level?
They all have different approaches, and all have different tools.
ngrep (Score:3, Informative)
Ethereal + other tools works nicely (Score:5, Informative)
To install Ethereal, you will need to download and install the low-level WinPcap [polito.it] driver.
And you may find the Ethereal packet analysis plug-in Packetyzer [networkchemistry.com] helpful; sometimes reading raw logs gets a bit annoying.
--LP
My tools (Score:4, Funny)
Sniffer Pro (Score:5, Informative)
Got wan problems, Sniffer can work with a Y cable and hardware decoder to watch your WAN.
They even have long term trending and reporting tools. Its maybe the one tool that Network Associates does right.
Ethereal and TCPDump are good for protocol analysis, but most network problems I've dealt with are not really at the application layer, but more the physical layer. (Dodgy Network Cards, Flat network designs with hundreds of hosts, causing your collision rate to go through the roof etc)
The other thing that I like about sniffer, is it's made for people that might not have degrees in network analysis. It's got that Expert System. It will throw at you all the errors it finds, and is good enough to tell you what those errors mean.
Lastly, The export feature is great. Does my boss want to know what is the biggest talker on the network, Let sniffer run for a few hours, export to Excel, and I can give him the top 10/20/50, I can break it down further by protocol or application, and can even tell him who the partners are.
I know there are other tools out there that can do all this, (ntop, ethereal, tcpdump, rrd's) but thats exactly my point. They are different tools, they don't work together, and imho, none of them are true network diagnostic tools.
I'm Ex NAI employee btw, so maybe a bit biased, but I still use Sniffer (legit copies) to this day. There are only a few reasons why I still have a windows drive for my laptop, and Sniffer is no. 1)
my tools.... (Score:3, Informative)
Outsourcing to Trained Cats (Score:5, Funny)
i prefer analyzer to ethereal on win32 (Score:3, Informative)
snort (Score:5, Informative)
Packetyzer (Score:4, Informative)
k.
network traffic analysis tools vs sniffers (Score:3, Informative)
A classic 'Sniffer' from Network General (which is currently 'Network Associates' attempts to perform some rudimentary analysis (which is called 'Expert whatever
If you are interested in pin-pointing the reason why some distributed application doesn't run well on your network, by all means get OPNET Application Doctor. It is a fairly expensive tool, but this is probably the best you can get. Used it and love it.
My homemade sniffer (Score:5, Funny)
Along similar lines (Score:5, Interesting)
EtherPEG works by capturing unencrypted TCP packets off your local network, collecting packets into groups based on TCP connection (determined from source IP address, destination IP address, source TCP port and destination TCP port), reassembling those packets into order based on TCP sequence number, and then scanning the resulting data for byte sequences that suggest the presence of JPEG or GIF data.
Or in other words, fire it up, plug in a data projector and watch everyone's porn. Interesting side-effect: It makes (most) people a lot more careful what they browse if they know the results will be displayed for everyone's amusement. Mercifully, it's also a lot less likely these days to see The Goatse flying across the screen.
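The grouping and reordering EtherPEG does (bucket segments by 4-tuple, put them back in sequence order, then scan the result for JPEG/GIF magic bytes) is the same stream reassembly an IDS needs before any content rule can match, and the same thing an analyst does to inventory what a capture actually carried in cleartext. The following is an added example written for this thread, not EtherPEG's code: it takes already-decoded segments (a pcap reader would normally supply them; the addresses, ports and payloads are constructed), handles out-of-order arrival, a retransmission and a lost segment, and shows why scanning packets one at a time misses a signature split across two segments.

```python
"""
Added example (not EtherPEG's code): reassemble TCP streams from decoded segments
and scan the result for content signatures.  The packets are constructed inline
and include out-of-order delivery, a retransmission and a lost segment.
"""
from collections import defaultdict

# Content signatures in the EtherPEG spirit; an IDS content rule is matched the same way.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "gif87": b"GIF87a", "gif89": b"GIF89a"}


def flow_key(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])


def reassemble(packets):
    """Return {flow: {"data": bytes, "holes": int}} ordering segments by sequence number.
    Assumes no 32-bit sequence wrap inside the capture (a simplification of this example)."""
    segments = defaultdict(list)
    for p in packets:
        if p["payload"]:
            segments[flow_key(p)].append((p["seq"], p["payload"]))
    streams = {}
    for key, segs in segments.items():
        segs.sort(key=lambda s: s[0])
        base = segs[0][0]
        buf, holes = bytearray(), 0
        for seq, data in segs:
            rel = seq - base
            if rel > len(buf):             # gap: segment lost or never captured
                holes += 1
                buf.extend(b"\x00" * (rel - len(buf)))
            elif rel < len(buf):           # retransmission/overlap: keep what was already seen
                data = data[len(buf) - rel:]
            buf.extend(data)
        streams[key] = {"data": bytes(buf), "holes": holes}
    return streams


def find_signatures(data):
    """All (offset, name) signature hits in a byte string, in offset order."""
    hits = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (i := data.find(magic, start)) != -1:
            hits.append((i, name))
            start = i + 1
    return sorted(hits)


def inventory(packets):
    """Per flow: reassembly holes and the image signatures found in the reassembled stream."""
    return {key: {"holes": s["holes"], "images": find_signatures(s["data"])}
            for key, s in reassemble(packets).items()}


def per_packet_hits(packets):
    """Naive alternative: scan each segment on its own (misses signatures split across segments)."""
    return sum(len(find_signatures(p["payload"])) for p in packets)


def _seg(src, sport, dst, dport, seq, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "seq": seq, "payload": payload}


# Constructed sample: hosts, ports and payloads are made up for this example.
SERVER, CLIENT = ("10.0.0.9", 80), ("10.0.0.5", 40000)
SAMPLE_PACKETS = [
    # JPEG response: third segment arrives first, second is retransmitted once.
    _seg(*SERVER, *CLIENT, 1055, b"\x01\x01\x00\x48\x00\x48\x00\x00"),
    _seg(*SERVER, *CLIENT, 1000, b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8"),
    _seg(*SERVER, *CLIENT, 1047, b"\xff\xe0\x00\x10JFIF\x00"),
    _seg(*SERVER, *CLIENT, 1047, b"\xff\xe0\x00\x10JFIF\x00"),
    # The request in the other direction: plain text, nothing to flag.
    _seg(*CLIENT, *SERVER, 500, b"GET /logo.jpg HTTP/1.1\r\n\r\n"),
    # GIF response on a second connection with ten bytes missing from the capture.
    _seg("10.0.0.9", 80, "10.0.0.6", 40001, 2000, b"HTTP/1.1 200 OK\r\n\r\n"),
    _seg("10.0.0.9", 80, "10.0.0.6", 40001, 2029, b"GIF89a\x01\x00\x01\x00"),
]


if __name__ == "__main__":
    for key, entry in inventory(SAMPLE_PACKETS).items():
        print(key, entry)
    print("per-packet hits:", per_packet_hits(SAMPLE_PACKETS))
```

The JPEG marker `FF D8 FF` straddles the first two segments of the server's response, so the per-packet scan finds only the GIF; after reassembly both flows are reported, and the GIF flow is also marked as having one hole, which tells the analyst that any bytes inside that gap were never captured rather than absent on the wire. Keeping the first copy of overlapping data is one of several possible policies; real reassembly engines have to choose one deliberately because endpoints differ, which is exactly what IDS evasion papers exploit.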
LanScaper (Score:5, Informative)
Fluke NetTool (Score:4, Informative)
$1200, but well worth it.
They have an 802.11x version too.
A couple of useful tools. (Score:5, Informative)
SmokePing, which uses rrdtool as a backend, is a great tool for graphically displaying ping information.
Netsaint is very good for monitoring systems and networks and letting you know ASAP when there's a problem. It can also use rrdtool to generate graphs of packet loss and ping latency.
All of the above are things that will give you current as well as historic information. Current information is good, but historic information is incredibly important. Trending is the obvious thing, allowing you to predict future use to some extent. More importantly, it lets you examine things that happened recently but aren't currently happening, and to see recurring issues.
Recently, our local Internet cooperative was having problems where one of the upstream connections was going into very high packet loss and dropping its BGP peer. We keep fairly high resolution traffic statistics through ganglia, another rrdtool based network system. That along with the RRD CGI grapher allowed us to create custom graphs of traffic with very high resolution, for days and weeks past, overlaying multiple sources.
Once we did that, it became obvious that every time we ran into these problems, one of our members was hitting the line somewhat hard. It wasn't hard enough that it pegged the line from a bandwidth standpoint, but it apparently was hard enough that it caused some part of the network to experience extremely high packet loss.
That was definitely a case where having the right tool allowed us to track down a fairly hard to see problem. Because our line was not at all saturated, we spent a lot of time looking for things like bad cables, ports with lots of accumulating errors, etc...
Sean
options (Score:4, Informative)
hunt (sniffer, spoofer, ... perhaps more handy in blackhat situations or to sniff ascii services)
tcpdump (simple packet dumper)
netwatch (console tool to monitor connections etc)
ethereal (graphical traffic analyser - pretty easy to use)
snort (IDS, probably better for aimed searching)
These are the programs I have used in the past (and some others like netcat and netgrep, but these probably don't come in handy for what you want to do). Be careful that whatever daemon you run, doesn't get you into trouble - although these are security-programs, they occasionally have security bugs themselves. It would feel stupid to be compromised because of the very program that's supposed to aid in fighting hackers.
Also remember some of these tools can fill up your drives in seconds, if you're not careful. I once had that problem, due to a typo, and it took a few days before I realised. Of course, you miss anything you would want to have logged during that time...
I don't really know any commercial tools. And I don't think I'll ever need one... Unix/Linux systems have lots of net tools, it's probably one of the best represented categories.
Sniffing (Score:3, Funny)
You'll learn and get caught. But who am I to stop you from a life experience.
ethereal is great. It's proven to be lots of fun.
For wireless, I use Wellenreiter and Kismet.
Sitting in a major Las Vegas hotel, only a few floors up from the casino, I turned on my laptop, hoping to find an access point I could get online with (damned hotel didn't provide Internet access). I heard two APs, and caught a couple IPs going by. I assigned myself an IP which appeared to not be used, and fired up ethereal.
I saw text for several of the casino machines going by. It was the text to be updated to the displays, including windows paths to where the files originated from (I believe). It was all in plain text. I noted down what I saw for a few minutes, shut down the laptop, and proceeded to lose for the rest of the night in the casino. Hey, that's what Vegas is for, right?
After I got home, I dug around for something resembling an admin contact at the casino, and advised him of what I saw. It would have probably been pretty easy to push my own updates to the machines. What would I say though?
"Gambling is an addiction, quit now."
"This game is rigged, move on."
"This is the droid you are looking for."
"With a 97% chance of losing, did you really want to play this game?"
or, I guess
"I'm a spiffy keen elite haxor type person, props to my homeyz" haha
tcpdump, ethereal, etherpeek (Score:5, Informative)
When I really need to analyze a stream or set of streams, or I'm going to be staring at packets for more than about 10 minutes, I switch to ethereal. Again, it's free, runs on most OSes (including Windows, again), and the GUI is a little clunky, but quite usable. As several people have mentioned, the capture filter syntax is identical to tcpdump. The display filter syntax is different and I find is a little tricky to get right, so I try to prefilter (or filter with tcpdump beforehand) as much as possible.
One handy feature is the ability to analyze certain types of streams, such as a TCP session (filter out the whole session and see all the data in one window) and SIP (analyze jitter, loss, extract audio session, etc.). It's also open-source, so if it doesn't understand some kind of traffic, you can write your own extension. I haven't had to do this yet, but I know people who have, and it seems easy enough for a competent programmer.
My employer has a site license for WildPackets Etherpeek (it comes in several versions... I think we have one of the higher-end ones). Frankly, it's prettier than ethereal, but, at least for the debugging I do, provides very little extra functionality. The capture filters are embedded in a GUI which I find makes it hard to see how they're configured.
Etherpeek is pretty and may be easier for novices to use. But I wouldn't waste the money unless it has some quirky feature you just can't live without.
Something to keep in mind: often, the place where you capture packets is not where you'd like to analyze them. For example, I've had situations where I needed to sniff traffic on a remote server -- I had ssh access to the server (and root, of course
There are also handy tools for managing and analyzing tcpdump files, such as tcpslice, which breaks up large dumps by time, date, etc.; there is a tool that "anonymizes" packets so that you can analyze streams without violating anyone's privacy (this is largely for academic use, but if, for example, you wanted to do some kind of traffic analysis on your uplink, you could do so without ruffling as many feathers).
Finally, note that tcpdump will sniff on pretty much any interface that supports libpcap. Tools like Etherpeek only talk to certain (ethernet) adapters, for example. Caveat emptor.
Bottom line: pick the right tool for the job
Pay for? (Score:3, Insightful)
What a stupid thing to say, on Slashdot of all places!
here's my stream of conscious sniffing text file: (Score:5, Informative)
http://www.cs.columbia.edu/~hgs/internet/tools.
iftop - ncurses
iptraf - ncurses
tcpflow - reconstruct into file per tcp conn
ettercap - ncurses, kill conn, drill down on connection, ssh 1 attack, etc
ssldump - http://www.rtfm.com/ssldump/
etherape - graphical view of net
ntop - web based network monitoring
ethereal - GUI - based sniffer, gets all protocols.
mtr - monitor hops
trafshow - nice ncurses sorted list of top bandwidth hogs
http://www.mirrors.wiretapped.net/security/networ
favorite security tools survey (Score:3, Informative)
see http://www.insecure.org/tools.html
Paul
snoopy (Score:3, Informative)
snoopy [bell-labs.com]
Re:ethereal, tcpdump (Score:5, Informative)
Re:ethereal, tcpdump (Score:5, Informative)
you can try it with Knoppix STD Bootable Linux-ON-CD [knoppix-std.org]
which comes with all this:
aimSniff : sniff AIM traffic
driftnet : sniffs for images
dsniff : sniffs for cleartext passwords (thanks Dug)
ethereal 0.10.0 : the standard. includes tethereal
ettercap 0.6.b : sniff on a switched network and more.
filesnarf : grab files out of NFS traffic
mailsnarf : sniff smtp/pop traffic
msgsnarf : sniff aol-im, msn, yahoo-im, irc, icq traffic
ngrep : network grep, a sniffer with grep filter capabilities
tcpdump : the core of it all
urlsnarf : log all urls visited on the wire
webspy : mirror all urls visited by a host in your local browser
Re:ethereal, tcpdump (Score:4, Informative)
does a good job under Windows.
Re:ethereal, tcpdump (Score:3)
Yeah, redundant - but concise: (Score:5, Informative)
then get ethereal for windows [ethereal.com]
and get windump [polito.it]
SANS.org has all the info: Packet capture apps [sans.org]
Re:ethereal, tcpdump (Score:5, Informative)
c:\system32\system\netmon\netmon.exe.
It's not going to support 500 protocols like ethereal. But hey, it comes default with windows 2000 without you having to install anything separately.
Re:I don't mean to flame, but... (Score:3, Informative)
Re:I don't mean to flame, but... (Score:3, Interesting)
Are you THAT fucking stupid? How long have you been a "network administrator"? Which part of Google and basic documentation do you not understand?
I don't mean to flame, but...
Are you THAT fucking stupid? How long have you been a "member of society"? Which part of consulting your peers do you not understand?
Just so that this isn't a total flame:
The fact that the submitter said nothing about Ethereal and the like doesn't mean he's unaware of them; he may just be wondering what other options are ava
Re:I don't mean to flame, but... (Score:3, Interesting)
The thing is, there are tons of network applications that fulfill usefully different roles:
Re:Sniff JPEG images from network (Score:3, Informative)