A sniffer (from English "to sniff") is software that can examine the traffic of a network for abnormalities. It is a tool for network analysis.
Origin of the term
Sniffer is the English word for someone who sniffs. The manufacturer Network General used it as the name of its software for analyzing networks for irregularities in data traffic. Because the product name described the software's function accurately and was catchy, it has become the generic term for software of this kind.
A sniffer has two capture modes: non-promiscuous mode and promiscuous mode. In non-promiscuous mode only the incoming and outgoing data traffic of the sniffer's own computer is "sniffed". In promiscuous mode the sniffer collects all data traffic arriving at the network interface that has been switched into this mode: not only the frames addressed to that interface are received, but also those addressed to other stations. In Ethernet networks the addressee of a frame is determined by its MAC address.
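The following Python program is an added example, not code from the original article or from any product named on it. It models the delivery rule just described: it parses the 14-byte Ethernet header of each frame and decides whether a host would see the frame in non-promiscuous mode (only its own unicast MAC, broadcast and multicast) or in promiscuous mode (everything on the wire). The MAC addresses, the interface address OWN_MAC and the sample frames are all constructed for the example.

```python
"""
Added example (not part of the original article): which Ethernet frames a
network interface hands to the host in non-promiscuous versus promiscuous
mode.  All frames and MAC addresses below are constructed sample data; the
interface address OWN_MAC is an assumption of this example.
"""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw: bytes) -> str:
    """Render a 6-byte MAC address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    """Inverse of mac_to_str (used to build the sample frames)."""
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_ethernet_header(frame: bytes) -> dict:
    """Split the 14-byte Ethernet II header into destination, source, EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def is_multicast(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) marks group addresses."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool) -> bool:
    """
    Non-promiscuous: deliver only frames to our own unicast MAC, to the
    broadcast address, or to a multicast group (a real NIC additionally
    consults its multicast filter list).
    Promiscuous: deliver every frame seen on the wire, whoever it is for.
    """
    if promiscuous:
        return True
    dst = parse_ethernet_header(frame)["dst"]
    return dst == own_mac.lower() or dst == BROADCAST or is_multicast(dst)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame from its header fields (only used for the sample data)."""
    return struct.pack("!6s6sH", mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload


# Constructed sample traffic on a shared segment; every address is fictitious.
OWN_MAC = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_frame(OWN_MAC, "02:00:00:00:00:02", 0x0800, b"to us"),
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:02", 0x0800, b"to someone else"),
    build_frame(BROADCAST, "02:00:00:00:00:02", 0x0806, b"arp request"),
    build_frame("01:00:5e:00:00:fb", "02:00:00:00:00:02", 0x0800, b"mdns multicast"),
]


def captured(frames, own_mac: str, promiscuous: bool) -> list:
    """Return the payloads the host would see in the given capture mode."""
    return [parse_ethernet_header(f)["payload"]
            for f in frames if nic_accepts(f, own_mac, promiscuous)]


if __name__ == "__main__":
    print("non-promiscuous:", captured(SAMPLE_FRAMES, OWN_MAC, False))
    print("promiscuous:    ", captured(SAMPLE_FRAMES, OWN_MAC, True))
```

In non-promiscuous mode the frame addressed to 02:00:00:00:00:03 is dropped by the interface and never reaches the host; in promiscuous mode all four frames are delivered. On Linux an interface that has been switched into promiscuous mode shows the PROMISC flag in the output of `ip link show`, which is a simple check for an administrator who wants to know whether a sniffer is running on a machine.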
Which data a sniffer can see also depends on the network structure. If the computers are connected by hubs, all traffic of the other hosts can be recorded. If a switch is used, little or no traffic that is not intended for the sniffing system itself is visible. In that case, however, there are several techniques, such as ARP spoofing, ICMP redirects, DHCP spoofing or MAC flooding, by which the frames can still be received.
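The ARP spoofing mentioned above leaves a recognizable trace on the wire: an IP address that was previously announced by one MAC address is suddenly announced by another, typically the gateway's address. The following Python program is an added example, not code from the original article, showing how a monitoring host can detect that pattern. It decodes raw ARP packets in the RFC 826 layout and keeps an IP-to-MAC table; the trusted gateway binding, the fictitious addresses from the 192.0.2.0/24 documentation range and the sample packets are all assumptions constructed for the example.

```python
"""
Added example (not part of the original article): detecting the ARP-spoofing
pattern from the monitoring side.  Parses raw Ethernet/IPv4 ARP packets and
alerts when an IP address changes its MAC or when a trusted binding (for
example the default gateway) is claimed by another station.  All packets and
addresses below are constructed sample data.
"""
import struct
from typing import Dict, List

ARP_REQUEST = 1
ARP_REPLY = 2
ARP_FORMAT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def parse_arp(packet: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP packet into its fields."""
    if len(packet) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, packet[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,
        "sender_mac": ":".join(f"{b:02x}" for b in sha),
        "sender_ip": ".".join(str(b) for b in spa),
        "target_mac": ":".join(f"{b:02x}" for b in tha),
        "target_ip": ".".join(str(b) for b in tpa),
    }


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble an ARP packet (only used to create the constructed sample data)."""
    mac = lambda m: bytes(int(x, 16) for x in m.split(":"))  # noqa: E731
    ip = lambda a: bytes(int(x) for x in a.split("."))       # noqa: E731
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


class ArpWatch:
    """Track IP -> MAC bindings learned from ARP replies and flag changes."""

    def __init__(self, trusted: Dict[str, str]):
        # Static bindings the operator vouches for, e.g. the default gateway.
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.table: Dict[str, str] = dict(self.trusted)
        self.alerts: List[str] = []

    def observe(self, packet: bytes) -> None:
        arp = parse_arp(packet)
        if arp["oper"] != ARP_REPLY:
            return  # requests carry no binding claim that needs checking here
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in self.trusted and mac != self.trusted[ip]:
            self.alerts.append(f"trusted host {ip} claimed by {mac} (expected {self.trusted[ip]})")
            return  # keep the trusted binding; never learn the impostor
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"{ip} changed from {known} to {mac}")
        self.table[ip] = mac


# Constructed sample exchange; the gateway binding is an assumption of the example.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "02:00:00:00:00:aa"
HOST_A = "02:00:00:00:00:01"
SAMPLE_PACKETS = [
    build_arp(ARP_REQUEST, HOST_A, "192.0.2.10", "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_A, "192.0.2.10"),          # genuine gateway
    build_arp(ARP_REPLY, "02:00:00:00:00:02", "192.0.2.20", HOST_A, "192.0.2.10"),  # learn .20
    build_arp(ARP_REPLY, "02:00:00:00:00:66", GATEWAY_IP, HOST_A, "192.0.2.10"),  # gateway impersonated
    build_arp(ARP_REPLY, "02:00:00:00:00:66", "192.0.2.20", HOST_A, "192.0.2.10"),  # .20 re-bound
]


def run_detector(packets, trusted: Dict[str, str]) -> List[str]:
    """Feed all packets through the watcher and return the alerts raised."""
    watch = ArpWatch(trusted)
    for packet in packets:
        watch.observe(packet)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_PACKETS, {GATEWAY_IP: GATEWAY_MAC}):
        print("ALERT:", alert)
```

Run on the sample exchange the detector raises two alerts: the gateway address claimed by 02:00:00:00:00:66, and host 192.0.2.20 changing its MAC. The same logic is what tools such as arpwatch apply on a real interface. On managed switches the underlying techniques are countered with Dynamic ARP Inspection and DHCP snooping (against ARP and DHCP spoofing) and port security with a MAC address limit (against MAC flooding).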
There are several reasons to use a sniffer:
- Diagnosing network problems
- Detecting intrusion attempts (intrusion detection systems)
- Network traffic analysis and filtering for suspicious content
- Data espionage
Well-known sniffer products and their classification
(Product overview: see below)
LAN analyzers, commonly called "sniffers" (after the oldest and for a long time most widespread product), have existed since the late 1980s. In the field of LAN analysis the generic term "sniffer" is therefore often used without referring specifically to the product of that name, but to any product of this kind.
A general distinction is made between:
- Local analyzer ↔ remote analyzer / distributed analyzer - Local analyzers are classic PC programs. Remote analyzers are agents placed in remote LAN segments and controlled from a central station, as has long been standard in network management; this is then called distributed analysis. In networks that are heavily segmented by switching and routing, this kind of analysis is ultimately indispensable.
- Hardware analyzer ↔ software analyzer - Until the mid-1990s the focus was still strongly on hardware analyzers; today PC-based software analyzers have largely established themselves. Hardware analyzers remain indispensable in high-performance networks, but their high cost, their slow development compared with software analyzers and the capital risk in the event of errors have led customers to use hardware only where it is absolutely essential. As a result, hardly any hardware analyzer manufacturers are still active on the market.
- Commercial analyzer ↔ non-commercial ("open source") analyzer - Until the late 1990s there were practically only proprietary analyzers. This has gradually changed since 1998 with Wireshark (formerly Ethereal).
Until the late 1990s users were almost entirely dependent on commercial products. The problem was not so much that these cost money but that the manufacturers developed past the market, failing to recognize important needs or recognizing them too late. Users consequently resorted to self-help (see Wireshark), which has resulted in a crisis for many commercial manufacturers.
Since about 2002 the acceptance and spread of the GPL-licensed analyzer Wireshark (formerly Ethereal) has increased enormously. The main reasons are that the software can be obtained free of charge over the Internet, its capabilities, its constant updating and its practical relevance. At the end of the 1990s about ten major commercial manufacturers of LAN analyzers (not counting smaller ones) were still active on the global market; the number of manufacturers worth mentioning has since fallen to about five.
Most commercial manufacturers can no longer match the extremely large developer community that Wireshark has attracted. In addition, large companies that use LAN protocols of their own now take part in its development: because Wireshark is an open platform, Siemens, for example, contributes support for analyzing its own machine-control and medical-technology protocols.
Legal situation in Germany
Recording network traffic without authorization constitutes data espionage (Ausspähen von Daten) under Section 202a of the German Criminal Code (StGB).
Important products of LAN analysis in alphabetical order:
- Cain & Abel
- caplon (consistec)
- Capsa (Colasoft)
- Clearsight Analyzer (Clearsight Networks)
- Cubro Netrecorder (Cubro)
- EtherPeek, OmniPeek, GigaPeek (Savvius)
- LANdecoder32 (Triticom)
- Microsoft Network Monitor
- NETCORtools (TCP Trace based)
- NetSpector (INAT)
- NetVCR (Niksun)
- NetworkActiv PIAFCTM
- Observer (Viavi)
- OptiView (Fluke Networks)
- Sniffer (NetScout, after taking over Network General)
- TraceCommander (Synapse Networks)
- webSensor and webProbe (Moniforce)
- Wireshark (formerly known as Ethereal)
- http://www.easy-network.de/snffer.html Structure, functionality and protective measures against a sniffer
- http://www.ietf.org/rfc/rfc1761.txt IETF Request for Comments No. 1761