Pluralsight blog Where devs, IT admins & creative pros go for news, tips, videos and more.
Pluralsight + Digital-Tutors - 3,000 tech & creative courses - starting at $29/month Get it now →
November 8, 2012

Ethical Hacking: Network Sniffing Software Tools


Watch these Ethical Hacking videos, and you’ll understand skills like network sniffing, social engineering, hijacking, and more. With these tactics of ethical hacking you’ll learn security techniques through the mind of an attacker.



There are actually several dozen network sniffing software tools out there. Far and away the most common is Wireshark. Wireshark is the de facto attacker tool for network sniffing. In fact, it’s probably the most common legitimate network administration tool in this space as well. It’s been around for quite a while, it’s relatively stable, and it’s got a huge following. It’s actually the kind of technology that if you take the certified ethical hacker exam and if they’re asking questions around sniffing the wire, they’re probably asking Wireshark specific questions. They’re probably asking questions on how to use it, how not to use it, and so forth. Wireshark actually adds a couple of different add ons. It has a WinPcap add on for sniffing hard wired ethernet connection as well as AirPcap for sniffing wireless network traffic, which you’ll see in other videos.

Microsoft Network Monitor

As I said, there’s dozens of different tools. Probably my other favorite is Network Monitor, the Microsoft network monitor tool. It’s built into some versions of Windows, so actually in a lot of cases compromising a system, you don’t have to load an additional network monitor on, and it might already be there.

Network Monitor might already be on the compromised Windows system. It’s also relatively stable. Wireshark, in certain versions, has not been as stable as Network Monitor. The downside to Network Monitor is that it is not quite as good at capturing a variety of traffic as Wireshark is. It’s really a personal preference thing and there are many, many, many other tools.

You should definitely take a look at the tools that are right for you, based on your use, preference of interface, preference of performance, and so forth. Generally speaking though, I would start with Wireshark and get familiar with Wireshark. If you’re not familiar with any network sniffing tool at this moment download Wireshark and actually practice with it a little bit. I’ll show you how it looks in just a moment.

Network Interface Card

A question that often comes up is how do these network sniffing tools remain passive? How do they stay out of the way of network intrusion detection and intrusion prevention systems? How do they stay away from tipping off administrators? Actually the interesting thing here is in how a Network Interface Card or a NIC works.

A NIC that’s connected to a network listens to all network traffic and, by default it simply discards or ignores any traffic that it’s not supposed to service. Any traffic that’s not destined for the upper level protocol suite or operating system is just thrown away. These network sniffing tools tell the NIC, “Hey, everything that you see is important to me, send it all up.”

That’s how they work. They don’t really change how the network card is connected to the wire. They just change what gets reported up from the network card. The network card was already seeing all of this traffic. It’s now simply reporting it instead of discarding it.

You may say to yourself, depending on your level of familiarity with current network technology, “ But my NIC doesn’t see all of the traffic that’s on the network. My NIC doesn’t see traffic on that segment over there or this segment over there.” This is common in switch networks, which is most of the networks that are actually out there. It just depends on what kind of network, what protocol, and so forth.

On a typical switch network only traffic for that segment is going to be available to the network card. What we sometimes have to do as ethical hackers is fool the network either into giving us all of the traffic or break the switch or the router that’s keeping traffic away from us. The most common technique, that actually won’t destroy anything or alert administrators to our presence, is actually to figure out whether there are any mirror ports or span ports. Which is essentially a port on a router or switch that sends all the traffic from one port to a different port.

For example, if the target that I’m trying to listen in on is on port eight and I’m on port seven, I want to tell the switch, “Hey, all that traffic from port eight, send it over to port seven because I want to see it too.” Some switches are easy to do with this, some are nearly impossible to make happen like this. It depends on the switch, it depends on the vulnerabilities.

This information relates back to an earlier video you saw on how to footprint, enumerate and then identify weaknesses in switching hardware and in routers and so forth. That’s exactly what you’re looking for. One of the nice things to find is, “Oh, I can set up a mirror port very easily.” It makes your task an awful lot easier and it makes sniffing a lot more possible.

On some switches, you actually can flood them with certain types of packets, (crafted packets), in order to make them not really distinguished between packets going hither and yon and send all traffic to all ports for a very, very brief amount of time. That’s flooding and that’s actually a little bit more difficult as the switches and routers get more mature.

Unfortunately, t flooding only works on older devices or on devices that haven’t been updated in a while. For the moment let’s just go and talk a little bit more about the network sniffing on the segment that we’re on. That’s the easiest one to focus on before we actually branch out and look at other segments.

About the Author

has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His operations experience includes managing the Xbox LIVE operations team, the largest cloud computing operations team in the world, and consulting on operations efficiency with countless clients around the world. Mike has published several books (including two for O’Reilly) and numerous papers. He is a frequent conference speaker and classroom instructor on IT operations, computer security, and technology frameworks. Mike holds a number of certifications and accreditations including Certified Information Systems Security Professional (CISSP) practitioner and instructor.

Author's Website: