Packet Sniffers

Wireshark (Ethereal replacement)

http://www.wireshark.org/

Wireshark is one of the world's foremost network protocol analyzers, and is the standard in many parts of the industry. It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.

Wireshark has a rich feature set which includes the following:

  • Standard three-pane packet browser
  • Multi-platform: runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Multi-interface: along with a standard GUI, Wireshark includes tshark, a text-mode analyzer which is useful for remote capture, analysis, and scripting
  • The most powerful display filters in the industry
  • VoIP analysis
  • Live capture and offline analysis are supported
  • Read/write many different capture file formats: tcpdump (libpcap), NAI's Sniffer™ (compressed and uncompressed), Sniffer™ Pro, NetXRay™, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdump format), the AG Group's/WildPackets' EtherPeek/TokenPeek/AiroPeek, Visual Networks' Visual UpTime and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Hundreds of protocols are supported, with more being added all the time
  • Coloring rules can be applied to the packet list, which eases analysis

Note: an excellent wiki page is available that contains sample traces for the following protocols:

http://wiki.wireshark.org/SampleCaptures

1. ARP/RARP
2. Bluetooth
3. UDP-Lite
4. NFS protocol family
5. Server Message Block (SMB)/Common Internet File System (CIFS)
6. Parallel Virtual File System (PVFS)
7. Hypertext Transport Protocol (HTTP)
8. Telnet
9. SNMP
10. Network Time Protocol
11. PostgreSQL v3 frontend/backend protocol
12. VendorLanProtocolFamily
13. SIGTRAN protocol family
14. Stream Control Transmission Protocol (SCTP)
15. IPMI
16. SIP and RTP
17. RTSP protocol
18. USB raw
19. WAP protocol family
20. X.509 digital certificates
21. Lightweight Directory Access Protocol (LDAP)
22. SAN protocol captures (iSCSI, ATAoverEthernet, FibreChannel, SCSI-OSD and other SAN related protocols)
23. Peer-to-peer protocols
    1. Manolito protocol
    2. BitTorrent protocol
    3. Soulseek protocol
    4. JXTA protocol
24. Kaspersky update protocol
25. Kerberos and keytab file for decryption
26. mDNS & Apple Rendezvous
27. Point-to-Point (PPP)
28. X.400
29. STANAG 5066
30. RTP NORM
31. DCE/RPC and MSRPC-based protocols
    1. DSSETUP MSRPC interface
    2. NSPI MSRPC interface
32. IPsec - ESP payload decryption and authentication checking examples
33. PRO-MPEG FEC - professional video FEC data over RTP
34. SSL with decryption keys
35. NDMP
36. Kismet client/server protocol
37. DTLS with decryption keys
38. Ethernet POWERLINK v1
39. Ethernet POWERLINK v2
40. Architecture for Control Networks (ACN)
41. Intellon HomePlug (INT51X1)

Note: other sources of sample capture files

EtherPeek VX (commercial)

http://www.wildpackets.com/products/etherpeek/etherpeek_vx/overview

EtherPeek VX, WildPackets' expert VoIP network analyzer, offers both Ethernet and VoIP diagnostics in real time. EtherPeek VX provides real-time expert analysis, application response time (ART) analysis, full 7-layer decodes, alarms, triggers, comprehensive graphs and reports, and more. In addition to its advanced wireless network analytics, EtherPeek VX offers per-call analysis and supports multiple signaling protocols. The media plane analysis looks at packet-level details of RTP and RTCP streams and evaluates packet delay variations, packet loss, and jitter, and provides MOS scores as well as R-factor values for each call.

Ettercap

http://ettercap.sourceforge.net/

Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

pdump

http://packetstormsecurity.org/sniffers/pdump/pdump-0.781.tar.gz

pdump is a sniffer written in Perl which dumps, greps, monitors, creates, and modifies traffic on a network. It combines features from tcpdump, tcpkill, ngrep, tcptrace, dsniff (and its webspy and urlsnarf), pfilt, macof, and xpy. It is able to do passive operating system detection/fingerprinting and can also watch packet streams and then create its own spoofed packets to hijack or kill TCP connections. It understands tcpdump-like and Perl-like syntax and allows easy modifications via a plug-in system. The packet display is easily configurable.

4G8

http://www.intrusense.com/software/forgate/

4G8 allows you to capture traffic from a third party in a switched environment at the expense of a slight increase in latency to that third-party host. Utilizing ARP cache poisoning, packet capture and packet reconstruction techniques, 4G8 works with nearly all TCP, ICMP and UDP IPv4 traffic flows.

tcpdump

http://www.tcpdump.org/

tcpdump is a common computer network debugging tool that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It was originally written by Van Jacobson, Craig Leres and Steven McCanne who were, at the time, working in the Lawrence Berkeley Laboratory Network Research Group.

tcpdump works on most Unix-like platforms: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX among others. On those systems, tcpdump is built upon the libpcap packet capture library.

SwitchSniffer

http://www.securityfocus.com/tools/3803

SwitchSniffer is a program that can scan your switched LAN for up hosts and can reroute and collect all packets without the target users noticing. It can also detect the 'arpspoofer' program running on the network and block user-definable sessions like a firewall. If you use this program in tandem with any sniffer program, you can capture and see the users' IDs and passwords on a switched network.
That is, SwitchSniffer enables you to monitor all the packets and all the hosts on a switched network.

Coarse Portknocking

http://coarseknocking.sourceforge.net/

Coarse Knocking is a simple implementation of port knocking techniques. It sniffs network packets (even those blocked by the firewall) for predetermined keys and executes commands to open and close ports. In client mode it injects packets carrying the key to the server.

PHoss (Phenoelit's Own Security Sniffer)

http://www.phenoelit.de/phoss/

PHoss is a sniffer designed to find HTTP, FTP, LDAP, Telnet, IMAP4 and POP3 logins on the wire. It also sniffs the VNC challenge/response handshake.

ssldump

http://www.rtfm.com/ssldump/

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.

VIPPR (Virtual IP Phalanx Router)

http://www.phenoelit.de/vippr/index.htm

VIPPR is just a sniffer/protocol analyzer that knows something about how to handle certain kinds of traffic and reacts accordingly.

You can bind as many virtual IP addresses to an existing interface as you want. These are not used by the kernel - the kernel doesn't even know about them. These virtual IPs (or VIPs) can have several properties. In fact, there are different kinds of VIPs available to you. But you don't just bind IPs to an interface; you also select the MAC address they use. This enables you to impersonate any device on your network on the lower layers. In contrast to conventional routers, VIPPR does not use one routing table but as many as you like. You can create routing tables and VIPs independently from each other. Then, you assign a routing table to your VIP. All VIPs that are in the same routing group can forward traffic from one to another. VIPs that are in a different routing group can't. It's the concept you know from VLANs - but just for routing.

To enable users to perform GRE intrusion attacks without changing their existing tools, VIPPR supports VIPs which do GRE encapsulation for any tunnel you can think of and send the packets to the tunnel destination IP. This makes it possible to do a GRE intrusion just by setting up this VIP and having your workstation route its traffic through this VIP.

DataEcho session reconstruction utility

http://sourceforge.net/projects/data-echo/

DataEcho is a TCP session reconstruction utility. It can capture traffic directly from a network adapter or can use a pcap file as input. DataEcho allows the playback of a user's web browsing, email, or other text-based protocol activity.

Network Night Vision

http://www.networknightvision.com

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License