
Sniffers: network traffic analyzers

A sniffer, also called a traffic analyzer, is a program or hardware device that intercepts and then analyzes network traffic. Today such programs have entirely legitimate uses and are widely deployed on networks, but they can be used both for good and for harm.

Their history dates back to the 1990s, when hackers could use such software to easily capture usernames and passwords, which at that time were very weakly encrypted.

The word sniffer comes from the English verb "to sniff". The program records and analyzes the packets transmitted by the machines on the network; for capture to be effective it must sit close to the host whose traffic is being read.

Programmers use such applications for traffic analysis; hackers on the network pursue other goals, hunting for passwords or whatever other information they need.

Types of traffic analyzers

Sniffers come in several types: online applets, or applications installed directly on a computer, which in turn divide into hardware and software implementations.

Most often they are used to intercept passwords, with the application gaining access to the encrypted information. This can cause the user enormous inconvenience, since the same password is often set for several programs or sites, which ultimately leads to loss of access to needed resources.

One type of sniffing captures a snapshot of random-access memory, because reading information continuously without consuming processor power is difficult. Such a spy can be detected by tracking peak load on the PC during operation.

Another type works on a high-volume transmission channel; such a pest can generate up to 10 megabytes of logs per day.

How it works

Analyzers work only with TCP/IP protocols, and such programs need a wired connection, for example through the routers that share the Internet. Data is transmitted as individual packets that are reassembled into a whole once they reach the destination. A sniffer can intercept packets at any stage of transmission and extract valuable information from them, such as passwords sent without protection. In any case, with the help of decoder programs it is possible to recover even a protected password.

The easiest targets for Wi-Fi sniffers are weakly protected networks: in cafes, in public places, and so on.

Providers use these programs to track down unauthorized access to external system addresses.

How to protect yourself from sniffers

To tell that someone has penetrated the local network, first of all pay attention to packet download speed: if it is significantly lower than the declared one, this should be alarming. Computer performance can be monitored with the Task Manager. Special utilities can also be used, but they most often conflict with the Windows firewall, so it is better to turn it off for a while.

For system administrators, checking for and hunting down traffic analyzers on the local network is a necessary task. To detect malicious applications you can use well-known network antiviruses such as Doctor Web or Kaspersky Anti-Virus, which can detect pests both on remote hosts and directly within the local network.

In addition to special applications that you simply install on your computer, you can use stronger passwords and cryptographic systems. Cryptographic systems work directly on the information, encrypting it and protecting it with an electronic signature.

Application overview and key features

CommView

CommView decodes the packets of transmitted information and displays statistics of the protocols used as diagrams. The traffic sniffer lets you analyze IP packets, and only those that are needed. The Windows sniffer works with well-known protocols: HTTP, HTTPS, DHCP, DDNH, DIAG, POP3, TCP, WAP, etc. CommView works with Ethernet modems, Wi-Fi and others. Packets are captured over an established connection using the "Current IP Connections" tab, where you can create address aliases.

The "Packets" tab shows information about them; packets can be copied to the clipboard.

The "Log files" tab allows you to view packets in NCF format.

The "Rules" tab. Here you set the conditions for capturing packets. Sections of this tab: IP addresses, MAC addresses, Ports, Process, Formulas and Individual parameters.

The "Warning" tab provides notifications on the local network and works through the "Add" button. Here you set the conditions and the type of event:

  • "Packets per second" - when the network load level is exceeded.
  • "Bytes per second" - when the data transmission frequency is exceeded.
  • "Unknown address", that is, detection of unauthorized connections.

The "View" tab: traffic statistics are displayed here.

CommView is compatible with Windows 98, 2000, XP, 2003. The application requires an Ethernet adapter.

Advantages: a user-friendly interface in Russian, support for common types of network adapters, visualized statistics. The only disadvantage is the high price.

Spynet

Spynet decodes and intercepts packets. With it you can recreate the pages the user has visited. It consists of two programs, CaptureNet and PipeNet, and is convenient to use on a local network. CaptureNet scans data packets; the second program monitors the process.

The interface is quite simple:

  • Modify Filter button: sets filters.
  • Layer 2,3 button: Layer 2 selects frame/IP protocols; Layer 3 selects TCP.
  • Pattern Matching button: searches for packets with the specified parameters.
  • IP Addresses button: lets you select the IP addresses whose traffic is of interest (options 1-2, 2-1, 2=1; in the last case, all traffic).
  • Ports button: selects ports.

To intercept data, run Capture Start, which starts the capture process. The file with the saved information is copied only after the Stop command, i.e., after capture is terminated.

The advantage of Spynet is the ability to decode the web pages the user has visited. The program can also be downloaded for free, although it is rather hard to find. Its disadvantage is a small feature set on Windows. It works on Windows XP and Vista.

BUTTSniffer

BUTTSniffer analyzes network packets directly. It works by intercepting transmitted data and can automatically save it to disk, which is very convenient. The program is launched from the command line and also has filter options. It consists of BUTTSniff.exe and BUTTSniff.dll.

Significant disadvantages of BUTTSniffer include unstable operation; frequent crashes, up to bringing down the OS (blue screen of death), are not uncommon.

Besides these, there are many other well-known sniffer programs: WinDump, dsniff, NatasX, NetXRay, CooperSniffer, LanExplorer, Net Analyzer.

There are also online sniffers which, in addition to obtaining the victim's IP address, change the attacker's own IP address. That is, the attacker first logs in under one IP address, then sends the victim a picture that has to be downloaded or an email that only has to be opened; after that the hacker receives all the data they need.

It is worth recalling that interference with the data of someone else's computer is a criminal offense.

When an ordinary user hears the term "sniffer", he immediately wants to know what it is and why it is needed.

We will try to explain everything in simple language.

However, this article will be intended not only for novice users, but also for.

Definition

A sniffer is a traffic analyzer. Traffic, in turn, is all the information that passes through computer networks.

The analyzer looks at what information is being transmitted. To do this it has to intercept it. Strictly speaking this is illegal, because this is how people often gain access to other people's data.

It can be compared to a train robbery - a classic plot of most Westerns.

You send some information to another user. It travels by "train", that is, over a network channel.

The thugs from Bloody Joe's gang stop the train and rob it clean. In our case the information travels on, that is, the attackers do not steal it in the literal sense of the word.

But suppose that this information is passwords, personal notes, photos and the like.

The attackers can simply copy or photograph all of it. In this way they gain access to sensitive data that you wanted to keep hidden.

Yes, you will still receive all this information; it will reach you.

But you will know that complete strangers now know it too. And in the 21st century it is information that is valued most!

This is exactly the principle used in our case: certain people stop the traffic, read data from it and send it on.

However, with sniffers things are not always so frightening. They are used not only to gain unauthorized access to data but also to analyze the traffic itself, which is an important part of the work of system administrators and of administrators of various resources. The applications deserve a closer look, but first we will cover how sniffers work.

Principle of operation

In practice, sniffers can be portable devices that are literally attached to a cable and read data from it, as well as programs.

In some cases it is just a set of instructions, that is, code that has to be entered in a specific sequence in a specific programming environment.

In more detail, traffic can be intercepted by such devices in one of the following ways:

1. By installing hubs instead of switches. In principle, a network interface can be listened to in other ways, but all of them are ineffective.

2. By connecting a literal sniffer into a break in the channel. This is exactly what was discussed above: a small device is inserted that reads everything moving along the channel.

3. By installing a tap on the traffic. The tapped copy is directed to some other device, possibly decrypted, and then sent on to the user.

4. By an attack that redirects all traffic to a sniffer. Of course, after the information passes through the reader it is sent on to the end user for whom it was originally intended, in pure form!

5. By analyzing the electromagnetic radiation produced by the traffic. This is the most difficult and most rarely used method.

Here is an approximate diagram of the second method.

True, it shows the reader simply plugged into the cable.

In fact, it is almost impossible to do it this way.

The end user will still notice that somewhere there is a break in the channel.

The working principle of a conventional sniffer rests on the fact that within one segment, packets are sent to all connected machines. Rather crude, but so far there is no alternative! Between segments, data is transmitted via switches. This is where it becomes possible to intercept information using one of the methods above.

Actually, this is what is called a cyberattack and hacking!

By the way, if you configure these switches correctly, you can completely protect the segment from all kinds of cyberattacks.

There are other methods of protection, which we will talk about at the very end.

Application

Of course, first of all this concept has the application discussed above, that is, hacker attacks and illegal acquisition of user data.

But besides this, sniffers are used in other areas, in particular in the work of system administrators.

In particular, such devices or programs help accomplish the following tasks:

As you can see, the devices and programs under consideration can greatly ease the work of system administrators and of everyone else who uses networks. And that is all of us.

Now let's move on to the most interesting part - an overview of sniffer programs.

Above, we established that they can be made as physical devices, but in most cases special programs are used.

Let's study them.

Sniffer programs

Here is a list of the most popular such programs:

CommView. The program is paid, like every other on our list; one minimal license costs $300. But it has the richest functionality. The first thing to note is the ability to set your own rules. For example, you can make it so that certain protocols are completely ignored. It is also noteworthy that the program lets you view the details and log of all forwarded packets. There is a regular version and a Wi-Fi version.

SpyNet. This is, in fact, the Trojan we are all so tired of. But it can also be used for the noble purposes we talked about above. The program intercepts what is in the traffic. There are many unusual features; for example, you can recreate the Internet pages the "victim" has visited. Notably, this software is free, but it is not easy to find.

BUTTSniffer. This is a pure sniffer meant to help analyze network packets, not to intercept other people's passwords and browser history. At least, that is what the author intended. In practice, his creation is used for purposes you can guess. It is an ordinary console program that works from the command line. To get started, two files are downloaded and run. Captured packets are saved to the hard disk, which is very convenient.

There are many other sniffer programs: fsniff, WinDump, dsniff, NatasX, NetXRay, CooperSniffer, LanExplorer, Net Analyzer and many others. Choose any! But to be fair, CommView is the best.

So, we have sorted out what sniffers are, how they work and what they are.

Now let's move from the place of a hacker or sysadmin to the place of an ordinary user.

We are well aware that our data can be stolen. What to do to prevent this from happening?

A sniffer, or traffic analyzer (from the English "to sniff"), is a network traffic analyzer: a program or software-and-hardware device designed to intercept and subsequently analyze, or only to analyze, network traffic intended for other nodes.

A sniffer can only analyze what passes through its own network card. Within one Ethernet segment all packets are sent to all machines, which is what makes it possible to intercept other people's information. Using switches (switch, switch-hub) and configuring them competently is already a protection against eavesdropping. Between segments, information is transferred through switches. Packet switching is a form of transmission in which data, broken into individual packets, can be forwarded from source to destination by different routes. So if someone in another segment sends packets within that segment, the switch will not forward this data to your segment.
Traffic interception can be carried out:
...


In this article I will explain what a sniffer is, how to use it, how to check fakes, and what an ID PASS is.
What we need for this:
- a sniffer: socketsniff or smsniff
- 2 hands
- 1 head
- 9 grades completed :D

I will not explain what a sniffer is; I think many have heard of it.
You can read about it in detail here:
http://ru.wikipedia.org/wiki/%D0%90%D0% ... 0% BA% D0% B0
First, download the sniffer
http://www.nirsoft.net/utils/socketsniff.zip
It is convenient because you can sniff only the one application you choose, so other running programs will not get in our way.
Well, let's get started. First let's check the program on VirusTotal http://www.virustotal.com/ (in case they slipped us a Trojan instead of a fake).
From the check we decide whether to launch it or not; don't forget that an antivirus may complain about the packer.
Next, we launch the downloaded program (as an example I will take a fake that sends codes to Asya).
We start socketsniff and look for our program among the processes, which ...



What is a sniffer?

Introduction

I hope this article will be a good narration about sniffers for novice hackers, as well as for those who have already dealt with them.

What is Sniffer?

A sniffer (from the English "sniffer") is a program that is installed on top of a NIC (Network Interface Card), otherwise called an Ethernet card (one of the pieces of hardware needed to physically connect computers on a local network). As you know, information is transmitted over the network in packets, from your machine to the remote one, so a sniffer installed on an intermediate computer through which the packets pass is able to capture them before they reach the target. Different sniffers implement the capture process in different ways; more on that below.

(your computer) -> (neighboring computer) -> (computer with sniffer) -> (remote computer)
A standard packet travels from "your computer" across the network. It will go through every ...


Sniffers are programs that intercept all network traffic. Sniffers are useful for network diagnostics (for admins) and for intercepting passwords (it is clear for whom). For example, if you got access to one networked machine and installed a sniffer there, then soon all the passwords from its subnet will be yours. Sniffers put the network card into listening mode (PROMISC), that is, they receive all packets. In a local network you can intercept all packets sent from all machines (if you are not separated by all sorts of hubs), since broadcasting is practiced there. Sniffers can intercept all packets (which is very inconvenient, the log file fills up terribly quickly, but for a more detailed analysis of the network it is the best) or only the first bytes of any ftp, telnet, pop3, etc. session. There are a lot of sniffers now ... There are many sniffers both under Unix and under Windows (there are even some under DOS). Sniffers may support only a certain operating system (for example linux_sniffer.c, which supports Linux), or ...


Wireshark: how to use?

Hello, friends! In this article I will try to explain the most necessary things to know when using Wireshark on Linux, and show the analysis of three types of network traffic. This manual also applies to Wireshark on Windows.

If you are new to information security and want to understand well what a sniffer (traffic analyzer) is, I advise you to read the article What is a sniffer first, and only then this article on how to use Wireshark.

Wireshark is a very popular and extremely capable network protocol analyzer developed by Gerald Combs. Wireshark appeared in June 2006, when Combs renamed his network tool Ethereal because he had changed jobs and could no longer use the old name. Today most people use Wireshark, and Ethereal is history.

Wireshark: the best sniffer

You might be asking what makes Wireshark ...


A sniffer, or traffic analyzer, is a special program capable of intercepting and/or analyzing network traffic destined for other hosts. As you know, information is transmitted over the network in packets, from the user's machine to the remote machine, so if a sniffer is installed on an intermediate computer it will capture passing packets before they reach the target.

The operation of one sniffer can differ significantly from another. A standard packet begins its journey at the user's PC and then passes through each computer on the network: the "neighboring computer", the "computer equipped with a sniffer", and finally the "remote computer". A normal machine ignores a packet not intended for its IP address, whereas the sniffer machine disregards this rule and intercepts any packet within its "field of activity". A sniffer is the same thing as a network analyzer, but the security companies and the Federal government ...


Wireshark will be a great helper for users who need to perform a detailed analysis of network packets, the traffic of a computer network. The sniffer handles common protocols such as netbios, fddi, nntp, icq, x25, dns, irc, nfs, http, tcp, ipv6 and many others. During analysis it can split a network packet into its components according to the protocol and display the decoded information on screen.
It supports a huge number of formats for transmitted and received information and can open files produced by other utilities. It works by putting the network card into promiscuous mode so that it intercepts the network packets within its field of view. It can also work as a Wi-Fi packet capture program.

How to use wireshark

The program examines the contents of the packets passing through the network. No special knowledge is needed to start it and use its results: just open it from the "Start" menu or click the desktop icon (launching it is no different from any other Windows program). The utility's special function lets it capture packets, carefully decode their contents and present them to the user for analysis.

After launching Wireshark you will see the main program menu at the top of the window; the utility is controlled from it. If you need to load files holding packets caught in previous sessions, or save the packets obtained in the new session, use the "File" tab.

To start capturing network packets, click the "Capture" menu, then find the "Interfaces" section, which opens a separate "Wireshark: Capture Interfaces" window listing all available network interfaces on which the required packets can be captured. If the program (sniffer) detects only one suitable interface, it displays all the important information about it.

The utility's results are direct evidence that even when users are not transmitting any data themselves at a given moment, the exchange of information on the network does not stop. After all, a local network stays operational because each of its elements (computers, switches and other devices) continuously exchanges service information with the others, and network tools of this kind are designed to intercept such packets.

There is also a version for Linux systems.

It should be noted that the sniffer is extremely useful for network administrators and computer security staff, because the utility lets you identify potentially unprotected network nodes: the likely areas that can be attacked by hackers.

Beyond its direct purpose, Wireshark can be used to monitor and further analyze network traffic in order to organize an attack on unprotected parts of the network, since intercepted traffic can serve various goals.

What is Intercepter-NG

Let's consider how ARP works with a simple example. Computer A (IP address 10.0.0.1) and computer B (IP address 10.22.22.2) are connected by an Ethernet network. Computer A wants to send a data packet to computer B and knows B's IP address. However, the Ethernet network they are connected to does not work with IP addresses, so computer A needs to know computer B's address on the Ethernet network (its MAC address, in Ethernet terms) in order to transmit over Ethernet. The ARP protocol is used for this task. Using it, computer A sends a broadcast request to all computers in the same broadcast domain. The essence of the request: "computer with IP address 10.22.22.2, tell your MAC address to the computer with MAC address a0:ea:d1:11:f1:01". The Ethernet network delivers this request to all devices on the same Ethernet segment, including computer B. Computer B answers computer A and reports its MAC address (e.g. 00:ea:d1:11:f1:11). Having received computer B's MAC address, computer A can now transmit any data to it over the Ethernet network.

To avoid having to use ARP before every transmission, the received MAC addresses and their corresponding IP addresses are recorded in a table for some time. If data needs to be sent to the same IP again, there is no need to poll the devices for the desired MAC every time.

As we have just seen, ARP consists of a request and a response. The MAC address from the response is written into the MAC/IP table. A received response is not verified for authenticity in any way; it is not even checked whether a request was made. That is, one can immediately send an ARP response with spoofed data to target devices (even without a request), and this data will be entered into the MAC/IP table and used for data transmission. This is the essence of the ARP spoofing attack, sometimes called ARP poisoning or ARP cache poisoning.

Description of the ARP spoofing attack

Two computers (nodes) M and N on a local Ethernet network exchange messages. Attacker X on the same network wants to intercept the messages between these nodes. Before the ARP spoofing attack, the ARP table on node M's network interface contains the IP and MAC address of node N, and the ARP table on node N's interface contains the IP and MAC of node M.

During the ARP spoofing attack, host X (the attacker) sends two ARP responses (without a request): one to host M and one to host N. The ARP response to host M contains the IP address of N and the MAC address of X. The ARP response to host N contains the IP address of M and the MAC address of X.

Since computers M and N accept unsolicited (gratuitous) ARP, after receiving an ARP response they update their ARP tables: M's ARP table now holds the MAC address of X associated with the IP address of N, and N's ARP table holds the MAC address of X bound to M.

Thus the ARP spoofing attack is complete, and all packets (frames) between M and N now pass through X. For example, if M wants to send a packet to N, M looks in its ARP table, finds the entry with the IP address of host N, takes the MAC address from it (which is now the MAC address of node X) and transmits the packet. The packet arrives at X's interface, is analyzed there, and is then forwarded to node N.
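As an added example (not code from the article or from Intercepter-NG), the ARP request/response exchange from the section above and the M/N/X scenario just described, modelled from the defender's side: a host that remembers which IPs it has asked about and refuses to learn from a reply that answers no request of its own or contradicts an entry it already holds, which is exactly the check the text says a normal stack does not make. All MAC and IP addresses and all frames are constructed inline.

```python
import struct
from collections import namedtuple

# Wire layout of an Ethernet II frame carrying IPv4-over-Ethernet ARP (RFC 826).
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ArpMessage = namedtuple("ArpMessage", "op sender_mac sender_ip target_mac target_ip")

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip4(text):
    return bytes(int(octet) for octet in text.split("."))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed frame: a request goes to the broadcast MAC, a reply to its target."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    return ETH_HDR.pack(eth_dst, sender_mac, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, op, sender_mac, sender_ip, target_mac, target_ip)

def parse_arp(frame):
    """Return the ARP message carried by an Ethernet frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    return ArpMessage(op, sha, spa, tha, tpa)

class ArpMonitor:
    """The ARP table of one host (identified by its MAC). Unlike a normal stack, which accepts
    any reply, it learns only from replies that answer its own request and match what it knows."""

    def __init__(self, my_mac):
        self.my_mac = my_mac
        self.table = {}        # dotted IP -> colon-separated MAC
        self.pending = set()   # raw IPs this host asked about and has not resolved yet
        self.alerts = []

    def observe(self, frame):
        msg = parse_arp(frame)
        if msg is None:
            return None                        # not ARP, or malformed
        if msg.op == ARP_REQUEST:
            if msg.sender_mac == self.my_mac:
                self.pending.add(msg.target_ip)
            return None                        # a request never changes the table
        if msg.target_mac != self.my_mac:
            return None                        # a reply meant for another host
        sender_ip, sender_mac = ip_str(msg.sender_ip), mac_str(msg.sender_mac)
        reasons = []
        if msg.sender_ip not in self.pending:
            reasons.append("no outstanding request for this IP")
        known = self.table.get(sender_ip)
        if known is not None and known != sender_mac:
            reasons.append(f"conflicts with known MAC {known}")
        if reasons:
            self.alerts.append(f"rejected reply {sender_ip} is-at {sender_mac}: " + "; ".join(reasons))
            return "rejected"
        self.table[sender_ip] = sender_mac
        self.pending.discard(msg.sender_ip)
        return "learned"

def demo():
    """Replays the text's scenario with constructed addresses: M resolves N, then X poisons M."""
    m, n, x = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02"), mac("02:00:00:00:00:03")
    ip_m, ip_n = ip4("10.0.0.1"), ip4("10.0.0.2")
    monitor = ArpMonitor(m)
    monitor.observe(build_arp(ARP_REQUEST, m, ip_m, b"\x00" * 6, ip_n))
    monitor.observe(build_arp(ARP_REPLY, n, ip_n, m, ip_m))   # genuine answer from N
    monitor.observe(build_arp(ARP_REPLY, x, ip_n, m, ip_m))   # X claims N's IP address
    return monitor
```

The monitor keeps the genuine N entry and logs X's reply with both reasons; note that if X's reply had arrived before any entry for N existed, and in answer to a real request, the host would have had no grounds to reject it, which is why the text's point about unverified replies matters.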
