← Back to Cybersecurity
Network Sniffers and Injection Tools
18 min read Cybersecurity
1. What is a Network Sniffer?
A network sniffer (or packet analyzer) is a tool that captures and analyzes network traffic. It intercepts data packets traveling across a network.
Uses of Network Sniffers:
- Legitimate: Network troubleshooting, performance monitoring, security testing
- Malicious: Credential theft, data interception, espionage
2. How Sniffers Work
- Promiscuous Mode: NIC captures all packets, not just those addressed to it
- Packet Capture: Raw packets are captured from the network
- Protocol Decoding: Packets are decoded and analyzed
- Filtering: Specific traffic is filtered for analysis
3. Popular Network Sniffers
| Tool | Description | Platform |
|---|---|---|
| Wireshark | Most popular packet analyzer with GUI | Windows, Linux, macOS |
| tcpdump | Command-line packet analyzer | Linux, Unix |
| tshark | Command-line version of Wireshark | All platforms |
| NetworkMiner | Forensic network analyzer | Windows |
4. Wireshark Basics
Common Display Filters
# Filter by IP address ip.addr == 192.168.1.1 # Filter by source IP ip.src == 192.168.1.1 # Filter by destination IP ip.dst == 192.168.1.1 # Filter by protocol http dns tcp udp icmp # Filter by port tcp.port == 80 tcp.port == 443 # Filter HTTP traffic http.request.method == "GET" http.request.method == "POST" # Filter by MAC address eth.addr == aa:bb:cc:dd:ee:ff
5. tcpdump Commands
# Capture on interface tcpdump -i eth0 # Capture specific host tcpdump host 192.168.1.1 # Capture specific port tcpdump port 80 # Capture and save to file tcpdump -w capture.pcap # Read from file tcpdump -r capture.pcap # Capture with verbose output tcpdump -v -i eth0 # Capture HTTP traffic tcpdump -i eth0 port 80 -A
6. Packet Injection Tools
Packet injection is the process of inserting crafted packets into a network to test security or perform attacks.
| Tool | Purpose |
|---|---|
| Scapy | Python-based packet manipulation tool |
| hping3 | TCP/IP packet crafting and analysis |
| Ettercap | MITM attack tool with injection capabilities |
| arpspoof | ARP spoofing tool |
| Aircrack-ng | Wireless packet injection |
7. Scapy Examples
# Python with Scapy from scapy.all import * # Create ICMP packet packet = IP(dst="192.168.1.1")/ICMP() send(packet) # Create TCP SYN packet syn = IP(dst="192.168.1.1")/TCP(dport=80, flags="S") send(syn) # Sniff packets packets = sniff(count=10) packets.summary() # ARP scan ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"), timeout=2)
8. Defense Against Sniffing
- Encryption: Use HTTPS, TLS, SSH, VPN
- Switched Networks: Use switches instead of hubs
- Port Security: Limit MAC addresses per port
- ARP Inspection: Dynamic ARP Inspection (DAI)
- Network Segmentation: Isolate sensitive traffic
⚠️ Legal Warning:
Unauthorized network sniffing and packet injection is illegal. These tools should only be used on networks you own or have explicit permission to test.