Packet sniffers, network packet sniffers, or simply sniffers are programs or devices that can monitor data traveling over a network. They usually work by capturing packets at the Data Link Layer (see the OSI model for more information) and hence are called packet sniffers. They can be used for legitimate as well as illegitimate activities. Legitimate activities include network traffic monitoring and administration, whereas illegitimate activities may include stealing passwords, email text, and files that are in transit. They are available for all well-known platforms such as Windows, UNIX, Linux, etc.
Depending on the type of network on which sniffing is done, sniffing is classified as follows:
In passive sniffing, a sniffer gathers packets from the data link layer. In practice it can grab all packets on a hub-based LAN. This is because a network built around a hub is a broadcast medium shared by all systems on the LAN: any data sent over the LAN is actually delivered to each and every machine connected to it. The majority of sniffer tools are ideally suited to sniffing data in a hub environment. These tools are known as passive sniffers because they passively wait for data to be sent and then capture it.
A countermeasure against sniffing is to replace the network hub with a switch. Unlike a hub-based network, switched Ethernet does not broadcast all frames to all systems on the LAN, so a passive sniffer will not be able to capture other hosts' data on a switched network. To sniff on a switched network, an attacker actively injects traffic into the LAN to enable capture of the traffic. This is known as Active Sniffing. ARP spoofing, MAC flooding, and MAC duplicating are all methods of active sniffing.
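The switch countermeasure has a detection counterpart: since ARP spoofing makes a second MAC address answer for an IP address that already has one, a defender can flag any IP claimed by more than one MAC. The following is an added example, not part of the original article; the ARP replies are constructed sample data with placeholder addresses.

```python
"""Detect ARP spoofing (an active-sniffing technique) from observed ARP replies.

Added example, not part of the original article. The ARP reply records below are
constructed sample data; the IP and MAC values are placeholders.
"""
from collections import defaultdict

# Constructed ARP replies as (sender_ip, sender_mac) tuples, in the order observed.
# A legitimate host answers for its own IP with one MAC; a spoofer answers for the
# gateway's IP with a different MAC so that traffic is redirected through it.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1", "02:00:00:00:00:01"),   # gateway, genuine reply
    ("192.0.2.10", "02:00:00:00:00:0a"),
    ("192.0.2.11", "02:00:00:00:00:0b"),
    ("192.0.2.1", "02:00:00:00:00:0b"),   # gateway IP claimed by host .11's MAC
    ("192.0.2.1", "02:00:00:00:00:0b"),
]


def build_ip_to_macs(replies):
    """Map each sender IP to the set of MAC addresses that have claimed it."""
    mapping = defaultdict(set)
    for ip, mac in replies:
        mapping[ip].add(mac.lower())
    return mapping


def detect_arp_conflicts(replies):
    """Return {ip: sorted MAC list} for every IP claimed by more than one MAC.

    One IP legitimately maps to one MAC; several MACs answering for the same IP
    is the classic symptom of ARP spoofing (or a misconfiguration worth checking).
    """
    mapping = build_ip_to_macs(replies)
    return {ip: sorted(macs) for ip, macs in mapping.items() if len(macs) > 1}


def macs_claiming_multiple_ips(replies):
    """Return MACs that answered for more than one IP. A spoofer's own MAC usually
    shows up both for its real IP and for the victim IP it is impersonating."""
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac_to_ips[mac.lower()].add(ip)
    return sorted(mac for mac, ips in mac_to_ips.items() if len(ips) > 1)


if __name__ == "__main__":
    for ip, macs in detect_arp_conflicts(SAMPLE_ARP_REPLIES).items():
        print(f"ALERT: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    print("suspect MACs:", macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES))
```

On a real network the same logic would be fed from a sniffer's ARP capture or the switch's ARP inspection logs rather than a hard-coded list.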
Protocols Vulnerable To Sniffing:
HTTP, SMTP, NNTP, POP, FTP, IMAP, Telnet, Rlogin: practically every protocol that does not use encryption.