Where Can I Get a Sniffer?
Sniffers come in two basic flavors: commercial and freeware. If you're just learning about networking, I recommend getting a freeware sniffer. On the other hand, if you manage a large network, your company should purchase at least one commercial sniffer. They are invaluable when you're trying to diagnose a network problem.
The sniffers in this section are commercial, but many of these companies offer demo versions. Prices range from $200 to $2,000.
Sniffer Portable Analysis Solutions from Network Associates
Network Associates has produced several levels of network analysis tools including Sniffer Basic (formerly NetXRay by Cinco Networks), Sniffer Pro LAN, Sniffer Pro WAN, Sniffer High-Speed, and Sniffer Packet over SONET. These sniffers decode more than 240 LAN/WAN protocols, and Sniffer Pro High-Speed works with ATM and Gigabit Ethernet.
SnifferPro is a powerful tool providing visibility into the data network. It allows the user to perform a variety of functions including capturing network traffic, diagnosing network problems, and monitoring network activity in real-time.
Figure 15.1 shows an example of a SnifferPro session in progress. The Expert window displays objects, symptoms, and diagnoses in the Expert Overview pane, while the Capture gauge shows the status of the capture in progress. The Capture function of this popular, easy-to-use sniffer stores the actual packets from the network and decodes them, giving the user detailed information about individual network transactions. The Dashboard displays a network segment's packet rate, utilization percentage, and error rate in real time.
Figure 15.1. SnifferPro's real-time Expert and Capture gauge windows.
SnifferPro can collect data about conversations between network nodes in real time. Figure 15.2 shows an example of this feature: a traffic map depicting traffic patterns between network nodes, along with traffic-count statistics for node pairs.
Figure 15.2. SnifferPro's Traffic Map Matrix display.
Network Associates also offers a sniffer rental service, from which a client can receive a portable computer with the latest sniffer software loaded. Both weekly and monthly rentals are
Network Associates, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
Shomiti Systems Surveyor, Explorer, and Century LAN Analyzers
Shomiti Systems LAN Analyzers are heavy-duty hardware/software solutions that support 10/100Mbps and gigabit Ethernet. The systems work with both Ethernet and token ring networks and offer real-time reporting. Surveyor operates on Windows 95/98/2K or NT. Shomiti also offers a plug-in module for Surveyor, which provides Quality of Service analysis for factors important to voice-over IP applications.
Shomiti Systems, Inc.
1800 Bering Drive
San Jose, CA 95112
PacketView by Klos Technologies
PacketView is a DOS-based packet sniffer designed for use in Ethernet, token ring, ARCNET, and FDDI environments. It runs about $300. You can try before you buy by downloading a demo version located at
Klos Technologies, Inc.
Cortland, NY 13045
Network Probe from Network Communications
Network Communications produces several network analyzers, including the Ranger Network Probe and the 8000 Network Probe, for both LANs and WANs. They can capture and analyze packets from the following protocols: AppleTalk, Banyan, DECnet, Microsoft, IBM, NFS, Novell, SMB, Sun NFS, TCP/IP, Token Ring/LLC, X Window, and XNS.
Network Communications Corporation
7601 Washington Avenue South
Edina, MN 55439
LANWatch by Precision Guesswork
LANWatch is a software-based sniffer for both DOS (LANWatch 4.1) and Windows 95/98/2K/NT (LANWatch32). It monitors packets from the following protocols: TCP, UDP, IP, IPv6, NFS, NetWare, SNA, AppleTalk, VINES, ARP, NetBIOS, and some 50 others. LANWatch monitors traffic in real time and can display a wide range of useful statistics. A demo version is located at
Five Central Street
Topsfield, MA 01983
EtherPeek from WildPackets Inc. (formerly AG Group)
EtherPeek (4.0 is the latest version at the time of this writing) is available for both Windows and Macintosh platforms. EtherPeek supports major protocol suites including IP, IPv6, AppleTalk, NetWare, IPX/SPX, NetBIOS, DECnet, SMB, and OSI/TARP. It runs from $900 to $1,350, depending on the type of license you purchase.
2540 Camino Diablo, Suite 200
Walnut Creek, CA 94596
Phone: 925-937-7900 or 800-466-2447
NetMinder Ethernet by Neon Software
NetMinder Ethernet is a Macintosh-based protocol analyzer that can produce automatically updated HTML output reports. These reports are updated in real-time, allowing system administrators to access their latest network analysis statistics from anywhere in the world and from any platform. (Naturally, the application also provides real-time analysis in the standard GUI environment.) A demo version is available at
3685 Mt. Diablo Blvd., Suite 253
Lafayette, CA 94549
DatagLANce Network Analyzer by IBM
DatagLANce is a network analyzer that IBM withdrew from its product line. DatagLANce was designed for both Ethernet and token ring networks, and, to my knowledge, is the only sniffer written expressly for OS/2. DatagLANce can analyze a wide range of protocols, including but not limited to NetBIOS, IBM LAN Manager, TCP/IP, NFS, IPX/SPX, DECnet, AppleTalk, and Banyan VINES. (DatagLANce can also output analysis data in many different formats.)
Product Numbers: 5622-441, 5622-442, 5622-443
LinkView Network Analyzers by Acterna
LinkView Network Analyzers support token ring, Ethernet, and fast Ethernet but are designed chiefly for protocol analysis on internetworks. They therefore automatically
IP-reporting statistics from other protocol statistics. LinkView Classic runs on Windows 95/98 and Windows NT SP4. LinkView Classic is a
LAN analyzer that works with most third-party network cards. The Acterna Advanced Ethernet Adapter is a hardware extension for LinkView Classic that runs on Windows 95/98. The LinkView software is available at
1030 Swabia Court
Research Triangle Park, NC 27709
ProConvert from WildPackets, Inc. (formerly Net3 Group)
ProConvert is not a sniffer but a tool for integrating data from disparate sniffers: it converts captures from different vendors' formats into a single format, so packets can be viewed on a platform other than the one on which they were captured. ProConvert decodes (and translates among) EtherPeek, Fireberd500, Internet Advisor LAN, LAN900, LANalyzer for Windows, LANWatch, Network Monitor, NetXRay, LinkView, and tcpdump formats. In other words, ProConvert is the Rosetta stone for sniffer logs, and it can save you many hours of work.
2540 Camino Diablo, Suite 200
Walnut Creek, CA 94596
Phone: 925-937-7900 or 800-466-2447
LANdecoder32 by Triticom
LANdecoder32 is an extremely popular sniffer for use on Windows 95/98 or Windows NT/2000. It has advanced reporting capabilities and can be used to analyze frame content. Other features include remote monitoring (requiring RMON on the remote system), ASCII filtering (filter by string), and real-time reporting. Demonstration versions can be obtained by contacting Triticom.
P.O. Box 46427
Eden Prairie, MN 55344
LanExplorer Protocol Analyzer from Sunrise Telecom
LanExplorer Protocol Analyzer decodes all popular protocols, including TCP/IP, 802.3, 802.5, VLAN, Apple, Novell, and Microsoft, as well as VoIP protocols including H.323, H.225, H.245, RTP, and RTCP. LanExplorer runs on Windows 95/98/2K and NT and uses existing Ethernet, Fast Ethernet, token ring, or WAN network interface cards. A trial version can be obtained from
Sunrise Telecom, Inc.
22 Great Oaks Blvd
San Jose, CA 95119
Freely Available Sniffers
There are also many freeware and shareware sniffers available. These are perfect if you want to learn about network traffic without spending any money. Unfortunately, some are architecture-specific, and the majority are designed for UNIX.
Esniff is a standard, generic UNIX-based sniffer. It was one of the first sniffers and was originally released in
Magazine (an online hacker zine). Esniff is a very small C program that requires a C compiler and the IP include files. A modified version for Solaris 2.x, solsniffer.c, also exists. Esniff is available at the following locations:
Gobbler (Tirza van Rijn)
Gobbler was an early tool for those who wanted to learn about sniffers. It was designed for the MS-DOS platform but also ran under Windows 95.
An example of how Gobbler has been used as a tool for diagnosing network traffic jams can be found in a case study provided with the documentation. Here's a snippet of that paper:
A bridge was having problems in getting through its startup sequence using the
protocol. "The Gobbler" packet
was used to capture the packets to and from the bridge. The dump file viewer and protocol analyzer made it possible to follow the whole startup sequence and to track down the cause of the problem.
T.V. Rijn and J.V. Oorschot,
The Gobbler, An Ethernet Troubleshooter/Protocol Analyzer.
November 29, 1991. Delft University of Technology, Faculty of Electrical Engineering, the Netherlands.
Gobbler is no longer widely distributed or used, but it can be found at the following addresses:
Ethload (Vyncke, et al.)
Ethload is a shareware packet sniffer/packet analyzer written in C for Ethernet and token ring networks. It runs well with any of the following interfaces:
3Com/Microsoft Protocol Manager
Further, it analyzes the following protocols:
Unfortunately, the source code is no longer available. The author explains:
After being flamed on some mailing lists for having put a sniffer source code in the public domain and as I understand their fears (even if a large bunch of other Ethernet sniffers are available everywhere), I have decided that the source code is not made available.
Ethload consists of more than 65,000 lines of C code. Two versions are available: You can either register your copy by sending in $200, or you can have an unregistered copy. The registered version has additional functions: more diligent support, printouts, periodic statistics gathered into a file, more buffers, and so on.
For a free sniffer executable on a DOS/Novell platform, Ethload is excellent.
Here are a few sites that offer Ethload:
TCPDUMP is one of the most popular tools for network diagnostics and analysis. It monitors and decodes IP, TCP, UDP, and ICMP headers. The user can vary how much of each packet is captured (the snapshot length, set with -s); older releases defaulted to a short snapshot of 68 bytes, enough for the headers but not the payload, whereas current releases capture whole packets by default. TCPDUMP was loosely based on Sun's etherfind and was designed to aid ongoing research into improving TCP and Internet gateway performance. TCPDUMP is a UNIX-based program, but a Windows port, WINDUMP, now exists. TCPDUMP can be obtained at
WINDUMP can be found at
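ProConvert's job (translating tcpdump-format captures among tools) and TCPDUMP's snapshot length both come down to the two layouts every sniffer has to understand: the libpcap file format and the Ethernet/IPv4/TCP header format. The following Python is an added example, not code from the original text or from tcpdump or ProConvert: it decodes a constructed Ethernet/IPv4/TCP frame the way a sniffer does, writes it to a pcap file in memory, reads it back from either byte order, and shows what the 68-byte snapshot that older tcpdump releases used by default does to the payload. The frame, addresses, MACs and login string are made up for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
OLD_DEFAULT_SNAPLEN = 68       # what older tcpdump releases grabbed per packet unless -s was given


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over an IPv4 header; returns 0 when a header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): Ethernet II / IPv4 / TCP to port 21
    carrying a cleartext FTP login. Addresses and MACs are made up."""
    payload = b"USER alice\r\nPASS s3cret\r\n"
    # sport, dport, seq, ack, data offset = 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 21, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol 6 (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 21]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def decode_frame(data: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP headers the way a sniffer does. 'truncated' is
    set when the snapshot ended before a header or the payload was complete."""
    info = {"truncated": False}
    if len(data) < 14:
        info["truncated"] = True
        return info
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    info.update(eth_dst=dst.hex(":"), eth_src=src.hex(":"), ethertype=ethertype)
    if ethertype != 0x0800:           # only IPv4 is handled in this example
        return info
    if len(data) < 34:
        info["truncated"] = True
        return info
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", data[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    info.update(ip_src=".".join(map(str, s)), ip_dst=".".join(map(str, d)), ttl=ttl, proto=proto,
                ip_checksum_ok=(len(data) >= 14 + ihl and ipv4_checksum(data[14:14 + ihl]) == 0))
    l4 = data[14 + ihl:]
    if proto == 6:                    # TCP
        if len(l4) < 20:
            info["truncated"] = True
            return info
        sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", l4[:16])
        doff = (off >> 4) * 4
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, window=window,
                    payload=l4[doff:])
        # The IP total length says how much payload was on the wire; compare with what we have.
        if len(l4) < doff or len(info["payload"]) < total_len - ihl - doff:
            info["truncated"] = True
    return info


def write_pcap(frames, snaplen: int = 262144, ts_sec: int = 0) -> bytes:
    """Serialize frames in libpcap format (little-endian, as tcpdump -w writes on x86)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        incl = frame[:snaplen]        # this is exactly the truncation that -s controls
        out += struct.pack("<IIII", ts_sec + i, 0, len(incl), len(frame)) + incl
    return bytes(out)


def read_pcap(blob: bytes) -> list:
    """Parse a libpcap file from either byte order; returns [(timestamp, orig_len, data), ...]."""
    for endian in ("<", ">"):
        if blob[:4] == struct.pack(endian + "I", PCAP_MAGIC):
            break
    else:
        raise ValueError("not a classic microsecond pcap file")
    linktype = struct.unpack(endian + "IHHiIII", blob[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl, orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        records.append((ts_sec + ts_usec / 1e6, orig, blob[off:off + incl]))
        off += incl
    return records


def capture_demo(snaplen: int) -> dict:
    """Write the sample frame with the given snaplen, read it back, and decode it."""
    frame = build_sample_frame()
    _, orig_len, data = read_pcap(write_pcap([frame], snaplen=snaplen))[0]
    info = decode_frame(data)
    info.update(orig_len=orig_len, captured_len=len(data))
    return info


if __name__ == "__main__":
    for snap in (OLD_DEFAULT_SNAPLEN, 262144):
        r = capture_demo(snap)
        print(f"snaplen={snap}: {r['ip_src']}:{r['sport']} -> {r['ip_dst']}:{r['dport']} "
              f"captured {r['captured_len']}/{r['orig_len']} bytes, truncated={r['truncated']}, "
              f"payload={r['payload']!r}")
```

With the 68-byte snapshot the Ethernet, IP and TCP headers decode completely (the IP checksum still verifies), but the payload stops after "USER alice\r\nPA": fine for the traffic statistics these tools produce, useless for anyone who wants the PASS line. That is why capturing for later analysis is done with -s 0 (or a current release's full-packet default), and why the reader above accepts both byte orders: a pcap file written on one host may be read on another.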
LinSniff is a password sniffer. To compile it, you need the necessary network include files (tcp.h, ip.h, inet.h, if_ether.h, and so on) on a Linux system. It is available at
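What makes LinSniff a "password sniffer" rather than a packet dumper happens above the packet layer: once the sniffer has the client-to-server TCP payload of a cleartext login protocol, it only has to reassemble the stream and pair each USER line with the PASS line that follows it. The Python below is an added example of that step, not LinSniff's own code; the segments, addresses, user names and passwords are constructed for the example, and it covers FTP and POP3 (and ignores HTTP, whose login syntax is different), including a login split across two segments and a case-insensitive command:

```python
from collections import defaultdict

# Constructed sample segments (not a real capture): (flow, payload) in arrival order.
# A flow is (client_ip, client_port, server_ip, server_port); payload is one TCP
# segment's data from client to server. The first FTP login is split across two segments.
SAMPLE_SEGMENTS = [
    (("10.0.0.5", 40000, "10.0.0.21", 21), b"USER ali"),
    (("10.0.0.7", 40100, "10.0.0.110", 110), b"USER bob\r\n"),
    (("10.0.0.5", 40000, "10.0.0.21", 21), b"ce\r\nPASS s3cret\r\n"),
    (("10.0.0.7", 40100, "10.0.0.110", 110), b"pass hunter2\r\nSTAT\r\n"),
    (("10.0.0.9", 40200, "10.0.0.21", 21), b"USER anonymous\r\nPASS guest@\r\n"),
    (("10.0.0.11", 40400, "10.0.0.21", 21), b"PASS orphan\r\n"),     # PASS with no USER: ignored
    (("10.0.0.9", 40300, "10.0.0.80", 80), b"GET /login?user=x&pass=y HTTP/1.0\r\n\r\n"),
]

# Services whose login is a USER line followed by a PASS line, sent in the clear.
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 110: "pop3"}


def extract_credentials(segments) -> list:
    """Reassemble each flow's client stream, split it into CRLF-terminated lines, and pair
    each USER with the next PASS on the same flow. Segments may split a line anywhere."""
    buffers = defaultdict(bytes)   # per-flow bytes not yet terminated by CRLF
    pending_user = {}              # per-flow USER argument waiting for its PASS
    found = []
    for flow, data in segments:
        service = CLEARTEXT_LOGIN_PORTS.get(flow[3])
        if service is None:        # not a USER/PASS protocol on a port we watch
            continue
        buffers[flow] += data
        *lines, rest = buffers[flow].split(b"\r\n")
        buffers[flow] = rest       # an incomplete trailing line waits for the next segment
        for line in lines:
            verb, _, arg = line.partition(b" ")
            verb = verb.upper()    # FTP and POP3 commands are case-insensitive
            if verb == b"USER":
                pending_user[flow] = arg.decode("latin-1")
            elif verb == b"PASS" and flow in pending_user:
                found.append({"service": service, "client": flow[0], "server": flow[2],
                              "user": pending_user.pop(flow), "password": arg.decode("latin-1")})
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_SEGMENTS):
        print(f"{cred['service']} {cred['client']} -> {cred['server']}: "
              f"{cred['user']} / {cred['password']}")
```

Two things follow from how little code this takes. First, the only real defence is to stop putting the credentials on the wire in the clear: with FTP over TLS, POP3 over TLS, or SSH/SFTP in place of FTP, a sniffer in the same position sees ciphertext and this function finds nothing. Second, the same logic pointed at a capture of your own network is a cheap way to find which hosts are still using cleartext logins.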
Sunsniff is designed specifically for the SunOS platform. It consists of 513 lines of C source, reportedly coded by crackers who wish to remain anonymous. It works reasonably well on Sun hardware and is probably not easily portable to another flavor of UNIX. This program is good for experimentation and can be found at
The name linux_sniffer.c pretty much says it all. It consists of 175 lines of C code, distributed primarily at cracker sites on the Net. This program is Linux-specific. It is another utility that is great for experimentation on a nice Sunday afternoon; it's a free and easy way to learn about packet traffic. linux_sniffer.c is available at