Where Can I Get a Sniffer? Sniffers come in two basic flavors: commercial and freeware. If you're just learning about networking, I recommend getting a freeware sniffer. On the other hand, if you manage a large network, your company should purchase at least one commercial sniffer. They are invaluable when you're trying to diagnose a network problem. Commercial Sniffers The sniffers in this section are commercial, but many of these companies offer demo versions. Prices range from $200 to $2,000. Sniffer Portable Analysis Solutions from Network Associates Network Associates has produced several levels of network analysis tools including Sniffer Basic (formerly NetXRay by Cinco Networks), Sniffer Pro LAN, Sniffer Pro WAN, Sniffer High-Speed, and Sniffer Packet over SONET. These sniffers decode more than 240 LAN/WAN protocols, and Sniffer Pro High-Speed works with ATM and Gigabit Ethernet. SnifferPro is a powerful tool providing visibility into the data network. It allows the user to perform a variety of functions including capturing network traffic, diagnosing network problems, and monitoring network activity in real-time. Figure 15.1 shows an example of a SnifferPro session in progress. The Expert window displays accumulated objects, symptoms, and diagnoses in the Expert Overview pane, while the Capture gauge shows the status of the capture in progress. The Capture function of this easily used and popular sniffer stores the actual packets from a network and decodes them, providing the user with detailed information about various network transactions. The Dashboard displays a network segment's packet rate, percentage of utilization, and error rate in real-time. Figure 15.1. SnifferPro's real-time Expert and Capture gauge windows. 
SnifferPro can collect data about conversations between network nodes in real-time. Figure 15.2 shows an example of this feature. A display of the network's traffic map depicting traffic patterns between network nodes can be seen, as well as traffic count statistics for node pairs. Figure 15.2. SnifferPro's Traffic Map Matrix display. 
Network Associates also offers a sniffer rental service, from which a client can receive a portable computer with the latest sniffer software loaded. Both weekly and monthly rentals are offered. Network Associates, Inc. Sniffer Technologies 3965 Freedom Circle Santa Clara, CA 95054 Phone: 800-Sniffer URL: http://www.networkassociates.com/ Shomiti Systems Surveyor, Explorer, and Century LAN Analyzers Shomiti Systems LAN Analyzers are heavy-duty hardware/software solutions that support 10/100Mbps and gigabit Ethernet. The systems work with both Ethernet and token ring networks and offer real-time reporting. Surveyor operates on Windows 95/98/2K or NT. Shomiti also offers a plug-in module for Surveyor, which provides Quality of Service analysis for factors important to voice-over IP applications. Shomiti Systems, Inc. 1800 Bering Drive San Jose, CA 95112 Phone: 408-437-3940 Email: info@shomiti.com URL: http://www.shomiti.com PacketView by Klos Technologies PacketView is a DOS-based packet sniffer designed for use in Ethernet, token ring, ARCNET, and FDDI environments. It runs about $300. You can try before you buy by downloading a demo version located at http://www.klos.com/get.pvdemo.html. Klos Technologies, Inc. 12 Jewett Cortland, NY 13045 Phone: 607-753-0568 Fax: 561-828-6397 Email: sales@klos.com URL: http://www.klos.com/ Network Probe from Network Communications Network Communications produces several network analyzers including the Ranger Network Probe and the 8000 Network Probe for both LANs and WANS. They can capture and analyze packets from the following protocols: AppleTalk, Banyan, DEC Net, Microsoft, IBM, NFS, Novell, SMB, Sun NFS, TCP/IP, Token Ring/LLC, X-WINDOWS, and XNS. Network Communications Corporation 7601 Washington Avenue South Edina, MN 55439 Phone: 952-946-8800 Fax: 952-946-8822 Email: sales@netcommcorp.com URL: http://www.netcommcorp.com LANWatch by Precision Guesswork LANWatch is a software-based sniffer solution for both DOS (LANWatch 4.1) and Windows 95/98/2K/NT(LANWatch32) platforms. It will monitor packets from the following protocols: TCP, UDP, IP, IPv6, NFS, NetWare, SNA, AppleTalk, VINES, ARP, NetBIOS, and some 50 others. LANWatch monitors traffic in real-time and can display a wide range of usable statistics. A demo version is located at http://www.guesswork.com/demo.html. Precision Guesswork Five Central Street Topsfield, MA 01983 Phone: 978-887-6570 Email: info@precision.guesswork.com URL: http://www.guesswork.com EtherPeek from WildPackets Inc. (formerly AG Group) EtherPeek (4.0 is the latest version at the time of this writing) is available for both Windows and Macintosh platforms. EtherPeek supports major protocol suites including IP, IPv6, AppleTalk, NetWare, IPX/SPX, NetBIOS, DECnet, SMB, and OSI/TARP. It runs from $900 to $1,350, depending on the type of license you purchase. WildPackets, Inc. 2540 Camino Diablo, Suite 200 Walnut Creek, CA 94596 Phone: 925-937-7900 or 800-466-2447 Email: info@wildpackets.com URL: http://www.wildpackets.com/ NetMinder Ethernet by Neon Software NetMinder Ethernet is a Macintosh-based protocol analyzer that can produce automatically updated HTML output reports. These reports are updated in real-time, allowing system administrators to access their latest network analysis statistics from anywhere in the world and from any platform. (Naturally, the application also provides real-time analysis in the standard GUI environment.) A demo version is available at http://www.neon.com/demos_goodies.html. Neon Software 3685 Mt. Diablo Blvd., Suite 253 Lafayette, CA 94549 Phone: 800-334-NEON Email: info@neon.com URL: http://www.neon.com DatagLANce Network Analyzer by IBM DatagLANce is a network analyzer that IBM withdrew from its product line. DatagLANce was designed for both Ethernet and token ring networks, and, to my knowledge, is the only sniffer written expressly for OS/2. DatagLANce can analyze a wide range of protocols, including but not limited to NetBIOS, IBM LAN Manager, TCP/IP, NFS, IPX/SPX, DECnet, AppleTalk, and Banyan VINES. (DatagLANce can also output analysis data in many different formats.) IBM Product Numbers: 5622-441, 5622-442, 5622-443 LinkView Network Analyzers by Acterna LinkView Network Analysers support token ring, Ethernet, and fast Ethernet but are designed chiefly for protocol analysis on internetworks. They therefore automatically segregate IP-reporting statistics from other protocol statistics. LinkView Classic runs on Windows 95/98, and Windows NT SP4. LinkView Classic is a software-only LAN analyzer that works with most third-party network cards. The Acterna Advanced Ethernet Adapter is a hardware exten sion for LinkView Classic that runs on Windows 95/98. The LinkView software is available at http://www.tinwald.com/sc_forms/linkview_classic_software.htmllv_classic_software.html. Acterna, Inc. 1030 Swabia Court Research Triangle Park, NC 27709 Phone: 800-346-6332 Email: linkview.info@wwgsolutions.com URL: http://www.linkview.com ProConvert from WildPackets, Inc. (formerly Net3 Group) ProConvert is not a sniffer, but is instead a tool for integrating data from disparate sniffers. This allows data from different vendors'formats to be converted into a single format, allowing the user to view packets on a platform separate from the one on which the packets were captured. ProConvert decodes (and provides universal translation between) EtherPeek, Fireberd500, Internet Advisor LAN, LAN900, LANalyzer for Windows, LANWatch, Network Monitor, NetXRay, LinkView, and tcpdump formats. In other words, ProConvert is the Rosetta stone for sniffer logs. It can save you many, many hours of work. WildPackets, Inc. 2540 Camino Diablo, Suite 200 Walnut Creek, CA 94596 Phone: 925-937-7900 or 800-466-2447 Email: info@wildpackets.com URL: http://www.wildpackets.com/ LANdecoder32 by Triticom LANdecoder32 is an extremely popular sniffer for use on Windows 95/98 or Windows NT/2000. It has advanced reporting capabilities and can be used to analyze frame content. Other features include remote monitoring (requiring RMON on the remote system), ASCII filtering (filter by string), and real-time reporting. Demonstration versions can be obtained by contacting Triticom. Triticom P.O. Box 46427 Eden Prairie, MN 55344 Phone: 952-829-8019 Email: info@triticom.com URL: http://www.triticom.com/ LanExplorer Protocol Analyzer from Sunrise Telecom LanExplorer Protocol Analyzer decodes all popular protocols, including TCP/IP, 802.3, 802.5, VLAN, Apple, Novell, and Microsoft as well as VoIP protocols including H323, H225, H245, RTP, and RTCP. LanExplorer runs on Windows 95/98/2K and NT and uses existing Ethernet, Fast Ethernet, token ring, or WAN network interface cards. A trial version can be obtained from http://www.intellimax.com/download.htm. Sunrise Telecom, Inc. 22 Great Oaks Blvd San Jose, CA 95119 Phone: 408-363-8000 Email: info@intellimax.com URL: http://www.intellimax.com/ Freely Available Sniffers There are also many freeware and shareware sniffers available. These are perfect if you want to learn about network traffic without spending any money. Unfortunately, some are architecture-specific, and the majority are designed for UNIX. Esniff is a standard, generic UNIX-based sniffer. It was one of the first sniffers and was originally released in Phrack Magazine (an online hacker zine). Esniff is a very small C program that requires a C compiler and IP include files. A modified version for Solaris 2.X called solsniffer.c also exists. Esniff is available at the following locations: http://rootshell.com/archive-j457nxiqi3gq59dv/199707/Esniff.c.html http://www.chaostic.com/filez/exploites/Esniff.c Gobbler (Tirza van Rijn) Gobbler was an excellent early tool for those who wanted to learn about sniffers. It was designed to work on the MS-DOS platform, but ran in Windows 95. An example of how Gobbler has been used as a tool for diagnosing network traffic jams can be found in a case study provided with the documentation. Here's a snippet of that paper: A bridge was having problems in getting through its startup sequence using the bootp protocol. "The Gobbler" packet catcher was used to capture the packets to and from the bridge. The dump file viewer and protocol analyzer made it possible to follow the whole startup sequence and to track down the cause of the problem. T.V. Rijn and J.V. Oorschot, The Gobbler, An Ethernet Troubleshooter/Protocol Analyzer. November 29, 1991. Delft University of Technology, Faculty of Electrical Engineering, the Netherlands.  Gobbler is no longer widely distributed or used, but it can be found at the following addresses:
http://packetstorm.securify.com/NT/audit/ http://agape.trilidun.org/hack/network-sniffers/ Ethload (Vyncke, et al.) Ethload is a shareware packet sniffer/packet analyzer written in C for Ethernet and token ring networks. It runs well with any of the following interfaces: Novell ODI 3Com/Microsoft Protocol Manager PC/TCP/Clarkson/Crynwr Further, it analyzes the following protocols: TCP/IP DECnet OSI XNS NetWare NetBEUI Unfortunately, the source code is no longer available. The author explains: After being flamed on some mailing lists for having put a sniffer source code in the public domain and as I understand their fears (even if a large bunch of other Ethernet sniffers are available everywhere), I have decided that the source code is not made available. Ethload consists of more than 65,000 lines of C code. Two versions are available: You can either register your copy by sending in $200, or you can have an unregistered copy. The registered version has additional functions: more diligent support, printouts, periodic statistics gathered into a file, more buffers, and so on. For a free sniffer executable on a DOS/Novell platform, Ethload is excellent. Here are a few sites that offer Ethload: http://www.ping.be/~pin01407/ http://www.computercraft.com/noprogs/ethld104.zip ftp://ftp.simtel.net/pub/simtelnet/msdos/lan/ethld200.zip TCPDUMP TCPDUMP is one of the most popular tools for network diagnostics and analysis. TCPDUMP can be used to monitor and decode all IP, TCP, UDP, and ICMP headers. The user can vary the amount of the packet that is grabbed, but the default is 64 bytes. TCPDUMP was loosely based on Sun's etherfind and was designed to aid in ongoing research to improve TCP and Internet gateway performance. TCPDUMP is a UNIX-based program, but a Windows version now exists known as WINDUMP. TCPDUMP can be obtained at http://www.tcpdump.org/ WINDUMP can be found at http://netgroup-serv.polito.it/windump/ LinSniff LinSniff is a password sniffer. To compile it, you need all necessary network include files (tcp.h, ip.h, inet.h, if_ther.h, and so on) on a Linux system. It is available at http://packetstorm.securify.com/Exploit_Code_Archive/linsniff.c Sunsniff Sunsniff is also designed specifically for the SunOS platform. It consists of 513 lines of C source, coded reportedly by crackers who want to remain anonymous. It works reasonably well on Sun, and is probably not easily portable to another flavor. This program is good for experimentation and can be found at http://securax.org/l0t/prog/sniffers/sunsniff.c linux_sniffer.c This program's name pretty much says it all. It consists of 175 lines of C code, distributed primarily at cracker sites on the Net. This program is Linux-specific. It is another utility that is great for experimentation on a nice Sunday afternoon; it's a free and easy way to learn about packet traffic. linux_sniffer.c is available at http://rootshell.com/archive-j457nxiqi3gq59dv/199707/linux_sniffer.c.html 
| 