What is a sniffer and how to use it. Network traffic analyzer sniffer

Many network administrators encounter problems that can be resolved by analyzing network traffic. This is where the concept of a traffic analyzer comes in. So what is it?

NetFlow analyzers and collectors are tools that help you monitor and analyze network traffic data. Network flow analyzers let you pinpoint the devices that are consuming link bandwidth, find problem areas in your network and improve its overall efficiency.

The term "NetFlow" refers to a Cisco protocol designed to collect IP traffic information and monitor network traffic. NetFlow has become the de facto standard protocol for flow-based monitoring.

NetFlow software collects and analyzes flow data generated by routers and presents it in a user-friendly format.

Several other network equipment vendors have their own protocols for monitoring and data collection. For example, Juniper, another highly respected network device vendor, calls its protocol "J-Flow". HP and Fortinet use the term "s-Flow". Although the protocols have different names, they all work in a similar way. In this article, we'll look at 10 free network traffic analyzers and NetFlow collectors for Windows.

SolarWinds Real-Time NetFlow Traffic Analyzer

Free NetFlow Traffic Analyzer is one of the most popular tools available for free download. It lets you sort, tag and display data in a variety of ways, which makes it convenient to visualize and analyze network traffic. The tool is well suited to monitoring network traffic by type and time period, and to running tests that determine how much traffic various applications consume.

This free tool is limited to one NetFlow monitoring interface and stores only 60 minutes of data. Within those limits, it is a powerful NetFlow analyzer that is worth using.

Colasoft Capsa Free

This free LAN traffic analyzer identifies and monitors over 300 network protocols and allows you to create custom reports. It includes e-mail monitoring and TCP sequence charts, all collected in one customizable dashboard.

Other features include network security analysis, for example tracking DoS/DDoS attacks and worm activity and detecting ARP attacks, as well as packet decoding and display, statistics for each host on the network, packet exchange control and flow reconstruction. Capsa Free supports all 32-bit and 64-bit versions of Windows XP.

Minimum system requirements for installation: 2 GB of RAM and a 2.8 GHz processor. You also need an Ethernet connection to the Internet (NDIS 3 compliant or higher), Fast Ethernet or Gigabit, with a driver that supports promiscuous mode; this is what allows the tool to passively capture all packets transmitted over the Ethernet cable.

Angry IP Scanner

This is an open-source Windows traffic analyzer that is fast and easy to use. It does not require installation and runs on Linux, Windows and Mac OS X. The tool works by simply pinging each IP address and can determine MAC addresses, scan ports, provide NetBIOS information, determine the logged-in user on Windows systems, discover web servers, and much more. Its capabilities can be extended with Java plugins. Scan results can be saved to CSV, TXT or XML files.

ManageEngine NetFlow Analyzer Professional

The fully featured version of ManageEngine's NetFlow software. This is powerful software with a full set of analysis and data-collection functions: real-time monitoring of link throughput and alerts when threshold values are reached, which lets you react quickly. In addition, it provides summary data on resource usage, application and protocol monitoring, and much more.

The free version of the Linux traffic analyzer allows unlimited use of the product for 30 days, after which you can monitor only two interfaces. System requirements for ManageEngine NetFlow Analyzer depend on the flow rate. The recommended requirements for the lowest tier, 0 to 3000 flows per second, are a 2.4 GHz dual-core processor, 2 GB of RAM and 250 GB of free disk space. As the flow rate to be monitored increases, so do the requirements.

The Dude

This application is a popular network monitor developed by MikroTik. It automatically scans all devices and draws a network map. The Dude monitors services running on various devices and alerts you if problems arise. Other features include automatic discovery and display of new devices, the ability to create custom maps, access to tools for remote device management, and more. It runs on Windows, on Linux under Wine and on macOS under Darwine.

JDSU Network Analyzer Fast Ethernet

This traffic analyzer lets you quickly collect and view network data. The tool lets you view registered users, determine how much network bandwidth individual devices use, quickly find and fix errors, and capture data in real time for analysis.

The application supports highly detailed graphs and tables that allow administrators to monitor traffic anomalies, filter data to sift through large volumes, and much more. Suitable for entry-level professionals as well as experienced administrators, this tool lets you take complete control of your network.

Plixer Scrutinizer

This network traffic analyzer lets you collect and comprehensively analyze network traffic, and quickly find and fix errors. With Scrutinizer, you can sort your data in a variety of ways, including by time interval, host, application, protocol, and more. The free version allows you to monitor an unlimited number of interfaces and stores 24 hours of activity data.

Wireshark

Wireshark is a powerful network analyzer that runs on Linux, Windows, Mac OS X, Solaris and other platforms. Wireshark lets you view captured data in a GUI or use the TTY-mode TShark utility. Its features include VoIP traffic capture and analysis; real-time display of Ethernet, IEEE 802.11, Bluetooth, USB and Frame Relay data; XML, PostScript and CSV output; decryption support; and more.

System requirements: Windows XP or later, any modern 64/32-bit processor, 400 MB of RAM and 300 MB of free disk space. Wireshark is a powerful tool that can greatly simplify the work of any network administrator.

Paessler PRTG

This traffic analyzer provides users with many useful features: support for monitoring LANs, WANs, VPNs, applications, virtual servers, QoS and the physical environment. Multi-site monitoring is also supported. PRTG uses SNMP, WMI, NetFlow, sFlow, jFlow and packet analysis, as well as uptime/downtime monitoring, and supports IPv6.

The free version allows you to use an unlimited number of sensors for 30 days, after which you can only use up to 100 for free.

Sniffers

Sniffers are programs that can intercept and subsequently analyze network traffic. Sniffers are useful in cases where you need to intercept passwords or conduct network diagnostics. The program can be installed on one device to which you have access, and within a short time it will receive all the data transmitted on the subnet.

How sniffers work

You can intercept traffic through a sniffer in the following ways:

  • Listening on the network interface in its normal mode; this works only on a segment where hubs, not switches, are used.
  • Inserting the sniffer inline, at a point where the link is broken, so that the traffic passes through it.
  • An adapter or program changes the path of the traffic and sends a copy to the sniffer.
  • Stray electromagnetic radiation is analyzed and the traffic is reconstructed for listening.
  • The link and network layers are attacked so that traffic is redirected to the sniffer, which reads the data and then forwards the traffic along its previous route.

Traffic intercepted by the sniffer is analyzed, which allows us to identify:

Conventional sniffers analyze traffic very simply, using readily available automated tools, and are able to handle only very small volumes.

Examples of the most famous sniffers:

  • WinSniffer 1.3 is the best sniffer, has many different customizable modes, and is capable of catching passwords for various services;
  • CommView 5.0 catches and analyzes Internet and local network traffic. It collects the data associated with the modem and network card and decodes it, which makes it possible to see a complete list of connections on the network and per-IP statistics. The intercepted information is saved in a separate file for subsequent analysis; in addition, a convenient filtering system lets you ignore unnecessary packets and keep only those the attacker needs;
  • ZxSniffer 4.3 is a small sniffer, 333 KB in size; it fits on any modern storage medium and can be used by;
  • SpyNet is a fairly well-known and popular sniffer. Its main functionality includes intercepting traffic and decoding data packets;
  • IRIS has extensive filtering capabilities and can catch packets matching specified restrictions.

Classification of sniffers

Sniffers are divided according to the method of use into legal and illegal. The term "sniffer" itself is usually applied to illegal use, while legal ones are called "traffic analyzers".

Administrators use legal sniffers (traffic analyzers) to get complete information about the state of the network and to understand what employees are doing at their workplaces. Sniffers are invaluable when it is necessary to "listen" on the ports of programs that might be sending confidential information to their owners. For programmers, they help debug programs and their interactions. Using traffic analyzers, you can promptly detect unauthorized access to data or a DoS attack.

Illegal use involves spying on network users: the attacker learns which sites the user visits, what data the user sends, and which programs are used for communication. The main purpose of "listening" to traffic is to obtain logins and passwords transmitted in unencrypted form.

Traffic analyzers differ in the following capabilities:

  • Supported link-layer protocols and physical interfaces.
  • Quality of protocol decoding.
  • User interface.
  • Access to statistics, real-time traffic viewing, etc.

Source of threat

Sniffers can work on:

  • On a router, where all traffic passing through the device can be analyzed.
  • On an end node of the network. On a shared segment, all transmitted data reaches every network card, but in normal operation a card simply ignores data not addressed to it. If the card is switched to promiscuous mode, it receives all data transmitted on the segment, and sniffers, of course, switch it to this mode.

Risk analysis

Any organization may be at risk of sniffing. There are several ways to protect an organization from data leaks: first, use encryption; second, use antisniffers.

An antisniffer is a software or hardware tool that runs on the network and allows you to detect sniffers.

Encryption alone hides the content of a transmission but not the fact that it took place. Therefore, encryption should be used in conjunction with an antisniffer.

Surely many computer users have heard of a "sniffer", although not everyone fully understands what this concept means. Today, moreover, only a rather limited circle of users knows how and where such programs and hardware components are used. Let's try to figure out what's what.

What is a sniffer?

First of all, let's look at the definition of the term. To understand the essence of the issue, you must first translate the word "sniffer": literally, it is something that sniffs. In simpler terms, this is a program or device that, by analyzing traffic in the form of transmitted and received data, is capable of extracting the information it needs, for example encrypted passwords, external network IP addresses, or confidential information. Sniffers themselves can be used for both good and harm.

Sniffers: main types

When we talk about the main types of sniffers, they are not necessarily software installed on a computer or executed in the form of an online applet. Quite often today you can find sniffers built as "hardware" equipment or its components, combining physical and software characteristics. The main classification of sniffers includes the following types:

— software;

— hardware;

— hardware and software;

— online components.

Within this main classification, a further division can be made by the direction of analysis. The most common type, for example, is the password sniffer. The main task of this tool is to extract open or encrypted access codes or other information from the packets. There are also sniffers that determine the IP address of a specific computer in order to access that computer and the information stored on it.

How does it work? Network traffic interception can be applied only to networks built on the TCP/IP protocols and to connections made through Ethernet network cards. Wireless networks can also be analyzed, since such a system still has a wired connection somewhere (to the distributing stationary PC, laptop or router). In a network, data is not transmitted as a single block but is divided into standard segments and packets, which the receiving party reassembles into one. Sniffers can monitor the different transmission channels of each segment. At the time unprotected packets are transmitted to connected devices (switches, hubs, routers, computers or mobile devices), the necessary information, which may contain passwords, is retrieved. Cracking a password then becomes a technical matter, especially if it is not encrypted properly. Even with modern password encryption technologies, a password may be transmitted along with the corresponding key. If this key is of an open type, obtaining the password is very simple. If the key is encrypted, the attacker can use a decryptor program, which still leads to a data breach eventually.

Where can a network sniffer be used? Application area

The scope of use of sniffers is quite unusual. You should not think that a convenient sniffer is exclusively a tool for hackers trying to interfere with network traffic without authorization to obtain important information. Sniffers can also be used by providers who, based on their data, analyze the traffic of their users, thereby improving the security of computer systems. Such equipment and applications are called antisniffers, but in fact they are ordinary sniffers working in the opposite direction. Of course, no one notifies users about such actions on the part of the provider; besides, it wouldn't make much sense, since the average user is unlikely to be able to take any effective measures on their own. For a provider, traffic analysis is often very important, because it can prevent attempts to interfere with the operation of the network from outside. By analyzing access to transmitted packets, the provider can track unauthorized access to them, even by external IP addresses that are trying to intercept transmitted segments. This is the simplest example; overall the technology is much more complex.

How to determine the presence of a sniffer?

Let's leave aside the concept of a "sniffer" for now; it is already somewhat clear what it is. Let's now look at the signs you can use to determine on your own whether a sniffer is "wiretapping" you. If, in general, everything is in order with the computer system and the Internet connection and network equipment are working without failures, the first sign of outside interference is a drop in data transfer speed compared to what the provider declares. In Windows operating systems, the average user is unlikely to be able to determine the speed using standard tools, even by opening the status window from the connection icon: only the number of received and sent packets is shown there. A drop in speed may also be due to limitations of the resource being accessed. It is best to use special analyzer utilities; note that they themselves work on the principle of a sniffer. The one thing you need to pay attention to is that programs of this type can, after installation, cause errors resulting from conflicts with firewalls (third-party products or the built-in Windows firewall). For this reason, it is advisable to completely disable the firewall for the duration of the analysis.

Conclusion

We have briefly examined the main issues related to the concept of a "sniffer". In principle, it should now be clear what it is, both as a security tool and as a hacking tool. It remains only to add a few words about online applets. For the most part, they can be used by attackers to obtain the victim's IP address and access confidential information. Such an online sniffer performs its direct function while the attacker's IP address changes; in some ways, such applets resemble anonymous proxy servers that hide the user's real IP address. For obvious reasons, details of such Internet resources are not provided here, since interfering with the operation of other people's computer systems using these seemingly officially hosted software products is illegal and criminally punishable.

In this article we will look at creating a simple sniffer for Windows.
Anyone interested, read on.

Introduction

Goal: write a program that captures network traffic (Ethernet, WiFi) transmitted over the IP protocol.
Tools: Visual Studio 2005 or later.
The approach described here is not the author's own invention and is successfully used in many commercial as well as completely free programs (hello, GPL).
This work is intended primarily for beginners in network programming who nevertheless have at least basic knowledge of sockets in general and Windows sockets in particular. Here I will often state well-known things, because the subject area is specific; if I skip something, the picture will be a mess.

I hope you find it interesting.

Theory (reading is not required, but recommended)

At the moment, the vast majority of modern information networks are built on the TCP/IP protocol stack. The TCP/IP protocol stack (Transmission Control Protocol/Internet Protocol) is the collective name for the network protocols of different layers used in such networks. In this article we are mainly interested in the IP protocol, a routed network-layer protocol used for the non-guaranteed delivery of data divided into so-called packets (the more correct term is datagram) from one network node to another.
Of particular interest to us are IP packets carrying data. This is a fairly high level of the OSI network model, at which you can abstract away from the device and the transmission medium and operate only on a logical representation.
It is entirely logical that sooner or later tools for intercepting, monitoring, recording and analyzing network traffic had to appear. Such tools are usually called traffic analyzers, packet analyzers or sniffers (from the English verb to sniff). A network traffic analyzer is a program or hardware-software device designed to intercept and subsequently analyze, or only to analyze, network traffic intended for other nodes.

Practice (substantive conversation)

At the moment, quite a lot of software has been written for listening to traffic; the most famous is Wireshark. Naturally, the goal is not to steal its laurels: we are interested in the task of intercepting traffic by simply "listening" on a network interface. It is important to understand that we are not going to hack anything or intercept other people's traffic. We just want to view and analyze the traffic that passes through our own host.

Why this may be needed:

  1. View the current traffic flow through the network connection (incoming/outgoing/total).
  2. Redirect traffic to another host for subsequent analysis.
  3. Theoretically, you could try to use it to hack a WiFi network (we're not going to do that, are we?).

Unlike Wireshark, which is based on the libpcap/WinPcap library, our analyzer will not use that driver. What's more, we won't have a driver at all, and we're not going to write our own NDIS driver (oh, the horror!); you can read about that in this topic. Our program will simply be a passive observer, using only the WinSock library. Using a driver in this case is redundant.

How so? Very simple.
The key step in turning a simple network application into a network analyzer is switching the network interface into promiscuous mode, which allows it to receive packets addressed to other interfaces on the network. This mode forces the network card to accept all frames, regardless of whom they are addressed to.

Starting with Windows 2000 (NT 5.0), it became very easy to create a program to listen to a network segment, because its network driver allows you to set the socket to receive all packets.

Enabling Promiscuous Mode
    #include <winsock2.h>

    #define SIO_RCVALL 0x98000001   // receive all packets (also declared in mstcpip.h)

    SOCKET s;         // raw socket; it must already be bound to a local interface address
    u_long flag = 1;  // 1 = enable, 0 = disable
    ioctlsocket(s, SIO_RCVALL, &flag);
Our program operates on IP packets and uses the Windows Sockets library version 2.2 and raw sockets. In order to gain direct access to an IP packet, the socket must be created as follows:
Creating a raw socket
    s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
Here, instead of the constant SOCK_STREAM (TCP protocol) or SOCK_DGRAM (UDP protocol), we use the value SOCK_RAW. Generally speaking, working with raw sockets is interesting not only from the point of view of traffic capture. In fact, we get complete control over the formation of the packet, or rather, we build it by hand, which allows us, for example, to send a specific ICMP packet...

Let's move on. As is known, an IP packet consists of a header, service information and the actual data. I advise you to look here to refresh your knowledge. Let's describe the IP header as a structure (thanks to the excellent article on RSDN):

Description of the IP packet structure
    typedef struct _IPHeader
    {
        unsigned char  ver_len;     // header version and length
        unsigned char  tos;         // type of service
        unsigned short length;      // length of the entire packet
        unsigned short id;          // Id
        unsigned short flgs_offset; // flags and offset
        unsigned char  ttl;         // time to live
        unsigned char  protocol;    // protocol
        unsigned short xsum;        // header checksum
        unsigned long  src;         // sender IP address
        unsigned long  dest;        // destination IP address
        unsigned short *params;     // options (up to 320 bits); pointer, not part of the on-wire layout
        unsigned char  *data;       // data (up to 65535 octets); pointer, not part of the on-wire layout
    } IPHeader;
The main function of the listening algorithm will look like this:
Single packet capture function
    IPHeader* RS_Sniff()
    {
        IPHeader *hdr;
        int count = 0;

        // blocking read of one datagram from the raw socket into RS_Buffer
        count = recv(RS_SSocket, (char*)&RS_Buffer, sizeof(RS_Buffer), 0);

        // recv() returns SOCKET_ERROR (-1) on failure; compare as int so the
        // negative value is not promoted to a huge unsigned number by sizeof
        if (count != SOCKET_ERROR && count >= (int)sizeof(IPHeader))
        {
            hdr = (LPIPHeader)malloc(MAX_PACKET_SIZE);
            memcpy(hdr, RS_Buffer, MAX_PACKET_SIZE);
            RS_UpdateNetStat(count, hdr);   // update the traffic statistics
            return hdr;
        }
        else
            return 0;
    }
Everything is simple here: we receive a chunk of data using the standard socket function recv, and then copy it into an IPHeader structure.
And finally, we start an endless packet capture loop:
Let's capture all packets that reach our network interface
    while (true)
    {
        IPHeader* hdr = RS_Sniff();   // read and process one IP packet
        if (hdr)
        {
            // print the header to the console
            free(hdr);   // RS_Sniff() allocates a copy of every packet; release it
        }
    }
A bit off topic
Here and below, the author uses the RS_ prefix (from Raw Sockets) for some important functions and variables. I did the project 3-4 years ago, and I had the crazy idea of writing a full-fledged library for working with raw sockets. As often happens, after obtaining some significant (for the author) results, the enthusiasm faded, and the matter went no further than a training example.

In principle, you can go further and describe the headers of all the protocols encapsulated above IP. To do this, you need to examine the protocol field of the IPHeader structure. Look at the example code (yes, there should be a switch there, damn it!), where the header is colored depending on which protocol the packet carries inside IP:

    /*
     * Highlighting a packet with color
     */
    void ColorPacket(const IPHeader *h, const u_long haddr, const u_long whost = 0)
    {
        if (h->xsum)
            SetConsoleTextColor(0x17);   // the packet is not empty
        else
            SetConsoleTextColor(0x07);   // empty packet

        if (haddr == h->src)
        {
            // "our own" outgoing packet
            SetConsoleTextColor(BACKGROUND_BLUE | /*BACKGROUND_INTENSITY |*/ FOREGROUND_RED | FOREGROUND_INTENSITY);
        }
        else if (haddr == h->dest)
        {
            // "our own" incoming packet
            SetConsoleTextColor(BACKGROUND_BLUE | /*BACKGROUND_INTENSITY |*/ FOREGROUND_GREEN | FOREGROUND_INTENSITY);
        }

        if (h->protocol == PROT_ICMP || h->protocol == PROT_IGMP)
        {
            SetConsoleTextColor(0x70);   // ICMP packet
        }
        else if (h->protocol == PROT_IP || h->protocol == 115)
        {
            SetConsoleTextColor(0x4F);   // IP-in-IP packet, L2TP
        }
        else if (h->protocol == 53 || h->protocol == 56)
        {
            SetConsoleTextColor(0x4C);   // TLS, IP with Encryption
        }

        if (whost == h->dest || whost == h->src)
        {
            SetConsoleTextColor(0x0A);   // packet involving the watched host
        }
    }

However, this goes well beyond the scope of this article. For our training example, it is enough to look at the IP addresses of the hosts from which and to which traffic flows, and to calculate its volume per unit of time (the finished program is in the archive at the end of the article).

In order to display IP header data, you must implement a function that converts the header (but not the data) of the datagram to a string. One possible implementation:

Converting an IP header to a string
    inline char* iph2str(IPHeader *iph)
    {
        const int BUF_SIZE = 1024;
        char *r = (char*)malloc(BUF_SIZE);
        memset((void*)r, 0, BUF_SIZE);

        // multi-byte fields arrive in network byte order, hence ntohs();
        // TTL is a hop count, not a time in milliseconds
        sprintf(r, "ver=%d hlen=%d tos=%d len=%d id=%d flags=0x%X offset=%d ttl=%d prot=%d crc=0x%X src=%s dest=%s",
            BYTE_H(iph->ver_len), BYTE_L(iph->ver_len)*4, iph->tos, ntohs(iph->length),
            ntohs(iph->id), IP_FLAGS(ntohs(iph->flgs_offset)), IP_OFFSET(ntohs(iph->flgs_offset)),
            iph->ttl, iph->protocol, ntohs(iph->xsum), nethost2str(iph->src), nethost2str(iph->dest));

        return r;   // the caller owns the buffer and must free() it
    }
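The three pieces the listing above relies on but does not show in full, namely decoding the raw bytes that recv() delivers, printing the header the way iph2str() does, and the per-host accounting done by RS_UpdateNetStat(), as an added, portable example that is not the article's code. It parses the IPv4 header by explicit byte offsets instead of overlaying a struct on the buffer (so compiler padding and host byte order do not matter), verifies the RFC 1071 header checksum before counting anything, and totals bytes per sender and receiver. The sample packet bytes, the Ipv4Header struct and every function name here are constructed for this example.

```cpp
// Added example, not the article's code: IPv4 header decoding by byte offset,
// RFC 1071 header-checksum verification and per-host byte accounting.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct Ipv4Header {             // decoded (host-order) view of the fixed header
    unsigned version, hlen;     // hlen in bytes
    unsigned tos, length, id;   // length = total datagram length
    unsigned flags, offset;     // 3 flag bits, 13-bit fragment offset (8-byte units)
    unsigned ttl, protocol, xsum;
    uint32_t src, dest;
};

static unsigned rd16(const uint8_t *p) { return (unsigned)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

// Ones'-complement sum over the whole header, checksum field included;
// the result is 0 exactly when the header is intact.
unsigned ipv4HeaderChecksum(const uint8_t *hdr, size_t hlen) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2) sum += rd16(hdr + i);
    if (hlen & 1) sum += (uint32_t)hdr[hlen - 1] << 8;      // odd trailing byte
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);   // fold the carries
    return (~sum) & 0xFFFF;
}

// Decodes the fixed 20-byte part; false for anything that is not a
// well-formed IPv4 header (short buffer, wrong version, bad lengths).
bool parseIpv4Header(const uint8_t *buf, size_t len, Ipv4Header *h) {
    if (len < 20) return false;
    h->version = buf[0] >> 4;
    h->hlen = (buf[0] & 0x0F) * 4;
    if (h->version != 4 || h->hlen < 20 || h->hlen > len) return false;
    h->tos = buf[1];
    h->length = rd16(buf + 2);
    h->id = rd16(buf + 4);
    h->flags = rd16(buf + 6) >> 13;
    h->offset = rd16(buf + 6) & 0x1FFF;
    h->ttl = buf[8];
    h->protocol = buf[9];
    h->xsum = rd16(buf + 10);
    h->src = rd32(buf + 12);
    h->dest = rd32(buf + 16);
    return h->length >= h->hlen;
}

std::string ipToString(uint32_t ip) {
    char b[16];
    snprintf(b, sizeof b, "%u.%u.%u.%u", ip >> 24, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255);
    return b;
}

// The same fields iph2str() prints (TTL is a hop count, not milliseconds).
std::string headerToString(const Ipv4Header &h) {
    char b[160];
    snprintf(b, sizeof b,
             "ver=%u hlen=%u tos=%u len=%u id=%u flags=0x%X offset=%u ttl=%u prot=%u crc=0x%04X src=%s dest=%s",
             h.version, h.hlen, h.tos, h.length, h.id, h.flags, h.offset, h.ttl, h.protocol, h.xsum,
             ipToString(h.src).c_str(), ipToString(h.dest).c_str());
    return b;
}

typedef std::map<uint32_t, uint64_t> HostStats;   // bytes keyed by IPv4 address

// Counts one captured datagram (the role RS_UpdateNetStat() plays); malformed
// headers and headers whose checksum fails are rejected and not counted.
bool accountPacket(const uint8_t *buf, size_t len, HostStats &sent, HostStats &received) {
    Ipv4Header h;
    if (!parseIpv4Header(buf, len, &h) || ipv4HeaderChecksum(buf, h.hlen) != 0) return false;
    sent[h.src] += h.length;
    received[h.dest] += h.length;
    return true;
}

// Constructed sample capture (not real traffic): an intact UDP header
// 192.168.0.1 -> 192.168.0.199, total length 115, seen twice; the same header
// with an altered TTL (checksum no longer matches); and a truncated 12-byte buffer.
std::vector<std::vector<uint8_t> > sampleCapture() {
    static const uint8_t good[20] = {0x45,0x00,0x00,0x73, 0x00,0x00,0x40,0x00, 0x40,0x11,0xB8,0x61,
                                     0xC0,0xA8,0x00,0x01, 0xC0,0xA8,0x00,0xC7};
    std::vector<std::vector<uint8_t> > cap(4, std::vector<uint8_t>(good, good + 20));
    cap[2][8] = 0x3F;          // corrupted TTL
    cap[3].resize(12);         // truncated
    return cap;
}

// Runs the accounting over the sample; returns how many packets were accepted.
size_t accountSample(HostStats &sent, HostStats &received) {
    std::vector<std::vector<uint8_t> > cap = sampleCapture();
    size_t ok = 0;
    for (size_t i = 0; i < cap.size(); ++i)
        if (accountPacket(&cap[i][0], cap[i].size(), sent, received)) ++ok;
    return ok;
}

int main() {
    HostStats sent, received;
    size_t ok = accountSample(sent, received);
    std::vector<std::vector<uint8_t> > cap = sampleCapture();
    Ipv4Header h;
    parseIpv4Header(&cap[0][0], cap[0].size(), &h);
    printf("%s\naccepted %zu of %zu packets\n", headerToString(h).c_str(), ok, cap.size());
    for (HostStats::iterator it = sent.begin(); it != sent.end(); ++it)
        printf("sent by %s: %llu bytes\n", ipToString(it->first).c_str(), (unsigned long long)it->second);
    return 0;
}
```

Rejecting packets with a bad header checksum before updating statistics is deliberate: a raw socket in SIO_RCVALL mode hands the program whatever arrived on the wire, and counting corrupted or truncated headers would skew the per-host totals.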
Based on the information given above, we get this small program (with the creepy name ss, short for simple sniffer), which implements local listening to IP traffic. Its interface is shown in the figure below.

I provide the source and binary code as is, as it was several years ago. Now I'm scared to look at it, and yet it's quite readable (of course, one shouldn't be so self-confident). Even Visual Studio Express 2005 is sufficient for compilation.

What we ended up with:

  • The sniffer operates in user mode but requires administrator privileges.
  • Packets are not filtered and are displayed as is (you can add custom filters; I suggest looking at this topic in detail in the next article if you are interested).
  • WiFi traffic is also captured (it all depends on the specific chip model; it may not work for you, as it did not for me several years ago), although there is AirPcap, which does this wonderfully but costs money.
  • The entire datagram stream is logged to a file (see the archive attached at the end of the article).
  • The program also operates as a server on port 2000. You can connect to the host with the telnet utility and monitor the traffic flows. The number of connections is limited to twenty (this code is not mine; I found it on the Internet and used it for experiments, and didn't delete it, which is a pity).

Thank you for your attention; I congratulate all Habr readers, and everyone else, on Christmas!

Any online tracking is based on the use of sniffer technologies (network packet analyzers). What is a sniffer?

A sniffer is a computer program or a piece of computer equipment that can intercept and analyze traffic passing through a digital network or part of it. The analyzer captures all streams (intercepting and logging Internet traffic) and, if necessary, decodes the data, storing the transmitted user information in sequence.


Nuances of using online tracking through sniffers.

On the broadcast channel of a user's local area network (LAN), depending on the structure of the network (switch or hub), sniffers intercept either the traffic of the entire network or only the part coming from one laptop or computer. However, using various methods (for example, ARP spoofing) it is possible to capture the Internet traffic of other computer systems connected to the network as well.

Sniffers are also often used to monitor computer networks. Performing constant, continuous monitoring, network packet analyzers identify slow, faulty systems and transmit (via email, phone or server) the resulting failure information to the administrator.

Using network taps is, in some cases, a more reliable way to monitor Internet traffic than port mirroring. At the same time, the probability of detecting faulty packets (flows) increases, which is an advantage under high network load.
In addition, sniffers are good at monitoring single- and multi-channel wireless local networks (wireless LANs) when several adapters are used.

On LANs, a sniffer can effectively intercept both unicast traffic (a packet sent to a single address) and multicast traffic. For this, the network adapter must support promiscuous mode.

On wireless networks, even when the adapter is in promiscuous mode, data packets that do not belong to the network the adapter is configured for are ignored. To monitor those packets, the adapter must be in a different mode, monitor mode.


Sequence of intercepting information packets.

1. Intercepting headers or entire content.

Sniffers can intercept either the entire contents of data packets or just their headers. The second option reduces the overall storage requirements and avoids legal problems associated with the unauthorized collection of users' personal information. At the same time, the history of transmitted packet headers may contain enough information to identify what is needed or to diagnose faults.


2. Decoding packets.

The intercepted information is decoded from its digital (unreadable) form into one that is easy to perceive and read. This lets administrators of the protocol analyzer easily view the information that a user has sent or received.

Analyzers differ in:

  • data display capabilities (creating timing diagrams, reconstructing UDP and TCP data streams, etc.);
  • type of application (to detect errors and root causes, or to track users online).

Some sniffers can generate traffic and act as a source device; for example, they can be used as protocol testers. Such test sniffer systems generate the correct traffic needed for functional testing. In addition, sniffers can purposely introduce errors to test the capabilities of the device under test.


Hardware sniffers.


Traffic analyzers can also be hardware, in the form of a probe or a disk array (the more common type). These devices record information packets, or parts of them, onto a disk array. This allows any information received or transmitted by the user on the Internet to be reconstructed, or a malfunction in Internet traffic to be promptly identified.


Methods of application.

Network packet analyzers are used for:

  • analyzing existing problems in the network;
  • detecting network intrusion attempts;
  • detecting traffic abuse by users (inside and outside the system);
  • documenting regulatory requirements (permitted login perimeter, traffic distribution endpoints);
  • obtaining information about network intrusion possibilities;
  • isolating operating systems;
  • monitoring the load on wide-area network links;
  • monitoring network status (including user activity both within and outside the system);
  • monitoring data in motion;
  • monitoring WAN and endpoint security status;
  • collecting network statistics;
  • filtering suspicious content out of network traffic;
  • creating a primary data source for monitoring the status and management of the network;
  • online tracking as a spy collecting confidential user information;
  • debugging server and client communications;
  • checking the effectiveness of internal controls (access control, firewalls, spam filters, etc.).

Sniffers are also used by law enforcement agencies to monitor the activities of suspected criminals. Note that all ISPs in the US and Europe comply with CALEA.


Popular sniffers.

The most functional system analyzers for online tracking:


The NeoSpy spy program, whose main purpose is monitoring users' online actions, includes, in addition to a universal sniffer, a keylogger and other hidden tracking components.