This article is from the Sniffer FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by others.
Sniffing is one of the most popular forms of attack used by hackers. One
special sniffer, called Esniff.c, is very small, designed to work on SunOS,
and captures only the first 300 bytes of each telnet, ftp, and rlogin
session, which is enough to catch the login exchange. It was published in
Phrack, one of the most widely read freely available underground hacking
magazines. You can find Phrack on many FTP sites. Esniff.c is also available
on many FTP sites, such as coombs.anu.edu.au:/pub/net/log.
You may want to run Esniff.c on an authorized network to quickly see how
effective it is in compromising local machines.
Other widely available sniffers, intended for debugging network problems,
include:
* RealSecure (real-time monitoring, attack recognition and response) on
SunOS 4.1.x, Solaris 2.5, and Linux. Available at
http://www.iss.net/RealSecure
* SniffIt for Linux, SunOS, Solaris, FreeBSD, and IRIX. Available at
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
* Etherfind on SunOS 4.1.x
* Snoop is a utility on Solaris.
* Tcpdump 3.0 uses BPF and runs on a multitude of platforms.
* Packetman, Interman, Etherman, and Loadman work on the following
platforms: SunOS, Dec-Mips, SGI, Alpha, and Solaris. They are available at
ftp://ftp.cs.curtin.edu.au/pub/netman/[sun4c|dec-mips|sgi|alpha|solaris2]/
[etherman-1.1a|interman-1.1|loadman-1.0|packetman-1.1].tar.Z
Packetman was designed to capture packets, while Interman, Etherman,
and Loadman monitor traffic of various kinds.
DOS-based sniffers
* Gobbler for IBM DOS machines
* ethdump v1.03
Available via FTP at
ftp.germany.eu.net:/pub/networking/inet/ethernet/ethdp103.zip
* ethload v1.04
Companion utility to an Ethernet monitor. Available via FTP at
ftp://ftp.germany.eu.net/pub/networking/monitoring/ethload/
Commercial sniffers are available from:
* Klos Technologies, Inc.
PacketView - Low cost network protocol analyzer
Phone: 603-424-8300
BBS: 603-429-0032
* Network General
Network General produces a number of products. The most
important is the Expert Sniffer, which not only sniffs on
the wire but also runs each packet through a high-performance
expert system, diagnosing problems for you. There is an
extension to this called the "Distributed Sniffer System"
that allows you to put the console for the Expert Sniffer on
your Unix workstation and to distribute the collection agents
at remote sites.
* Microsoft's Net Monitor
"My commercial site runs many protocols on one wire:
NetBeui, IPX/SPX, TCP/IP, 802.3 protocols of various flavors,
most notably SNA. This posed a big problem when trying to
find a sniffer to examine the network problems we were
having, since I found that some sniffers that understood
Ethernet II parse out some 802.3 traffic as bad packets, and
vice versa. I found that the best protocol parser was in
Microsoft's Net Monitor product, also known as Bloodhound in
its earlier incarnations. It is able to correctly identify
such oddities as NetWare control packets, NT NetBIOS name
service broadcasts, etc., which etherfind on a Sun simply
registered as type 0000 packet broadcasts. It requires MS
Windows 3.1 and runs quite fast on an HP XP60 Pentium box.
Top-level monitoring provides network statistics and information
on conversations by MAC address (or hostname, if you bother
with an ethers file). Looking at tcpdump-style details is as
simple as clicking on a conversation. The filter setup is
also one of the easiest to implement that I've seen: just
click in a dialog box on the hosts you want to monitor. The
number of bad packets it reports on my network is a tiny
fraction of that reported by other sniffers I've used. One of
these other sniffers in particular was reporting a large
number of bad packets with src MAC addresses of
aa:aa:aa:aa:aa:aa, but I don't see them at all using the MS
product." - Anonymous