A packet sniffer — also known as a packet analyzer, protocol analyzer or network analyzer — is a piece of hardware or software used to monitor network traffic. Sniffers work by examining streams of data packets that flow between computers on a network as well as between networked computers and the larger Internet. These packets are intended for — and addressed to — specific machines, but using a packet sniffer in "promiscuous mode" allows IT professionals, end users or malicious intruders to examine any packet, regardless of destination. It's possible to configure sniffers in two ways. The first is "unfiltered," meaning they will capture all packets possible and write them to a local hard drive for later examination. Next is "filtered" mode, meaning analyzers will only capture packets that contain specific data elements.
Packet sniffers can be used on both wired and wireless networks — their efficacy depends on how much they are able to "see" as a result of network security protocols. On a wired network, sniffers might have access to the packets of every connected machine or may be limited by the placement of network switches. On a wireless network, most sniffers can only scan one channel at a time, but the use of multiple wireless interfaces can expand this capability.
Prevalence and Risk Factors
Using a sniffer, it's possible to capture almost any information — for example, which websites that a user visits, what is viewed on the site, the contents and destination of any email along with details about any downloaded files. Protocol analyzers are often used by companies to keep track of network use by employees and are also a part of many reputable antivirus software packages. Outward-facing sniffers scan incoming network traffic for specific elements of malicious code, helping to prevent computer virus infections and limit the spread of malware.
It's worth noting, however, that these analyzers can also be used for malicious purposes. If a user is convinced to download malware-laden email attachments or infected files from a website, it's possible for an unauthorized packet sniffer to be installed on a corporate network. Once in place, the packet sniffer can record any data transmitted and send it to a command and control (C&C) server for further analysis. It's then possible for hackers to attempt packet injection or man-in-the-middle attacks, along with compromising any data that was not encrypted before being sent.
Proper use of packet sniffers can help clean up network traffic and limit malware infections; to protect against malicious use, however, intelligent security software is required.