What is a Packet Sniffer?

A packet sniffer is a device or program that allows the user to eavesdrop on traffic traveling between networked computers. The program will capture data that is addressed to other machines, saving it for later analysis.

All information that travels across a network is sent in "packets." For example, when an email is sent from one computer to another, it is first broken up into smaller segments. Each segment has the destination address attached, the source address, and other information such as the number of packets and reassembly order. Once they arrive at the destination, the packet's headers and footers are stripped away, and the packets are reconstituted.

In the example of the simplest network where computers share an Ethernet wire, all packets that travel between the computers are "seen" by every computer on the network. A hub broadcasts every packet to every machine or node on the network, then a filter in each computer discards packets not addressed to it. A packet sniffer disables this filter to capture and analyze some or all packets traveling through the Ethernet wire, depending on the sniffer's configuration. This is referred to as "promiscuous mode." As a result, if Ms. Wise on Computer A sends an email to Mr. Geek on Computer B, software set up on Computer D could passively capture their communication packets without either Ms. Wise or Mr. Geek knowing. This type of sniffing is very hard to detect because it generates no traffic of its own.

A slightly safer environment is a switched Ethernet network. Rather than a central hub that broadcasts all traffic on the network to all machines, the switch acts like a central switchboard: it receives packets directly from the originating computer, and sends them directly to the machine to which they are addressed. In this scenario, if Computer A sends an email to Computer B, and Computer D is in promiscuous mode, it still won't see the packets. Some people mistakenly assume a packet sniffer cannot be used on a switched network.

There are ways to hack the switch protocol, however. A procedure called ARP poisoning basically fools the switch to substituting the machine with the sniffer for the destination machine. After capturing the data, the packets can be sent to the real destination. The other technique is to flood the switch with MAC (network) addresses so that the switch defaults into "failopen" mode. In this mode it starts behaving like a hub, transmitting all packets to all machines to make sure traffic gets through. Both ARP poisoning and MAC flooding generate traffic signatures that can be detected with the right software.

These programs can also be used on the Internet to capture data traveling between computers. Internet packets often have very long distances to travel, passing through several routers that act like intermediate post offices. A sniffer might be installed at any point along the way, and it could also be clandestinely installed on a server that acts as a gateway or collects vital personal information.

A packet sniffer is not just a hacker's tool. It can be used for network troubleshooting and other useful purposes. In the wrong hands, however, this software can capture sensitive personal information that can lead to invasion of privacy, identity theft, and other serious problems.

The best defense against eavesdropping is a good offense: encryption. When strong encryption is used, all packets are unreadable to any but the destination address. Other programs can still capture packets, but the contents will be undecipherable. This illustrates why it is so important to use secure sites to send and receive personal information, such as name, address, passwords, and certainly any credit card information or other sensitive data. A website that uses encryption starts with https, and email can be made secure by encrypting with a program, some of which come with plug-ins for major email programs.