Handy Windows tools for sniffing network traffic

Sniff Kit

Efficiently Filtering Packets

SmartSniff quickly collects a confusingly large volume of data, particularly on large networks with many computers. Its display filter helps you cut the mass of packet data down to what you are actually interested in. Click Options | Display Filter and enter one or more filter expressions in the window to hide the packets you don't want to see. Do not put spaces inside a filter expression. See Table 1 for a summary of some SmartSniff filter options.

Table 1

Filter Options in SmartSniff

Filter Effect                                                                 Filter Syntax
Only packets with a specific remote port [e.g., HTTP (80)]                    include:remote:tcp:80
Only packets with several specific remote ports [e.g., HTTP (80) and          include:remote:tcp:80
DNS (53)]; enter each filter on its own line                                  include:remote:udp:53
All packets in a certain IP range (e.g., 192.168.178.1 to 192.168.178.125)    include:remote:all:192.168.178.1-192.168.178.125
All TCP/UDP packets in a specific port range (e.g., 53 to 139)                include:both:tcpudp:53-139
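To make the filter syntax in Table 1 concrete, here is an added example (my own Python, not code from the article or from NirSoft) that parses expressions of the form action:side:protocol:range, with the keywords include/exclude, local/remote/both, and tcp/udp/tcpudp/icmp/all that NirSoft documents for SmartSniff, and applies them to a constructed capture. The combination rule used here (a packet is shown if it matches at least one include filter and no exclude filter) is my assumption about how SmartSniff evaluates several filters; the names Packet, Filter, parse_filter, apply_display_filter, SAMPLE_CAPTURE and filter_capture are mine.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    local_ip: str
    local_port: int   # 0 when the protocol has no ports (ICMP)
    remote_ip: str
    remote_port: int

@dataclass(frozen=True)
class Filter:
    action: str   # "include" or "exclude"
    side: str     # "local", "remote" or "both"
    proto: str    # "tcp", "udp", "tcpudp", "icmp" or "all"
    lo: int       # lower bound of the port range, or of the IP range as an integer
    hi: int       # upper bound (equal to lo for a single port or address)
    is_ip: bool   # True when the range is an IPv4 range rather than a port range

ACTIONS = ("include", "exclude")
SIDES = ("local", "remote", "both")
PROTOS = ("tcp", "udp", "tcpudp", "icmp", "all")

def parse_filter(text: str) -> Filter:
    """Parse one filter expression of the form action:side:protocol:range."""
    if " " in text:
        raise ValueError(f"no spaces allowed inside a filter expression: {text!r}")
    parts = text.strip().lower().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected action:side:protocol:range, got {text!r}")
    action, side, proto, rng = parts
    if action not in ACTIONS or side not in SIDES or proto not in PROTOS:
        raise ValueError(f"unknown keyword in filter {text!r}")
    lo_s, _, hi_s = rng.partition("-")     # "80", "53-139" or "a.b.c.d-a.b.c.e"
    hi_s = hi_s or lo_s                    # a single value is a one-element range
    if "." in lo_s:                        # IPv4 address or address range
        lo, hi = int(IPv4Address(lo_s)), int(IPv4Address(hi_s))
        is_ip = True
    else:                                  # port or port range
        lo, hi = int(lo_s), int(hi_s)
        if not 0 <= lo <= 65535 or not 0 <= hi <= 65535:
            raise ValueError(f"port out of range in filter {text!r}")
        is_ip = False
    if lo > hi:
        raise ValueError(f"range is reversed in filter {text!r}")
    return Filter(action, side, proto, lo, hi, is_ip)

def _proto_matches(flt: Filter, p: Packet) -> bool:
    if flt.proto == "all":
        return True
    if flt.proto == "tcpudp":
        return p.proto in ("tcp", "udp")
    return flt.proto == p.proto

def _values(flt: Filter, p: Packet) -> Iterable[int]:
    """The packet fields the filter's side keyword selects (IP as int, or port)."""
    for side in (("local", "remote") if flt.side == "both" else (flt.side,)):
        if flt.is_ip:
            yield int(IPv4Address(getattr(p, side + "_ip")))
        else:
            yield getattr(p, side + "_port")

def matches(flt: Filter, p: Packet) -> bool:
    return _proto_matches(flt, p) and any(flt.lo <= v <= flt.hi for v in _values(flt, p))

def apply_display_filter(expressions: List[str], packets: List[Packet]) -> List[Packet]:
    """Keep packets that match at least one include filter (if any are given)
    and no exclude filter. This combination rule is an assumption, see lead-in."""
    filters = [parse_filter(e) for e in expressions]
    includes = [f for f in filters if f.action == "include"]
    excludes = [f for f in filters if f.action == "exclude"]
    shown = []
    for p in packets:
        if any(matches(f, p) for f in excludes):
            continue
        if includes and not any(matches(f, p) for f in includes):
            continue
        shown.append(p)
    return shown

# Constructed sample capture from a host at 192.168.178.20 (not real traffic).
SAMPLE_CAPTURE = [
    Packet("tcp",  "192.168.178.20", 52000, "93.184.216.34",    80),  # HTTP
    Packet("udp",  "192.168.178.20", 53123, "192.168.178.1",    53),  # DNS to the router
    Packet("tcp",  "192.168.178.20", 52001, "192.168.178.1",   443),  # router web UI
    Packet("tcp",  "192.168.178.20", 52002, "192.168.178.130", 139),  # SMB to a peer
    Packet("icmp", "192.168.178.20",     0, "192.168.178.50",    0),  # ping
    Packet("tcp",  "192.168.178.20", 52003, "10.0.0.5",         22),  # SSH
]

def filter_capture(*expressions: str) -> List[Packet]:
    """Apply the given filter expressions to the constructed sample capture."""
    return apply_display_filter(list(expressions), SAMPLE_CAPTURE)

if __name__ == "__main__":
    for expr in ("include:remote:tcp:80",
                 "include:remote:all:192.168.178.1-192.168.178.125",
                 "include:both:tcpudp:53-139"):
        print(expr, "->", [(p.proto, p.remote_ip, p.remote_port) for p in filter_capture(expr)])
```

Note that the last row of Table 1 also catches the HTTP packet in this capture, because 80 lies inside 53-139; combining it with exclude:remote:tcp:80 removes it again.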

Monitoring Processes

SmartSniff can also show which process sent or received each packet. Click Options | Advanced Options and enable Retrieve process information while capturing packets . If the tool can identify the process, its process ID and the path of its executable appear in the two columns ProcessID and Process Filename . This lookup only works for connections that are still open while the capture is running, because the process is looked up from the list of open connections at capture time; short-lived or already closed connections may show no process. Be aware that this option adds load to the computer, and that the process data exists only for the live capture: it cannot be added to packets that were captured earlier.

Reading Passwords Using SniffPass

If you have forgotten the password for your FTP account, or another program logs in over the network with a password it has saved, you can use SniffPass to pick the password out of the network traffic on the local machine, as long as the program sends it unencrypted. A security audit is another scenario: if you want to check whether a computer sends passwords in plain text (e.g., for POP3/IMAP access), SniffPass lets you read them from the local machine without much background knowledge.

You do not need to install SniffPass; simply start it and begin capturing. SniffPass (Figure 3) then listens on the network or on the local computer until it detects an unencrypted password sent via SMTP, POP3, IMAP4, FTP, or other common protocols.

Figure 3: You can find unencrypted usernames and passwords on the network with SniffPass.

On a switched network, the switch forwards each frame only to the port of its destination, so a sniffer normally sees only the traffic to and from the local computer; many routers and switches block this kind of monitoring outright. As with SmartSniff, you should therefore use the WinPcap driver. To read passwords from other hosts on the network, enable WinPcap mode and the Promiscuous Mode function via Options | Capture Options . Not all network cards support promiscuous mode, and even with it enabled you still only receive what the switch delivers to your port, unless you are attached to a mirror (SPAN) port or a hub. To test the function, go to the website [6] and log in with demo as the username and password as the password. Once the sniffer is running, SniffPass immediately displays the username and password.
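What SniffPass does with the captured bytes is simple enough to show in code. The following is an added example (my own Python, not SniffPass's code) that pulls cleartext logins out of the client side of a connection for the protocols the article names (FTP, POP3, IMAP4, SMTP) plus HTTP basic authentication, using the standard command formats (USER/PASS, IMAP LOGIN, SMTP AUTH PLAIN and AUTH LOGIN, the HTTP Authorization header). The port-to-protocol mapping in PORT_PROTOCOLS is an assumption for the demo, the sample streams are constructed, and the names Credential, extract_credentials and scan_capture are mine. Run against the constructed capture it also shows the audit point: the TLS connection on port 443 yields nothing, the cleartext protocols give up every password.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Credential:
    protocol: str
    username: str
    password: str

# Well-known server ports of the cleartext protocols we look at (assumed mapping).
PORT_PROTOCOLS = {21: "FTP", 25: "SMTP", 587: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}

def _b64(text: str) -> str:
    """Decode a base64 token; an invalid token yields an empty string."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:      # binascii.Error is a ValueError subclass
        return ""

def _user_pass(lines: List[str], proto: str) -> List[Credential]:
    """FTP and POP3: USER <name> followed later by PASS <secret>."""
    found, user = [], None
    for line in lines:
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            found.append(Credential(proto, user, arg))
            user = None
    return found

# IMAP: <tag> LOGIN <user> <password>, either operand optionally in double quotes
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+("?)([^"\s]+)\1\s+("?)([^"\s]+)\3\s*$', re.I)

def _imap(lines: List[str]) -> List[Credential]:
    return [Credential("IMAP", m.group(2), m.group(4))
            for m in map(IMAP_LOGIN.match, lines) if m]

def _smtp(lines: List[str]) -> List[Credential]:
    """AUTH PLAIN <base64(\\0user\\0pass)>, or AUTH LOGIN followed by base64 user and pass."""
    found = []
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        if mech == "PLAIN":
            # the blob may follow on the same line or on the next one
            blob = parts[2] if len(parts) > 2 else (lines[i + 1] if i + 1 < len(lines) else "")
            fields = _b64(blob).split("\0")
            if len(fields) == 3:
                found.append(Credential("SMTP", fields[1], fields[2]))
        elif mech == "LOGIN" and i + 2 < len(lines):
            found.append(Credential("SMTP", _b64(lines[i + 1]), _b64(lines[i + 2])))
    return found

HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.I | re.M)

def _http(text: str) -> List[Credential]:
    found = []
    for m in HTTP_BASIC.finditer(text):
        user, sep, pw = _b64(m.group(1)).partition(":")
        if sep:
            found.append(Credential("HTTP", user, pw))
    return found

def extract_credentials(server_port: int, client_data: bytes) -> List[Credential]:
    """Pull cleartext logins out of one connection's client-to-server bytes."""
    proto = PORT_PROTOCOLS.get(server_port)
    if proto is None:                         # e.g. 443: TLS, nothing readable here
        return []
    text = client_data.decode("latin-1")      # never fails; keeps bytes 1:1
    lines = re.split(r"\r?\n", text)
    if proto in ("FTP", "POP3"):
        return _user_pass(lines, proto)
    if proto == "IMAP":
        return _imap(lines)
    if proto == "SMTP":
        return _smtp(lines)
    return _http(text)

# Constructed client-side payloads (not real captures); the FTP login mirrors
# the demo/password test account mentioned in the article.
SAMPLE_STREAMS: List[Tuple[int, bytes]] = [
    (21,  b"USER demo\r\nPASS password\r\nPWD\r\n"),
    (110, b"USER alice@example.com\r\nPASS s3cret\r\nSTAT\r\n"),
    (143, b'a001 LOGIN "bob" "hunter2"\r\na002 SELECT INBOX\r\n'),
    (587, b"EHLO client\r\nAUTH PLAIN " + base64.b64encode(b"\0carol\0pa55word") + b"\r\n"),
    (25,  b"EHLO client\r\nAUTH LOGIN\r\n" + base64.b64encode(b"dave") + b"\r\n"
          + base64.b64encode(b"letmein") + b"\r\n"),
    (80,  b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
          + base64.b64encode(b"erin:Winter2024") + b"\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),   # TLS ClientHello: nothing readable
]

def scan_capture(streams=SAMPLE_STREAMS) -> List[Credential]:
    """Run the extractor over every connection of a capture."""
    creds = []
    for port, data in streams:
        creds.extend(extract_credentials(port, data))
    return creds

if __name__ == "__main__":
    for c in scan_capture():
        print(f"{c.protocol:5} user={c.username!r} password={c.password!r}")
```

Base64 is an encoding, not encryption: the AUTH LOGIN and HTTP Basic entries come out as readable as the FTP USER/PASS pair, which is why SniffPass reports them all alike.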
