What are popular packet sniffers on Linux?

A packet sniffer captures live packets from networks, decodes them according to protocol specifications, and optionally takes actions according to the parsed packet contents (e.g., in case of security detection systems). It is a very useful tool to diagnose networks or protect against security attacks over networks. The following are several popular open-source packet sniffers available on Linux.

Tcpdump is the most popular general-purpose packet analyzer. It uses libpcap library to capture packets on OSI layer 2 (e.g., Ethernet, PPP, and SLIP), and above. Tcpdump supports regular expressions for advanced packet filtering, and allows one to export and import packet dumps to and from a file.

Wireshark (formerly known as Ethereal) is an open-source packet analyzer with graphical front end. Functionality-wise, Wireshark is quite similar to tcpdump, and is available on multiple platforms including Linux, BSD, and Mac OS X, and MS Windows.

dhcpdump snoops on DHCP request/response traffic captured by libpcap library, and displays the DHCP packets in human readable formats. dhcpdump is useful for DHCP debugging and troubleshooting.

p0f is a passive OS fingerprinting tool that identifies the operating systems of two end point hosts associated with an existing TCP connection. For accurate fingerprinting, p0f draws from various signatures including TCP/IP headers, TCP three-way handshake dynamics, contents of application-level payloads (e.g., HTTP request/response). Besides OS fingerprinting, p0f also detects the types of HTTP clients, network links (e.g., ethernet, DSL, modem), as well as NAT connection sharing, load-balancing setup, etc.

Snort is an open-source intrusion detection system that relies on real-time network sniffing and analysis. Snort conducts extensive protocol analysis and content matching to detect a variety of network attacks and hostile scans.

Kismet is a wireless network detector and intrusion detection system for 802.11 wireless links, supporting 802.11a, 802.11b, 802.11g, and 802.11n. It identifies wireless clients and their network association by passively collecting packets on wireless network card interfaces. Kismet also detects active wireless sniffing programs to alert wireless network attacks.

hcidump is a Bluetooth traffic sniffer which captures HCI packets associated with Bluetooth devices, and display Bluetooth related activities in human readable formats.

Subscribe to Xmodulo

Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.

Leave a comment

Your email address will not be published. Required fields are marked *

Current day month ye@r *