A Complete Guide to Packet Sniffing
To be a good detective you need to follow your nose. The same can be said when tracking down cyber threats, performance issues or network outages, but do you know the smell of a bad packet?
A packet sniffer can definitely help! This primer explains all you need to know about packet sniffers and packet sniffing.
- What is a Packet Sniffer?
- How does a Packet Sniffer work?
- Where Should You Sniff Packets From?
- Benefits of Packet Sniffing
- On-Demand vs Always-On Packet Sniffing
- What are the Alternatives to Packet Sniffing?
- Does My Firewall Offer Packet Capture?
- Security and Privacy Risks with Packet Sniffers
What is a Packet Sniffer?
A Packet Sniffer is hardware or software that connects to a network to monitor, analyse, log, and capture all the network traffic. Historically, packet sniffers were small portable appliances that can be plugged into the network to sniff traffic on-demand if there is a suspected network issue. Packet sniffing can also be done using a laptop and packet sniffing software – such as WiresharkTM or tcpdump.
Packet sniffers are valuable tools for troubleshooting network outages or performance issues and investigating cybersecurity incidents. The network that the packet sniffer monitors may be a physical network such as an Ethernet LAN, or a virtual or cloud network.
Packet sniffers may also be referred to as a network monitor, network recorder, packet capture system, or network analyzer.
Is packet sniffing the same as packet capture?
The term packet sniffing is sometimes used as a synonym for “packet capture” and both do the same thing - it’s simply a matter of scale.
Packet capture is often seen as being the “big brother” of packet sniffing. Packet sniffing is typically done on-demand, using portable packet sniffer devices and usually only collects small volumes of traffic.
Packet capture solutions, on the other hand, are usually deployed as a permanent component of network infrastructure. They are designed to record much larger volumes of traffic and at much higher speeds, than packet sniffers.
For a detailed overview of packet capture see “What is Network Packet Capture?”
How does a Packet Sniffer work?
When monitoring a physical network, a SPAN (Switched Port ANalyzer) – also known as a “port mirror” or TAP (Test Access Point) can be used to provide a copy of all the network packets to the packet sniffer.
A packet sniffer can also be deployed on a PC, server or VM to monitor the packets on a specific interface or virtual interface.
A packet sniffer uses a dedicated network interface (monitoring port) set to “promiscuous mode”. This allows the network interface to receive all the traffic on the network regardless of the traffic’s intended destination. Every packet received on the monitoring port is analyzed, logged, and written to disk. Other devices on the network are not aware of, and are unaffected by, packet sniffing. For this reason, it is often referred to as passive monitoring or out-of-band monitoring.
A range of different metrics and charts are regularly available from packet sniffers including bandwidth utilization, conversation tables, application reports and performance information. These may be instantaneous views or provide a historical view of weeks or months of network traffic.
Packets are usually captured to disk to enable in-depth troubleshooting down to the packet layer. Sniffers can save the captured packets in a portable format called a PCAP file. There are several pcap formats.
For a detailed overview of pcap formats, see “What is a PCAP file?”
Where Should You Sniff Packets From?
When troubleshooting network performance or cybersecurity issues you should deploy a packet sniffer as close to the trouble spot as possible. For example if your web server is having issues, sniff the Ethernet segment it is connected to if you can, of\r sniff the traffic at a common gateway . Sometimes the root cause is downstream from the system showing symptoms, for example a different network segment or a hop point from one network segment to another may be congested. It helps if you have the flexibility to connect your sniffer to various points in your network on demand, this is where a Network Packet Broker can help.
Security scenarios or continuous performance monitoring using a packet sniffer may require you to permanently connect adjacent to a gateway or firewall so you can monitor important traffic 24 x 7.
Benefits of Packet Sniffing
The old saying of network professionals, “the truth is in the packets” always rings true. Troubleshooting issues is difficult when you can’t see what is happening on the network. Just as CCTV camera footage can speed up crime investigations, packet capture from a packet sniffer allows you to see exactly what is occurring on the network and zero-in on the root cause.
Teams that use packet sniffers resolve cybersecurity threats, performance issues and network outages faster and with greater confidence, especially when they have access to always-on packet capture.
On-Demand vs Always-On Packet Sniffing
As mentioned earlier, the traditional use for packet sniffing was to take a portable analyzer and physically connect it to the network or device you are trying to troubleshoot. This approach has significant downsides:
- You need to wait for the problem to occur again
- The connection of the TAP and sniffer might require a link outage
- You may not have physical access to the network you need to monitor – for example if it is in a remote datacenter or remote office.
A better approach is to connect your packet sniffer to key points in your network and continuously record and analyze all the traffic. Then, when a problem occurs, you can rewind and review exactly what occurred, resolve the issue, and move on without having to wait. Packet sniffers have evolved into continuous, always-on packet capture systems for this very reason.
What are the Alternatives to Packet Sniffing?
NetFlow is metadata that is more a complement than an alternative to packet sniffing. It provides high level summarization and logging of network flows but lacks the actual packet capture part. While this information is useful for spotting whether something unusual has happened on the network, the details you need to determine exactly what happened may be missing without the more detailed packet data. Combining NetFlow and full packet data gives you the best of both worlds.
See NetFlow Versus Full Packet Capture for an explanation of the differences between NetFlow and full packet capture and the pros-and-cons of each.
Does My Firewall Offer Packet Capture?
Well sort of …
Some firewalls provide network traffic analysis and limited packet capture. Typically, they will only record a handful of packets – sufficient just to record what firewall rule was triggered by the traffic. Unfortunately, this is rarely enough data to allow you to troubleshoot most problems.
In addition, your firewall is a precious resource that should be focused on protecting your network. Logging, analysis, and packet capture are resource intensive tasks that impact the performance of networking devices. It is much better to offload packet capture to a purpose-built device and let your network devices – firewalls, routers, switches etc. - focus on what they are really intended for.
Security and Privacy Risks with Packet Sniffers
Packet sniffers have access to potentially unencrypted private and/or sensitive information transferred over a network. Someone with access to the sniffer can potentially reassemble the data or files contained within the packets, or even extract sensitive information such as passwords, usernames, or other information that may be damaging if made public.
Malware or other types of malicious content may be contained within the packets residing in a packet sniffer. So care must be taken when handling PCAP files so as not to infect other computer systems. Emailing or saving a PCAP file may trigger virus scanners or IDS/IPS systems. And replaying or reassembling a PCAP could unleash damaging malware. These actions should only be done carefully by experienced professionals and only in a protected or sandboxed environment.
When saving or storing packet sniffer files, organizations should take the same care as they would with any other sensitive information. The data may be classified as protected information under the laws of various state or federal governments - including GDPR, ADPPA, HIPAA, etc. - and using a packet sniffer may be considered as collecting private and/or sensitive information.
Security can be enhanced when PCAPs are strongly encrypted with password security, and stored in a secure location, with access to that data strictly limited to authorized personnel with appropriate security clearance.
Packet sniffers have evolved into continuous capture systems that are powerful tools for troubleshooting any threat or network event. Teams that use packet capture benefit from faster and more precise incident response, and quicker resolution of cyber incidents, performance issues and network outages.
Get in touch
Who is Endace?
Endace specializes in scalable, high-speed, high-performance packet capture. Our solutions are used by some of world’s biggest organizations on some of the fastest networks on the planet.
If you are looking for a packet capture solution, we’d love to show you why Endace is the best choice. Contact us to book a demo or ask a question.