A packet sniffer is a software or hardware tool that intercepts, logs, and analyzes network traffic. These tools help identify, classify, and troubleshoot network traffic by application type, source, and destination. IT professionals and criminals alike can use them to inspect the contents of files and communications traveling to, from, or within a network; anything sent without encryption is readable to whoever holds the capture. Packet sniffers rely on a capture library and its application programming interface (API): libpcap on Unix-like systems, and WinPcap or its maintained successor Npcap on Windows. The capture file format these libraries share is commonly called pcap.
Data packets are transmitted via the protocol stack known as TCP/IP (Transmission Control Protocol/Internet Protocol). The TCP/IP model has four layers: the application layer, the transport layer (where TCP lives), the internet layer (IP), and the link or hardware layer.
Each packet moves from the application layer down to the TCP layer, which prepends a header carrying the source and destination port numbers. Next, the packet passes to the IP layer, which prepends a header carrying the source and destination IP addresses. With port numbers and addresses in place, it can be routed across the internet. Transmission is carried out by the hardware (link) layer, which frames the packet and converts it into signals on the medium. When a packet arrives at its destination, each layer strips the header it understands (link, then IP, then TCP, so the addresses and port numbers used to route and deliver it) and passes what remains up the receiving host's protocol stack. A sniffer sees the frame before that stripping happens, which is why it can read every header and, for unencrypted protocols, the payload too.
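The header stacking described above, carried out in code as an added example (this is not code from the original page): a payload is wrapped in real TCP, IPv4 and Ethernet headers on the way down, then each header is verified and removed on the way back up, the way a receiving stack or a sniffer's dissector does it. The MAC addresses, IP addresses, ports and fixed header values (TTL 64, window 65535, flags PSH+ACK, zero sequence numbers) are assumptions chosen for the demo.

```python
"""Encapsulate a payload down the TCP/IP stack and strip the headers again.

Added example, not code from the original page. Field values such as TTL,
window, flags and the MAC/IP addresses are made up for illustration.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Transport layer: prepend a 20-byte TCP header carrying the port numbers."""
    # seq=0, ack=0, data offset 5 words, flags PSH+ACK, window 65535, csum 0, urg 0
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header holding the IP addresses.
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(header) + len(payload)))
    csum = checksum(pseudo + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def ipv4_packet(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Internet layer: prepend a 20-byte IPv4 header carrying the addresses."""
    # version/IHL, TOS, total length, ID, DF flag, TTL 64, protocol, csum 0, src, dst
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000, 64,
                         IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:] + segment


def ethernet_frame(packet: bytes) -> bytes:
    """Link layer: prepend the 14-byte Ethernet header (MAC addresses are made up)."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def encapsulate(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Application data -> TCP -> IP -> Ethernet, as described in the text."""
    return ethernet_frame(ipv4_packet(src_ip, dst_ip,
                                      tcp_segment(src_ip, dst_ip, sport, dport, payload)))


def decapsulate(frame: bytes) -> dict:
    """Walk back up the stack, verifying and removing each header in turn."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]                        # link header removed
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:            # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    (total_len,) = struct.unpack("!H", packet[2:4])
    if packet[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    segment = packet[ihl:total_len]            # IP header removed, padding dropped
    pseudo = packet[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    if checksum(pseudo + segment) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": segment[data_offset:],     # TCP header removed
    }


def is_well_formed(frame: bytes) -> bool:
    """True if every header checks out; False for a truncated or tampered frame."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


def flip_byte(frame: bytes, offset: int) -> bytes:
    """Corrupt one byte, to show that the checksums catch tampering."""
    buf = bytearray(frame)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    frame = encapsulate("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    print(frame.hex())
    print(decapsulate(frame))
```

Note that the sniffer-side function, decapsulate, needs nothing the packet itself does not carry: the checksums, addresses and ports are all in clear text on the wire, which is exactly what makes unencrypted traffic readable to anyone holding the capture.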
A packet analyzer used for intercepting traffic on wireless networks is known as a wireless analyzer or WiFi analyzer. To see frames other than those addressed to its own interface, such a tool must put the adapter into monitor mode, and on a WPA2-protected network it can decrypt traffic only if it knows the pre-shared key and has captured the client's four-way handshake.
List of Password Sniffers and Crackers
1. Cain and Abel
2. John the Ripper
Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft Windows. It recovers passwords by sniffing them from network traffic and by cracking password hashes with dictionary, brute-force and cryptanalysis (rainbow-table) attacks. It can also record VoIP conversations, decode obfuscated passwords, reveal cached passwords and the contents of password boxes, and use ARP poisoning to sniff traffic on a switched network. Cain is no longer maintained and is flagged by most antivirus products, so today it is mainly of historical interest.
John the Ripper is an open-source password security auditing and password recovery tool available for many operating systems. The John the Ripper jumbo build supports hundreds of hash and cipher types, including user passwords of Unix flavors (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, web apps (e.g., WordPress), groupware (e.g., Notes/Domino), and database servers (SQL, LDAP, etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.); encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.); filesystems and disks (macOS .dmg files and sparse bundles, Windows BitLocker, etc.); archives (ZIP, RAR, 7z); and document files (PDF, Microsoft Office, etc.).
The most common mode John uses is the dictionary attack. It takes text strings (usually from a file called a wordlist, containing dictionary words or passwords cracked before), hashes each one the same way as the password hash under attack (same algorithm and, where the hash has one, the same salt), and compares the result with the stored hash; a match reveals the password. Because salts differ per account, every candidate must be rehashed for each salted hash, which is why slow, salted hashes make this mode expensive.
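The dictionary attack described above, as an added example that is not John the Ripper's code: the stored hashes use a simple illustrative scheme (SHA-256 over salt + password, written as user:salt$hexdigest) rather than any real crypt format, and the users, salts, passwords, wordlist and mangling rules are all constructed for the demo. Each candidate is hashed with the target's own salt and compared against the stored digest, and a small set of mangling rules is applied on top of the raw wordlist.

```python
"""Wordlist (dictionary) attack against salted password hashes.

Added example, not John the Ripper's code. The hash scheme, users, salts,
wordlist and rules are constructed for the demo; real systems use slow
hashes (bcrypt, PBKDF2, ...) and John's rule language is far richer.
"""
import hashlib
import hmac


def hash_password(salt: str, password: str) -> str:
    """Target scheme: every candidate must use the same salt and algorithm."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def parse_hash_line(line: str):
    """Split "user:salt$hexdigest" into its parts."""
    user, rest = line.split(":", 1)
    salt, digest = rest.split("$", 1)
    return user, salt, digest


def candidates(wordlist):
    """Each wordlist entry plus a few mangled forms (the idea behind John's rules)."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        yield word + "1"
        yield word + "123"
        yield word.capitalize() + "1"
        yield word.capitalize() + "!"


def crack(line: str, wordlist):
    """Return (user, password or None, attempts) for one hash line."""
    user, salt, digest = parse_hash_line(line)
    attempts = 0
    for cand in candidates(wordlist):
        attempts += 1
        # Hash with the target's salt, then compare against the stored digest.
        if hmac.compare_digest(hash_password(salt, cand), digest):
            return user, cand, attempts
    return user, None, attempts


def crack_all(lines, wordlist) -> dict:
    """Map user -> (password or None, attempts) for every line in the hash file."""
    return {user: (pw, n) for user, pw, n in (crack(line, wordlist) for line in lines)}


WORDLIST = ["password", "letmein", "sunshine", "dragon"]   # constructed wordlist


def build_sample_hashes() -> list:
    """Constructed hash file: two weak passwords built on one base word, one passphrase."""
    return [
        "alice:k9Qz$" + hash_password("k9Qz", "Sunshine1"),
        "bob:x7Lm$" + hash_password("x7Lm", "sunshine"),
        "carol:aa11$" + hash_password("aa11", "correct horse battery staple"),
    ]


if __name__ == "__main__":
    for user, (password, attempts) in crack_all(build_sample_hashes(), WORDLIST).items():
        print(f"{user}: {password!r} after {attempts} candidates")
```

Two things worth noticing when running it: bob falls at attempt 13 and alice at attempt 17 only because the rules expanded "sunshine" into "Sunshine1", while carol's passphrase survives the whole list; and because alice and bob have different salts, nothing learned from one account's hash shortens the work on the other, which is the property salts exist to provide.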
tcpdump captures traffic on the specified interface via libpcap and prints a one-line summary of each packet to the terminal; with -w it writes the raw packets to a pcap file instead, and -r reads such a file back. Its filter expressions (BPF syntax, for example "tcp and dst port 80") are compiled and applied in the kernel, so unwanted traffic is discarded before it ever reaches the tool, which is how you winnow a large capture into manageable chunks. tcpdump uses fewer resources than graphical tools and has a smaller attack surface, but it is not risk-free: it needs root or CAP_NET_RAW to open the interface, and its protocol printers parse attacker-controlled bytes. Run it with -Z to drop privileges once the interface is open, and with -n to avoid reverse DNS lookups that slow capture and generate traffic of their own.
Wireshark offers real-time network analysis with a graphical front-end and lets users view reconstructed TCP session streams. Many prefer tcpdump for security and system-resource reasons, but Wireshark remains the most popular packet sniffer and receives regular updates to its protocol dissectors. It is very similar to tcpdump but adds integrated sorting, colouring and filtering. Wireshark captures via libpcap (Npcap on Windows), so it can only capture on the link types that library supports. Data can be captured from a live interface or read from a file of already-captured packets; capture files can be edited or converted with the command-line editcap program, and the display can be narrowed with a display filter. Display filters use a different syntax from BPF capture filters (for example tcp.port == 80 rather than port 80), and only capture filters reduce what is recorded. Because Wireshark's dissectors have a long history of parsing bugs, do not run the GUI as root: capture with dumpcap or tcpdump as the privileged helper and open the file as an unprivileged user.
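The pcap file format that tcpdump writes and Wireshark reads, and the capture-filter idea from the tcpdump paragraph, as an added example (not tcpdump's, libpcap's or Wireshark's code): a minimal reader for the libpcap file layout (24-byte global header, then a 16-byte record header before each packet) plus a filter compiler for a small subset of BPF expression syntax. The capture is constructed in memory with made-up addresses so the script runs offline; IP and TCP checksums in it are left at zero, which this reader does not verify.

```python
"""Walk a pcap capture file and apply a tcpdump-style filter to its records.

Added example, not tcpdump's or Wireshark's code. The sample capture, its
addresses and ports are constructed for the demo.
"""
import socket
import struct

LINKTYPE_ETHERNET = 1
# Magic numbers as read little-endian from the first four bytes of the file.
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),       # little-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),   # little-endian, nanosecond timestamps
    0xD4C3B2A1: (">", 1_000_000),       # big-endian, microsecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),   # big-endian, nanosecond timestamps
}


def read_pcap(data: bytes):
    """Yield one dict per record: timestamp, captured/original length, bytes."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        raise ValueError("not a pcap file (magic %08x)" % magic)
    endian, tick = MAGICS[magic]
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at %d" % offset)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + caplen > len(data):
            raise ValueError("truncated record at %d" % offset)
        yield {"ts": ts_sec + ts_frac / tick, "caplen": caplen, "len": origlen,
               "truncated": caplen < origlen,   # snaplen cut the packet short
               "data": data[offset:offset + caplen]}
        offset += caplen


def five_tuple(frame: bytes) -> dict:
    """Pull protocol, addresses and ports out of an Ethernet/IPv4 frame."""
    info = {"proto": "other", "src_host": None, "dst_host": None, "src_port": None, "dst_port": None}
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info["src_host"] = socket.inet_ntoa(ip[12:16])
    info["dst_host"] = socket.inet_ntoa(ip[16:20])
    info["proto"] = {6: "tcp", 17: "udp"}.get(ip[9], "ip proto %d" % ip[9])
    if ip[9] in (6, 17) and len(ip) >= ihl + 4:   # TCP and UDP both start with the ports
        info["src_port"], info["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def compile_filter(expr: str):
    """Subset of tcpdump syntax: terms joined by 'and'; a term is 'tcp', 'udp',
    '[src|dst] host A.B.C.D' or '[src|dst] port N'."""
    checks = []
    for term in expr.split(" and "):
        words = term.split()
        if words in (["tcp"], ["udp"]):
            checks.append(lambda t, p=words[0]: t["proto"] == p)
            continue
        direction = words.pop(0) if words[0] in ("src", "dst") else None
        kind, value = words
        if kind not in ("host", "port"):
            raise ValueError("unsupported primitive: " + term)
        keys = [direction + "_" + kind] if direction else ["src_" + kind, "dst_" + kind]
        value = int(value) if kind == "port" else value
        checks.append(lambda t, keys=keys, v=value: any(t[k] == v for k in keys))
    return lambda t: all(check(t) for check in checks)


def filter_capture(data: bytes, expr: str) -> list:
    """Five-tuples of the records matching expr, like 'tcpdump -r file expr'."""
    match = compile_filter(expr)
    return [t for t in (five_tuple(r["data"]) for r in read_pcap(data)) if match(t)]


def _frame(proto: int, src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame with a TCP or UDP header (checksums left zero)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + struct.pack("!H", 0x0800) + ip + l4 + payload


def build_sample_capture(snaplen: int = 96) -> bytes:
    """Constructed two-record capture: an HTTP request longer than snaplen (so it is
    truncated on disk) and a DNS query. All addresses and ports are made up."""
    http = _frame(6, "192.168.1.10", "203.0.113.5", 51514, 80,
                  b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    dns = _frame(17, "192.168.1.10", "192.168.1.1", 53000, 53,
                 b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in ((1700000000, 250000, http), (1700000000, 500000, dns)):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out


if __name__ == "__main__":
    for record in read_pcap(build_sample_capture()):
        print(record["ts"], record["caplen"], record["len"], five_tuple(record["data"]))
    print(filter_capture(build_sample_capture(), "tcp and dst port 80"))
```

The "truncated" flag is the caveat to watch for in real captures: a snaplen smaller than the frame (the first record here) keeps the headers but loses the tail of the payload, so a capture that "has the packet" may still not contain the data you were hoping to reconstruct.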
WinDump is the Windows port of tcpdump, the command-line network analyzer for UNIX. It accepts the same options and filter syntax as tcpdump and can be used to watch, diagnose and save to disk network traffic according to the same filter rules. WinDump captures using the WinPcap library and drivers, which are freely downloadable from the WinPcap.org website, and supports 802.11b/g wireless capture and troubleshooting through the Riverbed AirPcap adapter. Neither WinDump nor WinPcap is maintained any more; on a current Windows system use Npcap with Wireshark's command-line tshark or dumpcap instead.
WinDump is free and is released under a BSD-style license.