Get started Bring yourself up to speed with our introductory content.

Use a network analyzer to sniff the network

A network analyzer is a useful tool, helping you do things like track traffic and malicious usage on the network. Learn how to use a "sniffer" and all its capabilities.

Hacking for Dummies This excerpt is from Chapter 9 - Network Infrastructure in "Hacking for Dummies, 2nd edition" written by Kevin Beaver and published by Wiley Publishing.

Click here to purchase the entire book.

A network analyzer is a tool that allows you to look into a network and analyze data going across the wire for network optimization, security and/or troubleshooting purposes. Like a microscope for a lab scientist, a network analyzer is a must-have tool for any security professional.

Network analyzers are often generically referred to as sniffers, though that's actually the name and trademark of a specific product from Network Associates, Sniffer (the original commercial network analysis tool).

A network analyzer is handy for sniffing packets off the wire. Watch for the following network traffic behavior when using a network analyzer:

    • What do packet replies look like? Are they coming from the host you're testing or from an intermediary device?

  • Do packets appear to traverse a network host or security device, such as a router, a firewall or a proxy server?

When assessing security and responding to security incidents, a network analyzer can help you:

  • View anomalous network traffic and even track down an intruder.
  • Develop a baseline of network activity and performance, such as protocols in use, usage trends and MAC addresses, before a security incident occurs.

When your network behaves erratically, a network analyzer can help you:

  • Track and isolate malicious network usage.
  • Detect malicious Trojan-horse applications.
  • Monitor and track down DoS attacks.

Network analyzer programs

You can use one of the following programs for network analysis:

  • WildPackets EtherPeek is my favorite network analyzer. It does everything I need and more and is very simple to use. EtherPeek is available for the Windows operating systems.

If you're going to be doing a lot of network analysis on both wired and wireless networks that may require the decoding of Gigabit Ethernet, WAN protocols, voice over IP (VoIP) and other advanced systems, you should check out WildPackets OmniPeek product line. OmniPeek offers an all-in-one solution to help you keep your network analysis costs down plus you get the benefit of being able to use one tool for everything.

  • Cain and Abel is a free alternative for performing network analysis, ARP poisoning, Voice over IP capture/replay, password cracking and more.

  • Ethereal is a free alternative. I download and use this tool if I need a quick fix and don't have my laptop nearby. It's not as user-friendly as most of the commercial products, but it is very powerful if you're willing to learn its ins and outs. Ethereal is available for both Windows and UNIX-based operating systems.

  • ettercap is another powerful (and free) utility for performing network analysis and much more on both Windows and UNIX-based operating systems.

A network analyzer is simply software running on a computer with a network card. It works by placing the network card in promiscuous mode, which enables the card to see all the traffic on the network, even traffic not destined for the network analyzer's host. The network analyzer performs the following functions:

  • Captures all network traffic
  • Interprets or decodes what is found into a human-readable format
  • Displays it all in chronological order

Here are a few caveats for using a network analyzer:

    • To capture all traffic, you must connect the analyzer to either
  • A hub on the network.
  • A monitor/span/mirror port on a switch.
  • A switch that you've performed an ARP poisoning attack on.
    • You should connect the network analyzer to a hub on the outside of the firewall, as shown in Figure 9-13, as part of your testing so you can see traffic similar to what a network-based IDS sees:

  • What's entering your network before the firewall filters eliminate the junk traffic.
  • What's leaving your network after the traffic goes past the firewall.

Figure 9-13

HACKING FOR DUMMIES  Part 1: Use a network analyzer to sniff the network  Part 2: Microsoft network security testing for ARP spoofing  Part 3: Network security assessment for network infrastructure

Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.