Q

What is network snooping? Can it be used for good?

Yes, indeed! Snooping, which also goes by the name of "sniffing" after the Network General "Sniffer" product, is one of my favorite troubleshooting tools. As with many tools, you can do good or harm with it.

What it (snooping or sniffing) is properly called is traffic capture and analysis. That is, you run a special program or device that listens in "promiscuous" mode -- meaning that it will pick up any traffic, whether or not it's addressed to that system, which is passing by on the particular wire.

Many manageable hubs and switches have what is called a SPAN port function (SPAN=Sniffer Port Analyzer, although that may be a Cisco term, I don't know who originated it), where you can redirect traffic to and from a particular port to another port for analysis. You can also purchase a device known as a "network tap," which allows all traffic through a cable or fiber to be copied to a separate output for analysis. But taps tend to be expensive, ranging from $300 up through $1,000, depending on the type and details.

Not all problems can be solved with these, and it shouldn't be the only tool in a toolbox, but I can't count the number of times I've solved a problem with a network analyzer that simply could not be seen any other way.

There are free ones (e.g., TCPDump/WinDump and Ethereal) and commercial products (e.g., Network General's Sniffer product, Shomiti Surveyor). There are also full-on hardware solutions from many of the same vendors. The key difference is that any analyzer that relies on the NDIS network card driver to pass packets up for capture does NOT pass on any physical layer error information. The full hardware implementations usually write their own drivers so that this information (Jabber, Collision, etc.) IS passed on for analysis. This is not usually a problem, since modern switches and such contain better automatic protections and controls. But if your network was built with unmanaged or unmanageable equipment, then this may be the only way to find out that you have a problem.
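As an added illustration (not part of the expert's answer above), the script below shows what "promiscuous" capture means in practice: it decodes a small libpcap-format capture (the file format TCPDump and Ethereal write) and flags every frame that a card in normal mode would have discarded because it was not addressed to the capturing host. The capture, the MAC addresses and the IP addresses are all constructed for the example; no live interface is touched.

```python
import struct

# Constructed addresses: the capturing host and two other hosts on the same wire.
LOCAL_MAC = bytes.fromhex("020000000001")
HOST_A_MAC = bytes.fromhex("020000000002")
HOST_B_MAC = bytes.fromhex("020000000003")
BROADCAST = b"\xff" * 6


def build_frame(dst, src, src_ip, dst_ip, proto=6):
    """Ethernet II header + minimal 20-byte IPv4 header (checksum left as 0; sample data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst + src + b"\x08\x00" + ip


def pcap_bytes(frames):
    """Wrap frames in a libpcap global header (link type 1 = Ethernet) and per-packet headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def summarize(data, local_mac):
    """Return (src_ip, dst_ip, proto, promiscuous_only) for each IPv4 frame in a pcap blob.

    promiscuous_only is True when the frame was addressed to neither this host nor
    broadcast, i.e. it is only visible because the capture interface is promiscuous.
    """
    rows, offset = [], 24                      # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        dst_mac, ethertype = frame[:6], struct.unpack_from("!H", frame, 12)[0]
        if ethertype != 0x0800:                 # only decode IPv4 here
            continue
        proto = frame[14 + 9]                   # IPv4 protocol field
        src_ip = ".".join(map(str, frame[26:30]))
        dst_ip = ".".join(map(str, frame[30:34]))
        rows.append((src_ip, dst_ip, proto, dst_mac not in (local_mac, BROADCAST)))
    return rows


# Constructed capture: one frame to us, two frames exchanged between the other hosts.
SAMPLE_CAPTURE = pcap_bytes([
    build_frame(LOCAL_MAC, HOST_A_MAC, "10.0.0.5", "10.0.0.1"),
    build_frame(HOST_B_MAC, HOST_A_MAC, "10.0.0.5", "10.0.0.9", proto=17),
    build_frame(HOST_A_MAC, HOST_B_MAC, "10.0.0.9", "10.0.0.5"),
])
```

Running `summarize(SAMPLE_CAPTURE, LOCAL_MAC)` reports three IPv4 frames, two of which are visible only because of promiscuous mode; on a switched network those two would normally not even reach the capture port, which is why the answer above points to SPAN ports and taps.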

This was first published in October 2005
