At one time or another, it happens to us all: Something weird is traversing the network, but you can't quite pin it down. In such cases, a packet capture and analysis program can come to your rescue, providing detailed discovery, detection or forensic information on TCP/IP traffic. These tools enable you to decipher raw data streams, learn what systems "touched" each other (and when), what protocols were in use (and how), and what was sent and received between two hosts.
Packet grabbers come in many shapes and sizes. Commercial tools such as Network Associates' Sniffer and Network Instruments' Observer have powerful features and friendly interfaces, but may be too expensive for cash-strapped IT departments. While bare-bones freeware tools are less user-friendly, they can be just as effective.
The main distinguishing feature among sniffers is how they decode and present the traffic. Some give you data fields or statistics; others give you colorful pictures. Keep in mind that no matter what sniffer you're using, it won't be able to decode encrypted traffic.
Before installing a sniffer, make sure you get authorization. Sniffers allow you to monitor all plaintext traffic traversing the network--including people's passwords, favorite Web sites and personal communications. In some states, employees have to acknowledge in writing that their communications may be monitored. In any case, make sure you're covered legally and procedurally.
The godfather of packet grabbers is the Unix tcpdump command. Tcpdump is an incredibly powerful tool that does three important things: captures packets based on a detailed specification; displays them in a human-readable fashion; and allows you to save them for further analysis.
Packet-grabbing specifications in tcpdump range from the simple to the complex, depending on what you need to accomplish. For example: tcpdump host 10.10.10.223 gives you all the packets entering or exiting the machine with that specific IP address. Now, let's save the data to a file:
tcpdump -s 5000 -w pkt.dat host 10.10.10.223 and host 18.104.22.168 and tcp port 80
Running this command gives us a file of Web traffic in a standard tcpdump format that's also used by many other sniffers. The "-s 5000" option specifies the buffer space to use for packet capture, and the "-w pkt.dat" specifies the output capture file name.
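As an added illustration (not code from the original article), the following Python script writes a capture in the same tcpdump file format that "-w" produces, reads it back, and pulls out which hosts talked to which on what ports, then applies the filter from the example above offline. The frames, MAC addresses and timestamps are constructed sample input; everything else follows the classic pcap layout.

```python
import struct
from ipaddress import IPv4Address
PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps, native byte order

def build_tcp_frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN with no payload (sample input only)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + tcp

def build_pcap(frames, snaplen=5000):
    """Lay frames out as 'tcpdump -s <snaplen> -w file' does: 24-byte global header,
    then a 16-byte record header in front of each (possibly truncated) frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]                     # -s caps the bytes kept per packet
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(cap), len(frame)) + cap
    return out

def parse_pcap(data):
    """Return (snaplen, [(ts, src_ip, sport, dst_ip, dport), ...]) for TCP/IPv4 records."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("not a native-order Ethernet pcap")
    off, records = 24, []
    while off + 16 <= len(data):
        ts, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":    # too short, or not IPv4
            continue
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        if proto != 6 or len(pkt) < 14 + ihl + 4:           # not TCP, or ports cut off by snaplen
            continue
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        records.append((ts, str(IPv4Address(pkt[26:30])), sport, str(IPv4Address(pkt[30:34])), dport))
    return snaplen, records

def between_on_port(records, host_a, host_b, port):
    """Offline equivalent of the capture filter 'host A and host B and tcp port P'."""
    return [r for r in records if {r[1], r[3]} == {host_a, host_b} and port in (r[2], r[4])]

if __name__ == "__main__":
    frames = [build_tcp_frame("10.10.10.223", "18.104.22.168", 40000, 80),
              build_tcp_frame("18.104.22.168", "10.10.10.223", 80, 40000),
              build_tcp_frame("10.10.10.223", "18.104.22.168", 40001, 22)]
    snaplen, recs = parse_pcap(build_pcap(frames))
    print(f"snaplen {snaplen}:", between_on_port(recs, "10.10.10.223", "18.104.22.168", 80))
```

Setting snaplen too low (try 20) leaves records whose headers are cut off, which is why the parser checks lengths before decoding each layer.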
While tcpdump is free with virtually every version of Unix, it's also available for Windows. To use tcpdump on Windows, you need WinPcap, a DLL that offers the same interface as the Unix packet capture library.
My favorite packet-viewing tool is Ethereal, which also works on Unix and Windows. Ethereal visually decodes packets into tree hierarchies so you can quickly see what packets contain, including more than 300 application and network protocols. Want to quickly see what's in a Gnutella request? 802.11? HTTP? Ethereal's got you covered.
For broad dissection of network traffic, consider a tool like EtherApe for Unix. EtherApe graphically represents overall usage by hosts, protocols and links. If you want to visually understand which systems on a network are causing the most traffic at what times, this is an excellent tool for real-time analysis. For command-line junkies, consider ngrep, the original "network grep" that lets you search traffic for specific patterns. Want to search for the string "[ \t]sex[ \t]" in all HTTP traffic? Or how about "ngrep 'user|pass' tcp port 21"?
Ngrep is ideal when you want to search for specific packets as part of a script or batch process. For more sophisticated, programmable network searching, take a look at the popular snort IDS, which allows you to write complex and powerful collection and alerting rules based on traffic.
If you're involved in cyberforensics, you'll want to have most of these tools in your bag of tricks. If you're a network administrator, they'll come in equally handy. If you only have time to get to know one or two, learn your way around Ethereal and tcpdump.
About the author:
Marcus J. Ranum is an independent security consultant and author. He is the founder of NFR Security and built the first commercial firewall product, DEC SEAL.