
What is network snooping? Can it be used for good?


What is network snooping? Can it be used for good?
Yes, indeed! Snooping, which also goes by the name of "sniffing" after the Network General "Sniffer" product, is one of my favorite troubleshooting tools. As with many tools, you can do good or harm with it.

What it (snooping or sniffing) is properly called is traffic capture and analysis. That is, you run a special program or device that listens in "promiscuous" mode -- meaning that it will pick up any traffic passing by on the particular wire, whether or not it's addressed to that system.

Many manageable hubs and switches have what is called a SPAN port function (SPAN=Sniffer Port Analyzer, although that may be a Cisco term, I don't know who originated it), where you can redirect traffic to and from a particular port to another port for analysis. You can also purchase a device known as a "network tap," which allows all traffic through a cable or fiber to be copied to a separate output for analysis. But taps tend to be expensive, ranging from $300 up through $1,000, depending on the type and details.

Not all problems can be solved with these, and it shouldn't be the only tool in a toolbox, but I can't count the number of times I've solved a problem with a network analyzer that simply could not be seen any other way.

There are free ones (e.g., TCPDump/WinDump and Ethereal) and commercial products (e.g., Network General's Sniffer product, Shomiti Surveyor). There are also full-on hardware solutions from many of the same vendors. The key difference is that any analyzer that relies on the NDIS network card driver to pass packets up for capture does NOT pass on any physical layer error information. The full hardware implementations usually write their own drivers so that this information (Jabber, Collision, etc.) IS passed on for analysis. This is not usually a problem, since modern switches and such contain better automatic protections and controls. But if your network was built with unmanaged or unmanageable equipment, then this may be the only way to find out that you have a problem.

This was last published in October 2005
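The capture-and-analysis idea described in the answer, shown as an added example that is not part of the original answer or of any product it names: a small analyzer that reads a classic libpcap byte stream, decodes Ethernet/IPv4/TCP headers, verifies the IP header checksum, and shows which frames a card in normal (non-promiscuous) mode would never hand up to the capture program. The three frames, the MAC addresses and the "local" NIC address are all constructed here so the example runs offline; nothing touches a real interface.

```python
"""Offline sniffer demonstration: parse a pcap stream, decode Ethernet/IPv4/TCP,
and contrast the promiscuous view with what a normal-mode NIC would deliver."""
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_TCP = 0x0800, 0x0806, 6
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def mac_text(raw):
    return ":".join("%02x" % b for b in raw)

def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))

def ip_text(raw):
    return ".".join(str(b) for b in raw)

def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame. The IP header checksum is real so the
    analyzer can verify it; the TCP checksum is left at zero for brevity."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64,
                            IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip_no_sum[:10] + struct.pack("!H", inet_checksum(ip_no_sum)) + ip_no_sum[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_raw_frame(dst_mac, src_mac, ethertype, payload):
    """Constructed non-IP frame (here a placeholder ARP body we do not decode)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000_000 + i, 0, len(f), len(f)) + f
    return out


def decode_frame(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec = {"dst_mac": mac_text(dst), "src_mac": mac_text(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return rec                       # only the link layer is decoded for non-IP frames
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, _, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    rec.update(src_ip=ip_text(s), dst_ip=ip_text(d), ttl=ttl, proto=proto,
               ip_checksum_ok=inet_checksum(ip[:ihl]) == 0)
    if proto == IPPROTO_TCP:
        sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", ip[ihl:ihl + 20])
        rec.update(sport=sport, dport=dport,
                   flags=[name for bit, name in TCP_FLAG_NAMES if flags & bit])
    return rec


def parse_pcap(data):
    """Walk the record headers and decode every captured frame."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    if struct.unpack("<I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        records.append(decode_frame(data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return records


def frames_visible(records, local_mac, promiscuous):
    """Normal mode: the NIC only passes up unicast frames addressed to it plus
    broadcast/multicast (low bit of the first octet set). Promiscuous: everything."""
    if promiscuous:
        return list(records)
    return [r for r in records
            if r["dst_mac"] == local_mac or int(r["dst_mac"][:2], 16) & 1]


# Constructed sample capture: the analyst's NIC is LOCAL_MAC (an assumption).
LOCAL_MAC = "00:11:22:33:44:55"
SAMPLE_CAPTURE = build_pcap([
    build_frame(LOCAL_MAC, "00:aa:bb:cc:dd:01", "10.0.0.5", "10.0.0.9", 40000, 22, 0x02),
    build_frame("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:01", "10.0.0.5", "10.0.0.7",
                40001, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),   # between two other hosts
    build_raw_frame(BROADCAST_MAC, "00:aa:bb:cc:dd:03", ETHERTYPE_ARP, b"\x00" * 28),
])

if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_CAPTURE)
    for mode in (False, True):
        print("promiscuous=%s:" % mode)
        for r in frames_visible(recs, LOCAL_MAC, mode):
            print("  ", r)
```

Run it and the normal-mode view lists only the SYN addressed to the local card and the broadcast frame; the HTTP request between the two other hosts appears only in the promiscuous view. That is exactly the traffic a SPAN port or tap exists to deliver to the capture host, and exactly why a promiscuous capture on a shared segment needs the same access controls as any other tool that reads other people's traffic.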
