Hack Proofing Linux: A Guide to Open Source Security

A sniffer, or packet sniffer, is software or hardware that captures network traffic. This traffic can be analyzed to determine problems in a network, such as bottlenecks or performance degradation. It can also confirm hacker attacks against your network systems. If you suspect a system is under attack, you can capture the packets on its interface to identify what types of packets are hitting the system, as well as where the packets originated. Once a problem is determined, an administrator can make network changes to ensure that the network operates efficiently and securely.
Packet sniffers capture packets on a specific interface, or on all interfaces, depending on how you configure the sniffer. By default, they display all traffic captured on the network. However, this usually results in far too much traffic for an administrator to sort through. Therefore, sniffers offer filters that allow you to capture and display only packets that meet particular criteria. For instance, you may only be interested in capturing packets between one client and one server to determine the server's response time, or to determine why a particular client cannot access a server. Sniffers allow you to enter the Internet Protocol (IP) addresses of the client and server, so that only the network traffic between the two IP addresses will be captured and displayed.
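The client/server filter described above, as an added example that is not code from the book or from any of the sniffers it covers. It works one layer below a real sniffer: instead of reading frames from a network interface (which needs raw-socket privileges), it decodes IPv4 headers from constructed byte strings and applies a predicate equivalent to the tcpdump-style filter "host CLIENT and host SERVER", so only traffic exchanged between those two addresses is kept. The addresses, the `build_ipv4` helper (which leaves the header checksum at zero), and the sample traffic are all constructed for the example.

```python
"""Minimal IPv4 parser with a 'host A and host B' capture filter (added example)."""
import socket
import struct
from dataclasses import dataclass

# Fixed 20-byte IPv4 header, no options: version/IHL, DSCP/ECN, total length,
# identification, flags/fragment offset, TTL, protocol, checksum, src, dst.
IPV4_HEADER = "!BBHHHBBH4s4s"
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: str
    total_length: int
    payload: bytes


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet for sample input (checksum left at zero)."""
    total_length = 20 + len(payload)
    header = struct.pack(IPV4_HEADER,
                         0x45,            # version 4, IHL 5 (20-byte header)
                         0,               # DSCP/ECN
                         total_length,
                         0,               # identification
                         0,               # flags / fragment offset
                         64,              # TTL
                         proto,
                         0,               # header checksum (not validated here)
                         socket.inet_aton(src),
                         socket.inet_aton(dst))
    return header + payload


def parse_ipv4(raw: bytes) -> IPv4Packet:
    """Decode the fixed part of an IPv4 header; raise ValueError on malformed input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _, total_length, _, _, _, proto, _, src, dst) = struct.unpack(IPV4_HEADER, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes, options included
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    return IPv4Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                      PROTO_NAMES.get(proto, str(proto)), total_length,
                      raw[ihl:total_length])  # trims any link-layer padding


def host_pair_filter(client: str, server: str):
    """Predicate equivalent to tcpdump's 'host CLIENT and host SERVER' (either direction)."""
    pair = {client, server}
    return lambda pkt: {pkt.src, pkt.dst} == pair


def capture(frames, keep):
    """Decode each raw packet, skip malformed ones, and keep those passing the filter."""
    kept = []
    for raw in frames:
        try:
            pkt = parse_ipv4(raw)
        except ValueError:
            continue                      # a real sniffer would count this as a dropped/bad frame
        if keep(pkt):
            kept.append(pkt)
    return kept


# Constructed sample traffic: a client/server HTTP exchange, a second client,
# a DNS query to another host, and a truncated frame.
SAMPLE = [
    build_ipv4("192.0.2.10", "192.0.2.80", 6, b"GET / HTTP/1.0\r\n\r\n"),
    build_ipv4("192.0.2.80", "192.0.2.10", 6, b"HTTP/1.0 200 OK\r\n"),
    build_ipv4("192.0.2.11", "192.0.2.80", 6, b"GET / HTTP/1.0\r\n\r\n"),
    build_ipv4("192.0.2.10", "192.0.2.53", 17, b"\x00" * 12),
    b"\x45\x00\x00",
]


def summarize(frames, client, server):
    """Return (src, dst, proto, payload_len) for each packet between client and server."""
    return [(p.src, p.dst, p.proto, len(p.payload))
            for p in capture(frames, host_pair_filter(client, server))]


if __name__ == "__main__":
    for line in summarize(SAMPLE, "192.0.2.10", "192.0.2.80"):
        print(line)
```

With the sample above, only the two packets of the 192.0.2.10 and 192.0.2.80 exchange survive the filter; the other client's request, the DNS query and the truncated frame are dropped. Matching on the unordered pair of addresses is what makes the filter catch both the request and the response, which is what you need to measure a server's response time from a trace.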
This chapter introduces you to three popular open source Linux sniffers: