What is a Network Sniffer and What is the Best Way to Use One?

Networks increase the utility of computers by making them accessible to anyone no matter where they are located. They also introduce increased complexity to computer systems while posing potential security risks that were not a concern with standalone machines. Specialized tools such as network sniffers are required by network administrators to understand and optimize their networks. The same network sniffer tools can be used to subvert or enhance network security, as we shall soon see.

What is a Network Sniffer?

A network sniffer is a software tool or piece of hardware which is used to monitor network traffic. You may be familiar with the tool under one of its other names such as packet analyzer, network analyzer, or protocol analyzer. Hardware implementations of a packet analyzer are mostly employed by network administrators or security professionals operating with large networks.

There are many software network sniffing tools available that make it possible for anyone to monitor network traffic. The same tool can be used for constructive or malicious purposes depending on who is operating the application. Network admins and hackers both have the same tools but with very different intentions. Wireless network sniffers are used to monitor and potentially gain entry into WiFi networks which are becoming more prevalent every day.

How Does a Network Sniffer Work?

A network sniffer takes advantage of the way data is transmitted across a network. Networks send data in distinct packets in order to maintain data integrity and avoid network congestion. When files or emails are sent, they are broken into smaller packets before being sent to their destination. Each transmission includes information such as:

  • The destination address
  • Number of packets being transmitted
  • Reassembly order of the packets
  • The source address

When the data arrives at its destination, the message’s headers and footers are stripped off and the data is reconstructed. Networks and computers use a network filter to discard all messages that are not intended for them.
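The header fields and the network filter described above, shown as an added example that is not part of the original article. It assumes Ethernet II framing and IPv4, which the article does not name; the MAC addresses, the 192.0.2.x addresses and the payloads are constructed sample data.

```python
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ident, offset, more, payload):
    """Build a constructed Ethernet II + IPv4 frame (checksum left at 0)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                     flags_frag, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    return eth + struct.pack("!H", 0x0800) + ip + payload

def parse_frame(frame):
    """Return the addressing and reassembly fields a sniffer displays."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src)}
    if ethertype != 0x0800 or len(frame) < 34:
        return out  # not IPv4, or too short to hold an IPv4 header
    (ver_ihl, _, total_len, ident, flags_frag, _, _, _,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    start = 14 + (ver_ihl & 0x0F) * 4
    out.update(src_ip=socket.inet_ntoa(src_ip), dst_ip=socket.inet_ntoa(dst_ip),
               ident=ident, more_fragments=bool(flags_frag & 0x2000),
               offset=(flags_frag & 0x1FFF) * 8,
               payload=frame[start:14 + total_len])
    return out

def nic_accepts(dst_mac, nic_mac, promiscuous=False):
    """Simplified NIC filter: own address or broadcast, unless promiscuous."""
    return promiscuous or dst_mac in (nic_mac.lower(), BROADCAST)

def reassemble(frames):
    """Order fragments of one datagram by offset and join their payloads."""
    parts = sorted((parse_frame(f) for f in frames), key=lambda p: p["offset"])
    return b"".join(p["payload"] for p in parts)

# Constructed sample: one datagram in two fragments, arriving out of order.
HOST_A, HOST_B, HOST_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
FRAMES = [
    build_frame(HOST_B, HOST_A, "192.0.2.10", "192.0.2.20", 7, 8, False, b" see all"),
    build_frame(HOST_B, HOST_A, "192.0.2.10", "192.0.2.20", 7, 0, True, b"sniffers"),
]
```

With the filter in its normal state, HOST_C drops both frames because they are addressed to HOST_B; with `promiscuous=True` the same interface accepts them, which is the setting a sniffer relies on.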

A network packet sniffer operates by intercepting and logging the network traffic. The software analyzes the traffic and converts it to a user-friendly format. Depending on who is using the packet analyzer, the information provided by the tool can be used in a variety of ways.

Network sniffers can be operated in two modes.

  • Passive sniffing — This involves simply listening to and capturing traffic. This type of sniffing is not detectable.
  • Active sniffing — An Address Resolution Protocol (ARP) spoofing or traffic-flooding attack is launched against a switch in order to capture traffic. This is detectable by network intrusion tools.
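One check a network intrusion tool can apply to the ARP spoofing mentioned above, given as an added example rather than code from the article or from any named product. The log line format and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log format: "<time> arp-reply <ip> is-at <mac>"
LINE = re.compile(
    r"^(?P<ts>\S+) arp-reply (?P<ip>\d+(?:\.\d+){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)

def find_arp_conflicts(lines):
    """Flag IPs whose advertised MAC changes and MACs that claim a second IP."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in lines:
        m = LINE.match(line.strip().lower())
        if not m:
            continue  # ignore lines that are not ARP replies in this format
        ts, ip, mac = m["ts"], m["ip"], m["mac"]
        previous = ip_to_mac.get(ip)
        if previous and previous != mac:
            alerts.append((ts, "ip-rebound", ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == 2 and ip in mac_to_ips[mac] and previous != mac:
            # Raised once, at the moment a MAC starts answering for a second IP.
            alerts.append((ts, "mac-claims-multiple-ips", mac,
                           tuple(sorted(mac_to_ips[mac]))))
    return alerts

# Constructed sample: at 10:00:05 one MAC starts answering for the gateway
# (192.0.2.1) and for another host (192.0.2.20).
SAMPLE_LOG = [
    "10:00:01 arp-reply 192.0.2.1 is-at 02:00:00:00:00:01",
    "10:00:02 arp-reply 192.0.2.20 is-at 02:00:00:00:00:0b",
    "10:00:05 arp-reply 192.0.2.1 is-at 02:00:00:00:00:0c",
    "10:00:05 arp-reply 192.0.2.20 is-at 02:00:00:00:00:0c",
]
```

A changed mapping also occurs when a DHCP lease moves, a network card is replaced or a redundant gateway fails over, so alerts from a check like this need to be compared against known changes before being treated as an attack.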

How is a Network Sniffer Used?

A network sniffer tool can be used by network administrators to test and improve the functionality of their network. Some specific areas where a network sniffer is used for constructive purposes are:

  • Troubleshooting network issues such as bottlenecks.
  • Compiling statistics on a network such as available bandwidth.
  • Testing firewall implementations.
  • Securing a network by analyzing packet traffic in an attempt to detect unauthorized access to the network.

Unfortunately, the same tools that can help a network admin understand and protect their network can be used by individuals with malicious intentions. Some of the nefarious uses of a protocol analyzer are:

  • Using a network sniffer in promiscuous mode enables intruders to examine any packet traveling across the network regardless of its destination.
  • Intercepting packets of unencrypted data allows hackers to compromise passwords and gain unauthorized access to your network or applications.
  • WiFi sniffers can be used by hackers who set up fake hotspots and monitor the traffic in the hopes of finding unencrypted data that they can use for profit.
  • Sniffers can be included in malware, as in the VPNFilter malware attack.

As with many inventions, the way in which packet analyzers are used is solely determined by the person or entity using the tool. Governments, businesses, and advertisers also make use of network sniffing software to monitor the online activities of citizens and to find ways to inject ads that target specific individuals or groups.

Some Excellent Network Sniffers

There are many network sniffer tools available that can be run on the computing platform of your choice. Let’s take a look at some of them.


KisMac2 is a free network sniffer tool which is designed to run on the macOS platform. The open-source tool is meant to be used with WiFi networks and can perform a wide variety of WiFi monitoring and sniffing tasks.


It supports all of the Apple internal AirPort Extreme hardware as well as some third-party USB network cards. You need to be running macOS 10.9 or later to use this tool. Some of its features include:

  • User-friendly GUI
  • Ability to reveal hidden or cloaked SSIDs
  • Mapping and GPS support
  • Kismet drone support
  • Obtain maps of network coverage

KisMac2 is a great choice for a free network sniffer for the Mac.


This free and open-source network analyzer has versions which can be run on Windows, macOS, and Linux machines.


It is one of the most popular network sniffing applications available and comes packed with features such as:

  • Live packet capture and offline analysis
  • Powerful display filters
  • The ability to read and write numerous capture file formats
  • Decryption support for many protocols such as WEP and WPA/WPA2
  • Export output in a variety of formats

You can’t go wrong with this widely-used network tool.


Unix and Linux users can use this tool to monitor their network packets. It is a freeware tool that presents you with a graphical representation of your network. Lines expand and contract in the display based on current traffic and different colors are used to represent varying protocols on the network.


It is a popular choice among experienced network administrators.


WinDump is a Windows port of the popular command-line tool tcpdump. It is freeware that requires the prior installation of the WinPcap library. Once the library is installed, you simply run the tool as an executable file.


It performs all of the basic network sniffing tasks that you would expect and can be used with filters to limit data capture.

SolarWinds Network Performance Monitor

Here is a professional-grade network performance monitor that entails a substantial financial investment to deploy. It is obviously meant for use in professional settings where maintaining network performance is critical. One of its specialties is gathering information from network-attached equipment and this facility can help you track down the origin of unauthorized access to your system.


Pricing is based on the number of devices that will be monitored.

* * *

Network sniffing software should be a mandatory part of every network administrator’s toolbox. Use of this type of software can help you maintain a secure network and troubleshoot any issues that may arise. If you don’t already have a network sniffer, we suggest you download one today.