Packet Capturing
Unit: 8
Lesson: 5
aliases:
Packet Sniffer
i need to plant a bug in the oval office
Protocol analyzers, often called 'packet sniffers,' are hardware or software tools used to inspect traffic received by a host or passing over a network link.
Software-based Sniffers
These are software applications that analyze the incoming frames received by the host device's network adapter through a special capture driver (the adapter is usually put into promiscuous mode so that frames not addressed to the host are passed up as well). Captured frames are read into memory and stored to disk; capture filters limit what gets recorded, for efficiency.
Physical Sniffers
There are three ways to install a hardware-based sniffer.
Switched Port Analyzer
Abbreviated as SPAN, also called port mirroring. The sensor is attached to a specially configured port that receives copies of the frames addressed to a specified set of ports (or all the other ports). This is not fully reliable: frames with errors are not mirrored, and frames may be dropped under heavy traffic because a single mirror port is easily oversubscribed.
Passive Test Access Point
Abbreviated as TAP. Literally a box that you run two cables through. There are variants for copper (usually twisted pair) and fiber optic cabling. Because no logical decisions are made, every frame is copied, regardless of corruption or errors, and the capture is unaffected by network traffic load.
Active TAP
This time a powered box that performs signal regeneration, meaning it retransmits frames to the monitoring port so that traffic isn't lost and is accurately captured. This matters where data integrity is required. However, because it is an active, logical device, it can become a point of failure if it loses power.
- [i] A TAP will usually output two streams to monitor a full-duplex link (one channel for upstream and one for downstream). Alternatively, aggregation TAPs combine the two streams into a single channel, but these can drop frames under very heavy load.
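Added example (not part of these notes): a small Python script that reads the two per-direction capture files a passive TAP produces, interleaves them by timestamp into one pcap (what an aggregation TAP does in hardware), applies a capture filter by EtherType, and stores the result to disk. The pcap reader/writer, the two hosts and the frames are all constructed here for illustration and are not real captures.

```python
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # classic libpcap, microsecond timestamps
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806

def pcap_header():
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

def pcap_record(ts_sec, ts_usec, frame):
    # per-record header: seconds, microseconds, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def make_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ethertype(frame):
    return struct.unpack_from("!H", frame, 12)[0]

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record in a pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def merge_streams(upstream, downstream, keep_ethertype=None):
    """Interleave both TAP channels by timestamp into one pcap; keep only frames
    with the given EtherType (None keeps everything), like a capture filter."""
    records = sorted(list(read_pcap(upstream)) + list(read_pcap(downstream)),
                     key=lambda r: (r[0], r[1]))
    out = pcap_header()
    for ts_sec, ts_usec, frame in records:
        if keep_ethertype is None or ethertype(frame) == keep_ethertype:
            out += pcap_record(ts_sec, ts_usec, frame)
    return out

# Constructed sample: two hosts on a full-duplex link, one capture file per direction.
HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IPV4_STUB = b"\x45" + b"\x00" * 19       # placeholder IPv4 header, not a real packet
UPSTREAM = (pcap_header()
            + pcap_record(1, 0, make_frame(HOST_B, HOST_A, ETHERTYPE_ARP, b"\x00" * 28))
            + pcap_record(3, 0, make_frame(HOST_B, HOST_A, ETHERTYPE_IPV4, IPV4_STUB)))
DOWNSTREAM = pcap_header() + pcap_record(2, 500000, make_frame(HOST_A, HOST_B, ETHERTYPE_IPV4, IPV4_STUB))

if __name__ == "__main__":
    with open("merged.pcap", "wb") as f:    # stored to disk; opens in Wireshark
        f.write(merge_streams(UPSTREAM, DOWNSTREAM, keep_ethertype=ETHERTYPE_IPV4))
```

The filtered output keeps only the two IPv4 frames, in timestamp order (downstream at 2.5 s, then upstream at 3 s); passing `keep_ethertype=None` keeps the ARP frame too.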
#Netplus