What does the 'sniff' command in Unix do?
Sniff is a utility that allows the watching/recording
of network packets that a computer can "see". What is seen typically depends
on the network topology, and more specifically on whether the segment is
switched or shared. Sniff can be configured to display specific packet types
(by ID) or packets from specific IP addresses. It's sometimes part of the OS,
but usually it's not.
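
The filtering described above (by packet type ID or by source IP address) can be shown on a single captured frame. This is an added example, not code from the original page or from any sniff utility; the names pkt_filter, frame_matches and SAMPLE_FRAME are hypothetical, the sample frame is constructed, and only Ethernet frames carrying IPv4 are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical filter: IP protocol number and source address (host order); 0 = any. */
struct pkt_filter { uint8_t proto; uint32_t src; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* 1 = frame matches, 0 = no match, -1 = truncated, malformed or not IPv4. */
int frame_matches(const uint8_t *f, size_t len, const struct pkt_filter *flt)
{
    if (len < 14 + 20) return -1;              /* Ethernet header + minimal IPv4 header */
    if (rd16(f + 12) != 0x0800) return -1;     /* EtherType must be IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* IPv4 header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl) return -1;
    if (flt->proto && ip[9] != flt->proto) return 0;      /* packet type (protocol ID) */
    if (flt->src && rd32(ip + 12) != flt->src) return 0;  /* source IP address */
    return 1;
}

/* Constructed sample: one TCP SYN from 192.0.2.10 to 198.51.100.5 (checksums left 0). */
const uint8_t SAMPLE_FRAME[] = {
    0x02,0x00,0x00,0x00,0x00,0x02, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    192,0,2,10, 198,51,100,5,
    0xC0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00
};

int main(void)
{
    struct pkt_filter tcp_from_host = { 6, 0xC000020AU };  /* TCP, 192.0.2.10 */
    struct pkt_filter udp_any = { 17, 0 };                 /* UDP, any source */
    printf("tcp from 192.0.2.10: %d\n",
           frame_matches(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &tcp_from_host));
    printf("udp from any:        %d\n",
           frame_matches(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &udp_any));
    return 0;
}
```
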
What is a Packet Sniffer?
Packet sniffing is listening (with software) to the raw network device for interesting packets. When the software sees a packet that fits certain criteria, it logs it to a file. The most common criterion for an interesting packet is one that contains words like “login” or “password.” To packet sniff, obtain or code a packet sniffer that
is capable of working with the type of network interface that the operating
system supports.

Network interfaces include:
- LLI
- NIT (Network Interface Tap)
- Ultrix Packet Filter
- DLPI (Data Link Provider Interface)
- BPF (Berkeley Packet Filter)

LLI was a network interface that SCO used, which has been augmented with DLPI support as of SCO OpenServer Release V.

NIT was a network interface that Sun used, but has been replaced in later releases of SunOS/Solaris with DLPI.

Ultrix supported the Ultrix Packet Filter before Digital implemented support for BPF.

DLPI is supported under current System V Release 4 releases, SunOS/Solaris, AIX, HP/UX, UnixWare, Irix, and MacOS. DLPI is partially supported under Digital Unix. Sun DLPI version 2 supports Ethernet, X.25 LAPB, SDLC, ISDN LAPD, CSMA/CD, FDDI, Token Ring, Token Bus, and Bisync as data link protocols. The DLPI network interface provided with HP/UX supports Ethernet/IEEE 802.3, IEEE 802.5, FDDI, and Fibre Channel.

BPF is supported under current BSD and Digital Unix releases and has been ported to SunOS and Solaris. AIX supports BPF reads, but not writes. A BPF library is available for Linux.
(c) www.gotothings.com All material on this site is Copyright.