
What is a sniffer: how it works, tools and detection 2026

What is a network sniffer: passive vs active capture, tools (Wireshark, tcpdump, Bettercap), legitimate pentest use and defensive detection.

Secra · June 8, 2026 · 13 min read

A sniffer is a software or hardware tool that captures, decodes and analyses packets travelling across a network so their content and metadata can be inspected. It has been around since the early days of Ethernet and remains a core piece of any team that works seriously with networks. It has legitimate defensive uses including troubleshooting, forensic analysis, threat hunting and performance baselining. It also has offensive uses: credential interception on poorly configured networks, industrial espionage and reconnaissance prior to a broader attack.

This guide explains how a sniffer works technically, the difference between passive and active capture, the standard tools, legitimate and malicious scenarios, the role of TLS and how to detect sniffing activity on a network you own.

Sniffer essentials

  • A sniffer captures packets at OSI layer 2 or 3, usually by putting the network interface card into promiscuous mode.
  • Passive sniffing only listens. Active sniffing manipulates traffic (ARP spoofing, port stealing) to force packets towards the attacker.
  • Wireshark, tcpdump, tshark, Bettercap, Ettercap, Scapy and Zeek cover 95% of real scenarios.
  • TLS reduces the impact of sniffing on content but still leaves SNI, metadata and traffic patterns exposed.
  • Defensive detection relies on ARP table monitoring, NIC mode alerting and targeted IDS rules.

What is a sniffer and how it works technically

A sniffer interacts with the network stack below the application layer. A NIC working in normal mode drops any frame whose destination MAC does not match its own. When promiscuous mode (wired Ethernet) or monitor mode (WiFi) is enabled, the NIC hands the operating system every frame it sees on the medium. The sniffer collects those frames through a kernel API: libpcap on Linux and macOS, npcap on Windows.

Capture happens at layer 2 (Ethernet, WiFi) and layer 3 (IP). The sniffer decodes headers and reconstructs flows at transport level (TCP, UDP) and application level (HTTP, DNS, SMB, TLS, QUIC). To cut volume, BPF (Berkeley Packet Filter) filters are compiled in kernel space and applied before packets reach userspace. A typical filter looks like tcp port 443 and host 10.0.0.5.

The standard storage format is pcap (and its successor pcapng), a binary container that stores packets with timestamps. Nearly the entire toolchain (Wireshark, tcpdump, Zeek, Suricata, ntopng) reads and writes pcap, so you can capture with one tool and analyse with another.

Passive vs active sniffing

The distinction is critical for both attacker and defender.

Passive sniffing is limited to listening. The NIC enters promiscuous or monitor mode and absorbs whatever passes by without emitting anything. On networks with hubs (extinct in enterprise) or unencrypted WiFi, this is enough to observe all traffic on the segment. Its advantage for an attacker is invisibility: a NIC in promiscuous mode does not generate observable traffic at network level. Detection requires indirect techniques such as measuring ARP latency or sending packets with non-existent MACs.

Active sniffing applies on switched networks (the current norm). Each switch port only receives traffic destined for the MAC connected to it. To capture someone else's traffic, the attacker must manipulate the switch or the victim hosts. Common techniques are ARP spoofing (cache poisoning), MAC flooding (saturating the CAM table to force hub-like behaviour), DHCP spoofing and DNS spoofing. Each leaves detectable traces: anomalous ARP traffic, abrupt CAM changes, IP conflicts. A reasonably monitored corporate network detects active sniffing within minutes, while passive sniffing can go unnoticed for weeks.

Most used tools

Wireshark

Wireshark is the undisputed reference for packet analysis. Cross-platform graphical interface, decoder for more than 3000 protocols and a powerful display filter system. Load a pcap, apply a filter like http.request.method == "POST" && ip.dst == 192.168.1.10, and navigate packet by packet with the full layer hierarchy expanded. It allows following TCP streams, reconstructing HTTP sessions, extracting files transferred via SMB or FTP, and exporting decrypted objects.

For TLS, Wireshark decrypts sessions when supplied with the pre-master secret (the SSLKEYLOGFILE written by browsers) or with the server private key in RSA key exchange scenarios. With TLS 1.3 and forward secrecy, the only practical route is the keylog file. Wireshark lives mainly on the analyst's desktop and is usually the final analysis tool for captures obtained with tcpdump.

tcpdump

tcpdump is the canonical CLI sniffer on Linux and macOS. Efficient, lightweight and available by default. Ideal for capturing large volumes on production servers without hurting performance. Typical syntax: tcpdump -i eth0 -w capture.pcap 'host 10.0.0.5 and port 443'. The -w flag writes binary pcap. Without it, output is decoded to stdout.

Useful options in real operations: -s 0 to avoid truncation, -G 3600 -W 24 for hourly rotation with 24 files, -C 1000 for size-based rotation in megabytes. Filter syntax is pure BPF: learn it once and reuse across Wireshark, Zeek and others. First choice for unattended capture paired with later analysis in Wireshark.

tshark

tshark is Wireshark without the graphical interface. It shares the dissection engine and filters but runs in a terminal and integrates into pipelines. Useful when Wireshark-level detail is needed in a scriptable operation or on a remote server without X.

Example: tshark -r capture.pcap -Y 'http.request' -T fields -e ip.src -e http.host -e http.request.uri extracts hosts and URIs from each HTTP request in tabular format. Used in automated forensic analysis, CI reports and IoC extraction from historical pcaps.

Bettercap

Bettercap is the modern framework for active sniffing and MITM attacks. It replaced Ettercap as the reference tool. It integrates ARP spoofing, DHCP spoofing, DNS spoofing, SSL stripping, credential capture, HTML/JS injection into HTTP sessions, WiFi attacks (deauth, captive portal) and Bluetooth Low Energy.

It works through modules (caplets) loaded from an interactive console or API. A typical caplet activates arp.spoof, net.sniff and https.proxy to MITM a specific victim. Bettercap is purely offensive: it appears in internal pentests, Red Team exercises and also in the hands of real attackers. Its use outside an authorised scope is illegal in virtually any jurisdiction.

Ettercap

Ettercap is the classic MITM framework, predecessor of Bettercap. It remains alive in Kali, but development is slow and many plugins are outdated. It keeps a user base by inertia and because of specific plugins (real-time filters, STP attacks) that Bettercap does not replicate as conveniently. On new audits, the default move is straight to Bettercap.

Scapy

Scapy is a Python library to craft, manipulate, send and capture packets. It is not a conventional sniffer, but its sniff() function covers passive capture and allows writing custom analysis and response logic in a few lines. Useful for attack PoCs, protocol fuzzers, detection scripts and network product testing.

Minimal example (after from scapy.all import *): sniff(filter="udp port 53", prn=lambda p: print(p[DNS].qd.qname)) prints the queried name of every DNS packet observed. Scapy shines when you need to capture and react (respond with a forged packet, modify and forward), territory where Wireshark falls short.

Zeek

Zeek (formerly Bro) is not a sniffer in the traditional sense but a Network Security Monitor that produces structured logs from observed traffic. Instead of gigantic pcaps, it produces tabular files with one event per line: conn.log, http.log, dns.log, ssl.log, files.log and others. It summarises TCP sessions with relevant metadata (duration, bytes, state, TLS certificates, transferred file hashes) and drops the rest.

Zeek is the foundation of many modern threat hunting operations. Keeping full pcap is expensive; keeping Zeek logs for months or years is viable and allows retroactive searches when a new IoC appears. It is complemented with Suricata (signature-based IDS) and with SIEM/data lakes (Splunk, Elastic, ClickHouse) that ingest the logs.

Legitimate use cases

Sniffing belongs in the standard defender's kit.

In network pentest, capturing traffic during reconnaissance reveals protocols in use, weak authentication (LLMNR, NBT-NS, NTLMv1), exposed services, credential broadcasts and lateral movement paths. It is the first step to understanding an unknown internal network and overlaps with the work described in our guide to internal and external infrastructure penetration testing.

In threat hunting, Zeek or Suricata logs are searched retroactively against new IoCs. If a C2 domain appears in a Mandiant report, a query over the last 90 days of dns.log answers whether that infrastructure touched the network. This maps directly to MITRE ATT&CK and behaviour-based detection engineering.
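The retroactive dns.log search described above, as an added example (not the article's or Zeek's own code). The log excerpt is constructed with a subset of Zeek's dns.log columns; the parser reads whatever the #fields header declares, which every Zeek TSV log carries. The C2 domain and the analysis time are placeholders.

```python
"""Retroactive IoC hunt over a Zeek dns.log (added example, not the article's code)."""
from datetime import datetime, timedelta, timezone

# Constructed excerpt: only a subset of Zeek's dns.log columns is included.
SAMPLE_DNS_LOG = """\
#separator \\x09
#fields\tts\tid.orig_h\tquery\tqtype_name\tanswers
#types\ttime\taddr\tstring\tstring\tvector[string]
1767225600.000000\t10.0.0.50\twww.example.org\tA\t93.184.216.34
1767312000.000000\t10.0.0.23\tupdate.c2-placeholder.invalid\tA\t203.0.113.7
1767398400.000000\t10.0.0.50\tcdn.example.org\tA\t93.184.216.35
1760000000.000000\t10.0.0.23\tc2-placeholder.invalid\tA\t203.0.113.7
"""

# Placeholder "now" so the 90-day window is deterministic (2026-01-20 UTC).
REFERENCE_NOW = datetime(2026, 1, 20, tzinfo=timezone.utc)


def parse_zeek_tsv(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                      # #separator, #types and other metadata
        else:
            yield dict(zip(fields, line.split("\t")))


def hunt_dns_log(text, ioc_domain, now, days=90):
    """Return (ts, source IP, query) for every lookup of ioc_domain or one of
    its subdomains seen within the last `days` days before `now`."""
    ioc = ioc_domain.lower().rstrip(".")
    cutoff = now - timedelta(days=days)
    hits = []
    for rec in parse_zeek_tsv(text):
        ts = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
        query = rec["query"].lower().rstrip(".")
        if ts >= cutoff and (query == ioc or query.endswith("." + ioc)):
            hits.append((ts.isoformat(), rec["id.orig_h"], rec["query"]))
    return hits


if __name__ == "__main__":
    for hit in hunt_dns_log(SAMPLE_DNS_LOG, "c2-placeholder.invalid", REFERENCE_NOW):
        print(*hit)
```

The October 2025 lookup of the bare C2 domain falls outside the 90-day window and is dropped; widening the window with days=365 brings it back.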

In incident response, PCAP analysis reconstructs what happened during an attack: DNS tunneling exfiltration, C2 beaconing, suspicious file transfers, exploitation attempts. Without prior capture, investigation remains guesswork.

In troubleshooting and performance baselining, Wireshark is the fastest tool to diagnose latency, TCP retransmissions, MTU problems, TLS handshake failures or application congestion.

Malicious use cases

The same arsenal serves an attacker. The most frequent real scenarios:

Credential harvesting on insecure networks: open WiFi at hotels, airports or coworking spaces remains fertile ground. An attacker with Bettercap captures credentials in clear or via broken protocols. Although HTTPS dominates, legacy applications, internal admin panels and protocols like FTP, Telnet or SMTP without TLS still survive.

ARP spoofing + SSL stripping: after poisoning ARP, the attacker downgrades HTTPS to HTTP when the user does not explicitly type https://. Modern defence relies on HSTS preload, covered in our article on systems and network hardening.

Evil twin WiFi: the attacker brings up an AP with the legitimate SSID, forces disconnections with deauth packets and captures traffic from victims connecting to the fake. Combined with a cloned captive portal, it harvests corporate credentials.

Packet injection in RF protocols: in OT, IoT and SCADA environments, many protocols travel unencrypted over radio. An SDR sniffer allows listening and, with the right toolchain, injecting forged packets.

Why TLS makes the sniffer less dangerous (but not useless)

The widespread adoption of HTTPS has changed the attacker's calculus. With TLS, the sniffer sees the handshake and encrypted packets but not cleartext. HSTS makes the browser refuse HTTP connections to marked sites. Certificate pinning adds another layer in serious mobile apps. When all of these are in place, sniffing loses much of its value against end users.

The key phrase is "much of it", not "all of it". What TLS does not encrypt is metadata. The SNI travels in clear in TLS 1.2 and reveals which hostname is being visited, although not the path or payload. This is enough to profile behaviour. Traffic analysis, with packet sizes, timings and patterns, identifies specific applications and even actions inside them using statistical techniques. DNS queries without DoH or DoT continue to leak resolved domains.

TLS 1.3 encrypts more of the handshake, removes broken algorithms and forces forward secrecy. ECH (Encrypted Client Hello), still rolling out during 2026, also encrypts the SNI. Combined with DoH/DoT, metadata leakage is noticeably reduced. It does not disappear: traffic analysis does not need SNI and remains a valid intelligence vector.

How to detect sniffing on your network

Detecting passive sniffing is hard by design; active sniffing is more accessible. Techniques that work best on a corporate network:

ARP table monitoring: alert on anomalous changes (a MAC suddenly tied to a wrong IP, MAC conflicts, abrupt gateway changes). Tools like arpwatch keep a historical baseline and notify deviations.
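An arpwatch-style baseline check for the ARP traces described above and in the active sniffing section, as an added example (not the article's or arpwatch's code). It assumes it is fed (timestamp, sender IP, sender MAC) tuples taken from ARP replies on the segment; the replies below are a constructed sample.

```python
"""Minimal ARP baseline monitor (added example, not the article's or arpwatch's code)."""
from collections import defaultdict


def detect_arp_anomalies(replies, gateway_ip):
    """replies: iterable of (timestamp, sender_ip, sender_mac) from ARP replies.
    Returns alert strings for the two classic poisoning traces."""
    ip_to_mac = {}                           # baseline: last MAC seen for each IP
    mac_to_ips = defaultdict(set)            # every IP a given MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # flip-flop: an IP suddenly answers from a different MAC
            kind = "gateway change" if ip == gateway_ip else "flip-flop"
            alerts.append(f"{ts} {kind}: {ip} moved {previous} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1 and gateway_ip in mac_to_ips[mac]:
                # one MAC claiming the gateway plus other hosts is the
                # signature of a man-in-the-middle poisoning both sides
                alerts.append(f"{ts} multi-claim: {mac} owns {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed sample: 10.0.0.1 is the gateway, 10.0.0.50 a workstation and
# 10.0.0.99 the host whose MAC starts claiming both of them at t=300.
SAMPLE_REPLIES = [
    (100, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (101, "10.0.0.50", "bb:bb:bb:bb:bb:50"),
    (102, "10.0.0.99", "cc:cc:cc:cc:cc:99"),
    (300, "10.0.0.1", "cc:cc:cc:cc:cc:99"),    # gateway now answered by .99's MAC
    (301, "10.0.0.50", "cc:cc:cc:cc:cc:99"),   # workstation too: both sides poisoned
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES, gateway_ip="10.0.0.1"):
        print(alert)
```

The first three replies build a clean baseline and raise nothing; the two poisoned replies each raise a flip-flop and a multi-claim alert.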

Promiscuous mode detection: on managed switches and NICs, expose SNMP or NetFlow to the SOC. On Windows endpoints, NIC monitor mode change events can feed the EDR.

Specific IDS rules: Suricata and Snort have signatures for ARP anomalies, rogue DHCP, DNS spoofing and SSL stripping patterns. Enabling them narrows the detection window to minutes.

Active probing: send an IP packet with a fake destination MAC and observe who replies. Only a NIC in promiscuous mode processes it at ARP level, giving itself away. Works on small networks but generates noise.

Honey tokens: bait credentials embedded in low-profile traffic. If anyone uses them, you know capture took place.

Sniffing on WiFi vs Ethernet vs Cloud

The medium changes the rules.

On switched Ethernet, the attacker needs access to the switch, ARP spoofing or MAC flooding. The defender controls the switch: 802.1X, port security, DHCP snooping and Dynamic ARP Inspection are well-documented standard countermeasures.

On WiFi, the medium is shared by design. WPA2 and WPA3 encrypt traffic per client, but a sniffer in monitor mode captures all frames, and an attacker with the PSK decrypts sessions (WPA2-PSK more easily than Enterprise with EAP). WPA3 introduces SAE and per-session forward secrecy. For corporate networks, WPA2/WPA3-Enterprise with certificates is the acceptable minimum.

On cloud (AWS, Azure, GCP) the model changes. There is no physical NIC of your own: the hypervisor controls virtual switching and blocks promiscuous mode by default. For visibility you use VPC Flow Logs (metadata), Traffic Mirroring on AWS, vTAP on Azure, Packet Mirroring on GCP. Malicious sniffing from a compromised EC2 against a neighbour is practically impossible when the architecture is well designed.

Frequently asked questions

Is using Wireshark illegal?

No. Wireshark is legal software in any reasonable jurisdiction. What can be illegal is capturing traffic from networks you do not own without authorisation. On your own network, lab, or within an audit scope, use is legitimate. On a third-party network without explicit permission, unauthorised capture and disclosure of communications are criminal offences in Spain (Penal Code art. 197) and in most European frameworks.

Can I capture TLS traffic?

Capture, yes; decryption depends. Without keys you see encrypted packets and metadata (SNI, IPs, timings, sizes). With SSLKEYLOGFILE in Firefox or Chrome, Wireshark decrypts sessions in test environments. With server private keys it only works if the handshake does not use forward secrecy, rare in modern infrastructure. For decryption in production, TLS termination at a reverse proxy gives control without tricks.

Does a sniffer detect APT?

On its own, no. A sniffer captures. APT detection requires analysis on top: Zeek and Suricata as sensors, SIEM as aggregator and detection engineering rules based on MITRE ATT&CK. Network visibility is one of the pillars for lateral movement, exfiltration and C2 detection, but it demands continuous investment in detection engineering.

How do I use tcpdump in production?

Keep the BPF filter narrow, configure rotation with -G and -W or -C, write to fast disk and monitor space. Avoid long captures without rotation: a growing pcap fills the disk. Use -s 96 if you only need headers. For prolonged capture, consider Zeek logs instead of raw pcap.

What is the difference with an IDS?

A sniffer captures and displays. An IDS analyses traffic in real time against signatures or anomalies and alerts on matches. Suricata and Snort are signature-based; Zeek is closer to a Network Security Monitor with programmable logic. A sniffer is general; an IDS adds a detection engine and an alerting workflow.

Do I need admin/root?

Yes, on practically every system. Putting a NIC into promiscuous or monitor mode requires elevated privileges. On Linux this can be mitigated with CAP_NET_RAW and CAP_NET_ADMIN capabilities on the binary, avoiding full root. On Windows, npcap installs a SYSTEM service that allows capture to non-admin users if enabled. On macOS, BPF devices require permissions over /dev/bpf*.

Network audits with Secra

At Secra we work on real corporate networks. We run internal and external infrastructure pentests with controlled capture and visibility validation, threat hunting over Zeek and Suricata logs, and forensic PCAP analysis when an incident requires complete reconstruction. If you need to assess real exposure to sniffing and MITM attacks, or deploy in-house detection capability over network traffic, contact us and we will scope the engagement for your environment.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
