Understand These 4 Network Traffic Capture Tools

September 16, 2015 | Views: 11919


Traffic capture, also referred to as packet capture, is one activity in penetration testing (pentesting)*.

Pentesting pinpoints vulnerabilities on a network and identifies suspicious packets moving across it. Being able to recognize routine network traffic is also valuable: it shows how a normal network environment operates, which makes anomalies and vulnerabilities easier to spot.


During traffic capture (or packet capture), a data packet that is moving over a computer network is intercepted. After the packet is captured, it’s analyzed to diagnose and solve any problems – most likely security problems – that exist on the network. (Or, if it is captured for nefarious purposes – see the paragraph below – the data may be stolen or compromised).


When leveraged as a part of the pentesting described above, traffic capture is used on network traffic that you’re authorized to access. Traffic capture can also include traffic not intended for your network. In other words, it provides a way to see traffic that may be encrypted and that is intended only for specific users. Hackers may use packet capturing techniques to obtain and monitor data that would not necessarily come to them under normal circumstances.


Network managers and administrators rely on many traffic capture tools to manage and analyze their overall network traffic and performance. These tools may also be used to hack the network. Four of them are described below:

Wireshark

The first traffic capture tool discussed is Wireshark (formerly known as Ethereal; it was renamed Wireshark in 2006). Wireshark is a free and open source, fully featured network protocol analyzer (also known as a “network sniffer”) used to monitor traffic on a network. Because it is an open source program, it has benefited from contributions by network developers worldwide. Wireshark allows the user to set up a domain controller. It acts as a viewing tool, supported by a graphical user interface (GUI), and uses various user-chosen filtering features to assess vulnerable systems and files. With Wireshark, a user can see and capture all traffic passing over a given network.


ARP

ARP (the Address Resolution Protocol) translates IP addresses into the MAC addresses of network adapters, and in doing so tells hosts where on the local network to send their traffic.

Since there is no requirement in the computer world for machines to tell the truth, ARP can be used for spoofing, which lets the spoofer see the traffic between two other computers. ARP spoofing tricks hosts into sending traffic to the wrong place so that it can be captured in Wireshark.

One downside: it can cause a denial-of-service condition, which may slow down or completely bring down a system. Therefore, the spoof must be set up so that traffic keeps flowing to the correct machine and doesn’t stop permanently at the intercepting machine.
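The defender's view of the ARP behaviour described above, as an added example that is not code from the original article or from any of the tools it discusses: the script reads ARP replies written in tcpdump's output style, records which MAC each IP claims, and flags the two signatures a poisoner leaves behind, an IP whose MAC suddenly changes, and a single MAC that claims several IPs (typically the gateway and a victim at once). The sample lines are constructed for this example and are hypothetical traffic; `parse_arp_replies` and `detect_arp_spoofing` are names chosen here. The same check is what "finding other poisoners on the LAN", mentioned in the Ettercap section below, amounts to.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of tcpdump's ARP output
# (hypothetical traffic, not from a real capture). The last two lines
# show a second MAC claiming both the gateway and a host, which is the
# pattern an ARP poisoner produces when it sits between them.
SAMPLE_ARP_LINES = """\
12:00:01.000001 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:01.500000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:14, length 28
12:00:02.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:02.000500 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.000100 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_replies(text):
    """Extract (ip, mac) pairs from ARP reply lines; requests are ignored."""
    pairs = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def detect_arp_spoofing(replies, static_bindings=None):
    """Return a list of alerts from a sequence of (ip, mac) ARP replies.

    Two checks: an IP whose MAC differs from the first-seen (or statically
    configured) binding, and one MAC claiming more than one IP. The second
    check has a benign explanation on some networks (a router carrying
    several addresses), so treat it as a lead rather than proof.
    """
    bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    claims = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac  # first-seen binding becomes the reference
        elif known != mac:
            alerts.append(("ip_mac_conflict", ip, known, mac))
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(("mac_claims_many_ips", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_ARP_LINES)):
        print(alert)
```

Passing the gateway's real MAC in `static_bindings` is the important operational choice: without it, the first reply seen is trusted, and a poisoner who is already active when monitoring starts would become the reference binding.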


DNS

DNS (the Domain Name System) translates domain names (such as aaa.com) into IP addresses: it tells the host where to send traffic when a destination is called by its domain name. This isn’t the only way to illicitly bring people to a specific website; it’s just one tool for doing so.

Once again, since there is no requirement for machines to tell the truth, DNS can be used for spoofing (there is a dedicated DNS spoof tool), and it can be used in conjunction with ARP spoofing.

DNS spoofing, also called DNS cache poisoning, is a computer hacking attack in which false data are introduced into a DNS resolver’s cache. This causes the name server to return an incorrect IP address and diverts traffic to the attacker’s computer (or to any other specified computer).
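An added detection example, not from the original article and not the DNS spoof tool's code: a spoofed answer has to arrive before the legitimate resolver's, and the client accepts whichever comes first, so a monitor that can see both answers observes two different responses for one transaction ID. Responses for an ID the client never sent are the other tell-tale. The records below are constructed for this example (hypothetical names and addresses), and `detect_dns_spoofing` is a name chosen here.

```python
from collections import defaultdict

# Constructed records (not real traffic): the queries a client actually sent,
# as (transaction id, name), and the responses that came back, each carrying
# the tuple of A-record addresses it contained.
SAMPLE_QUERIES = [(0x1A2B, "bank.example"), (0x3C4D, "mail.example"), (0x5E6F, "cdn.example")]
SAMPLE_RESPONSES = [
    (0x1A2B, "bank.example", ("10.0.0.66",)),                    # arrives first
    (0x1A2B, "bank.example", ("203.0.113.10",)),                 # the resolver's answer
    (0x3C4D, "mail.example", ("203.0.113.25",)),
    (0x5E6F, "cdn.example", ("203.0.113.40", "203.0.113.41")),   # several addresses in ONE response: normal
    (0x9999, "bank.example", ("10.0.0.66",)),                    # no query carried this id
]


def detect_dns_spoofing(queries, responses):
    """Return alerts for unsolicited responses and for transaction ids that
    received more than one distinct answer set.

    The 'accepted' field of a conflicting_answers alert is the answer that
    arrived first, i.e. the one the client most likely used. A single response
    holding several addresses (round-robin DNS) is not a conflict.
    """
    outstanding = set(queries)
    answers = defaultdict(list)
    alerts = []
    for txid, qname, addrs in responses:
        key = (txid, qname)
        if key not in outstanding:
            alerts.append(("unsolicited_response", txid, qname, addrs))
            continue
        answers[key].append(tuple(sorted(addrs)))
    for (txid, qname), seen in answers.items():
        distinct = sorted(set(seen))
        if len(distinct) > 1:
            alerts.append(("conflicting_answers", txid, qname, seen[0], tuple(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_spoofing(SAMPLE_QUERIES, SAMPLE_RESPONSES):
        print(alert)
```

The same logic runs unchanged over decoded DNS fields from a capture; what changes in production is that the outstanding-query set must expire entries, or every late retry looks unsolicited.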


Ettercap

Ettercap is a free and open source network security tool for “man-in-the-middle”* attacks on Local Area Networks (LANs). Ettercap features include sniffing of live connections and content filtering on the fly. It supports active and passive dissection of many protocols (including encrypted ones) and includes many features for network and host analysis. Ettercap offers three interfaces:

  1. traditional command line
  2. GUI
  3. ncurses

Ettercap may be used for computer network protocol analysis and for security auditing. It can intercept traffic on a network segment, capture passwords and conduct active eavesdropping against a number of common protocols. Ettercap acts as a man in the middle to attack its victims. It works by putting the network interface into promiscuous mode and by ARP poisoning the target machines. Ettercap also allows you to insert yourself into and break an SSL connection and actively or passively find other poisoners on the LAN.


Two other important concepts in any discussion of Traffic Capture are SSL Stripping and Sniffing. They’re briefly discussed below:

A Word About SSL Stripping…

Secure Sockets Layer (SSL) Stripping is a technique that downgrades https: URLs (secure URLs) into http: URLs (non-secure URLs). SSL Stripping may be thought of as a man-in-the-middle attack because all the traffic from the victim’s machine is routed via a proxy created by the attacker. The attack forces the victim’s browser to communicate with the adversary in plaintext over HTTP, while the adversary fetches the real content from the HTTPS server and proxies a modified copy back to the victim.


…And a Word About Sniffing

A sniffer, also known as a packet analyzer, intercepts data flowing across a network. A sniffer can capture everything flowing on the segment it can see, which is how it leads to unauthorized access to sensitive data. A packet sniffer can be either a software tool or a hardware tool. Sniffer tools can be used legitimately to monitor network traffic flow or they can be used for malicious reasons.
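What a sniffer (or Wireshark, described above) does with a raw frame once it has one is decode the layered headers. The following is an added example, not Wireshark's code and not from the article: a small decoder for Ethernet II, IPv4 and TCP headers that also verifies the IPv4 header checksum, since a real analyzer flags bad checksums rather than silently trusting the fields. The frame it decodes is constructed in code by `build_sample_frame` (hypothetical addresses, not captured traffic); `parse_frame` and the other names are chosen here.

```python
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; yields 0 when run over a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP and return the fields an analyzer would display."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out  # not IPv4: stop at layer 2
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    out.update(src_ip=".".join(map(str, s)), dst_ip=".".join(map(str, d)), ttl=ttl,
               proto=proto, checksum_ok=ipv4_checksum(ip[:ihl]) == 0)
    if proto != 6:
        return out  # only TCP is decoded further here
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off >> 4) * 4
    out.update(src_port=sport, dst_port=dport, seq=seq,
               flags=[name for bit, name in TCP_FLAGS if flags & bit],
               payload=tcp[data_off:])
    return out


def build_sample_frame():
    """Constructed sample (not captured traffic): TCP SYN 192.168.1.20:51234 -> 203.0.113.10:443."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 20]), bytes([203, 0, 113, 10]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    eth = bytes.fromhex("aabbcc000001") + bytes.fromhex("aabbcc000014") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


if __name__ == "__main__":
    for key, value in parse_frame(build_sample_frame()).items():
        print(f"{key}: {value}")
```

Every length check in `parse_frame` exists because a sniffer processes bytes it did not produce; a decoder that trusts `total_len` or the data offset without bounds checks is itself a target.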


* Penetration testing (pentesting), also known as “security assessment”, can be defined as a method of testing, measuring, and enhancing established security measures on computer systems, networks, or Web applications to find vulnerabilities. (SOURCES: Techopedia and TechTarget.)

* A “man-in-the-middle” attack is one in which the attacker secretly intercepts and relays – and possibly alters – messages between two parties who believe they are communicating directly with each other. The packets are viewed and/or modified by the perpetrator and sent on to the recipient, who is unaware of the intrusion. (SOURCES: TechTarget and PC Magazine.)



Comments
  1. Great summary of tools… +1 for adding tcpdump and bettercap should get an honorable mention in the ettercap section.

  2. That’s useful. Thanks

  3. Nice overview, thanks! 🙂

  4. For me it’s tcpdump rather than wireshark as it has never just aborted in the middle of a capture. Wireshark, on the other hand seems subject to interface and OS issues.
    I do use Wireshark and like it, even – for its convenience and analysis tools. But it’s not heavy duty. More than anything I use it to open and analyze pcap files.
