Key Terms
Packet Sniffer
A tool that intercepts and logs network packets — used by attackers for eavesdropping and by defenders for traffic analysis and forensics.
Promiscuous Mode
A NIC setting that captures all packets on the segment, not just those addressed to the local machine — essential for passive sniffing.
Protocol Analyser
Software that decodes captured packets into human-readable form, displaying application-layer data including credentials and session tokens.
Man-in-the-Middle (MitM)
An attack where traffic between two parties is silently intercepted and optionally modified — active sniffing enables this on switched networks.

How network sniffing works

Every device on a network sends and receives data as discrete packets containing source addresses, destination addresses, and payload. Normally, a network interface card (NIC) only processes packets addressed to itself. Put that NIC into promiscuous mode and it captures all traffic on the segment regardless of destination — passwords, session cookies, emails, and everything in between.

On a hub-based network, every device sees every packet by default — passive sniffing requires no special configuration. On a modern switched network, the switch forwards packets only to the intended port. This limits passive sniffing, which is why attackers use active techniques to redirect traffic through themselves before capturing it.

Once packets are captured, a protocol analyser decodes them layer by layer from the Ethernet frame through to the application payload. If that application layer is unencrypted HTTP, FTP, or Telnet, the content is readable as plain text. Credentials, session tokens, and email body content are all immediately visible.
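The layer-by-layer decoding just described, as an added example that is not part of the original article: a small Python decoder peels a constructed Ethernet/IPv4/TCP frame down to its payload, the way a protocol analyser does, and reports when that payload carries cleartext credentials (HTTP Basic, FTP USER/PASS, Telnet). All frames, addresses and credential values are constructed sample data, and the report redacts the secret itself.

```python
import base64
import struct

ETH_IPV4, IPPROTO_TCP = 0x0800, 6

def build_frame(src_ip, dst_ip, dport, payload):
    # Constructed sample frame: Ethernet + IPv4 + TCP; checksums left zero (not validated below)
    eth = struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def decode_frame(frame):
    """Peel the frame layer by layer, as a protocol analyser does: Ethernet -> IPv4 -> TCP -> payload."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}

def find_cleartext_auth(pkt):
    """Report credentials readable in an unencrypted payload; the secret is redacted in the report."""
    lines = pkt["payload"].decode("ascii", "replace").split("\r\n")
    if pkt["dport"] == 80:
        for line in lines:
            if line.lower().startswith("authorization: basic "):
                user = base64.b64decode(line.split()[2]).decode("ascii", "replace").split(":", 1)[0]
                return ("HTTP", f"Basic auth header exposes user={user!r} (password redacted)")
    if pkt["dport"] == 21:
        for line in lines:
            if line.upper().startswith("USER "):
                return ("FTP", f"USER command exposes user={line[5:]!r}")
            if line.upper().startswith("PASS "):
                return ("FTP", "PASS command exposes the password (redacted)")
    if pkt["dport"] == 23:
        return ("Telnet", "keystrokes and prompts readable in the clear")
    return None   # TLS/SSH ports carry ciphertext: nothing readable at this layer
```

A frame to port 443 decodes cleanly down to TCP but yields no finding, which is exactly the point of the encryption defences later on the page.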

Passive vs active sniffing

Passive sniffing simply listens. No packets are injected, no network behaviour is modified. On hub-based or wireless monitor-mode networks, a passive sniffer captures everything without sending a single packet — leaving no trace in logs and remaining essentially undetectable.

Active sniffing is required on modern switched networks, where the switch only forwards traffic to the intended port. The attacker must redirect traffic through their own machine. The most common technique is ARP poisoning — sending forged ARP replies to associate the attacker's MAC address with the gateway's IP address. Both communicating parties then send traffic to the attacker, who forwards it on after inspecting or modifying it. This is the foundation of most man-in-the-middle attacks.

Tools of the trade

A small set of well-established tools dominates packet capture and analysis work in both offensive and defensive security:

  • Wireshark: The industry-standard graphical packet analyser. Decodes hundreds of protocols, supports display filters, and can reconstruct TCP streams to view full application-layer conversations in plain text.
  • tcpdump: A CLI packet capture tool found on virtually every Unix-like system. Essential for remote server capture and scripted analysis. Output can be piped to Wireshark for deep inspection.
  • Ettercap: Combines ARP poisoning with real-time sniffing — enables active MitM attacks with built-in credential extraction. Covered specifically in CEH v13 labs.
  • Bettercap: A modern, modular framework with built-in sniffing, ARP poisoning, HTTPS downgrade, and credential harvesting capabilities. Preferred for contemporary red team engagements.

What attackers capture with sniffing

The value of a successful sniffing attack depends entirely on which protocols are running unencrypted. On networks with legacy protocol usage, the haul can be devastating:

  • Credentials in transit: HTTP login forms, FTP passwords, Telnet sessions, and SMTP authentication transmit credentials in plain text. A sniffer captures them instantly.
  • Session tokens: Even when passwords are hashed or protected, session cookies transmitted over HTTP can be stolen and replayed to hijack an authenticated session without needing the original password — a technique called session hijacking.
  • Email content: SMTP, IMAP, and POP3 without TLS transmit message bodies and attachments in the clear — including confidential internal communications.
  • Internal reconnaissance: Passively monitoring internal traffic reveals the network topology, active hosts, services, and communication patterns — invaluable for planning lateral movement after initial access.

Never Sniff Networks You Don't Own

Intercepting network traffic without authorisation violates wiretapping laws in most jurisdictions — including the Computer Misuse Act (UK), CFAA (US), and EU equivalents. Always obtain explicit written permission before capturing traffic on any network you do not personally own and operate.

How to defend against network sniffing

The primary defence is encryption — making captured packets useless even if intercepted:

  • TLS everywhere: Force HTTPS for all web traffic. Replace FTP with SFTP, Telnet with SSH, plain SMTP with SMTP-TLS. Encrypted protocols mean captured packets contain ciphertext, not readable credentials.
  • HSTS (HTTP Strict Transport Security): Prevents browsers from downgrading HTTPS connections to HTTP — blocks SSL-stripping attacks where an active sniffer downgrades encryption.
  • Dynamic ARP Inspection (DAI): A switch-level feature that validates ARP packets against a trusted binding table, directly blocking ARP poisoning attacks used to enable active sniffing.
  • 802.1X port authentication: Requires devices to authenticate before being granted network access — preventing rogue devices from connecting to sniff traffic.
  • Network segmentation: VLANs limit the broadcast domain available to a potential attacker, even if they gain access to one segment.
  • IDS monitoring: Use network-based IDS rules to detect NICs in promiscuous mode and anomalous ARP traffic patterns indicative of active sniffing.
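The ARP poisoning mechanism described under passive vs active sniffing, and the DAI and IDS defences listed above, as an added example rather than the article's own code: a minimal ARP-reply monitor keeps an IP-to-MAC binding table (as DAI does; here seeded from a constructed trusted list rather than DHCP snooping) and raises an alert when a reply claims a trusted IP with a different MAC. Frames and addresses are constructed samples.

```python
import struct

ETH_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(map(int, s.split(".")))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    # Constructed sample: Ethernet header + 28-byte ARP reply (Ethernet/IPv4 hardware and protocol types)
    eth = struct.pack("!6s6sH", target_mac, sender_mac, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_ip, sender_mac) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800:
        return None
    return op, ".".join(map(str, sip)), smac.hex(":")

class ArpMonitor:
    """Tracks IP->MAC bindings like a DAI binding table and alerts on a conflicting ARP reply."""
    def __init__(self, trusted):
        self.bindings = dict(trusted)   # trusted seed, e.g. the gateway's known MAC
        self.alerts = []

    def observe(self, frame):
        """Feed one captured frame; returns an alert string for a conflicting reply, else None."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, ip, mac = parsed
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac      # first sighting of this IP: learn the binding
            return None
        if known != mac:                 # same IP now claimed by a different MAC: poisoning signature
            alert = f"ARP conflict: {ip} claimed by {mac}, trusted binding is {known}"
            self.alerts.append(alert)
            return alert
        return None
```

In production the trusted table would come from DHCP snooping or an asset inventory, and a real IDS would also rate-limit unsolicited replies; the binding-conflict check is the core of what DAI enforces on the switch.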

  • 43% of credential theft attacks involve network-layer interception techniques.
  • $4.9M average cost of a man-in-the-middle breach (IBM Cost of a Data Breach 2024).
  • 80% of legacy enterprise environments still run some unencrypted internal protocols.

Sniffing skills in security careers

Packet analysis is a foundational skill for multiple security career paths. SOC analysts use Wireshark to investigate suspected data exfiltration and malware C2 beacon traffic. Incident responders use packet capture files (pcaps) to reconstruct attack timelines post-breach. Network forensics specialists rebuild entire compromise scenarios from raw packet data.

For penetration testers, sniffing and ARP poisoning are core skills covered in CEH v13 Module 8 (Sniffing) and Module 11 (Session Hijacking). Hands-on lab practice with Wireshark, Ettercap, and Bettercap in controlled environments is the standard way to develop these skills legally and safely — exactly what VAPTIC's browser-based lab environment provides.

Train with VAPTIC
CEH v13 — Certified Ethical Hacker
20 modules · Live classes · Browser labs · EC-Council certified · DoD 8140 approved