LinuxCommandLibrary

impacket-sniff

Sniff network traffic for authentication information

TLDR

View documentation for the original command

$ tldr sniff.py

SYNOPSIS

impacket-sniff [-h] [-f FILTER] [-s SNAPLEN] [-t TIMEOUT] [-p PROMISC] [-m] [-d DISSECTORS] iface

PARAMETERS

-h, --help
    Show help message and exit

-f FILTER, --filter FILTER
    BPF/pcap filter expression (e.g., 'port 445')

-s SNAPLEN, --snaplen SNAPLEN
    Capture length per packet (default: 1500)

-t TIMEOUT, --timeout TIMEOUT
    Sniff timeout in seconds (default: infinite)

-p PROMISC, --promisc PROMISC
    Promiscuous mode (true/false, default: true)

-m, --multithread
    Enable multithreading for faster processing

-d DISSECTORS, --dissectors DISSECTORS
    Comma-separated dissectors (e.g., 'smb,ntlm'; default: all)

DESCRIPTION

impacket-sniff is a packet capture tool from the Impacket suite, a Python library for low-level network protocol manipulation. It uses libpcap to sniff packets on a specified interface, supporting BPF filters for selective capture. Packets are dissected using Impacket's protocol parsers, excelling at Microsoft protocols like SMB, NTLM, Kerberos, DCE/RPC, and LDAP. Ideal for penetration testers and security researchers to detect cleartext credentials, NTLM hashes, or Kerberos tickets in transit.

Key features include adjustable snaplen, promiscuous mode, timeouts, multithreading for high-volume capture, and selective dissectors (e.g., smb, ntlm). Output is printed to stdout with hex dumps and protocol details. Not suited for long-term logging; pair with tcpdump or Wireshark for that. Requires root privileges and Python 3 with Impacket installed.
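As an added illustration (not part of this page or of Impacket itself), the Python below dissects the NTLMSSP AUTHENTICATE message that the smb/ntlm dissectors pull out of an SMB session setup, reporting the account used and whether the response is NTLMv1 or NTLMv2; the sample message it parses is constructed inline rather than taken from a capture. Field offsets follow MS-NLMP section 2.2.1.3.

```python
"""Minimal NTLMSSP AUTHENTICATE dissector (MS-NLMP, section 2.2.1.3)."""
import struct
from typing import Optional

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set
AUTHENTICATE = 3  # NTLMSSP MessageType; NEGOTIATE is 1, CHALLENGE is 2


def _field(msg: bytes, off: int) -> bytes:
    """Resolve a Len/MaxLen/BufferOffset triplet at `off` into the bytes it references."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]


def dissect_ntlm_authenticate(payload: bytes) -> Optional[dict]:
    """Find an NTLMSSP AUTHENTICATE message inside a TCP payload and summarise it."""
    idx = payload.find(NTLMSSP_SIGNATURE)
    if idx < 0:
        return None
    msg = payload[idx:]
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        return None
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"  # OEM approximated as ASCII
    nt_resp = _field(msg, 20)
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        # A 24-byte NtChallengeResponse is NTLMv1 (weak, worth alerting on);
        # NTLMv2 is a 16-byte NTProofStr plus a variable-length blob, so longer.
        "ntlm_version": 1 if len(nt_resp) == 24 else 2,
        "nt_response_len": len(nt_resp),
    }


def build_authenticate(domain: str, user: str, workstation: str, nt_resp: bytes) -> bytes:
    """Constructed AUTHENTICATE message for exercising the dissector; not a real capture."""
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
    payload = b""
    for f in (b"\x00" * 24, nt_resp, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        hdr += struct.pack("<HHI", len(f), len(f), 88 + len(payload))  # 88 = fixed header size
        payload += f
    hdr += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + b"\x00" * 24  # flags, Version, MIC
    return hdr + payload
```

Feed `dissect_ntlm_authenticate` the reassembled TCP payload of a session setup (SMB2 header bytes ahead of the blob are skipped) to log which accounts authenticate with NTLMv1 on a segment.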

CAVEATS

Requires root privileges for packet capture.
Python 3 and libpcap-dev needed.
Not for production monitoring; limited output formatting.
High traffic volumes can overwhelm the tool unless a capture filter is applied.

BASIC USAGE

impacket-sniff eth0
impacket-sniff -f 'port 445 or port 139' -t 60 eth0

DISSECTORS

Available: smb,smb2,ntlm,kerberos,dcerpc,rpc,ldap. Use -d 'smb,ntlm' for targeted output.

HISTORY

Part of the Impacket suite, originally developed by SecureAuth (2010s) and later maintained by Fox-IT/SpecterOps. The sniff.py example evolved into an installable tool in distributions such as Kali Linux for pentesting workflows.

SEE ALSO

tcpdump(8), tshark(1), wireshark(1), scapy(1)
