LinuxCommandLibrary

impacket-sniffer

Sniff network traffic and decode protocols

TLDR

View documentation for the original command

$ tldr sniffer.py

SYNOPSIS

impacket-sniffer [-i interface] [-f filter] [-p protocol] [-c count] [-o output_file] [-q]

PARAMETERS

-i interface
    Specifies the network interface to listen on. If omitted, it usually defaults to the first available interface.

-f filter
    Applies a BPF (Berkeley Packet Filter) expression so that only matching traffic is captured. For instance, 'tcp port 80' captures only traffic to or from TCP port 80 (typically HTTP).

-p protocol
    Filters traffic by application protocol, so that the capture can focus on specific communication such as SMB, DNS, or Kerberos. Check the Impacket documentation for the protocol names it accepts.

-c count
    Specifies the number of packets to capture before exiting. Useful for bounded, limited-duration captures.

-o output_file
    Saves the captured packets to a file for later analysis. The file can usually be opened with tools like Wireshark.

-q
    Quiet mode. Suppresses verbose output during packet capture.

DESCRIPTION

The `impacket-sniffer` command is a Python-based network packet sniffer that leverages the Impacket library to capture and dissect network traffic. It allows you to passively monitor network communications, analyze protocols, and potentially identify security vulnerabilities. Unlike simple packet capture tools like `tcpdump`, `impacket-sniffer` focuses on protocol dissection and provides a higher-level view of the captured data. It decodes various protocols (e.g., SMB, NTLM, Kerberos, DNS) and presents them in a readable format, making it easier to understand the network interactions.

The tool is valuable for security researchers, network administrators, and penetration testers. It's used to troubleshoot network issues, analyze application behavior, and detect malicious activities. It provides detailed insights into network protocols, which helps identify deviations from normal behavior. Be mindful of legal and ethical considerations when using packet sniffing tools.
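To make the protocol dissection described above concrete, here is an added example in plain Python; it is not Impacket's own decoder and not part of this page or the tool. It walks a constructed IPv4/UDP/DNS packet (sample bytes and addresses are constructed, not captured) and returns the kind of readable summary a protocol-aware sniffer prints instead of raw bytes; the DNS name reader deliberately refuses compression pointers so a crafted name cannot send the parser into a loop.

```python
import struct
# Constructed sample, not a real capture: IPv4/UDP carrying a DNS A query; checksums left as 0 for readability.
SAMPLE_PACKET = (
    bytes.fromhex("4500003912344000401100000a0a0a0a0a0a0a01")  # IPv4: ttl 64, proto 17, 10.10.10.10 -> 10.10.10.1
    + bytes.fromhex("d0a4003500250000")                        # UDP: sport 53412, dport 53, length 37
    + bytes.fromhex("abcd01000001000000000000")                # DNS header: id 0xabcd, flags RD, QDCOUNT 1
    + b"\x07example\x03com\x00" + bytes.fromhex("00010001")    # QNAME example.com, QTYPE A, QCLASS IN
)

def decode_ipv4(data):
    # Only the fields needed to hand the payload up the stack; total length bounds the payload slice.
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total_len = (data[0] & 0x0F) * 4, struct.unpack("!H", data[2:4])[0]
    return {"src": ".".join(map(str, data[12:16])), "dst": ".".join(map(str, data[16:20])),
            "proto": data[9], "payload": data[ihl:total_len]}

def decode_udp(data):
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    return {"sport": sport, "dport": dport, "payload": data[8:length]}

def decode_dns_name(data, offset):
    # Label sequence reader; compression pointers are refused so a crafted name cannot loop the parser.
    labels = []
    while True:
        n = data[offset]
        if n == 0:
            return ".".join(labels), offset + 1
        if n & 0xC0:
            raise ValueError("compressed name not supported in question section")
        labels.append(data[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n

def decode_dns_query(data):
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    qname, off = decode_dns_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000), "qdcount": qdcount,
            "qname": qname, "qtype": qtype, "qclass": qclass}

def dissect(packet):
    # Walk IPv4 -> UDP -> DNS and return the readable summary a protocol-aware sniffer prints.
    ip = decode_ipv4(packet)
    summary = {"src": ip["src"], "dst": ip["dst"], "proto": ip["proto"]}
    if ip["proto"] == 17:  # UDP; other transports are reported at the IP layer only
        udp = decode_udp(ip["payload"])
        summary.update(sport=udp["sport"], dport=udp["dport"])
        if 53 in (udp["sport"], udp["dport"]):
            summary["dns"] = decode_dns_query(udp["payload"])
    return summary
```

Calling `dissect(SAMPLE_PACKET)` yields the source and destination addresses, the UDP ports, and a DNS entry with the queried name, type and transaction ID.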

CAVEATS

Root Privileges: Capturing raw network traffic requires root privileges on most systems.
Performance: Can impact network performance if capturing a large volume of traffic, especially on high-bandwidth networks.
Compatibility: Relies on the Impacket library. Requires Python and Impacket to be installed correctly.

EXAMPLES

Capture all traffic on interface eth0:
impacket-sniffer -i eth0

Capture HTTP traffic on interface wlan0 and save it to http_capture.pcap:
impacket-sniffer -i wlan0 -f 'tcp port 80' -o http_capture.pcap

Capture 100 DNS packets:
impacket-sniffer -p DNS -c 100

SEE ALSO

tcpdump(1), wireshark(1), tshark(1)
