LinuxCommandLibrary

impacket-sniffer

Sniff network traffic and decode protocols

TLDR

View documentation for the original command

$ tldr sniffer.py

SYNOPSIS

impacket-sniffer [-h] [-i INTERFACE] [-f FILTER] [-w PCAP] [-r PCAP] [-d] [-v]

PARAMETERS

-h, --help
    Show help message and exit

-i INTERFACE, --interface INTERFACE
    Network interface to sniff on (e.g., eth0). Required for live capture

-f FILTER, --filter FILTER
    BPF filter expression (e.g., 'tcp port 80') to select packets

-w PCAP, --write PCAP
    Write captured packets to PCAP file

-r PCAP, --read PCAP
    Read and display packets from existing PCAP file

-d, --debug
    Enable debug output for troubleshooting

-v, --verbose
    Enable verbose output

DESCRIPTION

Impacket-sniffer is a versatile packet capture tool from the Impacket suite, a collection of Python libraries for network protocol manipulation. It enables live sniffing on network interfaces or reading from existing PCAP files, applying Berkeley Packet Filter (BPF) expressions for precise traffic selection.

Ideal for security researchers, penetration testers, and network analysts, it captures raw packets and outputs them in standard PCAP format compatible with tools like Wireshark. Unlike heavier GUI tools, it's lightweight, scriptable, and runs on Linux/Unix systems.

Key features include real-time sniffing, file I/O for captures/replays, verbose/debug modes for troubleshooting, and integration with other Impacket tools for protocol dissection. It requires root privileges for live capture due to raw socket access. Commonly used in red teaming for traffic analysis, credential harvesting, or detecting network anomalies without complex setups.

CAVEATS

Requires root privileges for live sniffing due to raw socket usage.
Python 3 and Impacket dependencies needed.
BPF filters must be valid or capture fails silently.
Not suitable for high-volume traffic without tuning.
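
Because an invalid filter can fail silently, it helps to confirm after a session that the file given to -w actually contains packets. The check below is an added example, not part of Impacket or of this page; it assumes the classic pcap file format (not pcapng), and the function names summarize_pcap and build_sample_pcap are hypothetical.

```python
import struct

# Magic numbers of the classic libpcap format (microsecond / nanosecond timestamps).
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}


def summarize_pcap(data: bytes) -> dict:
    """Walk a classic pcap byte string and return link type, packet and byte counts."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    # The writer uses its native byte order, so try both.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("bad magic: not a classic pcap file")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    offset = 24
    packets = captured = 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        # Record header: ts_sec, ts_frac, captured length, original length.
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {offset}")
        offset += incl_len
        packets += 1
        captured += incl_len
    return {"version": (major, minor), "linktype": linktype,
            "snaplen": snaplen, "packets": packets, "bytes": captured}


def build_sample_pcap(payloads) -> bytes:
    """Constructed sample input: little-endian pcap 2.4, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate(payloads):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(payload), len(payload)) + payload
    return out


if __name__ == "__main__":
    # Constructed captures: one with two dummy frames, one that recorded nothing.
    for name, blob in (("two-frames", build_sample_pcap([b"\x00" * 60, b"\x00" * 42])),
                       ("empty", build_sample_pcap([]))):
        info = summarize_pcap(blob)
        verdict = "ok" if info["packets"] else "NO PACKETS: re-check the -f filter and interface"
        print(name, info, verdict)
```

To check a real capture, pass the file's bytes, for example summarize_pcap(open("capture.pcap", "rb").read()).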

EXAMPLE USAGE

Live sniff HTTP: sudo impacket-sniffer -i eth0 -f 'tcp port 80' -w capture.pcap
Read PCAP: impacket-sniffer -r capture.pcap -v

INSTALLATION

pip install impacket
Or clone from GitHub: git clone https://github.com/fortra/impacket

HISTORY

Developed as part of Impacket by SecureAuth Corporation around 2010-2015 for penetration testing. Acquired and maintained by Fortra (formerly Core Security) in the Impacket GitHub repo. Evolved with Python 2/3 support and PCAP enhancements; widely used in cybersecurity tools like Cobalt Strike integrations.

SEE ALSO

tcpdump(1), tshark(1), wireshark(1)
