Sniffers for Windows: Wireshark, CommView, Intercepter-NG, and others – what to choose for traffic analysis and pentesting.

WILD

Administrator
Staff member
ADMIN
SELLER
SUPREME
MEMBER
Joined
Jan 21, 2025
Messages
219
Reaction score
631
Deposit
0$
Listen, traffic analysis is the foundation without which pentesting is useless. The data flying over the network is a veritable treasure trove. You can find passwords, keys, sessions, files, you name it. And sniffers are there to intercept it. Many have been invented, and each is good for its own purpose.

I've tried a ton of sniffers in my career. Some are convenient for one-off tasks, others for in-depth analysis, and still others for active attacks. In this article, I'll talk about the most popular sniffers for Windows, analyze their pros and cons, and help you understand which tool is best for what purpose. There will be plenty of specifics, no fluff.

---

Theory: How sniffers intercept traffic

Before we dive into the details, let's review the basics. A network adapter normally accepts only packets addressed to it (frames whose destination MAC address matches its own), plus broadcast frames. It discards everything else at the data link layer.

Promiscuous mode is when the adapter accepts all packets it sees on a network segment. This is what sniffers use to intercept.

The problem is that in modern networks with switches, traffic from one host to another doesn't go to all ports. Therefore, simply enabling promiscuous mode isn't enough. Additional methods are required: ARP spoofing, gateway spoofing, and MAC table attacks. But that's a topic for a separate article.

An important point: sniffers are configurable. They can be set to intercept only certain protocols (HTTP, FTP, POP3, IMAP, Telnet), and they can cap the captured size of each packet (for example, keep only the first 100 bytes, which is where logins and passwords usually reside). Modern sniffers can also work with encrypted traffic (for example, through certificate substitution).
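To make the capture-side mechanics concrete, here is an added example (not code from the original post or from any of the tools it reviews): a minimal decoder for the classic libpcap file format that does what the text describes, namely select packets by protocol and port and keep only the first N payload bytes. It is written as a defensive audit: it reports which hosts send authentication over cleartext protocols, which is exactly the exposure a sniffer on the segment would exploit. The capture it runs on is constructed inside the script; the addresses, ports and payloads are made up, and the frames carry zero checksums because the decoder does not verify them.

```python
import socket
import struct
from collections import namedtuple
from typing import Iterator, List, Optional

# Constructed sample capture: the addresses, ports and payloads below are made up.

def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                payload: bytes, proto: int = 6) -> bytes:
    """Ethernet II + IPv4 + TCP (proto 6) or UDP (proto 17). Checksums are left 0;
    the decoder below does not verify them, so the demo stays short."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    if proto == 6:  # seq 1, ack 0, data offset 5 words, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:           # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4

def build_pcap(frames: List[bytes]) -> bytes:
    """Classic libpcap layout: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.80", 51000, 80,
                b"GET /login HTTP/1.1\r\nHost: app.example\r\nAuthorization: Basic ZGVtbzpkZW1v\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.21", 51001, 21, b"USER demo\r\n"),
    build_frame("10.0.0.5", "10.0.0.53", 51002, 53, b"\x12\x34\x01\x00" + b"\x00" * 8, proto=17),
    build_frame("10.0.0.5", "10.0.0.80", 51003, 443, b"\x16\x03\x01\x00\x05hello"),
])

# Minimal decoder: what a sniffer does once the adapter has handed it a frame.

Packet = namedtuple("Packet", "ts src dst proto sport dport payload")

def decode_frame(frame: bytes, ts: float) -> Optional[Packet]:
    """Decode Ethernet II -> IPv4 -> TCP/UDP; anything else is skipped."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]  # bounded by IP total length, not frame padding
    if frame[23] == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return Packet(ts, src, dst, "tcp", sport, dport, l4[(l4[12] >> 4) * 4:])
    if frame[23] == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return Packet(ts, src, dst, "udp", sport, dport, l4[8:])
    return None

def parse_pcap(data: bytes) -> Iterator[Packet]:
    """Walk a classic pcap file, honouring its byte order; yields decoded packets."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = decode_frame(data[off:off + incl_len], ts_sec + ts_usec / 1e6)
        off += incl_len
        if pkt is not None:
            yield pkt

def select(packets, proto: Optional[str] = None, port: Optional[int] = None,
           snaplen: Optional[int] = None) -> List[Packet]:
    """Display-filter-style selection (think `tcp.port == 443`) plus a payload cap."""
    out = []
    for p in packets:
        if proto and p.proto != proto:
            continue
        if port and port not in (p.sport, p.dport):
            continue
        out.append(p if snaplen is None else p._replace(payload=p.payload[:snaplen]))
    return out

CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
AUTH_MARKERS = (b"Authorization:", b"USER ", b"PASS ", b"LOGIN ")

def cleartext_auth_findings(data: bytes, snaplen: int = 100) -> List[tuple]:
    """Defensive audit: which (src, dst, protocol) triples send authentication in
    cleartext? Only the first `snaplen` payload bytes are examined, as the article says."""
    hits = []
    for p in select(parse_pcap(data), proto="tcp", snaplen=snaplen):
        name = CLEARTEXT_AUTH_PORTS.get(p.dport)
        if name and any(marker in p.payload for marker in AUTH_MARKERS):
            hits.append((p.src, p.dst, name))
    return hits
```

Run `cleartext_auth_findings(SAMPLE_PCAP)` and the HTTP Basic and FTP USER packets are reported while the TLS and DNS packets are not; a real capture from Wireshark or WinDump can be fed in the same way, since only the classic pcap container is parsed. The 100-byte cap matters for the reason the text gives: the credential-bearing bytes sit at the front of the first segment, so a short snaplen finds them while keeping the capture small.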

---

Wireshark: The King of Traffic Analysis, Not Attacks

Manufacturer: Wireshark Foundation
Website: https://www.wireshark.org
License: Free

Even those who've never analyzed traffic have heard of Wireshark. And for good reason.

Pros:

· Free and open. No subscriptions, no "buy the PRO version."
· Supports a ton of protocols. Hundreds of them. Wireshark can dissect just about any reasonable protocol you throw at it.
· Powerful filters. You can filter packets by IP, port, protocol, and content. I usually catch everything first, and then filter by http.request or tcp.port == 443.
· Easy navigation. You can click on a packet to view its structure, headers, and data. There's a "Follow TCP stream" mode that shows the entire conversation between the client and server.
· Russian interface available. For some, this is a plus.
· You can write scripts in Lua if you need to automate the analysis of a specific protocol.

Cons:

· Difficult for beginners. The abundance of information can be confusing. But once you figure it out, you'll become a guru.
· Can't actively attack. Wireshark is a passive analyzer. It doesn't modify packets or perform ARP spoofing. It only listens.
· Reconstructed streams aren't merged into a single buffer. This complicates their subsequent processing.
· Tunnels are a problem. When analyzing multi-layer tunnels, each subsequent parsing module overwrites the results of the previous one. This is truly annoying.
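The "Follow TCP stream" pro and the "streams aren't merged into a single buffer" con above are two sides of the same job: turning captured segments back into the byte stream the application saw. The following added example (not code from the original post and not Wireshark's own implementation) is a small reassembler that produces exactly that single buffer per direction. It handles out-of-order arrival, retransmissions and overlaps (first copy seen wins), sequence-number wrap, and reports missing ranges as gaps rather than silently joining across them. The conversation it reassembles is constructed in the script; the ISNs, sequence numbers and payloads are hypothetical.

```python
from typing import Dict, List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def reassemble(segments: List[Tuple[int, bytes]], isn: int) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Merge one direction of a TCP conversation into a single contiguous buffer.

    `segments` are (absolute seq, payload) pairs in arrival order; `isn` is that
    side's initial sequence number from its SYN, so data starts at isn + 1.
    Returns (buffer, gaps); each gap is a half-open [start, end) byte range that
    was never captured, left zero-filled in the buffer so offsets stay meaningful.
    """
    buf = bytearray()
    seen = bytearray()  # one flag per byte position: 1 = data already placed
    for seq, payload in segments:
        start = (seq - (isn + 1)) % SEQ_MOD  # stream-relative offset, wrap-safe
        end = start + len(payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            seen.extend(bytes(end - len(seen)))
        for i, byte in enumerate(payload):
            if not seen[start + i]:   # first copy wins: retransmits/overlaps are ignored
                buf[start + i] = byte
                seen[start + i] = 1
    gaps, i = [], 0
    while i < len(seen):
        if seen[i]:
            i += 1
            continue
        j = i
        while j < len(seen) and not seen[j]:
            j += 1
        gaps.append((i, j))
        i = j
    return bytes(buf), gaps

def follow_tcp_stream(packets: List[Tuple[str, int, bytes]],
                      isns: Dict[str, int]) -> Dict[str, Tuple[bytes, List[Tuple[int, int]]]]:
    """Split a conversation by direction ("c2s" / "s2c") and reassemble each side."""
    by_dir: Dict[str, List[Tuple[int, bytes]]] = {d: [] for d in isns}
    for direction, seq, payload in packets:
        by_dir[direction].append((seq, payload))
    return {d: reassemble(segs, isns[d]) for d, segs in by_dir.items()}

# Constructed conversation (hypothetical values). The client ISN sits just below 2**32
# so the request crosses the wrap boundary; one server segment is deliberately missing.
CLIENT_ISN, SERVER_ISN = 0xFFFFFFF0, 1000
REQ_A = b"GET /index.html HTTP/1.1\r\n"   # 26 bytes, seq 0xFFFFFFF1
REQ_B = b"Host: example.test\r\n\r\n"      # 22 bytes, seq (0xFFFFFFF1 + 26) % 2**32 == 11
SAMPLE_PACKETS = [
    ("c2s", 11, REQ_B),                     # arrives first (out of order)
    ("c2s", 0xFFFFFFF1, REQ_A),
    ("c2s", 0xFFFFFFF1, REQ_A),             # retransmission; must not duplicate data
    ("s2c", 1001, b"HTTP/1.1 200 OK\r\n"),  # 17 bytes
    # 10 bytes at seq 1018 were never captured
    ("s2c", 1028, b"\r\nhello\n"),
]

def sample_stream() -> Dict[str, Tuple[bytes, List[Tuple[int, int]]]]:
    return follow_tcp_stream(SAMPLE_PACKETS, {"c2s": CLIENT_ISN, "s2c": SERVER_ISN})
```

`sample_stream()["c2s"]` comes back as the complete request with no gaps despite the reordering, the retransmission and the wrap, while `["s2c"]` returns the response with a reported gap of (17, 27): that gap is the signal an analyst wants before trusting a reconstructed stream, since a lost segment otherwise looks like corrupted application data.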

What to use it for:

· Deep analysis of network protocols. When you need to understand how a particular service works.
· Troubleshooting network problems. Where packets are being lost, who's sending too many.
· Parsing malicious traffic. If you have a dump and want to understand what the malware transmitted to C2.

Why NOT use:

· For active attacks. Wireshark can't spoof packets.
· For quickly extracting passwords. It's possible, of course, but inconvenient. It's better to use a specialized tool.

---

CommView: Old, paid, but convenient

Manufacturer: TamoSoft
Website: https://www.tamos.ru/products/commview/
License: Paid (5-minute trial available)

CommView is a veteran. Hacker wrote about it back in 2001. The project is still active; the latest version was released in 2020.

Pros:

· Russian-language interface. This is important for many.
· Flexible filtering. You can filter by protocol, size, and headers.
· Supports many protocols. Both application and low-level (TCP, UDP, ICMP).
· Can reconstruct TCP sessions and UDP streams.
· Can export data in 12 formats, including .txt, .csv, and even Wireshark format.
· Works with VPNs and modems. A special driver is installed for this.
· Has a packet generator. You can send a custom packet with the required headers to the network.

Cons:

· Paid, and the prices are steep. Hard to justify for a one-off job.
· The trial lasts only 5 minutes. That's enough to explore the interface and nothing more.

What to use it for:

· If you need a Russian-language interface and flexible filtering.
· For professional network diagnostics. If you're a system administrator and willing to pay.

---

Intercepter-NG: A Russian sniffer for active attacks

Manufacturer: Unknown (our compatriots)
Website: http://sniff.su
License: Free

Intercepter-NG is no longer just a sniffer, but a complete network attack tool. "Hacker" wrote about it in 2012, and the project didn't die, but rather continued to evolve. The latest version was released in 2020.

Pros:

· Free and open-source.
· Works from the console. Can be used in scripts.
· Very flexible filters.
· Lightweight.

Cons:

· Console only. A downside for some.
· You'll still need to use Wireshark (or tcpdump -r) to analyze dumps.

What to use it for:

· For automation. I recorded the dump in cron, then sent it for analysis.
· For remote traffic capture.

---

Burp Suite: The king of web pentesting, but not a universal sniffer

Manufacturer: Portswigger
Website: https://portswigger.net/burp
License: Free (Community Edition)

Burp Suite is a "Swiss Army knife" for pentesters, but only for the web.

Pros:

· Intercepts and modifies HTTP/HTTPS traffic on the fly.
· Powerful tools for web application analysis. Intruder, Repeater, Scanner.
· Plugin support.
· Included in Kali Linux.

Cons:

· HTTP/HTTPS only. Cannot work with other protocols (FTP, DNS, etc.).
· HTTPS requires a Burp certificate installed on the system.

What it's used for:

· For testing web applications. This is its primary purpose.
· For intercepting and modifying HTTP traffic between the browser and the server.

---

Summary Table

| Tool            | License | Primary Purpose                          | Active Attacks                 | Password Search |
|-----------------|---------|------------------------------------------|--------------------------------|-----------------|
| Wireshark       | Free    | Deep protocol analysis                   | No                             | Manual          |
| CommView        | Paid    | Network diagnostics, flexible filtering  | No                             | Manual          |
| Intercepter-NG  | Free    | Active attacks, password interception    | Yes (ARP, DNS, etc.)           | Automatic       |
| SmartSniff      | Free    | Quick traffic viewing                    | No                             | Manual          |
| Tcpdump/WinDump | Free    | Console capture, automation              | No                             | Manual          |
| Burp Suite      | Free    | Web application testing                  | No (request modification only) | Manual          |

---

Summary and Recommendations

If you need a universal analyzer for deep protocol analysis, go with Wireshark. It's standard, free, and powerful. But it's not suitable for active attacks.
If you're planning active attacks on your local network (ARP spoofing, password interception), consider Intercepter-NG. It's free and does everything, but antivirus software blocks it. That's the price you pay for the functionality.

If you're testing web applications, Burp Suite is unbeatable. Interception, modification, replay of requests, brute force—it's all there.

If you need automation and a console, use Tcpdump/WinDump. Record a dump and submit it for analysis.

If you need a quick look at who's messing with what, use SmartSniff. It couldn't be simpler.

If you have the money and need a Russian interface, consider CommView. But, in my opinion, Wireshark and Intercepter-NG cover 99% of tasks.

The choice of sniffer depends on the task. There's no one tool for everything.