Friday, 22 April 2011

Sniffers - Tool and Softwares: Network Sniffers

SMAC is a Windows MAC Address Modifying Utility that allows users to change MAC address for most Network Interface Cards (NIC) on the Windows 2000, XP, and 2003 Server systems. This is irrespective of whether the manufactures of the cards permit the change. It must be noted that SMAC does not burn a new address on the hardware and the new MAC addresses the user change will sustain from reboots..
SMAC has 2 modes of operation: [WBEM ON] and [WBEM OFF]. If the "Windows Management Instrumentation (WMI)" service is running, it will be running on [WBEM ON] mode. Otherwise, it is on [WBEM OFF] mode. The [WBEM ON] mode shows more information. The tool also allows the user to log and track SMAC activities.
SMAC takes advantage of the NdisReadNetworkAddress function in the Microsoft Device Driver Development Kit (DDK.) NdisReadNetworkAddress(...) is called by the network adapter driver to obtain a user specified MAC address in the registry. After the driver confirms that there is a valid MAC address specified in the registry key, the driver then programs the MAC address to its hardware registers to override the burnt-in MAC address.
SMAC was designed originally as a security vulnerability testing tool for MAC address authorization and authentication systems, Intrusion Detection Systems and MAC address based software licenses testing tool. When changing MAC address, the user must ensure that they assign MAC addresses according to IANA Number Assignments database.
Mac Changer


  • MAC changer is a Linux utility for setting a specific MAC address for a network interface.

  • It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor.

  • The user can also set a MAC of the same kind (e.g.: wireless card).

  • It offers a choice of vendor MAC list (more than 6200 items) to choose from
MAC changer is a Linux utility for setting a specific MAC address for a network interface. It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor. The user can also set a MAC of the same kind (e.g.: wireless card). It offers a choice of vendor MAC list (more than 6200 items) to choose from. The latest version is 1.3 and it offers more than 35 wireless cards as well.
Usage Examples:
# macchanger eth1
Current MAC: 00:40:96:43:ef:9c [wireless] (Cisco/Aironet 4800/340)
Faked MAC: 00:40:96:43:ef:9d [wireless] (Cisco/Aironet 4800/340)
# macchanger -A eth1
Current MAC: 00:40:96:43:39:a6 [wireless] (Cisco/Aironet 4800/340)
Faked MAC: 00:10:5a:1e:06:93 (3Com, Fast Etherlink XL in a Gateway 2000)


Iris is an advanced data and network traffic analyzer, a "sniffer", that collects, stores, organizes and reports all data traffic on the network. Iris has advanced integrated technology that allows it to reconstruct network traffic, all with a push of a button.
Iris can reconstruct raw data in packets and turn it into complete HTTP, SMTP and POP3 sessions in their original format. The user can view both outgoing and incoming email messages, web browsing sessions, instant messenger exchanges, non-encrypted web-based email and FTP transfers. Using this, the user can set up automated screens to monitor the Web-browsing patterns of the network. With Iris, the user is able to read the actual text of an email - as well as any attachments - exactly as it was sent. Iris will reconstruct the actual html pages that network users have visited and even simulate cookies for entry into password-protected websites.
Iris provides a larger variety of statistical measurements such as pie charts and bar graphs, and provides information on protocol distribution, top hosts, packet-size distribution and bandwidth usage. Iris' Packet Editor gives the ability to create custom or spoof packets and to send them across the Internet, to specific ports or addresses, or repeatedly across the network. Iris has a fast packet injector that handles up to 9000 packets per second.
Iris can be easily configured to only capture specific data through any combination of packet filters. Packet filters can be based on the hardware or protocol layer, any number of key words, MAC or IP address, source and destination port, custom data and size of the packets

NetIntercept from Sandstorm enterprises belongs to the category of Network Forensics Analysis Tools (NFAT) that is gaining popularity these days. Using a network forensics tool a user can spy on people's email, learn passwords, determine Web pages viewed, and even spy on the contents of a person's shopping cart. The tremendous power these forensic tools have over today's networks makes them subject to abuse. The difference is in range or depth of network monitoring. These tools can be used for full content network monitoring - not just filters.
NetIntercept 1.2 captures LAN traffic using a standard Ethernet interface card placed in promiscuous mode and a modified UNIX kernel. The capture subsystem runs continuously, whether or not the GUI is active. NetIntercept performs stream reconstruction on demand. When the user selects a range of captured network traffic to analyze, NetIntercept assembles those packets into network connection data streams. The reconstructed streams are then presented to the NetIntercept analysis subsystem for identification and analysis. Once TCP streams are reconstructed and parsed, some of the objects that they contain need to be stored for long periods of time. Examples of such objects are web pages, files transferred by FTP, and e-mail attachments.
Besides controlling data capture and analysis, the GUI offers sophisticated search criteria. A user can find one or many network connections according to the time of day, source or destination hardware or Internet address, source or destination TCP or UDP port name or number, username associated with the connection, electronic mail sender, recipient(s) or subject header, file name or World Wide Web URI associated with the transfer, specific protocols or content types recognized in the connection's contents. Once a connection has been identified, the user can drill down to view the search criteria extracted from it

No comments:

Post a Comment