"See the Unseen, Hear the Digital Whisper" | 516 Hackers Collective
A comprehensive guide to network packet sniffing - from basic concepts to advanced traffic analysis techniques. Built for security researchers, network administrators, and ethical hackers.
sudo bettercap -iface eth0net.probe on
net.recon on
set arp.spoof.targets 192.168.1.100
arp.spoof on
net.sniff on
events.stream
#!/usr/bin/env python3
from scapy.all import *
def packet_handler(packet):
if packet.haslayer(IP):
print(f"[+] {packet[IP].src} -> {packet[IP].dst} | Protocol: {packet[IP].proto}")
# Start sniffing
sniff(prn=packet_handler, count=50, filter="tcp")# Capture HTTP traffic only
wireshark -i eth0 -f "tcp port 80" -w http_capture.pcap
# Analyze existing capture
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri- What is Packet Sniffing?
- Legal & Ethical Framework
- Tools of the Trade
- Practical Guides
- Scripts & Automation
- Detection & Prevention
- Learning Resources
- 516 Hackers Methodology
- Contributing
- Disclaimer
Packet sniffing is the practice of capturing and analyzing data packets as they travel across a network. Think of it as "eavesdropping on digital conversations" to understand, diagnose, and secure network communications.
- Promiscuous Mode: Network card captures ALL packets, not just those addressed to it
- MITM Positioning: Placing yourself between communication points
- Protocol Analysis: Decoding various network protocols
- Traffic Inspection: Examining packet contents and patterns
| Traffic Type | Visibility | Example Data | Security Impact |
|---|---|---|---|
| HTTP | π Full Content | Passwords, cookies, images | High - Plaintext data |
| HTTPS | π Encrypted | Only metadata visible | Low - Encrypted content |
| DNS | π Queries | Websites being visited | Medium - Privacy exposure |
| FTP | π Full Content | Files, credentials | High - Plaintext credentials |
| SMTP | π Full Content | Emails, attachments | High - Sensitive data |
| TCP | π Headers | Connection patterns | Medium - Network mapping |
- Network Troubleshooting: Identify connectivity issues
- Security Monitoring: Detect intrusions and attacks
- Performance Analysis: Optimize network performance
- Forensic Investigation: Analyze security incidents
- Protocol Development: Test and debug network protocols
- β Security research on YOUR OWN networks
- β Penetration testing with EXPLICIT WRITTEN permission
- β Network troubleshooting and education
- β Academic research and learning
- β Incident response and forensics
- β Unauthorized network monitoring
- β Credential theft or data interception
- β Corporate espionage or surveillance
- β Privacy violation of any kind
- β Any illegal activities
"With great power comes great responsibility. Knowledge is a tool - use it to protect, not to harm. Always obtain proper authorization, respect privacy, and use your skills for defensive purposes."
- United States: Computer Fraud and Abuse Act (CFAA)
- European Union: General Data Protection Regulation (GDPR)
- United Kingdom: Computer Misuse Act 1990
- Canada: Criminal Code Section 342.1
- Australia: Cybercrime Act 2001
# Installation
sudo apt install bettercap
# Features:
- Real-time network monitoring
- ARP, DNS, DHCP spoofing
- HTTP/HTTPS manipulation
- Modular architecture with caplets# Installation
sudo apt install wireshark
# Features:
- Deep packet inspection
- Graphical protocol analysis
- Powerful filtering capabilities
- Multi-platform support# Installation
sudo apt install tcpdump
# Features:
- Command-line packet capture
- Lightweight and fast
- BPF filter support
- Script-friendly output# Installation
pip3 install scapy
# Features:
- Packet manipulation and crafting
- Protocol implementation
- Network scanning and discovery
- Custom tool developmentReconnaissance:
- bettercap: Network discovery and attacks
- nmap: Port scanning and service detection
- netdiscover: Host discovery
Capture:
- wireshark: Deep analysis and GUI
- tcpdump: Command-line capture
- tshark: Wireshark in terminal
Analysis:
- scapy: Python packet manipulation
- custom scripts: Automated analysis
- NetworkMiner: Forensic analysis
Defense:
- arpwatch: ARP spoofing detection
- snort/suricata: Intrusion detection
- security onion: Complete monitoring platform| Tool | Best For | Learning Curve | Stealth Level |
|---|---|---|---|
| Bettercap | Real-time attacks and MITM | Intermediate | Medium |
| Wireshark | Deep analysis and debugging | Beginner | High |
| TCPDump | Scripting and automation | Beginner | High |
| Scapy | Custom tools and protocols | Advanced | Customizable |
Learn fundamental packet capture techniques:
- Network interface configuration
- TCPDump basics and filters
- Scapy scripting fundamentals
- Bettercap reconnaissance
Advanced network attacks and monitoring:
- ARP spoofing and MITM attacks
- HTTP/HTTPS manipulation
- Caplet development and automation
- Stealth operations and cleanup
Professional packet analysis:
- Advanced display filters
- Protocol dissection
- Statistical analysis
- Forensic investigation techniques
# Quick network recon
sudo bettercap -iface eth0 -eval "net.probe on; net.recon on; sleep 30; net.show"
# MITM with sniffing
sudo bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.100; arp.spoof on; net.sniff on"
# HTTP traffic analysis
sudo bettercap -iface eth0 -eval "set net.sniff.filter 'tcp port 80'; net.sniff on"# Capture HTTP traffic
sudo tcpdump -i eth0 -A 'tcp port 80'
# Capture to file with rotation
sudo tcpdump -i eth0 -w capture -C 100 -W 10
# Capture specific host
sudo tcpdump -i eth0 'host 192.168.1.100'# Common display filters
http.request.method == "GET"
dns.qry.name contains "google"
tcp.port == 443
ip.src == 192.168.1.100#!/usr/bin/env python3
from scapy.all import *
def packet_handler(packet):
if packet.haslayer(IP):
print(f"IP: {packet[IP].src} -> {packet[IP].dst}")
sniff(prn=packet_handler, filter="tcp")Features:
- Real-time packet capture and analysis
- Protocol filtering and classification
- Credential detection in plaintext traffic
- Color-coded terminal output
#!/usr/bin/env python3
import pyshark
def analyze_http(capture):
for packet in capture:
if 'HTTP' in packet:
print(f"HTTP: {packet.http.request_method} {packet.http.host}")Features:
- HTTP request/response analysis
- Cookie and session extraction
- Credential pattern matching
- File upload detection
#!/usr/bin/env python3
from scapy.all import *
def detect_arp_spoof(packet):
if packet.haslayer(ARP) and packet[ARP].op == 2:
real_mac = getmacbyip(packet[ARP].psrc)
if real_mac != packet[ARP].hwsrc:
print(f"[!] ARP Spoof: {packet[ARP].psrc} is now {packet[ARP].hwsrc}")
sniff(prn=detect_arp_spoof, filter="arp", store=0)Features:
- Real-time ARP spoofing detection
- MAC address change monitoring
- Alert system with thresholds
- Logging and reporting
# Basic packet sniffer
python3 scripts/basic-sniffer.py -i eth0 -c 100
# HTTP analysis from PCAP
python3 scripts/http-traffic-analyzer.py -p capture.pcap -o report.json
# ARP spoofing detection
python3 scripts/arp-spoof-detector.py -i eth0 --threshold 3All scripts are modular and can be extended:
- Add new protocol parsers
- Implement custom detection rules
- Integrate with other security tools
- Create automated response actions
#!/usr/bin/env python3
from scapy.all import *
import time
from collections import defaultdict
arp_table = {}
alert_threshold = 3
def monitor_arp(packet):
if packet.haslayer(ARP):
ip = packet[ARP].psrc
mac = packet[ARP].hwsrc
if ip in arp_table and arp_table[ip] != mac:
print(f"[ALERT] ARP Spoof detected: {ip} changed from {arp_table[ip]} to {mac}")
arp_table[ip] = mac
sniff(prn=monitor_arp, filter="arp", store=0)- Unusual traffic patterns
- Unexpected protocol usage
- Suspicious port activity
- Data exfiltration attempts
# Always use encrypted protocols
HTTPS instead of HTTP
SSH instead of Telnet
SFTP instead of FTP
VPN for sensitive communications# Separate sensitive networks
VLANs for different departments
DMZ for public services
Air-gapped critical systems# Implement continuous monitoring
arpwatch -i eth0
suricata -c /etc/suricata/suricata.yaml -i eth0
security onion for comprehensive monitoring# Configure switch protections
port security max-mac-count 1
dhcp snooping
dynamic arp inspection
storm control- Perimeter Defense: Firewalls, IDS/IPS
- Network Segmentation: VLANs, access controls
- Host Protection: EDR, host-based firewalls
- Encryption: Data in transit and at rest
- Monitoring: Continuous traffic analysis
- Incident Response: Prepared detection and response
Comprehensive directory of packet analysis tools:
- Capture and analysis tools
- Wireless security utilities
- Forensic investigation software
- Monitoring and defense platforms
Structured educational roadmap:
- Beginner to expert progression
- Book recommendations and courses
- Practice labs and CTF challenges
- Certification guidance
# Recommended lab configuration
VirtualBox/VMware with:
- Kali Linux (attacker)
- Windows 10 (target)
- Metasploitable (vulnerable)
- Security Onion (monitoring)| Timeline | Focus Areas | Key Milestones |
|---|---|---|
| 0-3 Months | Basic tools, protocols, capture techniques | First successful MITM, basic analysis |
| 3-6 Months | Advanced filters, scripting, detection | Custom scripts, traffic pattern recognition |
| 6-12 Months | Forensics, malware analysis, automation | Incident response, tool development |
| 1+ Years | Research, tool creation, teaching | CVEs, open source contributions, mentoring |
# Network discovery and mapping
netdiscover -i eth0 -r 192.168.1.0/24
nmap -sS 192.168.1.0/24
bettercap -iface eth0 -eval "net.probe on; net.recon on"# Strategic packet acquisition
tcpdump -i eth0 -w reconnaissance.pcap
bettercap -iface eth0 -eval "set net.sniff.output targeted.pcap; net.sniff on"# Deep packet inspection
wireshark targeted.pcap
tshark -r targeted.pcap -Y "http" -T fields -e http.request.uri
python3 scripts/traffic-analyzer.py -f targeted.pcap# Documentation and findings
capinfos targeted.pcap
tshark -r targeted.pcap -z io,phs
python3 scripts/generate-report.py -f targeted.pcap -o report.html"Understand the protocol before you capture it. Read the RFCs, study the specifications, know what normal looks like before hunting for anomalies."
"Be invisible when necessary, but always for legitimate reasons. Leave no trace unless documenting authorized testing."
"Clean up after your testing. Restore network configurations, clear ARP caches, and remove any temporary changes."
"Document your findings, contribute to the community, and help others learn. Knowledge grows when shared."
- Authorization: Do I have explicit permission?
- Purpose: Is this for legitimate security testing?
- Scope: Am I staying within authorized boundaries?
- Impact: Could this disrupt normal operations?
- Documentation: Am I properly documenting my activities?
- Cleanup: Will I restore everything to its original state?
We welcome contributions from ethical security researchers, network professionals, and students!
- Fork the repository
- Create a feature branch
- Add your improvements
- Submit a pull request
- New detection scripts and techniques
- Advanced analysis methodologies
- Protocol-specific guides
- Tool integration examples
- Tutorials and walkthroughs
- Lab setup guides
- Certification study materials
- Translation to other languages
- Code reviews and testing
- Issue triage and bug reports
- Documentation improvements
- Community engagement
# Python scripts should follow PEP8
python3 -m pycodestyle script.py
# Include proper documentation
"""Script description, usage, and examples"""
# Add ethical usage warnings
# EDUCATIONAL USE ONLY - GET PROPER AUTHORIZATION- Use clear, concise language
- Include practical examples
- Add ethical considerations
- Provide references and further reading
- Test scripts in isolated environments
- Verify no harmful code is included
- Ensure compatibility with latest tools
- Document any dependencies
Contributors will be:
- Added to our contributors list
- Featured in release notes
- Acknowledged in relevant documentation
- Given credit for their specific contributions
THIS REPOSITORY IS FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.
-
Educational Purpose: This material is intended for learning about network security and packet analysis.
-
Authorization Required: Always obtain explicit written permission before testing on any network.
-
Legal Compliance: Users are solely responsible for complying with applicable laws and regulations.
-
No Warranty: This software is provided "as is" without warranty of any kind.
-
Liability: The 516 Hackers Collective and contributors are not liable for any damages or legal issues.
- United States: Subject to Computer Fraud and Abuse Act
- European Union: Must comply with GDPR regulations
- International: Respect local cybercrime and privacy laws
For professional security testing:
- Obtain signed authorization documents
- Define clear scope and rules of engagement
- Maintain professional insurance
- Follow industry standards (OSSTMM, PTES)
For educational institutions:
- Use in controlled lab environments
- Supervise student activities
- Document learning objectives
- Ensure ethical guidelines are followed
- Instagram: [https://www.instagram.com/516_hackers/]
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Wiki: Project Wiki
- Discord Server: Join our community
- Study Groups: Weekly learning sessions
- CTF Team: Competitive security challenges
- Mentorship Program: Learn from experienced professionals
Special thanks to:
- The open source security community
- Tool developers and maintainers
- Educators and trainers
- Ethical hackers worldwide
Current Version: 1.0.0
Last Updated: 2024-01-15
Maintainer: 516 Hackers Collective
License: MIT License
- Initial release
- Complete guide structure
- Basic scripts and documentation
- Ethical framework established
- Advanced detection scripts
- More protocol analyzers
- Interactive learning modules
- Video tutorial integration
- Web-based analysis tools
- Machine learning integration
- Real-time monitoring dashboard
- Mobile application companion
"In the silence of packets, truth travels. In the hands of the ethical, knowledge protects." - 516 Hackers
516 Hackers Collective - Learn Responsibly, Protect Ethically