Wireshark
Wireshark is the gold-standard GUI sniffer for dissecting packets, with 3000+ protocol dissectors and real-time filtering for protocol anomalies or malware C2. Capture via the tshark CLI for scripts, and export PCAPs for offline analysis, with Lua plugins for custom decodes. Open-source from the Wireshark Foundation, it's the packet pathologist for network pentesters tracing threats through wires.

tcpdump
tcpdump is the lightweight CLI capturer that grabs packets with BPF filters for targeted traffic like HTTP on port 80, dumping to PCAP for Wireshark to consume. Compile it from libpcap source, run it on interfaces with -w to write files, and script rotations for long sessions. Open-source from TCPDUMP, it's the raw recorder for sysadmins sniffing basics without GUI overhead.

tshark
tshark is Wireshark's CLI sibling for scripted packet extraction, filtering with display filters on fields like ip.src or http.request.uri in batch analyses. Pipe PCAPs through it for JSON output, automating dissections in forensics chains. Open-source from Wireshark, it's the terminal tracer for analysts parsing captures programmatically.

Scapy
Scapy is the Python packet crafter with sniffing modules for capturing and dissecting layers like TCP/IP or DNS, with custom filters for targeted hunts. Import sniff() in scripts for live captures, then replay or forge packets for testing. Open-source from secdev, it's the packet playwright for pentesters scripting dissections and injections.

Ettercap
Ettercap is the MITM sniffer with ARP spoofing for capturing traffic between hosts, dissecting protocols like HTTP for credential grabs in LAN attacks. Run its C++ binary with -T for the text UI, scripting plugins for custom filters. Open-source from ettercap, it's the spoof sniffer for network pentesters hijacking sessions.

Suricata
Suricata's sniff mode captures and analyzes packets with rule-based dissection for threats, logging EVE JSON for SIEM feeds in high-throughput networks. Configure its YAML and rules, and run it in IDS mode for alerts on anomalies. Open-source from OISF, it's the threat tracker for defenders dissecting traffic with signatures.

tcpflow
tcpflow reassembles TCP streams from PCAPs into files, sniffing for HTTP bodies or file transfers without full protocol parsing for quick extractions. Compile its C code and run it on interfaces or dumps for parallel reconstructions. Open-source from tcpreplay, it's the stream stitcher for analysts reconstructing sessions from fragments.

ngrep
ngrep is the regex-based packet matcher that sniffs for patterns like 'password' in payloads, filtering traffic with PCAP-like syntax for targeted hunts. Run its C binary on interfaces with -q for quiet mode, piping to files for logs. Open-source from rurban, it's the pattern prowler for pentesters grepping network noise.

PcapPlusPlus
PcapPlusPlus is the C++ library for sniffing and crafting packets, with dissectors from Ethernet to HTTP, enabling custom analyzers for protocol-specific forensics. Link its headers into projects and capture with PcapLiveDevice for real-time processing. Open-source from seladb, it's the packet plumber for devs building tailored sniffers.

Pypcap