2.4 Filters
A good sniffer is more than just a packet collection device or program. At its
fundamental layer, a sniffer simply gathers data and stores it in a file, which can grow to
be several gigs in size in only a few minutes, or hours on a slower network. While this
data is exactly what a troubleshooter wants, it can quickly become overwhelming and can
in effect swamp the user with too much irrelevant information. In other words, finding
that one desired piece of information can be much like finding a needle in a haystack.
As a result, many sniffers have incorporated the use of filters to control and regulate
the amount and type of data that is collected and/or analyzed. If a sniffer uses a filter,
data analysis can be easily narrowed down to just the information that is considered
relevant to the job. In addition, if the filter is a pre-capture filter, it can significantly
reduce the amount of irrelevant data that is captured, thus saving valuable time and
resources that can become heavily taxed when collecting data for a long period of time.
There are many variations of filters available, each expressed in a filtering
language. These languages can be proprietary, or based on a standard such as the
OFDM (Open Filter Definition Language). Regardless of the technical details of the
filtering language, most filters are very similar in appearance and are easy to understand.
The following shows two equivalent filters: one written for Ethereal, which is the most
common free sniffer available, and the other written in the OFDM language.
Ethereal
udp.srcport == 67 or udp.srcport == 68 or udp.dstport == 67 or udp.dstport == 68
OFDM
(udpport(src) == 67 || udpport(dest) == 67 || udpport(src) == 68 || udpport(dest) == 68)
As this illustrates, a filter is essentially a series of conditional statements.
This example isolates DHCP traffic, which can be identified by its use of
the UDP protocol and port numbers 67/68.
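As an added example (not from the original paper), the DHCP filter above rewritten as a Python predicate and applied to a few constructed Ethernet/IPv4/UDP frames. The frame layout is the standard one; the sample traffic, MAC and IP values are made up for the demonstration.

```python
import struct

DHCP_PORTS = {67, 68}  # the port pair both filters on the page test for

# Pre-capture (BPF/tcpdump-style) equivalent of the same condition, for reference:
#   udp port 67 or udp port 68

def udp_ports(frame: bytes):
    """Return (src_port, dst_port) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # too short, or EtherType is not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ip[9] != 17:
        return None  # protocol field is not UDP
    udp = ip[ihl:ihl + 8]
    if len(udp) < 8:
        return None  # truncated UDP header
    src, dst = struct.unpack("!HH", udp[:4])
    return src, dst

def is_dhcp(frame: bytes) -> bool:
    """The page's filter as a predicate: UDP with src or dst port 67/68."""
    ports = udp_ports(frame)
    return ports is not None and (ports[0] in DHCP_PORTS or ports[1] in DHCP_PORTS)

def filter_frames(frames):
    """Apply the predicate the way a display filter narrows a capture."""
    return [f for f in frames if is_dhcp(f)]

def build_frame(proto: int, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4 frame (sample data, not a real capture)."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    l4 = payload
    if proto == 17:  # prepend a UDP header: sport, dport, length, checksum (0)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([0, 0, 0, 0]), bytes([255, 255, 255, 255]))
    return eth + ip + l4

# Constructed sample traffic: two DHCP-like datagrams, one DNS query, one TCP segment.
SAMPLE_FRAMES = [
    build_frame(17, 68, 67, b"\x01" * 16),     # client -> server (DISCOVER/REQUEST-style)
    build_frame(17, 67, 68, b"\x02" * 16),     # server -> client (OFFER/ACK-style)
    build_frame(17, 53412, 53, b"\x00" * 12),  # DNS, not DHCP
    build_frame(6, 0, 0, b"\x00" * 20),        # TCP, rejected before ports are read
]
```

Running `filter_frames(SAMPLE_FRAMES)` keeps only the first two frames, which is exactly what the Ethereal expression above would show in the packet list.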
2.5 The right sniffer for the job
The quality of a sniffer is directly related to the information it can provide for its
user. For example, dsniff is one of the best security sniffers available. This is not because
dsniff captures any better than Ethereal, which is at the top of the list for many
professionals; instead, it is because dsniff incorporates extra features, such as a built-in
password sniffer, ARP spoofing technology, and more. These small additions make the
program more streamlined, if collecting passwords is your goal. On the other hand, some
troubleshooting will require the use of an expensive all-in-one hardware/software sniffer
package. These devices, which would be overkill for a small network, can collect gigs of
data and never miss a packet.
In addition to landline sniffers, the introduction of wireless networks has caused the