Skip to content
MyCyberSecurityPath

Network Sniffing — Packet Capture, ARP Poisoning, and Traffic Analysis

What Is Network Sniffing and Why Does It Matter?

Section titled “What Is Network Sniffing and Why Does It Matter?”

Network sniffing is the practice of capturing and analysing network packets in transit, classified by MITRE ATT&CK as technique T1040 — Network Sniffing. NIST SP 800-115 identifies packet capture as a core method for both security testing and network monitoring.

Network sniffing is one of the most powerful techniques in both offensive security (intercepting credentials, session tokens, and sensitive data) and defensive security (monitoring for suspicious activity, troubleshooting network issues, and investigating incidents).

Understanding network sniffing is essential for several reasons:

  • Penetration testers use sniffing to capture credentials transmitted in cleartext, intercept session cookies, and map network communication patterns.
  • SOC analysts use packet captures daily to investigate alerts, verify whether data was actually exfiltrated, and understand the full context of security incidents.
  • Network engineers rely on sniffing tools like Wireshark to troubleshoot connectivity issues, diagnose performance problems, and verify that encryption is working.
  • Certification exams including CompTIA Security+ SY0-701 and CEH v13 cover sniffing attacks, defence mechanisms, and protocol analysis extensively.

This page covers passive and active sniffing techniques, ARP poisoning, MAC flooding, Wireshark fundamentals, and the defensive measures that protect networks from sniffing attacks.

The first time I opened Wireshark in my home lab, I was overwhelmed. Thousands of packets flooding the screen, each with layers of protocol headers I barely understood. But when I applied a display filter for HTTP traffic and saw a login form submission with the username and password in plain text — transmitted from my own test machine to my vulnerable web server — everything clicked. I could see exactly why HTTPS matters, not as an abstract best practice, but as the literal difference between a password being readable by anyone on the network and being encrypted gibberish. That moment turned packet analysis from intimidating to fascinating.

Ethical and legal warning: Capturing network traffic on networks you do not own or have explicit authorisation to monitor is illegal in most jurisdictions. This includes public Wi-Fi networks, workplace networks (without authorisation), and any network where you are not the administrator. In Australia, the Telecommunications (Interception and Access) Act 1979 makes unauthorised interception a serious offence. Only sniff traffic on networks you own or are explicitly authorised to test.

What Do Real-World Sniffing Attacks Look Like?

Section titled “What Do Real-World Sniffing Attacks Look Like?”

According to the Wireshark Foundation, Wireshark is the world’s most widely used network protocol analyser, deployed by security teams and network engineers across every industry. Network sniffing is used in both attack and defence scenarios every day.

ScenarioWhat sniffing revealsWhy it matters
Penetration testCleartext credentials, session tokens, and unencrypted data on the networkDemonstrates the impact of missing encryption
Incident investigationFull packet captures showing exactly what an attacker did and what data they accessedProvides definitive evidence for forensic analysis
Network troubleshootingPacket retransmissions, DNS failures, handshake errorsIdentifies the root cause of connectivity and performance issues
Compliance verificationWhether sensitive data is actually encrypted in transit as policy requiresProves (or disproves) that encryption controls are working
Malware analysisCommand-and-control communications, data exfiltration patternsReveals what malware does after it infects a system
Wi-Fi security auditUnencrypted wireless traffic, rogue access points, weak protocolsIdentifies wireless network vulnerabilities

How Does Network Sniffing Work?

Section titled “How Does Network Sniffing Work?”

NIST SP 800-115 defines packet sniffing as the use of software or hardware to capture and analyse network traffic in real time, categorising it as a fundamental technique for information security testing and assessment.

Think of a network like a postal system. In a hub-based network (rare today), every letter is delivered to every house on the street — anyone can read anyone else’s mail. In a switch-based network (modern standard), letters are delivered only to the correct address. Sniffing attacks on switched networks are like tricking the postal system into delivering someone else’s mail to you.

Hubs vs Switches

Section titled “Hubs vs Switches”

The distinction between hubs and switches is fundamental to understanding why different sniffing techniques exist:

  • Hub — broadcasts every packet to every connected port. Any device on the network sees all traffic. Passive sniffing works immediately. Hubs are essentially obsolete in modern networks.
  • Switch — learns which MAC addresses are on which ports and forwards packets only to the correct destination port. Sniffing your own traffic is easy, but seeing other devices’ traffic requires active techniques.

Promiscuous Mode

Section titled “Promiscuous Mode”

By default, a network interface card (NIC) only processes packets addressed to its own MAC address or broadcast/multicast addresses. Promiscuous mode tells the NIC to capture all packets it sees, regardless of destination address. Wireshark and tcpdump automatically enable promiscuous mode when capturing.

On a switch, promiscuous mode alone is not enough to see other devices’ traffic — you also need an active sniffing technique (ARP poisoning, MAC flooding, or a mirror port) to redirect that traffic to your interface.

Passive vs Active Sniffing

Section titled “Passive vs Active Sniffing”
AspectPassive sniffingActive sniffing
How it worksSilently captures traffic already visible to your NICInjects packets to manipulate the network and redirect traffic
Network typeWorks on hubs, Wi-Fi, or mirror/span portsRequired on switched networks
Detection riskVery difficult to detect — no packets are injectedDetectable through ARP anomalies, MAC table changes, or IDS alerts
Impact on networkNo impact — purely observationalCan degrade performance or cause outages if done carelessly
Common useLegitimate monitoring, hub networks, Wi-Fi auditsPenetration testing on switched networks

Step-by-Step: Sniffing Attack Techniques

Section titled “Step-by-Step: Sniffing Attack Techniques”

ARP Poisoning (ARP Spoofing)

Section titled “ARP Poisoning (ARP Spoofing)”

ARP poisoning is the most common active sniffing technique on switched networks. It exploits the fact that the Address Resolution Protocol (ARP) has no authentication — devices trust any ARP reply they receive without verification.

How ARP poisoning works:

  1. The attacker sends forged ARP replies to the victim, claiming their MAC address is associated with the gateway’s IP address.
  2. The attacker sends forged ARP replies to the gateway, claiming their MAC address is associated with the victim’s IP address.
  3. Both the victim and the gateway update their ARP caches with the false information.
  4. Traffic from the victim intended for the gateway now flows through the attacker’s machine, and vice versa.
  5. The attacker forwards the traffic to its intended destination (man-in-the-middle) so the connection stays alive while they capture everything.

ARP Poisoning Attack Flow

Section titled “ARP Poisoning Attack Flow”

Visual Explanation

Section titled “Visual Explanation”

ARP Poisoning Man-in-the-Middle Attack

The attacker poisons ARP caches to intercept traffic between victim and gateway

Normal State
Before attack
Victim knows gateway MAC
Gateway knows victim MAC
Traffic flows directly
ARP Poisoning
Attacker injects
Fake ARP reply to victim
Fake ARP reply to gateway
Both ARP caches poisoned
Interception
Man-in-the-middle
Victim sends to attacker
Attacker captures data
Attacker forwards to gateway
Capture
Data extraction
Credentials in cleartext
Session cookies
Unencrypted file transfers
Idle

Other Active Sniffing Techniques

Section titled “Other Active Sniffing Techniques”

MAC flooding: The attacker floods the switch with thousands of frames, each with a different spoofed source MAC address. This overwhelms the switch’s MAC address table (CAM table), causing it to enter “fail-open” mode where it behaves like a hub — broadcasting all traffic to all ports.

DHCP starvation: The attacker sends hundreds of DHCP requests with spoofed MAC addresses, exhausting the DHCP server’s IP address pool. The attacker then sets up a rogue DHCP server that assigns clients a gateway address pointing to the attacker’s machine.

DNS poisoning: The attacker intercepts DNS queries and sends forged responses, redirecting the victim to a malicious server instead of the legitimate destination. When combined with ARP poisoning, this can redirect victims to credential-harvesting pages.

How Does Sniffing Fit Into a Security Architecture?

Section titled “How Does Sniffing Fit Into a Security Architecture?”

Passive vs Active Sniffing Comparison

Section titled “Passive vs Active Sniffing Comparison”

Visual Explanation

Section titled “Visual Explanation”

Passive Sniffing vs Active Sniffing

Passive Sniffing
  • No packet injectionSilently observes traffic without sending any packets onto the network
  • Works on hubs and Wi-FiAll traffic is already broadcast — just enable promiscuous mode and capture
  • UndetectableNo network anomalies generated — IDS and network monitoring cannot see passive listeners
  • Limited on switchesOnly sees broadcast traffic and traffic destined for your own MAC address
VS
Active Sniffing
  • Injects forged packetsSends ARP replies, MAC floods, or DHCP requests to manipulate network behaviour
  • Works on switched networksOvercomes switch isolation by poisoning ARP caches or flooding MAC tables
  • DetectableARP anomalies, duplicate MACs, and unusual broadcast traffic trigger IDS alerts
  • Risk of disruptionMAC flooding can crash switches; ARP poisoning can break connectivity if forwarding fails
Verdict: Passive sniffing is safe and silent but limited on modern switched networks. Active sniffing is powerful but detectable and potentially disruptive.
Use case
SOC analysts use passive captures from mirror ports for monitoring. Penetration testers use active techniques to demonstrate man-in-the-middle risks.

What Does Network Sniffing Look Like in Practice?

Section titled “What Does Network Sniffing Look Like in Practice?”

The Wireshark User’s Guide documents over 3,000 protocol dissectors, making Wireshark capable of decoding virtually any network protocol a security analyst will encounter.

Wireshark Basics

Section titled “Wireshark Basics”

Wireshark is the industry-standard graphical packet analyser. Every security professional should be comfortable with basic Wireshark operations.

Terminal window
# Launch Wireshark (select your network interface to begin capturing)
wireshark


# Capture on a specific interface from the command line
wireshark -i eth0


# Open a saved capture file
wireshark capture.pcap

Capture filters (applied before capture — limits what is recorded):

# Capture only traffic to/from a specific host
host 192.168.1.100


# Capture only HTTP and HTTPS traffic
port 80 or port 443


# Capture only traffic on a specific subnet
net 192.168.1.0/24


# Capture only TCP traffic
tcp

Display filters (applied after capture — filters what is shown):

# Show only HTTP traffic
http


# Show only DNS queries
dns


# Filter by source IP
ip.src == 192.168.1.100


# Filter by destination port
tcp.dstport == 443


# Show only packets containing a specific string
frame contains "password"


# Show only TCP SYN packets (connection attempts)
tcp.flags.syn == 1 && tcp.flags.ack == 0


# Follow a TCP stream (right-click a packet → Follow → TCP Stream)
tcp.stream eq 5

tcpdump — Command-Line Packet Capture

Section titled “tcpdump — Command-Line Packet Capture”
Terminal window
# Capture all traffic on eth0
sudo tcpdump -i eth0


# Capture and save to a file (for later analysis in Wireshark)
sudo tcpdump -i eth0 -w capture.pcap


# Capture only traffic to/from a specific host
sudo tcpdump -i eth0 host 192.168.1.100


# Capture only HTTP traffic (port 80)
sudo tcpdump -i eth0 port 80


# Capture with verbose output showing packet contents
sudo tcpdump -i eth0 -A port 80


# Read a saved capture file
tcpdump -r capture.pcap


# Capture first 100 packets only
sudo tcpdump -i eth0 -c 100

ARP Poisoning with arpspoof (Lab Only)

Section titled “ARP Poisoning with arpspoof (Lab Only)”
Terminal window
# Enable IP forwarding (so traffic is forwarded, not dropped)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward


# Poison victim's ARP cache (tell victim you are the gateway)
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1


# Poison gateway's ARP cache (tell gateway you are the victim)
# Run in a second terminal
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.100


# Now capture traffic flowing through your machine
sudo tcpdump -i eth0 -w mitm_capture.pcap

Detecting ARP Poisoning

Section titled “Detecting ARP Poisoning”
Terminal window
# Check your ARP cache for duplicate MAC addresses
arp -a


# Look for ARP anomalies with Wireshark display filter
# arp.duplicate-address-detected
# arp.opcode == 2 (filter for ARP replies — excessive replies indicate poisoning)

What Are the Limitations of Network Sniffing?

Section titled “What Are the Limitations of Network Sniffing?”

NIST SP 800-115 notes that encrypted traffic significantly limits the effectiveness of packet capture analysis, as payload content remains unreadable without the corresponding session keys.

FactorLimitationHow to handle it
Encryption (HTTPS/TLS)Encrypted traffic is visible but content is unreadable — you see packets but cannot read payloadsFocus on metadata analysis (source, destination, timing) rather than content
Switched networksPassive sniffing only sees broadcast traffic and your own trafficUse mirror/span ports for legitimate monitoring; active techniques for authorised testing
High-volume networksCapturing all traffic on a busy network generates enormous files quicklyUse capture filters to limit what is recorded; focus on specific hosts or protocols
VPN and tunnellingVPN-encrypted traffic appears as a single encrypted streamCapture must happen before traffic enters the VPN tunnel or after it exits
802.1X port authenticationNetwork access control prevents unauthorised devices from connectingCannot sniff if you cannot get a valid network connection in the first place
Detection by IDSARP poisoning and MAC flooding generate detectable anomaliesActive techniques are for authorised testing only; accept that they may trigger alerts

A common beginner mistake is capturing traffic on an encrypted network and expecting to read passwords. Modern HTTPS, SSH, and VPN connections encrypt payloads so that even if you capture every packet, the content is unreadable without the encryption keys. Sniffing attacks are most effective against legacy protocols that transmit data in cleartext — FTP, Telnet, HTTP, and unencrypted SMTP.

What Interview Questions Should You Expect About Network Sniffing?

Section titled “What Interview Questions Should You Expect About Network Sniffing?”

Network sniffing is a commonly tested topic in CompTIA Security+ SY0-701 (Domain 4 — Security Operations) and CEH v13, covering both attack techniques and defensive countermeasures.

Sniffing questions test your understanding of network fundamentals and the relationship between encryption and data security.

Q1: What is the difference between passive and active sniffing?

Strong answer: “Passive sniffing silently captures traffic that is already visible to your network interface — it works on hubs, Wi-Fi, and mirror ports without sending any packets. Active sniffing injects packets into the network to redirect traffic to your machine. Techniques like ARP poisoning and MAC flooding are active sniffing methods. Passive sniffing is undetectable, while active sniffing generates network anomalies that IDS systems can detect.”

Q2: How does ARP poisoning work and how would you defend against it?

Strong answer: “ARP poisoning works by sending forged ARP replies that associate the attacker’s MAC address with the gateway’s IP address in the victim’s ARP cache. This redirects the victim’s traffic through the attacker’s machine. Defences include Dynamic ARP Inspection (DAI) on managed switches, which validates ARP packets against a trusted DHCP snooping binding table. Static ARP entries for critical systems, network segmentation, and encrypted protocols like HTTPS and SSH also mitigate the risk.”

Q3: You capture a packet in Wireshark and see login credentials in plaintext. What protocol is likely in use?

Strong answer: “Cleartext credentials suggest an unencrypted protocol like HTTP (not HTTPS), FTP, Telnet, SMTP without STARTTLS, or POP3 without encryption. These legacy protocols transmit authentication data without encryption. The immediate recommendation would be to migrate to encrypted alternatives — HTTPS, SFTP/SCP, SSH, and SMTP with TLS. This is a critical finding in a penetration test because anyone on the network path could capture these credentials.”

Q4: What is a SPAN or mirror port and why is it useful?

Strong answer: “A SPAN (Switched Port Analyzer) or mirror port is a switch feature that copies all traffic from one or more ports to a designated monitoring port. This allows security tools like IDS sensors, packet analysers, and network forensic tools to see all traffic on the switch without interfering with normal operations. It is the legitimate, defensive equivalent of active sniffing — it gives visibility into switched network traffic without the risks of ARP poisoning.”

Q5: Why can you not read HTTPS traffic even if you capture all the packets?

Strong answer: “HTTPS uses TLS encryption to protect data between the client and server. Even though you can capture the encrypted packets, you cannot decrypt the payload without the session keys. TLS uses ephemeral key exchange (like Diffie-Hellman) so that even if you have the server’s private key, you cannot decrypt past sessions — this is called perfect forward secrecy. You can still see metadata like source and destination IP addresses, timing, and the amount of data transferred, but the actual content remains encrypted.”

How Is Network Sniffing Used in Real Security Operations?

Section titled “How Is Network Sniffing Used in Real Security Operations?”

The SANS Institute identifies packet analysis as one of the top five skills required for SOC analyst roles, with Wireshark proficiency expected from day one.

Day-One SOC Scenarios

Section titled “Day-One SOC Scenarios”

As a new SOC analyst, packet capture and analysis will be part of your regular workflow:

  • Alert verification. When an IDS alerts on suspicious activity, you pull the packet capture to verify whether it is a true positive. The packets are the evidence — they show exactly what happened.
  • Data exfiltration investigation. If DLP (Data Loss Prevention) alerts suggest sensitive data leaving the network, packet captures prove what was actually transmitted.
  • Malware traffic analysis. Captured packets reveal malware command-and-control communication patterns — DNS tunnelling, beaconing intervals, and exfiltration channels.
  • Network forensics. During an incident, full packet captures provide a complete record of network activity during the compromise window.

Australian Context

Section titled “Australian Context”

The ASD Essential Eight and ACSC ISM include controls directly relevant to sniffing defence:

  • Application control and patching reduce the risk of malware that performs internal sniffing after compromising an endpoint.
  • Network segmentation limits the scope of what a sniffer can capture even if an attacker gains network access.
  • Encryption of data in transit is emphasised throughout the ISM — HTTPS, SSH, and VPN usage are expected for all sensitive communications.

Australian organisations subject to the Privacy Act 1988 must protect personal information in transit. The Notifiable Data Breaches scheme requires organisations to notify the OAIC if data is compromised through interception. The Telecommunications (Interception and Access) Act 1979 makes it a criminal offence to intercept communications without authorisation, which is why explicit written permission is mandatory before any sniffing activity during penetration tests.

Summary and Key Takeaways

Section titled “Summary and Key Takeaways”

Network sniffing is a fundamental skill for both attackers and defenders — understanding it is non-negotiable for cybersecurity professionals.

  • Passive sniffing captures traffic silently and is undetectable, but is limited on modern switched networks to broadcast traffic and your own communications.
  • Active sniffing techniques like ARP poisoning and MAC flooding redirect traffic on switched networks, but they are detectable and potentially disruptive.
  • Wireshark is the industry-standard tool. Learning capture filters, display filters, and stream following is essential for any security role.
  • Encryption is the primary defence. HTTPS, SSH, and VPN connections render captured traffic unreadable. Focus on eliminating cleartext protocols.
  • ARP poisoning is the most common active sniffing attack. Dynamic ARP Inspection (DAI) and 802.1X port authentication are the primary switch-level defences.
  • Packet captures are evidence. In SOC and incident response work, pcap files are definitive proof of what happened on the network.
  • Legal requirements are strict. Unauthorised packet capture is a criminal offence in most jurisdictions. Always have explicit written authorisation.

Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

Section titled “Related”
  • Scanning Networks for discovering what is on the network before sniffing traffic
  • Enumeration for extracting detailed service information from discovered hosts
  • Networking Basics for the TCP/IP and OSI fundamentals that sniffing relies on
  • Wireshark for an in-depth guide to the primary packet analysis tool

Frequently Asked Questions

What is network sniffing?

Network sniffing is the practice of capturing and analysing network packets as they travel across a network. It uses tools like Wireshark and tcpdump to intercept traffic, allowing you to see the data being transmitted — including headers, payloads, and protocol information. It is used for both legitimate network monitoring and offensive security testing.

What is the difference between a hub and a switch for sniffing?

A hub broadcasts all traffic to every connected port, making passive sniffing trivial — every device sees all traffic. A switch forwards traffic only to the correct destination port based on MAC addresses. On a switched network, you can only see your own traffic and broadcasts unless you use active techniques like ARP poisoning or a mirror port.

What is promiscuous mode?

Promiscuous mode is a NIC setting that tells the network interface to capture all packets it receives, not just those addressed to its own MAC address. Wireshark and tcpdump enable this automatically. On a switch, promiscuous mode alone is not enough to see other devices' traffic — you need the traffic to be directed to your port first.

How does ARP poisoning work?

ARP poisoning sends forged ARP reply packets that associate the attacker's MAC address with another device's IP address (typically the default gateway). Victims update their ARP cache with the false mapping and send their traffic to the attacker instead of the legitimate destination. The attacker then forwards the traffic to maintain connectivity while capturing a copy.

What is MAC flooding?

MAC flooding overwhelms a switch's MAC address table (CAM table) by sending thousands of frames with different spoofed source MAC addresses. When the table is full, the switch cannot learn new entries and enters fail-open mode, broadcasting all traffic to all ports like a hub. This allows the attacker to passively sniff all network traffic.

Can I read HTTPS traffic with a packet sniffer?

You can capture HTTPS packets, but the payload is encrypted by TLS and unreadable without the session keys. You can still see metadata like source and destination IPs, port numbers, and packet sizes. With access to TLS session keys (for example, through SSLKEYLOGFILE on your own browser), you can decrypt the traffic in Wireshark for analysis.

What is the difference between a capture filter and a display filter in Wireshark?

Capture filters are applied before packets are recorded — they limit what Wireshark saves to disk and use BPF syntax (e.g., 'port 80'). Display filters are applied after capture — they filter what is shown on screen without affecting the saved data and use Wireshark's own syntax (e.g., 'http.request.method == GET'). Capture filters reduce file size; display filters help you find specific data.

What is Dynamic ARP Inspection?

Dynamic ARP Inspection (DAI) is a switch security feature that validates ARP packets against the DHCP snooping binding table. It drops ARP replies that do not match known IP-to-MAC mappings, preventing ARP poisoning attacks. DAI is configured on managed switches and is one of the most effective defences against man-in-the-middle sniffing attacks.

What is DHCP starvation?

DHCP starvation is an attack where the attacker sends hundreds of DHCP requests using spoofed MAC addresses, exhausting the DHCP server's IP address pool. Once legitimate users cannot obtain IP addresses, the attacker sets up a rogue DHCP server that assigns addresses with a malicious gateway, enabling man-in-the-middle traffic interception.

How do I practise network sniffing safely?

Set up a home lab with virtual machines on an isolated virtual network. Capture traffic between your own VMs using Wireshark. Set up a web server without HTTPS and observe cleartext traffic. Practise ARP poisoning between your own VMs using tools like arpspoof. TryHackMe and CyberDefenders offer guided packet analysis challenges with provided pcap files.

Related sections

Scanning Networks

Discover what is running on the network before you start analysing traffic flows.

Explore Networking Basics

The TCP/IP and OSI model fundamentals that packet analysis depends on.

Explore Enumeration

Extract detailed service and user information from the hosts you discover.

Explore

More resources

Wireshark Official Documentation

The definitive reference for Wireshark — capture techniques, display filters, protocol dissectors, and analysis workflows.

Visit tcpdump Manual Page

Complete reference for tcpdump command-line options, capture filters, and output formats.

Visit SANS Packet Analysis Poster

Quick-reference guide for Wireshark display filters, protocol analysis, and common investigation patterns.

Visit

Technical content verified in March 2026 against Wireshark 4.2, CompTIA Security+ SY0-701 exam objectives, CEH v13 syllabus, and NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment).