EffeTech HTTP Sniffer FAQ
Q: Can I use EffeTech HTTP Sniffer on a PPP connection?
A:
EffeTech HTTP Sniffer uses WinPcap as its packet-capturing driver. We tested WinPcap on PPP connections under Windows 95, Windows 98 and Windows ME. In Windows 95, due to a bug in NDIS, WinPcap sometimes resets the PPP connection. In Windows 98/ME this bug appears to be corrected, and WinPcap seems to work properly. Under Windows NT and Windows 2000 there are problems with the binding process, which prevent a protocol driver from working properly on the WAN adapter. But first of all, just try it to find out whether it works properly on your computer.

Q. I am connected to the LAN through a switch, and when I launch EffeTech HTTP Sniffer, it captures only the packets sent to and from my own machine. I can't see the traffic of other machines. Why is this so?
A.
The easiest way to achieve this goal is to place EffeTech HTTP Sniffer on the gateway. However, if you want to do this from any PC on the LAN, you have to do some easy configuration on your switch. So let's talk about how a switch works first.

Unlike hubs, switches prevent promiscuous sniffing. In a switched network environment, EffeTech HTTP Sniffer (or any other packet analyzer) is limited to capturing broadcast and multicast packets and the traffic sent or received by the PC on which EffeTech HTTP Sniffer is running, because a switch will not forward other machines' packets to your PC.

However, most modern switches support "port mirroring", a feature that enables the switch to forward any packet to one PC and allows the network manager to determine the location of a problem on the network simply and efficiently. Port mirroring is configured by assigning a port (called the "management port") from which to copy all frames, and a port to which to send those frames. When the feature is activated, all frames bound for or sourced from the selected source port are copied and sent (in addition to their regular destinations) to the selected destination port. Simply by placing a sniffer on this destination port, each segment can be monitored separately without moving the equipment. By using this feature, you will be able to monitor the entire LAN segment.

Please refer to the documentation that comes with your switch for information on availability of this feature and configuration instructions. Various networking hardware manufacturers name this feature differently. Below is a short reference list of hardware by three major manufacturers - Cisco, 3COM, and Intel that support port mirroring.

| Manufacturer | Name used for the port mirroring feature | Models of switches with port mirroring support |
|---|---|---|
| Cisco | SPAN | Cisco Catalyst 1900 Series Switches; Cisco Catalyst 6000 Family Switches; ... |
| 3COM | Roving analysis port (RAP) | 3Com SuperStack 3 Switch 4400; ... |
| Intel | Port mirroring | Express 100BASE-TX Switching Hub; Intel Express 460T; Intel Express 480T; Express 510, 520 and 550 Series Switches software v2.21 or later; Intel NetStructure 6000 Switch; ... |

Common switches sorted by Port mirroring supported

| Company | Product Name/Model | Port mirroring supported |
|---|---|---|
| 3Com Corp. | Super Stack II Switch 3300 | Yes |
| Addtron Technology | ADS-824M | Yes |
| Addtron Technology | ADS-816M | Yes |
| Allied Telesyn International | AT-8224XL | Yes |
| Asante Technologies | IntraStack 6014DSB | Yes |
| KTI Networks | KS2316 10/100 Fast Ethernet Switch | Yes |
| Matrox Electronic Systems | Matrox Switchbox 12 | Yes |
| Bay Networks, a Nortel Networks Line of Business | Bay Stack 350T-HD 10/100 Autosense Switch | Yes |
| Bay Networks, a Nortel Networks Line of Business | Bay Stack 350T 10/100 Autosense Switch | Yes |
| Bay Networks, a Nortel Networks Line of Business | Bay Stack 350 F - HD 10/100 Autosense Switch | Yes |
| Bay Networks, a Nortel Networks Line of Business | Bay Stack 350F 10/100 Autosense Switch | Yes |
| Cisco Systems | Cisco Catalyst 2924C XL | Yes |
| Cisco Systems | Cisco Catalyst 2924 XL | Yes |
| Matrox Electronic Systems | Matrox Switchbox 12 (FX) | Yes |
| NBase-Xyplex | MegaSwitch II SX-2024 | Yes |
| Teleware Corp. | Teleway 1080EX | Yes |
| Enterasys Networks | Vertical Horizon VH-4802 | Yes |
| Foundry Networks | FastIron Workgroup Switch 16 port | Yes |
| Foundry Networks | FastIron Workgroup Switch 24 port | Yes |
| IBM Corp. | IBM 8271-712 NWAYS Ethernet LAN Switch | Yes |
| Intel Corp. | Express 550T Routing Switch (ES550T) | Yes |
| NBase-Xyplex | MegaSwitch SX-2016 | Yes |
| LANart Corp. | ETS 1210 Fast Ethernet Switch | Yes |
| Lucent Technologies (formerly Prominet) | Lucent P550 Cajun Switch | Yes |
| Network Peripherals | FE-D512 | Yes |
| Olicom | CrossFire 8420 Fast Ethernet Switch | Yes |
| NBase-Xyplex | Mega Switch II SX-2012 | Yes |
| Proteon LAN Products by Microvitec | ProNet/E Series 84 Fast Ethernet Switch | Yes |
| Network Peripherals | FE-DS-24 | Yes |
| Performance Technologies | Nebula 6000 Departmental Switch | Yes |
| Performance Technologies | Nebula 4000 Workgroup Switch | Yes |
| Performance Technologies | Nebula 8000 Fault Tolerant Backbone Switch | Yes |
| Point Com | CEM56-100 | Yes |
| Asante Technologies | Friendly Net FS4004DS Switch | No |
| NDC Communications | Plug-n-Switch | No |
| Asante Technologies | Friendly Net FS4008DS Switch | No |
| Compaq Computer Corp. | Compaq NETELLIGENT 5708 TX | No |
| Omnitron Systems Technology | FlexSwitch 600X 10/100 Switch with Optional Fiber/UTP Plug-Ins | No |
| Omnitron Systems Technology | FlexSwitch 600X3 10/100 Ethernet Modular Switch (Model # 6200) | No |
| Compex | Compex Ready Switch SNW 1213 | No |
| TRENDware International | TE100-S1212 | No |
| D-Link Systems | 5016 | No |

Even if a switch does not currently support this feature, it may gain support through a firmware upgrade. Please contact your manufacturer about upgrading.
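
The forwarding behaviour described in this answer, as an added example (not part of the original FAQ or of EffeTech's software): a toy learning switch in Python that shows what arrives on the sniffer's port with and without port mirroring. The class, port numbers, MAC addresses and payload strings are constructed for illustration.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Minimal learning switch with an optional mirror (monitor) port."""

    def __init__(self, ports, mirror_src=None, mirror_dst=None):
        self.ports = list(ports)
        self.mac_table = {}                 # learned MAC address -> port
        self.mirror_src = mirror_src        # port whose frames are copied
        self.mirror_dst = mirror_dst        # port the sniffer is plugged into
        self.delivered = defaultdict(list)  # port -> frames sent out of it

    def receive(self, in_port, src, dst, payload):
        self.mac_table[src] = in_port       # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out_ports = {self.mac_table[dst]}   # known unicast: one port only
        else:
            out_ports = set(self.ports)         # broadcast or unknown: flood
        # Port mirroring: copy frames bound for or sourced from mirror_src.
        if self.mirror_src is not None and (
            in_port == self.mirror_src or self.mirror_src in out_ports
        ):
            out_ports.add(self.mirror_dst)
        out_ports.discard(in_port)          # never send back out the ingress port
        for port in sorted(out_ports):
            self.delivered[port].append((src, dst, payload))

def sniffer_view(mirror):
    """Payloads seen by a passive sniffer on port 3, with or without mirroring."""
    sw = Switch([1, 2, 3],
                mirror_src=1 if mirror else None,
                mirror_dst=3 if mirror else None)
    host_a, gateway = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    # Constructed traffic: both hosts broadcast first, so the switch has
    # learned their ports before the HTTP exchange between them starts.
    sw.receive(1, host_a, BROADCAST, "ARP from A")
    sw.receive(2, gateway, BROADCAST, "ARP from GW")
    sw.receive(1, host_a, gateway, "GET /index.html")
    sw.receive(2, gateway, host_a, "HTTP/1.1 200 OK")
    return [payload for _, _, payload in sw.delivered[3]]

if __name__ == "__main__":
    print("no mirroring:  ", sniffer_view(False))
    print("mirroring 1->3:", sniffer_view(True))
```

Without mirroring the sniffer's port receives only the two broadcasts; with port 1 mirrored to port 3 it also receives both halves of the HTTP exchange.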

Q. I launched the program and clicked the "Start sniffer" button, but no HTTP communications are displayed. Why?
A.
There are three possible reasons:
1. You may have more than one network adapter and have selected an unused one.
2. You may have made a mistake when configuring the filter. Select at least one of the three options in the "content" area, and select "any host" in the "host" area.
3. Your network is switched, in which case refer to the answer to the previous question.

Q: How can I see if WinPcap is installed on my system? How can I remove it?
A:
WinPcap 2.3 is a packet-capturing driver. To remove it, go to the Control Panel and open the "Add/Remove Programs" applet. If WinPcap is present on your system, an entry called "WinPcap" will be listed. Double-click on it to uninstall WinPcap. To be absolutely sure that WinPcap has been installed, look in your system folder: you should find files called packet.* and wpcap.dll. Please check the file dates, which should be compatible with the WinPcap release dates.

Q: What is a "packet sniffer"?
A:
A packet sniffer is a wiretap device that plugs into computer networks and eavesdrops on the network traffic. Just as a telephone wiretap allows the FBI to listen in on other people's conversations, a "sniffing" program lets someone listen in on computer conversations. However, computer conversations consist of apparently random binary data. Therefore, network wiretap programs also come with a feature known as "protocol analysis", which allows them to "decode" the computer traffic and make sense of it. Sniffing also has one advantage over telephone wiretaps: many networks use "shared media". This means that you don't need to break into a wiring closet to install your wiretap; you can do it from almost any network connection to eavesdrop on your neighbors. This is called a "promiscuous mode" sniffer. However, this "shared" technology is moving quickly toward "switched" technology, where this will no longer be easy, which means you will need to do some configuration on your switch.

Q: Questions about WinPcap?
A:
http://winpcap.polito.it/misc/faq.htm