``Snoopers'' (packet sniffers) are tools that make copies of part or all of the network traffic on the LANs your computer is attached to. They can be used to spy, to analyze network traffic, to analyze protocol behavior, etc. On Solaris and other Unix computers you usually have at least two such tools: tcpdump and snoop. Log on to a Unix or Solaris computer and do ``man tcpdump'' and ``man snoop''. On Linux computers you usually also have ethereal (since renamed Wireshark). Log on to a Linux computer and do ``man ethereal''. I personally prefer tcpdump. Probably mainly because I am used to it.

To use these tools you must be root or superuser: putting an interface into promiscuous mode and reading raw packets from it is a privileged operation. (On Linux the capabilities CAP_NET_RAW and CAP_NET_ADMIN are enough, but a normal student account has neither.) That means students in CIS 656 cannot use them on NJIT computers. Students who own a computer can do it on their own computer. I recommend you try it out. PCs with Microsoft Windows also have snoopers. But you CAN do ``man ...'' even when you are not root or a superuser. Students who take my ``Advanced Networking'' course (will be taught in fall 2005) get access to my lab (GITC 4325) and can use snoopers there. Actually: HAVE TO use snoopers there: one of the assignments is to ``steal'' my password. (Intra-Lab password only!) A snooper can do that because it sees every byte a protocol sends in the clear, passwords included.

Next, some instructions for use of tcpdump. This is meant to get students who do this on their own computers started. Once you have started, use the man pages and all the information available on the web, in manuals, books, etc.

Example: (example only, not recommended!)

prompt# tcpdump -e -s 100 -vv

This causes tcpdump to monitor traffic on the lowest numbered active (non-loopback) interface; use -i to pick a different one. It keeps doing this until you hit ^C (Control-C). The -e option makes it print the link layer header (say, ethernet) as well as the other headers (network layer, transport layer, even some application layer). The -s 100 option (the ``snaplen'') makes it keep only the first 100 bytes of each packet. The -vv option makes the output ``verbose''. Now that you have seen this one, read about the other options yourself. I do not recommend this!
The reason is that this choice makes tcpdump do ``monitoring'' and ``analysis'' at the same time. When you do that, your computer may not have enough CPU cycles to keep up with the traffic, and packets are silently lost. (When tcpdump exits it prints how many packets were ``dropped by kernel''; anything other than 0 means your capture is incomplete.) Better to do monitoring and analysis separately:

prompt# tcpdump -s 0 -w FILE

This makes tcpdump monitor the traffic, collect ``whole packets'' (the -s 0 option) and dump them, in human unreadable (binary, pcap) form, into the file FILE (the -w option; FILE is whatever name you choose for the dump file). Then you can analyze it by, for example:

prompt# tcpdump -r FILE -s 100 -e -vv

This reads from FILE and puts the output on your screen. (Adding -n stops tcpdump from looking up host names, which otherwise slows the analysis down and generates DNS traffic of its own.) The output is ``human readable'' but in fact pretty hard to read. I call it ``semi human readable''. Among other things, it mostly gives one long line per frame, usually many more than 80 characters per line. You can analyze and re-analyze the content of FILE using all kinds of different tcpdump options, because the dump file still holds the whole packets. Because the output of tcpdump is only ``semi human readable'' I recommend instead you do

prompt# tcpdump -r FILE -s 100 -e -vv > OUTFILE

(output redirection). This puts the output in the file OUTFILE. You can then write programs (in any language you like; Perl is handy for this purpose) that transform OUTFILE into files that have exactly the format you want.

So: do ``man tcpdump'', study all the options it has (I gave a few examples), separate ``monitoring'' from ``analysis'' using ``-w FILE'' and ``-r FILE'', re-analyze as often as you like, with various options, create ``semi human readable'' files using output redirection (>), and write your own ``scripts'' (e.g. Perl scripts) to get the results in the form and format you like. Once this is easy (that will be soon) you will use pipes to make all this even easier.

Good luck! Teun Ott.
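Added example, not from the original page and not the course's own scripts: a POSIX shell script that follows the recipe above, keeping capture (-w) separate from analysis (-r) and then post-processing the ``semi human readable'' output with awk, which here stands in for the Perl suggested above. The interface name eth0, the file names dump.pcap and dump.txt, and the sample tcpdump lines are all constructed for this example. The post-processing functions expect one-line-per-packet output from ``tcpdump -r FILE -n'' (without -e or -vv, which change the line layout), and they run without root or a live interface.

```sh
#!/bin/sh
# Added example, not part of the original page. Interface and file names are
# placeholders; the sample lines below are constructed, not a real capture.

# Step 1: monitoring only. Whole packets (-s 0), binary pcap output (-w).
# Must run as root. Runs until ^C.
capture() {             # usage: capture eth0 dump.pcap
    tcpdump -i "$1" -s 0 -w "$2"
}

# tcpdump prints a summary on exit, e.g.
#   4 packets captured
#   4 packets received by filter
#   0 packets dropped by kernel
# Anything but 0 in the last line means the capture is incomplete.
dropped_by_kernel() {   # reads that summary on stdin, prints the count
    awk '/packets dropped by kernel/ { print $1 }'
}

# Step 2: analysis, as often as you like, with whatever options you like.
# -n: no DNS lookups (faster, and no DNS traffic of its own).
analyse() {             # usage: analyse dump.pcap dump.txt
    tcpdump -r "$1" -n > "$2"
}

# Step 3: post-process the semi human readable output.
# A line from `tcpdump -r FILE -n` looks like
#   TIME IP SRC.SPORT > DST.DPORT: ...
# so $3 is the source (host.port) and $5 the destination (host.port:).

# Packets per source host, sorted.
count_by_src() {        # reads tcpdump text on stdin
    awk '$2 == "IP" {
             src = $3; sub(/\.[0-9]+$/, "", src)    # strip the port
             n[src]++
         }
         END { for (h in n) printf "%s %d\n", h, n[h] }' | sort
}

# Flows towards services that send logins in the clear (ftp 21, telnet 23,
# pop3 110): exactly the kind of traffic a snooper can read passwords from.
cleartext_logins() {    # reads tcpdump text on stdin
    awk '$2 == "IP" {
             dst = $5; sub(/:$/, "", dst)
             port = dst; sub(/.*\./, "", port)       # last dotted component
             host = dst; sub(/\.[0-9]+$/, "", host)
             if (port == "21" || port == "23" || port == "110") {
                 src = $3; sub(/\.[0-9]+$/, "", src)
                 flows[src " -> " host ":" port]++
             }
         }
         END { for (f in flows) print f }' | sort
}

# Constructed sample output (what dump.txt might contain), for trying the
# post-processing functions without root or a live interface.
SAMPLE='12:00:00.000001 IP 192.168.1.10.54321 > 10.0.0.5.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000200 IP 10.0.0.5.80 > 192.168.1.10.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000300 IP 192.168.1.10.54321 > 10.0.0.5.80: Flags [.], ack 1, win 65535, length 0
12:00:01.000000 IP 192.168.1.20.40000 > 10.0.0.5.23: Flags [P.], seq 1:6, ack 1, win 65535, length 5'

# Constructed exit summary, as tcpdump prints it on stderr.
STATS='4 packets captured
4 packets received by filter
0 packets dropped by kernel'

# Pipes, as promised above, make the analysis step easy:
#   printf '%s\n' "$SAMPLE" | count_by_src
#   printf '%s\n' "$SAMPLE" | cleartext_logins
#   printf '%s\n' "$STATS"  | dropped_by_kernel
```

Each awk program is a few lines and does exactly one transformation, so you can chain them with pipes or replace any of them with a Perl script once the layout of the tcpdump line you care about is clear. Remember that -e and -vv shift the fields, so a script written for one set of tcpdump options has to be checked again when the options change.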