Snort - http://www.snort.org
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
p0f - http://www.stearns.org/p0f
The passive OS fingerprinting technique is based on information coming from a remote host when it tries to establish a connection to your system. Captured packet parameters contain enough information to identify the remote OS. In contrast to active scanners such as nmap and queSO, p0f does this without sending anything to the remote host.
This program is now hosted and maintained by William Stearns <wstearns@pobox.com>. It was originally written by Michal Zalewski <lcamtuf@coredump.cx>.
ntop - http://www.ntop.org
ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to run on virtually every Unix platform and on Win32 as well.
tethereal - http://www.ethereal.com
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
ngrep - http://www.packetfactory.net/Projects/ngrep
ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
tcpdump - http://www.tcpdump.org
Tcpdump prints out the headers of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -b flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match the expression will be processed by tcpdump.
gnuplot - http://www.gnuplot.info
gnuplot is a command-driven interactive function plotting program. It can be used to plot functions and data points in both two- and three-dimensional plots in many different formats, and will accommodate many of the needs of today's scientists for graphic data representation. gnuplot is copyrighted, but freely distributable; you don't have to pay for it.
NSWC/DD SHADOW - http://www.nswc.navy.mil/ISSEC/CID
SHADOW is the result of a project that was originally called the Cooperative Intrusion Detection Evaluation and Response (CIDER) project. It was an effort of NSWC Dahlgren, NFR, NSA, the SANS community and other interested parties to locate, document, and improve security software.