OpenSEC Picks
Ethereal - a network protocol analyzer that lets you capture and interactively browse the contents of network frames. Utilizing the excellent "wiretap" library that replaces libpcap, Ethereal can now examine and capture a very wide range of interfaces and packet types, including: ARP/RARP, BOOTP/DHCP, DNS, Ethernet, ICMP, IGMP, IP/TCP/UDP, IPX, LPR/LPD, OSPF, PPP, RIP, Token Ring, AppleTalk, and many others. The goal of the project is to create a commercial-quality analyzer for Unix. Changes: A new "almost-real-time" capture and display mechanism was added. Initial support for SMB and SNMP decoding has been added, although the SMB decoding will be more useful in the future when Ethereal can de-fragment TCP transmissions. Wiretap can now read NetMon 2.0 files.

Ipgrab - tcpdump-based sniffer that provides output similar to snoop; a good place to look for well-documented libpcap code. [0.8.2 / 8/8/99]

libpcap - portable packet capture library that makes a lot of this stuff possible. Also available for Win32.

ngrep - ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that lets you specify extended regular expressions to match against the data payloads of packets. It currently recognizes TCP and UDP across Ethernet, PPP and SLIP interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, like tcpdump and snoop.

Tcpdump - the standard packet sniffer for Unix boxes

More Tools
COLD - sniffer providing support for a few protocols that none of the others support.

EPAN - GUI Ethernet Protocol Analyzer (uses xforms)

Exdump - a packet watcher, dumper, and logger. TCP, UDP, and ICMP packets that pass through the host on which exdump runs are logged. exdump allows output to be directed to the console or to a user-defined file. exdump also has an option to display only packets sent to a specified port, and it can show you the data carried in each packet.

Gnusniff - a gtk+ GNOME based sniffer for Linux.

Icmp - ICMP traffic monitor with Loki detection.

Sniffit - best sniffer for capturing application-layer data.

Tcpflow - a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.

Tcpdump-smb - patch to provide support for NetBIOS over IP protocols

Xip - a weird graphical protocol analyzer with some interesting possibilities