Hi, what would you all recommend for an entry-level user to monitor packets? What's most user-friendly? tcpdump? Snort? Wireshark? Thanks.
Snort is an Intrusion Detection System, not a sniffer.
tcpdump is command line and Wireshark is a GUI. They do the same thing.
I use Wireshark to process a tcpdump or airodump capture.
WireShark is Ethereal. From the WireShark FAQ:
Q 1.2: What's up with the name change? Is Wireshark a fork?
A: In May of 2006, Gerald Combs (the original author of Ethereal) went to work for CACE Technologies (best known for WinPcap). Unfortunately, he had to leave the Ethereal trademarks behind.
This left the project in an awkward position. The only reasonable way to ensure the continued success of the project was to change the name. This is how Wireshark was born.
Wireshark is almost (but not quite) a fork. Normally a "fork" of an open source project results in two names, web sites, development teams, support infrastructures, etc. This is the case with Wireshark except for one notable exception -- every member of the core development team is now working on Wireshark. There has been no active development on Ethereal since the name change. Several parts of the Ethereal web site (such as the mailing lists, source code repository, and build farm) have gone offline.
I just know Sniffer, OmniPeek, Capsa, ClearSight and Wireshark (Ethereal), but I don't know which one is better.
"If you are looking for some network sniffer software, Wireshark is good enough as freeware. Or if you do have some budget and need a commercial one, I would recommend Colasoft's network analyzer software; the price is reasonable, and it is easier to use compared with Wireshark, ideal for non-professionals. Or if you have a huge budget, you can try some other high-end products. You may start by searching "network analyzer software" on Google."
Wireshark and Capsa have this function: network monitor.
I keep etherape running in one KDE desktop. If I'm not doing anything else with that computer, I switch to that desktop to monitor overall traffic. Occasionally I run driftnet, which shows the graphic images being transferred through my LAN (I have children; you betcha I monitor what kinds of pictures they're spending bandwidth on, it's part of my responsibility as a parent).
If I see something that warrants a deeper look, I'll fire up iptraf in an xterm so I can see ports and packet-counts. I keep iptraf on my gateway/firewall, too, so I can shell into that and see what traffic looks like at the Internet interface.
If what I see warrants a closer look, I fire up Ethereal/Wireshark to look at the contents of the passing packets themselves. I figure the only thing deeper than that is shelling into the guilty machine to see what's in the process table (top).
All of these tools are Free/Libre Open-Source Software and run on Linux. If you don't feel like committing one of your machines to Linux fulltime, there are admin-oriented live-CD distributions which contain these tools; go browse at http://www.distrowatch.com. Choose one, burn it to CDR and keep it handy; when you suspect something's up with the network, reboot into the CD and look around.
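One added example that serves both the earlier posts saying tcpdump and Wireshark do the same job and read each other's captures, and the escalation in this last post from per-port packet counts (iptraf) to packet contents (Wireshark). It is not code from any poster, nor from tcpdump, Wireshark or iptraf; it is a small Python script that writes a pcap file in the format `tcpdump -w` produces, reads it back the way Wireshark or `tcpdump -r` would (detecting byte order from the magic and verifying IPv4 header checksums), prints tcpdump-style one-line summaries, and tallies packets per destination host and port the way an iptraf screen does. The MAC addresses, IP addresses, ports and payloads are constructed sample data, the ARP frame is a zero-filled placeholder, and the output line format only approximates tcpdump's.

```python
"""Added example, not code from the thread or from tcpdump/Wireshark/iptraf:
write a pcap file as `tcpdump -w` does, read it back as Wireshark would,
print tcpdump-style one-liners, and count packets per destination port like
iptraf. Every frame is constructed inline; no network interface is touched."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header (checksum included) yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Ethernet + IPv4 + UDP frame. UDP checksum left 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum field
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # placeholder MACs
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def write_pcap(path, records):
    """records: iterable of (ts_sec, ts_usec, frame). Global header then per-record headers."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in records:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame). Byte order comes from the magic, as any reader must."""
    with open(path, "rb") as f:
        data = f.read()
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (DLT 1) captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, frame


def decode_udp(frame: bytes):
    """Dict of addresses/ports/payload length plus header-checksum verdict, or None if not IPv4/UDP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != IPPROTO_UDP or len(frame) < 14 + ihl + 8:
        return None
    sport, dport, ulen = struct.unpack_from("!HHH", frame, 14 + ihl)
    return {"src": socket.inet_ntoa(frame[26:30]), "sport": sport,
            "dst": socket.inet_ntoa(frame[30:34]), "dport": dport,
            "length": ulen - 8,                                   # UDP payload bytes
            "csum_ok": ipv4_checksum(frame[14:14 + ihl]) == 0}   # Wireshark flags bad sums


def tcpdump_line(ts_sec, ts_usec, frame) -> str:
    """One-line summary in the spirit of tcpdump's default output (format approximated)."""
    d = decode_udp(frame)
    if d is None:
        return "%d.%06d non-IPv4/UDP frame, %d bytes" % (ts_sec, ts_usec, len(frame))
    flag = "" if d["csum_ok"] else " [bad ip cksum]"
    return "%d.%06d IP %s.%d > %s.%d: UDP, length %d%s" % (
        ts_sec, ts_usec, d["src"], d["sport"], d["dst"], d["dport"], d["length"], flag)


def port_counts(path) -> dict:
    """Packets per (destination host, port): the iptraf-style view before opening Wireshark."""
    counts = {}
    for _, _, frame in read_pcap(path):
        d = decode_udp(frame)
        if d is not None:
            counts[(d["dst"], d["dport"])] = counts.get((d["dst"], d["dport"]), 0) + 1
    return counts


# Constructed sample traffic (not a real capture): two DNS queries, one ARP, one NTP.
ARP_FRAME = bytes.fromhex("ffffffffffff001122334455" "0806") + bytes(28)   # zero-filled ARP body
SAMPLE_RECORDS = [
    (1700000000, 1000, build_udp_frame("10.0.0.5", "10.0.0.1", 40000, 53, b"dns query #1")),
    (1700000000, 2000, build_udp_frame("10.0.0.5", "10.0.0.1", 40001, 53, b"dns query #2")),
    (1700000001, 0, ARP_FRAME),
    (1700000001, 500, build_udp_frame("10.0.0.7", "10.0.0.1", 50000, 123, b"ntp")),
]

if __name__ == "__main__":
    import os, tempfile
    path = os.path.join(tempfile.gettempdir(), "added_example.pcap")
    write_pcap(path, SAMPLE_RECORDS)          # what `tcpdump -w file.pcap` leaves on disk
    for rec in read_pcap(path):               # what `tcpdump -r` or Wireshark reads back
        print(tcpdump_line(*rec))
    print(port_counts(path))                  # the per-port counts iptraf would show
```

The file this writes opens in Wireshark as-is, which is the whole point of the earlier posts: the capture format is shared, and the GUI versus command-line choice is about how you look at it, not what you record. The checksum verdict is the kind of thing a GUI decoder surfaces for free and a raw `tcpdump` one-liner does not.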