Passive vs Active Capturing
Passive capture doesn’t directly interact with the traffic. Instead, it extracts the data as it travels on the wire, which should be familiar from tools like Wireshark.
Active capture interferes with traffic between a client application and the server; this has great power but can cause some complications. You can think of active capture in terms of proxies or even a man-in-the-middle attack.
Passive Techniques
- Wireshark
- System Call Tracing
- strace
- dtrace
- Process Monitor in Windows
- tcpdump
Active Techniques: Network Proxies
- Port Forwarding Proxy
- SOCKS Proxy
- HTTP Proxy
- Reverse HTTP Proxy
For active capturing, a proxy tool (Dante, Canape, etc.) needs to be set up, and the traffic needs to be redirected to it (via the hosts file, browser settings, or the application's configuration).
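The port-forwarding proxy from the list above, as an added example (not from the original notes or from any of the tools named): a minimal Python proxy that records every chunk in both directions before forwarding it unchanged, plus a loopback echo server constructed here as a stand-in for the real server. In practice the client is redirected to `proxy.port` via the hosts file or application config, as described above.

```python
import socket
import threading

# Minimal port-forwarding proxy: captures each chunk in both directions, then forwards it.
class PortForwardProxy:
    def __init__(self, target_host, target_port):
        self.target = (target_host, target_port)
        self.captured = []                         # (direction, bytes), in order
        self._srv = socket.create_server(("127.0.0.1", 0))  # port 0: any free port
        self.port = self._srv.getsockname()[1]     # redirect the client here
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            client, _ = self._srv.accept()
            server = socket.create_connection(self.target)  # proxy's own connection
            for src, dst, tag in ((client, server, "client->server"),
                                  (server, client, "server->client")):
                threading.Thread(target=self._pump, args=(src, dst, tag),
                                 daemon=True).start()

    def _pump(self, src, dst, direction):
        try:
            while data := src.recv(4096):          # empty read = peer closed
                self.captured.append((direction, data))  # capture first ...
                dst.sendall(data)                  # ... then forward unchanged
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)       # propagate the half-close
            except OSError:
                pass

def start_echo_server():
    # Stand-in for the real server (constructed for this demo): echoes input.
    srv = socket.create_server(("127.0.0.1", 0))
    def serve(conn):
        while data := conn.recv(4096):
            conn.sendall(data)
    threading.Thread(target=lambda: serve(srv.accept()[0]), daemon=True).start()
    return srv.getsockname()[1]

def capture_round_trip(message):
    # Point the client at the proxy instead of the server; return what it saw.
    proxy = PortForwardProxy("127.0.0.1", start_echo_server())
    with socket.create_connection(("127.0.0.1", proxy.port)) as c:
        c.sendall(message)
        reply = b""
        while len(reply) < len(message):           # echo may arrive in pieces
            reply += c.recv(4096)
    return proxy.captured
```

`capture_round_trip(b"HELLO proto v1\n")` returns the request and the echoed reply as two captured entries, one per direction; Wireshark-style visibility is the same, but because the proxy holds both connections it could also inspect or alter the data, which is the "great power" mentioned above.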
Active or Passive?
Use active capture when the passive techniques don't give you full access. Doing passive analysis first gives great insight into where and what to look for during active capturing.