- Passively watches for 3-way handshake
- Vulnerable services include telnet, ftp,
rlogin, IMAP, POP ...
- Logs N packets, or until FIN, RST, or timeout
- Stuffs everything into a log file
- Newer sniffers unlink themselves, unlink their log files,
and send logged data to collectors in ICMP packets
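
Added example (not part of the original slide): a defender-side check for the "unlink themselves, unlink their log files" behaviour. It assumes a Linux-style /proc, where the exe and fd symlinks of such a process end in " (deleted)". The fake process tree, PIDs and paths below are constructed sample data.

```python
import os
import tempfile

DELETED = " (deleted)"  # suffix Linux appends to unlinked targets in /proc

def find_unlinked(proc_root="/proc"):
    """Return [(pid, kind, path)] for deleted executables and deleted open files."""
    hits = []
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for pid in pids:
        base = os.path.join(proc_root, pid)
        links = [("exe", os.path.join(base, "exe"))]
        fd_dir = os.path.join(base, "fd")
        try:
            links += [("fd", os.path.join(fd_dir, fd))
                      for fd in sorted(os.listdir(fd_dir), key=int)]
        except OSError:
            pass  # process exited, or we lack permission to list its fds
        for kind, link in links:
            try:
                target = os.readlink(link)
            except OSError:
                continue  # kernel thread or unreadable link
            if target.endswith(DELETED):
                hits.append((int(pid), kind, target[:-len(DELETED)]))
    return hits

def build_sample_proc(root):
    """Constructed sample: fake /proc with one ordinary and one unlinked process."""
    layout = {
        "100": {"exe": "/usr/sbin/sshd", "fd": {"3": "/var/log/auth.log"}},
        "4242": {"exe": "/tmp/.x/snf (deleted)",
                 "fd": {"3": "socket:[12345]", "4": "/tmp/.x/out.log (deleted)"}},
    }
    for pid, info in layout.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        os.symlink(info["exe"], os.path.join(root, pid, "exe"))
        for fd, target in info["fd"].items():
            os.symlink(target, os.path.join(root, pid, "fd", fd))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for pid, kind, path in find_unlinked(build_sample_proc(tmp)):
            print(pid, kind, path)
```

Ordinary software also holds deleted files open (temp files, binaries replaced by an upgrade), so treat hits as triage leads: a deleted executable that also holds a raw socket and a deleted log is the combination worth a closer look.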