August 2006

8 Absolutely Cool, Totally Free Utilities

Reap the rewards of the open-source community

After you install WinPcap, you can download the standalone WinDump executable. Version 3.8.3 is the most recent version at the time of this writing, and it works quite nicely with the most recent WinPcap beta. To launch WinDump, simply run it from the command line with the appropriate options for what you'd like to capture or read. You'll find the online manual for WinDump at http://windump.polito.it/docs/manual.htm.

As you can see in Figure 3, the first command you might want to execute is WinDump -D. This command displays a list of interfaces available on your computer, along with a corresponding number for each interface, so that you can determine which interface to use for your sniffing activities. After you know which interface to use, you can simply pass that number with the -i option (e.g., WinDump -i 3, if number 3 is the interface you'd like to use) to start viewing packet data in real time. (Because these are ports of UNIX utilities, the command-line switches are case-sensitive.)

Ngrep
Although WinDump is a tremendous utility, sometimes it requires a considerable amount of overhead or knowledge to determine what you're looking for. For example, suppose you're trying to determine whether a DNS query is making it across your network, but you aren't familiar with the protocols and ports that DNS uses by default. Or, suppose a lot of traffic is coming across a network connection, and you're finding it too cumbersome to work through all the packets just to find the one particular packet you're looking for. For such situations, I always rely on ngrep, the network-aware grep utility.

If you aren't familiar with grep, it's probably one of the most widely known and oft-utilized UNIX utilities. Grep finds matching text strings (through a mechanism known as regular expressions) in files on a file system, then outputs the lines to the display. You might compare grep with the Windows command-line Find utility, but grep differs by providing an exceptional amount of power in its search for text strings.

By applying these capabilities to the network layer, ngrep provides the same level of functionality for packet sniffing. As a result, you don't need to know which protocols, ports, networks, or IP addresses two devices are using to transfer data. You just need to know something about the packet's payload, and ngrep will find it for you—regardless of how it's transmitted.

I often use ngrep for troubleshooting DNS query problems. In a large Active Directory (AD) environment, dozens of DNS queries typically cross the network every second. If I'm trying to troubleshoot a specific set of problems, searching each packet to find the one I'm looking for is cumbersome at best. Instead of relying on a straight packet capture of all DNS traffic, I can simply use ngrep to find the text string I'm looking for, because DNS queries and responses are transmitted unencrypted and the queried names appear in the packet payload.

Ngrep currently recognizes ICMP, IGMP, Raw, TCP, and UDP protocols across 802.11, Ethernet, FDDI, PPP, SLIP, Token Ring, and null interfaces. It requires the WinPcap library (as WinDump does) to operate properly. (Ngrep 1.43 has been tested to work with WinPcap 3.1 beta 4.) As you can see in Figure 4, I've instructed ngrep to catch any packets with the word "utilization" embedded in them. Ngrep picked up a packet out of an AOL Instant Messenger (IM) conversation that I was having with one of my colleagues at the time.
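As an added illustration (not code from the article or from the ngrep project), the following Python builds a DNS query payload and shows why a pattern such as www.example.com finds it in a regex-style payload search but not as a literal string: DNS carries names as length-prefixed labels, so the dots never appear on the wire, and it is the regex wildcard `.` that happens to match the length bytes. The sample packet and all function names are my own constructions.

```python
import re
import struct

def encode_qname(name):
    """Encode a dotted name as DNS length-prefixed labels (RFC 1035 wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"          # zero-length root label terminates the name

def build_query(name, txid=0x1234):
    """Construct the UDP payload of a standard A/IN query (sample data, not a capture)."""
    # ID, flags (standard query, recursion desired), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_qname(payload, offset=12):
    """Decode the question name that follows the 12-byte DNS header."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length

def literal_in_payload(payload, text):
    """Plain substring search: what a non-regex 'find' would do."""
    return text.encode("ascii") in payload

def regex_in_payload(payload, pattern):
    """Regex search over raw bytes, the kind of match an ngrep pattern performs."""
    return re.search(pattern.encode("ascii"), payload) is not None

SAMPLE = build_query("www.example.com")

if __name__ == "__main__":
    print("decoded name:", decode_qname(SAMPLE))
    print("literal 'www.example.com':", literal_in_payload(SAMPLE, "www.example.com"))
    print("regex 'www.example.com':", regex_in_payload(SAMPLE, "www.example.com"))
    print("regex 'www\\.example\\.com':", regex_in_payload(SAMPLE, r"www\.example\.com"))
```

Escaping the dots in the pattern turns the wildcard back into a literal and the match disappears, so when searching DNS traffic prefer matching on a single label or leave the dots unescaped.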

Ethereal
When you face a situation in which you need to roll up your sleeves and dive as deeply as possible into network capture and analysis, one utility needs to come to mind: the world's most popular network analyzer, Ethereal. Network experts around the world use Ethereal because it has all the standard features you'll find in most protocol analyzers, in addition to some you won't find in any other product. More than 400 developers around the world have made contributions to this open-source application. A decade ago, I paid nearly $20,000 for software that had the same capabilities, but Ethereal offers it all free.

Ethereal can capture data off your network connection, filter the data, dive into the details of each packet, save the packet capture for detailed analysis, send packet captures to other network engineers (or vendors) to help with debugging, and open packet captures from many other leading packet-capture utilities. Ethereal can capture data off of various network transports, such as Classical IP over ATM (CIP), Ethernet, Fiber Distributed Data Interface (FDDI), Point-to-Point Protocol (PPP), Token Ring, 802.11, and loopback interfaces (although it doesn't support all types on every platform). Across all those network transports, Ethereal can "dissect" more than 750 protocol types, including FTP, HTTP, NetBIOS, POP3, remote procedure call (RPC), SNMP, SSH, SMTP, and Telnet, just to name a few.

Like the other sniffing utilities I've mentioned, Ethereal depends on an installation of WinPcap to function properly, so you'll need to install that first. Then, after you install the latest Ethereal distribution for Windows, simply access the Capture, Interfaces menu and select the interface you want to start using for capture. Then, you're ready to start analyzing your traffic. Figure 5 shows a quick look at Ethereal's primary interface.

Utilities for Scanning, Auditing, and Monitoring

BareTail
Many applications keep detailed logging data in straight text files because the Windows event logs aren't appropriate for certain types of data (e.g., IIS log files). In the course of monitoring or troubleshooting these types of applications, it's often helpful to watch these log files in real time. However, because they're text files, that process typically consists of opening the file in Notepad or another text editor, looking at the contents, closing the file, then reopening the file to see what's changed.
