Windump
Many Linux systems have tcpdump installed by default. Because tcpdump is so common (at least on non-Windows systems), it has been ported to Windows and is called WinDump. WinDump requires WinPcap in order to work. WinDump can be downloaded from www.winpcap.org/windump/install/. There is no setup file; the .EXE you download is the entire package. Simply download it and place the file in a directory of your choosing. The manual for WinDump is pretty much the same as for tcpdump, and is located at www.winpcap.org/windump/docs/manual.htm. Although there are far too many options to explain them all in detail, here are a few that will get you started.
Windump -D lists the interfaces WinDump can see to capture on. Windump -i 2 listens on interface number 2. You could restrict the output to show traffic only to or from the host named lab2003 by entering windump -i 2 host lab2003. Although the command-line syntax is relatively intuitive, there are a lot of options. The manual is very good, with some useful examples at the bottom. In our Wireshark example, we worked with a Telnet session. If we wanted to see traffic to or from host lab2003 with a source or destination port of 23 (used for Telnet), we could enter windump -i 2 host lab2003 and tcp port 23. Open a Telnet session with lab2003 and you will see output like the partial capture shown below. Note: I removed the time stamps so that every line would not wrap to the next line.
Windump of Telnet Session
windump: listening on \Device\NPF_{C428C1BF-C15A-460B-90D6-3A6F5DF68F22}
IP server.RedHat.2714 > LAB2003.23: S 639728410:639728410(0) win 16384 <mss 1460,nop,nop,sackOK>
IP LAB2003.23 > server.RedHat.2714: S 1106948603:1106948603(0) ack 639728411 win 16384 <mss 1460,nop,nop,sackOK>
IP server.RedHat.2714 > LAB2003.23: . ack 1 win 17520
IP LAB2003.23 > server.RedHat.2714: P 1:22(21) ack 1 win 17520
IP server.RedHat.2714 > LAB2003.23: P 1:4(3) ack 22 win 17499
IP LAB2003.23 > server.RedHat.2714: P 22:30(8) ack 4 win 17517
IP server.RedHat.2714 > LAB2003.23: P 4:28(24) ack 30 win 17491
IP LAB2003.23 > server.RedHat.2714: P 30:65(35) ack 28 win 17493
IP server.RedHat.2714 > LAB2003.23: P 28:31(3) ack 65 win 17456
IP LAB2003.23 > server.RedHat.2714: . ack 31 win 17490
IP server.RedHat.2714 > LAB2003.23: P 31:88(57) ack 65 win 17456
IP LAB2003.23 > server.RedHat.2714: P 65:228(163) ack 88 win 17433
IP server.RedHat.2714 > LAB2003.23: P 88:133(45) ack 228 win 17293
IP LAB2003.23 > server.RedHat.2714: . ack 133 win 17388
IP server.RedHat.2714 > LAB2003.23: P 133:319(186) ack 228 win 17293
IP LAB2003.23 > server.RedHat.2714: P 228:419(191) ack 319 win 17202
IP server.RedHat.2714 > LAB2003.23: . ack 419 win 17102
IP server.RedHat.2714 > LAB2003.23: P 319:320(1) ack 419 win 17102
One obvious thing you will notice is that by default WinDump shows only the high-level header information, not any of the packet data. To display this data, you will need to use the -X or -XX switch. By default, WinDump will display only a certain amount of the data portion of the packet; this is determined by the "snap length." This is set using the -s option on the command line and will default to 68 bytes if it is not set manually. WinDump's extensive filtering options make it a good tool for those times when you need very specific information. You can restrict the output using a number of parameters and end up with a very specific capture of the network traffic.
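As an added example (not code from this text or from the WinDump project), the following Python script shows what can be recovered from the header-only summary lines WinDump prints without -X: it parses the Telnet capture above (embedded as constructed sample input, with WinDump's banner line included so the parser has to skip it), totals packets and payload bytes per direction, checks that the three-way handshake completed, and flags destinations on ports whose protocols carry logins in the clear. The function names, the CLEARTEXT_PORTS table and the regular expression are my own assumptions; the expression targets the older tcpdump/WinDump flag style (S, P, ., F, R) seen in this capture, not the "Flags [S]" layout of newer tcpdump releases.

```python
# Added example: parse the header-only TCP lines WinDump prints without -X.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the Telnet capture above, one packet per line, time stamps
# removed as in the original. Line 1 is WinDump's banner and must be skipped.
SAMPLE_CAPTURE = "\n".join([
    r"windump: listening on \Device\NPF_{C428C1BF-C15A-460B-90D6-3A6F5DF68F22}",
    "IP server.RedHat.2714 > LAB2003.23: S 639728410:639728410(0) win 16384 <mss 1460,nop,nop,sackOK>",
    "IP LAB2003.23 > server.RedHat.2714: S 1106948603:1106948603(0) ack 639728411 win 16384 <mss 1460,nop,nop,sackOK>",
    "IP server.RedHat.2714 > LAB2003.23: . ack 1 win 17520",
    "IP LAB2003.23 > server.RedHat.2714: P 1:22(21) ack 1 win 17520",
    "IP server.RedHat.2714 > LAB2003.23: P 1:4(3) ack 22 win 17499",
    "IP LAB2003.23 > server.RedHat.2714: P 22:30(8) ack 4 win 17517",
    "IP server.RedHat.2714 > LAB2003.23: P 4:28(24) ack 30 win 17491",
    "IP LAB2003.23 > server.RedHat.2714: P 30:65(35) ack 28 win 17493",
    "IP server.RedHat.2714 > LAB2003.23: P 28:31(3) ack 65 win 17456",
    "IP LAB2003.23 > server.RedHat.2714: . ack 31 win 17490",
    "IP server.RedHat.2714 > LAB2003.23: P 31:88(57) ack 65 win 17456",
    "IP LAB2003.23 > server.RedHat.2714: P 65:228(163) ack 88 win 17433",
    "IP server.RedHat.2714 > LAB2003.23: P 88:133(45) ack 228 win 17293",
    "IP LAB2003.23 > server.RedHat.2714: . ack 133 win 17388",
    "IP server.RedHat.2714 > LAB2003.23: P 133:319(186) ack 228 win 17293",
    "IP LAB2003.23 > server.RedHat.2714: P 228:419(191) ack 319 win 17202",
    "IP server.RedHat.2714 > LAB2003.23: . ack 419 win 17102",
    "IP server.RedHat.2714 > LAB2003.23: P 319:320(1) ack 419 win 17102",
])
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}  # assumed table, illustrative only
# Older tcpdump/WinDump layout: flag letters, optional seq:end(len), optional ack, win, <options>.
PACKET_RE = re.compile(
    r"""^IP\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+
        (?P<flags>[SFRPU.]+)(?:\s+(?P<seq>\d+):\d+\((?P<len>\d+)\))?
        (?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)(?:\s+<(?P<opts>[^>]*)>)?""",
    re.VERBOSE,
)

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]   # absolute in SYN/SYN-ACK, relative afterwards (no -S)
    length: int          # payload bytes carried by this segment
    ack: Optional[int]
    win: int
    options: str

def parse_line(line: str) -> Optional[Packet]:
    """Packet for a TCP summary line; None for banners, ARP, UDP and the like."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Packet(g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["flags"],
                  int(g["seq"]) if g["seq"] else None, int(g["len"]) if g["len"] else 0,
                  int(g["ack"]) if g["ack"] else None, int(g["win"]), g["opts"] or "")

def parse_capture(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]

def bytes_by_direction(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Packet and payload-byte totals per src -> dst direction."""
    totals: Dict[str, Dict[str, int]] = {}
    for p in packets:
        d = totals.setdefault(f"{p.src}.{p.sport} > {p.dst}.{p.dport}", {"packets": 0, "bytes": 0})
        d["packets"] += 1
        d["bytes"] += p.length
    return totals

def handshake_complete(packets: List[Packet]) -> bool:
    """True if some SYN is answered by a matching SYN-ACK and then a bare ACK."""
    for i, syn in enumerate(packets):
        if "S" not in syn.flags or syn.ack is not None or syn.seq is None:
            continue
        fwd = (syn.src, syn.sport, syn.dst, syn.dport)
        rev = (syn.dst, syn.dport, syn.src, syn.sport)
        synack = None
        for p in packets[i + 1:]:
            key = (p.src, p.sport, p.dst, p.dport)
            if synack is None:
                if key == rev and "S" in p.flags and p.seq is not None and p.ack == syn.seq + 1:
                    synack = p
            elif key == fwd and p.flags == "." and p.ack in (1, synack.seq + 1):
                return True  # relative ack (default output) or absolute ack (-S)
    return False

def cleartext_services(packets: List[Packet]) -> List[str]:
    """Destinations contacted on ports whose protocol exposes logins on the wire."""
    return sorted({f"{p.dst}.{p.dport} ({CLEARTEXT_PORTS[p.dport]})"
                   for p in packets if p.dport in CLEARTEXT_PORTS})

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(len(pkts), "TCP packets; handshake complete:", handshake_complete(pkts))
    print(bytes_by_direction(pkts))
    print("cleartext services:", cleartext_services(pkts))
```

Run as-is it reports 18 TCP packets, 319 payload bytes from server.RedHat to LAB2003 and 418 back, a completed handshake, and LAB2003.23 (telnet) as a cleartext service. The byte totals fall out of the (len) fields alone, which is why header-only output is enough for traffic accounting; seeing the actual login exchange would need -X and a snap length large enough to cover the payload.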