Windump

Many Linux systems have tcpdump installed by default. Because tcpdump is so common (at least on non-Windows systems), it has been ported to Windows and is called WinDump.WinDump requires WinPcap in order to work.WinDump can be downloaded from www.winpcap.org/windump/ install/.There is no setup file; the .EXE you download is the entire package. Simply download it and place the file in a directory of your choosing.The manual for WinDump is pretty much the same as for tcpdump, and is located at www.winpcap.org/windump/docs/manual.htm. Although there are far too many options to explain them all in detail, here are a few that will get you started.

Windump -D lists the interfaces WinDump can see to capture on. Windump -i 2 listens on interface number 2.You could restrict the output to show traffic only to or from the host named lab2003 by entering windump -i 2 host lab2003. Although the command-line syntax is relatively intuitive, there are a lot of options.The manual is very good, with some useful examples at the bottom. In our Wireshark example, we worked with a Telnet session. If we wanted to see traffic to or from host lab2003, with a source or destination port of 23 (used for Telnet), we could enter windump -I 2 -host lab2003 and tcp port 23. Open a Telnet session with lab2003 and the partial output shown below. Note: I removed the time stamps so that every line would not wrap to the next line.

Windump of Telnet Session

windump: listening on \Device\NPF_{C428C1BF-C15A-460B-90D6-3A6F5DF68F22}
IP server.RedHat.2714 > LAB2003.23: S 639728410:639728410(0) win 16384 <mss
1460,nop,nop,sackOK>
IP LAB2003.23 > server.RedHat.2714: S 1106948603:1106948603(0) ack 639728411
win 16384 <mss 1460,nop,nop,sackOK>
IP server.RedHat.2714 > LAB2003.23: . ack 1 win 17520
IP LAB2003.23 > server.RedHat.2714: P 1:22(21) ack 1 win 17520
IP server.RedHat.2714 > LAB2003.23: P 1:4(3) ack 22 win 17499
IP LAB2003.23 > server.RedHat.2714: P 22:30(8) ack 4 win 17517
IP server.RedHat.2714 > LAB2003.23: P 4:28(24) ack 30 win 17491
IP LAB2003.23 > server.RedHat.2714: P 30:65(35) ack 28 win 17493
IP server.RedHat.2714 > LAB2003.23: P 28:31(3) ack 65 win 17456
IP LAB2003.23 > server.RedHat.2714: . ack 31 win 17490
IP server.RedHat.2714 > LAB2003.23: P 31:88(57) ack 65 win 17456
IP LAB2003.23 > server.RedHat.2714: P 65:228(163) ack 88 win 17433
IP server.RedHat.2714 > LAB2003.23: P 88:133(45) ack 228 win 17293
IP LAB2003.23 > server.RedHat.2714: . ack 133 win 17388
IP server.RedHat.2714 > LAB2003.23: P 133:319(186) ack 228 win 17293
IP LAB2003.23 > server.RedHat.2714: P 228:419(191) ack 319 win 17202
IP server.RedHat.2714 > LAB2003.23: . ack 419 win 17102
IP server.RedHat.2714 > LAB2003.23: P 319:320(1) ack 419 win 17102

One obvious thing you will notice is that by default WinDump shows only the high-level header information, not any of the packet data.To display this data, you will need to use the -X or -XX switch. By default,WinDump will display only a certain amount of the data portion of the packet; this is determined by the "snap length."This is set using the -s option on the command line and will default to 68 bytes if it is not set manually.WinDump's extensive filtering options make it a good tool for those times when you need very specific information.You can restrict the output using a number of parameters and end up with a very specific capture of the network traffic.