WinDump: The tcpdump tool for Windows


Serdar Yegulalp
11.23.2005


Windows ports of the most powerful and widely used Unix command-line tools are actually fairly common; I've used several Windows versions of the search tool grep, for instance. Among the most useful is tcpdump, a tool that captures packets from a network interface and reports their headers for further analysis. CACE Technologies has compiled a Windows port of the program named WinDump, with nearly the entire feature set of its Unix-based brethren. The full source code is included as well, in case you want to compile a custom version.

Dumping network traffic has many possible applications. I've used it to check whether malware was installed on a machine by watching for packets leaving the computer when nothing should have been generating traffic; the capture also shows the header fields and the destination of that traffic. Besides logging all available traffic, the program can capture and report only the packets whose headers match given criteria, which is useful when you already know what you're looking for and want to cut to the chase.

Installation and basic use

WinDump comes in two parts. The first is WinPcap, a packet-capture driver and library that WinDump uses to obtain packet-level access to the machine's network interfaces; installing it loads a kernel-mode driver, so it needs administrative rights. The second is the program itself, windump, which you run from the command line once WinPcap is installed.

The first option you'll want to use is -D, which lists the network interfaces available on the system. By default the program listens on the first interface in that list, which on Windows is typically the software dial-up adapter rather than a physical network adapter. The output of -D usually looks something like this:

1.\Device\NPF_GenericDialupAdapter (Generic dialup adapter)
2.\Device\NPF_{707E0236-BEE4-4097-93B1-56DEC35564AA} (Intel DC21140 PCI Fast Ethernet Adapter (Microsoft's Packet Scheduler) )

To capture on a specific adapter, pass its number to the -i switch; for the Ethernet adapter listed above, that is windump -i 2. This is a lot easier than typing the GUID, but bear in mind that the numbering can change when hardware or software adapters are added or removed. For a capture you intend to script or repeat, -i also accepts the full \Device\NPF_... name, which stays the same regardless of ordering.

Windump can filter what it captures by protocol, host or port using a filter expression given on the command line (the same Berkeley Packet Filter syntax tcpdump uses). The syntax is fairly involved and is explained in detail in the program's documentation, but here are some examples:

windump -i 2 port 80

Captures all traffic on interface #2 with a source or destination port of 80.

windump -i 2 host im-chat.com

Captures all traffic on interface #2 to or from the host im-chat.com. The name is resolved once, when the capture starts, so the filter matches whatever address it resolved to at that moment.

windump -i 1 net 127

Captures all traffic on interface #1 to or from the network 127.0.0.0/8 (a single octet after net means a /8 network; two octets mean a /16, and so on).

These primitives can be combined freely with and, or and not, and negated or grouped as needed.

Output

By default, the program prints a one-line summary of each packet to the console. Unless you're only observing traffic casually, you'll want to save the packets to a file with the -w <filename> switch. The file is written in binary libpcap format (the same format Ethereal and other analyzers read), not as text, and any existing file of that name is silently overwritten, so be careful you don't erase already-captured data this way!

If you plan to look at the output file while the program is still running, add the -U option. It forces the program to write each packet to the file as soon as it is received. By default the output is buffered and written out in chunks only as the buffer fills, so the tail of the file lags behind the live traffic.

By default, windump saves only the first few dozen bytes of each packet, which is enough for the headers but not the payload. The -s 0 option makes it keep every packet in full. Note that a full-payload capture contains whatever crossed the wire in the clear, including credentials and page content, so treat the file as sensitive. To see payloads on the console, combine -s 0 with -A, which prints each packet's contents as ASCII (it has no effect on a -w file, which is always binary); Web pages captured this way are human-readable as long as the server hasn't sent them gzip- or deflate-compressed.

Another useful option, -C <filesize> (used together with -w), splits the capture across multiple files, each no larger than <filesize>. The first file gets the name you gave -w and each successive file has an incrementing number appended. <filesize> is measured in millions of bytes: with -C 5, each file is at most 5,000,000 bytes long.

When you stop the program (usually with Ctrl-Break), it prints a summary to the console of how many packets were captured, how many were received by the filter and how many were dropped for lack of buffer space. If packets are being dropped, enlarge the capture buffer with -B <size>, where <size> is in kilobytes; the default is 1 MB. Capturing less per packet (a small -s) and filtering tightly also reduce drops, because less data has to be copied out of the driver.
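The interface-selection caveat above (adapter numbers shift) and the capture options just described come together in the following added example. It is my own Python, not code from the article or from the WinDump project: it parses the text that windump -D prints (the listing below is a constructed copy of the article's sample output), picks an adapter by its description, refuses to guess when the match is ambiguous, and assembles a windump command line using the device name rather than the number. It never invokes windump itself.

```python
"""Pick a WinDump interface by description instead of by list position and
build the capture command line. Added example; windump is not run here."""
import re

# Constructed sample of 'windump -D' output (copied from the article's listing).
LISTING = r"""
1.\Device\NPF_GenericDialupAdapter (Generic dialup adapter)
2.\Device\NPF_{707E0236-BEE4-4097-93B1-56DEC35564AA} (Intel DC21140 PCI Fast Ethernet Adapter (Microsoft's Packet Scheduler) )
"""

# "<number>.<device name> (<description>)"; the description may itself
# contain parentheses, so match greedily up to the final closing one.
LINE = re.compile(r"^(\d+)\.(\S+)\s+\((.*)\)\s*$")


def parse_listing(text):
    """Return [(number, device_name, description)] for each adapter line."""
    adapters = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            adapters.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return adapters


def pick_interface(text, pattern, skip_dialup=True):
    """Return the \\Device\\NPF_... name whose description matches pattern.

    Exactly one adapter must match: silently capturing on the wrong
    adapter is worse than failing, so ambiguity raises LookupError.
    """
    hits = [a for a in parse_listing(text)
            if re.search(pattern, a[2], re.IGNORECASE)
            and not (skip_dialup and "dialup" in a[2].lower())]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} adapters match {pattern!r}; refine the pattern")
    return hits[0][1]


def capture_command(device, bpf, outfile, file_mb=5, buffer_kb=4096):
    """Assemble the command line: -i by stable device name, -s 0 for whole
    packets, -U so the file can be read while capturing, -C to rotate files
    every file_mb million bytes and -B to enlarge the driver buffer (KB).
    The BPF expression is split on whitespace, so quote nothing inside it."""
    return (["windump", "-i", device, "-s", "0", "-U", "-w", outfile,
             "-C", str(file_mb), "-B", str(buffer_kb)] + bpf.split())


if __name__ == "__main__":
    dev = pick_interface(LISTING, "ethernet")
    print(" ".join(capture_command(dev, "port 80", "web.pcap")))
```

Feed the function the real output of windump -D (for instance via subprocess) and the returned command list can be passed straight to subprocess.Popen; because -i gets the device name, the script keeps working after a VPN or virtual adapter is added and renumbers the list.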

Advanced features

One of the more powerful uses of WinDump is decoding IPsec traffic protected with ESP. It is not a trivial operation, however: the program must have been compiled with the cryptography option (libcrypto support) enabled, and you must know the ESP key for the security association in question, which is supplied on the command line with the -E switch. Building a crypto-enabled WinDump is well outside the scope of this article.

If you'd rather keep the filter in a file, use -F <filename> to read the filter expression from it. Note that any filter expression given on the command line is then ignored.

Finally, to read and filter previously captured data rather than live traffic from an adapter, use the -r <filename> switch. This lets you capture everything first with -w and apply filters after the fact, as many times as you like, against the same file.
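To make concrete what the host, port and net primitives match, and what -s does to the saved records, here is an added example of my own (not code from the article or from tcpdump/WinDump): a minimal reader for the libpcap format that -w writes, with a matcher that reproduces the "either direction" semantics of those three primitives, the way windump -r <file> <filter> would. The capture it works on is constructed in memory from hand-built Ethernet/IPv4/TCP frames with zero checksums (the addresses are documentation ranges and the frames are never sent), and it is written with a 68-byte snaplen so the truncation -s causes is visible in the record lengths.

```python
"""Read a WinDump/tcpdump -w (libpcap) capture and apply host/port/net
matching with BPF's either-direction semantics. Added example; the capture
is constructed in memory and is not a real trace."""
import struct
from ipaddress import IPv4Address, IPv4Network

LINKTYPE_ETHERNET = 1  # link type WinDump records for an Ethernet adapter


def _ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; it is
    only written to a file, never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(frames, snaplen=65535):
    """Serialise frames as a little-endian pcap file. Like -s N, each record
    keeps at most snaplen bytes but still records the original length."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1_000_000 + n, 0, len(kept), len(frame)) + kept
    return out


def read_pcap(blob):
    """Yield (caplen, wirelen, data) for each record; handles both byte orders."""
    magic = blob[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a pcap file")
    end = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack(end + "IHHiIII", blob[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(blob):
        _, _, caplen, wirelen = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        yield caplen, wirelen, blob[off:off + caplen]
        off += caplen


def decode(data):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame, with ports
    only for TCP/UDP; None for non-IPv4 frames or headers cut off by snaplen."""
    if len(data) < 34 or data[12:14] != b"\x08\x00":
        return None
    ihl, proto = (data[14] & 0x0F) * 4, data[23]
    src, dst = str(IPv4Address(data[26:30])), str(IPv4Address(data[30:34]))
    l4 = 14 + ihl
    if proto not in (6, 17) or len(data) < l4 + 4:
        return (src, dst, proto, None, None)
    sport, dport = struct.unpack("!HH", data[l4:l4 + 4])
    return (src, dst, proto, sport, dport)


def matches(info, host=None, port=None, net=None):
    """BPF-style primitives: host and port match either direction; net with
    k dotted octets means a /(8*k) network, so net="127" is 127.0.0.0/8."""
    if info is None:
        return False
    src, dst, _, sport, dport = info
    if host and host not in (src, dst):
        return False
    if port and port not in (sport, dport):
        return False
    if net:
        octets = net.split(".")
        network = IPv4Network(".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}")
        if IPv4Address(src) not in network and IPv4Address(dst) not in network:
            return False
    return True


def filter_capture(blob, **primitives):
    """The offline equivalent of 'windump -r file <filter>'."""
    hits = []
    for _, _, data in read_pcap(blob):
        info = decode(data)
        if matches(info, **primitives):
            hits.append(info)
    return hits


# Constructed capture: a web request/response pair, a TLS connection and an
# unrelated flow, saved with a 68-byte snaplen as an old default -s would.
CAPTURE = write_pcap([
    _ipv4_tcp_frame("10.0.0.5", "198.51.100.7", 49152, 80, b"GET / HTTP/1.1\r\n"),
    _ipv4_tcp_frame("198.51.100.7", "10.0.0.5", 80, 49152, b"HTTP/1.1 200 OK\r\n"),
    _ipv4_tcp_frame("10.0.0.5", "203.0.113.9", 49153, 443),
    _ipv4_tcp_frame("10.0.0.5", "192.0.2.20", 49154, 5190),
], snaplen=68)

if __name__ == "__main__":
    for rec in filter_capture(CAPTURE, port=80):
        print(rec)
```

Both HTTP packets match port=80 even though only one has 80 as its destination, which is the point of the "to or from" wording above; and because the ports live in the first 38 bytes of the frame, the 68-byte snaplen still leaves enough for the filter to work while the payloads are lost, exactly the trade-off -s controls.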

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators, and please share your thoughts as well!


All Rights Reserved, Copyright 2004 - 2008, TechTarget