Posted by : Muhammad Haseeb Javed Wednesday, January 5, 2011
- WinDump is the porting to the Windows platform of tcpdump, the most used network sniffer/analyzer for UNIX.
WinDump is the porting to the Windows platform of tcpdump, the most prolific network sniffer/analyzer for UNIX. Porting is currently based on version 3.5.2. WinDump is fully compatible with tcpdump and can be used to watch and diagnose network traffic according to various complex rules.
WinDump is simple to use and works at the command prompt level. The syntax that we have used as seen in our screenshot here, is Windump -n -S -vv. The -n option tells Windump to display IP addresses instead of the computers' names. The -S option indicates that the actual TCP/IP sequence numbers should be shown. If this option is omitted, relative numbers will be shown. The -vv options make the output more verbose, adding fields such as time to live and IP ID number to the sniffed information.
Let's take a closer look at how WinDump records various types of packets. Here's a TCP example, which shows a data packet with the PUSH and ACK flags set. First, we have the WinDump log entry for the packet. Immediately after it is the same entry, but with an explanation added for each field:
20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 22.214.171.124.5190: P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)
The above entry can be deciphered as 20:50:00.037087 [timestamp] IP [protocol header follows] (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 [source IP:port] > 126.96.36.199.5190: [destination IP:port] P [push flag] [tcp sum ok] 157351:157357 [sequence numbers] (6) [bytes of data] ack 2475757024 [acknowledgement and sequence number] win 8767 [window size] (DF) [don't fragment set]
The next example is UDP.
20:50:11.190427 [timestamp] IP [protocol header follows] (tos 0x0, ttl 128, id 6071, len 160) 192.168.2.28.3010 [source IP:port] > 192.168.2.1.1900: [destination IP:port] udp [protocol] 132
ICMP log entry looks as given below.
20:50:11.968384 [timestamp] IP [protocol header follows] (tos 0x0, ttl 128, id 8964, len 60) 192.168.2.132 [source IP] > 192.168.2.1: [destination IP] icmp [protocol type] 40: [Time to live] echo request seq 43783 [sequence number]
Finally, WinDump will also capture ARP requests and replies.
20:50:37.333222 [timestamp] arp [protocol] who-has 192.168.2.1 [destination IP] tell 192.168.2.118 [source IP]
20:50:37.333997 [timestamp] arp [protocol] reply 192.168.2.1 [destination IP] is-at 0:a0:c5:4b:52: fc [MAC address]