Saturday, August 30, 2008

Quick View Of Traffic Using Windump

Issue:
Get a view of network traffic using the free, easy-to-install WinDump utility. Also how to check for ARP-happy malware (infected machines that flood the LAN with ARP requests).

Quick:
Download WinPcap and WinDump from winpcap.org. Install WinPcap first (it provides the capture driver), then run WinDump.exe from a command prompt.

Visual/Learning:
WinDump is the Windows port of the Unix tcpdump utility. Like many Unix tools it is a command-line program, so there are no fancy graphics, but it is not hard to use either. It captures through the WinPcap driver, which is why WinPcap has to be installed before WinDump will run.


Download WinPcap utility from http://www.winpcap.org/install/default.htm
Download the WinDump utility from http://www.winpcap.org/windump/install/default.htm


Install WinPcap onto your computer. You will see the Setup screen, Welcome screen, License screen, Install screen, and Finished screen.


Next I copied WinDump.exe to the C:\Utils directory, opened a command prompt, changed to that directory, and ran windump. By default WinDump captures on the first adapter it finds, which in my case is the dial-up adapter rather than the network card, so the first thing to do is pick the right adapter.

I use "windump -D" to list all the adapters. The network card is the one I want, and it is listed as number 2.
Now "windump -n -i 2 -c 10" gives me output from the network card. (-n) means no name lookup (addresses are printed as-is instead of being resolved to host names, which is faster and avoids generating DNS traffic of its own), (-i 2) means use the second adapter, which is the network card, and (-c 10) means stop after capturing 10 packets.
I can also add a filter expression at the end of the command line. Here I am filtering on ARP packets with "windump -n -i 2 -c 10 arp". Note that "arp" is not a text-string search: it is a capture filter in the same syntax tcpdump uses, and it keeps only packets whose link-layer type is ARP, so nothing else is captured or displayed.

Here is the same command except that I am going to (-c 10) get the first 10 ARP packets, (-t) drop the time stamp, and (|) pipe the output to the sort command, sorting from the (/+30) 30th character: "windump -n -t -i 2 -c 10 arp | sort /+30". Unix has better tools for this, but the idea is to sort by the second IP address (the one after "tell", which is the machine asking) so that I can see who is sending the ARP requests. Because sort /+30 sorts on a fixed column, the output only lines up when the first IP addresses on each line are the same length; with mixed-length addresses the sender column shifts. Machines that send a lot of ARP requests, especially for many different addresses, may be infected with malware that is scanning the local network. See this link for a discussion about that.
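Rather than sorting on a fixed column, the check described above can be done by actually parsing the "who-has ... tell ..." lines and counting requests per sender. The script below is an added example, not code from the original post; it reads the output of "windump -n -t -i 2 arp" (the regex also tolerates the timestamp that is present without -t) from a file named on the command line, or, with no argument, from a constructed sample embedded in the script. The threshold of 5 requests and the sample addresses are assumptions for illustration.

```python
"""Count ARP requests per sender in WinDump/tcpdump output to spot an
ARP-happy host. Added example; not part of the original post.

Input format is what "windump -n -t arp" prints, e.g.
    arp who-has 10.0.0.1 tell 10.0.0.7
Lines with a leading timestamp (no -t) and the "(mac)" that newer tcpdump
versions print after the target are handled as well.
"""
import re
import sys
from collections import defaultdict

# Match one ARP request. The lazy ".*?" skips an optional "(mac)" after the
# target, and because we use search() rather than match() a leading
# timestamp is simply ignored. ARP replies ("is-at") never match.
WHO_HAS = re.compile(
    r"who-has (\d{1,3}(?:\.\d{1,3}){3}).*? tell (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample in the format of "windump -n -t -i 2 arp"; not a real
# capture. 10.0.0.7 asks for eight different hosts, the others ask once.
SAMPLE_CAPTURE = """\
arp who-has 10.0.0.1 tell 10.0.0.7
arp reply 10.0.0.1 is-at 00:50:56:aa:bb:01
arp who-has 10.0.0.2 tell 10.0.0.7
arp who-has 10.0.0.3 tell 10.0.0.7
arp who-has 10.0.0.4 tell 10.0.0.7
arp who-has 10.0.0.7 tell 10.0.0.1
arp reply 10.0.0.7 is-at 00:50:56:aa:bb:07
arp who-has 10.0.0.5 tell 10.0.0.7
arp who-has 10.0.0.6 tell 10.0.0.7
arp who-has 10.0.0.12 tell 10.0.0.20
arp who-has 10.0.0.8 tell 10.0.0.7
arp who-has 10.0.0.9 tell 10.0.0.7
"""


def parse_arp_requests(lines):
    """Yield (sender, target) for every ARP request line; replies are skipped."""
    for line in lines:
        m = WHO_HAS.search(line)
        if m:
            yield m.group(2), m.group(1)


def requests_by_sender(lines):
    """Map sender IP -> (request count, set of distinct targets asked for)."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for sender, target in parse_arp_requests(lines):
        counts[sender] += 1
        targets[sender].add(target)
    return {s: (counts[s], targets[s]) for s in counts}


def noisy_senders(lines, threshold=5):
    """Return [(sender, request_count, distinct_targets)] for every sender at
    or above threshold, busiest first. Many requests for many *distinct*
    addresses in a short capture is the sweep pattern worth a closer look;
    many requests for one address is more often a host whose gateway is down.
    """
    summary = requests_by_sender(lines)
    flagged = [(s, n, len(t)) for s, (n, t) in summary.items() if n >= threshold]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_CAPTURE.splitlines()
    for sender, n, distinct in noisy_senders(lines):
        print(f"{sender:<15} {n:>4} requests  {distinct:>3} distinct targets")


if __name__ == "__main__":
    main()
```

To use it on a live capture, save some ARP traffic first ("windump -n -t -i 2 -c 500 arp > arp.txt") and then run "python arp_count.py arp.txt". On the embedded sample only 10.0.0.7 is reported, with 8 requests for 8 distinct targets.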
Here is a manual for the various switches you can use with WinDump http://www.winpcap.org/windump/docs/manual.htm

