See WinDump: tcpdump
for Windows. http://windump.polito.it/
windump.exe is a command-line utility that does not need to be installed
or registered: you can download it and start using it immediately. Do not
forget to install WinPcap from the same web site, because windump needs it
in order to run.
Since windump is a full port of tcpdump, it supports all of tcpdump's
flags, parameters and settings. I will point out only a few common tasks
that I performed while learning windump:
1. List the interfaces of the computer and select the appropriate
interface for sniffing.
By default windump collects data only from the first interface, so if you
need another one, you first have to list them:
C:\>windump -D
1.\Device\NPF_{570CF22E-921A-4B7D-8733-2731EBA547DB} (Intel(R) PRO Adapter)
2.\Device\NPF_{9650FC49-566B-442E-9877-5D9322B9996F} (Intel DC21140 PCI
Fast Ethernet Adapter)
and then explicitly set the appropriate interface. For example, if you
want to use the Intel DC21140 PCI Fast Ethernet Adapter from the example
above, you have to use the -i flag with its number:
C:\>windump -i2
windump: listening on \Device\NPF_{9650FC49-566B-442E-9877-5D9322B9996F}
22:47:54.456100 IP evrtwa1-ar6-4-46-155-139.evrtwa1.dsl-verizon.net.4101
> netgroup-serv.polito.it.80: R 2567692119:2567692119(0) win 0 (DF)
2. Setting the buffer for capturing.
You have two ways to change the default value for the buffer size, which
is 68 bytes: by setting the -c flag and a number in bytes:
C:\>windump -i2 -c1000
or by setting the -B flag and a number in kilobytes:
C:\>windump -i2 -B100
windump: listening on \Device\NPF_{9650FC49-566B-442E-9877-5D9322B9996F}
23:54:12.590038 IP crtntx1-ar8-4-47-218-009.crtntx1.dsl-verizon.net >
evrtwa1-ar6-4-46-155-139.
3. Getting a detailed log in readable format.
I was not able to find a simpler sample than setting the -X flag, which
gives you a detailed log in both HEX and ASCII:
C:\>windump -i2 -B100 -X
windump: listening on \Device\NPF_{9650FC49-566B-442E-9877-5D9322B9996F}
23:56:37.711862 IP evrtwa1-ar6-4-46-155-139.evrtwa1.dsl-verizon.net.4329
> vnsc-pri-dsl.genuity.net.53: 35266+ A? www.privet.com. (32)
23:56:39.167910 IP evrtwa1-ar6-4-46-155-139.evrtwa1.dsl-verizon.net.4333
> 4.35.253.46.80: P 1:868(867) ack 1 win 17520 (DF)
0x0000 4500 038b edc2 4000 8006 689f 042e 9b8b E.....@...h.....
0x0010 0423 fd2e 10ed 0050 d7ff 459b 463b c661 .#.....P..E.F;.a
0x0020 5018 4470 b2e2 0000 4745 5420 2f66 6f72 P.Dp....GET./for
0x0030 756d 2f74 656d 706c 6174 6573 2f73 7562 um/templates/sub
0x0040 5369 6c76 6572 2f69 6d61 6765 732f 6963 Silver/images/ic
0x0050 6f6e on
23:56:39.168376 IP evrtwa1-ar6-4-46-155-139.evrtwa1.dsl-verizon.net.4332
> 4.35.253.46.80: P 2551:3421(870) ack 422 win 17099 (DF)
0x0000 4500 038e edc4 4000 8006 689a 042e 9b8b E.....@...h.....
0x0010 0423 fd2e 10ec 0050 d7fc d270 4638 f675 .#.....P...pF8.u
0x0020 5018 42cb 104a 0000 4745 5420 2f66 6f72 P.B..J..GET./for
0x0030 756d 2f74 656d 706c 6174 6573 2f73 7562 um/templates/sub
0x0040 5369 6c76 6572 2f69 6d61 6765 732f 6963 Silver/images/ic
0x0050 6f6e on
4. Dump the data for a given port.
If you want to capture one kind of traffic, such as HTTP, you have to do the following:
c:\>windump -i1 -s 65535 -X tcp port 8080
or, for Unix boxes, the equivalent tcpdump command:
/usr/local/sbin/tcpdump -i1 -s 65535 -X tcp port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hme0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:28:33.619750 IP 192.168.9.2.44534 > test249.8080: S 426495546:426495546(0) win 64240
0x0000 4500 0030 c375 4000 7d06 a006 c0a8 0902 E..0.u@.}.......
0x0010 c0a8 0ff9 adf6 1f90 196b ce3a 0000 0000 .........k.:....
0x0020 7002 faf0 38b6 0000 0204 05b4 0101 0402 p...8...........
19:28:33.619887 IP test249.8080 > 192.168.9.2.44534: S 2745937907:2745937907(0) ack 426495547 win 24820
0x0000 4500 0030 9a67 4000 4006 0615 c0a8 0ff9 E..0.g@.@.......
0x0010 c0a8 0902 1f90 adf6 a3ab aff3 196b ce3b .............k.;
0x0020 7012 60f4 7f02 0000 0101 0402 0204 05b4 p.`.............
19:28:33.621029 IP 192.168.9.2.44534 > test249.8080: . ack 1 win 64240
0x0000 4500 0028 c376 4000 7d06 a00d c0a8 0902 E..(.v@.}.......
0x0010 c0a8 0ff9 adf6 1f90 196b ce3b a3ab aff4 .........k.;....
0x0020 5010 faf0 11ca 0000 0000 0000 0000 P.............
19:28:33.639617 IP 192.168.9.2.44534 > test249.8080: P 1:34(33) ack 1 win 64240
0x0000 4500 0049 c377 4000 7d06 9feb c0a8 0902 E..I.w@.}.......
0x0010 c0a8 0ff9 adf6 1f90 196b ce3b a3ab aff4 .........k.;....
0x0020 5018 faf0 ad3c 0000 4745 5420 2f34 672f P....<..GET./4g/
0x0030 773f 753d 3432 3539 3939 3939 3939 2048 w?u=4259999999.H
0x0040 5454 502f 312e 310d 0a TTP/1.1..
19:28:33.639686 IP test249.8080 > 192.168.9.2.44534: . ack 34 win 24820
0x0000 4500 0028 9a68 4000 4006 061c c0a8 0ff9 E..(.h@.@.......
0x0010 c0a8 0902 1f90 adf6 a3ab aff4 196b ce5c .............k.\
0x0020 5010 60f4 aba5 0000 P.`.....
19:28:33.640903 IP 192.168.9.2.44534 > test249.8080: P 34:317(283) ack 1 win 64240
0x0000 4500 0143 c378 4000 7d06 9ef0 c0a8 0902 E..C.x@.}.......
0x0010 c0a8 0ff9 adf6 1f90 196b ce5c a3ab aff4 .........k.\....
0x0020 5018 faf0 8948 0000 5573 6572 2d41 6765 P....H..User-Age
0x0030 6e74 3a20 3474 6870 6173 7320 4b42 726f nt:.4thpass.KBro
0x0040 7773 6572 2f33 2e30 206a 326d 650d 0a41 wser/3.0.j2me..A
0x0050 6363 6570 743a 2061 7070 6c69 6361 7469 ccept:.applicati
0x0060 6f6e 2f78 2d6a 6176 612d 6172 6368 6976 on/x-java-archiv
0x0070 652c 2074 6578 742f 7868 746d 6c2c 2069 e,.text/xhtml,.i
0x0080 6d61 6765 2f77 626d 702c 2061 7070 6c69 mage/wbmp,.appli
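The -X rows above are the whole packet (minus the link-layer header, which is why every packet starts with 4500) as 16-bit hex groups with an ASCII column. The following added example, which is not part of the original page or of the WinDump project, parses that output back into bytes and decodes the IPv4 and TCP headers, so that the fields windump summarises (addresses, ports, sequence numbers, window, S/P/. flags) can be checked against the raw bytes, including the IP header checksum. Its input is copied from the first four packets of the task 4 session above (the three-way handshake and the first HTTP segment); the flag letters, the "captured" versus "IP total length" comparison and the Ethernet-padding trim are the parts worth noting. The 68 bytes mentioned in task 2 is tcpdump's default snapshot length, which -s changes (task 4 uses -s 65535); a packet longer than the snapshot length is stored cut off, which the "truncated" field reports. (-c, by contrast, stops the capture after that many packets.)

```python
"""Parse windump/tcpdump -X output (summary line plus hex/ASCII rows per packet),
rebuild the packet bytes and decode the IPv4 and TCP headers."""
import re
import struct
from ipaddress import IPv4Address

# Input copied from the page's task 4 session (first four packets). The page
# collapsed the whitespace, so the parser must not depend on column positions.
SAMPLE_DUMP = """\
19:28:33.619750 IP 192.168.9.2.44534 > test249.8080: S 426495546:426495546(0) win 64240
0x0000 4500 0030 c375 4000 7d06 a006 c0a8 0902 E..0.u@.}.......
0x0010 c0a8 0ff9 adf6 1f90 196b ce3a 0000 0000 .........k.:....
0x0020 7002 faf0 38b6 0000 0204 05b4 0101 0402 p...8...........
19:28:33.619887 IP test249.8080 > 192.168.9.2.44534: S 2745937907:2745937907(0) ack 426495547 win 24820
0x0000 4500 0030 9a67 4000 4006 0615 c0a8 0ff9 E..0.g@.@.......
0x0010 c0a8 0902 1f90 adf6 a3ab aff3 196b ce3b .............k.;
0x0020 7012 60f4 7f02 0000 0101 0402 0204 05b4 p.`.............
19:28:33.621029 IP 192.168.9.2.44534 > test249.8080: . ack 1 win 64240
0x0000 4500 0028 c376 4000 7d06 a00d c0a8 0902 E..(.v@.}.......
0x0010 c0a8 0ff9 adf6 1f90 196b ce3b a3ab aff4 .........k.;....
0x0020 5010 faf0 11ca 0000 0000 0000 0000 P.............
19:28:33.639617 IP 192.168.9.2.44534 > test249.8080: P 1:34(33) ack 1 win 64240
0x0000 4500 0049 c377 4000 7d06 9feb c0a8 0902 E..I.w@.}.......
0x0010 c0a8 0ff9 adf6 1f90 196b ce3b a3ab aff4 .........k.;....
0x0020 5018 faf0 ad3c 0000 4745 5420 2f34 672f P....<..GET./4g/
0x0030 773f 753d 3432 3539 3939 3939 3939 2048 w?u=4259999999.H
0x0040 5454 502f 312e 310d 0a TTP/1.1..
"""

HEX_TOKEN = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")
TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"))  # tcpdump's letters


def parse_dump(text):
    """Split -X output into packets, returned as (summary_line, packet_bytes)."""
    packets, summary, data = [], None, bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if not tokens[0].startswith("0x"):  # a new packet starts with its summary line
            if summary is not None:
                packets.append((summary, bytes(data)))
            summary, data = line, bytearray()
            continue
        offset = int(tokens[0].rstrip(":"), 16)  # newer tcpdump prints "0x0000:"
        if offset != len(data):
            raise ValueError("row %#06x does not follow %d bytes" % (offset, len(data)))
        for n, tok in enumerate(tokens[1:]):
            # At most 8 groups of 16 bits per row; a 2-digit group is a trailing odd
            # byte. The first non-hex token (or anything past group 8) is the ASCII
            # column; a last row whose ASCII column happens to start with hex-looking
            # text would be misread, which the collapsed whitespace makes unavoidable.
            if n == 8 or not HEX_TOKEN.fullmatch(tok):
                break
            data += bytes.fromhex(tok)
            if len(tok) == 2:
                break
    if summary is not None:
        packets.append((summary, bytes(data)))
    return packets


def ip_checksum(header):
    """RFC 1071 one's-complement sum of the IPv4 header; 0 when its checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode(pkt):
    """Decode IPv4 and TCP headers from bytes that start at the IP header."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl,
            "proto": proto, "ip_total_length": total_len, "captured": len(pkt),
            "truncated": len(pkt) < total_len,  # snapshot length cut the packet
            "ip_checksum_ok": ip_checksum(pkt[:ihl]) == 0}
    if proto == 6 and len(pkt) >= ihl + 20:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
        doff = (off_flags >> 12) * 4
        flags = off_flags & 0x1FF
        # Trim to the IP total length: short frames carry Ethernet padding after the
        # TCP header (the pure ACK above: 46 bytes captured, 40 in the datagram).
        payload = pkt[ihl + doff:min(total_len, len(pkt))]
        info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                     "flags": "".join(l for bit, l in TCP_FLAG_LETTERS if flags & bit) or ".",
                     "payload": payload})
    return info


def decode_dump(text):
    return [decode(pkt) for _summary, pkt in parse_dump(text)]


if __name__ == "__main__":
    for summary, pkt in parse_dump(SAMPLE_DUMP):
        d = decode(pkt)
        print(summary)
        print("  %s:%d -> %s:%d flags=%s seq=%d win=%d captured=%d/%d csum_ok=%s payload=%r" % (
            d["src"], d["sport"], d["dst"], d["dport"], d["flags"], d["seq"], d["window"],
            d["captured"], d["ip_total_length"], d["ip_checksum_ok"], d["payload"]))
```

Run it as a script to see one decoded line per packet; the third packet shows 46 bytes captured for a 40-byte datagram, which is padding, not data, and would pollute the payload if it were not trimmed.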
5. Save the log to a file.
If you want to capture traffic to a file, you have to write the raw
capture to a file with -w:
C:\>windump -i2 -X -w windump_raw.log
Alternatively, you can read that raw file back with -r and redirect the
decoded output to a text file with this command:
C:\>windump -i2 -X -r windump_raw.log
> windump_text.log
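The file that -w produces is a binary libpcap savefile (the format tcpdump, windump -r and Wireshark read), not text, which is why the decoded text log has to be made by reading it back. The following added example, not from the page or from the WinDump project, writes and reads that format so the two length fields of each record can be seen: incl_len is what the capture saved and orig_len is the length on the wire, so a frame longer than the snapshot length (68 bytes by default, 65535 in task 4) is stored cut off. The Ethernet header, MAC addresses, timestamps and the 300-byte filler frame are constructed for the example; the 48-byte TCP SYN is the one shown in the task 4 dump.

```python
"""Write and read the libpcap savefile format that windump -w produces and -r reads."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-timestamp savefile; stored in the writer's byte order
LINKTYPE_ETHERNET = 1

# Constructed sample frames (not from the page): a made-up 14-byte Ethernet header
# (dst MAC, src MAC, EtherType 0x0800) in front of the 48-byte SYN from the page's
# task 4 dump, plus a 300-byte filler frame that is longer than the 68-byte default.
ETH = bytes.fromhex("001122334455 0a0b0c0d0e0f 0800")
SYN = bytes.fromhex(
    "4500 0030 c375 4000 7d06 a006 c0a8 0902"
    "c0a8 0ff9 adf6 1f90 196b ce3a 0000 0000"
    "7002 faf0 38b6 0000 0204 05b4 0101 0402")
FRAMES = [(1000000000, 619750, ETH + SYN),      # (ts_sec, ts_usec, frame) with made-up times
          (1000000000, 639617, bytes(300))]


def write_pcap(frames, snaplen):
    """Build a savefile; frames longer than snaplen are cut as a capture with -s would."""
    # global header: magic, version 2.4, timezone offset, sigfigs, snaplen, link type
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in frames:
        saved = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(saved), len(frame)) + saved
    return bytes(out)


def read_pcap(blob):
    """Return (snaplen, linktype, records); each record is (ts_sec, ts_usec, orig_len, data)."""
    magic = blob[:4]
    if magic == b"\xd4\xc3\xb2\xa1":     # written on a little-endian host
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":   # written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a microsecond pcap savefile: %r" % magic)
    _magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "IHHiIII", blob[:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    records, pos = [], 24
    while pos < len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", blob[pos:pos + 16])
        pos += 16
        data = blob[pos:pos + incl_len]
        if len(data) != incl_len:        # file cut short, e.g. a capture that was killed
            raise ValueError("truncated record at offset %d" % pos)
        pos += incl_len
        records.append((ts_sec, ts_usec, orig_len, data))
    return snaplen, linktype, records


def saved_vs_wire(snaplen):
    """Round-trip FRAMES through a savefile and return (bytes saved, bytes on wire) per record."""
    snap, linktype, records = read_pcap(write_pcap(FRAMES, snaplen))
    assert snap == snaplen and linktype == LINKTYPE_ETHERNET
    return [(len(data), orig_len) for _s, _u, orig_len, data in records]


if __name__ == "__main__":
    for snaplen in (68, 65535):
        print("snaplen %5d: %s" % (snaplen, saved_vs_wire(snaplen)))
```

With the 68-byte default the second record is stored as 68 of 300 bytes, which is exactly the situation the -s 65535 in task 4 avoids; the SYN frame (62 bytes) fits either way.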