The Dark Side of Packet Capture

 By O'Reilly Press

1.8. Microsoft Windows

In general, it is inadvisable to leave packet capture programs installed on Windows systems unless you are quite comfortable with the physical security you provide for those machines: anyone who can sit down at the console can use them to sniff the network segment. Certainly, packet capture programs should never be installed on publicly accessible computers running consumer versions of Windows (95/98), which provide no meaningful access control between users and so offer nothing to stop a walk-up user from starting a capture.

The programs WinDump95 and WinDump are ports of tcpdump to Windows 95/98 and Windows NT, respectively. Each requires the installation of the matching packet capture driver (WinPcap, in the case of the Windows NT version) before it will run. They are run from a command prompt (a DOS window) and have the same basic syntax as tcpdump, so the options and filter expressions described earlier apply unchanged. As tcpdump has already been described, there is little to add here.
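Because the recommendation above is to not leave capture tools on shared Windows machines, the practical follow-up is a way to find out whether a host still has them. The following PowerShell script is an added example, not code from the original article or from any of the tools it describes. It looks for the three footprints a capture installation leaves behind: the kernel capture driver registered as a Windows service (the service names 'npf' for WinPcap and 'npcap' for Npcap are assumptions based on those packages' installers), capture executables reachable on PATH (WinDump from the text plus common successors), and installed products listed under the standard Uninstall registry keys. Tool names, the display-name pattern, and the registry paths are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original article): audit a Windows host for
# leftover packet-capture components. Service names, executable names and
# registry paths are assumptions based on WinPcap/Npcap and the standard
# Windows installer conventions; edit the lists to match your estate.

function Get-PacketCaptureFootprint {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Kernel capture drivers. WinPcap registers the 'npf' service
    #    (NetGroup Packet Filter); Npcap registers 'npcap'. If either is
    #    present, any local user who can run a capture tool can sniff.
    foreach ($svc in 'npf', 'npcap') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s) {
            $findings += [pscustomobject]@{
                Kind   = 'Driver service'
                Name   = $svc
                Detail = "Status=$($s.Status) StartType=$($s.StartType)"
            }
        }
    }

    # 2. Capture executables reachable from PATH. WinDump is the tcpdump
    #    port named in the text; the rest are common companions/successors.
    $exes = 'windump.exe', 'tcpdump.exe', 'ethereal.exe',
            'wireshark.exe', 'tshark.exe', 'dumpcap.exe', 'netmon.exe'
    foreach ($exe in $exes) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) {
            $findings += [pscustomobject]@{
                Kind   = 'Executable on PATH'
                Name   = $exe
                Detail = $cmd.Source
            }
        }
    }

    # 3. Installed products, via the Uninstall keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $pattern  = 'WinPcap|Npcap|WinDump|Ethereal|Wireshark|Network Monitor'
    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -match $pattern }
    foreach ($p in $products) {
        $findings += [pscustomobject]@{
            Kind   = 'Installed product'
            Name   = $p.DisplayName
            Detail = "Version=$($p.DisplayVersion)"
        }
    }

    return $findings
}

# Run the audit and report. An empty result means none of the known
# footprints were found on this host (it does not prove a portable copy
# elsewhere on disk is absent).
$results = Get-PacketCaptureFootprint
if (-not $results) {
    Write-Output 'No packet-capture drivers, tools or products found.'
} else {
    $results | Format-Table -AutoSize
}
```

The driver check is the one that matters most: the executables can be copied back onto the machine in seconds, but a capture tool without its kernel driver cannot open the interface. Run the script as an administrator so the service query and both registry views are readable, and treat any 'Driver service' hit on a publicly accessible machine as something to remove rather than merely note.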

ethereal is also available for Windows and, on the whole, works quite well. The one area in which the port doesn't seem to work is in sending output directly to a printer. However, printing to files works nicely so you can save any output you want and then print it.

One of the more notable capture programs available for Windows platforms is netmon (Network Monitor), a basic version of which is included with Windows NT Server. The netmon program was originally included with Windows NT 3.5 as a means of collecting data to send to Microsoft's technical support. As such, it was not widely advertised. Figure 1-5 shows the packet display window.

Figure 1-5. netmon for Windows

The basic version supplied with Windows NT Server is quite limited in scope. It captures only traffic to or from the server itself (it does not place the interface in promiscuous mode) and severely limits the services it provides. The full version is included as part of the Systems Management Server (SMS), part of the BackOffice suite, and is an extremely powerful program. Of concern with any capture and analysis program is which protocols it can effectively decode. As might be expected, netmon is extremely capable when dealing with Microsoft protocols but offers only basic decoding of Novell protocols. (For Novell protocols, consider Novell's LANalyzer.)

This article was originally published on Dec 4, 2001