Lead Image © Barna Tanko, 123RF.com

Lead Image © Barna Tanko, 123RF.com

Handy Windows tools for sniffing network traffic

Sniff Kit

Article from ADMIN 28/2015
You don't need expensive software to study the traffic on your network. We look at some handy sniffers for Windows environments, including SmartSniff, SniffPass, Open Visual Traceroute, and Microsoft Message Analyzer.

Sometimes you just need a quick answer and don't want to slow down to spin up a big, complicated monitoring application. If you work on a Windows network, three useful tools for sniffing traffic and analyzing network packets are SmartSniff [1], SniffPass [2], and Open Visual Traceroute [3]. In this article, I introduce these three handy utilities and also take a look at Microsoft Message Analyzer, which you can call in for more advanced analysis.

Whereas SmartSniff records networks and packets much like Wireshark, SniffPass investigates the transmission of unencrypted passwords. Open Visual Traceroute in turn brings the individual hops from network packets onto the screen, including their targets on the Internet. The tool does not just intercept packets, it also visualizes their path on a globe.

Network Analysis Using SmartSniff

You can use SmartSniff (Figure 1) on almost all Windows systems, including Windows 8.1 and Windows Server 2012 R2. Download, unpack, and start the tool to analyze your network. You won't need to install. The sniffer process will start when you click the green triangle. However, you first need to choose the network adapter on which the tool will be sniffing for network packets. SmartSniff collects TCP/IP packets and displays their contents without the need to install additional drivers. As with most Windows scan programs, you need to install the WinPcap extension [4] for advanced options.

Figure 1: SmartSniff displays packets, their contents, and information on the target and source.

You will see the local IP address, the packet's remote address, the ports used, and possibly also the DNS name, the size of the packet, and the exact times of transmission in the results window. Click on Options | Capture Options to change the network card later. You can also specify whether to use the restricted RAW mode or the superior WinPcap driver mode.

If you still have Microsoft Network Monitor installed on the computer, you can use this driver for advanced scanning options. However, SmartSniff is not yet compatible with Microsoft Message Analyzer, the successor to Microsoft Network Monitor.

If so desired, you can display the country to which the packet was sent in the IP Country column. Download the current, and free, country file IpToCountry.csv [5] (link in the lower-right corner of the website). Unpack the archive in the same directory from which you started SmartSniff. If you now restart the tool and start a new scan, you will see the packet destination country in the column on the far right.

Analyzing Packets in Real Time

When you click on a packet, you see its contents in the field below. You can assess the data according to various criteria. If you click on Options | Display Mode , you switch between different types of display, including Automatic , ASCII , Hex Dump , and URL List . Depending on the mode, SmartSniff displays different information in the packet information window. If set to Automatic, which is the default, the tool checks the first bytes of the data stream. If the bytes contain characters lower than 0x20 (excluding CR, LF, or Tab characters), the tool automatically shows the information in Hex mode; otherwise, SmartSniff uses ASCII mode.

You can also manually enable the mode. Hex Dump mode is slower than ASCII mode. Which to use depends on what data you need and how quickly the measurement needs to take place. The URL List mode filters the display by URL and hides all data except URLs. URL List mode lets you quickly identify which of the packet are sent to various websites on the Internet.

Exporting Packets

You can also export, save, or copy SmartSniff data to other programs, such as Excel, via the clipboard. Simply select the columns whose data you want to analyze later at the top of the window and copy them to the clipboard using the context menu (Figure 2). You can then insert the columns directly into Excel. The Save Packet Summaries option lets you create a text file containing the most important information from the selected packets. Use Export TCP/IP Streams to save the basic packet data and the contents in a text file. If you want to save the whole thing graphically as a report, use the HTML Report – TCP/IP Streams command. The command creates an HTML file with a table and the contents of the packets. At the bottom, you can select the contents of individual packets and copy them to the clipboard using the context menu.

Figure 2: Select the data you wish to copy, and right click to access the context menu.

In addition to the option to save individual packets, you can also back up the data from a complete capture process and load it in SmartSniff at any point. To back up the data, stop the capture process and select File | Save Packets Data to File . Then save the process in an SSP file. You can load this file again in SmartSniff at any time and examine it more closely.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Arp Cache Poisoning and Packet Sniffing

    Intruders rely on arp cache poisoning to conceal their presence on a local network. We'll show you some of the tools an attacker might use to poison the arp cache and gather information on your network.

  • Moving Data Between Virtual Machines
    Network information in virtualized computer landscapes is not easy to access. In this article, we look at a few approaches you can use.
  • Wireshark

    Troubleshoot network problems with this popular protocol analyzer.

  • Security analysis with Microsoft Advanced Threat Analytics
    Classic security safeguards, like antivirus and firewall products, are imperative for system protection. To search proactively for network intruders, as well, Microsoft offers Advanced Threat Analytics – a tool that will help even less experienced admins.
  • Autoconfiguring IPv6 Clients

    Most clients on a network need both an address and some environmental information such as a name server or a web proxy. This article investigates whether a recent operating system on an IPv6-only LAN can handle this.

comments powered by Disqus