Handy Windows tools for sniffing network traffic

Sniff Kit

Testing WiFi for Security Vulnerabilities

If you run SmartSniff and SniffPass in parallel, you can check an insecure WiFi network and read the passwords that travel over it in the clear. Both programs can use the capture driver that ships with Microsoft Network Monitor 3.4 [7], so Network Monitor needs to be installed on the computer.

Start both programs and open the capture settings via Options | Capture Options . Select the Network Monitor Driver 3.x capture method and click the WiFi Monitor Mode button. (Not every wireless adapter supports monitor mode.) Choose the WiFi adapter, select the Switch to Monitor Mode option, and pick the channels you want to listen on. Leave the window open while the capture is running; closing it ends monitor mode and stops the capture.

SmartSniff and SniffPass do not officially support the capture driver from Microsoft Message Analyzer. You can still run the two tools together on computers with Windows 8.1 or Windows Server 2012 R2, but you cannot load the Message Analyzer driver; use the Network Monitor 3.4 driver or WinPcap instead, and make sure WinPcap is installed on the computer. Whether a given frame can be read at all depends far more on the wireless adapter, its driver, the operating system, and the network devices involved than on the sniffer itself.
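What SniffPass is looking for on an open WLAN is nothing more exotic than login commands that the protocols themselves send unencrypted. The following example, added here and not code from SmartSniff, SniffPass, or NirSoft, scans reassembled client-to-server TCP streams for FTP and POP3 USER/PASS pairs, HTTP Basic authentication headers, and SMTP AUTH PLAIN tokens. The streams, ports, user names, and passwords are constructed for the example; no real capture is involved.

```python
"""Find cleartext credentials in reassembled TCP client streams.

Added example for this section; it is not code from SmartSniff or
SniffPass, it only reproduces the class of leak those tools surface.
Each stream is a (server_port, client_payload) pair; the payloads below
are constructed, not captured from a real network.
"""
from __future__ import annotations

import base64
import binascii
from typing import List, Optional, Tuple

Credential = Tuple[str, str, str]  # (protocol, username, password)

# Constructed sample streams: what a client sends over an unencrypted link.
SAMPLE_STREAMS: List[Tuple[int, bytes]] = [
    (21, b"USER alice\r\nPASS s3cret!\r\nLIST\r\n"),                    # FTP login
    (110, b"USER bob@example.test\r\nPASS hunter2\r\nSTAT\r\n"),        # POP3 login
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
         b"Authorization: Basic "
         + base64.b64encode(b"carol:Winter2014") + b"\r\n\r\n"),        # HTTP Basic auth
    (25, b"EHLO laptop\r\nAUTH PLAIN "
         + base64.b64encode(b"\x00dave\x00p@ss") + b"\r\n"),            # SMTP AUTH PLAIN
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),             # start of a TLS ClientHello
]


def _b64decode(token: bytes) -> Optional[bytes]:
    """Decode one base64 token, returning None on malformed input instead of raising."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def _text(raw: bytes) -> str:
    return raw.decode("utf-8", errors="replace")


def extract_credentials(server_port: int, payload: bytes) -> List[Credential]:
    """Return every (protocol, user, password) triple visible in one client stream."""
    found: List[Credential] = []
    lines = payload.split(b"\r\n")

    if server_port in (21, 110):               # FTP and POP3: USER then PASS, in the clear
        proto = "FTP" if server_port == 21 else "POP3"
        user: Optional[str] = None
        for line in lines:
            if line.upper().startswith(b"USER "):
                user = _text(line[5:])
            elif line.upper().startswith(b"PASS ") and user is not None:
                found.append((proto, user, _text(line[5:])))
                user = None

    elif server_port == 80:                    # HTTP Basic: base64 is encoding, not encryption
        for line in lines:
            parts = line.split(b" ", 2)
            if len(parts) == 3 and line.lower().startswith(b"authorization: basic "):
                raw = _b64decode(parts[2])
                if raw and b":" in raw:
                    user_b, pass_b = raw.split(b":", 1)
                    found.append(("HTTP-Basic", _text(user_b), _text(pass_b)))

    elif server_port in (25, 587):             # SMTP AUTH PLAIN: base64 of authzid\0user\0pass
        for line in lines:
            parts = line.split(b" ", 2)
            if len(parts) == 3 and line.upper().startswith(b"AUTH PLAIN "):
                raw = _b64decode(parts[2])
                if raw and raw.count(b"\x00") == 2:
                    _authzid, user_b, pass_b = raw.split(b"\x00")
                    found.append(("SMTP-AUTH-PLAIN", _text(user_b), _text(pass_b)))

    # Anything else (including TLS on 443) is either not a credential exchange
    # or is encrypted, so there is nothing readable to report.
    return found


def scan_capture(streams: List[Tuple[int, bytes]]) -> List[Credential]:
    """Run extract_credentials over every stream of a capture."""
    results: List[Credential] = []
    for port, payload in streams:
        results.extend(extract_credentials(port, payload))
    return results


if __name__ == "__main__":
    for proto, user, password in scan_capture(SAMPLE_STREAMS):
        print(f"{proto:16} user={user!r} password={password!r}")
```

The TLS stream on port 443 yields nothing, which is the whole point: anything the scanner does find was equally visible to every other station on the same open network, and the remedy is to move the service to TLS (or the WLAN to WPA2), not to hide the sniffer.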

Tracking Packets Using Open Visual Traceroute

Open Visual Traceroute plots the path of a packet on a map of the Earth (Figure 4), in addition to capturing and displaying packet data. Install the program first. For a first capture, click Sniffer at the top of the window, enable the TCP , UDP , and ICMP options, and then click the Traceroute icon to start. After a while, you will see the packets and the route they take across the globe.

Figure 4: Open Visual Traceroute tracks the path of a network packet.

Alternatively, you can trace the path to a specific server: click Traceroute and enter the IP address or host name at the top of the window. When you start the trace, the hops the packet passes through are displayed.

Selecting a hop in the right-hand pane shows further information and a graphical display for that step. You can zoom in and out with the mouse wheel or the globe symbol. Bear in mind that the positions come from IP geolocation, so the map is an approximation of where the routers sit, not the physical route of the cable. The software is a useful complement to the data from SmartSniff and SniffPass. If your graphics card supports it, you can switch the display to 3D at the top.

Microsoft Message Analyzer

Microsoft provides Microsoft Message Analyzer [8] for IT professionals who want to perform more in-depth analysis. Message Analyzer runs on Windows 7/8/8.1 and Windows Server 2008 R2/2012/2012 R2 and requires .NET Framework 4.5. (Microsoft has since retired the product; the download was withdrawn in November 2019, so existing installations are all that remain.)

Unlike the other tools in this article, Microsoft Message Analyzer (Figure 5) is quite complicated and really only suitable for advanced analysis. Like its predecessor, Microsoft Network Monitor, it is not the tool for a quick capture. You can start a first capture with File | Quick Trace | Local Network Interfaces . The tool must be started with administrator rights to capture on workstations.

Figure 5: Use Microsoft Message Analyzer for more complex network analysis problems.

In addition to plain capture and analysis, you can examine congestion and other troubleshooting issues in detail. The version current at the time of writing supports the SMB protocol version shipped with Windows Server 2012 R2 (SMB 3.02). Message Analyzer can also start captures on several computers at the same time (Multiple Remote Capture ) and have them forwarded to a central client, which collects, evaluates, and displays the data.

Microsoft Message Analyzer can decrypt SSL/TLS traffic, but only if you provide the server's certificate together with its private key. Even then, decryption is limited to sessions negotiated with RSA key transport; forward-secret cipher suites (ephemeral Diffie-Hellman) cannot be decrypted with the server key alone. You will find a comprehensive guide to Message Analyzer in TechNet [9]. Microsoft also shows the capabilities of the program in a video on YouTube [10]. For more information, see the TechNet blog [11].
