
Packet Sniffing In Windows

Windows includes a packet sniffing tool called Network Monitor. You can install Network Monitor in Windows Server 2003 using the following steps:

  1. Click Start, point to Control Panel, and click Add or Remove Programs.
  2. Click Add/Remove Windows Components.
  3. Within the Windows Component wizard, select Management and Monitoring Tools and click the Details button.
  4. Select the Network Monitor Tools check box. Click OK.
  5. Click Next. Click OK.

Once Network Monitor is installed, it is added to the Administrative Tools menu. To launch the console, click Start, point to Administrative Tools, and click Network Monitor.

Network Monitor can display a large amount of information about the frames captured to and from a network adapter card. When Network Monitor is first opened, four panes are displayed within the console. The Graph pane displays the network activity in a bar chart. The Session Stats pane displays information about individual sessions. The Station Stats pane displays statistics about the sessions in which the server is participating. The Total Stats pane displays summary statistics since the capture was started.

To view statistics about network traffic, you must first start a capture. To do so, click the Start option from the Capture menu. To view the captured data, click the Stop and View option from the Capture menu. Network Monitor displays all the frames captured during the capture period in a Summary window. To view specific information about a frame, click the frame within the Summary window.

When you run Network Monitor, all frames going to and from the computer are captured, so a single capture can collect a large number of frames. If you're looking for specific types of traffic, you can create a capture filter to define which types of frames should be captured. To configure capture filters within Network Monitor, choose the Filter option from the Capture menu.

From the Capture Filter window, you can create filters based on the following criteria:

  • Protocol - Allows you to specify the protocols to capture or the specific protocol properties.
  • Address Pairs - Specifies the computer addresses from which frames should be captured.
  • Pattern Matches - Allows you to configure different variables that captured frames should meet.
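To make the three criteria concrete, the following added example (not part of the original article and not Network Monitor's own code) models them in Python over constructed frames. It assumes the configured criteria are combined with AND and that a pattern match is a byte string at an offset from the start of the frame; `build_frame`, `parse`, `capture_filter` and `kept` are hypothetical names.

```python
import struct

PROTOCOLS = {"ICMP": 1, "TCP": 6, "UDP": 17}  # IPv4 protocol numbers

def build_frame(src_ip, dst_ip, proto, payload):
    """Build a constructed Ethernet II + IPv4 frame (checksum left at zero)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     PROTOCOLS[proto], 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + payload

def parse(frame):
    """Return (protocol number, source IP, destination IP), or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return frame[23], dotted(frame[26:30]), dotted(frame[30:34])

def capture_filter(frame, protocols=None, address_pairs=None, pattern=None):
    """Keep a frame only if it satisfies every criterion that is configured."""
    parsed = parse(frame)
    if parsed is None:
        return False
    proto, src, dst = parsed
    if protocols and proto not in {PROTOCOLS[p] for p in protocols}:
        return False
    if address_pairs and not any({src, dst} == {a, b} for a, b in address_pairs):
        return False
    if pattern:
        offset, needle = pattern  # byte offset counted from the start of the frame
        if frame[offset:offset + len(needle)] != needle:
            return False
    return True

# Constructed sample traffic; transport headers are zero-filled placeholders.
FRAMES = [
    build_frame("192.168.1.10", "192.168.1.20", "TCP", bytes(20) + b"GET /index.html"),
    build_frame("192.168.1.20", "192.168.1.10", "TCP", bytes(20) + b"HTTP/1.1 200 OK"),
    build_frame("192.168.1.10", "192.168.1.53", "UDP", bytes(8) + b"dns-query"),
    build_frame("192.168.1.30", "192.168.1.20", "ICMP", bytes(8) + b"ping"),
]

def kept(**criteria):
    """Indexes of the sample frames that a filter with these criteria captures."""
    return [i for i, f in enumerate(FRAMES) if capture_filter(f, **criteria)]
```

For instance, `kept(pattern=(54, b"GET "))` keeps only the first frame, because offset 54 is where the payload begins after the 14-byte Ethernet header, 20-byte IPv4 header and 20-byte TCP placeholder.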

When you capture network traffic, a large number of packets can be displayed when you view the captured data, making it difficult to look for specific information.

Network Monitor enables you to configure display filters so that only specific types of traffic are displayed. To configure a display filter, select the Filter option from the Capture menu after you have run Network Monitor and captured the network traffic.

By configuring triggers, you can have certain actions performed when specific conditions are met. While Network Monitor is capturing data, it examines the contents of the packets, and any packet that meets the defined conditions triggers a specific action. To configure a trigger, click the Capture menu and click Trigger. You can configure any of the following actions to occur when the trigger criteria are met:

  • The computer will beep.
  • Network Monitor will stop capturing frames.
  • A command line program will be executed.

[Diana Huggins]
