Handy Windows tools for sniffing network traffic
Sniff Kit
Sometimes you just need a quick answer and don't want to slow down to spin up a big, complicated monitoring application. If you work on a Windows network, three useful tools for sniffing traffic and analyzing network packets are SmartSniff [1], SniffPass [2], and Open Visual Traceroute [3]. In this article, I introduce these three handy utilities and also take a look at Microsoft Message Analyzer, which you can call in for more advanced analysis.
Whereas SmartSniff records networks and packets much like Wireshark, SniffPass investigates the transmission of unencrypted passwords. Open Visual Traceroute in turn brings the individual hops from network packets onto the screen, including their targets on the Internet. The tool does not just intercept packets, it also visualizes their path on a globe.
Network Analysis Using SmartSniff
You can use SmartSniff (Figure 1) on almost all Windows systems, including Windows 8.1 and Windows Server 2012 R2. Download, unpack, and start the tool to analyze your network. You won't need to install. The sniffer process will start when you click the green triangle. However, you first need to choose the network adapter on which the tool will be sniffing for network packets. SmartSniff collects TCP/IP packets and displays their contents without the need to install additional drivers. As with most Windows scan programs, you need to install the WinPcap extension [4] for advanced options.
You will see the local IP address, the packet's remote address, the ports used, and possibly also the DNS name, the size of the packet, and the exact times of transmission in the results window. Click on Options | Capture Options to change the network card later. You can also specify whether to use the restricted RAW mode or the superior WinPcap driver mode.
If you still have Microsoft Network Monitor installed on the computer, you can use this driver for advanced scanning options. However, SmartSniff is not yet compatible with Microsoft Message Analyzer, the successor to Microsoft Network Monitor.
If so desired, you can display the country to which the packet was sent in the IP Country column. Download the current, and free, country file IpToCountry.csv [5] (link in the lower-right corner of the website). Unpack the archive in the same directory from which you started SmartSniff. If you now restart the tool and start a new scan, you will see the packet destination country in the column on the far right.
Analyzing Packets in Real Time
When you click on a packet, you see its contents in the field below. You can assess the data according to various criteria. If you click on Options | Display Mode, you switch between different types of display, including Automatic, ASCII, Hex Dump, and URL List. Depending on the mode, SmartSniff displays different information in the packet information window. If set to Automatic, which is the default, the tool checks the first bytes of the data stream. If the bytes contain characters lower than 0x20 (excluding CR, LF, or Tab characters), the tool automatically shows the information in Hex mode; otherwise, SmartSniff uses ASCII mode.
You can also select the mode manually. Hex Dump mode is slower than ASCII mode. Which to use depends on what data you need and how quickly the measurement needs to take place. The URL List mode filters the display by URL and hides all data except URLs. URL List mode lets you quickly identify which of the packets are sent to various websites on the Internet.
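The Automatic mode heuristic described above, as an added example that is not SmartSniff's own code: it inspects the first bytes of a payload, picks Hex mode if any byte below 0x20 other than CR, LF, or Tab is present, and otherwise uses ASCII mode. The 64-byte probe length and the sample payloads are assumptions of this example, not values from the article.

```python
from typing import Tuple

# Control bytes that the Automatic heuristic still treats as text.
TEXT_CONTROL_BYTES = {0x09, 0x0A, 0x0D}  # Tab, LF, CR


def choose_display_mode(payload: bytes, probe_len: int = 64) -> str:
    """Return "hex" if the first probe_len bytes contain a control
    character other than Tab/LF/CR, otherwise "ascii".
    The probe length is an assumption; the article only says
    "the first bytes" of the stream are checked."""
    for b in payload[:probe_len]:
        if b < 0x20 and b not in TEXT_CONTROL_BYTES:
            return "hex"
    return "ascii"


def hex_dump(payload: bytes, width: int = 16) -> str:
    """Render bytes as an offset / hex / ASCII dump, the way a Hex Dump
    display mode shows a packet's contents. Non-printable bytes are
    shown as '.' in the ASCII column."""
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part}  {asc_part}")
    return "\n".join(lines)


def render(payload: bytes) -> Tuple[str, str]:
    """Apply the Automatic heuristic and render the payload accordingly."""
    mode = choose_display_mode(payload)
    if mode == "hex":
        return mode, hex_dump(payload)
    return mode, payload.decode("ascii", errors="replace")


# Constructed sample payloads (not captured traffic): a plain-text HTTP
# request and the start of a binary TLS record (0x16 = handshake).
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_RECORD = bytes.fromhex("160301002a010000260303") + b"\x00" * 32

if __name__ == "__main__":
    for name, data in (("http", HTTP_REQUEST), ("tls", TLS_RECORD)):
        mode, text = render(data)
        print(f"--- {name}: {mode} mode ---")
        print(text)
```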
Exporting Packets
You can also export, save, or copy SmartSniff data to other programs, such as Excel, via the clipboard. Simply select the columns whose data you want to analyze later at the top of the window and copy them to the clipboard using the context menu (Figure 2). You can then insert the columns directly into Excel. The Save Packet Summaries option lets you create a text file containing the most important information from the selected packets. Use Export TCP/IP Streams to save the basic packet data and the contents in a text file. If you want to save the whole thing graphically as a report, use the HTML Report – TCP/IP Streams command. The command creates an HTML file with a table and the contents of the packets. At the bottom, you can select the contents of individual packets and copy them to the clipboard using the context menu.
In addition to the option to save individual packets, you can also back up the data from a complete capture process and load it in SmartSniff at any point. To back up the data, stop the capture process and select File | Save Packets Data to File. Then save the process in an SSP file. You can load this file again in SmartSniff at any time and examine it more closely.