freeware sniffer for windows?

comp.dcom.sys.cisco

Posted by Calvin.Lai on September 14, 2006, 12:56 am
I've used the SPAN command on one of the ports on my main backbone
switch so that I can attach a sniffer to it.

I've tried Ethereal but unfortunately I can't find a way to separate
the port #'s when loading the exported capture in Excel.

I'm just looking for something simple that can export the following
data in separate columns:

SOURCE IP
SOURCE PORT
DESTINATION IP
DESTINATION PORT
PROTOCOLS (UDP, TCP, etc)

It also has to have the option to start writing the capture to new log
files when the log file has reached a certain size.

That's it...


Posted by Merv on September 14, 2006, 1:46 am
Enable NetFlow on the switch and export

There are a number of free NetFlow collectors


http://en.wikipedia.org/wiki/Netflow

http://www.cisco.com/en/US/tech/tk812/tsd_technology_support_protocol_home.html

http://www.paessler.com/info/netflow

http://www.networkuptime.com/tools/netflow/

http://www.ipflow.utc.fr/index.php/Main_Page


Posted by on September 14, 2006, 5:55 am

Merv wrote:
> Enable NetFlow on the switch and export
>
> There are a number of free NetFlow collectors
>
>
> http://en.wikipedia.org/wiki/Netflow
>
> http://www.cisco.com/en/US/tech/tk812/tsd_technology_support_protocol_home.html
>
> http://www.paessler.com/info/netflow
>
> http://www.networkuptime.com/tools/netflow/
>
> http://www.ipflow.utc.fr/index.php/Main_Page

There is always Ethereal's poor cousin windump.

This is a Windows port of tcpdump. The only thing to watch
out for is that you need to tell it what interface you want to capture
from.

You can tell it to stop after capturing a certain number of packets
and you could use a batch file or whatever to rotate the file names.

I put in a few different kinds of packet here including TCP telnet.

H:\>windump -D
1.\Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN
capture)
2.\Device\NPF_ (Compaq Ethernet/Fast
Ethernet Adapter/Module (Microsoft's Packet Scheduler) )
3.\Device\NPF_ (Broadcom
NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler) )

H:\>windump -i 3 -n -vv host 192.168.77.1
windump: listening on \Device\NPF_
10:48:05.562387 IP (tos 0xc0, ttl 1, id 56167, len 54) 192.168.77.1 >
224.0.0.13:
pim v2 Hello (Hold-time 3s) (Genid: 0x00000527) (DR-Priority: 1)
(State Refresh Capable; v1)
10:48:06.122440 IP (tos 0xc0, ttl 1, id 56204, len 76) 192.168.77.1 >
224.0.0.5:
OSPFv2-hello 56: [len 44]
10:48:06.130666 IP (tos 0x0, ttl 128, id 58483, len 60) 192.168.77.249
> 192.168.77.1:
icmp 40: echo request seq 16528
10:48:06.131286 IP (tos 0x0, ttl 255, id 58483, len 60) 192.168.77.1 >
192.168.77.249:
icmp 40: echo reply seq 16528
10:48:06.287708 arp who-has 192.168.77.167 tell 192.168.77.1
10:48:06.542507 IP (tos 0xc0, ttl 1, id 56230, len 54) 192.168.77.1 >
224.0.0.13: pim v2
Hello (Hold-time 3s) (Genid: 0x00000527) (DR-Priority: 1) (State
Refresh Capable; v1)
10:48:07.131824 IP (tos 0x0, ttl 128, id 58489, len 60) 192.168.77.249
> 192.168.77.1:
icmp 40: echo request seq 17040
10:48:07.132461 IP (tos 0x0, ttl 255, id 58489, len 60) 192.168.77.1 >
192.168.77.249:
icmp 40: echo reply seq 17040
10:48:07.531989 IP (tos 0xc0, ttl 1, id 56283, len 54) 192.168.77.1 >
224.0.0.13: pim v2
Hello (Hold-time 3s) (Genid: 0x00000527) (DR-Priority: 1) (State
Refresh Capable; v1)
<...snipped....>
10:48:14.659828 arp who-has 192.168.77.167 tell 192.168.77.1
10:48:15.443294 IP (tos 0xc0, ttl 1, id 56727, len 54) 192.168.77.1 >
224.0.0.13: pim v2
Hello (Hold-time 3s) (Genid: 0x00000527) (DR-Priority: 1) (State
Refresh Capable; v1)
10:48:15.599915 arp who-has 192.168.77.111 tell 192.168.77.1
10:48:16.123364 IP (tos 0xc0, ttl 1, id 56770, len 76) 192.168.77.1 >
224.0.0.5:
OSPFv2-hello 56: [len 44]
10:48:16.431393 IP (tos 0xc0, ttl 1, id 56788, len 54) 192.168.77.1 >
224.0.0.13:
pim v2 Hello (Hold-time 3s) (Genid: 0x00000527) (DR-Priority: 1)
(State Refresh Capable; v1)
10:48:17.412261 IP (tos 0xc0, ttl 1, id 56841, len 54) 192.168.77.1 >
224.0.0.13:
pim v2 Hello (Hold-time 3s) (Genid: 0x00000527) (DR-Priority: 1)
(State Refresh Capable; v1)
10:48:17.837960 IP (tos 0x0, ttl 128, id 58554, len 48)
192.168.77.249.3078 > 192.168.77.1.23:
S [tcp sum ok] 1475676875:1475676875(0) win 64512 <mss
1460,nop,nop,sackOK> (DF)
10:48:17.839158 IP (tos 0x0, ttl 255, id 0, len 44) 192.168.77.1.23 >
192.168.77.249.3078:
S [tcp sum ok] 2854354119:2854354119(0) ack 1475676876 win 4128 <mss
1460>
10:48:17.839192 IP (tos 0x0, ttl 128, id 58555, len 40)
192.168.77.249.3078 > 192.168.77.1.23:
. [tcp sum ok] 1:1(0) ack 1 win 64512 (DF)
10:48:17.841634 IP (tos 0xc0, ttl 255, id 1, len 52) 192.168.77.1.23 >
192.168.77.249.3078:
P [tcp sum ok] 1:13(12) ack 1 win 4128 [telnet WILL ECHO, WILL
SUPPRESS GO AHEAD, DO
TERMINAL TYPE, DO NAWS]
10:48:17.841819 IP (tos 0x0, ttl 128, id 58556, len 43)
192.168.77.249.3078 > 192.168.77.1.23:
P [tcp sum ok] 1:4(3) ack 13 win 64500 [telnet DO ECHO] (DF)

15257 packets received by filter
0 packets dropped by kernel

H:\>

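The two practical gaps in this thread are the original poster's ones: getting source IP, source port, destination IP, destination port and protocol into separate spreadsheet columns, and rolling over to a new file once the current one reaches a given size. The script below is an added example written for this page; it is not code from any poster here, nor part of windump or tcpdump. It assumes the old windump/tcpdump summary line format seen in the post above (`-n` addresses printed as `a.b.c.d.port`, `[tcp sum ok]`/`[udp sum ok]` from `-vv`), re-joins lines that a news client wrapped, and writes CSV files named `capture-NNNN.csv` (a name chosen here). The sample input is constructed: four records reuse line shapes from the post, the UDP record is made up.

```python
import csv
import os
import re
import tempfile

FIELDS = ["time", "src_ip", "src_port", "dst_ip", "dst_port", "protocol"]
TIMESTAMP = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (.*)$")
# tcpdump -n prints an endpoint as a.b.c.d or a.b.c.d.port: the optional fifth dotted group is the port
ENDPOINTS = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))? > "
                       r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?:\s*(.*)$")
ARP = re.compile(r"\barp who-has (\S+) tell (\S+)")

# Constructed sample, not a real capture: the first four records copy line shapes from the
# windump post above (news-client line wrapping included); the UDP record is made up.
SAMPLE = """\
10:48:06.130666 IP (tos 0x0, ttl 128, id 58483, len 60) 192.168.77.249 > 192.168.77.1:
icmp 40: echo request seq 16528
10:48:06.287708 arp who-has 192.168.77.167 tell 192.168.77.1
10:48:06.542507 IP (tos 0xc0, ttl 1, id 56230, len 54) 192.168.77.1 > 224.0.0.13: pim v2
Hello (Hold-time 3s) (Genid: 0x00000527) (DR-Priority: 1)
10:48:17.837960 IP (tos 0x0, ttl 128, id 58554, len 48)
192.168.77.249.3078 > 192.168.77.1.23:
S [tcp sum ok] 1475676875:1475676875(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
10:48:18.000001 IP (tos 0x0, ttl 128, id 58600, len 78) 192.168.77.249.1029 > 192.168.77.1.161: [udp sum ok] udp 50

15257 packets received by filter
"""

def join_wrapped(lines):
    """Re-join records a news or mail client wrapped: a record starts at a timestamp and
    runs until the next timestamp or a blank line (windump itself prints one line per packet)."""
    current = None
    for line in (raw.strip() for raw in lines):
        if TIMESTAMP.match(line) or not line:
            if current is not None:
                yield current
            current = line or None
        elif current is not None:
            current += " " + line
    if current is not None:
        yield current

def classify(payload, has_ports):
    """Guess the protocol from the text printed after 'src > dst:'."""
    p = payload.lower()
    for prefix, name in (("icmp", "ICMP"), ("pim", "PIM"), ("ospf", "OSPF"), ("udp", "UDP")):
        if p.startswith(prefix):
            return name
    if "[udp sum" in p:
        return "UDP"
    # "[tcp sum ok]" only appears with -vv; otherwise old tcpdump shows just the flag token (S, P, ., F, R)
    if "[tcp sum" in p or (has_ports and re.match(r"^[sfrp.]+ ", p)):
        return "TCP"
    return "OTHER"

def parse_line(record):
    """One unwrapped summary line -> CSV row dict, or None for noise such as the footer."""
    m = TIMESTAMP.match(record.strip())
    if not m:
        return None
    ts, rest = m.groups()
    a = ARP.search(rest)
    if a:  # ARP has no IP header: 'tell' is the sender, 'who-has' the target
        return dict(zip(FIELDS, (ts, a.group(2), "", a.group(1), "", "ARP")))
    e = ENDPOINTS.search(rest)
    if not e:
        return None
    src_ip, src_port, dst_ip, dst_port, payload = e.groups()
    proto = classify(payload, bool(src_port and dst_port))
    return dict(zip(FIELDS, (ts, src_ip, src_port or "", dst_ip, dst_port or "", proto)))

def export(lines, directory, max_bytes):
    """Write rows to capture-NNNN.csv, opening a new file once the current one has
    reached max_bytes (the size-based rotation the OP asked for). Returns the paths."""
    paths, fh = [], None
    for record in join_wrapped(lines):
        row = parse_line(record)
        if row is None:
            continue
        if fh is None or os.fstat(fh.fileno()).st_size >= max_bytes:
            if fh:
                fh.close()
            paths.append(os.path.join(directory, "capture-%04d.csv" % (len(paths) + 1)))
            fh = open(paths[-1], "w", newline="")
            writer = csv.DictWriter(fh, fieldnames=FIELDS)
            writer.writeheader()
        writer.writerow(row)
        fh.flush()  # keep st_size current for the next size check
    if fh:
        fh.close()
    return paths

def export_sample(max_bytes=120):
    """Run SAMPLE through export() in a scratch directory; returns each file's protocol column."""
    with tempfile.TemporaryDirectory() as d:
        per_file = []
        for path in export(SAMPLE.splitlines(), d, max_bytes):
            with open(path, newline="") as fh:
                per_file.append([r["protocol"] for r in csv.DictReader(fh)])
    return per_file
```

In use you would pipe windump's output straight in (`windump -i 3 -n -vv | python export.py`, reading `sys.stdin` in place of `SAMPLE`) and point `directory` at the log folder; each CSV opens directly in Excel with the five requested columns. Note that the protocol column is a guess from the decoded text, so the 'OTHER' bucket is worth reviewing for anything the classifier does not recognise, and that rows from a rotated file are not merged back, which is exactly the behaviour the size limit is meant to give.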

Posted by on September 14, 2006, 9:27 am
Thanks for the suggestions.

I found this:

http://www.plasticwater.com/PlasticSniffer/

I tried it but I'm not sure what format the export file is in. It
doesn't give me an option to select an extension. Anyone know?

