A Tutorial on Sniffer for Windows
By Bit_Logic (bit_logic@s-mail.com)
“To those who dare to learn.”
Disclaimer
Consider this electronic book (eBook) literary freeware. It may be transferred, reproduced, and viewed with no limitations so long as the following two conditions are maintained without exception:
1. This document may not be modified in any way, in part or in whole.
2. Under no circumstances may you accept payment for redistribution of this eBook, either electronically or in print.
And of course, the author cannot be held responsible for anything foolish you decided to do. This document is provided solely for educational purposes.
“Information wants to be free.” - Bruce Sterling
SYN
I get a lot of requests from people to teach them how to use Sniffer. Sniffer, as you probably know since you’re reading this tutorial, is a Windows-based GUI network packet sniffing application. Essentially, it captures all data frames and/or packets [Note 1] going in and out of your network card. Why would anyone care to view these packets? There are actually a lot of reasons. Sniffing is used primarily to monitor network performance, but of course much more devious uses can be applied to it. For example, if you configured a switch to mirror all of its traffic to your computer’s port by means of SPAN (Switched Port ANalysis), you could monitor every bit of data sent and received by everyone on your LAN.

The main goal of this tutorial is not to teach you to spy on your coworkers (well, maybe a little), but to teach you how to capture and view packets using Sniffer, so that you can in turn learn more about networking in general. As Sniffer is Windows-based, we’ll be dealing almost exclusively with TCP/IP Ethernet traffic. If you haven’t installed Sniffer yet, now is a good time to do so. The installation process is relatively straightforward, and shouldn’t take more than a few minutes, plus a reboot. If you have any problems getting it to run, consult the Sniffer readme file. Once you have it working, it’s time to capture our first frames!
Getting Started
When you run Sniffer for the first time, you’ll notice a main window with a button toolbar at the top, and a child window titled “Dashboard”. Close the dashboard for now, and let’s focus on the main toolbar for a moment. Here’s a rough list of each function available in the toolbar:
Capture Controls – These first few buttons allow you to start, pause, stop, and view captures.
Filters – You can define and apply packet filters with the “Define Filter” button and drop-down list.
Open/Save – You can save captured packet lists and open them to view later.
Print – Take a wild guess.
Dashboard – The dashboard displays real-time traffic going in and out of your network card.
Host Table – The host table lists all recorded hosts on your LAN that have sent/received data to/from your computer.
Matrix – That’s right, it’s not just a movie. The matrix has a whole bunch of traffic summarization tools. You can choose to view traffic in a list or graphical format. These are neat when you have at least a couple dozen computers on your LAN.
Application Response Time – You can see exactly – and I mean exactly – how long it takes for a certain webpage to load, or how high the delay on your domain controller is, for example.
History – Here you can find a summary of just about any packet category, represented in just about any graphical format.
Protocol Distribution – See how different protocols stack up to each other in use on your network.
Global Statistics – Displays how common or rare different frame sizes are.
Alarm Log – Problematic frame transmissions (collisions, fragments, etc.) should show up here.
Capture Panel – Displays real-time capture statistics. The detail tab provides a nice clean overview of the entire process.
Address Book – Sniffer will usually auto-detect hostnames and other identities, but you can manually add specific addresses to the address book.

Sound like a lot of features? You haven’t seen half of them yet. Now, the moment you’ve been waiting for: we’re going to capture a minute or so of typical network traffic. Back at the far left of the toolbar, click the “Start” button. You should see the “Expert” window pop up. This window provides a real-time summary and diagnostic of network traffic. There are three gray buttons at the bottom of the left column. “Diagnoses” and “Symptoms” list packet errors or other indications of poor network performance. “Objects” offers a more interesting survey of all known devices, protocols, connections and more.
 
We’ll discuss the Expert window more in-depth (probably a lot more in-depth than you ever wanted to go) later. For now, open up your web browser and go to a web site. Any web site, it doesn’t matter; our goal here is to generate some traffic for us to sniff. A single hit to cnn.com should give you a healthy few hundred frames. When the page has finished loading, go back into Sniffer. You can view the number of captured frames in Sniffer’s status bar at the bottom of the screen.

There are two ways to stop sniffing. The “Stop” button will simply abort the capture. This means you will not be able to save anything. The “Stop and Display” button, however, will allow you to save your capture, and view saved statistical information too. It also opens up the ability to view and edit raw data frames. Click “Stop and Display”.

I know at first it doesn’t look like much, but you have actually captured a great amount of data. In the top window bar, go to File > Save As… Rename the file to MyFirstSniff.cap and save it to a directory of your choice. Congratulations! You have just captured and saved real live network traffic.
Viewing Raw Frames
If you don’t understand exactly what Sniffer is doing yet, that’s okay. This next section should provide a good insight into the actual process of frame capturing. First, you need a stopped frame capture open. You can create a new capture or open an existing one; just make sure you have a stopped capture, as you can’t view raw frames in real-time.

In your completed capture window, you should see a row of tabs along the bottom of the window (Expert, Decode, Matrix…). Click on the “Decode” tab to switch to the raw frame view. At this point, you will be presented with an enormous amount of information; try not to explode. (Note: You may find it easier to maximize the Sniffer and Decode windows to take up the entire screen.) The decode view is divided into three horizontal panes, each taking up a rough third of the screen. Each pane has a separate degree of detail:
Summary Pane
This top window lists every captured frame in chronological order. It has several columns that you can resize, move, or hide as you see fit:
Selection – The leftmost column contains a checkbox for selecting individual frames. More on this later.
Number – The frame’s chronological ranking (No. 1 is the first frame captured).
Status – Any special status of the frame, usually none. You’ll notice the first frame is marked with “M”.
Source Address – The protocol address or hostname of the transmitting station.
Destination Address – The protocol address or hostname of the receiving station.
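As an added illustration (example code written for this edit, not part of the original tutorial and not Sniffer’s own code), the script below constructs three sample Ethernet II frames carrying a TCP handshake and decodes each one into the Summary pane columns just described (Number, Status, Source Address, Destination Address) plus a one-line summary, so you can see what the Decode tab works out from raw frame bytes. The MAC addresses, IP addresses, ports and the “M” marker on frame 1 are constructed sample values, and the summary text format is this example’s own, not Sniffer’s.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_NAMES = {0x02: "SYN", 0x10: "ACK", 0x08: "PSH", 0x01: "FIN", 0x04: "RST"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Construct a minimal Ethernet II / IPv4 / TCP frame (sample bytes, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def decode_frame(number: int, frame: bytes) -> dict:
    """Turn one raw frame into a Summary-pane style row (No., Status, Source, Destination)."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    row = {"no": number, "status": "M" if number == 1 else "",  # tutorial: frame 1 shows "M"
           "src": mac_str(src_mac), "dst": mac_str(dst_mac),
           "summary": f"Ethertype 0x{ethertype:04x}"}
    if ethertype != ETHERTYPE_IPV4:
        return row                      # non-IP frame: only MAC addresses are available
    packet = frame[14:]                 # the IP packet is the frame's payload
    ihl = (packet[0] & 0x0F) * 4        # IP header length in bytes
    row["src"], row["dst"] = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    row["summary"] = f"IP proto={packet[9]}"
    if packet[9] == 6:                  # IP protocol 6 = TCP: add ports and flag names
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
        names = [n for bit, n in TCP_FLAG_NAMES.items() if flags & bit]
        row["summary"] = f"TCP D={dport} S={sport} {' '.join(names)}"
    return row

def decode_capture(frames):
    return [decode_frame(i, f) for i, f in enumerate(frames, start=1)]  # No. 1 = first captured

# Constructed sample capture: a client's TCP handshake with a web server (not real traffic).
CLIENT, SERVER = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    build_frame(CLIENT, SERVER, "192.168.1.10", "10.0.0.80", 1025, 80, 0x02),  # SYN
    build_frame(SERVER, CLIENT, "10.0.0.80", "192.168.1.10", 80, 1025, 0x12),  # SYN ACK
    build_frame(CLIENT, SERVER, "192.168.1.10", "10.0.0.80", 1025, 80, 0x10),  # ACK
]
if __name__ == "__main__":
    for r in decode_capture(SAMPLE_FRAMES):
        print(f"{r['no']:>3} {r['status']:<2} {r['src']:<15} {r['dst']:<15} {r['summary']}")
```

Run it and the three printed rows mirror what the Summary pane shows for a handshake; a non-IP frame (an ARP request, say) falls back to MAC addresses, which is why the pane’s address columns sometimes show hardware rather than protocol addresses.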