When looking at network problems, most people focus on the higher levels: the physical links, the settings on PCs, the DNS and WINS arrangements. So what happens when you are seeing strange behaviour and want to know more about what is going on under the covers?
For many years the tool of choice for most people in this situation was Ethereal (now Wireshark), and it provides a wide range of facilities to monitor and profile traffic.
Sometimes you want something a little less graphical that is still capable of giving you the information you need, so enter WinDump: tcpdump for Windows. Based on the command-line network analyzer for UNIX (which I think I first saw in action in 1988, and it was probably quite a few years old then), WinDump is a powerful if slightly unfriendly tool for getting a peek at the network traffic that might explain your problems.
WinDump useful tips
Download windump.exe from here and place it in a folder, then start a DOS session and move to that folder, for example c:\windump. Don't run it just yet; have a look at some of the tips first.
You also need to install WinPcap (also used by Wireshark), which is found on the same site.
To list the network adapters in your system
windump -D
For example:
C:\downloads>windump -D
1.\Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2.\Device\NPF_{5ACA11C3-CB02-4470-857F-718AFE3A8618} (Parallels Host-Guest Virtual NIC (Microsoft's Packet Scheduler) )
3.\Device\NPF_{7BFEA8C2-1200-4CA1-931C-84B9D16FF243} (Intel(R) PRO/100 VE Network Connection (Microsoft's Packet Scheduler) )
4.\Device\NPF_{08B49B2A-7F1A-402E-B3F7-DBE187C892AF} (VMware Virtual Ethernet Adapter)
5.\Device\NPF_{9C9CC8B4-09D9-440C-BF86-3FA736042960} (VMware Virtual Ethernet Adapter)
To capture on a particular adapter, give its number or name from the list above:
windump -i adapternumber (or windump -i adaptername)
e.g. in my case:
windump -i 3
Putting that all together, and restricting the capture to a host we are interested in rather than all traffic:
C:\downloads>windump -i 3 host www.google.com
windump: listening on \Device\NPF_{7BFEA8C2-1200-4CA1-931C-84B9D16FF243}
09:24:17.543951 IP KIRK.4349 > nf-in-f147.google.com.80: S 2647394775:2647394775(0) win 65535
09:24:17.610091 IP nf-in-f147.google.com.80 > KIRK.4349: S 3348584432:3348584432(0) ack 2647394776 win02,nop,nop,sackOK>
09:24:17.610138 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 1 win 65535
09:24:17.610397 IP KIRK.4349 > nf-in-f147.google.com.80: P 1:883(882) ack 1 win 65535
09:24:17.653227 IP nf-in-f147.google.com.80 > KIRK.4349: . ack 883 win 7056
09:24:17.660916 IP nf-in-f147.google.com.80 > KIRK.4349: P 1:1390(1389) ack 883 win 7056
09:24:17.661878 IP nf-in-f147.google.com.80 > KIRK.4349: . 1390:2792(1402) ack 883 win 7056
09:24:17.661919 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 2792 win 65535
09:24:17.661940 IP nf-in-f147.google.com.80 > KIRK.4349: P 2792:2996(204) ack 883 win 7056
09:24:17.855289 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 2996 win 65331
09:24:27.657440 IP nf-in-f147.google.com.80 > KIRK.4349: F 2996:2996(0) ack 883 win 7056
09:24:27.657470 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 2997 win 65331
12 packets captured
8499 packets received by filter
0 packets dropped by kernel
The capture was ended with Ctrl-C; the output was only displayed, not saved.
Further information about common problems is found on the site linked above.
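As an added example (not part of the original post), the following Python script parses lines in the WinDump format shown above, checks that the three-way handshake completed, totals payload bytes in each direction and notes whether a FIN was seen. The sample capture is constructed from the listing; the window value on the SYN/ACK line is made up because that line is garbled in the original.

```python
import re
from datetime import datetime

# Constructed sample in the WinDump line format shown above (the SYN/ACK window
# value is made up, since that line is garbled in the listing).
SAMPLE = """\
09:24:17.543951 IP KIRK.4349 > nf-in-f147.google.com.80: S 2647394775:2647394775(0) win 65535
09:24:17.610091 IP nf-in-f147.google.com.80 > KIRK.4349: S 3348584432:3348584432(0) ack 2647394776 win 5720
09:24:17.610138 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 1 win 65535
09:24:17.610397 IP KIRK.4349 > nf-in-f147.google.com.80: P 1:883(882) ack 1 win 65535
09:24:17.660916 IP nf-in-f147.google.com.80 > KIRK.4349: P 1:1390(1389) ack 883 win 7056
09:24:17.661878 IP nf-in-f147.google.com.80 > KIRK.4349: . 1390:2792(1402) ack 883 win 7056
09:24:17.661940 IP nf-in-f147.google.com.80 > KIRK.4349: P 2792:2996(204) ack 883 win 7056
09:24:27.657440 IP nf-in-f147.google.com.80 > KIRK.4349: F 2996:2996(0) ack 883 win 7056
12 packets captured
"""
# One TCP line: time, src > dst, flags, optional seq range with payload length, optional ack.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: \d+:\d+\((?P<plen>\d+)\))?(?: ack (?P<ack>\d+))?"
)

def parse_line(line):
    """Return one parsed packet, or None for the trailing counter lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"), "src": d["src"], "dst": d["dst"],
            "flags": d["flags"], "payload": int(d["plen"] or 0), "ack": int(d["ack"]) if d["ack"] else None}

def summarize(text):
    """Check the three-way handshake, count payload bytes per direction and note teardown."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    client, server = pkts[0]["src"], pkts[0]["dst"]   # first packet is the client's SYN
    syn = synack = handshake = fin = False
    payload = {client: 0, server: 0}
    for p in pkts:
        from_client = p["src"] == client
        if "S" in p["flags"] and p["ack"] is None and from_client:
            syn = True                                   # client SYN
        elif "S" in p["flags"] and p["ack"] is not None and not from_client:
            synack = syn                                 # server SYN/ACK answering it
        elif syn and synack and from_client and p["ack"] is not None:
            handshake = True                             # client ACK completes the handshake
        fin = fin or "F" in p["flags"]
        payload[p["src"]] = payload.get(p["src"], 0) + p["payload"]
    return {"client": client, "server": server, "handshake": handshake, "fin_seen": fin,
            "bytes_sent": payload[client], "bytes_received": payload[server],
            "duration_s": (pkts[-1]["ts"] - pkts[0]["ts"]).total_seconds()}
```

Run with `print(summarize(SAMPLE))`; a connection whose summary shows no completed handshake, or a large byte count with no FIN, is the kind of thing worth looking at more closely in Wireshark.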