Time to go to the (Win)Dump?


When looking at network problems most people focus on the higher levels: the physical links, the settings on PCs, the DNS and WINS arrangements. So what happens when you are seeing strange behaviours and want to know more about what's going on under the covers?

For many years the tool of choice for most people in this situation was Ethereal (now Wireshark), and it provides a wide range of facilities to monitor and profile traffic.

Sometimes you want something a little less graphical and yet still capable of giving you the information you need – so enter WinDump: tcpdump for Windows. Based on the command-line network analyzer for UNIX (which I think I first saw in action in 1988, and it was probably quite a few years old then), WinDump is a powerful if slightly unfriendly tool for getting a peek at the network traffic that might explain your problems.

WinDump useful tips

Download windump.exe from here and place it in a folder, for example c:\windump – start a DOS session and move to that folder. Don’t run it just yet – have a look at some of the tips first.

You need to install WinPcap (also used by Wireshark), which is also found on that site.

To list the network adapters in your system:

windump -D

For example:

C:\!downloads>windump -D
1.\Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2.\Device\NPF_{5ACA11C3-CB02-4470-857F-718AFE3A8618} (Parallels Host-Guest Virtual NIC (Microsoft’s Packet Scheduler) )
3.\Device\NPF_{7BFEA8C2-1200-4CA1-931C-84B9D16FF243} (Intel(R) PRO/100 VE Network Connection (Microsoft’s Packet Scheduler) )
4.\Device\NPF_{08B49B2A-7F1A-402E-B3F7-DBE187C892AF} (VMware Virtual Ethernet Adapter)
5.\Device\NPF_{9C9CC8B4-09D9-440C-BF86-3FA736042960} (VMware Virtual Ethernet Adapter)

To analyse traffic on a particular adapter:

windump -i adapternumber (or the adapter name, as listed above)

i.e. in my case:

windump -i 3

Putting that all together, capturing only the traffic to and from a host we are interested in rather than all traffic:

C:!downloads>windump -i 3 host www.google.com

windump: listening on \Device\NPF_{7BFEA8C2-1200-4CA1-931C-84B9D16FF243}
09:24:17.543951 IP KIRK.4349 > nf-in-f147.google.com.80: S 2647394775:2647394775(0) win 65535
09:24:17.610091 IP nf-in-f147.google.com.80 > KIRK.4349: S 3348584432:3348584432(0) ack 2647394776 win02,nop,nop,sackOK>
09:24:17.610138 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 1 win 65535
09:24:17.610397 IP KIRK.4349 > nf-in-f147.google.com.80: P 1:883(882) ack 1 win 65535
09:24:17.653227 IP nf-in-f147.google.com.80 > KIRK.4349: . ack 883 win 7056
09:24:17.660916 IP nf-in-f147.google.com.80 > KIRK.4349: P 1:1390(1389) ack 883 win 7056
09:24:17.661878 IP nf-in-f147.google.com.80 > KIRK.4349: . 1390:2792(1402) ack 883 win 7056
09:24:17.661919 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 2792 win 65535
09:24:17.661940 IP nf-in-f147.google.com.80 > KIRK.4349: P 2792:2996(204) ack 883 win 7056
09:24:17.855289 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 2996 win 65331
09:24:27.657440 IP nf-in-f147.google.com.80 > KIRK.4349: F 2996:2996(0) ack 883 win 7056
09:24:27.657470 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 2997 win 65331

12 packets captured
8499 packets received by filter
0 packets dropped by kernel

The capture was ended with Ctrl-C and was not saved, only displayed on screen.
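Reading this one-line-per-packet output by eye works for a dozen lines but not for thousands, and the useful facts (how long the handshake took, how many bytes went each way, whether the connection closed cleanly, whether any segments are missing) are all derivable from the line format itself. The following is an added example, not code from the original post or from the WinDump/tcpdump projects: a small Python parser for the classic tcpdump-style TCP one-liner, run over the twelve lines captured above (copied in as the sample input). The Packet class, parse_line and summarize are names chosen here. The window field is optional in the parser so that the truncated second line of the capture still yields a packet instead of being dropped.

```python
"""Parse WinDump/tcpdump one-line TCP output and summarise one conversation.
Added example; not part of the original post or of the tcpdump project."""
import re
from dataclasses import dataclass
from typing import Optional

# Classic tcpdump 3.x TCP line: ts IP src.port > dst.port: FLAGS [seq:end(len)] [ack N] [win N] ...
# Window and options are optional so a truncated line is still parsed.
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)

# Sample input: the twelve packet lines from the capture above (hostnames and
# numbers exactly as printed in the post, including the truncated SYN-ACK line).
SAMPLE = [
    "09:24:17.543951 IP KIRK.4349 > nf-in-f147.google.com.80: S 2647394775:2647394775(0) win 65535",
    "09:24:17.610091 IP nf-in-f147.google.com.80 > KIRK.4349: S 3348584432:3348584432(0) ack 2647394776 win02,nop,nop,sackOK>",
    "09:24:17.610138 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 1 win 65535",
    "09:24:17.610397 IP KIRK.4349 > nf-in-f147.google.com.80: P 1:883(882) ack 1 win 65535",
    "09:24:17.653227 IP nf-in-f147.google.com.80 > KIRK.4349: . ack 883 win 7056",
    "09:24:17.660916 IP nf-in-f147.google.com.80 > KIRK.4349: P 1:1390(1389) ack 883 win 7056",
    "09:24:17.661878 IP nf-in-f147.google.com.80 > KIRK.4349: . 1390:2792(1402) ack 883 win 7056",
    "09:24:17.661919 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 2792 win 65535",
    "09:24:17.661940 IP nf-in-f147.google.com.80 > KIRK.4349: P 2792:2996(204) ack 883 win 7056",
    "09:24:17.855289 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 2996 win 65331",
    "09:24:27.657440 IP nf-in-f147.google.com.80 > KIRK.4349: F 2996:2996(0) ack 883 win 7056",
    "09:24:27.657470 IP KIRK.4349 > nf-in-f147.google.com.80: . ack 2997 win 65331",
]


@dataclass
class Packet:
    ts: float                 # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # "S", ".", "P", "F", "R" or a combination
    seq: Optional[int]        # start of the segment's seq range, if printed
    end: Optional[int]        # end of the seq range, if printed
    length: int               # payload bytes (0 when no range is printed)
    ack: Optional[int]
    win: Optional[int]        # None when the line was truncated


def _to_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a TCP line, or None for summary/other lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Packet(
        ts=_to_seconds(g["ts"]),
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        flags=g["flags"],
        seq=int(g["seq"]) if g["seq"] else None,
        end=int(g["end"]) if g["end"] else None,
        length=int(g["len"]) if g["len"] else 0,
        ack=int(g["ack"]) if g["ack"] else None,
        win=int(g["win"]) if g["win"] else None,
    )


def summarize(lines) -> dict:
    """Handshake RTT, bytes per direction, FIN seen, and seq-range gaps."""
    pkts = [p for p in (parse_line(l) for l in lines) if p]
    if not pkts:
        return {"packets": 0}
    # The first SYN carrying no ack is the client; a SYN with an ack is the reply.
    syn = next((p for p in pkts if "S" in p.flags and p.ack is None), pkts[0])
    synack = next((p for p in pkts if "S" in p.flags and p.ack is not None), None)
    client = (syn.src, syn.sport)
    bytes_out = sum(p.length for p in pkts if (p.src, p.sport) == client)
    bytes_in = sum(p.length for p in pkts if (p.src, p.sport) != client)
    # After the SYN, tcpdump prints relative seq numbers: each segment should
    # start exactly where the previous one ended; anything else is a gap.
    gaps = 0
    for is_client in (True, False):
        segs = sorted((p.seq, p.end) for p in pkts
                      if p.seq is not None and "S" not in p.flags
                      and ((p.src, p.sport) == client) == is_client)
        gaps += sum(1 for (_, prev_end), (start, _) in zip(segs, segs[1:]) if start != prev_end)
    return {
        "packets": len(pkts),
        "client": f"{syn.src}:{syn.sport}",
        "server": f"{syn.dst}:{syn.dport}",
        "handshake_ms": round((synack.ts - syn.ts) * 1000, 2) if synack else None,
        "bytes_client_to_server": bytes_out,
        "bytes_server_to_client": bytes_in,
        "fin_seen": any("F" in p.flags for p in pkts),
        "seq_gaps": gaps,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```

On the capture above this reports a 66 ms SYN/SYN-ACK round trip, 882 bytes sent to the server and 2995 received from it, a FIN seen, and no gaps in either direction (the client's final "ack 2997" is exactly the server's last sequence number plus one for the FIN, which is the cross-check that nothing was dropped). To use it on a real capture, pipe the windump output into a file and pass the file's lines to summarize.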

Further information about common problems is found on the site linked above.