Packet Sniffing and Protocol Analysis Software


There are a number of packet sniffer and protocol analysis programs that will be very beneficial to your study of TCP/IP and other protocols.

Linux/Unix
  • Linux/Unix-based sniffers use libpcap, which must be installed prior to installing any of the programs below. (In most current Linux distros, libpcap is already installed.)

  • tcpdump, a command-line packet sniffer (tcpdump is usually a standard part of most Linux distributions.)
  • tcpshow (tcpdump-based analysis)
  • Wireshark (Packet sniffer GUI) [Formerly Ethereal]
  • ngrep — network grep (Command line tool to apply regular expressions to tcpdump output)
Windows

Also available: TCP/IP Pocket Reference Guide.


Running WinDump

WinDump is run from the command line; do not double-click on the windump icon! Unless you saved windump.exe to a directory in your path, you will need to be in the same directory to run the program or enter the complete path.

If windump gives an error message about the adapter or device, try running:

windump -D

This will provide a listing of the devices windump thinks are available. You can then use the command:

windump -i device_num

to direct windump to listen using the selected device. This is also used to point windump to a specific networking device, when you have more than one network adaptor or modem to choose from.

Use the command:

windump -?

to obtain the help file.

The complete tcpdump/WinDump man page can be found at http://www.winpcap.org/windump/docs/manual.htm or from this site at http://www.garykessler.net/download/tcpip/windump_manual.html. [NOTE: Expressions are enclosed within single quotes (') in tcpdump and within double-quotes (") in windump.]
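As an added example (not part of this page or of the WinDump project), the following Python helper parses the device listing from `windump -D` / `tcpdump -D`, builds the `-i device_num` capture command with a filter expression, and renders that command as it would be typed into each shell, which makes the single-quote (tcpdump) versus double-quote (windump) difference noted above visible. It goes beyond the page by handling both tools' listing formats; the sample listings are constructed, and the GUIDs and adapter names in them are placeholders.

```python
import re
import shlex
import subprocess
from typing import List, Optional, Tuple

# Constructed sample "-D" listings (not from a real host): WinDump prints
# "index.\Device\NPF_... (description)", tcpdump prints "index.name [flags]".
SAMPLE_WINDUMP_LIST = """\
1.\\Device\\NPF_{00000000-1111-2222-3333-444444444444} (Example Ethernet Adapter)
2.\\Device\\NPF_{55555555-6666-7777-8888-999999999999} (Example Wi-Fi Adapter)
"""
SAMPLE_TCPDUMP_LIST = """\
1.eth0 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
"""

# index, dot, device name, optional "(description)", optional "[flags]"
_DEVICE_RE = re.compile(r"^(\d+)\.(\S+)(?:\s+\((.*?)\))?(?:\s+\[(.*?)\])?\s*$")

def parse_device_list(text: str) -> List[Tuple[int, str, str]]:
    """Parse 'windump -D' / 'tcpdump -D' output into (index, name, description)."""
    devices = []
    for line in text.splitlines():
        m = _DEVICE_RE.match(line.strip())
        if m:
            devices.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return devices

def choose_device(devices, keyword: str) -> Optional[int]:
    """Index of the first device whose name or description contains keyword, else None."""
    k = keyword.lower()
    for num, name, desc in devices:
        if k in name.lower() or k in desc.lower():
            return num
    return None

def build_capture_argv(tool: str, device_num: int, filter_expr: str, count: int = 100) -> List[str]:
    """argv for 'tool -i device_num -n -c count <filter>' (tool is 'windump' or 'tcpdump')."""
    # The filter is a single argv element, so no shell quote characters are involved.
    return [tool, "-i", str(device_num), "-n", "-c", str(count), filter_expr]

def command_line_for(argv: List[str], windows: bool) -> str:
    """Render argv as typed into each shell: cmd.exe needs "...", a POSIX shell needs '...'."""
    return subprocess.list2cmdline(argv) if windows else shlex.join(argv)

def run_capture(argv: List[str]) -> str:
    """Run the capture (needs the tool installed and capture privileges); return its text output."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout
```

Passing the filter as one argv element (as `build_capture_argv` does) sidesteps the quoting question entirely; `command_line_for` only shows what you would have to type by hand.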