RE: Looking for network sniffing program

  • From: <Nick.Adamson@xxxxxxxxxxxxxxxxxxxxxx>
  • To: <programmingblind@xxxxxxxxxxxxx>
  • Date: Tue, 12 Oct 2010 10:08:42 +0100

Hi. 

You said:
I probably need help with your script, which will probably help me a lot.

Available interfaces are listed with their CLSID. How can I know which one is Ethernet and which one is wireless? Both are only labelled "Microsoft".
NA: when I run that bit of the script I see:
1. \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2. \Device\NPF_{DCDD6FFD-A1A6-45BB-A1E7-28E91804DC2F} (VMware Virtual Ethernet Adapter)
3. \Device\NPF_{29F028D8-6F50-45FA-BE0E-308199558878} (VMware Virtual Ethernet Adapter)
4. \Device\NPF_{65D5E1C9-805D-427C-B4E2-3FE41F72635B} (Broadcom NetXtreme Gigabit Ethernet Driver)
5. \Device\NPF_{D981580C-AFBF-47C4-AB51-69A985DBAF4E} (Intel(R) 82567LM-3 Gigabit Network Connection)
If you look at interface 4 above you can see after its GUID "Broadcom NetXtreme Gigabit Ethernet Driver)". This relates to the card for the connection. If you go to Network Connections in the Control Panel and highlight the connection you want to sniff, take a look at the status bar and it'll tell you which card it's using. So for me, to sniff "Local Area Connection" I can see it's device 4 in the list from the script.

You said:
I've tried, as a test, to catch HTTP traffic. The produced file has strange symbols at the beginning of each request. What are they?
And it seems that I have only the beginning of each request, that is, only headers or a truncated body. Is it normal?
NA: below is a run of my script and the output, which shows normal HTTP traffic. Note the settings from the script.
Also, I've only selected to show a summary of the HTTP requests; an option in the script will let you see the complete packet.
I've also removed the options I've not set, which makes it easier to see what I'm doing.

H:\>runTshark.bat
running tshark. - the network packet capture tool
 This interactive script can be used to set up the command line for a tshark session.
 this script prompts for all command line flags. if you don't want to set this flag just hit enter.

 layer type
 Specify that if the layer type in question (for example, tcp.port or udp.port for a TCP or UDP port number) has the specified selector value, packets should be dissected as the specified protocol.
 Example: -d tcp.port==8888,http will decode any traffic running over TCP port 8888 as HTTP.
Layer type... [-d] option.tcp.port==80,http

 capture interface
 Set the name of the network interface or pipe to use for live packet capture.
 the following numbers can be used.
NOTE: you should run 'diskperf -y' to enable the disk statistics
Could not open file: 'eap.xml', error: No such file or directory
1. \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2. \Device\NPF_{DCDD6FFD-A1A6-45BB-A1E7-28E91804DC2F} (VMware Virtual Ethernet Adapter)
3. \Device\NPF_{29F028D8-6F50-45FA-BE0E-308199558878} (VMware Virtual Ethernet Adapter)
4. \Device\NPF_{65D5E1C9-805D-427C-B4E2-3FE41F72635B} (Broadcom NetXtreme Gigabit Ethernet Driver)
5. \Device\NPF_{D981580C-AFBF-47C4-AB51-69A985DBAF4E} (Intel(R) 82567LM-3 Gigabit Network Connection)
Capture Interface... [-i] option.5

 read (display) filter
 Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file;
 packets not matching the filter are discarded rather than being printed or written.
Read filter... [-R] option.http

 command line configured.
 running:
 tshark.exe  "-d" "tcp.port==80,http" "-i" "5" "-l" "-R" "http" "-S"
Press any key to continue . . .
 running...
NOTE: you should run 'diskperf -y' to enable the disk statistics
Could not open file: 'eap.xml', error: No such file or directory
Capturing on Intel(R) 82567LM-3 Gigabit Network Connection
  8.883223  10.43.65.27 -> 172.16.1.65  HTTP GET /pacs/proxy.pac HTTP/1.1
  8.965981  172.16.1.65 -> 10.43.65.27  HTTP HTTP/1.1 200 OK  (application/x-ns-proxy-autoconfig)
  8.990223  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.com/ HTTP/1.1
  9.053010  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 302 Found  (text/html)
  9.055447  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/ HTTP/1.1
  9.233022  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK  (text/html)
  9.457590  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/images/mgyhp_sm.png HTTP/1.1
  9.479623  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/images/srpr/nav_logo14.png HTTP/1.1
  9.573690  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK  (PNG)
  9.576064  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/intl/en_com/images/srpr/logo1w.png HTTP/1.1
  9.629280  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK  (PNG)
  9.706108  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK  (PNG)
  9.751212  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/extern_js/f/CgJlbhICdWsrMEU4ACwrMFo4ACwrMA44ACwrMBc4ACwrMCc4ACwrMDw4ACwrMFE4ACwrMBY4ACwrMBk4ACwrMCU4z4gBLCswNTgALCswQDgALCswQTgALCswTjgGLCswVDgALCswGDgALCswJjgALIACF5ACHw/qae3N6A9FiM.js HTTP/1.1
  9.904762  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 200 OK  (text/javascript)
  9.995244  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.google.co.uk/csi?v=3&s=webhp&action=&e=17259,17311,26613,26629&ei=wCO0TImrEIn94gaKpdjRCg&expi=17259,17311,26613,26629&imc=1&imn=1&imp=1&rt=prt.140,xjsls.312,ol.437,iml.343,xjses.500,xjsee.531,xjs.562 HTTP/1.1
 10.088419  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 204 No Content
 10.250742  10.43.17.13 -> 10.43.65.27  HTTP [TCP Retransmission] HTTP/1.1 204 No Content
 13.219454  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.yourdolphin.com/news.xml HTTP/1.1
 13.391117  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 407 Proxy Authentication Required  (text/html)
 13.517116  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.yourdolphin.com/news.xml HTTP/1.1 , NTLMSSP_NEGOTIATE
 13.519852  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 407 Proxy Authentication Required  (text/html)
 13.520613  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.yourdolphin.com/news.xml HTTP/1.1 , NTLMSSP_AUTH, User: U\G
 13.530892  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 304 Not Modified
 13.532409  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.boost.org/feed/downloads.rss HTTP/1.1
 13.534560  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 304 Not Modified
 13.702056  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.mod.uk/DefenceInternet/DefenceNews/rss.aspx?feed=recentdefencenews HTTP/1.1
 13.943667  10.43.17.13 -> 10.43.65.27  HTTP/XML HTTP/1.1 200 OK
 14.072418  10.43.65.27 -> 10.43.17.13  HTTP GET http://feeds.feedburner.com/cmsmadesimple/blog?format=xml HTTP/1.1
 14.241316  10.43.17.13 -> 10.43.65.27  HTTP/XML HTTP/1.1 200 OK
29 packets captured
Terminate batch job (Y/N)? y

H:\>
HTH.
Nick.
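
An added example, not part of Nick's batch script or anything posted in this thread: a small Python parser for the one-line summaries that tshark printed in the run above (the `-l -R http` form, where the Info column may carry a `[TCP Retransmission]` prefix and the protocol column can read `HTTP/XML`). It turns the text into records and gives a defender's summary: requests per destination, status codes, and the lines where the proxy's NTLM challenge-response exchange, including the user name, was visible on port 80. The sample lines are constructed from that run, so it works offline.

```python
import re
from collections import Counter

# Constructed sample in the shape of the -R http run above (addresses and URLs from that run).
SAMPLE = """\
  8.883223  10.43.65.27 -> 172.16.1.65  HTTP GET /pacs/proxy.pac HTTP/1.1
  8.965981  172.16.1.65 -> 10.43.65.27  HTTP HTTP/1.1 200 OK  (application/x-ns-proxy-autoconfig)
 10.250742  10.43.17.13 -> 10.43.65.27  HTTP [TCP Retransmission] HTTP/1.1 204 No Content
 13.391117  10.43.17.13 -> 10.43.65.27  HTTP HTTP/1.1 407 Proxy Authentication Required  (text/html)
 13.517116  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.yourdolphin.com/news.xml HTTP/1.1 , NTLMSSP_NEGOTIATE
 13.520613  10.43.65.27 -> 10.43.17.13  HTTP GET http://www.yourdolphin.com/news.xml HTTP/1.1 , NTLMSSP_AUTH, User: U\\G
 13.943667  10.43.17.13 -> 10.43.65.27  HTTP/XML HTTP/1.1 200 OK
"""

# time, source, destination, protocol column, then the free-form Info column
LINE_RE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*)$")
METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "CONNECT ")
STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")
RETRANS = "[TCP Retransmission] "

def parse_summary(text):
    """Turn tshark one-line summaries into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = float(rec["time"])
        info = rec["info"]
        # tshark puts analysis flags in front of the Info text; strip them to reach the HTTP line
        rec["retransmission"] = info.startswith(RETRANS)
        if rec["retransmission"]:
            info = info[len(RETRANS):]
        sm = STATUS_RE.match(info)
        rec["status"] = int(sm.group(1)) if sm else None
        rec["kind"] = "response" if sm else "request" if info.startswith(METHODS) else "other"
        rec["ntlm"] = "NTLMSSP_" in info  # proxy authentication exchange visible in cleartext HTTP
        rec["info"] = info
        records.append(rec)
    return records

def summarise(records):
    """Who asked whom for what, what came back, and where auth material crossed the wire."""
    return {
        "requests_by_dst": Counter(r["dst"] for r in records if r["kind"] == "request"),
        "status_counts": Counter(r["status"] for r in records if r["kind"] == "response"),
        "retransmissions": sum(r["retransmission"] for r in records),
        "ntlm_events": [(r["time"], r["src"], r["info"][r["info"].index("NTLMSSP_"):])
                        for r in records if r["ntlm"]],
    }
```

Feed it the saved output of the same tshark command (for example `parse_summary(open("capture.txt").read())`) and the NTLM events show which hosts are authenticating to the proxy without TLS.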

-----Original Message-----
From: programmingblind-bounce@xxxxxxxxxxxxx
[mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of QuentinC
Sent: 11 October 2010 18:14
To: programmingblind@xxxxxxxxxxxxx
Subject: Re: Looking for network sniffing program

Hello,
I probably need help with your script, which will probably help me a lot.

Available interfaces are listed with their CLSID. How can I know which one is Ethernet and which one is wireless? Both are only labelled "Microsoft".

I've tried, as a test, to catch HTTP traffic. The produced file has strange symbols at the beginning of each request. What are they?
And it seems that I have only the beginning of each request, that is, only headers or a truncated body. Is it normal?

Thank you for your script.


Information for other people who would be interested: the Windows version of Wireshark is probably not totally inaccessible. It is possible to read the window with the JAWS cursor... but of course it is not very practical.

__________
View the list's information and change your settings at 
//www.freelists.org/list/programmingblind
