Problem solve Get help with specific problems with your technologies, process and projects.

Introduction to freeware packet sniffer SmartSniff

A packet sniffer is a valuable tool in the network consultant's troubleshooting arsenal. This tip covers the basics of freeware packet sniffer program SmartSniff.

A packet sniffer is a valuable tool in the network consultant's troubleshooting arsenal. This tip, provided courtesy of, covers the basics of freeware packet sniffer program SmartSniff.

Packet sniffers are among a network administrator's best friends -- they can help pinpoint whether a problem exists with a client, a server or somewhere in between. Nir Sofer, author of many other excellent utilities I've covered in the past, has now written a sniffer of his own: SmartSniff.

SmartSniff can work in one of two ways. It can capture packets with Windows' native raw sockets capture system, although this only works on Windows 2000 or better, and has some limitations: you cannot capture outgoing UDP and ICMP packets, and Windows XP Service Pack 1 does not support capture at all. Another way to capture is with the WinPcap driver, a free and open-source packet-capture driver that works on Windows 98 and up, and lets you capture everything.

Each separate ICMP, TCP or UDP connection is broken out individually and referred to as a stream. Multiple conversations on the same connection are aggregated into the same stream. The program's top panel lists all of the streams captured by the application, and shows just about every important piece of information you could need: local and remote address, hosts and ports, service type, number of packets exchanged, total data size and capture time. Click on one of the conversations and the data in that conversation is displayed in the bottom panel. Data sent from your machine is in blue, while data sent to your machine is in purple.

Note that remote host name lookups are only resolved after you stop recording (so that traffic doesn't get logged as well), and that only 7-bit ASCII data is presented by default. If you select Options | "Display Characters Above ASCII 127", you'll see all the characters, but the color-coding on the display will vanish and the data might not be as coherent.

One of the things I've liked about Mr. Sofer's applications is how they have a high degree of consistency in their presentation. If you double-click on one of the conversations, for instance, you get an expanded infobox that's the same as one he's written for other tools. The whole record buffer can be saved in both a native data format and to an HTML report, and both the display results and capture actions can have filters applied to them so you only record what you need to see.

About the author
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators.

This tip originally appeared on


Dig Deeper on Campus area networks and services