The Windows TCPdump: WinDump

VARs can use the Windows version of TCPdump, WinDump, to analyze their customers' network traffic or to determine whether a machine is infected with malware. This tip explains how to install and use the open source network tool.

Packet analysis can be a useful exercise as part of your efforts to audit a customer's network traffic. A popular tool for doing so is the open source Unix command-line tool TCPdump, but if you need to use a Windows-based tool, try WinDump. This tip discusses some of WinDump's applications, from analyzing output files to deciphering encrypted network traffic.

WinDump: The TCPdump tool for Windows

WinDump comes in two parts. The first is a set of network capture drivers called WinPcap, which WinDump uses to obtain packet-level access to network interfaces in the computer. The second part is the program itself, windump, which is invoked from the command line after you've installed the WinPcap library.

The first option you'll want to use when you run windump is -D, which lists all available network interfaces in the current system. By default, the program listens on the first available interface, which on Windows is typically the software dial-up adapter rather than a physical network adapter. The results from -D usually look something like this:

1.\Device\NPF_GenericDialupAdapter (Generic dialup adapter)
2.\Device\NPF_{707E0236-BEE4-4097-93B1-56DEC35564AA} (Intel DC21140 PCI Fast Ethernet Adapter (Microsoft's Packet Scheduler) )
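As an added example (not code from the original article), a small Python helper that parses the -D listing above, skips the generic dial-up adapter that windump would otherwise use by default, and assembles a windump command line for the chosen interface. The sample output is constructed from the listing on this page, and the -i, -n, -s and -w switches are the standard tcpdump/WinDump options.

```python
import re

# Constructed sample of `windump -D` output, modelled on the listing above
# (the GUID is the one printed on this page, not a value from a real machine).
SAMPLE_D_OUTPUT = r"""1.\Device\NPF_GenericDialupAdapter (Generic dialup adapter)
2.\Device\NPF_{707E0236-BEE4-4097-93B1-56DEC35564AA} (Intel DC21140 PCI Fast Ethernet Adapter (Microsoft's Packet Scheduler) )
"""

# Each line is "<index>.<\Device\NPF_...> (<description>)"; the description may
# contain nested parentheses, so the greedy group runs to the last closing paren.
LINE_RE = re.compile(r"^(\d+)\.(\\Device\\NPF_\S+)\s+\((.*)\)\s*$")


def parse_interfaces(text):
    """Turn `windump -D` output into a list of (index, device, description)."""
    result = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return result


def pick_capture_interface(interfaces):
    """Prefer the first adapter that is not the generic dial-up adapter,
    which is the one windump would listen on if no interface were given."""
    for idx, _device, desc in interfaces:
        if "dialup" not in desc.lower().replace("-", ""):
            return idx
    return interfaces[0][0] if interfaces else None


def build_windump_command(iface_index, outfile, bpf_filter=None):
    """Assemble argv for a capture: -i selects the interface by its -D number,
    -n skips name resolution, -s 0 keeps whole packets, -w writes a pcap file."""
    argv = ["windump", "-i", str(iface_index), "-n", "-s", "0", "-w", outfile]
    if bpf_filter:
        argv.extend(bpf_filter.split())
    return argv


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_D_OUTPUT)
    chosen = pick_capture_interface(ifaces)
    print(" ".join(build_windump_command(chosen, "capture.pcap", "not port 3389")))
```

Run the real `windump -D` on the customer's machine and feed its output to parse_interfaces instead of the constructed sample; the resulting pcap can then be opened in any tcpdump-compatible analyzer.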


About the author
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
