Capturing traffic without installing anything!

Capturing traffic without installing any software:

  • By using the following method you will be able to sniff all traffic (including traffic dropped by the Windows Firewall) to/from a Windows host without ever installing any software. The packet capture driver is embedded in the .exe and runs without being installed.
  • Download microOLAP’s tcpdump.exe from http://www.microolap.com/products/network/tcpdump/
    Remember that this version of tcpdump is tailored to Windows and requires a license!
  • tcpdump.exe MUST be run in a DOS prompt opened with “Run as Administrator”
  • tcpdump.exe -D
    (displays available adapters to sniff packets from)
    This part can be a bit tricky – the names displayed are not always readily understandable. My tip is to run tcpdump.exe with only -i n (no filter) on each interface in turn and see which ones actually carry traffic.
  • tcpdump.exe -i n
    (captures all traffic on interface n)
  • tcpdump.exe -i n port x
    (captures all traffic to/from interface n that is on port x)
  • tcpdump.exe -i n not host w.x.y.z and port x
    (captures all traffic to/from interface n on port x, except from that to/from host w.x.y.z)
  • tcpdump.exe -i n dst host w.x.y.z1 and not src host w.x.y.z2 and dst port 80
    (captures all traffic on interface n to w.x.y.z1 on port 80, except from that from host w.x.y.z2)
  • tcpdump.exe -i 2 -c 10 -v (dst host w.x.y.z1 and not src host w.x.y.z2) and dst portrange 80-90
    (the first 10 records of traffic on interface 2 that goes to w.x.y.z1 on any port in the range between 80-90, except traffic from w.x.y.z2 – with added verbose output “-v”)
  • tcpdump.exe -i 2 -c 10 -w outfile.pcap (dst host w.x.y.z1 and not src host w.x.y.z2) and dst portrange 80-90
    (same as above but written to file outfile.pcap)
  • tcpdump.exe -i 2 -c 10000 -w outfile.pcap (dst host w.x.y.z1 and not src host w.x.y.z2) and (dst port 80 or dst port 8090)
    (same as above, but with individual ports specified)
  • tcpdump.exe -i 2 -c 10000 -w outfile.pcap ((dst host w.x.y.z1 and not src host w.x.y.z2) and (dst port 8040 or dst port 8043 or dst port 8050 or dst port 8053)) and "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
    (Interface #2, Count = 10000, Write to file outfile.pcap in current directory, all packets with the SYN or ACK flag set going to w.x.y.z1 on ports 8040, 8043, 8050 or 8053, except those from w.x.y.z2
    PS! Because of the "dst host w.x.y.z1" clause this filter will NOT give any SYN/ACKs sent back from the server to the client – only the initial SYN & SYN/ACK from clients + all other ACKs from clients)
  • tcpdump.exe -i 2 -c 10000 -w outfile.pcap ((dst host w.x.y.z1 and not src host w.x.y.z2) and (dst port 8040 or dst port 8043 or dst port 8050 or dst port 8053)) and "tcp[tcpflags] & tcp-syn != 0"
    (Interface #2, Count = 10000, Write to file outfile.pcap in current directory, all packets with the SYN flag set going to w.x.y.z1 on ports 8040, 8043, 8050 or 8053, except those from w.x.y.z2
    PS! Because of the "dst host w.x.y.z1" clause this filter will NOT give any SYN/ACKs sent back from the server to the client – only the initial SYN from clients)
  • .\tcpdump.exe -i 6 'ip[0] & 15 > 5'
    Shows all IP traffic on interface 6 where the 1st byte of the IP header (offset 0), masked with 15 (0000 1111) to keep only the low 4 bits (the IHL field), has a value larger than 5.
    In reality this filter will show you all IP traffic with headers larger than 20 bytes, i.e. packets carrying IP options (5 x 32-bit blocks of header data = 160 bits -> 160 bits / 8 = 20 bytes).
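As an added example (not code from this post or from microOLAP), the Python below evaluates the byte-level filter expressions used above against constructed IPv4/TCP packets the way BPF does, so you can see exactly what "ip[0] & 15 > 5", "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0" and "tcp[tcpflags] & tcp-syn != 0" match. The packets, addresses and ports are made up for the demonstration.

```python
# Added example: byte-level evaluation of the tcpdump filters discussed above.
# All packet bytes are constructed here; nothing is captured from the network.
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10   # tcp-syn / tcp-ack bits in tcp[13] (tcp[tcpflags])

def ip_header_len(pkt: bytes) -> int:
    """'ip[0] & 15' is the IHL field: IP header length in 32-bit words."""
    return pkt[0] & 0x0F

def has_ip_options(pkt: bytes) -> bool:
    """'ip[0] & 15 > 5': IHL above 5 means the header is longer than 20 bytes."""
    return ip_header_len(pkt) > 5

def tcp_flags(pkt: bytes) -> int:
    """tcp[tcpflags] is byte 13 of the TCP header. tcpdump locates the TCP
    header using the real IHL, so a packet with IP options still reads the
    right byte; this function does the same."""
    if pkt[9] != 6:                       # IP protocol field: 6 = TCP
        raise ValueError("not a TCP packet")
    tcp_start = ip_header_len(pkt) * 4
    return pkt[tcp_start + 13]

def syn_or_ack(pkt: bytes) -> bool:
    """'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' (any packet with SYN or ACK set)."""
    return tcp_flags(pkt) & (TCP_SYN | TCP_ACK) != 0

def syn_only_filter(pkt: bytes) -> bool:
    """'tcp[tcpflags] & tcp-syn != 0' (plain SYN and SYN/ACK both match)."""
    return tcp_flags(pkt) & TCP_SYN != 0

def build_packet(flags: int, options: bytes = b"") -> bytes:
    """Constructed IPv4 + TCP packet (checksums left at zero); IP options
    must be a multiple of 4 bytes so the IHL field stays accurate."""
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    tcp = struct.pack("!HHIIBBHHH", 40000, 8040, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for name, pkt in [("SYN", build_packet(TCP_SYN)),
                      ("SYN/ACK", build_packet(TCP_SYN | TCP_ACK)),
                      ("ACK+options", build_packet(TCP_ACK, b"\x01" * 4))]:
        print(name, "options:", has_ip_options(pkt),
              "syn|ack:", syn_or_ack(pkt), "syn:", syn_only_filter(pkt))
```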
