the possibly accurate now

Mon, 27 Jun 2005

[06:32] TCPDump on Windows
Date: 6/27/05 at 2:32PM

I had a situation today where I needed the functionality of TCPDump but I couldn't install ANYTHING on the server I wanted to capture on. This ruled out WinDump (you need to install WinPcap to get that, and most similar utilities, working). I then stumbled across MicroOLAP TCPDump. This is a Windows port of the original tcpdump program built on their own Packet Sniffer SDK. From what I've read on the site, the SDK is actually a rebadged (and reworked?) Network Investigation Suite, a Delphi-based, fully self-contained, dynamically-loaded packet capture technology.

It is free for personal use and attracts a $US40 license fee for commercial use.

It has exactly the same command line switches as the *nix version (yay!), but the interface selection is a little difficult. I couldn't find any documentation on it, so here's what I worked out (or guessed):

How To Find Your Network Interface ServiceName

  1. Start RegEdit.exe
  2. Navigate to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards key
  3. Assuming you have a NIC in the machine, there will be one or more keys listed here, one for each NIC. Each key name is an integer, but I don't know what this integer is; it is NOT the number of cards you have. There are two string (REG_SZ) values in each of these keys: Description and ServiceName. The Description value should give you enough information to identify the card you're after; the ServiceName is the string you are going to need.
    As you can see in the image below, my ServiceName data value is "{5A484F38-DF22-483C-A4B8-69570E3C7DE2}".

  4. That's all you need - to use it with tcpdump:
    tcpdump -i \Device\{5A484F38-DF22-483C-A4B8-69570E3C7DE2}


If you don't want to expend all that effort, I've written a script that will enumerate all the NICs in your registry and put each ServiceName value in an InputBox so you can copy it out. Copy everything between the lines below into a file with a .vbs extension and double-click it (NOTE: you'll need WMI on the box for this to work):



Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Dim oReg, sKey, lRet, arSubKeys, oKey, sSubPath, sDesc, sValue

' Connect to the WMI registry provider on the local machine
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
sKey = "Software\Microsoft\Windows NT\CurrentVersion\NetworkCards"

' One subkey per NIC; EnumKey returns 0 on success (arSubKeys is Null if there are none)
lRet = oReg.EnumKey(HKEY_LOCAL_MACHINE, sKey, arSubKeys)
If (lRet = 0) And IsArray(arSubKeys) Then
    For Each oKey In arSubKeys
        sSubPath = sKey & "\" & oKey
        oReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, sSubPath, "Description", sDesc
        oReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, sSubPath, "ServiceName", sValue
        ' Show the ServiceName in an editable box so it can be copied out
        InputBox sDesc, "Network Card ServiceName", sValue
    Next
Else
    WScript.Echo "Couldn't get registry array (" & lRet & ")!"
End If
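The same lookup (the manual RegEdit steps above and the VBScript) as a PowerShell function, added here as an example and not part of the original post. It lists every NetworkCards subkey with its Description and ServiceName, builds the \Device\{GUID} string tcpdump expects, and cross-checks the GUID against Win32_NetworkAdapter to show the friendly connection name. The cross-check is an assumption: the GUID property of Win32_NetworkAdapter is not present on older Windows versions, in which case the Connection column is simply blank. Requires PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example (not from the original post): enumerate the NetworkCards key
# and print the tcpdump -i argument for each NIC.

$NetworkCardsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards'

function Get-TcpdumpInterface {
    if (-not (Test-Path $NetworkCardsKey)) {
        throw "Registry key not found: $NetworkCardsKey"
    }

    # Assumption: Win32_NetworkAdapter exposes a GUID that matches ServiceName.
    # On systems where the property is missing this table stays empty.
    $connectionByGuid = @{}
    Get-CimInstance -ClassName Win32_NetworkAdapter |
        Where-Object { $_.GUID } |
        ForEach-Object { $connectionByGuid[$_.GUID] = $_.NetConnectionID }

    foreach ($card in Get-ChildItem -Path $NetworkCardsKey) {
        $props = Get-ItemProperty -Path $card.PSPath
        $guid  = $props.ServiceName
        [pscustomobject]@{
            Index       = $card.PSChildName     # the integer subkey name
            Description = $props.Description
            ServiceName = $guid
            Connection  = $connectionByGuid[$guid]
            TcpdumpArg  = "\Device\$guid"       # what tcpdump -i wants
        }
    }
}

Get-TcpdumpInterface | Format-Table -AutoSize
```

Pick the row whose Description (or Connection) matches the NIC you want and pass its TcpdumpArg to tcpdump -i; the table is read-only, so it is safe to run on a box where you cannot install anything.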