With their ability to capture and analyze data packets in real time, packet sniffers are invaluable tools for network administrators and security professionals. In this article we take a closer look at the best packet sniffers available today, how they work, and what features to look for when choosing the right tool for your network security needs.
A packet sniffer, also known as a network analyzer or protocol analyzer, is a network tool that captures and analyzes network traffic. It intercepts and logs network traffic that passes through a specific network interface, allowing network administrators to diagnose and troubleshoot network problems, detect intrusion attempts, and monitor network activity. Network administrators and security professionals use packet sniffers in network security, performance optimization, and troubleshooting.
A packet sniffer decodes each packet's headers and payload: the source and destination addresses, the protocol in use, and the data being carried. From this it can report the types of traffic on the segment, where that traffic is coming from and going to, which protocols are in use, and, for unencrypted protocols, the contents of the data itself (for TLS, SSH and similar protocols only the metadata is visible, not the plaintext).
Packet sniffers can also surface intrusion attempts by analyzing traffic for suspicious activity or anomalies. For example, a sniffer might flag traffic from an IP address outside the ranges expected on that segment, or a payload that matches the signature of a known exploit against a network service.
A packet sniffer works by intercepting network traffic data as it travels between devices on a network. The packet sniffer is placed in a strategic location within the network topology, such as at the network perimeter or within the internal network. Once the packet sniffer has intercepted the data packets, it captures and analyzes the information they contain, including the source and destination addresses, the data payload, and any headers or protocols used.
Packet sniffers can capture network data in two ways: in promiscuous mode or in non-promiscuous mode. In promiscuous mode, the network interface passes every frame it sees on its segment up to the sniffer, including frames addressed to other hosts. In non-promiscuous mode, the sniffer sees only frames addressed to its own interface (plus broadcast and multicast). Note that on a switched network promiscuous mode alone is not enough: the switch only forwards unicast frames to the port that owns the destination MAC address, so to see other hosts' traffic the capture interface must be connected to a mirror (SPAN) port or a network tap.
Once the frames have been captured, the packet sniffer runs them through protocol dissectors, one per layer (Ethernet, IP, TCP or UDP, and so on up the stack), to extract meaningful information. This information can include details about the network topology, network performance, and potential security threats. The packet sniffer then presents it to the network administrator or security professional in a readable form, allowing them to make informed decisions about managing and securing their network.
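To make the capture-and-dissect pipeline from the last three paragraphs concrete, here is an added example that is not part of the original article: a small pcap reader that walks Ethernet, IPv4 and TCP/UDP headers the way a sniffer's dissectors do, verifies the IPv4 header checksum, and flags packets whose source lies outside a trusted range (the "unfamiliar IP address" check mentioned above). The three packets, the MAC addresses and the trusted network 10.0.0.0/24 are all constructed here for illustration; nothing in it is read from a live interface, so it runs offline without privileges.

```python
"""Dissect a constructed libpcap capture the way a packet sniffer would.

Added example: the sample packets, MAC addresses and trusted range below are
made up for illustration; they are not data from the article.
"""
import ipaddress
import socket
import struct

# Hypothetical trusted segment used by the anomaly check.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A")]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# --- builders for the constructed sample capture -----------------------------
def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + payload


def tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    # TCP checksum left at 0: the dissector below does not validate layer 4.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ethernet(src_mac: bytes, dst_mac: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def pcap(frames) -> bytes:
    """libpcap file: 24-byte global header, then per-record header + frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


MAC_A, MAC_B, MAC_X = bytes.fromhex("525400000005"), bytes.fromhex("525400000020"), bytes.fromhex("0200deadbeef")
SAMPLE_PCAP = pcap([
    ethernet(MAC_A, MAC_B, ipv4("10.0.0.5", "10.0.0.20", 6, tcp(51514, 22, 0x02))),      # SYN to SSH
    ethernet(MAC_A, MAC_B, ipv4("10.0.0.5", "10.0.0.53", 17, udp(53000, 53, b"\x12\x34\x01\x00"))),
    ethernet(MAC_X, MAC_B, ipv4("203.0.113.7", "10.0.0.20", 6, tcp(4444, 445, 0x02))),   # external SYN to SMB
])


# --- dissectors --------------------------------------------------------------
def mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def dissect_frame(frame: bytes) -> dict:
    rec = {"eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12])}
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != 0x0800 or len(frame) < 34:
        rec["proto"] = "non-ipv4"
        return rec
    (_vi, _tos, total_len, _id, _ff, ttl, proto, _chk, src, dst) = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    ihl = (frame[14] & 0x0F) * 4
    rec.update(ip_src=socket.inet_ntoa(src), ip_dst=socket.inet_ntoa(dst), ttl=ttl,
               ip_checksum_ok=checksum(frame[14:14 + ihl]) == 0)  # header incl. checksum sums to 0
    body = frame[14 + ihl:14 + total_len]
    if proto == 6:
        sport, dport, _seq, _ack, doff, flags, _win, _c, _urg = struct.unpack_from("!HHIIBBHHH", body, 0)
        rec.update(proto="tcp", sport=sport, dport=dport,
                   flags="".join(n for bit, n in TCP_FLAG_NAMES if flags & bit),
                   payload=body[(doff >> 4) * 4:])
    elif proto == 17:
        sport, dport, length, _c = struct.unpack_from("!HHHH", body, 0)
        rec.update(proto="udp", sport=sport, dport=dport, payload=body[8:length])
    else:
        rec.update(proto=str(proto), payload=body)
    return rec


def parse_pcap(data: bytes) -> list:
    """Walk the record headers; returns one dissected dict per frame."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    off, records = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append(dissect_frame(data[off:off + incl_len]))
        off += incl_len
    return records


def unfamiliar_sources(records, trusted=TRUSTED_NETS) -> list:
    """Anomaly check from the text: packets whose source is outside the trusted range."""
    return [r for r in records if "ip_src" in r
            and not any(ipaddress.ip_address(r["ip_src"]) in net for net in trusted)]


if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    for r in recs:
        print(r.get("ip_src"), "->", r.get("ip_dst"), r.get("proto"), r.get("dport"), r.get("flags", ""))
    for r in unfamiliar_sources(recs):
        print("ALERT: unfamiliar source", r["ip_src"], "to port", r["dport"])
```

The dissector only follows the one IPv4/TCP/UDP path; a real sniffer layers dozens of dissectors on top of this and validates layer 4 checksums too. The structure is the point: every layer is a fixed-offset header that tells you where the next one starts, and a capture file is just those frames prefixed with timestamps and lengths.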
Wireshark is one of the most popular packet sniffers available, and for a good reason. It is an open-source tool that is free to use and is available on Windows, Linux, and macOS. Wireshark can capture and analyze traffic from hundreds of different network protocols, making it a versatile tool for network administrators and security professionals.
Tcpdump is a command-line packet sniffer available on Linux, macOS and the BSDs (it needs root or the CAP_NET_RAW capability to open an interface). It is a lightweight and efficient tool that can capture and filter traffic from a wide range of protocols and writes standard pcap files that Wireshark can open. Tcpdump is a powerful network troubleshooting and analysis tool, but its command-line interface can be intimidating for novice users.
Microsoft Message Analyzer was a packet sniffer designed specifically for Windows networks. It could capture and analyze traffic from a wide range of network protocols, including Microsoft-specific protocols like SMB and Kerberos, and included a powerful filtering system that let users quickly isolate and analyze specific types of traffic. Note that Microsoft has since retired the tool and no longer offers it for download, so it is only an option where an existing installation remains.
Colasoft Capsa is a commercial packet sniffer that is available on Windows. It has a free version for users but it is limited in terms of functionality and time. Colasoft Capsa includes a wide range of network analysis and troubleshooting features, like real-time network traffic monitoring and visual analysis tools.
Ettercap is a free, open-source packet sniffer that is available on Windows and Linux. It is a versatile tool that can be used for a wide range of network analysis tasks, including network monitoring, packet sniffing, and network intrusion detection. Ettercap can capture and analyze traffic from a wide range of network protocols and also includes active man-in-the-middle features like ARP poisoning and DNS spoofing, which put it in the offensive toolbox as much as the monitoring one; use those only on networks you are authorized to test.
Packet sniffers are an essential tool for network administrators and security professionals. They provide detailed information about network activity, allowing administrators to identify and troubleshoot network problems, detect network intrusion attempts, and monitor network performance.
Wireshark, Tcpdump, Microsoft Message Analyzer, Colasoft Capsa, and Ettercap are just a few of the many packet sniffers available, each with its own set of features and capabilities. Choosing the right packet sniffer depends on the specific needs and requirements of the user, but any of these tools can be a valuable asset in network analysis and troubleshooting. By using a packet sniffer, network administrators can improve the security and reliability of their networks and keep their systems running smoothly.
A few weeks ago I stumbled on a neat feature in Windows 10 that evidently has been there since the Windows 10 October 2018 Update. It is called Pktmon or Packet Monitor. It is a built-in packet sniffer right in the OS that can be run from an elevated CMD prompt. You can export the captures to an ETL file and use Microsoft Network Monitor to read them. Looks like pktmon is on Windows 2019 as well.
Pulling the newest Windows 10 2004 update, I found this utility was updated to support exporting the captures as PCAPNG files (a Wireshark-friendly format) and real-time monitoring. This has the potential to speed up troubleshooting without installing third-party software. Searching around, I found Bleeping Computer does a decent breakdown, as I have not been able to find any Microsoft docs on this yet.
With Windows 10 having been with us for a number of years, you would think that all of its secrets had been discovered by now. Of course, Microsoft has released numerous updates to the operating system, but it's hard to imagine anything included in them going unnoticed, right?
Over the weekend Lawrence Abrams from BleepingComputer wrote about the Pktmon tool which Microsoft has said nothing about. When Windows 10 October 2018 Update was released, there was no mention of the network packet sniffer, it does not appear to be mentioned on the Microsoft website, and no documentation appears to have been produced.
How to get this working on Windows 10 x64? I have the same problem as mentioned above in that the CC2540 dongle shows up in device manager with no driver installed and is therefore not showing up in the Packet Sniffer. The dongle is untouched as received from TI, which I understand should mean that its flashed with the packet sniffer firmware by default.
My situation is similar to one described by the guys above, but with some difference: when I first installed SmartRF Studio + Packet Sniffer + SmartRF Flash Programmer, everything worked just fine: I was able to use cc2540 dongle with sniffer, read and write firmware from/to cc2540 chips through SmartRF05EB.
Yesterday I tried to read the firmware from a cc2531 chip and found out that now none of Packet Sniffer, Flash Programmer or Studio sees any of the chips! It seems that the main big thing that happened in between is the automatic Win 10 upgrade to ver 1703 (build 15063.413 as it says now; I don't remember which one it was before). It's x64.
As everything worked before, I didn't look at Windows' Device Manager. Now I looked there and under "Other devices" I have CC2540USB Dongle with error 28, driver not installed, like mentioned in the messages above. It's pretty surprising to see that, but at least it correlates with the fact that things are broken now.
Further, I don't see any cebal2_x64.inf under C:\Program Files (x86)\Texas Instruments\SmartRF Tools\drivers\cebal\win_64bit_x64. Under C:\Program Files (x86)\Texas Instruments\SmartRF Tools\drivers\cebal there are only 2 dirs: \not_certified and \win_32bit_x86, no mention of a 64-bit version at all. So, as far as I can see, I have the latest versions of all the tools and none of them has installed a 64-bit version. Where can I find it?
To activate monitor mode in Windows, we need a card supported by Acrylic Wi-Fi Sniffer. This should not be a problem, as the list of Wi-Fi cards compatible with our sniffer is very extensive and includes modern 802.11ac cards such as the Alfa cards.
When Acrylic Wi-Fi Sniffer cannot enable monitor mode on the installed Wi-Fi card using its own driver, we can fall back to the NDIS driver by installing it from the program's control panel.
NDIS monitor mode is a native Windows mechanism for turning a card into a Wi-Fi sniffer. Unfortunately, Microsoft's limited support for this technology and the lack of support from card manufacturers mean that it does not always work optimally and has certain technical limitations (whether a given card and driver actually deliver 802.11 management and control frames varies), so NDIS is Acrylic's plan B for sniffing.
If you are more interested in a graphical diagnostic tool, to navigate and visualize all of the information graphically without losing the power of a Wi-Fi packet viewer, we recommend that you try Acrylic Wi-Fi Analyzer.
I am attempting to add the packet sniffer sensor to my local probe. When configuring it, the network adapters setting is grayed out and says "No network adapters available." I currently have the onboard NIC collecting SNMP traffic. I also have a PCIE NIC with two interfaces. I'm hoping to use one of those to receive traffic using SPAN.
I have searched for a while and haven't come up with a solution. One thing I found was to check the administration tool in the Probe Settings and Monitoring tab to make sure the interfaces show up and select auto. That looks fine to me.