WinDump: tcpdump for Windows


Last modified: Friday, November 16, 2001 09.53

Frequently Asked Questions

See also the WinPcap FAQ, at http://netgroup.polito.it/winpcap/misc/faq.htm


Q-1: WinDump does not seem to run properly / WinDump does not see any network adapter.

A: Have you installed the latest version of WinPcap? WinDump needs the updated WinPcap in order to work properly. Download and install it.

Q-2: When I try to install the driver I get the error: "Could not create Services subkey".

A: This problem seems to appear on NT 4.0 machines with Internet Explorer 4/5. Currently we do not know of any solution to this problem. Anyway, please send us an email ([email protected]): maybe you can help us solve the problem...

Q-3: How can I know the names of the network adapters installed in my machine?

A: Type

WinDump -D

Then you can run the program on a particular adapter with the command

WinDump -i adaptername

or

WinDump -i adapternumber

Q-4: Can I use WinDump on a PPP connection?

A: We have tested WinPcap on PPP connections under Windows 95, Windows 98 and Windows ME. In Windows 95, due to a bug in NDIS, WinPcap sometimes resets the PPP connection. In Windows 98/ME this bug appears to be corrected, and WinPcap seems to work properly. Under Windows NT and Windows 2000 there are problems with the binding process, which prevent a protocol driver from working properly on the WAN adapter. To discover the name of the PPP adapter, see Q-3.

Q-5: Does WinDump decode the protocol XXX?

A: WinDump is the port of tcpdump. You can send this kind of question to the mailing list of the original program, which can be found at http://www.tcpdump.org.

Q-6: Why doesn't WinDump capture all the packets from the network?

A: If you are using an old version of WinDump, please download and install the latest version from the download page. Old versions have lower capture performance.

Remember: you have to download both the network driver and the WinDump program.

Q-7: I have installed the latest version and WinDump keeps losing packets.

A: Try setting a bigger driver's buffer with the '-B' switch. For example

WinDump -B 5000

starts WinDump with a 5 megabyte driver's buffer. When not specified, the size of the buffer is 1 megabyte. Bigger sizes mean better capture performance.

Remember, however, that WinDump is a software network analyzer and needs fast hardware if used on fast networks.

Q-8: On which OS can I run WinDump?

A: WinDump can run on all the operating systems supported by WinPcap, i.e. Windows 95, 98, ME, NT4, 2000 and XP.

WinDump does not work on SMP machines, because we don't have a multiprocessor computer on which to develop/test it. Please contact us if you want to donate such a machine to us. :-)

Q-9: Which network adapters are supported?

A: WinPcap was developed to work primarily with Ethernet adapters. Support for other MACs was added during development, but Ethernet remains the preferred one. The main reason is that all our development stations have Ethernet adapters, so all our tests were made on this type of network. However, the current situation is:

  • Windows 95/98/ME: the packet driver works correctly on Ethernet networks. It also works on PPP WAN links, but with some limitations (for example, it is not able to capture the LCP and NCP packets). FDDI, ARCNET, ATM and Token Ring should be supported; however, we did not test them because we do not have the hardware, so do not expect them to work perfectly.
  • Windows NT4/2000: the packet driver works correctly on Ethernet networks. We were not able to make it work on PPP WAN links, because of binding problems on the NDISWAN adapter. As in Win9x, FDDI, ARCNET, ATM and Token Ring should be supported, but are not guaranteed to work perfectly.

Q-10: Do I need to be Administrator in order to run WinDump?

A: Yes/no. The security model of WinPcap is quite poor, and we plan to work on it in the future. At the moment, if you execute WinDump for the first time since the last reboot, you must have administrator privileges in order to run it. At the first execution, the driver will be dynamically installed in the system, and from that moment every user will be able to use WinPcap to sniff packets.

Q-11: Can I launch multiple instances of WinDump on the same machine?

A: Yes. It is possible to launch more than one session (on the same network adapter or on different adapters). Except for the increased CPU load, there are no drawbacks to using multiple applications at the same time.

Q-12: Why does WinDump hang for some seconds while capturing? How can I avoid it?

A: When WinDump prints the packet information on the screen, it uses the DNS service to convert host addresses to names. WinDump must wait until the operating system returns the result of the DNS resolution. This process seems to be quite slow in Win32, and can affect the performance of the capture process. You can use the -n switch to avoid name resolution.

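The answers to Q-3, Q-7 and Q-12 combine naturally into one capture command. The following Python script is an added example and is not code from this FAQ or from the WinDump/WinPcap project: it parses a constructed sample of the adapter listing printed by "WinDump -D", selects an adapter by number or by a substring of its description, and assembles a command line that picks the adapter with -i, enlarges the driver's buffer with -B and disables name resolution with -n. The sample device names and the helper names (parse_adapter_list, select_adapter, build_capture_cmd) are assumptions made for this example; the real device names reported by WinPcap vary with the Windows and WinPcap version.

```python
"""Added example, not code from the WinDump FAQ or the WinDump/WinPcap project:
parse the adapter listing of `WinDump -D` (Q-3), pick an adapter, and build a
capture command line using -i, -B (Q-7) and -n (Q-12).  The listing below is
constructed sample text; real WinPcap device names vary by version."""
import re
import shlex
from typing import List, NamedTuple

# Constructed sample of the `WinDump -D` output format: "<n>.<device> (<description>)".
SAMPLE_ADAPTER_LIST = """\
1.\\Device\\Packet_{11111111-2222-3333-4444-555555555555} (3Com EtherLink PCI)
2.\\Device\\Packet_{66666666-7777-8888-9999-000000000000} (NdisWan Adapter)
"""

# Adapter number, a dot, the device name (no spaces), then an optional " (description)".
_ADAPTER_LINE = re.compile(r"^(\d+)\.(\S+)(?: \((.*)\))?\s*$")


class Adapter(NamedTuple):
    number: int
    device: str
    description: str


def parse_adapter_list(text: str) -> List[Adapter]:
    """Turn the `-D` listing into Adapter records; blank lines are ignored."""
    adapters = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _ADAPTER_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised adapter line: {line!r}")
        adapters.append(Adapter(int(match.group(1)), match.group(2), match.group(3) or ""))
    return adapters


def select_adapter(adapters: List[Adapter], wanted: str) -> Adapter:
    """Resolve the user's choice: either an adapter number (as -i adapternumber)
    or a case-insensitive substring of the description/device name that
    matches exactly one adapter."""
    if wanted.isdigit():
        for adapter in adapters:
            if adapter.number == int(wanted):
                return adapter
        raise LookupError(f"no adapter numbered {wanted}")
    needle = wanted.lower()
    hits = [a for a in adapters if needle in (a.description + " " + a.device).lower()]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} adapters match {wanted!r}; expected exactly one")
    return hits[0]


def build_capture_cmd(adapter: Adapter, buffer_kb: int = 1000, resolve_names: bool = False,
                      filter_expr: str = "", by_number: bool = True) -> List[str]:
    """Assemble the WinDump argv.  -B takes the driver's buffer size in kilobytes
    (the FAQ's `-B 5000` is a 5 megabyte buffer; 1000 matches the 1 megabyte
    default); -n disables name resolution so slow DNS lookups do not stall
    the capture.  With by_number=False the -i argument is the device name."""
    if buffer_kb <= 0:
        raise ValueError("buffer size must be positive")
    argv = ["WinDump", "-i", str(adapter.number) if by_number else adapter.device,
            "-B", str(buffer_kb)]
    if not resolve_names:
        argv.append("-n")
    if filter_expr:
        argv.extend(shlex.split(filter_expr))  # filter words go last, as separate arguments
    return argv


if __name__ == "__main__":
    adapters = parse_adapter_list(SAMPLE_ADAPTER_LIST)
    for adapter in adapters:
        print(f"{adapter.number}: {adapter.description or adapter.device}")
    chosen = select_adapter(adapters, "etherlink")
    print(" ".join(build_capture_cmd(chosen, buffer_kb=5000, filter_expr="tcp port 80")))
```

Run as a script, it lists the sample adapters and prints the assembled command; in practice the text fed to parse_adapter_list would be the real output of "WinDump -D" on the capturing machine, and the returned argv would be handed to subprocess rather than printed.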

Q-13: When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety?

A: In at least some cases, this appears to be the result of PGPnet running on the network interface on which you're capturing; turn it off on that interface.