WinDump is the classic network protocol analysis tool for the Windows environment; its UNIX counterpart is tcpdump. It captures every packet exchanged between two computers on the network so that a network administrator or intrusion analyst can analyze the traffic and detect intrusions. Under this kind of monitoring there are no secrets between any two computers: all of the traffic and all of the data pass before your eyes (encrypted data is of course outside the scope of this discussion, and what you get out of packet analysis depends on your TCP/IP knowledge and experience; the results obtained at different skill levels can vary widely). If you have ever done debugging or disassembly, you will find that the two activities are surprisingly similar. In W. Richard Stevens's famous masterpiece "TCP/IP Illustrated", Volume 1, packets captured with tcpdump are used throughout to explain TCP/IP to the reader, and the best computer security expert in the United States also used tcpdump when pursuing the world's number-one hacker, Mitnick; the value of tcpdump/WinDump is evident.

Using WinDump

Now we formally begin introducing WinDump. The software is free and is used from the command line; it requires the WinPcap driver, which can be downloaded from http://winpcap.polito.it/install/default.htm. WinDump itself is very easy to download and many sites carry it, so I do not provide it here; please search for it online. Now open a command prompt. After running windump, the following appears:

D:\tools>windump
windump: listening on \device\npf_

This means that windump is listening on my network card, whose device name is \device\npf_. If you see this message on the screen, your WinPcap driver is installed properly; otherwise, download and install the correct driver.
WinDump has a lot of parameters; running windump -h shows them:

usage: windump [-aAdDeflnNOpqRStuvxX] [-B size] [-c count] [ -C file_size ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -E algo:secret ] [ expression ]

Let me use a TCP three-way handshake to introduce the use of windump. Read on:

D:\tools>windump -n
windump: listening on \device\npf_
09:32:30.977290 IP 192.168.0.226.3295 > 192.168.0.10.80: S 912144276:912144276(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)    // first line
09:32:30.978165 IP 192.168.0.10.80 > 192.168.0.226.3295: S 2733950406:2733950406(0) ack 912144277 win 8760 <nop,nop,sackOK,mss 1460> (DF)    // second line
09:32:30.978191 IP 192.168.0.226.3295 > 192.168.0.10.80: . ack 1 win 64240 (DF)    // third line

Look at the first line. 09:32:30.977290 is the time; 192.168.0.226 is the source IP address and 3295 the source port, which is actually my own computer; 192.168.0.10 is the destination address and 80 the destination port, so we can tell that this is a connection to the web service on the remote host. S 912144276:912144276(0) shows that my computer sent a SYN request, which is the first step of the handshake; 912144276 is the initiator's initial sequence number; win 64240 is the window size the initiator advertises; mss 1460 is the maximum segment size the initiator announces. The meaning of this line is that the computer with IP address 192.168.0.226 is initiating a TCP connection request to the computer with IP address 61.133.136.34.
Next, look at the second line; the time needs no further explanation. The source IP address is now 192.168.0.10 and the destination IP address has become 192.168.0.226, followed by S 2733950406:2733950406(0) ack 912144277. This is the second step of the handshake: 2733950406 is the initial sequence number issued by the server, and ack 912144277 is the acknowledgment number, which is the client's initial sequence number from the first line plus 1. This line shows that the server accepts the client's TCP connection request and sends out its own initial sequence number. Now look at the third line, the last step of the three-way handshake: the client sends ack 1 (windump prints sequence and acknowledgment numbers relative to the initial ones once it has seen both sides of a connection, so this 1 stands for 2733950407), indicating that the three-way handshake has completed normally and data can now be transmitted. In this example we used the -n parameter, which means that the source and destination addresses are shown as IP addresses rather than resolved to hostnames.

Let's look at what happens when the three-way handshake does not succeed. First I telnet to a computer that does not run a Telnet service:

C:\Documents and Settings\administrator>telnet 192.168.0.10
Connecting to 192.168.0.10 ...
The connection to the host cannot be opened on port 23. Unable to connect because the target machine is actively rejecting.
Now let's look at the packets WinDump captured (counting the command prompt and the listening message as the first two lines):

D:\tools>windump -n
windump: listening on \device\npf_
10:38:22.006930 arp who-has 192.168.0.10 tell 192.168.0.226    // third line
10:38:22.007150 arp reply 192.168.0.10 is-at 0:60:8:92:e2:d    // fourth line
10:38:22.007158 IP 192.168.0.226.3324 > 192.168.0.10.23: S 1898244210:1898244210(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)    // fifth line
10:38:22.007344 IP 192.168.0.10.23 > 192.168.0.226.3324: R 0:0(0) ack 1898244211 win 0    // sixth line
10:38:22.478431 IP 192.168.0.226.3324 > 192.168.0.10.23: S 1898244210:1898244210(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:38:22.478654 IP 192.168.0.10.23 > 192.168.0.226.3324: R 0:0(0) ack 1 win 0
10:38:22.979156 IP 192.168.0.226.3324 > 192.168.0.10.23: S 1898244210:1898244210(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:38:22.979380 IP 192.168.0.10.23 > 192.168.0.226.3324: R 0:0(0) ack 1 win 0

From the third line we can see that 192.168.0.226 does not know the MAC address of 192.168.0.10, so it first sends an ARP broadcast; in the fourth line 192.168.0.10 answers 192.168.0.226's request and tells it that its MAC address is 0:60:8:92:e2:d. In the fifth line 192.168.0.226 sends a SYN request to 192.168.0.10, but in the sixth line we can see that the target host rejects this request and replies with R 0:0(0), indicating that 192.168.0.226's request is not accepted. In the following lines we see 192.168.0.226 keep sending SYN requests to 192.168.0.10, all of which are rejected by the target host. Well, I have written a lot and I don't know whether everyone is tired; if you are, you still need to learn more about TCP/IP, because only a deep understanding of TCP/IP makes a qualified network administrator.
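To put the two captures above to work, here is an added example (not part of the original article) that parses windump -n text lines and tracks each connection attempt through the three-way handshake, reporting which attempts were established and which were refused with a RST. The sample input is constructed to match the exchanges walked through above; the field layout follows tcpdump's classic text format.

```python
import re
# Constructed sample of "windump -n" output (not a real capture); the values mirror
# the article's two exchanges: a completed handshake to port 80, a refused port 23.
SAMPLE = """\
09:32:30.977290 IP 192.168.0.226.3295 > 192.168.0.10.80: S 912144276:912144276(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:32:30.978165 IP 192.168.0.10.80 > 192.168.0.226.3295: S 2733950406:2733950406(0) ack 912144277 win 8760 <nop,nop,sackOK,mss 1460> (DF)
09:32:30.978191 IP 192.168.0.226.3295 > 192.168.0.10.80: . ack 1 win 64240 (DF)
10:38:22.006930 arp who-has 192.168.0.10 tell 192.168.0.226
10:38:22.007150 arp reply 192.168.0.10 is-at 0:60:8:92:e2:d
10:38:22.007158 IP 192.168.0.226.3324 > 192.168.0.10.23: S 1898244210:1898244210(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:38:22.007344 IP 192.168.0.10.23 > 192.168.0.226.3324: R 0:0(0) ack 1898244211 win 0
10:38:22.478431 IP 192.168.0.226.3324 > 192.168.0.10.23: S 1898244210:1898244210(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:38:22.478654 IP 192.168.0.10.23 > 192.168.0.226.3324: R 0:0(0) ack 1 win 0
"""
# A TCP line: time IP src.port > dst.port: flags [seq:seq(len)] [ack N] win N ...
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPF.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)")

def parse_tcp(line):
    """Fields of one TCP line as a dict, or None for ARP and other lines."""
    m = TCP_RE.match(line)
    return m.groupdict() if m else None

def classify_flows(text):
    """Map (client, cport, server, sport) -> (state, number of SYNs sent)."""
    flows = {}
    for line in text.splitlines():
        p = parse_tcp(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in flows:                                  # client -> server
            f = flows[fwd]
            if "S" in p["flags"]:
                f["syns"] += 1                            # SYN retransmitted
            elif p["flags"] == "." and f["state"] == "syn-ack":
                f["state"] = "established"                # third step done
        elif rev in flows:                                # server -> client
            f = flows[rev]
            # reply must ack ISN+1; windump prints it relative ("1") after the first exchange
            if p["ack"] in (str(f["isn"] + 1), "1"):
                if "R" in p["flags"]:
                    f["state"] = "refused"                # RST: port closed
                elif "S" in p["flags"]:
                    f["state"] = "syn-ack"                # second step
        elif "S" in p["flags"] and p["ack"] is None:      # first SYN of a flow
            flows[fwd] = {"state": "syn", "isn": int(p["seq"]), "syns": 1}
    return {k: (v["state"], v["syns"]) for k, v in flows.items()}
```

Feeding the saved output of windump -n into classify_flows gives a per-connection verdict; a client with many refused flows against one host is the kind of pattern an intrusion analyst would want flagged for a closer look.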
WinDump has many parameters and is very powerful; what I have introduced above is only the tip of the iceberg. I hope it is of some use, and I also hope that more network administrators will focus on protocol analysis, because only then can we stay in an unassailable position both in daily network management and in intrusion analysis during emergencies, and contribute to our cyber security.