Have you ever been in the situation where ping and traceroute don't show any issues with the network, and yet users are complaining that an application or site is slow?
An option you can use for Windows is a program called WinDump (this is similar to tcpdump, Wireshark or Ethereal, but there is no installation, you just run the windump.exe file). The prerequisite is the WinPcap installation.
The command line looks as follows:
windump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
[ -C file_size ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -Z user ]
[ expression ]
How to use WinDump
Started by wildweaselmi, Jan 13 2010 04:52 PM
#1 Posted 13 January 2010 - 04:52 PM
#2 Posted 13 January 2010 - 05:41 PM
To capture data based on destination, run
tcpdump -nnvvXSs 1514 dst mywiseguys.com (you could use an IP address instead if you want)
Many of us will capture to an output file like
tcpdump -w mwgoutput.pcap
You can view the file using tcpdump:
tcpdump -nnr mwgoutput.pcap
If you look at this file in Notepad or WordPad you probably won't make much sense of it, so convert it to a txt file by running
tcpdump -nnr mwgoutput.pcap > mwgoutput.pcap.txt
If you want detailed (ASCII and hex) output you will use
tcpdump -nvvXSs 1514 dst mywiseguys.com > mwgtest.txt
A pretty common capture with a filter on destination:
tcpdump -nnvvS dst mywiseguys.com
19:03:56.725037 IP (tos 0x0, ttl 128, id 22285, offset 0, flags [none], proto TCP (6), length 40) 0.0.0.0.49778 > 74.220.207.116.80: Flags [F.], cksum 0x3837 (correct), seq 1400, ack 5393, win 32768, length 0
19:03:56.725046 IP (tos 0x0, ttl 128, id 22285, offset 0, flags [none], proto TCP (6), length 40) 0.0.0.0.49778 > 74.220.207.116.80: Flags [.], cksum 0x3836 (correct), seq 1401, ack 5394, win 32768, length 0
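Once a capture like the one above is in hand, the question behind a "the app is slow but ping is fine" complaint is whether the time is lost in the network (handshake round trip, retransmissions) or in the application (server think time, a zero receive window). The script below is an added example for this thread, not code from either post and not part of tcpdump or WinDump. It parses the one-packet-per-line text that `tcpdump -nnvvS` (or windump with the same switches) prints, in the format quoted above, and splits the delay into those two buckets. The sample lines are constructed to look like the thread's output and are not real traffic; the script assumes a single TCP conversation whose first line is the client's SYN, and the 0.0.0.0 client address is kept as the poster wrote it.

```python
"""Triage a `tcpdump -nnvvS` / `windump -nnvvS` text capture for a "slow app" complaint.

Added example for this thread (not code from the posts, tcpdump or WinDump).
Assumes: one packet per line in the format quoted in the thread, a single TCP
conversation, and that the first line is the client's SYN.
"""
import re
from datetime import datetime

# Constructed sample modelled on the lines quoted in the thread; not real traffic.
# Client is 0.0.0.0:49778 (as redacted in the post), server is 74.220.207.116:80.
SAMPLE = """\
19:03:50.000000 IP (tos 0x0, ttl 128, id 22280, offset 0, flags [DF], proto TCP (6), length 52) 0.0.0.0.49778 > 74.220.207.116.80: Flags [S], cksum 0x1111 (correct), seq 1000, win 65535, options [mss 1460,nop,wscale 2], length 0
19:03:50.090000 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 48) 74.220.207.116.80 > 0.0.0.0.49778: Flags [S.], cksum 0x2222 (correct), seq 5000, ack 1001, win 14600, options [mss 1460], length 0
19:03:50.090500 IP (tos 0x0, ttl 128, id 22281, offset 0, flags [DF], proto TCP (6), length 40) 0.0.0.0.49778 > 74.220.207.116.80: Flags [.], cksum 0x3333 (correct), seq 1001, ack 5001, win 65535, length 0
19:03:50.091000 IP (tos 0x0, ttl 128, id 22282, offset 0, flags [DF], proto TCP (6), length 440) 0.0.0.0.49778 > 74.220.207.116.80: Flags [P.], cksum 0x4444 (correct), seq 1001:1401, ack 5001, win 65535, length 400
19:03:51.300000 IP (tos 0x0, ttl 128, id 22283, offset 0, flags [DF], proto TCP (6), length 440) 0.0.0.0.49778 > 74.220.207.116.80: Flags [P.], cksum 0x4444 (correct), seq 1001:1401, ack 5001, win 65535, length 400
19:03:53.000000 IP (tos 0x0, ttl 52, id 1, offset 0, flags [DF], proto TCP (6), length 40) 74.220.207.116.80 > 0.0.0.0.49778: Flags [.], cksum 0x5555 (correct), seq 5001, ack 1401, win 0, length 0
19:03:56.500000 IP (tos 0x0, ttl 52, id 2, offset 0, flags [DF], proto TCP (6), length 432) 74.220.207.116.80 > 0.0.0.0.49778: Flags [P.], cksum 0x6666 (correct), seq 5001:5393, ack 1401, win 14600, length 392
19:03:56.725037 IP (tos 0x0, ttl 128, id 22285, offset 0, flags [none], proto TCP (6), length 40) 0.0.0.0.49778 > 74.220.207.116.80: Flags [F.], cksum 0x3837 (correct), seq 1401, ack 5393, win 32768, length 0
"""

# One line of -nnvvS output: time, IP header summary, endpoints, TCP flags/seq/ack/win, payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?length (?P<iplen>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, cksum \S+ \([^)]*\))?"        # -vv prints the checksum and whether it verified
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"   # -S gives absolute numbers; data segments print seq A:B
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r".*?, length (?P<len>\d+)$"
)


def _to_int(value):
    return int(value) if value is not None else None


def parse_line(line):
    """Return a dict for one packet line, or None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    t = datetime.strptime(d["ts"], "%H:%M:%S.%f")
    t_us = (t.hour * 3600 + t.minute * 60 + t.second) * 1_000_000 + t.microsecond
    return {
        "t_us": t_us,                      # time of day in integer microseconds
        "src": f"{d['src']}:{d['sport']}",
        "dst": f"{d['dst']}:{d['dport']}",
        "flags": d["flags"],
        "seq": _to_int(d["seq"]),
        "ack": _to_int(d["ack"]),
        "win": _to_int(d["win"]),
        "len": int(d["len"]),              # TCP payload bytes
    }


def analyze(text, gap_threshold_s=1.0):
    """Split the delay in a capture into network-side and application-side symptoms."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    if not pkts:
        return {"packets": 0, "handshake_rtt": None, "server_response_delay": None, "findings": []}
    client = pkts[0]["src"]  # assumption: the capture starts with the client's SYN
    syn = synack = first_req = first_resp = None
    seen_data = set()        # (src, dst, seq) of payload-carrying segments already seen
    findings = []
    prev = None
    for p in pkts:
        if prev is not None and p["t_us"] - prev["t_us"] > gap_threshold_s * 1e6:
            findings.append(("gap", f"{(p['t_us'] - prev['t_us']) / 1e6:.3f}s of silence before {p['src']} > {p['dst']}"))
        if p["flags"] == "S" and syn is None:
            syn = p
        elif p["flags"] == "S." and synack is None:
            synack = p
        if p["len"] > 0:
            key = (p["src"], p["dst"], p["seq"])
            if key in seen_data:   # same absolute seq sent again with data: a retransmission
                findings.append(("retransmit", f"{p['src']} resent seq {p['seq']} ({p['len']} bytes)"))
            seen_data.add(key)
            if p["src"] == client and first_req is None:
                first_req = p
            elif p["src"] != client and first_resp is None:
                first_resp = p
        if "R" in p["flags"]:
            findings.append(("reset", f"{p['src']} sent RST"))
        if p["win"] == 0:      # peer's application has stopped draining its socket buffer
            findings.append(("zero-window", f"{p['src']} advertised win 0"))
        prev = p

    def delta(later, earlier):
        return None if later is None or earlier is None else (later["t_us"] - earlier["t_us"]) / 1e6

    return {
        "packets": len(pkts),
        "handshake_rtt": delta(synack, syn),                 # network round trip
        "server_response_delay": delta(first_resp, first_req),  # server think time
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(f"packets: {result['packets']}")
    print(f"handshake RTT: {result['handshake_rtt']}s")
    print(f"first request -> first response: {result['server_response_delay']}s")
    for kind, detail in result["findings"]:
        print(f"[{kind}] {detail}")
```

Feed it the text file produced by `tcpdump -nnvvS ... > file.txt` (or the windump equivalent): a small handshake RTT next to a multi-second request-to-response delay, a zero window from the server, or repeated client data with the same absolute sequence number each point at the application or the host rather than the path that ping and traceroute were testing. Note that without `-S` the seq numbers are relative, so the retransmission check still works but the numbers will not match what the server side sees.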