packet sniffer for outgoing packets on local machine ?

[Guest]

is there a good way to monitor incoming and, more importantly, outgoing
packets from a local WinXP/sp2 machine ? would a packet sniffer be the best
way to do this - and, if so, which one ? for some reason, one machine has
been running very slow and when clicking on LAN Status there is a
suspiciously large amount of packets being sent and received - even though
there is no interaction being done with the OS and no programs that are known
to be running in the backround. and running the Netstat command does not
show any suspicious active or established connections but just a single
connection to the network server. monitoring the network filewall does not
show any outgoing SMTP connections that might be indicative of a zombie
either. TIA for any help on this one ...

 

[Guest]

I like to use Wireshark (http://www.wireshark.org/download.html) to monitor
my packets. It will categorize the packets with colors so that you can tell
the difference between the packets, as well as tell you the destination
address, sending address, and allow you to save the capture so it can be
analyzed with another program.

Good Luck!

P.S. Do you have a firewall installed and running?

 

[Allan]

is there a good way to monitor incoming and, more importantly, outgoing
packets from a local WinXP/sp2 machine ? would a packet sniffer be the
best
way to do this - and, if so, which one ? for some reason, one machine has
been running very slow and when clicking on LAN Status there is a
suspiciously large amount of packets being sent and received - even though
there is no interaction being done with the OS and no programs that are
known
to be running in the backround. and running the Netstat command does not
show any suspicious active or established connections but just a single
connection to the network server. monitoring the network filewall does
not
show any outgoing SMTP connections that might be indicative of a zombie
either. TIA for any help on this one ...

I have used a version of TCPDump available here :
http://www.microolap.com/products/network/tcpdump/ . I have not tried many
others so I can't compare them for you.

 

[Allan]

I have used a version of TCPDump available here :
http://www.microolap.com/products/network/tcpdump/ . I have not tried many
others so I can't compare them for you.

BTW, I just noticed this security warning for tcpdump 3.9.6 and below :
http://secunia.com/advisories/26135/ . The version I referred you to was
3.9.4 .

 

[Vanguard]

in message

is there a good way to monitor incoming and, more importantly,
outgoing
packets from a local WinXP/sp2 machine ? would a packet sniffer be
the best
way to do this - and, if so, which one ? for some reason, one machine
has
been running very slow and when clicking on LAN Status there is a
suspiciously large amount of packets being sent and received - even
though
there is no interaction being done with the OS and no programs that
are known
to be running in the backround. and running the Netstat command does
not
show any suspicious active or established connections but just a
single
connection to the network server. monitoring the network filewall
does not
show any outgoing SMTP connections that might be indicative of a
zombie
either. TIA for any help on this one ...

Some packet sniffers:
Nirsoft's SmartSniff (http://www.nirsoft.net/utils/smsniff.html)
Ethereal (http://www.ethereal.com/)

 

[Guest]

Ethereal has changed its name to Wireshark.

in message


Some packet sniffers:
Nirsoft's SmartSniff (http://www.nirsoft.net/utils/smsniff.html)
Ethereal (http://www.ethereal.com/)

 

[Vanguard]

in message

Ethereal has changed its name to Wireshark.

They do a good job of hiding that fact. When visiting www.ethereal.com,
it isn't obvious the product name got changed. Yes, I can Google on the
site and find Wireshark mentioned, but even their download file still
says "ethereal" (no "wireshark"). Their FAQ page
(http://www.ethereal.com/faq.html). Must be a very new name change.

I found http://www.wireshark.org/faq.html#q1.2 which explains the name
change. Geez, you'd think the old www.ethereal.com web site would get
updated to point at the new one.

 

[Guest]

Cool, thanks guys ! I am going to look into all of those mentioned. I also
came across Ultra Network Sniffer which seems pretty good. It lists all of
the applications that are using a local LAN interface and details each
applications activity (ie packets sent & received, listening or transmitting,
etc...).

e.