WinDump: tcpdump for Windows

Frequently Asked Questions

  1. WinDump seems not to run properly / Windump doesn't see any network adapter.
  2. How can I know the names of the network adapters installed in my machine?
  3. Can I use WinDump on a PPP connection? Which network adapters are supported?
  4. On which OS can I run WinDump?
  5. Does WinDump decode the protocol XXX?
  6. Why doesn’t WinDump capture all the packets from the network?
  7. I have installed the latest version and WinDump keeps on losing packets.
  8. Do I need to be Administrator in order to run Windump?
  9. Can I launch multiple instances of WinDump on the same machine?
  10. Why does WinDump hang for some seconds while capturing? How can I avoid it?
  11. When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety?
  12. When I capture I'm not seeing any traffic being sent by the machine running WinDump.
  13. When I run WinDump I get the error "WinDump.exe EntryPoint Not found. The Procedure entry point opterr could not be located in the dynamic link library wpcap.dll".
  14. When I use WinDump, why do I see only packets to or from my machine, or why do I not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?


Q-1: WinDump seems not to run properly / Windump doesn't see any network adapter.

A: Have you installed the latest version of WinPcap? WinDump needs the latest WinPcap in order to work properly. Download and install it.

 

Q-2: How can I know the names of the network adapters installed in my machine?

A: Type

WinDump -D

Then you can run the program on a particular adapter with the command

WinDump -i adaptername

or

WinDump -i adapternumber

 

Q-3: Can I use WinDump on a PPP connection? Which network adapters are supported?

A: WinDump is able to use the interfaces exported by WinPcap. Read Q-16 in the WinPcap FAQ for the list of supported link layers.

 

Q-4: On which OS can I run WinDump?

A: WinDump can run on all the operating systems supported by WinPcap, i.e. Windows 95, 98, ME, NT4, 2000, XP, 2003, Longhorn/Vista.

 

Q-5: Does WinDump decode the protocol XXX?

A: WinDump is a port of tcpdump. Questions of this kind can be sent to the mailing list of the original program, which can be found at http://www.tcpdump.org.

 

Q-6: Why doesn’t WinDump capture all the packets from the network?

A: If you are using an old version of WinDump, please download and install the latest version from the download page. Old versions have lower capture performance. Remember also to update WinPcap.

 

Q-7: I have installed the latest version and WinDump keeps on losing packets.

A: Try to set a bigger driver buffer with the '-B' switch. For example

WinDump -B 5000

starts WinDump with a 5 megabyte driver buffer. When not specified, the size of the buffer is 1 megabyte. Bigger sizes mean better capture performance.

Remember, however, that WinDump is a software network sniffer and needs fast hardware if used on fast networks.
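
The two answers above (Q-2 and Q-7) amount to a small procedure: list the adapters, pick one, and start the capture with a large enough driver buffer. The module below is an added example, not code from the WinDump or WinPcap projects: it parses a constructed `WinDump -D` listing (the `N.name (description)` line shape tcpdump uses; the GUIDs and descriptions are placeholders), resolves an adapter by number or by a unique substring of its description, and assembles the argument list. It assumes that `-B` takes the size in kilobytes, which is what the FAQ's "-B 5000 gives a 5 megabyte buffer" implies.

```python
"""Pick a WinDump capture adapter and build the command line.

Added example, not part of the WinDump FAQ or distribution. Assumes the
`WinDump -D` listing format "N.name (description)", one adapter per line,
and that -B is a size in kilobytes (the FAQ describes "-B 5000" as a
5 megabyte buffer).
"""
import re
from typing import List, Optional, Tuple, Union

# Constructed sample of what `WinDump -D` prints; the GUIDs and the
# descriptions are placeholders, not real adapter identifiers.
SAMPLE_LISTING = """\
1.\\Device\\NPF_{00000000-0000-0000-0000-000000000001} (Example Ethernet Adapter)
2.\\Device\\NPF_{00000000-0000-0000-0000-000000000002} (Example Wireless Adapter)
"""

_LINE_RE = re.compile(r"^(\d+)\.(\S+)(?: \((.*)\))?\s*$")


def parse_adapter_listing(text: str) -> List[Tuple[int, str, str]]:
    """Parse `WinDump -D` output into (number, device name, description)."""
    adapters = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something not in the expected shape
        adapters.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return adapters


def select_adapter(adapters: List[Tuple[int, str, str]],
                   wanted: Union[int, str]) -> Optional[str]:
    """Resolve an adapter by its number (int) or by a case-insensitive
    substring of its description or name (str). Returns the device name
    usable with -i, or None when nothing (or more than one thing) matches."""
    if isinstance(wanted, int):
        for num, name, _ in adapters:
            if num == wanted:
                return name
        return None
    needle = wanted.lower()
    matches = [name for _, name, desc in adapters
               if needle in desc.lower() or needle in name.lower()]
    # Refuse an ambiguous match rather than silently capturing on the wrong NIC.
    return matches[0] if len(matches) == 1 else None


def build_windump_command(adapter: str, buffer_mb: int = 1,
                          resolve_names: bool = False,
                          bpf_filter: str = "") -> List[str]:
    """Assemble the WinDump argument list.

    -i selects the adapter (Q-2), -B sets the driver buffer in kilobytes
    (Q-7; 1 MB is the default), and -n turns off the slow name resolution
    discussed in Q-10. The filter expression, if any, goes last.
    """
    if buffer_mb < 1:
        raise ValueError("buffer size must be at least 1 MB")
    cmd = ["WinDump", "-i", adapter, "-B", str(buffer_mb * 1000)]
    if not resolve_names:
        cmd.append("-n")
    if bpf_filter:
        cmd.append(bpf_filter)
    return cmd


if __name__ == "__main__":
    adapters = parse_adapter_listing(SAMPLE_LISTING)
    for num, name, desc in adapters:
        print(f"{num}: {desc or '(no description)'}  ->  {name}")
    chosen = select_adapter(adapters, "ethernet")
    print(" ".join(build_windump_command(chosen, buffer_mb=5, bpf_filter="tcp port 80")))
```

On a real machine the listing would come from running `WinDump -D` (for example through `subprocess.run(["WinDump", "-D"], capture_output=True, text=True).stdout`) instead of the constructed sample.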

Q-8: Do I need to be Administrator in order to run Windump?

A: Yes and no. The security model of WinPcap is quite poor, and we plan to work on it in the future. At the moment, the first execution of WinDump after a reboot requires administrator privileges: on that first run the driver is dynamically installed in the system, and from that moment on every user is able to use WinPcap to sniff packets.

Q-9: Can I launch multiple instances of WinDump on the same machine?

A: Yes. It is possible to launch more than one session (on the same network adapter or on different adapters). Except for the increased CPU load, there are no drawbacks to using multiple applications at the same time.

 

Q-10: Why does WinDump hang for some seconds while capturing? How can I avoid it?

A: The cause of the slowness is that gethostbyaddr(), used by WinDump to resolve host names, on Windows uses more than just DNS and the hosts file to translate IP addresses to names: it also tries NetBIOS-over-TCP. Translating an IP address to a NetBIOS name requires sending a NetBIOS Name Service Node Status Request (see section 4.2.17 of RFC 1002) to that IP address and waiting for a reply, which carries the machine's NetBIOS name. However, if the machine in question isn't running any NetBIOS name service code (most non-Windows boxes don't), no reply comes back. An ICMP Port Unreachable might be sent, but that might not cause an error to be delivered to the socket on which the request was sent. The machine trying to get the name may therefore have to wait for the request to time out before concluding that it can't obtain the name for that IP address through NetBIOS, and that can take a significant amount of time.

You can use the -n switch to avoid name resolution and speed up the display process.
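
What that resolver fallback looks like on the wire, as an added example that is not part of WinDump or WinPcap: the Python module below builds and parses the wildcard Node Status Request of RFC 1002 section 4.2.17, so that a capture analyst can recognise bursts of UDP/137 queries leaving a capture host as reverse lookups from a sniffer running without -n. The first-level name encoding (each byte split into two nibbles, each nibble added to 'A', per RFC 1001 section 14.1), the NUL padding of the wildcard "*" name, and the sample datagram are taken from the RFCs or constructed here; none of them come from the FAQ, and the module only decodes bytes, it never sends anything.

```python
"""Build and decode the NetBIOS Name Service Node Status Request that
Windows gethostbyaddr() falls back to (WinDump FAQ Q-10).

Added example, not part of WinDump or WinPcap. The layout follows
RFC 1002 section 4.2.17 and the first-level encoding of RFC 1001
section 14.1; SAMPLE_REQUEST is constructed, not captured.
"""
import struct
from typing import Tuple

NBNS_PORT = 137
QTYPE_NBSTAT = 0x0021   # node status request
QCLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encode a 16-byte NetBIOS name: every byte becomes two
    letters 'A'..'P' (one per nibble), wrapped as one DNS-style label."""
    raw = name.encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    # Ordinary names are padded with spaces; the wildcard "*" used by node
    # status queries is padded with NULs. Byte 16 is the suffix (service type).
    raw = raw + pad * (15 - len(raw)) + bytes([suffix])
    encoded = bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))
    return bytes([len(encoded)]) + encoded + b"\x00"


def build_node_status_request(trn_id: int) -> bytes:
    """The 50-byte datagram sent to UDP/137: query opcode, no flags,
    one question for the wildcard name '*' of type NBSTAT, class IN."""
    header = struct.pack("!HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    question = encode_netbios_name("*", suffix=0x00, pad=b"\x00")
    return header + question + struct.pack("!HH", QTYPE_NBSTAT, QCLASS_IN)


def decode_netbios_name(label: bytes) -> Tuple[str, int]:
    """Reverse the first-level encoding; returns (name, suffix byte)."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def parse_nbns_query(data: bytes) -> dict:
    """Parse the header and the first question of an NBNS query datagram."""
    if len(data) < 12:
        raise ValueError("truncated NBNS header")
    trn_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    length = data[12]
    if len(data) < 18 + length:
        raise ValueError("truncated question")
    label = data[13:13 + length]
    if data[13 + length] != 0:
        raise ValueError("malformed question name")
    qtype, qclass = struct.unpack("!HH", data[14 + length:18 + length])
    name, suffix = decode_netbios_name(label)
    return {"trn_id": trn_id, "opcode": (flags >> 11) & 0xF, "qdcount": qdcount,
            "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}


def is_node_status_request(data: bytes) -> bool:
    """True for a wildcard NBSTAT query: the signature of reverse-lookup
    traffic from a host whose sniffer is resolving names (no -n)."""
    try:
        q = parse_nbns_query(data)
    except (ValueError, struct.error):
        return False
    return q["opcode"] == 0 and q["qtype"] == QTYPE_NBSTAT and q["name"] == "*"


# Constructed sample of such a request; the transaction id is arbitrary.
SAMPLE_REQUEST = build_node_status_request(0x1234)

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    print(parse_nbns_query(SAMPLE_REQUEST))
    print("node status request:", is_node_status_request(SAMPLE_REQUEST))
```

In a capture, the combination of destination port 137, opcode 0, question type 0x0021 and the encoded wildcard name (the label starts with "CK" followed by thirty "A"s) is what to look for; a capture host emitting one of these per distinct source address is the delay described above, and -n removes it.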

 

Q-11: When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine.  What should I do to arrange that I see those packets in their entirety?

A: In at least some cases, this appears to be the result of PGPnet running on the network interface on which you're capturing; turn it off on that interface.

 

Q-12: When I capture I'm not seeing any traffic being sent by the machine running WinDump.

A: If you are running some form of VPN client software, it might be causing this problem; people have seen this problem when they have Check Point's VPN software installed on their machine. If that's the cause of the problem, you will have to remove the VPN software in order to have WinDump (or any other application using WinPcap) see outgoing packets.

 

Q-13: When I run WinDump I get the error "WinDump.exe EntryPoint Not found. The Procedure entry point opterr could not be located in the dynamic link library wpcap.dll".

A: You are using mismatched versions of WinDump and WinPcap. WinDump 3.6.2 and older versions require WinPcap 2.3, while from version 3.8 alpha on WinPcap 3.0 is required.

 

Q-14: When I use WinDump, why do I see only packets to or from my machine, or why do I not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?

A: See http://www.winpcap.org/misc/faq.htm#Q-22.



Last modified: Wednesday, October 18, 2006 19.04