WinPcap: the Free Packet Capture Architecture for Windows


Last modified: Friday, March 08, 2002 14.04

Links

WinPcap-based tools and programs

Please contact us at [email protected] to add new tools to this list.

  • Analyzer and WinDump
    NetGroup's WinPcap based tools.
    http://netgroup-serv.polito.it/analyzer/, http://netgroup-serv.polito.it/windump/
  • Archaeopteryx
    Archaeopteryx is a passive-mode OS identification tool. It is based on Siphon v.666 by SubTerrain. It has a GUI and a highly configurable OS signature file.
    http://members.fortunecity.com/sektorsecurity/projects/archaeopteryx.html
  • ARP0c
    ARP0c is an ARP redirector and bridging engine. ARP requests from various sources in a switched environment receive a false ARP response that points to the host running ARP0c. Packets from these hosts are bridged to the real destination address to allow normal network operation and keep TCP connections alive.
    http://www.phenoelit.de/arpoc/
  • dsniff
    dsniff is a collection of utilities to aid in sniffing network data.
    /~mike/dsniff.html
  • Ethereal
    Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
    http://www.ethereal.com/
  • FTPXerox
    FTPXerox grabs files that are transferred across the network using the FTP protocol. It implements a full end-to-end TCP re-assembly engine that watches for FTP transfers.
    http://members.fortunecity.com/sektorsecurity/projects/ftpxerox.html
  • Gamer's IPX Tunnel (GIT)
    GIT is a freeware utility to link LANs together over the Internet for IPX-based network gameplay. It can also be used to bridge many configurations of IPX packets and frames from one point to another.
    http://www.csis.gvsu.edu/~rubleyr/git/
  • JPcap
    A Java wrapper for WinPcap. It allows Java code to access the WinPcap (and, on UNIX, libpcap) system calls.
    http://www.goto.info.waseda.ac.jp/~fujii/jpcap/
  • ItCan.Net Monitor
    ItCan.Net Monitor is a bandwidth analysis utility. Besides giving a graphical illustration of the bandwidth usage on your computer or the network it resides on, it gives you a list of all incoming and outgoing connections.
    http://itcan.programmer.nl/
  • LC3
    LC3 is the latest version of the password auditing and recovery application L0phtCrack. It helps administrators secure Windows-authenticated networks through comprehensive password auditing.
    http://www.securitysoftwaretech.com/lc3/
  • Lcrzo, Lcrzoex
    Lcrzo is a network library that provides network functionality for the Ethernet, IP, UDP, TCP, ICMP, ARP and RARP protocols. It supports spoofing, sniffing, and client and server creation. Lcrzoex is a toolbox for network administrators and network hackers. Lcrzoex contains over 200 functions built on the lcrzo network library.
    http://www.laurentconstantin.com/en/lcrzo/
    http://www.laurentconstantin.com/en/lcrzoex/
  • LibnetNT
    Libnet is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet shaping, handling and injection.
    http://www.securitybugware.org/libnetnt
    http://www.eeye.com/html/Databases/Software/libnetnt.html
  • Libnids
    Libnids is an implementation of an E-component of Network Intrusion Detection System. It emulates the IP stack of Linux 2.0.x. Libnids offers IP defragmentation, TCP stream assembly and TCP port scan detection.
    /~mike/libnids.html
  • lwIP
    lwIP is a small independent implementation of the TCP/IP protocol suite. The focus of the lwIP TCP/IP implementation is to reduce the RAM usage while still having a full scale TCP.
    http://www.sics.se/~adam/lwip/
  • Network Development kit for Playstation2
    NDK for PlayStation 2 enables you to add networking capabilities to your PlayStation. It consists of the NDK TCP/IP Stack, for building Internet connectivity into a PlayStation 2 game, plus the NDK Analyzer which allows PlayStation 2 Internet traffic to be examined on a development Windows PC across a LAN using the native DECI2 interface.
    http://www.snsys.com/ps2/ndk.htm
  • NmapNT
    Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, sunRPC scanning, reverse-identd scanning, and more.
    http://www.nmap.org
    http://www.eeye.com/html/Databases/Software/nmapnt.html
  • ngrep
    Ngrep strives to provide most of GNU grep's common features, applying them to the network layer.
    http://ngrep.datasurge.net/
  • ntop
    ntop is a tool that shows the network usage, similar to what the popular top Unix command does.
    http://www.ntop.org
  • PacketX
    PacketX is a set of ActiveX classes that integrate WinPcap packet capture functionality with Visual Basic or any other programming environment supporting Microsoft ActiveX technology.
    http://www.beesync.com/products.html
  • PromiScan
    PromiScan quickly searches for promiscuous nodes on the local network without creating a heavy load on the network.
    http://www.securityfriday.com/promiscan_doc.html
  • Pseud IP Masquerade
    Pseud IP Masquerade is a Windows application and NT/2000 service that provides some basic functions of "IP Masquerade".
    http://www.ff.iij4u.or.jp/~ebata/soft/pipmasq/
  • rawstuff
    rawstuff is a toolkit for totally raw (MAC level and with no TCP/IP installed) send and receive on Windows.
    http://www.csee.usf.edu/~christen/tools/toolpage.html#tcpip
  • SuperAgent
    This product from NetQoS analyzes application response times without the need to deploy client-side agents.
    http://www.netqos.com/solutions/superagent/
  • sniffit
    Network sniffer and analyzer.
    http://www.symbolic.it/Prodotti/sniffit.html
  • snort
    Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
    http://www.snort.org/
  • snot
    Snot is an arbitrary packet generator, that uses snort rules files as its source of packet information. It can be used as an IDS evasion tool, by using specific decoy hosts, or just something to keep your friendly IDS monitoring staff busy.
    http://www.sec33.com/sniph/
  • ssldump
    ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
    http://www.rtfm.com/ssldump/
  • TraceDet
    TraceDet is a traceroute detector for Windows NT. Basically, it detects and logs when somebody traceroutes to your host. The idea is that when somebody traces to your host, you receive IP packets with a TTL value equal to 1, so TraceDet watches for such packets.
    http://members.fortunecity.com/sektorsecurity/projects/tracedet.html
  • Triangle Boy
    Triangle Boy is a free, open source, peer-to-peer application that will bypass firewalls and other mechanisms that attempt to block access to SafeWeb. Users who are currently blocked from directly accessing SafeWeb (or any other site) will be able to access it indirectly through any other computer running Triangle Boy.
    https://fugu.safeweb.com/webpage/tboy1.php3
  • WinBridge
    WinBridge acts as a software bridge for Windows 9x/ME. You can join two LANs into one with it. You need at least one PC with two network cards.
    http://www-stud.fh-fulda.de/~fd1534/semaforce/projekte.htm
  • WinPcapArp
    WinPcapArp is an ARP client library that works on Windows (NT and 2000). The main purpose of this library is to obtain the MAC address of the target Ethernet NIC from its IP address.
    http://www.ff.iij4u.or.jp/~ebata/soft/winpcaparp/
  • WinPcapDhcpCD
    WinPcapDhcpCD is a DHCP client daemon library that works on Windows (NT and 2000). The purpose of this library is to obtain more than one IP address in your application program.
    http://www.ff.iij4u.or.jp/~ebata/soft/winpcapdhcpcd/
  • WinWhif
    WinWhif allows any PC running Windows (95, 98, NT or 2000) to record the DICOM traffic between two machines on the same network. It can be useful in diagnosing DICOM communications problems.
    http://www.medicalconnections.co.uk/html/winwhif.html
