Packet sniffer trouble

20 years 6 months ago #1373 by sahirh
Too lazy to figure this one out myself.. anyone have any info ?

I'm on an XP box with a 56k dialup connection trying to do some packet capturing...

I fired up windump and started getting capture data... however the packets weren't getting to the net.. it's almost like windump hijacked the packet stream, and after analysing them wasn't putting them back out to the net... So I figured this was some issue with winpcap as it uses the NDIS_wan interface to fool windows.

Fire up ethereal... same problem... I'm getting the capture data, but everything I capture doesn't ever leave the machine !

Fire up NetworkActive Sniffer - I'm only getting inbound packets.. nothing outbound shows up at all..

Fire up Iris - Can't use it.. it doesn't list the dial up adapter ! Only lists the NICs

There's nothing wrong with the machine or the stack, it seems to sniff the ethernet just fine.. it just doesn't like dial-up (do you blame it)

Ideas ?

Cheers

ps: Yeah I know I have a large sniffer collection, ain't it cool ;) ?

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 6 months ago #1386 by tfs
Replied by tfs on topic Re: Packet sniffer trouble
Have you tried a different machine that wasn't XP and doing the dialup from there, say a W2K machine?

It doesn't make much sense that winpcap would not pass it on for dialup but would for your network.

I assume that as soon as you turn off the analyzer the dialup works OK.

Thanks,

Tom
20 years 6 months ago #1396 by Dudbolt
Replied by Dudbolt on topic Re: Packet sniffer trouble
I don't have much experience with packet sniffing but I have spent plenty of time reading. It depends on the type of sniffer you are using. Some are designed to sniff packets and so will sit on layer 2 and sniff before the packet is encapsulated. Most packet sniffers are set to listen on the ethernet card so that's why whilst you could test it on your own network, it wouldn't work on a modem.

Db

serialcoders.sytes.net/Articles/Sniffing.html
20 years 6 months ago #1399 by sahirh
Replied by sahirh on topic Re: Packet sniffer trouble
*slaps head in disgust*
Thanks dudbolt.. I can't believe I was such a cretin that I didn't think of it.. after all one of the sniffers I used is called ETHEReal... I should have thought of that.

Tom, switching machines didn't work.. so it's some problem right here..

I'm downloading a packet sniffer as opposed to an ethernet sniffer.. I hope this works.

I used to use a beautiful program called NetXray over my old dialup connection.. the company has now been bought over (I think by McAfee) and they make a new product.. such a pity, it was really the most incredibly before-its-time product... all the options you get now with Iris such as follow TCP stream etc... it was all there !


Thanks guys, will post if it works

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 6 months ago #1402 by Chris
Replied by Chris on topic Re: Packet sniffer trouble
Sahir,

I remember trying to sniff packets from my dialup using Iris, and it didn't work for the same reason you mentioned.

There was though one program I found I was able to use for sniffing through a dialup, I just can't remember, it was either Packetboy or Network Monitor - Windows standard sniffer that came with NT.

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 6 months ago #1403 by sahirh
Replied by sahirh on topic Re: Packet sniffer trouble
I know Chris, it's such a shame because Iris is a really powerful sniffer.. well I'm glad it wasn't some problem only on my end !

I downloaded packetboy from our download section but got some kooky runtime error.. will hit their main site and see if they have a new version up.

I wanted to actually watch DNS packets at work when a zone transfer is being run, I have the DNS packet breakup.. but nothing like seeing it off the wire.. once that's done I want to try and write a snort rule to detect a zone transfer attempt.

I'm quite excited because I'm about to start this four month training program where we'll be made to code our own basic firewall, IDS and router. Should be a real learning experience.. not to mention get me back to writing some code :)


Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
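
The zone transfer detection mentioned in the last post, sketched as an added example (not code from the thread or from any poster): it parses the question section of a DNS-over-TCP message and flags AXFR/IXFR requests. It assumes the TCP payload has already been reassembled; the function names and the `example.com` sample query are constructed for illustration.

```python
import struct

AXFR, IXFR = 252, 251  # QTYPE values (RFC 1035 AXFR, RFC 1995 IXFR)

def build_query(name, qtype, txid=0x1234):
    """Build a constructed DNS-over-TCP query: 2-byte length prefix + message."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QR=0, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_question(tcp_payload):
    """Return (qname, qtype, is_query) for the first question, None if malformed."""
    if len(tcp_payload) < 2:
        return None
    (length,) = struct.unpack("!H", tcp_payload[:2])
    msg = tcp_payload[2:2 + length]
    if length < 12 or len(msg) != length:  # truncated or shorter than a header
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:  # root label ends the name
            break
        if n & 0xC0 or pos + n > len(msg):  # no compression expected in a query
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, not (flags & 0x8000)

def is_zone_transfer_request(tcp_payload):
    """True when the payload is a query (QR=0) asking for AXFR or IXFR."""
    parsed = parse_question(tcp_payload)
    return bool(parsed) and parsed[2] and parsed[1] in (AXFR, IXFR)

if __name__ == "__main__":
    for qtype in (1, AXFR):  # an A query, then a zone transfer request
        print(qtype, is_zone_transfer_request(build_query("example.com", qtype)))
```

A network rule would match the same QTYPE bytes at the end of the question section; alerting only on sources that are not authorised secondaries keeps legitimate transfers quiet.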