Wireshark is a staple of any network administrator's toolkit, and it can be equally useful for any network solution providers or consultants who troubleshoot business networks. Most of the readers of this tutorial have probably used Gerald Combs' open source protocol analyzer for years. In this edition of Traffic Talk, I'd like to discuss a few new features of Wireshark as present in the 1.2 version released on June 15, 2009. I use Windows XP SP3 as my test platform.
To try Wireshark 1.2, I uninstalled Wireshark 1.0.8. I had no trouble replacing 1.0.8 with 1.2, and I allowed the installer to replace my old version of WinPcap with the newer WinPcap 4.1beta5 bundled with Wireshark 1.2.
I decided to try running Wireshark as a user with no administrative privileges. I relied on manually starting the WinPcap driver called "NPF" in order to give Wireshark the privileges required to sniff traffic on my laptop's wireless NIC. To start NPF manually, I ran the following:
C:\>runas /u:administrator "net start npf"
Enter the password for administrator:
Attempting to start net start npf as user "NEELY\administrator" ...
C:\>sc query npf
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
The "net start npf" command is sufficient to launch Wireshark with sniffing capabilities. I ran the "sc query npf" to show details on the NPF driver.
Now I was ready to start Wireshark, which I did using the desktop icon added during installation. I was surprised to see the following screen.
No comments:
Post a Comment