PacketVB



PacketVB is a utility program that allows you to intercept and display the Ethernet packets transiting your network. It can display IP (Internet Protocol), ARP (Address Resolution Protocol), and ICMP (Internet Control Message Protocol) packets. The program uses the Windows Packet Filter Kit from NT Kernel Resources, a high-performance packet filtering framework that hooks the NDIS (Network Driver Interface Specification) driver in your Windows operating system. Because NDIS is a layer 2 network driver, the Ethernet headers have already been stripped from the packets. PacketVB can operate the NIC (Network Interface Card) in promiscuous mode, so if your network uses a hub (rather than a switch), you can capture and examine packets from all computers on the network. You can also set it to examine IP packets only.

PacketVB is written in VB6 and is made available in ZIP format. Installation is usually straightforward: run "setup.exe", which installs the files extracted from "PacketVB.cab" as laid out in "setup.lst".

Executing the program:

PacketVB will recover your adapter information and will need to be set up. In the example above, PacketVB has already been set up and the adapter information has been recovered from the registry. To access setup, click on "Capture" or the card icon, and then "Setup". Normally, there is only one "Local Area Connection". If you choose one that is not an Ethernet interface, the program will advise you of that. Once an Ethernet interface has been selected, the MAC address, IP address, and netmask are recovered and displayed, and the interface ID is stored in the registry. Data capture can be started and stopped from the same menu item, but it is more convenient to use the triangle and square in the toolbar.

After capture is started, the data will start to fill in the table:

Because we started capture with the "Filter On" and "IP Only" boxes checked, we will only capture IP packets to and from the selected card, so the Packet and Byte counters at the bottom may not match the display. Although it is possible to examine packet contents while PacketVB is still capturing data, it is better to stop the capture by clicking the red square and then examine the contents by clicking on the individual lines.

When a new packet is displayed, the data portion of the packet is highlighted in both the hexadecimal display area in the center and the text interpretation on the right. In this case, the data is a GET request to a Web server, so the text has some relevance. For convenience, the source and destination MAC addresses, IP addresses, and ports are extracted and displayed at the top. Clicking on any one of them locates that field in the hex data.
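The field extraction and the "Filter On" / "IP Only" rule described above, written out as an added Python example that is not part of PacketVB or WinpkFilter. It assumes the raw frame still carries its 14-byte Ethernet header, and the sample frame, MAC and IP addresses are constructed for the example (checksums are left at zero and not validated).

```python
import struct

ETHERTYPE_IPV4 = 0x0800

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Extract the fields PacketVB shows at the top of its display from one raw
    Ethernet frame. Returns None for anything that is not IPv4 (ARP, IPv6, ...)."""
    if len(frame) < 34:                       # 14 Ethernet + 20 minimum IPv4
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    fields = {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "proto": proto, "src_port": None, "dst_port": None,
        "data": ip[ihl:total_len],
    }
    if proto == 6 and len(ip) >= ihl + 20:    # TCP: ports, then data-offset nibble
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
        fields["data"] = ip[ihl + (ip[ihl + 12] >> 4) * 4:total_len]
    elif proto == 17 and len(ip) >= ihl + 8:  # UDP: fixed 8-byte header
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
        fields["data"] = ip[ihl + 8:total_len]
    return fields

def ip_only_filter(frame, my_ip):
    """'Filter On' + 'IP Only': keep IPv4 frames to or from this card's address."""
    f = parse_frame(frame)
    return f if f and my_ip in (f["src_ip"], f["dst_ip"]) else None

# Constructed sample (checksums zero): HTTP GET from 192.168.1.10:49152 to 192.168.1.20:80.
PAYLOAD = b"GET / HTTP/1.1\r\n"
TCP = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP) + len(PAYLOAD), 0x1234,
                   0x4000, 64, 6, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", ETHERTYPE_IPV4) + IPV4 + TCP + PAYLOAD)
ARP_FRAME = bytes(12) + struct.pack("!H", 0x0806) + bytes(28)   # rejected by the filter

if __name__ == "__main__":
    print(ip_only_filter(SAMPLE_FRAME, "192.168.1.20"))
```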

Here we have clicked on the destination IP address. You can manually highlight data in the hex display, and the corresponding text is automatically highlighted. The contents of the current data display can be copied to the clipboard using the "Edit" menu. To remove the data display, use the "View" menu.

The captured data is automatically stored to disk. Even if the data capture is interrupted for some reason, you can always recover it by clicking on the "File" menu and using the "Display Last Capture" item. From this same menu, you can print the current data display or save the current data set to disk for future reference. To redisplay a saved data set, copy it to curlog.log and use "Display Last Capture".

To install PacketVB, you must first install WinpkFilter! There is no charge for personal use.
NOTE: On 64-bit operating systems (Vista/Win7), driver signing must be disabled! Currently the only way to do that is to press the F8 key on boot-up and disable driver signing. Using the Group Policy Editor or modifying the BCD file to accomplish this is no longer possible on fully updated systems. Once signing is disabled, the driver can be loaded, but permanently signing the driver with a digital signature recognized by Microsoft is prohibitively expensive ($500.00/yr). What is still available is to locally sign your own driver (ndisrd.sys) and run your system in Test Mode. To make this easier, a small utility is made available from NGOHQ. This utility does not have to be installed, but must be run in Administrative Mode with UAC disabled.

Note: If you previously had problems running PacketVB, it may have been the result of a mismatch between the driver (ndisrd.sys) version and the helper file (ndisapi.dll). Make sure both files are V3.0.7.1. If the helper file in the System32/Syswow64 directory is V3.0.2.1, copy the most recent file from the WinpkFilter directory, or uninstall PacketVB and reinstall the most recent version.

DOWNLOAD PacketVB!

DOWNLOAD IPv6 Version!

Note: The IPv6 version supports both IPv4 and IPv6, but only works on Windows Vista or later systems.
