Collecting packet captures is often a vital component of troubleshooting network connectivity issues, or unusual and unexpected behavior between clients and servers.  While you can easily load Wireshark on a portable computer, it doesn’t make sense to install it on a server.  On Un*x systems, the standard tcpdump is usually all that is needed.  In case you didn’t know it, tcpdump has been ported to Windows systems.  It’s called WinDump, and it implements all the same features with which you are already familiar.

There is one thing to be aware of: the default interface may not be the one you want to use.  Unfortunately, you cannot just reference interfaces with the typical Un*x device names, e.g. eth0, lo, etc.  If you don’t get the results you expected, first list all of the existing interfaces with the following command:

C:\>windump -D

Now you can reference the proper interface name.  [Update: you can also simply reference the interface number rather than the full device name!] Once I’m sure I have the right interface (cut/paste makes things easier) and command line arguments, I usually write a capture file which I can transfer to a client system and analyze with Wireshark.  For example, you might do something like the following (all on one line) to look for traffic from Entourage clients on an Exchange Client Access Server going to the back-end mailbox server:

C:\>windump -i \Device\NPF_{063FD410-66A0-44E4-9AD6-0183DEF45AF7} -s 1000 -w c:\capture.pcap ip host mbox.example.com and port 80

Of course, you can always just watch the traffic go by in real-time.
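As an added example (not part of the original post), here is a small Python check to run on the transferred capture before opening it in Wireshark: it validates the libpcap header, counts packets, counts how many were cut short by the -s 1000 snaplen, and tallies TCP flows so you can confirm the host-and-port filter captured what you expected.  The sample capture is constructed inline and the addresses are placeholders.

```python
import struct
from collections import Counter

SNAPLEN = 1000  # matches the "-s 1000" on the windump command line

def build_frame(src, dst, sport, dport, payload_len):
    # Constructed Ethernet/IPv4/TCP frame with a dummy payload (sample data only)
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs, then IPv4 ethertype
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + b"A" * payload_len

def build_pcap(frames, snaplen=SNAPLEN):
    # Little-endian libpcap file, link type 1 = Ethernet, truncating frames like -s does
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]                             # bytes the capture retained
        out += struct.pack("<IIII", 1700000000 + i, 0, len(kept), len(frame)) + kept
    return out

def inspect_pcap(data):
    # Validate the header, count packets/truncations, tally TCP flows (src, sport, dst, dport)
    magic = data[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap file (pcapng or nanosecond variant?)")
    e = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"       # WinDump writes little-endian
    snaplen, linktype = struct.unpack(e + "II", data[16:24])
    stats = {"snaplen": snaplen, "packets": 0, "truncated": 0, "flows": Counter()}
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, wirelen = struct.unpack(e + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        stats["packets"] += 1
        if caplen < wirelen:
            stats["truncated"] += 1                        # cut short by the snaplen
        if linktype != 1 or len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                       # not IPv4 over Ethernet
        ihl = (pkt[14] & 0x0F) * 4
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        if pkt[23] == 6 and len(pkt) >= 14 + ihl + 4:      # TCP: ports are the first 4 bytes
            sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
            stats["flows"][(src, sport, dst, dport)] += 1
    return stats

# Constructed sample: a request to the mailbox server on port 80 and a 1400-byte
# reply that the 1000-byte snaplen cuts short. Addresses are placeholders.
CAPTURE = build_pcap([
    build_frame(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 25]), 50123, 80, 120),
    build_frame(bytes([10, 0, 0, 25]), bytes([10, 0, 0, 5]), 80, 50123, 1400),
])
```

On a real file, call `inspect_pcap(open(r"c:\capture.pcap", "rb").read())`; a non-zero truncated count means Wireshark will flag those packets as size-limited during capture, so raise the snaplen if you need full payloads.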
