Categories: Networks

Building tcpdump on Windows

One of the security podcasts I listened to mentioned using tcpdump to analyze traffic. It looks like a tool you need to build for yourself since is no download page. Build instructions are well documented at tcpdump/doc/README.windows.md. This post is a summary of all the instructions required, including for installation of the Npcap: Windows Packet Capture Library & Driver. First get the Npcap SDK:

mkdir -p /c/software/npcap
cd /c/software/npcap
curl -Lo npcap-sdk-1.13.zip https://npcap.com/dist/npcap-sdk-1.13.zip
unzip npcap-sdk-1.13.zip

Clone the repo and create a build directory:

cd /c/repos
git clone https://github.com/the-tcpdump-group/tcpdump
cd tcpdump
mkdir build

Run these commands from the Developer command prompt:

cd \repos\tcpdump\build
cmake "-DPCAP_ROOT=C:\software\npcap" -G "Visual Studio 16 2019" -A x64 C:\repos\tcpdump
msbuild /m /nologo /p:Configuration=Debug tcpdump.sln

This takes only 40 seconds on my desktop. Next, run the Npcap 1.79 installer to ensure that launching tcpdump does not fail with this error: “The code execution cannot proceed because wpcap.dll was not found. Reinstalling the program may fix this problem.” We can now run tcpdump:

cd Debug
tcpdump.exe

When tcpdump starts up, it indicates that it is listening on a given device.

C:\repos\tcpdump\build\Debug> tcpdump.exe
tcpdump.exe: verbose output suppressed, use -v[v]... for full protocol decode
listening on \Device\NPF_{SOME-GUID}, link-type EN10MB (Ethernet), snapshot length 262144 bytes

Interestingly, the repo does not have much (any?) documentation on how to use tcpdump. However, there are links to tutorials and numerous other resources at Home | TCPDUMP & LIBPCAP. As per the repo:

Richard Stevens gives an excellent treatment of the Internet protocols in his book “TCP/IP Illustrated, Volume 1”. If you want to learn more about tcpdump and how to interpret its output, pick up this book.

GitHub – the-tcpdump-group/tcpdump: the TCPdump network dissector

The 2nd edition is dated November 2011: TCP/IP Illustrated: The Protocols, Volume 1 (Addison-Wesley Professional Computing Series): Fall, Kevin, Stevens, W.: 0785342336313: Amazon.com: Books. I have added it to the reading list.

The earlier test tcpdump did not display any traffic on my desktop. Following an introduction to using tcpdump at the Linux command line | Opensource.com, list the available devices using tcpdump -D then select one of them and pass it as the --interface argument. This allows me to find the device that with network traffic.

tcpdump -D
tcpdump --interface \Device\NPF_{SOME-GUID}

How does tcpdump -D generate the list of network devices? The main function of the application detects the -D option then calls the show_devices_and_exit function, which in turn retrieves the devices by calling the pcap_findalldevs function. Stepping into this call reveals that it is in C:\Windows\System32\wpcap.dll. As shown in the properties of wpcap.dll below, it is part of the libpcap product. This explains why tcpdump fails to start if the Npcap installer is not executed (when “wpcap.dll was not found”). I’m interested in the actual enumeration of network devices but that appears to be part of libpcap, specifically pcap.c. I’ll save that exploration for another day.

wpcap.dll Properties
wpcap.dll Properties

Article info

Categories

Tags

Leave a Reply

Your email address will not be published. Required fields are marked *