The most reliable and lightweight tool I know is ... the one made by Microsoft, a.k.a. Microsoft Network Monitor. It relies on the Windows built-in packet capture features, so it leaves a minimal footprint on the target system. It can run without being installed. It works on all Microsoft-supported Windows versions, in x86, x64 and even IA64 flavors.
How to use it?
- Download and install Microsoft Network Monitor on a standalone computer.
- Upload nmconfig.exe and nmcap.exe on the target computer.
- Enable the Microsoft Network Monitor Driver: nmconfig /install
- Test: nmcap /displaynetworks
- Sniff all TCP traffic on every local interface: nmcap /network * /capture tcp /File tcp.cap
- Disable the Microsoft Network Monitor Driver: nmconfig /uninstall
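The six steps above, wrapped into one script so the driver is always unloaded even when the capture fails. This is an added example, not code from the original post or from Microsoft; it assumes nmconfig.exe and nmcap.exe were copied next to the script, that the session is elevated, and that the capture length, output file name and filter are placeholder parameters you adjust. The time-bounded stop uses nmcap's own `/StopWhen /TimeAfter` switch.

```powershell
# Added example (not from the original post): runs the nmconfig/nmcap procedure end to end.
# Assumptions (mine, not the post's): nmconfig.exe and nmcap.exe sit in the same folder as
# this script, the shell is elevated, and the three parameters are placeholder defaults.
param(
    [int]$CaptureMinutes = 5,        # how long nmcap runs before stopping on its own
    [string]$OutFile = "tcp.cap",    # capture file, Network Monitor format (readable by Wireshark)
    [string]$Filter = "tcp"          # nmcap capture filter, as in the post's "/capture tcp"
)

$ErrorActionPreference = 'Stop'
$here     = Split-Path -Parent $MyInvocation.MyCommand.Path
$nmconfig = Join-Path $here 'nmconfig.exe'
$nmcap    = Join-Path $here 'nmcap.exe'
$outPath  = Join-Path $here $OutFile

# Fail early if the two binaries were not copied over.
foreach ($tool in @($nmconfig, $nmcap)) {
    if (-not (Test-Path $tool)) { throw "Missing $tool - copy it next to this script first." }
}

# Step 1: load the Network Monitor capture driver (post's "nmconfig /install").
& $nmconfig /install
if ($LASTEXITCODE -ne 0) { throw "nmconfig /install failed with exit code $LASTEXITCODE" }

try {
    # Step 2: sanity check - list the interfaces the driver can see (post's "nmcap /displaynetworks").
    & $nmcap /displaynetworks

    # Step 3: capture on every interface and stop automatically after $CaptureMinutes.
    # PowerShell passes '*' to native commands unexpanded, so nmcap receives "/network *".
    & $nmcap /network * /capture $Filter /File $outPath /StopWhen /TimeAfter $CaptureMinutes min
    if ($LASTEXITCODE -ne 0) { throw "nmcap capture failed with exit code $LASTEXITCODE" }

    $size = (Get-Item $outPath).Length
    Write-Host "Capture written to $outPath ($size bytes)"
}
finally {
    # Step 4: always unload the driver (post's "nmconfig /uninstall"), even if the capture threw.
    & $nmconfig /uninstall
}
```

Run it from an elevated prompt with `.\capture.ps1 -CaptureMinutes 10 -Filter tcp`; the `finally` block is what guarantees the driver does not stay resident on the host after a failed or interrupted run.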
(Caveat: the capture file format is not WinPcap-compatible. However, Wireshark (and others) can read it.)