How often have you looked at an ostensibly idle PC’s flashing drive-access light and wondered: “What’s my computer doing?”
Some of that activity is internal, but much of it also involves external devices and services. Here’s how to get a peek at that otherwise hidden network chatter.
An introduction to sniffing data packets
Before I get into details, you should know that this article is merely an introduction to the process of examining network TCP/IP packets. Thoroughly covering this topic requires considerably more space than will fit into a Windows Secrets issue.
Fortunately, there’s a plethora of books, self-study courses, and in-person training sessions — as well as certifications — for the tools I discuss below. For example, the Wireshark tool has an entire training process built around it. Wireshark University is led by Laura Chappell and Gerald Combs. I’ve attended some of Laura’s classes, and she’s an excellent instructor.
Examining the packets of data that go between your machine and another system is daunting — but it also provides a fascinating glimpse into what your computer is doing. There are numerous tools for analyzing data packets. Along with Wireshark (formerly Ethereal), some of the more popular packet-sniffing tools include Microsoft’s Message Analyzer and RSA NetWitness Investigator, offered on the EMC site.
For space and simplicity, I’m limiting this discussion to Wireshark — it’s the best-known of the three, and it’s relatively easy to install.
Note: As always when adding new software — especially applications that poke deep into Windows — make a full backup of your system. Packet analyzers typically install a small app called WinPcap (Windows Packet Capture) for listening in on your network connections. A backup is always good insurance, should something go awry with an installation or other system changes.