1. I can run the program, but as soon as I start the sniffer I get error
10022: WSAIoctl()... What's the problem?
Usually this happens when there is no interface available to sniff, for
example when the Ethernet card is disconnected (Winsock error 10022 is
WSAEINVAL, "invalid argument", returned here by the WSAIoctl() call). If you
are sure your card is connected but still receive this error, then probably
some low-level driver does not allow sniffing on that interface. Firewalls
could do that, for example, although that's not my case.
2. I'm connected to a LAN, but I see only incoming packets and no outgoing
packets, although I'm sure my PC is sending something. Why?
This is probably due to Service Pack 2 of Windows XP. If that is your
operating system, activate the Windows Firewall and try again. Windows XP SP2
introduced many security restrictions, and sniffing can be harder because of
them. Further information is available here:
http://support.microsoft.com/?id=818043#5
3. I'm connected to the Internet through a dial-up connection, but I see only
incoming packets. I tried to activate my Windows Firewall, but nothing changed.
What can it be?
Unfortunately I noticed the same behavior and haven't found a solution yet. I
can just say that some other sniffers do exactly the same. Further hints or
reports about this matter would be appreciated.
4. Which is the suggested operating system for IP Sniffer?
Windows 2000.
5. I still have Windows 95 on my PC. Do I have any chance of getting IP Sniffer working?
I think you do, yes. But you probably need to install Windows Sockets 2 (freely
downloadable from the Microsoft web site). I would suggest that you upgrade your
operating system, though.
6. What's the meaning of the columns in the main screen?
First of all, each row represents a packet (received or sent). 'Time stamp' is
the local PC time at which the packet was recorded. 'Source' is the IP address of
the device that generated the packet and 'Destination' is the IP address the
packet was sent to. 'Length' is the complete length of the IP packet (header
and data). 'Protocol' is the transport protocol carried inside the IP packet
(ISO/OSI layer 4). 'Info' contains various information depending on the
protocol, for example the TCP port numbers.
7. I unchecked the autoscroll button, but the list still scrolls when a packet
is received, why?
This happens because the list can contain up to 100000 rows (packets). When that limit
is reached and a new packet is received, the oldest packet (on the top) is removed
and all the others are scrolled. I'm still checking if there are ways to avoid
this behavior and really lock the list when autoscroll is unchecked.
8. What's the empty area at the bottom for?
That area (called 'packet data') shows the data contained in the selected packet
(only for known protocols). Printable bytes are shown as normal ASCII text;
any other byte is shown as its hexadecimal value between '<' and '>'. For
example the byte value 13 (carriage return) is shown as <D>.
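The rendering rule above, written out as an added example (this is not IP Sniffer's own code). It assumes that "printable" means the ASCII range 0x20 to 0x7E, which the FAQ does not state, and that the hexadecimal value is printed in uppercase without zero padding, as the <D> example suggests.

```python
# Added example, not part of IP Sniffer: render a payload the way the FAQ
# describes the 'packet data' area. Printable bytes appear as ASCII text,
# every other byte as its hex value between '<' and '>' (byte 13 -> "<D>").
# Assumption (not stated on the page): "printable" means 0x20..0x7E inclusive.

PRINTABLE = range(0x20, 0x7F)


def render_packet_data(payload: bytes) -> str:
    """Render bytes as the packet-data view would (assumed rule, see above)."""
    parts = []
    for b in payload:
        if b in PRINTABLE:
            parts.append(chr(b))
        else:
            parts.append("<%X>" % b)  # uppercase hex, no padding: 13 -> <D>, 0 -> <0>
    return "".join(parts)


# Constructed sample: the first line of an HTTP request, CRLF-terminated.
SAMPLE = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print(render_packet_data(SAMPLE))
```

One caveat that follows from the rule: a literal '<' (0x3C) is printable and is shown as itself, so the text <D> in the view can be either the single byte 13 or the three bytes 0x3C 0x44 0x3E. The display is therefore not something to parse back into bytes; use it for reading, not for reconstructing payloads.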
9. What are filters for?
Usually you don't need a sniffer to monitor all the traffic of your network
card. You probably want to see only certain protocols, or to monitor only
specific ports, and for that you need one or more filters. See the next two
questions for examples.
10. I want to monitor only the traffic generated by my browser when I surf the
Web. What should I do?
Set the filters as follows: only the TCP protocol, any IP address (filter
disabled), only TCP port 80 (HTTP) and any UDP port (filter disabled). You'll
see every access to every web server, which is what browsers usually do. Please
note that this is not always true: the connection could be made on another TCP
port, for example when a server listens on a non-standard port, or on port 443
for HTTPS.
11. I want to see all the UDP traffic sent or received by my PC, but I'd like
to exclude UDP port 1234 because those packets confuse me. How should I set up
the filters for that?
Set the filters as follows: only the UDP protocol, enable the IP address filter
and enter your PC's address, disable the TCP port filter (it doesn't matter) and
enable the UDP port filter, checking 'Exclude' and typing 1234 as the port.
12. What's the export feature for?
Through the export button (or menu) all the packets currently in the list are
saved to an external file, so that the data can be analysed with other software.
13. What's the format of the exported files?
The exported files are TSV (tab separated values) files. Each row is a packet
(except the first row, which is the header) and the fields are separated by the
tab character (ASCII control code 9). Information about this format can be found
on the Web. Several applications, including spreadsheets, can import such files
easily, which is why the TSV format was chosen.
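An added example, not part of IP Sniffer, that ties questions 10, 11 and 13 together: it reads an export in the TSV layout described above and applies the same filter model the FAQ describes (protocol, IP address, TCP port, UDP port, each one either disabled or include/exclude) to the rows. Two things are assumptions of mine, not stated on the page: that the header row uses the column names from question 6, and that the 'Info' column holds "source port -> destination port" for TCP and UDP. The export text is constructed for the example and is not an actual IP Sniffer capture.

```python
# Added example, not IP Sniffer's own code: parse an exported TSV file and
# re-apply the FAQ's filter settings (questions 10 and 11) to its rows.
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample export. Assumptions: header = column names of question 6,
# 'Info' = "sport -> dport" for TCP/UDP. Not a real capture.
SAMPLE_TSV = "\n".join([
    "Time stamp\tSource\tDestination\tLength\tProtocol\tInfo",
    "10:00:01.001\t192.168.1.10\t93.184.216.34\t60\tTCP\t1050 -> 80",
    "10:00:01.050\t93.184.216.34\t192.168.1.10\t1500\tTCP\t80 -> 1050",
    "10:00:02.000\t192.168.1.10\t93.184.216.34\t60\tTCP\t1051 -> 8080",
    "10:00:03.000\t192.168.1.10\t192.168.1.1\t73\tUDP\t1234 -> 7000",
    "10:00:03.100\t192.168.1.10\t192.168.1.1\t70\tUDP\t1055 -> 53",
    "10:00:03.200\t192.168.1.1\t192.168.1.10\t150\tUDP\t53 -> 1055",
    "10:00:03.300\t192.168.1.1\t192.168.1.10\t73\tUDP\t7000 -> 1234",
    "10:00:04.000\t192.168.1.1\t192.168.1.10\t60\tICMP\techo request",
    "10:00:05.000\t10.0.0.5\t10.0.0.6\t90\tUDP\t5000 -> 6000",
])


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read a TSV export: first row is the header, fields are tab-separated."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def ports(row: Dict[str, str]) -> Tuple[Optional[int], Optional[int]]:
    """(source port, destination port) from 'Info', or (None, None) if not TCP/UDP."""
    if row["Protocol"] not in ("TCP", "UDP"):
        return None, None
    src, _, dst = row["Info"].partition("->")
    return int(src), int(dst)


@dataclass
class Filter:
    """One filter set, mirroring the FAQ's options. None means 'filter disabled'."""
    protocol: Optional[str] = None   # only this transport protocol, or any
    ip: Optional[str] = None         # address that must appear as source or destination
    tcp_port: Optional[int] = None   # TCP port to include (or exclude, see flag)
    tcp_exclude: bool = False
    udp_port: Optional[int] = None   # UDP port to include (or exclude, see flag)
    udp_exclude: bool = False

    def matches(self, row: Dict[str, str]) -> bool:
        proto = row["Protocol"]
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.ip is not None and self.ip not in (row["Source"], row["Destination"]):
            return False
        sport, dport = ports(row)
        # A port filter matches if the port is the source or the destination.
        # Include mode drops rows without a hit; exclude mode drops rows with one.
        if proto == "TCP" and self.tcp_port is not None:
            if (self.tcp_port in (sport, dport)) == self.tcp_exclude:
                return False
        if proto == "UDP" and self.udp_port is not None:
            if (self.udp_port in (sport, dport)) == self.udp_exclude:
                return False
        return True


# Question 10: only TCP, any address, TCP port 80, UDP port filter disabled.
WEB_FILTER = Filter(protocol="TCP", tcp_port=80)
# Question 11: only UDP, my PC's address, TCP filter disabled, exclude UDP 1234.
UDP_NOT_1234 = Filter(protocol="UDP", ip="192.168.1.10", udp_port=1234, udp_exclude=True)


def apply_filter(flt: Filter, text: str = SAMPLE_TSV) -> List[Dict[str, str]]:
    return [row for row in parse_export(text) if flt.matches(row)]


if __name__ == "__main__":
    for name, flt in (("web", WEB_FILTER), ("udp-not-1234", UDP_NOT_1234)):
        print(name)
        for row in apply_filter(flt):
            print("  ", row["Source"], "->", row["Destination"], row["Protocol"], row["Info"])
```

Running it shows the caveat from question 10 in practice: the request to port 8080 is a web access too, but the "TCP port 80" filter does not show it. The example is also a reasonable starting point for working on an export outside the tool, since the filters run over the saved rows rather than over the live capture.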