
rawsniff.exe

Description:

Rawsniff is a quick and dirty command-line RAW socket based packet sniffer. (This means that it has all the drawbacks of raw sockets, for instance only being able to pick up on traffic to and from the current machine and only working on IPv4. If you want a *real* packet sniffer, you are going to want something like Wireshark, or, well, Wireshark. On the other hand, rawsniff doesn't require installing a packet capture driver; all you need is Administrator access on the local machine to open the socket.) There are command line filtering options to limit the amount of packet spam, as well as some limited decoding options (including a rough |strings mode for looking at arbitrary and otherwise unsupported protocols). Finally, rawsniff can export a libpcap formatted capture file to be analyzed in a more capable environment (Wireshark again).

Rawsniff must be run as an Administrator, for instance by finding cmd.exe, right clicking on it, and selecting "Run As Administrator", or by using "runas" (which bugs me, so I wrote uac.exe for my own use).

It was originally written to be run side by side with tcping to provide some low level information that tcping couldn't provide by itself. Another sample use case for this utility is a situation where you suspect that a computer is infected and want to peek into its network traffic real quick without having to reboot the machine or set up a sniffer on separate hardware.

Updates:

14 Apr 2016 - Bug fixes and --packets X option, thanks to Jari Parviainen for these.

7 Jun 2016 - 0.5 adds process id support. Since we are mostly sniffing traffic that pertains only to the local machine, why not be able to list/filter packets based on the owning process id? Added --process <NAME> and --pid <PID> to filter the traffic and --nopid to disable the lookup and display (it's on by default). I've noticed that my approach doesn't appear to be 100% effective - it doesn't mark every bit of traffic I think it should, especially with UDP (seems to me anyway). This might be due to there basically being a race condition - we get the packet, then go and look it up in the netstat table real quick - it may or may not be there anymore.

0.5 specifically is using an extended-for-UDP version of Tim Van Wassenhove's Managed IP Helper API: http://timvw.be/2007/09/09/build-your-own-netstatexe-with-c/. I'm not sure on the licensing: Tim's page said "As always, feel free to download the code", so I did. Thank you Tim!

24 Feb 2019 - 0.6 has added "standard in" (pipe) support for Wireshark. For instance, rawsniff.exe --listen 192.168.x.x --dump | "c:\Program Files\Wireshark\Wireshark.exe" -k -i - will bind a raw socket on 192.168.x.x and feed what it sees to Wireshark's stdin. This allows Wireshark to capture raw packets via standard input.
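The --pcap file and the --dump pipe above both carry the libpcap format. The following is an added Python example, not rawsniff's own code (rawsniff is a .NET assembly), showing the 24-byte global header and 16-byte per-packet record that format consists of; it assumes LINKTYPE_RAW (101) because a raw IPv4 socket delivers datagrams starting at the IP header, with no Ethernet header. The sample packet and timestamp are constructed.

```python
import io
import struct

# libpcap file layout: a 24-byte global header, then for each packet a
# 16-byte record header followed by the packet bytes.
PCAP_MAGIC = 0xA1B2C3D4   # microsecond timestamps; written little-endian here
LINKTYPE_RAW = 101        # records start at the IP header, no Ethernet header,
                          # which is what a raw IPv4 socket hands the caller
SNAPLEN = 65535

def pcap_global_header(linktype=LINKTYPE_RAW, snaplen=SNAPLEN):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(packet, ts, snaplen=SNAPLEN):
    # ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes captured)
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    saved = packet[:snaplen]
    return struct.pack("<IIII", sec, usec, len(saved), len(packet)) + saved

def write_pcap(stream, packets):
    """packets: iterable of (timestamp, raw_ip_bytes). Returns records written."""
    stream.write(pcap_global_header())
    count = 0
    for ts, pkt in packets:
        stream.write(pcap_record(pkt, ts))
        count += 1
    stream.flush()  # matters when the stream is a pipe feeding Wireshark's stdin
    return count

def read_pcap(data):
    """Parse a capture back into (linktype, [(timestamp, packet), ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    records, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        records.append((sec + usec / 1_000_000, data[pos:pos + incl]))
        pos += incl
    return linktype, records

# Constructed sample: 20-byte IPv4 header (checksum field left zero) plus an
# 8-byte ICMP echo request header, the kind of datagram a raw socket delivers.
SAMPLE_PACKET = bytes.fromhex("45000028 5d230000 80010000 c0a8010a 08080808"
                              "08000000 00010001")

def roundtrip(packets=((1423364538.188850, SAMPLE_PACKET),)):
    """Write the sample capture to memory and parse it back."""
    buf = io.BytesIO()
    count = write_pcap(buf, packets)
    linktype, records = read_pcap(buf.getvalue())
    return count, linktype, records
```

To reproduce the 0.6 pipe with this writer, pass sys.stdout.buffer as the stream and run the script with | wireshark -k -i - on the receiving end.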

Download:


Listing directory https://download.elifulkerson.com/files/rawsniff/0.6:

    rawsniff-0.6.zip         February 25 2019 03:07:07   26879  Zip archive data, at least v2.0 to extract
    rawsniff-0.6.zip.asc     February 25 2019 03:08:30     801  GnuPG signature
    rawsniff-0.6.zip.md5     February 25 2019 03:39:36      51  MD5 checksum
    rawsniff-0.6.zip.sha1    February 25 2019 03:39:43      59  SHA1 checksum
    rawsniff-0.6.zip.sha256  February 25 2019 03:39:50      83  SHA256 checksum
    rawsniff-0.6.zip.sha512  February 25 2019 03:39:55     147  SHA512 checksum
    rawsniff.exe             February 25 2019 03:05:39   40448  PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    rawsniff.exe.asc         February 25 2019 03:08:15     801  GnuPG signature
    rawsniff.exe.md5         February 25 2019 03:08:16      47  MD5 checksum
    rawsniff.exe.sha1        February 25 2019 03:08:16      55  SHA1 checksum
    rawsniff.exe.sha256      February 25 2019 03:08:16      79  SHA256 checksum
    rawsniff.exe.sha512      February 25 2019 03:08:16     143  SHA512 checksum

Usage:


Usage: rawsniff.exe [options]

Note:
    Must be administrator due to raw socket restrictions.  Also, antivirus may
    complain that you're opening a raw socket.  IPv4 only.

Options:
    -?            Get this help screen
    -v            Display version information
    --listen X    Listen on specified IP address (otherwise choose from list)

Types of packets:
    --tcp         Display TCP matches
    --udp         Display UDP matches
    --icmp        Display ICMP matches
    --other       Display matches for other protocols

Output options:
    --brief       Display brief (single line) packet information (default)
    --data        Brief mode, including readable ASCII data payloads
    --list        Display a list of packet information
    --full        Display the full list of packet information
    --gag         No output to console
    --pcap        Write out a timestamp.pcap file in the current directory.
                  (libpcap format)
    --packets X   Program exits after certain count of matching packets are
                  displayed (default is 2,147,483,647)

Filter:
    --ip X        Match packets with this IP in either src_ip or dst_ip
    --port X      Match packets with this port in either src_port or dst_port
    --src_ip X    If specified, display packets with a given src_ip only
    --dst_ip X    If specified, display packets with a given dst_ip only
    --src_port X  If specified, display packets with a given src_port only
    --dst_port X  If specified, display packets with a given dst_port only

    --nopid       Disable the process info display, which is on by default.
    --pid X       If specified, display packets that belong to a given Process ID only
    --process X   If specified, display packets that belong to a given Process name only

Example Output - ASCII data and Pcap File:


C:\rawsniff.exe --data --pcap

For help, use "rawsniff.exe --help"

IP Address List:
----------------
0: <redacted>
1: <redacted>
2: <redacted>
3: <redacted>
4: 192.168.Y.Z
5: <redacted>

Please select an IPv4 address to listen on: 4
192.168.Y.Z selected.

Starting PCAP file: 2015-02-08-03-02-18-188850.pcap
1 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:52 SYN  data:E 4 i@ l v
2 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:40 ACK  data:E ( j@ l > P u
3 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:40 ACK  data:E ( j@ l > P u
4 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:110 ACK PSH  data:E n k@ l > P 4 A = T + q p \ R-/rI 1 [ t 1 9 3 5 / #
5 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:110 ACK PSH  data:E n k@ l > P 4 A = T + q p \ R-/rI 1 [ t 1 9 3 5 / #
6 TCP 192.168.Y.Z:4505 -> 255.255.215.226:80 size:40 ACK FIN  data:E (R @ K% P w e\ P J
7 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:40 ACK  data:E ( l@ l @ > iP jK
8 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:40 ACK  data:E ( l@ l @ > iP jK
9 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:174 ACK PSH  data:E m@ x l @ > %P \ F 7DP1 9 g w O$ < 1 G b4 m 1 W= 0 y"c <: p /5 p n N +
8 < G +KK
10 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:174 ACK PSH  data:E m@ x l @ > %P \ F 7DP1 9 g w O$ < 1 G b4 m 1 W= 0 y"c <: p /5 p n N +
 8 < G +KK
11 TCP 192.168.Y.Z:4505 -> 255.255.215.226:80 size:40 ACK  data:E (R @ K$ P w e\ P J
12 TCP 192.168.Y.Z:4505 -> 255.255.215.226:80 size:40 ACK  data:E (R @ K$ P w e\ P J
13 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:898 ACK PSH  data:E n@ l > P t m 3Ws$ ] 8 c o r: e 0 d M ) ; + b g 7 | J* Ed u U J + X _ ! | x ;l Q `@ i]_Zc
( ?`g ; Ny l ' C{MD $Xl t Su f Q 5 R ,QA~OV d -BA e R ,QA~OV d -BA e 

Example Output - Watching DNS Traffic:


C:\rawsniff.exe --udp --data --port 53

For help, use "rawsniff.exe --help"

IP Address List:
----------------
0: <redacted>
1: <redacted>
2: <redacted>
3: <redacted>
4: 192.168.Y.Z
5: <redacted>

Please select an IPv4 address to listen on: 4
192.168.Y.Z selected.

1 UDP 192.168.Y.Z:58743 -> 8.8.8.8:53 size:62 data:E >] w 5 * elifulkerson com
2 UDP 8.8.8.8:53 -> 192.168.Y.Z:58743 size:78 data:E N 8 5 w : G elifulkerson com F; @ g
3 UDP 192.168.Y.Z:58744 -> 8.8.8.8:53 size:62 data:E >] x 5 * elifulkerson com
4 UDP 8.8.8.8:53 -> 192.168.Y.Z:58744 size:115 data:E s 8 5 x _ elifulkerson com ) ns1 linode admin x 8@ 8@ u Q
5 UDP 192.168.Y.Z:64863 -> 8.8.8.8:53 size:63 data:E ?] _ 5 + W whatismyproxy com
6 UDP 8.8.8.8:53 -> 192.168.Y.Z:64863 size:79 data:E O 8 5 _ ; whatismyproxy com M @ g
7 UDP 192.168.Y.Z:64864 -> 8.8.8.8:53 size:63 data:E ?] ` 5 + U whatismyproxy com
8 UDP 8.8.8.8:53 -> 192.168.Y.Z:64864 size:116 data:E t 8 5 ` ` W whatismyproxy com ) ns1 linode admin w 9 8@ 8@ u Q
9 UDP 192.168.Y.Z:64865 -> 8.8.8.8:53 size:61 data:E =]! a 5 ) dnsparanoia com
10 UDP 8.8.8.8:53 -> 192.168.Y.Z:64865 size:77 data:E M 8 5 a 9^' dnsparanoia com M ^
11 UDP 192.168.Y.Z:64866 -> 8.8.8.8:53 size:61 data:E =]" b 5 )i dnsparanoia com
12 UDP 8.8.8.8:53 -> 192.168.Y.Z:64866 size:114 data:E r 8 5 b ^&s dnsparanoia com ) ns1 linode admin x 8@ 8@ u Q

Example Output - ICMP decode:


C:\rawsniff --icmp --full

For help, use "rawsniff.exe --help"

IP Address List:
----------------
0: <redacted>
1: <redacted>
2: <redacted>
3: <redacted>
4: 192.168.Y.Z
5: <redacted>

Please select an IPv4 address to listen on: 4
192.168.2.20 selected.

- PACKET 1
 - IP Packet Header
   IPv       : 4
   Header Len: 5
   ToS       : 0
   Total Len : 60
   ID        : 23843
   Evil      : 0
   Don't Frag: 0
   More Frags: 0
   FragOffset: 0
   TTL       : 128
   Protocol  : ICMP
   Checksum  : 2770
   src_ip    : 192.168.X.Y
   dst_ip    : 8.8.8.8

 - ICMP Segment Header
   type  : 8 Echo
   code  : 0
 chksum  : 19802

- PACKET 2
 - IP Packet Header
   IPv       : 4
   Header Len: 5
   ToS       : 0
   Total Len : 60
   ID        : 23843
   Evil      : 0
   Don't Frag: 0
   More Frags: 0
   FragOffset: 0
   TTL       : 128
   Protocol  : ICMP
   Checksum  : 2770
   src_ip    : 192.168.X.Y
   dst_ip    : 8.8.8.8

 - ICMP Segment Header
   type  : 8 Echo
   code  : 0
 chksum  : 19802
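The --full decode above lists the IPv4 header fields in wire order, followed by the ICMP type, code and checksum. As an added Python example (not rawsniff's code), here is a decoder that produces the same fields from a raw datagram and also verifies both Internet checksums, which the tool's output does not do; build_icmp_echo constructs the 60-byte echo request used as test input, with the ID 23843 and TTL 128 taken from the output above.

```python
import socket
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "Echo Reply", 3: "Dest Unreachable", 8: "Echo", 11: "Time Exceeded"}

def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ipv4(pkt):
    """Return (header fields named as rawsniff --full prints them, transport bytes)."""
    vihl, tos, tlen, ident, ff, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = vihl & 0x0F
    hdr = {
        "IPv": vihl >> 4, "Header Len": ihl, "ToS": tos, "Total Len": tlen, "ID": ident,
        "Evil": ff >> 15,                 # reserved flag bit (RFC 3514's "evil bit")
        "Don't Frag": (ff >> 14) & 1, "More Frags": (ff >> 13) & 1, "FragOffset": ff & 0x1FFF,
        "TTL": ttl, "Protocol": PROTO_NAMES.get(proto, str(proto)), "Checksum": csum,
        "Checksum OK": inet_checksum(pkt[:ihl * 4]) == 0,   # header sums to zero if intact
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
    }
    return hdr, pkt[ihl * 4:tlen]

def decode_icmp(msg):
    """ICMP header as in the --icmp --full output; its checksum covers the whole message."""
    typ, code, csum = struct.unpack("!BBH", msg[:4])
    return {"type": typ, "name": ICMP_TYPES.get(typ, "?"), "code": code,
            "chksum": csum, "Checksum OK": inet_checksum(msg) == 0}

def build_icmp_echo(src, dst, ident=23843, ttl=128, payload=b"abcdefghijklmnopqrstuvwabcdefghi"):
    """Constructed test input: a 60-byte echo request with the 32-byte payload ping sends."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, ttl, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp
```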