< PHP and PEAR/PECL on Windows XP Pro SP2 | Java & Friends  | Snort on Windows XP  Pro SP2 >


 

 

WinPcap on Windows XP Pro SP2

 

What do we have in this session?

  1. The WinPcap and Windows XP Pro SP2

  2. WinPcap Download and Installation

  3. Verifying WinPcap Installation

  4. Windows Network Monitor Capture Utility (Netcap)

  5. Barnyard: Alternative Snort Output System

 

 

 

 

 

The WinPcap and Windows XP Pro SP2

 

For Windows users installing Snort binaries the only requirements is WinPcap. Installing the base Snort system requires two components: the WinPcap packet capture library, and the Snort IDS program itself. In the following sections we configure and install both WinPcap and Snort.

WinPcap (Windows Packet Capture Library) is a packet-capture driver. Functionally, this means that WinPcap grabs packets from the network wire and pitches them to Snort. WinPcap is a Windows version of libpcap, which is used for running Snort with Linux. The WinPcap driver performs the following functions for Snort:

 

  1. Obtains a list of operational network adapters and retrieves information about the adapters.
  2. Sniffs packets using one of the adapters that you select.
  3. Saves packets to the hard drive or throw them to Snort.

 

WinPcap Download and Installation

 

The installation and configuration of WinPcap is very easy and require no intervention by you. Firstly, download the latest installation executable file from http://www.winpcap.org/install/. The current version is 4.1.1 and you may want to do the MD5 or SHA1 checksum.

 

The WinPcap binary file

 

Double-click the executable installation file and follow the instructions on the screen. WinPcap installs itself where it belongs.

 

Windows security warning when trying to run WinPcap binary

 

The WinPcap setup installer

 

The WinPcap setup wizard welcome page

 

The WinPcap License agreement

 

The WinPcap installation options

--------------------------------------------------------

 

 

 

 

 

 

 

 

 

------------------------------------------------------------------

Completing the WinPcap setup wizard

 

The installation applet will automatically detect the operating system and install the correct drivers. From the last screenshot, the WinPcap-based applications are now ready to work. To remove WinPcap from the system, go to the Control Panel, click on "Add/Remove programs" and then select "WinPcap" or launch the Uninstall wizard from the Start menu as shown in the following screenshot.

 

The WinPcap Windows start and short cut menu

 

Verifying WinPcap Installation

 

To verify whether WinPcap is currently running on my Win2K/XP/2k3 machine, click on the Start button and then on run. Type msinfo32 (or Start > All Programs > Accessories > System Tools > System Information menu) and the System Information panel should show up. Choose Software Environment, then System Drivers. The entry NPF should appear there. If you launched a WinPcap application previously, the state should be running. Remember that WinPcap should have been run at least one time in order to appear in this list.

 

WinPcap NPF and npfs system driver seen in Windows System information

 

Snort calls WinPcap directly on any of the functions to grab and analyze network packets. If the driver did not install properly, Snort does not function. Please refer to The WAN/PPP packet capture for capturing traffic on different network connection, mainly the dial-up line, USB and wireless.

 

Windows Network Monitor Capture Utility (Netcap)

 

It is advisable for you to install the Windows Network Monitor Capture Utility (Netcap). For Win XP Pro SP2, when we type Netcap at the Windows command prompt, the driver was installed automatically, then we can see the WAN (PPP/SLIP) interface which is normally invisible.

 

Windows Network Monitor Capture Utility (Netcap) help information

 

Windows Network Monitor Capture Utility (Netcap) - running snort to view the available interfaces

 

You may also find that WinDump tool will also be very useful. WinDump tool is the Windows version of the TcpDump found in any Linux/Unix system.

 

The windump (Windows tcpdump version) tool showing the available interfaces

 

Barnyard: Alternative Snort Output System

 

Barnyard is an output system for Snort. Snort creates a special binary output format called "unified". Barnyard reads this file, and then resends the data to a database back-end. Unlike the database output plugin, Barnyard manages the sending of events to the database and stores them when the database temporarily cannot accept connections. You can download Barnyard here or newer version here. However there are no binary for Windows system. So, forget it, it is just an optional for Snort and we think that Snort’s Unified should be good enough which supported by BASE (we will install BASE later on).

 

The SnortUnified output format

 

 

 

 

 

 

 


 

< PHP and PEAR/PECL on Windows XP Pro SP2 | Java & Friends  | Snort on Windows XP  Pro SP2 >