< PHP and PEAR/PECL on Windows XP Pro SP2 | Java & Friends  | Snort on Windows XP  Pro SP2 >



WinPcap on Windows XP Pro SP2


What do we have in this session?

  1. The WinPcap and Windows XP Pro SP2

  2. WinPcap Download and Installation

  3. Verifying WinPcap Installation

  4. Windows Network Monitor Capture Utility (Netcap)

  5. Barnyard: Alternative Snort Output System






The WinPcap and Windows XP Pro SP2


For Windows users installing Snort binaries the only requirements is WinPcap. Installing the base Snort system requires two components: the WinPcap packet capture library, and the Snort IDS program itself. In the following sections we configure and install both WinPcap and Snort.

WinPcap (Windows Packet Capture Library) is a packet-capture driver. Functionally, this means that WinPcap grabs packets from the network wire and pitches them to Snort. WinPcap is a Windows version of libpcap, which is used for running Snort with Linux. The WinPcap driver performs the following functions for Snort:


  1. Obtains a list of operational network adapters and retrieves information about the adapters.
  2. Sniffs packets using one of the adapters that you select.
  3. Saves packets to the hard drive or throw them to Snort.


WinPcap Download and Installation


The installation and configuration of WinPcap is very easy and require no intervention by you. Firstly, download the latest installation executable file from http://www.winpcap.org/install/. The current version is 4.1.1 and you may want to do the MD5 or SHA1 checksum.


The WinPcap binary file


Double-click the executable installation file and follow the instructions on the screen. WinPcap installs itself where it belongs.


Windows security warning when trying to run WinPcap binary


The WinPcap setup installer


The WinPcap setup wizard welcome page


The WinPcap License agreement


The WinPcap installation options












Completing the WinPcap setup wizard


The installation applet will automatically detect the operating system and install the correct drivers. From the last screenshot, the WinPcap-based applications are now ready to work. To remove WinPcap from the system, go to the Control Panel, click on "Add/Remove programs" and then select "WinPcap" or launch the Uninstall wizard from the Start menu as shown in the following screenshot.


The WinPcap Windows start and short cut menu


Verifying WinPcap Installation


To verify whether WinPcap is currently running on my Win2K/XP/2k3 machine, click on the Start button and then on run. Type msinfo32 (or Start > All Programs > Accessories > System Tools > System Information menu) and the System Information panel should show up. Choose Software Environment, then System Drivers. The entry NPF should appear there. If you launched a WinPcap application previously, the state should be running. Remember that WinPcap should have been run at least one time in order to appear in this list.


WinPcap NPF and npfs system driver seen in Windows System information


Snort calls WinPcap directly on any of the functions to grab and analyze network packets. If the driver did not install properly, Snort does not function. Please refer to The WAN/PPP packet capture for capturing traffic on different network connection, mainly the dial-up line, USB and wireless.


Windows Network Monitor Capture Utility (Netcap)


It is advisable for you to install the Windows Network Monitor Capture Utility (Netcap). For Win XP Pro SP2, when we type Netcap at the Windows command prompt, the driver was installed automatically, then we can see the WAN (PPP/SLIP) interface which is normally invisible.


Windows Network Monitor Capture Utility (Netcap) help information


Windows Network Monitor Capture Utility (Netcap) - running snort to view the available interfaces


You may also find that WinDump tool will also be very useful. WinDump tool is the Windows version of the TcpDump found in any Linux/Unix system.


The windump (Windows tcpdump version) tool showing the available interfaces


Barnyard: Alternative Snort Output System


Barnyard is an output system for Snort. Snort creates a special binary output format called "unified". Barnyard reads this file, and then resends the data to a database back-end. Unlike the database output plugin, Barnyard manages the sending of events to the database and stores them when the database temporarily cannot accept connections. You can download Barnyard here or newer version here. However there are no binary for Windows system. So, forget it, it is just an optional for Snort and we think that Snort’s Unified should be good enough which supported by BASE (we will install BASE later on).


The SnortUnified output format









< PHP and PEAR/PECL on Windows XP Pro SP2 | Java & Friends  | Snort on Windows XP  Pro SP2 >