Problem solve Get help with specific problems with your technologies, process and projects.

Freeware captures raw sockets and TCP/IP packets

SmartSniff allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as sequence of conversations between clients and servers.

Packet sniffers are among a network administrator's best friends -- they can help pinpoint whether a problem exists with a client, a server, or somewhere in between. Nir Sofer, author of many other excellent utilities I've covered in the past, has now written a sniffer of his own: SmartSniff.

SmartSniff can work in one of two ways. It can capture packets with Windows's native raw sockets capture system, although this only works on Windows 2000 or better, and has some limitations: you cannot capture outgoing UDP and ICMP packets, and Windows XP Service Pack 1 does not support capture at all. Another way to capture is with the WinPcap driver, a free / open-source packet-capture driver that works on Windows 98 and up and lets you capture everything.

Each separate ICMP, TCP or UDP connection is broken out individually and referred to as a stream. Multiple conversations on the same connection are aggregated into the same stream. The program's top panel lists all of the streams captured by the application, and shows just about every important piece of information you could need: local and remote address, hosts and ports; service type; number of packets exchanged, total data size and capture time. Click on one of the conversations and the data in that conversation is displayed in the bottom panel. Data sent from your machine is in blue, while data sent to your machine is in purple.

Note that remote host name lookups are only resolved after you stop recording (so that traffic doesn't get logged as well), and that only 7-bit ASCII data is presented by default. If you select Options | "Display Characters Above ASCII 127", you'll see all the characters, but the color-coding on the display will vanish and the data might not be as coherent.

One of the things I've liked about Mr. Sofer's applications is how they have a high degree of consistency in their presentation. If you double-click on one of the conversations, for instance, you get an expanded infobox that's the same as one he's written for other tools. The whole record buffer can be saved in both a native data format and to an HTML report, and both the display results and capture actions can have filters applied to them so you only record what you need to see.

About the Author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators.

More information from

This tip originally appeared on

This was last published in June 2006

Dig Deeper on Network Security Best Practices and Products