PortPeeker is a freeware utility for capturing network traffic for the TCP, UDP
or ICMP protocols (see the Note below about ICMP traffic). With PortPeeker
you can see what traffic is being sent to a given port, easily and quickly.

Before we go any further, a disclaimer to fend off any legal hyenas out
there. PortPeeker is written in Borland's Delphi language, a Pascal derivative,
which implies that it is not as vulnerable to attacks like buffer overflows as
applications written in C/C++, since Delphi strings are dynamically allocated
on the heap and not on the stack as in C/C++. But we have written PortPeeker to
be freeware, and as such we cannot and will not guarantee or make any warranties
concerning PortPeeker, its usage or this documentation. Please feel free
to use PortPeeker, and hopefully you find it to be a solid and helpful tool, but
remember you are using it at your own risk. The samples given on this page
are meant as examples of usage and of the types of information you can retrieve
using PortPeeker, but we advise you to carefully consider security issues when
listening to network traffic so that you don't inadvertently or unknowingly expose
your system or network to harmful traffic or events. In short, we hope you
like PortPeeker and find it to be a useful and informative tool, but if you
toast yourself while using it, 'gosh that's too bad'.
Now to the fun stuff.
PortPeeker is a single standalone exe that should work on Windows 95, 98,
98SE, ME, NT, 2000, XP and 2003 and can be placed anywhere on the system. We
recommend creating a desktop shortcut to PortPeeker so it's quick and easy to
find and use.
NOTE: on Windows NT, 2000 and XP you will not by default be able to listen to
ICMP traffic. Windows NT and Win2000 have a security check in place that
inhibits the use of ICMP. The workaround for NT is to disable the security
check on RAW sockets by creating the following registry value and setting it
to DWORD 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Afd\Parameters\DisableRawSecurity
Once you have started PortPeeker you have to configure which protocol and port
to listen on (or just the ICMP protocol, as it doesn't use 'ports').
You can also configure which types of traffic events PortPeeker
records. For example, if we want to listen for TCP port 80 traffic (HTTP), we
would configure PortPeeker to listen on TCP 80.

NOTE: you can have PortPeeker send an 'On Connection' and/or 'On Data In'
response string, or echo back the data sent. In this case we added an HTTP
response that appears in the user's browser as:

After pressing OK, PortPeeker will start listening on the designated
port (provided some other application isn't already using this port; if one
is, PortPeeker will report an error). PortPeeker can do a number of things
with the captured inbound traffic, including searches.
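The listen / record / respond cycle described above, written out as an added example in Python (this is not PortPeeker's own code, which is Delphi): a small TCP listener that logs each 'connect', 'data' and 'close' event with a timestamp and peer address, answers with a configurable 'On Connection' or 'On Data In' string or echoes the client's data back, fails on bind when another program already holds the port, and lets you search the captured payloads. The HTTP_REPLY text, the class and method names, the idle timeout and the use of port 8080 in the demo are all assumptions of this example.

```python
# Added example (not PortPeeker's own code): a PortPeeker-style TCP listener that
# logs connect / data-in / close events and answers with a fixed string or an echo.
import socket
import threading
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
HTTP_REPLY = (  # constructed 'On Data In' reply, standing in for the one described above
    b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n"
    b"This connection has been logged.\r\n")


@dataclass
class CaptureEvent:
    kind: str             # "connect", "data" or "close"
    peer: str             # remote "ip:port"
    payload: bytes = b""
    when: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

    def hexdump(self) -> str:
        """Hex plus printable-ASCII view of the payload, 16 bytes per row."""
        rows = []
        for off in range(0, len(self.payload), 16):
            chunk = self.payload[off:off + 16]
            hexpart = " ".join(f"{b:02x}" for b in chunk)
            asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
            rows.append(f"{off:04x}  {hexpart:<47}  {asc}")
        return "\n".join(rows)


class Peeker:
    def __init__(self, on_connect: bytes = b"", on_data: bytes = b"", echo: bool = False):
        self.on_connect = on_connect   # reply sent as soon as a client connects
        self.on_data = on_data         # reply sent after each chunk the client sends
        self.echo = echo               # echo the client's data back instead of on_data
        self.events: list[CaptureEvent] = []   # list.append is atomic under CPython's GIL

    def _record(self, kind: str, peer: str, payload: bytes = b"") -> None:
        self.events.append(CaptureEvent(kind, peer, payload))

    # The three hooks hold all capture/response logic; replay() drives them from
    # constructed data, serve() from real sockets.
    def on_open(self, peer: str) -> bytes:
        self._record("connect", peer)
        return self.on_connect

    def on_data_in(self, peer: str, chunk: bytes) -> bytes:
        self._record("data", peer, chunk)
        return chunk if self.echo else self.on_data

    def on_close(self, peer: str) -> None:
        self._record("close", peer)

    def replay(self, peer: str, chunks: list[bytes]) -> list[bytes]:
        """Run one session over constructed data; returns the replies it would send."""
        replies = [self.on_open(peer)] + [self.on_data_in(peer, c) for c in chunks]
        self.on_close(peer)
        return [r for r in replies if r]

    def search(self, needle: bytes) -> list[CaptureEvent]:
        """Case-insensitive search of captured data payloads."""
        needle = needle.lower()
        return [e for e in self.events if e.kind == "data" and needle in e.payload.lower()]

    def serve(self, port: int, host: str = "127.0.0.1", sessions: int = 1, idle: float = 5.0) -> None:
        """Listen on host:port; bind() raises OSError if another program already holds the port."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((host, port))
            srv.listen()
            for _ in range(sessions):
                conn, addr = srv.accept()
                with conn:
                    conn.settimeout(idle)   # give up on a client that connects but never sends
                    peer = f"{addr[0]}:{addr[1]}"
                    if reply := self.on_open(peer):
                        conn.sendall(reply)
                    while True:
                        try:
                            chunk = conn.recv(4096)
                        except socket.timeout:
                            break
                        if not chunk:
                            break
                        if reply := self.on_data_in(peer, chunk):
                            conn.sendall(reply)
                    self.on_close(peer)


if __name__ == "__main__":
    # Loopback demo: listen on TCP 8080 (unprivileged stand-in for 80), send one constructed GET.
    peeker = Peeker(on_data=HTTP_REPLY)
    server = threading.Thread(target=peeker.serve, args=(8080,), daemon=True)
    server.start()
    time.sleep(0.2)
    with socket.create_connection(("127.0.0.1", 8080)) as client:
        client.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
        print(client.recv(4096).decode(errors="replace"))
    server.join(timeout=5)
    for ev in peeker.events:
        print(f"{ev.when} {ev.kind} {ev.peer}\n{ev.hexdump()}".rstrip())
```

Run as a script it listens only on loopback and talks to itself; to use it the way the page uses PortPeeker you would bind the real port on the interface facing the traffic and raise the session count. The idle timeout is there because a client that connects and then goes quiet would otherwise hold the single listener forever, which is the main way a quick honeypot like this stops recording without telling you.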

PortPeeker can also perform WhoIs lookups. For example,
you can highlight an IP address in the capture and select WhoIs from the
pop-up menu, and PortPeeker will look up who owns the IP address or hostname.

For a case study done with PortPeeker investigating inbound UDP Port 137
traffic, please see 'A Day and a Night with PortPeeker and UDP Port 137',
which we posted on DSLReports.
Hopefully this brief introduction to PortPeeker answers any questions you
might have and helps you understand how to use PortPeeker. We often
use it as a quick and dirty honeypot to capture suspicious traffic events for
analysis, in parallel with our firewall logging tools (Link Logger and SonicLogger
(for SonicWall firewalls)).
* Please use the mirrors as I don't have a lot of bandwidth to spare on my site *
Some sample captures. PLEASE NOTE that displaying these samples could
cause your IDS (if you're using one) to report a false positive; if so, please do not
email a notification to our ISP.
Please send any captures you think should be added to the list.
While PortPeeker is not an officially supported product, if you have any
suggestions or find any bugs please send them to PortPeeker@LinkLogger.com