Porting tcpdump on Windows

Porting tcpdump to Windows

1. Introduction

WinDump is the porting to the Windows platform of TCPDump. WinDump is fully compatible with tcpdump but introduces some extensions to work better in the Win32 environments. The WinDump.exe executable file is linked with libpcap for Win32, therefore can run both under Windows 95/98 and under Windows NT/2000. To run WinDump, the correct version of the BPF packet capture driver and of the PACKET.DLL library must be installed in the system.

2. Manual

Since the differences from WinDump and tcpdump are very few, we provide the HTML version of the manpage of tcpdump, modified to include our additions.

3. Differences between WinDump and tcpdump

Our WinDump project tries to make a clean and complete porting of tcpdump, therefore the use of the two programs is nearly identical. All functions offered by tcpdump are implemented in WinDump, so every operation that can be done by tcpdump can be done in Windows as well, using WinDump. In addition, WinDump offers some characteristics that are not present in tcpdump:

It is possible to obtain, with the ‘–D’ switch, the list of the network interfaces present in the system and a short description of them. This option was added because the names that Windows gives to the interfaces (i.e. the names of the files associated with the device drivers that manage the adapters) are different from the names used in UNIX. These names are not very easy to obtain in Windows, so a flag that lists them is very handy, particularly if the machine has more than one network adapter. Since in Windows NT and Windows 2000 the name of an adapter can be quite long to type, it is possible also indicate it with its number.
It is possible to change directly from WinDump the dimension of the circular buffer used by the NDIS packet capture driver to store the packets coming from an interface. This operation can be done through the ‘-B’ switch. The variable-dimension driver's buffer is a feature of NDIS packet capture driver that is not present in BPF, and therefore tcpdump for UNIX does not have this switch. As we say in the documentation of the driver and of the PACKET.DLL API, the size of the driver’s buffer influences deeply the capture performances and is a very important parameter of the capture process. A big buffer can allow good captures also on slow machines or on fast networks.

4. Some words on the porting

The problems encountered during the porting of WinDump are more or less the same that we had during the porting of the libpcap library. We had to import some include files from BSD, and we put them in the Win32-Include directory. Moreover, we wrote some Windows specific code to handle things like Winsock and the Windows NTx UNICODE format. This code is in the file Win32-Src\w32_fzs.c. Finally we had to modify tcpdump.c, the file containing the main() function, to add the new switches of the command line.

However, the porting of tcpdump was easier than the porting of the pcap library. In fact tcpdump, using the functions exported by libpcap, does not interact directly with the system and with the network adapter. This makes it quite easy to port.

We isolated all our changes to the original sources through the use of #ifdef and #ifndef like in the following example

#ifdef WIN32

/* source code for Windows */

#endif

Therefore the code of WinDump is compatible with the code of tcpdump and can be compiled under UNIX generating the normal tcpdump executable.