Passive Sniffing on Windows

With Linux you can configure a sniff-only interface relatively easily: put it in promiscuous mode without an IP address and sniff away passively. With Windows, there is almost always an IP address assigned to an interface. If one is not statically assigned, the interface will look for a DHCP server and, if no address information is found, will end up with an automatic (APIPA) address in the 169.254 range. Either way, traffic from your own machine will show up in a full, unfiltered packet capture.
To get around this you actually want to disable the TCP/IP stack for that interface. Be aware that if this is your only interface, network connectivity will stop.
Go to the connection properties for the specific interface you would like to capture with. Under the General tab, simply uncheck the “Internet Protocol (TCP/IP)” box. Click OK and you should be ready to roll. This is illustrated below:

Fire up Wireshark and begin a capture. In the interface selection box you will see that the interface has no IP address listed but is still seeing packets. Connect this interface to a monitoring (SPAN/mirror) port on a switch to monitor a specific connection.

As mentioned earlier, this setup lets you sniff packets without picking up any that would have been generated by your own machine. It works great for Wireshark, ntop, and any of your other favorite monitoring applications.
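The same result can be scripted instead of clicked through. The following is an added example, not code from the original post: it unbinds the IP stack from a chosen adapter with the NetAdapter cmdlets and then checks two things the post relies on, that the adapter holds no address (so no DHCP or 169.254 traffic) and that no frames sourced from its MAC appear in a short capture. It goes a little beyond the single checkbox in the post by also unbinding IPv6 and the Microsoft client/server and LLTD bindings, since on a modern Windows release those can still announce the host even with IPv4 gone. Assumptions: Windows 8 / Server 2012 or later, an elevated PowerShell session, Wireshark's tshark.exe on PATH, and the placeholder adapter name "Ethernet 2", which you replace with the output of Get-NetAdapter.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): turn a Windows adapter into a
# passive, sniff-only interface by unbinding the IP stack, then verify that
# it has no address and that it emits no frames of its own.
# "Ethernet 2" is a placeholder; pick your capture NIC from Get-NetAdapter.

param(
    [string]$Adapter = 'Ethernet 2'
)

# Bindings to drop. ms_tcpip is the GUI checkbox from the post; the rest go
# beyond it: IPv6, Client for Microsoft Networks, File and Printer Sharing,
# and the Link-Layer Topology Discovery driver/responder.
$script:Bindings = 'ms_tcpip', 'ms_tcpip6', 'ms_msclient', 'ms_server', 'ms_lltdio', 'ms_rspndr'

function Set-SniffOnlyAdapter {
    param([Parameter(Mandatory)][string]$Name)

    foreach ($c in $script:Bindings) {
        Disable-NetAdapterBinding -Name $Name -ComponentID $c -ErrorAction SilentlyContinue
    }

    # Show whatever is still bound so you can see exactly what remains enabled.
    Get-NetAdapterBinding -Name $Name | Where-Object Enabled |
        Select-Object Name, DisplayName, ComponentID
}

function Test-SniffOnlyAdapter {
    param([Parameter(Mandatory)][string]$Name, [int]$Seconds = 30)

    # 1. No IPv4/IPv6 address may be present (no DHCP lease, no 169.254.x.x APIPA).
    $addrs = Get-NetIPAddress -InterfaceAlias $Name -ErrorAction SilentlyContinue
    if ($addrs) {
        Write-Warning "Adapter '$Name' still has addresses: $($addrs.IPAddress -join ', ')"
        return $false
    }

    # 2. Capture for a while, filtering on our own MAC as the source. Any hit
    #    means the host is still transmitting on the supposedly passive port.
    #    Get-NetAdapter reports the MAC as AA-BB-CC-..; BPF wants colons.
    $mac = (Get-NetAdapter -Name $Name).MacAddress -replace '-', ':'
    $out = & tshark.exe -i $Name -a "duration:$Seconds" -f "ether src $mac" 2>$null
    $sent = @($out).Count
    if ($sent -gt 0) {
        Write-Warning "$sent frame(s) sourced from $mac seen during ${Seconds}s capture"
        return $false
    }

    Write-Host "OK: '$Name' has no IP address and sent nothing in ${Seconds}s"
    return $true
}

function Restore-Adapter {
    param([Parameter(Mandatory)][string]$Name)
    # Undo: re-enable the bindings so the NIC can be used for normal networking again.
    foreach ($c in $script:Bindings) {
        Enable-NetAdapterBinding -Name $Name -ComponentID $c -ErrorAction SilentlyContinue
    }
}

Set-SniffOnlyAdapter -Name $Adapter
Test-SniffOnlyAdapter -Name $Adapter -Seconds 30
```

Run it once from an elevated prompt after plugging the adapter into the switch's monitor port; if the test reports frames from your own MAC, look at the remaining entries printed by Set-SniffOnlyAdapter for another binding that is still talking. Restore-Adapter puts the interface back when you are done.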

This entry was posted in Networking, Security.
