Wireshark – The NPF driver isn’t running

When starting Wireshark on a new Windows 7 box, I got the error:
"The NPF driver isn't running. You may have trouble capturing or listing interfaces"

This error refers to WinPcap, which provides the NPF (NetGroup Packet Filter) driver.

To check whether the NetGroup Packet Filter driver is installed, open the Computer Management console:

  1. Start | compmgmt.msc | OK
  2. System Tools > Device Manager
  3. Menu: View | Show Hidden Devices
  4. System Tools > Device Manager > Non-Plug and Play Drivers | NetGroup Packet Filter Driver


If it is not listed, download and install WinPcap.

If it is listed, bring up a command prompt (as administrator) and query the driver's service configuration:

C:\Windows\system32>sc qc npf

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
 TYPE : 1 KERNEL_DRIVER
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : system32\drivers\npf.sys
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : NetGroup Packet Filter Driver
 DEPENDENCIES :
 SERVICE_START_NAME :

All that was needed was to start it:

C:\Windows\system32>sc start npf

and then set it to start automatically:

C:\Windows\system32>sc config npf start= auto
[SC] ChangeServiceConfig SUCCESS
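As an added example (not the original author's code), a small Python script that parses `sc qc` output like the listing above and works out which of the two fixes still apply. The `sc qc npf` listing is the one from this post; the second sample, an `sc` error for a driver that is not installed, is constructed for illustration, and the running/stopped state is passed in because `sc qc` does not report it.

```python
"""Parse `sc qc <service>` output and decide which of the post's two fixes
(start the driver, make it auto-start) are still needed.
Added example, not the original author's code."""
import re

# The `sc qc npf` listing from the post, embedded so this runs offline.
# Raw string: the path contains "\n" and "\d", which must stay literal.
SC_QC_NPF = r"""[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
 TYPE : 1 KERNEL_DRIVER
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : system32\drivers\npf.sys
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : NetGroup Packet Filter Driver
 DEPENDENCIES :
 SERVICE_START_NAME :
"""

# Constructed sample of what `sc qc` prints when the driver is not installed.
SC_QC_MISSING = ("[SC] OpenService FAILED 1060:\n\n"
                 "The specified service does not exist as an installed service.\n")

# One "KEY : VALUE" line; the first line "[SC] ..." does not match.
FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")

def parse_sc_qc(text):
    """Return the KEY : VALUE fields as a dict; {} if the query failed."""
    cfg = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def start_type_code(cfg):
    """Numeric START_TYPE (2 = AUTO_START, 3 = DEMAND_START), or None."""
    m = re.match(r"(\d+)", cfg.get("START_TYPE", ""))
    return int(m.group(1)) if m else None

def plan_fix(cfg, running):
    """sc commands still needed; `running` is the state from `sc query <name>`."""
    name = cfg.get("SERVICE_NAME")
    if name is None:
        raise LookupError("driver service not present: install WinPcap")
    cmds = []
    if not running:
        cmds.append(f"sc start {name}")
    if start_type_code(cfg) != 2:
        cmds.append(f"sc config {name} start= auto")
    return cmds
```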

Zabbix Netstat

I needed to get netstat data back from the Linux clients.

To achieve this, I added this line to the agent configuration file:

UserParameter=netstat.stat[*],(netstat -$1|grep -i $2|wc -l)

and then restarted the agent.

Then I just added item keys like the following to the respective template:
netstat.stat[ntp,active]


which can then be put into a graph.

So by using the above key parameters, I can run any netstat option set and filter on the result. In theory it should work on Windows too.

Using Wireshark to trace packets

Recently I have been using Wireshark to determine network activity when using multicasting; it has proved invaluable in helping to track down some application features.

Wireshark is a great free tool available from http://www.wireshark.org/


Use Wireshark to sniff the network (download it from the link above).

To start a trace:

  1. Define a filter (see the examples below).
  2. Menu: Capture | Interfaces. Select the interfaces you wish to trace.
  3. Press Start.

The filter is all powerful, change it to do what you need!

Examples

Trace UDP traffic only for defined ports

Here, we want to trace all UDP traffic on ports 7980 and 6980,
so the filter will be "udp.port==7980 or udp.port==6980"

Show all traffic originating from a given IP and being sent to another IP

Set the filter to ip.dst==xxx.xxx.xxx.xxx&&ip.src==xxx.xxx.xxx.xxx

Example


E.g. ip.dst==230.6.8.1&&ip.src==172.27.98.15, i.e. I used this example to show all traffic sent from my source machine (.15) to the multicast group address (230.6.8.1).