This is a free version of a network protocol analyzer for Windows written in C++.
This tool allows examination of data from a live network, or from a captured file.
The first version of AnNet for Windows was released at the end of 2001.
It relies on WinPcap.
Commercial versions of this software were used for decoding protocols employed in telecommunication equipment.
This version has been stripped of proprietary applications; it is therefore light and may be used freely.
Captured packets are decoded down to the lowest layer with full analysis of the Ethernet and IP protocols including IPv4, TCP, UDP, ICMP, ARP, BOOTP, DHCP, SUNRPC, TFTP.
It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file (in native capture file format).
In addition, AnNet can read capture files from snoop, and can export to and read from the NAI Sniffer (.enc) format.
A flexible system of filters lets you drop packets you do not need, or capture only those packets you wish to analyse. The packets can be saved in files for future analysis.
AnNet implements a client-server architecture. The snifferc client, which provides a graphical user interface, may be located on the same computer as the server (snifferd) or on a different one. Communication between client and server is performed over TCP connections. For this reason, if the client and server components are located on different workstations, the network interface used for sniffing shouldn't be used for communication with the client. In this case, the server computer should be equipped with two network interfaces.
The Win32 programming platform provides no direct support for low-level network access. Applications requiring such access must use a custom device driver. The packet capture driver serves as an interface between the underlying Network Interface Controllers (NICs) and the overlying Win32 application. The architecture adopted for this arrangement is illustrated below:
Microsoft networking protocols use the Network Driver Interface Specification (NDIS) to communicate with network card drivers. Much of the Open Systems Interconnection (OSI) model link layer functionality is implemented in the protocol stack. NDIS provides a fully abstracted interface for network adapter-driver development and provides a pair of abstraction layers that are used to connect network drivers to an overlying protocol stack, such as Transmission Control Protocol/Internet Protocol (TCP/IP). The packet driver uses the functionality of an NDIS protocol driver on Windows NT/2000/XP. Upon installation, it binds to all real or virtual network adapters. It creates a named device object for each adapter it binds to, so that it can be opened by a 32-bit Windows application through a symbolic link. At the lower edge, the packet driver uses the NDIS interface to communicate with the NIC driver. The snifferd service uses the services provided by Packet.dll to interact with the driver.
WinPcap is a packet capture library that exports a set of functions that are libpcap compatible. Libpcap is a network capture library developed by the Network Research Group (NRG) of the Information and Computing Sciences Division (ICSD) at Lawrence Berkeley National Laboratory (LBNL) in Berkeley, California.
Filters are defined using a simple filter definition language. Each filter can be used by both the snifferd and snifferc components: snifferd executes the filter while capturing packets, whereas the snifferc application can apply a filter to the buffer of captured packets, including a buffer imported from a .pkd file.
A filter consists of a set of rules.
Examples of capture filters
Capture all packets:
Capture all Ethernet packets that don’t include IP packets that contain UDP or TCP nested packets:
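The filter text for these examples is not shown on this page. As an added illustration (not AnNet code and not its filter definition language), the second rule can be written as a C predicate over a raw Ethernet frame; the function names, constants and sample frames below are constructed for this example, and keeping truncated IPv4 frames is a choice made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ETH_HDR = 14, IP_MIN_HDR = 20, ETYPE_IPV4 = 0x0800, ETYPE_ARP = 0x0806,
       PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

/* 1 = keep the frame, 0 = drop it.
   Rule: keep every Ethernet frame except IPv4 carrying TCP or UDP. */
int keep_frame(const uint8_t *f, size_t len)
{
    if (len < ETH_HDR)
        return 0;                        /* not even a full Ethernet header */
    unsigned ethertype = ((unsigned)f[12] << 8) | f[13];
    if (ethertype != ETYPE_IPV4)
        return 1;                        /* ARP and other non-IP frames pass */
    if (len < ETH_HDR + IP_MIN_HDR || (f[ETH_HDR] >> 4) != 4)
        return 1;                        /* truncated or malformed IP: keep for inspection */
    uint8_t proto = f[ETH_HDR + 9];      /* IPv4 Protocol field, present in every fragment */
    return !(proto == PROTO_TCP || proto == PROTO_UDP);
}

/* Builds a constructed 34-byte test frame: zeroed addresses, given EtherType
   and IP protocol number (the payload bytes are not a real ARP/IP packet). */
size_t make_frame(uint8_t *buf, unsigned ethertype, uint8_t proto)
{
    memset(buf, 0, ETH_HDR + IP_MIN_HDR);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    buf[ETH_HDR] = 0x45;                 /* version 4, header length 5 words */
    buf[ETH_HDR + 9] = proto;
    return ETH_HDR + IP_MIN_HDR;
}

int main(void)
{
    uint8_t buf[64];
    struct { const char *name; unsigned etype; uint8_t proto; } cases[] = {
        { "ARP", ETYPE_ARP, 0 },               { "IPv4/ICMP", ETYPE_IPV4, PROTO_ICMP },
        { "IPv4/TCP", ETYPE_IPV4, PROTO_TCP }, { "IPv4/UDP", ETYPE_IPV4, PROTO_UDP },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = make_frame(buf, cases[i].etype, cases[i].proto);
        printf("%-10s %s\n", cases[i].name, keep_frame(buf, n) ? "keep" : "drop");
    }
    return 0;
}
```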