Port Peeker Description

PortPeeker is a tool that I use, and Blake has a new version that he wanted to let people try. It's a beta version of freeware, so while I trust Blake's coding, understand that it isn't complete. Blake uses it himself to capture traffic on his honeypots, so it must be pretty close to done or he wouldn't be distributing it.

If you own a Zyxel, SonicWall, Linksys, or Netgear router you owe it to yourself to try his logging software. I've included one screenshot of his logging software on this page. Looking at router logs to see what's happening in your corner of the internet is very difficult with raw logs. In 5 minutes a day I can see and understand the effects of new worms and script kiddies. It was one of the best investments in internet security software that I made.

I'll try it out as soon as I'm done with this page and post my thoughts on it. Until then, this is Blake's description of his product. Download here or at the bottom of the page.

PortPeeker is a freeware utility for capturing network traffic for TCP, UDP or ICMP protocols (see Note below about ICMP traffic).  With Port Peeker you can see what traffic is being sent to a given port, easily and quickly.

Before we go any further, a disclaimer to fend off any legal hyenas out there.  PortPeeker is written in Borland's Delphi language, which is a Pascal derivative and implies that it is not as vulnerable to attacks like buffer overflows as, say, applications written in C/C++, as Delphi strings are dynamically allocated on the heap and not on the stack like C/C++, but we have written PortPeeker to be freeware and as such we cannot and/or will not guarantee or make any warranties concerning PortPeeker, its usage or this documentation.  Please feel free to use PortPeeker and hopefully you find it to be a solid and helpful tool, but remember you are using it at your own risk.  The samples given on this page are meant as examples of usage and types of information which you can retrieve using PortPeeker, but we advise you to carefully consider security issues when listening to network traffic so that you don't inadvertently or unknowingly expose your system or network to harmful traffic or events.  In short, we hope you like PortPeeker and find it to be a useful and informative tool, but if you toast yourself while using it, 'gosh that's too bad'.

Now to the fun stuff.

PortPeeker is a single standalone exe that should work on Windows 95, 98, 98SE, ME, NT, 2000, XP and 2003 and can be placed anywhere on the system.  We recommend creating a desktop shortcut to PortPeeker so it's quick and easy to find and use.

NOTE: on Windows NT, 2000, and XP you will not by default be able to listen to ICMP traffic.  Windows NT and Win2000 have security in place that inhibits the use of ICMP.  The workaround for NT is to disable the security check on RAW sockets by creating the following registry value and setting it to DWORD 1: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Afd\Parameters\DisableRawSecurity

Once you have started PortPeeker you have to configure it as to what protocol and port (or just ICMP protocol as it doesn't use 'ports') to listen on.  You can also configure PortPeeker as to what type of traffic events to record.  For example if we want to listen for TCP port 80 traffic (http), we would configure PortPeeker to listen on TCP 80.

PortPeeker setup to capture and reply to TCP port 80 Traffic

NOTE you can have PortPeeker send an 'On Connection' and/or 'On Data In' response string.  In this case we added a http response that appears in the user's browser as:


After pressing OK PortPeeker will start listening on the designated port (given that some other application isn't already using this port, if so PortPeeker will report an error).  PortPeeker can do a number of things with the captured inbound traffic including searches.
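To make the listen-and-respond behaviour described above concrete, here is an added example in Python; it is not PortPeeker's code (PortPeeker is Delphi) and it covers TCP only, not UDP or ICMP. It binds one port, records every connect / data-in / close event with a timestamp and peer address, optionally sends an 'On Connection' banner and an 'On Data In' reply, and supports a case-insensitive search over the captured payloads. The HTTP reply string, the request, and the loopback client are all constructed for the demo; the `PeekListener`, `simulate_client` and `run_demo` names are this example's own.

```python
import datetime
import socket
import threading


class PeekListener:
    """Bind one TCP port, record every inbound event and optionally answer.

    on_connection: bytes sent as soon as a client connects ('On Connection').
    on_data_in:    bytes sent after each chunk received ('On Data In').
    port=0 lets the OS pick a free port so the demo never collides with a
    port another application already uses.
    """

    def __init__(self, port=0, on_connection=b"", on_data_in=b"", host="127.0.0.1"):
        self.on_connection = on_connection
        self.on_data_in = on_data_in
        self.events = []                      # (utc time, peer, kind, payload)
        self._lock = threading.Lock()
        self._handlers = []
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))         # raises here if the port is taken
        self._sock.listen(5)
        self._sock.settimeout(0.2)            # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        for h in self._handlers:              # wait so every event is recorded
            h.join()

    def _record(self, peer, kind, payload=b""):
        with self._lock:
            now = datetime.datetime.now(datetime.timezone.utc)
            self.events.append((now, peer, kind, payload))

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            h = threading.Thread(target=self._handle, args=(conn, peer), daemon=True)
            self._handlers.append(h)
            h.start()
        self._sock.close()

    def _handle(self, conn, peer):
        with conn:
            self._record(peer, "connect")
            if self.on_connection:
                conn.sendall(self.on_connection)
            conn.settimeout(2.0)              # idle peers are logged and dropped
            try:
                while True:
                    data = conn.recv(4096)
                    if not data:              # peer finished sending
                        break
                    self._record(peer, "data_in", data)
                    if self.on_data_in:
                        conn.sendall(self.on_data_in)
            except socket.timeout:
                self._record(peer, "timeout")
            self._record(peer, "close")

    def search(self, needle):
        """Captured data_in events whose payload contains needle (case-insensitive)."""
        n = needle.lower()
        return [e for e in self.events if e[2] == "data_in" and n in e[3].lower()]

    def log_lines(self):
        """One line per event, the way a log viewer would show the capture."""
        return ["%s %s:%d %s %d bytes %r" % (t.isoformat(timespec="seconds"),
                                             p[0], p[1], k, len(d), d[:40])
                for t, p, k, d in self.events]


# Constructed 'On Data In' reply (not the string from the page's screenshot).
HTTP_REPLY = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
              b"Content-Length: 22\r\n\r\nPortPeeker says hello\n")


def simulate_client(port, payload):
    """Play the remote host: connect over loopback, send payload, return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)            # done sending; read until the listener closes
        chunks = []
        while True:
            d = c.recv(4096)
            if not d:
                break
            chunks.append(d)
    return b"".join(chunks)


def run_demo(request=b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"):
    """Start a listener, push one constructed request through it, return (listener, reply)."""
    listener = PeekListener(on_data_in=HTTP_REPLY)
    listener.start()
    try:
        reply = simulate_client(listener.port, request)
    finally:
        listener.stop()
    return listener, reply


if __name__ == "__main__":
    lst, rep = run_demo()
    print("\n".join(lst.log_lines()))
    print("client received:", rep)
```

The reply is only ever sent in response to something the peer sent, and the listener never initiates connections, which is what keeps this kind of capture on the passive side of a honeypot; the `search` method is the equivalent of scanning the capture for a string such as a known worm's request.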

Tracking malicious uploads on myDoom port.


PortPeeker can also perform WhoIs searches.  For example you can highlight an IP address from the capture and select WhoIs from the pop up menu and PortPeeker can lookup who owns the IP address or hostname.


For a case study done with PortPeeker investigating inbound UDP Port 137 traffic please see 'A Day and a Night with PortPeeker and UDP Port 137' that we posted on DSLReports.

Hopefully this brief introduction to PortPeeker answers any questions you might have and helps you understand how to use PortPeeker.  We often use it as a quick and dirty honeypot to capture suspicious traffic events for analysis in parallel with our firewall logging tools (Link Logger and SonicLogger (for SonicWall firewalls)).


Download PortPeeker final