PacketVB V2

PacketVB is a utility program that allows you to intercept and display the Ethernet packets transiting your network. It can display IP (Internet Protocol), ARP (Address Resolution Protocol), and ICMP (Internet Control Message Protocol) packets. The program utilizes the Windows Packet Filter Kit from NT Kernel Resources. This high-performance packet filtering framework hooks the NDIS (Network Driver Interface Specification) driver in your Windows operating system. This version of PacketVB is designed to work with version 3.2.3 of NDISRD. This version of WinpkFilter loads on all versions of Windows (including 64-bit systems), and requires a helper library (NDISApi.dll) of the same version. The library file can be copied into the application directory, or into the "System32" directory ("SysWow64" on 64-bit systems). Placing it in System32 makes it available to all programs; a copy in the application directory takes precedence over the one in System32. This version of WinpkFilter also supports IPv6, as does PacketVB.

PacketVB has the ability to operate the NIC (Network Interface Card) in promiscuous mode. If your network is using a hub (rather than a switch), you can capture and examine packets from all computers on the network by unchecking the "Filter On" option. You can also restrict the display to IP packets by checking the "IP Only" option.

PacketVB is written in VB6, and is being made available in ZIP format. Installation is usually straightforward, using "setup.exe" to install the files extracted from "PacketVB6.cab" as laid out in "setup.lst". The default installation directory is under "Program Files" (or "Program Files (x86)" on 64-bit systems). It is highly recommended to stick with the default to make the program available to all users. Since this directory may not be writable by ordinary users, the log files are located in a subdirectory of the individual user's profile (C:\Users\User Name\PacketVB\logs).

When executing the program for the first time, it will create the log directory and quit. Executing it a second time will ask you to run "Setup". "Setup" is available through the drop-down menu, or the card icon. Normally, there is only one "Local Area Connection". If you choose one that is not an Ethernet interface, the program will advise you of that. Once an Ethernet interface has been selected, the MAC address, IP address, and netmask are recovered and displayed, and the interface ID is stored in the registry. Data capture can be started and stopped from the same menu item, but it is more convenient to use the green triangle and red square in the toolbar.

After capture is started, the data will start to fill in the table.

Because we started capture with the "Filter On" and "IP Only" boxes not checked, we captured a variety of packets, including IPv6. Although it is possible to examine the packet contents while PacketVB is still capturing data, it could be somewhat difficult as the data is scrolling by. It is better to stop the capture by clicking the red square, and then examine the contents by clicking on the individual lines.

When a packet is opened for display, the data portion of the packet is highlighted in both the hexadecimal display area in the center and the text interpretation on the right. In this case, the data is an IPv6 Link-Local Multicast Name Resolution response from a machine on the local network, so the text has some relevance. For convenience, the source and destination MAC addresses, IP addresses, and ports are extracted and displayed at the top. Clicking on any one of them locates the corresponding bytes in the hex data.

Here we have clicked on the source IP address. The highlighted address is the full IPv6 address, whereas the IP address at the top is the compressed version. You can manually highlight data on the hex display, and the corresponding text is automatically highlighted. The contents of the current data display can be copied to the clipboard by using the "Edit" menu. To remove the data display, use the "View" menu or simply press the "Esc" key.
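The field extraction described in the two paragraphs above (MACs, IPs, ports pulled out of the frame, the full versus compressed IPv6 form, and finding the bytes behind a summary field in the hex dump), together with the "Filter On" and "IP Only" options from earlier, as an added example. This is not PacketVB's or WinpkFilter's code; it is a stand-alone Python parser over constructed frames, and the filter semantics (unicast-to-this-NIC-or-group-address for "Filter On", IPv4/IPv6 EtherTypes for "IP Only") are assumptions about how the options behave, not taken from the page.

```python
"""Added example: Ethernet frame summary and capture-option filter.
Not part of PacketVB; all frames below are constructed sample data."""
import ipaddress
import struct

# Standard EtherType and IP protocol numbers
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Summarise one frame: MACs, EtherType, IPs, ports, and the (start, end)
    byte offsets of each field so a hex viewer can highlight the bytes behind
    a summary field, the way PacketVB does when a field is clicked."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "ethertype": etype,
            "offsets": {"dst_mac": (0, 6), "src_mac": (6, 12)}}
    if etype == ETHERTYPE_ARP:
        # ARP over Ethernet/IPv4: sender IP at bytes 28..32, target IP at 38..42
        info["src_ip"] = str(ipaddress.IPv4Address(frame[28:32]))
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[38:42]))
        info["offsets"].update(src_ip=(28, 32), dst_ip=(38, 42))
        return info
    if etype == ETHERTYPE_IPV4:
        ihl = (frame[14] & 0x0F) * 4            # header length in bytes
        proto, l4 = frame[23], 14 + ihl
        src_ip, dst_ip = ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])
        info["offsets"].update(src_ip=(26, 30), dst_ip=(30, 34))
    elif etype == ETHERTYPE_IPV6:
        proto, l4 = frame[20], 54               # fixed 40-byte header; extension headers not handled
        src_ip, dst_ip = ipaddress.IPv6Address(frame[22:38]), ipaddress.IPv6Address(frame[38:54])
        info["offsets"].update(src_ip=(22, 38), dst_ip=(38, 54))
        # The hex dump holds the full 128-bit form; the summary line shows the compressed one
        info["src_ip_full"], info["dst_ip_full"] = src_ip.exploded, dst_ip.exploded
    else:
        return info
    info["src_ip"], info["dst_ip"], info["protocol"] = str(src_ip), str(dst_ip), proto
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", frame[l4:l4 + 4])
        info["offsets"].update(src_port=(l4, l4 + 2), dst_port=(l4 + 2, l4 + 4))
        hdr = 8 if proto == PROTO_UDP else (frame[l4 + 12] >> 4) * 4
        info["data_offset"] = l4 + hdr          # where the highlighted payload begins
    return info


def passes_filter(frame, adapter_mac, filter_on, ip_only):
    """Assumed model of the two capture options: "Filter On" keeps frames
    addressed to this NIC (unicast to its MAC, or any group address, i.e.
    broadcast/multicast with the low bit of the first byte set); "IP Only"
    keeps IPv4 and IPv6 frames and drops ARP and everything else."""
    dst, etype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if filter_on and dst != adapter_mac and not dst[0] & 1:
        return False
    if ip_only and etype not in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return False
    return True


def build_ipv6_udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed IPv6/UDP frame (UDP checksum left at zero; sample data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip6 = (struct.pack("!IHBB", 0x60000000, len(udp), PROTO_UDP, 64)
           + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + udp


def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed ARP who-has broadcast."""
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + src_mac
           + ipaddress.IPv4Address(src_ip).packed + b"\x00" * 6
           + ipaddress.IPv4Address(target_ip).packed)
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


# Constructed, locally-administered MACs and link-local addresses
OUR_MAC = bytes.fromhex("02aabbccddee")
PEER_MAC = bytes.fromhex("021122334455")
LLMNR_REPLY = build_ipv6_udp(PEER_MAC, OUR_MAC, "fe80::1", "fe80::2", 5355, 49152,
                             b"constructed LLMNR response")
ARP_BROADCAST = build_arp_request(PEER_MAC, "192.168.1.10", "192.168.1.20")
UNICAST_TO_OTHER = build_ipv6_udp(PEER_MAC, bytes.fromhex("020000000001"),
                                  "fe80::1", "fe80::3", 1000, 2000, b"x")

if __name__ == "__main__":
    info = parse_frame(LLMNR_REPLY)
    print("summary :", info["src_ip"], "port", info["src_port"], "->", info["dst_ip"], "port", info["dst_port"])
    start, end = info["offsets"]["src_ip"]
    print("hex dump:", LLMNR_REPLY[start:end].hex(), "=", info["src_ip_full"])
    for name, frame in [("LLMNR reply", LLMNR_REPLY), ("ARP broadcast", ARP_BROADCAST),
                        ("unicast to other host", UNICAST_TO_OTHER)]:
        print(f"{name:22s} Filter On: {passes_filter(frame, OUR_MAC, True, False)}  "
              f"Filter On + IP Only: {passes_filter(frame, OUR_MAC, True, True)}")
```

Running the block prints the compressed address beside the 16 raw bytes it was decoded from, which is the difference the screenshot discussion above points out; the offsets dictionary is what a viewer would use to highlight those bytes on a click. Without "Filter On", a NIC in promiscuous mode on a hub sees the unicast frame for the other host as well.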

The captured data is automatically stored on disk. Even if the data capture is interrupted for some reason, you can always recover it by clicking on the "File" menu and using the "Display Last Capture" item. In this same menu, you can print the current data display, or save the current data set to disk for future reference. To redisplay a saved data set, use the "Get Saved" menu item or click on the text box in the upper right corner. If you accidentally click on the text box, you can remove the list of files by pressing the "Esc" key.

To install PacketVB, you must first install WinpkFilter! There is no charge for personal use.
NOTE: Make sure that the driver version (NDISRD.sys) is the same as that of the library file (NDISApi.dll). Library helper files do not have to be registered. Place the library in the "System32" directory ("SysWow64" on 64-bit systems) for universal access, or in the application directory to override whatever is in the System32 directory.

Note: The IPv6 version of the software supports both IPv4 and IPv6, but only works on Windows Vista or later.

Bug Fixes: 01/04/2015
PacketVBv2 would not intercept packets with the "Filter On" option checked. This was traced to the adapter MAC address string missing a trailing semicolon, which was corrected.
PacketVBv2 would not correctly release the interface in Promiscuous Mode. The exact cause was not determined and the entire program was rewritten.

Bug Fix: 01/06/2018
When exiting the program without starting a packet capture, the Ethernet interface would hang and stop all network traffic. The problem was traced to the form unload event trying to release the interface when it had never been activated. A flag was added to track the interface state.
