MORE INFORMATION
Background information
A network "sniffer" is software or hardware that is designed to
collect data that is flowing across a network. The data that a sniffer
collects can be useful for many purposes, including troubleshooting, network
traffic analysis, and security purposes. The same data can also be used
for illegitimate purposes, including data theft, password cracking, and network
mapping (reconnaissance). This type of passive network attack can be
difficult to detect.
A network sniffer can run in one of two modes:
- Non-promiscuous mode
- Promiscuous mode
Network sniffers that do not run in Promiscuous mode typically collect data from the network that is destined to
or sent from the computer that is running the sniffer. This traffic may include
unicast, broadcast, and multicast traffic.
Promiscuous mode is a state
in which a network adapter card copies all the frames that pass over the
network to a local buffer, regardless of the destination address. This mode
enables network sniffers to capture all network traffic on the sniffer's local
subnet or virtual local area network (VLAN). Again, this traffic may include unicast, broadcast, and
multicast traffic. You can configure a switch to limit this activity so that the
network sniffer can collect only data sent to and from the computer that is running the
sniffer (for example, the switch port that the computer that is running the sniffer is plugged
into). If a computer has network interfaces that are running in Promiscuous mode, a network sniffer may be running on the computer.
Promqry and PromqryUI
Promqry and PromqryUI are two tools that detect network
interfaces that are running in Promiscuous mode. Promqry is a command-line tool,
and PromqryUI is a tool that has a Windows graphical user interface. Both tools
have the same basic functionality. They can accurately determine whether a managed computer has network interfaces that are running in
Promiscuous mode if the computer is running Windows 2000 or a later version. These tools cannot detect stand-alone sniffers or sniffers
that are running on non-Microsoft Windows-based computers.
How to obtain the tools
Download the Promqry package now.
Download the PromqryUI package now.
Common features
Both Promqry and PromqryUI can do the following things:
- Query the local computer's network interfaces
- Query a single remote computer's interfaces
- Query a range of remote computers' interfaces
When a range of computers is queried, both tools first ping (by using
ICMP) each remote computer in the specified range. If the ping
fails, for example, because the remote computer is offline or behind a firewall, the
computer's network interfaces are not queried. This allows both tools
to complete the range more quickly, because they do not spend time trying
to query unreachable computers. If required, the ping can be disabled for networks that filter ICMP.
By default, both tools provide verbose
output. Verbose output can be toggled off so that only summary data is
provided.
Requirements
- Both tools require the .NET Framework in order to run. Therefore, you must have the .NET Framework installed on the computer from which you run Promqry or
PromqryUI. However, the .NET Framework does not have to be installed on the remote computers that you want to query. For more information about the .NET Framework, visit the following Microsoft Web site: http://msdn.microsoft.com/netframework/downloads/framework1_1redist/
- To use either tool to successfully query a computer, you must run the tools under the security context of an administrator on the computer that you are
querying.
- Both tools use Windows Management Instrumentation (WMI) to
query computers for information when an interface is found to be running in Promiscuous mode.
By default, WMI is included in Windows 2000, Windows XP, and Windows Server
2003.
For more information about WMI, visit the following Microsoft Web site: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/about_wmi.asp
- Because Promqry and PromqryUI use WMI (and DCOM), the tools must have
access to various TCP/UDP ports, including TCP
port 135, when they query remote computers.
For information about connecting to remote
computers through a firewall by using WMI, visit the following Microsoft Web site:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/connecting_through_windows_firewall.asp
Known limitations
Promqry and PromqryUI have some limitations, including the following limitations:
- The tools cannot detect stand-alone sniffers, for example, devices
that are manufactured for the sole purpose of sniffing network traffic. These devices
can use different types of hardware and software.
- The tools cannot detect sniffers that are running on operating systems
other than Windows 2000, Windows XP, Windows Server 2003, and later Windows
operating systems.
- The tools cannot remotely detect sniffers that are running on Windows-based computers where the network hardware has been modified specifically to avoid
detection. For example, the hardware may be modified so that the network interface card or a network cable allows the computer to receive traffic from the network, but not to send traffic to
the network. In this scenario, the computer receives a query to determine whether
it has interfaces that are running in Promiscuous mode, but its response does not make
it back across the network to the computer that sent the query. However, Promqry
and PromqryUI can be used to query these computers locally, instead of remotely,
to determine whether interfaces are running in Promiscuous mode.
Notes on Virtual PC and Virtual Server
Promqry and PromqryUI may report that the physical interface is running in
Promiscuous mode on a Windows-based computer that is running Microsoft Virtual PC and/or Microsoft Virtual
Server. Virtual PC and Virtual Server will configure the host's physical interface to run in Promiscuous
mode.
Promqry and PromqryUI report that the host's interface
is running in Promiscuous mode in any one of the following conditions:
- A virtual PC or server is configured to use the host's
physical interface. For example, the virtual PC or server is directly connected to the
host's network instead of being configured on its own local network or
configured to be behind an interface that is configured to perform Network Address Translation (NAT).
- An application such as a network sniffer has configured the host
computer's network interface to run in Promiscuous mode. When the host computer is
queried, it reports that one of the host computer's interfaces is running in
Promiscuous mode.
Promqry and PromqryUI report that the host's interface is
not running in Promiscuous mode under the following conditions:
- A virtual PC or server is configured to use its own local
network or a shared NAT connection, that is, it is not configured to use the
host's physical interface. In either of these configurations, even when the
virtual PC or server is running a network sniffer that configures the interface
to run in Promiscuous mode, Promqry and PromqryUI report that the host's interface is not
running in Promiscuous mode. Although the interface of the virtual PC or server is running in
Promiscuous mode, it can only sniff network traffic that is sent to and from its own IP
address. It cannot sniff all the traffic on the subnet that it is connected to.
Promqry 1.0 usage
Promqry is a command-line tool that can also be used in scripts.
Promqry queries computers for interfaces that are running in Promiscuous mode.
To query the local computer's interfaces, run the following command:
promqry.exe
Notes
- Returns zero (0) if any interfaces are found to be running in Promiscuous mode.
- Returns 1 if no interfaces are found to be running in Promiscuous mode.
- Returns 99 if an error is encountered.
- The np and nv options are not valid for a local query.
To query a remote computer's interfaces, run the following command:
promqry.exe remote_IP | remote_name [-nv]
Notes
- Returns zero (0) if any interfaces are found to be running in Promiscuous mode.
- Returns 1 if no interfaces are found to be running in Promiscuous mode.
- Returns 99 if an error is encountered.
- The nv option means that there is no verbose output. The option only reports errors and computers
with interfaces that are running in Promiscuous mode.
To query a range of remote computers' interfaces, run the following command:
promqry.exe start_remote_IP:end_remote_IP [-np] [-nv]
Notes
- The value of start_remote_IP must be lower than the value of end_remote_IP.
- np means that there is no ping before the query.
- np is valid only when querying a range of computers.
- nv means that there is no verbose output. The option only reports
errors and computers with interfaces that are running in Promiscuous mode.
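Because Promqry is built for scripting, the exit codes above can drive an automated sweep. The following PowerShell script is an added example, not part of the Promqry package: it walks an address range, applies the same ping pre-check the tool uses, runs promqry.exe once per host with -nv, and maps the documented exit codes (0, 1, 99) to a result object. It assumes promqry.exe is on the PATH and that it runs under an administrator account on the queried computers; the IP range is a constructed sample.

```powershell
# Added example, not code from the Promqry package: drive promqry.exe against
# each address in a range and turn its documented exit codes (0, 1, 99) into
# objects that can be logged or exported. Assumes promqry.exe is on the PATH
# and that the script runs as an administrator of the queried computers.
param(
    [string]$StartIP = "192.0.2.10",  # constructed sample range (TEST-NET-1)
    [string]$EndIP   = "192.0.2.12",
    [switch]$NoPing                   # skip the ICMP check, e.g. where ICMP is filtered
)

function Convert-IPToUInt32([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)              # network byte order -> little-endian for ToUInt32
    return [BitConverter]::ToUInt32($b, 0)
}
function Convert-UInt32ToIP([uint32]$n) {
    $b = [BitConverter]::GetBytes($n)
    [Array]::Reverse($b)
    return ($b -join '.')
}

# Promqry requires start_remote_IP to be lower than end_remote_IP; check it up front.
$start = Convert-IPToUInt32 $StartIP
$end   = Convert-IPToUInt32 $EndIP
if ($start -ge $end) { throw "start_remote_IP must be lower than end_remote_IP" }

# Exit codes documented for a single remote query.
$meaning = @{ 0 = "Promiscuous"; 1 = "NotPromiscuous"; 99 = "Error" }

for ($n = $start; $n -le $end; $n++) {
    $target = Convert-UInt32ToIP $n

    # Same pre-check the tool performs for a range: skip hosts that do not answer a ping.
    if (-not $NoPing -and -not (Test-Connection -ComputerName $target -Count 1 -Quiet)) {
        [pscustomobject]@{ Host = $target; ExitCode = $null; Status = "Unreachable" }
        continue
    }

    # -nv: only errors and promiscuous hits are printed; the exit code is what we keep.
    & promqry.exe $target -nv | Out-Null
    $code = $LASTEXITCODE
    $status = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { "Unknown($code)" }
    [pscustomobject]@{ Host = $target; ExitCode = $code; Status = $status }
}
```

Pipe the script's output to Export-Csv to keep a record of each sweep; a Status of Promiscuous marks a host to investigate, and Error or Unreachable marks one the sweep could not assess.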
PromqryUI 1.0 usage
The PromqryUI interface has two panes. The left pane lists
the systems to query, and the right pane displays the output that is generated
when the START QUERY button is clicked.

To
add systems to the list of systems to query, click
Add. You will
be asked whether you want to add a single system or a range of
systems to the list.

Single systems can be added by IP
address or by name. If a name is added, PromqryUI attempts to resolve the
name to an IP address when you click the START QUERY button. If the name fails
to resolve to an IP address, the query fails.

When you add a range of systems to the list of
systems to query, the start IP address must be less than the end IP
address.

After you add systems, click to select the box next to each system
or range that you want to query. Systems and ranges that are not selected will not be
queried when you click the START QUERY button.

Any systems that you have added to the list will be
automatically saved when you exit PromqryUI in the usual manner (by using the
File, Exit menu
item or by using the control box). The next time you start PromqryUI, the
Systems To
Query list is automatically populated with the systems and ranges that
were saved.
You can use the
Edit menu to set the ping option and the verbose option that were described earlier.

Press the START QUERY button to start querying the
selected systems. In verbose mode, each interface is listed together with whether it
is running in Promiscuous mode.
If no interfaces are found to be running in Promiscuous mode, you will receive a message similar to the message displayed in the graphic below.

If an interface is found to be running in
Promiscuous mode, you will receive a message similar to the one displayed in the graphic below.

When PromqryUI (or Promqry)
finds a host that has an interface that is running in Promiscuous mode, it uses WMI to query
the host for additional information to make it easier to identify that host. The following is an
example of this data:
Computer name: MYCOMPUTER
Domain: contoso.com
Computer manufacturer: Dell Computer Corporation
Computer model: Precision WorkStation 340
Primary owner: John Smith
User currently logged on: contoso\user1
Operating system: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
Organization: Contoso Corp.
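The same identification fields can be gathered by hand when a hit needs follow-up. The function below is an added example, not the tools' own code: it reads the Win32_ComputerSystem and Win32_OperatingSystem WMI classes over DCOM with Get-WmiObject (Windows PowerShell), which uses the same TCP 135 path described under Requirements. It assumes the caller is an administrator on the target, and MYCOMPUTER is the article's constructed sample name.

```powershell
# Added example, not code from Promqry or PromqryUI: collect the identification
# data the tools report for a promiscuous host, using the WMI classes
# Win32_ComputerSystem and Win32_OperatingSystem over DCOM (Get-WmiObject).
# Assumes the caller is an administrator on the target computer.
function Get-PromiscuousHostInfo {
    param([string]$Target = "MYCOMPUTER")   # constructed sample name, as in the article

    try {
        $cs = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $Target -ErrorAction Stop
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop
    } catch {
        # Typical causes: TCP 135/DCOM blocked by a firewall, no admin rights on the
        # target, or a host that can receive but not send (see Known limitations).
        return [pscustomobject]@{ 'Computer name' = $Target; 'Error' = $_.Exception.Message }
    }

    [pscustomobject]@{
        'Computer name'            = $cs.Name
        'Domain'                   = $cs.Domain
        'Computer manufacturer'    = $cs.Manufacturer
        'Computer model'           = $cs.Model
        'Primary owner'            = $cs.PrimaryOwnerName
        'User currently logged on' = $cs.UserName      # $null when nobody is logged on interactively
        'Operating system'         = $os.Caption
        'Organization'             = $os.Organization
    }
}

# Print the record for one host in the same "Field: value" layout as the sample above.
(Get-PromiscuousHostInfo -Target "MYCOMPUTER").PSObject.Properties |
    ForEach-Object { "{0}: {1}" -f $_.Name, $_.Value }
```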