Microsoft KB Archive/892853

= Description of Promqry 1.0 and PromqryUI 1.0 =

Article ID: 892853

Article Last Modified on 12/28/2006

-

APPLIES TO


 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

-



SUMMARY
''A network &quot;sniffer&quot; is designed to collect data that is flowing across a network. The data can be useful for many purposes, including troubleshooting, network traffic analysis, and security purposes. However, the data can be used for illegitimate purposes, such as network attack. This article introduces two tools, Promqry and PromqryUI, that allow you to detect network sniffers that are running on Microsoft Windows Server 2003, on Microsoft Windows XP, and on Microsoft Windows 2000.''

''Promqry is a command-line tool that can also be used in scripts. PromqryUI is a tool that has a Windows graphical user interface. Both tools have the same basic functionality:''
 * To query the local computer's network interfaces
 * To query a single remote computer's interfaces
 * To query a range of remote computers' interfaces

''Promqry and PromqryUI require the Microsoft .NET Framework to run, and the tools must run under the security context of Administrator. Additionally, the tools have the following limitations:''
 * They cannot detect stand-alone sniffers.
 * They cannot detect sniffers that are running on operating systems prior to Microsoft Windows 2000.
 * They cannot remotely detect sniffers that are running on Windows systems where the network hardware has been modified specifically to avoid detection.

At the end of the article, you are provided with details about how to use Promqry 1.0 and PromqryUI 1.0.



IN THIS TASK
 INTRODUCTION MORE INFORMATION  Background information Promqry and PromqryUI  How to obtain the tools Common features Requirements</li> Known limitations</li> Notes on Virtual PC and Virtual Server</li> Promqry 1.0 usage</li> PromqryUI 1.0 usage</li></ul> </li></ul>

</li></ul>

<div class="notice_section">

INTRODUCTION
This article introduces two tools that enable you to detect a network sniffer that is running on a computer that is running Windows Server 2003, Windows XP, or Windows 2000.

<div class="moreinformation_section">

Background information
A network &quot;sniffer&quot; is software and hardware that is designed to collect data that is flowing across a network. The data that a sniffer collects can be useful for many purposes, including troubleshooting, network traffic analysis, and security purposes. This type of data can also be used for illegitimate purposes, including data theft, password cracking, and networking mapping (reconnaissance). This type of passive network attack can be difficult to detect.

A network sniffer can run in one of two modes:
 * Non-promiscuous mode
 * Promiscuous mode

Network sniffers that do not run in Promiscuous mode typically collect data from the network that is destined to or sent from the computer that is running the sniffer. This traffic may include unicast, broadcast, and multicast traffic.

Promiscuous mode is a state in which a network adapter card copies all the frames that pass over the network to a local buffer, regardless of the destination address. This mode enables network sniffers to capture all network traffic on the sniffer's local subnet or virtual local area network (VLAN). Again, this traffic may include unicast, broadcast, and multicast traffic. You can configure a switch to limit this activity so that the network sniffer can collect only data sent to and from the computer that is running the sniffer (for example, the switch port that the computer that is running the sniffer is plugged into). If a computer has network interfaces that are running in Promiscuous mode, a network sniffer may be running on the computer.

Promqry and PromqryUI
Promqry and PromqryUI are two tools that detect network interfaces that are running in Promiscuous mode. Promqry is a command-line tool, and PromqryUI is a tool that has a Windows graphical user interface. Both tools have the same basic functionality. They can accurately determine whether a managed computer has network interfaces that are running in Promiscuous mode if the computer is running Windows 2000 or a later version. These tools cannot detect stand-alone sniffers or sniffers that are running on non-Microsoft Windows-based computers.

How to obtain the tools
Download the Promqry package now.

Download the PromqryUI package now.

Common features
Both Promqry and PromqryUI can do the following things:
 * Query the local computer's network interfaces
 * Query a single remote computer's interfaces
 * Query a range of remote computers' interfaces

When a range of computers is queried, both tools will ping (by using the ICMP protocol) each remote computer in the specified range. If the ping fails, for example, if the remote computer is not online or is behind a firewall, the computer's network interfaces will not be queried. This feature allows both tools to query the specified range quicker because they will not spend time attempting to query unreachable computers. This ping feature can be disabled for networks that filter ICMP, if it is required.

By default, both tools provide verbose output. Verbose output can be toggled off so that only summary data is provided.

Requirements

 * Both tools require the .NET Framework in order to run. Therefore, you must have the .NET Framework installed on the computer from which you run Promqry or PromqryUI. However, the .NET Framework does not have to be installed on the remote computers that you want to query. For more information about the .NET Framework, visit the following Microsoft Web site: http://msdn2.microsoft.com/en-us/netframework/aa569265.aspx
 * To use either tool to successfully query a computer, you must run the tools under the security context of an administrator on the computer that you are querying.
 * Both tools use Windows Management Instrumentation (WMI) to query computers for information when an interface is found to be running in Promiscuous mode. By default, WMI is included in Windows 2000, Windows XP, and Windows Server 2003.

For more information about WMI, visit the following Microsoft Web site:http://msdn2.microsoft.com/en-us/library/aa384642.aspx
 * Because Promqry and PromqryUI use WMI (and DCOM), the tools must have access to various TCP/UDP ports, including TCP port 135, when they query remote computers.

For information about connecting to remote computers through a firewall by using WMI, visit the following Microsoft Web site: http://msdn2.microsoft.com/en-us/library/aa389286.aspx

Known limitations
Promqry and PromqryUI have some limitations, including the following limitations:
 * The tools cannot detect stand-alone sniffers, for example, devices that are manufactured for the sole purpose of sniffing network traffic. These devices can use different types of hardware and software.
 * The tools cannot detect sniffers that are running on operating systems other than Windows 2000, Windows XP, Windows Server 2003, and later Windows operating systems.
 * The tools cannot remotely detect sniffers that are running on Windows-based computers where the network hardware has been modified specifically to avoid detection. For example, the hardware may be modified so that the network interface card or a network cable allows the computer to receive traffic from the network, but not to send traffic to the network. In this scenario, the computer receives a query to determine whether it has interfaces that are running in Promiscuous mode, but its response does not make it back across the network to the computer that sent the query. However, Promqry and PromqryUI can be used to query these computers locally, instead of remotely, to determine whether interfaces are running in Promiscuous mode.

Notes on Virtual PC and Virtual Server
Promqry and PromqryUI may report that the physical interface is running in Promiscuous mode on a Windows-based computer that is running Microsoft Virtual PC and/or Microsoft Virtual Server. Virtual PC and Virtual Server will configure the host's physical interface to run in Promiscuous mode.

Promqry and PromqryUI report that the host's interface is running in Promiscuous mode in any one of the following conditions:
 * A virtual PC or server is configured to use the host's physical interface. For example, the virtual PC or server is directly connected to the host's network instead of being configured on its own local network or configured to be behind an interface that is configured to perform Network Address Translation (NAT).
 * An application such as a network sniffer has configured the host computer's network interface to run in Promiscuous mode. When the host computer is queried, it reports that one of the host computer's interfaces is running in Promiscuous mode.

Promqry and PromqryUI report that the host's interface is not running in Promiscuous mode under the following conditions:
 * A virtual PC or server is configured to use its own local network or is configured to use a shared NAT connection. For example, the virtual PC or server is not configured to use the host's physical interface. In one of these configurations, even when the virtual PC or server is running a network sniffer that configures the interface to run in Promiscuous mode, Promqry and PromqryUI report that the interface is not running in Promiscuous mode. Although the interface of the virtual PC or server is running in Promiscuous mode, the interface will only be able to sniff network traffic that is sent to and from its own IP address. It will not be able to sniff all the traffic on the subnet that it is connected to.

Promqry 1.0 usage
Promqry is a command-line tool that can also be used in scripts. Promqry queries computers for interfaces that are running in Promiscuous mode.

To query a local computer's interfaces, run the promqry.exe command.

Notes
 * Returns zero (0) if any interfaces are found to be running in Promiscuous mode.
 * Returns 1 if no interfaces are found to be running in Promiscuous mode.
 * Returns 99 if an error is encountered.
 * The np and nv options are not valid for a local query.

To query a remote computer's interfaces, run the promqry.exe remote_IP | remote_name [-nv]

Notes
 * Returns zero (0) if any interfaces are found to be running in Promiscuous mode.
 * Returns 1 if no interfaces are found to be running in Promiscuous mode.
 * Returns 99 if an error is encountered.
 * The nv option means that there is no verbose output. The option only reports errors and computers with interfaces that are running in Promiscuous mode.

To query a range of remote computers' interfaces, run the promqry.exe start_remote_IP:end_remote_IP [-np] [-nv] command.

Notes
 * The value of start_remote_IP must be lower than the value of end_remote_IP.
 * np means that there is no ping before the query.
 * np is valid only when querying a range of computers.
 * nv means that there is no verbose output. The option only reports errors and computers with interfaces that are running in Promiscuous mode.

PromqryUI 1.0 usage
The PromqryUI interface has two panes. The left pane lists the systems to query, and the right pane displays the output that is generated when the START QUERY button is clicked.



To add systems to the list of systems to query, click Add. You will be asked whether you want to add a single system or a range of systems to the list.



Single systems can be added by IP address or by name. If a name is added, PromqryUI attempts to resolve the name to an IP address when you click the START QUERY button. If the name fails to resolve to an IP address, the query fails.



When you add a range of systems to the list of systems to query, the start IP address must be less than the end IP address.



After you add systems, click to select the box next to each or range to select the systems that you want to query. Systems and ranges that are not selected will not be queried when you click the START QUERY button.



Any systems that you have added to the list will be automatically saved when you exit PromqryUI in the usual manner (by using the File, Exit menu item or by using the control box). The next time you start PromqryUI, the Systems To Query list is automatically populated with the systems and ranges that were saved.

You can use the Edit menu to set the ping option and the verbose option that were described earlier.



Press the START QUERY button to start to query the selected systems. In verbose mode, each interface is listed and whether each interface is running in Promiscuous mode.

If no interfaces are found to be running in Promiscuous mode, you will receive a message similar to the message displayed in the graphic below.



If an interface is found to be running in Promiscuous mode, you will receive a message similar to the one displayed in the graphic below.



When PromqryUI (or Promqry) finds a host that has an interface that is running in Promiscuous mode, PromqryUI uses WMI to query the host for additional information to make it easier to identify that host. The following is an example of this data:

Computer name: MYCOMPUTER

Domain: contoso.com

Computer manufacturer: Dell Computer Corporation

Computer model: Precision WorkStation 340

Primary owner: John Smith

User currently logged on: contoso\user1

Operating : Microsoft(R) Windows(R) Server 2003, Enterprise Edition

Organization: Contoso Corp.

Keywords: kbnetworkmon kbnetwork kbinfo KB892853

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.