The GTK+ packet interceptor does not track localhost (127.0.0.1)

How to get around this shortcoming of wireshark? I used RawCap... but there is another way: "Powershell script to enable windows to capture localhost traffic in wireshark". Just in case, I have copied the code from that blog here.
Powershell script to enable windows to capture localhost traffic in wireshark
If you want to understand why the following scripts work read this post. Otherwise just paste the following into an elevated powershell window:
Setup windows networking to allow localhost capturing in wireshark:
# Find the network configuration that has the default gateway.
$defaultAdapter = Get-WMIObject Win32_NetworkAdapterConfiguration | ? {$_.DefaultIPGateway}
if (@($defaultAdapter).Length -ne 1) {throw "You don't have 1 default gateway, your network configuration is not supported" }
# Route our own (local) IP address via the default gateway, so that traffic to it
# leaves through the adapter where wireshark can see it. DefaultIPGateway is an
# array, so take its first entry (the IPv4 gateway).
route add $defaultAdapter.IPAddress[0] $defaultAdapter.DefaultIPGateway[0]
Write-Host "Start capturing on localhost by connecting to $($defaultAdapter.IPAddress[0])"
Return windows networking to normal configuration:
# Find the network configuration that has the default gateway.
$defaultAdapter = Get-WMIObject Win32_NetworkAdapterConfiguration | ? {$_.DefaultIPGateway}
if (@($defaultAdapter).Length -ne 1) {throw "You don't have 1 default gateway, your network configuration is not supported" }
# Stop routing localhost traffic to the router: delete the host route added above.
route delete $defaultAdapter.IPAddress[0]
Remember, you won’t see traffic to localhost (127.0.0.1) but traffic to your network adapter’s IP address as listed in the script.
Using wireshark to trace localhost traffic on windows
(If you don’t care why this works and just need a recipe, switch to this post)
Capturing network packets on localhost doesn't work on windows. The reason is windows doesn't send loopback traffic far enough down the networking stack for wireshark to see it. To make sniffing work on localhost you can route your ip traffic to your default gateway. I'll walk you through this, and along the way you'll see:
- netcat - telnet on steroids (nc.exe)
- tshark - command line network sniffer from the wireshark package.
- powershell jobs - background jobs from the shell!
Step 1: Start a netcat server listening on port 8082 as a background job:
PS C:\Users\igord> $server = start-job { \bin_drop\nc -L -p 8082 }
Step 2 - Make client connection:
PS C:\Users\igord> \bin_drop\nc.exe 127.0.0.1 8082
Hello You can see me
Step 3: See if we can see anything in tshark on port 8082.
C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft
Step 4: Point netcat at our ip address that's external:
PS C:\Users\igord> ipconfig

Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : hsd1.state.comcast.net
   Link-local IPv6 Address . . . . . : fe80::49a:2ea6:7757:db5%14
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

PS C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello can you see me in tshark?
(Still nothing in netcat)
Step 5: Add a route for our local address to the router:
PS C:\Users\igord> route add 192.168.1.100 192.168.1.1
 OK!
Step 6: Run netcat again - and check tshark:
PS C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello Do you see me
Now we get our packets in tshark!
C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft
107.838518 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.840456 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.841013 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.841988 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.842291 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
107.844181 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 449#1] 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
110.528557 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.530030 192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.530139 192.168.1.100 -> 192.168.1.100 TCP [TCP Out-Of-Order] 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.730222 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
110.731258 192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.731797 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 480#1] us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
116.982412 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0
116.984259 192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
116.984390 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0
For bonus points, why do you see 2 of each packet?
Step 7: Cleanup
PS C:\Users\igord> route delete 192.168.1.100
 OK!
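Added example, not code from either blog: a PowerShell wrapper that combines Step 5, the tshark capture and Step 7 above in one script, picking the capture interface by name instead of a hard-coded -i 4 and removing the host route in a finally block so the routing change is undone even if the capture is interrupted. It assumes Windows 8 / Server 2012 or later (NetTCPIP cmdlets), an elevated prompt, tshark on PATH and exactly one IPv4 default gateway; the port and output path are placeholders.

```powershell
# Added example (not from the original posts). Assumes Windows 8+ NetTCPIP
# cmdlets, an elevated prompt, tshark on PATH and a single IPv4 default gateway.
param(
    [int]$Port = 8082,                                   # port under test (the post uses 8082)
    [string]$OutFile = "$env:TEMP\localhost-$Port.pcapng" # placeholder output path
)

# Pick the adapter that owns the IPv4 default route (same idea as the WMI query above).
$cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway }
if (@($cfg).Count -ne 1) {
    throw "Expected exactly one adapter with an IPv4 default gateway, found $(@($cfg).Count)"
}

$localIp = $cfg.IPv4Address[0].IPAddress
$gateway = $cfg.IPv4DefaultGateway.NextHop
$prefix  = "$localIp/32"

Write-Host "Routing $localIp via $gateway on '$($cfg.InterfaceAlias)'."
Write-Host "Point clients at $localIp (not 127.0.0.1) while this script runs."

# Equivalent of 'route add <ip> <gateway>': a /32 host route for our own address,
# so traffic to it is handed to the adapter (and bounced back by the router).
New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $cfg.InterfaceIndex `
             -NextHop $gateway -ErrorAction Stop | Out-Null
try {
    # Capture on the adapter by its friendly name; -f is a capture (BPF) filter,
    # so only the port under test is written to disk. Stop with Ctrl+C.
    & tshark -i $cfg.InterfaceAlias -f "tcp port $Port" -w $OutFile
}
finally {
    # Always undo the route (Step 7), even on Ctrl+C or a tshark error.
    Remove-NetRoute -DestinationPrefix $prefix -InterfaceIndex $cfg.InterfaceIndex -Confirm:$false
    Write-Host "Removed host route for $prefix; capture saved to $OutFile"
}
```

Current tshark treats -R as a two-pass display filter that must be combined with -2 (single-pass display filters use -Y), which is why the capture-time filter -f is used here instead.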