Tuesday, December 29, 2009

Using wireshark to trace localhost traffic on windows.

(If you don’t care why this works and just need a recipe, switch to this post)

Capturing network packets on localhost doesn't work on windows. The reason is windows doesn't send loopback traffic far enough down the networking stack for wireshark to see it. To make sniffing work on localhost you can route your ip traffic to your default gateway. I'll walk you through this, and along the way you'll see:

  • netcat - telnet on steroids (nc.exe)
  • tshark - command line network sniffer from the wireshark package.
  • powershell jobs - background jobs from the shell!

Step 1 - launch the server as a background job (Woohoo powershell)

PS C:\Users\igord> $server = start-job { \bin_drop\nc -L -p 8082 } 
Step 2 - Make client connection:
PS C:\Users\igord> \bin_drop\nc.exe 127.0.0.1 8082
Hello 
You can see me 
Step 3: See if we can see anything in tshark on port 8082.
C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft
Step 4: Point netcat at our ip address that's external:
PS C:\Users\igord> ipconfig
    Windows IP Configuration
    Wireless LAN adapter Wireless Network Connection:   
    Connection-specific DNS Suffix  . : hsd1.state.comcast.net   
    Link-local IPv6 Address . . . . . : fe80::49a:2ea6:7757:db5%14   
    IPv4 Address. . . . . . . . . . . : 192.168.1.100   
    Subnet Mask . . . . . . . . . . . : 255.255.255.0   
    Default Gateway . . . . . . . . . : 192.168.1.1PS 

C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello can you see me in tshark?

(Still nothing in netcat)

Step 5: Add a route for our local address to the router:

PS C:\Users\igord> route add 192.168.1.100 192.168.1.1
OK!
Step 6: Run netcat again - and check tshark:
PS C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello Do you see me
Now we get our packets in tshark!
C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft
107.838518 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.840456 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.841013 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.841988 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.842291 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
107.844181 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 449#1] 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
110.528557 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.530030  192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.530139 192.168.1.100 -> 192.168.1.100 TCP [TCP Out-Of-Order] 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.730222 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
110.731258  192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.731797 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 480#1] us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
116.982412 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0
116.984259  192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
116.984390 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0

For bonus points, why do you see 2 of each packet?

Step 7: Cleanup

PS C:\Users\igord> route delete 192.168.1.100 OK!

3 comments:

Todaydownload.com said...

This valuable editorial was very useful to read, I savored it completely.
I'm about now to email it to my colleagues to permit them examine this too.
Thank you really
Get Wireshark

Lee Wei said...

Doing so, every network traffic from your machine to itself will use the physical network interface, it will then
go to the gateway, back to you. Therefore, you will see each packet twice.

MrSchism said...

The best way to handle the repeating would be with the ip.src== filter.