Using wireshark to trace localhost traffic on windows.

(If you don’t care why this works and just need a recipe, switch to this post)

Capturing network packets on localhost doesn't work on windows. The reason is windows doesn't send loopback traffic far enough down the networking stack for wireshark to see it. To make sniffing work on localhost you can route your ip traffic to your default gateway. I'll walk you through this, and along the way you'll see:

  • netcat - telnet on steroids (nc.exe)
  • tshark - command line network sniffer from the wireshark package.
  • powershell jobs - background jobs from the shell!

Step 1 - launch the server as a background job (Woohoo powershell) 

PS C:\Users\igord> $server = start-job { \bin_drop\nc -L -p 8082 }
Step 2 - Make client connection: 
PS C:\Users\igord> \bin_drop\nc.exe 127.0.0.1 8082
Hello 
You can see me
Step 3: See if we can see anything in tshark on port 8082. 
C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft
Step 4: Point netcat at our ip address that's external: 
PS C:\Users\igord> ipconfig
    Windows IP Configuration
    Wireless LAN adapter Wireless Network Connection:   
    Connection-specific DNS Suffix  . : hsd1.state.comcast.net   
    Link-local IPv6 Address . . . . . : fe80::49a:2ea6:7757:db5%14   
    IPv4 Address. . . . . . . . . . . : 192.168.1.100   
    Subnet Mask . . . . . . . . . . . : 255.255.255.0   
    Default Gateway . . . . . . . . . : 192.168.1.1PS 

C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello can you see me in tshark?

(Still nothing in netcat)

Step 5: Add a route for our local address to the router: 

PS C:\Users\igord> route add 192.168.1.100 192.168.1.1
OK!
Step 6: Run netcat again - and check tshark: 
PS C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello Do you see me
Now we get our packets in tshark! 
C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft
107.838518 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.840456 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.841013 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.841988 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.842291 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
107.844181 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 449#1] 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
110.528557 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.530030  192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.530139 192.168.1.100 -> 192.168.1.100 TCP [TCP Out-Of-Order] 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.730222 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
110.731258  192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.731797 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 480#1] us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
116.982412 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0
116.984259  192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
116.984390 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0

For bonus points, why do you see 2 of each packet?

Step 7: Cleanup 

PS C:\Users\igord> route delete 192.168.1.100 OK!

Comments

Todaydownload.com said…
This valuable editorial was very useful to read, I savored it completely.
I'm about now to email it to my colleagues to permit them examine this too.
Thank you really
Get Wireshark
6/28/2012 1:28 AM
Lee Wei said…
Doing so, every network traffic from your machine to itself will use the physical network interface, it will then
go to the gateway, back to you. Therefore, you will see each packet twice.
8/14/2014 11:16 PM
MrSchism said…
The best way to handle the repeating would be with the ip.src== filter.
8/25/2014 8:38 AM
Post a Comment

Popular posts from this blog

Finding CLR exceptions without visual studio

(If you want to understand what exception code 0xe0434352 is, read this post ) Often exceptions are thrown and caught and you don't see them. You probably know how to debug this in Visual Studio, so let me show you how to do it in cdb. Sample Code: class Program { static void Main(string[] args) { foreach (var x in Enumerable.Range(0,2000)) { Thread.Sleep(TimeSpan.FromSeconds(1)); Console.WriteLine("Hello World"); ThrowAndCatchException(); } } private static void ThrowAndCatchException() { try { throw new NotImplementedException(); } catch(Exception) { } } } Output of the application: Hello World Hello World Hello World Nothing about an exception, but you're sure it's happening behind the covers -- fire up cdb: C:\Program Files\Debugging Tools for Windows (x64)>cdb -pn consoleapplication3.exe <SNIP> ModLoad: 000007fe`f7e90000 000007fe`f7eb4000 C:\Windows\Mi
Read more

Why do I keep getting exception code e0434352?

If you want to know how to debug CLR exceptions using cdb then read this post . Exception code e0434352 is the exception code used internally by the CLR to represent most exceptions(*). Regardless of if you throw a System.NullReferenceException or a System.ArgumentException in C#, you'll throw a SEH exception e0434352 under the covers. A fun way to validate this theory is to watch what happens to the CLR exceptions settings in cdb. Fire up cdb, and see the state of clr exceptions: 0:000> .shell -ci "sx" findstr clr clr - CLR exception - second-chance break - not handled clrn - CLR notification exception - break - handled .shell: Process exited Now, set the exception handler for exception number e0434352 and recheck the value of the clr exception handler: 0:000> sxe e0434352 0:000> .shell -ci "sx" findstr clr clr - CLR exception - break - not handled clrn - CLR notification exception - break - handled .shell: Process exited Armed with
Read more

Powershell script to enable windows to capture localhost traffic in wireshark

If you want to understand why the following scripts work read this post . Otherwise just paste the following into an elevated powershell window: Setup windows networking to allow localhost capturing in wireshark: # Find the network configuration that has the default gateway. $defaultAdapter = Get-WMIObject Win32_NetworkAdapterConfiguration | ? {$_.DefaultIPGateway} if (@($defaultAdapter).Length -ne 1) {throw "You don't have 1 default gateway, your network configuration is not supported" } # Route local IP address via the default gateway route add $defaultAdapter.IPAddress[0] $defaultAdapter.DefaultIPGateway Write-Host "Start capturing on localhost by connecting to $($defaultAdapter.IPAddress[0])" Return windows networking to normal configuration: # Find the network configuration that has the default gateway. $defaultAdapter = Get-WMIObject Win32_NetworkAdapterConfiguration | ? {$_.DefaultIPGateway} if (@($defaultAdapter).Length -ne 1) {throw "Y
Read more