Capturing localhost traffic with Wireshark

Published 2024-11-04 11:48:41, 1436 characters, 0 views, 0 comments


Comments (9)

纸短情长 2024-11-11 11:48:43

On the Windows platform, it is also possible to capture localhost traffic using Wireshark.
What you need to do is to install the Microsoft loopback adapter, and then sniff on it.

听风吹 2024-11-11 11:48:43

I haven't actually tried this, but this answer from the web sounds promising:

Wireshark can't actually capture local packets on Windows XP due to
the nature of the Windows TCP stack. When packets are sent and
received on the same machine they don't seem to cross the network
boundary that Wireshark monitors.

However there is a way around this, you can route the local traffic
out via your network gateway (router) by setting up a (temporary)
static route on your windows XP machine.

Say your XP IP address is 192.168.0.2 and your gateway (router)
address is 192.168.0.1; you could run the following command from the
Windows XP command line to force all local traffic out and back across
the network boundary, so Wireshark could then track the data (note
that Wireshark will report packets twice in this scenario, once when
they leave your PC and once when they return).

route add 192.168.0.2 mask 255.255.255.255 192.168.0.1 metric 1

http://forums.whirlpool.net.au/archive/1037087, accessed just now.

一桥轻雨一伞开 2024-11-11 11:48:43

You can view loopback traffic live in Wireshark by having it read RawCap's output instantly. cmaynard describes this ingenious approach at the Wireshark forums. I will cite it here:

[...] if you want to view live traffic in Wireshark, you can still do it by running RawCap from one command-line and running Wireshark from another. Assuming you have cygwin's tail available, this could be accomplished using something like so:

cmd1: RawCap.exe -f 127.0.0.1 dumpfile.pcap

cmd2: tail -c +0 -f dumpfile.pcap | Wireshark.exe -k -i -

It requires cygwin's tail, and I could not find a way to do this with Windows' out-of-the-box tools. His approach works very well for me and allows me to use all of Wireshark's filter capabilities on captured loopback traffic live.

丶情人眼里出诗心の 2024-11-11 11:48:43

Please try Npcap: https://github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (http://nmap.org/), so please report any issues on Nmap's development list (http://seclists.org/nmap-dev/).

硬不硬你别怂 2024-11-11 11:48:43

For Windows,

You cannot capture packets for the local loopback in Wireshark; however, you can use a very tiny but useful program called RawCap.

RawCap

Run RawCap on the command prompt and select the Loopback Pseudo-Interface (127.0.0.1), then just write the name of the packet capture file (.pcap).

A simple demo is as below;

C:\Users\Levent\Desktop\rawcap>rawcap
Interfaces:
 0.     169.254.125.51  Local Area Connection* 12       Wireless80211
 1.     192.168.2.254   Wi-Fi   Wireless80211
 2.     169.254.214.165 Ethernet        Ethernet
 3.     192.168.56.1    VirtualBox Host-Only Network    Ethernet
 4.     127.0.0.1       Loopback Pseudo-Interface 1     Loopback
Select interface to sniff [default '0']: 4
Output path or filename [default 'dumpfile.pcap']: test.pcap
Sniffing IP : 127.0.0.1
File        : test.pcap
Packets     : 48^C

梦屿孤独相伴 2024-11-11 11:48:43

You cannot capture loopback on Solaris, HP-UX, or Windows, however you can very easily work around this limitation by using a tool like RawCap.

RawCap can capture raw packets on any IP including 127.0.0.1 (localhost/loopback). RawCap can also generate a pcap file. You can open and analyze the pcap file with Wireshark.

See here for full details on how to monitor localhost using RawCap and Wireshark.

↘人皮目录ツ 2024-11-11 11:48:43

Yes, you can monitor the localhost traffic using the Npcap Loopback Adapter

孤独难免 2024-11-11 11:48:42

If you're using Windows it's not possible - read below. You can use the local address of your machine instead and then you'll be able to capture stuff. See CaptureSetup/Loopback.

Summary: you can capture on the loopback interface on Linux, on various BSDs including Mac OS X, and on Digital/Tru64 UNIX, and you might be able to do it on Irix and AIX, but you definitely cannot do so on Solaris, HP-UX....

Although the page mentions that this is not possible on Windows using Wireshark alone, you can actually record it using a workaround as mentioned in a different answer.

EDIT: Some 3 years later, this answer is no longer completely correct. The linked page contains instructions for capturing on the loopback interface.

寻找我们的幸福 2024-11-11 11:48:42

For some reason, none of the previous answers worked in my case, so I'll post something that did the trick. There is a little jewel called RawCap that can capture localhost traffic on Windows. Advantages:

  • only 17 kB!
  • no external libraries needed
  • extremely simple to use (just start it, choose the loopback interface and destination file and that's all)

After the traffic has been captured, you can open it and examine it in Wireshark normally. The only disadvantage that I found is that you cannot set filters, i.e. you have to capture all localhost traffic, which can be heavy. There is also one bug regarding Windows XP SP 3.

A few more pieces of advice:

  • Wireshark wiki: http://wiki.wireshark.org/CaptureSetup/Loopback
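The RawCap limitation mentioned above (no capture filter, so everything on loopback lands in the file) can be handled after the fact. As an added example, not code from any of the answers or from RawCap itself, the Python below builds a constructed raw-IP pcap image of three localhost TCP packets, then parses it and filters by port; it assumes the capture uses pcap link type 101 (raw IPv4, no Ethernet header) and decodes IPv4/TCP only.

```python
import struct

LINKTYPE_RAW = 101  # pcap link type: each record starts directly with the IP header (assumed here)

def build_pcap(packets, linktype=LINKTYPE_RAW):
    """Serialise raw packets into a classic little-endian pcap file image (constructed sample)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, pkt in enumerate(packets):
        # record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Constructed IPv4/TCP packet; checksums are left zero, which is fine for a parsing demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def parse_pcap(data):
    """Yield (src, dst, sport, dport, payload) for each IPv4/TCP packet in a raw-IP pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the writer
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_RAW:
        raise ValueError(f"expected raw-IP pcap, got link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if pkt[0] >> 4 != 4 or pkt[9] != 6:
            continue  # only IPv4 carrying TCP (protocol 6) is decoded
        ihl = (pkt[0] & 0x0F) * 4
        src = ".".join(map(str, pkt[12:16]))
        dst = ".".join(map(str, pkt[16:20]))
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        doff = (pkt[ihl + 12] >> 4) * 4
        yield src, dst, sport, dport, pkt[ihl + doff:]

def filter_by_port(data, port):
    """Keep only packets where the given port is source or destination (post-capture filter)."""
    return [p for p in parse_pcap(data) if port in (p[2], p[3])]

# Constructed sample: an HTTP exchange on 8080 and one PostgreSQL startup packet on 5432.
SAMPLE = build_pcap([
    ipv4_tcp("127.0.0.1", "127.0.0.1", 51000, 8080, b"GET / HTTP/1.1\r\n"),
    ipv4_tcp("127.0.0.1", "127.0.0.1", 8080, 51000, b"HTTP/1.1 200 OK\r\n"),
    ipv4_tcp("127.0.0.1", "127.0.0.1", 51001, 5432, b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),
])
```

To apply the same filter to a real RawCap file, read its bytes and pass them to filter_by_port; a pcap with a different link type raises ValueError instead of silently misparsing.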