Sunday, March 29, 2009

Capture traffic between a server and a client application residing on localhost

Loopback capture setup

Interesting/useful post:
Wireshark does not capture localhost traffic because it does not reach the
miniport level as Wireshark uses NDIS IM filter driver.
This is done to avoid useless overhead. If you want to capture this data,
try to get sniffers which operate at user mode level, or a TDI level at
kernel mode. You can have a try with TDIMon, TDIScoupe, but they just show
IRPs and not the data. I don't know any good TDI level sniffer, probably you
should search for good LSPs based solutions.
(http://groups.google.com/group/microsoft.public.win32.programmer.networks/browse_thread/thread/fe5d3b56e41baa5a/69f2b78e6b37367c?lnk=raot)

Solution:
Wireshark can't actually capture local packets on Windows XP due to the nature of the Windows TCP stack. When packets are sent and received on the same machine they don't seem to cross the network boundary that Wireshark monitors.

However, there is a way around this: you can route the local traffic out via your network gateway (router) by setting up a (temporary) static route on your Windows XP machine.

Say your XP IP address is 192.168.0.2 and your gateway (router) address is 192.168.0.1; you could run the following command from the Windows XP command line to force all local traffic out and back across the network boundary, so Wireshark could then track the data (note that Wireshark will report packets twice in this scenario, once when they leave your PC and once when they return).

route add 192.168.0.2 mask 255.255.255.255 192.168.0.1 metric 1
(http://forums.whirlpool.net.au/forum-replies-archive.cfm/1037087.html)
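As an added example (not code from either quoted post), a small Python script that collapses the doubled frames the note above warns about. It assumes the capture was exported with tshark -T fields in the column order listed in FIELDS, and that the packet makes a single hop to the router and back, so the returning copy has its TTL decremented once.

```python
# Added example (not from either quoted post): collapse the doubled frames
# Wireshark shows when localhost traffic is bounced off the gateway. Input is
# constructed tab-separated text shaped like `tshark -T fields` output with
# the columns listed in FIELDS (that export command is an assumption here).
from collections import OrderedDict

FIELDS = ("frame.number", "ip.src", "ip.dst", "ip.id", "ip.ttl",
          "tcp.srcport", "tcp.dstport", "tcp.seq")

# Constructed sample: three packets, each seen twice (leaving the PC with
# TTL 128, then returning from the router with TTL decremented to 127).
SAMPLE_TSV = """\
1\t192.168.0.2\t192.168.0.2\t0x1a2b\t128\t50123\t8080\t1
2\t192.168.0.2\t192.168.0.2\t0x1a2b\t127\t50123\t8080\t1
3\t192.168.0.2\t192.168.0.2\t0x1a2c\t128\t8080\t50123\t1
4\t192.168.0.2\t192.168.0.2\t0x1a2c\t127\t8080\t50123\t1
5\t192.168.0.2\t192.168.0.2\t0x1a2d\t128\t50123\t8080\t2
6\t192.168.0.2\t192.168.0.2\t0x1a2d\t127\t50123\t8080\t2
"""


def parse_frames(tsv):
    """Turn the tab-separated export into a list of dicts keyed by FIELDS."""
    frames = []
    for line in tsv.splitlines():
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            continue  # skip blank or malformed lines
        rec = dict(zip(FIELDS, cols))
        rec["frame.number"] = int(rec["frame.number"])
        rec["ip.id"] = int(rec["ip.id"], 16)  # ip.id is exported as hex here
        rec["ip.ttl"] = int(rec["ip.ttl"])
        frames.append(rec)
    return frames


def dedupe_bounced(frames):
    """Keep one frame per packet. Copies of the same packet share addresses,
    IP id, ports and TCP seq; the copy with the higher TTL is the outbound
    one (assumes a single hop to the router, which decrements TTL once)."""
    best = OrderedDict()
    for f in frames:
        key = tuple(f[k] for k in ("ip.src", "ip.dst", "ip.id",
                                   "tcp.srcport", "tcp.dstport", "tcp.seq"))
        if key not in best or f["ip.ttl"] > best[key]["ip.ttl"]:
            best[key] = f
    return list(best.values())


if __name__ == "__main__":
    kept = dedupe_bounced(parse_frames(SAMPLE_TSV))
    print([f["frame.number"] for f in kept])  # [1, 3, 5]
```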
