本文介绍如何在Windows平台上利用Wireshark结合npcap插件实现本地环回接口的网络数据包捕获,通过添加路由配置来捕捉不同进程或端口间的通信数据。
用wireshark抓不同进程或不同端口之间的包主要是没有经过网卡,可以通过添加一个路由,制造本地环路实现。
windows平台上的wireshark不支持抓取本地环路的包,需要插件配合,但不是winpcap,而是npcap
Supported Platforms
Windows
Starting from Windows Vista: Npcap
1) NDIS 6 Support
2) "Admin-only Mode" Support
3) "WinPcap Compatible Mode" Support
4) Loopback Packets Capture and Send Support (either as fake Ethernet or Null/Loopback frames)
5) Raw 802.11 packets Capture Support (in "monitor mode")
When installed on Windows Vista or later (including Win7, Win8 and Win10) with option "Support loopback traffic ("Npcap Loopback Adapter" will be created)" selected, it will create anNpcap Loopback Adapter that can be selected in Wireshark so as to capture IPv4/IPv6 loopback traffic.
See CaptureSetup/NetworkMedia for Wireshark capturing support on various platforms. Summary: you can capture on the loopback interface on Linux, on various BSDs including Mac OS X, and on Digital/Tru64 UNIX, and youmight be able to do it on Irix and AIX, but you definitely cannot do so on Solaris, HP-UX, or Windows.
Npcap is an update of WinPcap using NDIS 6 Light-Weight Filter (LWF), done by Yang Luo for Nmap project during Google Summer of Code 2013 and 2015. Npcap has added many features compared to the legacyWinPcap.
具体操作步骤:
1.先卸载wireshark包括winpcap,或者只卸载winpcap
2.到https://nmap.org/npcap/下载npcap安装最新(0.9.4)版本, 源码在https://github.com/nmap/npcap/releases
3.添加本地环路
win32控制台(大多数认为的dos窗口)输入
route add 172.16.35.77 mask 255.255.255.255 172.16.32.1 metric 1
添加后重启将会消失。如果需要永久使用似乎需要使用 在route add时添加-p选项,具体请查看route命令具体操作说明。
下面这条是删除本地环路的,不再需要抓包时可以执行该操作。
route delete 172.16.35.77 mask 255.255.255.255 172.16.32.1 metric 1
4.重新启动wireshark就会看见捕获列表中 Npcap Loopback Adapter的捕获对象。双击即可捕获两个进程间的网络包。
route print查看当前所有路由列表。
route -f 删除所有额外路由。
删除之后重新启动可能IP网关需要重新设置IP和网关。
wireshark说明文档中文版见 https://wenku.baidu.com/view/2a892abac77da26925c5b051.html
route相关操作见 http://blog.youkuaiyun.com/lanmenghcc/article/details/41344429
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
