How to capture local loopback packets on Windows
When developing network code we often run both the client and the server on the same machine to debug, so the host talks to itself. Wireshark cannot capture these packets out of the box; a small configuration change is needed. The method is as follows:

①: Run cmd as administrator.
②: route add <local-ip> mask 255.255.255.255 <gateway-ip>, for example:

    route add 172.16.51.115 mask 255.255.255.255 172.16.1.1 metric 1

When you are done, remove the route with

    route delete 172.16.51.115 mask 255.255.255.255 172.16.1.1 metric 1

otherwise every packet the host sends to itself goes out through the NIC, makes a round trip and comes back, which costs a lot of performance.

With the route in place, Wireshark can capture the host's traffic with itself. This works because packets addressed to the local IP are now sent to the gateway, and Wireshark can capture the packets as they pass through the NIC driver.

The same pair of commands for another local address, 172.16.50.189:

    route add 172.16.50.189 mask 255.255.255.255 172.16.1.1 metric 1
    route delete 172.16.50.189 mask 255.255.255.255 172.16.1.1 metric 1
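The procedure above as a small helper script, added here and not part of the original post: it builds the route add/delete commands, refuses 127.0.0.0/8 addresses (the route trick does not help there, see point 1 below), and removes the route in a finally block so the performance problem from a forgotten route cannot occur. Assumes Windows, an elevated prompt, and dumpcap (installed with Wireshark) on PATH; the addresses are the ones from the post.

```python
"""Capture this host's traffic with itself by temporarily routing the
local address via the gateway. Added example, not the post's own code."""
import ipaddress
import subprocess

HOST_MASK = "255.255.255.255"  # /32 host route, as in the post


def build_route_commands(host_ip: str, gateway_ip: str, metric: int = 1):
    """Return the (add, delete) command lines for the host route.

    Rejects 127.0.0.0/8: Windows has no loopback interface the driver can
    see, so the route trick only works for the NIC's own address.
    """
    host = ipaddress.IPv4Address(host_ip)
    gateway = ipaddress.IPv4Address(gateway_ip)
    if host.is_loopback:
        raise ValueError("127.0.0.0/8 is not routed via the NIC; use RawCap")
    if host == gateway:
        raise ValueError("host and gateway must differ")
    tail = f"{host} mask {HOST_MASK} {gateway} metric {metric}"
    return f"route add {tail}", f"route delete {tail}"


def capture_with_temp_route(host_ip, gateway_ip, interface, out_file, seconds=30):
    """Add the route, run dumpcap for `seconds`, always delete the route."""
    add_cmd, del_cmd = build_route_commands(host_ip, gateway_ip)
    subprocess.run(add_cmd.split(), check=True)  # needs an elevated prompt
    try:
        # dumpcap: -i interface, -a duration:N stops by itself, -f capture
        # filter limits the file to the local address, -w output file
        subprocess.run(
            ["dumpcap", "-i", interface, "-a", f"duration:{seconds}",
             "-f", f"host {host_ip}", "-w", out_file],
            check=True,
        )
    finally:
        # Without this every packet to the local address keeps taking the
        # detour through the NIC and gateway that the post warns about.
        subprocess.run(del_cmd.split(), check=True)


if __name__ == "__main__":
    # Interface "1" is a placeholder; list yours with: dumpcap -D
    capture_with_temp_route("172.16.51.115", "172.16.1.1", "1", "self.pcapng")
```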
1. Wireshark cannot capture packets on the local loopback interface 127.0.0.1:
The Windows TCP/IP stack does not implement a network loopback interface, as found in other TCP/IP stacks like the lo* interfaces in BSD systems.
Thus, it is not possible to sniff that traffic using the typical Windows packet capture driver, WinPcap.
http://wiki.wireshark.org/CaptureSetup/Loopback
http://www.hsc.fr/ressources/articles/win_net_srv/missing_loopback.html
2. The RawCap tool can capture data on the local loopback interface 127.0.0.1:
Sniffing tools like dumpcap, WinDump and NMCap can unfortunately not be used since no WinPcap or NDIS driver is installed. RawCap does, however, not need any special driver installed since it makes use of the Raw Sockets functionality built into Windows. Pen-testers can therefore run RawCap.exe to sniff traffic without installing any drivers.