[Winpcap-users] Monitoring network traffic between two processes on the same host?

Fish fish at infidels.org
Sat Jun 7 12:51:13 GMT 2008



Brockus, David P. wrote:

> Hello,
> 
> Is there a way to use WinPcap to monitor network traffic between 
> two processes on the same host?  
<snip>

I seriously doubt it.

As Richard Horton explained in his response, since the intended
recipient is on the same host there's no need to send it out the NIC.
Thus WinPCap will never see it. (Most likely Windows simply hands the
o/p packet from the one process off to another part of its TCP/IP
logic such that it then gets inserted into the i/p queue of the other
process.)

HOWEVER...

You *might* wish to investigate Layered Service Provider (LSP):

   http://en.wikipedia.org/wiki/Layered_Service_Provider

   "LSPs work by intercepting Winsock 2 commands before they
    are processed by ws2_32.dll, they can modify the commands,
    drop a command, or just log the data which makes them a
    powerful tool for: Network filters, Network interceptors,
    and stream based sniffers."

I've personally used LSP in the past to provide transparent proxying
support for one of my products and it's not really that tough. About
the only thing you have to be careful with, as I recall, is the
actual updating of the Winsock "Catalog" in order to "install"
("register") your code as a new Layered Service Provider. That's
*critical*. If you screw it up your TCP/IP stack is essentially
hosed.

There's a sample in the DDK (now called WDK? Windows Driver Kit?) I
believe (or at least there *used to be anyway!), which should be easy
enough to modify to do whatever you need to do. In fact, as I recall,
it is essentially *exactly* the thing you're looking for from the
sounds of it: it was purposely designed (the sample that is) to log
all Winsock calls (sort of like a "Spy++" for Windows Sockets). All
you should need to do is change the "logging" logic to suit your own
needs. <shrug>

Hope that helps.

-- 
"Fish" (David B. Trout) - fish(at)infidels.org
Fight Spam! Join CAUCE! <http://www.cauce.org/>
(Any HTML email received will be deleted unread)
PGP key fingerprints:
RSA: 6B37 7110 7201 9917 9B0D 99E3 55DB 5D58 FADE 4A52
DH/DSS: 9F9B BAB0 BA7F C458 1A89 FE26 48F5 D7F4 C4EE 3E2A
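Added example, not part of this thread: the catalog registration Fish warns about above is also the place a defender checks, because whatever is registered there sits between every Winsock application and the base TCP/IP provider. The script below parses the output of the Windows command `netsh winsock show catalog` and lists every non-base entry (LSPs and the chains that layer them); the sample output embedded here is constructed, with made-up LSP entries next to the stock MSAFD base provider.

```python
import re

# Constructed, abridged sample of `netsh winsock show catalog` output, not
# captured from a real host: field names follow the real output, the LSP
# values are made up, only the MSAFD base provider is a stock entry.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Logging LSP
Provider Path:                      C:\\Tools\\loglsp.dll
Catalog Entry ID:                   1020

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Logging LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\\Tools\\loglsp.dll
Catalog Entry ID:                   1021
"""

# "Field name:   value" lines; the key stops at the first colon, so values
# such as C:\Tools\loglsp.dll are kept whole.
FIELD = re.compile(r"^([A-Za-z ]+):\s+(.*)$")

def parse_catalog(text):
    """Turn the netsh text into one dict of fields per catalog entry."""
    entries = []
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            entries.append({})
        elif entries and (m := FIELD.match(line)):
            entries[-1][m.group(1).strip()] = m.group(2).strip()
    return entries

def find_layered_providers(text):
    """(entry id, description, DLL path) for every entry that is not a base
    provider, i.e. the LSPs and the chains that put them in the socket path."""
    return [(int(e["Catalog Entry ID"]), e["Description"], e["Provider Path"])
            for e in parse_catalog(text)
            if e.get("Entry Type") != "Base Service Provider"]

if __name__ == "__main__":
    for entry_id, desc, path in find_layered_providers(SAMPLE_CATALOG):
        print(f"{entry_id}: {desc} -> {path}")
```

On a real host, feed it the saved output of `netsh winsock show catalog` instead of the sample and compare the DLL paths against what you expect to be installed.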

