[Winpcap-users] Monitoring network traffic between two processes onthe same host?

Fish fish at infidels.org
Sat Jun 7 12:51:13 GMT 2008

Hash: SHA1

Brockus, David P. wrote:

> Hello,
> Is there a way to use WinPcap to monitor network traffic between 
> two processes on the same host?  

I seriously doubt it.

As Richard Horton explained in his response since the intended
recipient is on the same host there's no need to send it out the NIC.
Thus WinPCap will never see it. (Most likely Windows simply hands the
o/p packet from the one process off to another part of its TCP/IP
logic such that it then gets inserted into the i/p queue of the other


You *might* wish to investigate Layered Service Provider (LSP):


   "LSPs work by intercepting Winsock 2 commands before they
    are processed by ws2_32.dll, they can modify the commands,
    drop a command, or just log the data which makes them a
    powerful tool for: Network filters, Network interceptors,
    and stream based sniffers."

I've personally used LSP in the past to provide transparent proxying
support for one of my products and it's not really that tough. About
the only thing you have to be careful with, as I recall, is the
actual updating of the Winsock "Catalog" in order to "install"
("register") your code as a new Layered Service Provider. That's
*critical*. If you screw it up your TCP/IP stack is essentially

There's a sample in the DDK (now called WDK? Windows Driver Kit?) I
believe (or at least there *used to be anyway!), which should be easy
enough to modify to do whatever you need to do. In fact, as I recall,
it is essentially *exactly* the thing you're looking for from the
sounds of it: it was purposely designed (the sample that is) to log
all Winsock calls (sort of like a "Spy++" for Windows Sockets). All
you should need to do is change the "logging" logic to suit your own
needs. <shrug>

Hope that helps.

- -- 
"Fish" (David B. Trout) - fish(at)infidels.org
Fight Spam! Join CAUCE! <http://www.cauce.org/>
(Any HTML email received will be deleted unread)
PGP key fingerprints:
RSA: 6B37 7110 7201 9917 9B0D 99E3 55DB 5D58 FADE 4A52
DH/DSS: 9F9B BAB0 BA7F C458 1A89 FE26 48F5 D7F4 C4EE 3E2A

Version: PGP 8.1


More information about the Winpcap-users mailing list