Under Windows XP, SP 3, is it possible to forward loopback packets to a physical network card?
This is one of many attempts I'm making at being able to sniff loopback traffic. The best-looking lead I have so far is to use RawCap, but it's just not grabbing the packets for some unknown reason (I have another post on this topic).
Also, I'll note that Windows Loopback Adapter (WLA) is not a solution for me. The traffic I'm trying to catch is on 127.0.0.1. WLA requires an address other than 127.0.0.1 be used.
Thanks,
Dave
I think you can set any IP that you want to microsoft loopback adapter.
You can use Wireshark / winpcap and monitor the loopback adapter itself.
Related
When I'm connected via cable to the building's network socket I can see all other computers in the network.
Now I introduced a router and can only see computers in the router's sub-network. Is there something I can do to be able to see other computers in the network to which now router is directly connected?
I disabled firewall on the router.
Cheers
Router is a Layer 3 device for routing network traffic between networks. But not broadcast by default. So you can see only PCs in your subnet. Because broadcast is allowed. So you have to find a solution how to allow the broadcast traffic in your router. If it not possible you can't get what you want by simple solution.
I am a developer of WinPcap, a famous packet capturing and sending software under Windows. I have ported WinPcap to NDIS 6 Light-Weight Filter technique, but it still doesn't support loopback packets (such as packets sent to and received from 127.0.0.1) capturing because of Windows' nature: The loopback packets are handled directly in TCP/IP stack and don't go down to NDIS layer.
Someone told me that Windows Filtering Platform can see the loopback traffic, so I have done some research about it. I have several questions about this.
1) What are actually loopback packets? I mean the packets NDIS can't see? Like when I ping 127.0.0.1, these ICMP packets are definitely loopback ones. When I ping an address that a local network adapter has bound to (like 192.168.0.24), it is also loopback I think. Are these all conditions? If yes, then I can filter out which packets are loopback ones based on whether their local IPs are 127.0.0.1 or local adapter IPs (like 192.168.0.24).
2) I learnt that WFP has many layers, I think my requirement should use the "IP Packet (Network Layer)", I wonder that can WFP Network Layer captures all loopback packets inbound and outbound?
3) I don't know if the loopback packets captured by WFP will have an Ethernet header? If not, then I think I should manually add Ethernet header to the packet prefix before sending them to user mode, as WinPcap is an ethernet-level packet capture software and many software using WinPcap (like Wireshark) will by default parse the packets from Ethernet layer. However, I think I will let the whole Ethernet header to be all-0, as there's actually no Ethernet header in fact.
Thanks and appreciated for your help!
Is it possible that set a proxy for windows (7) and all packets go Through the proxy server ? I mean all packets even ARP packets !
Sure it is take a look at arp spoofing/poisoning basically arp protocol works by machine saying this is my IP address and the router takes note and forwards any packets with this IP to that machine (Mac Address). SO basically you have to send out the arp messages at a faster rate tricking the router that messages should be bound to your machine and not the actual mac address that IP should belong to.
just to note (arp is a LAN protocol) so if your proxy is not within the the subnet as the machine your presumably attacking their is no way you can get these packets
Is there a way to find out the IP address of a device that is directly connected to a specific ethernet interface? I.e. given one host, one wired ethernet connection and one second host connected to this wired connection, which layer or protocol below IP could be used to find this out.
I would also be comfortable with a Windows-only solution using some Windows-API function or callback.
(I know that the real way to do this would probably via DHCP, but this is about discovering a legacy device.)
Mmh ... there are many ways.
I answer another network discovery question, and I write a little getting started.
Some tcpip stacks reply to icmp broadcasts.
So you can try a PING to your network broadcast address.
For example, you have ip 192.168.1.1 and subnet 255.255.255.0
ping 192.168.1.255
stop the ping after 5 seconds
watch the devices replies : arp -a
Note : on step 3. you get the lists of the MAC-to-IP cached entries, so there are also the hosts in your subnet you exchange data to in the last minutes, even if they don't reply to icmp_get.
Note (2) : now I am on linux. I am not sure, but it can be windows doesn't reply to icm_get via broadcast.
Is it the only one device attached to your pc ?
Is it a router or another simple pc ?
To use DHCP, you'd have to run a DHCP server on the primary and a client on the secondary; the primary could then query the server to find out what address it handed out. Probably overkill.
I can't help you with Windows directly. On Unix, the "arp" command will tell you what IP addresses are known to be attached to the local ethernet segment. Windows will have this same information (since it's a core part of the IP/Ethernet interface) but I don't know how you get at it.
Of course, the networking stack will only know about the other host if it has previously seen traffic from it. You may have to first send a broadcast packet on the interface to elicit some sort of response and thus populate the local ARP table.
Windows 7 has the arp command within it.
arp -a should show you the static and dynamic type interfaces connected to your system.
Your Best Approach is to install Wireshark, reboot the device wait for the TCP/UDP stream , broadcasts will announce the IP address for both Ethernet ports
This is especially useful when the device connected does not have DHCP Client enabled, then you can go from there.
You can also get information from directly connected networking devices, such as network switches with LDWin, a portable and free Windows program published on github:
http://www.sysadmit.com/2016/11/windows-como-saber-la-ip-del-switch-al-que-estoy-conectado.html
LDWin supports the following methods of link discovery: CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol).
You can obtain the model, management IP, VLAN identifier, Port identifier, firmware version, etc.
I recently turned on Windows Firewall logging on my computer and started tracking incoming and outgoing connections. Something curious about the logfiles is that I have noticed numerous UDP packets (in fact, it constitutes basically all of my incoming traffic) that don't have my host as destination or source showing up in the logs.
I thought this might be a implementation detail for UDP (the packets are hopping over my computer in the subnet) but Wikipedia'ing UDP didn't enlighten me any more, and I don't see why my computer should be forwarding these packets in the first place.
Any ideas?
Edit 1: Here is what a log file line with the mysterious UDP packet looks like:
2008-10-11 16:04:31 ALLOW UDP 18.243.7.218 239.255.255.250 49152 3702 0 - - - - - - - RECEIVE
Is 239.255.255.250 a broadcast address? Now that you mention it, the UDP packets I'm seeing have very specific destinations, basically 224.0.0.252, 239.255.255.250, 18.243.255.255. I also get phantom ICMP pings addressed to 224.0.0.1.
The packets addressed to IPs starting with 239 and 224 are multicast packets. This is a way to address traffic to a group of computers without broadcasting it to an entire network. It is used by various legitimate protocols.
224.0.0.252 is the address used by the Link Local Name Resolution protocol.
239.255.255.250 is the address used by the Simple Service Discovery Protocol.
224.0.0.1 is the all hosts address, used by your router to see who on your network is willing to participate in multicast conversations.
The ones addressed to 18.243.255.255 look like broadcasts, again this is used by many legitimate protocols such as Bonjour.
As recommended by Luka, a good protocol analyzer like Wireshark will tell you precisely what each of these packets are and what they contain.
It depends on the type of connection you are on.
On most cable modem ISP's you are basicly on the same LAN as your neigburs, and can usualy see some of their traffic (like brodcast).
Id recomend you install packet sniffer and see what is realy going on.
Good multiplatform packet sniffer is Wireshark
Hard to say without analyzing the log data, but they could be broadcast packets on the segment, in which case you're system would listen to them. This is possible in IPv4 and IPv6.
Your system should not be forwarding them unless it's set up to route, but it can certainly be listening to packets all the time (various network protocols use UDP).