joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Using a network monitor to “sniff” traffic sent to/from the local machine…

by @ 12:50 am on 8/21/2006. Filed under tech

Occasionally you want to sniff some network traffic but the traffic is all local and you find that the network sniffer doesn’t show anything. This is because the traffic doesn’t make it out to the capture drivers, it is redirected internally before it gets that far.

I am working on testing AdMod right now with ADAM on the local machine and sure enough I wanted to see what the actual traffic was so I dug through my old notes on how I accomplished this before. Then I whipped up a perl script to configure it automatically for me on a single IP machine.

The basic concept is to force all of the local traffic out through the network interface. You can do this by changing the routing table for the packets. Specifically, you need to add a new entry for the local IP address with a 32-bit subnet mask directing the traffic to the default gateway with a lower metric than the entry directing the traffic to 127.0.0.1.

Ok… so specifics. Here is the default routing table of my current machine (yes the formatting sucks)

F:\Dev\Perl\SniffLocal>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0b db 98 aa e7 ...... Broadcom 440x 10/100 Integrated Controller
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.2    192.168.0.106     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.0.0    255.255.255.0    192.168.0.106    192.168.0.106     20
    192.168.0.106  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.0.255  255.255.255.255    192.168.0.106    192.168.0.106     20
        224.0.0.0        240.0.0.0    192.168.0.106    192.168.0.106     20
  255.255.255.255  255.255.255.255    192.168.0.106    192.168.0.106      1
Default Gateway:       192.168.0.2
===========================================================================
Persistent Routes:
  None


You will note the entry

    192.168.0.106  255.255.255.255        127.0.0.1        127.0.0.1     20

That keeps the traffic sent to 192.168.0.106 local. I just add an additional entry with the command

route add 192.168.0.106 MASK 255.255.255.255 192.168.0.2 metric 10

Which results in a new table of

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0b db 98 aa e7 ...... Broadcom 440x 10/100 Integrated Controller
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.2    192.168.0.106     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.0.0    255.255.255.0    192.168.0.106    192.168.0.106     20
    192.168.0.106  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.0.106  255.255.255.255      192.168.0.2    192.168.0.106     10
    192.168.0.255  255.255.255.255    192.168.0.106    192.168.0.106     20
        224.0.0.0        240.0.0.0    192.168.0.106    192.168.0.106     20
  255.255.255.255  255.255.255.255    192.168.0.106    192.168.0.106      1
Default Gateway:       192.168.0.2
===========================================================================
Persistent Routes:
  None
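To make the "longest mask first, then lowest metric" rule behind the two tables above concrete, here is an added example (not code from this post, and nothing to do with AdMod or ADAM) that parses the Active Routes section of `route print` output and reports which entry wins for a given destination. The two captures embedded in it are copied from the tables above; the parsing and selection logic is mine and assumes the XP-era column layout shown on this page.

```python
"""Route selection on a Windows host, worked on the tables from this post.

Added example, not code from the joeware post or from AdMod/ADAM. It parses the
Active Routes section of `route print` output (the two captures below are copied
from the post), applies the rule the post relies on (longest netmask wins, then
the lowest metric breaks the tie) and reports whether a packet addressed to the
host's own IP stays on the loopback path or is handed to the gateway.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


# One Active Routes line: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> List[Route]:
    """Return the Active Routes entries from `route print` output."""
    routes: List[Route] = []
    in_active = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if line.startswith(("Default Gateway:", "Persistent Routes:")):
            in_active = False
            continue
        if not in_active:
            continue
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gw, iface, int(metric)))
    return routes


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; lowest metric among equal-length matches."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def local_traffic_leaves_host(routes: List[Route], local_ip: str) -> bool:
    """True when traffic to the host's own address is sent to a real gateway."""
    chosen = select_route(routes, local_ip)
    return chosen is not None and chosen.gateway != "127.0.0.1"


# Captures from the post: before and after `route add ... metric 10`.
BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.2    192.168.0.106     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.0.0    255.255.255.0    192.168.0.106    192.168.0.106     20
    192.168.0.106  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.0.255  255.255.255.255    192.168.0.106    192.168.0.106     20
        224.0.0.0        240.0.0.0    192.168.0.106    192.168.0.106     20
  255.255.255.255  255.255.255.255    192.168.0.106    192.168.0.106      1
Default Gateway:       192.168.0.2
"""
AFTER = BEFORE.replace(
    "    192.168.0.106  255.255.255.255        127.0.0.1        127.0.0.1     20\n",
    "    192.168.0.106  255.255.255.255        127.0.0.1        127.0.0.1     20\n"
    "    192.168.0.106  255.255.255.255      192.168.0.2    192.168.0.106     10\n",
)

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        r = select_route(parse_route_print(table), "192.168.0.106")
        print(f"{label}: next hop {r.gateway} via {r.interface} (metric {r.metric})")
```

Two things worth keeping in mind when you use the trick itself: the added entry is not persistent (no `-p`), so it goes away at reboot, and you can take it out earlier with `route delete 192.168.0.106 mask 255.255.255.255 192.168.0.2`. Also, once the route is in place the "local" traffic really does cross the wire to the router and back, so it is visible to anything else capturing on that segment; treat a test that carries credentials accordingly.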


Here is some perl code to do it all automagically

use strict;
use warnings;

print "\nSniffLocal V01.00.00pl Joe Richards (joe\@joeware.net) August 2006\n\n";

# Pull the first IP address and default gateway out of ipconfig output.
# XP prints "IP Address"; newer Windows versions print "IPv4 Address".
my @out = `ipconfig`;
my @ipa = grep(/IP(?:v4)? Address.+/, @out);
my @gwa = grep(/Default Gateway.+/, @out);

my ($ip) = (@ipa ? $ipa[0] : '') =~ /: (.+)/;
my ($gw) = (@gwa ? $gwa[0] : '') =~ /: (.+)/;

die "No IP address found in ipconfig output\n"      unless defined $ip;
die "No default gateway found in ipconfig output\n" unless defined $gw and $gw =~ /\S/;

# Strip trailing whitespace/CR instead of chop, which would eat the last
# digit of the address if there is no trailing character to remove.
$ip =~ s/\s+$//;
$gw =~ s/\s+$//;
$ip =~ s/\(.*\)//;    # newer ipconfig appends "(Preferred)" to the address

print "IP Address     : $ip\n";
print "Gateway Address: $gw\n";

# /32 route for our own address via the gateway, metric 10 so it beats the
# built-in 127.0.0.1 entry (metric 20). Needs an administrative prompt.
my $routemod = "route add $ip MASK 255.255.255.255 $gw metric 10";

print "\nCurrent Routing Table\n";
print `route print`;
print "Route Modification Command: $routemod\n";
print "Route Modification Output:\n";
print `$routemod 2>&1`;
print "\nNew Routing Table\n";
print `route print`;

print "\n";

So now any traffic the local machine sends to the local IP address will get redirected out to the router. What won’t get routed is anything sent to localhost, 127.0.0.1, or the machine’s name (since it will get resolved to localhost). For those you can add entries to the hosts file that force those names to the machine’s IP address, and that traffic should get redirected as well.

I don’t recall when I first started doing this but it has worked for years for me. I am sure it may help at least one of you (y’all) as well.

joe  


3 Responses to “Using a network monitor to “sniff” traffic sent to/from the local machine…”

  1. Fred says:

    Good to know, Joe, thanks. Come to think of it, I don’t know what the default behaviour is for *nix boxes. Something to find out. Nice.

  2. mark says:

    Joe, this is extremely helpful. Thanks!!

  3. joe says:

    You are welcome. 🙂
