Does someone know about a CPAN module on Win32 that captures network packets and edit them on the fly? As far as I know, the only Perl module on Win32 that deals with packets on the fly is Net::Pcap but it only support passive monitoring and not affet the TCP/IP stack.
Is there a such module could someone provide example /reference /documentation ?
As far as I know, libpcap allows you to read copies of incoming and outgoing packets, and some implementations allow you to inject a raw packet, but not rewrite a packet. You would basically have to drop the original packet (something libpcap cannot do) and then inject a new one in it's place.
Firewall apps that allow you to filter incoming and outgoing packets might be able to do something like this. However, since you're talking about Perl and Win32 your options are probably limited.
I think right answer is "implement proxy for this".
If it works in your scenario, try to implement proxy server. Listen on same port as your target service does and read all incoming traffic. If you need modification of packet, do it and pass all traffic to target service. Of course you have to implement both directions.
You can search for basic TCP deamon snippet in perl or maybe you can implement just module for existing proxy server for your service. Is it HTTP or what kind of traffic you need to handle?
I would suggest using Net::Pcap to capture traffic, then the Cygwin port of TCPReplay to modify and replay the traffic. Obviously a Linux setup would be more reliable since TCPreplay would work on it out of the box without requiring cygwin.
Related
I've been trying to create a proxy server to analyze TCP packages sent between my computer and a game server.
Now I know that you can do this kind of stuff with Wireshark, but I want to understand the logic of it and how the connections are made.
My main question is that I don't know where to start from. I have the server IP and port from Process Explorer and have the basic socket programming knowledge in python, but as I said, I don't know what to code.
Am I supposed to write a socket that hijacks the incoming TCP connection and forward it to my localhost? but then how would my client send data to server?
As you can see, I'm a bit lost, and I would be very happy if someone could put me in a correct path (what should I research?).
Thank you in advance.
I think there is a useful tools can help you: iptables and netfilter. Using this, you can hijacks the incoming TCP connection and forward it to your localhost easily.
I have a local host webserver c++ code which runs on port 8080 on windows 10.
My first task is to test http requests and responses, and it's done properly with Postman.
But I have another task which is to capture those requests and responses via Wireshark(No other packet sniffing application).
Now, as far as I know it's no possible doing it unless one installs a loopback adapter, so I did it. But Wireshark still doesn't capture packets from and to port 8080.
Can sombedy please tell me what other configurations need to be done so it will be possible?
Probably your best option is to install and use Npcap instead of WinPcap. Be sure to install npcap's loopback adapter and capture on that interface and not on the Microsoft Loopback Adapter interface.
Another very good and simple option (if you're not required to use Wireshark) is to use RawCap instead of Wireshark.
Refer to the Wireshark Loopback capture setup wiki page for more details.
Setup:
I have client C connecting to server S
Both C and S are on the same machine
In C the server address is hardcoded to 127.0.0.1. Likewise, in S the client address is hardcoded to 127.0.0.1
Problem:
I want to be able to sniff the traffic between the client and the server.
Due to the configuration, I cannot move the client nor the server to different locations (the address are hardcoded)
Installing the loopback interface and using tools like Wireshark+WinPcap doesn't lead anywhere (was actually already known but was worth a try)
RawCap, suggested in another topic, doesn't work. IP 127.0.0.1 is listed, but does not record any traffic.
Using rinetd to route the traffic elsewhere, as suggested here doesn't work (cannot bind on 127.0.0.1)
Not interested in using a HTTP local proxy, such as Fiddler, because I'd like to capture also other protocols
Two commercial tools work, specifically CommView and Local Network Monitor, which means it must be possible to do that ;)
How can I do to capture the traffic?
Any pointer on functions I should use or documentation I should read?
Thanks!
Basically you need to write a TDI filter driver to achieve that... for some pointers see:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff565685%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff563317%28v=VS.85%29.aspx
Another option is to write a WinSock LSP.
BEWARE
Since Windows 8 it is strongly encouraged to use WFP (Windows Filtering Platform) for this sort of thing...
Although it might be more cost-effective to just use/buy an existing solution - esp. if you are not a very experienced driver developer...
Use RawCap, which can solve your concerns, see this
I am testing a thick client which is connected to a database, need to sniff traffic b/w tcp port on same machine
WireShark (formerly Ethereal) will work perfectly, if you're not familiar with it, it can be a little tricky on OSX, Windows it's no problem and Linux can be a headache. You can download it here http://www.wireshark.org/, and read a short-primer here - http://www.ipprimer.com/packets.cfm
Essentially there's a capture phase, and then you can work with the data – for your purposes you can live-capture and filter the output to the packets on the port/destination you care about, I've used it many-a-time to debug dodgy home networking, or problems at the office.
Beware if using MySQL and localhost for example, this is a key-word for MySQL and it will infact use the socket instead.. which makes things a matter more complicated, you can circumvent this problem by always making sure to use 127.0.0.1 if working with MySQL. (Perhaps other software uses this convention?)
You can try some tools like WireShark.
Assuming you're on Windows:
I'd split the client and server across two machines, either two real ones, or a VM with something VMWare. Then I'd use Wireshark.
For example http://www.utorrent.com/testport?port=12345
How does this work? Can the server side script attempt to open a socket?
There are many ways of accomplishing this through server-side scripting. As #Oded mentioned, most server-side handlers are capable of initiating socket connections on arbitrary ports, and most of those even have dedicated port-scanning packages/libraries (PHP has one in the PEAR repository, Python's 'socket' module makes this type of tasks a breeze, etc...)
Keep in mind that on shared host platforms, socket connections are typically disabled for security purposes.
Another way that is also very easy to accomplish is to use a command-line port-scanner such as nmap from your server-side script. i.e in PHP, you would do echo ``nmap -p $port $ip\
The server side script will try to open a connection on the specified port to the originating IP.
If there is no response (the attempt will timeout), this would be an indication that the port is not open.
The server can try, as #Oded said. But that doesn't ensure the receiver will respond.
Typically, something like this happens:
The URL request contains instructions about which port to access. The headers that your browser sends include information about where the request is originating from.
Before responding to the request, the server tries to open a port and checks if this is successful. It waits a while before timing out.
The webpage is rendered dynamically based on the results of this test.
The response is returned to you containing the results.
Sometimes steps (2) and (3) will be replaced with an AJAX callback, which allows the response to return sooner.