Compartilhar via


Getting netmon sniff on local machine

To be able to do this, you need more than one network interface cards on the local machine.

You can do the same for one interface too (although it is a hack).

 

The key here is to ask for any loopback traffic (127.0.0.0) to go thru your new route (the gateway) and add a metric that is smaller than the default one.

 

Depending on the protocol that you want to sniff this may/ may not be helpful (basically anything above TCP should be OK).

The way route works is by trying to match the address as best as it can. The second rule is that no metric can be lower than the interface metric.

 

You first do an route print, inside your interface list you will see your interface index. Then do an ipconfig and get your gateway, then execute a route add.

 

Example:

1. Get the IPv4 address of the machine (Lets say it is 10.193.42.1). So, we use 10.193.0.0 in the example below

2. Get the default gateway address of the machine (Lets say it is 10.193.20.1)

3. Execute “route print” and get the first number in the interface list besides which you will see you NIC listed

Example, the number 6 in the sample route print output below:

===========================================================================

Interface List

  6 ...00 0b cd d4 c4 c5 ...... Broadcom NetXtreme Gigabit Ethernet (NDIS6.0)

  7 ...00 0b cd d4 c4 c4 ...... Broadcom NetXtreme Gigabit Ethernet (NDIS6.0) #2

  1 ........................... Software Loopback Interface 1

  9 ...00 00 00 00 00 00 00 e0 isatap.sys-sqlsvr.local

 10 ...00 00 00 00 00 00 00 e0 isatap.

===========================================================================

4. Open up an elevated command prompt and execute the following command

route add 10.193.0.0 MASK 255.255.0.0 10.193.20.1 METRIC 7 if 6

So the syntax is “route add IPv4AddressWithTwoTrailingZeros MASK 255.255.0.0 DefaultGatewayIPv4Address METRIC ValueGreaterThanThatOfInterfaceMetric if NumberListedBesidesNICInRoutePrintOutput

5. Install netmon on the machine

 

6. Execute “net stop policyagent” on command prompt

 

7. Start a capture on netmon

 

8. Execute the scenario by specifying the actual IPv4 address instead of server name of the request to enable routing

 

9. Stop capture

 

10. “net start policyagent” on command prompt

 

11. Execute

            route delete 10.193.0.0

 

More information on route commands is available at:

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx?mfr=true

 

Also, typing "route" on your command window will give you more information on usage of route.

Sapna Jeswani

SQL Server Protocols

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights

Comments

  • Anonymous
    February 21, 2010
    Hi Sapna, either I'm missing something or you've left something out. I'm trying to capture (using NetMon or WireShark) some local traffic (happens to be IE authenticating with SharePoint, all on the local machine [Server2003SP2 x86]), but in my routing table 127.0.0.0 has a metric of 1 which means I need a narrower MASK to superceed it. So route add 127.0.0.0 MASK 255.255.255.0 [LOOPBACK ADAPTER IP] METRIC 1 should do it, only it doesn't like the syntax... Your example doesn't seem to override 127 at all. Can you explain? Thanks Craig