Closed sashabel closed 5 years ago
On Linux it should be possible using the loopback interface (usually lo).
On Windows it's possible only if you're using npcap, please read more here.
Please let me know if you have more questions.
Thanks for the fast response. So if I want to use PcapPlusPlus on Windows and I have installed Npcap, I just should use the IP of the loopback interface? (How is that possible, assuming it is acquired by DHCP?)
yes, I think that should work. Please give it a try and let me know if you have more questions
Well, I'm probably missing something. My network interfaces are listed below:
>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Npcap Loopback Adapter:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::b46a:d98:f85d:e7b6%49
Autoconfiguration IPv4 Address. . : 169.254.231.182
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Wireless LAN adapter Local Area Connection* 6:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter VMware Network Adapter VMnet1:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::952e:bace:bf9c:47e%19
IPv4 Address. . . . . . . . . . . : 192.168.138.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter VMware Network Adapter VMnet8:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::ec3c:bd73:49a0:94b2%3
IPv4 Address. . . . . . . . . . . : 192.168.211.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4419:cbea:c773:843f%11
IPv4 Address. . . . . . . . . . . : 172.20.5.153
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.20.0.1
Wireless LAN adapter Local Area Connection* 4:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
as you can see the Loopback NPcap is
Ethernet adapter Npcap Loopback Adapter:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::b46a:d98:f85d:e7b6%49
Autoconfiguration IPv4 Address. . : 169.254.231.182
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
but the following code
const std::vector<pcpp::PcapLiveDevice*>& devList = pcpp::PcapLiveDeviceList::getInstance().getPcapLiveDevicesList();
if (devList.empty()) {
    printf("Device list is empty");
    exit(0);
}
printf("\nNetwork interfaces:\n");
for (std::vector<pcpp::PcapLiveDevice*>::const_iterator iter = devList.begin(); iter != devList.end(); iter++)
{
    if ((*iter)->getIPv4Address() != pcpp::IPv4Address::Zero) {
        printf(" -> Name: '%s', Description: '%s', IP address: %s\n",
            (*iter)->getName(), (*iter)->getDesc(),
            (*iter)->getIPv4Address().toString().c_str()
        );
    }
}
produces following output:
Network interfaces:
-> Name: '\Device\NPF_{0C532FD8-8C94-4343-A6DA-328B224FD830}', Description: 'VMware Virtual Ethernet Adapter', IP address: 192.168.211.1
-> Name: '\Device\NPF_{D5CAA0E3-3E3A-4D08-9D70-146610574CE1}', Description: 'VMware Virtual Ethernet Adapter', IP address: 192.168.138.1
-> Name: '\Device\NPF_{CA31E7F7-E707-422A-86EF-337E68AA0DF9}', Description: 'Realtek PCIe GBE Family Controller', IP address: 192.168.0.105
-> Name: '\Device\NPF_{73F6ABA6-3533-41E9-B521-DB080D0CFA04}', Description: 'Microsoft', IP address: 172.20.5.153
i.e. the Npcap loopback device is not detected!
That's interesting... do you see this interface in Wireshark?
Yes, I do
Got it. Can you please send a screenshot of the interface view in Wireshark?
I'll try to look into it.
Thanks, I'll look into it and get back to you
On my machine I do see the loopback interface. I think the code that checks if the IP address is not zero might be the reason you're not seeing it:
if ((*iter)->getIPv4Address() != pcpp::IPv4Address::Zero) ...
Can you try running the SSLAnalyzer example (the one shipped with PcapPlusPlus) with the -l switch and print the result:
SSLAnalyzer.exe -l
Then run this command: getmac /fo csv /v to see which adapters you really see
C:\Users\alexbel\Downloads\PcapPlusPlus-master\Examples\SSLAnalyzer\Bin>SSLAnalyzer.exe -l
Network interfaces:
-> Name: '\Device\NPF_{46D2D0C2-BBDB-499D-9119-D128327357BA}' IP address: 0.0.0.0
-> Name: '\Device\NPF_{80E3715B-5E78-4101-9D2F-83F81DC9BBFF}' IP address: 0.0.0.0
-> Name: '\Device\NPF_{D5CAA0E3-3E3A-4D08-9D70-146610574CE1}' IP address: 192.168.138.1
-> Name: '\Device\NPF_{6EB27278-14DC-47A7-A353-4967C3306BA4}' IP address: 0.0.0.0
-> Name: '\Device\NPF_{73F6ABA6-3533-41E9-B521-DB080D0CFA04}' IP address: 172.20.4.22
-> Name: '\Device\NPF_{0C532FD8-8C94-4343-A6DA-328B224FD830}' IP address: 192.168.211.1
-> Name: '\Device\NPF_{76880E27-8D79-4F78-ADC4-F828820D4249}' IP address: 0.0.0.0
-> Name: '\Device\NPF_{FDC48F19-968C-433B-8518-C24EC08E4860}' IP address: 0.0.0.0
-> Name: '\Device\NPF_{3E29B060-816E-48BB-923A-D250B3280204}' IP address: 0.0.0.0
-> Name: '\Device\NPF_{63818D62-521A-4A2F-94CB-45F84B69FA36}' IP address: 0.0.0.0
-> Name: '\Device\NPF_{CA31E7F7-E707-422A-86EF-337E68AA0DF9}' IP address: 192.168.0.105
C:\Users\alexbel\Downloads\PcapPlusPlus-master\Examples\SSLAnalyzer\Bin>getmac /fo csv /v
"Connection Name","Network Adapter","Physical Address","Transport Name"
"VMware Network Adapter VMnet8","VMware Virtual Ethernet Adapter for VMnet8","00-50-56-C0-00-08","\Device\Tcpip_{0C532FD8-8C94-4343-A6DA-328B224FD830}"
"VMware Network Adapter VMnet1","VMware Virtual Ethernet Adapter for VMnet1","00-50-56-C0-00-01","\Device\Tcpip_{D5CAA0E3-3E3A-4D08-9D70-146610574CE1}"
"Wi-Fi","Qualcomm Atheros QCA9377 Wireless Network Adapter","96-E9-03-FE-D4-13","\Device\Tcpip_{73F6ABA6-3533-41E9-B521-DB080D0CFA04}"
"Ethernet","Realtek PCIe GBE Family Controller","C8-5B-76-90-43-41","Media disconnected"
"Bluetooth Network Connection","Bluetooth Device (Personal Area Network)","94-E9-79-FE-3D-FA","Media disconnected"
"Npcap Loopback Adapter","Npcap Loopback Adapter","02-00-4C-4F-4F-50","\Device\Tcpip_{63818D62-521A-4A2F-94CB-45F84B69FA36}"
C:\Users\alexbel\Downloads\PcapPlusPlus-master\Examples\SSLAnalyzer\Bin>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Npcap Loopback Adapter:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::c9c0:6d42:b4b3:d8b2%10
Autoconfiguration IPv4 Address. . : 169.254.216.178
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Wireless LAN adapter Local Area Connection* 4:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Wireless LAN adapter Local Area Connection* 6:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter VMware Network Adapter VMnet1:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::952e:bace:bf9c:47e%20
IPv4 Address. . . . . . . . . . . : 192.168.138.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter VMware Network Adapter VMnet8:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::ec3c:bd73:49a0:94b2%3
IPv4 Address. . . . . . . . . . . : 192.168.211.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4569:7f66:a372:5724%12
IPv4 Address. . . . . . . . . . . : 172.20.4.22
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.20.0.1
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
So you do see the loopback interface, it's '\Device\NPF_{63818D62-521A-4A2F-94CB-45F84B69FA36}'.
You can capture packets using this name:
pcpp::PcapLiveDevice* dev = pcpp::PcapLiveDeviceList::getInstance().getPcapLiveDeviceByName("\\Device\\NPF_{63818D62-521A-4A2F-94CB-45F84B69FA36}");
Please let me know if it's working now. Should we close the issue?
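The answer above identifies the loopback device by matching the GUID in the getmac "Transport Name" column to the Npcap device name. The following is an added example, not code from this thread or from PcapPlusPlus: the helpers splitCsvLine and npfNameFor are hypothetical, and it assumes, as the outputs posted here show, that \Device\Tcpip_{GUID} and \Device\NPF_{GUID} share the same GUID.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Split one line of `getmac /fo csv /v` output into its quoted fields.
std::vector<std::string> splitCsvLine(const std::string& line) {
    std::vector<std::string> fields;
    std::string cur;
    bool inQuotes = false;
    for (char c : line) {
        if (c == '"') inQuotes = !inQuotes;
        else if (c == ',' && !inQuotes) { fields.push_back(cur); cur.clear(); }
        else if (c != '\r') cur += c;
    }
    fields.push_back(cur);
    return fields;
}

// Return the Npcap device name for the adapter with this connection name, or ""
// if the adapter is absent or has no transport (e.g. "Media disconnected").
// Assumption: the NPF_ and Tcpip_ names carry the same adapter GUID.
std::string npfNameFor(const std::string& getmacCsv, const std::string& connection) {
    const std::string tcpipPrefix = R"(\Device\Tcpip_)";
    std::istringstream in(getmacCsv);
    std::string line;
    while (std::getline(in, line)) {
        std::vector<std::string> f = splitCsvLine(line);
        if (f.size() != 4 || f[0] != connection) continue;
        if (f[3].compare(0, tcpipPrefix.size(), tcpipPrefix) != 0) return "";
        return R"(\Device\NPF_)" + f[3].substr(tcpipPrefix.size());
    }
    return "";
}

// Sample rows copied from the getmac output posted in this thread.
const std::string kGetmacSample =
    R"("Connection Name","Network Adapter","Physical Address","Transport Name")" "\n"
    R"("Wi-Fi","Qualcomm Atheros QCA9377 Wireless Network Adapter","96-E9-03-FE-D4-13","\Device\Tcpip_{73F6ABA6-3533-41E9-B521-DB080D0CFA04}")" "\n"
    R"("Ethernet","Realtek PCIe GBE Family Controller","C8-5B-76-90-43-41","Media disconnected")" "\n"
    R"("Npcap Loopback Adapter","Npcap Loopback Adapter","02-00-4C-4F-4F-50","\Device\Tcpip_{63818D62-521A-4A2F-94CB-45F84B69FA36}")" "\n";

int main() {
    // The printed name is what gets passed to getPcapLiveDeviceByName().
    std::cout << npfNameFor(kGetmacSample, "Npcap Loopback Adapter") << "\n";
    return 0;
}
```

Selecting the device by name avoids depending on the adapter's IPv4 address, which in this thread is either 0.0.0.0 or an autoconfigured 169.254.x.x value that changes between runs.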
Hi, yes it's working. I also found that if I use IP 0.0.0.0 it also captures from the loopback interface. Thanks.
Hello, is there a way to capture localhost packets? I've tried:
but I'm probably missing something basic.