Sniffing loopback traffic (Windows Server)
Talage
All American
5094 Posts

Anyone ever done this, or heard rumors of people doing this?

Some MS consultant at work told us it could only be done in Windows 7, but I need to do it in Server 2003. I keep finding obscure references on message boards suggesting you can add a new route to the routing table to redirect loopback traffic through a second NIC....but I can't find anything definitive about it.

I want to do it b/c we have an app server and IIS running on the same machine (this is all part of a third party app, so we have very little access to the inner workings) and it keeps having issues when communicating with IIS.

[Edited on April 6, 2010 at 10:32 PM. Reason : ,]

4/6/2010 10:31:47 PM

lafta
All American
14880 Posts

Sorry, I don't have any experience with servers.

4/7/2010 1:42:19 AM

Perlith
All American
7620 Posts

Quote :
"you can add a new route to the routing table to redirect loopback traffic through a second NIC"


You don't want to do this, trust me. You will likely break a ton of other applications and the OS itself if you do.

Quote :
"it keeps having issues when communicating with IIS."


Do you have a support contract for the third party app? Call them up and get them to help you debug this if it's not working.

Otherwise: Question ... wireshark capture can't do this?

4/7/2010 6:52:08 AM

wwwebsurfer
All American
10217 Posts

I thought this was the whole point of Ethereal and Wireshark... They don't work in Server 2003?

4/7/2010 8:27:50 AM

BobbyDigital
Thots and Prayers
41777 Posts

yeah, but with wireshark, you select which interface you're capturing traffic on.

In this particular situation, I don't think communication between the third party app and IIS ever egresses a NIC. Unless there is some funky virtual NIC that gets created. Then you could use wireshark as long as that virtual NIC is visible to wireshark...

I dunno, I'm not a server guy.

4/7/2010 8:49:39 AM

disco_stu
All American
7436 Posts

I've never seen loopback traffic in any wireshark traces. It makes it a pain in the ass to troubleshoot things like SIP servers locally. I always had to put one of the network pieces on another machine to see the traffic in wireshark.

I can't definitively say that means that loopback traffic doesn't hit the NIC, but it's a pretty good indication.

Read this:
http://wiki.wireshark.org/CaptureSetup/Loopback
Quote :
"Supported Platforms

See CaptureSetup/NetworkMedia for Wireshark capturing support on various platforms. Summary: you can capture on the loopback interface on Linux, on various BSDs including Mac OS X, and on Digital/Tru64 UNIX, and you might be able to do it on Irix and AIX, but you definitely cannot do so on Solaris, HP-UX, or Windows.
Windows

IP 127.0.0.1
You can't capture on the local loopback address 127.0.0.1!
IP other
You can add a virtual network card called Microsoft Loopback Adapter, but in most cases that might not give results as expected either.
This adapter is available from Microsoft:
Microsoft: How to install the Microsoft Loopback Adapter in Microsoft Windows Server 2003
Microsoft: How to install the Microsoft Loopback adapter in Windows XP
Microsoft: How To Install Microsoft Loopback Adapter in Windows 2000
... and is quite different than the ones available for various UN*X systems. This adapter is a virtual network adapter you can add, but it will not work on the 127.0.0.1 IP addresses; it will take its own IP address. BTW: You can only add one Loopback Adapter to the system!
Beware: Capturing from this Loopback Adapter requires the WinPcap 3.1 release, 3.1 beta versions won't work!
Let's suppose you have set the IP address of the loopback adapter to 10.0.0.10 and are capturing on that interface. If you ping to this 10.0.0.10 address the ping will get ping replies, but you won't see any of this traffic in Wireshark (much like the 127.0.0.1 problem). If you ping on 10.0.0.11, you won't get ping replies as there is obviously no remote host, but you will see the corresponding ARP requests in Wireshark.
The only benefit I can see so far is if you use it with colinux (and probably other PC virtualization software) to capture the traffic between Windows and the virtual machine. - UlfLamping
Recipe (to capture traffic on ms loopback adapter / Windows XP): --- by mitra
1. go to MS Loopback adapter properties, set IP 10.0.0.10, MASK 255.255.255.0
2. ipconfig /all and look at the MAC-ID for your new adapter.
3. arp -s 10.0.0.10 <MAC-ID>
4. route add 10.0.0.10 10.0.0.10 mask 255.255.255.255
5. to test: "telnet 10.0.0.10"
I am now using the loopback adapter to capture traffic that I source into a Dynamips/Dynagen virtual router network. This is a potentially very useful tool/feature that I will be testing further in the weeks to come. As it stands, I can connect my loopback adapter to a virtual router interface and capture ping, arp, etc. In the near future, I hope to tie a server w/ a loopback adapter to a virtual router and then capture a full client/server type of exchange across a Dynamips/Dynagen emulated network. -- Scott Vermillion
NOTE: To get to the Microsoft Loopback Adapter Properties: Start -> Settings -> Control Panel -> System -> Device Manager -> Network Adapters and right click Microsoft Loopback Adapter to select Properties. -- saran"


[Edited on April 7, 2010 at 11:23 AM. Reason : stuff]

4/7/2010 11:20:49 AM
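
An added example, not part of the thread or of the Wireshark wiki: steps 2 to 4 of the quoted recipe scripted in Python. It parses `ipconfig /all` output, finds the Microsoft Loopback Adapter section, and fills that adapter's IP and MAC into the `arp -s` and `route add` lines in the form the recipe gives them; the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /all` output (Windows XP / Server 2003 layout).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Local Area Connection 2:

        Description . . . . . . . . . . . : Microsoft Loopback Adapter
        Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
        IP Address. . . . . . . . . . . . : 10.0.0.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")
MAC = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")

def parse_adapters(text):
    """Split ipconfig output into one dict per adapter section."""
    adapters, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = {"name": line.rstrip().rstrip(":")}
            adapters.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return adapters

def loopback_recipe_commands(ipconfig_text):
    """Return recipe steps 3 and 4 for the installed loopback adapter."""
    for a in parse_adapters(ipconfig_text):
        if a.get("Description") == "Microsoft Loopback Adapter":
            ip, mac = a.get("IP Address"), a.get("Physical Address", "")
            if not ip or not MAC.fullmatch(mac):
                raise ValueError("loopback adapter has no usable IP or MAC")
            # Command forms copied from the quoted recipe, values filled in.
            return [f"arp -s {ip} {mac}",
                    f"route add {ip} {ip} mask 255.255.255.255"]
    raise LookupError("Microsoft Loopback Adapter not found in ipconfig output")

if __name__ == "__main__":
    print("\n".join(loopback_recipe_commands(SAMPLE_IPCONFIG)))
```
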

smoothcrim
Universal Magnetic!
18968 Posts

is there not a named pipe the process is using?

4/7/2010 12:37:50 PM

Master_Yoda
All American
3626 Posts

^^ I've seen that done before with varied results, but more often than not it works if you will mess with it enough.

4/7/2010 12:50:54 PM

Talage
All American
5094 Posts

Quote :
"IP 127.0.0.1
You can't capture on the local loopback address 127.0.0.1!"


Well damn, that's the one I need

4/8/2010 8:55:23 PM

Perlith
All American
7620 Posts

Ok, so we have a source and a destination. The source can't be (easily) sniffed ... can you bind the destination (IIS) to a specific network adapter and then sniff it?

Otherwise, you can try TCPView for a cruder tool to see the traffic, but not necessarily capture it.

4/8/2010 9:21:25 PM

Talage
All American
5094 Posts

Quote :
"The source can't be (easily) sniffed ... can you bind the destination (IIS) to a specific network adapter and then sniff it?"

I'm not sure I follow what you're suggesting...in this case the source and destination are both 127.0.0.1.

Quote :
"Otherwise, you can try TCPView for a cruder tool to see the traffic, but not necessarily capture it."

I'm actually already working on this. We have it, but the team that owns it doesn't want to share.

I'm also not sure TCPView will give me much info. Isn't it basically just a continuous version of netstat? Or does it give more in depth info?

Quote :
"Do you have a support contract for the third party app? Call them up and get them to help you debug this if it's not working."


We've engaged them, but their support is so end-user focused it's painful. The last time we even got them to admit there was a technical problem I had to essentially shove their face in the crap their program was spitting out on our network (damned thing was getting stuck in a loop or something and hanging for like 5 minutes at a time).

[Edited on April 8, 2010 at 10:24 PM. Reason : .]

4/8/2010 10:16:13 PM

evan
All American
27701 Posts

Quote :
"You can add a virtual network card called Microsoft Loopback Adapter, but in most cases that might not give results as expected either."

this has always worked for me
had almost the exact same problem with 2 apps running on the same system

4/8/2010 10:28:29 PM
