RawCap: Capturing packets on the local loopback interface 127.0.0.1
RawCap is a free command line network sniffer for Windows that uses raw sockets.
Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
RawCap.exe is just 23 kB
No external libraries or DLLs needed other than .NET Framework 2.0
No installation required, just download RawCap.exe and sniff
Can sniff most interface types, including WiFi and PPP interfaces
Minimal memory and CPU load
Reliable and simple to use
D:\rawcap>RawCap.exe --help
NETRESEC RawCap version 0.1.5.0
http://www.netresec.com
Usage: RawCap.exe [OPTIONS] <interface_nr> <target_pcap_file>
OPTIONS:
 -f          Flush data to file after each packet (no buffer)
 -c <count>  Stop sniffing after receiving <count> packets
 -s <sec>    Stop sniffing after <sec> seconds
INTERFACES:
 0.     IP        : 192.168.1.103
        NIC Name  : 无线网络连接
        NIC Type  : Wireless80211
 1.     IP        : 169.254.134.220
        NIC Name  : 本地连接 2
        NIC Type  : Ethernet
 2.     IP        : 169.254.94.64
        NIC Name  : Bluetooth 网络连接
        NIC Type  : Ethernet
 3.     IP        : 127.0.0.1
        NIC Name  : Loopback Pseudo-Interface 1
        NIC Type  : Loopback
Example: RawCap.exe 0 dumpfile.pcap
Method 1:
D:\rawcap>RawCap.exe 3 localhost_capture.pcap
Unable to enter promiscuous mode (RCVALL_ON), using RCVALL_SOCKETLEVELONLY.
Sniffing IP : 127.0.0.1
File        : localhost_capture.pcap
Packets     : 0
Method 2:
D:\rawcap>RawCap.exe 127.0.0.1 localhost_capture.pcap
Unable to enter promiscuous mode (RCVALL_ON), using RCVALL_SOCKETLEVELONLY.
Sniffing IP : 127.0.0.1
File        : localhost_capture.pcap
Packets     : 0
Method 3:
D:\rawcap>RawCap.exe
Interfaces:
 0.     192.168.1.103   无线网络连接    Wireless80211
 1.     169.254.134.220 本地连接 2      Ethernet
 2.     169.254.94.64   Bluetooth 网络连接      Ethernet
 3.     127.0.0.1       Loopback Pseudo-Interface 1     Loopback
Select interface to sniff [default '0']: 3
Output path or filename [default 'dumpfile.pcap']: localhost_capture.pcap
Unable to enter promiscuous mode (RCVALL_ON), using RCVALL_SOCKETLEVELONLY.
Sniffing IP : 127.0.0.1
File        : localhost_capture.pcap
Packets     : 0
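In the output above you can see this message: Unable to enter promiscuous mode (RCVALL_ON), using RCVALL_SOCKETLEVELONLY.
In my tests, localhost traffic could not be captured either. The reason is this message: Unable to enter promiscuous mode (RCVALL_ON), using RCVALL_SOCKETLEVELONLY.
I read online that this happens when cmd is not run as administrator, but after running it as administrator I still got this message and still could not capture localhost traffic.
No solution for now.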
Limitations of RawCap
RawCap cannot capture packets from IPv6 interfaces. This also includes the localhost IPv6 interface associated with address ::1. Unfortunately the name "localhost" often resolves to ::1 rather than 127.0.0.1, which can cause confusion. Therefore, when trying to capture application traffic on localhost, make sure the monitored application is connecting to "127.0.0.1" rather than "localhost".
Sniffing localhost/loopback (127.0.0.1) has some limitations under Windows XP. When sniffing localhost traffic in Windows XP you will only be able to capture UDP and ICMP packets, not TCP.
TCP, UDP and ICMP packets can, however, all be sniffed properly from localhost on newer operating systems like Windows Vista and Windows 7.
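An added example, not part of the original post or of RawCap: it reports which address a client connecting to "localhost" would try first, and sends a short TCP payload pinned to 127.0.0.1 so that a capture running on the loopback interface has known traffic to record. The function names and the test payload are assumptions made for this example.

```python
import socket

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def localhost_resolution(name="localhost", port=80, resolver=socket.getaddrinfo):
    """Ordered, de-duplicated (family, address) pairs a TCP client would try."""
    seen = []
    for family, _t, _p, _c, sockaddr in resolver(name, port, type=socket.SOCK_STREAM):
        entry = (FAMILIES.get(family, str(family)), sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen

def first_choice_is_ipv4_loopback(resolution):
    """True only if the first address tried is 127.0.0.1, the one RawCap can sniff."""
    return bool(resolution) and resolution[0] == ("IPv4", "127.0.0.1")

def send_pinned_loopback_tcp(payload=b"rawcap-test"):  # payload is a constructed sample
    """Send payload over TCP forced onto 127.0.0.1; return (port, bytes received)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.connect(("127.0.0.1", port))  # literal address, never "localhost"
            conn, _peer = srv.accept()
            with conn:
                cli.sendall(payload)
                cli.shutdown(socket.SHUT_WR)  # signal end of data to the reader
                received = b""
                while chunk := conn.recv(4096):
                    received += chunk
    return port, received

if __name__ == "__main__":
    order = localhost_resolution()
    print("localhost resolves to:", order)
    if not first_choice_is_ipv4_loopback(order):
        print("first choice is not 127.0.0.1; point the application at 127.0.0.1")
    port, data = send_pinned_loopback_tcp()
    print(f"sent {len(data)} bytes over 127.0.0.1:{port}")
```

Run it in a second console while RawCap is capturing on the 127.0.0.1 interface; the Packets counter gives a direct check of whether loopback TCP is being recorded on that system.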
Microsoft's newer operating systems (later than WinXP) have limitations associated with raw socket sniffing of external interfaces, i.e. everything that isn't localhost. Known limitations in Windows Vista and Win7 are:
Windows 7 - Can't capture incoming packets
Windows Vista - Can't capture outgoing packets
Due to these limitations in the raw sockets implementations of Microsoft's current operating systems we suggest running RawCap on Windows XP if you need to capture from external interfaces.