Windows – Route local machine traffic to gateway

Tags: network-monitoring, networking, routing, windows

I have two applications a client and a server running on my local machine and want to monitor their network traffic through NetMon.

One solution is to route the local traffic through the default gateway. However, I never got this working. It should be as easy as adding the following route:

route add <localip> MASK <mask> <defaultgateway> METRIC 1 IF 1

Result:

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      87.198.54.0    255.255.255.0      87.198.54.9     87.198.54.9       25
--->  87.198.54.0    255.255.255.0      87.198.54.1     87.198.54.9       1
      87.198.54.9  255.255.255.255        127.0.0.1       127.0.0.1       25
   87.255.255.255  255.255.255.255      87.198.54.9     87.198.54.9       25
Default Gateway:       87.198.54.1
===========================================================================

--->  87.198.54.0    255.255.255.0      87.198.54.1     87.198.54.9       1

So I would expect this route to send everything destined for 87.198.54.9 to the gateway. It doesn't.

The approach is described in the following TechNet slides, so I am pretty sure there must be a way to make this work...

http://download.microsoft.com/download/2/F/3/2F3ABBCF-E3BD-4FC0-85CA-134763E7A129/2009-03-12_TechDays_TechNet_037.pptx

Any ideas why the route doesn't work?

QUESTION MADE MORE SPECIFIC:

I run a ping on local machine to my local machine.

How can I see the ICMP packets in MS NetMon?

Thanks,
Alex
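Added example, not part of the original question: a Python walk of the route table posted above using longest-prefix matching, which is how Windows (like any IP stack) chooses a route: the most specific matching prefix wins, and the metric only breaks ties between prefixes of equal length. The table is transcribed from the `route print` output above; the `0.0.0.0/0` row stands for the `Default Gateway: 87.198.54.1` line, and its metric of 25 is an assumption since the page does not print it.

```python
"""Longest-prefix-match lookup over the route table quoted in the question.

Added example, not from the original post. A /32 host route always beats a /24
network route regardless of metric, because prefix length is compared first.
"""
from ipaddress import IPv4Address, IPv4Network

# Transcribed from the question's `route print` output (arrow marker removed).
# The last row stands for the "Default Gateway: 87.198.54.1" entry; its metric
# of 25 is assumed, the page does not print it.
ROUTE_PRINT = """
      87.198.54.0    255.255.255.0      87.198.54.9     87.198.54.9       25
      87.198.54.0    255.255.255.0      87.198.54.1     87.198.54.9        1
      87.198.54.9  255.255.255.255        127.0.0.1       127.0.0.1       25
   87.255.255.255  255.255.255.255      87.198.54.9     87.198.54.9       25
          0.0.0.0          0.0.0.0      87.198.54.1     87.198.54.9       25
"""


def parse_routes(text):
    """Parse `route print` rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, iface, metric = line.split()
        routes.append((IPv4Network(f"{dest}/{mask}"),
                       IPv4Address(gateway), IPv4Address(iface), int(metric)))
    return routes


ROUTES = parse_routes(ROUTE_PRINT)


def select_route(routes, destination):
    """Return the route the stack would use for `destination`, or None."""
    dst = IPv4Address(destination)
    matches = [r for r in routes if dst in r[0]]
    # Longest prefix first; the metric only orders routes of equal prefix length.
    matches.sort(key=lambda r: (-r[0].prefixlen, r[3]))
    return matches[0] if matches else None


def explain(destination, routes=ROUTES):
    """Human-readable view of the route chosen for a destination."""
    network, gateway, iface, metric = select_route(routes, destination)
    return {
        "destination": destination,
        "matched": str(network),
        "gateway": str(gateway),
        "interface": str(iface),
        "metric": metric,
    }


if __name__ == "__main__":
    # The machine's own address hits the /32 host route to loopback, so the
    # metric-1 route via 87.198.54.1 is never consulted for it.
    print(explain("87.198.54.9"))
    # A different host on the same /24 does take the added route.
    print(explain("87.198.54.20"))
    # Anything else falls through to the default gateway.
    print(explain("8.8.8.8"))
```

Running it shows why the added route has no effect on the ping: 87.198.54.9 is covered by the automatically installed /32 host route to 127.0.0.1, which is more specific than the added /24, so the metric of 1 is never compared. The same lookup shows that other hosts on the subnet would be hairpinned through 87.198.54.1 by that route, which is worth removing once the experiment is over.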

Best Answer

Monitoring local traffic on Windows is dodgy, at best. The method you're describing won't work for traffic bound for 127.0.0.1. As far as I know, there's no simple way to get that traffic into any sniffer.

Assuming you're looking to capture a TCP-based protocol, I'd install a build of rinetd (Windows binary available at that link) on a remote computer with a configuration to listen on the appropriate port and send the traffic back to the listening program on your machine. Then the traffic will be sent across the wire and you can catch it with NetMon.

I've used this "remote proxy back to the local machine" technique on many occasions to great success.
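Added example, not from the answer and not rinetd itself: a minimal Python stand-in for a single rinetd.conf rule, included to make the "remote proxy back to the local machine" technique concrete. It accepts connections on one address and port and copies bytes in both directions to another address and port, which is exactly what rinetd does. In the answer's setup the relay runs on another host and forwards back to the server on your machine, so the client is pointed at the remote host instead of localhost and both legs of every connection cross the wire where NetMon can capture them. The demo keeps everything on 127.0.0.1 so it runs offline; the echo server and the message are constructed stand-ins for the OP's server and client.

```python
"""rinetd-style TCP relay: the "remote proxy back to the local machine" trick.

Added example, not from the answer and not rinetd. One Relay instance does
what one rinetd.conf line does: accept on bind_addr:bind_port and shovel bytes
both ways to connect_addr:connect_port.
"""
import socket
import threading


def pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Relay:
    """Equivalent of a rinetd.conf line: bind_addr bind_port connect_addr connect_port."""

    def __init__(self, bind_addr, bind_port, connect_addr, connect_port):
        self.target = (connect_addr, connect_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, bind_port))
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]  # bind_port 0 = any free port
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:  # listener closed by close()
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = socket.create_connection(self.target)
        except OSError:
            client.close()
            return
        legs = [threading.Thread(target=pump, args=(client, upstream)),
                threading.Thread(target=pump, args=(upstream, client))]
        for leg in legs:
            leg.start()
        for leg in legs:
            leg.join()
        client.close()
        upstream.close()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the local server: replies with the request upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(65536).upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo(message=b"hello via relay\n"):
    """Client -> relay -> server round trip; returns what the client got back."""
    server = start_echo_server()
    relay = Relay("127.0.0.1", 0, "127.0.0.1", server.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", relay.port)) as client:
            client.sendall(message)
            client.shutdown(socket.SHUT_WR)
            reply = b""
            while chunk := client.recv(65536):
                reply += chunk
        return reply
    finally:
        relay.close()
        server.close()


if __name__ == "__main__":
    print(demo())
```

The rinetd.conf equivalent of `Relay("0.0.0.0", 8080, "<your-ip>", 8080)` on the remote host is the single line `0.0.0.0 8080 <your-ip> 8080` (rinetd's format is bind address, bind port, connect address, connect port), after which the client is configured to talk to `<remote-ip>:8080`. Two caveats a practitioner should keep in mind: the capture shows the relay's address as the client's peer rather than 127.0.0.1, and the relay exposes the local server to anything that can reach the remote port, so bind it to a specific address or firewall it for the duration of the capture.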