Sniff process communication on Windows 7

Wireshark can sniff named pipes, as described in this article:

Before pipes, Wireshark could read the captured packets to display either from a file (which had been previously created) or from a network interface (in real time). Since pipes are supported, Wireshark can also read packets from another application, and show them in real time.

There are some limitations that you should be aware of:

  1. This only works with the de facto standard libpcap format version 2.4, as described in Development/LibpcapFileFormat. Some other formats may work in theory, but this has not been tested.
  2. Capturing from a pipe is inconvenient, because you have to set up the pipe and put a file header into the pipe before you can start the capture. A few patches have been mailed to the development list that could solve this, so if you find the approach inconvenient, try the patches.
  3. The named pipe is not listed in the drop-down interface selection, and must be typed into the interface box. On Windows, it must be typed slowly (or pasted).

After trying it out, or finding out which are the mentioned patches, or getting in touch with the author of the above article, there still remains the problem of knowing the name of the pipe, which is miraculously solved (again) by the Sysinternals utility PipeList:

What you might also find surprising is that it's possible to obtain a directory listing of the named pipes defined on a system. This fact is not documented, nor is it possible to do this using the Win32 API.

Another solution might be the commercial product I/O Ninja ($30, trial available).
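The answer above leaves "knowing the name of the pipe" to PipeList. As an added example (not part of the original answer, and not PipeList's own code), the following PowerShell script enumerates the `\\.\pipe\` namespace through .NET's directory API and diffs two snapshots, so you can see which pipes appear once the two processes under investigation are started. The function names `Get-NamedPipeSnapshot` and `Compare-NamedPipeSnapshot` are the example's own; the script assumes Windows PowerShell on the .NET Framework.

```powershell
# Added example: snapshot the named-pipe namespace twice and report which pipes
# appeared or disappeared in between. Written for Windows PowerShell 2.0+ (the
# version available on Windows 7), so it avoids -notin and [pscustomobject].

function Get-NamedPipeSnapshot {
    # Returns the names (without the \\.\pipe\ prefix) of all named pipes
    # currently present on this machine. Directory.GetFiles on \\.\pipe\ lists
    # the pipe file system objects, which is what PipeList displays.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_ -replace '^\\\\\.\\pipe\\', '' } |
        Sort-Object -Unique
}

function Compare-NamedPipeSnapshot {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Before,
        [Parameter(Mandatory=$true)] [string[]] $After
    )
    # Pipes present only in the second snapshot were created in between;
    # pipes present only in the first were closed (their last instance went away).
    $created = @($After  | Where-Object { $Before -notcontains $_ })
    $closed  = @($Before | Where-Object { $After  -notcontains $_ })
    New-Object PSObject -Property @{ Created = $created; Closed = $closed }
}

# Usage: take a baseline, start the processes you want to inspect, then diff.
$baseline = Get-NamedPipeSnapshot
Read-Host 'Start the processes to investigate, then press Enter' | Out-Null
$diff = Compare-NamedPipeSnapshot -Before $baseline -After (Get-NamedPipeSnapshot)

"Pipes created since baseline:"
$diff.Created | ForEach-Object { "  \\.\pipe\$_" }
"Pipes closed since baseline:"
$diff.Closed  | ForEach-Object { "  \\.\pipe\$_" }
```

The pipe names reported under "created" are the candidates to look up in PipeList (for instance counts) or to pass to a pipe-monitoring tool; the script only lists names and never opens a pipe, so it does not consume an instance of a pipe limited to one instance.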

Author: ragnq

Updated on September 18, 2022

Comments

  • ragnq
    ragnq over 1 year

    I have two local processes which communicate to let the other execute commands. And I want to know what they are talking about.

    After some first investigation, it's not over Sockets or Loopback, but seems like they are using (named-)pipes (at least both have opened a few of them, can't say if they are the same).

    How can I sniff all that communication between these processes?

  • ragnq
    ragnq over 12 years
    The pipe I want to sniff has limited the max. instances to 1. Wireshark will not be able to "connect".
  • harrymc
    harrymc over 12 years
    Connecting is done to an existing instance, so I don't see the problem. See this article.
  • Admin
    Admin over 10 years
    Wireshark can't sniff arbitrary named pipes. What it does support is running a program that writes something that looks like captured traffic to a pipe and "capturing" traffic from that pipe. This is not useful for watching arbitrary named pipe traffic - if the traffic doesn't look like a pcap or pcap-ng file, Wireshark can't handle it.
  • Admin
    Admin over 10 years
    I read the text and I downvoted it because I know, with 100% certainty, that you cannot use Wireshark to capture arbitrary local named-pipe traffic (YOU should carefully read the "This only works with the de facto standard libpcap format version 2.4" part!). And, since 2011, the only thing that's changed is that it now handles pcap-ng; I can state this with 100% certainty as a Wireshark core developer.
  • Admin
    Admin over 10 years
    And one thing that changed since 2011 is the page you cited; I fixed it to reflect reality, so people don't get confused into thinking that Wireshark supports sniffing arbitrary local named pipes.
  • Admin
    Admin over 10 years
    The warning means that your answer is incorrect; you can't use Wireshark to sniff arbitrary named pipe traffic, which is what the person asking the question wanted to do.