Sniff process communication on Windows 7
Wireshark can sniff named pipes, as described in this article:
Before pipes, Wireshark could read the captured packets to display either from a file (which had been previously created) or from a network interface (in real time). Since pipes are supported, Wireshark can also read packets from another application, and shows them in real time.
There are some limitations that you should be aware of:
- This only works with the de facto standard libpcap format version 2.4, as described in Development/LibpcapFileFormat. Some other formats may work in theory, but this has not been tested.
- Capturing from a pipe is inconvenient, because you have to set up the pipe and put a file header into the pipe before you can start the capture. A few patches have been mailed to the development list that could solve this, so if you find the approach inconvenient, try the patches.
- The named pipe is not listed in the drop-down interface selection, and must be typed into the interface box. On Windows, it must be typed slowly (or pasted).
After trying it out, or finding out which the mentioned patches are, or getting in touch with the author of the above article, there is still the problem of knowing the name of the pipe, which is miraculously solved (again) by the Sysinternals utility PipeList:
What you might also find surprising is that it's possible to obtain a directory listing of the named pipes defined on a system. This fact is not documented, nor is it possible to do this using the Win32 API.
Another solution might be the commercial product I/O Ninja ($30, trial available).
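The "put a file header into the pipe before you can start the capture" limitation quoted above is concrete: whatever program feeds the pipe must emit a libpcap 2.4 global header and then one record header per message, because Wireshark only parses that format. The following is an added example (not from the original answer or from Wireshark): a writer that wraps arbitrary named-pipe message bytes in libpcap framing, and a reader that validates them the way Wireshark would. It assumes the application that observes the pipe traffic already exists; a BytesIO buffer stands in for the Windows pipe, and the constructed messages are just sample bytes.

```python
import struct
import io

PCAP_MAGIC = 0xA1B2C3D4        # little-endian libpcap magic, microsecond timestamps
LINKTYPE_USER0 = 147           # DLT_USER0: private link type, no built-in dissector
SNAPLEN = 65535

def pcap_global_header(linktype=LINKTYPE_USER0, snaplen=SNAPLEN):
    """24-byte libpcap 2.4 header: magic, major, minor, thiszone, sigfigs, snaplen, network."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(payload, ts, snaplen=SNAPLEN):
    """16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by the bytes."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    captured = payload[:snaplen]           # truncate to snaplen, keep the original length
    return struct.pack("<IIII", sec, usec, len(captured), len(payload)) + captured

def build_stream(messages):
    """Frame (timestamp, message_bytes) pairs exactly as they would be written to the pipe."""
    pipe = io.BytesIO()                    # stand-in for the named pipe Wireshark reads
    pipe.write(pcap_global_header())
    for ts, msg in messages:
        pipe.write(pcap_record(msg, ts))
    return pipe.getvalue()

def parse_pcap(data):
    """Reader side: refuse anything that is not libpcap 2.4, then walk the records."""
    if len(data) < 24:
        raise ValueError("stream shorter than a libpcap header")
    magic, major, minor, _tz, _sf, _snap, _link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a libpcap 2.4 stream: Wireshark would reject this pipe")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return records

if __name__ == "__main__":
    # Constructed sample messages, as a pipe-monitoring tool might hand them over.
    sample = [(1.5, b"hello"), (2.0, b"\x00\x01")]
    for rec in parse_pcap(build_stream(sample)):
        print(rec)
```

Raw pipe bytes written without this framing fail the magic check, which is exactly why pointing Wireshark at an application's own pipe shows nothing.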
ragnq
Updated on September 18, 2022
Comments
-
ragnq over 1 year: I have two local processes which communicate to let the other execute commands, and I want to know what they are talking about. After some first investigation, it's not over Sockets or Loopback, but it seems like they are using (named-)pipes (at least both have opened a few of them; I can't say if they are the same). How can I sniff all that communication between these processes?
-
Admin over 10 years: See ivan_pozdeev's answer to this similar question.
-
ragnq over 12 years: The pipe I want to sniff has limited the max. instances to 1. Wireshark will not be able to "connect".
-
harrymc over 12 years: Connecting is done to an existing instance, so I don't see the problem. See this article.
-
Admin over 10 years: Wireshark can't sniff arbitrary named pipes. What it does support is running a program that writes something that looks like captured traffic to a pipe and "capturing" traffic from that pipe. This is not useful for watching arbitrary named pipe traffic: if the traffic doesn't look like a pcap or pcap-ng file, Wireshark can't handle it.
-
Admin over 10 years: I read the text and I downvoted it because I know, with 100% certainty, that you cannot use Wireshark to capture arbitrary local named-pipe traffic (YOU should carefully read the "This only works with the de facto standard libpcap format version 2.4" part!). And, since 2011, the only thing that's changed is that it now handles pcap-ng; I can state this with 100% certainty as a Wireshark core developer.
-
Admin over 10 years: And one thing that changed since 2011 is the page you cited; I fixed it to reflect reality, so people don't get confused into thinking that Wireshark supports sniffing arbitrary local named pipes.
-
Admin over 10 years: The warning means that your answer is incorrect; you can't use Wireshark to sniff arbitrary named pipe traffic, which is what the person asking the question wanted to do.