Hi guys:

My OS is Windows XP. When I use Wireshark to catch the packets between a server and a client that are both running on my computer, I can't catch any packets between them. But on the other hand, I use the command 'netstat' to show the connection between them and still find the establishment between them.

Maybe I can figure out the reason why Wireshark catches no data (because their correspondence relies on loopback and the data isn't sent by an interface).

But I really have no idea about the result that 'netstat' shows. In my opinion, netstat is connected with the TCP/IP protocol, and no three-way handshaking means no establishment, so how can netstat show this kind of result? It's a very confusing and contradictory result. The result looks like below:

    Proto  Local Address          Foreign Address        State           PID
    TCP    0.0.0.0:60000          0.0.0.0:0              LISTENING       2924
    TCP    172.16.80.65:60000     172.16.80.65:1827      ESTABLISHED     2924

asked 14 Jun '12, 01:11 waterjacky edited 14 Jun '12, 01:22
One Answer:
Unfortunately you cannot sniff the loopback interface on Windows with Wireshark (WinPCAP).
Regarding the netstat output (IP address not being the loopback address): what you see depends on the IP address used by the client to connect to the server.

    telnet 127.0.0.1 445
    telnet 192.168.30.142 445
BOTH connections won't show up in Wireshark, as both are handled internally in the IP stack. Finally here is an explanation for the last line of your netstat output:
Windows shows ESTABLISHED connections in this format
If the connection was established from the same machine, you will see two entries:
2924 is the PID of your server process and xxxx is the PID of your client process. Please run this command Example, after
Regards

answered 14 Jun '12, 01:38 Kurt Knochner ♦ edited 14 Jun '12, 03:38
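The pairing described in the answer, as an added example that is not part of the original answer: a Python sketch that reads `netstat -ano` style output and matches the two ESTABLISHED rows of a same-host connection to recover the server and client PIDs. The first two data rows come from the question; the client PID 4012 and the remote-host row are constructed for illustration.

```python
import re

# Constructed sample in `netstat -ano` layout. Rows 1-2 are from the question;
# row 3 (client side, PID 4012) and row 4 (remote peer) are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:60000          0.0.0.0:0              LISTENING       2924
  TCP    172.16.80.65:60000     172.16.80.65:1827      ESTABLISHED     2924
  TCP    172.16.80.65:1827      172.16.80.65:60000     ESTABLISHED     4012
  TCP    172.16.80.65:1900      203.0.113.7:443        ESTABLISHED     3100
"""

ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def port(endpoint):
    """Port part of 'addr:port'; rsplit also copes with '[::1]:445'."""
    return endpoint.rsplit(":", 1)[1]


def parse(text):
    """Return (local, foreign, state, pid) for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            rows.append((local, foreign, state, int(pid)))
    return rows


def local_pairs(text):
    """Pair the two ESTABLISHED rows that describe one same-host connection.

    The server side is the row whose local port also has a LISTENING socket.
    """
    rows = parse(text)
    listening = {port(l) for l, _, s, _ in rows if s == "LISTENING"}
    established = {(l, f): pid for l, f, s, pid in rows if s == "ESTABLISHED"}
    pairs = []
    for (local, foreign), pid in established.items():
        peer_pid = established.get((foreign, local))
        if peer_pid is None:
            continue  # mirrored row absent: the other end is on another host
        if port(local) in listening:
            pairs.append({"server": local, "server_pid": pid,
                          "client": foreign, "client_pid": peer_pid})
    return pairs
```

A connection with no mirrored row is one whose peer is on another machine, which is the traffic a capture on the network interface can be expected to show.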