Hello! I, with an intern, wrote a small utility to capture named pipe traffic from another process on the system. It works like this: I have a process that connects to a process server using some named pipe name. I run an application that forces the target application to load a DLL and hijack the ReadFile, WriteFile, and GetQueuedCompletionStatus Win32 API methods. It then has the process create a named pipe server which sends over pcap-formatted traffic. I connect to this with Wireshark, which causes the aforementioned methods to start serving captured named pipe traffic, encapsulated in TCP/IP headers so that I can track (potentially) multiple named pipe streams from the same process, independently. Now, this code is in early alpha, but it is currently working and sending over data. It may crash the target application on unload, as I still need to ensure that all callers are out of the hijacked methods before unloading. Does it make any sense to have this kind of functionality built into WinPcap or Wireshark directly? asked 24 Aug '15, 12:06 Scott Mueller
One Answer:
This sounds a lot like the functionality provided by extcap, which is in the development (1.99.x) builds of Wireshark. Unfortunately extcap isn't very well documented as yet; there is an HTML page for the interface provided with the dev builds, which doesn't show up online, and also the code and an example extcap interface. answered 24 Aug '15, 12:55 grahamb ♦
I see. Would I need to write an interface for extcap to be able to consume this data that I serve out on a named pipe?
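The following is an added example, not code from the thread, from Wireshark or from the utility described above. It shows the shape of a minimal extcap interface that would let Wireshark consume data like the asker's: the `--extcap-interfaces`, `--extcap-dlts`, `--extcap-config`, `--capture`, `--extcap-interface` and `--fifo` arguments are the ones extcap actually passes to a utility, and the pcap stream it writes to the FIFO is built the same way the asker describes, with each pipe handle wrapped in its own synthetic IPv4/TCP headers so the streams can be followed independently. The interface name `npcap_pipe`, the help URL, the `--pid` option and the `SAMPLE_RECORDS` are constructed for illustration; the DLL hooking that produces real records is out of scope and is stood in for by those sample records. Link type 101 is the pcap value for raw IP packets.

```python
"""Minimal extcap-style utility (added example): wraps named-pipe records in
IPv4/TCP headers and writes a pcap stream to the FIFO Wireshark hands over
via --fifo.  Interface name, help URL, --pid and SAMPLE_RECORDS are made up."""
import argparse
import struct

INTERFACE = "npcap_pipe"      # hypothetical interface name shown in Wireshark
LINKTYPE_RAW = 101            # pcap link type: raw IPv4/IPv6 packet, no L2 header
PCAP_MAGIC = 0xA1B2C3D4       # little-endian pcap magic, microsecond timestamps

# Constructed sample records: (timestamp, src_port, dst_port, seq, payload).
# Each hooked pipe handle gets its own port pair so Wireshark's
# "Follow TCP Stream" separates the pipes from one another.
SAMPLE_RECORDS = [
    (1.0, 40001, 445, 0, b"\\\\.\\pipe\\svc request 1"),
    (1.5, 445, 40001, 0, b"svc reply 1"),
    (2.0, 40002, 445, 0, b"\\\\.\\pipe\\other request"),
]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Wrap a pipe payload in a 20-byte IPv4 header and a 20-byte TCP header
    (PSH|ACK, no options) with valid checksums in both."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))      # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_ok(packet: bytes) -> bool:
    """Re-run both checksums over a built packet; correct data sums to zero."""
    ip, tcp = packet[:20], packet[20:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def pcap_global_header(linktype: int = LINKTYPE_RAW) -> bytes:
    """24-byte pcap file header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)


def pcap_record(ts: float, packet: bytes) -> bytes:
    """16-byte pcap record header (sec, usec, caplen, len) followed by the packet."""
    sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet


def records_to_pcap(records, src_ip="10.0.0.1", dst_ip="10.0.0.2") -> bytes:
    """Serialise a list of pipe records as one pcap stream."""
    out = pcap_global_header()
    for ts, sport, dport, seq, payload in records:
        out += pcap_record(ts, build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, payload))
    return out


# The three discovery responses Wireshark asks for before a capture starts.
def extcap_interfaces() -> str:
    return ("extcap {version=0.1}{help=https://example.invalid/pipecap}\n"
            "interface {value=%s}{display=Named pipe capture (example)}" % INTERFACE)


def extcap_dlts() -> str:
    return "dlt {number=%d}{name=RAW}{display=Raw IPv4 wrapping pipe data}" % LINKTYPE_RAW


def extcap_config() -> str:
    return "arg {number=0}{call=--pid}{display=Target PID}{type=integer}{tooltip=Process to hook}"


def capture(fifo: str, records) -> int:
    """Write the pcap stream to the FIFO Wireshark created; returns record count."""
    with open(fifo, "wb") as f:
        f.write(records_to_pcap(records))
    return len(records)


def main(argv=None):
    p = argparse.ArgumentParser()
    for flag in ("--extcap-interfaces", "--extcap-dlts", "--extcap-config", "--capture"):
        p.add_argument(flag, action="store_true")
    p.add_argument("--extcap-interface")
    p.add_argument("--fifo")
    p.add_argument("--pid", type=int)
    a, _ = p.parse_known_args(argv)       # ignore extras such as --extcap-version
    if a.extcap_interfaces:
        print(extcap_interfaces())
    elif a.extcap_dlts:
        print(extcap_dlts())
    elif a.extcap_config:
        print(extcap_config())
    elif a.capture and a.fifo:
        capture(a.fifo, SAMPLE_RECORDS)
    else:
        p.error("nothing to do")


if __name__ == "__main__":
    main()
```

To try it, drop the script (with a `.py` launcher or batch wrapper on Windows) into Wireshark's extcap directory, restart Wireshark, and the `npcap_pipe` interface appears in the interface list; starting a capture on it makes Wireshark run the script with `--capture --fifo <path>`, and the packets land in the main window as IPv4/TCP. In the real utility the `capture` function would read records from the hooked process's named pipe instead of `SAMPLE_RECORDS`, and the same port-per-handle mapping keeps the streams separable.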