Tags:

Port Snoop / Spy Tool
May 2, 2009 1:04 PM   Subscribe

How can I Spy the messages being exchanged by 2 programs on 2 known port nos. in my computer ?

I am running 2 instances of a particular program: 1 in server mode and 1 in client mode. I have configured the server instance to run on a particular port and the client instance to run on a different port. In the client instance, I also tell the client where (which port) to look for the server instance.

Upon certain user action, the client instance initiates some communication with the server instance. Then the server instance also sends back a message and both the instances keep communicating until all messages are exchanged.

All the messages are exchanged in text format (I know this from a particular source).

I want to spy the messages being sent from the client to the server and the server to the client.

For this, I am looking for an easy-to-use tool which I can first install on the server port, so that I can see the message being first sent by the client. Then I will put this tool on the client port to see what reply the server gives. In this way, I will keep on alternating the spy tool between the server port and the client port.

Which tool can serve my need and which is also easy-to-use and powerful ?

The reason is I want to develop some plug-ins for this software, so I should know the message protocol. The developers of the product are not willing to share this information.
posted by inquisitive to computers & internet (19 answers total) 1 user marked this as a favorite
 
Try Wireshark
posted by qxntpqbbbqxl at 1:08 PM on May 2, 2009


Introductory article here. You could also set up virtual machines and monitor traffic between them, or set up physical boxes with a packet sniffer between the boxes. In your case, it sounds like a simple software solution is probably available. Which operating system / environment are you using?
posted by TeatimeGrommit at 1:09 PM on May 2, 2009 [1 favorite]


Ethereal is also nice and easy to use.

BTW, rather than capture only one port at a time, you'll probably want to just capture all traffic, then use filters to only show you the packets from one port at a time. Much easier that way.
posted by equalpants at 1:23 PM on May 2, 2009


My Operating System is Win XP Service Pack 3.

Can you please explain the steps of setting up WireShark in detail for my simple needs. WireShark seems to be a very powerful software, but my needs are quite simple.

Also the program I am talking about does not communicate over the network. The communication is on the same computer on different ports.

I will prefer a more user-friendly (and less intimidatory :-) ) tool.
posted by inquisitive at 1:25 PM on May 2, 2009


WireShark site mentions that WireShark used to be known as Ethereal. So both are same only.

Yes capturing the entire traffic and analyzing it later will be nice. But can it be done for local port-to-port traffic which does not travel over the network ?

Can you please explain the steps in some detail which can get me started. At the moment, it seems quite difficult to use Wireshark / Ethereal.
posted by inquisitive at 1:30 PM on May 2, 2009


Port-to-port traffic on the same machine IS network traffic, it just (generally) uses the "loopback" interface, which is kind of a dummy interface used expressly for that purpose.
posted by RustyBrooks at 1:46 PM on May 2, 2009


Do the programs use 127.0.0.1 to make the connection? I was going to suggest using Microsoft Network Monitor as an easy solution for watching traffic. However, according to this article both Netmon and Etheral are unable to monitor traffic that goes through 127.0.0.1. If you can configure these programs, you could tell them to use your local IP on the LAN, IE 192.168.0.1 or such. If you can't configure the programs to use something other than 127.0.0.1 or localhost, you could install the Microsoft Loopback Adapter which might allow you to see the packets with Netmon or Etheral.
posted by TungstenChef at 1:47 PM on May 2, 2009


So the first thing you'll want to know is which port your server and client are using. It's probably going to be sufficient only to gather packets on one or the other. I assume you've set up your client to look for a server at the ip address assigned to your computer, I think you should start with that address. If it doesn't work, try the address 127.0.0.1.

Open up wireshark and go to Capture->Capture Filters...

In the field called "Filter name," enter a name for this particular filter. In "Filter string," enter "port and host ". Click the "new" button and you've got your filter ready to go.

Now go to Capture->options... and enter in the appropriate information, in particular select your network adapter from the dropdown box (these are named by what your computer calls the driver it uses for the adapter, eg. eth0, eth1), and select the filter you just made from the capture filter dropdown (note that you could have accessed the filter creation screen from the button here).

Now click on start (bottom right), and it will start collecting packets. You may want to specify how long or how many as conditions for stopping collection, you can do that before clicking "start."

Caveats: I'm assuming unix-based os, I don't know how things work in windows; I've not actually just gone through the steps I listed above, as my wireshark installation can't see my interfaces, but I'm pretty sure this works.
posted by olaguera at 1:49 PM on May 2, 2009


Basic instructions for Ethereal (since that's what I have):

From the "Capture" menu, choose "Interfaces...", which gives you a list of all the network devices on your machine. Find your network card and hit the "Capture" button next to it. A window should pop up that gives you a running count of how many packets of various types it's captured, and how long the capture has been going on.

Now go run the program(s) you want to check out. When you're done, hit "Stop" on the capture window. The main Ethereal window will now be filled with all the packets you've captured, one per line.

Now the filtering: from the "Analyze" menu, choose "Display Filters." At the bottom of the filter dialog should be a text box labeled "Filter string:". In this box type "tcp.port == 8484", where 8484 is whatever port number you want to see, and hit "Apply".

...on preview: wow, can Ethereal really not see loopback traffic? Huh, maybe it can't, and I somehow never realized. Well, so much for that, I guess.
posted by equalpants at 1:51 PM on May 2, 2009


I tried to use some angle brackets and screwed up my filter string. That should read, "port yourport and host yourip". For example, "port 4990 and host 192.168.0.110".
posted by olaguera at 1:51 PM on May 2, 2009


wow, can Ethereal really not see loopback traffic?

I would assume loopback is fine, but I wasn't sure about how the traffic would go through the tcp/ip stack, ie, if he's sending traffic to 192.168.0.100 (his address), does the stack route it through the loopback device? I'm answering beyond my competence, so I'll stop now...
posted by olaguera at 1:55 PM on May 2, 2009


First of all, I am able to configure the client to use my machine's local IP address i.e. 169.254.196.9. The client is able to communicate using this IP address as well as 127.0.0.1 and localhost.

Secondly, has anybody heard or used some simple tools for TCP port monitoring like TCP Spy.NET ?

I have come to know of only 2 tools so far: Wireshark / Ethereal and Microsoft Network Monitor .

Can you suggest some other tools as well ?
posted by inquisitive at 1:57 PM on May 2, 2009


[goes and checks]

...well, so much for Ethereal, I guess. I can't believe I never noticed that before. (I guess I don't really use it that often...)

But if you can do what TungstenChef suggests and get the programs to use your computer's LAN address instead of 127.0.0.1, then it should work.
posted by equalpants at 1:57 PM on May 2, 2009


How about TCP viewer 2.82 and TCP Spy 2.13 ?
posted by inquisitive at 2:02 PM on May 2, 2009


Well just now I tried TCP Viewer 2.83 and it is really easy and sufficient for simple programming / debugging needs.

The only drawback is it displays the packets in HEX and ASCII (side by side) .. whereas I want this to be in text mode.

If you can tell me of such simple similar tool, my purpose will be solved. Ethereal seems to be an overkill for my need.
posted by inquisitive at 2:17 PM on May 2, 2009


Wireshark is your best bet. You must use the IP address, not the 127.0.0.1 loopback. Set the capture filter to the destination port number ("port 8321") and start the capture. When it's done stop the capture again, then right click on one of the packets and choose "Follow TCP Stream". You will see the conversation in a simple colour coded format.

A packet sniffer like Wireshark is overkill if all you really want to do is eavesdrop on the contents of the TCP stream. There are a variety of simpler tools. I used to regularly use the Apache SOAP TCP Tunnel/Monitor, a simple man in the middle proxy with a useful debugging view. TCP Viewer is the same kind of thing.
posted by Nelson at 2:29 PM on May 2, 2009


"A packet sniffer like Wireshark is overkill if all you really want to do is eavesdrop on the contents of the TCP stream"

Yes thats what I want to do. I just want a tool for TCP stream monitoring, but which can show the contents in text form or XML form (as the data interchanged is in XML form).
posted by inquisitive at 2:33 PM on May 2, 2009


You should be able to do this with tcpdump which will dump out in ASCI format

either

tcpdump -A -n -i lo dst port [XX]

for loopback or

tcpdump -A -n dst host [XXX.XXX.XXX.XXX] dst port [XX]

to specify it by ip address

you can also substitute src (source) for dst (destination) above.

you might also want to use the -w file to write out to a text file.

you can get tpdump for windows and documentation here.
posted by tallus at 5:10 PM on May 2, 2009


Yeah... seconding tcpdump, if you know exactly what you're hunting for, it's way easier than wireshark. Wireshark is great for filtering through large amounts of data, but for tracing something simple, tcpdump is your friend.

I've always used the windump version, but I bet ya all the ports are more or less the same.
posted by ph00dz at 9:22 AM on May 3, 2009


« Older How can I mount a set of playi...   |  Is there a word for the accent... Newer »
This thread is closed to new comments.