How To Capture X Protocol Traffic Using Wireshark On Windows XP?

This is an experiment in using Wireshark to capture X protocol traffic.

Google and the Wireshark manual/wiki give no hints (i.e. how do you capture DISPLAY=:0.0 traffic?). Setting Wireshark to capture on the “local” or “any” device captured nothing. The remote X11 doesn’t support XRandR, so it’s no help.

If you set DISPLAY=localhost:0 then the client will use TCP on the loopback interface and Wireshark can capture that. Of course your X server can’t be running with “-nolisten tcp”, which is the default in many installations. Thanks to the Xcb thread discussion for this.
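As an added illustration of the point above (this is not code from the original post), the following POSIX sh helpers work out, from a DISPLAY string, whether an X client will go over the Unix socket (invisible to any capture interface) or over TCP on port 6000 + display number, and build the matching Wireshark capture filter. The loopback interface name and the use of netstat to detect a listening server are assumptions; the port convention is the standard X11 one.

```shell
#!/bin/sh
# Added example, not part of the original post. Derives X11 transport, TCP
# port and a Wireshark capture filter from a DISPLAY value of the form
# [host]:display[.screen]. Assumption: the X server listens on TCP port
# 6000 + display (standard X11 convention).

# Print the display number: ":0.0" -> 0, "localhost:1" -> 1, "host:2.1" -> 2.
x11_display_number() {
    _d="${1#*:}"        # drop everything up to and including the first ':'
    _d="${_d%%.*}"      # drop the optional ".screen" suffix
    printf '%s\n' "${_d:-0}"
}

# Print the TCP port an X client connects to for this DISPLAY (6000 + number).
x11_port_from_display() {
    printf '%d\n' $((6000 + $(x11_display_number "$1")))
}

# Print "unix" when the client will use the local Unix-domain socket (empty
# host part such as ":0.0", or the explicit "unix:" form), which no packet
# capture can see, and "tcp" when a host name such as "localhost" is present.
x11_transport_from_display() {
    case "$1" in
        :*)     echo unix ;;
        unix:*) echo unix ;;
        *:*)    echo tcp ;;
        *)      echo unknown ;;
    esac
}

# Build the Wireshark/tshark capture filter for that display's TCP port.
x11_capture_filter() {
    printf 'tcp port %s\n' "$(x11_port_from_display "$1")"
}

# Return 0 when something is listening on the display's TCP port. An X server
# started with "-nolisten tcp" shows no LISTEN entry, so the check fails.
# Assumption: netstat is available and prints ":PORT" or ".PORT" before LISTEN.
x11_server_listens_tcp() {
    _port="$(x11_port_from_display "$1")"
    netstat -an 2>/dev/null | grep -E "[:.]${_port}[[:space:]].*LISTEN" >/dev/null
}

# Stand-alone use: report what a capture of $DISPLAY (default ":0.0") can see.
main() {
    _disp="${DISPLAY:-:0.0}"
    _transport="$(x11_transport_from_display "$_disp")"
    echo "DISPLAY=$_disp -> transport: $_transport, port: $(x11_port_from_display "$_disp")"
    if [ "$_transport" = unix ]; then
        echo "Clients will use the Unix socket; nothing reaches a capture interface."
        echo "Use DISPLAY=localhost:$(x11_display_number "$_disp") to force TCP."
    fi
    if x11_server_listens_tcp "$_disp"; then
        echo "X server is listening on TCP; capture on the loopback interface (assumed name: lo) with:"
        echo "  tshark -i lo -f \"$(x11_capture_filter "$_disp")\""
    else
        echo "No listener on TCP port $(x11_port_from_display "$_disp"); the X server may be running with -nolisten tcp."
    fi
}
main
```

Running it with `DISPLAY=:0.0` explains why the original capture showed nothing (the Unix socket never touches an interface), and with `DISPLAY=localhost:0` it prints the capture filter and whether a TCP listener actually exists.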

I want to capture localhost traffic on a Windows XP machine with Wireshark, and it fails.
Googled it: Is there a way to get Wireshark to capture packets sent from/to localhost on Windows?
Got this info from the wiki page Loopback capture setup,
which says I need to install a loopback adapter; the steps for that are in Microsoft's How to install the Microsoft Loopback adapter in Windows XP.

This method did not help much, except that it was able to capture ARP packets only.

Capturing local traffic on Windows XP: route method
> route add mask metric 1
where is your local IP, and that of your default gateway. You must have “Advanced TCP/IP Settings > Automatic metric” disabled. What it does is basically force each packet intended for localhost to go out to the default gateway first, from which it comes back again. Of course this means you see each packet twice.

Not directly, but if you are on a network with a gateway, you can use the command-line ROUTE command to redirect the packets through the gateway, which will bounce the packets back at your machine so Ethereal/Wireshark can capture them. You can also use the CommView tool; it can fulfil your wish. Wireshark does not use an IM driver but a protocol driver.

Still digging on How To Capture X Protocol Traffic Using Wireshark On Windows XP?
