0

capturing named pipes with wireshark

I need to capture named pipes traffic and was wondering if it's possible with wireshark. The forum post below says no, but it's quite old. Just wanted to make sure it's still the case today?

https://superuser.com/questions/31368...

Thanks

net_tech (120)
asked 2018-02-11 11:27:51 +0000

Comments

Wondering if I can use this method?

https://github.com/Vatyx/NamedPipeCap...

net_tech (2018-02-11 11:35:13 +0000)

What do you mean by "named pipes traffic"?

Is this on Windows? If not, there's no mechanism that any UN*X I know of provides that would allow Wireshark to capture traffic between two other processes.

If this is on Windows, is this traffic between two processes on the same machine or between two processes on different machines?

Guy Harris (2018-02-11 21:36:51 +0000)

Yes, it's on a Windows PC and it's both: the traffic between 2 Windows systems and traffic on the same Windows PC.

I found something that may do exactly what I was looking for

http://ioninja.com/plugins/pipe-liste...

net_tech (2018-02-12 02:18:55 +0000)

Found a much easier way to capture database calls.

Used `sqllocaldb info` to get the name of the DB engine; the rest of the process is described in the article below.

https://www.mssqltips.com/sqlserverti...

net_tech (2018-02-25 14:45:01 +0000)

2 Answers

1

Wireshark could capture named pipe traffic between two Windows systems by sniffing on the network between the systems (with the usual issues if it's a switched Ethernet or if it's a Wi-Fi network); network named pipe traffic would appear as SMB traffic.

Wireshark can't capture named pipe traffic between two processes on the same machine. It sounds as if IO Ninja might be able to do that. It looks as if the GitHub project also can intercept named pipe traffic between two processes on a given machine (perhaps by overriding Windows API calls to write to the named pipe with calls that write to the named pipe and provide a copy on the other named pipe) and feed that to Wireshark, over another pipe, as fake TCP (or UDP?) packets.

Guy Harris (19.9k)
answered 2018-02-12 02:29:37 +0000, updated 2018-02-12 02:34:34 +0000

Comments

Thank you!

net_tech (2018-02-12 11:58:02 +0000)
1

The comments to the Answer in your superuser link clarify that Wireshark can receive pcap-formatted data through a named pipe, allowing you to use another application to capture packets on some exotic interfaces and feed Wireshark with them.

The GitHub project seems to make use of that Wireshark API to capture messages sent over a named pipe between two generic processes and feed them as packets in pcap encapsulation to Wireshark via another named pipe. However, this says nothing about the format and contents of the messages themselves. There is little point in sending messages with network packet headers via a named pipe, so most likely even if Wireshark can receive the messages (the screenshot suggests that they come with some cooked Ethernet, IP and TCP headers), their contents would be proprietary, so you'd have to write your own dissector to analyse them.

sindy (6.2k)
answered 2018-02-11 16:16:54 +0000, updated 2018-02-11 16:18:53 +0000

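Both answers describe the same mechanism: a helper process reads messages off a local named pipe, wraps each one in synthetic Ethernet/IPv4/TCP headers, and streams the result as classic pcap records into a second pipe that Wireshark reads with `-i`. The following script is an added example of that pcap encapsulation step; it is not code from either answer or from the NamedPipeCap project. The messages, MAC/IP addresses and port 1433 are constructed values (1433 is chosen only so an existing Wireshark dissector picks the payload up; any port works), and the pipe path passed to `write_capture` is assumed to already exist with Wireshark as its reader.

```python
"""Wrap bytes read from a local named pipe into pcap records so Wireshark can display them."""
import struct
import time

# Constructed sample: two messages as they might be read off a local named pipe,
# tagged with the direction they travelled.
SAMPLE_MESSAGES = [
    (b"client", b"\x01\x00SELECT 1"),
    (b"server", b"\x02\x00\x00\x01"),
]

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Synthetic endpoints (assumed values) so Wireshark shows one client/server conversation.
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
CLIENT_IP = bytes([10, 0, 0, 1])
SERVER_IP = bytes([10, 0, 0, 2])
CLIENT_PORT = 40000
SERVER_PORT = 1433               # assumption: any port Wireshark already dissects


def pcap_global_header(snaplen=65535):
    """24-byte pcap file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def ip_checksum(header):
    """RFC 1071 ones'-complement checksum; over a complete, correct header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fake_tcp_frame(payload, direction, seq):
    """Wrap one pipe message in synthetic Ethernet + IPv4 + TCP headers (54 bytes total)."""
    if direction == b"client":
        src_mac, dst_mac, src_ip, dst_ip = CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP
        sport, dport = CLIENT_PORT, SERVER_PORT
    else:
        src_mac, dst_mac, src_ip, dst_ip = SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP
        sport, dport = SERVER_PORT, CLIENT_PORT
    ethernet = dst_mac + src_mac + b"\x08\x00"                      # EtherType IPv4
    total_len = 20 + 20 + len(payload)
    # version/IHL 0x45, DSCP 0, total length, id 0, DF flag, TTL 64, proto 6 (TCP), checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]     # fill in the checksum
    # data offset 5 (20-byte header), flags PSH|ACK, window 65535; TCP checksum left at 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ethernet + ip + tcp + payload


def build_pcap(messages, ts=None):
    """Return a complete pcap byte stream: global header plus one record per message."""
    ts = time.time() if ts is None else ts
    out = bytearray(pcap_global_header())
    seqs = {b"client": 1, b"server": 1}          # keep TCP sequence numbers plausible
    for i, (direction, payload) in enumerate(messages):
        frame = fake_tcp_frame(payload, direction, seqs[direction])
        seqs[direction] += len(payload)
        ts_i = ts + i * 1e-6                      # strictly increasing timestamps
        sec = int(ts_i)
        usec = int(round((ts_i - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def parse_pcap(data):
    """Minimal reader for the stream produced above; returns [(timestamp, frame_bytes), ...]."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap stream")
    records, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        records.append((sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return records


def write_capture(path, messages):
    """Stream the pcap into `path`, assumed to be a pipe Wireshark is already reading."""
    with open(path, "wb") as fh:
        fh.write(build_pcap(messages))
        fh.flush()


if __name__ == "__main__":
    # Unix: mkfifo /tmp/wspipe && wireshark -k -i /tmp/wspipe, then run this script.
    # Windows: the feeder must create the server end (e.g. win32pipe.CreateNamedPipe)
    # and Wireshark connects with -i \\.\pipe\<name>; plain open() only works for a file.
    write_capture("/tmp/wspipe", SAMPLE_MESSAGES)
```

As sindy notes, Wireshark will happily decode the cooked Ethernet/IP/TCP layers, but whatever follows them is still the pipe's own message format; if no existing dissector matches the port you chose, the payload shows as raw data until you write a dissector for it.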