
capturing named pipes with wireshark

asked 2018-02-11 11:27:51 +0000

net_tech

I need to capture named pipes traffic and was wondering if it's possible with wireshark. The forum post below says no, but it's quite old. Just wanted to make sure it's still the case today?




Wondering if I can use this method?

net_tech (2018-02-11 11:35:13 +0000)

What do you mean by "named pipes traffic"?

Is this on Windows? If not, there's no mechanism that any UN*X I know of provides that would allow Wireshark to capture traffic between two other processes.

If this is on Windows, is this traffic between two processes on the same machine or between two processes on different machines?

Guy Harris (2018-02-11 21:36:51 +0000)

Yes, it's on a Windows PC, and it's both: the traffic between 2 Windows systems and traffic on the same Windows PC.

I found something that may do exactly what I was looking for.

net_tech (2018-02-12 02:18:55 +0000)

Found a much easier way to capture database calls.

Used sqllocaldb info to get the name of the db engine and the rest of the process is described in the article below.

net_tech (2018-02-25 14:45:01 +0000)

2 Answers


answered 2018-02-11 16:16:54 +0000

sindy

updated 2018-02-11 16:18:53 +0000

The comments to the answer in your superuser link clarify that Wireshark can receive pcap-formatted data through a named pipe, allowing you to use another application to capture packets on some exotic interfaces and feed them to Wireshark.

The GitHub project seems to make use of that Wireshark API to capture messages sent over a named pipe between two generic processes and feed them as packets in pcap encapsulation to Wireshark via another named pipe. However, this says nothing about the format and contents of the messages themselves. There is little point in sending messages with network packet headers via a named pipe, so most likely, even if Wireshark can receive the messages (the screenshot suggests that they come with some cooked Ethernet, IP and TCP headers), their contents would be proprietary, so you'd have to write your own dissector to analyse them.

answered 2018-02-12 02:29:37 +0000

Guy Harris

updated 2018-02-12 02:34:34 +0000

Wireshark could capture named pipe traffic between two Windows systems by sniffing on the network between the systems (with the usual issues if it's a switched Ethernet or if it's a Wi-Fi network); network named pipe traffic would appear as SMB traffic.

Wireshark can't capture named pipe traffic between two processes on the same machine. It sounds as if IO Ninja might be able to do that. It looks as if the GitHub project also can intercept named pipe traffic between two processes on a given machine (perhaps by overriding Windows API calls to write to the named pipe with calls that write to the named pipe and provide a copy on the other named pipe) and feed that to Wireshark, over another pipe, as fake TCP (or UDP?) packets.



Thank you!

net_tech (2018-02-12 11:58:02 +0000)
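The "feed Wireshark pcap data over a pipe" mechanism both answers refer to, as an added example that is not code from this thread or from the GitHub project mentioned in it. It wraps arbitrary pipe messages (constructed sample bytes here, standing in for whatever a pipe-monitoring tool hands you) in pcap records with link type LINKTYPE_USER0 (147), which Wireshark maps to a dissector of your choosing under DLT_USER preferences, instead of cooked Ethernet/IP/TCP headers. Run it as `python feed.py | wireshark -k -i -` (Wireshark reads a pcap stream from stdin with `-i -`); a FIFO or Windows named pipe works the same way once you open it for writing.

```python
"""Emit arbitrary named-pipe messages to Wireshark as a live pcap stream."""
import struct
import sys

# LINKTYPE_USER0 (147): Wireshark lets you bind it to any dissector under
# Edit > Preferences > Protocols > DLT_USER, so no fake network headers are needed.
LINKTYPE_USER0 = 147
PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, written little-endian


def pcap_global_header(linktype=LINKTYPE_USER0, snaplen=65535):
    """24-byte pcap file header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(payload, ts):
    """16-byte record header (sec, usec, captured len, original len) followed by the payload."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload


def build_stream(messages):
    """messages: iterable of (timestamp, bytes). Returns a complete pcap byte string."""
    return pcap_global_header() + b"".join(pcap_record(m, ts) for ts, m in messages)


def parse_stream(data):
    """Inverse of build_stream; lets you check that what you emit is well-formed."""
    magic, vmaj, vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or (vmaj, vmin) != (2, 4):
        raise ValueError("not a little-endian pcap 2.4 stream")
    off, out = 24, []
    while off < len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        out.append((sec + usec / 1_000_000, data[off:off + caplen]))
        off += caplen
    return linktype, out


if __name__ == "__main__":
    # Constructed sample messages; a real feeder would read these from the monitored pipe.
    sample = [(1518344851.25, b"\x01\x00SELECT 1"), (1518344851.75, b"\x02\x00OK")]
    out = sys.stdout.buffer
    out.write(pcap_global_header())
    out.flush()
    for ts, msg in sample:
        out.write(pcap_record(msg, ts))
        out.flush()  # flush per record so Wireshark displays packets as they arrive
```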
