windows网络流量监控

NPCap

官网 https://nmap.org/npcap/

这是抓包必须先安装的工具，具体的原因可以看 https://github.com/buger/goreplay/wiki/Running-on-Windows

due to the nature of different networking layer of Windows stack. See https://github.com/buger/goreplay/issues/440 for specific details.
By default, windows do not have loopback network driver, like Unix systems, and it has to be installed separately if you want to capture local traffic.
One of the options is installing https://nmap.org/npcap/ or https://technet.microsoft.com/en-us/library/cc708322.aspx.

网络包抓取库在 Windows 下的版本。Npcap 采用 Microsoft Light-Weight Filter (NDIS 6 LWF) 技术和 Windows Filtering Platform (NDIS 6 WFP) 技术对当前最流行的 WinPcap 工具包进行改进。

• 兼容性：Npcap兼容Windows 7，Windows 10，因为使用了最新的NDIS 6 Light-Weight Filter (LWF) API. 这比NDIS 5 API快并且后者随时可能被微软在新版本中废除. 另外此驱动由我们的EV证书和微软共同签名，兼容Windows 10 1607最严格的驱动签名要求.
• 安全性：Npcap可以设置为只允许管理员抓包.
• Loopback抓包：Npcap通过使用Windows Filtering Platform (WFP)，可以探测loopback包(在本机lo网口上传输的应用数据) . 安装后Npcap将创建一个Npcap Loopback Adapter适配器. 如果您使用Wireshark，使用这个适配器抓包可以看见所有的loopback流量. 可以通过 “ping 127.0.0.1” (IPv4) or “ping ::1” (IPv6)进行测试.
• Loopback包注入: Npcap is also able to send loopback packets using the Winsock Kernel (WSK) technique. User-level software such as Nping can just send the packets out using Npcap Loopback Adapter just like any other adapter. Npcap then does the magic of removing the packet's Ethernet header and injecting the payload into the Windows TCP/IP stack.
• Libpcap API: Npcap uses the excellent Libpcap library, enabling Windows applications to use a portable packet capturing API that is also supported on Linux and Mac OS X. While WinPcap was based on LibPcap 1.0.0 from 2009, Npcap includes the latest Libpcap release along with improvements that we also contribute back upstream to Libpcap.
• 兼容WinPcap: 对于未使用Npcap新特性的应，Npcap可以安装成“WinPcap兼容模式”，这将替换当前存在的WinPcap安装. 如果未选择此模式，Npcap将与WinPcap并存; applications which only know about WinPcap will continue using that, while other applications can choose to use the newer and faster Npcap driver instead.

NetCap

官网 https://docs.netcap.io/, https://github.com/dreadl0ck/netcap

功能

• net.capture (capture audit records live or from dumpfiles)
• net.dump (dump with audit records in various formats)
• net.label (tool for creating labeled CSV datasets from netcap data)
• net.collect (collection server for distributed collection)
• net.agent (sensor agent for distributed collection)
• net.proxy (http reverse proxy for capturing traffic from web services)
• net.util (utility tool for validating audit records and converting timestamps)
• net.export (exporter for prometheus metrics)

使用

# 列出网卡
getmac /fo csv /v
"Connection Name","Network Adapter","Physical Address","Transport Name"
"Wi-Fi","Intel(R) Dual Band Wireless-AC 7265","01-5E-01-CD-09-EC","\Device\Tcpip_{D11E5516-717A-4369-6C95-15F6211513E6}"
"Ethernet","Intel(R) Ethernet Connection (3) I218-LM","34-1E-75-83-8F-63","Media disconnected"
...

# 查看帮助
net.capture.exe --help

# 监听，注意把Tcpip_改成NPF_
net.capture.exe -iface \Device\NPF_{D11E5516-717A-4369-6C95-15F6211513E6}

各个统计结果会分别打成tar包，解开后可以看到其中的记录，IPV4和TCP，UDP都有访问的IP记录

Windows的HTTP/HTTPS访问抓包

http://www.51testing.com/html/42/15142342-4462193.html

里面介绍的 Proxifier，是值得研究的对象