Getting netmon sniff on local machine


To be able to do this, you normally need more than one network interface card on the local machine.

You can do the same with a single interface too, although it is a hack: traffic that would normally stay inside the host is sent to the default gateway and routed back, so it crosses the wire where netmon can see it. Keep in mind that this puts traffic on the network that would otherwise never leave the machine, so use it only on a test box.


The key here is to make the loopback traffic ( go through your new route (via the gateway), by giving that route a metric smaller than the default one.


Depending on the protocol you want to sniff, this may or may not help (basically anything carried over TCP should be fine).


The route lookup works by matching the destination address as specifically as it can: the route with the longest matching mask wins, and the metric only breaks ties between equally specific routes. The second rule is that no route metric can be lower than the metric of the interface it uses.


First run route print; in its Interface List you will see your interface index. Then run ipconfig to get your default gateway, and then execute a route add.





1. Get the IPv4 address of the machine (let's say it is ; that is what we use in the example below).


2. Get the default gateway address of the machine (let's say it is ).


3. Execute "route print" and take the number at the start of the Interface List entry for your NIC; that number is the interface index used in step 4.


For example, the number 6 in the sample route print output below:


Interface List

  6 ...00 0b cd d4 c4 c5 ...... Broadcom NetXtreme Gigabit Ethernet (NDIS6.0)

  7 ...00 0b cd d4 c4 c4 ...... Broadcom NetXtreme Gigabit Ethernet (NDIS6.0) #2

  1 ........................... Software Loopback Interface 1

  9 ...00 00 00 00 00 00 00 e0  isatap.sys-sqlsvr.local

 10 ...00 00 00 00 00 00 00 e0  isatap.



4. Open an elevated command prompt and execute the following command:


route add MASK METRIC 7 if 6


So the syntax is "route add IPv4AddressWithTwoTrailingZeros MASK DefaultGatewayIPv4Address METRIC ValueGreaterThanThatOfInterfaceMetric if NumberListedBesidesNICInRoutePrintOutput". The METRIC value must not be lower than the interface metric (see above) but must be lower than the metric of the route it is meant to beat, and the number after "if" is the interface index from step 3.


5. Install netmon on the machine


6. Execute "net stop policyagent" at the command prompt. PolicyAgent is the IPsec Policy Agent service; stopping it means no IPsec policy is applied to the machine's traffic for the duration of the capture, so do this only on a test machine and restart the service in step 10.


7. Start a capture on netmon


8. Run the scenario, specifying the machine's actual IPv4 address instead of its server name in the request, so that the connection targets the address covered by the new route rather than a name that may resolve to the loopback address or to an IPv6 address.


9. Stop capture


10. Execute "net start policyagent" at the command prompt to restore the IPsec Policy Agent.


11. Remove the temporary route by executing route delete with the same destination as in step 4:

            route delete
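The procedure above, worked as an added example (Python, not code from the original post): it parses the Interface List and the IPv4 route table out of `route print` output, picks the route Windows would use for a destination by the rules stated above (longest matching mask first, then lowest metric), and builds the route add and route delete lines from the recipe. SAMPLE_ROUTE_PRINT is constructed: the Interface List copies the one shown above, while the route table, the host address 10.1.2.3 and the gateway 10.1.2.1 are made up in the shape of an XP/2003 table. The 255.255.0.0 mask is an assumption matching the "address with two trailing zeros" destination form; substitute the mask you actually use.

```python
"""Parse `route print`, select routes the way the stack does, and build the
route add / route delete commands. Added example; the sample text is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "  6 ...00 0b cd d4 c4 c5 ...... Broadcom ..." -> (index, description)
IFACE_RE = re.compile(r"^\s*(\d+)\s+\.{3,}(?:[0-9a-fA-F]{2}\s)*\.*\s*(.*\S)\s*$")
# Destination  Netmask  Gateway  Interface  Metric (Gateway may read "On-link" on Vista+)
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed sample: interface list as in the post, route table made up for host 10.1.2.3.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
  6 ...00 0b cd d4 c4 c5 ...... Broadcom NetXtreme Gigabit Ethernet (NDIS6.0)
  7 ...00 0b cd d4 c4 c4 ...... Broadcom NetXtreme Gigabit Ethernet (NDIS6.0) #2
  1 ........................... Software Loopback Interface 1
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.2.1       10.1.2.3     10
         10.1.2.0    255.255.255.0         10.1.2.3       10.1.2.3     10
         10.1.2.3  255.255.255.255        127.0.0.1       127.0.0.1     10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
===========================================================================
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Address
    netmask: ipaddress.IPv4Address
    gateway: str  # dotted IPv4 address, or "On-link"
    interface: ipaddress.IPv4Address
    metric: int

    @property
    def prefix_len(self) -> int:
        return bin(int(self.netmask)).count("1")

    def matches(self, dest: ipaddress.IPv4Address) -> bool:
        mask = int(self.netmask)
        return (int(dest) & mask) == (int(self.network) & mask)


def parse_interfaces(text: str) -> Dict[int, str]:
    """Interface index -> description, in the order route print lists them."""
    found: Dict[int, str] = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def find_interface_index(interfaces: Dict[int, str], nic_name: str) -> int:
    """Step 3: the number listed beside the NIC in the Interface List."""
    for index, description in interfaces.items():
        if nic_name in description:
            return index
    raise LookupError(f"no interface matching {nic_name!r}")


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2)),
                                m.group(3), ipaddress.IPv4Address(m.group(4)), int(m.group(5))))
    return routes


def select_route(routes: List[Route], dest: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest matching mask wins; metric only breaks ties between equally specific routes."""
    candidates = [r for r in routes if r.matches(dest)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix_len, r.metric))


def build_commands(own_ip: str, gateway: str, if_index: int, metric: int,
                   mask: str = "255.255.0.0") -> Tuple[str, str]:
    """Steps 4 and 11. The default mask is an assumption (see lead-in)."""
    dest = str(ipaddress.ip_network(f"{own_ip}/{mask}", strict=False).network_address)
    return (f"route add {dest} MASK {mask} {gateway} METRIC {metric} if {if_index}",
            f"route delete {dest}")


def route_before_and_after(text: str, own_ip: str, gateway: str, metric: int, dest: str,
                           mask: str = "255.255.0.0") -> Tuple[Optional[Route], Optional[Route]]:
    """Which route wins for `dest` now, and after the step-4 route is added (metric as given)."""
    routes = parse_routes(text)
    net = ipaddress.ip_network(f"{own_ip}/{mask}", strict=False)
    added = Route(net.network_address, net.netmask, gateway, ipaddress.IPv4Address(own_ip), metric)
    target = ipaddress.IPv4Address(dest)
    return select_route(routes, target), select_route(routes + [added], target)


if __name__ == "__main__":
    if_index = find_interface_index(parse_interfaces(SAMPLE_ROUTE_PRINT), "Broadcom NetXtreme")
    for cmd in build_commands("10.1.2.3", "10.1.2.1", if_index, 7):
        print(cmd)
    for dest in ("10.1.2.3", "10.1.5.9"):  # own address, and another host inside the /16
        before, after = route_before_and_after(SAMPLE_ROUTE_PRINT, "10.1.2.3", "10.1.2.1", 7, dest)
        print(f"{dest}: before /{before.prefix_len} via {before.gateway} metric {before.metric}; "
              f"after /{after.prefix_len} via {after.gateway} metric {after.metric}")
```

Feed it the real output (route print > routes.txt) from the machine you are capturing on. The check worth having is route_before_and_after for your own address: in the constructed table the /32 host route via 127.0.0.1 still wins after the /16 is added, because a more specific mask beats a lower metric, while for another host in the /16 the new route does take over. If the existing host route still wins on your box, the added route is not used for that destination, which is the situation the comment below describes.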


More information on route commands is available at:


Also, typing "route" on its own at the command prompt prints usage information for the command.


Sapna Jeswani

SQL Server Protocols

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights

Hi Sapna,

    either I'm missing something or you've left something out.

    I'm trying to capture (using NetMon or Wireshark) some local traffic (happens to be IE authenticating with SharePoint, all on the local machine [Server2003SP2 x86]), but in my routing table has a metric of 1, which means I need a narrower MASK to supersede it.



    should do it, only it doesn't like the syntax...

    Your example doesn't seem to override 127 at all.

    Can you explain?


