Each interface is associated with a physical or virtual networking device. Typically, your server will have one configurable network interface for each Ethernet or wireless internet card you have. In addition, it will define a virtual network interface called the “loopback” or localhost interface. RawCap is a free command line network sniffer for Windows that uses raw sockets. Quick RawCap facts: Can sniff any interface that has got an IPv4 address, including 127.0.0.1 (localhost/loopback). Bind any Windows application to a specific interface or IP address. ForceBindIP is a freeware Windows application that will inject itself into another application and alter how certain Windows socket calls are made, allowing you to force the other application to use a specific network interface / IP address.
- Download Open Interface Network & Wireless Cards Drivers
- Download Open Interface Network & Wireless Cards Drivers
ForceBindIP
Bind any Windows application to a specific interface or IP address
About
ForceBindIP is a freeware Windows application that will inject itself into another application and alter how certain Windows socket calls are made, allowing you to force the other application to use a specific network interface / IP address. This is useful if you are in an environment with multiple interfaces and your application has no option to bind to a specific interface.
ForceBindIP works in two stages - the loader, ForceBindIP.exe will load the target application in a suspended state. It will then inject a DLL (BindIP.dll) which loads WS2_32.DLL into memory and intercepts the bind(), connect(), sendto(), WSAConnect() and WSASendTo() functions, redirecting them to code in the DLL which verifies which interface they will be bound to and if not the one specified, (re)binds the socket. Once the function intercepts are complete, the target application is resumed. Note that some applications with anti-debugger / injection techniques may not work correctly when an injected DLL is present; for the vast majority of applications though this technique should work fine.
As of version 1.2, all known functions in WS2_32.DLL that either explicitly or implicitly bind to an interface are intercepted. Please note however that certain programs may still end up using the default interface if they implement connections that do not use the standard winsock functions. ForceBindIP will not prevent information leaks that may occur when using applications over a VPN. For example, all host name lookups (DNS requests) will be resolved through the default gateway as these requests originate from the Microsoft DNS Client, not the program.
Usage
ForceBindIP has no user interface, it runs directly from a cmd prompt or a shortcut. To run 'app.exe' and force it to bind to 192.0.2.100, you would run ForceBindIP as 'C:Program Files (x86)ForceBindIPForceBindIP.exe' 192.0.2.100 'c:fullpathtoapp.exe'. Command line options for the target program may also appear after the path if needed.
Many applications expect to be started from their own folder. If you create a shortcut to ForceBindIP, the target program will start in ForceBindIP's folder instead. To fix this, edit the properties of the shortcut and set the 'Start in' folder to the folder containing the program .exe you're trying to bind.
ForceBindIP can also take the GUID of an interface if for example the IP address is dynamic. To find out the GUID of your interface, run regedit and browse to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfaces. Find the interface which has the dynamic address and then copy the key name. You can then run ForceBindIP as ForceBindIP {4FA65F75-7A5F-4BCA-A3A2-59824B2F5CA0} c:pathtoapp.exe
Version 1.2 and higher provides an optional -i parameter. If the target application crashes on startup or exhibits other unexpected behaviour, try using -i, eg: ForceBindIP -i 192.0.2.100 'c:fullpathtoapp.exe'. This will cause the ForceBindIP loader to wait until the application has entered its message loop before injecting the interception DLL. Any network activity the application makes prior to the DLL being loaded will not have been bound to the chosen interface however.
As of version 1.3, a 64 bit build is also available - use ForceBindIP64 with 64 bit applications. Do note that even if your OS is 64 bit, many applications are still 32 bit. If you aren't sure, run your program normally and check the Task Manager details tab - 32 bit applications are marked with '* 32' next to their name.
Remember to either change to the working directory (cmd prompt) or set the 'Start in' option of any shortcuts you make (see above). Missing quotes and wrong 'Start in' folders are the most common reasons for ForceBindIP failing to work.
Some real examples showing proper command line quoting:
'C:Program Files (x86)ForceBindIPForceBindIP.exe' 192.0.2.100 'C:UsersRichardAppDataLocalDiscordapp-0.0.298Discord.exe'
'C:Program Files (x86)ForceBindIPForceBindIP64.exe' 192.0.2.100 'C:Program Files (x86)GoogleChromeApplicationchrome.exe'
Google Chrome Compatibility
Chrome requires additional configuration to run under ForceBindIP. This is because Chrome 72 or later blocks 3rd party programs from injecting DLLs. To allow ForceBindIP to work, install this enterprise policy registry file to re-enable DLL injection, then open Chrome and go to chrome://flags/#network-service-in-process and enable the setting (Chrome 76+) or chrome://flags#network-service and disable the setting (Chrome 75-).
Firefox Compatibility
Firefox requires the about:config?filter=browser.launcherProcess.enabled preference set to false, otherwise ForceBindIP attaches to the launcher and not the actual program.
Download
ForceBindIP will work on 32 and 64 bit Windows XP / Vista / 7 / 8 / 10. The Visual Studio 2015 Runtimes (x86 and x64) are required for ForceBindIP to function (the installer will let you know if they're missing).
ForceBindIP-1.32-Setup.exe (101 KiB). Setup with uninstaller.
ForceBindIP-1.32.zip (42 KiB). Zip file for manual installation. The ForceBindIP EXE and and BindIP DLL files must be placed in the same folder.
Donate
If you find ForceBindIP useful, please support my work by making a PayPal donation or using Bitcoin (1J6K7yYNC697aqNA9nM52CkwuFMDETQTYh) / Bitcoin Cash (18Hxu4ciWgiMVvyMMYpJMMF7mhqpVDxKGB). Thanks!
Version History
- v1.32 (2017-12-01)
Updated usage instructions and improved error messages when failing to launch the target process. No functional changes. - v1.31 (2016-08-30)
Fixed binding to the wrong port when overriding listening sockets. The problem had appeared due to code changes needed for 64 bit support. Thanks to Marvin Wagner for the report. - v1.3 (2015-12-29)
Updated loader to load BindIP.dll from the installation folder.
Updated installer to check for pre-requisites.
No longer installs to the system folder. - v1.2a (2009-09-17)
Re-released with obfuscated function names to work around false positive anti virus detection. - v1.2 (2008-06-03)
Updated to include additional Winsock functions (WSA family).
Added -i parameter for delayed injection. - v1.0 (2005-10-18)
First public version.
Microsoft has quietly added a built-in network packet sniffer to the Windows 10 October 2018 Update, and it has gone unnoticed since its release.
A packet sniffer, or network sniffer, is a program that monitors the network activity flowing over a computer down to an individual packet level.
This can be used by network administrators to diagnose networking issues, see what types of programs are being used on a network, or even listen in on network conversations sent via clear text.
While Linux users always had the tcpdump tool to perform network sniffing, Windows users have had to install third-party programs such as the Microsoft Network Monitor and Wireshark.
This all changed when Microsoft released the October 2018 Update as now Windows 10 comes with a new 'Packet Monitor' program called pktmon.exe.
Built-in packet sniffer comes to Windows 10
With the release of the Windows 10 October 2018 Update, Microsoft quietly added a new network diagnostic and packet monitoring program called C:Windowssystem32pktmon.exe.
This program has a description of 'Monitor internal packet propagation and packet drop reports', which indicates it is designed for diagnosing network problems.
Similar to the Windows 'netsh trace' command, it can be used to perform full packet inspection of data being sent over the computer.
This program has no mention on Microsoft's site that we could find, and we had to learn how to use it by playing with the program.
Thankfully it includes a fairly extensive help system that can be used by typing 'pktmon [command] help'.
For example, pktmon filter help, will give you the help screen for the filter command.
To learn how to use Pktmon, I strongly suggest you read through the help documentation and play around with the program. We have also provided an example in the next section to help you get started.
Using Pktmon to monitor network traffic
Unfortunately, diving into the full feature set of Pktmon is outside of the scope of this article, but we wanted to show you a basic example of how you can use the tool.
For our example, we will use Pktmon to monitor FTP traffic from the computer it is run on.
To do this, we first need to launch a Windows 10 elevated command prompt as Pktmon requires administrator privileges.
We then need to create two packet filters that tell Pktmon what traffic to monitor, which in our example will be the traffic on TCP ports 20 and 21.
These filters can be created by using the pktmon filter add -p [port] command for each port we want to monitor.
You can then use the pktmon filter list command to see the packet filters we just created.
To start monitoring for packets communicating with TCP ports 20 and 21, we need to use the pktmon start --etw command.
Once executed, pktmon will log all packets on ALL network interfaces on the device to a file called PktMon.etl and only record the first 128 bytes of a packet.
To make it log the entire packet and only from a specific ethernet device, you can use the -p 0 (capture entire packet) and -c 13 (capture only from the adapter with ID 13) arguments.
To determine what ID your adapters are, you can run the command pktmon comp list command
When we combine all the arguments, we get a final command of:
Download Open Interface Network & Wireless Cards Drivers
Pktmon will now quietly run while capturing all packets that match our inputted filters.
To stop capturing packets, enter the pktmon stop command, and a log file called PktMon.etl will have been created in the same folder that contains the raw captured data.
This data in this file is not directly usable, so you need to convert it to a human-readable text format with the following command:
Even converted into text, it is not going to give you the full packets, but only a summary of the network traffic as shown below.
To benefit from the captured data, I suggest you download and install the Microsoft Network Monitor and use it to view the ETL file.
Download Open Interface Network & Wireless Cards Drivers
Using Network Monitor, you can see the full packet that was sent, including any clear-text information.
For example, below you can see a packet containing the clear-text password we entered when logging into this FTP test site.
When done using the Pktmon program, you can remove all created filters using the command:
Real-time monitoring and pcapng support coming soon
With the upcoming release of the Windows 10 May 2020 Update (Windows 10 2004), Microsoft has updated the Pktmon tool to allow you to display monitored packets in real-time and to convert ETL files to the PCAPNG format.
In the version of Pktmon coming in the next feature update, you can enable real-time monitoring using the -l real-time argument.
This will cause the captured packets to be displayed directly to the screen while also saving it to the ETL file.
Microsoft is also adding the ability to convert ETL files to the PCAPNG format so that they can be used in programs like Wireshark.
Once the file has been converted into the PCAPNG format, they can be opened into Wireshark so you can view the network communication better.
Once again, these features are not available in Windows 10 1903/1909, and will be coming to Windows 10 2004 when it's released at the end of the month.
Update 5/16/20: Added other new features coming with Windows 10 2004
Related Articles: