SyntaxFix

[networking] Wireshark localhost traffic capture

I wrote a simple server app in C which runs on localhost. How to capture localhost traffic using Wireshark?

This question is related to networking localhost wireshark packet-capture packet-sniffers

The answer is

Yes, you can monitor the localhost traffic using the Npcap Loopback Adapter

On Windows platform, it is also possible to capture localhost traffic using Wireshark. What you need to do is to install the Microsoft loopback adapter, and then sniff on it.

For Windows,

You cannot capture packets for Local Loopback in Wireshark however, you can use a very tiny but useful program called RawCap;

RawCap

Run RawCap on command prompt and select the Loopback Pseudo-Interface (127.0.0.1) then just write the name of the packet capture file (.pcap)

A simple demo is as below;

C:\Users\Levent\Desktop\rawcap>rawcap
Interfaces:
 0.     169.254.125.51  Local Area Connection* 12       Wireless80211
 1.     192.168.2.254   Wi-Fi   Wireless80211
 2.     169.254.214.165 Ethernet        Ethernet
 3.     192.168.56.1    VirtualBox Host-Only Network    Ethernet
 4.     127.0.0.1       Loopback Pseudo-Interface 1     Loopback
Select interface to sniff [default '0']: 4
Output path or filename [default 'dumpfile.pcap']: test.pcap
Sniffing IP : 127.0.0.1
File        : test.pcap
Packets     : 48^C

For some reason, none of previous answers worked in my case, so I'll post something that did the trick. There is a little jewel called RawCap that can capture localhost traffic on Windows. Advantages:

  • only 17 kB!
  • no external libraries needed
  • extremely simple to use (just start it, choose the loopback interface and destination file and that's all)

After the traffic has been captured, you can open it and examine in Wireshark normally. The only disadvantage that I found is that you cannot set filters, i.e. you have to capture all localhost traffic which can be heavy. There is also one bug regarding Windows XP SP 3.

Few more advices:

You can view loopback traffic live in Wireshark by having it read RawCap's output instantly. cmaynard describes this ingenious approach at the Wireshark forums. I will cite it here:

[...] if you want to view live traffic in Wireshark, you can still do it by running RawCap from one command-line and running Wireshark from another. Assuming you have cygwin's tail available, this could be accomplished using something like so:

cmd1: RawCap.exe -f 127.0.0.1 dumpfile.pcap

cmd2: tail -c +0 -f dumpfile.pcap | Wireshark.exe -k -i -

It requires cygwin's tail, and I could not find a way to do this with Windows' out-of-the-box tools. His approach works very fine for me and allows me to use all of Wiresharks filter capabilities on captured loopback traffic live.

You cannot capture loopback on Solaris, HP-UX, or Windows, however you can very easily work around this limitation by using a tool like RawCap.

RawCap can capture raw packets on any ip including 127.0.0.1 (localhost/loopback). Rawcap can also generate a pcap file. You can open and analyze the pcap file with Wireshark.

See here for full details on how to monitor localhost using RawCap and Wireshark.

I haven't actually tried this, but this answer from the web sounds promising:

Wireshark can't actually capture local packets on windows XP due to the nature of the windows TCP stack. When packets are sent and received on the same machine they don't seem to cross the network boundary that wireshark monitors.

However there is a way around this, you can route the local traffic out via your network gateway (router) by setting up a (temporary) static route on your windows XP machine.

Say your XP IP address is 192.168.0.2 and your gateway (router) address is 192.168.0.1 you could run the following command from windows XP command line to force all local traffic out and back across the network boundary, so wireshark could then track the data (note that wireshark will report packets twice in this scenario, once when they leave your pc and once when they return).

route add 192.168.0.2 mask 255.255.255.255 192.168.0.1 metric 1

http://forums.whirlpool.net.au/archive/1037087, accessed just now.

Please try Npcap: https://github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (http://nmap.org/), so please report any issues on Nmap's development list (http://seclists.org/nmap-dev/).

Source: Stackoverflow.com

Examples related to networking

Access HTTP response as string in Go Communication between multiple docker-compose projects Can't access 127.0.0.1 How do I delete virtual interface in Linux? ConnectivityManager getNetworkInfo(int) deprecated Bridged networking not working in Virtualbox under Windows 10 Difference between PACKETS and FRAMES How to communicate between Docker containers via "hostname" java.net.ConnectException: failed to connect to /192.168.253.3 (port 2468): connect failed: ECONNREFUSED (Connection refused) wget: unable to resolve host address `http'

Examples related to localhost

Xampp localhost/dashboard Set cookies for cross origin requests Invalid Host Header when ngrok tries to connect to React dev server How to turn on/off MySQL strict mode in localhost (xampp)? What is IPV6 for localhost and 0.0.0.0? How do I kill the process currently using a port on localhost in Windows? How to run html file on localhost? Can't access 127.0.0.1 Server http:/localhost:8080 requires a user name and a password. The server says: XDB How to solve ERR_CONNECTION_REFUSED when trying to connect to localhost running IISExpress - Error 502 (Cannot debug from Visual Studio)?

Examples related to wireshark

How to filter wireshark to see only dns queries that are sent/received from/by my computer? Understanding [TCP ACKed unseen segment] [TCP Previous segment not captured] What is the reason and how to avoid the [FIN, ACK] , [RST] and [RST, ACK] Capturing mobile phone traffic on Wireshark Why doesn't wireshark detect my interface? Wireshark localhost traffic capture Monitor network activity in Android Phones How do I monitor all incoming http requests? Wireshark vs Firebug vs Fiddler - pros and cons? How to filter by IP address in Wireshark?

Examples related to packet-capture

How can I capture packets in Android? How to filter wireshark to see only dns queries that are sent/received from/by my computer? Wireshark localhost traffic capture iPhone and WireShark

Examples related to packet-sniffers

Wireshark localhost traffic capture iPhone and WireShark

Tags

Monkey Certificate-store Ssds Image-clipping Guava Link-to Messages Remote-connection Sieve-of-eratosthenes Pyusb Parser-generator Autoboxing Boost-functional Inamingcontainer Xmlunit Treeview Vimpulse Related-content Nibble Add-filter Volume-shadow-service Tiles Hardware-acceleration Webforms-routing Dlopen Ecopy Pulpcore Sharepoint-2007 Wsdlc Mailing Forms Asp.net-caching Dxperience Java-6 Mojibake Resolveclienturl Generic-variance Wacom Ajax.beginform Nsmatrix Ssms Nptl Usernametoken Xml-namespaces Drupal-feeds Binding-expressions Component-design Openxml Xpath-api Sgi Dtd-parsing Onload-event Deb Datatableadapters Bayesian Banner-ads Ebcdic Self-type Treetop Web-reference Portable-contacts Simplemodal Bitbucket-api Scope-creep Permanent-generation Checkboxfor Textview Inheritance Ncurses Contact Ttcpserver Objective-c-runtime Vistadb Expression Window-object Soap4r Msf Novell Distribute Fileinfo Except Winusb Strsplit Redistributable Image-manipulation Acts-as-taggable-on-ster Vignette Monads Position Sqlsitemapprovider Virtual-server Maximize Typeset Openwrt Legend Getdistance Rawsql Elapsedtime Swig Formatted-input