Wireshark localhost traffic capture

Question

I wrote a simple server app in C which runs on localhost  How to capture localhost traffic using Wireshark

User · Answer

You can view loopback traffic live in Wireshark by having it read RawCap's output instantly. cmaynard describes this ingenious approach at the Wireshark forums. I will cite it here:

[...] if you want to view live traffic in Wireshark, you can still do it by running RawCap from one command-line and running Wireshark from another. Assuming you have cygwin's tail available, this could be accomplished using something like so:

cmd1: RawCap.exe -f 127.0.0.1 dumpfile.pcap

cmd2: tail -c +0 -f dumpfile.pcap | Wireshark.exe -k -i -

It requires cygwin's tail, and I could not find a way to do this with Windows' out-of-the-box tools. His approach works very fine for me and allows me to use all of Wiresharks filter capabilities on captured loopback traffic live.

User · Answer

I haven t actually tried this  but this answer from the web sounds promising      Wireshark can t actually capture local packets on windows XP due to   the nature of the windows TCP stack  When packets are sent and   received on the same machine they don t seem to cross the network   boundary that wireshark monitors       However there is a way around this  you can route the local traffic   out via your network gateway  router  by setting up a  temporary    static route on your windows XP machine       Say your XP IP address is 192 168 0 2 and your gateway  router    address is 192 168 0 1 you could run the following command from   windows XP command line to force all local traffic out and back across   the network boundary  so wireshark could then track the data  note   that wireshark will report packets twice in this scenario  once when   they leave your pc and once when they return        route add 192 168 0 2 mask 255 255 255 255 192 168 0 1 metric 1   http   forums whirlpool net au archive 1037087  accessed just now

User · Answer

For Windows   You cannot capture packets for Local Loopback in Wireshark however  you can use a very tiny but useful program called RawCap   RawCap  Run RawCap on command prompt and select the Loopback Pseudo-Interface  127 0 0 1  then just write the name of the packet capture file   pcap   A simple demo is as below   C  Users Levent Desktop rawcap gt rawcap Interfaces   0      169 254 125 51  Local Area Connection  12       Wireless80211  1      192 168 2 254   Wi-Fi   Wireless80211  2      169 254 214 165 Ethernet        Ethernet  3      192 168 56 1    VirtualBox Host-Only Network    Ethernet  4      127 0 0 1       Loopback Pseudo-Interface 1     Loopback Select interface to sniff  default  0    4 Output path or filename  default  dumpfile pcap    test pcap Sniffing IP   127 0 0 1 File          test pcap Packets       48 C

User · Answer

Yes  you can monitor the localhost traffic using the Npcap Loopback Adapter

User · Answer

You cannot capture loopback on Solaris  HP-UX  or Windows  however you can very easily work around this limitation by using a tool like RawCap    RawCap can capture raw packets on any ip including 127 0 0 1  localhost loopback   Rawcap can also generate a pcap file  You can open and analyze the pcap file with Wireshark    See here for full details on how to monitor localhost using RawCap and Wireshark

User · Answer

For some reason  none of previous answers worked in my case  so I ll post something that did the trick  There is a little jewel called RawCap that can capture localhost traffic on Windows  Advantages    only 17 kB  no external libraries needed extremely simple to use  just start it  choose the loopback interface and destination file and that s all    After the traffic has been captured  you can open it and examine in Wireshark normally  The only disadvantage that I found is that you cannot set filters  i e  you have to capture all localhost traffic which can be heavy  There is also one bug regarding Windows XP SP 3   Few more advices    Wireshark wiki

User · Answer

If you re using Windows  it s not possible - read below  You can use the local address of your machine instead and then you ll be able to capture stuff  See CaptureSetup Loopback      Summary  you can capture on the   loopback interface on Linux  on   various BSDs including Mac OS X  and   on Digital Tru64 UNIX  and you might   be able to do it on Irix and AIX  but   you definitely cannot do so on   Solaris  HP-UX       Although the page mentions that this is not possible on Windows using Wireshark alone  you can actually record it using a workaround as mentioned in a different answer     EDIT  Some 3 years later  this answer is no longer completely correct  The linked page contains instructions for capturing on the loopback interface

User · Answer

Please try Npcap  https   github com nmap npcap  it is based on WinPcap and supports loopback traffic capturing on Windows  Npcap is a subproject of Nmap  http   nmap org    so please report any issues on Nmap s development list  http   seclists org nmap-dev

User · Answer

On Windows platform  it is also possible to capture localhost traffic using Wireshark  What you need to do is to install the Microsoft loopback adapter  and then sniff on it

[networking] Wireshark localhost traffic capture

Examples related to networking

Examples related to localhost

Examples related to wireshark

Examples related to packet-capture

Examples related to packet-sniffers