Wireshark localhost traffic capture

I wrote a simple server app in C which runs on localhost. How to capture localhost traffic using Wireshark?

If you're using Windows it's not possible - read below. You can use the local address of your machine instead and then you'll be able to capture stuff. See CaptureSetup/Loopback.

> Summary: you can capture on the > loopback interface on Linux, on > various BSDs including Mac OS X, and > on Digital/Tru64 UNIX, and you might > be able to do it on Irix and AIX, but > you definitely cannot do so on > Solaris, HP-UX....

Although the page mentions that this is not possible on Windows using Wireshark alone, you can actually record it using a workaround as mentioned in a different answer.

---

EDIT: Some 3 years later, this answer is no longer completely correct. The linked page contains instructions for capturing on the loopback interface.

For some reason, none of previous answers worked in my case, so I'll post something that did the trick. There is a little jewel called RawCap that can capture localhost traffic on Windows. Advantages:

• only 17 kB!
• no external libraries needed
• extremely simple to use (just start it, choose the loopback interface and destination file and that's all)

After the traffic has been captured, you can open it and examine in Wireshark normally. The only disadvantage that I found is that you cannot set filters, i.e. you have to capture all localhost traffic which can be heavy. There is also one bug regarding Windows XP SP 3.

Few more advices:

• Wireshark wiki

On Windows platform, it is also possible to capture localhost traffic using Wireshark. What you need to do is to install the Microsoft loopback adapter, and then sniff on it.

I haven't actually tried this, but this answer from the web sounds promising:

> Wireshark can't actually capture local packets on windows XP due to > the nature of the windows TCP stack. When packets are sent and > received on the same machine they don't seem to cross the network > boundary that wireshark monitors. > > However there is a way around this, you can route the local traffic > out via your network gateway (router) by setting up a (temporary) > static route on your windows XP machine. > > Say your XP IP address is 192.168.0.2 and your gateway (router) > address is 192.168.0.1 you could run the following command from > windows XP command line to force all local traffic out and back across > the network boundary, so wireshark could then track the data (note > that wireshark will report packets twice in this scenario, once when > they leave your pc and once when they return). > > route add 192.168.0.2 mask 255.255.255.255 192.168.0.1 metric 1

http://forums.whirlpool.net.au/archive/1037087, accessed just now.

You can view loopback traffic live in Wireshark by having it read RawCap's output instantly. cmaynard describes this ingenious approach at the Wireshark forums. I will cite it here:

> [...] if you want to view live traffic in Wireshark, you can still do it by running RawCap from one command-line and running Wireshark from another. Assuming you have cygwin's tail available, this could be accomplished using something like so: > > cmd1: RawCap.exe -f 127.0.0.1 dumpfile.pcap > > cmd2: tail -c +0 -f dumpfile.pcap | Wireshark.exe -k -i -

It requires cygwin's tail, and I could not find a way to do this with Windows' out-of-the-box tools. His approach works very fine for me and allows me to use all of Wiresharks filter capabilities on captured loopback traffic live.

Please try Npcap: https://github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (http://nmap.org/), so please report any issues on Nmap's development list (http://seclists.org/nmap-dev/).

For Windows,

You cannot capture packets for Local Loopback in Wireshark however, you can use a very tiny but useful program called RawCap;

RawCap

Run RawCap on command prompt and select the Loopback Pseudo-Interface (127.0.0.1) then just write the name of the packet capture file (.pcap)

A simple demo is as below;

C:\Users\Levent\Desktop\rawcap>rawcap
Interfaces:
 0.     169.254.125.51  Local Area Connection* 12       Wireless80211
 1.     192.168.2.254   Wi-Fi   Wireless80211
 2.     169.254.214.165 Ethernet        Ethernet
 3.     192.168.56.1    VirtualBox Host-Only Network    Ethernet
 4.     127.0.0.1       Loopback Pseudo-Interface 1     Loopback
Select interface to sniff [default '0']: 4
Output path or filename [default 'dumpfile.pcap']: test.pcap
Sniffing IP : 127.0.0.1
File        : test.pcap
Packets     : 48^C

You cannot capture loopback on Solaris, HP-UX, or Windows, however you can very easily work around this limitation by using a tool like RawCap.

RawCap can capture raw packets on any ip including 127.0.0.1 (localhost/loopback). Rawcap can also generate a pcap file. You can open and analyze the pcap file with Wireshark.

See here for full details on how to monitor localhost using RawCap and Wireshark.

Yes, you can monitor the localhost traffic using the Npcap Loopback Adapter