Wireshark localhost traffic capture

Solution 1

If you're using Windows it's not possible - read below. You can use the local address of your machine instead and then you'll be able to capture stuff. See CaptureSetup/Loopback.

Summary: you can capture on the loopback interface on Linux, on various BSDs including Mac OS X, and on Digital/Tru64 UNIX, and you might be able to do it on Irix and AIX, but you definitely cannot do so on Solaris, HP-UX....

Although the page mentions that this is not possible on Windows using Wireshark alone, you can actually record it using a workaround as mentioned in a different answer.


EDIT: Some 3 years later, this answer is no longer completely correct. The linked page contains instructions for capturing on the loopback interface.

Solution 2

For some reason, none of the previous answers worked in my case, so I'll post something that did the trick. There is a little jewel called RawCap that can capture localhost traffic on Windows. Advantages:

  • only 17 kB!
  • no external libraries needed
  • extremely simple to use (just start it, choose the loopback interface and destination file and that's all)

After the traffic has been captured, you can open it and examine it in Wireshark normally. The only disadvantage that I found is that you cannot set filters, i.e. you have to capture all localhost traffic, which can be heavy. There is also one bug regarding Windows XP SP3.

A few more pieces of advice:

Solution 3

On the Windows platform, it is also possible to capture localhost traffic using Wireshark. What you need to do is to install the Microsoft loopback adapter, and then sniff on it.

Solution 4

I haven't actually tried this, but this answer from the web sounds promising:

Wireshark can't actually capture local packets on Windows XP due to the nature of the Windows TCP stack. When packets are sent and received on the same machine they don't seem to cross the network boundary that Wireshark monitors.

However, there is a way around this: you can route the local traffic out via your network gateway (router) by setting up a (temporary) static route on your Windows XP machine.

Say your XP IP address is 192.168.0.2 and your gateway (router) address is 192.168.0.1. You could run the following command from the Windows XP command line to force all local traffic out and back across the network boundary, so Wireshark could then track the data (note that Wireshark will report packets twice in this scenario, once when they leave your PC and once when they return).

route add 192.168.0.2 mask 255.255.255.255 192.168.0.1 metric 1

http://forums.whirlpool.net.au/archive/1037087, accessed just now.

Solution 5

You can view loopback traffic live in Wireshark by having it read RawCap's output instantly. cmaynard describes this ingenious approach at the Wireshark forums. I will cite it here:

[...] if you want to view live traffic in Wireshark, you can still do it by running RawCap from one command-line and running Wireshark from another. Assuming you have cygwin's tail available, this could be accomplished using something like so:

cmd1: RawCap.exe -f 127.0.0.1 dumpfile.pcap

cmd2: tail -c +0 -f dumpfile.pcap | Wireshark.exe -k -i -

It requires cygwin's tail, and I could not find a way to do this with Windows' out-of-the-box tools. His approach works very well for me and allows me to use all of Wireshark's filter capabilities on captured loopback traffic live.
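An added example, not part of any answer above: once you have a loopback capture file (from RawCap as in Solution 2, or saved from Wireshark after the live pipe in Solution 5), the awkward part of processing it outside Wireshark is that loopback captures are framed differently depending on how they were taken. The small Python parser below reads a libpcap file and counts IPv4 TCP/UDP packets per 5-tuple, skipping the right link header for the Null/loopback encapsulation (4-byte address family, what BSD and macOS lo0 write; I am assuming the same for Npcap's loopback capture), Ethernet (14 bytes, for a loopback adapter that presents itself as Ethernet), and raw IP (no link header, which is what a raw-socket tool like RawCap produces). It also stops cleanly at a trailing partial record, the situation you hit when reading a file that RawCap is still writing. The sample capture is constructed in the code (two packets on 127.0.0.1 with checksums left at zero); the function names are mine.

```python
"""Summarise TCP/UDP flows in a libpcap file captured on a loopback interface.

Loopback captures carry different link headers depending on how they were taken,
so the parser skips a per-link-type prefix before the IP header:
  0   LINKTYPE_NULL: 4-byte host-order address family (BSD/macOS lo0; assumed for Npcap loopback)
  1   LINKTYPE_ETHERNET: 14-byte Ethernet header (loopback adapters that fake Ethernet)
  101 LINKTYPE_RAW, 228 LINKTYPE_IPV4, 229 LINKTYPE_IPV6: bare IP packet (RawCap's raw-socket output)
"""
import struct
from collections import Counter

LINKTYPE_NULL, LINKTYPE_ETHERNET, LINKTYPE_RAW, LINKTYPE_IPV4, LINKTYPE_IPV6 = 0, 1, 101, 228, 229
# pcap magic -> (struct byte-order prefix, fractional timestamps are nanoseconds)
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": ("<", False), b"\xa1\xb2\xc3\xd4": (">", False),
              b"\x4d\x3c\xb2\xa1": ("<", True), b"\xa1\xb2\x3c\x4d": (">", True)}
PROTO_NAMES = {6: "TCP", 17: "UDP"}


def link_header_len(linktype):
    """Bytes to skip before the IP header for the link types loopback captures produce."""
    if linktype == LINKTYPE_NULL:
        return 4
    if linktype == LINKTYPE_ETHERNET:
        return 14
    if linktype in (LINKTYPE_RAW, LINKTYPE_IPV4, LINKTYPE_IPV6):
        return 0
    raise ValueError(f"unsupported link type {linktype}")


def parse_ipv4(pkt):
    """Return (src, dst, proto_name, sport, dport) for an IPv4 TCP/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto not in PROTO_NAMES or len(pkt) < ihl + 4:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, PROTO_NAMES[proto], sport, dport


def iter_packets(pcap):
    """Yield (timestamp, linktype, packet_bytes); stop cleanly at a trailing partial record."""
    if len(pcap) < 24 or pcap[:4] not in PCAP_MAGIC:
        raise ValueError("not a complete libpcap header (pcapng is not handled here)")
    order, nanos = PCAP_MAGIC[pcap[:4]]
    linktype = struct.unpack(order + "IHHiIII", pcap[:24])[6]  # global header, field 7 = network
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", pcap[off:off + 16])
        data = pcap[off + 16:off + 16 + incl_len]
        if len(data) < incl_len:  # the writer (e.g. RawCap) has not finished this record yet
            break
        off += 16 + incl_len
        yield ts_sec + ts_frac / (1e9 if nanos else 1e6), linktype, data


def summarize_flows(pcap):
    """Count IPv4 TCP/UDP packets per (src, sport, dst, dport, proto) 5-tuple."""
    flows = Counter()
    for _ts, linktype, data in iter_packets(pcap):
        parsed = parse_ipv4(data[link_header_len(linktype):])
        if parsed:
            src, dst, proto, sport, dport = parsed
            flows[(src, sport, dst, dport, proto)] += 1
    return flows


# --- constructed sample capture (not real traffic; IP/TCP/UDP checksums left at zero) ---
def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload


def build_sample_pcap(linktype):
    """A TCP SYN 127.0.0.1:50000->8080 and a UDP datagram :50001->5353, framed per linktype."""
    link = {LINKTYPE_NULL: struct.pack("<I", 2),                              # AF_INET, LE host order
            LINKTYPE_ETHERNET: b"\x00" * 12 + b"\x08\x00"}.get(linktype, b"")  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 50000, 8080, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    udp = struct.pack("!HHHH", 50001, 5353, 12, 0) + b"ping"
    packets = [link + _ipv4("127.0.0.1", "127.0.0.1", 6, tcp),
               link + _ipv4("127.0.0.1", "127.0.0.1", 17, udp)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap(LINKTYPE_NULL)
    for flow, n in summarize_flows(data).most_common():
        print(n, *flow)
```

Run it as `python3 loopback_flows.py dumpfile.pcap` to get a packet count per 5-tuple; with no argument it runs on the constructed sample. Note that it rejects pcapng (magic 0a0d0d0a), which is Wireshark's default save format, so export as classic pcap if you want to feed a Wireshark-saved file through it.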

Udara S.S Liyanage

Updated on August 09, 2020

Comments

  • Udara S.S Liyanage
    Udara S.S Liyanage over 3 years

    I wrote a simple server app in C which runs on localhost. How to capture localhost traffic using Wireshark?

  • feuGene
    feuGene about 12 years
    ciphor, have you successfully done this? this is in direct contradiction to cnicutar's answer.
  • ciphor
    ciphor about 12 years
    yes, I've done it successfully.
  • GWLlosa
    GWLlosa over 11 years
    I tried this, and found that it worked very well.
  • GWLlosa
    GWLlosa over 11 years
    feuGene's answer actually does work.
  • cnicutar
    cnicutar over 11 years
    @GWLlosa Yup. You can use the local address of your machine.
  • GWLlosa
    GWLlosa over 11 years
    I found it was not sufficient to simply put your own IP in wireshark instead of loopback; adding the route was necessary for it to work in my situation.
  • schlamar
    schlamar over 11 years
    And how? Didn't get it working.
  • antiduh
    antiduh almost 11 years
    I got this to work all the same on Win 7. Device Manager -> Add Legacy Hardware -> I'll pick -> Networking -> Microsoft -> Loopback adapter. Once it's installed, configure it with an IP address of your choosing. Then: reinstall Wireshark so that it will reinstall the capture driver on the new interface - this must be performed any time you add new interfaces to Windows, loopback or real.
  • vantrung -cuncon
    vantrung -cuncon over 10 years
    Does not work on Win 7 32-bit.
  • sudo
    sudo about 10 years
    Thanks. On OS X, the loopback interface is lo0. Choosing en1 or whatever your default is won't work, it seems.
  • koustubh
    koustubh almost 10 years
    Followed @antiduh instructions on Win 7 and while I did see some netbios queries, I did not see HTTP traffic on localhost.
  • developer747
    developer747 almost 9 years
    For setting up the loopback adapter on Windows 7, I found this youtube video useful. youtube.com/watch?v=KsWICPPO_N8
  • hsluoyz
    hsluoyz over 8 years
    Please try Npcap: github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (nmap.org), so please report any issues on Nmap's development list (seclists.org/nmap-dev).
  • jsalter
    jsalter over 8 years
    This doesn't seem to work on Windows 8 - I can see the loopback adapter in Wireshark, and its IP functions as a loopback, but no traffic is logged.
  • KCD
    KCD over 7 years
    Option #1 from Wireshark's documentation: Starting from Windows Vista: Npcap is an update of WinPcap using NDIS 6 Light-Weight Filter (LWF), done by Yang Luo for the Nmap project during Google Summer of Code 2013 and 2015. Npcap has added many features compared to the legacy WinPcap.
  • Richard Kiefer
    Richard Kiefer about 7 years
    The Wireshark Wiki mentions issues with this adapter, e.g. "but it will not work on the 127.0.0.1 IP addresses; it will take its own IP address".
  • vibhu
    vibhu about 7 years
    no setup required and was quite simple.
  • Richard Kiefer
    Richard Kiefer almost 7 years
    For me the essential part was to start the second cmd command with some delay, otherwise Wireshark could not read the .pcap file. Presumably, because there needs to be some recorded traffic in it to start with.
  • Richard Kiefer
    Richard Kiefer almost 7 years
    And you can have Wireshark read RawCap's output instantly, giving you live capturing. See my answer for details.
  • 7stud
    7stud almost 7 years
    OSX 10.10.5, Wireshark 2.2.6: I chose Loopback lo0 for the Capture, but when I used TCP sockets to send data between a client and server, the Wireshark window remained completely blank. I tried it several times--nothing. Then I typed tcp into the "Apply a display filter" textbox, and voila! Data appeared. On successive TCP transmissions, I didn't have to type anything for a filter.
  • Wayne Phipps
    Wayne Phipps about 6 years
    You can download the installer from here: nmap.org/npcap
  • Jan Smrčina
    Jan Smrčina about 6 years
    It is good to know that NPcap has some license limitations for use in business environments.
  • ZAB
    ZAB almost 6 years
    Instead of reinstalling wireshark just restart the driver in command prompt net stop npf && net start npf
  • fider
    fider over 5 years
    This should be accepted answer (it is enough to run cmd2 from git bash)
  • Christopher Maynard
    Christopher Maynard over 4 years
    An update: Netresec just announced today (Jan 30, 2020) a new version of RawCap that now supports writing to a pipe or to stdout. So as of today, the solution provided above can be simplified as follows, with no tail required: RawCap.exe -q 127.0.0.1 - | Wireshark.exe -i - -k You can read more about the new RawCap features on the RawCap Redux announcement page here: netresec.com/?page=Blog&month=2020-01&post=RawCap-Redux