This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can Wireshark capture local host traffic on Windows?

1
1

I'm using Visual Basic 2010 for client/server authentication. I want the information that is transferred during that time between client and server. Is it possible that Wireshark is able to display it?

This question is marked "community wiki".

asked 27 Jan '14, 19:54

vikramd

edited 29 Jan '14, 08:21

cmaynard ♦♦


3 Answers:

3

While the Loopback wiki page does mention RawCap, it perhaps should expand on its use. For example, if you want to view live traffic in Wireshark, you can still do it by running RawCap from one command-line and running Wireshark from another. Assuming you have Cygwin's tail available, this could be accomplished using something like so:

cmd1: RawCap.exe -f 127.0.0.1 dumpfile.pcap

cmd2: tail -c +0 -f dumpfile.pcap | Wireshark.exe -k -i -

answered 29 Jan '14, 08:12

cmaynard ♦♦

Couldn't a pipe be used?

(29 Jan '14, 08:29) grahamb ♦

Ideally, but in practice, it doesn't work ... at least not in my testing. Perhaps the Netresec folks would be willing to modify RawCap to be able to write to a pipe though.

(29 Jan '14, 08:41) cmaynard ♦♦

An update: Netresec just announced today (Jan 30, 2020) a new version of RawCap that now supports writing to a pipe or to stdout. So as of today, the solution provided above can be simplified as follows, with no tail required:

RawCap.exe -q 127.0.0.1 - | Wireshark.exe -i - -k

You can read more about the new RawCap features on the RawCap Redux announcement page.

(30 Jan '20, 11:22) cmaynard ♦♦
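
For readers without Cygwin's tail, the following added example (not part of the original answers, and not RawCap or Wireshark code) does the job of `tail -c +0 -f` for a classic pcap file in Python, forwarding only complete packet records to stdout. It assumes the capture file can be opened for reading while it is still being written, as tail does; the script name follow_pcap.py is hypothetical.

```python
import struct, sys, time

PCAP_HDR_LEN = 24  # classic pcap global header
REC_HDR_LEN = 16   # per-packet header: ts_sec, ts_frac, incl_len, orig_len

def byte_order(global_hdr):
    """Map the pcap magic number to a struct byte-order character."""
    magic = global_hdr[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):  # usec / nsec, little-endian
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # usec / nsec, big-endian
        return ">"
    raise ValueError("not a classic pcap file (pcapng is not handled)")

def whole_records(buf, order):
    """Length of the longest prefix of buf that holds only complete records."""
    pos = 0
    while pos + REC_HDR_LEN <= len(buf):
        incl_len = struct.unpack_from(order + "I", buf, pos + 8)[0]
        end = pos + REC_HDR_LEN + incl_len
        if end > len(buf):
            break  # the writer has not finished this record yet
        pos = end
    return pos

def follow(path, out, poll=0.2, max_idle=None):
    """Stream a growing pcap to `out`; returns bytes left in an unfinished record.
    max_idle=None follows forever, like `tail -f`."""
    pending, order, idle = b"", None, 0.0
    with open(path, "rb") as f:
        while max_idle is None or idle < max_idle:
            chunk = f.read(65536)
            if not chunk:  # at end of file: wait for the capture tool to append
                time.sleep(poll)
                idle += poll
                continue
            idle, pending = 0.0, pending + chunk
            if order is None:
                if len(pending) < PCAP_HDR_LEN:
                    continue
                order = byte_order(pending)
                out.write(pending[:PCAP_HDR_LEN])
                pending = pending[PCAP_HDR_LEN:]
            n = whole_records(pending, order)
            out.write(pending[:n])
            out.flush()
            pending = pending[n:]
    return len(pending)

if __name__ == "__main__":
    # Usage (file name from the answer): python follow_pcap.py dumpfile.pcap | Wireshark.exe -k -i -
    follow(sys.argv[1], sys.stdout.buffer)
```
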

0

Assuming that your client and server are on the same machine and your OS is Windows (as you're using VB), then Wireshark, or more precisely WinPcap, can't easily capture such traffic.

See the Wiki page on Loopback capturing for more info.

answered 28 Jan '14, 01:24

grahamb ♦

0

I realize that this is an old question and this site is no longer the active Wireshark Q&A site, but for the benefit of anyone who happens to find this question looking for a solution to loopback capturing on the Windows platform, another solution is to use Npcap instead of WinPcap, which newer versions of Wireshark now ship with by default. Npcap provides an "Adapter for loopback traffic capture" that Wireshark can directly capture from, just like any other local interface. Npcap is also mentioned on the Loopback wiki page.

answered 30 Jan '20, 11:31

cmaynard ♦♦