This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing traffic from Loopback adapter on Windows 7 64 bit

0

N.B. I've already read this one - http://ask.wireshark.org/questions/29211/how-can-wireshark-capture-local-host-traffic-on-windows

I'm running Windows 7 65bit SP1 under VMWare Fusion and I've two applications that communicating via HTTP over 127.0.0.1:8888

Try as I might I seem unable to capture the traffic between the two applications (using winpcap 4.1.3 and Wireshark 1.10.5)

I've installed an configured the Loopback adapter as per VMWare's instructions - http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004779

I've also tried configuring it as per the recipe on Wireshark wiki page - http://wiki.wireshark.org/CaptureSetup/Loopback

I've also tried using RawCap but that fails to launch and I get pointed to http://support.microsoft.com/kb/2715633 I've got .Net framework 3.5 installed (which seems to imply it includes .Net 2.0)

If push comes to shove I've got a 32bit install on Windows somewhere I could use as a temporary measure but wondering if anyone has any suggestions for where to go next.

asked 30 Jan '14, 02:25

andydavies's gravatar image

andydavies
1112
accept rate: 0%

edited 30 Jan '14, 11:11

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237

2 Answers:

0

IMHO the simplest answer here is to use Network MonitorMessage Analayzer from Microsoft to capture the traffic, then use Wireshark to inspect the captures.

Update: After the tests from Kurt below and my own tests on Network Monitor 3.4 it appears that the MS capture applications can't capture localhost traffic either.

answered 30 Jan '14, 02:41

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 30 Jan '14, 08:08

While Message Analyzer is indeed able to capture local traffic, there are two main problems.

  • the GUI itself is incredible slow and it often gets stuck for a few seconds, at least on my system (there is almost nothing installed on that system) !?!?
  • When I save the captured local traffic as a 'cap' file (the only export file type), I get a file that looks pretty strange: http://cloudshark.org/captures/b72d280b7ec6 (should be: 127.0.0.1:* -> 127.0.0.1:445). Changing the encapsulation type does not help either, as there is no valid ethernet frame, maybe because there is no ethernet frame at all in Message Analyzer for that kind of traffic as well!?! Possible reason: I had to use the 'Firewall' Network, as that was the only one that reported/captured local (localhost) traffic to/from 127.0.0.1. The so called 'Local Link Layer' captured only 'external' traffic. But, when I exported that one (Local Link Layer) as a 'cap' file, I was able to read it in Wireshark, as there were valid frames: eth:ip:tcp etc.

So, currently Message Analyzer is (for me)

  • a nice try of M$
  • worse than Network Monitor
  • slow
  • unstable
  • Probably a help, if you need to monitor other 'messages' on a windows system, besides network traffic.

Nevertheless, I will have a closer look. Maybe the problems I've found are just Layer 8 problems ;-))

(30 Jan '14, 07:48) Kurt Knochner ♦

I would suspect that localhost traffic doesn't have an ethernet frame as it never gets as far as the NIC.

You've made me check with NM 3.4, and I can't make it capture localhost traffic on Win7. Now I'm doubting I have ever done that. I'll amend my answer.

(30 Jan '14, 08:06) grahamb ♦

I would suspect that localhost traffic doesn't have an ethernet frame as it never gets as far as the NIC.

Yeah, that was basically what I also found in a Network Monitor blog as an explanation why NW is not able to capture local traffic :-)

Unfortunately I lost the link and I'm unable to find it again :-(

(30 Jan '14, 08:18) Kurt Knochner ♦

0

I've got .Net framework 3.5 installed (which seems to imply it includes .Net 2.0)

I've got .Net 4.5.1 installed on my Win7 64 Bit SP1. RawCap works. So, maybe there is something wrong with your .Net installation.

Please run the following command to check if there is a .net 2.0 installed in your system.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

You should see something like this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0

then run

dir \%windir\%\Microsoft.NET\Framework\v*

You should see something like:

Directory of C:\Windows\Microsoft.NET\Framework

1.11.2010  04:31    [DIR]          v1.0.3705
4.07.2009  04:20    [DIR]          v1.1.4322
7.01.2014  15:51    [DIR]          v2.0.50727
1.11.2010  08:06    [DIR]          v3.0

++ UPDATE ++
You can also try to ‘repair’ the .Net installation. I’ve never used that tool!!

http://support.microsoft.com/kb/2698555

Additionally, please check if the .Net Framework is enabled

Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off

If there is no ‘check mark’ for ‘Microsoft .Net Framework 3.5.x’, that might also explain your problems with RawCap.

Regards
Kurt

answered 30 Jan ‘14, 03:33

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 30 Jan ‘14, 04:31

The date on the v2 directory is interesting, implies that it was a recent addition, or maybe a recent update.

See also this blog entry on .Net version detection.

(30 Jan ‘14, 03:57) grahamb ♦

v2 directory is interesting

maybe just due to a recent windows update, containing a v2 patch….

(30 Jan ‘14, 04:15) Kurt Knochner ♦

These look OK to me, and the repair tool doesn’t seem to make any difference - perhaps it’s just something really odd about our corporate install

reg query “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0

dir %windir%\Microsoft.NET\Framework\v*

21/11/2010  03:31    v1.0.3705
14/07/2009  03:20    v1.1.4322
30/01/2014  10:20    v2.0.50727
12/04/2011  07:38    v3.0
12/12/2013  09:42    v3.5
30/01/2014  10:21    v4.0.30319
(30 Jan ‘14, 05:43) andydavies

what is the error message, when you run RawCap?

(30 Jan ‘14, 06:17) Kurt Knochner ♦

perhaps it’s just something really odd about our corporate install

RawCap requires local Admin rights. Do you have that in your corp environment?

Is there any security software installed on your system, like AV, IDS, VPN client, Endpoint Security (Symantec seems to block network related tools pretty often)?

(30 Jan ‘14, 06:20) Kurt Knochner ♦

I’ve just tried it on the Win7 32 bit box I’ve got an it works fine so I’m going to capture the traffic there!

Thanks for you help

(30 Jan ‘14, 06:28) andydavies

Got to the bottom (ish) of it - I’d put RawCap.exe into /Windows/System32 and for some reason it doesn’t like it in there

Get SHIM_NOVERSION_FOUND error - http://support.microsoft.com/kb/2715633

Run it from another folder and it’s fine

(30 Jan ‘14, 10:23) andydavies
1

Thanks for the update.

Just for the records: system32 is where 64bit binaries are expected by windows on a 64bit system. Sounds strange? Yes it is… See the following links

http://blogs.msdn.com/b/joshwil/archive/2004/03/11/88280.aspx
http://blogs.stonesteps.ca/showpost.aspx?pid=4

As rawcap is a 32bit application, it might have confused the .Net loader.

(30 Jan ‘14, 10:52) Kurt Knochner ♦

Cool - I hadn’t thought of that

(30 Jan ‘14, 13:20) andydavies

Hint: If a supplied answer resolves your question can you please “accept” it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(30 Jan ‘14, 13:27) Kurt Knochner ♦
showing 5 of 10 show 5 more comments