This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

observe localhost UDP packet

0

Hello everyone, I'd like to observe UDP packets which transit inside the same network card (in my case a virtual ethernet adapter) between 2 IP addresses declared on the same card. Is there any option to activate in Wireshark to observe them? Thx

EDIT: I'd like to update this post to find a solution to be able to capture my UDP packets online. RawCap saves the packets into a .pcap file that is opened in Wireshark after recording. That's not what I want. I've already tried the Windows Loopback adapter and the Npcap loopback adapter, but I'm still not able to see any packets in Wireshark; maybe I don't configure my sender/receiver IP address correctly.

To sum up my purpose: I want to see the packets exchanged between 2 different static IP addresses defined on the same virtual network card.

Thk

asked 24 Oct '16, 06:50

1422959828

edited 28 Nov '16, 08:33

sindy


One Answer:

0

Local loopback capture works well on Linux and macOS, but not so well on Windows, simply capture from the loopback interface (usually lo or lo0).

On Windows, there are various kludgy options with the Microsoft Loopback adaptor which doesn't work too well in my experience, or use npcap (a new experimental replacement for WinPcap) which creates a separate loopback interface to capture on.

answered 24 Oct '16, 07:08

grahamb ♦

Thank you, I'm on Windows, and I've tried the npcap solution, but I'm still not able to see packets with Wireshark. I've declared 2 IP addresses on the npcap loopback adapter card, and sent UDP packets from one to the other and observed with Wireshark on this card: no UDP packets.

(24 Oct '16, 07:17) 1422959828
1

Another option that may or may not work:

http://www.netresec.com/?page=RawCap

(24 Oct '16, 07:20) Bob Jones

You should not "declare" IP addresses on the npcap loopback adaptor, whatever that means. If your UDP packets are sent to a local IP (configured on another interface) or directly to 127.0.0.1 (or ::1), then they will "appear" on the Npcap Loopback adaptor.

(24 Oct '16, 07:28) grahamb ♦

@grahamb: I've already tried to declare my 2 addresses on the virtual network card and spy on the loopback card, always nothing. The Netresec solution seems to be working for me. But it's an offline tool.

(24 Oct '16, 07:47) 1422959828

I don't understand your comment about "declaring my 2 addresses on the virtual network card", normally you don't need to declare additional addresses just to capture local loopback traffic.

When you install npcap, it creates a new NIC, "npcap Loopback adaptor", if you capture on this NIC, then it shows all "local" traffic. If you then ping the local host by name, or "localhost" or an IP configured on another NIC, e.g. your wired or wireless NIC, or 127.0.0.1 or ::1 then you should see the ICMP echo requests and replies. The same will also hold true for applications that attempt to send data to one of those names or addresses.

Can you please edit your question and provide more information about your system, e.g. what NICs do you have (list them with dumpcap -D) and what IP addresses you have assigned to those NICs?

(24 Oct '16, 09:10) grahamb ♦

I'm running Windows 10 Enterprise Version 1511 (OS Build 10586.494) 64-bit with npcap v0.10r9, and I can't capture loopback traffic either with it. For now, I still use RawCap for this purpose.

(24 Oct '16, 09:30) cmaynard ♦♦

@grahamb: My purpose is to see the communication between address A (ex: 10.10.10.10) and address B (ex: 10.10.10.9) that are declared on the same adapter (a virtual adapter). Both A and B could be UDP sender or receiver.

(24 Oct '16, 09:31) 1422959828

I've just tested this on both a Win10 physical machine and a Win 10 VM (using Virtualbox) and other colleagues have used npcap loopback capture (although probably not UDP) on Win 7 at least.

Have you tried a basic ping to 127.0.0.1, and then to either of the IP's on the virtual NIC adaptor?

(24 Oct '16, 10:08) grahamb ♦

Hello everyone, I'd like to update this post to find a solution to be able to capture my UDP packets online. RawCap saves the packets into a .pcap file that is opened in Wireshark after recording. That's not what I want. I've already tried the Windows Loopback adapter and the Npcap loopback adapter, but I'm still not able to see any packets in Wireshark; maybe I don't configure my sender/receiver IP address correctly.

To sum up my purpose: I want to see the packets exchanged between 2 different static IP addresses defined on the same virtual network card.

Thk

(28 Nov '16, 08:23) 1422959828

You're talking about a "virtual network card", so presumably that means the network adapter is on a virtual machine. Are you running Wireshark (or TShark) on the guest machine or the host machine?

(28 Nov '16, 18:40) Guy Harris ♦♦

I found the solution with Npcap: the option "compatibility with Winpcap" should be checked during installation to be able to see packets with Wireshark online.

(29 Nov '16, 01:11) 1422959828

Hi @1422959828

  1. Wireshark will use WinPcap first when both WinPcap and Npcap exist. So if you want to use Npcap in Wireshark, please uninstall WinPcap before using it.
  2. Wireshark supports Npcap with or without "compatibility with Winpcap" option. The "compatibility with Winpcap" option installs two drivers: npf driver and npcap driver. For better performance, please install Npcap without that option. So Npcap will only install the npcap driver.

(29 Nov '16, 17:20) Yang Luo
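
A self-check for the scenario discussed in this thread, as an added example that is not part of the original posts: it sends marked UDP datagrams from one local address to another and reports what the receiver got, which separates "the traffic never flowed" from "the capture did not see it". The function name `udp_probe`, the payload marker and the 127.0.0.1 defaults are assumptions; pass the two addresses from the question (e.g. 10.10.10.10 and 10.10.10.9) once they are configured on the host.

```python
import socket
import sys


def udp_probe(src_ip, dst_ip, port=0, count=3, timeout=2.0):
    """Send `count` marked datagrams from src_ip to dst_ip on this host.

    Returns (port, received); received is a list of (payload, sender_ip)
    tuples as seen by the receiving socket.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    received = []
    try:
        rx.bind((dst_ip, port))      # port 0: let the OS pick a free port
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        tx.bind((src_ip, 0))         # force the source address of the datagrams
        for seq in range(count):
            tx.sendto(b"LOOPBACK-PROBE %d" % seq, (dst_ip, port))
        for _ in range(count):
            try:
                payload, (sender_ip, _sport) = rx.recvfrom(2048)
            except socket.timeout:
                break                # nothing more arrived in time
            received.append((payload, sender_ip))
    finally:
        tx.close()
        rx.close()
    return port, received


if __name__ == "__main__":
    # Usage: python udp_probe.py <source-ip> <destination-ip>
    src, dst = sys.argv[1:3] if len(sys.argv) >= 3 else ("127.0.0.1", "127.0.0.1")
    port, got = udp_probe(src, dst)
    # The printed expression can be used as a Wireshark display filter.
    print(f"udp.port == {port}: {len(got)} datagram(s) delivered")
    for payload, sender in got:
        print(f"  {sender} -> {dst}: {payload!r}")
```

Start the capture on the loopback interface first, then run the script; if it reports delivered datagrams that the capture does not show, the problem is on the capture side rather than in the sender/receiver addressing.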