60

I am looking for a sniffer that can work with the loopback address in Windows.

So far, I found Microsoft Network Monitor which is a nice tool, but for localhost it's useless because on Windows, localhost packets don't pass through the regular network stack, so they're invisible to an ethernet sniffer like MS Network Monitor.

How do you debug applications that send data in the loopback mechanism? Any good (open source) sniffers that can work with localhost?

UPDATE: If you have experience with a tool, it would be nice to have a short description for future reference

Kara
citn
  • 1
    Please try Npcap: https://github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (http://nmap.org/), so please report any issues on Nmap's development list (http://seclists.org/nmap-dev/). – hsluoyz Aug 25 '15 at 13:02

5 Answers

60

I was faced with this issue and got nowhere after a lot of research. Basically all available sniffers rely on the network driver stack, and Windows doesn't expose localhost calls through it.

What I ended up using was a tool called SocketSniffer, which peeks at Winsock's calls and monitors TCP and UDP socket connections. It helped me debug an application problem that only occurred in Win 2k3.

Its download site is at http://www.nirsoft.net/utils/socket_sniffer.html

Note that this no longer works in Windows 8. Microsoft Message Analyzer is now capable of sniffing loopback traffic out of the box. Official blog post here: Link

Glorfindel
Rafael Nobre
  • 2
    Yes, now I see my localhost packets. Thank you for the sniffer tool. I will add it to my debugging "toolbox". – citn Jan 15 '10 at 07:25
  • doesn't see some system processes (ie, smtp server) – Robert Ivanc Jan 10 '11 at 14:31
  • 1
    This is very useful. But for more in-depth analysis you can use RawCap + Wireshark. See [Erik's answer](http://stackoverflow.com/questions/1566234/sniffer-for-localhost-windows-os/5610692#5610692). – Lawrence Dol May 05 '11 at 22:01
  • Actually: "The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista). If you only wanna sniff from localhost/loopback (127.0.0.1) though, then newer version of Windows actually works better than the old XP. When sniffing from localhost in Windows XP you will only be able to capture UDP and ICMP traffic, and not TCP. But TCP, UDP and ICMP packets can all be sniffed properly from localhost on both Windows Vista as well as Windows 7." (From http://www.netresec.com/?page=RawCap) – Adam Nofsinger Dec 14 '11 at 15:55
  • 1
    I've tested it (SocketSniff) on Windows 2008 R2; it can capture the address 127.0.0.1 but not localhost. – zhaorufei Jun 13 '12 at 10:51
  • Doesn't work for me on Windows 8 `Failed to start the socket sniffer: Error code: 65521 This error may occur if the socket dll in the selected process is not initialized` – My-Name-Is May 29 '13 at 10:56
  • Does not work anymore with W8 – singe3 Jul 02 '15 at 08:02
  • 3
    Microsoft Message Analyzer is now capable of sniffing loopback traffic out of the box. Official blog post here: http://blogs.msdn.com/b/winsdk/archive/2014/08/15/rejoice-we-can-now-capture-loopback-traffic.aspx – S.Richmond Sep 03 '15 at 14:28
  • 1
    Microsoft Message Analyzer did it very well for me... Didn't know this software :) – Onsokumaru Jul 28 '17 at 11:43
  • New download URL for Message Analyzer: https://www.microsoft.com/en-us/download/details.aspx?id=44226 – yallie Aug 25 '17 at 18:21
34

There is a new tool available for Windows that can capture loopback / localhost network traffic. It is called RawCap and is available here: http://www.netresec.com/?page=RawCap

Just start RawCap like this to sniff the loopback interface: `RawCap.exe 127.0.0.1 localhost.pcap`

You can then open localhost.pcap in Wireshark or any other pcap analyzer to look at the captured traffic.

Btw. not only is RawCap able to sniff loopback traffic on Windows, it can also sniff your WiFi interface as well as PPP interfaces such as 3G/UMTS connections.

Erik
  • 3
    Note though: "The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista). If you only wanna sniff from localhost/loopback (127.0.0.1) though, then newer version of Windows actually works better than the old XP. When sniffing from localhost in Windows XP you will only be able to capture UDP and ICMP traffic, and not TCP. But TCP, UDP and ICMP packets can all be sniffed properly from localhost on both Windows Vista as well as Windows 7." – Adam Nofsinger Dec 14 '11 at 15:57
  • 2
    I've noticed that I can only capture UDP packets, and TCP SYN packets under Windows 7 x86-64 using RawCap, for what it's worth - which makes it useless. – Tyson Apr 22 '12 at 14:06
  • I've tested it on Windows 2008 R2; it cannot capture traffic via HTTP URLs of localhost and 127.0.0.1 – zhaorufei Jun 13 '12 at 10:50
  • @Tyson I'm getting all TCP packets on Windows 7 64-bit with RawCap. Perhaps there was a bug in the version you used at the time? – Brad Apr 27 '14 at 14:13
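
A quick check of a loopback capture for the symptoms reported in the comments above (UDP only, or TCP limited to SYN packets) before opening it in an analyzer. This is an added example, not part of the original answers; it assumes a classic pcap file with a raw-IP link type, and the function names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

RAW_IP_LINKTYPES = {101, 12}  # assumption: bare IP packets, no Ethernet header

def pcap_records(data):
    """Yield each packet's bytes from a classic pcap file held in memory."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype not in RAW_IP_LINKTYPES:
        raise ValueError(f"link type {linktype} is not raw IP")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def summarize(data):
    """Return (packets per protocol, TCP packets that are not a bare SYN)."""
    protos, tcp_beyond_syn = Counter(), 0
    for pkt in pcap_records(data):
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            protos["other"] += 1
            continue
        ihl = (pkt[0] & 0x0F) * 4
        proto = {1: "icmp", 6: "tcp", 17: "udp"}.get(pkt[9], "other")
        protos[proto] += 1
        if proto == "tcp" and len(pkt) >= ihl + 14:
            if (pkt[ihl + 13] & 0x3F) != 0x02:  # flags other than SYN alone
                tcp_beyond_syn += 1
    return dict(protos), tcp_beyond_syn

# --- constructed sample data (127.0.0.1 to 127.0.0.1, checksums left at zero) ---
def ipv4(proto, payload):
    lo = bytes([127, 0, 0, 1])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, lo, lo) + payload

def tcp(flags):
    return ipv4(6, struct.pack("!HHIIBBHHH", 50000, 8080, 0, 0, 0x50, flags, 8192, 0, 0))

def make_pcap(packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

UDP = ipv4(17, struct.pack("!HHHH", 5000, 5001, 8, 0))
FULL = make_pcap([tcp(0x02), tcp(0x12), tcp(0x10), tcp(0x18), UDP])
SYN_ONLY = make_pcap([tcp(0x02), UDP])
```

For a real file, pass `open("localhost.pcap", "rb").read()` to `summarize`; a TCP count with zero packets beyond SYN means the capture missed the rest of the conversation.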
6

I believe you can do http://localhost./ (note the period at the end) to force localhost packets through the regular network stack.

This works for getting HTTP to be recognized by a tool like Fiddler - not sure about other protocols.

Michael Gattuso
  • 1
    With Fiddler, you can also simply use http://ipv4.fiddler Of course, the OP didn't mention if he wants to see HTTP(S) traffic. – EricLaw Oct 16 '09 at 00:26
  • I didn't know that, thanks for the info Eric. It looks like this only works when fiddler is running though, correct? – Michael Gattuso Oct 16 '09 at 12:32
  • Yes, "ipv4.fiddler" is implemented by Fiddler, so it only resolves when Fiddler is running. – EricLaw Oct 22 '09 at 16:28
3

I had such an issue when I wanted to monitor traffic on localhost after setting up SelfSSL on it. After searching for other useful tools, I found Fiddler somehow suitable for my issue. You should try Fiddler for HTTP and HTTPS.

Hope this helps you!

-4

I would recommend Wireshark, it can attach to any network device and offers some nice utilities to analyze the traffic, plus it is free software.

psychoschlumpf
  • plus wireshark is available for Windows, Mac OSX (Intel and PPC) and Linux -- we use it all the time (well, monthly at least). – OldTroll Oct 14 '09 at 13:40
  • I found an interesting remark on http://wiki.wireshark.org/CaptureSetup/Loopback: "You can add a virtual network card called Microsoft Loopback Adapter, but in most cases that might not give results as expected either.". So, this means it has some drawbacks. Anyway, it looks promising. – citn Oct 14 '09 at 13:50
  • 4
    I can't see a thing with Wireshark when it comes to localhost. – mackenir Nov 10 '09 at 12:25
  • 9
    Wireshark doesn't work for the loopback address under Windows as requested by the O.P. – Nick Feb 14 '11 at 12:33
  • 2
    Using the LoopBack Adapter did not work at all for me. I ended up using RawCap to capture and WireShark to analyze. – Lawrence Dol May 05 '11 at 22:12
  • 2
    Wireshark supports loopback capture when used in conjunction with NPcap. – Gerald Combs Nov 16 '17 at 18:35