31

(This is a followup to my previous question about measuring .NET remoting traffic.)

When I am testing our Windows service / service controller GUI combination, it is often most convenient to run both pieces on my development box. With this setup, the remoting traffic between the two is via loopback, not through the Ethernet card.

Are there any software packet sniffers that can capture loopback traffic on a WinXP machine? Wireshark is a great package, but it can only capture external traffic on a Windows machine, not loopback.

McKenzieG1
  • 2
    This has been answered well here: http://stackoverflow.com/questions/1566234/sniffer-for-localhost-windows-os/2066819#2066819 – Ohad Schneider Mar 02 '10 at 14:49

7 Answers

25

What you should do is to run RawCap, which is a sniffer that can capture traffic to/from the loopback interface in Windows. Just start it with "RawCap.exe 127.0.0.1 loopback.pcap".

You can then open up loopback.pcap in Wireshark or NetworkMiner to look at the network traffic.

You can find RawCap here: http://www.netresec.com/?page=RawCap

Good Luck!

Erik
  • Interesting option. Too bad they wait to the bottom of the description page to tell you: "this doesn't work on Vista or Win7 - use XP"! – McKenzieG1 Apr 11 '11 at 15:54
  • 2
    @McKenzieG1: I just used RawCap on my Win 7 x64 machine to capture 127.0.0.1 traffic - so if there was a limitation to XP it's gone now. – Lawrence Dol May 05 '11 at 21:48
  • 2
    Actually: "The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista). If you only wanna sniff from localhost/loopback (127.0.0.1) though, then newer version of Windows actually works better than the old XP. When sniffing from localhost in Windows XP you will only be able to capture UDP and ICMP traffic, and not TCP. But TCP, UDP and ICMP packets can all be sniffed properly from localhost on both Windows Vista as well as Windows 7." – Adam Nofsinger Dec 14 '11 at 15:57
  • Does not support IPv6 thus doesn't work with Windows 10. – Shaun Luttin Jul 20 '16 at 23:55
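
As an added example (not part of the original answers or of RawCap itself): a Python check that a capture such as loopback.pcap really contains TCP, since the comments above report that raw-socket capture from localhost on Windows XP yields only UDP and ICMP. It assumes a classic microsecond-resolution .pcap with a raw-IP or Ethernet link type; the function names and the sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101  # link types this sketch accepts


def count_ipv4_protocols(pcap_bytes):
    """Count IPv4 packets per transport protocol in a classic .pcap image."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("unrecognised pcap magic (pcapng is not handled)")
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0]
    if linktype not in (LINKTYPE_ETHERNET, LINKTYPE_RAW):
        raise ValueError("unsupported link type %d" % linktype)
    counts, offset = Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, offset + 8)[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if linktype == LINKTYPE_ETHERNET:
            if len(frame) < 14 or frame[12:14] != b"\x08\x00":
                continue  # not IPv4 (e.g. ARP or IPv6)
            frame = frame[14:]
        if len(frame) < 20 or frame[0] >> 4 != 4:
            continue  # truncated record or not IPv4
        counts[PROTO.get(frame[9], "other")] += 1
    return counts


def capture_has_tcp(pcap_bytes):
    """True if at least one IPv4/TCP packet was captured."""
    return count_ipv4_protocols(pcap_bytes)["TCP"] > 0


def build_sample_pcap(protocol_numbers):
    """Constructed sample: raw-IP pcap holding one bare IPv4 header per entry."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for proto in protocol_numbers:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 128, proto, 0,
                         b"\x7f\x00\x00\x01", b"\x7f\x00\x00\x01")
        out += struct.pack("<IIII", 0, 0, len(ip), len(ip)) + ip
    return out
```

To check a real capture, pass `open("loopback.pcap", "rb").read()` to `capture_has_tcp`; a `False` result for a TCP-based protocol such as .NET remoting over a TCP channel means the capture method missed the traffic of interest.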
12

I second the Microsoft Network Monitor (though this link works better at the time of writing) suggestion from Thomas Owens. Also, this post suggests that to get the loopback address, try doing:

route add <Your Machine's IP> <Your Router's IP>

This takes locally-generated packets for the local interface and sends them off to your router... which sends them back.

NOTE: To get your machine back to normal operation, make sure you delete the route when you're finished using:

route delete <Your Machine's IP>

Peter K.
  • 1
    +1 - This worked perfectly, I can now use NetMonitor. To add the route I entered this command in the Command Prompt window (my machine's IP is 192.168.64.222, and the gateway's is 192.168.64.1). route ADD 192.168.64.222 MASK 255.255.255.255 192.168.64.1 – Dunk May 03 '12 at 21:07
  • 1
    This worked great for me. To remove the route just use `route delete `. – sourcenouveau Sep 18 '12 at 20:06
  • 1
    +1 This worked for me as well using Wireshark! You should consider modifying your answer to recommend removing that route when you're done. Perhaps add a `route delete ` command sample. – Drew Chapin Oct 15 '13 at 19:08
  • @Zv_oDD : It saved my bacon on a couple of occasions! Glad it was of some use. :-) – Peter K. Jan 20 '16 at 12:55
  • Wow. Anyone care to explain the recent downvote?!?! – Peter K. Jul 16 '17 at 10:50
9

There is a page on the Wireshark wiki that addresses the problem. Short answer is, you can't do it on a Windows machine, but there might be some workarounds.

Eric Z Beard
  • 2
    Yes you can, using RawCap to capture and Wireshark to analyze the captured data. I have done this under Windows 7 today. See [Erik's](http://stackoverflow.com/questions/46376/windows-packet-sniffer-that-can-capture-loopback-traffic/5610667#5610667) answer – Lawrence Dol May 05 '11 at 21:50
  • 1
    RawCap is a great tool. Unfortunately, it works only with IPv4. It doesn't support IPv6 as of Apr 2014. – Jaywalker Apr 20 '14 at 22:06
3

I'm not sure if it can or not, but have you looked at Microsoft Network Monitor? It might be an option.

Thomas Owens
  • 1
    I [downloaded](http://www.microsoft.com/en-us/download/details.aspx?id=4865) it but it did not capture packets I sent to my machine's IP address. – sourcenouveau Sep 18 '12 at 20:03
2

If you don't care to pay, try this: CommView

It seems to work, however the Evaluation version doesn't display the complete packets.

andrecarlucci
2

Did you try to install the MS Loopback Adapter and try sniffing on that adapter with your favorite sniffing application?

Also, if I remember correctly, NAI Sniffer link did use to have loopback sniffing capabilities, but it's been a while since I used either solution...

SilverViper
0

You should definitely try Npcap, it works perfectly with Wireshark to capture loopback traffic in Windows, see here: https://wiki.wireshark.org/CaptureSetup/Loopback

hsluoyz