15

Can any data exchanged on a local machine using the loopback IP 127.0.0.1 (localhost) be packet sniffed if the PC is also connected to a network (wireless or landline)?

Would like to know if the loopback, as a means of interprocess communication for locally running processes, can be regarded as a secure means of exchanging data (i.e., not privy to ease-dropping by anyone that resides externally on the network with a packet sniffer program).

This question is being asked in respect to all the pertinent OS platforms:

  • Win2K/WinXP
  • Vista
  • Windows 7
  • Mac OS X
  • Linux
George Stocker
  • 57,289
  • 29
  • 176
  • 237
RogerV
  • 3,826
  • 4
  • 28
  • 32

6 Answers6

25

Yes, this is secure. As VBNight stated, the traffic never hits the wire or air.

But, you can actually sniff localhost traffic on your local machine. For example on my linux box I did the following:

sudo tcpdump -i lo

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
15:29:58.056585 IP localhost.56010 > localhost.16001: S 3572335637:3572335637(0) win 32792 <mss 16396,sackOK,timestamp 132126218 0,nop,wscale 6>
15:29:58.056604 IP localhost.16001 > localhost.56010: R 0:0(0) ack 3572335638 win 0
15:29:59.026016 IP localhost.41664 > localhost.41664: UDP, length 1
15:29:59.026346 IP localhost.41664 > localhost.41664: UDP, length 1
15:29:59.126838 IP localhost.41664 > localhost.41664: UDP, length 1
15:29:59.127486 IP localhost.41664 > localhost.41664: UDP, length 1

So, you can use it to sniff your own traffic/IPC messages, but nobody else can see it on the network.

This is a very common case in systems to use a protocol like TCP or UDP for local IPC over the lo interface.

Steve Lazaridis
  • 2,210
  • 1
  • 15
  • 15
  • 2
    Can you sniff localhost traffic as non-root too? For instance, cuold non-root user A snif non-root user B's loopback IPC data? – kralyk Nov 29 '12 at 10:41
  • @kralyk no. `tcpdump: lo: You don't have permission to capture on that device (socket: Operation not permitted)` – sourcejedi Jan 26 '16 at 16:48
  • @kralyk, you need to have root permissions in order to put a network interface in promiscuous mode. try sudo tcpdump -i lo – Steve Lazaridis Jan 26 '16 at 18:23
15

It should be safe from packet sniffing off the network because the traffic never goes on the wire (or airwaves).

A process on that local machine could sniff the packets tho.

VBNight
  • 1,744
  • 14
  • 12
  • +1. But why bother sniffing on the same machine? If it's on the same machine and you can hijack the loopback you probably already have root. Just read the process memory directly :) – JaredPar Feb 06 '09 at 20:25
  • I've been told that Windows loopback traffic would not be visible on the network, but then I've heard Linux loopback was implemented differently and might be prone to being sniffed on the network. Hence trying to see what the collective wisdom of the crowd says. :-) – RogerV Feb 06 '09 at 20:26
  • 3
    I'm not personally aware of any issue with linux sending loopback packets over the network. (How would it get those packets back with every device having the same loopback address?) – VBNight Feb 06 '09 at 20:30
2

You can use RawCap (a raw socket sniffer) to sniff localhost traffic in Windows. RawCap will create a pcap file that you can load into Wireshark, NetworkMiner or whatever you'd like.

You'll find more info on this StackOverflow thread: Sniffer for localhost (Windows OS)

Community
  • 1
  • 1
Erik
  • 21
  • 1
1

I'm pretty sure that popular packet sniffers can't sniff the loopback interface (a cause of much grief and annoyance when debugging stuff on localhost).

Assaf Lavie
  • 73,079
  • 34
  • 148
  • 203
0

The loopback interface can be regarded as secure with respect to the external network. It isn't secure within the same host.

chaos
  • 122,029
  • 33
  • 303
  • 309
0

The answers so far are correct, but I will phrase it a different way. It is possible to sniff the loopback adapter communications on the localhost itself, but it usually requires special drivers depending on the operating system. Loopback communications is safe from external sniffers though.

I have had cases where I needed to sniff loopback communications and it was not easy to setup, but it was possible (at least on Windows and I would bet so with Linux as well).

Ryan
  • 7,835
  • 2
  • 29
  • 36