
Setup:

  • I have client C connecting to server S
  • Both C and S are on the same machine
  • In C the server address is hardcoded to 127.0.0.1. Likewise, in S the client address is hardcoded to 127.0.0.1

Problem: I want to be able to sniff the traffic between the client and the server.

  • Due to the configuration, I cannot move the client nor the server to different locations (the addresses are hardcoded)
  • Installing the loopback interface and using tools like Wireshark+WinPcap doesn't lead anywhere (was actually already known but was worth a try)
  • RawCap, suggested in another topic, doesn't work. IP 127.0.0.1 is listed, but does not record any traffic.
  • Using rinetd to route the traffic elsewhere, as suggested here doesn't work (cannot bind on 127.0.0.1)
  • Not interested in using an HTTP local proxy, such as Fiddler, because I'd like to capture also other protocols
  • Two commercial tools work, specifically CommView and Local Network Monitor, which means it must be possible to do that ;)

What can I do to capture the traffic? Any pointer on functions I should use or documentation I should read?

Thanks!

Jir

2 Answers


Use RawCap, which can solve your concerns, see this

xlecoustillier
  • Not actually working. As I wrote in the description, in RawCap IP 127.0.0.1 is listed, but does not record any traffic. – Jir Jan 27 '13 at 13:49

Basically you need to write a TDI filter driver to achieve that... for some pointers see:

Another option is to write a WinSock LSP.

BEWARE
Since Windows 8 it is strongly encouraged to use WFP (Windows Filtering Platform) for this sort of thing...

Although it might be more cost-effective to just use/buy an existing solution - esp. if you are not a very experienced driver developer...

Yahia
  • Thanks for the pointers. I guess this is the best answer I have received so far, including answers IRL too :) – Jir Jan 27 '13 at 13:50