Is there a way to get wireshark to capture packets sent from/to localhost on Windows?

Question

Is there a way to get wireshark to capture packets sent from/to localhost?

When I monitor traffic going from my computer to another, or from another computer to my computer, then it works. But from localhost to localhost does not register anything.

Please try Npcap: https://github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (http://nmap.org/), so please report any issues on Nmap's development list (http://seclists.org/nmap-dev/). — hsluoyz, Aug 25 '15 at 13:50

score 23 · Accepted Answer · edited Dec 01 '16 at 05:31

23

There's a WIKI Entry about exactly this issue on the wireshark homepage.

They also mention specifics about the loopback interface regarding Windows - you could be running just into that.

You can't capture on the local loopback address 127.0.0.1 with a Windows packet capture driver like WinPcap.

edited Dec 01 '16 at 05:31

Nicolas Raoul

1,314
7
22
43

answered Jun 09 '09 at 22:45

Martin M.

6,428
2
24
42

Care to elaborate why this is getting voted down? – Martin M. Jun 09 '09 at 22:48
I did not vote down but probably because even basic questions that have easily findable solutions are encouraged on this site and stackoverflow.com. The answer is good but the tone is not. Consider editing it and I think it will be voted up. – Brian R. Bondy Jun 09 '09 at 22:53
I'm sorry I'm not a native english speaker (guess I'm not the only one). I'll try to think about that in the future. – Martin M. Jun 09 '09 at 22:55
+1 for knowing and adding the link. – l0c0b0x Jun 09 '09 at 23:00
Upvote, good answer/link and Je comprends :) – Greg Meehan Jun 10 '09 at 01:30
2

Might want to add the quick quote "You can't capture on the local loopback address 127.0.0.1 with a Windows packet capture driver like WinPcap." from the linked page to save us the suspense... – andersoj May 28 '12 at 11:44

score 6 · Answer 2 · answered Jun 09 '09 at 22:55

6

In Wireshark you need to choose the lo0 interface... not En0 or En1.

Go to:

Show the capture options
Under "Interface" choose: lo0
Capture and you'll see a bunch of 127.0.0.1 communication

answered Jun 09 '09 at 22:55

l0c0b0x

11,697
6
46
76

on windows, of course, i dont believe you can do that without somehow adding a loopback interface manually. – djangofan Apr 21 '10 at 22:02
yes, the document said: `you can capture on the loopback interface on Linux, on various BSDs including Mac OS X, and on Digital/Tru64 UNIX, and you might be able to do it on Irix and AIX, but you definitely cannot do so on Solaris, HP-UX, or Windows.` – Allan Ruin Mar 19 '14 at 06:43
On OSX yosemite this worked! – James111 Oct 08 '15 at 23:19
Yes, for most Linux. – Anton Apr 13 '22 at 18:12

score 4 · Answer 3 · answered Feb 20 '13 at 08:37

4

you can use RawCap Application to capture loopback packets and save them in a pcap file ... and then you can open it using Wireshark

answered Feb 20 '13 at 08:37

Amr Thabet

41
1

score 1 · Answer 4 · answered Jun 09 '09 at 22:54

1

You want to run wireshark on the "lo" interface or on "any".

With tshark or tcpdump you can use the -i option:

# tcpdump -i any port http

(This is mostly applicable to Linux)

answered Jun 09 '09 at 22:54

David Pashley

23,151
2
41
71

score 1 · Answer 5 · answered Aug 25 '15 at 13:50

Please try Npcap: https://github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (http://nmap.org/), so please report any issues on Nmap's development list (http://seclists.org/nmap-dev/).

Is there a way to get wireshark to capture packets sent from/to localhost on Windows?

5 Answers5

Linked

Related