RawCap and Wireshark: How to capture and analyze local traffic from host machine to itself

Wireshark is an incredible resource when it comes to capturing and analyzing network packets or traffic. Unfortunately, on Windows, Wireshark is unable to capture packets or traffic sent from a host machine to that same host machine. This is due to the fact that such local traffic is not sent over a real network interface, but instead (in many cases) is sent over a “loopback interface”. Loopback traffic can be captured on a variety of operating systems including Linux, BSD (including MacOS), however loopback traffic cannot be captured on Windows, Solaris, and HP-UX. In this post we will address how to capture local traffic on Windows and how to analyze that traffic using Wireshark.

Before we get started, it’s worthwhile to point out that Wireshark uses libpcap to capture live network data. libpcap is a library present on most modern UN*X platforms. On Windows, Wireshark uses WinPcap which is a version of libpcap for Windows. WinPcap is not present in vanilla Windows installations, but fear not, the Wireshark installation simplifies this by prompting to also install WinPcap. Packet capture tools like Wireshark also typically allow you to save packet capture data to a file. These files have general have the extension .pcap, although .cap and .dmp are also common extensions.

The reason Wireshark cannot capture loopback traffic on Windows, is in part due to the fact that Winpcap relies on the network driver stack. On Windows, this stack does not expose localhost calls.

So, What do we do?

We can use a raw packet analyzer, for example RawCap. RawCap can sniff any interface that has an IP address, including 127.0.0.1 (localhost/loopback). RawCap also enables you to save captured traffic as .pcap file! This means we can still use Wireshark to analyze our captures! Awesome!!

Using RawCap is easy simply execute C:\> RawCap.exe

Here is an example RawCap run:
RawCap

Once you complete the packet capture using RawCap, the contents are stored in a .pcap file e.g. dumpfile.pcap

We can then analyze the pcap file using Wireshark:
Wireshark

Voila! We’ve capture localhost traffic.

Thank you!

You may also like...

3 Responses

  1. Yang Luo says:

    Please try Npcap: https://github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (http://nmap.org/), so please report any issues on Nmap’s development list (http://seclists.org/nmap-dev/).

  2. Johnson says:

    Thanks it worked 🙂 Able to capture Localhost Packets in Windows 7 using Npcap and Wireshark.

  3. I have not been able to get Npcap to capture from 127.0.0.1 on wireshark. there is very little help or documentation on what I need to do to get it to work but it did not work right after install and reboot.

Leave a Reply