Wireshark is an incredible resource for capturing and analyzing network traffic. Unfortunately, on Windows, Wireshark is unable to capture traffic sent from a host machine to that same host machine. Such local traffic is not sent over a real network interface; instead, in many cases, it is sent over a “loopback interface”. Loopback traffic can be captured on a variety of operating systems, including Linux and BSD (including macOS); however, it cannot be captured on Windows, Solaris, and HP-UX. In this post we will address how to capture local traffic on Windows and how to analyze that traffic using Wireshark.
Before we get started, it’s worthwhile to point out that Wireshark uses libpcap to capture live network data. libpcap is a library present on most modern UN*X platforms. On Windows, Wireshark uses WinPcap, which is a version of libpcap for Windows. WinPcap is not present in vanilla Windows installations, but fear not: the Wireshark installer simplifies this by prompting you to also install WinPcap. Packet capture tools like Wireshark also typically allow you to save packet capture data to a file. These files generally have the extension .pcap, although .cap and .dmp are also common extensions.
Wireshark cannot capture loopback traffic on Windows in part because WinPcap relies on the network driver stack. On Windows, this stack does not expose localhost calls.
So, what do we do?
We can use a raw packet analyzer, for example RawCap. RawCap can sniff any interface that has an IP address, including 127.0.0.1 (localhost/loopback). RawCap also enables you to save captured traffic as a .pcap file! This means we can still use Wireshark to analyze our captures! Awesome!!
Using RawCap is easy; simply execute
Once you complete the packet capture using RawCap, the contents are stored in a .pcap file, e.g. dumpfile.pcap.
Voila! We’ve captured localhost traffic.
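Before opening a capture in Wireshark, it can be useful to confirm that the .pcap file really contains loopback traffic. The following is an added example, not part of the original post or of RawCap: it parses the classic pcap format and lists TCP/UDP packets whose source and destination are both loopback addresses. The function names `loopback_flows` and `build_sample` are hypothetical, the sample capture is constructed, and the code assumes the file uses link type Raw IP (101) or Ethernet (1).

```python
import ipaddress
import struct

LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101  # assumption: only these two are handled

def loopback_flows(pcap_bytes):
    """Return (proto, src, sport, dst, dport) for each loopback TCP/UDP packet."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # file written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype not in (LINKTYPE_ETHERNET, LINKTYPE_RAW):
        raise ValueError(f"unhandled link type {linktype}")
    flows, off = [], 24       # 24-byte global header, then packet records
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_ETHERNET:
            if pkt[12:14] != b"\x08\x00":   # keep IPv4 frames only
                continue
            pkt = pkt[14:]                  # strip the Ethernet header
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
        if proto not in (6, 17) or len(pkt) < ihl + 4:
            continue
        if src.is_loopback and dst.is_loopback:
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            flows.append(("TCP" if proto == 6 else "UDP", str(src), sport, str(dst), dport))
    return flows

def build_sample():
    """Constructed capture: one loopback TCP SYN and one non-loopback UDP packet."""
    def ipv4(proto, src, dst, payload):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                          ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        return hdr + payload
    tcp = struct.pack("!HHIIBBHHH", 50000, 8080, 0, 0, 0x50, 0x02, 8192, 0, 0)
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    pkts = [ipv4(6, "127.0.0.1", "127.0.0.1", tcp), ipv4(17, "192.168.0.5", "192.168.0.1", udp)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for p in pkts:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out
```

To check a real capture, pass the file's bytes, for example `loopback_flows(open("dumpfile.pcap", "rb").read())`; an empty list means no loopback TCP/UDP packets were recorded.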