20/7/2014 CaptureSetup/Loopback - The Wireshark Wiki

Loopback capture setup


The following will explain capturing on loopback interfaces a bit.

If you are trying to capture traffic from a machine to itself, that traffic will not be sent over a real network interface,
even if it's being sent to an address on one of the machine's network adapters. This means that you will not see it if
you are trying to capture on, for example, the interface device for the adapter to which the destination address is
assigned. You will only see it if you capture on the "loopback interface", if there is such an interface and it is
possible to capture on it; see the next section for information on the platforms on which you can capture on the
"loopback interface".

Supported Platforms

See CaptureSetup/NetworkMedia for Wireshark capturing support on various platforms. Summary: you can
capture on the loopback interface on Linux, on various BSDs including Mac OS X, and on Digital/Tru64 UNIX,
and you might be able to do it on Irix and AIX, but you definitely cannot do so on Solaris, HP-UX, or Windows.

Windows

IP 127.0.0.1

You can't capture on the local loopback address 127.0.0.1 with a Windows packet capture driver like WinPcap. The
following page from "Windows network services internals" explains why: The missing network loopback interface.

You can, however, use a raw socket sniffer like RawCap to capture localhost network traffic in Windows. Read
more here: http://www.netresec.com/?page=Blog&month=2011-04&post=RawCap-sniffer-for-Windows-released

IP other

You can add a virtual network card called Microsoft Loopback Adapter, but in most cases that might not give results
as expected either.

This adapter is available from Microsoft:

Microsoft: How to install the Microsoft Loopback Adapter in Microsoft Windows Server 2003
Microsoft: How to install the Microsoft Loopback adapter in Windows XP
Microsoft: How To Install Microsoft Loopback Adapter in Windows 2000

... and is quite different than the ones available for various UN*X systems. This adapter is a virtual network
adapter you can add, but it will not work on the 127.0.0.1 IP addresses; it will take its own IP address. BTW: You
can only add one Loopback Adapter to the system!

Beware: Capturing from this Loopback Adapter requires the WinPcap 3.1 release; 3.1 beta versions won't
work!

Let's suppose you have set the IP address of the loopback adapter to 10.0.0.10 and are capturing on that interface.
If you ping to this 10.0.0.10 address the ping will get ping replies, but you won't see any of this traffic in
Wireshark (much like the 127.0.0.1 problem). If you ping on 10.0.0.11, you won't get ping replies as there is
obviously no remote host, but you will see the corresponding ARP requests in Wireshark.

The only benefit I can see so far is if you use it with colinux (and probably other PC virtualization software) to
capture the traffic between Windows and the virtual machine. - UlfLamping

Recipe (to capture traffic on ms loopback adapter / Windows XP): --- by mitra

1. go to MS Loopback adapter properties, set IP 10.0.0.10, MASK 255.255.255.0
2. ipconfig /all and look at the MAC-ID for your new adapter.
3. arp -s 10.0.0.10 <MAC-ID>
4. route add 10.0.0.10 10.0.0.10 mask 255.255.255.255
5. to test: "telnet 10.0.0.10"

I am now using the loopback adapter to capture traffic that I source into a Dynamips/Dynagen virtual router
network. This is a potentially very useful tool/feature that I will be testing further in the weeks to come. As it
stands, I can connect my loopback adapter to a virtual router interface and capture ping, arp, etc. In the near future,
I hope to tie a server w/ a loopback adapter to a virtual router and then capture a full client/server type of exchange
across a Dynamips/Dynagen emulated network. -- Scott Vermillion

NOTE: To get to the Microsoft Loopback Adapter Properties: Start -> Settings -> Control Panel -> System ->
Device Manager -> Network Adapters and right click Microsoft Loopback Adapter to select Properties. -- saran

Commercial Alternatives

A commercial network sniffer called CommView (from TamoSoft) allows you to capture packets on the
localhost network adapter but it dissects fewer protocols, so you can capture packets with CommView and save
them into a file and open it with Wireshark.
Local Network Monitor 3.2
Atelier Web Ports Traffic Analyzer

Other Alternatives

Add a route to your local machine going through the network gateway:

route add <your_IP> mask 255.255.255.255 <the_gateway> metric 1

with <your_IP> being different from 127.0.0.1. It has to be the address shown in the IP address field of the
ipconfig output, and <the_gateway> has to be the default gateway field taken from the ipconfig /all output.

With this route in place, all network traffic from your machine to itself will use the physical network interface:
it will go to the gateway and then back to you. Therefore, you will see each packet twice, but the duplicates can
be filtered out in the view.

Be careful, since your machine will use the actual network to talk to itself, it may overload the network. It may be
wise to remove the new route once you are done with the tests:

route delete <your_IP>
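
An added example, not part of the original wiki page: with the gateway route above, the two sightings of a packet are not byte-identical (the Ethernet header is rewritten, and a forwarding gateway decrements the TTL and recomputes the IPv4 header checksum), so this Python code pairs them on everything else and keeps only the outgoing copy. The MAC addresses, the address 192.0.2.10, the function names and the assumption that the gateway forwards the packet otherwise unchanged are all made up for the example.

```python
import struct

HOST_MAC, GW_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed

def ip_checksum(header: bytes) -> int:     # Internet checksum (RFC 1071)
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, ttl, ident, data):
    """Constructed sample: Ethernet II / IPv4 / UDP from the host to itself."""
    addr = bytes([192, 0, 2, 10])          # documentation address, stands in for <your_IP>
    udp = struct.pack("!HHHH", 40000, 9000, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, ttl, 17, 0, addr, addr)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + udp

def hairpin_key(frame: bytes):
    """Return (key, ttl); key is equal for both sightings of one IPv4 packet."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None, None                  # not IPv4 over Ethernet II: always kept
    ip = bytearray(frame[14:])             # Ethernet header is rewritten per hop
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        return None, None
    ttl = ip[8]
    ip[8] = 0                              # TTL is decremented by the gateway
    ip[10:12] = b"\x00\x00"                # checksum is recomputed after that
    return bytes(ip[:total_len]), ttl      # slicing also drops Ethernet padding

def drop_hairpin_copies(frames):
    """Keep the outgoing sighting, drop the copy the gateway sent back."""
    pending, kept = {}, []
    for frame in frames:
        key, ttl = hairpin_key(frame)
        if key is not None and pending.pop(key, None) == ttl + 1:
            continue                       # matched pair: discard the returning copy
        if key is not None:
            pending[key] = ttl             # remember the TTL of this sighting
        kept.append(frame)
    return kept

SAMPLE = [                                 # constructed capture, in arrival order
    build_frame(GW_MAC, HOST_MAC, 128, 1, b"hello"),   # leaves towards the gateway
    build_frame(HOST_MAC, GW_MAC, 127, 1, b"hello"),   # comes back with TTL - 1
    build_frame(GW_MAC, HOST_MAC, 128, 2, b"world"),
    build_frame(HOST_MAC, GW_MAC, 127, 2, b"world"),
]
```

A packet seen twice with the same TTL (for example a genuine retransmission) is kept, because only a copy whose TTL is exactly one lower is treated as the returning sighting.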

Proxocket - A Winsock Proxy Sniffer: Written by Luigi Auriemma, this great tool appears to be a Layered
Service Provider that can be used to capture calls between an application and the Winsock functions in
Windows. By doing this, one is able to effectively capture loopback traffic on a per-process basis.

My own experience with proxocket is as follows: After installing the ws2_32.dll from proxocket into a directory
containing 3 binaries that communicate with each other over the loopback interface and starting them all up, it
generated 3 separate capture files, one for each process, which I was then able to merge together into a single
capture file using mergecap. After filtering out the duplicate packets in the file, which contained the source IP
address of 0.0.0.0, I had a pretty good capture file containing loopback traffic on Windows. Some packets were
clearly ordered incorrectly, but it was easy enough for me to spot them and tell what was going on.

While certainly not as good/easy as capturing loopback traffic on a *NIX platform, prior to using RawCap, this
was the best way for me to obtain loopback traffic on Windows. Having said that, after using RawCap, I don't see
why anyone would want to use this.

Setup localhost capturing from powershell

Recipes and explanation are here.

This is translated from French, based on the method described here.

See Also

Capturing on Ethernet Networks
Capturing on 802.11 Wireless Networks
Capturing on Token Ring Networks
Capturing on VLAN Protected Networks
Capturing on PPP Networks
Capturing on Frame Relay Networks
Capturing DOCSIS Traffic
Capturing Bluetooth Traffic
Capturing on ATM Networks
Capturing USB Traffic
Capturing IrDA Traffic
Capturing on Cisco HDLC Networks
Capturing SS7 Traffic

CategoryHowTo

CaptureSetup/Loopback (last edited 2013-10-24 02:34:56 by WilliamMook)

http://wiki.wireshark.org/CaptureSetup/Loopback
