Is there a way to get wireshark to capture packets sent from/to localhost?
When I monitor traffic going from my computer to another, or from another computer to my computer, then it works. But from localhost to localhost does not register anything.
Asked
Active
Viewed 4.1k times
5 Answers
24
There's a WIKI Entry about exactly this issue on the wireshark homepage.
They also mention specifics about the loopback interface regarding Windows - you could be running just into that.
You can't capture on the local loopback address 127.0.0.1 with a Windows packet capture driver like WinPcap.
Nicolas Raoul
- 1,404
serverhorror
- 6,538
6
In Wireshark you need to choose the lo0 interface... not En0 or En1.
Go to:
- Show the capture options
- Under "Interface" choose: lo0
- Capture and you'll see a bunch of 127.0.0.1 communication
l0c0b0x
- 12,187
5
you can use RawCap Application to capture loopback packets and save them in a pcap file ... and then you can open it using Wireshark
Amr Thabet
- 51
2
Please try Npcap: https://github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (http://nmap.org/), so please report any issues on Nmap's development list (http://seclists.org/nmap-dev/).
hsluoyz
- 121
- 2
1
You want to run wireshark on the "lo" interface or on "any".
With tshark or tcpdump you can use the -i option:
# tcpdump -i any port http
(This is mostly applicable to Linux)
David Pashley
- 23,963