NPCap and Windows 10


I am trying to capture traffic to 127.0.0.1 on a Windows 10 computer with Wireshark. I have installed NPCap but it does not appear to be capturing that traffic.

Looking at the interface options in Wireshark for the loopback adapter, I see it has an IPv4 address of 0.0.0.0. Is this correct and, if so, how do I capture the localhost traffic?

Thanks, Sid

2

There are 2 best solutions below

0
On BEST ANSWER

It seems the way to capture localhost traffic for use with Wireshark is to use "RawCap" and then examine the captured data in Wireshark.

RawCap.exe may be downloaded from here -> http://www.netresec.com/?page=RawCap

Sid

0
On

Wireshark used to be installed with Winpcap behind the scenes, but Winpcap, to my knowledge, never supported packet capture over localhost. And of course, Winpcap has not been updated since 2013 IIRC.

Npcap, which is the supported replacement for Winpcap, does support localhost packet capture. And since Wireshark now delivers Npcap instead of Winpcap, it is capable of capturing and displaying packets captured on localhost.

To use the functionality, open Wireshark. At the bottom of the opening screen, there should be an "Adapter for loopback traffic capture." Double-click that, and you're off!

Two quick points.

  1. I'm using Wireshark v3.2.7.

  2. Packets captured off the loopback adapter do not start with an Ethernet frame, for example. They start with what Wireshark calls a Null/Loopback header. It is a 4-byte header that typically has a value of 2 in big-endian order. Read more here.

HTH
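As an added example (not part of either answer above): a Python decoder for the 4-byte Null/Loopback header mentioned in the second answer, followed by the IPv4 header that comes after it. It accepts the address-family value in either byte order; the function names and the sample frame are constructed for illustration.

```python
import socket
import struct

AF_INET = 2  # address-family value the answer mentions for IPv4
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed part of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("bad IPv4 header length")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "protocol": proto, "ttl": ttl, "total_length": total_len}


def parse_null_loopback(frame: bytes) -> dict:
    """Decode a Null/Loopback frame: 4-byte family, then the IP packet."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the 4-byte Null/Loopback header")
    big = struct.unpack(">I", frame[:4])[0]
    little = struct.unpack("<I", frame[:4])[0]
    # A real family value is small, so the plausible byte order is the one
    # that yields the smaller number (2 rather than 0x02000000).
    family, order = (big, "big") if big < little else (little, "little")
    result = {"family": family, "byte_order": order, "payload": frame[4:]}
    if family == AF_INET:
        result["ipv4"] = parse_ipv4(frame[4:])
    return result


def build_sample(order: str) -> bytes:
    """Constructed frame: 127.0.0.1 -> 127.0.0.1, protocol 6, empty TCP header."""
    lo = socket.inet_aton("127.0.0.1")
    ip = struct.pack(IPV4_FMT, 0x45, 0, 40, 1, 0, 128, 6, 0, lo, lo)
    return struct.pack(">I" if order == "big" else "<I", AF_INET) + ip + bytes(20)


if __name__ == "__main__":
    for order in ("little", "big"):
        print(parse_null_loopback(build_sample(order)))
```

A frame whose first four bytes do not decode to family 2 is returned with its raw payload only, so non-IPv4 loopback traffic is reported rather than misparsed.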