How to capture loopback traffic using Wireshark and RawCap. Windows quick tutorial.
If you are trying to capture traffic from a machine to itself, that traffic will not be sent over a real network interface, even if it’s being sent to an address on one of the machine’s network adapters. This means that you will not see it if you are trying to capture on.
How to do it
- Install Wireshark (https://www.wireshark.org/download.html)
- Download RawCap util (https://www.netresec.com/?page=rawcap)
- Start RawCap (as administrator) and let it write PCAP data to a named pipe called “RawCap”:
  RawCap.exe 127.0.0.1 \\.\pipe\RawCap
- Open Wireshark, go to the “Manage Interfaces” section and add a new pipe for \\.\pipe\RawCap
- Then come back to the main menu and double-click on the new pipe to start capturing
Useful filters
# Filter only port 8732
tcp.port eq 8732
# Monitor only ip 192.168.0.1
ip.addr == 192.168.0.1
# Keywords: "or", "&&", "!=" to concatenate more filters
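
The steps above can also be scripted. The following PowerShell sketch is an added example, not part of the original tutorial: it starts RawCap on the named pipe, then launches Wireshark capturing from that pipe with the port filter already applied. The RawCap location and the Wireshark install path are assumptions; `-i`, `-k` and `-Y` are standard Wireshark command-line options.

```powershell
# Added example. Paths are assumptions, adjust them to your machine.
$RawCap    = 'C:\Tools\RawCap.exe'                       # assumed download location
$Wireshark = 'C:\Program Files\Wireshark\Wireshark.exe'  # assumed install path
$Pipe      = '\\.\pipe\RawCap'                           # pipe name used in the tutorial
$Filter    = 'tcp.port eq 8732'                          # display filter from the tutorial

# RawCap needs raw-socket access, so refuse to continue without elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Fail early with a clear message if either tool is missing.
foreach ($exe in $RawCap, $Wireshark) {
    if (-not (Test-Path -LiteralPath $exe)) { throw "Not found: $exe" }
}

# Start RawCap sniffing 127.0.0.1 and writing PCAP data to the named pipe.
$sniffer = Start-Process -FilePath $RawCap -ArgumentList '127.0.0.1', $Pipe -PassThru

# Give RawCap a moment to create the pipe, then check it is still alive.
Start-Sleep -Seconds 2
if ($sniffer.HasExited) { throw 'RawCap exited before the pipe could be opened.' }

try {
    # -i selects the pipe as the capture interface, -k starts capturing at once,
    # -Y applies the display filter (quoted because it contains spaces).
    $wsArgs = '-k', '-i', $Pipe, '-Y', "`"$Filter`""
    Start-Process -FilePath $Wireshark -ArgumentList $wsArgs -Wait
}
finally {
    # Stop the elevated sniffer when Wireshark closes so it does not keep running.
    if (-not $sniffer.HasExited) { Stop-Process -Id $sniffer.Id }
}
```

Wireshark launched from this script inherits the elevated token of the PowerShell session.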