+2 votes
in General by (8.7k points)
I have server and client socket codes running on my local machine. I want to capture the packets exchanged between the server and client. When I tried to capture using Wireshark, it did not work. Is there any option in Wireshark so that I can capture the localhost traffic? I am running my codes on a Windows machine.

1 Answer

+1 vote
by (17k points)
edited by

I am not sure about the Wireshark options to capture localhost traffic, but you can use RawCap for the localhost traffic. Download RawCap from http://www.netresec.com/?page=RawCap (if not here, search the new URL).

Do the following to capture packets:

1. Go to the folder where you downloaded RawCap and click on the .exe file. A window, like command prompt, will pop up.

2. Type 1 for 'Select interface to sniff'. 1 is for the localhost.

3. Type the name of the pcap file and hit ENTER.

4. You are all set to capture the localhost traffic. Run your server code on one terminal and client code on another terminal.

5. You will see that the "Packets" count is increasing in the RawCap window. Once you are done, close the RawCap window. If you do not close the RawCap window, the pcap file will have 0 bytes.

6. Open the pcap file in Wireshark -> TCP flow -> Select 'Show and save data as "Raw"'. You can see the bytes exchanged between client and server.

7. The text highlighted in red is the data sent from client to server and the text highlighted in blue is the data sent from server to client.

Rawcap seems a bit buggy. If you can't capture packets in one trial, do it a couple of times and the packets will be captured. 

...