Sniffer for localhost (Windows OS) [closed]
5

I am looking for a sniffer that can work with the loopback address in Windows.

So far, I found Microsoft Network Monitor which is a nice tool, but for localhost it's useless because on Windows, localhost packets don't pass through the regular network stack, so they're invisible to an ethernet sniffer like MS Network Monitor.

How do you debug applications that send data in the loopback mechanism? Any good (open source) sniffers that can work with localhost?

UPDATE: If you have experience with a tool, it would be nice to have a short description for future reference

Oeildeboeuf answered 14/10, 2009 at 13:28

Please try Npcap: github.com/nmap/npcap. It is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (nmap.org), so please report any issues on Nmap's development list (seclists.org/nmap-dev). – Shuntwound
61

I was faced with this issue and got nowhere after a lot of research. Basically all available sniffers rely on the network driver stack, and Windows doesn't expose localhost calls through it.

What I ended up using was a tool called SocketSniffer, which peeks at Winsock's calls and monitors TCP and UDP socket connections. It helped me debug an application problem that only occurred on Win 2k3.

Its download site is at http://www.nirsoft.net/utils/socket_sniffer.html

Note that this no longer works in Windows 8. Microsoft Message Analyzer is now capable of sniffing loopback traffic out of the box. Official blog post here: Link

Muckraker answered 14/1, 2010 at 19:11

Yes, now I see my localhost packets. Thank you for the sniffer tool. I will add it to my debugging "toolbox". – Oeildeboeuf
Doesn't see some system processes (i.e., SMTP server). – Burgonet
This is very useful. But for more in-depth analysis you can use RawCap + Wireshark. See Erik's answer. – Surmullet
Actually: "The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista). If you only wanna sniff from localhost/loopback (127.0.0.1) though, then newer version of Windows actually works better than the old XP. When sniffing from localhost in Windows XP you will only be able to capture UDP and ICMP traffic, and not TCP. But TCP, UDP and ICMP packets can all be sniffed properly from localhost on both Windows Vista as well as Windows 7." (From netresec.com/?page=RawCap) – Washery
I've tested it (SocketSniff) on Windows 2008 R2; it can capture the address 127.0.0.1 but not localhost. – Nobell
Doesn't work for me on Windows 8: "Failed to start the socket sniffer: Error code: 65521. This error may occur if the socket dll in the selected process is not initialized". – Soloma
Does not work anymore with W8. – Kemeny
Microsoft Message Analyzer is now capable of sniffing loopback traffic out of the box. Official blog post here: blogs.msdn.com/b/winsdk/archive/2014/08/15/… – Parsimonious
Microsoft Message Analyzer did it very well for me... Didn't know this software :) – Mcdade
New download URL for Message Analyzer: microsoft.com/en-us/download/details.aspx?id=44226 – Irwinirwinn
Microsoft Message Analyzer is dead and gone. This should not be hard. – Endometriosis
34

There is a new tool available for Windows that can capture loopback / localhost network traffic. It is called RawCap and is available here: http://www.netresec.com/?page=RawCap

Just start RawCap like this to sniff the loopback interface: RawCap.exe 127.0.0.1 localhost.pcap

You can then open localhost.pcap in Wireshark or any other pcap analyzer to look at the captured traffic.

Btw. not only is RawCap able to sniff loopback traffic on Windows, it can also sniff your WiFi interface as well as PPP interfaces such as 3G/UMTS connections.

Blaisdell answered 10/4, 2011 at 8:47

Note though: "The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista). If you only wanna sniff from localhost/loopback (127.0.0.1) though, then newer version of Windows actually works better than the old XP. When sniffing from localhost in Windows XP you will only be able to capture UDP and ICMP traffic, and not TCP. But TCP, UDP and ICMP packets can all be sniffed properly from localhost on both Windows Vista as well as Windows 7." – Washery
I've noticed that I can only capture UDP packets, and TCP SYN packets, under Windows 7 x86-64 using RawCap, for what it's worth, which makes it useless. – Katlynkatmai
I've tested it on Windows 2008 R2; it cannot capture traffic via HTTP URLs of localhost and 127.0.0.1. – Nobell
@Katlynkatmai I'm getting all TCP packets on Windows 7 64-bit with RawCap. Perhaps there was a bug in the version you used at the time? – Kt
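The following is an added example, written for this page; it is not code from any of the answers above and not RawCap's or Npcap's code. It shows the mechanism a raw-socket loopback sniffer like RawCap is assumed to use on Windows (a raw IPv4 socket bound to 127.0.0.1 with SIO_RCVALL switched on, run as Administrator), writes what it receives to a standard pcap file, and includes a small portable reader that lists the TCP/UDP flows in such a file, handling both raw-IP records (assumed here to be what RawCap writes; LINKTYPE_IPV4, 228) and the DLT_NULL form (linktype 0, 4-byte address-family header) that the Npcap loopback adapter is assumed to produce. The sample capture it parses is constructed in the script itself, so the analysis half runs offline on any OS.

```python
"""Added example: RawCap-style loopback capture plus a portable pcap reader.

Capture (Windows only, run as Administrator): a raw IPv4 socket bound to
127.0.0.1 with SIO_RCVALL on receives every datagram crossing the loopback
path, IP header included.  Assumed to be RawCap's technique; not its code.
Analysis (any OS): decode IPv4 + TCP/UDP from a pcap whose records are raw
IPv4 (LINKTYPE_IPV4, 228) or DLT_NULL (0, assumed Npcap loopback form).
"""
import socket
import struct
import sys
import time

LINKTYPE_NULL = 0      # 4-byte address-family header precedes each IP packet
LINKTYPE_IPV4 = 228    # records begin directly at the IPv4 header
PCAP_MAGIC_LE = 0xA1B2C3D4


def pcap_global_header(linktype=LINKTYPE_IPV4):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)


def pcap_record(pkt, ts=None):
    ts = time.time() if ts is None else ts
    sec = int(ts)
    return struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(pkt), len(pkt)) + pkt


def sniff_loopback(path, count, addr="127.0.0.1"):
    """Windows-only capture of `count` datagrams to a LINKTYPE_IPV4 pcap."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((addr, 0))                                   # selects the loopback interface
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)        # Windows: deliver all IP traffic
    try:
        with open(path, "wb") as f:
            f.write(pcap_global_header())
            for _ in range(count):
                f.write(pcap_record(s.recv(65535)))
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        s.close()


def parse_ipv4(pkt):
    """Return (src, dst, proto, sport, dport, payload_len), or None if not IPv4 TCP/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    l4 = pkt[ihl:total_len]
    if pkt[9] == 6 and len(l4) >= 20:                   # TCP: data offset in byte 12
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, "tcp", sport, dport, len(l4) - (l4[12] >> 4) * 4
    if pkt[9] == 17 and len(l4) >= 8:                   # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, "udp", sport, dport, len(l4) - 8
    return None


def read_pcap(data):
    """Yield IP packets from pcap bytes, stripping the DLT_NULL family header."""
    magic = struct.unpack("<I", data[:4])[0]
    e = "<" if magic == PCAP_MAGIC_LE else ">"          # byte order from the magic
    linktype = struct.unpack(e + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(e + "IIII", data[off:off + 16])[2]
        rec = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        yield rec[4:] if linktype == LINKTYPE_NULL else rec


def summarize(data):
    """List the TCP/UDP flows in a capture: the first thing a loopback debugger wants."""
    return [p for p in (parse_ipv4(r) for r in read_pcap(data)) if p]


def build_ipv4(proto, sport, dport, payload, src="127.0.0.1", dst="127.0.0.1"):
    """Constructed test packet; checksums left zero (not checked on the loopback path)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4


def build_sample_pcap(linktype=LINKTYPE_IPV4):
    """Constructed capture: one HTTP request over TCP and one UDP datagram on loopback."""
    prefix = struct.pack("<I", 2) if linktype == LINKTYPE_NULL else b""   # AF_INET = 2
    pkts = [build_ipv4(6, 52000, 8080, b"GET / HTTP/1.1\r\n"),
            build_ipv4(17, 53000, 5353, b"hello")]
    return pcap_global_header(linktype) + b"".join(
        pcap_record(prefix + p, 1.0 + i) for i, p in enumerate(pkts))


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.platform == "win32":  # e.g.: sniff.py 20 localhost.pcap
        sniff_loopback(sys.argv[2], int(sys.argv[1]))
        data = open(sys.argv[2], "rb").read()
    else:
        data = build_sample_pcap()
    for src, dst, proto, sport, dport, n in summarize(data):
        print(f"{proto} {src}:{sport} -> {dst}:{dport} {n} payload bytes")
```

Because this is the same raw-socket path the comments above describe, the same caveats apply: it needs Administrator rights, and on Vista/Win7 you may see only one direction or only some TCP segments, exactly as quoted from the RawCap page. The file it writes opens directly in Wireshark, since LINKTYPE_IPV4 is a standard pcap link type. The reader treats every non-zero link type as raw IP, which also covers LINKTYPE_RAW (101); Ethernet-framed captures are out of scope for it.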
6

I believe you can do http://localhost./ (note the period at the end) to force localhost packets through the regular network stack.

This works for getting http to be recognized by a tool like fiddler - not sure about other protocols.

Thirtythree answered 14/10, 2009 at 13:31

With Fiddler, you can also simply use ipv4.fiddler. Of course, the OP didn't mention if he wants to see HTTP(S) traffic. – Milt
I didn't know that, thanks for the info Eric. It looks like this only works when Fiddler is running though, correct? – Thirtythree
Yes, "ipv4.fiddler" is implemented by Fiddler, so it only resolves when Fiddler is running. – Milt
3

I have had such an issue when I wanted to monitor traffic on localhost after setting up SelfSSL on it. After searching for other useful tools, I found Fiddler somehow suitable for my issue; you should try Fiddler for HTTP and HTTPS.

Hope this helps you!

Golconda answered 17/5, 2012 at 23:43

I like Fiddler too! – Fessler
-4

I would recommend Wireshark; it can attach to any network device and offers some nice utilities to analyze the traffic, plus it is free software.

Sacramentalist answered 14/10, 2009 at 13:31

Plus Wireshark is available for Windows, Mac OS X (Intel and PPC) and Linux -- we use it all the time (well, monthly at least). – Firm
I found an interesting remark on wiki.wireshark.org/CaptureSetup/Loopback: "You can add a virtual network card called Microsoft Loopback Adapter, but in most cases that might not give results as expected either." So, this means it has some drawbacks. Anyway, it looks promising. – Oeildeboeuf
I can't see a thing with Wireshark when it comes to localhost. – Upright
Wireshark doesn't work for the loopback address under Windows as requested by the O.P. – Downswing
Using the Loopback Adapter did not work at all for me. I ended up using RawCap to capture and Wireshark to analyze. – Surmullet
Wireshark supports loopback capture when used in conjunction with Npcap. – Deficiency