19

Is there a way to get wireshark to capture packets sent from/to localhost?

When I monitor traffic going from my computer to another, or from another computer to my computer, then it works. But from localhost to localhost does not register anything.

Brian R. Bondy
  • 753
  • 2
  • 10
  • 16

5 Answers5

24

There's a WIKI Entry about exactly this issue on the wireshark homepage.

They also mention specifics about the loopback interface regarding Windows - you could be running just into that.

You can't capture on the local loopback address 127.0.0.1 with a Windows packet capture driver like WinPcap.

Nicolas Raoul
  • 1,334
  • 7
  • 22
  • 43
serverhorror
  • 6,478
  • 2
  • 25
  • 42
  • Care to elaborate why this is getting voted down? – serverhorror Jun 09 '09 at 22:48
  • I did not vote down but probably because even basic questions that have easily findable solutions are encouraged on this site and stackoverflow.com. The answer is good but the tone is not. Consider editing it and I think it will be voted up. – Brian R. Bondy Jun 09 '09 at 22:53
  • I'm sorry I'm not a native english speaker (guess I'm not the only one). I'll try to think about that in the future. – serverhorror Jun 09 '09 at 22:55
  • +1 for knowing and adding the link. – l0c0b0x Jun 09 '09 at 23:00
  • Upvote, good answer/link and Je comprends :) – Greg Meehan Jun 10 '09 at 01:30
  • 2
    Might want to add the quick quote "You can't capture on the local loopback address 127.0.0.1 with a Windows packet capture driver like WinPcap." from the linked page to save us the suspense... – andersoj May 28 '12 at 11:44
6

In Wireshark you need to choose the lo0 interface... not En0 or En1.

Go to:

  • Show the capture options
  • Under "Interface" choose: lo0
  • Capture and you'll see a bunch of 127.0.0.1 communication
l0c0b0x
  • 11,867
  • 7
  • 47
  • 76
  • on windows, of course, i dont believe you can do that without somehow adding a loopback interface manually. – djangofan Apr 21 '10 at 22:02
  • yes, the document said: `you can capture on the loopback interface on Linux, on various BSDs including Mac OS X, and on Digital/Tru64 UNIX, and you might be able to do it on Irix and AIX, but you definitely cannot do so on Solaris, HP-UX, or Windows.` – Allan Ruin Mar 19 '14 at 06:43
  • On OSX yosemite this worked! – James111 Oct 08 '15 at 23:19
  • Yes, for most Linux. – Anton Apr 13 '22 at 18:12
5

you can use RawCap Application to capture loopback packets and save them in a pcap file ... and then you can open it using Wireshark

Amr Thabet
  • 51
  • 1
  • 1
2

Please try Npcap: https://github.com/nmap/npcap, it is based on WinPcap and supports loopback traffic capturing on Windows. Npcap is a subproject of Nmap (http://nmap.org/), so please report any issues on Nmap's development list (http://seclists.org/nmap-dev/).

hsluoyz
  • 121
  • 2
1

You want to run wireshark on the "lo" interface or on "any".

With tshark or tcpdump you can use the -i option:

# tcpdump -i any port http

(This is mostly applicable to Linux)

David Pashley
  • 23,497
  • 2
  • 46
  • 73