0

I'm using procmon to analyze the behavior of a program.
I can see that the program is communicating with another program locally over TCP:

enter image description here

This "Windows Process Monitor" does not log the actual content sent between the two programs. Therefore, I'll use Wireshark and sniff every available capture interface (LAN being where I expect to see the message traffic).

Unfortuntely, Wireshark is not logging any of the traffic that procmon is claiming.

I've tried various filters, and I'm confident that I'm not overlooking the results generated by Wireshark. 

(tcp.port == 60882)
(ip == 127.0.0.1)

Are there reasons Wireshark would be unable to sniff these messages?
Is there anything I can do to see complimentary results between procmon and Wireshark?

Trevor Hickey
  • 36,288
  • 32
  • 162
  • 271
  • I've seen this before, but it was years ago. I believe that you need a special adaptor to see requests in the loopback address. Try searching for wireshark loopback or wireshark localhost. Doh! just realised the question was 3 years old. – Wes Jul 17 '20 at 19:41

1 Answers1

2

If you're looking to sniff loopback traffic on Windows, there are some challenges. Basically, WinPcap, which is the usual packet capture library that Wireshark relies upon to capture packets on Windows, doesn't support this.

The Wireshark CaptureSetup/Loopback wiki page provides some options for you though, the best two options (in my opinion) being to uninstall WinPcap and use npcap instead, or to simply use RawCap for the capturing and then use Wireshark for post-capturing analysis.

You could also use Microsoft's Network Monitor tool or the newer Microsoft Message Analyzer. Both of these tools should be able to capture loopback traffic.

Christopher Maynard
  • 5,702
  • 2
  • 17
  • 23