Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] How to capture http localhost traffic?

From: Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx>
Date: Wed, 9 May 2012 20:25:18 +0200
2012/5/9 Guy Harris <guy@xxxxxxxxxxxx>:
>
> On May 9, 2012, at 1:14 AM, Erik Hjelmvik wrote:
>
>> The best solution is to run RawCap. It's a great command line tool
>> that can capture localhost traffic on Windows machines.
>> You don't even need WinPcap to do it, since it uses raw sockets.
>>
>> http://www.netresec.com/?page=RawCap
>
> ...which means it has both advantages:
>
>> Properties of RawCap:
>>
>>       • Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
>
>                ...
>
>>       • No external libraries or DLL's needed other than .NET Framework 2.0
>>       • No installation required, just download RawCap.exe and sniff
>>       • Can sniff most interface types, including WiFi and PPP interfaces
>
> and *dis*advantages:
>
>> Raw sockets limitations (OS dependent)
>>
>> Due to current limitations in the raw sockets implementations for Windows Vista and Windows 7 we suggest running RawCap on Windows XP. The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista).
>
> So there's a tradeoff between using raw sockets and using NDIS (as both WinPcap and the NetMon driver do).

Yes, while building RawCap I noticed that Microsoft have truely
screwed up the ability to sniff traffic by making vital changes
between various service packs (and OS releases) to what is allowed to
do with raw sockets.

I tried to sort this out with Microsoft without success here:
http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/65ce9bee-897b-4c19-a4c6-4d3da103be44

However, most problems with raw sockets sniffing on Windows are
associated with sniffing traffic on external interfaces. David wanted
to sniff localhost traffic, which should work just fine with RawCap.

/erik

-- 
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec