
Wireshark is not showing HTTP nor HTTPS for a specific IP

I have a web site running on an internal IP, 192.168.1.4 (configured in my hosts file in Windows as www.mydomain.net), on port 5040/5041. I can access it through HTTP or HTTPS locally or remotely using the FQDN www.mydomain.net. Running Wireshark, when I access it remotely from my laptop, I see traffic in the capture screen, but when I try to browse locally (from the same box where the application runs, which has the IP mentioned above), nothing happens in Wireshark; no traffic is captured. Any reason for this, or is there an option to configure? Thanks

eliassal
asked 2021-02-21 17:41:49 +0000

Comments

When you browse locally the packets are probably routed to the application before seen by the capturing mechanism.

Anders (2021-02-21 17:50:50 +0000)

Any option to fix it? But if I understand the OSI model well, it goes through protocols before reaching layer 6/7, no?

eliassal (2021-02-21 18:54:36 +0000)

Have you tried capturing on the loopback interface?
Running Wireshark with the -D option will show a list of available capture interfaces.

Chuckc (2021-02-21 18:59:31 +0000)

You are correct. I chose the loopback and now traffic started to be captured on the IP linked to the HTTPS IP. I am a little bit surprised; why is this? Can you please explain? In fact, when I fire up Wireshark, I already have all interfaces displayed, and I need to choose one of them to start a capture session. I was wondering how I can do a session for several interfaces at the same time.

eliassal (2021-02-21 21:16:59 +0000)

1 Answer


Windows will "short-circuit" a packet that is destined for an IP address that is assigned to a local NIC and this bypasses the capture point in the network stack for the NIC you might have expected it to be sent through.

Npcap provides a "pseudo loopback" NIC named "Adapter for loopback traffic capture" that allows this local traffic to be captured.

The Wireshark UI allows capturing on multiple interfaces by Ctrl + Click on the interfaces of interest; similarly, multiple interfaces can be selected in the capture options dialog.

grahamb
answered 2021-02-22 10:02:11 +0000
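The following PowerShell script is an added example, not part of the original answer. It uses tshark to capture on both the Npcap loopback adapter and the NIC that holds 192.168.1.4, so local and remote requests to ports 5040/5041 land in one file; the tshark install path and the output file name are assumptions.

```powershell
# Added example, not from the thread. Assumes Wireshark in its default
# install path and Npcap installed with its loopback capture adapter.
$tshark = 'C:\Program Files\Wireshark\tshark.exe'   # assumption: default path
$siteIp = '192.168.1.4'                             # address from the question
$ports  = 5040, 5041                                # ports from the question
$output = Join-Path $env:TEMP 'site-capture.pcapng' # assumption: output file

# "tshark -D" prints one line per capture interface, for example:
#   5. \Device\NPF_Loopback (Adapter for loopback traffic capture)
$interfaces = & $tshark -D | ForEach-Object {
    if ($_ -match '^(\d+)\.\s+(\S+)(?:\s+\((.+)\))?$') {
        [pscustomobject]@{
            Index  = $Matches[1]
            Device = $Matches[2]
            Name   = $Matches[3]
        }
    }
}

# Traffic the host sends to its own address only shows up on this adapter.
$loopback = $interfaces |
    Where-Object { $_.Device -like '*Loopback*' -or $_.Name -like '*loopback*' } |
    Select-Object -First 1
if (-not $loopback) { throw 'No Npcap loopback adapter listed by tshark -D.' }

# Requests from other machines arrive on the NIC that owns the site address.
$alias = (Get-NetIPAddress -IPAddress $siteIp -ErrorAction Stop).InterfaceAlias
$nic = $interfaces | Where-Object { $_.Name -eq $alias } | Select-Object -First 1
if (-not $nic) { throw "Interface '$alias' is not listed by tshark -D." }

# A -f given before the first -i is the default capture filter for every
# interface that follows, so both captures keep only the site's ports.
$filter = ($ports | ForEach-Object { "tcp port $_" }) -join ' or '

Write-Host "Capturing on $($loopback.Name) and $($nic.Name); Ctrl+C to stop."
& $tshark -f $filter -i $loopback.Index -i $nic.Index -w $output
```

Open the resulting file in Wireshark; the interface each packet arrived on is recorded per frame, so local and remote sessions can be told apart.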

Comments

Thanks for the explanation

eliassal (2021-02-22 10:07:27 +0000)