How to capture loopback UDP traffic from two programs on port 12050? [closed]


I have Npcap loopback installed and selected. I want to capture UDP traffic from two programs on port 12050. How do I set that up? I'm not having much success. Using Windows 10 64 bit. Wireshark 2.4.6.

W8LIG asked 2018-04-09 19:01:21 +0000
Jaap updated 2018-04-09 19:22:57 +0000

Closed for the following reason "the question is answered, right answer was accepted" by W8LIG 2018-04-13 14:45:37 +0000

Comments

If the two programs talk to each other on that port locally, your capture filter would be udp port 12050 (if you need it at all, there should not be so much traffic that you would really need a capture filter). Can you see any traffic at all if you start the capture on the loopback interface and from another window run "ping 127.0.0.1"?

sindy (2018-04-09 19:15:50 +0000)

I must have something wrong. Using the filter I get no packets even with your suggested ping. If I remove the filter I get some capture but nothing like expected traffic on port 12050 and again doing the ping does not generate any captures. I have the Npcap loopback selected so I don't know if there is something in the way it was installed that is not correct or what. The traffic on this port between the two programs should be consistent every 10 sec or so and I'm not seeing anything like that.

W8LIG (2018-04-10 01:14:50 +0000)

Ok I reinstalled Npcap and now I'm seeing traffic on port 12050. Is there a way in Wireshark to see the data packet in a larger ASCII window? I see the normal Hex and ASCII presentation at the bottom but in this case I'm more interested in the format of the data being passed between the two programs. I can see this at the bottom but it's hard to read. Was hoping for more of a text type presentation.

W8LIG (2018-04-12 13:44:57 +0000)

Technically this is a separate Question, but on this new platform I'm not able to convert a Comment into a Question any more, maybe one of the more privileged admins can tidy up afterwards.

Assuming that no existing dissector can be used for the communication between your applications, the payload of the UDP is probably dissected as data. If so, right-click the Data line in the dissection pane (the middle one), choose Protocol Preferences in the pop-up menu, and click Show data as text.

However, this causes only a single line of text to be shown in the dissection pane. If you need more, you'll have to export the captured packets into a file (apply a display filter udp.port == 12050, go File -> Export Specified Packets -> (o) Displayed, enter the file name etc.) and use tshark to extract the data from that file:

tshark -r your_file ...

sindy (2018-04-13 10:15:49 +0000)
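
An added example, not part of sindy's comment and not Wireshark code: one way to print every UDP payload on port 12050 from an exported capture file as text, written in Python. It assumes the export was saved in the classic pcap format rather than pcapng, and that the Npcap loopback capture uses the 4-byte Null/Loopback link header (link type 0); the function names and the sample datagrams are constructed for illustration.

```python
import struct

PORT = 12050  # UDP port from the question

def build_sample_pcap(datagrams):
    """Constructed sample: classic pcap, link type 0 (DLT_NULL), 127.0.0.1 -> 127.0.0.1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 0)
    lo = bytes([127, 0, 0, 1])
    for i, (dport, data) in enumerate(datagrams):
        udp = struct.pack("!HHHH", 50000, dport, 8 + len(data), 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), i, 0, 128, 17, 0, lo, lo)
        frame = struct.pack("<I", 2) + ip + udp  # 4-byte DLT_NULL header, AF_INET = 2
        out += struct.pack("<IIII", i * 10, 0, len(frame), len(frame)) + frame
    return out

def udp_payloads(pcap, port=PORT):
    """Yield (seconds, sport, dport, payload) for IPv4/UDP packets to or from `port`."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    l2_len = {0: 4, 1: 14}.get(linktype)  # DLT_NULL (loopback) or Ethernet
    if l2_len is None:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(pcap):
        secs, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        ip = pcap[off + 16 + l2_len:off + 16 + caplen]
        off += 16 + caplen
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
            continue  # not IPv4 carrying UDP
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) < ihl + 8:
            continue  # truncated UDP header
        sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
        if port in (sport, dport):
            yield secs, sport, dport, ip[ihl + 8:ihl + ulen]

def as_text(data):
    """Printable ASCII as-is, everything else as '.', like Wireshark's bytes pane."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

if __name__ == "__main__":
    sample = build_sample_pcap([(PORT, b"STATUS id=7 ok\r\n"), (5353, b"other"),
                                (PORT, b"\x01\x02HELLO")])
    for secs, sport, dport, data in udp_payloads(sample):
        print("%5ds %d -> %d  %s" % (secs, sport, dport, as_text(data)))
```

To run it on a real export, read the file in binary mode and pass the bytes to `udp_payloads`.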

Thanks for the reply, I guess I should have updated my question. I managed to find if I right clicked on the capture line and clicked copy, it gave me the option as you point out. For me that is exactly what I was trying to do, so I was able to print out in text the data packet. Thanks!

W8LIG (2018-04-13 14:44:47 +0000)