
Can Wireshark capture traffic exchanged between two programs through TCP ports on the same machine?

As the subject suggests, my question is simply, can Wireshark capture traffic between two programs through TCP ports on the same machine? I am of the opinion that this wouldn't go through the NIC and therefore perhaps it's outside of Wireshark's capabilities. I ask because I have already tried this and my PCAP doesn't appear to contain the packets that I'm interested in. Using NIRSoft's CurrPorts, I can see that one program's listening port has established connections with this other program; however, that program is saying that it can't establish a connection and I'm trying to figure out why. If it's in fact the case that it isn't possible, could someone recommend a program that can capture this traffic? Thank you.

redbox, asked 2023-11-27 12:46:09 +0000

Comments

"I can see that one program's listening port has established connections with this other program"
What are the IP addresses? (Example screenshot: CurrPorts v2.76)

It also helps if you update the question with the output of wireshark -v or Help->About Wireshark:Wireshark to show the versions and operating system.

Chuckc (2023-11-27 12:50:11 +0000)

1 Answer

Yes, select the "Adapter for loopback traffic capture" interface on Windows.

I am of the opinion that this wouldn't go through the NIC and therefore perhaps it's outside of Wireshark's capabilities.

You need the npcap capture library, which is included in Wireshark's Windows installer.
(Given NIRSoft's CurrPorts is used, the OS must be Windows.)

André, answered 2023-12-01 08:16:09 +0000

Comments

(And for those on UN*Xes, you would capture on the loopback interface, called lo on Linux and lo0 on most other UN*Xes.)

Guy Harris (2023-12-01 19:29:44 +0000)

(or by using the any interface.)

André (2023-12-01 19:34:32 +0000)

(or by using the any interface.)

...if you also want traffic on all the other network adapters, not just traffic between two processes on the same host.

(And the any device is only available on Linux and newer versions of macOS; it requires root privileges in macOS, so it would only show up in Wireshark/TShark if dumpcap were made set-UID root, which it isn't by default.)

Guy Harris (2023-12-01 19:43:25 +0000)
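The answer and the comments above give the interface to pick on each OS (the npcap loopback adapter on Windows, lo on Linux, lo0 on other UN*Xes, or any on Linux). The script below is an added example, not code from this thread or from the Wireshark project: it maps the output of `uname -s` to the right loopback interface and builds a tshark command that captures only the TCP port the two local programs talk on, so the resulting pcapng holds just that conversation. Assumptions: tshark is on PATH; the port number and output file name are placeholders; `\Device\NPF_Loopback` is the device name npcap gives its "Adapter for loopback traffic capture" in current releases (the page only names the adapter, so confirm the exact name with `tshark -D`).

```shell
#!/bin/sh
# Added example (not from the Ask Wireshark thread).
# Capture traffic between two processes on the same host by listening on the
# loopback interface rather than the NIC, which never sees that traffic.

# Map an OS name (as printed by `uname -s`) to its loopback capture interface.
# Windows names come from MSYS/Cygwin/Git Bash builds of uname; the device
# name is npcap's loopback adapter (assumption: check `tshark -D` to confirm).
loopback_iface() {
  case "$1" in
    Linux)                         printf '%s\n' 'lo' ;;
    Darwin|FreeBSD|OpenBSD|NetBSD) printf '%s\n' 'lo0' ;;
    MINGW*|MSYS*|CYGWIN*)          printf '%s\n' '\Device\NPF_Loopback' ;;
    *)                             return 1 ;;
  esac
}

# Per the comments above, the "any" pseudo-interface is only worth using on
# Linux (on macOS it needs a set-UID-root dumpcap). It also sweeps in every
# other adapter, so prefer the plain loopback interface for a two-process case.
any_iface_usable() {
  [ "$1" = "Linux" ]
}

# Build the tshark command line. The capture filter (-f) keeps only the TCP
# port of interest so the pcapng is small and easy to read back later.
build_capture_cmd() {
  iface=$1; port=$2; outfile=$3
  printf 'tshark -i %s -f "tcp port %s" -w %s' "$iface" "$port" "$outfile"
}

# Stand-alone use: ./loopcap.sh <tcp-port> [outfile]
# Only runs a real capture when invoked with arguments and tshark is present,
# so sourcing this file just defines the functions.
if [ "$#" -ge 1 ] && command -v tshark >/dev/null 2>&1; then
  os=$(uname -s)
  iface=$(loopback_iface "$os") || { echo "unsupported OS: $os" >&2; exit 1; }
  cmd=$(build_capture_cmd "$iface" "$1" "${2:-loopback-port-$1.pcapng}")
  echo "running: $cmd" >&2
  eval "$cmd"
fi
```

After the capture, `tshark -r loopback-port-8080.pcapng` (placeholder file name) should list the SYN/SYN-ACK exchange on 127.0.0.1 (or ::1); if it shows a SYN followed by a RST rather than a SYN-ACK, the listener is refusing or not bound on that address, which is the kind of detail CurrPorts' "established" view cannot distinguish.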
