 

Using RawCap to Sniff localhost on Windows XP, SP3

I am attempting to use RawCap to sniff Windows localhost. However, contrary to its billed ability to do so, it is not working. I am starting it as follows:

rawcap 127.0.0.1 echo.pcap

I then run a little echo TCP client / server test app I wrote. I use the client to send some data over 127.0.0.1, and it indeed gets printed on the server and sent back to the client, where it is also printed. However, the packet capture file is empty.

I am running under Windows XP, SP3.

Is anybody aware of any other steps I need to take to get this to work?

Additional information added on 7/20/2011: I contacted the company that produces RawCap, and they suggested making sure that I have administrator privilege, that I try sniffing ping 127.0.0.1, and that I try enabling telnet and sniffing telnet 127.0.0.1. I do indeed have administrator privilege, RawCap sees ping packets, but it did not see telnet packets. I also tried sniffing 127.0.0.1 on another machine, and I failed there also.

Best, Dave

Dave asked Jul 15 '11 19:07


People also ask

Can Wireshark see localhost?

Wireshark cannot sniff traffic within the same machine (localhost) on Windows. If you need to sniff local traffic on Windows, try Fiddler.

What is RawCap?

RawCap is a free command line network sniffer for Windows that uses raw sockets. Quick RawCap facts: Can sniff any interface that has got an IPv4 address, including 127.0.0.1 (localhost/loopback)


1 Answer

I've been in contact with the author of RawCap, and he indicated that I found a bug where Windows XP SP 3 can't sniff TCP on localhost. He does not seem hopeful that he can fix it. If any more useful information comes along, I will, in an attempt to help the community, comment on this answer.

Dave answered Sep 20 '22 05:09
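
One way to check what a capture file such as echo.pcap actually contains per protocol, mirroring the ping-versus-telnet test described in the question (an added example, not part of the original posts and not RawCap code). It assumes a classic pcap file holding bare IPv4 packets with link type 101, which is an assumption about the capture; the sample capture is constructed inline.

```python
import io
import struct
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
LINKTYPE_RAW = 101  # assumption: bare IPv4 packets, no link-layer header

def count_protocols(stream, host="127.0.0.1"):
    """Count packets to/from `host` per IP protocol in a classic pcap stream."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    magic = header[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", header[20:24])[0]
    if linktype != LINKTYPE_RAW:
        raise ValueError(f"unexpected linktype {linktype}")
    want = bytes(int(p) for p in host.split("."))
    counts = Counter()
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break  # end of file (or a truncated final record)
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        pkt = stream.read(incl_len)
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue  # too short to hold an IPv4 header, or not IPv4
        if want in (pkt[12:16], pkt[16:20]):  # source or destination address
            counts[PROTO_NAMES.get(pkt[9], str(pkt[9]))] += 1
    return counts

def sample_capture():
    """Constructed sample: two ICMP packets on 127.0.0.1 and no TCP."""
    lo = bytes([127, 0, 0, 1])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 128, 1, 0, lo, lo)
    pkt = ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # ICMP echo, checksums left 0
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for ts in (1, 2):
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return io.BytesIO(out)

if __name__ == "__main__":
    counts = count_protocols(sample_capture())
    print(dict(counts), "TCP missing" if counts["TCP"] == 0 else "TCP present")
```

To check a real capture, pass `open("echo.pcap", "rb")` to `count_protocols` instead of the constructed sample.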