
Wireshark is not showing HTTP nor HTTPS for a specific IP

asked 2021-02-21 17:41:49 +0000

eliassal

I have a web site running on an internal IP, 192.168.1.4 (configured in my hosts file in Windows as www.mydomain.net), on port 5040/5041. I can access it through HTTP or HTTPS locally or remotely using the FQN www.mydomain.net. Running Wireshark, when I access it remotely from my laptop, I see traffic in the capture screen, but when I try to browse locally (from the same box where the application runs, which has the IP mentioned above), nothing happens in Wireshark; no traffic is captured. Any reason for this, or is there an option to configure? Thanks


Comments

When you browse locally, the packets are probably routed to the application before being seen by the capturing mechanism.

Anders ( 2021-02-21 17:50:50 +0000 )

Any option to fix it? But if I understand the OSI model well, it goes through protocols before reaching layer 6/7, no?

eliassal ( 2021-02-21 18:54:36 +0000 )

Have you tried capturing on the loopback interface?
Running Wireshark with the -D option will show a list of available capture interfaces.

Chuckc ( 2021-02-21 18:59:31 +0000 )

You are correct, I chose the loopback and now traffic started to be captured on the IP linked to the HTTPS IP. I am a little bit surprised; why is this? Can you please explain? In fact, when I fire up Wireshark, I already have all interfaces displayed, and I need to choose one of them to start a capture session. I was wondering how I can do a session for several interfaces at the same time.

eliassal ( 2021-02-21 21:16:59 +0000 )

1 Answer


answered 2021-02-22 10:02:11 +0000

grahamb

Windows will "short-circuit" a packet that is destined for an IP address that is assigned to a local NIC and this bypasses the capture point in the network stack for the NIC you might have expected it to be sent through.

npcap provides a "pseudo loopback" NIC named "Adaptor for loopback traffic capture" that allows this local traffic to be captured.

The Wireshark UI allows capturing on multiple interfaces by Ctrl + Click on the interfaces of interest; similarly, multiple interfaces can be selected in the capture options dialog.


Comments

Thanks for the explanation

eliassal ( 2021-02-22 10:07:27 +0000 )
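
As an added example (not part of the original answer, and not Wireshark project code), this Python script picks the physical NIC and the Npcap loopback adapter out of a `tshark -D` listing and builds one capture command covering both, filtered to the question's ports 5040/5041. The sample listing, the adapter name "Ethernet" and the output file name are constructed assumptions.

```python
import re

# Constructed sample of `tshark -D` output on a Windows host with Npcap;
# the GUIDs and adapter names are made up for illustration.
SAMPLE_TSHARK_D = r"""
1. \Device\NPF_{11111111-2222-3333-4444-555555555555} (Ethernet)
2. \Device\NPF_{66666666-7777-8888-9999-AAAAAAAAAAAA} (Wi-Fi)
3. \Device\NPF_Loopback (Adapter for loopback traffic capture)
"""

# "<index>. <device> (<description>)", description optional
LINE_RE = re.compile(r"^(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_interfaces(listing):
    """Return [(index, device, description)] parsed from `tshark -D` output."""
    found = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return found


def build_capture_command(listing, nic_name, ports, outfile="local-and-remote.pcapng"):
    """Build a tshark argv capturing on the NIC and the loopback adapter together."""
    interfaces = parse_interfaces(listing)
    loopback = [i for i, dev, desc in interfaces
                if "loopback" in dev.lower() or "loopback" in desc.lower()]
    nic = [i for i, dev, desc in interfaces if desc.lower() == nic_name.lower()]
    if not loopback:
        # Without this adapter, locally originated traffic to a local IP is not captured.
        raise LookupError("no loopback capture adapter listed")
    if not nic:
        raise LookupError(f"no interface named {nic_name!r}")
    bpf = " or ".join(f"tcp port {int(p)}" for p in ports)
    # -f placed before the first -i sets the default capture filter for every interface.
    return ["tshark", "-f", bpf, "-i", str(nic[0]), "-i", str(loopback[0]), "-w", outfile]


if __name__ == "__main__":
    # The resulting list can be passed to subprocess.run() on a host with tshark installed.
    print(build_capture_command(SAMPLE_TSHARK_D, "Ethernet", [5040, 5041]))
```
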


Stats

Asked: 2021-02-21 17:41:49 +0000

Seen: 1,474 times

Last updated: Feb 22 '21