How to capture loopback UDP traffic from two programs on port 12050? [closed]

asked 2018-04-09 19:01:21 +0000

W8LIG

updated 2018-04-09 19:22:57 +0000

Jaap

I have Npcap loopback installed and selected. I want to capture UDP traffic from two programs on port 12050. How do I set that up? I'm not having much success. Using Windows 10 64-bit. Wireshark 2.4.6.


Closed for the following reason: the question is answered, right answer was accepted by W8LIG
close date 2018-04-13 14:45:37.116815

Comments

If the two programs talk to each other on that port locally, your capture filter would be udp port 12050 (if you need it at all, there should not be so much traffic that you would really need a capture filter). Can you see any traffic at all if you start the capture on the loopback interface and from another window run "ping 127.0.0.1"?

sindy ( 2018-04-09 19:15:50 +0000 )

I must have something wrong. Using the filter I get no packets even with your suggested ping. If I remove the filter I get some capture but nothing like expected traffic on port 12050 and again doing the ping does not generate any captures. I have the Npcap loopback selected so I don't know if there is something in the way it was installed that is not correct or what. The traffic on this port between the two programs should be consistent every 10 sec or so and I'm not seeing anything like that.

W8LIG ( 2018-04-10 01:14:50 +0000 )

Ok I reinstalled Npcap and now I'm seeing traffic on port 12050. Is there a way in Wireshark to see the data packet in a larger ASCII window? I see the normal Hex and ASCII presentation at the bottom but in this case I'm more interested in the format of the data being passed between the two programs. I can see this at the bottom but it's hard to read. Was hoping for more of a text type presentation.

W8LIG ( 2018-04-12 13:44:57 +0000 )

Technically this is a separate Question, but on this new platform I'm not able to convert a Comment into a Question any more, maybe one of the more privileged admins can tidy up afterwards.

Assuming that no existing dissector can be used for the communication between your applications, the payload of the UDP is probably dissected as data. If so, right-click the Data line in the dissection pane (the middle one), choose Protocol Preferences in the pop-up menu, and click Show data as text.

However, this causes only a single line of text to be shown in the dissection pane. If you need more, you'll have to export the captured packets into a file (apply a display filter udp.port == 12050, go to File -> Export Specified Packets -> (o) Displayed, enter the file name etc.) and use tshark to extract the data from that file:

tshark -r your_file ...(more)

sindy ( 2018-04-13 10:15:49 +0000 )
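
An added example, not part of sindy's comment and not the tshark command it refers to: a small Python reader that prints the UDP payloads on a given port from an exported capture as text. It assumes the export was saved in the classic pcap format (not pcapng) with a NULL/loopback or Ethernet link type; the function names and the sample capture are constructed for illustration.

```python
import struct

def udp_payloads(pcap: bytes, port: int):
    """Return (src_port, dst_port, text) for each IPv4/UDP packet on `port`
    in a classic-pcap byte string (link type NULL/loopback or Ethernet)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    l2_len = {0: 4, 1: 14}.get(linktype)    # 0 = NULL/loopback, 1 = Ethernet
    if l2_len is None:
        raise ValueError(f"unsupported link type {linktype}")
    out, off = [], 24                       # records follow the 24-byte header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = frame[l2_len:]
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
            continue                        # keep only IPv4 carrying UDP
        udp = ip[(ip[0] & 0x0F) * 4:]       # skip the IP header (IHL words)
        if len(udp) < 8:
            continue
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if port in (sport, dport):
            data = udp[8:ulen]
            # Non-printable bytes become '.', like Wireshark's ASCII pane.
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
            out.append((sport, dport, text))
    return out

def sample_pcap() -> bytes:
    """Constructed capture: one loopback UDP datagram sent to port 12050."""
    payload = b"STATUS seq=1 ok\r\n"
    udp = struct.pack("!HHHH", 50000, 12050, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, 17, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1])) + udp
    frame = struct.pack("<I", 2) + ip       # NULL header: AF_INET = 2
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 0)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    for sport, dport, text in udp_payloads(sample_pcap(), 12050):
        print(f"{sport} -> {dport}: {text}")
```

To run it on a real export, read the file with `open(path, "rb").read()` and pass the bytes to `udp_payloads` in place of `sample_pcap()`.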

Thanks for the reply, I guess I should have updated my question. I managed to find that if I right-clicked on the capture line and clicked Copy, it gave me the option as you point out. For me that is exactly what I was trying to do, so I was able to print out in text the data packet. Thanks!

W8LIG ( 2018-04-13 14:44:47 +0000 )