Ask Your Question
0

Can Wireshark capture traffic exchanged between two programs through TCP ports on the same machine?

asked 2023-11-27 12:46:09 +0000

redbox gravatar image

As the subject suggest, my question is simply, can Wireshark capture traffic between two programs through TCP ports on the same machine? I am of the opinion that this wouldn't go through the NIC and therefore perhaps it's outside of Wireshark's capabilities. I ask because I have already tried this and my PCAP doesn't appear to contain the packets that I'm interested in. Using NIRSoft's CurrPorts, I can see that one program's listening port has established connections with this other program, however, that program is saying that it can't establish a connection and I'm trying to figure out why. If it's in fact the case that it isn't possible, could someone recommend a program that can capture this traffic? Thank you.

edit retag flag offensive close merge delete

Comments

" I can see that one program's listening port has established connections with this other program"
What are the IP addresses? (Example screenshot: CurrPorts v2.76)

It also helps if you update the question with the output of wireshark -v or Help->About Wireshark:Wireshark to show the versions and operating system.

Chuckc gravatar imageChuckc ( 2023-11-27 12:50:11 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2023-12-01 08:16:09 +0000

André gravatar image

Yes, select the "Adapter for loopback traffic capture" interface on Windows.

I am of the opinion that this wouldn't go through the NIC and therefore perhaps it's outside of Wireshark's capabilities.

You need the npcap capture library, which is included in the Wireshark's Windows installer.
(Given NIRSoft's CurrPorts is used, the OS must be Windows.)

edit flag offensive delete link more

Comments

(And for those on UN*Xes, you would capture on the loopback interface, called lo on Linux and lo0 on most other UN*Xes.)

Guy Harris gravatar imageGuy Harris ( 2023-12-01 19:29:44 +0000 )edit

(or by using the any interface.)

André gravatar imageAndré ( 2023-12-01 19:34:32 +0000 )edit

(or by using the any interface.)

...if you also want traffic on all the other network adapters, not just traffic between two processes on the same host.

(And the any device is only available on Linux and newer versions of macOS; it requires root privileges in macOS, so it would only show up in Wireshark/TShark if dumpcap were made set-UID root, which it isn't by default.)

Guy Harris gravatar imageGuy Harris ( 2023-12-01 19:43:25 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2023-11-27 12:46:09 +0000

Seen: 2,234 times

Last updated: Dec 01 '23

Related questions

Getting a PDF file from printing job

Wireshark 2.4.1 GTK Crash on long run

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

wifi disconnects as wireshark starts

Channel and capture VoIP traffic on a dedicated NIC?

follow tcp stream dialogue box

How to tell if TCP segment contains a data in Wireshark?

what determines the final windows scaling factor?

Help to read this trace