Ethereal-users: Re: [Ethereal-users] Help tracing HTTP (and XML) conversations on same host?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Wed, 12 Jan 2005 12:50:40 -0800 (PST)
Karr, David said:
> I'm trying to use Ethereal to track HTTP and XML conversations where the
> client and server are on the same host (my Wintel laptop).

Does "Wintel" mean that your machine is running Windows?  That's what I'd
expect - I don't consider a PC running Linux or some BSD or Solaris to be
a Wintel machine. I'll assume it's a Windows machine.

> I don't seem to see these packets when I capture a trace.

No, you don't see them - and you might never see them.  Packets sent by a
host to itself are not transmitted on any network device; they are,
instead, "looped back" inside the networking stack on the machine
transmitting and receiving them.

On some OSes, this is done using a "loopback interface".  On some of those
OSes, such as BSDs (including Mac OS X), Linux systems, and Digital UNIX,
libpcap (and thus libpcap-based applications such as Ethereal) can capture
traffic on the loopback interface, and thus can capture that traffic.  On
other such OSes, such as Solaris, they cannot capture traffic on that
interface, as that interface is implemented in a way that doesn't connect
to the mechanism (DLPI, in the case of Solaris) used by libpcap to capture
traffic, so applications *can't* capture that traffic.

Windows doesn't even have such a "loopback interface" (Microsoft have
something called the "Microsoft Loopback Adapter", but it's an optional
component, not the mechanism used for looping back packets - and it
doesn't support capturing in any case), so you can't capture traffic from
a Windows machine to the same machine.

> When I capture a trace
> where my browser visits a URL not on this host (the same app deployed on
> a different host), I see packets with protocol X11, which appear to
> contain both sides of that conversation.

Protocol "X11"?  I wouldn't expect X11 traffic unless you're running an
X11 server on your laptop and running an application on some other machine
using X11 to display windows on your machine and get keyboard and mouse
input from your machine.  If you're running the browser on your machine,
and contacting a Web server on another machine, I wouldn't expect any X11
traffic.