Wireshark-dev: [Wireshark-dev] Capturing loopback traffic on Windows

From: Chris Maynard <chris.maynard@xxxxxxxxx>
Date: Thu, 24 Mar 2011 16:40:45 +0000 (UTC)
As probably most of you know, it's not possible to capture loopback traffic on
Windows ... or is it?

The Wireshark Loopback wiki page provides some information and potential
work-arounds for this problem, such as installing the "Microsoft Loopback
Adapter", but it also indicates that "... in most cases that might not give
results as expected either."  In my case, it certainly does not give me the
desired results.

Recently I came across a tool called proxocket, written by Luigi Auriemma.
After installing the ws2_32.dll from proxocket into a directory containing 3
binaries that communicate with each other over the loopback interface and
starting them all up, it generated 3 separate capture files, one for each
process, which I was then able to merge together into a single capture file
using mergecap.  After filtering out the duplicate packets in the file, which
contained the source IP address of 0.0.0.0, I had a pretty good capture file
containing loopback traffic on Windows.  Some packets were clearly ordered
incorrectly, but it was easy enough for me to spot them and tell what was going
on.

While certainly not as good/easy as capturing loopback traffic on a *NIX
platform, so far this has been by far the best way for me to obtain loopback
traffic on Windows.  Maybe others will find this tool useful as well.

- Chris

References:
[1] http://wiki.wireshark.org/CaptureSetup/Loopback
[2] http://en.wikipedia.org/wiki/Layered_Service_Provider#cite_note-0
[3] http://www.netresec.com/?page=Blog&month=2011-01&post=Proxocket---A-Winsock-Proxy-Sniffer
[4] http://aluigi.altervista.org/mytoolz.htm#proxocket
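The merge, de-duplicate and re-order step from the post above, as an added Python example that is not part of the original message and not code from proxocket or Wireshark: it reads the per-process classic pcap files, drops the packets whose IPv4 source is 0.0.0.0, and sorts what remains by timestamp. It assumes the captures use an Ethernet or raw-IP link type and the classic (non-pcapng) format; the sample frames are constructed here.

```python
import struct

# Link-layer types handled; assumed, not taken from proxocket's documentation.
IP_OFFSET = {1: 14, 101: 0, 228: 0}  # Ethernet, raw IP, IPv4

def build_pcap(linktype, records, endian='<'):
    """Write a classic pcap blob from (ts_sec, ts_usec, bytes) records."""
    out = struct.pack(endian + 'IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack(endian + 'IIII', ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out

def parse_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, bytes), ...]) from a classic pcap blob."""
    endian = '<' if data[:4] in (b'\xd4\xc3\xb2\xa1', b'\x4d\x3c\xb2\xa1') else '>'
    linktype = struct.unpack(endian + 'IHHiIII', data[:24])[6]
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        pkts.append((ts_sec, ts_usec, data[off:off + incl]))
        off += incl
    return linktype, pkts

def ipv4_src(linktype, pkt):
    """Dotted-quad IPv4 source of a frame, or None if it is not IPv4."""
    off = IP_OFFSET.get(linktype)
    if off is None or len(pkt) < off + 20:
        return None
    if linktype == 1 and pkt[12:14] != b'\x08\x00':  # EtherType must be IPv4
        return None
    if pkt[off] >> 4 != 4:
        return None
    return '.'.join(str(b) for b in pkt[off + 12:off + 16])

def merge_and_clean(pcap_blobs):
    """Merge per-process captures, drop the 0.0.0.0-sourced duplicates, sort by time."""
    kept, linktype = [], None
    for blob in pcap_blobs:
        linktype, pkts = parse_pcap(blob)
        kept += [p for p in pkts if ipv4_src(linktype, p[2]) != '0.0.0.0']
    kept.sort(key=lambda p: (p[0], p[1]))  # restore chronological order
    return linktype, kept

def eth_ipv4(src, dst):
    """Constructed sample frame: Ethernet + minimal IPv4 header, no payload."""
    eth = b'\x00' * 12 + b'\x08\x00'
    ip = b'\x45\x00\x00\x14\x00\x01\x00\x00\x40\x06\x00\x00'
    return eth + ip + bytes(int(o) for o in src.split('.')) + bytes(int(o) for o in dst.split('.'))
```

Feed `merge_and_clean` the bytes of each per-process file and pass its result back through `build_pcap` to write the cleaned single capture.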