On May 9, 2012, at 1:14 AM, Erik Hjelmvik wrote:
> The best solution is to run RawCap. It's a great command line tool
> that can capture localhost traffic on Windows machines.
> You don't even need WinPcap to do it, since it uses raw sockets.
>
> http://www.netresec.com/?page=RawCap
...which means it has both advantages:
> Properties of RawCap:
>
> • Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
...
> • No external libraries or DLL's needed other than .NET Framework 2.0
> • No installation required, just download RawCap.exe and sniff
> • Can sniff most interface types, including WiFi and PPP interfaces
and *dis*advantages:
> Raw sockets limitations (OS dependent)
>
> Due to current limitations in the raw sockets implementations for Windows Vista and Windows 7 we suggest running RawCap on Windows XP. The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista).
So there's a tradeoff between using raw sockets and using NDIS (as both WinPcap and the NetMon driver do).