
Windows 7: sniff TCP sockets to localhost

Posted by: admin, February 27, 2018

Questions:

I want to capture and analyze TCP communication data between two applications running on the local host, which is running Windows 7. I tried to use Wireshark, but Wireshark could not capture the data; it seems to just monitor the data going in and out of the network interface.

Could you introduce some useful tools to monitor the local TCP data easily?

Answers:

The reason Wireshark doesn’t work is that sniffers rely on the network driver stack, and Windows doesn’t expose localhost calls through it.

You should use Socket Sniffer, which looks at Winsock calls and monitors network sockets; the download link is at the bottom of the page.

Answers:

There are limitations in Windows that prevent libpcap and Microsoft Network Monitor from sniffing localhost/loopback. But you can sniff localhost if you use Raw Sockets.

There is a free tool called RawCap that can sniff localhost and save the captured packets in a PCAP file. This allows you to inspect the traffic in Wireshark later on.

You can download RawCap from here:
http://www.netresec.com/?page=RawCap