Capturing and viewing loopback and external traffic in Windows

I am working on an issue at the moment that requires me not only to observe TCP/IP traffic leaving a box, but also going in-between processes on the same box.

Wireshark installs WinPcap in Windows, which unfortunately doesn’t allow you to capture traffic on the loopback (127.0.0.1) interface.

Thankfully, there is a very useful piece of software available called RawCap. This is a tiny freeware application that lets you use raw sockets to capture loopback traffic on a Windows machine, like so:

RawCap.exe 127.0.0.1 localhost_capture.pcap

The problem with RawCap is that it only lets you capture a single interface at a time (and it also seems to have a number of issues collecting traffic for interfaces other than loopback unless you are running XP).

So, use RawCap to capture loopback and, at the same time, start a capture in Wireshark on the external interface as usual.

Stop the capture in Wireshark and save it. Then go to File->Merge… and select the file created by RawCap.

The two captures will now be interleaved in time order, courtesy of the absolute timestamps stored with each packet in pcap files.

(Note: merging really doesn't seem to work well if you capture from different machines, probably due to clock differences.)
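To make the merge step concrete, here is an added example (mine, not code from the post, from RawCap or from Wireshark) that does by hand what File->Merge does: it parses two classic pcap files, sorts every packet by its absolute timestamp, and optionally applies a per-capture clock offset, which is the knob you would need when the two captures come from different machines. The two captures are constructed in memory with placeholder payloads rather than real packets; treating the RawCap file as link type 101 (raw IP, no link-layer header) is an assumption, as is the offset mechanism, which is not something the Wireshark dialog offers.

```python
"""Merge two pcap captures (e.g. RawCap loopback + Wireshark external) by absolute timestamp."""
import struct
from typing import List, Tuple

NS = 1_000_000_000
LINKTYPE_ETHERNET = 1    # what a Wireshark/WinPcap capture of a NIC normally uses
LINKTYPE_RAW = 101       # raw IP, no link-layer header (assumption: what RawCap emits)

# A record is (timestamp_ns, linktype, source_label, packet_bytes)
Record = Tuple[int, int, str, bytes]


def build_pcap(linktype: int, packets: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (timestamp_ns, payload) pairs as a little-endian, microsecond pcap 2.4 file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts_ns, pkt in packets:
        sec, usec = divmod(ts_ns // 1000, 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def parse_pcap(data: bytes, label: str) -> List[Record]:
    """Parse a classic pcap file (either byte order, us or ns resolution) into records."""
    magic = data[:4]
    table = {
        b"\xd4\xc3\xb2\xa1": ("<", 1000), b"\xa1\xb2\xc3\xd4": (">", 1000),  # microseconds
        b"\x4d\x3c\xb2\xa1": ("<", 1),    b"\xa1\xb2\x3c\x4d": (">", 1),     # nanoseconds
    }
    if magic not in table:
        raise ValueError(f"{label}: not a classic pcap file (pcapng is not handled here)")
    endian, frac_to_ns = table[magic]
    linktype = struct.unpack_from(endian + "I", data, 20)[0]   # last global-header field
    records, off = [], 24
    while off < len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError(f"{label}: truncated record at offset {off}")
        off += incl_len
        records.append((sec * NS + frac * frac_to_ns, linktype, label, pkt))
    return records


def merge_captures(captures: List[Tuple[bytes, str, int]]) -> List[Record]:
    """captures: (pcap_bytes, label, clock_offset_ns). The offset corrects clock skew between
    machines; two captures taken on the same box (RawCap + Wireshark) use offset 0."""
    merged: List[Record] = []
    for data, label, offset_ns in captures:
        for ts, lt, lbl, pkt in parse_pcap(data, label):
            merged.append((ts + offset_ns, lt, lbl, pkt))
    merged.sort(key=lambda r: r[0])   # stable sort: equal timestamps keep input order
    return merged


def write_merged_pcap(records: List[Record]) -> bytes:
    """Classic pcap holds one link type per file, so a merged pcap needs uniform encapsulation
    (Wireshark's merge switches to pcapng when the inputs differ; here we simply refuse)."""
    linktypes = {r[1] for r in records}
    if len(linktypes) != 1:
        raise ValueError(f"mixed link types {sorted(linktypes)}: write pcapng instead")
    return build_pcap(linktypes.pop(), [(r[0], r[3]) for r in records])


# Constructed sample data (placeholder payloads, not real traffic): two captures started on one box.
T0 = 1_700_000_000 * NS
LOOPBACK_PCAP = build_pcap(LINKTYPE_RAW, [(T0 + 100_000, b"loop-1"),    # +100 us
                                          (T0 + 300_000, b"loop-2")])   # +300 us
EXTERNAL_PCAP = build_pcap(LINKTYPE_ETHERNET, [(T0 + 200_000, b"ext-1"),    # +200 us
                                               (T0 + 400_000, b"ext-2")])   # +400 us


def timeline(external_offset_ns: int = 0) -> List[str]:
    """'label:payload' for every packet in merged time order; the offset shifts the external capture."""
    merged = merge_captures([(LOOPBACK_PCAP, "loopback", 0),
                             (EXTERNAL_PCAP, "external", external_offset_ns)])
    return [f"{r[2]}:{r[3].decode()}" for r in merged]


if __name__ == "__main__":
    print(timeline())          # same clock: the two captures interleave packet by packet
    print(timeline(500_000))   # 500 us of skew pushes every external packet after the loopback ones
```

The second call shows why the author's caveat matters: a few hundred microseconds of clock difference between two machines is enough to reorder the merged timeline, whereas two captures on one box share a clock and simply interleave.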