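I was planning to use Python TCP sockets, so I found sample TCP client and server code online to try it out. It was fairly simple, and the two ends were talking to each other in no time.
On a whim, I wanted to capture the local loopback test packets with Wireshark, but no matter what I did I could not capture any TCP packets for 127.0.0.1; however I looked, there were no 127.0.0.1 packets at all. After struggling with it all morning, I found that when the TCP client talks to another IP, Wireshark captures the traffic normally, but when it talks to the local machine nothing at all is captured.
Not willing to give up, I searched online for how to capture local loopback traffic with Wireshark, and learned that the Windows TCP/IP stack has no local loopback interface, so the usual Windows packet capture drivers, such as WinPcap, cannot see this traffic. My Wireshark is based on WinPcap, so of course it could not capture the packets. On Linux, Wireshark should show an interface named "loopback interface".
(Windows TCP/IP stack does not implement a network loopback interface, as found in other TCP/IP stack like lo* interfaces in BSD systems. Thus, it is not possible to sniff network traffic using the typical Windows packet capture driver, WinPcap.)
Reference URLs: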
http://wiki.wireshark.org/CaptureSetup/Loopback
http://www.hsc.fr/ressources/articles/win_net_srv/missing_loopback.html
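Of course, this does not mean you cannot capture local loopback packets on Windows at all; there are certainly other ways. According to what I read online, CommView can apparently capture local loopback packets.
There is also a portable, tiny (17K) open-source tool, RawCap, that can capture them too (download: http://www.netresec.com/?page=RawCap). Save the captured packets with a .pcap extension, open the file in Wireshark, and you can carry on with the analysis.
The other methods are rather troublesome: they require changing IP addresses, routes and so on. That is too much hassle and does not seem worthwhile to me.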
=========================================================
RawCap
RawCap is a free command line network sniffer for Windows that uses raw sockets.
Properties of RawCap:
- Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
- RawCap.exe is just 23 kB
- No external libraries or DLLs needed other than .NET Framework 2.0
- No installation required, just download RawCap.exe and sniff
- Can sniff most interface types, including WiFi and PPP interfaces
- Minimal memory and CPU load
- Reliable and simple to use
Usage
You will need to have administrator privileges to run RawCap.
NETRESEC RawCap version 0.1.5.0
http://www.netresec.com
Usage: RawCap.exe [OPTIONS] <interface_nr> <target_pcap_file>
OPTIONS:
  -f          Automatically flush data to file after each packet (no buffer)
  -c <count>  Stop sniffing after receiving <count> packets
  -s <sec>    Stop sniffing after <sec> seconds
INTERFACES:
  0. IP       : 192.168.0.17
     NIC Name : Local Area Connection
     NIC Type : Ethernet
  1. IP       : 192.168.0.47
     NIC Name : Wireless Network Connection
     NIC Type : Wireless80211
  2. IP       : 90.130.211.54
     NIC Name : 3G UMTS Internet
     NIC Type : Ppp
  3. IP       : 192.168.111.1
     NIC Name : VMware Network Adapter VMnet1
     NIC Type : Ethernet
  4. IP       : 192.168.222.1
     NIC Name : VMware Network Adapter VMnet2
     NIC Type : Ethernet
  5. IP       : 127.0.0.1
     NIC Name : Loopback Pseudo-Interface
     NIC Type : Loopback
Example: RawCap.exe 0 dumpfile.pcap
An alternative to supplying the interface number is to supply the IP address of the preferred interface instead, i.e. like this:
Interactive Console Dialog
You can also start RawCap without any arguments, which will leave you with an interactive dialog:
Network interfaces:
0. 192.168.0.17 Local Area Connection
1. 192.168.0.47 Wireless Network Connection
2. 90.130.211.54 3G UMTS Internet
3. 192.168.111.1 VMware Network Adapter VMnet1
4. 192.168.222.1 VMware Network Adapter VMnet2
5. 127.0.0.1 Loopback Pseudo-Interface
Select network interface to sniff [default '0']: 1
Output path or filename [default 'dumpfile.pcap']:
Sniffing IP : 192.168.0.47
File : dumpfile.pcap
Packets : 1337
Raw sockets limitations (OS dependent)
IPv6
RawCap cannot capture packets from IPv6 interfaces. This also includes the localhost IPv6 interface associated with address ::1. Unfortunately the name "localhost" often resolves to ::1 rather than 127.0.0.1, which can cause confusion. Therefore, when trying to capture application traffic on localhost, make sure the monitored application is connecting to "127.0.0.1" rather than "localhost".
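The following Python sketch is an added example, not part of the RawCap documentation or of the original post. It lists what a name such as "localhost" resolves to, marks which results fall under the IPv6 limitation described above, and runs a TCP echo test pinned to the literal 127.0.0.1 so the traffic stays on the IPv4 loopback; the function names rawcap_visible and echo_over_ipv4_loopback are made up for this example.

```python
import ipaddress
import socket
import threading


def rawcap_visible(host):
    """Resolve host and return [(address, capturable)] in resolver order.

    capturable is True only for IPv4 results, because the text above says
    RawCap cannot capture from IPv6 interfaces such as ::1.
    """
    results = []
    for *_, sockaddr in socket.getaddrinfo(host, None, type=socket.SOCK_STREAM):
        addr = sockaddr[0].split("%")[0]          # drop any IPv6 scope id
        entry = (addr, ipaddress.ip_address(addr).version == 4)
        if entry not in results:
            results.append(entry)
    return results


def echo_over_ipv4_loopback(payload):
    """Echo payload through a TCP server bound to the literal 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                    # port 0: OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096))

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    # Connect by address, not by the name "localhost", so the flow stays IPv4.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as cli:
        cli.sendall(payload)
        reply = cli.recv(4096)
        peer = cli.getpeername()[0]
    worker.join(timeout=5)
    srv.close()
    return reply, peer


if __name__ == "__main__":
    for addr, ok in rawcap_visible("localhost"):
        print(addr, "visible to RawCap" if ok else "IPv6, not visible to RawCap")
    print(echo_over_ipv4_loopback(b"hello loopback"))
```

If the first line printed for "localhost" is ::1, a client that connects by name will use a flow RawCap cannot record, which looks exactly like an empty capture.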
Sniffing localhost
Sniffing localhost/loopback (127.0.0.1) has some limitations under Windows XP. When sniffing localhost traffic in Windows XP you will only be able to capture UDP and ICMP packets, not TCP.
TCP, UDP and ICMP packets can, however, all be sniffed properly from localhost on newer operating systems like Windows Vista and Windows 7.
External interfaces
Windows Vista can't capture outgoing packets, only incoming.
If you, on the other hand, find that you are only able to sniff OUTGOING packets then you probably just need to add an exception for RawCap in your local firewall. To create an exception, simply follow these steps:
- Run WF.msc (i.e. the "Windows Firewall with Advanced Security")
- Select "Inbound Rules"
- Click "New Rule"
- Select "Program" and press "Next"
- Enter the path of RawCap.exe and press "Next"
- Press "Next" a couple of times more, then you're done!

Firewall rule to allow RawCap to sniff incoming packets.
License
RawCap is freeware and can be used by anyone, i.e. even commercial use is allowed.
You are, however, NOT allowed to:
- Re-brand RawCap under a different name or vendor
- Re-distribute RawCap from a website other than netresec.com
- Sell RawCap
- Include RawCap as part of a commercial tool
More information
You can read more about RawCap in our blog post "RawCap sniffer for Windows released".
Download RawCap
You can download RawCap.exe here.