RawCap
use RawCap to capture localhost packets
Raw sockets limitations (OS dependent)
IPv6
RawCap cannot capture packets from IPv6 interfaces. This also include the localhost IPv6 interface associated with address ::1. Unfortunately the name "localhost" often resolves to ::1 rather than 127.0.0.1, which can cause confusion. Therefore, when trying to capture application traffic on localhost, make sure the monitored application is connecting to "127.0.0.1" rather than "localhost".
solution: edit c:/windows/system32/drivers/etc/hosts, remove the entry for (::1 localhost), then ping localhost, make sure localhost is resolved to "127.0.0.1", now run RawCap again, packets are captured as normal.
other solution: http://superuser.com/questions/436574/ipv4-vs-ipv6-priority-in-windows-7
Sniffing localhost
Sniffing localhost/loopback (127.0.0.1) has some limitations under Windows XP. When sniffing localhost traffic in Windows XP you will only be able to capture UDP and ICMP packets, not TCP.
TCP, UDP and ICMP packets can, however, all be sniffed properly
from localhost on newer operating systems like Windows Vista and Windows
7.
External interfaces
Microsoft's newer operating systems (later than WinXP) have limitations associated with raw socket sniffing of external interfaces, i.e. everything that isn't localhost. Known limitations in Windows Vista and Win7 are:
- Windows 7 - Can't capture incoming packets
- Windows Vista - Can't capture outgoing packets
Due to these limitations in the raw sockets implementations of Microsoft's current operating systems we suggest running RawCap on Windows XP if you need to capture from external interfaces.
