Sniff localhost

My WCF services are using basic authentication over https. To prove this is a safe combination I wanted to sniff the trafic between client and host. Problem is a tool like Wireshark cannot sniff localhost. You’ll find good explanation why here.

The solution is to use the Microsoft Loopback adapter. Below the steps I took to get it working on my Windows 7 machine:

  1. install the loopback adapter (not working link)
    install the loopback adapter
  2. assign ip address 10.0.0.10 to the loopback adapter
  3. in WCF use (C# Sample):
    • “localhost” for hosting the service
    • “10.0.0.10” to connect from clients
  4. download rawcap
  5. start commandline rawcap to capture trafic over 10.0.0.10 to loopback.cap file
    rawcap 10.0.0.10 loopback.cap
    
  6. Do your testing. You’ll see the number of rawcap Packets increase
  7. <CTRL> + c to stop rawcap
  8. Load the loopback.cap file in Wireshark for viewing
  9. Select the first packet with source and destination 10.0.0.10 and pick context menu “Follow TCP stream”

Left the unencrypted messages with the Authorization header in the black box. Right the captured SSL trafic, not actual readble. Conversation is about twice the size though.

edit: Added C# Sample

About erictummers

My work as a recruited developer changes almost every month. I like challenges and sharing the solutions with others. On my blog I’ll mostly post about my work, but expect an occasional home project, productivity tip and tooling review.
This entry was posted in Tooling and tagged , , , , , , , , . Bookmark the permalink.

One Response to Sniff localhost

  1. Pingback: Best Off .NET development by Eric | .NET Development by Eric

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s