How to capture traffic from the loopback interface using Wireshark in Windows

If you are a Windows user and have ever needed to capture traffic from the loopback interface, you will probably have struggled to do so. Wireshark won't let you do it.

Nonetheless, you can capture traffic from the loopback interface using RawCap. It is a command-line tool that captures the traffic and saves it to a file. For analysis, you can use Wireshark to read this file. The problem with RawCap is that you cannot see live traffic. You need to capture the traffic blindly and analyze it later in Wireshark (similar to what you would do with tcpdump in Linux).

There is a solution for that. When installing Wireshark, it will ask you for permission to install WinPcap. This is the actual tool that Wireshark uses to capture the traffic. Npcap is a similar tool with a more modern driver mechanism within Windows. Npcap will create a driver for the loopback interface so that you can capture its traffic directly in Wireshark. Key advantage: you can see live data from the loopback interface!

These are the steps you need to follow:

    1. Uninstall WinPcap from 'Apps & Features'.

    2. Uninstall Wireshark from 'Apps & Features'.

    3. When asked, choose WinPcap to be uninstalled, too.

    4. Download Npcap.
    5. Install Npcap. You will need to choose the following options:

The first one needs to be selected so that Wireshark uses Npcap as the tool to capture packets every time we launch Wireshark. The second one will create an adapter so that Wireshark can capture the traffic from the loopback interface. The last one will make Wireshark interact with Npcap as if it were WinPcap.

    6. Install Wireshark. The installation will let you know that Wireshark will use Npcap instead of WinPcap.

    7. Reboot your computer.
    8. When you want to capture traffic from the loopback interface, run Wireshark and select 'Npcap Loopback Adapter'.

    9. Enjoy.
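
To confirm that the steps above worked, the following PowerShell script checks the Npcap service, finds the loopback adapter with tshark (installed alongside Wireshark), captures for a few seconds and generates its own traffic on 127.0.0.1. It is an added example, not part of the original post; the tshark path, the port number and the output file name are assumptions to adjust for your machine.

```powershell
# Added example: end-to-end check that loopback capture works after the steps above.
# Assumptions: default Wireshark install path; TCP port 50555 is free (constructed value).
$tshark = 'C:\Program Files\Wireshark\tshark.exe'
$port   = 50555
$pcap   = Join-Path $env:TEMP 'loopback-check.pcapng'

# 1. The Npcap driver service must be running.
$svc = Get-Service -Name npcap -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    throw 'The npcap service is not running; reinstall Npcap or reboot.'
}

# 2. Locate the loopback adapter in the interface list printed by "tshark -D".
$line = & $tshark -D | Where-Object { $_ -match 'Loopback' } | Select-Object -First 1
if (-not $line) {
    throw 'tshark -D lists no loopback adapter; check the Npcap loopback option.'
}
$index = ($line -split '\.')[0]   # each line starts with "<index>. <device> (<name>)"

# 3. Capture on that interface for 6 seconds in the background.
$tsharkArgs = "-i $index -a duration:6 -w `"$pcap`""
$capture = Start-Process -FilePath $tshark -ArgumentList $tsharkArgs -PassThru -WindowStyle Hidden
Start-Sleep -Seconds 2            # give tshark time to open the adapter

# 4. Generate known traffic on 127.0.0.1: one TCP connection carrying a short payload.
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, $port)
$listener.Start()
$client  = [System.Net.Sockets.TcpClient]::new('127.0.0.1', $port)
$server  = $listener.AcceptTcpClient()
$payload = [System.Text.Encoding]::ASCII.GetBytes('loopback-check')
$client.GetStream().Write($payload, 0, $payload.Length)
$client.Close(); $server.Close(); $listener.Stop()

# 5. Wait for the capture to end, then count the packets that belong to the test connection.
$capture.WaitForExit()
$count = (& $tshark -r $pcap -Y "tcp.port == $port" | Measure-Object).Count
if ($count -gt 0) {
    "OK: captured $count loopback packets on port $port (saved to $pcap)"
} else {
    "FAIL: no loopback packets captured; re-check the Npcap install options"
}
```

The saved file can be opened in Wireshark afterwards, in the same way as a RawCap capture.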