Tip/Trick
Posted 15 Sep 2014

How to Capture and View Local Network Traffic

23 Dec 2014 | CPOL | 6 min read
How to Capture and View Local Network Traffic Using Two Free Tools

Getting the Local Traffic Report

It can be problematic and lead to headaches - and possibly even hair loss (your follicles may vary) - if you need to capture local network traffic (sent to your own device or PC), as many tools (even the venerable Wireshark) aren't very helpful with that scenario. However, there is a way to do it using two free tools, namely RawCap and the aforementioned Wireshark. Once you know how, it's (almost) as easy as pie (that is, eating a pie, such as an apple pie, not memorizing 3.14... etc.).

Get Ready

First, download RawCap here

Next (provided you don't already have it, of course), download Wireshark here

Get Set

Once you have RawCap and Wireshark installed, open a command prompt and navigate to the folder where you downloaded RawCap.

Then, enter a command such as "rawcap.exe 127.0.0.1 platypus.pcap"

which is:

    RawCap.exe [IP address you want to monitor] [name of file].pcap

Actually, you don't need the ".exe" appended to "rawcap" as shown above; unless your pinkies love tickling the plastics, you can omit those bits. In fact:

Don't Bogart Your Joints

You can practice preventive maintenance on your joints and possibly elude the nefarious carpal tunnel syndrome agitator by reducing keystrokes when entering the rawcap command line values. For example, instead of a command line such as:

    rawcap.exe 127.0.0.1 someFilename.pcap

...you can omit the ".exe" jazz and use the interface id like so:

    rawcap 1 141223.pcap

So the interface is "1". But what is "1"? Find out what's available to you by entering this at the command line:

    rawcap --help

You will then be given a list of interface IDs and what they refer to. For example, in my case I see this:

Image 1

So, for me, 0 is my PC's IP address, and 1 is localhost/loopback/127.0.0.1. YIMV (Your Interfaces May Vary).

TIME OUT! Two ways to run RawCap

You can run RawCap one of two ways:

Run cmd as Administrator Proactively

Select Start > All Programs > Accessories > Command Prompt > right-click > Run as Administrator

Run cmd as "Normal" User and Respond to Prompt

Select Start > "cmd" > [ enter command line for rawcap to use ] > accept "User Account Dialog" dialog

If you use the latter option, the feedback (how many packets have been received) will display in a separate command prompt window:

Image 2

IOW, the difference between the two ways of running it is: Do you want to get and dismiss the "User Account Control" dialog before you enter the command line verbiage or after you enter it?

Go

Now, perform the procedure that generates the network traffic you want to capture. Once it is finished, you can go back to the command prompt and mash Ctrl+C. Alternatively, you can specify the count of packets you want it to capture, or the number of seconds for which you want it to capture. Enter "rawcap ?" and mash the Enter key for the syntax for doing either of these. Or, you can take my word for it that it is:

    -c <count>   stop sniffing after receiving a specified count of packets

-and-

    -s <sec>     stop sniffing after a specified number of seconds

IOW:

    rawcap.exe -c 42 meaningOfLifeEtc.pcap

...to capture 42 packets

-and:

    rawcap.exe -s 8 rodeo.pcap

...to capture packets until the cowboy either gets bucked off or outlasts the beast.

After mashing the Enter key to start rawcap capturing, then performing the operation to send/receive packets, and finally mashing Ctrl+C at the command prompt to stop capturing, you will see something like this (where the folder to which you downloaded rawcap replaces "MiscInWindows7") there at the command line:

Image 3

After the capture is complete using any of the methodologies delineated above (manually stopping capturing, or setting it to capture a number of packets or for a specified number of seconds), open Wireshark and select File > Open..., navigate to the .pcap file, and open it.

You will then cast your beaming and/or gleaming peepers upon a magnificent cornucopia of information about the network traffic captured. You can now search through this overgrown forest for the individual trees you want to find by selecting Edit > Find Packet... and then entering what is of interest to you; in my case, I'm expecting some traffic to/from port 7727 on my PC, so I enter that:

Image 4

...and it takes me to the first line matching it; selecting Find > Next (Ctrl+N) takes me to the next one, and so on:

Image 5

Once you narrow the network traffic down to a specific port, you can then right-click any of the "records" in Wireshark and select "Follow TCP Stream"; you will then get the nitty gritty on the whole back-and-forth between the sender and receiver. The sender's data is in red, the receiver's in blue:

Image 6

Ain't that purty! Don't answer that - I hear tell the Wireshark GUI cat is more sensitive than a weak and weary Edgar Allan Poe on a mere 3 hours of slumber.

Note, again, the very handy color-coding feature provided by Wireshark, which makes it obvious "who said what": with the client's transmissions in red and the server's responses in blue, you can see what both sides expect from each other, and how each one responds when it gets various packets of data.
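Wireshark's Find Packet and Follow TCP Stream steps above, done programmatically over the .pcap that RawCap writes, as an added example that is not code from the original article or from the RawCap/Wireshark projects. It assumes the file uses the raw-IPv4 pcap link type (101; Ethernet, type 1, is handled too), and the pcap bytes, addresses and port 7727 exchange are all constructed inline.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic (microsecond timestamps), written little-endian here

def tcp_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+TCP frame (checksums left zero) as a raw-IP capture would store it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload

def build_pcap(frames, linktype=101):
    """Constructed pcap: 24-byte global header + 16-byte record header per frame; linktype 101 = raw IPv4 (assumed for RawCap), 1 = Ethernet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1418940000 + i, 0, len(frame), len(frame)) + frame
    return out

def follow_tcp_stream(pcap, port):
    """Find Packet + Follow TCP Stream in miniature: [(side, text)] for each data-bearing TCP
    segment touching `port`; 'client' = sent to it (red in Wireshark), 'server' = sent from it (blue)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"   # byte-swapped magic means a big-endian file
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    ip_off = 14 if linktype == 1 else 0            # Ethernet frames carry a 14-byte header first
    off, stream = 24, []
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from(endian + "I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip = frame[ip_off:]
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue                               # skip anything that is not IPv4/TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]              # IHL gives the IPv4 header length
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if port not in (sport, dport):
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]         # TCP data offset skips header + options
        if payload:                                # SYN/ACK-only segments carry no data
            stream.append(("client" if dport == port else "server", payload.decode("latin-1")))
    return stream

# Constructed loopback exchange on port 7727, the port the article searches for.
SAMPLE_PCAP = build_pcap([
    tcp_packet("127.0.0.1", "127.0.0.1", 51000, 7727, b""),                  # handshake-style, no data
    tcp_packet("127.0.0.1", "127.0.0.1", 51000, 7727, b"HELLO platypus\r\n"),
    tcp_packet("127.0.0.1", "127.0.0.1", 7727, 51000, b"200 OK\r\n"),
    tcp_packet("127.0.0.1", "127.0.0.1", 51000, 8080, b"not our port"),      # filtered out
])
```

Running `follow_tcp_stream(SAMPLE_PCAP, 7727)` gives the same client/server turn sequence that Follow TCP Stream colors red and blue, with the empty handshake segment and the port-8080 traffic left out.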

Get Gone

And so you have it: a couple of free tools and a modicum of work, and you've got more network traffic information than your local television stations' traffic reporter ever dreamed of having.

Be Kind to Your Fellow Mammals

If you find this tip useful, "pay it forward" by being nice to the next Duckbilled Platypus you come across (Platypi R People, too, you know!) - but beware the poisonous claw on his hind foot! These furry and fluffy critters may look cute and cuddly, but if you're not careful, they will put a world of hurt on you by puncturing your pinky with their poison paw - or even worse, another body member beginning with "p", such as "patellar tendon."

A Word to the Wise: Beware the Seaside Police!

Unless you are a perfect programmer, and can prove such in a court of law, you'd best avoid Seaside, California, where coding mistakes have apparently been criminalized, as can be seen by this photo I shot yesterday in the City Hall parking lot:

Image 7

AFAIK, it's still safe to visit Monterey, Carmel, Big Sur, etc., but if you are prone to writing problematic code, Seaside would best be avoided, unless you want to wind up in the slammer/calaboose.

Unobtrusive Hint

I have been writing these splendiferous tips that have helped millions of people save trillions of dollars, and have not as yet received a choctypus (a chocolate duckbilled platypus, of course) from anyone (I know - hard to believe!). Note: now that y'all are aware of the choctypus shortage at my domicile, I'm sure you will know what to do. Please, though, if you drone it in, make sure to pack it with some shock-absorbing material, like peanuts (not the fake ones - real ones!).

No need to worry about subterfuge leading to litigiousness: I HAVE NO PEANUT ALLERGIES!!!

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

B. Clay Shannon
Founder Across Time & Space
United States
I am in the process of morphing from a software developer into a portrayer of Mark Twain. My monologue (or one-man play, entitled "The Adventures of Mark Twain: As Told By Himself" and set in 1896) features Twain giving an overview of his life up till then. The performance includes the relating of interesting experiences and humorous anecdotes from Twain's boyhood and youth, his time as a riverboat pilot, his wild and woolly adventures in the Territory of Nevada and California, and experiences as a writer and world traveler, including recollections of meetings with many of the famous and powerful of the 19th century - royalty, business magnates, fellow authors, as well as intimate glimpses into his home life (his parents, siblings, wife, and children).

Peripatetic and picaresque, I have lived in eight states; specifically, besides my native California (where I was born and where I now again reside) in chronological order: New York, Montana, Alaska, Oklahoma, Wisconsin, Idaho, and Missouri.

I am also a writer of both fiction (for which I use a nom de plume, "Blackbird Crow Raven", as a nod to my Native American heritage - I am "½ Cowboy, ½ Indian") and nonfiction, including a two-volume social and cultural history of the U.S. which covers important events from 1620-2006: http://www.lulu.com/spotlight/blackbirdcraven
