What is the Adapter for loopback traffic capture in Wireshark?

Leave a Comment / Networking and Computing Tips and Tricks / By /
Post Views: 507

Using a loopback adapter (also called a local loopback interface) for packet capture in Wireshark allows you to capture traffic that stays within your own computer — for example, packets exchanged between local applications via localhost or 127.0.0.1. Normally, this traffic never reaches a physical network interface, so a loopback capture is needed to see it. Here’s how to do it depending on your operating system:

On Windows

If your Windows machine does not show a loopback adapter , you may need to re-install npcap.

  1. Download and install Npcap (the packet capture driver used by Wireshark).
  2. During installation, check the box labeled:
    👉 “Support loopback traffic (‘Npcap Loopback Adapter’)”
  3. After installation, open Wireshark.
  4. You’ll see a new interface called “Npcap Loopback Adapter” in the interface list.
  5. Select it and start capturing — you’ll now see packets to and from 127.0.0.1 or ::1.
On Linux

Linux systems expose a built-in loopback interface by default.

  1. Open Wireshark with capture permissions (see https://wiki.wireshark.org/capturesetup/captureprivileges).
  2. Look for the interface named “lo” in the capture interface list.
  3. Start a capture on lo to see traffic between local processes.
  4. You’ll see packets with source and destination addresses like 127.0.0.1.
On macOS

macOS also includes a loopback interface.

  1. Start Wireshark.
  2. Look for the interface “lo0” (the loopback device).
  3. Begin capturing — you’ll see local traffic just like on Linux.
  4. Generate local connections to test, such as ping 127.0.0.1 or accessing a local web service.
Some Tips for Effective Loopback Captures
  • Use display filters like ip.addr == 127.0.0.1 or tcp.port == 8080 to focus on your test traffic.
  • Loopback traffic does not use ARP or Ethernet headers, so you’ll typically see raw IP packets or pseudo-headers.
  • Use npcap (not WinPcap) on Windows — WinPcap does not support loopback captures.

Example Using the Interface

Let’s walk through a loopback capture example step by step, showing how you can observe local traffic in Wireshark (for instance, between your browser and a local web server).

For Windows (using Npcap Loopback Adapter)
Step 1: Verify Loopback Adapter
  • Open Wireshark → click Capture → Options.
  • Look for an interface named “Npcap Loopback Adapter” or “Adapter for loopback traffic capture”.
  • Select it and click Start.
Step 2: Start a Local Web Server

If you have Python installed, open a Command Prompt and run:

python -m http.server 8080

This starts a simple HTTP server on port 8080 using your local directory.

Step 3: Generate Local Traffic

Open your browser and go to:

http://127.0.0.1:8080

Wireshark should now show packets on the loopback interface. Add the display filter “tcp.port==8080” and you should see something like this:

Note the following items:

  • TCP handshake (SYN, SYN/ACK, ACK)
  • HTTP GET request
  • HTTP response with 200 OK
For Linux (interface lo)
  1. Start capture on the lo interface.
  2. Run: python3 -m http.server 8080
  3. Then in another terminal: curl http://127.0.0.1:8080
  4. Wireshark will display:
    • 127.0.0.1 → 127.0.0.1 TCP (connection setup)
    • HTTP GET / and the response.

You can filter similarly:

http || tcp.port == 8080
For macOS (interface lo0)

Same as Linux — capture on lo0, run a local server with Python or Node.js, then connect via browser or curl.

What You’ll Notice in the Capture
  • No Ethernet or MAC addresses: Loopback uses a pseudo-header instead of real Ethernet framing.
  • Both directions visible: Because both client and server are on the same machine, you’ll see packets in and out on the same interface.
  • Timing accuracy: Loopback captures can show extremely precise timing since there’s no physical transmission delay.

Fantastic. To stop the server, simply return to the CMD window and hit CTRL-C. It will stop.

Some Additional Optional Experiments

You can deepen the learning by:

  • Capturing localhost DNS queries (nslookup localhost).
  • Running two local processes communicating via sockets.
  • Observing HTTP/2 or HTTPS traffic on localhost (you’ll see encrypted TLS).

Comments are welcomed below from registered users.  You can also leave comments at our Discord server

If you would like to see more content and articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!

Tags: , ,

Leave a Comment

Scroll to Top