Capturing local traffic on Windows Server 2008 R2

windows-server-2008-r2, wireshark

I've got three different applications running on the same Windows Server 2008 R2 machine that communicate with each other over TCP/IP. All three applications use the actual IP address of the server (vs. using the loopback interface), which is 192.168.106.1.

When I run Wireshark on the server, I do not see any of the traffic going between the three applications. I added a route to the server to forward traffic destined for 192.168.106.1 to my LAN's gateway, in which case I now see SYN packets for the traffic. However, I don't see anything come back.

Bottom line is… has anyone had success capturing local traffic on a Windows Server 2008 R2 machine?

Best Answer

The Wireshark wiki explains here why it's not possible, together with some workarounds. Basically, traffic local to the host is routed within the Windows TCP stack, so it never makes it to the interface layer, which is where Wireshark listens (via WinPcap). So without the workarounds behind that link, no, it's not possible.
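As an added illustration of one workaround class (not code from the answer above, the Wireshark wiki, or RawCap itself): instead of WinPcap at the NDIS layer, open a raw IP socket bound to the server's address with SIO_RCVALL, which is the technique the RawCap tool uses to see host-local traffic, and write what arrives to a pcap file that Wireshark can open. The script assumes the address 192.168.106.1 from the question, must be run as Administrator, and assumes raw sockets on 2008 R2 see the locally routed packets for that address (verify on your own box; that is an assumption, not a guarantee). The packet parsing and pcap writing are portable and exercised on a constructed SYN packet; only capture() touches the Windows-only socket.ioctl.

```python
import socket
import struct
import sys
import time

LINKTYPE_RAW = 101        # pcap link type: each record starts at the IP header
LOCAL_IP = "192.168.106.1"  # server address from the question (assumed)


def pcap_global_header(linktype=LINKTYPE_RAW, snaplen=65535):
    """24-byte libpcap file header (little-endian, version 2.4)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(packet, ts=None):
    """One pcap record: 16-byte header (sec, usec, caplen, len) + packet bytes."""
    if ts is None:
        ts = time.time()
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet


def parse_ipv4(packet):
    """Return (src, dst, proto, payload) for a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20:
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, proto, packet[ihl:total_len]


def tcp_ports(payload):
    """(source port, destination port) from a TCP header, or None if too short."""
    if len(payload) < 20:
        return None
    return struct.unpack("!HH", payload[:4])


def is_local_only(packet, local_ip):
    """True when both endpoints are the host's own address (the traffic in the question)."""
    hdr = parse_ipv4(packet)
    return hdr is not None and hdr[0] == local_ip and hdr[1] == local_ip


def capture(local_ip, out_path, count):
    """Windows-only: RawCap-style raw-socket capture of host-local packets to a pcap file."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((local_ip, 0))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)   # promiscuous mode on this address
    written = 0
    try:
        with open(out_path, "wb") as f:
            f.write(pcap_global_header())
            while written < count:
                pkt = s.recv(65535)
                if is_local_only(pkt, local_ip):
                    f.write(pcap_record(pkt))
                    written += 1
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        s.close()
    return written


# Constructed sample: an IPv4/TCP SYN from 192.168.106.1:50000 to 192.168.106.1:8080,
# checksums left zero because only header fields are inspected here.
SAMPLE_SYN = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                socket.inet_aton(LOCAL_IP), socket.inet_aton(LOCAL_IP))
    + struct.pack("!HHIIBBHHH", 50000, 8080, 1000, 0, 0x50, 0x02, 8192, 0, 0)
)

if __name__ == "__main__":
    # Usage (as Administrator on the server): python rawcapture.py out.pcap 200
    out = sys.argv[1] if len(sys.argv) > 1 else "local.pcap"
    n = int(sys.argv[2]) if len(sys.argv) > 2 else 100
    print("wrote", capture(LOCAL_IP, out, n), "packets to", out)
```

Because the records start at the IP header, the file is written with link type 101 (LINKTYPE_RAW); Wireshark dissects it as raw IP with no Ethernet layer. Expect to see both directions of the TCP handshake only if the raw socket on your system actually receives host-local packets; if you only see one direction, that is the same stack short-circuit the answer describes.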