Can any data exchanged on a local machine using the loopback IP 127.0.0.1 (localhost) be packet sniffed if the PC is also connected to a network (wireless or landline)?

I would like to know if the loopback, as a means of interprocess communication for locally running processes, can be regarded as a secure means of exchanging data (i.e., not privy to eavesdropping by anyone that resides externally on the network with a packet sniffer program).

This question is being asked in respect to all the pertinent OS platforms:

  • Win2K/WinXP
  • Vista
  • Windows 7
  • Mac OS X
  • Linux
+4  A: 

It should be safe from packet sniffing off the network because the traffic never goes on the wire (or airwaves).

A process on that local machine could sniff the packets, though.

VBNight
+1. But why bother sniffing on the same machine? If it's on the same machine and you can hijack the loopback you probably already have root. Just read the process memory directly :)
JaredPar
I've been told that Windows loopback traffic would not be visible on the network, but then I've heard Linux loopback was implemented differently and might be prone to being sniffed on the network. Hence trying to see what the collective wisdom of the crowd says. :-)
RogerV
I'm not personally aware of any issue with Linux sending loopback packets over the network. (How would it get those packets back with every device having the same loopback address?)
VBNight
A: 

The loopback interface can be regarded as secure with respect to the external network. It isn't secure within the same host.

chaos
A: 

I'm pretty sure that popular packet sniffers can't sniff the loopback interface (a cause of much grief and annoyance when debugging stuff on localhost).

Assaf Lavie
A: 

The answers so far are correct, but I will phrase it a different way. It is possible to sniff the loopback adapter communications on the localhost itself, but it usually requires special drivers depending on the operating system. Loopback communication is safe from external sniffers, though.

I have had cases where I needed to sniff loopback communications and it was not easy to set up, but it was possible (at least on Windows and I would bet so with Linux as well).

Ryan
Loopback sniffing on Linux never requires special drivers.
Alnitak
+7  A: 

Yes, this is secure. As VBNight stated, the traffic never hits the wire or air.

But you can actually sniff localhost traffic on your local machine. For example, on my Linux box I did the following:

sudo tcpdump -i lo

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
15:29:58.056585 IP localhost.56010 > localhost.16001: S 3572335637:3572335637(0) win 32792 <mss 16396,sackOK,timestamp 132126218 0,nop,wscale 6>
15:29:58.056604 IP localhost.16001 > localhost.56010: R 0:0(0) ack 3572335638 win 0
15:29:59.026016 IP localhost.41664 > localhost.41664: UDP, length 1
15:29:59.026346 IP localhost.41664 > localhost.41664: UDP, length 1
15:29:59.126838 IP localhost.41664 > localhost.41664: UDP, length 1
15:29:59.127486 IP localhost.41664 > localhost.41664: UDP, length 1

So, you can use it to sniff your own traffic/IPC messages, but nobody else can see it on the network.

It is very common for systems to use a protocol like TCP or UDP for local IPC over the lo interface.

Steve Lazaridis
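
The answers above only hold if the IPC endpoint is really bound to a loopback address. The following is an added example, not code from any of the posters: it reads socket tables in the Linux /proc/net/tcp layout and reports which listening TCP sockets are loopback-only and which are bound to an address that other hosts can reach. The sample table is constructed, and the decoding assumes IPv4 on a little-endian host.

```python
import ipaddress

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3E81 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0A01A8C0:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 20003
   3: 0100007F:DACA 0100007F:3E81 01 00000000:00000000 00:00000000 00000000  1000        0 20004
"""


def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' (IPv4, little-endian host assumed)."""
    hex_addr, hex_port = field.split(":")
    # The kernel prints the address as a host-order 32-bit word, so the
    # bytes appear reversed on little-endian machines.
    addr = ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1])
    return addr, int(hex_port, 16)


def classify_listeners(table_text):
    """Map (address, port) of each LISTEN socket to its exposure.

    'loopback-only'     : bound inside 127.0.0.0/8, traffic stays on the host
    'network-reachable' : bound to 0.0.0.0 or a NIC address (firewall aside)
    """
    result = {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue  # ignore established connections and other states
        addr, port = decode_endpoint(cols[1])
        exposure = "loopback-only" if addr.is_loopback else "network-reachable"
        result[(str(addr), port)] = exposure
    return result


if __name__ == "__main__":
    listeners = classify_listeners(SAMPLE_PROC_NET_TCP)
    for (addr, port), exposure in sorted(listeners.items()):
        print(f"{addr}:{port:<6} {exposure}")
```

On a real Linux host, pass the contents of /proc/net/tcp to `classify_listeners` instead of the sample.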