code & network

Watching loopback traffic with tcpdump

2025-04-18

Two services on the same machine were talking to each other on a TCP port, and one of them was answering with what looked like the wrong content. I wanted to actually see the bytes going across.

The trick is that tcpdump -i any often skips loopback traffic — you need -i lo explicitly. Adding -A dumps the ASCII payload, which is enough to read HTTP-like protocols by eye.

sudo tcpdump -i lo -nn -A 'port 8080'

Filtering by port keeps the output sane. For multi-port debugging, 'port 8080 or port 9090' works.

One thing I had to look up: loopback frames have a different link layer than Ethernet, and some tools confuse themselves over that. If you're piping into Wireshark, save with -w file.pcap and open the file rather than streaming.
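To make the link-layer point concrete, here is an added example (not from the original post) that reads a file saved with -w, takes the link type from the pcap global header, and skips the matching header length before parsing IPv4/TCP. The function names, the assume parameter and the sample capture are constructed for illustration; the link-type numbers and header sizes are the standard pcap ones.

```python
import struct

# Link-layer header length per pcap linktype (tcpdump.org registry values).
LINK_HDR = {
    0: 4,     # DLT_NULL: BSD/macOS loopback, 4-byte address family
    1: 14,    # DLT_EN10MB: Ethernet; Linux "lo" also reports this
    113: 16,  # DLT_LINUX_SLL: Linux cooked capture, seen with "-i any"
    276: 20,  # DLT_LINUX_SLL2: cooked capture v2 in newer libpcap
}

def tcp_payloads(pcap, port, assume=None):
    """Return (file linktype, [TCP payloads]) for IPv4 packets on `port`.
    `assume` overrides the linktype to mimic a tool that guesses wrong."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    # Low 16 bits of the last global-header field carry the linktype.
    linktype = struct.unpack(endian + "I", pcap[20:24])[0] & 0xFFFF
    skip = LINK_HDR[linktype if assume is None else assume]
    out, off = [], 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        ip = pcap[off + 16:off + 16 + caplen][skip:]
        off += 16 + caplen
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue  # not IPv4/TCP at the offset we assumed
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:]
        if len(tcp) < 20 or port not in struct.unpack("!HH", tcp[:4]):
            continue
        total = struct.unpack("!H", ip[2:4])[0]
        data = ip[ihl + (tcp[12] >> 4) * 4:total]  # trim to IP total length
        if data:
            out.append(data)
    return linktype, out

def sample_pcap(linktype):
    """Constructed one-packet capture: 127.0.0.1:40000 -> 127.0.0.1:8080."""
    data = b"GET /health HTTP/1.1\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 1, 5 << 4, 0x18, 1024, 0, 0)
    lo = bytes([127, 0, 0, 1])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0, lo, lo)
    link = {0: struct.pack("<I", 2), 1: bytes(12) + b"\x08\x00"}[linktype]
    frame = link + ip + tcp + data
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    print([tcp_payloads(sample_pcap(lt), 8080) for lt in (0, 1)])
```

Passing assume=1 against the DLT_NULL sample returns no payloads at all, which is what a tool that hard-codes a 14-byte Ethernet header does with such a capture.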