I'm investigating a problem with a process that performs IPC over a socket. The socket is provided through the IP address of the local machine for the network interface, and the connection to the IP address of the local machine is established by another process on the local machine.
I expected that this would drop down the Windows network stack at least far enough for Wireshark to see the packets. However, this does not seem to be the case. So I can conclude that the socket IPC is higher in the stack [it would be interesting to see if any Windows event tracing (ETL) facilities would see the traffic as an IP frame]. This is not important to this question (since this is not Stack Overflow).
Where does WinPcap / Npcap live in the network stack to monitor and pass packets to Wireshark?