

PacketCache is a free Windows service designed to continuously monitor the network interfaces of a computer and store the captured packets in memory (RAM). The idea is to make full-content packets available for post-event incident response and network forensic analysis. PacketCache can be used either as a complement to solutions for centralized network packet capturing, or without any other network monitoring solution in place.

By default PacketCache reserves 1% of a computer's total physical memory for storing packets. A computer with 4 GB of RAM will thereby allow up to 40 MB of packets to be kept in memory. This might not seem like much, but PacketCache relies on a clever technique that allows it to store only the most important packets. With this technique just 40 MB of storage can be enough to store several days' worth of “important” packets.

The “clever technique” we refer to is actually a simple way of removing packets from TCP and UDP sessions as they get older. This way recent communication can be retained in full, while older data is truncated at the end (i.e. only the last packets are removed from a session).
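
A sketch of the age-based truncation described above, added here as an illustration and not PacketCache's own code: the tier values, the floor, and measuring a session's age from its first packet are all assumptions. It shows how the start of an old session survives while its tail is dropped, and how little memory the old sessions then need.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts flow size")  # capture time (s), session key, bytes

# Hypothetical age tiers: (session age below N seconds, bytes kept per session).
# None = keep everything. These values are assumptions, not PacketCache's own.
TIERS = [(3600, None), (86400, 100_000), (7 * 86400, 10_000)]
FLOOR = 1_500  # bytes kept for sessions older than the last tier (assumption)

def budget(age):
    """Byte budget for a session whose first packet is `age` seconds old."""
    for max_age, keep in TIERS:
        if age < max_age:
            return keep
    return FLOOR

def trim(packets, now):
    """Return the packets still cached at `now`; each session loses its tail first."""
    sessions = {}
    for p in sorted(packets, key=lambda p: p.ts):
        sessions.setdefault(p.flow, []).append(p)
    kept = []
    for pkts in sessions.values():
        limit = budget(now - pkts[0].ts)
        total = 0
        for p in pkts:
            if limit is not None and total and total + p.size > limit:
                break  # over budget: drop this packet and the rest of the session
            total += p.size
            kept.append(p)
    return kept

def retained_bytes(packets, now):
    """Bytes kept per session, for comparison with what was captured."""
    out = {}
    for p in trim(packets, now):
        out[p.flow] = out.get(p.flow, 0) + p.size
    return out

def sample_capture(now):
    """Constructed input: three 3 MB transfers (2000 x 1500-byte packets) of different ages."""
    starts = {"tcp:10-min": now - 600, "tcp:6-hours": now - 6 * 3600, "tcp:3-days": now - 3 * 86400}
    return [Packet(t0 + i * 0.01, flow, 1500) for flow, t0 in starts.items() for i in range(2000)]

if __name__ == "__main__":
    now = 1_000_000
    for flow, size in retained_bytes(sample_capture(now), now).items():
        print(f"{flow:12} {size:>9} of 3000000 bytes kept")
```

With these constructed tiers the three sessions shrink from 9 MB captured to about 3.1 MB cached, and every session still begins with its first packets.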

Product name: PacketCache
Latest version:
Download URL:
SHA256: 067CEEF6630C52DCA543D35D5F0327EFCA2108713EFC6E827A64A9724BDC04FE
Signed by: Netresec AB


Follow these steps to install PacketCache:

PacketCache services in services.msc

Reading packets captured by PacketCache

The easiest way to read packets from PacketCache is by using CapLoader:

CapLoader's Read from PacketCache

Alternatively, here's a simple PowerShell script that can be used to read packets from PacketCache:

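# Connect to the local PacketCache named pipe (read-only) and save the stream as a pcap file.
$pipeStream = new-object System.IO.Pipes.NamedPipeClientStream '.','PacketCache','In';
# Create() truncates an existing file; OpenWrite() would leave stale bytes after a shorter capture.
$file = [System.IO.File]::Create('PacketCache.pcap');
try {
    $pipeStream.Connect(1000);  # wait up to 1 second for the service's pipe
    $buffer = new-object byte[] 4096;
    $n = $pipeStream.Read($buffer, 0, $buffer.Length);
    while ($n -gt 0) {  # Read returns 0 once the service closes the pipe
        $file.Write($buffer, 0, $n);
        $n = $pipeStream.Read($buffer, 0, $buffer.Length);
    }
}
finally {
    $file.Close();
    $pipeStream.Dispose();
}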

Please note that PacketCache only provides data to users with local admin privileges, so you will have to run the PowerShell script as administrator in order to read the captured packets.




Frequently Asked Questions (FAQ)

Q: If packets are stored in RAM, will all historical traffic be lost when my computer is rebooted?
A: No, PacketCache is designed to dump the packets from RAM into an encrypted file upon reboot. This file will then be read back into RAM when the computer boots up again.

Q: Is it possible to allocate more than 1% of my memory for PacketCache?
A: Yes, when registering PacketCache.exe with sc, simply append a number as an argument to the PacketCache command. For example, in order to allow up to 5% of RAM to be used, register the PacketCache service like this:

sc create PacketCache binPath= "C:\Program Files\PacketCache\PacketCache.exe 5" start= auto

Q: Is PacketCache free? Can I use this software commercially?
A: Yes, and yes. PacketCache is released under a Creative Commons Attribution-NoDerivatives 4.0 International License, which means that you can copy and redistribute PacketCache in any medium or format for any purpose, even commercially.


Please feel free to contact info[at] or @netresec if you have any additional questions regarding PacketCache!