RawCap

RawCap is a free command line network sniffer for Windows that uses raw sockets.

Properties of RawCap:

Usage

You will need to have administrator privileges to run RawCap.

F:\Tools>RawCap.exe --help
NETRESEC RawCap version 0.1.4.0
http://www.netresec.com

Usage: RawCap.exe [OPTION] <interface_nr> <target_pcap_file>

OPTIONS:
 -f     Automatically flush data to file after each packet (no buffer)

INTERFACES:
 0.     IP        : 192.168.0.17
        NIC Name  : Local Area Connection
        NIC Type  : Ethernet

 1.     IP        : 192.168.0.47
        NIC Name  : Wireless Network Connection
        NIC Type  : Wireless80211

 2.     IP        : 90.130.211.54
        NIC Name  : 3G UMTS Internet
        NIC Type  : Ppp

 3.     IP        : 192.168.111.1
        NIC Name  : VMware Network Adapter VMnet1
        NIC Type  : Ethernet

 4.     IP        : 192.168.222.1
        NIC Name  : VMware Network Adapter VMnet2
        NIC Type  : Ethernet

 5.     IP        : 127.0.0.1
        NIC Name  : Loopback Pseudo-Interface
        NIC Type  : Loopback

Example: RawCap.exe 0 dumpfile.pcap

An alternative to supplying the interface number is to supply the IP address of the preferred interface instead:

RawCap.exe 192.168.0.17 dumpfile.pcap

Interactive Console Dialog

You can also start RawCap without any arguments, which opens an interactive dialog:

F:\Tools>RawCap.exe
Network interfaces:
0.     192.168.0.17    Local Area Connection
1.     192.168.0.47    Wireless Network Connection
2.     90.130.211.54   3G UMTS Internet
3.     192.168.111.1   VMware Network Adapter VMnet1
4.     192.168.222.1   VMware Network Adapter VMnet2
5.     127.0.0.1       Loopback Pseudo-Interface
Select network interface to sniff [default '0']: 1
Output path or filename [default 'dumpfile.pcap']:
Sniffing IP : 192.168.0.47
File        : dumpfile.pcap
Packets     : 1337

Raw sockets limitations (OS dependent)

Due to current limitations in the raw sockets implementations for Windows Vista and Windows 7, we suggest running RawCap on Windows XP. The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista).

If you only want to sniff from localhost/loopback (127.0.0.1), however, newer versions of Windows actually work better than the old XP. When sniffing from localhost in Windows XP you will only be able to capture UDP and ICMP traffic, not TCP. TCP, UDP and ICMP packets can all be sniffed properly from localhost on both Windows Vista and Windows 7.
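A capture taken for incident response is only useful if you know whether one direction or one protocol is missing. The following Python check is an added example, not part of RawCap or of the original page: it reads a capture file and reports the gaps described above. It assumes the file is a classic pcap whose link type is raw IP (no Ethernet header); the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

RAW_IP_LINKTYPES = {12, 101, 228}   # assumption: capture has no link-layer header
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def capture_profile(pcap, sniffed_ip):
    """Count direction and protocol of IPv4 packets relative to sniffed_ip."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype not in RAW_IP_LINKTYPES:
        raise ValueError(f"link type {linktype} is not raw IP")
    local = bytes(int(o) for o in sniffed_ip.split("."))
    direction, protocols = Counter(), Counter()
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        pkt = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue                      # truncated record or not IPv4
        protocols[PROTO.get(pkt[9], str(pkt[9]))] += 1
        src, dst = pkt[12:16], pkt[16:20]
        key = ("loopback" if src == dst == local else "outgoing" if src == local
               else "incoming" if dst == local else "other")
        direction[key] += 1
    return direction, protocols

def capture_warnings(direction, protocols):
    """Flag the gaps described above: one-way captures and TCP-less loopback."""
    notes = []
    if direction["outgoing"] and not direction["incoming"]:
        notes.append("no incoming packets: capture looks one-directional")
    if direction["incoming"] and not direction["outgoing"]:
        notes.append("no outgoing packets: capture looks one-directional")
    if direction["loopback"] and not protocols["TCP"]:
        notes.append("loopback capture contains no TCP")
    return notes

def sample_pcap(packets, linktype=101):
    """Constructed test input: (src, dst, proto) tuples -> minimal pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for src, dst, proto in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        out += struct.pack("<IIII", 0, 0, len(ip), len(ip)) + ip
    return out
```

To check a real capture, pass the file contents and the sniffed address, for example capture_profile(open("dumpfile.pcap", "rb").read(), "192.168.0.47"). A warning is a prompt to re-capture on another OS version, not proof of loss, since a quiet host can legitimately send without receiving.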

More information

You can read more about RawCap in our blog post "RawCap sniffer for Windows released".

Download RawCap

You can download RawCap.exe here.