RawCap is a free command line network sniffer for Windows that uses raw sockets.
Quick RawCap facts:
You will need administrator privileges to run RawCap.
An alternative to supplying the interface number is to supply the IP address of the preferred interface instead, i.e. like this:
You can also start RawCap without any arguments, this will leave you with an interactive dialog:
The easiest way to analyze packets captured by RawCap in Wireshark is to save them to a capture file and open it in Wireshark. But you can also use alternative output methods to analyze the captured packets using Wireshark in real-time.
The simplest way to analyze packets in real-time is to write the PCAP data to standard output (stdout) using the "-" switch, and then reading that data in Wireshark with the "-i -" switch.
Another alternative is to write the PCAP data to a named pipe, and then let Wireshark "sniff" packets from that named pipe.
The new RawCap versionis better than the previous version in many ways, but there are a couple of drawbacks. We therefore let the user choose which version to download.
|RawCap 0.1.5.0 (old)||RawCap 0.2.1.0 (new)|
|Save packets in PCAP file|
|Write packets to standard output (stdout)|
|Write packets to named pipe|
|Automatic firewall configuration|
|Capture from any IPv4 address|
|Target .NET framework||.NET Framework 2.0||.NET Framework 4.7.2|
|File size||23 kB||54 kB|
|Download Old Version||Download New Version|
RawCap cannot capture packets from IPv6 interfaces. This also include the localhost IPv6 interface associated with address ::1. Unfortunately the name "localhost" often resolves to ::1 rather than 127.0.0.1, which can cause confusion. Therefore, when trying to capture application traffic on localhost, make sure the monitored application is connecting to "127.0.0.1" rather than "localhost".
Sniffing localhost/loopback (127.0.0.1) has some limitations under Windows XP.
When sniffing localhost traffic in Windows XP you will only be able to capture UDP and ICMP packets, not TCP.
TCP, UDP and ICMP packets can, however, all be sniffed properly from localhost on newer operating systems like Windows Vista and Windows 7.
Windows Vista can't capture outgoing packets, only incoming.
If you, on the other hand, find that you are only able to sniff OUTGOING packets then you probably just need to add an exception for RawCap in your local firewall. To create an exception, simply follow these steps:
Gigantic Packets due to Offloading
If you get a SocketException saying something like "the buffer used to receive a datagram into was smaller than the datagram itself", then you probably have Large Send Offload (LSO) enabled on your network interface. This feature is also known as TCP Segmentation Offload (TSO) and is used to reduce CPU overhead for packet processing, in particular on virtual machines.
Newer versions of RawCap will print the following error message when a too large packet is received:
You can disable LSO by changing the value for "Large Send Offload V2 (IPv4)" in the network adapter's advanced settings, as show in this screenshot:
LSO can also be dissabled programmatically using PowerShell:
PCAP files created with RawCap use the "DLT_RAW" aka "RAW_IP" encapsulation type. This means that all frames in the capture file start with an IP header instead of, for example, an Ethernet header. Unfortunately not all tools support the Raw IP encap type. But you can prepend a fake Ethernet header to all frames in a PCAP file by using tcprewrite like this:
RawCap is freeware and can be used by anyone, i.e. even commercial use is allowed.
You are, however, NOT allowed to: