RawCap is a free command line network sniffer for Windows that uses raw sockets.

Properties of RawCap:


You will need to have administrator privileges to run RawCap.

F:\Tools>RawCap.exe --help
NETRESEC RawCap version

Usage: RawCap.exe [OPTIONS] <interface_nr> <target_pcap_file>

 -f          Automatically flush data to file after each packet (no buffer)
 -c <count>  Stop sniffing after receiving <count> packets
 -s <sec>    Stop sniffing after <sec> seconds

 0.     IP        :
        NIC Name  : Local Area Connection
        NIC Type  : Ethernet

 1.     IP        :
        NIC Name  : Wireless Network Connection
        NIC Type  : Wireless80211

 2.     IP        :
        NIC Name  : 3G UMTS Internet
        NIC Type  : Ppp

 3.     IP        :
        NIC Name  : VMware Network Adapter VMnet1
        NIC Type  : Ethernet

 4.     IP        :
        NIC Name  : VMware Network Adapter VMnet2
        NIC Type  : Ethernet

 5.     IP        :
        NIC Name  : Loopback Pseudo-Interface
        NIC Type  : Loopback

Example: RawCap.exe 0 dumpfile.pcap

An alternative to supplying the interface number is to supply the IP address of the prefered interface instead, i.e. like this:

RawCap.exe localhost_capture.pcap

Interactive Console Dialog

You can also start RawCap without any arguments, this will leave you with an interactive dialog:

Network interfaces:
0.    Local Area Connection
1.    Wireless Network Connection
2.   3G UMTS Internet
3.   VMware Network Adapter VMnet1
4.   VMware Network Adapter VMnet2
5.       Loopback Pseudo-Interface
Select network interface to sniff [default '0']: 1
Output path or filename [default 'dumpfile.pcap']:
Sniffing IP :
File        : dumpfile.pcap
Packets     : 1337

Raw sockets limitations (OS dependent)


RawCap cannot capture packets from IPv6 interfaces. This also include the localhost IPv6 interface associated with address ::1. Unfortunately the name "localhost" often resolves to ::1 rather than, which can cause confusion. Therefore, when trying to capture application traffic on localhost, make sure the monitored application is connecting to "" rather than "localhost".

Sniffing localhost

Sniffing localhost/loopback ( has some limitations under Windows XP. When sniffing localhost traffic in Windows XP you will only be able to capture UDP and ICMP packets, not TCP.
TCP, UDP and ICMP packets can, however, all be sniffed properly from localhost on newer operating systems like Windows Vista and Windows 7.

External interfaces

Windows Vista can't capture outgoing packets, only incoming.

If you, on the other hand, find that you are only able to sniff OUTGOING packets then you probably just need to add an exception for RawCap in your local firewall. To create an exception, simply fillow these steps:

RawCap Firewall Rule to allow sniffing of incoming packets
Firewall rule to allow RawCap to sniff incoming packets.


RawCap is freeware and can be used by anyone, i.e. even commercial use is allowed.
You are, however, NOT allowed to:

More information

You can read more about RawCap in our blog post "RawCap sniffer for Windows released".

Download RawCap.exe