RawCap is a free command line network sniffer for Windows that uses raw sockets.

Quick RawCap facts:


You will need administrator privileges to run RawCap.

F:\Tools>RawCap.exe --help
NETRESEC RawCap version

Usage: RawCap.exe [OPTIONS] <interface> <pcap_target>
 <interface> can be an interface number or IP address
 <pcap_target> can be filename, stdout (-) or named pipe (starting with \\.\pipe\)

 -f          Flush data to file after each packet (no buffer)
 -c <count>  Stop sniffing after receiving <count> packets
 -s <sec>    Stop sniffing after <sec> seconds
 -m          Disable automatic creation of RawCap firewall entry
 -q          Quiet, don't print packet count to standard out

 0.     IP        :
        NIC Name  : Local Area Connection
        NIC Type  : Ethernet

 1.     IP        :
        NIC Name  : WiFi
        NIC Type  : Wireless80211

 2.     IP        :
        NIC Name  : Loopback Pseudo-Interface 1
        NIC Type  : Loopback

 3.     IP        :
        NIC Name  : Mobile 12
        NIC Type  : Wwanpp

Example 1: RawCap.exe 0 dumpfile.pcap
Example 2: RawCap.exe -s 60 localhost.pcap
Example 3: RawCap.exe \\.\pipe\RawCap
Example 4: RawCap.exe -q - | Wireshark.exe -i - -k

An alternative to supplying the interface number is to supply the IP address of the preferred interface instead, i.e. like this:

RawCap.exe localhost_capture.pcap

Interactive Console Dialog

You can also start RawCap without any arguments, this will leave you with an interactive dialog:

Network interfaces:
0.    Local Area Connection
1.    Wireless Network Connection
2.   3G UMTS Internet
3.   VMware Network Adapter VMnet1
4.   VMware Network Adapter VMnet2
5.       Loopback Pseudo-Interface
Select network interface to sniff [default '0']: 1
Output path or filename [default 'dumpfile.pcap']:
Sniffing IP :
Output File : dumpfile.pcap
 --- Press [Ctrl]+C to stop ---
Packets     : 1337

Streaming PCAP to Wireshark

The easiest way to analyze packets captured by RawCap in Wireshark is to save them to a capture file and open it in Wireshark. But you can also use alternative output methods to analyze the captured packets using Wireshark in real-time.

The simplest way to analyze packets in real-time is to write the PCAP data to standard output (stdout) using the "-" switch, and then reading that data in Wireshark with the "-i -" switch.

RawCap.exe -q - | Wireshark.exe -i - -k

Another alternative is to write the PCAP data to a named pipe, and then let Wireshark "sniff" packets from that named pipe.

  1. Start RawCap and let it write PCAP data to a named pipe called "RawCap".
    RawCap.exe \\.\pipe\RawCap
  2. Start Wireshark (version 2.3.0 or later)
  3. Click: Capture > Options
  4. Click "Manage Interfaces..."
  5. Select the "Pipes" tab
  6. Click the "+" button to add a named pipe
  7. Name the pipe "\\.\pipe\RawCap" and press ENTER to save it
  8. RawCap named pipe interface added in Wireshark
  9. Click "OK" in the Manage Interface window
  10. Wireshark with a PacketCache pipe interface
  11. Click "Start" to see the packets sniffed by RawCap in real-time

Old vs. New RawCap Version

The new RawCap versionis better than the previous version in many ways, but there are a couple of drawbacks. We therefore let the user choose which version to download.

RawCap (old) RawCap (new)
Release year 2013 2022
Save packets in PCAP file
Write packets to standard output (stdout)
Write packets to named pipe
Automatic firewall configuration
Capture from any IPv4 address
IPv6 support
Target .NET framework .NET Framework 2.0 .NET Framework 4.7.2
File size 23 kB 54 kB
Download Old Version Download New Version

Raw sockets limitations (OS dependent)


RawCap cannot capture packets from IPv6 interfaces. This also include the localhost IPv6 interface associated with address ::1. Unfortunately the name "localhost" often resolves to ::1 rather than, which can cause confusion. Therefore, when trying to capture application traffic on localhost, make sure the monitored application is connecting to "" rather than "localhost".

Sniffing localhost

Sniffing localhost/loopback ( has some limitations under Windows XP. When sniffing localhost traffic in Windows XP you will only be able to capture UDP and ICMP packets, not TCP.
TCP, UDP and ICMP packets can, however, all be sniffed properly from localhost on newer operating systems like Windows Vista and Windows 7.

External interfaces

Windows Vista can't capture outgoing packets, only incoming.

If you, on the other hand, find that you are only able to sniff OUTGOING packets then you probably just need to add an exception for RawCap in your local firewall. To create an exception, simply follow these steps:

RawCap Firewall Rule to allow sniffing of incoming packets
Firewall rule to allow RawCap to sniff incoming packets.

Gigantic Packets due to Offloading

If you get a SocketException saying something like "the buffer used to receive a datagram into was smaller than the datagram itself", then you probably have Large Send Offload (LSO) enabled on your network interface. This feature is also known as TCP Segmentation Offload (TSO) and is used to reduce CPU overhead for packet processing, in particular on virtual machines.

Newer versions of RawCap will print the following error message when a too large packet is received:

Warning: Skipped packet larger than 65536. Consider disabling Large Send Offload (LSO) on NIC.

You can disable LSO by changing the value for "Large Send Offload V2 (IPv4)" in the network adapter's advanced settings, as show in this screenshot:

Disable Large Send Offload V2 (IPv4)
Image credit: Rene Perraux

LSO can also be dissabled programmatically using PowerShell:

Disable-NetAdapterLso -Name "MyAdapter" -IPv4

Adding Fake Ethernet Headers

PCAP files created with RawCap use the "DLT_RAW" aka "RAW_IP" encapsulation type. This means that all frames in the capture file start with an IP header instead of, for example, an Ethernet header. Unfortunately not all tools support the Raw IP encap type. But you can prepend a fake Ethernet header to all frames in a PCAP file by using tcprewrite like this:

tcprewrite --infile dumpfile.pcap --outfile ethernet.pcap --dlt=enet --enet-smac=00 --enet-dmac=00


RawCap is freeware and can be used by anyone, i.e. even commercial use is allowed.
You are, however, NOT allowed to:

More information

You can read more about RawCap in our blog posts "RawCap sniffer for Windows released" (2011) and "RawCap Redux" (2020). As well as other blog posts tagged with RawCap.

Download RawCap.exe