RawCap is a free command line network sniffer for Windows that uses raw sockets.
Quick RawCap facts:
- Can sniff any interface that has an IPv4 address, including 127.0.0.1 (localhost/loopback)
- RawCap.exe is just 48 kB
- No external libraries or DLLs needed other than .NET Framework
- No installation required, just download RawCap.exe and sniff
- Can sniff most interface types, including WiFi, WWAN (Mobile Broadband) and PPP interfaces
- Simple to use
You will need administrator privileges to run RawCap.
NETRESEC RawCap version 0.2.0.0
Usage: RawCap.exe [OPTIONS] <interface> <pcap_target>
<interface> can be an interface number or IP address
<pcap_target> can be filename, stdout (-) or named pipe (starting with \\.\pipe\)
-f Flush data to file after each packet (no buffer)
-c <count> Stop sniffing after receiving <count> packets
-s <sec> Stop sniffing after <sec> seconds
-m Disable automatic creation of RawCap firewall entry
-q Quiet, don't print packet count to standard out
0. IP : 169.254.63.243
NIC Name : Local Area Connection
NIC Type : Ethernet
1. IP : 192.168.1.129
NIC Name : WiFi
NIC Type : Wireless80211
2. IP : 127.0.0.1
NIC Name : Loopback Pseudo-Interface 1
NIC Type : Loopback
3. IP : 10.165.240.132
NIC Name : Mobile 12
NIC Type : Wwanpp
Example 1: RawCap.exe 0 dumpfile.pcap
Example 2: RawCap.exe -s 60 127.0.0.1 localhost.pcap
Example 3: RawCap.exe 127.0.0.1 \\.\pipe\RawCap
Example 4: RawCap.exe -q 127.0.0.1 - | Wireshark.exe -i - -k
Instead of supplying the interface number, you can supply the IP address of the preferred interface, like this:
RawCap.exe 127.0.0.1 localhost_capture.pcap
Interactive Console Dialog
You can also start RawCap without any arguments, which will leave you with an interactive dialog:
0. 192.168.0.17 Local Area Connection
1. 192.168.0.47 Wireless Network Connection
2. 18.104.22.168 3G UMTS Internet
3. 192.168.111.1 VMware Network Adapter VMnet1
4. 192.168.222.1 VMware Network Adapter VMnet2
5. 127.0.0.1 Loopback Pseudo-Interface
Select network interface to sniff [default '0']: 1
Output path or filename [default 'dumpfile.pcap']:
Sniffing IP : 192.168.0.47
Output File : dumpfile.pcap
--- Press [Ctrl]+C to stop ---
Packets : 1337
Streaming PCAP to Wireshark
The easiest way to analyze packets captured by RawCap in Wireshark is to save them to a capture file and open it in Wireshark.
But you can also use alternative output methods to analyze the captured packets using Wireshark in real-time.
The simplest way to analyze packets in real-time is to write the PCAP data to standard output (stdout) using the "-" switch, and then read that data in Wireshark with the "-i -" switch.
RawCap.exe -q 127.0.0.1 - | Wireshark.exe -i - -k
Another alternative is to write the PCAP data to a named pipe, and then let Wireshark "sniff" packets from that named pipe.
Start RawCap and let it write PCAP data to a named pipe called "RawCap".
RawCap.exe 127.0.0.1 \\.\pipe\RawCap
- Start Wireshark (version 2.3.0 or later)
- Press: Capture > Options
- Click "Manage Interfaces..."
- Select the "Pipes" tab
- Press the "+" button to add a named pipe
- Name the pipe "\\.\pipe\RawCap" and press ENTER to save it
- Press "OK" in the Manage Interface window
- Press "Start" to see the packets sniffed by RawCap in real-time
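The stdout stream described above can also be consumed by a script instead of Wireshark. The following is an added example, not part of RawCap or the original page: a minimal reader that parses a classic PCAP stream from standard input and prints source, destination and protocol for each IPv4 packet. It assumes the stream's link type is raw IP or Ethernet (read from the PCAP header, not a documented RawCap guarantee); the script name `pcap_summary.py` and the sample bytes are constructed for illustration.

```python
import io, socket, struct, sys

LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101   # standard pcap link-layer type values
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def read_exact(stream, n):
    """Read exactly n bytes; a pipe may return short reads. None on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def packets(stream):
    """Yield (timestamp, linktype, data) per record of a classic PCAP stream."""
    header = read_exact(stream, 24)
    if header is None:
        return
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(header[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) PCAP stream")
    linktype = struct.unpack(endian + "I", header[20:24])[0]
    while (rec := read_exact(stream, 16)) is not None:
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", rec)
        data = read_exact(stream, incl_len)
        if data is None:          # capture stopped mid-packet
            return
        yield sec + usec / 1e6, linktype, data

def summarize(linktype, data):
    """Return (src, dst, protocol) for an IPv4 packet, else None."""
    if linktype == LINKTYPE_ETHERNET and data[12:14] == b"\x08\x00":
        data = data[14:]          # strip Ethernet header
    elif linktype != LINKTYPE_RAW:
        return None
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    return (socket.inet_ntoa(data[12:16]), socket.inet_ntoa(data[16:20]),
            PROTO.get(data[9], str(data[9])))

def constructed_sample():
    """Constructed input: one raw-IP record, TCP 127.0.0.1 -> 127.0.0.1."""
    lo = socket.inet_aton("127.0.0.1")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 128, 6, 0, lo, lo)
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
            + struct.pack("<IIII", 1, 500000, len(ip), len(ip)) + ip)

if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    src = sys.stdin.buffer if piped else io.BytesIO(constructed_sample())
    for ts, linktype, data in packets(src):
        print(f"{ts:.6f}", summarize(linktype, data))
```

Run it as `RawCap.exe -q 127.0.0.1 - | python pcap_summary.py`; the `-q` switch keeps RawCap's packet counter out of the stdout stream.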
Old vs. New RawCap Version
The new RawCap version (0.2.0.0) is better than the previous version (0.1.5.0) in many ways, but there are a couple of drawbacks.
We therefore let the user choose which version to download.
| | RawCap 0.1.5.0 (old) | RawCap 0.2.0.0 (new) |
|---|---|---|
| Save packets in PCAP file | | |
| Write packets to standard output (stdout) | | |
| Write packets to named pipe | | |
| Automatic firewall configuration | | |
| Capture from any IPv4 address | | |
| Target .NET framework | .NET Framework 2.0 | .NET Framework 4.7.2 |
Download Old Version
Download New Version
Raw sockets limitations (OS dependent)
RawCap cannot capture packets from IPv6 interfaces.
This also includes the localhost IPv6 interface associated with address ::1.
Unfortunately the name "localhost" often resolves to ::1 rather than 127.0.0.1, which can cause confusion.
Therefore, when trying to capture application traffic on localhost, make sure the monitored application is connecting to "127.0.0.1" rather than "localhost".
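One way to check in advance which address a hostname resolves to is shown below. This is an added example, not part of RawCap or the original page: it classifies the resolver's answer for a name by whether an IPv4-only sniffer would see the resulting connection. The verdict labels and the sample resolver output are constructed for illustration, and it assumes the client tries addresses in the order the resolver returns them.

```python
import socket

def capture_visibility(addrinfo):
    """Classify getaddrinfo() results for an IPv4-only sniffer such as RawCap."""
    addrs = []
    for family, _type, _proto, _canon, sockaddr in addrinfo:
        if (family, sockaddr[0]) not in addrs:
            addrs.append((family, sockaddr[0]))   # keep resolver order, drop dupes
    if not addrs:
        return "unresolved", []
    families = [fam for fam, _ in addrs]
    ips = [ip for _, ip in addrs]
    if socket.AF_INET6 not in families:
        return "visible", ips                     # IPv4 only: can be captured
    if families[0] == socket.AF_INET6:
        # Clients usually try the first address, so traffic goes over IPv6.
        only_v6 = socket.AF_INET not in families
        return ("invisible" if only_v6 else "ipv6-preferred"), ips
    return "ipv4-preferred", ips                  # IPv6 exists only as fallback

def check_host(host, port=0):
    """Resolve host the way a TCP client would and classify the result."""
    return capture_visibility(
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM))

# Constructed resolver output for a dual-stack "localhost" that prefers ::1.
CONSTRUCTED_DUAL = [
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("::1", 0, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("127.0.0.1", 0)),
]

if __name__ == "__main__":
    print("constructed:", capture_visibility(CONSTRUCTED_DUAL))
    for name in ("localhost", "127.0.0.1"):
        print(name, check_host(name))
```

A verdict of "ipv6-preferred" or "invisible" for "localhost" means the monitored application should be pointed at 127.0.0.1 explicitly before capturing.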
Sniffing localhost/loopback (127.0.0.1) has some limitations under Windows XP.
When sniffing localhost traffic in Windows XP you will only be able to capture UDP and ICMP packets, not TCP.
TCP, UDP and ICMP packets can, however, all be sniffed properly from localhost on newer operating systems like Windows Vista and Windows 7.
On Windows Vista, outgoing packets cannot be captured, only incoming ones.
If you, on the other hand, find that you are only able to sniff OUTGOING packets
then you probably just need to add an exception for RawCap in your local firewall.
To create an exception, simply follow these steps:
Firewall rule to allow RawCap to sniff incoming packets.
- Run WF.msc (i.e. the "Windows Firewall with Advanced Security")
- Select "Inbound Rules"
- Click "New Rule"
- Select "Program" and press "Next"
- Enter the path of RawCap.exe and press "Next"
- Press "Next" a couple of times more, then you're done!
RawCap is freeware and can be used by anyone, i.e. even commercial use is allowed.
You are, however, NOT allowed to:
- Re-brand RawCap under a different name or vendor
- Re-distribute RawCap from a website other than netresec.com
- Sell RawCap
- Include RawCap as part of a commercial tool
You can read more about RawCap in our blog posts
"RawCap sniffer for Windows released" (2011) and
"RawCap Redux" (2020),
as well as in other blog posts tagged with RawCap.