RawCap is a free command line network sniffer for Windows that uses raw sockets.
Properties of RawCap:
- Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
- RawCap.exe is just 23 kB
- No external libraries or DLLs needed other than .NET Framework 2.0
- No installation required, just download RawCap.exe and sniff
- Can sniff most interface types, including WiFi and PPP interfaces
- Minimal memory and CPU load
- Reliable and simple to use
You will need to have administrator privileges to run RawCap.
An alternative to supplying the interface number is to supply the IP address of the preferred interface instead, i.e. like this:
Interactive Console Dialog
You can also start RawCap without any arguments, which will leave you with an interactive dialog:
Raw sockets limitations (OS dependent)
RawCap cannot capture packets from IPv6 interfaces. This also includes the localhost IPv6 interface associated with address ::1. Unfortunately the name "localhost" often resolves to ::1 rather than 127.0.0.1, which can cause confusion. Therefore, when trying to capture application traffic on localhost, make sure the monitored application is connecting to "127.0.0.1" rather than "localhost".
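A quick pre-capture check for the "localhost" pitfall described above, as an added example that is not part of RawCap or its documentation. The function names and verdict strings are hypothetical, and the sample address list is constructed; the check assumes a client typically tries addresses in the order the resolver returns them.

```python
import ipaddress
import socket


def resolve(host, port=80):
    """Return the addresses the OS resolver gives for host, in resolver order."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def capture_plan(addresses):
    """Split resolver results into what an IPv4-only sniffer can and cannot see.

    addresses: address strings in the order the resolver returned them.
    """
    # Drop any IPv6 zone id ("%eth0") before parsing.
    parsed = [ipaddress.ip_address(a.split("%")[0]) for a in addresses]
    v4 = [str(a) for a in parsed if a.version == 4]
    v6 = [str(a) for a in parsed if a.version == 6]
    if not parsed:
        verdict = "no-addresses"      # nothing resolved, nothing to capture
    elif not v6:
        verdict = "ok"                # IPv4 only: traffic is capturable
    elif parsed[0].version == 6 or not v4:
        verdict = "use-ipv4-literal"  # client will typically connect over IPv6
    else:
        verdict = "mixed"             # IPv4 first, but an IPv6 fallback is invisible
    return {"ipv4": v4, "ipv6": v6, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: a typical dual-stack answer for "localhost".
    sample = ["::1", "127.0.0.1"]
    print("sample:", capture_plan(sample))
    try:
        live = resolve("localhost")
        print("this host:", live, capture_plan(live))
    except socket.gaierror as exc:
        print("resolution failed:", exc)
```

A verdict of "use-ipv4-literal" means the monitored application should be pointed at 127.0.0.1 explicitly before capturing.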
Sniffing localhost/loopback (127.0.0.1) has some limitations under Windows XP. When sniffing localhost traffic in Windows XP you will only be able to capture UDP and ICMP packets, not TCP.
TCP, UDP and ICMP packets can, however, all be sniffed properly from localhost on newer operating systems like Windows Vista and Windows 7.
On Windows Vista, RawCap can't capture outgoing packets, only incoming.
If you, on the other hand, find that you are only able to sniff OUTGOING packets then you probably just need to add an exception for RawCap in your local firewall. To create an exception, simply follow these steps:
- Run WF.msc (i.e. the "Windows Firewall with Advanced Security")
- Select "Inbound Rules"
- Click "New Rule"
- Select "Program" and press "Next"
- Enter the path of RawCap.exe and press "Next"
- Press "Next" a couple of times more, then you're done!
Firewall rule to allow RawCap to sniff incoming packets.
Command to add a rule that allows RawCap to sniff incoming packets:
netsh advfirewall firewall add rule name="name" dir=in program="c:\sniffer\Rawcap.exe" action=allow