Thu. Nov 26th, 2020

A new version of
RawCap has been released today.
This portable little sniffer now supports writing PCAP data to stdout and named pipes as an alternative to saving the captured packets to disk.
We have also changed the target .NET Framework version from 2.0 to 4.7.2, so that you can run RawCap on a modern Windows OS without having to install a legacy .NET Framework.

Here’s a summary of the improvements in the new RawCap version ( compared to the old version (

  • Uses .NET 4.7.2 instead of 2.0
  • Support for writing to stdout
  • Support for writing to named pipes
  • Large (64 MB) ring buffer to prevent packet drops
  • Automatic firewall configuration

Out of the software we develop and maintain here at Netresec,
NetworkMiner is the most popular one.
But you’re probably not aware that
RawCap is our second most popular tool in terms of downloads,
with around 100 unique downloads every day.
RawCap started out as just being a quick hack that we
released for free to the community in 2011 without expecting it to gain much attention.
However, it quickly gained popularity, maybe due to the fact that it’s just a tiny .exe file and that it doesn’t require any external libraries or DLL’s to sniff network traffic (other than the .NET Framework).

RawCap embraces the Unix philosophy
to do only one thing, and do it well.
Thanks to RawCap’s simplicity we have only needed to make a few minor updates of the tool since its first release 9 years ago.
However, today we’re finally adding some new features that have been requested by users over the years.
One such feature is that RawCap now automatically creates a Windows firewall rule when the tool is started.
Before this feature was introduced users would have to run wf.msc (i.e. the “Windows Defender Firewall with Advanced Security”) and manually create an inbound rule to allow RawCap.exe to receive incoming traffic.
Without such a firewall rule RawCap would only be able to capture outgoing traffic.

RawCap can be started in two different modes. Either as an interactive console application, or as a “normal” command line utility. Run RawCap.exe without any arguments, or simply double click the RawCap.exe icon to use the interactive mode. You will then be asked which interface to capture packets from and what filename you’d like to save them to.

Network interfaces:
0.    Local Area Connection
1.    Wireless Network Connection
2.   3G UMTS Internet
3.   VMware Network Adapter VMnet1
4.   VMware Network Adapter VMnet2
5.       Loopback Pseudo-Interface
Select network interface to sniff [default ‘0’]: 1
Output path or filename [default ‘dumpfile.pcap’]:
Sniffing IP :
Output File : dumpfile.pcap
 — Press [Ctrl]+C to stop —
Packets     : 1337

The other alternative is to supply all the arguments to RawCap when it is started. Use “RawCap –help” to show which arguments you can use. You’ll need to use this mode if you want to write the captured traffic to standard output (stdout) or a named pipe, or if you want RawCap to automatically stop capturing after a certain time or packet count.

F:Tools>RawCap.exe –help
NETRESEC RawCap version

Usage: RawCap.exe [OPTIONS] <interface> <pcap_target>
 <interface> can be an interface number or IP address
 <pcap_target> can be filename, stdout (-) or named pipe (starting with \.pipe)

 -f          Flush data to file after each packet (no buffer)
 -c <count>  Stop sniffing after receiving <count> packets
 -s <sec>    Stop sniffing after <sec> seconds
 -m          Disable automatic creation of RawCap firewall entry
 -q          Quiet, don’t print packet count to standard out

 0.     IP        :
        NIC Name  : Local Area Connection
        NIC Type  : Ethernet

 1.     IP        :
        NIC Name  : WiFi
        NIC Type  : Wireless80211

 2.     IP        :
        NIC Name  : Loopback Pseudo-Interface 1
        NIC Type  : Loopback

 3.     IP        :
        NIC Name  : Mobile 12
        NIC Type  : Wwanpp

Example 1: RawCap.exe 0 dumpfile.pcap
Example 2: RawCap.exe -s 60 localhost.pcap
Example 3: RawCap.exe \.pipeRawCap
Example 4: RawCap.exe -q – | Wireshark.exe -i – -k

As you can see, running “RawCap.exe -s 60 localhost.pcap” will capture packets from localhost to a file called “localhost.pcap” for 60 seconds and then exit.

There are a couple of drawbacks with the new RawCap version though,
it is a larger binary (48kB instead of 23kB) and it uses more CPU and RAM compared to the old version. We will therefore continue making the old RawCap version available to anyone who might need it.

Visit the RawCap product page to download this tool and learn more.

Facebook Share on Facebook  Twitter Tweet  Reddit Submit to