Pcap
In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.

Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.

The implementors of the pcap API wrote it in C, so other languages such as Java, .NET languages, and scripting languages generally use a wrapper; no such wrappers are provided by libpcap or WinPcap itself. C++ programs may link directly to the C API; only one partial object-oriented C++ wrapper is currently available from an external source.
Features
libpcap and WinPcap provide the packet-capture and filtering engines of many open source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic generators and network testers.

libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format, such as tcpdump, Wireshark, CA NetMaster, or Microsoft Network Monitor 3.x.

The MIME type for the file format created and read by libpcap and WinPcap is application/vnd.tcpdump.pcap. The typical file extension is .pcap, although .cap and .dmp are also in common use.
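Because this file format is what lets tcpdump, Wireshark and the other tools listed exchange captures, the following added example (not code from libpcap or any project on this page) writes a small capture in the classic pcap layout and parses it back. The magic numbers and header layout are those of the classic pcap file format; the Ethernet frame is constructed. The parser checks every record length before trusting it, which is what matters when a capture file arrives from an untrusted source.

```python
import struct
from dataclasses import dataclass

# Global-header magic numbers of the classic libpcap file format (added example, not libpcap code).
MAGIC_USEC = 0xA1B2C3D4   # timestamps with microsecond fraction
MAGIC_NSEC = 0xA1B23C4D   # variant with nanosecond fraction

# Constructed sample: 42-byte Ethernet frame (broadcast dst, made-up src, ARP ethertype, zeroed body).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28

@dataclass
class PcapRecord:
    ts_sec: int
    ts_frac: int    # microseconds or nanoseconds, depending on the file's magic
    orig_len: int   # length of the packet on the wire
    data: bytes     # captured bytes, possibly truncated to snaplen

def write_pcap(records, snaplen=65535, linktype=1, endian="<"):
    """Serialise (ts_sec, ts_frac, payload) tuples as a classic pcap file; linktype 1 = Ethernet."""
    out = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_frac, payload in records:
        data = payload[:snaplen]                  # honour snaplen as libpcap does
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(data), len(payload)) + data
    return out

def read_pcap(blob):
    """Parse a pcap file into (linktype, [PcapRecord]), validating every length first."""
    if len(blob) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    if struct.unpack_from("<I", blob, 0)[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = "<"
    elif struct.unpack_from(">I", blob, 0)[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", blob, 0)
    if (vmaj, vmin) != (2, 4):
        raise ValueError(f"unsupported pcap version {vmaj}.{vmin}")
    records, off = [], 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        # In a hostile file incl_len is attacker-controlled: bound it before slicing.
        if incl_len > snaplen or incl_len > orig_len or incl_len > len(blob) - off:
            raise ValueError(f"bad record length {incl_len} at offset {off - 16}")
        records.append(PcapRecord(ts_sec, ts_frac, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records

def rejects(blob):
    """True when read_pcap refuses a malformed file instead of reading past its end."""
    try:
        read_pcap(blob)
    except ValueError:
        return True
    return False
```

Files produced by write_pcap open in tcpdump or Wireshark like any other classic-format capture; the reader accepts both byte orders because the magic number records which one the writer used.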
libpcap
libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked. It is now developed by the same tcpdump.org group that develops tcpdump.
WinPcap
WinPcap consists of:
- x86 and x86-64 drivers for the Windows NT family (Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, etc.), which use NDIS to read packets directly from a network adapter;
- implementations of a lower-level library for the listed operating systems, to communicate with those drivers;
- a port of libpcap that uses the API offered by the low-level library implementations.
Programmers at the Politecnico di Torino wrote the original code; as of 2008 CACE Technologies, a company set up by some of the WinPcap developers, develops and maintains the product. CACE Technologies was acquired by Riverbed Technology on October 21, 2010.
Programs that use libpcap/WinPcap
- tcpdump, a tool for capturing and dumping packets for further analysis, and WinDump, the Windows port of tcpdump.
- ngrep, aka "network grep", isolates strings in packets and shows packet data in human-friendly output.
- Wireshark (formerly Ethereal), a graphical packet-capture and protocol-analysis tool.
- Snort, a network-intrusion-detection system.
- daemonlogger, a lightweight pcap capture utility.
- Nmap, a port-scanning and fingerprinting network utility.
- the Bro IDS and network-monitoring platform.
- URL Snooper, locates the URLs of audio and video files so that they can be recorded.
- Kismet, for 802.11 wireless LANs.
- NetworkMiner, a network forensic analysis tool that creates and parses pcap files.
- RawCap, a raw socket sniffer for Windows.
- L0phtCrack, a password auditing and recovery application.
- iftop, a tool for displaying bandwidth usage (like top for network traffic).
- EtherApe, a graphical tool for monitoring network traffic and bandwidth usage in real time.
- Bit-Twist, a libpcap-based Ethernet packet generator and editor for BSD, Linux, and Windows.
- Pirni, a network security tool for jailbroken iOS devices.
- McAfee ePolicy Orchestrator, Rogue System Detection feature.
- XLink Kai, software that allows you to play LAN games from a PS2, PS3, Xbox/Xbox 360, Gamecube and PSP online.
- Firesheep, an extension for the Firefox web browser that intercepts unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities.
- cookie, a Django app to extract cookie information from pcap files for analysis, possibly also for session hijacking.
- Xplico, a network forensics analysis tool.
- PegaNet, an open-source network traffic analysis tool. More information at http://lionbatata.pro.br
External links
- Official site for libpcap (and tcpdump)
- Official site for WinPcap (and WinDump)
- CPAN page for Net::Pcap
- PCAP Collections & PCAP Challenges
- pcapr: Web-based pcap searching, editing, sharing and creation
- Official site for Ruby/Pcap
- Official site for NetworkMiner
- Official site for ssldump
- ngrep on SourceForge
- Official site for RawCap
- Official site for tclpcap
- jpcap on SourceForge
- another jpcap implementation
- jNetPcap a comprehensive Java wrapper
- PLOKAMI pcap for Common Lisp
- WinPcapNET presentation
- SharpPcap capture framework for .NET
- Pcap.Net - .NET wrapper for WinPcap
- Man Page for tcpdump
- List of pcap applications
- Pcap editing and replaying tool
- CloudShark, View pcap files in your web browser
- Kraken PCAP, Java wrapper for libpcap/winpcap and programmable TCP/IP stack
- Official site for Xplico
Python
There are at least four alternative Python extensions offering a Python interface to the pcap library:
- Core Security page for pcapy (C++)
- SourceForge page for python-libpcap (a.k.a. pylibpcap) (C and SWIG)
- Google code page for pypcap (Pyrex)
- SourceForge page for pycap (C)
There is also a Python extension that includes its own code to read and write pcap files without using the pcap library:
- dirtbags py-pcap (C)