|This article needs additional citations for verification. (October 2010)|
|Developer(s)||The Tcpdump team|
|Stable release||1.5.3 / January 14, 2014|
|Operating system||Linux, Solaris, FreeBSD, NetBSD, OpenBSD, OS X, additional *NIX systems|
|Type||Library for packet capture|
|Stable release||4.1.3 / March 8, 2013|
|Operating system||Microsoft Windows|
|Type||Library for packet capture|
In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.
Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.
The pcap API is written in C, so other languages such as Java, .NET languages, and scripting languages generally use a wrapper; no such wrappers are provided by libpcap or WinPcap itself. C++ programs may link directly to the C API or use an object-oriented wrapper.
libpcap and WinPcap provide the packet-capture and filtering engines of many open source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic-generators and network-testers.
libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format, such as tcpdump, Wireshark, CA NetMaster, or Microsoft Network Monitor 3.x.
libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked. It is now developed by the same tcpdump.org group that develops tcpdump.
WinPcap consists of:
- x86 and x86-64 drivers for the Windows NT family (Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, etc.), which use NDIS to read packets directly from a network adapter;
- implementations of a lower-level library for the listed operating systems, to communicate with those drivers;
- a port of libpcap that uses the API offered by the low-level library implementations.
Programmers at the Politecnico di Torino wrote the original code; as of 2008 CACE Technologies, a company set up by some of the WinPcap developers, develops and maintains the product. CACE Technologies was acquired by Riverbed Technology on October 21, 2010.
Programs that use libpcap/WinPcap
- tcpdump, a tool for capturing and dumping packets for further analysis, and WinDump, the Windows port of tcpdump.
- ngrep, aka "network grep", isolate strings in packets, show packet data in human-friendly output.
- Wireshark (formerly Ethereal), a graphical packet-capture and protocol-analysis tool.
- Snort, a network-intrusion-detection system.
- Nmap, a port-scanning and fingerprinting network utility
- the Bro IDS and network-monitoring platform.
- URL Snooper, locate the URLs of audio and video files in order to allow recording them.
- Kismet, for 802.11 wireless LANs
- L0phtCrack, a password auditing and recovery application.
- iftop, a tool for displaying bandwidth usage (like top for network traffic)
- EtherApe, a graphical tool for monitoring network traffic and bandwidth usage in real time.
- Bit-Twist, a libpcap-based Ethernet packet generator and editor for BSD, Linux, and Windows.
- Pirni, a network security tool for jailbroken iOS devices.
- McAfee ePolicy Orchestrator, Rogue System Detection feature
- XLink Kai Software that allows various LAN console games to be played online
- Firesheep, an extension for the Firefox web browser, that intercepts unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities.
- Suricata, a network intrusion prevention and analysis platform.
- WhatPulse, a statistical (input, network, uptime) measuring application.
- Xplico, a network forensics analysis tool (NFAT).
- Scapy, a packet manipulation tool for computer networks, written in Python by Philippe Biondi.
- Captcp, a extensive TCP network protocol analyzer
- SourceFire Defense Center, The Defense Center provides centralized management & event database for your SourceFire deployments. You can upload Network PCAP files and play them back to see specific types of network traffic. by Mark Bernard
Wrapper libraries for libpcap/WinPcap
- Perl: Net::Pcap
- Python: python-libpcap, Pcapy
- Ruby: PacketFu
- Tcl: tclpcap, tcap, pktsrc
- Java: jpcap, jNetPcap, Jpcap, Pcap4j
- .NET: WinPcapNET, SharpPcap, Pcap.Net
- Haskell: pcap
- OCaml: mlpcap
- Chicken Scheme: pcap
- Common Lisp: PLOKAMI
- Go: pcap by Andreas Krennmair, pcap fork of the previous by Miek Gieben, pcap developed as part of the gopacket package
- "tcpdump and libpcap latest release". tcpdump & libpcap. Nov 20, 2013/Dec 3, 2013/Jan 14, 2014. Retrieved 2014-05-02.
- "tcpdump and libpcap license". tcpdump & libpcap. 2005-02-20. Retrieved 2012-04-13.
- "WinPcap Changelog".
- "IANA record of application for MIME type application/vnd.tcpdump.pcap".
- Steve McCanne. "libpcap: An Architecture and Optimization Methodology for Packet Capture". Retrieved December 27, 2013.
- "TCPDUMP/LIBPCAP public repository". Retrieved December 27, 2013.
- "WinPcap internals". Retrieved December 27, 2013.
- "Riverbed Expands Further Into The Application-Aware Network Performance Management Market with the Acquisition of CACE Technologies". Riverbed Technology. 2010-10-21. Retrieved 2010-10-21.