= PCAP-over-IP =

PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection. The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.

== Background and etymology ==
The first known use of the term PCAP-over-IP is by Packet Forensics in 2011. However, the concept behind PCAP-over-IP was mentioned already in 2008 as part of a feature request for Wireshark. The need for this feature was motivated as follows:

"This feature is useful when the capture is generated on a machine that does not have much storage (e.g. embedded system). E.g., ipmb_traced application available on Pigeon Point shelf managers can transmit the capture over the TCP connection without writing it to the filesystem."

== Use cases ==
Common use cases for PCAP-over-IP include:
- Transmitting captured network traffic in real time to one or more remote machines
- Transferring network traffic to other applications on the same host
- Providing decrypted traffic from a TLS interception proxy to a packet analyzer or IDS.

== Software with PCAP-over-IP support ==
- Arkime
- NetworkMiner
- pcap-broker
- Pkappa2
- PolarProxy
- Shovel
- Tulip
- Wireshark
- Xplico
- Zeek

== Workarounds ==
Software that can sniff network traffic, but doesn't support PCAP-over-IP, can read packets from a PCAP-over-IP provider with the help of a netcat and tcpreplay combo.
<syntaxhighlight lang="console">
nc [SERVER] 57012 | tcpreplay -i eth0 -t -
</syntaxhighlight>
