pcap

In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.

Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.

The implementors of the pcap API wrote it in C, so other languages such as Java, .NET languages, and scripting languages generally use a wrapper; no such wrappers are provided by libpcap or WinPcap itself. C++ programs may link directly to the C API; only one partial object-oriented C++ wrapper is currently available from an external source.

Features

libpcap and WinPcap provide the packet-capture and filtering engines of many open source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic-generators and network-testers.

libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format, such as tcpdump, Wireshark, CA NetMaster, or Microsoft Network Monitor 3.x.

The MIME type for the file format created and read by libpcap and WinPcap is application/vnd.tcpdump.pcap. The typical file extension is .pcap, although .cap and .dmp are also in common use.^[2]

libpcap

libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked. It is now developed by the same tcpdump.org group that develops tcpdump.

WinPcap

WinPcap consists of:

• x86 and x86-64 drivers for the Windows NT family (Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, etc.), which use NDIS to read packets directly from a network adapter;
• implementations of a lower-level library for the listed operating systems, to communicate with those drivers;
• a port of libpcap that uses the API offered by the low-level library implementations.

Programmers at the Politecnico di Torino wrote the original code; as of 2008 CACE Technologies, a company set up by some of the WinPcap developers, develops and maintains the product. CACE Technologies was acquired by Riverbed Technology on October 21, 2010^[3]

Programs that use libpcap/WinPcap

• tcpdump, a tool for capturing and dumping packets for further analysis, and WinDump, the Windows port of tcpdump.
• ngrep, aka "network grep", isolate strings in packets, show packet data in human-friendly output.
• Wireshark (formerly Ethereal), a graphical packet-capture and protocol-analysis tool.
• Snort, a network-intrusion-detection system.
• daemonlogger, a lightweight pcap capture utility.
• Nmap, a port-scanning and fingerprinting network utility
• the Bro IDS and network-monitoring platform.
• URL Snooper, locate the URLs of audio and video files so that they can be recorded.
• Kismet, for 802.11 wireless LANs
• NetworkMiner, a network forenisc analysis tool that creates and parses pcap files
• RawCap, a raw socket sniffer for windows
• L0phtCrack, a password auditing and recovery application.
• iftop, a tool for displaying bandwidth usage (like top for network traffic)
• EtherApe, a graphical tool for monitoring network traffic and bandwidth usage in real time.
• Bit-Twist, a libpcap-based Ethernet packet generator and editor for BSD, Linux, and Windows.
• Pirni, a network security tool for jailbroken iOS devices.
• McAfee ePolicy Orchestrator, Rogue System Detection feature
• XLink Kai Software that allows you to play LAN games from a PS2, PS3, Xbox/Xbox 360, Gamecube and PSP online
• Firesheep, an extension for the Firefox web browser, that intercepts unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities.
• cookie, a Django app to extract cookie information from pcap files for analysis possibly also for session hijacking.
• Xplico, a network forensics analysis tool.
• PegaNet, an open-source network traffic analysys tool. More information at http://lionbatata.pro.br

References

1. ^ "WinPcap Changelog". http://www.winpcap.org/misc/changelog.htm. 
2. ^ "IANA record of application for MIME type application/vnd.tcpdump.pcap". http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap. 
3. ^ "Riverbed Expands Further Into The Application-Aware Network Performance Management Market with the Acquisition of CACE Technologies". Riverbed Technology. 2010-10-21. http://www.riverbed.com/us/company/news/press_releases/2010/press_102110.php. Retrieved 2010-10-21. 

External links

Free software portal

• Official site for libpcap (and tcpdump)
• Official site for WinPcap (and WinDump)
• CPAN page for Net::Pcap
• PCAP Collections & PCAP Challenges
• pcapr: Web-based pcap searching, editing, sharing and creation
• Official site for Ruby/Pcap
• Official site for NetworkMiner
• Official site for ssldump
• ngrep on SourceForge
• Official site for RawCap
• Official site for tclpcap
• jpcap on SourceForge
• another jpcap implementation
• jNetPcap a comprehensive Java wrapper
• PLOKAMI pcap for Common Lisp
• WinPcapNET presentation
• SharpPcap capture framework for .NET
• Pcap.Net - .NET wrapper for WinPcap
• Man Page for tcpdump
• List of pcap applications
• Pcap editing and replaying tool
• CloudShark, View pcap files in your web browser
• Kraken PCAP, Java wrapper for libpcap/winpcap and programmable TCP/IP stack
• Official site for Xplico

Python

There are at least four alternative Python extensions offering a Python interface to the pcap library:

• Core Security page for pcapy (C++)
• SourceForge page for python-libpcap (a.k.a. pylibpcap) (C and SWIG)
• Google code page for pypcap (Pyrex)
• SourceForge page for pycap (C)

There is also a Python extension that includes its own code to read and write pcap files without using the pcap library:

• dirtbags py-pcap (C)