In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of ''packet capture'', that is not the API's proper name. Unix-like systems implement pcap in the ''libpcap'' library; for Windows, there is a port of libpcap named ''WinPcap'' that is no longer supported or developed, and a port named ''Npcap'' for Windows 7 and later that is still supported. Monitoring software may use libpcap, WinPcap, or Npcap to capture network packets traveling over a computer network and, in newer versions, to transmit packets on a network at the link layer, and to get a list of network interfaces for possible use with libpcap, WinPcap, or Npcap. The pcap API is written in C, so other languages such as Java, .NET languages, and scripting languages generally use a wrapper; no such wrappers are provided by libpcap or WinPcap itself. C++ programs may link directly to the C API or use an object-oriented wrapper.


Features

libpcap, WinPcap, and Npcap provide the packet-capture and filtering engines of many open-source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic generators and network testers. libpcap, WinPcap, and Npcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap, WinPcap, or Npcap, to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap, WinPcap, and Npcap use can be read by applications that understand that format, such as tcpdump, Wireshark, CA NetMaster, or Microsoft Network Monitor 3.x. The MIME type for the file format created and read by libpcap, WinPcap, and Npcap is application/vnd.tcpdump.pcap. The typical file extension is .pcap, although .cap and .dmp are also in common use.
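As an added example that is not part of this article and not code from libpcap, tcpdump or Wireshark: a dependency-free Python reader and writer for the classic capture file format described above, using the well-known libpcap file layout (version 2.4: a 24-byte global header whose magic number fixes byte order and timestamp unit, then a 16-byte header per packet). The Ethernet frame bytes are constructed for illustration; the reader detects byte order from the magic number and rejects records whose captured length exceeds the snaplen or the bytes remaining, which is the validation a tool that reads untrusted capture files needs.

```python
"""Dependency-free reader/writer for the classic libpcap capture file format.

Layout (libpcap file format 2.4): a 24-byte global header, then per packet a
16-byte record header followed by the captured bytes. The magic number gives
the timestamp unit (0xa1b2c3d4 = microseconds, 0xa1b23c4d = nanoseconds) and,
because it is written in the capturing host's byte order, the endianness.
"""
import struct

MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"     # ts_sec, ts_frac, caplen (bytes saved), origlen (on the wire)


def write_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_usec, frame) tuples to little-endian pcap bytes.

    Like a capturing application, frames longer than snaplen are truncated,
    while origlen still records the full on-the-wire length.
    """
    out = bytearray(struct.pack("<" + GLOBAL_HEADER, MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        saved = frame[:snaplen]
        out += struct.pack("<" + RECORD_HEADER, ts_sec, ts_usec, len(saved), len(frame))
        out += saved
    return bytes(out)


def read_pcap(data):
    """Parse pcap bytes into (linktype, ts_unit, [(ts_sec, ts_frac, frame), ...]).

    Each record header is checked against snaplen and the bytes remaining, so a
    corrupt or truncated file raises ValueError instead of yielding garbage
    frames or reading past the end of the buffer.
    """
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    for order in ("<", ">"):  # detect the writer's byte order from the magic number
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file: magic %s" % data[:4].hex())
    ts_unit = "us" if magic == MAGIC_USEC else "ns"
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(order + GLOBAL_HEADER, data[:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    records, offset = [], 24
    while offset < len(data):
        if len(data) - offset < 16:
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(order + RECORD_HEADER, data[offset:offset + 16])
        offset += 16
        if caplen > snaplen or caplen > origlen:
            raise ValueError("record at offset %d: caplen %d exceeds snaplen/origlen" % (offset - 16, caplen))
        if caplen > len(data) - offset:
            raise ValueError("truncated packet data at offset %d" % offset)
        records.append((ts_sec, ts_frac, bytes(data[offset:offset + caplen])))
        offset += caplen
    return linktype, ts_unit, records


def roundtrip_demo():
    """Write one constructed Ethernet frame with snaplen 14 and read it back."""
    # Constructed frame: broadcast dst MAC, made-up src MAC, EtherType 0x0800, 20 dummy bytes.
    frame = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" + b"\x00" * 19
    linktype, ts_unit, records = read_pcap(write_pcap([(1700000000, 123456, frame)], snaplen=14))
    return linktype, ts_unit, records, len(frame)
```

The demo shows the snaplen effect tcpdump and Wireshark users see in practice: only the 14-byte Ethernet header is saved, while the record still reports the 34-byte original length.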


History

libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked. It is now developed by the same tcpdump.org group that develops tcpdump.


pcap libraries for Windows

While libpcap was originally developed for Unix-like operating systems, a successful port for Windows was made, called WinPcap. It has been unmaintained since 2013, and several competing forks have been released with new features and support for newer versions of Windows.


WinPcap

WinPcap consists of:
* x86 and x86-64 drivers for the Windows NT family (Windows NT 4.0, 2000, XP, Server 2003, Vista, 7, 8, and 10), which use Network Driver Interface Specification (NDIS) 5.x to read packets directly from a network adapter;
* implementations of a lower-level library for the listed operating systems, to communicate with those drivers;
* a port of libpcap that uses the API offered by the low-level library implementations.

Programmers at the Politecnico di Torino wrote the original code; as of 2008 CACE Technologies, a company set up by some of the WinPcap developers, developed and maintained the product. CACE was acquired by Riverbed Technology on October 21, 2010. Because WinPcap uses the older NDIS 5.x APIs, it does not work on some builds of Windows 10, which have deprecated or removed those APIs in favor of the newer NDIS 6.x APIs. It also forces some limitations such as being unable to capture 802.1Q VLAN tags in Ethernet headers. The WinPcap project has ceased development and WinPcap and WinDump are no longer maintained. The last official WinPcap release was 4.1.3 released March 8, 2013.


Npcap

Npcap is the Nmap Project's packet sniffing library for Windows. It is based on WinPcap, but written to make use of Windows networking improvements in NDIS version 6. Its authors rewrote the WinPcap NDIS 5 Protocol Driver as a Light-Weight Filter (LWF) driver, a change that reduces processing overhead. Npcap maintenance releases updated the version of the included libpcap library to the latest available, allowing software authors to use the newer API features that Linux software had already supported. Most software that used WinPcap can be easily ported to use Npcap with minimal changes. Npcap introduced several innovations that were not available in WinPcap:
* Npcap can be restricted so that only Administrators can sniff packets.
* Npcap is able to sniff and inject loopback packets (transmissions between services on the same machine) by using the Windows Filtering Platform.
* Npcap can capture 802.11 WiFi frames on a variety of commonly available network adapters.


Win10Pcap

The Win10Pcap implementation is also based on the NDIS 6 driver model and works stably with Windows 10. The project has, however, been inactive since 2016.


Programs that use libpcap

* Apache Drill, an open source SQL engine for interactive analysis of large scale datasets.
* Bit-Twist, a libpcap-based Ethernet packet generator and editor for BSD, Linux, and Windows.
* Cain and Abel, a password recovery tool for Microsoft Windows.
* EtherApe, a graphical tool for monitoring network traffic and bandwidth usage in real time.
* Firesheep, an extension for the Firefox web browser that captures packets and performs session hijacking.
* iftop, a tool for displaying bandwidth usage (like top for network traffic).
* Kismet, for 802.11 wireless LANs.
* L0phtCrack, a password auditing and recovery application.
* McAfee ePolicy Orchestrator, Rogue System Detection feature.
* ngrep, aka "network grep", isolates strings in packets and shows packet data in human-friendly output.
* Nmap, a port-scanning and fingerprinting network utility.
* Pirni, a network security tool for jailbroken iOS devices.
* Scapy, a packet manipulation tool for computer networks, written in Python by Philippe Biondi.
* Snort, a network-intrusion-detection system.
* Suricata, a network intrusion prevention and analysis platform.
* Symantec Data Loss Prevention, used to monitor and identify sensitive data and track its use and location. Data loss policies allow sensitive data to be blocked from leaving the network or being copied to another device.
* tcpdump, a tool for capturing and dumping packets for further analysis, and WinDump, the Windows port of tcpdump.
* Zeek, an intrusion detection system and network monitoring platform.
* URL Snooper, locates the URLs of audio and video files in order to allow recording them.
* WhatPulse, a statistical (input, network, uptime) measuring application.
* Wireshark (formerly Ethereal), a graphical packet-capture and protocol-analysis tool.
* XLink Kai, software that allows various LAN console games to be played online.
* Xplico, a network forensics analysis tool (NFAT).


Wrapper libraries for libpcap

* C++: Libtins, Libcrafter, PcapPlusPlus
* Perl: Net::Pcap
* Python: python-libpcap, Pcapy, WinPcapy
* Ruby: PacketFu
* Rust: pcap
* Tcl: tclpcap, tcap
* Java: jpcap, jNetPcap, Pcap4j, Jxnet
* .NET: WinPcapNET, SharpPcap, Pcap.Net
* Haskell: pcap
* OCaml: mlpcap
* Chicken Scheme: pcap
* Common Lisp: PLOKAMI
* Racket: SPeaCAP
* Go: pcap by Andreas Krennmair; pcap, a fork of the previous by Miek Gieben; pcap, developed as part of the gopacket package
* Erlang: epcap
* Node.js: node_pcap


Non-pcap code that reads pcap files

* Python: pycapfile
* Python: PyPCAPKit


External links

* libpcap, tcpdump
* Npcap
* WinPcap, WinDump official website: https://www.winpcap.org/
* List of publicly available PCAP files