
pcap

pcap refers to packet capture, a common term for the software interfaces and file formats used to capture network traffic for analysis. A pcap file typically stores a sequence of packets along with per-packet metadata such as timestamps and length fields, enabling subsequent examination by analysis tools.

Most captures use the pcap file format, which starts with a global header describing the capture and the link-layer type, followed by a sequence of records. Each record has a timestamp, the number of octets captured, the original packet length, and the packet data. A newer variant, pcapng, adds sections and richer metadata and is increasingly common.

Libpcap is the de facto cross-platform library for capturing packets on Unix-like systems; its Windows port, historically WinPcap, has largely been superseded by Npcap. These libraries provide an API to open network devices, start and stop captures, and apply Berkeley Packet Filter (BPF) expressions to limit what is recorded. Tools such as tcpdump and Wireshark read and write pcap files, with Tshark offering a text-based interface.

pcap is widely used in network analysis, troubleshooting, security monitoring, and performance measurement. It supports real-time capture and offline analysis, and is compatible with many protocol decoders and visualization tools. Users should be aware of privileges required to capture traffic and of data privacy and legal considerations when recording network traffic.
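The global header and per-record layout described above, as an added example that is not part of the original article: a minimal classic-pcap reader in Python that detects byte order and timestamp resolution from the magic number and rejects records whose captured length exceeds the snaplen or the bytes remaining. The field layout (24-byte global header, 16-byte record header) follows the classic format; the sample capture bytes are constructed inline.

```python
import struct

# Magic numbers of the classic pcap format: microsecond and nanosecond timestamp variants.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D


def parse_pcap(data):
    """Parse a classic pcap byte string into (global_header, [records])."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    # The writer's byte order is inferred from how the magic number reads.
    if struct.unpack_from("<I", data, 0)[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    magic, vmaj, vmin, thiszone, sigfigs, snaplen, linktype = struct.unpack_from(
        endian + "IHHiIII", data, 0)
    ts_div = 1e9 if magic == MAGIC_NSEC else 1e6
    header = {"version": (vmaj, vmin), "snaplen": snaplen,
              "linktype": linktype, "nanosecond": magic == MAGIC_NSEC}
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        # A robust reader never trusts the length fields: caplen is bounded by snaplen
        # and by the bytes actually present, otherwise the file is corrupt or truncated.
        if caplen > snaplen or off + caplen > len(data):
            raise ValueError("corrupt record header at offset %d" % (off - 16))
        records.append({"ts": ts_sec + ts_frac / ts_div, "caplen": caplen,
                        "origlen": origlen, "data": data[off:off + caplen]})
        off += caplen
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return header, records


# Constructed sample: little-endian, usec timestamps, version 2.4, snaplen 65535,
# linktype 1 (Ethernet), one record of 14 captured bytes from a 60-byte frame.
SAMPLE = (struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
          + struct.pack("<IIII", 1700000000, 500000, 14, 60) + bytes(range(14)))

if __name__ == "__main__":
    hdr, recs = parse_pcap(SAMPLE)
    print(hdr, len(recs), recs[0]["ts"], recs[0]["caplen"], recs[0]["origlen"])
```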