Pcap
In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.

Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.

The implementors of the pcap API wrote it in C, so other languages such as Java, .NET languages, and scripting languages generally use a wrapper; no such wrappers are provided by libpcap or WinPcap itself. C++ programs may link directly to the C API; only one partial object-oriented C++ wrapper is currently available from an external source.

Features

libpcap and WinPcap provide the packet-capture and filtering engines of many open source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic generators and network testers.

libpcap and WinPcap also support saving captured packets to a file and reading files containing saved packets. An application written against libpcap or WinPcap can therefore capture live network traffic and analyze it, or read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by any application that understands that format, such as tcpdump, Wireshark, CA NetMaster, or Microsoft Network Monitor 3.x.

The MIME type for the file format created and read by libpcap and WinPcap is application/vnd.tcpdump.pcap. The typical file extension is .pcap, although .cap and .dmp are also in common use.
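As an added example (not code from libpcap, WinPcap, or any of the Python extensions the article mentions), the following self-contained Python module writes and reads the capture file format just described and checks the record lengths a file claims before trusting them, since a corrupt or hostile capture can declare more bytes than it contains. The sample frames and timestamps are constructed here, and MAX_SNAPLEN is taken as libpcap's upper bound for a file that declares a snaplen of 0. The analysis function accepts any iterable of records, which is the point made above about running the same analysis code on a live capture and on a saved file.

```python
"""Reader, writer and source-independent analysis for the classic pcap file
format (the format libpcap and WinPcap write, MIME type
application/vnd.tcpdump.pcap). Added example, not libpcap's own code.

File layout, every integer in the byte order announced by the magic number:
  global header (24 bytes): magic, version_major, version_minor, thiszone,
                            sigfigs, snaplen, linktype
  per record (16 bytes):    ts_sec, ts_frac, incl_len, orig_len,
                            followed by incl_len bytes of frame data
"""
import struct
from typing import Iterable, Iterator, NamedTuple

MAGIC_USEC = 0xA1B2C3D4   # ts_frac holds microseconds
MAGIC_NSEC = 0xA1B23C4D   # ts_frac holds nanoseconds
LINKTYPE_ETHERNET = 1
MAX_SNAPLEN = 262144      # libpcap's upper bound; used when a file declares 0


class Record(NamedTuple):
    ts_ns: int      # capture time, integer nanoseconds since the epoch
    frame: bytes    # captured bytes; may be shorter than orig_len
    orig_len: int   # length of the packet on the wire


class PcapError(ValueError):
    """Raised for files that are not well-formed pcap."""


def _detect(magic_bytes: bytes):
    """Return (struct byte-order prefix, ts_frac unit in ns) from the magic."""
    for prefix in ("<", ">"):
        magic = struct.unpack(prefix + "I", magic_bytes)[0]
        if magic == MAGIC_USEC:
            return prefix, 1000
        if magic == MAGIC_NSEC:
            return prefix, 1
    raise PcapError("not a pcap file: magic %s" % magic_bytes.hex())


def iter_pcap(data: bytes) -> Iterator[Record]:
    """Yield records from an in-memory pcap file, refusing inconsistent lengths."""
    if len(data) < 24:
        raise PcapError("truncated global header")
    prefix, frac_unit = _detect(data[:4])
    _, vmaj, vmin, _tz, _sig, snaplen, _link = struct.unpack(prefix + "IHHiIII", data[:24])
    if (vmaj, vmin) != (2, 4):
        raise PcapError(f"unsupported pcap version {vmaj}.{vmin}")
    limit = snaplen or MAX_SNAPLEN
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            raise PcapError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(prefix + "IIII", data[off:off + 16])
        off += 16
        # Lengths come from the file, so a corrupt or hostile capture can claim
        # more bytes than the snaplen, than the wire length, or than remain.
        # Validate before slicing rather than trusting them.
        if incl_len > limit or incl_len > orig_len:
            raise PcapError(f"record at offset {off - 16}: incl_len {incl_len} exceeds "
                            f"snaplen {limit} or orig_len {orig_len}")
        if len(data) - off < incl_len:
            raise PcapError(f"record at offset {off - 16}: {incl_len} bytes claimed, "
                            f"{len(data) - off} remain")
        yield Record(ts_sec * 1_000_000_000 + ts_frac * frac_unit,
                     data[off:off + incl_len], orig_len)
        off += incl_len


def build_pcap(records: Iterable[Record], snaplen: int = 65535,
               linktype: int = LINKTYPE_ETHERNET, byte_order: str = "<",
               nanosecond: bool = False) -> bytes:
    """Serialize records as a pcap file, truncating frames to snaplen."""
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    out = [struct.pack(byte_order + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)]
    for r in records:
        frame = r.frame[:snaplen]
        sec, rem = divmod(r.ts_ns, 1_000_000_000)
        frac = rem if nanosecond else rem // 1000
        out.append(struct.pack(byte_order + "IIII", sec, frac, len(frame), r.orig_len))
        out.append(frame)
    return b"".join(out)


def count_by_ethertype(records: Iterable[Record]) -> dict:
    """Tally Ethernet frames by EtherType. Takes any iterable of Record, so the
    same function serves a saved file and a live source that yields Records."""
    counts: dict = {}
    for r in records:
        key = "runt" if len(r.frame) < 14 else "0x%04x" % struct.unpack("!H", r.frame[12:14])[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic: one broadcast ARP and two IPv4 frames from a made-up MAC.
def _frame(ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex("ffffffffffff" "020000000001") + struct.pack("!H", ethertype) + payload


SAMPLE_RECORDS = [
    Record(1_700_000_000_000_123_000, _frame(0x0806, b"\x00" * 28), 42),
    Record(1_700_000_000_000_456_000, _frame(0x0800, b"\x45" + b"\x00" * 39), 54),
    Record(1_700_000_000_001_000_000, _frame(0x0800, b"\x45" + b"\x00" * 19), 200),  # wire length 200, 34 captured
]

if __name__ == "__main__":
    blob = build_pcap(SAMPLE_RECORDS)
    parsed = list(iter_pcap(blob))
    print(len(blob), "bytes,", len(parsed), "records,", count_by_ethertype(parsed))
```

Running the module serializes the constructed records, parses them back and prints the EtherType tally. The reader accepts both byte orders and both the microsecond and nanosecond magic numbers, and it raises PcapError instead of slicing past the end of the buffer when a record header is inconsistent, which is the check a parser of untrusted capture files most needs.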

libpcap

libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked. It is now developed by the same tcpdump.org group that develops tcpdump.

WinPcap

WinPcap consists of:
  • x86 and x86-64 drivers for the Windows NT family (Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, etc.), which use NDIS to read packets directly from a network adapter;
  • implementations of a lower-level library for the listed operating systems, to communicate with those drivers;
  • a port of libpcap that uses the API offered by the low-level library implementations.

Programmers at the Politecnico di Torino wrote the original code; as of 2008 CACE Technologies, a company set up by some of the WinPcap developers, develops and maintains the product. CACE Technologies was acquired by Riverbed Technology on October 21, 2010.

Programs that use libpcap/WinPcap

  • tcpdump, a tool for capturing and dumping packets for further analysis, and WinDump, the Windows port of tcpdump.
  • ngrep, aka "network grep", isolates strings in packets and shows packet data in human-friendly output.
  • Wireshark (formerly Ethereal), a graphical packet-capture and protocol-analysis tool.
  • Snort, a network-intrusion-detection system.
  • daemonlogger, a lightweight pcap capture utility.
  • Nmap, a port-scanning and fingerprinting network utility.
  • the Bro IDS and network-monitoring platform.
  • URL Snooper, locates the URLs of audio and video files so that they can be recorded.
  • Kismet, for 802.11 wireless LANs.
  • NetworkMiner, a network forensic analysis tool that creates and parses pcap files.
  • RawCap, a raw socket sniffer for Windows.
  • L0phtCrack, a password auditing and recovery application.
  • iftop, a tool for displaying bandwidth usage (like top for network traffic).
  • EtherApe, a graphical tool for monitoring network traffic and bandwidth usage in real time.
  • Bit-Twist, a libpcap-based Ethernet packet generator and editor for BSD, Linux, and Windows.
  • Pirni, a network security tool for jailbroken iOS devices.
  • McAfee ePolicy Orchestrator, Rogue System Detection feature.
  • XLink Kai, software that allows you to play LAN games from a PS2, PS3, Xbox/Xbox 360, Gamecube and PSP online.
  • Firesheep, an extension for the Firefox web browser that intercepts unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities.
  • cookie, a Django app to extract cookie information from pcap files for analysis, possibly also for session hijacking.
  • Xplico, a network forensics analysis tool.
  • PegaNet, an open-source network traffic analysis tool. More information at http://lionbatata.pro.br

External links


Python

There are at least four alternative Python extensions offering a Python interface to the pcap library:

There is also a Python extension that includes its own code to read and write pcap files without using the pcap library:
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.