In the field of

computer A computer is a machine that can be Computer programming, programmed to automatically Execution (computing), carry out sequences of arithmetic or logical operations (''computation''). Modern digital electronic computers can perform generic set ...

network administration Network management is the process of administering and managing computer networks. Services provided by this discipline include fault analysis, performance management, provisioning of networks and maintaining quality of service. Network managem ...

, pcap is an

application programming interface An application programming interface (API) is a connection between computers or between computer programs. It is a type of software Interface (computing), interface, offering a service to other pieces of software. A document or standard that des ...

(API) for capturing network traffic. While the name is an abbreviation of ''

packet capture A packet analyzer (also packet sniffer or network analyzer) is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capt ...

'', that is not the API's proper name.

Unix-like A Unix-like (sometimes referred to as UN*X, *nix or *NIX) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Uni ...

systems implement pcap in the ''libpcap'' library; for

Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

, there is a

port A port is a maritime facility comprising one or more wharves or loading areas, where ships load and discharge cargo and passengers. Although usually situated on a sea coast or estuary, ports can also be found far inland, such as Hamburg, Manch ...

of libpcap named ''WinPcap'' that is no longer supported or developed, and a port named ''Npcap'' for

Windows 7 Windows 7 is a major release of the Windows NT operating system developed by Microsoft. It was Software release life cycle#Release to manufacturing (RTM), released to manufacturing on July 22, 2009, and became generally available on October 22, ...

and later that is still supported. Monitoring software may use libpcap, WinPcap, or Npcap to capture

network packet In telecommunications and computer networking, a network packet is a formatted unit of Data (computing), data carried by a packet-switched network. A packet consists of control information and user data; the latter is also known as the ''Payload ...

s traveling over a

computer network A computer network is a collection of communicating computers and other devices, such as printers and smart phones. In order to communicate, the computers and devices must be connected by wired media like copper cables, optical fibers, or b ...

and, in newer versions, to transmit packets on a network at the

link layer In computer networking, the link layer is the lowest layer in the Internet protocol suite, the networking architecture of the Internet. The link layer is the group of methods and communications protocols confined to the link that a host is phys ...

, and to get a list of network interfaces for possible use with libpcap, WinPcap, or Npcap. The pcap API is written in C, so other languages such as

Java Java is one of the Greater Sunda Islands in Indonesia. It is bordered by the Indian Ocean to the south and the Java Sea (a part of Pacific Ocean) to the north. With a population of 156.9 million people (including Madura) in mid 2024, proje ...

.NET The .NET platform (pronounced as "''dot net"'') is a free and open-source, managed code, managed computer software framework for Microsoft Windows, Windows, Linux, and macOS operating systems. The project is mainly developed by Microsoft emplo ...

languages, and

scripting language In computing, a script is a relatively short and simple set of instructions that typically automation, automate an otherwise manual process. The act of writing a script is called scripting. A scripting language or script language is a programming ...

s generally use a wrapper; no such wrappers are provided by libpcap or WinPcap itself. C++ programs may link directly to the C API or make use of an

object-oriented Object-oriented programming (OOP) is a programming paradigm based on the concept of '' objects''. Objects can contain data (called fields, attributes or properties) and have actions they can perform (called procedures or methods and impleme ...

wrapper.

Features

libpcap, WinPcap, and Npcap provide the packet-capture and filtering engines of many

open-source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use and view the source code, design documents, or content of the product. The open source model is a decentrali ...

and commercial network tools, including protocol analyzers (

packet sniffer A packet analyzer (also packet sniffer or network analyzer) is a computer program or computer hardware such as a packet capture appliance that can Traffic analysis, analyze and Logging (computing), log traffic that passes over a computer netwo ...

s), network monitors, network intrusion detection systems, traffic-generators and network-testers. Most current

systems provide a mechanism by which a program can capture network traffic to and from the machine running the program and, in some cases, other traffic to which that machine is attached. However, these mechanisms are significantly different from one another; the libpcap library provides a common API to access these mechanisms, allowing programs to be written to capture network traffic without having to worry about the details of all those mechanisms. libpcap, WinPcap, and Npcap also support saving captured packets to a file, and reading files containing saved packets;

applications Application may refer to: Mathematics and computing * Application software, computer software designed to help the user to perform specific tasks ** Application layer, an abstraction layer that specifies protocols and interface methods used in a ...

can be written, using libpcap, WinPcap, or Npcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap, WinPcap, and Npcap use can be read by applications that understand that format, such as tcpdump,

Wireshark Wireshark is a Free and open-source software, free and open-source packet analyzer. It is used for computer network, network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, ...

, CA NetMaster, or Microsoft Network Monitor 3.x. The file format is described by Internet-Draft draft-ietf-opsawg-pcap; the current editors' version of the draft is also available. The MIME type for the file format created and read by libpcap, WinPcap, and Npcap is application/vnd.tcpdump.pcap. The typical file extension is .pcap, although .cap and .dmp are also in common use.

History

libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked. It is now developed by the same tcpdump.org group that develops tcpdump.

pcap libraries for Windows

While libpcap was originally developed for Unix-like operating systems, a successful

for Windows was made, called WinPcap. It has been unmaintained since 2013, and several competing

forks In cutlery or kitchenware, a fork (from 'pitchfork') is a Eating utensil, utensil, now usually made of metal, whose long handle terminates in a head that branches into several narrow and often slightly curved tine (structural), tines with whic ...

have been released with new features and support for newer versions of Windows.

WinPcap

WinPcap consists of: *

x86 x86 (also known as 80x86 or the 8086 family) is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel, based on the 8086 microprocessor and its 8-bit-external-bus variant, the 8088. Th ...

and

x86-64 x86-64 (also known as x64, x86_64, AMD64, and Intel 64) is a 64-bit extension of the x86 instruction set architecture, instruction set. It was announced in 1999 and first available in the AMD Opteron family in 2003. It introduces two new ope ...

drivers for the

Windows NT Windows NT is a Proprietary software, proprietary Graphical user interface, graphical operating system produced by Microsoft as part of its Windows product line, the first version of which, Windows NT 3.1, was released on July 27, 1993. Original ...

family ( Windows NT 4.0,

2000 2000 was designated as the International Year for the Culture of Peace and the World Mathematics, Mathematical Year. Popular culture holds the year 2000 as the first year of the 21st century and the 3rd millennium, because of a tende ...

, XP, Server 2003, Vista, 7, 8, and 10), which use

Network Driver Interface Specification The Network Driver Interface Specification (NDIS) is an application programming interface (API) for network interface controllers (NICs). Specification It was jointly developed by Microsoft and 3Com Corporation and is mostly used in Microsoft Wi ...

(NDIS) 5.x to read packets directly from a

network adapter A network interface controller (NIC, also known as a network interface card, network adapter, LAN adapter and physical network interface) is a computer hardware component that connects a computer to a computer network. Early network interface ...

; * implementations of a lower-level library for the listed operating systems, to communicate with those drivers; * a port of libpcap that uses the API offered by the low-level library implementations. Programmers at the

Politecnico di Torino The Polytechnic University of Turin (, abbreviated as PoliTO) is the oldest Italian public technical university. The university offers several courses in the fields of Engineering, Architecture, Urban Planning and Industrial Design, and is consi ...

wrote the original code. As of 2008, CACE Technologies, a company set up by some of the WinPcap developers, developed and maintained the product. CACE was acquired by

Riverbed Technology Riverbed Technology LLC is an American information technology company. Its products consist of software and hardware focused on Unified Observability, Network Visibility, End User Experience Management, Network monitoring, network performance mon ...

on October 21, 2010. Because WinPcap uses the older NDIS 5.x APIs, it does not work on some builds of Windows 10, which have deprecated or removed those APIs in favor of the newer NDIS 6.x APIs. It also forces some limitations such as being unable to capture 802.1Q VLAN tags in

Ethernet Ethernet ( ) is a family of wired computer networking technologies commonly used in local area networks (LAN), metropolitan area networks (MAN) and wide area networks (WAN). It was commercially introduced in 1980 and first standardized in 198 ...

headers. The WinPcap project has ceased development and WinPcap and WinDump are no longer maintained. The last official WinPcap release was 4.1.3 released March 8, 2013.

Npcap

Npcap is the Nmap Project's packet sniffing library for Windows. It is based on WinPcap, but written to make use of Windows networking improvements in NDIS version 6. Its authors rewrote the WinPcap NDIS 5 Protocol Driver as a Light-Weight Filter (LWF) driver, a change that reduces processing overhead. Npcap maintenance releases updated the version of the included libpcap library to the latest available, allowing software authors to use the newer API features that Linux software had already supported. Most software that used WinPcap can be easily ported to use Npcap with minimal changes. Npcap introduced several innovations that were not available in WinPcap: * Npcap can be restricted so that only Administrators can sniff packets. * Npcap is able to sniff and inject loopback packets (transmissions between services on the same machine) by using the Windows Filtering Platform. * Npcap can capture 802.11 WiFi frames on a variety of commonly-available network adapters. Unlike Nmap, Npcap is proprietary software and requires a special license for use and redistribution except for some limited internal uses.

Win10Pcap

Win10Pcap implementation is also based on the NDIS 6 driver model and works stably with

Windows 10 Windows 10 is a major release of Microsoft's Windows NT operating system. The successor to Windows 8.1, it was Software release cycle#Release to manufacturing (RTM), released to manufacturing on July 15, 2015, and later to retail on July 2 ...

. The project, however, has been inactive since 2016.

Programs that use or used libpcap

* Bit-Twist, a libpcap-based Ethernet packet generator and editor for

BSD The Berkeley Software Distribution (BSD), also known as Berkeley Unix or BSD Unix, is a discontinued Unix operating system developed and distributed by the Computer Systems Research Group (CSRG) at the University of California, Berkeley, beginni ...

, Linux, and Windows. *

Cain and Abel In the biblical Book of Genesis, Cain and Abel are the first two sons of Adam and Eve. Cain, the firstborn, was a farmer, and his brother Abel was a shepherd. The brothers made sacrifices, each from his own fields, to God. God had regard for Ab ...

, a discontinued password recovery tool for Microsoft Windows * EtherApe, a graphical tool for monitoring network traffic and bandwidth usage in real time. * Firesheep, a discontinued extension for the

Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements curr ...

web browser that captured packets and performed

session hijacking In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a ''session key''—to gain unauthorized access to information or services in a computer s ...

iftop Iftop is a free software command-line system monitor tool developed by Paul Warren. It produces a real-time stream of incoming and outgoing network communications from the operating system iftop is running within. By default, the connections are ...

, a tool for displaying bandwidth usage (like

top Top most commonly refers to: * Top, a basic term of orientation, distinguished from bottom, front, back, and sides * Spinning top, a ubiquitous traditional toy * Top (clothing), clothing designed to be worn over the torso * Mountain top, a moun ...

for network traffic) * Kismet, for 802.11 wireless LANs * L0phtCrack, a

password A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services t ...

audit An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing al ...

ing and recovery application. *

McAfee McAfee Corp. ( ), formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American proprietary software company focused on online ...

ePolicy Orchestrator, Rogue System Detection feature *

ngrep ngrep (Computer network, network grep) is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library. ngrep supports Berkeley Packet Filter (Berkeley Packet Fil ...

, aka "network

grep grep is a command-line utility for searching plaintext datasets for lines that match a regular expression. Its name comes from the ed command g/re/p (global regular expression search and print), which has the same effect. grep was originally de ...

", isolate strings in packets, show packet data in human-friendly output. * Nmap, a port-scanning and

fingerprinting A fingerprint is an impression left by the friction ridges of a human finger. The recovery of partial fingerprints from a crime scene is an important method of forensic science. Moisture and grease on a finger result in fingerprints on surfa ...

network utility * Pirni, a discontinued network security tool for

jailbroken iOS jailbreaking is the use of a privilege escalation exploit to remove software restrictions imposed by Apple on devices running iOS and iOS-based operating systems. It is typically done through a series of kernel patches. A jailbroken device ...

iOS Ios, Io or Nio (, ; ; locally Nios, Νιός) is a Greek island in the Cyclades group in the Aegean Sea. Ios is a hilly island with cliffs down to the sea on most sides. It is situated halfway between Naxos and Santorini. It is about long an ...

devices. * Scapy, a packet manipulation tool for computer networks, written in

Python Python may refer to: Snakes * Pythonidae, a family of nonvenomous snakes found in Africa, Asia, and Australia ** ''Python'' (genus), a genus of Pythonidae found in Africa and Asia * Python (mythology), a mythical serpent Computing * Python (prog ...

by Philippe Biondi. * Snort, a network-intrusion-detection system. *

Suricata ''Suricata'' is a genus of mongoose that is endemic to Africa. The oldest species known is the extinct '' Suricata major'' that lived about 1.8 million years ago in South Africa. The only species alive is the meerkat The meerkat (''Suri ...

, a network intrusion prevention and analysis platform. *

Symantec Symantec may refer to: * Gen Digital, an American consumer software company formerly known as Symantec * Symantec Security, a brand of enterprise security software purchased by Broadcom Broadcom Inc. is an American multinational corporation, ...

Data Loss Prevention, Used to monitor and identify sensitive data, track its use, and location. Data loss policies allow sensitive data to be blocked from leaving the network or copied to another device. * tcpdump, a tool for capturing and dumping packets for further analysis, and WinDump, the Windows port of tcpdump. *

Zeek Zeek is a free and open-source software network analysis framework. Vern Paxson began development work on Zeek in 1995 at Lawrence Berkeley National Lab. Zeek is a network security monitor (NSM) but can also be used as a network intrusion detecti ...

, an

intrusion detection system An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collec ...

and

network monitoring Network monitoring is the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator (via email, SMS or other alarms) in case of outages or other trouble. Network monitor ...

platform.
URL Snooper
locate the URLs of audio and video files in order to allow recording them. * WhatPulse, a statistical (input, network, uptime) measuring application. *

(formerly Ethereal), a graphical packet-capture and protocol-analysis tool. * XLink Kai, software that allows various LAN

console game A video game console is an electronic device that outputs a video signal or image to display a video game that can typically be played with a game controller. These may be home consoles, which are generally placed in a permanent location connec ...

s to be played online * Xplico, a network forensics analysis tool (NFAT).

Wrapper libraries for libpcap

* C++
LibtinsLibcrafterPcapPlusPlus
*

Perl Perl is a high-level, general-purpose, interpreted, dynamic programming language. Though Perl is not officially an acronym, there are various backronyms in use, including "Practical Extraction and Reporting Language". Perl was developed ...

Net::Pcap
*

python-libpcapPcapyWinPcapy
*

Ruby Ruby is a pinkish-red-to-blood-red-colored gemstone, a variety of the mineral corundum ( aluminium oxide). Ruby is one of the most popular traditional jewelry gems and is very durable. Other varieties of gem-quality corundum are called sapph ...

PacketFu
*

Rust Rust is an iron oxide, a usually reddish-brown oxide formed by the reaction of iron and oxygen in the catalytic presence of water or air moisture. Rust consists of hydrous iron(III) oxides (Fe2O3·nH2O) and iron(III) oxide-hydroxide (FeO(OH) ...

pcap
*

Tcl TCL or Tcl or TCLs may refer to: Business * TCL Technology, a Chinese consumer electronics and appliance company ** TCL Electronics, a subsidiary of TCL Technology * Texas Collegiate League, a collegiate baseball league * Trade Centre Limited ...

tclpcaptcap
*

jpcapjNetPcapPcap4jJxnet
*

: WinPcapNET
SharpPcapPcap.Net
*

Haskell Haskell () is a general-purpose, statically typed, purely functional programming language with type inference and lazy evaluation. Designed for teaching, research, and industrial applications, Haskell pioneered several programming language ...

pcap
*

OCaml OCaml ( , formerly Objective Caml) is a General-purpose programming language, general-purpose, High-level programming language, high-level, Comparison of multi-paradigm programming languages, multi-paradigm programming language which extends the ...

mlpcap
*

Chicken The chicken (''Gallus gallus domesticus'') is a domesticated subspecies of the red junglefowl (''Gallus gallus''), originally native to Southeast Asia. It was first domesticated around 8,000 years ago and is now one of the most common and w ...

Scheme
pcap
*

Common Lisp Common Lisp (CL) is a dialect of the Lisp programming language, published in American National Standards Institute (ANSI) standard document ''ANSI INCITS 226-1994 (S2018)'' (formerly ''X3.226-1994 (R1999)''). The Common Lisp HyperSpec, a hyperli ...

PLOKAMI
* Racket
SPeaCAP
* Go
pcap
by Andreas Krennmair
pcap
fork of the previous by Miek Gieben
pcap
developed as part of th
gopacket
package * Erlang
epcap
* Node.js
node_pcap

Non-pcap libraries that read pcap files

pycapfile
*

PyPCAPKit

References

External links

*, libpcap, tcpdump *, Npcap *{{Official website, https://www.winpcap.org/, WinPcap, WinDump
List of publicly available PCAP files
Network analyzers Unix network-related software Windows network-related software MacOS network-related software Windows security software MacOS security software Free software programmed in C Cross-platform free software Free network management software Software using the BSD license