PCAP-over-IP

Last updated November 29, 2025

PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection.^[1] The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.

Background and etymology

The first known use of the term PCAP-over-IP is by Packet Forensics in 2011.^[2] However, the concept behind PCAP-over-IP was mentioned already in 2008 as part of a feature request for Wireshark.^[3] The need for this feature was motivated as follows:

"This feature is useful when the capture is generated on a machine which does not have much storage (e.g. embedded system). E.g., ipmb_traced application available on Pigeon Point shelf managers can transmit the capture over the TCP connection without writing it to the filesystem."

Use cases

Common use cases for PCAP-over-IP include:

Transmitting captured network traffic in real time to one or more remote machines
Transferring network traffic to other applications on the same host
Providing decrypted traffic from a TLS interception proxy to a packet analyzer or IDS.

Software with PCAP-over-IP support

Arkime^[4]
NetworkMiner^[5]
pcap-broker^[6]
Pkappa2^[7]
PolarProxy
Shovel^[8]
Tulip^[9]
Wireshark ^[10]
Xplico ^[11]
Zeek ^[12]

Workarounds

Software that can sniff network traffic, but doesn't support PCAP-over-IP, can read packets from a PCAP-over-IP provider with help of a netcat and tcpreplay combo.

nc [SERVER] 57012 | tcpreplay -i eth0 -t -

References

↑ Hjelmvik, Erik (15 August 2022). "What is PCAP over IP?". Netresec Blog. Netresec. Retrieved 25 August 2022.
↑ "Packet Forensics - M1 Device". Wayback Machine (FEB 06 2011). Archived from the original on 2011-02-06. Retrieved 26 August 2022.
↑ Neyman, Alexey. "Bug 2788 - Allow captures over TCP connections". Wireshark Bug Database. Retrieved 25 August 2022.
↑ "Arkime Settings" . Retrieved 25 August 2022.
↑ "Pcap-over-IP in NetworkMiner". 7 September 2011. Retrieved 25 August 2022.
↑ "PCAP-over-IP server written in Golang". GitHub. Retrieved 24 October 2023.
↑ "pcappa2: Network traffic analysis tool for Attack & Defense CTF's". GitHub. Retrieved 28 November 2025.
↑ "Shovel: Web interface to explore Suricata EVE outputs". GitHub. Retrieved 28 November 2025.
↑ "tulip: Network analysis tool for Attack Defence CTF". GitHub. Retrieved 28 November 2025.
↑ "Pipes - TCP socket". Wireshark Wiki. Retrieved 25 August 2022.
↑ "PCAP-over-IP". Xplico Wiki. Retrieved 25 August 2022.
↑ "zeek-pcapovertcp-plugin". GitHub. Retrieved 6 September 2023.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Hjelmvik, Erik (15 August 2022). "What is PCAP over IP?". Netresec Blog. Netresec. Retrieved 25 August 2022.

[2] "Packet Forensics - M1 Device". Wayback Machine (FEB 06 2011). Archived from the original on 2011-02-06. Retrieved 26 August 2022.

[3] Neyman, Alexey. "Bug 2788 - Allow captures over TCP connections". Wireshark Bug Database. Retrieved 25 August 2022.

[4] "Arkime Settings" . Retrieved 25 August 2022.

[5] "Pcap-over-IP in NetworkMiner". 7 September 2011. Retrieved 25 August 2022.

[6] "PCAP-over-IP server written in Golang". GitHub. Retrieved 24 October 2023.

[7] "pcappa2: Network traffic analysis tool for Attack & Defense CTF's". GitHub. Retrieved 28 November 2025.

[8] "Shovel: Web interface to explore Suricata EVE outputs". GitHub. Retrieved 28 November 2025.

[9] "tulip: Network analysis tool for Attack Defence CTF". GitHub. Retrieved 28 November 2025.

[10] "Pipes - TCP socket". Wireshark Wiki. Retrieved 25 August 2022.

[11] "PCAP-over-IP". Xplico Wiki. Retrieved 25 August 2022.

[12] "zeek-pcapovertcp-plugin". GitHub. Retrieved 6 September 2023.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]