Pcap

Last updated
libpcap
Developer(s) The Tcpdump team
Stable release
1.10.4 / April 7, 2023;19 months ago (2023-04-07) [1]
Repository libpcap on GitHub
Written in C
Operating system Linux, Solaris, FreeBSD, NetBSD, OpenBSD, macOS, other Unix-like
Type Library for packet capture
License BSD [2]
Website www.tcpdump.org
WinPcap
Developer(s) Riverbed Technology
Final release
4.1.3 / March 8, 2013;11 years ago (2013-03-08) [3]
Operating system Windows
Type Library for packet capture
License Freeware
Website www.winpcap.org
Npcap
Developer(s) the Nmap project
Stable release
1.79 / January 19, 2024;10 months ago (2024-01-19) [4]
Operating system Windows
Type Library for packet capture
License Proprietary (source available)
Website npcap.com

In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of packet capture , that is not the API's proper name. Unix-like systems implement pcap in the libpcap library; for Windows, there is a port of libpcap named WinPcap that is no longer supported or developed, and a port named Npcap for Windows 7 and later that is still supported.

Contents

Monitoring software may use libpcap, WinPcap, or Npcap to capture network packets traveling over a computer network and, in newer versions, to transmit packets on a network at the link layer, and to get a list of network interfaces for possible use with libpcap, WinPcap, or Npcap.

The pcap API is written in C, so other languages such as Java, .NET languages, and scripting languages generally use a wrapper; no such wrappers are provided by libpcap or WinPcap itself. C++ programs may link directly to the C API or make use of an object-oriented wrapper.

Features

libpcap, WinPcap, and Npcap provide the packet-capture and filtering engines of many open-source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic-generators and network-testers.

Most current Unix-like systems provide a mechanism by which a program can capture network traffic to and from the machine running the program and, in some cases, other traffic to which that machine is attached. However, these mechanisms are significantly different from one another; the libpcap library provides a common API to access these mechanisms, allowing programs to be written to capture network traffic without having to worry about the details of all those mechanisms.

libpcap, WinPcap, and Npcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap, WinPcap, or Npcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap, WinPcap, and Npcap use can be read by applications that understand that format, such as tcpdump, Wireshark, CA NetMaster, or Microsoft Network Monitor 3.x. The file format is described by Internet-Draft draft-ietf-opsawg-pcap; [5] the current editors' version of the draft is also available. [6]

The MIME type for the file format created and read by libpcap, WinPcap, and Npcap is application/vnd.tcpdump.pcap. The typical file extension is .pcap, although .cap and .dmp are also in common use. [7]

History

libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked. [8] It is now developed by the same tcpdump.org group that develops tcpdump. [9]

pcap libraries for Windows

While libpcap was originally developed for Unix-like operating systems, a successful port for Windows was made, called WinPcap. It has been unmaintained since 2013, [10] and several competing forks have been released with new features and support for newer versions of Windows.

WinPcap

WinPcap consists of: [11]

Programmers at the Politecnico di Torino wrote the original code. As of 2008, CACE Technologies, a company set up by some of the WinPcap developers, developed and maintained the product. CACE was acquired by Riverbed Technology on October 21, 2010. [12]

Because WinPcap uses the older NDIS 5.x APIs, it does not work on some builds of Windows 10, which have deprecated or removed those APIs in favor of the newer NDIS 6.x APIs. It also forces some limitations such as being unable to capture 802.1Q VLAN tags in Ethernet headers.

The WinPcap project has ceased development and WinPcap and WinDump are no longer maintained. The last official WinPcap release was 4.1.3 released March 8, 2013. [13]

Npcap

Npcap is the Nmap Project's packet sniffing library for Windows. [14] It is based on WinPcap, but written to make use of Windows networking improvements in NDIS version 6. Its authors rewrote the WinPcap NDIS 5 Protocol Driver as a Light-Weight Filter (LWF) driver, a change that reduces processing overhead. [15] Npcap maintenance releases updated the version of the included libpcap library to the latest available, allowing software authors to use the newer API features that Linux software had already supported. [16] Most software that used WinPcap can be easily ported to use Npcap with minimal changes. [17]

Npcap introduced several innovations that were not available in WinPcap:

Unlike Nmap, Npcap is proprietary software and requires a special license for use and redistribution except for some limited internal uses. [21]

Win10Pcap

Win10Pcap implementation is also based on the NDIS 6 driver model and works stably with Windows 10. [22] The project, however, has been inactive since 2016. [23]

Programs that use or used libpcap

Wrapper libraries for libpcap

Non-pcap libraries that read pcap files

Other applications or devices that read or write pcap or pcapng files

Related Research Articles

<span class="mw-page-title-main">Packet analyzer</span> Computer network equipment or software that analyzes network traffic

A packet analyzer is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capture is the process of intercepting and logging traffic. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.

tcpdump Data-network packet analyzer

tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing that takes place on a router or on a computer connected to a wired network or one being part of a wireless LAN. Interfaces are placed into promiscuous mode by software bridges often used with hardware virtualization.

<span class="mw-page-title-main">Snort (software)</span> Open-source intrusion prevention system

Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013.

<span class="mw-page-title-main">Kismet (software)</span> Network detector, packet sniffer, and intrusion detection system

Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and macOS. The client can also run on Microsoft Windows, although, aside from external drones, there's only one supported wireless hardware available as packet source.

dSniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data. arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker. sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

Monitor mode, or RFMON mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the eight modes that 802.11 wireless adapter can operate in: Master, Managed, Ad hoc, Repeater, Mesh, Wi-Fi Direct, TDLS and Monitor mode.

<span class="mw-page-title-main">Wireshark</span> Network traffic analyzer

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

Omnipeek is a packet analyzer software tool from Savvius, a LiveAction company, for network troubleshooting and protocol analysis. It supports an application programming interface (API) for plugins.

In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack, to improve on the previous stack in several ways. The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.

The Berkeley Packet Filter is a network tap and packet filter which permits computer network packets to be captured and filtered at the operating system level. It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received, and allows a userspace process to supply a filter program that specifies which packets it wants to receive. For example, a tcpdump process may want to receive only packets that initiate a TCP connection. BPF returns only packets that pass the filter that the process supplies. This avoids copying unwanted packets from the operating system kernel to the process, greatly improving performance. The filter program is in the form of instructions for a virtual machine, which are interpreted, or compiled into machine code by a just-in-time (JIT) mechanism and executed, in the kernel.

Microsoft Network Monitor (Netmon) is a deprecated packet analyzer. It enables capturing, viewing, and analyzing network data and deciphering network protocols. It can be used to troubleshoot network problems and applications on the network. Microsoft Network Monitor 1.0 was originally designed and developed by Raymond Patch, a transport protocol and network adapter device driver engineer on the Microsoft LAN Manager development team.

Packet injection in computer networking, is the process of interfering with an established network connection by means of constructing packets to appear as if they are part of the normal communication stream. The packet injection process allows an unknown third party to disrupt or intercept packets from the consenting parties that are communicating, which can lead to degradation or blockage of users' ability to utilize certain network services or protocols. Packet injection is commonly used in man-in-the-middle attacks and denial-of-service attacks.

<span class="mw-page-title-main">EtherApe</span> Network traffic monitoring tool

EtherApe is a packet sniffer/network traffic monitoring tool, developed for Unix. EtherApe is free, open source software developed under the GNU General Public License.

Bit-Twist is a powerful libpcap-based Ethernet packet generator and packet capture editor, written in POSIX-compliant C, designed to complement tcpdump by replaying captured traffic from pcap files onto live networks. It supports Windows, Linux, BSD, and macOS, allowing the editing of key fields in Ethernet, ARP, IPv4, IPv6, ICMP, and TCP/UDP headers. It can also generate pcap files from its built-in templates, enabling packet creation without existing capture files, along with payload generation from uniformly distributed random bytes or fixed bytes, such as hex streams from Wireshark. Ideal for testing firewalls, IDS, IPS, routers, switches, load balancers, and other network equipment, it delivers performance that matches the line rate of NIC, up to 10Gbps.

ngrep Packet analyser

ngrep is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library.

Justniffer is a TCP packet sniffer. It can log network traffic in a 'standard' or in a customized way. It can also log response times, useful for tracking network services performances . The output format of the traffic can be easily customized. An example written in Python stores the transferred contents in an output directory separated by domains. This means that the transferred files like html, css, javascript, images, sounds, etc. can be saved to a directory.

netsniff-ng Linux networking toolkit

netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets, so that the Linux kernel does not need to copy packets from kernel space to user space via system calls such as recvmsg . libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also use that mechanism on Linux.

Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a packet sniffer.

PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection. The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.

References

  1. "tcpdump and libpcap latest release". tcpdump.org. Retrieved 2023-02-08.
  2. "tcpdump and libpcap license". tcpdump.org. Retrieved 2020-05-02.
  3. "WinPcap Changelog".
  4. "npcap/CHANGELOG.md". GitHub .
  5. PCAP Capture File Format. 23 July 2023. I-D draft-ietf-opsawg-pcap.
  6. "PCAP Capture File Format". 1 March 2024.
  7. Turner, Glen (2011-03-30). "IANA record of application for MIME type application/vnd.tcpdump.pcap". IANA. Retrieved 2023-02-25.
  8. McCanne, Steve. "libpcap: An Architecture and Optimization Methodology for Packet Capture" (PDF). Retrieved December 27, 2013.
  9. "TCPDUMP/LIBPCAP public repository" . Retrieved December 27, 2013.
  10. "WinPcap News" . Retrieved November 6, 2017.
  11. "WinPcap internals" . Retrieved December 27, 2013.
  12. "Riverbed Expands Further Into The Application-Aware Network Performance Management Market with the Acquisition of CACE Technologies" (Press release). Riverbed Technology. 2010-10-21. Archived from the original on 2013-03-08. Retrieved 2010-10-21.
  13. "WinPcap · News". WinPcap. 2013-03-08.
  14. "Npcap".
  15. "Filter drivers". 15 December 2021.
  16. "Release Npcap 1.20". GitHub .
  17. "Updating WinPcap software to Npcap". Developing software with Npcap. Retrieved 2023-02-25.
  18. "Graphical installer options". Npcap Users' Guide. Retrieved 2023-02-25.
  19. "For software that uses Npcap loopback feature". Npcap User's Guide. Retrieved 2023-02-25.
  20. "For software that uses Npcap raw 802.11 feature". Npcap User's Guide. Retrieved 2023-02-25.
  21. "Npcap License". GitHub .
  22. "Win10Pcap: WinPcap for Windows 10".
  23. Win10Pcap: WinPcap for Windows 10 (NDIS 6.x driver model): SoftEtherVPN/Win10Pcap, SoftEther VPN Project, 2019-12-31, retrieved 2020-01-09
  24. Bevens, Bridget (July 31, 2017). "Drill 1.11 Released".
  25. Packet.java on GitHub
  26. "What Can Read or Save a PCAP?". What is a PCAP file?. Endace.