PCAP-over-IP

Method for transmitting captured network traffic over TCP From Wikipedia, the free encyclopedia

PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection.^[1] The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.

Background and etymology

The first known use of the term PCAP-over-IP is by Packet Forensics in 2011.^[2] However, the concept behind PCAP-over-IP was mentioned already in 2008 as part of a feature request for Wireshark.^[3] The need for this feature was motivated as follows:

"This feature is useful when the capture is generated on a machine that does not have much storage (e.g. embedded system). E.g., ipmb_traced application available on Pigeon Point shelf managers can transmit the capture over the TCP connection without writing it to the filesystem."

Use cases

Common use cases for PCAP-over-IP include:

Transmitting captured network traffic in real time to one or more remote machines
Transferring network traffic to other applications on the same host
Providing decrypted traffic from a TLS interception proxy to a packet analyzer or IDS.

Software with PCAP-over-IP support

Arkime^[4]
NetworkMiner^[5]
pcap-broker^[6]
Pkappa2^[7]
PolarProxy
Shovel^[8]
Tulip^[9]
Wireshark^[10]
Xplico^[11]
Zeek^[12]

Workarounds

Software that can sniff network traffic, but doesn't support PCAP-over-IP, can read packets from a PCAP-over-IP provider with the help of a netcat and tcpreplay combo.

nc [SERVER] 57012 | tcpreplay -i eth0 -t -

References

Related Articles

Wikiwand AI