PCAP-over-IP

PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection.^[1] The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.

Background and etymology

The first known use of the term PCAP-over-IP is by Packet Forensics in 2011.^[2] However, the concept behind PCAP-over-IP was mentioned already in 2008 as part of a feature request for Wireshark.^[3] The need for this feature was motivated as follows:

"This feature is useful when the capture is generated on a machine that does not have much storage (e.g. embedded system). E.g., ipmb_traced application available on Pigeon Point shelf managers can transmit the capture over the TCP connection without writing it to the filesystem."

Use cases

Common use cases for PCAP-over-IP include:

Transmitting captured network traffic in real time to one or more remote machines
Transferring network traffic to other applications on the same host
Providing decrypted traffic from a TLS interception proxy to a packet analyzer or IDS.

Software with PCAP-over-IP support

Arkime^[4]
NetworkMiner^[5]
pcap-broker^[6]
Pkappa2^[7]
PolarProxy
Shovel^[8]
Tulip^[9]
Wireshark^[10]
Xplico^[11]
Zeek^[12]

Workarounds

Software that can sniff network traffic, but doesn't support PCAP-over-IP, can read packets from a PCAP-over-IP provider with the help of a netcat and tcpreplay combo.

nc [SERVER] 57012 | tcpreplay -i eth0 -t -

References

0.00

(0 votes)

Original source: https://en.wikipedia.org/wiki/PCAP-over-IP. Read more

[1] Hjelmvik, Erik (15 August 2022). "What is PCAP over IP?". Netresec. https://www.netresec.com/?page=Blog&month=2022-08&post=What-is-PCAP-over-IP.

[2] "Packet Forensics - M1 Device". http://www.packetforensics.com:80/pflim1.safe.

[3] Neyman, Alexey. "Bug 2788 - Allow captures over TCP connections". https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2788.

[4] "Arkime Settings". https://arkime.com/settings#reader-poi-settings.

[5] "Pcap-over-IP in NetworkMiner". 7 September 2011. https://www.netresec.com/?page=Blog&month=2011-09&post=Pcap-over-IP-in-NetworkMiner.

[6] "PCAP-over-IP server written in Golang". https://github.com/fox-it/pcap-broker.

[7] "pcappa2: Network traffic analysis tool for Attack & Defense CTF's". https://github.com/spq/pkappa2.

[8] "Shovel: Web interface to explore Suricata EVE outputs". https://github.com/FCSC-FR/shovel.

[9] "tulip: Network analysis tool for Attack Defence CTF". https://github.com/OpenAttackDefenseTools/tulip.

[10] "Pipes - TCP socket". https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket.

[11] "PCAP-over-IP". https://wiki.xplico.org/doku.php?id=pcap-over-ip.

[12] "zeek-pcapovertcp-plugin". https://github.com/emnahum/zeek-pcapovertcp-plugin.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

Anonymous

Search

PCAP-over-IP

Namespaces

More

Page actions

Contents

Background and etymology

Use cases

Software with PCAP-over-IP support

Workarounds

References

Navigation

Navigation

Resources

Help

googletranslator

Navigation

Wiki tools

Wiki tools

Anonymous

Search

PCAP-over-IP

Background and etymology

Use cases

Software with PCAP-over-IP support

Workarounds

References

Navigation

Wiki tools

Page tools

Other projects

Categories