PCAP-over-IP

From HandWiki
Short description: Method for transmitting captured network traffic over TCP

PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection.[1] The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.

Background and etymology

The first known use of the term PCAP-over-IP is by Packet Forensics in 2011.[2] However, the concept behind PCAP-over-IP was mentioned already in 2008 as part of a feature request for Wireshark.[3] The need for this feature was motivated as follows:

"This feature is useful when the capture is generated on a machine which does not have much storage (e.g. embedded system). E.g., ipmb_traced application available on Pigeon Point shelf managers can transmit the capture over the TCP connection without writing it to the filesystem."

Use cases

Common use cases for PCAP-over-IP include:

  • Transmitting captured network traffic in real time to one or more remote machines
  • Transferring network traffic to other applications on the same host
  • Providing decrypted traffic from a TLS interception proxy to a packet analyzer or IDS.

Software with PCAP-over-IP support

Workarounds

Software that can sniff network traffic, but doesn't support PCAP-over-IP, can read packets from a PCAP-over-IP provider with help of a netcat and tcpreplay combo. 

nc [SERVER] 57012 | tcpreplay -i eth0 -t -

References

  1. Hjelmvik, Erik. "What is PCAP over IP?". Netresec. https://www.netresec.com/?page=Blog&month=2022-08&post=What-is-PCAP-over-IP. 
  2. "Packet Forensics - M1 Device". https://web.archive.org/web/20110206144745/http://www.packetforensics.com:80/pflim1.safe. 
  3. Neyman, Alexey. "Bug 2788 - Allow captures over TCP connections". https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2788. 
  4. "Arkime Settings". https://arkime.com/settings#reader-poi-settings. 
  5. "Pcap-over-IP in NetworkMiner". https://www.netresec.com/?page=Blog&month=2011-09&post=Pcap-over-IP-in-NetworkMiner. 
  6. "PCAP-over-IP server written in Golang". https://github.com/fox-it/pcap-broker. 
  7. "Pipes - TCP socket". https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket. 
  8. "PCAP-over-IP". https://wiki.xplico.org/doku.php?id=pcap-over-ip. 
  9. "zeek-pcapovertcp-plugin". https://github.com/emnahum/zeek-pcapovertcp-plugin. 



Retrieved from "https://handwiki.org/wiki/index.php?title=PCAP-over-IP&oldid=3385185"