PCAP-over-IP
PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection.[1] The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.
Background and etymology
[edit | edit source]The first known use of the term PCAP-over-IP is by Packet Forensics in 2011.[2] However, the concept behind PCAP-over-IP was mentioned already in 2008 as part of a feature request for Wireshark.[3] The need for this feature was motivated as follows:
"This feature is useful when the capture is generated on a machine which does not have much storage (e.g. embedded system). E.g., ipmb_traced application available on Pigeon Point shelf managers can transmit the capture over the TCP connection without writing it to the filesystem."
Use cases
[edit | edit source]Common use cases for PCAP-over-IP include:
- Transmitting captured network traffic in real time to one or more remote machines
- Transferring network traffic to other applications on the same host
- Providing decrypted traffic from a TLS interception proxy to a packet analyzer or IDS.
Software with PCAP-over-IP support
[edit | edit source]- Arkime[4]
- NetworkMiner[5]
- pcap-broker[6]
- Pkappa2[7]
- PolarProxy
- Shovel[8]
- Tulip[9]
- Wireshark[10]
- Xplico[11]
- Zeek[12]
Workarounds
[edit | edit source]Software that can sniff network traffic, but doesn't support PCAP-over-IP, can read packets from a PCAP-over-IP provider with help of a netcat and tcpreplay combo.
nc [SERVER] 57012 | tcpreplay -i eth0 -t -
References
[edit | edit source]- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).