Related Documents

BPF+: Exploiting Global Data-flow Optimization in a Generalized Packet Filter Architecture
By Andrew Begel, Steven McCanne, and Susan Graham.
A paper presented at SIGCOMM '96 on an enhanced version of BPF.
Win32 info
An extract of a message from Guy Harris on state of WinPcap and WinDump.
An old example of a minimal libpcap client.
How to write a libpcap module
A draft HOWTO by Guy Harris.

Related Projects

Below you can find a few projects that are related to tcpdump or libpcap in some way. If you think some project should be in this list, please subscribe to the mailing list and send a request with the name of the project, a brief (between 200 and 500 characters) description and a link to the project page.

Socket Sentry
Socket Sentry is a real-time network traffic monitor for KDE Plasma in the same spirit as tools like iftop and netstat.
Submitted by: Rob Hasselbaum
Libnet is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet shaping, handling and injection. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort.
Tcpreplay is a suite of free Open Source utilities for editing and replaying previously captured network traffic. Originally designed to replay malicious traffic patterns to Intrusion Detection/Prevention Systems, it has seen many evolutions including capabilities to replay to web servers. Tcpreplay includes tcpcapinfo, a tool for decoding the structure of a pcap file with a focus on finding broken pcap files and determining how two related pcap files might differ.
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.
TCPslice is a tool for extracting portions of packet trace files generated using tcpdump's -w flag. It can combine multiple trace files, and/or extract portions of one or more traces based on time. TCPslice originally comes from LBL and now is maintained by The Tcpdump Group.
TCPTrace analyzes the behavior of captured TCP streams, and accepts many trace file formats (including pcap). It provides connection statistics and several types of graphs, including the widely-used time-sequence graphs.
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and approximately 300,000 registered users, Snort has become the de facto standard for IPS.
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VoIP decoding on WEP encrypted channel, …), etc.
Zeek (formerly Bro) is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Zeek detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).
Network Top
ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as well.
A free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
CoralReef is a software suite developed by CAIDA to analyze data collected by passive Internet traffic monitors. It provides a programming library libcoral, similar to libpcap with extensions for ATM and other network types, which is available from both C and Perl. The software presently supports dedicated PC boxes using OC3mon and OC12mon cards that collect traffic data in real time, as well as reading from pcap tracefiles. Version 3.4 to be released soon supports listening via bpf enabled devices. CoralReef includes drivers, analysis, web report generation, examples, and capture software. This package is maintained by CAIDA developers with the support and collaboration of the Internet measurement community.
tcpstat reports certain network interface statistics much like vmstat does for system statistics. tcpstat gets its information by either monitoring a specific interface, or by reading previously saved tcpdump data from a file.
netdude (NETwork DUmp data Displayer and Editor). From their webpage, "it is a GUI-based tool that allows you to make detailed changes to packets in tcpdump tracefiles."
The program xplot was written in the late 1980s to support the analysis of TCP packet traces.
MultiTail now has a colorscheme included for monitoring the tcpdump output. It can also filter, convert timestamps to timestrings and much more.
netsniff-ng is a free, performant Linux network analyzer and networking toolkit.
Submitted by: Daniel Borkmann
Libcrafter is a high level library for C++ designed to make easier the creation and decoding of network packets. It is able to craft or decode packets of most common network protocols, send them on the wire, capture them and match requests and replies.
Submitted by: Esteban Pellegrino
pcapfix is a repair tool for corrupted pcap and pcapng files. It checks for an intact pcap global header and packet block and repairs it if there are any corrupted bytes. If a header is not present, one is created and added to the beginning of the file. It then tries to find pcap packet headers or packet blocks, and checks and repairs them.
Packet capture and analysis utility similar to tcpdump for HTTP.
A multiplatform C++ network sniffing, packet parsing and crafting framework. It provides a lightweight, easy-to-use and efficient C++ wrapper for libpcap and WinPcap.
A terminal UI for tshark, inspired by Wireshark.
Npcap is the Nmap Project's packet capture (and sending) library for Microsoft Windows. Npcap began in 2013 as some improvements to the (now discontinued) WinPcap library, but has been largely rewritten since then with hundreds of releases improving Npcap's speed, portability, security, and efficiency.
Awesome PCAP Tools
A list of various projects related to network traffic research. It currently includes the following groups: Linux commands, traffic capture, traffic analysis/inspection, DNS utilities, file extraction and related projects.
SIPp is a performance testing tool for the SIP protocol. There is a limited support of media plane (RTP). The "PCAP play" feature makes use of libpcap to replay pre-recorded RTP streams towards a destination. RTP streams can be recorded by tools like Wireshark or tcpdump.
ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. It also includes a JSON output option, supports JA3 and IPv6.
Publicly available PCAP files
This is a list of public packet capture repositories, which are freely available on the Internet. Most of the sites listed below share Full Packet Capture (FPC) files, but some do unfortunately only have truncated frames.
knock: a port-knocking implementation
This is a port-knocking server/client. Port-knocking is a method where a server can sniff one of its interfaces for a special "knock" sequence of port-hits. When detected, it will run a specified event bound to that port knock sequence. These port-hits need not be on open ports, since it uses libpcap to sniff the raw interface traffic.
iftop does for network usage what top(1) does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts. Handy for answering the question "why is our ADSL link so slow?".
capstats by Bert Vermeulen
Capstats generates byte and packet counters based on a Berkeley Packet Filter (BPF) expression. The basic model is that you run capstats as a daemon (as root), and it will then take commands from a client. Using a client, you can create new capture sessions, modify them, pull up stats on running sessions, and so on.
capstats by Zeek Project
capstats is a small tool to collect statistics on the current load of a network interface, using either libpcap or the native interface for Endace hardware. It reports statistics per time interval and/or for the tool's total run-time.
A Fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets from live and file based devices.