Below you can find a few projects that are related to tcpdump or libpcap
in some way. If you think some project should be in this list, please
either open a pull request as explained
subscribe to the mailing list and
make your input there. The new entry should include the name of the
project, a brief (between 200 and 500 characters) description and a link
to the project page.
Socket Sentry is a real-time network traffic
monitor for KDE Plasma in the same spirit as
tools like iftop and netstat.
Submitted by: Rob Hasselbaum
Libnet is a collection of routines to help with the construction and
handling of network packets. It provides a portable framework for
low-level network packet shaping, handling and injection. Libnet
features portable packet creation interfaces at the IP layer and link
layer, as well as a host of supplementary and complementary
functionality. Using libnet, quick and simple packet assembly
applications can be whipped up with little effort.
Tcpreplay is a suite of free Open Source utilities for editing
and replaying previously captured network traffic. Originally
designed to replay malicious traffic patterns to Intrusion
Detection/Prevention Systems, it has seen many evolutions including
capabilities to replay to web servers. Tcpreplay includes
tcpcapinfo, a tool for decoding the structure of a pcap file with
a focus on finding broken pcap files and determining how two
related pcap files might differ.
EtherApe is a graphical network monitor for Unix modeled after
etherman. Featuring link layer, ip and TCP modes, it displays
network activity graphically. Hosts and links change in size
with traffic. Color coded protocols display. It supports
Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can
filter traffic to be shown, and can read traffic from a file as
well as live from the network.
TCPslice is a tool for extracting portions of packet
trace files generated using tcpdump's
-w flag. It
can combine multiple trace files, and/or extract
portions of one or more traces based on time.
TCPslice originally comes from LBL and now is
maintained by The Tcpdump Group.
TCPTrace analyzes the behavior of captured TCP streams, and accepts
many trace file formats (including pcap). It provides connection
statistics and several types of graphs, including the widely-used
tcpflow is a program that captures data transmitted as part of TCP
connections (flows), and stores the data in a way that is convenient for
protocol analysis or debugging. A program like 'tcpdump' shows a
summary of packets seen on the wire, but usually doesn't store the data
that's actually being transmitted. In contrast, tcpflow reconstructs
the actual data streams and stores each flow in a separate file for
Snort is an open source network intrusion prevention
and detection system (IDS/IPS) developed by Sourcefire.
Combining the benefits of signature, protocol and
anomaly-based inspection, Snort is the most widely
deployed IDS/IPS technology worldwide. With millions
of downloads and approximately 300,000 registered
users, Snort has become the de facto standard for
Scapy is a powerful interactive packet manipulation program.
It is able to forge or decode packets
of a wide number of protocols, send
them on the wire, capture them, match
requests and replies, and much
more. It can easily handle most
classical tasks like scanning,
tracerouting, probing, unit tests,
attacks or network discovery (it can
replace hping, 85% of nmap, arpspoof,
arp-sk, arping, tcpdump, tethereal,
p0f, etc.). It also performs very well
at a lot of other specific tasks that
most other tools can't handle, like
sending invalid frames, injecting your
own 802.11 frames, combining techniques
(VLAN hopping+ARP cache poisoning,
VoIP decoding on WEP encrypted
channel, …), etc.
Zeek (formerly Bro) is an open-source, Unix-based Network Intrusion
Detection System (NIDS) that passively monitors
network traffic and looks for suspicious activity.
Zeek detects intrusions by first parsing network
traffic to extract its application-level semantics
and then executing event-oriented analyzers that
compare the activity with patterns deemed
troublesome. Its analysis includes detection of
specific attacks (including those defined by
signatures, but also those defined in terms of
events) and unusual activities (e.g., certain
hosts connecting to certain services, or patterns
of failed connection attempts).
ntop is a network traffic probe that shows the
network usage, similar to what the popular top
Unix command does. ntop is based on libpcap and
it has been written in a portable way in order
to virtually run on every Unix platform and on
Win32 as well.
A free network protocol analyzer for Unix and Windows. It allows
you to examine data from a live network or from a capture file on
disk. You can interactively browse the capture data, viewing summary
and detail information for each packet. Wireshark has several powerful
features, including a rich display filter language and the ability
to view the reconstructed stream of a TCP session.
CoralReef is a software suite developed by
CAIDA to analyze data collected
by passive Internet traffic monitors. It provides a programming
library libcoral, similar to libpcap with extensions for ATM and
other network types, which is available from both C and Perl. The
software presently supports dedicated PC boxes using OC3mon and
OC12mon cards that collect traffic data in real time, as well as
reading from pcap tracefiles. Version 3.4 to be released soon
supports listening via bpf enabled devices. CoralReef includes
drivers, analysis, web report generation, examples, and capture
software. This package is maintained by CAIDA developers with the
support and collaboration of the Internet measurement community.
tcpstat reports certain network interface statistics much like vmstat
does for system statistics. tcpstat gets its information by either
monitoring a specific interface, or by reading previously saved tcpdump
data from a file.
netdude (NETwork DUmp data Displayer and Editor).
From their webpage, "it is a GUI-based tool that
allows you to make detailed changes to packets in
The program xplot was written in the late 1980s to support the analysis of TCP packet traces.
MultiTail now has a colorscheme included for monitoring the tcpdump
output. It can also filter, convert timestamps to timestrings and much
netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your
daily Linux network plumbing if you will. Its gain of performance is
reached by zero-copy mechanisms, so that on packet reception and
transmission the kernel does not need to copy packets from kernel space to
user space and vice versa.
Submitted by: Daniel Borkmann
Libcrafter is a high level library for
C++ designed to make easier the creation
and decoding of network packets. It is
able to craft or decode packets of most
common network protocols, send them on
the wire, capture them and match requests
Submitted by: Esteban Pellegrino
pcapfix is a repair tool for corrupted pcap and pcapng files. It checks
for an intact pcap global header and packet block and repairs it if there
are any corrupted bytes. If a header is not present, one is created and
added to the beginning of the file. It then tries to find pcap packet
headers or packet blocks, and checks and repairs them.
Packet capture and analysis utility similar to tcpdump for HTTP.
A multiplatform C++ network sniffing, packet parsing and crafting framework.
It provides a lightweight, easy-to-use and efficient C++ wrapper for
libpcap and WinPcap.
A terminal UI for tshark, inspired by Wireshark.
Npcap is the Nmap Project's packet capture (and sending) library
for Microsoft Windows. Npcap began in 2013 as some improvements
to the (now discontinued) WinPcap library, but has been largely
rewritten since then with hundreds of releases improving Npcap's
speed, portability, security, and efficiency.
Awesome PCAP Tools
A list of various projects related to network traffic research.
It currently includes the following groups: Linux commands, traffic
capture, traffic analysis/inspection, DNS utilities, file
extraction and related projects.
SIPp is a performance testing tool for the SIP protocol.
There is a limited support of media plane (RTP).
The "PCAP play" feature makes use of libpcap to replay
pre-recorded RTP streams towards a destination.
RTP streams can be recorded by tools like Wireshark or tcpdump.
ssldump is an SSLv3/TLS network protocol analyzer. It
identifies TCP connections on the chosen network
interface and attempts to interpret them as SSLv3/TLS
traffic. When it identifies SSLv3/TLS traffic, it
decodes the records and displays them in a textual form
to stdout. If provided with the appropriate keying
material, it will also decrypt the connections and
display the application data traffic. It also includes
a JSON output option, supports JA3 and IPv6.
Publicly available PCAP files
This is a list of public packet capture repositories, which
are freely available on the Internet. Most of the sites
listed below share Full Packet Capture (FPC) files, but some
do unfortunately only have truncated frames.
knock: a port-knocking implementation
This is a port-knocking server/client. Port-knocking is a method
where a server can sniff one of its interfaces for a special "knock"
sequence of port-hits. When detected, it will run a specified event
bound to that port knock sequence. These port-hits need not be on
open ports, since it uses libpcap to sniff the raw interface
iftop does for network usage what top(1) does for CPU usage. It
listens to network traffic on a named interface and displays a table
of current bandwidth usage by pairs of hosts. Handy for answering
the question "why is our ADSL link so slow?".
capstats by Bert Vermeulen
Capstats generates byte and packet counters based on a Berkeley
Packet Filter (BPF) expression. The basic model is that you run
capstats as a daemon (as root), and it will then take commands from
a client. Using a client, you can create new capture sessions,
modify them, pull up stats on running sessions, and so on.
capstats by Zeek Project
capstats is a small tool to collect statistics on the current load
of a network interface, using either libpcap or the native interface
for Endace hardware. It reports statistics per time interval and/or
for the tool's total run-time.
A fully managed, cross platform (Windows, Mac, Linux) .NET library
for capturing packets from live and file based devices.
pmacct is a small set of multi-purpose passive network monitoring tools.
It can account, classify, aggregate, replicate and export forwarding-plane
data, i.e. IPv4 and IPv6 traffic; collect and correlate control-plane data
via BGP and BMP; collect and correlate RPKI data; collect infrastructure
data via Streaming Telemetry. Each component works both as a standalone
daemon and as a thread of execution for correlation purposes (i.e. enrich
NetFlow with BGP data).
Ettercap is a comprehensive suite for man in the middle
attacks. It features sniffing of live connections,
content filtering on the fly and many other interesting
tricks. It supports active and passive dissection of
many protocols and includes many features for network
and host analysis.
This library provides packet decoding capabilities for
Go. It contains many sub-packages with additional
functionality, including C bindings to use
read packets off the wire. Originally forked from the
gopcap project written by Andreas Krennmair.
pypcapfile is a pure Python library for handling libpcap savefiles.
ngrep is like GNU grep applied to the network layer.
It's a PCAP-based tool that allows you to specify an
extended regular or hexadecimal expression to match
against data payloads of packets. It understands many
kinds of protocols, including IPv4/6, TCP, UDP,
ICMPv4/6, IGMP and Raw, across a wide variety of
interface types, and understands BPF filter logic in
the same fashion as more common packet sniffing tools,
such as tcpdump and snoop.
A free/libre toolchain for easing several low level
tasks like forensics, software reverse engineering,
exploiting, debugging… Radare2 can process
compiled BPF bytecode.
NPF is a layer 3 packet filter, supporting stateful
packet inspection, IPv6, NAT, IP sets, extensions and
many more. It uses BPF as its core engine and it was
designed with a focus on high performance, scalability,
multi-threading and modularity. NPF was written from
scratch in 2009. It is written in C99 and distributed
under the 2-clause BSD license.
VoIPmonitor is an open source network packet sniffer
with commercial frontend for SIP, RTP, RTCP, SKINNY
(SCCP), MGCP and WebRTC VoIP protocols running on
Linux. VoIPmonitor is designed to analyze quality of
VoIP calls based on network parameters—delay
variation and packet loss according to ITU-T G.107
E-model, which predicts quality on MOS scale. Calls
with all relevant statistics are saved to a MySQL
database. Optionally each call can be saved to a .pcap
file with either only SIP protocol or
The ipsumdump program summarizes TCP/IP dump files into
a self-describing ASCII format easily readable by
humans and programs. Ipsumdump can read packets from
network interfaces, from .pcap files, and from existing
ipsumdump files. It will transparently uncompress
.pcap or ipsumdump files when necessary. It can
randomly sample traffic, filter traffic based on its
contents, anonymize IP addresses, and sort packets from
multiple dumps by timestamp. Also, it can optionally
create a .pcap file containing actual packet data.
Arping is a util to find out if a specific IP address on
the LAN is 'taken' and what MAC address owns it.
Ostinato is a versatile packet crafter, pcap editor/player
and traffic generator with an intuitive GUI. Add-ons include
high-speed 10/25/40G traffic generation and scripting/automation
Python APIs. Works on all platforms: Windows, macOS,
Linux and the labbing platforms (CML, EVE-NG and GNS3).
arp-scan is a command-line tool for system discovery and
fingerprinting. It constructs and sends ARP requests to the
specified IP addresses, and displays any responses that are
received. arp-scan allows you to:
- Send ARP packets to any number of destination hosts,
using a configurable output bandwidth or packet rate.
- Construct the outgoing ARP packet in a flexible way.
- Decode and display any returned packets.
- Fingerprint IP hosts using the arp-fingerprint tool.