Questions tagged [pcap]

PCAP stands for Packet CAPture.

PCAP is a file format for storing captured network packet data; PCAP is also the name of the corresponding file type.

80 questions

163 votes, 6 answers

How can I read pcap files in a friendly format?

A simple cat on the pcap file looks terrible: $cat tcp_dump.pcap ?ò????YVJ? JJ ?@@.?E
Tony

53 votes, 5 answers

How to split a pcap file into a set of smaller ones

I have a huge pcap file (generated by tcpdump). When I try to open it in wireshark, the program just gets unresponsive. Is there a way to split a file into a set of smaller ones to open them one by one? The traffic captured in a file is generated by two…
facha

19 votes, 6 answers

Tool for splitting pcap files by TCP connection?

Is there a tool to split a packet capture file (in pcap format) into separate files for each TCP connection? (other than a home grown shell script which probably needs to run twice over the capture...). Something like wireshark's 'follow TCP stream'…
Andre Holzner

9 votes, 2 answers

Packet captures: filtering on RX vs TX

I have a network problem where frames with a source MAC which matches with one of my host's source MACs are arriving at the host - an apparent duplicate MAC, or loop, or other L2 problem. I believe this is the situation because the MAC tables (CAM…
Joshua Miller

7 votes, 3 answers

Snort analysis of Wireshark capture

I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying to do offline analysis with snort (don't want to…
Ben Voigt

6 votes, 3 answers

What would a PCAP filter look like to capture all DHCP-related traffic?

As I understand it, for IPv4 I would need to capture UDP port 67 and 68, ARP, ICMP echo request and reply, and for IPv6 I would need UDP port 546 and 547, all DHCP-related multicast addresses, ICMPv6 neighbor discovery. I want to capture DHCP…
Mathias Weidner

6 votes, 1 answer

tcpdump filter for TCP zero window messages

Is there a pcap filter for TCPDump that will allow me to filter zero window messages? I know how to filter these in a wireshark display filter (tcp.analysis.zero_window) but the amount of data I need to work with easily crashes wireshark (at least…
Kyle Brandt

5 votes, 1 answer

How to filter ANY dns requests with tshark

Does anyone know how I might be able to filter DNS requests in tshark which ask for the ANY record? So far I am able to filter DNS queries with: tshark -r capture.cap -T fields -e ip.src -e ip.dst -e dns.qry.name -R "dns.flags.response eq 0" How…
user2284355

5 votes, 1 answer

Bandwidth usage from pcap files

I've got a huge pcap file (many GBs) that I just can't load in wireshark. What I need is extracting bandwidth usage information, both total and per-protocol (in both incoming and outgoing direction), from it, and possibly graph it in a…
persson

5 votes, 3 answers

Extracting SSL certificates from the network or pcap files

I would appreciate it if someone can point me to a tool or approach to extract SSL/TLS certificates from live HTTPS connections (directly from the network) or from a network trace file (pcap file). I tried using ssldump but I was not able to extract the…
Apakoh

4 votes, 2 answers

Compressing the output of tshark when in multiple files mode

I'm running tshark to dump wireless traffic. I am currently running in multiple files mode, splitting output into 50MB chunks. Is there any way to also have these 50MB chunks compressed with something like gzip or lzma? I'm aware that in single file…
Daniel Murphy

4 votes, 1 answer

How to make tshark output a valid pcap file usable by other Mac GUI pcap viewers

sudo tshark -i en0 -x -w icmp_sample.pcap This command outputs a pcap file, but it doesn't seem to be valid, because CocoaPacket Analyzer can't open it. Any idea?
mko

4 votes, 2 answers

Best way to analyze pcap files from Wireshark?

I've got 50-100MB pcap files captured from Wireshark and need to analyze where most of the traffic is going to/coming from. What's the best way of doing this? Ideally I'd like to end up with an Excel csv file showing the top 50 or so IP addresses…
Michael

4 votes, 1 answer

Other PCAP network software other than TCPREPLAY?

I would like to find out if there is other useful software with the same functions (or more) as TCPREPLAY, which has the ability to "playback" PCAP files? Thanks for your suggestions!
VMNoob

3 votes, 4 answers

How can I see packets while capturing with tcpdump

How can I see traffic while I am capturing it with tcpdump? When I use -w, it doesn't show the packets during the capture. sudo tcpdump -i enp2s0 -w test.pcap tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes ^C6…
Olivier Lasne