PCAP-over-IP explained

PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection.^[1] The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.

Background and etymology

The first known use of the term PCAP-over-IP is by Packet Forensics in 2011.^[2] However, the concept behind PCAP-over-IP was mentioned already in 2008 as part of a feature request for Wireshark.^[3] The need for this feature was motivated as follows:

"This feature is useful when the capture is generated on a machine which does not have much storage (e.g. embedded system). E.g., ipmb_traced application available on Pigeon Point shelf managers can transmit the capture over the TCP connection without writing it to the filesystem."

Use cases

Common use cases for PCAP-over-IP include:

• Transmitting captured network traffic in real time to one or more remote machines
• Transferring network traffic to other applications on the same host
• Providing decrypted traffic from a TLS interception proxy to a packet analyzer or IDS.

Software with PCAP-over-IP support

• Arkime^[4]
• NetworkMiner^[5]
• pcap-broker^[6]
• PolarProxy
• Wireshark^[7]
• Xplico^[8]
• Zeek^[9]

Workarounds

Software that can sniff network traffic, but doesn't support PCAP-over-IP, can read packets from a PCAP-over-IP provider with help of a netcat and tcpreplay combo.nc [SERVER] 57012 | tcpreplay -i eth0 -t -

Notes and References

1. Web site: Hjelmvik . Erik . What is PCAP over IP? . Netresec Blog . 15 August 2022 . Netresec . 25 August 2022.
2. Web site: Packet Forensics - M1 Device . Wayback Machine (FEB 06 2011) . https://web.archive.org/web/20110206144745/http://www.packetforensics.com:80/pflim1.safe . 26 August 2022. 2011-02-06 .
3. Web site: Neyman . Alexey . Bug 2788 - Allow captures over TCP connections . Wireshark Bug Database . 25 August 2022.
4. Web site: Arkime Settings . 25 August 2022.
5. Web site: Pcap-over-IP in NetworkMiner . 7 September 2011 . 25 August 2022.
6. Web site: PCAP-over-IP server written in Golang . GitHub . 24 October 2023.
7. Web site: Pipes - TCP socket . Wireshark Wiki . 25 August 2022.
8. Web site: PCAP-over-IP . Xplico Wiki . 25 August 2022.
9. Web site: zeek-pcapovertcp-plugin . GitHub . 6 September 2023.