{{Short description|Application programming interface for capturing network traffic}}
{{about|the packet sniffing API|the projected capacitance technology for touchscreens|Projected capacitance|the chess league|Professional Chess Association of the Philippines}}
{{Lowercase title}}
{{Infobox software
|name = libpcap
|developer = The Tcpdump team
|repo = {{GitHub|the-tcpdump-group/libpcap}}
|latest release version = 1.10.4
|latest release date = {{Start date and age|2023|04|07}}<ref>{{cite web|url=https://www.tcpdump.org/#latest-release|title=tcpdump and libpcap latest release|publisher=tcpdump.org |access-date=2023-02-08}}</ref>
|programming language = [[C (programming language)|C]]
|operating system = [[Linux]], [[Solaris (operating system)|Solaris]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[macOS]], other [[Unix-like]]
|genre = [[Library (computing)|Library]] for [[packet capture]]
|license = [[BSD licenses|BSD]]<ref>{{cite web|url=https://www.tcpdump.org/license.html|title=tcpdump and libpcap license|publisher=tcpdump.org|access-date=2020-05-02}}</ref>
|website = {{URL|www.tcpdump.org}}
}}
{{Infobox software
|name = WinPcap
|developer = [[Riverbed Technology]]
|latest release version = 4.1.3
|latest release date = {{Start date and age|2013|03|08}}<ref>{{cite web|url=https://www.winpcap.org/misc/changelog.htm|title=WinPcap Changelog}}</ref>
|discontinued = yes
|operating system = [[Microsoft Windows|Windows]]
|genre = [[Library (computing)|Library]] for [[packet capture]]
|license = [[Freeware]]
|website = {{URL|https://www.winpcap.org/}}
}}
{{Infobox software
| name = Npcap
| developer = the [[Nmap]] project
| latest release version = 1.79
| latest release date = {{Start date and age|2024|01|19}}<ref>{{cite web|url=https://github.com/nmap/npcap/blob/master/CHANGELOG.md|title=npcap/CHANGELOG.md|website=[[GitHub]] }}</ref>
| operating system = [[Microsoft Windows|Windows]]
| genre = [[Library (computing)|Library]] for [[packet capture]]
| license = [[Proprietary software|Proprietary]] ([[Source-available software|source available]])
| website = {{URL|https://npcap.com}}
}}

In the field of [[computer]] [[network administration]], '''pcap''' is an [[application programming interface]] (API) for [[packet sniffer|capturing network traffic]]. While the name is an abbreviation of ''[[packet capture]]'', that is not the API's proper name. [[Unix-like]] systems implement pcap in the ''libpcap'' library; for [[Microsoft Windows|Windows]], there is a [[Porting|port]] of libpcap named ''WinPcap'' that is no longer supported or developed, and a port named ''Npcap'' for [[Windows 7]] and later that is still supported.

Monitoring software may use libpcap, WinPcap, or Npcap to capture [[network packet]]s traveling over a [[computer network]] and, in newer versions, to transmit packets on a network at the [[link layer]], and to get a list of network interfaces for possible use with libpcap, WinPcap, or Npcap.

The pcap API is written in [[C (programming language)|C]], so other languages such as [[Java (programming language)|Java]], [[.NET Framework|.NET]] languages, and [[scripting language]]s generally use a [[wrapper library|wrapper]]; no such wrappers are provided by libpcap or WinPcap itself. [[C++]] programs may link directly to the C API or make use of an [[Object-oriented programming|object-oriented]] wrapper.

==Features==
libpcap, WinPcap, and Npcap provide the packet-capture and filtering engines of many [[open-source software|open-source]] and commercial network tools, including protocol analyzers ([[packet sniffer]]s), [[network monitor]]s, [[network intrusion detection system]]s, traffic-generators and network-testers.

Most current [[Unix-like]] systems provide a mechanism by which a program can capture network traffic to and from the machine running the program and, in some cases, other traffic to which that machine is attached. However, these mechanisms are significantly different from one another; the libpcap library provides a common API to access these mechanisms, allowing programs to be written to capture network traffic without having to worry about the details of all those mechanisms.

libpcap, WinPcap, and Npcap also support saving captured [[Network packet|packets]] to a file, and reading files containing saved packets; [[Application software|applications]] can be written, using libpcap, WinPcap, or Npcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap, WinPcap, and Npcap use can be read by applications that understand that format, such as [[tcpdump]], [[Wireshark]], CA NetMaster, or [[Microsoft Network Monitor]] 3.x. The file format is described by [[Internet-Draft]] draft-ietf-opsawg-pcap;<ref>{{cite IETF |draft=draft-ietf-opsawg-pcap |title=PCAP Capture File Format |date=23 July 2023}}</ref> the current editors' version of the draft is also available.<ref>{{cite web |url=https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcap.html |title=PCAP Capture File Format |date=1 March 2024}}</ref>
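
The following C example is added here and is not code from libpcap or from the tools named above. It walks a saved capture held in memory using the classic pcap layout (a 24-byte file header, then a 16-byte record header before each packet) and rejects records whose length fields are inconsistent with the file. The names <code>pcap_summary</code>, <code>pcap_scan</code> and <code>sample_pcap</code>, the error codes, and the sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC_USEC 0xA1B2C3D4u  /* timestamps in microseconds */
#define PCAP_MAGIC_NSEC 0xA1B23C4Du  /* timestamps in nanoseconds */
struct pcap_summary {
    int big_endian, nanosecond;
    uint32_t snaplen, linktype, packets;   /* linktype 1 = Ethernet */
    uint64_t captured_bytes;
};
/* Read a 32-bit field byte by byte so the result does not depend on the host. */
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Walk a capture held in memory. Returns 0, or a negative code for malformed input. */
int pcap_scan(const uint8_t *buf, size_t len, struct pcap_summary *out) {
    memset(out, 0, sizeof *out);
    if (len < 24) return -1;                       /* file header is 24 bytes */
    uint32_t magic = rd32(buf, 0);
    if (magic != PCAP_MAGIC_USEC && magic != PCAP_MAGIC_NSEC) {
        magic = rd32(buf, 1);                      /* written in big-endian order? */
        if (magic != PCAP_MAGIC_USEC && magic != PCAP_MAGIC_NSEC) return -2;
        out->big_endian = 1;
    }
    out->nanosecond = (magic == PCAP_MAGIC_NSEC);
    out->snaplen  = rd32(buf + 16, out->big_endian);
    out->linktype = rd32(buf + 20, out->big_endian);
    for (size_t off = 24; off < len; ) {
        if (len - off < 16) return -3;             /* truncated record header */
        uint32_t caplen  = rd32(buf + off + 8,  out->big_endian);
        uint32_t origlen = rd32(buf + off + 12, out->big_endian);
        off += 16;
        if (caplen > len - off) return -4;         /* record claims bytes the file lacks */
        if (caplen > origlen)   return -5;         /* captured length exceeds wire length */
        out->packets++;
        out->captured_bytes += caplen;
        off += caplen;                             /* safe: caplen <= len - off */
    }
    return 0;
}

/* Constructed sample: little-endian header (v2.4, snaplen 65535, Ethernet), one 4-byte record. */
static const uint8_t sample_pcap[] = {
    0xD4,0xC3,0xB2,0xA1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xFF,0xFF,0,0, 0x01,0,0,0,
    0x10,0,0,0, 0x20,0,0,0, 0x04,0,0,0, 0x3C,0,0,0, 0xDE,0xAD,0xBE,0xEF
};

int main(void) {
    struct pcap_summary s;
    return pcap_scan(sample_pcap, sizeof sample_pcap, &s) ? 1 : 0;
}
```

Checking the captured length against the bytes actually remaining, before using it as an offset, is what keeps a crafted or truncated capture file from driving the reader out of bounds.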

The [[MIME type]] for the file format created and read by libpcap, WinPcap, and Npcap is application/vnd.tcpdump.pcap. The typical file extension is .pcap, although .cap and .dmp are also in common use.<ref>{{cite web |last=Turner |first=Glen |date=2011-03-30 |title=IANA record of application for MIME type application/vnd.tcpdump.pcap |url=https://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap |access-date=2023-02-25 |website=IANA}}</ref>

==History==
libpcap was originally developed by the [[tcpdump]] developers in the Network Research Group at [[Lawrence Berkeley Laboratory]]. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked.<ref>{{cite web|url=https://sharkfest.wireshark.org/retrospective/sfus/presentations11/McCanne-Sharkfest'11_Keynote_Address.pdf|title=libpcap: An Architecture and Optimization Methodology for Packet Capture|first=Steve|last=McCanne|access-date=December 27, 2013}}</ref> It is now developed by the same tcpdump.org group that develops tcpdump.<ref>{{cite web|url=https://www.tcpdump.org/|title=TCPDUMP/LIBPCAP public repository|access-date=December 27, 2013}}</ref>

==pcap libraries for Windows==
While libpcap was originally developed for Unix-like operating systems, a successful [[Porting|port]] for Windows was made, called WinPcap. It has been unmaintained since 2013,<ref>{{cite web|url=https://www.winpcap.org/news.htm|title=WinPcap News|access-date=November 6, 2017}}</ref> and several competing [[Fork (software development)|forks]] have been released with new features and support for newer versions of Windows.

===WinPcap===
WinPcap consists of:<ref>{{cite web|url=https://www.winpcap.org/docs/docs_412/html/group__internals.html|title=WinPcap internals|access-date=December 27, 2013}}</ref>

* [[x86]] and [[x86-64]] drivers for the [[Windows NT]] family ([[Windows NT 4.0]], [[Windows 2000|2000]], [[Windows XP|XP]], [[Windows Server 2003|Server 2003]], [[Windows Vista|Vista]], [[Windows 7|7]], [[Windows 8|8]], and [[Windows 10|10]]), which use [[Network Driver Interface Specification]] (NDIS) 5.x to read packets directly from a [[network adapter]];
* implementations of a lower-level library for the listed operating systems, to communicate with those drivers;
* a port of libpcap that uses the API offered by the low-level library implementations.

Programmers at the [[Politecnico di Torino]] wrote the original code. As of 2008, CACE Technologies, a company set up by some of the WinPcap developers, developed and maintained the product. CACE was acquired by [[Riverbed Technology]] on October 21, 2010.<ref>{{cite press release|url=http://www.riverbed.com/us/company/news/press_releases/2010/press_102110.php|title=Riverbed Expands Further Into The Application-Aware Network Performance Management Market with the Acquisition of CACE Technologies|publisher=[[Riverbed Technology]]|date=2010-10-21|access-date=2010-10-21|archive-url=https://web.archive.org/web/20130308100122/http://www.riverbed.com/us/company/news/press_releases/2010/press_102110.php|archive-date=2013-03-08|url-status=dead}}</ref>

Because WinPcap uses the older NDIS 5.x APIs, it does not work on some builds of Windows 10, which have deprecated or removed those APIs in favor of the newer NDIS 6.x APIs. It also forces some limitations such as being unable to capture [[IEEE 802.1Q|802.1Q VLAN tags]] in [[Ethernet]] headers.

The WinPcap project has ceased development and WinPcap and WinDump are no longer maintained. The last official WinPcap release was 4.1.3 released March 8, 2013.<ref>{{cite web |date=2013-03-08 |title=WinPcap · News |url=https://www.winpcap.org/news.htm |website=WinPcap}}</ref>

===Npcap===
Npcap is the [[Nmap]] Project's packet sniffing library for Windows.<ref>{{cite web|url=https://npcap.com|title=Npcap}}</ref> It is based on WinPcap, but written to make use of Windows networking improvements in [[Network Driver Interface Specification|NDIS]] version 6. Its authors rewrote the WinPcap NDIS 5 Protocol Driver as a Light-Weight Filter (LWF) driver, a change that reduces processing overhead.<ref>{{cite web |url=https://docs.microsoft.com/en-us/windows-hardware/drivers/network/ndis-filter-drivers|title=Filter drivers|date=15 December 2021 }}</ref> Npcap maintenance releases updated the version of the included libpcap library to the latest available, allowing software authors to use the newer API features that Linux software had already supported.<ref>{{cite web |url=https://github.com/nmap/npcap/releases/tag/v1.20|title=Release Npcap 1.20|website=[[GitHub]] }}</ref> Most software that used WinPcap can be easily [[Porting|ported]] to use Npcap with minimal changes.<ref>{{cite web |url=https://npcap.com/guide/npcap-devguide.html#npcap-devguide-updating|work=Developing software with Npcap |title=Updating WinPcap software to Npcap |access-date=2023-02-25}}</ref>

Npcap introduced several innovations that were not available in WinPcap:
* Npcap can be restricted so that only [[Superuser#Microsoft Windows|Administrators]] can sniff packets.<ref>{{cite web |work=Npcap Users' Guide |title=Graphical installer options |url=https://npcap.com/guide/npcap-users-guide.html#npcap-installer-options-gui |access-date=2023-02-25}}</ref>
* Npcap is able to sniff and inject [[Localhost#Loopback|loopback]] packets (transmissions between services on the same machine) by using the [[Windows Filtering Platform]].<ref>{{cite web |url=https://npcap.com/guide/npcap-devguide.html#npcap-feature-loopback|work=Npcap User's Guide |title=For software that uses Npcap loopback feature|accessdate=2023-02-25}}</ref>
* Npcap can capture [[IEEE 802.11|802.11]] WiFi frames on a variety of commonly-available network adapters.<ref>{{cite web |url=https://npcap.com/guide/npcap-devguide.html#npcap-feature-dot11|work=Npcap User's Guide |title=For software that uses Npcap raw 802.11 feature|access-date=2023-02-25}}</ref>

Unlike [[Nmap]], Npcap is proprietary software and requires a special license for use and redistribution except for some limited internal uses.<ref>{{cite web|url=https://github.com/nmap/npcap/blob/master/LICENSE|title=Npcap License|website=[[GitHub]] }}</ref>

===Win10Pcap===
The Win10Pcap implementation is also based on the NDIS 6 driver model and works stably with [[Windows 10]].<ref>{{cite web|url=https://www.win10pcap.org|title=Win10Pcap: WinPcap for Windows 10}}</ref> The project, however, has been inactive since 2016.<ref>{{Citation|title=Win10Pcap: WinPcap for Windows 10 (NDIS 6.x driver model): SoftEtherVPN/Win10Pcap|date=2019-12-31|url=https://github.com/SoftEtherVPN/Win10Pcap|publisher=SoftEther VPN Project|access-date=2020-01-09}}</ref>

==Programs that use or used libpcap==
* [[Bit-Twist]], a libpcap-based Ethernet packet generator and editor for [[Berkeley Software Distribution|BSD]], Linux, and Windows.
* [[Cain and Abel (software)|Cain and Abel]], a discontinued password recovery tool for Microsoft Windows
* [[EtherApe]], a graphical tool for monitoring network traffic and bandwidth usage in real time.
* [[Firesheep]], a discontinued extension for the [[Firefox]] web browser that captured packets and performed [[session hijacking]]
* [[iftop]], a tool for displaying bandwidth usage (like [[top (software)|top]] for network traffic)
* [[Kismet (software)|Kismet]], for 802.11 wireless [[local area network|LANs]]
* [[L0phtCrack]], a [[password]] [[audit]]ing and [[password cracking|recovery]] application.
* [[McAfee]] ePolicy Orchestrator, Rogue System Detection feature
* [[ngrep]], aka "network [[grep]]", isolates strings in packets and shows packet data in human-friendly output.
* [[Nmap]], a [[port scan|port-scan]]ning and [[TCP/IP stack fingerprinting|fingerprinting]] network utility
* Pirni, a discontinued network security tool for [[iOS jailbreaking|jailbroken]] [[iOS (Apple)|iOS]] devices.
* [[Scapy]], a packet manipulation tool for computer networks, written in [[Python (programming language)|Python]] by Philippe Biondi.
* [[Snort (software)|Snort]], a network-intrusion-detection system.
* [[Suricata (software)|Suricata]], a network intrusion prevention and analysis platform.
* [[NortonLifeLock|Symantec]] Data Loss Prevention, used to monitor and identify sensitive data, track its use, and location. Data loss policies allow sensitive data to be blocked from leaving the network or copied to another device.
* [[tcpdump]], a tool for capturing and dumping packets for further analysis, and WinDump, the Windows port of tcpdump.
* [[Zeek]], an [[intrusion detection system]] and [[network monitoring]] platform.
* [https://www.techopedia.com/definition/26915/url-snooping URL Snooper], locates the URLs of audio and video files in order to allow recording them.
* [[WhatPulse]], a statistical (input, network, uptime) measuring application.
* [[Wireshark]] (formerly Ethereal), a graphical packet-capture and protocol-analysis tool.
* [[XLink Kai]], software that allows various LAN [[console game]]s to be played online
* [[Xplico]], a network forensics analysis tool (NFAT).
* [https://comoe-networks.com PCAP Analyzer], designed to process captured network traffic and provide protocol-level decoding and metadata extraction.

==Wrapper libraries for libpcap==
* [[C++]]: [https://libtins.github.io/ Libtins], [https://github.com/pellegre/libcrafter Libcrafter], [https://pcapplusplus.github.io/ PcapPlusPlus]
* [[Perl]]: [http://search.cpan.org/~saper/Net-Pcap/Pcap.pm Net::Pcap]
* [[Python (programming language)|Python]]: [https://sourceforge.net/projects/pylibpcap/ python-libpcap], [https://www.coresecurity.com/corelabs-research/open-source-tools/pcapy Pcapy], [http://github.com/orweis/winpcapy WinPcapy]
* [[Ruby (programming language)|Ruby]]: [https://github.com/packetfu/packetfu PacketFu]
* [[Rust (programming language)|Rust]]: [https://github.com/ebfull/pcap pcap]
* [[Tcl (programming language)|Tcl]]: [https://tclpcap.sourceforge.net/ tclpcap], [https://monkey.org/~jose/software/tcap/ tcap], [http://home.roadrunner.com/~maccody/pktsrc.html pktsrc]
* [[Java (programming language)|Java]]: [https://jpcap.sourceforge.net/ jpcap], [https://web.archive.org/web/20121104024808/http://jnetpcap.com/ jNetPcap], [https://archive.today/20101017042631/http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html Jpcap], [https://github.com/kaitoy/pcap4j Pcap4j], [https://github.com/jxnet/Jxnet Jxnet]
* [[.NET Framework|.NET]]: WinPcapNET, [https://github.com/chmorgan/sharppcap SharpPcap], [http://pcapdot.net Pcap.Net]
* [[Haskell (programming language)|Haskell]]: [https://hackage.haskell.org/package/pcap pcap]
* [[OCaml]]: [https://web.archive.org/web/20110830000918/http://www.drugphish.ch/~jonny/mlpcap.html mlpcap]
* [[Chicken (Scheme implementation)|Chicken]] Scheme: [https://wiki.call-cc.org/eggref/3/pcap pcap]
* [[Common Lisp]]: [https://github.com/atomontage/plokami PLOKAMI]
* [[Racket (programming language)|Racket]]: [http://planet.racket-lang.org/display.ss?package=SPeaCAP.plt&owner=evanfarrer SPeaCAP]
* [[Go (programming language)|Go]]: [https://github.com/akrennmair/gopcap pcap] by Andreas Krennmair, [https://godoc.org/github.com/miekg/pcap pcap] fork of the previous by Miek Gieben, [http://godoc.org/code.google.com/p/gopacket/pcap pcap] developed as part of the [https://pkg.go.dev/github.com/google/gopacket gopacket] package
* [[Erlang (programming language)|Erlang]]: [https://github.com/msantos/epcap epcap]
* [[Node.js]]: [https://github.com/node-pcap/node_pcap node_pcap]

==Non-pcap libraries that read pcap files==
* [[Python (programming language)|Python]]: [https://pypi.python.org/pypi/pypcapfile pypcapfile]
* [[Python (programming language)|Python]]: [https://pypi.python.org/pypi/pypcapkit PyPCAPKit]

==Other applications or devices that read or write pcap or pcapng files==
* [[Apache Drill]], an open source SQL engine for interactive analysis of large scale datasets.<ref>{{cite web|url=https://drill.apache.org/blog/2017/07/31/drill-1.11-released/|title=Drill 1.11 Released|first=Bridget|last=Bevens|date=July 31, 2017}}</ref><ref>{{github|https://github.com/apache/drill/blob/master/contrib/format-pcapng/src/main/java/org/apache/drill/exec/store/pcap/decoder/Packet.java}}</ref>
* [[Endace]]'s EndaceProbe, a high scale packet capture system that continuously records weeks or months of network traffic.<ref>{{cite web|url=https://www.endace.com/learn/what-is-a-pcap-file|title=What Can Read or Save a PCAP?|work=What is a PCAP file?|publisher=[[Endace]]}}</ref>

==References==
{{Reflist|30em}}

==External links==
{{Portal|Free and open-source software}}
*{{Official website|https://tcpdump.org}}, libpcap, tcpdump
*{{Official website|https://npcap.com}}, Npcap
*{{Official website|https://www.winpcap.org/}}, WinPcap, WinDump
*[https://www.netresec.com/?page=PcapFiles List of publicly available PCAP files]

[[Category:Network analyzers]]
[[Category:Unix network-related software]]
[[Category:Windows network-related software]]
[[Category:MacOS network-related software]]
[[Category:Windows security software]]
[[Category:MacOS security software]]
[[Category:Free software programmed in C]]
[[Category:Cross-platform free software]]
[[Category:Free network management software]]
[[Category:Software using the BSD license]]