PCAP
What is PCAP?
PCAPA binary packet-capture file format produced by libpcap, tcpdump, and Wireshark that stores network packets exactly as they were seen on the wire.
PCAP (packet capture) files record raw frames with per-packet timestamps and link-layer headers and are the lingua franca of network forensics. The classic libpcap format and its successor PCAPNG are written by tcpdump, Wireshark, Zeek, Suricata, and many appliances, and can be replayed or analyzed by hundreds of tools. Defenders use PCAP for deep incident investigation, malware C2 reconstruction, protocol troubleshooting, and forensic preservation of evidence. Operational concerns include capture loss at high rates, disk cost, lawful-interception controls, encryption (TLS often requires key logging or middlebox decryption) and how long to retain full packets versus metadata such as NetFlow.
● Examples
- 01
Replaying a PCAP through Suricata to test a new detection rule against real malicious traffic.
- 02
Reconstructing exfiltrated files from captured packets using Wireshark's Follow TCP Stream.
● Frequently asked questions
What is PCAP?
A binary packet-capture file format produced by libpcap, tcpdump, and Wireshark that stores network packets exactly as they were seen on the wire. It belongs to the Defense & Operations category of cybersecurity.
What does PCAP mean?
A binary packet-capture file format produced by libpcap, tcpdump, and Wireshark that stores network packets exactly as they were seen on the wire.
How does PCAP work?
PCAP (packet capture) files record raw frames with per-packet timestamps and link-layer headers and are the lingua franca of network forensics. The classic libpcap format and its successor PCAPNG are written by tcpdump, Wireshark, Zeek, Suricata, and many appliances, and can be replayed or analyzed by hundreds of tools. Defenders use PCAP for deep incident investigation, malware C2 reconstruction, protocol troubleshooting, and forensic preservation of evidence. Operational concerns include capture loss at high rates, disk cost, lawful-interception controls, encryption (TLS often requires key logging or middlebox decryption) and how long to retain full packets versus metadata such as NetFlow.
How do you defend against PCAP?
Defences for PCAP typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for PCAP?
Common alternative names include: libpcap file, PCAPNG, Packet capture file.
● Related terms
- defense-ops№ 1245
Wireshark
An open-source network protocol analyzer that captures and inspects packets in real time for troubleshooting, security analysis, and education.
- defense-ops№ 719
NetFlow
A Cisco-originated flow-record protocol, and its successors sFlow and IPFIX, that exports summarized metadata about every conversation crossing a network device.
- network-security№ 295
Deep Packet Inspection (DPI)
An inspection technique that examines the full payload of network packets — not just headers — to identify applications, content, and threats.
- forensics-ir№ 722
Network Forensics
The capture, recording, and analysis of network traffic and metadata to investigate security events and reconstruct adversary activity.
- defense-ops№ 686
mitmproxy
An open-source interactive TLS-capable proxy used by security and QA engineers to intercept, inspect, modify, and replay HTTP and HTTPS traffic.