What are PCAP files and how to use them

By Ostinato Team

What is PCAP?

PCAP (short for Packet Capture) is the packet capture API provided by libpcap (Npcap on Windows), and also the name of the file format in which captured packets are stored.

The original PCAP file format has since been superseded by the newer PCAP-NG file format, but it is still quite common to refer to any file containing captured network packets as a PCAP file, irrespective of its actual format (and there are many more capture file formats besides pcap and pcapng).

What do you use a PCAP file for?

The most common use is to analyze the packets contained within. There are many reasons why one would want to do that -

  • To understand how a networking protocol works
    • The various messages/packets exchanged
    • The various fields within the packets and their values
  • To look for any potential anomalies in a networking protocol that could explain a networking problem like packet loss, failed connections, network outage etc.
  • To replay packets from a PCAP file to reproduce, analyze and troubleshoot a network problem

How to create a PCAP file?

To capture packets into a PCAP file, you use any of the several network capture tools, most notably tcpdump (available on all *nix systems) or Wireshark. These tools allow you to capture packets directly from an Ethernet port and save them in a pcap file.

Sample PCAP files

You can also find several sample PCAP files on the Internet. These are good candidates and should be your go-to if you are trying to study network protocols.

Here are some good sample pcap repositories -

There are many more - you can google for them.

Viewing PCAP files

How do you “read” or view a PCAP file? You use a network analyzer tool like tcpdump or Wireshark. These applications decode the packets and show each decoded packet in a hierarchy of protocol and protocol fields and also the raw bytes of each packet.

[Screenshot: How to view a PCAP file]

They also allow you to filter for specific packets based on protocols or protocol field values. This is a great feature to isolate packets of interest.
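As an added example (not Ostinato's or Wireshark's code), the following stdlib-only Python shows what the file format described under "What is PCAP?" looks like on disk and what a viewer does with it: it tells PCAP from PCAP-NG by magic number, walks the classic pcap global and record headers, decodes each frame into protocol layers and fields, and filters on a field value. The three-packet capture, its TEST-NET addresses and its zeroed checksums are constructed for the example, and the function names are my own, not any library's.

```python
"""Added example (not Ostinato's or Wireshark's code): a stdlib-only reader for the
classic PCAP file format, a magic-number check that tells PCAP from PCAP-NG, and a
small Ethernet/IPv4/UDP decoder with a field filter over the decoded packets.
The capture built at the bottom is constructed for the example, not a real trace."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D      # classic pcap, nanosecond timestamps
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type (same in both byte orders)


def detect_format(data):
    """Classify a capture by its first four bytes: 'pcap', 'pcap-ns', 'pcapng' or 'unknown'."""
    if len(data) < 4:
        return "unknown"
    if data[:4] == PCAPNG_SHB:
        return "pcapng"
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic == PCAP_MAGIC_USEC:
            return "pcap"
        if magic == PCAP_MAGIC_NSEC:
            return "pcap-ns"
    return "unknown"


def read_pcap(data):
    """Parse a classic pcap file into (linktype, [(timestamp_seconds, packet_bytes), ...]).
    Header byte order follows the magic number. A record whose captured length exceeds the
    snaplen, its original length or the remaining file is treated as corruption: stop there."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    frac_div = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    _, _vmaj, _vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > orig_len or incl_len > snaplen or off + incl_len > len(data):
            break
        packets.append((ts_sec + ts_frac / frac_div, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> UDP into one dict per layer; layers this decoder
    does not understand are simply absent from the result."""
    pkt = {}
    if len(frame) < 14:
        return pkt
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt["eth"] = {"dst": ":".join("%02x" % b for b in dst), "src": ":".join("%02x" % b for b in src), "type": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _vihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    pkt["ip"] = {"src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)), "ttl": ttl, "proto": proto, "len": total_len}
    if proto != 17 or len(ip) < ihl + 8:
        return pkt
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    pkt["udp"] = {"sport": sport, "dport": dport, "len": ulen, "payload": ip[ihl + 8:ihl + ulen]}
    return pkt


def filter_packets(decoded, **criteria):
    """Keep packets where every 'layer__field' keyword equals the decoded value,
    e.g. filter_packets(pkts, udp__dport=53); a missing layer or field never matches."""
    def matches(pkt):
        for key, want in criteria.items():
            layer, field = key.split("__", 1)
            if pkt.get(layer, {}).get(field) != want:
                return False
        return True
    return [p for p in decoded if matches(p)]


def build_pcap(frames, linktype=1, snaplen=65535):
    """Write a little-endian classic pcap file (linktype 1 = Ethernet); used to construct the sample."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 250000 * i, len(frame), len(frame)) + frame
    return out


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left 0 since this decoder does not verify them."""
    sip = bytes(int(o) for o in src_ip.split("."))
    dip = bytes(int(o) for o in dst_ip.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, sip, dip)
    return struct.pack("!6s6sH", bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455"), 0x0800) + ip + udp


# Constructed three-packet capture (TEST-NET addresses): two DNS-like queries and one NTP-like packet.
SAMPLE_PCAP = build_pcap([
    build_udp_frame("192.0.2.10", "192.0.2.53", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    build_udp_frame("192.0.2.10", "192.0.2.123", 40001, 123, b"\x23" + b"\x00" * 47),
    build_udp_frame("192.0.2.20", "192.0.2.53", 40002, 53, b"\xab\xcd\x01\x00" + b"\x00" * 8),
])


def dns_queries(data):
    """What a viewer shows after the display filter 'udp.dstport == 53' on this file."""
    _linktype, packets = read_pcap(data)
    return filter_packets([decode_frame(f) for _, f in packets], udp__dport=53)
```

`dns_queries()` is the programmatic equivalent of typing the Wireshark display filter `udp.dstport == 53`. A real analyzer handles many more link types and protocols and verifies checksums; the point here is that every field a viewer lets you filter on is just a decoded offset in the record, and that a reader must bound each record by its own length fields so a truncated or corrupt file stops cleanly rather than being mis-parsed.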

PCAP Replay

Tools like tcpreplay and Ostinato can help in replaying the packets in a PCAP file. This can be useful to reproduce a problem reported by a customer in a lab environment to debug and identify the problem.

PCAP Edit

Before you can replay a customer-provided PCAP file in your lab environment, you will likely need to edit the packets to change MAC and IP addresses to match the addresses in your lab topology. Sometimes you may also need to change other packet fields such as VLANs, DSCP, flow labels etc. Tools that can help with this task include tcprewrite and Ostinato.
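Editing addresses is more than a byte substitution: the IPv4 header checksum and the TCP/UDP checksum (which covers a pseudo-header containing both IP addresses) both depend on the addresses, so a naive rewrite produces packets the receiving stack discards. The Python below is an added example (my own code, not tcprewrite's or Ostinato's) that maps MAC and IPv4 addresses through lookup tables and recomputes both checksums; the sample "customer" frame and the lab address maps are constructed.

```python
"""Added example (not tcprewrite's or Ostinato's code): translate the MAC and IPv4
addresses of an Ethernet frame for a lab topology and recompute the IPv4 header
checksum and the UDP/TCP checksum that the new addresses invalidate. Stdlib only;
the sample frame and the lab address maps below are constructed."""
import struct


def inet_checksum(data):
    """RFC 1071 one's-complement checksum. Over a header whose checksum field is
    already correct it returns 0, which is how checksums_valid() verifies one."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), bytes(data)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_checksum(src_ip, dst_ip, proto, segment):
    """TCP/UDP checksum: covers a pseudo-header (addresses, protocol, length) plus the segment."""
    pseudo = bytes(src_ip) + bytes(dst_ip) + struct.pack("!BBH", 0, proto, len(segment))
    return inet_checksum(pseudo + bytes(segment))


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def checksums_valid(frame):
    """Return (ip_header_ok, transport_ok); transport_ok is None when there is nothing to
    check (non-TCP/UDP, or a UDP datagram carrying the optional all-zero 'no checksum')."""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    ip_ok = inet_checksum(frame[14:14 + ihl]) == 0
    seg = frame[14 + ihl:14 + total_len]
    if proto not in (6, 17) or (proto == 17 and seg[6:8] == b"\x00\x00"):
        return ip_ok, None
    return ip_ok, transport_checksum(frame[26:30], frame[30:34], proto, seg) == 0


def rewrite_addresses(frame, mac_map, ip_map, fix_checksums=True):
    """Return a copy of frame with MACs and IPv4 addresses looked up in the maps
    (colon/dotted strings -> strings; unmapped addresses are kept). fix_checksums=False
    shows what a naive byte substitution leaves behind: addresses changed, checksums wrong."""
    out = bytearray(frame)
    for off in (0, 6):                       # Ethernet destination, then source
        mac = ":".join("%02x" % b for b in out[off:off + 6])
        out[off:off + 6] = mac_bytes(mac_map.get(mac, mac))
    if out[12:14] != b"\x08\x00":            # only IPv4 is handled here
        return bytes(out)
    ihl = (out[14] & 0x0F) * 4
    total_len = struct.unpack("!H", out[16:18])[0]
    proto = out[23]
    for off in (26, 30):                     # IPv4 source, then destination
        ip = ".".join(str(b) for b in out[off:off + 4])
        out[off:off + 4] = ip_bytes(ip_map.get(ip, ip))
    if not fix_checksums:
        return bytes(out)
    out[24:26] = b"\x00\x00"                 # header checksum is computed with its own field zeroed
    out[24:26] = struct.pack("!H", inet_checksum(out[14:14 + ihl]))
    csum_off = {6: 16, 17: 6}.get(proto)     # checksum offset inside a TCP / UDP header
    seg_start = 14 + ihl
    seg = out[seg_start:14 + total_len]
    if csum_off is None or (proto == 17 and seg[6:8] == b"\x00\x00"):
        return bytes(out)                    # nothing to recompute
    seg[csum_off:csum_off + 2] = b"\x00\x00"
    csum = transport_checksum(out[26:30], out[30:34], proto, seg)
    if proto == 17 and csum == 0:
        csum = 0xFFFF                        # UDP sends a computed zero as 0xFFFF, since 0 means "absent"
    out[seg_start + csum_off:seg_start + csum_off + 2] = struct.pack("!H", csum)
    return bytes(out)


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed sample frame with correct checksums, standing in for a customer capture."""
    src, dst = ip_bytes(src_ip), ip_bytes(dst_ip)
    udp = bytearray(struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)
    udp[6:8] = struct.pack("!H", transport_checksum(src, dst, 17, udp) or 0xFFFF)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0, src, dst))
    ip[10:12] = struct.pack("!H", inet_checksum(ip))
    return struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), 0x0800) + bytes(ip) + bytes(udp)


# Constructed "customer" frame (TEST-NET addresses) and the lab topology it must be mapped onto.
CUSTOMER_FRAME = build_udp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.0.2.10", "192.0.2.53",
                                 40000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")
LAB_MACS = {"00:11:22:33:44:55": "02:00:00:00:00:01", "66:77:88:99:aa:bb": "02:00:00:00:00:02"}
LAB_IPS = {"192.0.2.10": "10.1.1.10", "192.0.2.53": "10.1.1.53"}
```

Running `checksums_valid()` on the output of `rewrite_addresses(..., fix_checksums=False)` is the quickest way to see why a hand-edited capture "does not work" in the lab even though the addresses look right; `checksums_valid()` on the fixed output is the check worth adding to any edit pipeline before replay. VLAN tags, DSCP and IPv6 flow labels (which the text also mentions) are not handled by this snippet.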

PCAP Replay Limitations

Just blindly replaying the packets (even after editing IP addresses) may not work - especially if the packets belong to an application like HTTP or FTP. We will talk more about PCAP replay, the challenges of replaying application traffic and possible solutions in another blog post; see pcap replay challenges and solutions for more.