Packet capture (PCAP) is a multi-step process that relies on tools for both capturing packets and analysing them. Capture starts with a packet sniffer. Traffic is sometimes delivered to it by a physical hardware device, a network tap, which copies every frame on a link; more commonly the sniffer is a software tool running on a computer or other device connected to the network. Once attached, the sniffer writes a PCAP file containing the packets it intercepts. For each packet the file records a timestamp, the captured bytes, how many bytes were actually stored and the packet's original length on the wire. Once the capture starts, the sniffer copies packets as they move across the network and stores those copies for later analysis. One caveat worth knowing before relying on a capture: on a switched network, a host-based sniffer normally sees only traffic addressed to that host plus broadcast and multicast, so capturing other hosts' conversations requires a tap, a mirror (SPAN) port or a sniffer placed on the path the traffic takes.
That data can be stored in a number of different formats, and the names below mix capture libraries with the file formats they write, so it helps to keep the two apart. The ones you are most likely to meet are:
- Libpcap: the capture library used on macOS, Linux and the BSDs; its original file format (a 24-byte global header beginning with the magic number 0xa1b2c3d4, followed by a 16-byte record header per packet) is what most people mean by "a pcap file"
- WinPcap: the now-discontinued Windows port of libpcap, which added remote capture over the rpcap protocol
- Npcap: the current Windows capture driver and library, used by Wireshark and other PCAP analysis tools on Windows
- PCAPng: the next-generation capture file format, which adds support for multiple capture interfaces in one file, per-packet comments, name-resolution records and higher-resolution timestamps
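As an added example (not code from the original page or from any of the projects named above), here is a minimal Python reader for the classic libpcap file format that also tells pcap and pcapng files apart by their magic number. The sample capture it parses is constructed inside the code; the frame bytes are a placeholder, not real traffic. It also shows the check a practitioner wants in any capture reader: every length in the file is validated against the header and the file size before it is used, so a truncated or deliberately crafted file is rejected rather than misread.

```python
import struct
from dataclasses import dataclass

# Magic numbers found in the first four bytes of a capture file.
PCAP_MAGIC_US = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D  # classic pcap, nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A   # pcapng Section Header Block type; same bytes in either byte order
FRAC_TO_NS = {PCAP_MAGIC_US: 1000, PCAP_MAGIC_NS: 1}  # magic -> factor turning ts_frac into ns
GLOBAL_HDR = "IHHiIII"  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
RECORD_HDR = "IIII"     # ts_sec, ts_frac, incl_len, orig_len (16 bytes)
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    ts_sec: int        # seconds since the Unix epoch
    ts_nsec: int       # sub-second part, normalised to nanoseconds
    captured_len: int  # bytes stored in the file (incl_len), never more than snaplen
    original_len: int  # bytes seen on the wire (orig_len)
    data: bytes


def detect_format(blob: bytes) -> str:
    """Classify a file as 'pcap', 'pcapng' or 'unknown' from its first four bytes."""
    if len(blob) < 4:
        return "unknown"
    magics = {struct.unpack(e + "I", blob[:4])[0] for e in ("<", ">")}
    if magics & set(FRAC_TO_NS):
        return "pcap"
    return "pcapng" if PCAPNG_MAGIC in magics else "unknown"


def parse_pcap(blob: bytes) -> tuple[int, int, list[Packet]]:
    """Parse a classic pcap file into (linktype, snaplen, packets).
    Every length is checked before use, so a truncated or deliberately malformed
    file raises ValueError instead of being read as garbage."""
    if len(blob) < 24:
        raise ValueError("shorter than the 24-byte global header")
    for endian in ("<", ">"):  # the magic number also reveals the writer's byte order
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in FRAC_TO_NS:
            break
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    _, major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + GLOBAL_HDR, blob[:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, blob[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"bad lengths at offset {off}: incl={incl_len} orig={orig_len} snaplen={snaplen}")
        off += 16
        if off + incl_len > len(blob):
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append(Packet(ts_sec, ts_frac * FRAC_TO_NS[magic], incl_len, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, packets


def is_well_formed(blob: bytes) -> bool:
    """True if parse_pcap accepts the whole file."""
    try:
        parse_pcap(blob)
        return True
    except ValueError:
        return False


def write_pcap(packets: list[Packet], linktype: int, snaplen: int, endian: str = "<", nanosecond: bool = False) -> bytes:
    """Serialise packets as a classic pcap file; used here only to build the constructed sample."""
    magic = PCAP_MAGIC_NS if nanosecond else PCAP_MAGIC_US
    out = [struct.pack(endian + GLOBAL_HDR, magic, 2, 4, 0, 0, snaplen, linktype)]
    for p in packets:
        data = p.data[:snaplen]  # a sniffer stores at most snaplen bytes of each packet
        frac = p.ts_nsec if nanosecond else p.ts_nsec // 1000
        out.append(struct.pack(endian + RECORD_HDR, p.ts_sec, frac, len(data), p.original_len))
        out.append(data)
    return b"".join(out)


# Constructed sample traffic (placeholder bytes, not a real capture): a broadcast ARP-shaped Ethernet frame.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)  # 42 bytes


def build_sample_capture(endian: str = "<", nanosecond: bool = False) -> bytes:
    """Two-packet capture with snaplen 96: one full 42-byte frame and one 1514-byte frame cut to snaplen."""
    big_frame = SAMPLE_FRAME + bytes(1514 - len(SAMPLE_FRAME))
    packets = [
        Packet(1_700_000_000, 123_456_000, len(SAMPLE_FRAME), len(SAMPLE_FRAME), SAMPLE_FRAME),
        Packet(1_700_000_001, 5_000, 96, len(big_frame), big_frame),
    ]
    return write_pcap(packets, LINKTYPE_ETHERNET, snaplen=96, endian=endian, nanosecond=nanosecond)
```

The reader deliberately stops at the classic format: a pcapng file is a sequence of typed blocks whose byte order is taken from a separate byte-order magic (0x1A2B3C4D) inside the Section Header Block, and since Wireshark writes pcapng by default, a tool that only understands the magic numbers above should at least recognise and refuse pcapng input, as `detect_format` does, rather than fail further in.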
Once packets have been captured, PCAP analysis tools such as Wireshark, tcpdump or its Windows port WinDump provide an interface for working with the captured data. Several of them, Wireshark and tcpdump included, are open source, which makes them cost-effective and widely accessible. Some IT departments prefer proprietary or paid tools that offer more specific, higher-level analyses for the security situations they have to handle.