Pcap files are packet capture files. They contain the raw packets captured from a network interface, each record carrying a timestamp, the captured length and the original length on the wire. Pcap is the most widespread capture format and almost every network analysis tool can read it.
To play around with *.pcap files, you first need one. There are two ways: generate it yourself or pick a ready-made one. To generate it yourself you can use Wireshark, or tcpdump in a terminal:
tcpdump -w capture.pcap -i eth1
Replace capture.pcap with the desired output filename; -i eth1 selects the interface to capture on. Capturing needs root (or the CAP_NET_RAW capability), and on old tcpdump versions the default snapshot length truncated packets, so add -s 0 there to keep full frames.
Once the *.pcap file exists, it has to be parsed for valuable data. Wireshark fits this task, but let's focus on terminal utilities. I have found four; there are surely many more.
tcpick can capture network traffic, store the data of each connection in a separate file and trace those files. The colorful terminal output is really neat.
Reading a *.pcap file:
tcpick -C -r capture.pcap
Wireshark has a terminal twin named tshark. It is useful on old machines, for scripting, and for people who prefer the console. It can capture traffic as well as analyze captured files.
Reading a *.pcap file and printing only the specified fields (-n disables name resolution, -T fields with -e selects the columns):
tshark -n -r capture.pcap -T fields -e ip.dst_host -e frame.time_delta
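To show what the pcap format described above actually looks like on disk, and what tshark does when it prints ip.dst_host and frame.time_delta, here is a small pure-Python reader. It is an added example, not code from the original post or from any of the tools above. It parses the 24-byte global header (both byte orders and the nanosecond variant), walks the 16-byte record headers with sanity checks against snaplen and truncation, decodes Ethernet/IPv4/TCP far enough to get the destination address, and prints the same two columns as the tshark command. The function names and the sample capture (three constructed frames with made-up addresses) are assumptions made for the example.

```python
"""Minimal classic-pcap reader (added example; not a tool's own code)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Magic as read from the first 4 bytes in little-endian order ->
# (struct byte-order prefix for the rest of the file, timestamp fraction divisor).
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),        # written little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),        # written big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),    # written little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),    # written big-endian, nanoseconds
}
LINKTYPE_ETHERNET, ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_TCP = 1, 0x0800, 0x0806, 6


@dataclass
class Packet:
    ts: float      # absolute timestamp in seconds
    caplen: int    # bytes captured (incl_len)
    origlen: int   # bytes on the wire (orig_len)
    data: bytes    # captured link-layer frame


def parse_pcap(blob: bytes) -> Tuple[int, int, List[Packet]]:
    """Return (linktype, snaplen, packets); raise ValueError on a bad or truncated file."""
    if len(blob) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic not in _MAGICS:
        raise ValueError(f"unknown magic 0x{magic:08x} (pcapng or not a capture?)")
    order, divisor = _MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", blob[4:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        sec, frac, incl_len, orig_len = struct.unpack(order + "IIII", blob[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"record at {off - 16}: incl_len {incl_len} exceeds snaplen/orig_len")
        if off + incl_len > len(blob):
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append(Packet(sec + frac / divisor, incl_len, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, packets


def decode_ipv4_tcp(frame: bytes):
    """Ethernet -> IPv4 -> TCP headers; (src, sport, dst, dport) or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 4 or ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, sport, dst, dport


def fields(blob: bytes) -> List[Tuple[str, float]]:
    """Equivalent of: tshark -n -T fields -e ip.dst_host -e frame.time_delta (Ethernet only)."""
    linktype, _snaplen, packets = parse_pcap(blob)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"only Ethernet (linktype 1) is decoded here, got {linktype}")
    rows, prev = [], None
    for pkt in packets:
        delta = 0.0 if prev is None else round(pkt.ts - prev, 6)  # first frame has delta 0
        prev = pkt.ts
        hdr = decode_ipv4_tcp(pkt.data)
        rows.append((hdr[2] if hdr else "", delta))  # empty column for non-IPv4/TCP frames
    return rows


# --- constructed sample data (made-up addresses, zero checksums) ---------------
def tcp_frame(src, sport, dst, dport, payload=b"") -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(records, big_endian=False, nanos=False) -> bytes:
    """Write a classic pcap from (sec, usec, frame) tuples in the chosen byte order."""
    order, magic = (">" if big_endian else "<"), (0xA1B23C4D if nanos else 0xA1B2C3D4)
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        frac = usec * 1000 if nanos else usec
        out += struct.pack(order + "IIII", sec, frac, len(frame), len(frame)) + frame
    return out


def sample_capture(**kw) -> bytes:
    """A SYN to a web server, its SYN/ACK, and an ARP frame the decoder must skip."""
    syn = tcp_frame("10.0.0.5", 40001, "192.0.2.10", 80)
    synack = tcp_frame("192.0.2.10", 80, "10.0.0.5", 40001)
    arp = b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28
    return build_pcap([(1700000000, 0, syn), (1700000000, 25000, synack), (1700000001, 500000, arp)], **kw)


if __name__ == "__main__":
    for dst, delta in fields(sample_capture()):
        print(f"{dst}\t{delta}")
```

The reader refuses pcapng (different magic), unknown versions and records whose incl_len exceeds the snaplen or runs past the end of the file, which is the first thing to check when a capture "parses" in one tool but not another. Swap sample_capture() for open("capture.pcap", "rb").read() to run it on a real tcpdump file.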
tcptrace is made for analyzing captured files and has many options.
Reading a *.pcap file:
tcptrace --tsv -xHTTP -f'port=80' -btn capture.pcap
--tsv prints tab-separated output, -xHTTP loads the HTTP analysis module, -f'port=80' keeps only connections on port 80, -b gives the brief output format, -t prints progress ticks and -n skips host and service name resolution.
tcpdump was already mentioned as a tool for capturing traffic to a pcap file. It can also be used as an analyzer.
Reading a *.pcap file:
tcpdump -ttttnr capture.pcap
-tttt prints human-readable timestamps with the date, -n disables name resolution and -r reads from the file instead of an interface. Any capture filter you would use live, such as port 80, works here too.