What to do with PCAP files?

PCAP stands for Packet CAPture. A PCAP file holds network traffic/packet information, captured in a certain period.


Network forensics – an average or big company network can generate GBs of traffic daily. This traffic (or at least a part of it) is stored for later analysis. If the security departament has detected a breach/intrusion in the network, PCAP files are essential to look at, in order to better understand the situation and why did it happen

Testing your IDS/NSM – let’s say you just deployed an IDS in your network. What better way to test if not by confronting with the traffic that you want to protect from?

Exercise – PCAP files can be a great learning material for networking/IT security students. By displaying your data properly, all key elements of a packet can be identified and learned about much more interactively and easily than plain courses. 

How to make PCAP files?

Generating your own PCAP files can be done really simple, by using the appropiate tools. Wireshark is probably the most accesible and easy to use for everybody, on both Linux and Windows. Just start capturing, stop when you have everything you need and go to File->Save As , and it will automatically save it in PCAP format.

A command-line approach would imply using tcpdump:

tcpdump -i eth0 -w test.pcap

How to “replay” the traffic in PCAP files

By “replay” i mean making the packets in the PCAP files actually pass through the network. A nice tool to do this is tcpreplay which has versions for both Windows and Linux. Replaying a PCAP file can be done with the following command:

tcpreplay -i eth0 -t PCAP_FILE
Reading from PCAP files
Reading PCAP files can be done as simple as generating them. Using Wireshark, you can open them
Using tcpdump in the command-line:
tcpdump -r PCAP_FILE

How to test Snort with a PCAP file instead of actual traffic

snort -r PCAP_FILE

Where to get PCAP files to play with