PCAP stands for Packet CAPture. A PCAP file holds network traffic/packet information, captured in a certain period.
Uses
Network forensics – an average or big company network can generate GBs of traffic daily. This traffic (or at least a part of it) is stored for later analysis. If the security departament has detected a breach/intrusion in the network, PCAP files are essential to look at, in order to better understand the situation and why did it happen
Testing your IDS/NSM – let’s say you just deployed an IDS in your network. What better way to test if not by confronting with the traffic that you want to protect from?
Exercise – PCAP files can be a great learning material for networking/IT security students. By displaying your data properly, all key elements of a packet can be identified and learned about much more interactively and easily than plain courses.
How to make PCAP files?
Generating your own PCAP files can be done really simple, by using the appropiate tools. Wireshark is probably the most accesible and easy to use for everybody, on both Linux and Windows. Just start capturing, stop when you have everything you need and go to File->Save As , and it will automatically save it in PCAP format.
A command-line approach would imply using tcpdump:
tcpdump -i eth0 -w test.pcap
How to “replay” the traffic in PCAP files
By “replay” i mean making the packets in the PCAP files actually pass through the network. A nice tool to do this is tcpreplay which has versions for both Windows and Linux. Replaying a PCAP file can be done with the following command:
tcpreplay -i eth0 -t PCAP_FILE
tcpdump -r PCAP_FILE
How to test Snort with a PCAP file instead of actual traffic
snort -r PCAP_FILE
Where to get PCAP files to play with