Packet capture (PCAP)
Definition
The interception and recording of network packets as they traverse an interface, and by extension the libpcap file format in which the result is stored and later analysed with tools such as Wireshark or tcpdump. A PCAP file begins with a global header (byte-order magic number, snapshot length, link-layer type) followed by one record per packet: a timestamp, the number of bytes captured, the packet's original length on the wire, and the raw frame itself from the link layer upward. Because the whole frame is kept, every protocol header is available (Ethernet addresses, source/destination IP, port, protocol, TCP flags and sequence numbers) and, where traffic is unencrypted, so is the application payload; for TLS or other encrypted sessions only the headers and timing remain readable. Two caveats matter when interpreting a capture: a snapshot length smaller than the frame (tcpdump's `-s` option) silently truncates payloads, which the record's captured-versus-original length reveals, and a capture taken on an ordinary switched-network interface contains only traffic to and from that host unless a mirror (SPAN) port or network tap was used. Wireshark's default output is the newer pcapng format, which older tooling may not read.
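The record layout described above, as an added example that is not part of the original page: a minimal reader for the classic libpcap format that decodes Ethernet/IPv4/TCP and UDP headers, exposes unencrypted payload, flags records cut short by the snapshot length, and rolls the packets up into NetFlow-style 5-tuple summaries. The sample capture is constructed inline (documentation-range addresses, zeroed checksums, a three-way handshake followed by an HTTP request truncated at a 96-byte snaplen, as `tcpdump -s 96` would produce); the function and field names are the example's own.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

GLOBAL_HDR = 24            # libpcap file header: magic, version, tz, sigfigs, snaplen, linktype
RECORD_HDR = 16            # per-packet record header: ts_sec, ts_frac, caplen, origlen
LINKTYPE_ETHERNET = 1
TCP_FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST")]


def read_pcap(data):
    """Yield (timestamp, caplen, origlen, frame) from a classic libpcap file.
    Byte order and microsecond/nanosecond variant are taken from the magic number."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("too short for a libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        e = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        e = ">"
    elif data[:4] == b"\x0a\x0d\x0d\x0a":
        raise ValueError("pcapng file; this reader only handles classic libpcap")
    else:
        raise ValueError("not a libpcap capture")
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)
    _, _, _, _, _, snaplen, linktype = struct.unpack(e + "IHHiIII", data[:GLOBAL_HDR])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = GLOBAL_HDR
    while off + RECORD_HDR <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(e + "IIII", data[off:off + RECORD_HDR])
        off += RECORD_HDR
        frame = data[off:off + caplen]
        if len(frame) < caplen:
            raise ValueError("record cut off at end of file")
        off += caplen
        yield ts_sec + ts_frac / (1e9 if nanos else 1e6), caplen, origlen, frame


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers; return None for anything else.
    Tolerates frames shorter than their IP total length (snaplen truncation)."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    rec = {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])), "proto": proto}
    l4 = ip[ihl:total_len]
    if proto == 6 and len(l4) >= 20:                         # TCP
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4
        rec["flags"] = [name for bit, name in TCP_FLAGS if l4[13] & bit]
        rec["payload"] = l4[doff:]
    elif proto == 17 and len(l4) >= 8:                       # UDP
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["flags"], rec["payload"] = [], l4[8:]
    else:
        return None
    return rec


def analyse(data):
    """Per-packet decode plus NetFlow-style aggregation keyed on the 5-tuple."""
    packets = []
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "truncated": 0})
    for ts, caplen, origlen, frame in read_pcap(data):
        rec = parse_frame(frame)
        if rec is None:
            continue
        rec["ts"] = ts
        rec["truncated"] = caplen < origlen   # snaplen cut this frame: payload is incomplete
        packets.append(rec)
        f = flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])]
        f["packets"] += 1
        f["bytes"] += origlen                  # count wire bytes, not captured bytes
        f["truncated"] += rec["truncated"]
    return packets, dict(flows)


def _tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet+IPv4+TCP frame with zeroed checksums (test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_sample_pcap(snaplen=96):
    """Constructed capture: handshake plus an HTTP GET whose frame exceeds the snaplen."""
    frames = [
        _tcp_frame("192.0.2.10", "198.51.100.5", 51234, 80, 0x02),          # SYN
        _tcp_frame("198.51.100.5", "192.0.2.10", 80, 51234, 0x12),          # SYN-ACK
        _tcp_frame("192.0.2.10", "198.51.100.5", 51234, 80, 0x10),          # ACK
        _tcp_frame("192.0.2.10", "198.51.100.5", 51234, 80, 0x18,           # PSH-ACK + data
                   b"GET /login?user=alice HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, fr in enumerate(frames):
        cap = fr[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(cap), len(fr)) + cap
    return out


if __name__ == "__main__":
    pkts, fl = analyse(build_sample_pcap())
    for p in pkts:
        print(p["ts"], p["src"], p["sport"], "->", p["dst"], p["dport"], p["flags"],
              "TRUNCATED" if p["truncated"] else "", p["payload"][:40])
    for key, f in fl.items():
        print(key, f)
```

Run it and the fourth packet shows the request line and part of the Host header but is flagged truncated, because the 112-byte frame was cut to 96 bytes; the flow table reports one truncated packet in the client-to-server flow while still counting the full 220 wire bytes, which is the distinction between a capture's captured length and original length that a flow export never exposes.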
Related terms
- Chain of custody: The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
- Logical acquisition: An extraction method that uses the device's own operating system interfaces, such as iTunes backup or Android Debug Bridge, to export the...
- Physical acquisition: An extraction method that reads the raw flash storage of a mobile device, bypassing the operating system. Produces a bit-for-bit image of...
- Beaconing: Periodic outbound connections from a compromised host to a command-and-control server, typically at regular intervals. The regularity of the interval, measured in...
- Cell site analysis: The use of records from mobile network operators showing which cell towers a device connected to and when, allowing investigators to establish...
- DNS tunnelling: Encoding data inside DNS queries and responses to exfiltrate information or carry command-and-control traffic through a network that permits DNS but blocks...
- Faraday isolation: Shielding a mobile device from radio frequency signals (cellular, Wi-Fi, Bluetooth, GPS) using a Faraday bag or cage, preventing network connections that...
- IMEI (International Mobile Equipment Identity): A unique 15-digit number permanently assigned to a mobile device's hardware. Used by networks to identify and block stolen devices, and by...
- Network flow (NetFlow/IPFIX): A summary record of a network conversation, storing source IP, destination IP, source port, destination port, protocol, byte count, and timestamps, without...
- Port number: A 16-bit integer in the TCP or UDP header that identifies the application-layer service at each endpoint. Well-known ports are assigned by...
- TCP three-way handshake: The connection establishment sequence in TCP: the client sends SYN, the server responds SYN-ACK, and the client completes with ACK. The timestamps...
- Write blocker: A hardware or software device interposed between a digital storage medium and the forensic workstation that prevents any write commands from reaching...
Explained in these topics
- Digital Evidence in Mobile and Network Contexts: A file format and the process of recording all data packets traversing a network interface. Used in network forensics to reconstruct sessions, extract transfer...
- Mobile and Network Forensics: Scope and Discipline: The interception and recording of network packets as they traverse an interface. The raw data is stored in PCAP format and analysed with tools such as Wireshar...
- Network Protocols and Traffic Interpretation: A file format that stores raw network frames as captured from a network interface. Tools such as Wireshark and tcpdump produce PCAP files. Each frame contains...