Skip to content
Log in

PCAP / PCAPng

Definition

The standard file formats for storing captured packets. PCAP (libpcap format) is the legacy standard supported by virtually all tools. PCAPng (Next Generation) extends it with per-interface metadata, nanosecond timestamps, and the ability to store captures from multiple interfaces in a single file. Wireshark and tshark write PCAPng by default; tcpdump writes legacy PCAP.

Related terms

BPF (Berkeley Packet Filter)
A kernel-level packet filtering mechanism used by tcpdump, Wireshark, and most capture tools to select which packets are written to disk. BPF...
Network tap
A hardware device inserted inline in a network cable path that passively copies the electrical or optical signal to one or more...
Promiscuous mode
A network interface operating mode in which the card passes all received frames to the capture software, not just frames addressed to...
Ring buffer capture
A capture mode in which the tool writes successive PCAP files of a fixed size or duration, overwriting the oldest when the...
SPAN port (port mirroring)
A switch feature that copies frames from one or more source ports or VLANs to a designated destination port, where a capture...

Explained in

  • Packet Capture Tools and MethodsThe standard file formats for storing captured packets. PCAP (libpcap format) is the legacy standard supported by virtually all tools. PCAPng (Next Generation)...

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.

Continue learningCreate Your Account