
Awesome PCAPTools

A collection of tools developed by other researchers in the Computer Science area to process network traces. All rights reserved for the original authors.


Thank you caesar0301 & contributors
View Topic on GitHub: caesar0301/awesome-pcaptools


ngrep is like GNU grep applied to the network layer. It's a PCAP-based tool that allows you to specify an extended regular or hexadecimal expression to match against data payloads of packets. It understands many kinds of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a wide variety of interface types, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

546
74
2y 8m
n/a

A wrapper/facade/whatever to enable/ease the use of jNetPcap (a libpcap based packet sniffing lib) in Clojure

61
26
2y 7m
n/a

A toolset for network packet capture in Cloud/Kubernetes and virtualized environments.

417
141
11m
BSD-3-Clause

OpenFPC, Open Source Full Packet Capture

61
11
2y 8m
n/a

Network Analysis Tool

1.72K
214
39d
GPL-3.0

Malicious HTTP traffic explorer

648
161
1y 17d
GPL-3.0

Protocol Analysis/Decoder Framework

441
111
2y 6m
n/a

fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols

780
216
8m
n/a

A multi-threaded tool to sniff TCP flow statistics and embedded HTTP headers from a PCAP file. Each TCP flow carrying HTTP is exported to a text file in JSON format.

159
48
2y 10m
n/a

Ipsumdump and other programs for command-line network trace manipulation.

27
10
10m
n/a

A package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring.

1.03K
282
1y 11m
n/a

A high level C++ network packet sniffing and crafting library.

257
81
1y 96d
n/a

A portable framework for low-level network packet construction

673
222
68d
BSD-2-Clause

NFStream: a Flexible Network Data Analysis Framework.

706
71
46d
LGPL-3.0

A tool that provides a basic SQL-frontend to PCAP-files

361
47
12m
GPL-3.0

A converter from .pcap network capture files to HTTP Archive (HAR) files.

201
66
7y 12m
BSD-2-Clause

PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use. It provides C++ wrappers for the most popular packet processing engines such as libpcap, WinPcap, DPDK and PF_RING.

1.3K
355
7m
Unlicense

A simple utility to classify packets into flows. It's so simple that it aims to finish only one task. For Deep Packet Inspection or flow classification, it's so common to analyze the features of one specific flow. I have made the attempt to use ready-made tools like tcpflows, tcpslice, tcpsplit, but all these tools try to either decrease the trace volume (under requirement) or reassemble the packets into flow payloads (over requirement). I have not found a simple tool to classify the packets into flows without further processing. This is why this program was born.

113
40
2y 7m
MIT

Potiron - Normalize, Index and Visualize Network Capture

66
21
2y 7m
n/a

Automatically exported from code.google.com/p/socket-sentry

1
1
2y 9m
GPL-3.0

TCP/IP packet demultiplexer. Download from:

1.22K
209
7m
GPL-3.0

Pcap editing and replay tools for *NIX and Windows - Users please download source from

736
207
1y 4m
n/a

High bandwidth for high-latency TCP connections

4
2
4m
n/a

split a pcap file into smaller files on TCP flow boundaries

3
2
5y 72d
n/a

tcptrace is a tool written by Shawn Ostermann at Ohio University, for analysis of TCP dump files.

57
22
8y 112d
n/a

Process HTTP Pcaps With YARA

79
26
8y 84d
n/a

Yara is awesome, but sometimes you need to manipulate the data streams you're scanning in different ways.

86
11
7y 0d
n/a

An any-snarf program that processes application protocols (HTTP/FTP/...) from tcpdump or snoop files and stores session and file data

175
39
7y 4m
n/a

Foremost is a console program to recover files based on their headers, footers, and internal data structures. c.f., http://foremost.sourceforge.net/

25
8
8y 9m
n/a

'Packet Capture Forensic Evidence eXtractor' is a tool that finds and extracts files from packet capture files

178
39
1y 8m
Apache-2.0

Scalpel is an open source data carving tool.

442
82
7y 18d
Apache-2.0

Yaf

It's a reliable piece of software, quite solid and able to generate flow records from pcap. This is very nice for indexing huge pcaps or even doing packet capture. The recent version can even extract payloads and put them in the flow records.

AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS (Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others.

CapAnalysis is a web visual tool for information security specialists, system administrators and everyone who needs to analyze large amounts of captured network traffic. A live web demo is available for testing.

Libnids, designed by Rafal Wojtczuk, is an implementation of an E-component of a Network Intrusion Detection System. It emulates the IP stack of Linux 2.0.x. Libnids offers IP defragmentation, TCP stream assembly and TCP port scan detection. The most valuable feature of libnids is reliability. A number of tests were conducted, which proved that libnids predicts the behaviour of protected Linux hosts as closely as possible.

Netdude (NETwork DUmp data Displayer and Editor). From their webpage, "it is a GUI-based tool that allows you to make detailed changes to packets in tcpdump tracefiles."

Ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as well.

Scapy is a powerful interactive packet manipulation program.

Makes output from the tcpdump program easier to read and parse.

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time".

Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

TCP-Reduce is a collection of Bourne shell scripts for reducing tcpdump traces to one-line summaries of each TCP connection present in the trace. The scripts look only at TCP SYN/FIN/RST packets. Connections without SYN packets in the trace (such as those ongoing at the beginning of the trace) will not appear in the summary. Garbaged packets (those missing some of their contents) are reported to stderr as bogons and are discarded. Occasionally the script gets fooled by retransmissions with altered sequence numbers, and reports erroneous huge connection sizes; always check large connections (say 100 MB or more) for plausibility.

Tcpdpriv is a program for eliminating confidential information (user data and addresses) from packets collected on a network interface (or from trace files created using the -w argument to tcpdump). Tcpdpriv removes the payload of TCP and UDP, and the entire IP payload for other protocols. It implements several address scrambling methods: the sequential numbering method and its variants, and a hash method that preserves the address prefix.

Tracelook is a Tcl/Tk program for graphically viewing the contents of trace files created using the -w argument to tcpdump. Tracelook should look at all protocols, but presently only looks at TCP connections. The program is slow and uses system resources prodigiously.

TraceWrangler is a network capture file toolkit running on Windows (or on Linux, using WINE) that supports PCAP as well as the new PCAPng file format, which is now the standard file format used by Wireshark. The most prominent use case for TraceWrangler is the easy sanitization and anonymization of PCAP and PCAPng files (sometimes called "trace files", "capture files" or "packet captures"), removing or replacing sensitive data while being easy to use.

A passive sniffer able to provide several insights on the traffic patterns at both the network and transport levels, with a tremendous set of flow features.

WireEdit is a free desktop WYSIWYG editor for network packets. It allows editing any stack layer as "rich text" without having any knowledge of packet syntax and encoding rules. The input and output file format is Pcap.

The program xplot was written in the late 1980s to support the analysis of TCP packet traces.

Powerful network analysis framework focused on security monitoring, formerly known as Bro.

Track and reassemble TCP streams

Extract files from network

The goal of Xplico is to extract the application data contained in an internet traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn't a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT). Xplico is released under the GNU General Public License and with some scripts under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0) License.

Capture tools

USB packet capture for Windows

526
134
1y 5m
n/a

Analysis

A set of scripts to unpack odin packets into separate files

1
2
3y 11m
Unlicense

Hadoop library to read packet capture (PCAP) files

194
104
9m
LGPL-3.0

An open source security oriented