How to Read and Analyze PCAP Files in a Human-Friendly Format

PCAP (Packet Capture) files contain raw network traffic data, which can appear as gibberish when viewed directly with tools like `cat`. For example:

$ cat tcp_dump.pcap
?ò????YVJ?
          JJ
            ?@@.?E

The simplest way to view PCAP content is using `tcpdump`:

tcpdump -ttttnnr file.pcap

This gives timestamped packet headers but doesn't show payload content.

To see actual message content, use:

tcpdump -qns 0 -A -r file.pcap

This shows both hex dump and ASCII representation, though the ASCII can be hard to read.

For cleaner output, `tcpick` is excellent:

tcpick -C -yP -r file.pcap

This formats the output with clear separation between packets and readable payloads.

Other useful tools include:

  • Wireshark (GUI)
  • tshark (command-line Wireshark)
  • ngrep (pattern matching)

To specifically view HTTP messages:

tshark -r file.pcap -Y "http" -T fields -e http.host -e http.request.uri

For large captures, consider filtering first:

tcpdump -r large.pcap -w filtered.pcap 'port 80'

Then analyze the smaller file.


PCAP (Packet Capture) files contain network traffic data in binary format, making them unreadable when opened directly with tools like cat. For analysis, we need specialized tools to parse and display the data meaningfully.

The simplest way to view PCAP content is using tcpdump:

tcpdump -ttttnnr your_file.pcap

This shows packet timestamps, IPs, ports, and flags but omits payload data.

To include payload content (ASCII representation):

tcpdump -qns 0 -A -r your_file.pcap

The -A flag prints each packet's payload as ASCII; in -qns 0, -q gives quieter protocol output, -n disables DNS name resolution, and -s 0 captures full-length packets instead of truncating them.

For cleaner output of message contents:

tcpick -C -yP -r your_file.pcap

This command:

  • -C: Colorizes output
  • -yP: Shows payload in ASCII
  • Groups packets by conversation

Wireshark (GUI)

The gold standard for PCAP analysis with:

  • Protocol decoding
  • Flow reconstruction
  • Filtering capabilities

tshark (CLI alternative)

tshark -r your_file.pcap -V

The -V flag provides verbose protocol details.

For programmatic analysis using scapy:

from scapy.all import rdpcap, Raw

# rdpcap loads the whole capture into memory; use PcapReader for large files
packets = rdpcap('your_file.pcap')
for pkt in packets:
    # Raw is the undecoded payload layer (e.g. an HTTP body or unknown protocol data)
    if pkt.haslayer(Raw):
        print(pkt[Raw].load.decode('utf-8', errors='ignore'))

To extract HTTP requests:

tcpdump -A -r your_file.pcap 'tcp port 80'

Or for DNS queries:

tcpdump -v -r your_file.pcap 'port 53'

Convert PCAP to CSV for analysis:

tshark -r input.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -E header=y -E separator=, > output.csv
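Every command on this page hands the parsing to tcpdump, tcpick, tshark or scapy. The following is an added example, not code from the original page or from any of those tools, showing what they do underneath: it builds a small constructed capture in memory (client 10.0.0.5, server 192.0.2.10, a SYN, an HTTP GET and one ARP frame, all made-up values), parses the libpcap container and the Ethernet/IPv4/TCP headers with only the standard library, and prints a tcpdump-style summary line, the ASCII payload in the spirit of -A, and the same CSV columns as the tshark command above. It goes slightly beyond the page by detecting both byte orders and both timestamp resolutions of the libpcap magic; pcapng files are not handled, and the script name readpcap.py is hypothetical.

```python
import struct
from datetime import datetime, timezone

# Constructed sample traffic (not from any real capture): a client at 10.0.0.5
# talking to a web server at 192.0.2.10 (TEST-NET-1), plus one ARP frame.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
CSV_FIELDS = ["frame.number", "ip.src", "ip.dst", "tcp.srcport", "tcp.dstport"]
# tcpdump's flag letters, in the order it prints them
FLAG_CHARS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
              (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def build_frame(flags, seq, payload=b""):
    """Ethernet/IPv4/TCP frame 10.0.0.5:51234 -> 192.0.2.10:80 (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, seq, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + tcp
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip


def build_sample_pcap(endian="<"):
    """Wrap three frames in a libpcap container; endian '<' or '>' picks the magic byte order."""
    frames = [
        (1700000000, 0, build_frame(0x02, 0)),                 # SYN
        (1700000000, 250000, build_frame(0x18, 1, HTTP_GET)),  # PSH|ACK carrying the request
        (1700000001, 0, b"\xff" * 6 + bytes.fromhex("66778899aabb") + b"\x08\x06" + b"\x00" * 28),  # ARP
    ]
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, frame in frames:
        out += struct.pack(endian + "IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def decode_frame(num, ts_sec, ts_usec, frame):
    """Pull IPv4/TCP fields out of one Ethernet frame; other traffic is kept but left undecoded."""
    info = {"frame": num, "ts_sec": ts_sec, "ts_usec": ts_usec, "proto": None, "payload": b""}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need Ethernet + minimal IPv4 header
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(proto=ip[9], src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])))
    tcp = ip[ihl:total_len]  # total_len excludes any Ethernet padding after the datagram
    if info["proto"] != 6 or len(tcp) < 20:
        return info
    sport, dport, seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    info.update(sport=sport, dport=dport, seq=seq, flags=flags, payload=tcp[(off_res >> 4) * 4:])
    return info


def parse_pcap(data):
    """Parse a libpcap (not pcapng) byte string; byte order and timestamp unit come from the magic."""
    magic = struct.unpack("<I", data[:4])[0]
    magics = {0xA1B2C3D4: ("<", 1), 0xD4C3B2A1: (">", 1),        # microsecond timestamps
              0xA1B23C4D: ("<", 1000), 0x4D3CB2A1: (">", 1000)}  # nanosecond timestamps
    if magic not in magics:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    endian, frac_div = magics[magic]
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != 1:
        raise ValueError("only Ethernet link type (1) is handled here")
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        packets.append(decode_frame(len(packets) + 1, sec, frac // frac_div, frame))
        off += 16 + incl_len
    return packets


def tcp_flag_string(flags):
    return "".join(c for bit, c in FLAG_CHARS if flags & bit)


def format_like_tcpdump(p):
    """One summary line per packet in the spirit of `tcpdump -ttttnn`."""
    ts = datetime.fromtimestamp(p["ts_sec"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    ts += ".%06d" % p["ts_usec"]
    if "sport" not in p:
        return "%s frame %d: not IPv4/TCP, not decoded" % (ts, p["frame"])
    return "%s IP %s.%d > %s.%d: Flags [%s], seq %d, length %d" % (
        ts, p["src"], p["sport"], p["dst"], p["dport"], tcp_flag_string(p["flags"]), p["seq"], len(p["payload"]))


def printable_ascii(payload):
    """Render payload like `tcpdump -A`: printable bytes and LF kept, CR dropped, the rest shown as '.'."""
    return "".join("" if b == 13 else chr(b) if 32 <= b < 127 or b == 10 else "." for b in payload)


def to_csv_rows(packets):
    """Same columns as the tshark -T fields command above; non-TCP frames get empty cells."""
    rows = [",".join(CSV_FIELDS)]
    for p in packets:
        rows.append(",".join(str(p.get(k, "")) for k in ("frame", "src", "dst", "sport", "dport")))
    return rows


if __name__ == "__main__":
    import sys, tempfile
    if len(sys.argv) > 1:  # python3 readpcap.py your_file.pcap  (hypothetical script name)
        path = sys.argv[1]
    else:  # no argument: write the constructed sample to a temp file and read it back
        with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as f:
            f.write(build_sample_pcap())
            path = f.name
    with open(path, "rb") as f:
        pkts = parse_pcap(f.read())
    for p in pkts:
        print(format_like_tcpdump(p))
        if p["payload"]:
            print(printable_ascii(p["payload"]))
    print("\n".join(to_csv_rows(pkts)))
```

Run it with no argument to see the constructed sample, or pass a real Ethernet capture to get the same three views of it. The byte-order check matters in practice: a capture written on a big-endian host has the magic bytes reversed, and a parser that assumes one order reads every record length wrong from the first packet on.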