Packet Capture (PCAP)

Network Security 🌐 • Security Operations 🛡️ • Security Testing 🔍 • Protocols 🔗 • Security+ 🏆 • Difficulty: free

What is Packet Capture (PCAP)?

Packet capture, often called PCAP, is the process and file format used to record network packets so traffic can be examined, analyzed, and investigated later.

Examples

A security analyst captures traffic from a suspicious workstation and later reviews the PCAP file to see whether the device contacted a malicious server.
A network engineer uses packet capture during troubleshooting to confirm whether a server is replying to client requests correctly.

Discover 🔎

Most network problems and many security incidents leave traces in traffic. A device sends a request, a server responds, a connection fails, a suspicious domain is contacted, or a tool on the network starts behaving in ways no one expected. If that traffic can be recorded, defenders and engineers gain something extremely valuable: evidence.

That is why packet capture matters. It gives teams a way to preserve network activity and inspect it in detail instead of guessing what happened. In troubleshooting, this can reveal why a service failed. In security, it can show how an attack moved, what data was exchanged, or whether suspicious communication actually took place.

Remember: A PCAP is often the closest thing to a recording of what really happened on the network at a specific moment.

Summary 📝

Packet capture is the practice of recording network packets so traffic can be reviewed and analyzed later. It is valuable because it preserves detailed evidence about how systems communicated, which helps with troubleshooting, investigation, and security validation. A PCAP can reveal far more than a simple alert or summary log, but it must be collected carefully and handled securely because it may contain sensitive data.

Open the interactive lesson Browse more topics

Tip: The interactive version includes progress tracking, decks, and premium deep dives.