Submitted by admin on Sat, 02/15/2014 - 16:12

ncap is a network capture utility like libpcap (on which it is based) and tcpdump. It produces binary data in ncap(3) format, either on standard output (by default) or in successive dump files. This utility is similar to tcpdump(1), but performs IP reassembly and generates framing-independent portable output. ncap is expected to be used for gathering continuous research or audit traces.


Getting ncap

You can download ncap tarballs from

Use with SIE

ncap is used within ISC's Security Information Exchange to transfer packet traces from sensors to collectors. See file README.isc-sie in the ncap distribution for more information.

Use in Detecting DNS Cache Poisoning

An ncap module, named mod_urstate attempts to detect unsolicited dns responses that may be indicative of cache poisoning attempts. it does this by statefully tracking the application layer state of the dns transactions between recursive and authoritative dns servers. it gracefully handles query retransmissions due to client timeouts and byte identical responses from dns authorities. See the initial announcement and HOWTO.urstate.txt for more information.