Packet capture library (libpcap)

Wireshark/TShark uses libpcap to capture live network data.

As capture filter strings are directly passed from Wireshark/TShark to libpcap, the available capture filter syntax depends on the libpcap version installed.
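Because the accepted filter syntax is decided by the installed libpcap, one way to check a capture filter before using it is to ask that library to compile it. The following is an added example, not code from the original page or from Wireshark: a Python script that loads the local libpcap through ctypes and compiles candidate filters on a "dead" handle, so no capture device or elevated privileges are needed. The function names `load_libpcap` and `check_filter` are hypothetical, and the sample filters are constructed.

```python
import ctypes.util
from ctypes import POINTER, Structure, byref, c_char_p, c_int, c_uint, c_uint32, c_void_p

DLT_EN10MB = 1                     # Ethernet link-layer type
PCAP_NETMASK_UNKNOWN = 0xFFFFFFFF  # netmask not known; only affects "ip broadcast"

class BpfProgram(Structure):       # mirrors struct bpf_program
    _fields_ = [("bf_len", c_uint), ("bf_insns", c_void_p)]

def load_libpcap():
    """Return a ctypes handle to the installed libpcap, or None if it is absent."""
    name = ctypes.util.find_library("pcap")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.pcap_lib_version.restype = c_char_p
    lib.pcap_open_dead.restype = c_void_p   # pointer return must not be truncated to int
    lib.pcap_compile.argtypes = [c_void_p, POINTER(BpfProgram), c_char_p, c_int, c_uint32]
    lib.pcap_geterr.restype = c_char_p
    lib.pcap_geterr.argtypes = [c_void_p]
    lib.pcap_freecode.argtypes = [POINTER(BpfProgram)]
    lib.pcap_close.argtypes = [c_void_p]
    return lib

def check_filter(lib, expr, linktype=DLT_EN10MB):
    """Compile expr without opening a device; return (ok, error_text)."""
    handle = lib.pcap_open_dead(linktype, 65535)
    if not handle:
        return False, "pcap_open_dead failed"
    prog = BpfProgram()
    try:
        rc = lib.pcap_compile(handle, byref(prog), expr.encode(), 1, PCAP_NETMASK_UNKNOWN)
        if rc != 0:
            return False, lib.pcap_geterr(handle).decode(errors="replace")
        lib.pcap_freecode(byref(prog))
        return True, ""
    finally:
        lib.pcap_close(handle)

if __name__ == "__main__":
    lib = load_libpcap()
    if lib is None:
        raise SystemExit("libpcap not found on this system")
    print(lib.pcap_lib_version().decode())
    for expr in ("tcp port 443", "not arp and host 192.0.2.10", "tcp port port"):
        print(repr(expr), check_filter(lib, expr))
```

The error text comes from libpcap itself, so a filter rejected here would be rejected the same way when Wireshark/TShark passes it to the same library version.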

More information can be found at the tcpdump project page; libpcap and tcpdump are both developed by

On most modern UN*X platforms libpcap is available. It comes as part of most non-specialized Linux distributions, the free-software BSDs, and Mac OS X; it's installed by default on the BSDs and OS X, and it might be installed by default on the Linux distributions as well. (Specialized Linux distributions such as those for small embedded boxes might omit it.)

A Windows version of libpcap, named WinPcap, is also available.

The libpcap file format description can be found at: Development/LibpcapFileFormat

