ecap / Home


Ecap (external capture) is a distributed network sniffer with a web front-end.

Ecap was written many years ago in 2005, but I saw a post on the tcpdump-workers mailing list for a request for a similar application... so here it is. I wrote it and used it internally at work to help our 2nd-tier support staff troubleshoot network issues. I should have released it a long time ago.

It would be fun to update it and work on it again if there's any interest.

Download the code, which contains installation instructions, from the "Downloads" section.


Ecap is a simple web-based application that lets users initiate and view network traffic captures in a web browser. It requires quite a bit of configuration to set up, since it uses SSH to transfer capture requests and capture data between the capture agent hosts and the www/requestor host; after all, it is a distributed sniffer.


The way the code works currently, the captures are done on the agent machines and the output is a text summary line generated by tshark. The actual binary capture file is not sent back to the www machine. This is an obvious limitation that prevents the web server CGI scripts from displaying additional capture data to the user. This is probably one of the first enhancements that should be made to the code; if the binary capture file is sent back to the www machine, the capture viewer CGI code could be enhanced to display additional capture data to the user.

In other words, you may find the capture viewer in the browser to be too simplistic for your needs. Ecap was originally written to help troubleshoot basic TCP connectivity issues and validate ICMP messages, e.g. ICMP echo requests/replies.


  • Unix-like OS (Linux, *BSD, etc.)
  • Tcl (8.3 and 8.4 tested)
  • TclX (Extended Tcl)
  • Apache (www machine only, 1.3 and 2.2 tested)
    • Could be another web server if you know how to configure CGI and map an alias dir to "/ecap/".
  • tshark (agent machine only, part of Wireshark)
  • SSH client and server (SSH public key authentication and scp)
  • This shouldn't be a requirement, but it is at this early stage:
    • Unless you want to do a lot of manual editing of source and configuration files, you should plan on using the default installation directory of "/usr/local/ecap".