<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

What can GopherCAP do?

  • Parse PCAPs for metadata and timestamp extraction
  • Replay those PCAPs to local capture interface while preserving inter-packet timestamps and accounting for delay between each file beginning in asynchronous sets
  • Extract files from gzipped tar archives directly to compressed file handles, thus saving space when only a subset of PCAP files are needed from a large archive
  • Deduplicate packets by hashing packet IP and TCP/UDP headers

Why did we develop GopherCAP?

Much of the Stamus Networks QA pipeline is data-driven, meaning we rely on replaying PCAPs over and over again to develop our advanced threat detection solutions. Previously we relied on other popular PCAP replay tools, but we found that those tools weren’t capable of replaying larger-than-average PCAPs efficiently.


This led us to develop GopherCAP, a custom PCAP manipulation tool that uses the existing packet decoding abilities of Google’s GoPacket library to perform faster and more flexible packet manipulation. Since the initial development, we have also included additional manipulation features for threat hunters. 

Join the Community Discussion

Have questions or comments about the GopherCAP project?

Interested in contributing to the code or knowledge base?

Open your pull request on the project's GitHub repository.
Or join the discussion on our Discord server.

Go to GopherCAP on GitHub
Join Stamus Labs on Discord

Additional Resources


Introducing GopherCAP: Powerful PCAP Manipulation

Read More

GopherCap Packet De-duplication

Read More

GopherCAP Update: PCAP Filtering and SMB Lateral Detection Research

Read More