nCap is a new approach to packet capture that is based on the following principles:

• Ability to capture packets at wire-speed.
• Use only commodity hardware: no custom network cards or hardware platforms.
• Legacy support: allow legacy pcap-based applications to take advantage of nCap without code changes but only recompilation.

• Enhanced device driver for bypassing legacy operating system code.
• Kernel module for bypassing the TCP/IP stack and providing a direct flow of packets towards packet capture applications.
• Enhanced libpcap for enabling legacy applications to transparently use nCap.

Monitoring applications can transparently select at runtime the level of packet capture acceleration they want:

• Standard TCP/IP Stack with accelerated driver
  This is the typical case of a legacy application distributed only in binary format. The lack of source code prevents it from bein recompiled so it can only partially exploit nCap.
• PF_RING with accelerated driver
  Existing applications that can be recompiled against the enhanced libpcap, can take advantage of the acceleration provided by both the device driver and PF_RING.
• Straight packet capture
  This is the faster acceleration that an application can have. The network device is controlled directly by the enhanced libpcap library bypassing completely the operating system kernel and the device driver that is used only to initialize the card and not for packet capture.

At present nCap is available for the Linux operating system on both the 2.4 and 2.6 kernel series.

NEW: if you want to give nCap a sping you can download a live CD so that you can test it without having to install anything on you PC.