pktool v2.0

curl -fsSL https://pktool.dev/install.sh | bash

Or via package manager:

apt install pktool        # Debian/Ubuntu
brew install pktool       # macOS

Because pktool v2.0 can intercept sensitive data, the maintainers have added several safeguards:

It is recommended to run pktool v2.0 with the minimum privileges necessary; on Linux it supports the CAP_NET_RAW capability so that full root access is not required.

For security analysts, pktool v2.0 introduces --forensic. In this mode, every captured packet is hashed (SHA-256) upon ingestion, and an index file is created separately from the raw PCAP. This allows you to rapidly verify integrity, deduplicate identical packets across large captures, and even search for a specific packet by its hash—something no other command-line tool offers natively.
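The following is an added example, written for this page rather than taken from pktool, of the kind of per-packet SHA-256 side index that --forensic describes: it walks a classic PCAP record by record, maps each packet hash to its record offsets (so duplicates collapse to one key), re-verifies the capture against the index, and looks a packet up by hash. The minimal PCAP writer and the three sample packets are constructed here for illustration.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, little-endian, microsecond timestamps


def build_pcap(packets):
    """Constructed sample capture: 24-byte global header plus 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, payload in enumerate(packets):
        # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", i, 0, len(payload), len(payload)) + payload
    return out


def iter_packets(pcap_bytes):
    """Yield (record_offset, packet_bytes) for every record; refuse truncated records."""
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        data = pcap_bytes[off + 16 : off + 16 + incl_len]
        if len(data) != incl_len:
            raise ValueError(f"truncated record at offset {off}")
        yield off, data
        off += 16 + incl_len


def packet_digest(data):
    return hashlib.sha256(data).hexdigest()


def build_index(pcap_bytes):
    """Side index: SHA-256(packet bytes) -> list of record offsets. Identical packets share a key."""
    index = {}
    for off, data in iter_packets(pcap_bytes):
        index.setdefault(packet_digest(data), []).append(off)
    return index


def verify(pcap_bytes, index):
    """Rehash every record; return offsets whose bytes no longer match the index (corruption or tampering)."""
    return [off for off, data in iter_packets(pcap_bytes) if off not in index.get(packet_digest(data), [])]


def find_by_hash(index, digest):
    """Locate all record offsets holding a packet with this SHA-256 (hex)."""
    return index.get(digest, [])


# Constructed sample: three Ethernet-sized frames, the first and third byte-identical.
PACKETS = [b"\x00" * 14 + b"SYN to :22", b"\x00" * 14 + b"SYN to :80", b"\x00" * 14 + b"SYN to :22"]
CAPTURE = build_pcap(PACKETS)
INDEX = build_index(CAPTURE)
```

Because the index lives beside the capture rather than inside it, a single flipped byte in the PCAP shows up as a verification failure at that record's offset while the rest of the file still validates.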

Arguably the most powerful addition is FlowScript—a domain-specific language (DSL) embedded within pktool v2.0. FlowScript lets you write small scripts that run inside the capture engine, filtering, modifying, or alerting on flows in real time. Unlike tcpdump filters (BPF), which are stateless, FlowScript maintains session state.

Example FlowScript (detect port scans):

if (src_ip changes port every 1 sec)
    alert("Potential SYN scan from $src_ip");
    annotate(flow, "suspicious");

Scripts are compiled to bytecode at startup, ensuring zero-copy performance even at 10 Gbps line rates.

Following the footsteps of tools like foremost and scalpel, v2.0 can extract files from streams. Use the --extract flag to carve out HTTP objects, email attachments, or SMB transfers. The new --smart-carve option uses entropy analysis to identify encrypted vs. plaintext files, making it an excellent tool for data leak prevention (DLP) checks.

pktool v2.0 is a next-generation CLI utility designed for network engineers, security analysts, and developers to capture, filter, parse, modify, and replay network packets with high performance and scripting-friendly output.

Building on the legacy of v1.x, v2.0 introduces BPF filter enhancements, live traffic analysis, PCAPng support, packet crafting, and JSON/YAML output.


The jump from version 1.x to 2.0 brings dozens of new capabilities. Here are the most transformative features:

PKTool offers a simple and intuitive command-line interface, allowing users to perform package management tasks using a consistent set of commands. The tool supports various package formats, including RPM, DEB, and APK, making it a versatile solution for different Linux distributions.