Packet capture

Kismet provides endpoints to obtain packets live as a stream in the PCAP-NG format.

PCAP-NG is a standard, extended version of the traditional PCAP format, which offers the ability to include multiple interfaces, multiple link types, and the original radio headers of all the captured packets.

Tools like Wireshark can process the complete PCAP-NG format, while simpler tools like tcpdump and other libpcap-based tools can process single-linktype pcapng directly.

PCAP-NG files can be post-processed with tshark or wireshark to strip the capture to a single interface and link type if necessary.

All packets

DESC

A live stream of packets seen by all datasources, served in PCAP-NG format.

This stream will return all packets seen since the stream was initiated, and will continue streaming packets until the connection is terminated.

To access packets previosuly seen by Kismet, use the kismetdb endpoints.

ROLES
readonly
URI
/pcap/all_packets.pcapng
METHODS
GET
NOTES
This endpoint will return packets forever, until disconnected.

Packets by datasource

DESC

A live stream of packets from a single datasource, served in PCAP-NG format.

This stream will return all packets seen since the stream was initiated, and will continue streaming packets until the connection is terminated.

To access packets previosuly seen by Kismet, use the kismetdb endpoints.

ROLES
readonly
URI
/datasource/pcap/by-uuid/{UUID}/packets.pcapng
METHODS
GET
URI
PARAMETERS
UUID string REQUIRED

Datasource UUID

NOTES
This endpoint will return packets forever, until disconnected.

Packets by device

DESC

A live stream of packets to, from, or otherwise associated with a specific device, served in PCAP-NG format.

This stream will return all packets seen since the stream was initiated, and will continue streaming packets until the connection is terminated.

To access packets previosuly seen by Kismet, use the kismetdb endpoints.

ROLES
readonly
URI
/devices/pcap/by-key/{KEY}/packets.pcapng
METHODS
GET
URI
PARAMETERS
KEY string REQUIRED

Device key

NOTES
This endpoint will return packets forever, until disconnected.

Packets from temporary ring buffer

DESC

When the PCAP-NG memory ringbuffer logging is enabled, trigger a snapshot of the in-memory ringbuffer to a pcapng file.

If the post_seconds JSON parameter is provided, an additional PCAP-NG file is written containing packets seen in the next post_seconds seconds.

ROLES
logon
ADDED
API added 2026-06
URI
/logging/pcapng_ring/snapshot/{LABEL}.cmd
METHODS
POST
JSON
PARAMETERS

This endpoint takes additional parameters by using a `POST` request and supplying a JSON document or json form variable.

You can find more information about API parameters here.

post_seconds number OPTIONAL

Post-trigger window