What is pcapd?

pcapd appears when someone is recording network traffic on your Mac.

What is pcapd?

pcapd stands for "packet capture daemon". It records the raw data flowing through your Mac's network connections. Apple built it to work with Xcode and other development tools.

When does it run?

pcapd typically runs when:

It does not run by default. It starts only when a capture session begins.

Is it the same as Wireshark or tcpdump?

It does a similar job but is built for Apple's development workflow. For general packet capture, most people use tcpdump (included with macOS) or Wireshark. pcapd is mainly for capturing traffic from iOS devices connected by USB.

Should you worry?

If you did not start a packet capture and you see pcapd running, it is worth looking into. On a normal Mac, it should not be running unless you or a development tool started it. Check whether any development or diagnostic tools are open.

If you are a developer, it is perfectly normal during debugging.
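
One way to run that check from Terminal, as an added example that is not part of the original post: it reports any running pcapd and whether a capture or development tool is running alongside it. The tool list holds only the names this page mentions, the sample rows and their paths are constructed, and the verdict wording is a heuristic assumed here.

```shell
#!/bin/sh
# Added example. Reads "pid user command-path" rows (the format printed by
# `ps -axo pid=,user=,comm=`) on stdin and reports any pcapd process plus
# any capture or development tool running at the same time.

# Assumption: only the tool names this page mentions; extend as needed.
TOOLS="Xcode Wireshark tcpdump"

check_pcapd() {
  awk -v tools="$TOOLS" '
    BEGIN { n = split(tools, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
    {
      pid = $1; user = $2
      # Rebuild the executable path, which may contain spaces.
      path = $3; for (i = 4; i <= NF; i++) path = path " " $i
      m = split(path, part, "/"); base = part[m]
      if (base == "pcapd")   hits = hits sprintf("pcapd pid=%s user=%s\n", pid, user)
      else if (base in want) seen = seen sprintf("tool %s pid=%s\n", base, pid)
    }
    END {
      if (hits == "") { print "pcapd not running"; exit 0 }
      printf "%s%s", hits, seen
      if (seen == "") {
        # Exit status 2 lets a wrapper script alert on this case.
        print "verdict: no listed tool running, look into it"
        exit 2
      }
      print "verdict: a listed tool is running"
      exit 0
    }'
}

# Constructed sample rows (pids, users and paths are placeholders).
sample_rows() {
  printf '%s\n' \
    '1 root /sbin/launchd' \
    '412 root /path/to/pcapd' \
    '733 alice /Applications/Xcode.app/Contents/MacOS/Xcode'
}

sample_rows | check_pcapd

# Live use on a Mac:
#   ps -axo pid=,user=,comm= | check_pcapd
```
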

