Skip to main content

Crate capfile

Crate capfile 

Source
Expand description

Capfile - Pure Rust crate for reading/writing pcap/pcapng files

This crate provides zero-copy parsing of pcap and pcapng files with support for packet dissection and writing capture files.

§Features

  • Zero-copy parsing: Data is parsed without copying where possible, making it efficient for large capture files
  • Both formats: Supports legacy PCAP and modern PCAPNG formats
  • Packet dissection: Built-in support for dissecting Ethernet, IPv4, IPv6, TCP, UDP, ICMP, and DNS protocols
  • Write support: Create new PCAP and PCAPNG files

§Quick Start

§Reading a PCAP file

use capfile::PcapReader;

// Open a pcap file (requires std feature)
let mut reader = PcapReader::open("capture.pcap")?;

// Iterate over packets
while let Some(pkt) = reader.next_packet()? {
    println!("{} bytes at {}", pkt.len(), pkt.timestamp_ns());
}

§Reading from bytes (no_std/WASM)

use capfile::PcapReader;
use std::io::Cursor;

let data = include_bytes!("capture.pcap");
let mut reader = PcapReader::from_reader(Cursor::new(data))?;

while let Some(pkt) = reader.next_packet()? {
    // Process packet
}

§Reading a PCAPNG file

use capfile::PcapngReader;
use capfile::format::pcapng::Block;

let mut reader = PcapngReader::open("capture.pcapng")?;

// Get interface information
for (i, iface) in reader.interfaces().iter().enumerate() {
    println!("Interface {}: link_type={}", i, iface.link_type);
}

// Iterate over blocks
while let Some(block) = reader.next_block()? {
    match block {
        Block::EnhancedPacket(epb) => {
            println!("Packet: {} bytes", epb.captured_length);
        }
        Block::InterfaceStatistics(stats) => {
            println!("Stats: {} packets", stats.packets_received);
        }
        _ => {}
    }
}

§Packet Dissection

use capfile::{PcapReader, dissect::{Ethernet, Ipv4, Tcp}};

let mut reader = PcapReader::open("capture.pcap")?;

if let Some(pkt) = reader.next_packet()? {
    // Dissect Ethernet
    let eth = Ethernet::new(pkt.data())?;
    println!("{} -> {}", format_mac(eth.src()), format_mac(eth.dst()));

    // Dissect IPv4
    let ip = Ipv4::new(eth.payload())?;
    println!("{} -> {}", ip.src_str(), ip.dst_str());

    // Dissect TCP
    if let Ok(tcp) = Tcp::new(ip.payload()) {
        println!("{} -> {}", tcp.src_port(), tcp.dst_port());
    }
}

§Writing a PCAP file

use capfile::PcapWriter;

let mut writer = PcapWriter::create("output.pcap", 1)?; // Ethernet

// Write a packet
writer.write_packet(b"packet data", 1000000000, 100)?;

§Modules

  • error - Error types for operations
  • [format] - File format parsing (PCAP and PCAPNG)
  • reader - PCAP and PCAPNG readers
  • writer - PCAP and PCAPNG writers
  • dissect - Packet dissection for various protocols

Re-exports§

pub use error::Error;
pub use reader::mmap::PcapReaderMmap;
pub use reader::Interface;
pub use reader::PacketRef;
pub use reader::PcapReader;
pub use reader::PcapngReader;
pub use writer::PcapWriter;
pub use writer::PcapngWriter;

Modules§

dissect
Packet dissection module
error
Unified error types for capfile
format
File format parsing for pcap and pcapng
reader
PCAP and PCAPNG readers
writer
PCAP and PCAPNG writers