[][src]Crate pcap_parser

PCAP and PCAPNG parsers

This crate contains several parsers for PCAP and PCAPNG files.

The code is available on Github and is part of the Rusticata project.

Example: generic parsing

The following code shows how to parse a file either in PCAP or PCAPNG format.

use pcap_parser::*;
use nom::IResult;
use std::fs::File;
use std::io::Read;

let mut file = File::open(path).unwrap();
let mut buffer = Vec::new();
file.read_to_end(&mut buffer).unwrap();
let mut num_packets = 0;
// try pcap first
match PcapCapture::from_file(&buffer) {
    Ok(capture) => {
        println!("Format: PCAP");
        for _packet in capture.iter_packets() {
            num_packets += 1;
        }
        return;
    },
    _ => ()
}
// otherwise try pcapng
match PcapNGCapture::from_file(&buffer) {
    Ok(capture) => {
        println!("Format: PCAPNG");
        // most pcaps have one section, with one interface
        //
        // global iterator - provides a unified iterator over all
        // sections and interfaces. It will usually work only if there
        // is one section with one interface
        // otherwise, the next iteration code is better
        for _packet in capture.iter_packets() {
            // num_packets += 1;
        }
        // The following code iterates all sections, for each section
        // all interfaces, and for each interface all packets.
        // Note that the link type can be different for each interface!
        println!("Num sections: {}", capture.sections.len());
        for (snum,section) in capture.sections.iter().enumerate() {
            println!("Section {}:", snum);
            for (inum,interface) in section.interfaces.iter().enumerate() {
                println!("    Interface {}:", inum);
                println!("        Linktype: {:?}", interface.header.linktype);
                // ...
                for _packet in section.iter_packets() {
                    num_packets += 1;
                }
            }
        }
    },
    _ => ()
}

The above code requires the file to be entirely loaded into memory. Other functions in this crate allows for writing streaming parsers. See pcap-tools for examples.

Re-exports

pub use pcap::*;
pub use pcapng::*;

Modules

pcap

PCAP file format

pcapng

PCAPNG file format

Structs

Linktype

Data link type

Packet

Packet data

PacketHeader

Record (Packet) Header

Traits

Capture

Generic interface for PCAP or PCAPNG file access