Struct pcap_parser::PcapNGReader

pub struct PcapNGReader<R> where
    R: Read,  { /* fields omitted */ }

Parsing iterator over pcap-ng data (streaming version)

This iterator a streaming parser based on a circular buffer, so any input providing the Read trait can be used.

The first call to next should return the a Section Header Block (SHB), marking the start of a new section. For each section, calls to next will return blocks, some of them containing data (SPB, EPB), and others containing information (IDB, NRB, etc.).

Some information must be stored (for ex. the data link type from the IDB) to be able to parse following block contents. Usually, a list of interfaces must be stored, with the data link type and capture length, for each section. These values are used when parsing Enhanced Packet Blocks (which gives an interface ID - the index, starting from 0) and Simple Packet Blocks (which assume an interface index of 0).

The size of the circular buffer has to be big enough for at least one complete block. Using a larger value (at least 65k) is advised to avoid frequent reads and buffer shifts.

use pcap_parser::*;
use pcap_parser::traits::PcapReaderIterator;
use nom::{ErrorKind, IResult};
use std::fs::File;
use std::io::{BufReader, Read};

let mut file = File::open(path).unwrap();
let mut num_blocks = 0;
let mut reader = PcapNGReader::new(65536, file).expect("PcapNGReader");
let mut if_linktypes = Vec::new();
loop {
    match reader.next() {
        Ok((offset, block)) => {
            println!("got new block");
            num_blocks += 1;
            match block {
            PcapBlockOwned::NG(Block::SectionHeader(ref _shb)) => {
                // starting a new section, clear known interfaces
                if_linktypes = Vec::new();
            },
            PcapBlockOwned::NG(Block::InterfaceDescription(ref idb)) => {
                if_linktypes.push(idb.linktype);
            },
            PcapBlockOwned::NG(Block::EnhancedPacket(ref epb)) => {
                assert!((epb.if_id as usize) < if_linktypes.len());
                let linktype = if_linktypes[epb.if_id as usize];
                #[cfg(feature="data")]
                let res = pcap_parser::data::get_packetdata(epb.data, linktype, epb.caplen as usize);
            },
            PcapBlockOwned::NG(Block::SimplePacket(ref spb)) => {
                assert!(if_linktypes.len() > 0);
                let linktype = if_linktypes[0];
                let blen = (spb.block_len1 - 16) as usize;
                #[cfg(feature="data")]
                let res = pcap_parser::data::get_packetdata(spb.data, linktype, blen);
            },
            PcapBlockOwned::NG(_) => {
                // can be statistics (ISB), name resolution (NRB), etc.
                eprintln!("unsupported block");
            },
            PcapBlockOwned::Legacy(_)
            | PcapBlockOwned::LegacyHeader(_) => unreachable!(),
            }
            reader.consume(offset);
        },
        Err(ErrorKind::Eof) => break,
        Err(ErrorKind::Complete) => {
            eprintln!("Could not read complete data block.");
            eprintln!("Hint: the reader buffer size may be too small, or the input file nay be truncated.");
            break;
        },
        Err(e) => panic!("error while reading: {:?}", e),
    }
}
println!("num_blocks: {}", num_blocks);

Methods

impl<R> PcapNGReader<R> where
    R: Read, 

pub fn new(
    capacity: usize,
    reader: R
) -> Result<PcapNGReader<R>, ErrorKind<u32>>

pub fn from_buffer(
    buffer: Buffer,
    reader: R
) -> Result<PcapNGReader<R>, ErrorKind<u32>>

Trait Implementations

impl<R> PcapReaderIterator<R> for PcapNGReader<R> where
    R: Read, 

fn next(&mut self) -> Result<(usize, PcapBlockOwned), ErrorKind<u32>>

fn consume(&mut self, offset: usize)

fn consume_noshift(&mut self, offset: usize)

fn refill(&mut self) -> Result<(), &'static str>

fn position(&self) -> usize

fn grow(&mut self, new_size: usize) -> bool