pcap-parser 0.8.0

Parser for the PCAP/PCAPNG format
Documentation

PCAP parser

License: MIT Apache License 2.0 Build Status Crates.io Version

PCAP and PCAPNG parsers

This crate contains several parsers for PCAP and PCAPNG files.

Compared to other similar projects, it is designed to offer a complete support of the many possible formats (legacy pcap, pcapng, little or big-endian, etc.) and features (pcanpng files with multiple sections, interfaces, and endianness) while using only safe code and without copying data (zero-copy).

The code is available on Github and is part of the Rusticata project.

Example: streaming parsers

The following code shows how to parse a file in the pcap-ng format, using a PcapNGReader streaming parser.

use pcap_parser::*;
use pcap_parser::traits::PcapReaderIterator;
use std::fs::File;
use std::io::Read;

let mut file = File::open(path).unwrap();
let mut num_blocks = 0;
let mut reader = PcapNGReader::new(65536, file).expect("PcapNGReader");
loop {
    match reader.next() {
        Ok((offset, _block)) => {
            println!("got new block");
            num_blocks += 1;
            reader.consume(offset);
        },
        Err(PcapError::Eof) => break,
        Err(PcapError::Incomplete) => {
            reader.refill().unwrap();
        },
        Err(e) => panic!("error while reading: {:?}", e),
    }
}
println!("num_blocks: {}", num_blocks);

See PcapNGReader for a complete example, including handling of linktype and accessing packet data.

For legacy pcap files, use similar code with the LegacyPcapReader streaming parser.

See pcap-tools and pcap-parse for more examples.

Example: generic streaming parsing

To create a pcap reader for input in either PCAP or PCAPNG format, use the create_reader function.

Changes

0.8.0

  • Add basic support for serialization (little-endian only)
  • Add basic support for Wireshark exported PDUs
  • Add traits Clone and Debug to PacketData
  • Move data parsing functions to a subdirectory

0.7.1

  • Fix wrong EOF detection
  • Fix handling of incomplete reads (in example)

0.7.0

  • Upgrade to nom 5
    • Breaking API changes, mainly for error types

0.6.1

  • Make LegacyPcapBlock a regular structure with parser, and add serialization

0.6.0

  • Complete rewrite of the crate (breaks API)
  • Add streaming parser iterators
  • Replace Packet with Blocks
    • Allows handling of non-data blocks
    • Handles correctly timestamps and resolution
    • Remove incorrect or deprecated code
  • Better parsing of all variants (BE/LE, block types, etc.)
  • Better (and panic-free) functions to extract block contents
  • Set edition to 2018
  • Better documentation

0.5.1

  • Fix computation of timestamp for high-resolution pcap-ng

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.