pcap-processor 0.1.0

CLI tool for extracting and summarizing information from pcap files

pcap-processor

A CLI tool for extracting and summarizing information from pcap files. Wraps tshark (Wireshark's CLI) to leverage full Wireshark display filter support.

Installation

Prerequisites

  • tshark (Wireshark CLI) must be installed:
    • macOS: brew install wireshark
    • Ubuntu/Debian: apt install tshark
    • RHEL/Fedora: dnf install wireshark-cli

Build from source

cargo build --release

The binary will be at ./target/release/pcap-processor.

Usage

unique - Extract unique field values

# Basic usage - extract unique source IPs
pcap-processor unique ip.src capture.pcap

# Multiple files or glob patterns
pcap-processor unique ip.src *.pcap

# With display filter
pcap-processor unique ip.src capture.pcap --filter "tcp.port == 80"

# Include occurrence counts
pcap-processor unique ip.src capture.pcap --count

# Sort by count (descending)
pcap-processor unique ip.src capture.pcap --count --sort count

# Output as JSON
pcap-processor unique ip.src capture.pcap --count --format json

# Output as CSV
pcap-processor unique ip.src capture.pcap --format csv

# Disable name resolution (faster)
pcap-processor unique ip.src capture.pcap --no-resolve

Options

  Option                  Description
  -f, --filter <FILTER>   Wireshark display filter
  -F, --format <FORMAT>   Output format: plain (default), json, csv
  -c, --count             Include occurrence counts
  -s, --sort <ORDER>      Sort by: value (default), count
  -n, --no-resolve        Disable name resolution
  --tshark <PATH>         Custom tshark path (or set the PCAP_PROCESSOR_TSHARK env var)

Example Output

Plain (default):

192.168.1.1
192.168.1.100
10.0.0.1

Plain with counts:

150	192.168.1.1
45	192.168.1.100
12	10.0.0.1

JSON:

{
  "field": "ip.src",
  "total_unique": 3,
  "values": [
    { "value": "192.168.1.1", "count": 150 },
    { "value": "192.168.1.100", "count": 45 },
    { "value": "10.0.0.1", "count": 12 }
  ]
}

Exit Codes

  Code   Meaning
  0      Success
  2      tshark not found
  3      Input error (file not found, no files matched)
  4      Syntax error (invalid field or filter)
  5      tshark execution error
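The following is an added example, not pcap-processor's own source, showing the work behind the `unique` command described above: building the tshark argument list, counting distinct values from tshark's one-value-per-line output, sorting by value or by count, rendering the plain and JSON layouts shown under Example Output, and mapping a missing or failing tshark onto the exit codes in the table. The flags -r, -Y, -T fields, -e and -n are tshark's own; whether pcap-processor composes them exactly this way is an assumption, and the function names (tshark_args, run_tshark, summarize, render_plain, render_json) are hypothetical. The sample input is constructed inline so the program runs without a capture file or tshark installed.

```rust
use std::collections::HashMap;
use std::process::Command;

/// Result of one `unique` run: the field name and (value, occurrence count)
/// pairs in output order. Hypothetical type, not part of pcap-processor.
#[derive(Debug, Clone, PartialEq)]
pub struct FieldSummary {
    pub field: String,
    pub values: Vec<(String, usize)>,
}

#[derive(Debug, Clone, Copy)]
pub enum SortOrder { Value, Count }

/// argv for one input file. The display filter is a single argv element, so no
/// shell ever parses it (assumed composition; the flags themselves are tshark's).
pub fn tshark_args(field: &str, file: &str, filter: Option<&str>, no_resolve: bool) -> Vec<String> {
    let mut args = vec!["-r".to_string(), file.to_string()];
    if let Some(f) = filter {
        args.push("-Y".to_string());
        args.push(f.to_string());
    }
    if no_resolve {
        args.push("-n".to_string()); // tshark: disable all name resolution
    }
    args.extend(["-T", "fields", "-e", field].iter().map(|s| s.to_string()));
    args
}

/// Run tshark and map failures onto the README's exit codes: 2 when the binary
/// is missing, 5 otherwise (separating code 4, syntax errors, is not attempted).
pub fn run_tshark(tshark: &str, args: &[String]) -> Result<String, i32> {
    match Command::new(tshark).args(args).output() {
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => Err(2),
        Err(_) => Err(5),
        Ok(out) if !out.status.success() => Err(5),
        Ok(out) => Ok(String::from_utf8_lossy(&out.stdout).into_owned()),
    }
}

/// Count each distinct value in `-T fields` output. Blank lines (packets without
/// the field) are skipped; comma-joined multiple occurrences count once per value.
pub fn summarize(field: &str, lines: &str, order: SortOrder) -> FieldSummary {
    let mut counts: HashMap<String, usize> = HashMap::new();
    for line in lines.lines() {
        for v in line.split(',').map(str::trim).filter(|v| !v.is_empty()) {
            *counts.entry(v.to_string()).or_insert(0) += 1;
        }
    }
    let mut values: Vec<(String, usize)> = counts.into_iter().collect();
    match order {
        SortOrder::Value => values.sort_by(|a, b| a.0.cmp(&b.0)),
        // descending count; the value breaks ties so output is deterministic
        SortOrder::Count => values.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(&b.0))),
    }
    FieldSummary { field: field.to_string(), values }
}

/// Plain output: one value per line, tab-separated count first with --count.
pub fn render_plain(s: &FieldSummary, with_count: bool) -> String {
    s.values.iter()
        .map(|(v, c)| if with_count { format!("{}\t{}", c, v) } else { v.clone() })
        .collect::<Vec<_>>().join("\n")
}

/// JSON output in the README's shape. Field values come from packet data, so
/// quotes, backslashes and control characters are escaped rather than emitted raw.
pub fn render_json(s: &FieldSummary) -> String {
    fn esc(v: &str) -> String {
        let mut out = String::new();
        for ch in v.chars() {
            match ch {
                '"' => out.push_str("\\\""),
                '\\' => out.push_str("\\\\"),
                c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
                c => out.push(c),
            }
        }
        out
    }
    let items: Vec<String> = s.values.iter()
        .map(|(v, c)| format!("    {{ \"value\": \"{}\", \"count\": {} }}", esc(v), c))
        .collect();
    format!("{{\n  \"field\": \"{}\",\n  \"total_unique\": {},\n  \"values\": [\n{}\n  ]\n}}",
        esc(&s.field), s.values.len(), items.join(",\n"))
}

fn main() {
    // Constructed stand-in for tshark's stdout; no capture file is needed.
    let captured = "192.168.1.1\n192.168.1.100\n\n192.168.1.1\n10.0.0.1,192.168.1.1\n";
    let summary = summarize("ip.src", captured, SortOrder::Count);
    println!("{}\n\n{}", render_plain(&summary, true), render_json(&summary));
    println!("argv: {:?}", tshark_args("ip.src", "capture.pcap", Some("tcp.port == 80"), true));
}
```

Passing the filter as one argv element rather than through a shell is the property to preserve when wrapping tshark: a display filter like `tcp.port == 80 || ip.addr == 10.0.0.1` contains shell metacharacters, and the exit-code mapping keeps a missing binary (2) distinct from a run that started and failed (5).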

License

MIT