pcap-processor 0.1.0

CLI tool for extracting and summarizing information from pcap files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

# pcap-processor

A CLI tool for extracting and summarizing information from pcap files. Wraps `tshark` (Wireshark's CLI) to leverage full Wireshark display filter support.

## Installation

### Prerequisites

- **tshark** (Wireshark CLI) must be installed:
  - macOS: `brew install wireshark`
  - Ubuntu/Debian: `apt install tshark`
  - RHEL/Fedora: `dnf install wireshark-cli`

### Build from source

```bash
cargo build --release
```

The binary will be at `./target/release/pcap-processor`.

## Usage

### `unique` - Extract unique field values

```bash
# Basic usage - extract unique source IPs
pcap-processor unique ip.src capture.pcap

# Multiple files or glob patterns
pcap-processor unique ip.src *.pcap

# With display filter
pcap-processor unique ip.src capture.pcap --filter "tcp.port == 80"

# Include occurrence counts
pcap-processor unique ip.src capture.pcap --count

# Sort by count (descending)
pcap-processor unique ip.src capture.pcap --count --sort count

# Output as JSON
pcap-processor unique ip.src capture.pcap --count --format json

# Output as CSV
pcap-processor unique ip.src capture.pcap --format csv

# Disable name resolution (faster)
pcap-processor unique ip.src capture.pcap --no-resolve
```

### Options

| Option | Description |
|--------|-------------|
| `-f, --filter <FILTER>` | Wireshark display filter |
| `-F, --format <FORMAT>` | Output format: `plain` (default), `json`, `csv` |
| `-c, --count` | Include occurrence counts |
| `-s, --sort <ORDER>` | Sort by: `value` (default), `count` |
| `-n, --no-resolve` | Disable name resolution |
| `--tshark <PATH>` | Custom tshark path (or set `PCAP_PROCESSOR_TSHARK` env var) |

### Example Output

**Plain (default):**
```
192.168.1.1
192.168.1.100
10.0.0.1
```

**Plain with counts:**
```
150	192.168.1.1
45	192.168.1.100
12	10.0.0.1
```

**JSON:**
```json
{
  "field": "ip.src",
  "total_unique": 3,
  "values": [
    { "value": "192.168.1.1", "count": 150 },
    { "value": "192.168.1.100", "count": 45 },
    { "value": "10.0.0.1", "count": 12 }
  ]
}
```

## Exit Codes

| Code | Meaning |
|------|---------|
| 0 | Success |
| 2 | tshark not found |
| 3 | Input error (file not found, no files matched) |
| 4 | Syntax error (invalid field or filter) |
| 5 | tshark execution error |

## License

MIT