pcap-toolkit 0.1.0

A blazing-fast, data-oriented PCAP manipulation, routing, and transformation tool written in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365

//! PCAP output writer with optional time-sliced output.
//!
//! [`PcapWriter`] writes a valid legacy PCAP file by first emitting the global
//! header (mirrored from the source capture) and then appending packet records.
//!
//! [`SlicedWriter`] wraps [`PcapWriter`] and opens a new output file whenever a
//! packet's timestamp crosses a time-slice boundary.

use std::fs::File;
use std::io::{BufWriter, Write};
use std::path::{Path, PathBuf};

use chrono::{DateTime, TimeZone, Utc};

use crate::error::SortError;

// ── GlobalHeader ─────────────────────────────────────────────────────────────

/// Captured fields from the source PCAP global header.
///
/// Used to mirror the header identically on every output chunk so that link
/// type, snap length, and byte-order are preserved.
#[derive(Debug, Clone, Copy)]
pub struct GlobalHeader {
    pub magic_number: u32,
    pub version_major: u16,
    pub version_minor: u16,
    pub thiszone: i32,
    pub sigfigs: u32,
    pub snaplen: u32,
    /// Raw link-type value.
    pub network: i32,
}

impl GlobalHeader {
    /// Returns `true` if the source file used big-endian byte order.
    pub fn is_big_endian(self) -> bool {
        // Big-endian magic values: 0xd4c3b2a1 (usec) and 0x4d3cb2a1 (nsec).
        matches!(self.magic_number, 0xd4c3_b2a1 | 0x4d3c_b2a1)
    }

    /// Returns `true` if the source file used nanosecond timestamp precision.
    pub fn is_nanosecond(self) -> bool {
        matches!(self.magic_number, 0xa1b2_3c4d | 0x4d3c_b2a1)
    }

    /// Serialise to 24 bytes, preserving the source byte order.
    pub fn to_bytes(self) -> [u8; 24] {
        let mut buf = [0u8; 24];
        if self.is_big_endian() {
            buf[0..4].copy_from_slice(&self.magic_number.to_be_bytes());
            buf[4..6].copy_from_slice(&self.version_major.to_be_bytes());
            buf[6..8].copy_from_slice(&self.version_minor.to_be_bytes());
            buf[8..12].copy_from_slice(&self.thiszone.to_be_bytes());
            buf[12..16].copy_from_slice(&self.sigfigs.to_be_bytes());
            buf[16..20].copy_from_slice(&self.snaplen.to_be_bytes());
            buf[20..24].copy_from_slice(&self.network.to_be_bytes());
        } else {
            buf[0..4].copy_from_slice(&self.magic_number.to_le_bytes());
            buf[4..6].copy_from_slice(&self.version_major.to_le_bytes());
            buf[6..8].copy_from_slice(&self.version_minor.to_le_bytes());
            buf[8..12].copy_from_slice(&self.thiszone.to_le_bytes());
            buf[12..16].copy_from_slice(&self.sigfigs.to_le_bytes());
            buf[16..20].copy_from_slice(&self.snaplen.to_le_bytes());
            buf[20..24].copy_from_slice(&self.network.to_le_bytes());
        }
        buf
    }
}

// ── PcapWriter ───────────────────────────────────────────────────────────────

/// Writes a single legacy PCAP output file.
pub struct PcapWriter {
    inner: BufWriter<File>,
    header: GlobalHeader,
    path: PathBuf,
    packets: u64,
}

impl PcapWriter {
    /// Create and open a new PCAP file at `path`, writing the global header.
    ///
    /// # Errors
    /// Returns [`SortError::Io`] if the file cannot be created.
    pub fn create(path: &Path, header: GlobalHeader) -> Result<Self, SortError> {
        if let Some(parent) = path.parent().filter(|p| !p.as_os_str().is_empty()) {
            std::fs::create_dir_all(parent)?;
        }
        let file = File::create(path)?;
        let mut writer = BufWriter::with_capacity(64 * 1024, file);
        writer.write_all(&header.to_bytes())?;
        Ok(Self {
            inner: writer,
            header,
            path: path.to_owned(),
            packets: 0,
        })
    }

    /// Write one packet record.
    ///
    /// `timestamp_ns` is split into seconds and fractional units that match
    /// the source file's timestamp precision (usec or nsec).
    ///
    /// # Errors
    /// Returns [`SortError::Io`] on write failure.
    pub fn write_packet(
        &mut self,
        timestamp_ns: u64,
        caplen: u32,
        origlen: u32,
        data: &[u8],
    ) -> Result<(), SortError> {
        let (ts_sec, ts_frac) = if self.header.is_nanosecond() {
            (
                (timestamp_ns / 1_000_000_000) as u32,
                (timestamp_ns % 1_000_000_000) as u32,
            )
        } else {
            (
                (timestamp_ns / 1_000_000_000) as u32,
                ((timestamp_ns % 1_000_000_000) / 1_000) as u32,
            )
        };

        let mut rec = [0u8; 16];
        if self.header.is_big_endian() {
            rec[0..4].copy_from_slice(&ts_sec.to_be_bytes());
            rec[4..8].copy_from_slice(&ts_frac.to_be_bytes());
            rec[8..12].copy_from_slice(&caplen.to_be_bytes());
            rec[12..16].copy_from_slice(&origlen.to_be_bytes());
        } else {
            rec[0..4].copy_from_slice(&ts_sec.to_le_bytes());
            rec[4..8].copy_from_slice(&ts_frac.to_le_bytes());
            rec[8..12].copy_from_slice(&caplen.to_le_bytes());
            rec[12..16].copy_from_slice(&origlen.to_le_bytes());
        }

        self.inner.write_all(&rec)?;
        self.inner.write_all(data)?;
        self.packets += 1;
        Ok(())
    }

    /// Flush and close, returning the path and packet count.
    pub fn finish(mut self) -> Result<(PathBuf, u64), SortError> {
        self.inner.flush()?;
        Ok((self.path, self.packets))
    }
}

// ── SlicedWriter ─────────────────────────────────────────────────────────────

/// Manages one or more [`PcapWriter`] instances, opening a new file whenever a
/// packet's timestamp crosses a time-slice boundary.
///
/// When `slice_secs` is `None`, all packets go to a single output file.
pub struct SlicedWriter {
    header: GlobalHeader,
    output_base: PathBuf,
    slice_secs: Option<u64>,
    current: Option<PcapWriter>,
    current_slice_start_ns: u64,
    pub files: Vec<PathBuf>,
    pub total_packets: u64,
}

impl SlicedWriter {
    /// Create a new `SlicedWriter`.
    ///
    /// - `output_base`: path to the output file (no slicing) or directory (slicing).
    /// - `slice_secs`: slice interval in seconds; `None` writes a single file.
    pub fn new(output_base: PathBuf, header: GlobalHeader, slice_secs: Option<u64>) -> Self {
        Self {
            header,
            output_base,
            slice_secs,
            current: None,
            current_slice_start_ns: 0,
            files: Vec::new(),
            total_packets: 0,
        }
    }

    /// Write one packet, opening a new slice file if necessary.
    ///
    /// # Errors
    /// Returns [`SortError::Io`] on write or file-creation failure.
    pub fn write_packet(
        &mut self,
        timestamp_ns: u64,
        caplen: u32,
        origlen: u32,
        data: &[u8],
    ) -> Result<(), SortError> {
        let need_new = match self.slice_secs {
            None => self.current.is_none(),
            Some(secs) => {
                let slice_ns = secs * 1_000_000_000;
                self.current.is_none() || timestamp_ns >= self.current_slice_start_ns + slice_ns
            }
        };

        if need_new {
            self.rotate(timestamp_ns)?;
        }

        self.current
            .as_mut()
            .unwrap()
            .write_packet(timestamp_ns, caplen, origlen, data)?;
        self.total_packets += 1;
        Ok(())
    }

    /// Flush and close all open output files.
    ///
    /// Returns `(files_written, total_packets)`.
    ///
    /// # Errors
    /// Returns [`SortError::Io`] on flush failure.
    pub fn finish(mut self) -> Result<(Vec<PathBuf>, u64), SortError> {
        if let Some(w) = self.current.take() {
            let (path, _) = w.finish()?;
            self.files.push(path);
        }
        Ok((self.files, self.total_packets))
    }

    // ── private ──────────────────────────────────────────────────────────────

    fn rotate(&mut self, timestamp_ns: u64) -> Result<(), SortError> {
        // Close the previous writer.
        if let Some(w) = self.current.take() {
            let (path, _) = w.finish()?;
            self.files.push(path);
        }

        let path = self.output_path(timestamp_ns);
        self.current = Some(PcapWriter::create(&path, self.header)?);

        // Snap the slice boundary to the floor of the slice interval.
        self.current_slice_start_ns = match self.slice_secs {
            None => timestamp_ns,
            Some(secs) => {
                let slice_ns = secs * 1_000_000_000;
                (timestamp_ns / slice_ns) * slice_ns
            }
        };
        Ok(())
    }

    fn output_path(&self, timestamp_ns: u64) -> PathBuf {
        if self.slice_secs.is_none() {
            return self.output_base.clone();
        }
        // Sliced mode: output is a directory, filename encodes the slice start.
        let dt = ns_to_datetime(timestamp_ns);
        let name = dt.format("part_%Y%m%dT%H%M%SZ.pcap").to_string();
        self.output_base.join(name)
    }
}

fn ns_to_datetime(ns: u64) -> DateTime<Utc> {
    let secs = (ns / 1_000_000_000) as i64;
    let nanos = (ns % 1_000_000_000) as u32;
    Utc.timestamp_opt(secs, nanos)
        .single()
        .unwrap_or(DateTime::UNIX_EPOCH)
}

#[cfg(test)]
mod tests {
    use super::*;

    fn make_header() -> GlobalHeader {
        GlobalHeader {
            magic_number: 0xa1b2_c3d4,
            version_major: 2,
            version_minor: 4,
            thiszone: 0,
            sigfigs: 0,
            snaplen: 65535,
            network: 1,
        }
    }

    #[test]
    fn test_global_header_roundtrip_le() {
        let hdr = make_header();
        let bytes = hdr.to_bytes();
        assert_eq!(bytes.len(), 24);
        // Magic in LE
        assert_eq!(&bytes[0..4], &0xa1b2_c3d4u32.to_le_bytes());
        // snaplen = 65535
        assert_eq!(u32::from_le_bytes(bytes[16..20].try_into().unwrap()), 65535);
    }

    #[test]
    fn test_global_header_big_endian() {
        let hdr = GlobalHeader {
            magic_number: 0xd4c3_b2a1,
            ..make_header()
        };
        assert!(hdr.is_big_endian());
        let bytes = hdr.to_bytes();
        assert_eq!(&bytes[0..4], &0xd4c3_b2a1u32.to_be_bytes());
    }

    #[test]
    fn test_pcap_writer_produces_valid_file() {
        let path = std::env::temp_dir().join("pcap_toolkit_writer_test.pcap");
        let hdr = make_header();
        let mut w = PcapWriter::create(&path, hdr).unwrap();
        let data = vec![0xAAu8; 60];
        w.write_packet(1_700_000_000_000_000_000, 60, 60, &data)
            .unwrap();
        let (_, count) = w.finish().unwrap();
        assert_eq!(count, 1);

        // Verify the file starts with the expected magic.
        let bytes = std::fs::read(&path).unwrap();
        assert_eq!(&bytes[0..4], &0xa1b2_c3d4u32.to_le_bytes());
        // File size: 24 (global header) + 16 (record header) + 60 (data) = 100
        assert_eq!(bytes.len(), 100);
        let _ = std::fs::remove_file(&path);
    }

    #[test]
    fn test_sliced_writer_single_file() {
        let path = std::env::temp_dir().join("pcap_toolkit_sliced_single.pcap");
        let mut sw = SlicedWriter::new(path.clone(), make_header(), None);
        let data = vec![0u8; 40];
        sw.write_packet(1_000_000_000_000, 40, 40, &data).unwrap();
        sw.write_packet(2_000_000_000_000, 40, 40, &data).unwrap();
        let (files, total) = sw.finish().unwrap();
        assert_eq!(total, 2);
        assert_eq!(files.len(), 1);
        let _ = std::fs::remove_file(&path);
    }

    #[test]
    fn test_sliced_writer_splits_by_hour() {
        let dir = std::env::temp_dir().join("pcap_toolkit_sliced_hour");
        std::fs::create_dir_all(&dir).unwrap();

        let mut sw = SlicedWriter::new(dir.clone(), make_header(), Some(3600));
        let data = vec![0u8; 40];
        // Packet at T=0s (1970-01-01T00:00:00Z)
        sw.write_packet(0, 40, 40, &data).unwrap();
        // Packet at T=3601s → new hour slice
        sw.write_packet(3_601 * 1_000_000_000, 40, 40, &data)
            .unwrap();
        let (files, total) = sw.finish().unwrap();

        assert_eq!(total, 2);
        assert_eq!(files.len(), 2);

        for f in &files {
            let _ = std::fs::remove_file(f);
        }
        let _ = std::fs::remove_dir(&dir);
    }
}