A pure-Rust library for reading pcap-ng files.
- Correct: Produces the same results as tshark for all the pcapng files I could scrape from the Wireshark wiki. See integration_tests/ for details.
- pcarp is zero-copy. Performance is comparable to libpcap. Actually, on some files pcarp consistently underperforms, and on some it consistently overperforms, so it's not really possible to say which of the two performs better; but it's fair to say they're similar.
- Flexible input: The input can be anything which implements Read. Are your pcaps gzipped? No problem, just wrap your GzDecoder before you feed it to
- Flexible output: The output API is streaming-iterator-style (get()), which is more general than iterator-style (next()) when the content is borrowed. An iterator-style API is also included for convenience.
- Reliable: None of the public API should panic, even given malformed input. pcarp is fuzzed extensively to ensure that this is the case. (Note that, given pathological input, pcarp may give you an infinite series of errors.)
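The framing checks a non-panicking pcap-ng reader has to make on untrusted input, as an added example (this is not pcarp's code or API). It is generic over Read like the input described above and assumes little-endian sections; `read_block`, `frame`, `BlockError` and the `MAX_BLOCK` cap are names introduced here.

```rust
use std::io::Read;

const MAX_BLOCK: u32 = 1 << 20; // assumed cap for this example, not a pcap-ng limit

#[derive(Debug, PartialEq)]
pub enum BlockError { Io, Truncated, BadLength(u32), TrailerMismatch }

// Read at most `n` bytes; never pre-allocates from an untrusted length field.
fn read_up_to<R: Read>(r: &mut R, n: u64) -> Result<Vec<u8>, BlockError> {
    let mut buf = Vec::new();
    r.by_ref().take(n).read_to_end(&mut buf).map_err(|_| BlockError::Io)?;
    Ok(buf)
}

// Ok(None) at clean EOF, Ok(Some((block_type, body))) for a well-formed block.
// Block layout: type (4), total length (4), body, total length repeated (4).
pub fn read_block<R: Read>(r: &mut R) -> Result<Option<(u32, Vec<u8>)>, BlockError> {
    let hdr = read_up_to(r, 8)?;
    match hdr.len() {
        0 => return Ok(None),
        8 => {}
        _ => return Err(BlockError::Truncated),
    }
    let block_type = u32::from_le_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]);
    let total = u32::from_le_bytes([hdr[4], hdr[5], hdr[6], hdr[7]]);
    // Total length counts the 12 framing bytes and must be a multiple of 4.
    if total < 12 || total % 4 != 0 || total > MAX_BLOCK {
        return Err(BlockError::BadLength(total));
    }
    let mut body = read_up_to(r, u64::from(total - 8))?;
    if body.len() != (total - 8) as usize {
        return Err(BlockError::Truncated);
    }
    let trailer = body.split_off(body.len() - 4);
    if trailer.as_slice() != &hdr[4..8] {
        return Err(BlockError::TrailerMismatch);
    }
    Ok(Some((block_type, body)))
}

// Constructed sample: frame `body` as a little-endian block of type `ty`.
pub fn frame(ty: u32, body: &[u8]) -> Vec<u8> {
    let (ty, total) = (ty.to_le_bytes(), (body.len() as u32 + 12).to_le_bytes());
    [&ty[..], &total[..], body, &total[..]].concat()
}

fn main() {
    let shb = frame(0x0A0D0D0A, &[0x4D, 0x3C, 0x2B, 0x1A, 1, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255]);
    println!("{:?}", read_block(&mut &shb[..]));   // whole Section Header Block
    println!("{:?}", read_block(&mut &shb[..20])); // same block, cut short
}
```

Because it only needs Read, the same function works unchanged on a decompressing reader.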
Limitations compared to
- No support for legacy pcap;
- No dissection of any kind. pcarp gives you the raw packet data. If you want to parse ethernet/IP/TCP/whatever protocol, try pnet or rshark.
- No filtering. This one follows from "no dissection".
The software itself is in the public domain.
Some of the documentation is copied from the pcap spec, so the copyright is owned by the IETF; these places are clearly marked. The pcaps used by the integration tests are distributed by the Wireshark Foundation under the terms of the GNU GPL.