pcarp
A pure-Rust library for reading pcap-ng files.
- Correct: Produces the same results as tshark for all the pcapng files I could scrape from the Wireshark wiki. See integration_tests/ for details.
- Fast: pcarp is zero-copy. Performance is comparable to libpcap. Actually, on some files pcarp consistently underperforms, and on some it consistently overperforms, so it's not really possible to say which of the two performs better; but it's fair to say they're similar.
- Flexible input: The input can be anything which implements Read. Are your pcaps gzipped? No problem, just wrap your File in a GzDecoder before you feed it to Capture::new().
- Flexible output: The output API is streaming-iterator-style (advance() and get()), which is more general than iterator-style (next()) when the content is borrowed. An iterator-style API is also included for convenience.
- Reliable: None of the public API should panic, even given malformed input. pcarp is fuzzed extensively to ensure that this is the case. (Note that, given pathological input, pcarp may give you an infinite series of errors.)
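
An added example (not pcarp's code or API) of the streaming-iterator shape described above: advance() reads one pcap-ng block into a reused buffer and get() lends out a slice of it, which an iterator-style next() cannot do, and malformed framing comes back as an error value instead of a panic. Blocks, BlockError, summarize, MAX_BLOCK and SAMPLE are hypothetical names, and the code assumes little-endian sections only.

```rust
use std::io::Read;

const MAX_BLOCK: u32 = 1 << 24; // assumed cap: a forged length cannot force a huge allocation
#[derive(Clone, Debug, PartialEq)]
pub enum BlockError { Truncated, BadLength(u32), Io }
/// Hypothetical reader, not pcarp's type: little-endian pcap-ng block framing from any `Read`.
pub struct Blocks<R: Read> { rdr: R, buf: Vec<u8>, cur: Option<Result<u32, BlockError>> }
fn le(b: &[u8]) -> u32 { u32::from_le_bytes([b[0], b[1], b[2], b[3]]) }

impl<R: Read> Blocks<R> {
    pub fn new(rdr: R) -> Self { Blocks { rdr, buf: Vec::new(), cur: None } }
    /// Load the next block into the reused buffer; malformed input yields Err, never a panic.
    pub fn advance(&mut self) { self.cur = self.read_block().transpose(); }
    /// Borrow (block type, body) of the current block; `None` is a clean end of input.
    pub fn get(&self) -> Option<Result<(u32, &[u8]), BlockError>> {
        let ty = match self.cur.clone()? { Ok(ty) => ty, Err(e) => return Some(Err(e)) };
        Some(Ok((ty, &self.buf[..self.buf.len() - 4])))
    }
    // Read up to `n` bytes into the reused buffer; returns how many arrived before the input ended.
    fn fill(&mut self, n: u64) -> Result<usize, BlockError> {
        self.buf.clear();
        self.rdr.by_ref().take(n).read_to_end(&mut self.buf).map_err(|_| BlockError::Io)
    }
    fn read_block(&mut self) -> Result<Option<u32>, BlockError> {
        match self.fill(8)? { 0 => return Ok(None), 8 => {}, _ => return Err(BlockError::Truncated) }
        let (ty, len) = (le(&self.buf[0..4]), le(&self.buf[4..8]));
        // Total length counts header, body and its trailing copy: >= 12, multiple of 4, capped.
        if len < 12 || len % 4 != 0 || len > MAX_BLOCK { return Err(BlockError::BadLength(len)); }
        if self.fill(len as u64 - 8)? != len as usize - 8 { return Err(BlockError::Truncated); }
        if le(&self.buf[self.buf.len() - 4..]) != len { return Err(BlockError::BadLength(len)); }
        Ok(Some(ty))
    }
}

/// Drain a capture, stopping at the first error (a damaged stream may keep producing them).
pub fn summarize<R: Read>(rdr: R) -> Vec<Result<(u32, usize), BlockError>> {
    let (mut blocks, mut out) = (Blocks::new(rdr), Vec::new());
    loop {
        blocks.advance();
        let r = match blocks.get() { Some(r) => r, None => return out };
        out.push(r.map(|(ty, body)| (ty, body.len())));
        if matches!(out.last(), Some(Err(_))) { return out; }
    }
}

// Constructed sample: a 28-byte Section Header Block, then a block header cut off after 3 bytes.
pub const SAMPLE: [u8; 31] = [0x0A, 0x0D, 0x0D, 0x0A, 28, 0, 0, 0, 0x4D, 0x3C, 0x2B, 0x1A, 1, 0, 0, 0,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 28, 0, 0, 0, 6, 0, 0];
fn main() { println!("{:?}", summarize(&SAMPLE[..])); }
```
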
Limitations compared to libpcap:
- No support for legacy pcap; pcarp is pcap-ng-only.
- No dissection of any kind. pcarp gives you the raw packet data. If you want to parse ethernet/IP/TCP/whatever protocol, try pnet or rshark.
- No filtering. This one follows from "no dissection".
License
The software itself is in the public domain.
Some of the documentation is copied from the pcap spec, so the copyright is owned by the IETF; these places are clearly marked. The pcaps used by the integration tests are distributed by the Wireshark Foundation under the terms of the GNU GPL.