pcarp
A pure-Rust library for reading pcap-ng files.
- Correct: Agrees with
tshark
across a broad test suite. - Fast: Zero-copy. Performance is comparable to
libpcap
. - Flexible input: Takes anything which implements
Read
. - Flexible output: Exposes a streaming-iterator-style API.
- Reliable: No panics, even on malformed input.
Limitations
pcarp
is a simple library: it reads pcap-ng files and that's it.
Limitations compared to libpcap
:
- No support for legacy pcap;
pcarp
is pcap-ng-only. - No support for writing;
pcarp
is read-only. - No dissection of any kind.
pcarp
gives you the raw packet data. If you want to parse ethernet/IP/TCP/whatever protocol, try pnet or rshark. - No filtering. This one follows from "no dissection".
API
Are your pcaps gzipped? No problem: Capture::new()
takes anything which
implements Read
, so just wrap your File
in a GzDecoder
first.
The output API is streaming-iterator-style (advance()
and get()
), and
an iterator-style API is also included for convenience.
Conformance
The integration test suite consists of all the pcapng files I could scrape from the Wireshark wiki. See integration_tests/ for details.
Safety
It's our intention that pcarp
should never panic, even given malformed or
malicious input. The library is fuzzed to help ensure that this is the case,
but fuzzing isn't perfect. If you experience a crash, please report it to
the authors.
It's currently possible to construct bad blocks which pcarp
can't move past.
In other words: you can insert one of these malformed blocks into an otherwise
good pcap and instead of reporting a single error and moving on, pcarp
will give you an infinite series of errors. If your input is untrusted,
don't assume that your stream will terminate.
Performance
Proper benchmarking is a TODO. I have compared the decoding time to
that of the pcap
library (which uses libpcap
) over a variety of pcaps.
On some files pcarp
consistently overperforms, and on some it consistently
underperforms, so it's not really possible to say which of the two performs
better; but I think it's fair to say they're similar.
License
The software itself is in the public domain.
Some of the documentation is copied from the pcap spec, so the copyright is owned by the IETF; these places are cleary marked. The pcaps used by the integration tests are distributed by the Wireshark Foundation under the terms of the GNU GPL.