Pcap stream framer for debug packet capture (CapturePcap).
This is the format half of Tailscale’s debug packet capture: a PcapSink that frames
captured packets into a byte stream and writes them to any std::io::Write. A separate seam
tees packets into the sink; this module is only concerned with producing bytes.
The on-the-wire format is classic pcap (not pcapng), little-endian, byte-faithful to Go
Tailscale’s feature/capture (capture.go):
- a 24-byte classic pcap global header, written once on construction, using link type LINKTYPE_USER0 (147);
- per packet, a 16-byte classic pcap record header, followed by Tailscale’s custom 4-byte path preamble (a u16 little-endian path code, then a SNAT length byte and a DNAT length byte), followed by the raw IP packet bytes.
Because this fork never performs SNAT/DNAT on the captured path, both NAT length bytes in the
preamble are always 0 (the no-NAT common case). A file produced here is readable in
Wireshark; with Tailscale’s ts-dissector.lua the per-record path/preamble decodes, and without
it the records are still walkable but shown as opaque USER0 data.
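To check a capture without Wireshark, the layout above can be walked directly. The following is an added example, not code from this crate or from Go Tailscale: `walk`, `Record` and `sample_capture` are hypothetical names, the sample bytes are constructed, and it assumes the record header's included-length field counts the 4-byte preamble plus the packet.

```rust
pub const LINKTYPE_USER0: u32 = 147;
#[derive(Debug, PartialEq)]
pub struct Record<'a> { pub path: u16, pub packet: &'a [u8] }

fn u32le(b: &[u8], off: usize) -> Option<u32> {
    let s = b.get(off..off + 4)?;
    Some(u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}

/// Walk a capture: 24-byte global header, then 16-byte record header + 4-byte preamble + packet.
pub fn walk(buf: &[u8]) -> Result<Vec<Record<'_>>, &'static str> {
    if buf.len() < 24 { return Err("truncated global header"); }
    if u32le(buf, 0) != Some(0xa1b2_c3d4) { return Err("not little-endian classic pcap"); }
    if u32le(buf, 20) != Some(LINKTYPE_USER0) { return Err("link type is not USER0"); }
    let (mut off, mut out) = (24usize, Vec::new());
    while off < buf.len() {
        // Assumption: incl_len (record header offset 8) counts preamble + packet bytes.
        let incl = u32le(buf, off + 8).ok_or("truncated record header")? as usize;
        let body = buf.get(off + 16..).and_then(|b| b.get(..incl)).ok_or("truncated record")?;
        if body.len() < 4 { return Err("record shorter than preamble"); }
        // The page states both NAT length bytes are always 0 in this fork; reject anything else.
        if body[2] != 0 || body[3] != 0 { return Err("unexpected NAT length"); }
        out.push(Record { path: u16::from_le_bytes([body[0], body[1]]), packet: &body[4..] });
        off += 16 + incl;
    }
    Ok(out)
}

/// Build a one-record capture for the demo (constructed data, zero timestamp).
pub fn sample_capture(path: u16, packet: &[u8]) -> Vec<u8> {
    let mut f = Vec::new();
    f.extend_from_slice(&[0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0]); // LE magic, version 2.4
    f.extend_from_slice(&[0u8; 8]);                     // thiszone, sigfigs
    f.extend_from_slice(&65535u32.to_le_bytes());       // snaplen (constructed)
    f.extend_from_slice(&LINKTYPE_USER0.to_le_bytes()); // network (link type)
    let len = (4 + packet.len()) as u32;
    f.extend_from_slice(&[0u8; 8]);                     // ts_sec, ts_usec
    f.extend_from_slice(&len.to_le_bytes());            // incl_len
    f.extend_from_slice(&len.to_le_bytes());            // orig_len
    f.extend_from_slice(&path.to_le_bytes());           // path code
    f.extend_from_slice(&[0, 0]);                       // SNAT len, DNAT len
    f.extend_from_slice(packet);
    f
}

fn main() {
    let file = sample_capture(1, &[0x45, 0, 0, 20]); // path code and bytes are constructed
    println!("{:?}", walk(&file));
}
```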
Structs
- PcapSink - A pcap stream framer that writes captured packets to a writer in Go-Tailscale-faithful classic pcap (USER0 link type + a 4-byte path preamble per record). Construct with PcapSink::new (which emits the global header), then call PcapSink::log_packet per packet.
Constants
- LINKTYPE_USER0 - LINKTYPE_USER0 — the link-layer type Go Tailscale uses for its capture stream. Wireshark needs Tailscale’s ts-dissector.lua to decode the per-record path/preamble; without it the records are still walkable but shown as opaque USER0 data.