Struct Analyzer

pub struct Analyzer { /* private fields */ }

Pcap/Pcap-ng analyzer

Read input pcap/pcap-ng data, parse it and call plugin callbacks for each ISO layer (L2 if available, L3 and L4). Flows are created for L4 sessions. Events are sent when plugins are created or destroyed.

The number of worker threads can be configured from the num_threads configuration variable. By default, it is 0 (auto-detect the number of cores and create the same number of threads).

All callbacks for a single ISO layer will be called concurrently before calling the next level callbacks.

Implementations

impl Analyzer

pub fn new(registry: Arc<PluginRegistry>, config: &Config) -> Analyzer

pub fn registry(&self) -> &PluginRegistry

Get a reference to plugin registry

pub fn with_deterministic_rng(self) -> Self

Use deterministic values for random numbers (for ex. flow IDs)

This option is intended for use in testing

Trait Implementations

impl PcapAnalyzer for Analyzer

fn init(&mut self) -> Result<(), Error>

Initialize all plugins

fn handle_packet( &mut self, packet: &Packet<'_>, ctx: &ParseContext, ) -> Result<(), Error>

Dispatch function: given a packet, use link type to get the real data, and call the matching handling function (some pcap blocks encode ethernet, or IPv4 etc.)

fn teardown(&mut self)

Finalize analysis and notify plugins

fn handle_block( &mut self, _block: &PcapBlockOwned<'_>, _block_ctx: &ParseBlockContext, ) -> Result<(), Error>

Optional callback for every block of the pcap/pcapng file

fn before_refill(&mut self)

impl SafePcapAnalyzer for Analyzer