Module pcap_parser::pcapng
PCAPNG file format
See https://github.com/pcapng/pcapng for details.
There are several ways of parsing a PCAPNG file. The first method is to use
parse_pcapng. This method requires loading the entire
file into memory, and thus may not be suitable for large files.
The second method is to create a PcapNGCapture object,
which implements the Capture trait to provide generic methods.
However, this method also reads the entire file.
The third (and preferred) method is to use a PcapNGReader
object.
The last method is to manually read the blocks using
parse_sectionheaderblock,
parse_block_le and/or
parse_block_be.
File format and parsing
A capture file is organized in blocks. Blocks are organized in sections, each section starting with a Section Header Block (SHB) followed by other blocks (interface description, statistics, packets, etc.). A file is usually composed of one section, but can contain multiple sections. When an SHB is encountered, a new section starts, and all information about the previous section (such as interfaces) has to be flushed.
Endianness
The endianness of a block is indicated by the Section Header Block that started the section containing this block. Since a file can contain several sections, a single file can contain both endianness variants.
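The section and endianness rules above, as an added example that is not part of pcap_parser: a std-only walker that re-detects the byte order at each Section Header Block and validates every block length before using it. The numeric values of `SHB_MAGIC` and `BOM_MAGIC` are taken from the pcapng specification, and `rd32`, `walk_blocks` and `sample` are names made up for this example.

```rust
// Added example, std only (not pcap_parser code). Constant values are from the pcapng spec.
const SHB_MAGIC: u32 = 0x0A0D_0D0A; // SHB block type: reads the same in both byte orders
const BOM_MAGIC: u32 = 0x1A2B_3C4D; // byte-order magic, first field of the SHB body

fn rd32(b: &[u8], big: bool) -> u32 {
    let a = [b[0], b[1], b[2], b[3]];
    if big { u32::from_be_bytes(a) } else { u32::from_le_bytes(a) }
}

/// Returns (type, big-endian?, length) per block; lengths are untrusted and checked before use.
fn walk_blocks(data: &[u8]) -> Result<Vec<(u32, bool, usize)>, String> {
    let (mut out, mut off, mut big) = (Vec::new(), 0usize, None::<bool>);
    while off < data.len() {
        let rest = &data[off..];
        if rest.len() < 12 {
            return Err(format!("truncated block at offset {}", off));
        }
        if rd32(rest, false) == SHB_MAGIC {
            // A new section starts: re-detect its byte order from the byte-order magic.
            big = Some(match rd32(&rest[8..], false) {
                BOM_MAGIC => false,
                m if m.swap_bytes() == BOM_MAGIC => true,
                _ => return Err(format!("bad byte-order magic at offset {}", off)),
            });
        }
        let be = big.ok_or("block found before any Section Header Block")?;
        let len = rd32(&rest[4..], be) as usize;
        if len < 12 || len % 4 != 0 || len > rest.len() || rd32(&rest[len - 4..], be) as usize != len {
            return Err(format!("invalid block length {} at offset {}", len, off));
        }
        out.push((rd32(rest, be), be, len));
        off += len;
    }
    Ok(out)
}

/// Constructed sample: per section an SHB (version 1.0) and an IDB (linktype 1); LE, then BE.
fn sample() -> Vec<u8> {
    let mut f: Vec<u8> = Vec::new();
    for big in [false, true] {
        let h = if big { 0x0001_0000 } else { 1 }; // u16 1 then u16 0, as one 32-bit word
        for v in [SHB_MAGIC, 28, BOM_MAGIC, h, !0, !0, 28, 1, 20, h, 0, 20] {
            f.extend_from_slice(&if big { v.to_be_bytes() } else { v.to_le_bytes() });
        }
    }
    f
}

fn main() {
    println!("{:?}", walk_blocks(&sample()));
}
```
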
Structs
| CustomBlock | |
| DecryptionSecretsBlock | |
| EnhancedPacketBlock | An Enhanced Packet Block (EPB) is the standard container for storing the packets coming from the network. |
| InterfaceBlockIterator | |
| InterfaceDescriptionBlock | An Interface Description Block (IDB) is the container for information describing an interface on which packet data is captured. |
| InterfaceStatisticsBlock | |
| NameRecord | |
| NameRecordType | |
| NameResolutionBlock | |
| OptionCode | |
| PcapNGHeader | |
| PcapNGOption | |
| SecretsType | |
| Section | A Section (including all blocks) from a PcapNG file |
| SectionBlockIterator | |
| SectionHeaderBlock | The Section Header Block (SHB) identifies the beginning of a section of the capture file. |
| SimplePacketBlock | The Simple Packet Block (SPB) is a lightweight container for storing the packets coming from the network. |
| SystemdJournalExportBlock | |
| UnknownBlock | Unknown block (magic not recognized, or not yet implemented) |
Enums
| Block | A block from a PcapNG file |
Constants
| BOM_MAGIC | Byte Order magic |
| CB_MAGIC | Custom Block magic |
| DCB_MAGIC | Do-not-copy Custom Block magic |
| DSB_MAGIC | Decryption Secrets Block magic |
| EPB_MAGIC | Enhanced Packet Block magic |
| IDB_MAGIC | Interface Description Block magic |
| ISB_MAGIC | Interface Statistics Block magic |
| NRB_MAGIC | Name Resolution Block magic |
| SHB_MAGIC | Section Header Block magic |
| SJE_MAGIC | Systemd Journal Export Block magic |
| SPB_MAGIC | Simple Packet Block magic |
Functions
| build_ts | Given the timestamp parameters, return the timestamp seconds, fractional part and precision (unit) of the fractional part. |
| parse_block | Deprecated |
| parse_block_be | Parse any block, as big-endian |
| parse_block_le | Parse any block, as little-endian |
| parse_customblock_be | |
| parse_customblock_le | |
| parse_dcb_be | |
| parse_dcb_le | |
| parse_decryptionsecretsblock_be | |
| parse_decryptionsecretsblock_le | |
| parse_enhancedpacketblock_be | Parse an Enhanced Packet Block (big-endian) |
| parse_enhancedpacketblock_le | Parse an Enhanced Packet Block (little-endian) |
| parse_interfacedescriptionblock_be | Parse an Interface Description Block (big-endian) |
| parse_interfacedescriptionblock_le | Parse an Interface Description Block (little-endian) |
| parse_interfacestatisticsblock_be | |
| parse_interfacestatisticsblock_le | |
| parse_nameresolutionblock_be | |
| parse_nameresolutionblock_le | |
| parse_option_be | |
| parse_option_le | |
| parse_section | Parse one section (little or big endian) |
| parse_section_content_block | Deprecated |
| parse_section_content_block_be | Parse any block from a section (big-endian) |
| parse_section_content_block_le | Parse any block from a section (little-endian) |
| parse_sectionheader | Deprecated. Parse a SectionHeaderBlock (little or big endian) |
| parse_sectionheaderblock | Parse a SectionHeaderBlock (little or big endian) |
| parse_sectionheaderblock_be | |
| parse_sectionheaderblock_le | |
| parse_sections | Parse multiple sections (little or big endian) |
| parse_simplepacketblock_be | Parse a Simple Packet Block (big-endian) |
| parse_simplepacketblock_le | Parse a Simple Packet Block (little-endian) |
| parse_systemdjournalexportblock_be | |
| parse_systemdjournalexportblock_le | |
| parse_unknownblock_be | Parse an unknown block (big-endian) |
| parse_unknownblock_le | Parse an unknown block (little-endian) |