Module pcap_parser::pcapng

PCAPNG file format

See https://github.com/pcapng/pcapng for details.

There are several ways of parsing a PCAPNG file. The first method is to use parse_pcapng. This method requires loading the entire file into memory, and thus may not be suitable for large files.

The second method is to create a PcapNGCapture object, which implements the Capture trait to provide generic methods. However, this method also reads the entire file.

The third (and preferred) method is to use a PcapNGReader object.

The last method is to manually read the blocks using parse_sectionheaderblock, parse_block_le and/or parse_block_be.

File format and parsing

A capture file is organized in blocks. Blocks are organized in sections, each section starting with a Section Header Block (SHB) and followed by other blocks (interface description, statistics, packets, etc.). A file is usually composed of one section, but can contain multiple sections. When an SHB is encountered, a new section starts, and all information about the previous section (such as interfaces) has to be flushed.

Endianness

The endianness of a block is indicated by the Section Header Block that started the section containing this block. Since a file can contain several sections, a single file can contain both endianness variants.
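The section and byte-order rules above, as an added example (not pcap_parser code): a std-only Rust walker that reads each section's byte order from its Section Header Block, validates every block length, and restarts the interface count at each new section. The names `walk_sections`, `SectionInfo`, `u32_at` and `sample_capture` are assumptions for illustration; the block layout and magic values follow the PCAPNG specification linked above.

```rust
// Added example (std only, not pcap_parser code): track byte order per PCAPNG section.
const SHB_MAGIC: u32 = 0x0A0D_0D0A; // palindromic: readable before the byte order is known
const BOM_MAGIC: u32 = 0x1A2B_3C4D;
const IDB_MAGIC: u32 = 0x0000_0001;
#[derive(Debug, PartialEq)]
pub struct SectionInfo { pub big_endian: bool, pub interfaces: usize, pub blocks: usize }
fn u32_at(d: &[u8], off: usize, be: bool) -> Option<u32> {
    let v = d.get(off..off + 4).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]))?;
    Some(if be { v.swap_bytes() } else { v })
}

pub fn walk_sections(data: &[u8]) -> Result<Vec<SectionInfo>, String> {
    let (mut sections, mut off) = (Vec::<SectionInfo>::new(), 0usize);
    while off < data.len() {
        if u32_at(data, off, false) == Some(SHB_MAGIC) {
            // New section: its byte-order magic fixes the endianness; interfaces start at zero.
            let big_endian = match u32_at(data, off + 8, true) {
                Some(BOM_MAGIC) => true,
                Some(0x4D3C_2B1A) => false, // magic seen byte-swapped
                _ => return Err(format!("bad byte-order magic at offset {}", off + 8)),
            };
            sections.push(SectionInfo { big_endian, interfaces: 0, blocks: 0 });
        }
        let sec = sections.last_mut().ok_or("first block is not a Section Header Block")?;
        let be = sec.big_endian;
        let ty = u32_at(data, off, be).ok_or("truncated block header")?;
        let len = u32_at(data, off + 4, be).ok_or("truncated block header")? as usize;
        // Untrusted length: too small, unaligned, past the buffer, or trailing copy differs.
        if len < 12 || len % 4 != 0 || len > data.len() - off
            || u32_at(data, off + len - 4, be) != Some(len as u32) {
            return Err(format!("invalid block length {} at offset {}", len, off));
        }
        if ty == IDB_MAGIC { sec.interfaces += 1; }
        sec.blocks += 1;
        off += len;
    }
    Ok(sections)
}

/// Constructed sample: a little-endian section (1 IDB), then a big-endian one (2 IDBs).
pub fn sample_capture() -> Vec<u8> {
    let mut f = Vec::new();
    for &(be, idbs) in &[(false, 1), (true, 2)] {
        let w = |v: u32| if be { v.to_be_bytes() } else { v.to_le_bytes() };
        for v in [SHB_MAGIC, 28, BOM_MAGIC, 0, !0, !0, 28] { f.extend_from_slice(&w(v)); }
        for _ in 0..idbs { for v in [IDB_MAGIC, 20, 0, 0, 20] { f.extend_from_slice(&w(v)); } }
    }
    f
}
fn main() { println!("{:?}", walk_sections(&sample_capture())); }
```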

Structs

An Enhanced Packet Block (EPB) is the standard container for storing the packets coming from the network.

An Interface Description Block (IDB) is the container for information describing an interface on which packet data is captured.

A Section (including all blocks) from a PcapNG file

The Section Header Block (SHB) identifies the beginning of a section of the capture file.

The Simple Packet Block (SPB) is a lightweight container for storing the packets coming from the network.

Unknown block (magic not recognized, or not yet implemented)

Enums

A block from a PcapNG file

Constants

Byte Order magic

Custom Block magic

Do-not-copy Custom Block magic

Decryption Secrets Block magic

Enhanced Packet Block magic

Interface Description Block magic

Interface Statistic Block magic

Name Resolution Block magic

Section Header Block magic

Systemd Journal Export Block magic

Simple Packet Block magic

Functions

Given the timestamp parameters, return the timestamp seconds, fractional part and precision (unit) of the fractional part.

parse_block (Deprecated)

Parse any block, as big-endian

Parse any block, as little-endian

Parse an Enhanced Packet Block (big-endian)

Parse an Enhanced Packet Block (little-endian)

Parse an Interface Description Block (big-endian)

Parse an Interface Description Block (little-endian)

Parse one section (little or big endian)

Parse any block from a section (big-endian)

Parse any block from a section (little-endian)

Parse a SectionHeaderBlock (little or big endian)

Parse a SectionHeaderBlock (little or big endian)

Parse multiple sections (little or big endian)

Parse a Simple Packet Block (big-endian)

Parse a Simple Packet Block (little-endian)

Parse an unknown block (big-endian)

Parse an unknown block (little-endian)