pcap_parser/
pcapng.rs

1//! PCAPNG file format
2//!
3//! See <https://github.com/pcapng/pcapng> for details.
4//!
5//! There are several ways of parsing a PCAPNG file. The first method is to use
6//! [`parse_pcapng`]. This method requires loading the entire
7//! file into memory, and thus may not be suitable for large files or for input of unknown size.
8//!
9//! The second method is to create a [`PcapNGCapture`] object,
10//! which implements the [`Capture`](crate::Capture) trait to provide generic methods.
11//! However, this method also reads the entire file.
12//!
13//! The third (and preferred) method is to use a [`PcapNGReader`]
14//! object.
15//!
16//! The last method is to manually read the blocks using
17//! [`parse_sectionheaderblock`],
18//! [`parse_block_le`] and/or
19//! [`parse_block_be`].
20//!
21//! ## File format and parsing
22//!
23//! A capture file is organized in blocks. Blocks are organized in sections, each section
24//! starting with a Section Header Block (SHB), and followed by blocks (interface description,
25//! statistics, packets, etc.).
26//! A file is usually composed of one section, but can contain multiple sections. When an SHB is
27//! encountered, a new section starts, and all information about the previous section (such as
28//! its interfaces) has to be flushed.
29//!
30//! ## Endianness
31//!
32//! The endianness of a block is indicated by the Section Header Block that started the section
33//! containing this block. Since a file can contain several sections, a single file can contain
34//! both endianness variants.
35
36// helpers and common modules
37mod block;
38mod capture;
39mod header;
40mod option;
41mod reader;
42mod section;
43mod time;
44
45pub use block::*;
46pub use capture::*;
47pub use header::*;
48pub use option::*;
49pub use reader::*;
50pub use section::*;
51pub use time::*;
52
53// block type modules
54mod custom;
55mod decryption_secrets;
56mod enhanced_packet;
57mod interface_description;
58mod interface_statistics;
59mod name_resolution;
60mod process_information;
61mod section_header;
62mod simple_packet;
63mod systemd_journal_export;
64mod unknown;
65
66pub use custom::*;
67pub use decryption_secrets::*;
68pub use enhanced_packet::*;
69pub use interface_description::*;
70pub use interface_statistics::*;
71pub use name_resolution::*;
72pub use process_information::*;
73pub use section_header::*;
74pub use simple_packet::*;
75pub use systemd_journal_export::*;
76pub use unknown::*;
77
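// PCAPNG block type codes ("magic" values) exported by this module.
//
// The listing carried line-number residue fused to every line; the constants
// below are the same names and values with that residue removed.

/// Section Header Block magic
///
/// Marks the start of a new section. The value is a byte-wise palindrome
/// (`0A 0D 0D 0A`), so it reads the same in either byte order; the endianness
/// of the section has to be taken from [`BOM_MAGIC`] instead.
pub const SHB_MAGIC: u32 = 0x0A0D_0D0A;
/// Interface Description Block magic
pub const IDB_MAGIC: u32 = 0x0000_0001;
/// Simple Packet Block magic
pub const SPB_MAGIC: u32 = 0x0000_0003;
/// Name Resolution Block magic
pub const NRB_MAGIC: u32 = 0x0000_0004;
/// Interface Statistics Block magic
pub const ISB_MAGIC: u32 = 0x0000_0005;
/// Enhanced Packet Block magic
pub const EPB_MAGIC: u32 = 0x0000_0006;

/// Systemd Journal Export Block magic
pub const SJE_MAGIC: u32 = 0x0000_0009;

/// Decryption Secrets Block magic
///
/// Per the pcapng specification, blocks of this type carry key material used
/// to decrypt the captured traffic (for example a TLS key log). Treat any
/// capture that contains one as sensitive, and strip the block before sharing
/// the file when the secrets are not meant to leave the capture host.
pub const DSB_MAGIC: u32 = 0x0000_000A;

/// Custom Block magic
pub const CB_MAGIC: u32 = 0x0000_0BAD;

/// Do-not-copy Custom Block magic
///
/// Same value as [`CB_MAGIC`] with bit 30 set. Per the pcapng specification,
/// a tool that rewrites a capture should not copy such blocks into the new
/// file.
pub const DCB_MAGIC: u32 = 0x4000_0BAD;

/// Byte Order magic
///
/// Unlike the other constants here this is not a block type. Per the pcapng
/// specification it is a field of the Section Header Block: reading it back as
/// `0x1A2B_3C4D` or as the byte-swapped `0x4D3C_2B1A` tells the parser which
/// endianness the section uses. Any other value means the input is not a
/// valid section header.
pub const BOM_MAGIC: u32 = 0x1A2B_3C4D;

/// Process Information Block magic
/// (Apple addition, non standardized)
///
/// Bit 31 is set; NOTE(review): the pcapng specification reserves such block
/// types for local use, so other producers may reuse this value with a
/// different layout — confirm before trusting the block contents.
pub const PIB_MAGIC: u32 = 0x8000_0001;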