PCAPNG file format
See https://github.com/pcapng/pcapng for details.
There are several ways of parsing a PCAPNG file. The first method is to use parse_pcapng. This method requires loading the entire file into memory, and thus may not be suitable for large files. The second method is to create a PcapNGCapture object, which implements the Capture trait to provide generic methods. However, this method also reads the entire file. The third (and preferred) method is to use a PcapNGReader object, which parses the data as a stream. The last method is to manually read the blocks using parse_sectionheaderblock, parse_block_le and/or parse_block_be.
File format and parsing
A capture file is organized in blocks. Blocks are organized in sections, each section starting with a Section Header Block (SHB), and followed by blocks (interface description, statistics, packets, etc.). A file is usually composed of one section, but can contain multiple sections. When a SHB is encountered, this means a new section starts (and all information about the previous section, such as interfaces, has to be flushed).
Endianness
The endianness of a block is indicated by the Section Header Block that started the section containing this block. Since a file can contain several sections, a single file can contain both endianness variants.
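The two rules above (a new section at every SHB, endianness taken from that SHB's Byte-Order Magic) are what a manual block walker has to get right on untrusted input. The following dependency-free example is added here and is not pcap-parser's own code: it walks block headers, switches endianness per section, and validates every block length before trusting it. The magic values are taken from the pcapng specification; the sample file (a little-endian section followed by a big-endian one) is constructed for the example.

```rust
// Magic values from the pcapng specification; the sample data below is constructed.
pub const SHB_MAGIC: u32 = 0x0A0D_0D0A;
pub const BOM_MAGIC: u32 = 0x1A2B_3C4D;
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Endian { Little, Big }
/// Read a u32 at `off` with the given endianness, or None if it is out of range.
fn read_u32(buf: &[u8], off: usize, e: Endian) -> Option<u32> {
    let b = buf.get(off..off.checked_add(4)?)?;
    let b = [b[0], b[1], b[2], b[3]];
    Some(if e == Endian::Little { u32::from_le_bytes(b) } else { u32::from_be_bytes(b) })
}
/// Walk every block, switching endianness at each SHB; returns (block type, endianness) per block or an error.
pub fn walk_blocks(buf: &[u8]) -> Result<Vec<(u32, Endian)>, String> {
    let (mut out, mut off, mut endian) = (Vec::new(), 0usize, None);
    while off < buf.len() {
        // The SHB type is a byte palindrome, so it is recognisable before the endianness is known;
        // the Byte-Order Magic at offset 8 then decides the endianness of the new section.
        if read_u32(buf, off, Endian::Little) == Some(SHB_MAGIC) {
            endian = Some(match read_u32(buf, off + 8, Endian::Little) {
                Some(BOM_MAGIC) => Endian::Little,
                Some(x) if x == BOM_MAGIC.swap_bytes() => Endian::Big,
                _ => return Err(format!("bad byte-order magic in SHB at offset {}", off)),
            });
        }
        let e = endian.ok_or("first block is not a Section Header Block")?;
        let ty = read_u32(buf, off, e).ok_or("truncated block header")?;
        let len = read_u32(buf, off + 4, e).ok_or("truncated block header")? as usize;
        // Untrusted length: require the 12-byte minimum, 4-byte alignment, an in-bounds end
        // and a matching trailing length copy before advancing (no panic, no over-read).
        if len < 12 || len % 4 != 0 || off.checked_add(len).map_or(true, |end| end > buf.len())
            || read_u32(buf, off + len - 4, e) != Some(len as u32) {
            return Err(format!("invalid block length {} at offset {}", len, off));
        }
        out.push((ty, e));
        off += len;
    }
    Ok(out)
}
/// Constructed sample: a little-endian section (SHB + IDB) followed by a big-endian SHB.
pub fn sample_file() -> Vec<u8> {
    let mut v = Vec::new();
    for e in [Endian::Little, Endian::Big] {
        // SHB (28 bytes): type, length, BOM, major 1 / minor 0 (two u16), section length -1, length.
        let ver = if e == Endian::Little { 0x0000_0001 } else { 0x0001_0000 };
        let mut words = vec![SHB_MAGIC, 28, BOM_MAGIC, ver, u32::MAX, u32::MAX, 28];
        // Only the first section carries an IDB (20 bytes): type 1, length, linktype 1, snaplen, length.
        if e == Endian::Little { words.extend([1, 20, 1, 65535, 20]); }
        for w in words { v.extend(if e == Endian::Little { w.to_le_bytes() } else { w.to_be_bytes() }); }
    }
    v
}
```

A real reader would go on to dispatch on the block type with the per-section endianness, exactly as parse_block_le and parse_block_be do; the length checks here are the part that keeps a corrupted or hostile capture from driving an out-of-bounds read.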
Structs
- CustomBlock
- DecryptionSecretsBlock
- EnhancedPacketBlock - An Enhanced Packet Block (EPB) is the standard container for storing the packets coming from the network.
- InterfaceBlockIterator
- InterfaceDescriptionBlock - An Interface Description Block (IDB) is the container for information describing an interface on which packet data is captured.
- InterfaceStatisticsBlock
- NameRecord
- NameRecordType
- NameResolutionBlock
- OptionCode
- PcapNGCapture - Generic interface for PCAPNG file access
- PcapNGCaptureIterator - Iterator over PcapNGCapture
- PcapNGHeader
- PcapNGOption
- PcapNGReader - Parsing iterator over pcap-ng data (streaming version)
- PcapNGSlice - Parsing iterator over pcap-ng data (requires data to be loaded into memory)
- ProcessInformationBlock
- SecretsType
- Section - A Section (including all blocks) from a PcapNG file
- SectionBlockIterator
- SectionHeaderBlock - The Section Header Block (SHB) identifies the beginning of a section of the capture file.
- SimplePacketBlock - The Simple Packet Block (SPB) is a lightweight container for storing the packets coming from the network.
- SystemdJournalExportBlock
- UnknownBlock - Unknown block (magic not recognized, or not yet implemented)
Enums
- Block - A block from a PcapNG file
Constants
- BOM_MAGIC - Byte Order magic
- CB_MAGIC - Custom Block magic
- DCB_MAGIC - Do-not-copy Custom Block magic
- DSB_MAGIC - Decryption Secrets Block magic
- EPB_MAGIC - Enhanced Packet Block magic
- IDB_MAGIC - Interface Description Block magic
- ISB_MAGIC - Interface Statistic Block magic
- NRB_MAGIC - Name Resolution Block magic
- PIB_MAGIC - Process Information Block magic (Apple addition, non standardized)
- SHB_MAGIC - Section Header Block magic
- SJE_MAGIC - Systemd Journal Export Block magic
- SPB_MAGIC - Simple Packet Block magic
Functions
- build_ts - Given the timestamp parameters, return the timestamp seconds and fractional part (in resolution units)
- build_ts_f64 - Given the timestamp parameters, return the timestamp as an f64 value.
- build_ts_resolution - Compute the timestamp resolution, in units per second
- parse_block_be - Parse any block, as big-endian
- parse_block_le - Parse any block, as little-endian
- parse_customblock_be - Parse a Custom Block (big-endian)
- parse_customblock_le - Parse a Custom Block (little-endian)
- parse_dcb_be - Parse a Do-not-copy Custom Block (big-endian)
- parse_dcb_le - Parse a Do-not-copy Custom Block (little-endian)
- parse_decryptionsecretsblock_be - Parse a Decryption Secrets Block (big-endian)
- parse_decryptionsecretsblock_le - Parse a Decryption Secrets Block (little-endian)
- parse_enhancedpacketblock_be - Parse an Enhanced Packet Block (big-endian)
- parse_enhancedpacketblock_le - Parse an Enhanced Packet Block (little-endian)
- parse_interfacedescriptionblock_be - Parse an Interface Description Block (big-endian)
- parse_interfacedescriptionblock_le - Parse an Interface Description Block (little-endian)
- parse_interfacestatisticsblock_be - Parse an Interface Statistics Block (big-endian)
- parse_interfacestatisticsblock_le - Parse an Interface Statistics Block (little-endian)
- parse_nameresolutionblock_be - Parse a Name Resolution Block (big-endian)
- parse_nameresolutionblock_le - Parse a Name Resolution Block (little-endian)
- parse_option_be - Parse a pcap-ng Option (big-endian)
- parse_option_le - Parse a pcap-ng Option (little-endian)
- parse_pcapng - Parse the entire file
- parse_processinformationblock_be - Parse a Process Information Block (big-endian)
- parse_processinformationblock_le - Parse a Process Information Block (little-endian)
- parse_section - Parse one section (little or big endian)
- parse_section_content_block_be - Parse any block from a section (big-endian)
- parse_section_content_block_le - Parse any block from a section (little-endian)
- parse_sectionheaderblock - Parse a Section Header Block (little or big endian)
- parse_sectionheaderblock_be - Parse a Section Header Block (big-endian)
- parse_sectionheaderblock_le - Parse a Section Header Block (little-endian)
- parse_sections - Parse multiple sections (little or big endian)
- parse_simplepacketblock_be - Parse a Simple Packet Block (big-endian)
- parse_simplepacketblock_le - Parse a Simple Packet Block (little-endian)
- parse_systemdjournalexportblock_be - Parse a Systemd Journal Export Block (big-endian)
- parse_systemdjournalexportblock_le - Parse a Systemd Journal Export Block (little-endian)
- parse_unknownblock_be - Parse an unknown block (big-endian)
- parse_unknownblock_le - Parse an unknown block (little-endian)