Module pcap_parser::pcapng

PCAPNG file format

See https://github.com/pcapng/pcapng for details.

There are several ways of parsing a PCAPNG file. The first method is to use parse_pcapng. This method requires to load the entire file to memory, and thus may not be good for large files.

The second method is to create a PcapNGCapture object, which implements the Capture trait to provide generic methods. However, this method also reads the entire file.

The third (and prefered) method is to use a PcapNGReader object.

The last method is to manually read the blocks using parse_sectionheaderblock, parse_block_le and/or parse_block_be.

File format and parsing

A capture file is organized in blocks. Blocks are organized in sections, each section starting with a Section Header Block (SHB), and followed by blocks (interface description, statistics, packets, etc.). A file is usually composed of one section, but can contain multiple sections. When a SHB is encountered, this means a new section starts (and all information about previous section has to be flushed, like interfaces).

Endianness

The endianness of a block is indicated by the Section Header Block that started the section containing this block. Since a file can contain several sections, a single file can contain both endianness variants.

Structs

• CustomBlock
• DecryptionSecretsBlock
• EnhancedPacketBlock
  An Enhanced Packet Block (EPB) is the standard container for storing the packets coming from the network.
• InterfaceBlockIterator
• InterfaceDescriptionBlock
  An Interface Description Block (IDB) is the container for information describing an interface on which packet data is captured.
• InterfaceStatisticsBlock
• NameRecord
• NameRecordType
• NameResolutionBlock
• OptionCode
• PcapNGHeader
• PcapNGOption
• ProcessInformationBlock
• SecretsType
• Section
  A Section (including all blocks) from a PcapNG file
• SectionBlockIterator
• SectionHeaderBlock
  The Section Header Block (SHB) identifies the beginning of a section of the capture capture file.
• SimplePacketBlock
  The Simple Packet Block (SPB) is a lightweight container for storing the packets coming from the network.
• SystemdJournalExportBlock
• UnknownBlock
  Unknown block (magic not recognized, or not yet implemented)

Enums

• Block
  A block from a PcapNG file

Constants

• BOM_MAGIC
  Byte Order magic
• CB_MAGIC
  Custom Block magic
• DCB_MAGIC
  Do-not-copy Custom Block magic
• DSB_MAGIC
  Decryption Secrets Block magic
• EPB_MAGIC
  Enhanced Packet Block magic
• IDB_MAGIC
  Interface Description Block magic
• ISB_MAGIC
  Interface Statistic Block magic
• NRB_MAGIC
  Name Resolution Block magic
• PIB_MAGIC
  Process Information Block magic (Apple addition, non standardized)
• SHB_MAGIC
  Section Header Block magic
• SJE_MAGIC
  Systemd Journal Export Block magic
• SPB_MAGIC
  Simple Packet Block magic

Functions

• build_ts
  Given the timestamp parameters, return the timestamp seconds and fractional part (in resolution units)
• build_ts_f64
  Given the timestamp parameters, return the timestamp as a f64 value.
• build_ts_resolution
  Compute the timestamp resolution, in units per second
• parse_block_be
  Parse any block, as big-endian
• parse_block_le
  Parse any block, as little-endian
• parse_customblock_be
• parse_customblock_le
• parse_dcb_be
• parse_dcb_le
• parse_decryptionsecretsblock_be
• parse_decryptionsecretsblock_le
• parse_enhancedpacketblock_be
  Parse an Enhanced Packet Block (big-endian)
• parse_enhancedpacketblock_le
  Parse an Enhanced Packet Block (little-endian)
• parse_interfacedescriptionblock_be
  Parse an Interface Packet Block (big-endian)
• parse_interfacedescriptionblock_le
  Parse an Interface Packet Block (little-endian)
• parse_interfacestatisticsblock_be
• parse_interfacestatisticsblock_le
• parse_nameresolutionblock_be
• parse_nameresolutionblock_le
• parse_option_be
• parse_option_le
• parse_processinformationblock_be
• parse_processinformationblock_le
• parse_section
  Parse one section (little or big endian)
• parse_section_content_block_be
  Parse any block from a section (big-endian)
• parse_section_content_block_le
  Parse any block from a section (little-endian)
• parse_sectionheaderblock
  Parse a SectionHeaderBlock (little or big endian)
• parse_sectionheaderblock_be
• parse_sectionheaderblock_le
• parse_sections
  Parse multiple sections (little or big endian)
• parse_simplepacketblock_be
  Parse a Simple Packet Block (big-endian)
• parse_simplepacketblock_le
  Parse a Simple Packet Block (little-endian)
• parse_systemdjournalexportblock_be
• parse_systemdjournalexportblock_le
• parse_unknownblock_be
  Parse an unknown block (big-endian)
• parse_unknownblock_le
  Parse an unknown block (little-endian)