Struct EnhancedPacketBlock

pub struct EnhancedPacketBlock<'a> {
    pub block_type: u32,
    pub block_len1: u32,
    pub if_id: u32,
    pub ts_high: u32,
    pub ts_low: u32,
    pub caplen: u32,
    pub origlen: u32,
    pub data: &'a [u8],
    pub options: Vec<PcapNGOption<'a>>,
    pub block_len2: u32,
}

An Enhanced Packet Block (EPB) is the standard container for storing the packets coming from the network.

This struct is a thin abstraction layer, and stores the raw block data. For ex the data field is stored with the padding. It implements the PcapNGPacketBlock trait, which provides helper functions.

Examples

use pcap_parser::pcapng::parse_enhancedpacketblock_le;
use pcap_parser::traits::PcapNGPacketBlock;

let (i, epb) = parse_enhancedpacketblock_le(pcap_data).unwrap();
let packet_data = epb.packet_data();
if packet_data.len() < epb.orig_len() as usize {
    // packet was truncated
} else {
    // we have a full packet
}

Fields

block_type: u32

block_len1: u32

if_id: u32

ts_high: u32

ts_low: u32

caplen: u32

Captured packet length

origlen: u32

Original packet length

data: &'a [u8]

Raw data from packet (with padding)

options: Vec<PcapNGOption<'a>>

block_len2: u32

Implementations

impl EnhancedPacketBlock<'_>

pub fn decode_ts(&self, ts_offset: u64, resolution: u64) -> (u32, u32)

Decode the packet timestamp

To decode the timestamp, the raw values if_tsresol and if_tsoffset are required. These values are stored as options in the InterfaceDescriptionBlock matching the interface ID.

Return the timestamp seconds and fractional part (in resolution units)

pub fn decode_ts_f64(&self, ts_offset: u64, resolution: u64) -> f64

Decode the packet timestamp as f64

To decode the timestamp, the resolution and offset are required. These values are stored as options in the InterfaceDescriptionBlock matching the interface ID.

Trait Implementations

impl<'a> Debug for EnhancedPacketBlock<'a>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PcapNGPacketBlock for EnhancedPacketBlock<'_>

fn big_endian(&self) -> bool

Return true if block is encoded as big-endian

fn truncated(&self) -> bool

Return true if block data was truncated (typically when snaplen < origlen)

fn orig_len(&self) -> u32

Return the original length of the packet

fn raw_packet_data(&self) -> &[u8]

Return the raw captured packet data, with padding if present, and eventually truncated.

fn packet_data(&self) -> &[u8]

Return the captured packet data without padding

impl ToVec for EnhancedPacketBlock<'_>

Available on crate feature serialize only.

fn fix(&mut self)

Check and correct all fields: use magic, version and fix lengths fields

fn to_vec_raw(&self) -> Result<Vec<u8>, GenError>

Serialize to bytes representation (little-endian). Do not check values

fn to_vec(&mut self) -> Result<Vec<u8>, GenError>

Serialize to bytes representation (little-endian). Check values and fix all fields before serializing.