Crate pcarp

pcarp is a pure-Rust library for reading pcap-ng files.

  • Correct: Agrees with tshark across a broad test suite.
  • Fast: Performance is comparable to libpcap, although YMMV.
  • Flexible: Takes anything which implements Read; returns packets with a streaming-iterator-style API.

Limitations compared to libpcap:

  • No support for legacy pcap; pcarp is pcap-ng-only.
  • No dissection of any kind. pcarp gives you the raw packet data. If you want to parse Ethernet/IP/TCP/whatever protocol, try pnet or rshark.
  • No filtering. This one follows from “no dissection”.

The entry point is Capture.

Example

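use pcarp::Capture;
use std::fs::File;
use std::time::UNIX_EPOCH;

// Capture accepts any Read, so the xz decoder can be passed in directly.
let file = File::open("integration_tests/10_sqldeveloper10_2016.pcapng.xz").unwrap();
let uncompressed = xz2::read::XzDecoder::new(file);
let mut pcap = Capture::new(uncompressed).unwrap();
// Each item is a Result; a malformed block surfaces here as an Err.
while let Some(pkt) = pcap.next() {
    let pkt = pkt.unwrap();
    // Fall back to the epoch when the packet carries no timestamp.
    let ts = pkt.timestamp.unwrap_or(UNIX_EPOCH);
    println!("[{:?}] Packet with length {}", ts, pkt.data.len());
}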
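
To show what "raw packet data" means at the file level, here is an added example that is not pcarp's code and does not use pcarp: a std-only walk over pcap-ng block framing that treats every length field as untrusted. It handles a single section and Enhanced Packet Blocks only; the names packets, sample and u32_at are made up for this example, and the capture bytes are constructed.

```rust
// Added example, not pcarp's code: std-only walk over pcap-ng block framing.
const SHB: u32 = 0x0A0D_0D0A; // Section Header Block type
const EPB: u32 = 0x0000_0006; // Enhanced Packet Block type
fn u32_at(buf: &[u8], off: usize, be: bool) -> Option<u32> {
    let b = buf.get(off..off.checked_add(4)?)?;
    let a = [b[0], b[1], b[2], b[3]];
    Some(if be { u32::from_be_bytes(a) } else { u32::from_le_bytes(a) })
}

/// Captured bytes of every Enhanced Packet Block. All lengths are untrusted.
pub fn packets(buf: &[u8]) -> Result<Vec<&[u8]>, String> {
    // The SHB type reads the same in either byte order; the magic at offset 8 fixes endianness.
    let be = match (u32_at(buf, 0, false), buf.get(8..12)) {
        (Some(SHB), Some([0x1A, 0x2B, 0x3C, 0x4D])) => true,
        (Some(SHB), Some([0x4D, 0x3C, 0x2B, 0x1A])) => false,
        _ => return Err("not a pcap-ng section header".into()),
    };
    let (mut off, mut out) = (0usize, Vec::new());
    while off < buf.len() {
        let ty = u32_at(buf, off, be).ok_or("truncated block header")?;
        let len = u32_at(buf, off + 4, be).ok_or("truncated block header")? as usize;
        // Total length counts the type and both length fields; 4-byte aligned.
        if len < 12 || len % 4 != 0 { return Err(format!("bad block length {}", len)); }
        let end = off.checked_add(len).filter(|&e| e <= buf.len()).ok_or("block overruns file")?;
        if u32_at(buf, end - 4, be) != Some(len as u32) { return Err("length mismatch".into()); }
        if ty == EPB {
            // Body: interface id, timestamp high/low, captured len, original len, data.
            let cap = u32_at(buf, off + 20, be).ok_or("truncated packet block")? as usize;
            let data = (off + 28).checked_add(cap).filter(|&e| e <= end - 4)
                .and_then(|e| buf.get(off + 28..e)).ok_or("captured length overruns block")?;
            out.push(data);
        }
        off = end;
    }
    Ok(out)
}

/// Constructed sample: section header, Ethernet interface, one 5-byte packet.
pub fn sample() -> Vec<u8> {
    fn block(ty: u32, body: &[u8]) -> Vec<u8> {
        let len = (body.len() as u32 + 12).to_le_bytes();
        [&ty.to_le_bytes()[..], &len[..], body, &len[..]].concat()
    }
    let shb = [&[0x4Du8, 0x3C, 0x2B, 0x1A, 1, 0, 0, 0][..], &[0xFF; 8][..]].concat();
    let epb = [&[0u8; 12][..], &[5, 0, 0, 0, 5, 0, 0, 0][..], &b"hello\0\0\0"[..]].concat();
    [block(SHB, &shb), block(1, &[1, 0, 0, 0, 0, 0, 0, 0]), block(EPB, &epb)].concat()
}

fn main() { println!("{:?}", packets(&sample()).map(|p| p.len())); }
```

Truncating the sample or inflating its captured-length field yields an Err instead of an out-of-bounds read.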

Modules

Block definitions. Not meant for consumption.

Structs

A packet capture which can be iterated over.
A network interface.
A single captured packet.

Enums

The type of physical link backing a network interface.