pcarp is a pure-Rust library for reading pcap-ng files.

- Correct: Agrees with tshark across a broad test suite.
- Fast: Performance is comparable to libpcap, although YMMV.
- Flexible: Takes anything which implements Read; returns packets with a streaming-iterator-style API.

Limitations compared to libpcap:

- No support for legacy pcap; pcarp is pcap-ng-only.
- No dissection of any kind. pcarp gives you the raw packet data. If you want to parse ethernet/IP/TCP/whatever protocol, try pnet or rshark.
- No filtering. This one follows from “no dissection”.

The entry point is Capture.

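Example

```rust
use std::fs::File;
use std::time::UNIX_EPOCH;

use pcarp::Capture;

fn main() {
    let file = File::open("integration_tests/10_sqldeveloper10_2016.pcapng.xz").unwrap();
    // Capture::new takes anything implementing Read, so the xz decoder is passed in directly.
    let uncompressed = xz2::read::XzDecoder::new(file);
    let mut pcap = Capture::new(uncompressed).unwrap();
    while let Some(pkt) = pcap.next() {
        let pkt = pkt.unwrap();
        // Fall back to the Unix epoch when a packet carries no timestamp.
        let ts = pkt.timestamp.unwrap_or(UNIX_EPOCH);
        println!("[{:?}] Packet with length {}", ts, pkt.data.len());
    }
}
```
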
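Since pcarp reads pcap-ng only and takes any Read, a caller handling files of unknown origin can check the leading bytes before building a Capture. The following is an added example, not part of pcarp or its documentation: it uses only the standard library, the names Format, classify and sniff are hypothetical, and the magic values are those of the pcap-ng, legacy pcap and xz file formats.

```rust
use std::io::{self, Read};

/// What the leading bytes of a capture file say about its format.
#[derive(Debug, PartialEq)]
pub enum Format {
    PcapNg { big_endian: bool }, // byte order taken from the byte-order magic
    LegacyPcap,                  // microsecond or nanosecond variant, either byte order
    Xz,                          // xz container: decompress first, then sniff again
    Unknown,                     // too short or unrecognised
}

/// Classify a header prefix; 12 bytes cover every case handled here.
pub fn classify(head: &[u8]) -> Format {
    if head.starts_with(&[0xFD, b'7', b'z', b'X', b'Z', 0x00]) {
        return Format::Xz;
    }
    if head.len() < 4 {
        return Format::Unknown;
    }
    match [head[0], head[1], head[2], head[3]] {
        // Section Header Block type 0x0A0D0D0A is a palindrome, so the byte
        // order has to come from the byte-order magic at offset 8.
        [0x0A, 0x0D, 0x0D, 0x0A] => match head.get(8..12) {
            Some([0x1A, 0x2B, 0x3C, 0x4D]) => Format::PcapNg { big_endian: true },
            Some([0x4D, 0x3C, 0x2B, 0x1A]) => Format::PcapNg { big_endian: false },
            _ => Format::Unknown,
        },
        [0xA1, 0xB2, 0xC3, 0xD4] | [0xD4, 0xC3, 0xB2, 0xA1]
        | [0xA1, 0xB2, 0x3C, 0x4D] | [0x4D, 0x3C, 0xB2, 0xA1] => Format::LegacyPcap,
        _ => Format::Unknown,
    }
}

/// Read up to 12 bytes and classify them. The bytes are returned so they can be
/// put back in front of the stream with `Cursor::new(head).chain(r)`.
pub fn sniff<R: Read>(r: &mut R) -> io::Result<(Format, Vec<u8>)> {
    let mut head = Vec::with_capacity(12);
    r.by_ref().take(12).read_to_end(&mut head)?;
    Ok((classify(&head), head))
}

fn main() {
    // Constructed sample: start of a little-endian pcap-ng file, then one filler byte.
    let sample = vec![0x0A, 0x0D, 0x0D, 0x0A, 0x1C, 0, 0, 0, 0x4D, 0x3C, 0x2B, 0x1A, 0xFF];
    let mut input = io::Cursor::new(sample);
    let (fmt, head) = sniff(&mut input).expect("read failed");
    let mut all = Vec::new();
    io::Cursor::new(head).chain(input).read_to_end(&mut all).expect("read failed");
    println!("{:?}, {} bytes available to the parser", fmt, all.len());
}
```

The chained reader in main is the value that would be handed on to a pcap-ng parser, so sniffing does not consume any of the stream.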
Modules
Block definitions. Not meant for consumption.
Structs
A packet capture which can be iterated over.
A network interface.
A single captured packet.