PCAP parser

PCAP and PCAPNG parsers

This crate contains several parsers for PCAP and PCAPNG files.

Compared to other similar projects, it is designed to offer a complete support of the many possible formats (legacy pcap, pcapng, little or big-endian, etc.) and features (pcanpng files with multiple sections, interfaces, and endianness) while using only safe code and without copying data (zero-copy).

The code is available on Github and is part of the Rusticata project.

Example: streaming parsers

The following code shows how to parse a file in the pcap-ng format, using a PcapNGReader streaming parser.

```rust use pcapparser::*; use pcapparser::traits::PcapReaderIterator; use std::fs::File; use std::io::Read;

let mut file = File::open(path).unwrap(); let mut numblocks = 0; let mut reader = PcapNGReader::new(65536, file).expect("PcapNGReader"); loop { match reader.next() { Ok((offset, _block)) => { println!("got new block"); numblocks += 1; reader.consume(offset); }, Err(PcapError::Eof) => break, Err(PcapError::Incomplete) => { reader.refill().unwrap(); }, Err(e) => panic!("error while reading: {:?}", e), } } println!("numblocks: {}", numblocks); ``` See PcapNGReader for a complete example, including handling of linktype and accessing packet data.

For legacy pcap files, use similar code with the LegacyPcapReader streaming parser.

See pcap-tools and pcap-parse for more examples.

Example: generic streaming parsing

To create a pcap reader for input in either PCAP or PCAPNG format, use the create_reader function.

Changes

0.8.0

• Add basic support for serialization (little-endian only)
• Add basic support for Wireshark exported PDUs
• Add traits Clone and Debug to PacketData
• Move data parsing functions to a subdirectory

0.7.1

• Fix wrong EOF detection
• Fix handling of incomplete reads (in example)

0.7.0

• Upgrade to nom 5
  • Breaking API changes, mainly for error types

0.6.1

• Make LegacyPcapBlock a regular structure with parser, and add serialization

0.6.0

• Complete rewrite of the crate (breaks API)
• Add streaming parser iterators
• Replace Packet with Blocks
  • Allows handling of non-data blocks
  • Handles correctly timestamps and resolution
  • Remove incorrect or deprecated code
• Better parsing of all variants (BE/LE, block types, etc.)
• Better (and panic-free) functions to extract block contents
• Set edition to 2018
• Better documentation

0.5.1

• Fix computation of timestamp for high-resolution pcap-ng

License

Licensed under either of

• Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
• MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.