A pure-Rust library for reading pcap-ng files.
tshark across a broad test suite.libpcap's ballpark.Read.pcarp is a simple library: it reads pcap-ng files and that's it.
Limitations compared to libpcap:
pcarp is pcap-ng-only.pcarp is read-only.pcarp gives you the raw packet data.
If you want to parse ethernet/IP/TCP/whatever protocol, try [pnet] or
[rshark].Are your pcaps gzipped? No problem: Capture::new() takes anything which
implements Read, so just wrap your File in a GzDecoder first.
The output API is streaming-iterator-style (advance() and get()), and
an iterator-style API is also included for convenience.
The integration test suite consists of all the pcapng files I could scrape from the Wireshark wiki. See integration_tests/ for details.
It's our intention that pcarp should never panic, even given malformed or
malicious input. The library is fuzzed to help ensure that this is the case,
but fuzzing isn't perfect. If you experience a crash, please report it to
the authors.
It's currently possible to construct bad blocks which pcarp can't move past.
In other words: you can insert one of these malformed blocks into an otherwise
good pcap and instead of reporting a single error and moving on, pcarp
will give you an infinite series of errors. If your input is untrusted,
don't assume that your stream will terminate.
I've benchmarked the decoding time against the pcap library (which uses
libpcap) over a variety of pcaps. libpcap dominates the benchmarks, but not
by a huge amount. Interestingly, the savings come mostly from spending less
time in the kernel. Somehow libpcap is performing fewer syscalls than pcarp...
The software itself is in the public domain.
Some of the documentation is copied from the pcap spec, so the copyright is owned by the IETF; these places are cleary marked. The pcaps used by the integration tests are distributed by the Wireshark Foundation under the terms of the GNU GPL.