13 releases (8 stable)
2.0.0 | Mar 16, 2023 |
---|---|
1.4.0 | Nov 19, 2022 |
1.3.0 | Oct 28, 2022 |
1.2.0 | Jul 13, 2020 |
0.3.0 | Nov 21, 2018 |
#562 in Network programming
1,465 downloads per month
Used in feeless
83KB, 1K SLoC
pcarp
A pure-Rust library for reading pcapng files.
- Correct: Agrees with tshark across a broad test suite.
- Fast: Performance is similar to libpcap.
- Flexible: Wraps anything which implements Read.
- Ergonomic: It's an iterator of Packets - no lifetimes.
- Resilient: Handles malformed pcaps as gracefully as possible.
Limitations
libpcap is full of features; pcarp just reads packets out of pcapng files.
Limitations compared to libpcap:
- No support for legacy pcap; pcarp is pcapng-only.
- No support for writing; pcarp is read-only.
- No dissection of any kind. pcarp gives you the raw packet data.
- No filtering. This one follows from "no dissection".
If you want to parse ethernet/IP/TCP/whatever protocol, you need another library. We use etherparse and it works well. There's also pnet or rshark, although I haven't tried them.
Error handling
pcarp is designed to be very resilient to errors, even given malformed or malicious input.
- If pcarp sees unexpected flags or options, it will log a warning using the tracing crate and carry on.
- If a packet is mangled beyond recognition, pcarp will return an error instead, but subsequent packets will still be readable.
- If pcarp encounters corruption in the framing, then the error is not containable, and no more packets can be read.
pcarp should never panic. It's fuzzed to help ensure that this is the case, but fuzzing isn't perfect. If you experience a crash, please report it!
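Why a mangled packet is containable but framing corruption is not, as an added example (not pcarp's code or API): pcapng frames every block as type, total length, body, and the total length repeated, so a bad body can be skipped using the length, while a bad length loses the next block boundary. The names `walk`, `parse_epb`, `epb` and `Item` are hypothetical, and the example assumes little-endian blocks.

```rust
// Added illustration, not pcarp's code. Real pcapng takes byte order from the Section Header Block.
#[derive(Debug, PartialEq)]
enum Item { Packet(Vec<u8>), BadPacket, Skipped(u32) }
const EPB: u32 = 6; // Enhanced Packet Block type

fn u32_at(buf: &[u8], off: usize) -> Option<u32> {
    buf.get(off..off.checked_add(4)?).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

// EPB body: interface id, timestamp (2 words), captured len, original len, data.
fn parse_epb(body: &[u8]) -> Item {
    let data = u32_at(body, 12).and_then(|cap| body.get(20..20usize.checked_add(cap as usize)?));
    match data {
        Some(d) => Item::Packet(d.to_vec()),
        None => Item::BadPacket, // contained: the outer framing is still intact
    }
}

// Returns the items read, and true if the walk stopped on a framing error.
fn walk(buf: &[u8]) -> (Vec<Item>, bool) {
    let (mut items, mut pos) = (Vec::new(), 0usize);
    while pos < buf.len() {
        // Framing: type, total length, body, total length repeated.
        let (ty, len) = match (u32_at(buf, pos), u32_at(buf, pos + 4)) {
            (Some(t), Some(l)) => (t, l as usize),
            _ => return (items, true),
        };
        let end = match pos.checked_add(len) {
            Some(e) if len >= 12 && len % 4 == 0 && e <= buf.len() => e,
            _ => return (items, true), // next block boundary is unknowable
        };
        if u32_at(buf, end - 4) != Some(len as u32) { return (items, true); }
        items.push(if ty == EPB { parse_epb(&buf[pos + 8..end - 4]) } else { Item::Skipped(ty) });
        pos = end;
    }
    (items, false)
}

// Constructed sample: a 36-byte EPB with a declared captured length and 4 data bytes.
fn epb(declared_cap: u32, data: &[u8; 4]) -> Vec<u8> {
    let mut b = Vec::new();
    for w in [EPB, 36, 0, 0, 0, declared_cap, 4] { b.extend_from_slice(&w.to_le_bytes()); }
    b.extend_from_slice(data);
    b.extend_from_slice(&36u32.to_le_bytes());
    b
}

fn main() {
    let mut cap = [epb(4, &[1, 2, 3, 4]), epb(1000, &[9; 4]), epb(4, &[5, 6, 7, 8])].concat();
    println!("{:?}", walk(&cap)); // mangled middle packet is contained
    cap[40] = 0xff; // corrupt the second block's length field
    println!("{:?}", walk(&cap)); // framing lost: nothing after the first packet
}
```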
License
The software itself is in the public domain.
Some of the documentation is copied from the pcap spec, so the copyright is owned by the IETF; these places are clearly marked. The pcaps used by the integration tests are distributed by the Wireshark Foundation under the terms of the GNU GPL.
Dependencies
~0.7–1.4MB
~26K SLoC