10 releases (5 stable)
|1.2.0||Jul 13, 2020|
|1.1.1||Oct 10, 2019|
|1.1.0||Jun 23, 2019|
|1.0.1||Feb 21, 2019|
|0.1.2||Nov 8, 2018|
#234 in Network programming
4,072 downloads per month
Used in feeless
A pure-Rust library for reading pcap-ng files.
- Correct: Agrees with tshark across a broad test suite.
- Fast: Zero-copy. Performance is in
- Flexible input: Takes anything which implements
- Flexible output: Exposes a streaming-iterator-style API.
- Reliable: No panics, even on malformed input.
pcarp is a simple library: it reads pcap-ng files and that's it.
Limitations compared to
- No support for legacy pcap;
- No support for writing;
- No dissection of any kind. pcarp gives you the raw packet data. If you want to parse Ethernet/IP/TCP/whatever protocol, try pnet or rshark.
- No filtering. This one follows from "no dissection".
Are your pcaps gzipped? No problem:
Capture::new() takes anything which implements Read, so just wrap your File in a
The output API is streaming-iterator-style (
an iterator-style API is also included for convenience.
It's our intention that pcarp should never panic, even given malformed or
malicious input. The library is fuzzed to help ensure that this is the case,
malicious input. The library is fuzzed to help ensure that this is the case,
but fuzzing isn't perfect. If you experience a crash, please report it to
It's currently possible to construct bad blocks which pcarp can't move past.
In other words: you can insert one of these malformed blocks into an otherwise
good pcap and, instead of reporting a single error and moving on, pcarp
will give you an infinite series of errors. If your input is untrusted,
don't assume that your stream will terminate.
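One way to bound the failure mode described above when reading untrusted captures, as an added example that is not part of pcarp or its documentation. It works over any iterator of Result values and does not call pcarp itself; the names drain_bounded, Drain and stuck_stream are hypothetical, and stuck_stream is a constructed stand-in for a capture containing a block the reader cannot move past.

```rust
// Added example, not pcarp code. Generic over any iterator of Results,
// such as an iterator-style packet reader.

/// How the drain ended.
#[derive(Debug, PartialEq)]
pub enum Drain {
    /// The iterator ran out by itself.
    Finished { packets: usize, errors: usize },
    /// The error budget was hit; the reader is presumed stuck on a bad block.
    Stuck { packets: usize, errors: usize },
}

/// Consume `iter`, giving up after `max_run` errors in a row.
/// A successful item resets the run, so isolated bad blocks are tolerated.
pub fn drain_bounded<T, E, I, F>(iter: I, max_run: usize, mut on_packet: F) -> Drain
where
    I: Iterator<Item = Result<T, E>>,
    F: FnMut(T),
{
    let (mut packets, mut errors, mut run) = (0usize, 0usize, 0usize);
    for item in iter {
        match item {
            Ok(pkt) => {
                run = 0;
                packets += 1;
                on_packet(pkt);
            }
            Err(_) => {
                errors += 1;
                run += 1;
                if run >= max_run {
                    return Drain::Stuck { packets, errors };
                }
            }
        }
    }
    Drain::Finished { packets, errors }
}

/// Constructed stand-in for a capture with a block the reader cannot pass:
/// three good items, then the same error forever.
pub fn stuck_stream() -> impl Iterator<Item = Result<u32, &'static str>> {
    (0..3u32).map(Ok::<u32, &'static str>).chain(std::iter::repeat(Err("bad block")))
}

fn main() {
    println!("{:?}", drain_bounded(stuck_stream(), 16, |_| {}));
}
```

A Stuck result means the remainder of the input was not read, so treat the capture as truncated rather than fully processed.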
I've benchmarked the decoding time against the pcap library (which uses
libpcap) over a variety of pcaps. libpcap dominates the benchmarks, but not
by a huge amount. Interestingly, the savings come mostly from spending less
time in the kernel. Somehow libpcap is performing fewer syscalls than pcarp...
The software itself is in the public domain.
Some of the documentation is copied from the pcap spec, so the copyright is owned by the IETF; these places are clearly marked. The pcaps used by the integration tests are distributed by the Wireshark Foundation under the terms of the GNU GPL.