PcapFileEx (pcap_file_ex v0.1.5)

Elixir wrapper for parsing PCAP and PCAPNG network capture files.

This library provides functionality to read packet capture files commonly used with tools like Wireshark, tcpdump, and dumpcap.

Modules

PcapFileEx - Main API with format auto-detection
PcapFileEx.Pcap - PCAP format reader
PcapFileEx.PcapNg - PCAPNG format reader
PcapFileEx.Stats - Statistics and analysis
PcapFileEx.Filter - Packet filtering helpers
PcapFileEx.Validator - File validation

Examples

# Open and read a PCAP file (format auto-detected)
{:ok, reader} = PcapFileEx.open("capture.pcap")

# Read all packets at once
{:ok, packets} = PcapFileEx.read_all("capture.pcap")

# Stream packets lazily (memory efficient for large files)
PcapFileEx.stream("capture.pcap")
|> Stream.filter(fn packet -> byte_size(packet.data) > 1000 end)
|> Enum.take(10)

# Compute statistics
{:ok, stats} = PcapFileEx.Stats.compute("capture.pcap")
IO.inspect(stats.packet_count)

# Filter packets
PcapFileEx.stream("capture.pcap")
|> PcapFileEx.Filter.by_size(100..1500)
|> PcapFileEx.Filter.larger_than(500)
|> Enum.to_list()

# Validate file
{:ok, :pcap} = PcapFileEx.Validator.validate("capture.pcap")

Summary

Functions

open(path)

Opens a PCAP or PCAPNG file for reading with automatic format detection.

read_all(path, opts \\ [])

Reads all packets from a PCAP or PCAPNG file with automatic format detection.

stream(path, opts \\ [])

Creates a lazy stream of packets from a PCAP or PCAPNG file with automatic format detection.

Functions

open(path)

@spec open(Path.t()) ::
  {:ok, PcapFileEx.Pcap.t() | PcapFileEx.PcapNg.t()} | {:error, String.t()}

Opens a PCAP or PCAPNG file for reading with automatic format detection.

This function reads the file's magic number to determine whether it's a PCAP or PCAPNG file and opens it with the appropriate reader.

Examples

{:ok, reader} = PcapFileEx.open("capture.pcap")
{:ok, reader} = PcapFileEx.open("capture.pcapng")

Returns

{:ok, reader} - A reader struct (either Pcap.t() or PcapNg.t())
{:error, reason} - If the file cannot be opened or has an unknown format

read_all(path, opts \\ [])

@spec read_all(
  Path.t(),
  keyword()
) :: {:ok, [PcapFileEx.Packet.t()]} | {:error, String.t()}

Reads all packets from a PCAP or PCAPNG file with automatic format detection.

Warning: This loads all packets into memory. For large files, use stream/1 instead.

Examples

{:ok, packets} = PcapFileEx.read_all("capture.pcap")
{:ok, packets} = PcapFileEx.read_all("capture.pcapng")

stream(path, opts \\ [])

@spec stream(
  Path.t(),
  keyword()
) :: Enumerable.t()

Creates a lazy stream of packets from a PCAP or PCAPNG file with automatic format detection.

This is memory efficient for large files as packets are read on demand. The file is automatically opened and closed.

Examples

PcapFileEx.stream("capture.pcap")
|> Stream.filter(fn packet -> byte_size(packet.data) > 100 end)
|> Enum.count()

PcapFileEx.stream("capture.pcapng")
|> Stream.take(10)
|> Enum.to_list()