PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use. It provides C++ wrappers for the most popular packet processing engines such as libpcap, WinPcap, DPDK and PF_RING.

Overview

PcapPlusPlus enables decoding and forging capabilities for a large variety of network protocols. It also provides easy to use C++ wrappers for the most popular packet processing engines such as libpcap, WinPcap, Npcap, DPDK and PF_RING.

Download

You can choose between downloading pre-compiled binaries and building PcapPlusPlus yourself. For more details please visit the Download page in PcapPlusPlus web-site.

Pre Compiled Binaries

From Homebrew:

brew install pcapplusplus

From Conan:

conan remote add public-conan https://api.bintray.com/conan/bincrafters/public-conan
conan install pcapplusplus/[email protected]/stable -r public-conan

From GitHub release page:

https://github.com/seladb/PcapPlusPlus/releases/latest

Build It Yourself

Clone the git repository:

git clone https://github.com/seladb/PcapPlusPlus.git

Follow the build instructions according to your platform in the Build From Source page in PcapPlusPlus web-site.

Feature Overview

  • Packet capture through an easy to use C++ wrapper for popular packet capture engines such as libpcap, WinPcap, Npcap, Intel DPDK, ntop’s PF_RING and raw sockets
  • Packet parsing and crafting including detailed analysis of protocols and layers, packet generation and packet edit for a large variety of network protocols
  • Read and write packets from/to files in both PCAP and PCAPNG formats
  • Packet processing in line rate through an efficient and easy to use C++ wrapper for DPDK and PF_RING
  • Multiplatform support - PcapPlusPlus is fully supported on Linux, MacOS, Windows and FreeBSD
  • Packet reassembly - unique implementation of TCP Reassembly which includes TCP retransmission, out-of-order TCP packets and missing TCP data, and IP Fragmentation and Defragmentation to create and reassemble IPv4 and IPv6 fragments
  • Packet filtering that makes libpcap's BPF filters a lot more user-friendly
  • TLS Fingerprinting - a C++ implementation of JA3 and JA3S TLS fingerprinting

Getting Started

Writing applications with PcapPlusPlus is very easy and intuitive. Here is a simple application that shows how to read a packet from a PCAP file and parse it:

#include <cstdio>
#include "IPv4Layer.h"
#include "Packet.h"
#include "PcapFileDevice.h"

int main(int argc, char* argv[])
{
    // open a pcap file for reading
    pcpp::PcapFileReaderDevice reader("1_packet.pcap");
    if (!reader.open())
    {
        printf("Error opening the pcap file\n");
        return 1;
    }

    // read the first (and only) packet from the file
    pcpp::RawPacket rawPacket;
    if (!reader.getNextPacket(rawPacket))
    {
        printf("Couldn't read the first packet in the file\n");
        return 1;
    }

    // parse the raw packet into a parsed packet
    pcpp::Packet parsedPacket(&rawPacket);

    // verify the packet is IPv4
    if (parsedPacket.isPacketOfType(pcpp::IPv4))
    {
        // extract source and dest IPs
        pcpp::IPv4Address srcIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getSrcIPv4Address();
        pcpp::IPv4Address destIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getDstIPv4Address();

        // print source and dest IPs
        printf("Source IP is '%s'; Dest IP is '%s'\n", srcIP.toString().c_str(), destIP.toString().c_str());
    }

    // close the file
    reader.close();

    return 0;
}

You can find much more information in the Getting Started page in PcapPlusPlus web-site. This page will walk you through a few easy steps to have an app up and running.

API Documentation

PcapPlusPlus consists of 3 libraries:

  1. Packet++ - a library for parsing, creating and editing network packets
  2. Pcap++ - a library for intercepting and sending packets, providing network and NIC info, stats, etc. It is actually a C++ wrapper for packet capturing engines such as libpcap, WinPcap, Npcap, DPDK and PF_RING
  3. Common++ - a library with some common code utilities used by both Packet++ and Pcap++

You can find extensive API documentation in the API documentation section in PcapPlusPlus web-site. If you see any missing data please contact us.

Multi Platform Support

PcapPlusPlus is currently supported on Windows, Linux, MacOS and FreeBSD. Please visit PcapPlusPlus web-site to see all of the supported platforms and refer to the Download section to start using PcapPlusPlus on your platform.

Supported Network Protocols

PcapPlusPlus currently supports parsing, editing and creation of packets of the following protocols:

  1. Ethernet II
  2. IEEE 802.3 Ethernet
  3. SLL (Linux cooked capture)
  4. Null/Loopback
  5. Raw IP (IPv4 & IPv6)
  6. IPv4
  7. IPv6
  8. ARP
  9. VLAN
  10. VXLAN
  11. MPLS
  12. PPPoE
  13. GRE
  14. TCP
  15. UDP
  16. GTP (v1)
  17. ICMP
  18. IGMP (IGMPv1, IGMPv2 and IGMPv3 are supported)
  19. IPSec AH & ESP - parsing only (no editing capabilities)
  20. SIP
  21. SDP
  22. Radius
  23. DNS
  24. DHCP
  25. BGP (v4)
  26. SSH - parsing only (no editing capabilities)
  27. HTTP headers (request & response)
  28. SSL/TLS - parsing only (no editing capabilities)
  29. Packet trailer (a.k.a footer or padding)
  30. Generic payload

DPDK And PF_RING Support

The Data Plane Development Kit (DPDK) is a set of data plane libraries and network interface controller drivers for fast packet processing.

PF_RING™ is a new type of network socket that dramatically improves the packet capture speed.

Both frameworks provide very fast packet processing (up to line speed) and are used in many network applications such as routers, firewalls, load balancers, etc. PcapPlusPlus provides a C++ abstraction layer over DPDK & PF_RING. This abstraction layer provides an easy to use interface that removes a lot of the boilerplate involved in using these frameworks. You can learn more by visiting the DPDK & PF_RING support pages in PcapPlusPlus web-site.

Benchmarks

We used Matias Fontanini's packet-capture-benchmarks project to compare the performance of PcapPlusPlus with other similar C++ libraries (such as libtins and libcrafter).

You can see the results in the Benchmarks page in PcapPlusPlus web-site.

Provide Feedback

We'd be more than happy to get feedback, please feel free to reach out to us in any of the following ways:

If you like this project please Star us on GitHub — it helps!

Please visit the PcapPlusPlus web-site to learn more.

Contributing

We would very much appreciate any contribution to this project. If you're interested in contributing please visit the contribution page in PcapPlusPlus web-site.

License

PcapPlusPlus is released under the Unlicense license.

Issues
  • Add TcpSorter to support sorting TCP segments.

    I have performed an online capturing test and an offline pcap file test. The result looks good.

    Also, I ran valgrind for hours to check for memory leaks. The shared pointer makes my life easier. I did find that the pcap library itself has a memory leak when it lists NICs. I didn't look deeper into the issue since I can't fix libpcap here.

    Regarding the TCP sorter logic, the TCP packet is flushed to the user once the other side sends an ACK. You can find more technical detail in the Doxygen header.

    opened by rickyzhang82 34
  • Bug in IDnsResource::decodeName.

    If a non-DNS packet gets into DnsLayer, we get a SIGSEGV, because the function size_t IDnsResource::decodeName does not check for going beyond the limits of the packet.

    bug 
    opened by max197616 32
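The missing check reported in the issue above is a DNS name decoder that never verifies its reads stay inside the packet. The following is an added example, not PcapPlusPlus code and not the fix the project applied: a stand-alone decoder that bounds-checks every read and caps compression-pointer jumps. The names decodeDnsName, sampleMessage, kMaxNameLen and kMaxPointerJumps are hypothetical, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not PcapPlusPlus code. All names here are hypothetical.
static const size_t kMaxNameLen = 255;    // RFC 1035 limit on an encoded name
static const int kMaxPointerJumps = 16;   // assumed cap that breaks pointer loops

// Decodes the DNS name starting at `offset` in a message of `msgLen` bytes.
// Returns the number of bytes the name occupies at `offset`, or 0 when the
// data is not a well-formed name (on failure `out` is partial; ignore it).
size_t decodeDnsName(const uint8_t* msg, size_t msgLen, size_t offset, std::string& out)
{
    out.clear();
    size_t pos = offset;
    size_t consumed = 0;   // bytes used at the original position
    bool jumped = false;   // true once a compression pointer was followed
    int jumps = 0;

    for (;;)
    {
        if (pos >= msgLen)
            return 0;                          // length byte is outside the packet
        size_t len = msg[pos];

        if ((len & 0xC0) == 0xC0)              // compression pointer (2 bytes)
        {
            if (pos + 1 >= msgLen || ++jumps > kMaxPointerJumps)
                return 0;                      // truncated pointer or pointer loop
            size_t target = ((len & 0x3F) << 8) | msg[pos + 1];
            if (target >= msgLen)
                return 0;                      // pointer leads outside the packet
            if (!jumped)
                consumed = pos + 2 - offset;   // only the first pointer counts
            jumped = true;
            pos = target;
            continue;
        }
        if ((len & 0xC0) != 0)
            return 0;                          // 01/10 prefixes are reserved
        if (len == 0)                          // root label ends the name
            return jumped ? consumed : pos + 1 - offset;

        if (len > msgLen - pos - 1)            // pos < msgLen, so no underflow
            return 0;                          // label runs past the packet end
        if (out.size() + len + 1 > kMaxNameLen)
            return 0;                          // name longer than the protocol allows
        if (!out.empty())
            out += '.';
        out.append(reinterpret_cast<const char*>(msg + pos + 1), len);
        pos += 1 + len;
    }
}

// Constructed sample: zeroed 12-byte header, "www.example.com" at offset 12,
// then "mail" followed by a pointer to offset 16 ("example.com") at offset 29.
std::vector<uint8_t> sampleMessage()
{
    std::vector<uint8_t> m(12, 0);
    const uint8_t body[] = {
        3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
        4, 'm', 'a', 'i', 'l', 0xC0, 0x10
    };
    m.insert(m.end(), body, body + sizeof(body));
    return m;
}

int main()
{
    std::vector<uint8_t> m = sampleMessage();
    std::string name;
    size_t n = decodeDnsName(m.data(), m.size(), 29, name);
    std::printf("%zu bytes -> %s\n", n, name.c_str());
    n = decodeDnsName(m.data(), 20, 12, name);   // same bytes, truncated capture
    std::printf("truncated capture -> %zu\n", n);
    return 0;
}
```

A return value of 0 lets the caller stop treating the payload as DNS instead of reading past the buffer.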
  • Modifying code cause undefined behavior

    @seladb

    This issue more or less likely reproducible. But I don't know what's the root cause of this.

    Anyway, I modified PcapPlusPlus's SSL as follows,

    On SSLHandshake.cpp I replaced the following code

    SSLCipherSuite* SSLClientHelloMessage::getCipherSuite(int index) const
    {
    	if (index < 0 || index >= getCipherSuiteCount())
    		return NULL;
    
    	size_t cipherSuiteStartOffset = sizeof(ssl_tls_client_server_hello) + sizeof(uint8_t) + getSessionIDLength() + sizeof(uint16_t);
    	if (cipherSuiteStartOffset + sizeof(uint16_t) > m_DataLen)
    		return NULL;
    
    	uint16_t* cipherSuiteStartPos = (uint16_t*)(m_Data + cipherSuiteStartOffset);
    	return SSLCipherSuite::getCipherSuiteByID(be16toh(*(cipherSuiteStartPos+index)));
    }
    

    with

    uint16_t SSLClientHelloMessage::getCipherSuiteHexValue(int index) const
    {
    	if (index < 0 || index >= getCipherSuiteCount())
    		return 0;
    
    	size_t cipherSuiteStartOffset = sizeof(ssl_tls_client_server_hello) + sizeof(uint8_t) + getSessionIDLength() + sizeof(uint16_t);
    	if (cipherSuiteStartOffset + sizeof(uint16_t) > m_DataLen)
    		return 0;
    
    	uint16_t* cipherSuiteStartPos = (uint16_t*)(m_Data + cipherSuiteStartOffset);
    	return be16toh(*(cipherSuiteStartPos+index));
    }
    

    Then added following header declaration on SSLHandshake.h

    	/**
    	 * Get hex value of a cipher-suite by index.
    	 * @param[in] index The index of the cipher-suite to return
    	 * @return The hex value of the cipher-suite or 0 if index is out of bounds
    	 */
    
    	uint16_t getCipherSuiteHexValue(int index) const;
    

    Then I just removed tests related to SSL and compiled the lib as usual

    In the first iterations when I run my program, it works fine, but after a couple of days I noticed it outputs weird cipher suite counts like 1200 and 1500, 9000 and so on when calling the getCipherSuiteCount() method on the lib.

    The exact CipherSuiteCount for Chrome is 16 and for Firefox is 18

    The program outputs 16 and 18 in the first days, but somehow magically it gets broken after days; even after recompiling, it outputs the same weird numbers.

    I greatly appreciate your opinion on this matter!

    question 
    opened by gerald-dotcom 27
  • Pcap++ test issue related to the RSS hash function 0x41

    Here is the snippet of when we are trying to run the Bin/Pcap++ test.

    EAL: Detected 24 lcore(s)
    EAL: Probing VFIO support...
    EAL: PCI device 0000:01:00.0 on NUMA socket -1
    EAL: probe driver: 8086:10d3 net_e1000_em
    EAL: PCI device 0000:04:00.0 on NUMA socket -1
    EAL: probe driver: 8086:1583 net_i40e
    EAL: PCI device 0000:04:00.1 on NUMA socket -1
    EAL: probe driver: 8086:1583 net_i40e
    PMD: eth_i40e_dev_init(): FW 6.0 API 1.7 NVM 06.00.01 eetrack 800035da
    [src/DpdkDeviceList.cpp : initDpdkDevices : line:164 ] Found 1 DPDK ports. Constructing DpdkDevice for each one
    [src/DpdkDevice.cpp : initMemPool : line:623 ] Successfully initialized packets pool of size [16383] for device [DPDK_0]
    [src/DpdkDevice.cpp : setDeviceInfo : line:722 ] Device [DPDK_0] has 320 RX queues
    [src/DpdkDevice.cpp : setDeviceInfo : line:723 ] Device [DPDK_0] has 320 TX queues
    [src/DpdkDeviceList.cpp : initDpdkDevices : line:175 ] DpdkDevice #0: Name='DPDK_0', PCI-slot='0000:04:00.1', PMD='net_i40e', MAC Addr='3c:fd:fe:c3:38:d9'
    PMD 'net_i40e' doesn't support the request RSS hash functions 0x41
    TestDpdkDevice : FAILED. assertion failed: Cannot open DPDK device
    PMD 'net_i40e' doesn't support the request RSS hash functions 0x41
    TestDpdkMultiThread : FAILED. assertion failed: Cannot open DPDK device 'DPDK_0' with 16 RX queues
    [src/DpdkDevice.cpp : close : line:455 ] Trying to close device [DPDK_0] but device is already closed
    PMD 'net_i40e' doesn't support the request RSS hash functions 0x41
    TestDpdkDeviceSendPackets : FAILED. assertion failed: Cannot open DPDK device 'DPDK_0' with 320 TX queues
    [src/DpdkDevice.cpp : close : line:455 ] Trying to close device [DPDK_0] but device is already closed
    PMD 'net_i40e' doesn't support the request RSS hash functions 0x41
    TestDpdkMbufRawPacket : FAILED. assertion failed: Cannot open DPDK device
    TestDpdkDeviceWorkerThreads : FAILED. assertion failed: Couldn't open DPDK device

    Also, about the setup script, I did the setup complete. Here is the current status: [email protected]:~/PcapPlusPlus# ./setup-dpdk.sh -s


    PcapPlusPlus setup DPDK script


    Network devices using DPDK-compatible driver

    0000:04:00.1 'Ethernet Controller XL710 for 40GbE QSFP+' drv=igb_uio unused=uio_pci_generic

    Network devices using kernel driver

    0000:01:00.0 '82574L Gigabit Network Connection' if=eth0 drv=e1000e unused=igb_uio,uio_pci_generic Active

    Other network devices

    0000:04:00.0 'Ethernet Controller XL710 for 40GbE QSFP+' unused=igb_uio,uio_pci_generic

    Crypto devices using DPDK-compatible driver

    Crypto devices using kernel driver

    Other crypto devices

    And we are planning to use one port for now, and we are getting this error:

    PMD 'net_i40e' doesn't support the request RSS hash functions 0x41
    TestDpdkDevice : FAILED. assertion failed: Cannot open DPDK device
    PMD 'net_i40e' doesn't support the request RSS hash functions 0x41
    TestDpdkMultiThread : FAILED. assertion failed: Cannot open DPDK device 'DPDK_0' with 16 RX queues
    [src/DpdkDevice.cpp : close : line:455 ] Trying to close device [DPDK_0] but device is already closed
    PMD 'net_i40e' doesn't support the request RSS hash functions 0x41
    TestDpdkDeviceSendPackets : FAILED. assertion failed: Cannot open DPDK device 'DPDK_0' with 320 TX queues
    [src/DpdkDevice.cpp : close : line:455 ] Trying to close device [DPDK_0] but device is already closed
    PMD 'net_i40e' doesn't support the request RSS hash functions 0x41
    TestDpdkMbufRawPacket : FAILED. assertion failed: Cannot open DPDK device
    TestDpdkDeviceWorkerThreads : FAILED. assertion failed: Couldn't open DPDK device

    I have few queries:

    • I can see the traffic moving from one side to another, I am trying to test with the following command: [email protected]:~/PcapPlusPlus/Tests/Pcap++Test# Bin/Pcap++Test -i x.x.x.x -r x.x.x.x -k p1p2 -d
    • May I know why this is happening, why the TestDpdkWorkerThreads test is failing?
    • About the RSS hash 0x41, are there any such hardware constraint which can or cannot support the function?
    • We have classic DPDK huge pages of 1 GB and 16 of them, and while setup I put -p as 16 only.

    Need your help in this scenario.

    opened by sabhishepalc 24
  • The new classes IPv4Address, IPv6Address and IPAddress (discussion)

    I have developed the new lightweight classes for manipulating the IP addresses. These are very fast and use less memory.

    I have made the tests for the most common use case: creating the address out of a byte array (for example: IP/TCP reassembly logic). The tests ran on a Core i7 9700K, Win10 (x64):

    === Current ===
    Sizeof IPv4 = 68
    Sizeof IPv6 = 80
    IPv4 (uint): duration(ms) = 1803, iterations = 10.000.000, calls per sec = 5.546.000
    IPv6: duration(ms) = 4411, iterations = 10.000.000, calls per sec = 2.267.000
    
    === New ===
    Sizeof IPv4 = 4
    Sizeof IPv6 = 16
    Sizeof IP = 24
    IPv4 (uint): duration(ms) = 12, iterations = 10.000.000, calls per sec = 833.333.000
    IPv6: duration(ms) = 32, iterations = 10.000.000, calls per sec = 312.500.000
    

    Replacing the old classes with the new ones will take some time, so I placed the new classes into namespace experimental. First of all I am planning to change the IPReassembly and TCPReassembly.

    Is there any chance that this PR will be merged?

    opened by gx740 23
  • TcpReassembly (question)

    I have found that the methods closeConnectionInternal and closeAllConnections have different behavior in relation to m_ConnectionInfo vector. The closeAllConnections clears this vector while closeConnectionInternal does not remove the data from it.

    Should closeConnectionInternal remove data from vector or not?

    bug 
    opened by gx740 23
  • Npcap read + write wastes memory

    SKIP THIS POST AND GO TO BOTTOM - I was wrong here!

    Just FYI I am using NPCAP as my capture library behind the scenes and working in Windows 10.

    In the example live capture code a simple example is given to capture live packets with a callback

    // start capture in async mode. Give a callback function to call to whenever a packet is captured and the stats object as the cookie
    dev->startCapture(onPacketArrives, &stats);
    
    /**
     * A callback function for the async capture which is called each time a packet is captured
     */
    static void onPacketArrives(pcpp::RawPacket* packet, pcpp::PcapLiveDevice* dev, void* cookie)
    {
    	// extract the stats object from the cookie
    	PacketStats* stats = (PacketStats*)cookie;
    
    	// parse the raw packet
    	pcpp::Packet parsedPacket(packet);
    
    	// collect stats from packet
    	stats->consumePacket(parsedPacket);
    }
    

    When I run this in Windows the memory usage seems to be growing unbounded. Granted I have only run it for up to one minute (initial testing and dev) but memory usage is steadily ticking up. I would expect it to more or less reach a steady state and plateau (I am capturing from a sensor device that provides a more or less steady stream).

    Looking at the live PcapLiveDevice code that runs our callback function it creates a RawPacket with the flag NOT to release the packet memory. Why?

    void PcapLiveDevice::onPacketArrives(uint8_t *user, const struct pcap_pkthdr *pkthdr, const uint8_t *packet)
    {
    	PcapLiveDevice* pThis = (PcapLiveDevice*)user;
    	if (pThis == NULL)
    	{
    		LOG_ERROR("Unable to extract PcapLiveDevice instance");
    		return;
    	}
    
    	RawPacket rawPacket(packet, pkthdr->caplen, pkthdr->ts, false, pThis->getLinkType());
    
    	if (pThis->m_cbOnPacketArrives != NULL)
    		pThis->m_cbOnPacketArrives(&rawPacket, pThis, pThis->m_cbOnPacketArrivesUserCookie);
    }
    

    Are we expected to release the raw packet pointer in our callback? That isn't in the example code. Or is there something in the libraries behind the scenes that keeps a cache of captures and eventually cleans that up itself?

    If I recompile the code with the flag swapped to true my memory plateaus at a few MB and stays steady (which is what I originally expected).

    Anyways please let me know how the memory is expected to be managed here.

    enhancement 
    opened by Dysl3xik 23
  • linker error

    Platform: Macosx - High Sierra

    First time using this library, I cloned the repository and successfully built it. I am trying to test if it works by copying and running the reading pcap example from the documentation. Here is how I compile and build it:

    g++ -Iinclude -c main.cpp --std=c++14
    g++ main.o lib/libCommon++.a lib/libPacket++.a lib/libPcap++.a
    

    And I used the pcaps that were being captured using Wireshark and exported as a .pcap file, changed the file name and ran it, and this is the output I got:

    [screenshot]

    question 
    opened by xxhenglyxx 22
  • pfring_recv returned an error: [Err=-1]

    Issue ---

    Running the resulting compiled code that captures packets through PF_RING causes an error

    Error Output

    pfring_recv returned an error: [Err=-1]
    pfring_recv returned an error: [Err=-1]
    pfring_recv returned an error: [Err=-1]
    pfring_recv returned an error: [Err=-1]
    pfring_recv returned an error: [Err=-1]
    pfring_recv returned an error: [Err=-1]
    ....... More 
    Segmentation fault (core dumped)
    

    My environment --

    Ubuntu 16.04.12
    Pf_Ring 6.4.1
    GCC 5.4.0
    

    Here is how I loaded PF_RING's kernel module --

    sudo insmod pf_ring.ko min_num_slots=65536 enable_tx_capture=1 enable_ip_defrag=1

    Of course, I was able to run your PfRing's example and print stats but mine isn't working, here is the code,

    main.cpp ---

    #include <iostream>
    #include <string>
    #include <array>
    #include <vector>
    #include <map>
    #include <chrono>
    #include <time.h>
    #include <cstdint>
    #include <sstream>
    #include <iomanip>
    #include <stdexcept>
    #include <PfRingDevice.h>
    #include <PfRingDeviceList.h>
    #include <Packet.h>
    #include <EthLayer.h>
    #include <IPv4Layer.h>
    #include <PacketUtils.h>
    #include <IPv6Layer.h>
    #include <TcpLayer.h>
    #include <SSLLayer.h>
    #include "dataObjects.h"
    #include <PcapPlusPlusVersion.h>
    
    using namespace pcpp;
    
    void packetArrived(RawPacket* packets, std::uint32_t numOfPackets, std::uint8_t threadId, PfRingDevice* device, void* userCookie) {
        for (uint32_t i = 0; i < numOfPackets; i++) { 
            std::cout << "A packet arrived" << "\n";
            continue;
        }
    }
    
    int main(){
        PfRingDevice *device = NULL;
        PfRingDevice *sendPacketsToIface = NULL;
    
        // Get Default Interface Name using Shell
        std::string defaultInterface;
        execute("sudo ip r | awk '/^default/ {print $5}'", defaultInterface);
    
        // Get Instance of Default Interface
        device = pcpp::PfRingDeviceList::getInstance().getPfRingDeviceByName(defaultInterface.c_str());
    
        if (device == NULL)
        {
            std::cout << "Couldn't locate default Network Driver"
                      << "\n";
            return 1;
        }
    
        int systemCores = pcpp::getNumOfCores();
        int numOfCaptureThreads = systemCores-1;
    
    
        pcpp::CoreMask cores = 0;
    
        int threadId = 0;
        int threadCount = 0;
    
        while (threadCount < numOfCaptureThreads)
    	{
    		if (SystemCores::IdToSystemCore[threadId].Id != device->getCurrentCoreId().Id)
    		{
    			cores |= SystemCores::IdToSystemCore[0].Mask;
    			threadCount++;
    		}
    
    		threadId++;
    	}
    
    
        if (!device->openMultiRxChannels(numOfCaptureThreads, PfRingDevice::PerFlow)) {
            std::cout << "Couldn't open RX Channels"
                      << "\n";
            return 1;
        }
    
        // Create a flow table for each core
    	std::map<std::uint32_t, bool> flowTables[1];
    
        // Initialize Data Object
    
        packetFingerprint dObj;
    
        // Initialize flow tables on Fingerprint Object
    
        dObj.flowTables = flowTables;
    
        // Start Packet Capturing
    
        std::cout << "Started Packet Capturing"
                  << "\n";
    
    
        if(!device->startCaptureMultiThread(packetArrived, &dObj, cores)) {
            std::cout << "Unable To Start Packet Capturing" << "\n";
        }
    
    }
    

    Makefile ---

    include /home/cornelius/PcapPlusPlusSource/mk/platform.mk
    include /home/cornelius/PcapPlusPlusSource/mk/PcapPlusPlus.mk
    
    
    # All Target
    all:
    	g++ -std=c++11 $(PCAPPP_INCLUDES) -c -o main.o main.cpp
    	g++ -DUSE_PF_RING $(PCAPPP_LIBS_DIR) -o packetObserver main.o $(PCAPPP_LIBS)
    
    # Clean Target
    clean:
    	rm main.o
    	rm packetObserver
    
    
    question 
    opened by gerald-dotcom 21
  • Sending packet exceeds MTU due to Ethernet layer

    I have a PCAP containing UDP packets that have been fragmented due to being well over the MTU. The first fragments fully use the MTU, meaning the IP layer is 1500 bytes long (IP header + payload). Then, when they were sent, a traditional 14-byte Ethernet layer was added, so the packet is 1514 bytes long in total.

    However, now that I want to send them back over the network, I'm having trouble with PcapLiveDevice::sendPacket(). It takes the whole raw packet, including the 14 bytes link layer, and determines that the packet is bigger than the 1500 bytes MTU, when I believe the Ethernet header should not be taken into consideration.

    I tried sending only the data starting at the IP layer (so exactly 1500 bytes); no error is shown but I can't see any packets in Wireshark. The only temporary solution was to increase the MTU to 1514 so that the checks in sendPacket() pass.

    Am I doing something wrong? Or should sendPacket() only count the data length at the IP layer?

    All of this is tried on Linux (CentOS 8.2), with a default MTU of 1500.

    bug 
    opened by The7Tycoon 20
  • RAII?

    Does this Library use RAII? Do I have to manually clean memory?

    I noted that running my application long hours results in corrupted data and I must be doing something wrong.

    opened by jeffRTC 20
  • C++11 / Remove pthread requirement for Windows

    Hi,

    This MR tries to remove the pthread requirement on Windows by switching to C++ threads introduced in C++11.

    I keep pthread on Linux as we use 'pthread_setaffinity_np()' and there is no equivalent with C++ threads.

    This is untested!

    opened by clementperon 0
  • 22.05 build fails on dpdk

    Using openSUSE Tumbleweed on x86_64, after the 22.05 update I'm seeing this error:

    ==== Building target: Pcap++ ====
    Building file: src/DpdkDevice.cpp
    src/DpdkDevice.cpp: In member function 'bool pcpp::DpdkDevice::configurePort(uint8_t, uint8_t)':
    src/DpdkDevice.cpp:44:57: error: 'ETH_RSS' was not declared in this scope; did you mean 'ETH_RSS_AH'?
       44 | #define DPDK_CONFIG_MQ_MODE                             ETH_RSS
          |                                                         ^~~~~~~
    src/DpdkDevice.cpp:249:35: note: in expansion of macro 'DPDK_CONFIG_MQ_MODE'
      249 |         portConf.rxmode.mq_mode = DPDK_CONFIG_MQ_MODE;
          |                                   ^~~~~~~~~~~~~~~~~~~
    src/DpdkDevice.cpp: In member function 'bool pcpp::DpdkDevice::startCaptureSingleThread(pcpp::OnDpdkPacketsArriveCallback, void*)':
    src/DpdkDevice.cpp:566:36: error: 'rte_get_master_lcore' was not declared in this scope; did you mean 'rte_get_main_lcore'?
      566 |                 if (coreId == (int)rte_get_master_lcore() || !rte_lcore_is_enabled(coreId))
          |                                    ^~~~~~~~~~~~~~~~~~~~
          |                                    rte_get_main_lcore
    

    Using dpdk 21.11.1.

    opened by lgbaldoni 3
  • intel XL710 i40e driver got PMD 'net_i40e' doesn't support the request RSS hash functions 0x41

    Just as title, I got issue of intel XL710 NIC

    Environment: dpdk 20.11 LTS, PcapPlusPlus 21.11, Ubuntu 20.04

    setup command ./setup_dpdk.py setup -g 2048 -i enp11s0f0

    execute command

    ./PcapPlusPlus-21.11/Dist/DpdkExample-FilterTraffic -d 0
    

    environment

    driver: i40e
    version: 2.14.13
    firmware-version: 8.60 0x8000bd7c 1.3140.0
    expansion-rom-version: 
    bus-info: 0000:0b:00.0
    supports-statistics: yes
    supports-test: yes
    supports-eeprom-access: yes
    supports-register-dump: yes
    supports-priv-flags: yes
    

    How can i fix it?

    opened by laskdjlaskdj12 16
  • pcapng damaged files

    Hello, I have recently discovered that LightPcapNg (which is used as a 3rd-party dependency for PcapPlusPlus) does not support truncated or damaged files. I implemented that support by using a more clever system of return statuses. I can improve it and make a pull request. Is this feature required for PcapPlusPlus?

    enhancement 
    opened by Beatle95 3
  • SOME/IP protocol support

    • Add SomeIpLayer class to process SOME/IP messages
    • Add SomeIpSdLayer class to process SOME/IP SD messages
    • Update README.md file
    • Add sample SOME/IP pcapng trace for tests

    Protocol specification

    • https://www.autosar.org/fileadmin/user_upload/standards/foundation/1-0/AUTOSAR_PRS_SOMEIPProtocol.pdf
    • https://www.autosar.org/fileadmin/user_upload/standards/foundation/1-2/AUTOSAR_PRS_SOMEIPServiceDiscoveryProtocol.pdf
    opened by miketsukerman 0
  • Cant run the DpdkExample-FilterTraffic

    Hey, we aren't able to run the DpdkExample-Filter for some reason. We are able to run other dpdk applications like the DpdkBridge app and other dpdk example apps, but not this Example app. We added a few debug print statements and the output is as follows: [image]. We tried reducing the mbuf by reducing 'DEFAULT_MBUF_POOL_SIZE' but we are still getting this error.

    opened by AlienX2001 7
Releases(v22.05)