libpnet VS tcpflow

Hey, I'm looking for the best way to do packet capture in Rust. I've looked at both libpnet and pcap crates, and they both seem way less mature and with less functionality than the PcapPlusPlus library, which seems to be the golden suite of packet capture and manipulation.

> I mentioned really briefly that tcpdump lets you save pcap files. This is awesome because literally every network analysis tool in the universe understands pcap files. pcap files are like freshly baked chocolate chip cookies. Everybody loves them.

OMG, yes, very well put. When I get a bug report with a pcap file I know I'll be able to know exactly what happened.

Speaking of which: for one of my libraries, I want to make a diagnostic tool that replays an interaction. My library mostly operates at the TCP level (also some UDP), so I need to reconstruct the TCP flows in my tool to feed to my library. Either I need an easy-to-use Rust library to do that directly from pcap files [1] or some format that represents bytes moving over the flow (like sets of lines with a timestamp, flow id, and pretty hexdump of the bytes) with a tool that produces it from pcap. This seems like something that should exist? Wireshark's “Analyze > Follow > TCP Stream”’s “Save As…” with "hex dump" is kind of what I want, but it doesn't have timestamps, and it doesn't have a way to put everything (multiple flows, UDP packets also) in one file.

[1] https://crates.io/crates/pnet looks promising but it wasn't as obvious as I hoped how to plug it in for what I want.

libpnet provides a cross-platform API for low level networking using Rust.

> where: timestamp is an optional timestamp of the time that the first packet was seen

https://github.com/simsong/tcpflow/blob/master/doc/tcpflow.1...

.B t

tcpflow

Mentioning tcpflow here b/c it's one of the most useful networking related tools I know of that very few people even know about.

What does it do?

It can reassemble TCP packets back into the FULL body of the original message sent. e.g. if you make a HTTP GET request, it will show you the full text in a file stamped with the time, source and dest ips and port.

Things I've found it REALLY useful for:

- migrating a data center

- for some reason, connection works fine on the old DC but seems to time out in weird ways in the new DC

- No one can figure it out

- I suggest using tcpflow

- Turn out there was a setting in the new DC network hardware that was truncating larger packets and the authorization message was just over the threshold

People always say "yeah, but Wireshark" which is true, that's a good tool too. That being said, there is just something about seeing the "raw" text of a message sent by a machine over the wire and being able to see it in text from the command line.

https://github.com/simsong/tcpflow

There seems to be an issue open for this https://github.com/simsong/tcpflow/issues/58