1*8d23ce8fSStephen Hemminger.. SPDX-License-Identifier: BSD-3-Clause 2*8d23ce8fSStephen Hemminger Copyright(c) 2021 Microsoft Corporation 3*8d23ce8fSStephen Hemminger 4*8d23ce8fSStephen HemmingerPacket Capture Next Generation Library 5*8d23ce8fSStephen Hemminger====================================== 6*8d23ce8fSStephen Hemminger 7*8d23ce8fSStephen HemmingerExchanging packet traces becomes more and more critical every day. 8*8d23ce8fSStephen HemmingerThe de facto standard for this is the format define by libpcap; 9*8d23ce8fSStephen Hemmingerbut that format is rather old and is lacking in functionality 10*8d23ce8fSStephen Hemmingerfor more modern applications. 11*8d23ce8fSStephen HemmingerThe `Pcapng file format`_ is the default capture file format 12*8d23ce8fSStephen Hemmingerfor modern network capture processing tools 13*8d23ce8fSStephen Hemmingersuch as `wireshark`_ (can also be read by `tcpdump`_). 14*8d23ce8fSStephen Hemminger 15*8d23ce8fSStephen HemmingerThe Pcapng library is a an API for formatting packet data 16*8d23ce8fSStephen Hemmingerinto a Pcapng file. 17*8d23ce8fSStephen HemmingerThe format conforms to the current `Pcapng RFC`_ standard. 18*8d23ce8fSStephen HemmingerIt is designed to be integrated with the packet capture library. 19*8d23ce8fSStephen Hemminger 20*8d23ce8fSStephen HemmingerUsage 21*8d23ce8fSStephen Hemminger----- 22*8d23ce8fSStephen Hemminger 23*8d23ce8fSStephen HemmingerBefore the library can be used, the function ``rte_pcapng_init`` 24*8d23ce8fSStephen Hemmingershould be called once to initialize timestamp computation. 25*8d23ce8fSStephen Hemminger 26*8d23ce8fSStephen HemmingerThe output stream is created with ``rte_pcapng_fdopen``, 27*8d23ce8fSStephen Hemmingerand should be closed with ``rte_pcapng_close``. 28*8d23ce8fSStephen Hemminger 29*8d23ce8fSStephen HemmingerThe library requires a DPDK mempool to allocate mbufs. 30*8d23ce8fSStephen HemmingerThe mbufs need to be able to accommodate additional space 31*8d23ce8fSStephen Hemmingerfor the pcapng packet format header and trailer information; 32*8d23ce8fSStephen Hemmingerthe function ``rte_pcapng_mbuf_size`` should be used 33*8d23ce8fSStephen Hemmingerto determine the lower bound based on MTU. 34*8d23ce8fSStephen Hemminger 35*8d23ce8fSStephen HemmingerCollecting packets is done in two parts. 36*8d23ce8fSStephen HemmingerThe function ``rte_pcapng_copy`` is used to format and copy mbuf data 37*8d23ce8fSStephen Hemmingerand ``rte_pcapng_write_packets`` writes a burst of packets to the output file. 38*8d23ce8fSStephen Hemminger 39*8d23ce8fSStephen HemmingerThe function ``rte_pcapng_write_stats`` can be used 40*8d23ce8fSStephen Hemmingerto write statistics information into the output file. 41*8d23ce8fSStephen HemmingerThe summary statistics information is automatically added 42*8d23ce8fSStephen Hemmingerby ``rte_pcapng_close``. 43*8d23ce8fSStephen Hemminger 44*8d23ce8fSStephen Hemminger.. _Tcpdump: https://tcpdump.org/ 45*8d23ce8fSStephen Hemminger.. _Wireshark: https://wireshark.org/ 46*8d23ce8fSStephen Hemminger.. _Pcapng file format: https://github.com/pcapng/pcapng/ 47*8d23ce8fSStephen Hemminger.. _Pcapng RFC: https://datatracker.ietf.org/doc/html/draft-tuexen-opsawg-pcapng 48