In an application working with PCAPs I am using `rtshark` both for the inspection of individual packets, as well as a frontend for `tshark` to produce filtered PCAPs. The filtering part looks roughly like this:
```rust
let mut s = rtshark::RTSharkBuilder::builder()
    .input_path(input)
    .display_filter(filter)
    .output_path(output)
    .spawn()?;
// Drain every packet so tshark runs to completion; the packets themselves are discarded.
loop {
    let Some(_) = s.read()? else { break };
}
// Output file does exist here.
```
This works but can be slow (very slow for packets with many layers, e.g., SMB). This is due to the need to use `RTShark`'s `read` interface which always extracts and makes available the packets (created by `tshark` and parsed by `rtshark`, only to be dropped on the floor by me).
What I would much prefer for this use case would be a "batch interface" which prevents packet creation (both the part causing `tshark` to emit them as well as deserializing them into `Packet`s), e.g.,
```rust
// Imaginary API.
let _: Result<()> = rtshark::RTSharkBuilder::builder()
    .input_path(input)
    .display_filter(filter)
    .output_path(output)
    .batch();
// Output file does exist here.
```
Would you be open to adding something like this, or accept a PR implementing it?
Thanks for making `rtshark` available!
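As an added example (not part of the original issue and not `rtshark` code), one way to get the filter-only behaviour today is to run `tshark` directly, so no packets are emitted on stdout or deserialized. It assumes `tshark` is on `PATH`; `batch_filter` and `batch_filter_args` are hypothetical names.

```rust
use std::ffi::OsString;
use std::io;
use std::path::Path;
use std::process::{Command, Stdio};

/// Build the tshark arguments for a filter-only pass: read `input`, apply
/// the display filter, write matching packets to `output`. When -w is given,
/// tshark does not print decoded packets unless -P is also passed.
fn batch_filter_args(input: &Path, filter: &str, output: &Path) -> io::Result<Vec<OsString>> {
    // A path starting with '-' would be parsed by tshark as an option.
    // Reject it; a caller can pass "./-name" for a file really named that way.
    for p in [input, output] {
        if p.as_os_str().to_string_lossy().starts_with('-') {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                "path must not start with '-'",
            ));
        }
    }
    Ok(vec![
        OsString::from("-r"),
        input.as_os_str().to_os_string(),
        OsString::from("-Y"),
        OsString::from(filter),
        OsString::from("-w"),
        output.as_os_str().to_os_string(),
    ])
}

/// Run tshark to completion. Arguments are passed without a shell, so the
/// filter string is never subject to shell interpretation.
fn batch_filter(input: &Path, filter: &str, output: &Path) -> io::Result<()> {
    let status = Command::new("tshark") // assumption: tshark is on PATH
        .args(batch_filter_args(input, filter, output)?)
        .stdout(Stdio::null())
        .status()?;
    if status.success() {
        Ok(())
    } else {
        Err(io::Error::new(io::ErrorKind::Other, format!("tshark exited with {status}")))
    }
}

fn main() {
    // Constructed sample paths and filter.
    match batch_filter(Path::new("in.pcap"), "smb2", Path::new("out.pcap")) {
        Ok(()) => println!("wrote out.pcap"),
        Err(e) => eprintln!("filtering failed: {e}"),
    }
}
```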