PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use.
PcapPlusPlus enables decoding and forging capabilities for a large variety of network protocols. It also provides easy to use C++ wrappers for the most popular packet processing engines such as libpcap, WinPcap, Npcap, DPDK, eBPF AF_XDP and PF_RING.
You can choose between downloading from GitHub release page, use a package manager or build PcapPlusPlus yourself. For more details please visit the Download page in PcapPlusPlus web-site.
https://github.com/seladb/PcapPlusPlus/releases/latest
brew install pcapplusplus
Homebrew formulae: https://formulae.brew.sh/formula/pcapplusplus
Windows:
.\vcpkg install pcapplusplus
MacOS/Linux:
vcpkg install pcapplusplus
Vcpkg port: https://github.com/microsoft/vcpkg/tree/master/ports/pcapplusplus
conan install "pcapplusplus/[>0]@" -u
The package in ConanCenter: https://conan.io/center/pcapplusplus
Clone the git repository:
git clone https://github.com/seladb/PcapPlusPlus.git
Follow the build instructions according to your platform in the Build From Source page in PcapPlusPlus web-site.
Writing applications with PcapPlusPlus is very easy and intuitive. Here is a simple application that shows how to read a packet from a PCAP file and parse it:
#include <iostream>
#include "IPv4Layer.h"
#include "Packet.h"
#include "PcapFileDevice.h"
int main(int argc, char* argv[])
{
// open a pcap file for reading
pcpp::PcapFileReaderDevice reader("1_packet.pcap");
if (!reader.open())
{
std::cerr << "Error opening the pcap file" << std::endl;
return 1;
}
// read the first (and only) packet from the file
pcpp::RawPacket rawPacket;
if (!reader.getNextPacket(rawPacket))
{
std::cerr << "Couldn't read the first packet in the file" << std::endl;
return 1;
}
// parse the raw packet into a parsed packet
pcpp::Packet parsedPacket(&rawPacket);
// verify the packet is IPv4
if (parsedPacket.isPacketOfType(pcpp::IPv4))
{
// extract source and dest IPs
pcpp::IPv4Address srcIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getSrcIPv4Address();
pcpp::IPv4Address destIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getDstIPv4Address();
// print source and dest IPs
std::cout << "Source IP is '" << srcIP << "'; Dest IP is '" << destIP << "'" << std::endl;
}
// close the file
reader.close();
return 0;
}
You can find much more information in the Getting Started page in PcapPlusPlus web-site. This page will walk you through few easy steps to have an app up and running.
PcapPlusPlus consists of 3 libraries:
You can find an extensive API documentation in the API documentation section in PcapPlusPlus web-site. If you see any missing data please contact us.
PcapPlusPlus is currently supported on Windows
, __Linux__ , __MacOS__ , __Android__ and __FreeBSD__ . Please visit PcapPlusPlus web-site to see all of the [supported platforms](https://pcapplusplus.github.io/docs/platforms) and refer to the [Download](#download) section to start using PcapPlusPlus on your platform. ## Supported Network Protocols PcapPlusPlus currently supports parsing, editing and creation of packets of the following protocols: ### Data Link Layer (L2) 1. Ethernet II 2. IEEE 802.3 Ethernet 3. LLC (Only BPDU supported) 4. Null/Loopback 5. Packet trailer (a.k.a footer or padding) 6. PPPoE 7. SLL (Linux cooked capture) 8. SLL2 (Linux cooked capture v2) 9. STP 10. VLAN 11. VXLAN 12. Wake on LAN (WoL) 13. NFLOG (Linux Netfilter NFLOG) - parsing only (no editing capabilities) ### Network Layer (L3) 14. ARP 15. GRE 16. ICMP 17. ICMPv6 18. IGMP (IGMPv1, IGMPv2 and IGMPv3 are supported) 19. IPv4 20. IPv6 21. MPLS 22. NDP 23. Raw IP (IPv4 & IPv6) 24. VRRP (IPv4 & IPv6) ### Transport Layer (L4) 25. COTP 26. GTP (v1) 27. IPSec AH & ESP - parsing only (no editing capabilities) 28. TCP 29. TPKT 30. UDP ### Session Layer (L5) 31. SDP 32. SIP ### Presentation Layer (L6) 33. SSL/TLS - parsing only (no editing capabilities) ### Application Layer (L7) 34. ASN.1 decoder and encoder 35. BGP (v4) 36. DHCP 37. DHCPv6 38. DNS 39. FTP 40. HTTP headers (request & response) 41. LDAP 42. NTP (v3, v4) 43. Radius 44. S7 Communication (S7comm) 45. SMTP 46. SOME/IP 47. SSH - parsing only (no editing capabilities) 48. Telnet - parsing only (no editing capabilities) 49. Generic payload ## DPDK And PF_RING Support [The Data Plane Development Kit (DPDK)](https://www.dpdk.org/) is a set of data plane libraries and network interface controller drivers for fast packet processing. [PF_RING™](https://www.ntop.org/products/packet-capture/pf_ring/) is a new type of network socket that dramatically improves the packet capture speed. Both frameworks provide very fast packets processing (up to line speed) and are used in many network applications such as routers, firewalls, load balancers, etc. PcapPlusPLus provides a C++ abstraction layer over DPDK & PF_RING. This abstraction layer provides an easy to use interface that removes a lot of the boilerplate involved in using these frameworks. You can learn more by visiting the [DPDK](https://pcapplusplus.github.io/docs/dpdk) & [PF_RING](https://pcapplusplus.github.io/docs/features#pf_ring-support) support pages in PcapPlusPlus web-site. ## Benchmarks We used Matias Fontanini's [packet-capture-benchmarks](https://github.com/mfontanini/packet-capture-benchmarks) project to compare the performance of PcapPlusPlus with other similar C++ libraries (such as `libtins` and `libcrafter`). You can see the results in the [Benchmarks](https://pcapplusplus.github.io/docs/benchmark) page in PcapPlusPlus web-site. ## Provide Feedback We'd be more than happy to get feedback, please feel free to reach out to us in any of the following ways: - Open a GitHub ticket - Post a message in PcapPlusPlus Google group: