40. Packet Capture Next Generation Library

Exchanging packet traces becomes more and more critical every day. The de facto standard for this is the format defined by libpcap, but that format is rather old and lacks functionality needed by more modern applications. The Pcapng file format is the default capture file format for modern network capture processing tools such as Wireshark (it can also be read by tcpdump).

The Pcapng library is an API for formatting packet data into a Pcapng file. The format conforms to the current Pcapng RFC standard. It is designed to be integrated with the packet capture library.

40.1. Usage

Before the library can be used, the function rte_pcapng_init should be called once to initialize timestamp computation.

The output stream is created with rte_pcapng_fdopen, and should be closed with rte_pcapng_close.

The library requires a DPDK mempool to allocate mbufs. The mbufs need to be able to accommodate additional space for the pcapng packet format header and trailer information; the function rte_pcapng_mbuf_size should be used to determine the lower bound based on MTU.

Collecting packets is done in two parts. The function rte_pcapng_copy is used to format and copy mbuf data, and rte_pcapng_write_packets writes a burst of packets to the output file.

The function rte_pcapng_write_stats can be used to write statistics information into the output file. The summary statistics information is automatically added by rte_pcapng_close.
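To illustrate the header and trailer space mentioned above, the following added example (not DPDK code, and independent of the library) wraps a packet in an Enhanced Packet Block as laid out in the pcapng specification and defensively validates such a block before its lengths are trusted. It assumes a block with no options; the function names are hypothetical, and rte_pcapng_mbuf_size remains the value to use when sizing mbufs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EPB_TYPE  0x00000006u  /* Enhanced Packet Block type (pcapng spec) */
#define EPB_FIXED 32u          /* 28-byte header + 4-byte trailing length */

static uint32_t pad4(uint32_t n) { return (n + 3u) & ~3u; }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); } /* native order */
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Bytes one packet occupies in the file when no options are attached. */
uint32_t epb_size(uint32_t caplen) { return EPB_FIXED + pad4(caplen); }

/* Wrap pkt in an EPB. Returns the block length, or 0 if it does not fit. */
uint32_t epb_build(uint8_t *out, size_t cap, uint32_t ifid, uint64_t ts,
                   const uint8_t *pkt, uint32_t caplen, uint32_t origlen)
{
    uint32_t total;
    if (caplen > UINT32_MAX - EPB_FIXED - 3u) return 0; /* length would wrap */
    total = epb_size(caplen);
    if (cap < total) return 0;
    memset(out, 0, total);                  /* zero the padding bytes */
    put32(out, EPB_TYPE);
    put32(out + 4, total);                  /* leading block total length */
    put32(out + 8, ifid);
    put32(out + 12, (uint32_t)(ts >> 32));  /* timestamp, upper 32 bits */
    put32(out + 16, (uint32_t)ts);          /* timestamp, lower 32 bits */
    put32(out + 20, caplen);
    put32(out + 24, origlen);
    if (caplen) memcpy(out + 28, pkt, caplen);
    put32(out + total - 4, total);          /* trailing block total length */
    return total;
}

/* Check a block read from a capture file before using its lengths.
 * Returns the captured length, or -1 if the block is malformed. */
int64_t epb_check(const uint8_t *blk, size_t avail)
{
    uint32_t total, caplen;
    if (avail < EPB_FIXED || get32(blk) != EPB_TYPE) return -1;
    total = get32(blk + 4);
    if (total < EPB_FIXED || (total & 3u) || total > avail) return -1;
    if (get32(blk + total - 4) != total) return -1; /* trailer must match */
    caplen = get32(blk + 20);
    if (caplen > total - EPB_FIXED) return -1;      /* data must fit in block */
    return caplen;
}
```

A 61-byte packet occupies 96 bytes in the file: 32 bytes of fixed framing plus the data padded to a 32-bit boundary.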