PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use.
PcapPlusPlus enables decoding and forging capabilities for a large variety of network protocols. It also provides easy to use C++ wrappers for the most popular packet processing engines such as libpcap, WinPcap, Npcap, DPDK, eBPF AF_XDP and PF_RING.
Table Of Contents
Download
GitHub Release Page
Homebrew
Vcpkg
Conan
Build It Yourself
Verify your packages
Feature Overview
Getting Started
API Documentation
Multi Platform Support
Supported Network Protocols
Data Link Layer (L2)
Network Layer (L3)
Transport Layer (L4)
Session Layer (L5)
Presentation Layer (L6)
Application Layer (L7)
DPDK And PF_RING Support
Benchmarks
Provide Feedback
Contributing
License
You can choose between downloading from the GitHub release page, using a package manager or building PcapPlusPlus yourself. For more details please visit the Download page in PcapPlusPlus web-site.
GitHub Release Page: https://github.com/seladb/PcapPlusPlus/releases/latest
Homebrew:
brew install pcapplusplus
Homebrew formulae: https://formulae.brew.sh/formula/pcapplusplus
Vcpkg:
Windows:
.\vcpkg install pcapplusplus
MacOS/Linux:
vcpkg install pcapplusplus
Vcpkg port: https://github.com/microsoft/vcpkg/tree/master/ports/pcapplusplus
Conan:
conan install "pcapplusplus/[>0]@" -u
The package in ConanCenter: https://conan.io/center/pcapplusplus
Build It Yourself:
Clone the git repository:
git clone https://github.com/seladb/PcapPlusPlus.git
Follow the build instructions according to your platform in the Build From Source page in PcapPlusPlus web-site.
PcapPlusPlus releases newer than v23.09 are signed with GitHub attestation. All of the attestations can be found here. You can verify the attestation of these packages with GitHub CLI. To verify packages you can follow the most recent instructions from gh attestation verify. For simple instructions you can use the following command:
gh attestation verify <path-to-package-file> --repository seladb/PcapPlusPlus
and you should see the following output in your terminal:
✓ Verification succeeded!
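A fail-closed wrapper around the command above, as an added example that is not part of the PcapPlusPlus project: it checks every downloaded package before anything is unpacked and decides on the exit status of gh rather than on the printed text. The function name verify_release_files and the script layout are assumptions; the repository name is the one given above.

```bash
#!/usr/bin/env bash
# Added example, not PcapPlusPlus project code.
# REPO is taken from the page; verify_release_files is a hypothetical name.

REPO="seladb/PcapPlusPlus"

# verify_release_files FILE...
# Runs `gh attestation verify` on every file and returns 0 only if ALL of
# them verify. Any problem (no gh, missing file, failed check) returns 1,
# so a caller can refuse to unpack or install.
verify_release_files() {
    if [ "$#" -eq 0 ]; then
        echo "usage: verify_release_files <path-to-package-file>..." >&2
        return 1
    fi
    # No verifier available means "not verified", never "skip the check".
    if ! command -v gh >/dev/null 2>&1; then
        echo "gh CLI not found: cannot verify, refusing to continue" >&2
        return 1
    fi
    for pkg in "$@"; do
        if [ ! -f "$pkg" ]; then
            echo "missing file: $pkg" >&2
            return 1
        fi
        # Decide on the exit status; the human-readable output is discarded.
        if ! gh attestation verify "$pkg" --repository "$REPO" >/dev/null; then
            echo "attestation check FAILED for $pkg" >&2
            return 1
        fi
        echo "verified: $pkg"
    done
    return 0
}

# When run as a script with arguments, verify them and stop on failure:
#   ./verify.sh <path-to-package-file>...
if [ "$#" -gt 0 ]; then
    verify_release_files "$@" || exit 1
fi
```

Call it in an install script before the extraction step, so that a package whose attestation does not match the repository is never unpacked.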
Packet capture through an easy to use C++ wrapper for popular packet capture engines such as libpcap, WinPcap, Npcap, Intel DPDK, eBPF AF_XDP, ntop’s PF_RING and raw sockets [Learn more]
Packet parsing and crafting including detailed analysis of protocols and layers, packet generation and packet edit for a large variety of network protocols [Learn more]
Read and write packets from/to files in both PCAP and PCAPNG formats [Learn more]
Packet processing in line rate through an efficient and easy to use C++ wrapper for DPDK, eBPF AF_XDP and PF_RING [Learn more]
Multiplatform support - PcapPlusPlus is fully supported on Linux, MacOS, Windows, Android and FreeBSD
Packet reassembly - unique implementation of TCP Reassembly which includes TCP retransmission, out-of-order TCP packets and missing TCP data, and IP Fragmentation and Defragmentation to create and reassemble IPv4 and IPv6 fragments [Learn more]
Packet filtering that makes libpcap's BPF filters a lot more user-friendly [Learn more]
TLS Fingerprinting - a C++ implementation of JA3 and JA3S TLS fingerprinting [Learn more]
Writing applications with PcapPlusPlus is very easy and intuitive. Here is a simple application that shows how to read a packet from a PCAP file and parse it:
```cpp
#include <iostream>
#include "IPv4Layer.h"
#include "Packet.h"
#include "PcapFileDevice.h"

int main(int argc, char* argv[])
{
    // open a pcap file for reading
    pcpp::PcapFileReaderDevice reader("1_packet.pcap");
    if (!reader.open())
    {
        std::cerr << "Error opening the pcap file" << std::endl;
        return 1;
    }

    // read the first (and only) packet from the file
    pcpp::RawPacket rawPacket;
    if (!reader.getNextPacket(rawPacket))
    {
        std::cerr << "Couldn't read the first packet in the file" << std::endl;
        return 1;
    }

    // parse the raw packet into a parsed packet
    pcpp::Packet parsedPacket(&rawPacket);

    // verify the packet is IPv4
    if (parsedPacket.isPacketOfType(pcpp::IPv4))
    {
        // extract source and dest IPs
        pcpp::IPv4Address srcIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getSrcIPv4Address();
        pcpp::IPv4Address destIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getDstIPv4Address();

        // print source and dest IPs
        std::cout << "Source IP is '" << srcIP << "'; Dest IP is '" << destIP << "'" << std::endl;
    }

    // close the file
    reader.close();

    return 0;
}
```
You can find much more information in the Getting Started page in PcapPlusPlus web-site. This page will walk you through a few easy steps to have an app up and running.
PcapPlusPlus consists of 3 libraries:
Packet++ - a library for parsing, creating and editing network packets
Pcap++ - a library for intercepting and sending packets, providing network and NIC info, stats, etc. It is actually a C++ wrapper for packet capturing engines such as libpcap, WinPcap, Npcap, DPDK and PF_RING
Common++ - a library with some common code utilities used by both Packet++ and Pcap++
You can find extensive API documentation in the API documentation section in PcapPlusPlus web-site. If you see any missing data please contact us.
PcapPlusPlus is currently supported on Windows
PcapPlusPlus currently supports parsing, editing and creation of packets of the following protocols:
Data Link Layer (L2):
Ethernet II
IEEE 802.3 Ethernet
LLC (Only BPDU supported)
Null/Loopback
Packet trailer (a.k.a footer or padding)
PPPoE
SLL (Linux cooked capture)
SLL2 (Linux cooked capture v2)
STP
VLAN
VXLAN
Wake on LAN (WoL)
NFLOG (Linux Netfilter NFLOG) - parsing only (no editing capabilities)
Network Layer (L3):
ARP
GRE
ICMP
ICMPv6
IGMP (IGMPv1, IGMPv2 and IGMPv3 are supported)
IPv4
IPv6
MPLS
NDP
Raw IP (IPv4 & IPv6)
VRRP (IPv4 & IPv6)
WireGuard
Transport Layer (L4):
COTP
GTP (v1)
IPSec AH & ESP - parsing only (no editing capabilities)
TCP
TPKT
UDP
Session Layer (L5):
SDP
SIP
Presentation Layer (L6):
SSL/TLS - parsing only (no editing capabilities)
Application Layer (L7):
ASN.1 decoder and encoder
BGP (v4)
DHCP
DHCPv6
DNS
FTP
HTTP headers (request & response)
LDAP
NTP (v3, v4)
Radius
S7 Communication (S7comm)
SMTP
SOME/IP
SSH - parsing only (no editing capabilities)
Telnet - parsing only (no editing capabilities)
Generic payload
The Data Plane Development Kit (DPDK) is a set of data plane libraries and network interface controller drivers for fast packet processing.
PF_RING™ is a new type of network socket that dramatically improves the packet capture speed.
Both frameworks provide very fast packet processing (up to line speed) and are used in many network applications such as routers, firewalls, load balancers, etc. PcapPlusPlus provides a C++ abstraction layer over DPDK & PF_RING. This abstraction layer provides an easy to use interface that removes a lot of the boilerplate involved in using these frameworks. You can learn more by visiting the DPDK & PF_RING support pages in PcapPlusPlus web-site.
We used Matias Fontanini's packet-capture-benchmarks project to compare the performance of PcapPlusPlus with other similar C++ libraries (such as libtins and libcrafter).
You can see the results in the Benchmarks page in PcapPlusPlus web-site.
We'd be more than happy to get feedback. Please feel free to reach out to us in any of the following ways:
Open a GitHub ticket
Post a message in PcapPlusPlus Google group: https://groups.google.com/d/forum/pcapplusplus-support
Ask a question on Stack Overflow: https://stackoverflow.com/questions/tagged/pcapplusplus
Send an email to: [email protected]
Follow us on X: https://x.com/seladb
If you like this project please Star us on GitHub — it helps! ⭐ ⭐
Please visit the PcapPlusPlus web-site to learn more.
We would very much appreciate any contribution to this project. If you're interested in contributing please visit the contribution page in PcapPlusPlus web-site.
PcapPlusPlus is released under the Unlicense license.