PcapPlusPlus

<div align="center">

</div>

PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use.

PcapPlusPlus enables decoding and forging capabilities for a large variety of network protocols. It also provides easy to use C++ wrappers for the most popular packet processing engines such as libpcap, WinPcap, Npcap, DPDK, eBPF AF_XDP, WinDivert and PF_RING.

Translations: English · 正體中文 · 한국어

Table Of Contents

• Table Of Contents
• Download
  • GitHub Release Page
  • Homebrew
  • Vcpkg
  • Conan
  • Build It Yourself
  • Verify your packages
• Feature Overview
• Getting Started
• API Documentation
• Multi Platform Support
• Supported Network Protocols
  • Data Link Layer (L2)
  • Network Layer (L3)
  • Transport Layer (L4)
  • Session Layer (L5)
  • Presentation Layer (L6)
  • Application Layer (L7)
• DPDK And PF_RING Support
• Benchmarks
• Provide Feedback
• Contributing
• License

Download

You can choose between downloading from GitHub release page, use a package manager or build PcapPlusPlus yourself. For more details please visit the Download page in PcapPlusPlus web-site.

GitHub Release Page

https://github.com/seladb/PcapPlusPlus/releases/latest

Homebrew

brew install pcapplusplus

Homebrew formulae: https://formulae.brew.sh/formula/pcapplusplus

Vcpkg

Windows:

.\vcpkg install pcapplusplus

MacOS/Linux:

vcpkg install pcapplusplus

Vcpkg port: https://github.com/microsoft/vcpkg/tree/master/ports/pcapplusplus

Conan

conan install "pcapplusplus/[>0]@" -u

The package in ConanCenter: https://conan.io/center/pcapplusplus

Build It Yourself

Clone the git repository:

git clone https://github.com/seladb/PcapPlusPlus.git

Follow the build instructions according to your platform in the Build From Source page in PcapPlusPlus web-site.

Verify your packages

PcapPlusPlus releases which newer than v23.09 are signed with GitHub attestation. All of the attestations can be found here. You can verify the attestation of these packages with GitHub CLI. To verify packages you can follow the most recent instructions from gh attestation verify. For simple instructions you can use the following command:

gh attestation verify <path-to-package-file> --repository seladb/PcapPlusPlus

and you should see the following output in your terminal:

✓ Verification succeeded!

Feature Overview

• Packet capture through an easy to use C++ wrapper for popular packet capture engines such as libpcap, WinPcap, Npcap, Intel DPDK, eBPF AF_XDP, WinDivert, ntop’s PF_RING and raw sockets [Learn more]
• Packet parsing and crafting including detailed analysis of protocols and layers, packet generation and packet edit for a large variety of network protocols [Learn more]
• Read and write packets from/to files in both PCAP and PCAPNG formats [Learn more]
• Packet processing in line rate through an efficient and easy to use C++ wrapper for DPDK, eBPF AF_XDP and PF_RING [Learn more]
• Multiplatform support - PcapPlusPlus is fully supported on Linux, MacOS, Windows, Android and FreeBSD
• Packet reassembly - unique implementation of TCP Reassembly which includes TCP retransmission, out-of-order TCP packets and missing TCP data, and IP Fragmentation and Defragmentation to create and reassemble IPv4 and IPv6 fragments [Learn more]
• Packet filtering that makes libpcap's BPF filters a lot more user-friendly [Learn more]
• TLS Fingerprinting - a C++ implementation of JA3 and JA3S TLS fingerprinting [Learn more]

Getting Started

Writing applications with PcapPlusPlus is very easy and intuitive. Here is a simple application that shows how to read a packet from a PCAP file and parse it:

#include <iostream>
#include "IPv4Layer.h"
#include "Packet.h"
#include "PcapFileDevice.h"

int main(int argc, char* argv[])
{
    // open a pcap file for reading
    pcpp::PcapFileReaderDevice reader("1_packet.pcap");
    if (!reader.open())
    {
        std::cerr << "Error opening the pcap file" << std::endl;
        return 1;
    }

    // read the first (and only) packet from the file
    pcpp::RawPacket rawPacket;
    if (!reader.getNextPacket(rawPacket))
    {
        std::cerr << "Couldn't read the first packet in the file" << std::endl;
        return 1;
    }

    // parse the raw packet into a parsed packet
    pcpp::Packet parsedPacket(&rawPacket);

    // verify the packet is IPv4
    if (parsedPacket.isPacketOfType(pcpp::IPv4))
    {
        // extract source and dest IPs
        pcpp::IPv4Address srcIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getSrcIPv4Address();
        pcpp::IPv4Address destIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getDstIPv4Address();

        // print source and dest IPs
        std::cout << "Source IP is '" << srcIP << "'; Dest IP is '" << destIP << "'" << std::endl;
    }

    // close the file
    reader.close();

    return 0;
}

You can find much more information in the Getting Started page in PcapPlusPlus web-site. This page will walk you through few easy steps to have an app up and running.

API Documentation

PcapPlusPlus consists of 3 libraries:

1. Packet++ - a library for parsing, creating and editing network packets
2. Pcap++ - a library for intercepting and sending packets, providing network and NIC info, stats, etc. It is actually a C++ wrapper for packet capturing engines such as libpcap, WinPcap, Npcap, DPDK, AF_XDP, WinDivert and PF_RING
3. Common++ - a library with some common code utilities used by both Packet++ and Pcap++

You can find an extensive API documentation in the API documentation section in PcapPlusPlus web-site. If you see any missing data please contact us.

Multi Platform Support

PcapPlusPlus is currently supported on Windows <picture> <img src="https://github.com/PcapPlusPlus/pcapplusplus.github.io/raw/master/static/img/os-logos/logo-windows.png" alt="" width="16" height="16"/> </picture>, Linux <picture> <img