Packet Manipulation Framework: PcapPlusPlus

ID N0WHERE:172039
Type n0where
Reporter N0where
Modified 2017-08-10T17:59:51


PcapPlusPlus is a multiplatform C++ network sniffing and packet parsing and manipulation framework. PcapPlusPlus is meant to be lightweight, efficient and easy to use.

What makes PcapPlusPlus different from similar C++ wrappers for libpcap/WinPcap?

  • Designed to be lightweight and efficient
  • Support for DPDK fast packet processing engine which enables packet capturing and transmission at line rate using kernel bypass
  • Support for ntop’s PF_RING packet capturing engine that dramatically improves the packet capture speed
  • Support for parsing and editing of many protocols, including L7 protocols like HTTP and SSL/TLS
  • Unique implementation of TCP reassembly logic which includes support of TCP retransmission, out-of-order TCP packets and missing TCP data
  • Support for Remote Capture capabilities on Windows (using RPCAP protocol supported in WinPcap)
  • Support for reading and writing PCAPNG files (a lot more than currently supported in WinPcap/libpcap)
  • Vast object-oriented filtering mechanism that makes libpcap filters a lot more user-friendly (no need to know the exact filter string to use)

PcapPlusPlus is currently supported on Windows, Linux and Mac OS X. It was tested on the following platforms:

  • Windows:
    • Microsoft Visual Studio 2015 (32-bit + 64-bit compilation)
    • MinGW32 (32-bit compilation only)
    • MinGW-w64 (32-bit compilation only)
  • Linux:
    • Ubuntu (12.04 LTS, 14.04 LTS, 16.04 LTS, 14.10)
    • Fedora
    • CentOS
    • It should work on other Linux distributions as well
  • Mac OS X:
    • Yosemite (10.10)
    • El Capitan (10.11)
    • Sierra (10.12)

Supported packet capture engines

PcapPlusPlus currently works with the following packet capture engines:

  • libpcap live capture (on Linux and Mac OS X)
  • WinPcap live capture (on Windows)
  • ntop’s Vanilla PF_RING engine (on Linux)
  • Intel DPDK engine (on Linux)
  • WinPcap Remote live capture (on Windows)
  • PCAP and PCAPNG file devices (reading and writing)

Supported protocols

The Packet++ library currently supports parsing, editing and creation of packets of the following protocols:

  • Ethernet
  • SLL (Linux cooked capture)
  • Null/Loopback
  • Raw IP (IPv4 & IPv6)
  • IPv4
  • IPv6
  • ARP
  • VLAN
  • MPLS
  • PPPoE
  • GRE
  • TCP
  • UDP
  • ICMP
  • IGMP (IGMPv1, IGMPv2 and IGMPv3 are supported)
  • DNS
  • DHCP
  • HTTP headers (request & response)
  • SSL/TLS – parsing only (no editing capabilities)
  • Generic payload

Packet And Network Utilities

  • TCP reassembly logic
  • Packet hash key creation (by 5-tuple and 2-tuple)
  • Retrieve remote machine MAC address using ARP protocol
  • Retrieve host IPv4 address by using DNS protocol
  • Checksum calculation
