pktbaffle

A pure-Rust ecosystem for packet filtering and capture.

Crate	Description
pktbaffle	Compile libpcap-style filter expressions to cBPF / eBPF bytecode
pkttap	Cross-platform packet capture (live + pcap/pcapng file)

---

pktbaffle

Parses the same filter syntax used by tcpdump and Wireshark and produces classic BPF (cBPF) or extended BPF (eBPF) bytecode with zero C dependencies.

[dependencies]
pktbaffle = "0.1"

use pktbaffle::{compile, codegen::LinkType, Target};

let prog = compile("tcp port 443", LinkType::Ethernet, Target::Classic)?;

See pktbaffle/README.md for the full filter expression reference.

---

pkttap

Wraps platform-specific live capture (Linux AF_PACKET, macOS /dev/bpf, Windows Npcap) and pcap/pcapng file I/O behind a unified API, using pktbaffle to compile filter expressions.

[dependencies]
pkttap = "0.1"

use pkttap::Capture;

let mut cap = Capture::live("eth0")
    .promiscuous(true)
    .filter("tcp port 443")
    .open()?;

while let Some(pkt) = cap.next()? {
    println!("{} bytes", pkt.data.len());
}

See pkttap/README.md for full documentation.

---

License

Licensed under the MIT license.