Ethernet frames.
This is a packet-level subscription that delivers raw Ethernet frames in the order of arrival.
§Example
Prints IPv4 packets with a TTL greater than 64:
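    use retina_core::config::default_config;
    use retina_core::subscription::Frame;
    use retina_core::Runtime;
    use retina_filtergen::filter;

    #[filter("ipv4.time_to_live > 64")]
    fn main() {
        let config = default_config();
        // Invoked once per matching frame, in arrival order.
        let cb = |frame: Frame| {
            println!("{:?}", frame.data);
        };
        // `filter` is generated by the #[filter] attribute above.
        let mut runtime = Runtime::new(config, filter, cb).unwrap();
        runtime.run();
    }
§Remarks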
The Frame type is most suited for packet-specific analysis with filters that do not require
connection tracking or stream-level protocol parsing. While all types of filters are technically
allowed, some may introduce subtle behaviors.
For example, take the filter tcp.port = 80 or http. Packet-level filters take precedence in
Retina, meaning that if a packet satisfies the filter, the callback will immediately be invoked.
In this example, Retina will deliver all TCP packets where the source or destination port is 80,
as well as packets associated with HTTP request/response messages (not including control
packets) in connections not on port 80. For HTTP connections on port 80, Retina will deliver all
packets in the connection (including control packets) by virtue of satisfying the tcp.port = 80 predicate.
To subscribe to all packets in the connection by default (with connection-level semantics), use
ConnectionFrame instead.
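The delivery rule described in these remarks, as an added example that is not part of the Retina documentation or code base: a self-contained toy model of which packets a Frame subscription receives under tcp.port = 80 or http. The Kind and Pkt types, the conn_is_http flag and the sample traffic are hypothetical and constructed for illustration.

```rust
// Toy model of the delivery rule above. Not Retina's implementation:
// every type and name is hypothetical and the traffic is constructed.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Kind {
    Control,     // SYN/ACK/FIN segments with no application payload
    HttpMessage, // segment that is part of an HTTP request/response message
}

#[derive(Clone, Copy, Debug)]
struct Pkt {
    src_port: u16,
    dst_port: u16,
    kind: Kind,
    conn_is_http: bool, // assumed outcome of stream-level parsing for the connection
}

/// Models `tcp.port = 80 or http` on a packet-level (Frame) subscription.
fn delivered(p: &Pkt) -> bool {
    // The packet-level predicate takes precedence: it matches on the header
    // alone, so every packet of a port-80 connection is delivered.
    if p.src_port == 80 || p.dst_port == 80 {
        return true;
    }
    // Off port 80 only `http` can match, and it covers packets that belong
    // to HTTP messages, not the connection's control packets.
    p.conn_is_http && p.kind == Kind::HttpMessage
}

/// Constructed sample traffic as (label, packet) pairs.
fn sample() -> Vec<(&'static str, Pkt)> {
    let p = |s: u16, d: u16, kind: Kind, h: bool| Pkt { src_port: s, dst_port: d, kind, conn_is_http: h };
    vec![
        ("port 80 SYN", p(51000, 80, Kind::Control, true)),
        ("port 80 GET", p(51000, 80, Kind::HttpMessage, true)),
        ("port 80 non-HTTP ACK", p(51001, 80, Kind::Control, false)),
        ("port 8080 SYN", p(51002, 8080, Kind::Control, true)),
        ("port 8080 GET", p(51002, 8080, Kind::HttpMessage, true)),
        ("port 8080 response", p(8080, 51002, Kind::HttpMessage, true)),
        ("port 443 ACK", p(51003, 443, Kind::Control, false)),
    ]
}

fn delivered_labels() -> Vec<&'static str> {
    sample().into_iter().filter(|(_, p)| delivered(p)).map(|(l, _)| l).collect()
}

fn main() {
    println!("{:?}", delivered_labels());
}
```

The port 8080 SYN is the packet to notice: it belongs to an HTTP connection but is not delivered, which is the gap ConnectionFrame closes.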
Structs§
- Frame: An Ethernet Frame.