I’m delighted to announce that Sniffnet v1.4 is finally available!
This major release brings a bunch of improvements and fixes, making Sniffnet more powerful and reliable than ever before.
One of the most exciting new features is the ability to process network data from PCAP files in addition to network adapters.
PCAP (Packet Capture) is a standardized file format for storing network traffic data, widely used by many renowned network analysis tools, including tcpdump and Wireshark (the de-facto standard when it comes to network packet analyzers).
Supporting PCAP file import not only makes Sniffnet fully compatible with other network monitoring tools, but also makes it possible to inspect historical data, which is crucial for troubleshooting and network forensics.
In the video below, you can see Sniffnet in action processing a PCAP file of 1.6 GB (2.6 million packets), corresponding to a whole day of Internet traffic of my personal computer.
It takes just about 25 seconds to process the file on an 8-year-old MacBook Air (1.8 GHz Dual-Core Intel Core i5).
This corresponds to more than 100k packets per second, making it 2.2 times faster than Wireshark on the same machine, which takes about 55 seconds to process the file.
Not only is Sniffnet faster, but it also lets you preview and interact with the data while it’s being processed, whereas Wireshark requires the whole file to be parsed before displaying any information.
This is a notable feature, especially for large files, as it permits you to start examining the traffic immediately, without waiting for the entire file to be read.
But… how is Sniffnet this fast?
Part of the reason is that Sniffnet is based on the Rust programming language (well-known for its efficiency), but this doesn’t tell the whole story.
In fact, Wireshark is written in C, which, despite not being as safe as Rust, still offers top-tier performance, as shown in the table to the right.
Additionally, Sniffnet uses the pcap crate to process data, which is just a Rust binding library to libpcap (the same underlying engine used by Wireshark).
What really sets Sniffnet apart is that it takes a different approach to processing network data:
instead of parsing the full packets’ payloads, it focuses on extracting only the most relevant fields from the packets’ headers, such as IP addresses, ports, and protocols.
This minimal amount of information is then used to infer other details like countries, domain names, autonomous systems names, upper layer services, and more.
Considering that nowadays more than 90% of the web traffic uses TLS, this strategy yields huge performance gains without losing much relevant information:
if payloads are encrypted, no meaningful data can be discerned from them anyway.
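
The header-only approach described above, as an added example (this is not Sniffnet's own code): it reads the Ethernet, IPv4 and first four TCP/UDP bytes of a frame and never touches the payload. `FlowKey`, `flow_key` and `sample_frame` are hypothetical names, the sample frame is constructed with documentation-range addresses, and only IPv4 over Ethernet II is handled.

```rust
use std::net::Ipv4Addr;

/// The only fields kept per packet; bytes after the L4 ports are never read.
#[derive(Debug, PartialEq)]
pub struct FlowKey {
    pub src: Ipv4Addr,
    pub dst: Ipv4Addr,
    pub proto: u8,                 // IP protocol number (6 = TCP, 17 = UDP)
    pub ports: Option<(u16, u16)>, // (source, destination) when available
}

/// Extract a FlowKey from an Ethernet II frame carrying IPv4.
pub fn flow_key(frame: &[u8]) -> Option<FlowKey> {
    // Ethernet header: 6 B dst MAC, 6 B src MAC, 2 B EtherType (0x0800 = IPv4).
    if frame.len() < 14 || frame[12] != 0x08 || frame[13] != 0x00 {
        return None;
    }
    let ip = &frame[14..];
    let first = *ip.first()?;
    let ihl = usize::from(first & 0x0f) * 4; // IPv4 header length in bytes
    if first >> 4 != 4 || ihl < 20 {
        return None;
    }
    let hdr = ip.get(..ihl)?; // None if the capture truncated the IP header
    let src = Ipv4Addr::new(hdr[12], hdr[13], hdr[14], hdr[15]);
    let dst = Ipv4Addr::new(hdr[16], hdr[17], hdr[18], hdr[19]);
    // Only the first fragment carries the L4 header, so skip ports otherwise.
    let first_fragment = (u16::from_be_bytes([hdr[6], hdr[7]]) & 0x1fff) == 0;
    let ports = match hdr[9] {
        6 | 17 if first_fragment => ip.get(ihl..ihl + 4).map(|p| {
            (u16::from_be_bytes([p[0], p[1]]), u16::from_be_bytes([p[2], p[3]]))
        }),
        _ => None,
    };
    Some(FlowKey { src, dst, proto: hdr[9], ports })
}

/// Constructed sample frame: Ethernet + IPv4 + TCP ports + opaque bytes.
pub fn sample_frame() -> Vec<u8> {
    let mut f = vec![0u8; 12]; // MAC addresses, zeroed
    f.extend_from_slice(&[0x08, 0x00]); // EtherType: IPv4
    f.extend_from_slice(&[0x45, 0, 0, 60, 0, 0, 0x40, 0, 64, 6, 0, 0]);
    f.extend_from_slice(&[192, 0, 2, 10, 198, 51, 100, 7]); // src, dst
    f.extend_from_slice(&[0xc0, 0x01, 0x01, 0xbb]); // ports 49153 -> 443
    f.extend_from_slice(&[0xaa; 36]); // stands in for encrypted payload
    f
}

fn main() { println!("{:?}", flow_key(&sample_frame())); }
```

Cutting the frame off right after the port bytes gives the same result, which is why captures taken with a short snapshot length remain usable for this kind of analysis.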
Besides supporting PCAP files, Sniffnet 1.4 introduces several other features, including:
- support for ARP protocol
- a donut chart reporting overall traffic statistics
- identification and tagging of unassigned/reserved “bogon” IP addresses
- new default themes based on palettes optimized for accessibility
- enhanced notifications including more details about each event

These are just some of the most relevant changes introduced in this release.
For more details, you can check the release page on GitHub.