Read and analyze PCAP network capture files directly in DuckDB using a native C++ implementation based on libpcap.
Maintainer(s):
siara-in
Installing and Loading
```sql
INSTALL pcap_duckdb FROM community;
LOAD pcap_duckdb;
```
Example
```sql
INSTALL pcap_duckdb FROM community;
LOAD pcap_duckdb;

SELECT *
FROM read_pcap('capture.pcap')
LIMIT 10;
```
About pcap_duckdb
The pcap_duckdb extension enables direct querying of PCAP packet capture files from DuckDB using SQL. Unlike several existing PCAP processing approaches that rely on Rust runtimes or external shell commands such as tcpdump/tshark, this extension is implemented entirely in modern C++ using libpcap via vcpkg. This provides:
- Native DuckDB integration
- No external shell command execution
- No Rust dependency chain
- Cross-platform builds through the DuckDB extension toolchain
- Efficient packet-level analytics directly in SQL
Added Functions
| function_name | function_type | description | comment | examples |
|---|---|---|---|---|
| read_pcap_packets | table | NULL | NULL | |
Overloaded Functions
This extension does not add any function overloads.
Added Types
This extension does not add any types.
Added Settings
This extension does not add any settings.