PcapConstrictorAFPacket is the practical Linux userspace live recorder in the PcapConstrictor project family. It captures packets from live Linux interfaces with AF_PACKET and applies PcapConstrictor-style TLS/QUIC-aware adaptive PCAP capture in userspace.
Compared with the main offline tool, it has a smaller policy surface today, but it is intended to be the practical Linux live-capture path without eBPF verifier constraints.
| Project | Role | Use when |
|---|---|---|
| PcapConstrictor | Main offline PCAP/PCAPNG constriction tool | You already have capture files and want the richest policy support, including TLS final_only/stream/bulk, QUIC, PCAPNG, reinflate/restore, checksum policies, stats, and decision logs. |
| PcapConstrictorAFPacket | Linux AF_PACKET live recorder | You want practical Linux live capture with userspace PcapConstrictor-style policy. Supports TLS final_only and QUIC CID-aware short-header constriction, but not TLS stream/bulk. |
| PcapConstrictorWinPacket | Windows Npcap/libpcap live recorder | You want practical Windows live capture with Npcap and a policy scope similar to AFPacket. Supports TLS final_only and QUIC known-DCID constriction, but not TLS stream/bulk. |
| PcapConstrictorBPF | Experimental Linux TC eBPF recorder | You want a research eBPF project demonstrating TC hooks, BPF maps, verifier-friendly parsing, and a much smaller live-capture policy subset. |
The project is experimental but functional.
- Live capture has been smoke-tested on loopback and a real interface.
- Both
recvmsgandtpacket_v3/PACKET_MMAPbackends are available. - Optional promiscuous mode, bounded capture, clean shutdown, and final stats are implemented.
- TLS
final_onlycontinuation behavior is aligned with the current upstream PcapConstrictor runtime behavior. - TLS
streamandbulkpolicies are recognized in config but are not supported yet. - QUIC matched short-header constriction is intended to stay close to PcapConstrictor behavior for learned-CID flows.
- For practical Linux live capture, this project is the main userspace recorder; the BPF project is narrower and more experimental.
- Linux AF_PACKET live capture
recvmsgbackendTPACKET_V3/PACKET_MMAPbackend- Optional promiscuous mode
- Classic PCAP output (
DLT_EN10MB, microsecond timestamps) - INI-style config file
- Bounded live capture with
max_packetsandduration_sec - Final stats on normal stop, bounded stop, or signal stop
- Offline classic-PCAP feed mode
- Golden offline compatibility tests using inherited PcapConstrictor fixtures
- Ethernet/VLAN/IPv4/IPv6/TCP/UDP decode
- TLS Application Data constriction with upstream-compatible
final_onlycontinuation handling - QUIC Long Header CID learning and matched Short Header constriction
This repository writes classic PCAP, supports offline compatibility mode for deterministic regression testing, and intentionally does not claim the full offline policy scope of PcapConstrictor.
Live capture:
sudo ./PcapConstrictorAFPacket --config config.iniOffline feed mode:
./PcapConstrictorAFPacket --config config.ini --offline-input input.pcapThe offline path is deterministic:
input.pcap -> PcapReader -> LiveCapturePolicy -> PcapWriter -> output.pcap
[general]
min_saved_bytes_per_packet = 16
[capture]
backend = recvmsg
# backend = tpacket_v3
interface = eth0
output = output.pcap
promiscuous = false
default_snaplen = 65535
max_capture_len = 65535
max_packets = 0
duration_sec = 0
ring_block_size = 1048576
ring_block_count = 64
ring_frame_size = 2048
block_timeout_ms = 64
[tls]
enabled = true
ports = 443, 8443
app_data_keep_record_bytes = 256
app_data_continuation_keep_bytes = 64
app_data_continuation_policy = final_only
[quic]
enabled = true
ports = 443
short_header_keep_packet_bytes = 128
require_dcid_match = false
allow_short_header_without_known_dcid = true
[stats]
enabled = truerecvmsgis the simpler backend and the default.tpacket_v3uses a LinuxPACKET_MMAPRX ring and is intended for lower-overhead capture.tpacket_v3is still experimental.- Ring settings should usually be left at their defaults unless you are tuning for a specific environment.
Using sudo is the simplest way to run live capture:
sudo ./PcapConstrictorAFPacket --config config.iniCAP_NET_RAW can also be granted to the binary:
sudo setcap cap_net_raw+ep ./PcapConstrictorAFPacketBoth live backends use the same AF_PACKET permissions. Promiscuous mode does not require a different execution model, but it may not be meaningful on loopback or some virtual interfaces.
TLS:
tls.app_data_continuation_policy = final_onlyis supported.streamandbulkare recognized but intentionally unsupported for now.- Malformed or ambiguous TLS falls back conservatively to normal
default_snaplen/max_capture_lenbehavior. - No TLS decryption is performed.
QUIC:
- Current handling is invariant-header/CID based.
- The policy learns source CIDs from Long Header packets and constricts only matched Short Header packets.
- For matched short-header packets, the goal is to stay close to PcapConstrictor behavior while remaining practical for live userspace capture.
- Unknown, malformed, unmapped, or mismatched packets fall back conservatively.
- No QUIC decryption or connection migration support is implemented.
The final stats block may include:
packets_total: packets accepted into the policy pipeline.packets_written: packets emitted to the output PCAP.bytes_input: total original input bytes observed by the pipeline.bytes_output: total saved bytes written to the output PCAP.bytes_saved:bytes_input - bytes_output.receive_errors: internal receive/setup or malformed-capture-structure errors.kernel_packets: kernel-side packet count fromPACKET_STATISTICSwhen available.kernel_drops: kernel-side drop count fromPACKET_STATISTICSwhen available.tls_appdata_constricted: TLS packets shortened by policy.tls_fallback: TLS candidates that fell back conservatively.quic_long_header: QUIC Long Header packets observed.quic_short_matched: QUIC Short Header packets matched against learned CID state.quic_short_constricted: QUIC Short Header packets actually shortened.quic_fallback: QUIC candidates that fell back conservatively.
- Linux only
- Classic PCAP output only
- No pcapng output
- No full TCP stream reassembly
- TLS supports conservative
final_onlycontinuation behavior only - TLS
streamandbulkpolicies are not supported yet - No TLS decryption
- QUIC handling is invariant-header/CID based, without decryption
- No QUIC connection migration support
TPACKET_V3backend is experimental- Not a replacement for
tcpdumpor Wireshark - Malformed or ambiguous packets fall back conservatively
- Fewer policy modes than the main
PcapConstrictoroffline tool
- Unit tests cover config parsing, PCAP I/O, decode, TLS, QUIC, and helper logic.
- Offline feed tests validate the deterministic offline pipeline.
- Golden PCAP compatibility tests compare constrained output byte-for-byte against inherited PcapConstrictor fixtures.
- Manual Linux smoke testing has been done on loopback and a real interface, with both
recvmsgandtpacket_v3, plus basic promiscuous-mode and live TLS checks.
Apache License 2.0. See LICENSE.
Copyright 2026 Alexey Vasilev.