
Show HN: Pcapsql – SQL interface for PCAP analysis

https://github.com/mtottenh/pcapsql
1•__padding•1h ago
I was chatting with a colleague a while ago, and they wanted to run some SQL queries against a PCAP – aggregate by source IP, that sort of thing. They went looking and found PacketQ (DNS/ICMP only), Apache Drill's PCAP support (outer headers only), and DuckDB's PCAP reader community extension (same deal, limited to outer headers). You can always write a one-off script with scapy or gopacket, but it gets old fast.

We deal a lot with tunneled traffic, and none of those tools really seemed very feature-rich on that front; e.g. for VXLAN every tool just showed UDP/4789, not the encapsulated packets.

So as a weekend project that got a bit out of hand, I built what they were asking for. Protocol layers become tables, you query with SQL, it parses through tunnels:

      -- Traffic inside VXLAN tunnels
      SELECT ip4_to_string(src_ip) as src, ip4_to_string(dst_ip) as dst, COUNT(*)
      FROM ipv4
      WHERE tunnel_type = 'vxlan'
      GROUP BY 1, 2;

      -- Top talkers
      SELECT ip4_to_string(src_ip) as src, SUM(total_length) as bytes
      FROM ipv4
      GROUP BY 1
      ORDER BY bytes DESC
      LIMIT 10;

Also handles TLS decryption (SSLKEYLOGFILE), HTTP/2 frame parsing, GRE/MPLS/GTP, export to Parquet, and querying directly from S3.

Built with Rust on Apache Arrow and DataFusion.

https://github.com/mtottenh/pcapsql
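What "parses through tunnels" amounts to for the VXLAN case, as an added example that is not pcapsql's code: it peels a UDP/4789 VXLAN encapsulation down to the inner IPv4 header and emits one row per layer with a tunnel_type column, the shape the first query above assumes. The packet bytes are constructed inline; the row fields `depth` and `vni` and the helper names are this example's own.

```python
import socket
import struct

VXLAN_PORT = 4789  # IANA UDP port for VXLAN, where the post says other tools stop parsing

def parse_ipv4(buf):
    """Minimal IPv4 header parse: returns (row, payload), honouring IHL and total_length."""
    ihl, total_len, proto = (buf[0] & 0x0F) * 4, struct.unpack_from("!H", buf, 2)[0], buf[9]
    row = {"src_ip": socket.inet_ntoa(buf[12:16]), "dst_ip": socket.inet_ntoa(buf[16:20]),
           "protocol": proto, "total_length": total_len}
    return row, buf[ihl:total_len]

def decode_layers(ipv4_bytes):
    """One row per IPv4 layer, outermost first, descending through VXLAN (UDP/4789) tunnels.
    Inner rows carry tunnel_type='vxlan' and the VNI; 'depth' and 'vni' are this example's names."""
    rows, depth, tunnel, vni, buf = [], 0, None, None, ipv4_bytes
    while True:
        row, payload = parse_ipv4(buf)
        row.update(depth=depth, tunnel_type=tunnel, vni=vni)
        rows.append(row)
        # Candidate only if UDP to 4789 with room for UDP(8)+VXLAN(8)+Ethernet(14)+IPv4(20).
        if row["protocol"] != 17 or len(payload) < 50:
            return rows
        if struct.unpack_from("!H", payload, 2)[0] != VXLAN_PORT:
            return rows
        vx = payload[8:16]
        if not vx[0] & 0x08:  # VXLAN 'I' flag clear: VNI not valid, do not descend
            return rows
        if struct.unpack_from("!H", payload, 28)[0] != 0x0800:  # inner EtherType must be IPv4
            return rows
        tunnel, vni, depth, buf = "vxlan", int.from_bytes(vx[4:7], "big"), depth + 1, payload[30:]

def ipv4_header(src, dst, proto, payload_len):
    """Constructed 20-byte IPv4 header (checksum left zero; the parser does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_vxlan_sample(vni=4242):
    """Constructed test packet: 192.168.1.10 -> 192.168.1.20 UDP/4789 carrying 10.0.0.1 -> 10.0.0.2 TCP."""
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 6, 20) + bytes(20)  # 20 zero bytes stand in for TCP
    eth = bytes(12) + b"\x08\x00" + inner                            # zero MACs, EtherType IPv4
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"   # I flag set, VNI, reserved
    udp_payload = vxlan + eth
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(udp_payload), 0) + udp_payload
    return ipv4_header("192.168.1.10", "192.168.1.20", 17, len(udp)) + udp

if __name__ == "__main__":
    for layer in decode_layers(build_vxlan_sample()):
        print(layer)
```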

Comments

__padding•1h ago
Some fun stuff you can do - RTT analysis, just using SQL :-) :

  -- RTT Analysis using TCP timestamp echo
  -- Measures actual network RTT by tracking when our ts_val gets echoed back
  -- For client-side captures: dst_port in (80,443) = outbound, src_port in (80,443) = inbound

  WITH outbound AS (
      -- Packets TO server (dst_port is well-known)
      SELECT
          t.frame_number,
          f.timestamp as send_ts,
          t.dst_port as server_port,
          t.ts_val,
          i.src_ip as local_ip,
          t.src_port as local_port,
          i.dst_ip as remote_ip
      FROM tcp t
      JOIN ipv4 i ON t.frame_number = i.frame_number
      JOIN frames f ON t.frame_number = f.frame_number
      WHERE t.ts_val IS NOT NULL
        AND t.dst_port IN (80, 443, 8080, 8443)
  ),
  inbound AS (
      -- Packets FROM server (src_port is well-known)
      SELECT
          t.frame_number,
          f.timestamp as recv_ts,
          t.src_port as server_port,
          t.ts_ecr,
          i.dst_ip as local_ip,
          t.dst_port as local_port,
          i.src_ip as remote_ip
      FROM tcp t
      JOIN ipv4 i ON t.frame_number = i.frame_number
      JOIN frames f ON t.frame_number = f.frame_number
      WHERE t.ts_ecr IS NOT NULL
        AND t.ts_ecr > 0
        AND t.src_port IN (80, 443, 8080, 8443)
  ),
  -- Match: find when our ts_val was echoed back by the server
  rtt_samples AS (
      SELECT
          o.frame_number as send_frame,
          MIN(i.frame_number) as recv_frame,
          o.server_port,
          o.send_ts,
          MIN(i.recv_ts) as recv_ts
      FROM outbound o
      JOIN inbound i
          ON o.local_ip = i.local_ip
          AND o.local_port = i.local_port
          AND o.remote_ip = i.remote_ip
          AND o.server_port = i.server_port
          AND i.ts_ecr = o.ts_val
          AND i.frame_number > o.frame_number
      GROUP BY o.frame_number, o.server_port, o.send_ts
  ),
  rtt_values AS (
      SELECT
          server_port,
          EXTRACT(EPOCH FROM (recv_ts - send_ts)) * 1000.0 as rtt_ms
      FROM rtt_samples
      WHERE recv_ts > send_ts
  )
  SELECT
      server_port,
      hdr_count(hdr_histogram(rtt_ms)) as samples,
      ROUND(hdr_min(hdr_histogram(rtt_ms)), 2) as min_ms,
      ROUND(hdr_percentile(hdr_histogram(rtt_ms), 0.50), 2) as p50_ms,
      ROUND(hdr_percentile(hdr_histogram(rtt_ms), 0.75), 2) as p75_ms,
      ROUND(hdr_percentile(hdr_histogram(rtt_ms), 0.95), 2) as p95_ms,
      ROUND(hdr_percentile(hdr_histogram(rtt_ms), 0.99), 2) as p99_ms,
      ROUND(hdr_max(hdr_histogram(rtt_ms)), 2) as max_ms,
      ROUND(hdr_mean(hdr_histogram(rtt_ms)), 2) as mean_ms
  FROM rtt_values
  WHERE rtt_ms > 0 AND rtt_ms < 30000
  GROUP BY server_port
  ORDER BY samples DESC;

Results from my local machine to a speedtest server:

  +-------------+---------+--------+--------+--------+--------+--------+--------+---------+
  | server_port | samples | min_ms | p50_ms | p75_ms | p95_ms | p99_ms | max_ms | mean_ms |
  +=======================================================================================+
  | 443         | 315     | 1.0    | 75.0   | 263.0  | 349.0  | 3007.0 | 3007.0 | 177.27  |
  |-------------+---------+--------+--------+--------+--------+--------+--------+---------|
  | 80          | 6       | 70.0   | 71.0   | 72.0   | 72.0   | 72.0   | 72.0   | 71.17   |
  +-------------+---------+--------+--------+--------+--------+--------+--------+---------+
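The matching step the query above relies on, run as an added example (not the commenter's code and not pcapsql's) against a constructed nine-frame capture loaded into in-memory SQLite: the table and column names follow the query, timestamps are plain seconds so `(recv_ts - send_ts) * 1000` replaces `EXTRACT(EPOCH ...)`, and a plain percentile over sorted samples stands in for `hdr_percentile`. The sample deliberately includes a ts_val echoed twice and a ts_val reused by a second flow, to show why the query takes the earliest echo and joins on the full 4-tuple.

```python
import sqlite3

# Constructed capture (not real data): one client at 10.0.0.5 talking to two servers. Row layout:
# (frame_number, timestamp_s, src_ip, dst_ip, src_port, dst_port, ts_val, ts_ecr)
FRAMES = [
    (1, 0.000, "10.0.0.5", "198.51.100.7", 51000, 443, 100, 0),    # SYN, nothing to echo yet
    (2, 0.050, "198.51.100.7", "10.0.0.5", 443, 51000, 500, 100),  # echoes 100 -> 50 ms
    (3, 0.100, "10.0.0.5", "198.51.100.7", 51000, 443, 110, 500),
    (4, 0.140, "198.51.100.7", "10.0.0.5", 443, 51000, 510, 110),  # echoes 110 -> 40 ms
    (5, 0.200, "10.0.0.5", "198.51.100.7", 51000, 443, 120, 510),
    (6, 0.260, "198.51.100.7", "10.0.0.5", 443, 51000, 520, 120),  # first echo of 120 -> 60 ms
    (7, 0.300, "198.51.100.7", "10.0.0.5", 443, 51000, 525, 120),  # later echo of 120, ignored
    (8, 0.500, "10.0.0.5", "203.0.113.9", 51001, 80, 100, 0),      # ts_val 100 reused on port 80
    (9, 0.570, "203.0.113.9", "10.0.0.5", 80, 51001, 900, 100),    # must pair with 8, not with 1
]
RTT_SQL = """WITH outbound AS (
  SELECT t.frame_number, f.timestamp AS send_ts, t.dst_port AS server_port, t.ts_val,
         i.src_ip AS local_ip, t.src_port AS local_port, i.dst_ip AS remote_ip
  FROM tcp t JOIN ipv4 i ON i.frame_number = t.frame_number JOIN frames f ON f.frame_number = t.frame_number
  WHERE t.ts_val IS NOT NULL AND t.dst_port IN (80, 443, 8080, 8443)
), inbound AS (
  SELECT t.frame_number, f.timestamp AS recv_ts, t.src_port AS server_port, t.ts_ecr,
         i.dst_ip AS local_ip, t.dst_port AS local_port, i.src_ip AS remote_ip
  FROM tcp t JOIN ipv4 i ON i.frame_number = t.frame_number JOIN frames f ON f.frame_number = t.frame_number
  WHERE t.ts_ecr > 0 AND t.src_port IN (80, 443, 8080, 8443)
), rtt_samples AS (  -- same 4-tuple, server echoed our ts_val, earliest later echo wins
  SELECT o.server_port, o.send_ts, MIN(i.recv_ts) AS recv_ts
  FROM outbound o JOIN inbound i ON o.local_ip = i.local_ip AND o.local_port = i.local_port
   AND o.remote_ip = i.remote_ip AND o.server_port = i.server_port
   AND i.ts_ecr = o.ts_val AND i.frame_number > o.frame_number
  GROUP BY o.frame_number, o.server_port, o.send_ts
)
SELECT server_port, ROUND((recv_ts - send_ts) * 1000.0, 3) AS rtt_ms FROM rtt_samples WHERE recv_ts > send_ts"""

def rtt_summary(rows=FRAMES):
    """Load rows into frames/ipv4/tcp tables, run RTT_SQL, return per-port RTT stats in ms."""
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE frames(frame_number, timestamp); CREATE TABLE ipv4(frame_number, src_ip, dst_ip);"
                     " CREATE TABLE tcp(frame_number, src_port, dst_port, ts_val, ts_ecr);")
    db.executemany("INSERT INTO frames VALUES (?,?)", [r[:2] for r in rows])
    db.executemany("INSERT INTO ipv4 VALUES (?,?,?)", [(r[0], r[2], r[3]) for r in rows])
    db.executemany("INSERT INTO tcp VALUES (?,?,?,?,?)", [(r[0],) + r[4:] for r in rows])
    by_port = {}
    for port, rtt in db.execute(RTT_SQL):
        if 0 < rtt < 30000:  # same sanity bounds as the posted query
            by_port.setdefault(port, []).append(rtt)
    pct = lambda v, p: v[min(len(v) - 1, int(p * len(v)))]  # plain percentile, stands in for hdr_percentile
    return {port: {"samples": len(v), "p50_ms": pct(v, 0.5), "p95_ms": pct(v, 0.95), "max_ms": v[-1]}
            for port, v in ((p, sorted(v)) for p, v in by_port.items())}
```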
