pcapflower 1.0.0

High-performance PCAP-to-CSV network flow extractor for edge devices

pcapflower

High-performance PCAP-to-CSV network flow extractor for edge devices.

Converts .pcap / .pcapng captures into bidirectional flow features compatible with the CICFlowMeter feature set — using a fraction of the memory and CPU.

Why pcapflower?

	CICFlowMeter	pcapflower
Packet parser	Scapy	dpkt (~10–25× faster on ARM)
Memory per flow	O(n packets)	O(1) — Welford's online algorithm
Output buffering	1 syscall/row	Batched (1 syscall/500 rows)
pcapng support	✗	✓

Installation

pip install pcapflower

Quick start

from pcapflower import convert_pcap_to_csv

n = convert_pcap_to_csv("capture.pcap", "flows.csv")
print(f"Extracted {n} flows")

API

convert_pcap_to_csv(input_path, output_path, **kwargs) → int

Parameter	Default	Description
input_path	—	Path to .pcap or .pcapng file
output_path	—	Path for the output .csv (created or overwritten)
flow_timeout	120.0	Seconds of inactivity before a flow is evicted
gc_interval	1000	Run idle-flow GC every N packets
buffer_rows	500	Rows buffered in memory before flushing to disk

Returns the number of flow rows written.

Output features

Each row contains 82 features covering:

• Flow identity: source/destination IP, port, protocol, timestamp
• Duration, bytes/s, and packets/s (forward, backward, combined)
• Packet length statistics (mean, std, min, max, variance)
• Inter-arrival time statistics (flow, forward, backward)
• TCP flag counts (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR)
• Active/idle period statistics
• Bulk transfer metrics (forward and backward)
• Subflow metrics
• Initial TCP window sizes

Supported input formats

• pcap — standard libpcap format
• pcapng — next-generation capture format

Only IPv4 TCP and UDP flows are extracted; other protocols are silently skipped.

License

MIT — see LICENSE.