Comment by touisteur

5 hours ago

There's a layer above that, when CLI and bash and sed and tshark are becoming too hairy or slow, and it's 'just' parsing the pcap frames in your language of productivity. Over the years I've built layer over layer of optimized Java code to parse and analyze pcap/pcapng files with either visitor patterns or active iterations (and multi-pass analyses through indexation, or just interfacing with duckdb for months-long-capture analysis to surface low signal-to-noise-ratio events). It builds a good understanding of all the layers and brings the power of a full-featured workbench (language, IDE, libraries, visualization options...).

I built it in Java, and rebuilt it in Ada and Rust. I find it's a good exercise to learn about a programming language... bonus point: once I have a parser, plugging it live behind libpcap, DPDK, XDP, or just raw sockets is easy.
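The kind of hand-rolled frame parser the comment describes, as an added example that is not the commenter's code and not from any project: a minimal classic-pcap reader in safe Rust with no external crates. It handles the four libpcap magic values, recognises the pcapng section-header magic as a different format, and bounds-checks every record header before copying bytes, which is the check that matters once the same parser is fed by a raw socket rather than a file on disk. All names (`parse_pcap`, `Capture`, `build_pcap`, `sample_frame`) are this example's own, and the capture it parses is constructed inline, not taken from a real trace.

```rust
// Added example: classic pcap (libpcap) reader, no crates. Not from the original comment.

#[derive(Debug, Clone, PartialEq)]
pub struct Packet {
    pub ts_sec: u32,
    pub ts_frac: u32,  // microseconds, or nanoseconds when Capture::nanos is set
    pub orig_len: u32, // wire length; may exceed data.len() when snaplen truncated it
    pub data: Vec<u8>,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Capture {
    pub linktype: u32,
    pub snaplen: u32,
    pub nanos: bool,
    pub packets: Vec<Packet>,
}

#[derive(Debug, PartialEq)]
pub enum PcapError {
    Truncated,              // header or record runs past the end of the input
    BadMagic(u32),
    IsPcapng,               // section header block magic 0x0a0d0d0a: different format
    CapLenOverSnapLen(u32), // incl_len larger than the declared snaplen
}

struct Cursor<'a> { buf: &'a [u8], pos: usize, swap: bool }

impl<'a> Cursor<'a> {
    // Every read goes through here, so a hostile length can never index past the buffer.
    fn take(&mut self, n: usize) -> Result<&'a [u8], PcapError> {
        let end = self.pos.checked_add(n).ok_or(PcapError::Truncated)?;
        if end > self.buf.len() { return Err(PcapError::Truncated); }
        let s = &self.buf[self.pos..end];
        self.pos = end;
        Ok(s)
    }
    fn u32(&mut self) -> Result<u32, PcapError> {
        let b = self.take(4)?;
        let v = u32::from_le_bytes([b[0], b[1], b[2], b[3]]);
        Ok(if self.swap { v.swap_bytes() } else { v })
    }
    fn u16(&mut self) -> Result<u16, PcapError> {
        let b = self.take(2)?;
        let v = u16::from_le_bytes([b[0], b[1]]);
        Ok(if self.swap { v.swap_bytes() } else { v })
    }
}

/// Parse a whole classic pcap file held in memory.
pub fn parse_pcap(buf: &[u8]) -> Result<Capture, PcapError> {
    let mut c = Cursor { buf, pos: 0, swap: false };
    let magic = c.u32()?; // read as little-endian first, then decide the byte order
    let (swap, nanos) = match magic {
        0xa1b2c3d4 => (false, false),
        0xa1b23c4d => (false, true),
        0xd4c3b2a1 => (true, false),
        0x4d3cb2a1 => (true, true),
        0x0a0d0d0a => return Err(PcapError::IsPcapng),
        other => return Err(PcapError::BadMagic(other)),
    };
    c.swap = swap;
    let (_major, _minor) = (c.u16()?, c.u16()?);
    let (_thiszone, _sigfigs) = (c.u32()?, c.u32()?);
    let (snaplen, linktype) = (c.u32()?, c.u32()?);
    let mut packets = Vec::new();
    while c.pos < c.buf.len() {
        let (ts_sec, ts_frac) = (c.u32()?, c.u32()?);
        let (incl_len, orig_len) = (c.u32()?, c.u32()?);
        // A record claiming more than snaplen is corrupt or hostile: reject before honouring it.
        if incl_len > snaplen { return Err(PcapError::CapLenOverSnapLen(incl_len)); }
        let data = c.take(incl_len as usize)?.to_vec();
        packets.push(Packet { ts_sec, ts_frac, orig_len, data });
    }
    Ok(Capture { linktype, snaplen, nanos, packets })
}

/// Ethernet II + IPv4 only: (src, dst, protocol), or None for anything else or too short.
pub fn ipv4_endpoints(frame: &[u8]) -> Option<([u8; 4], [u8; 4], u8)> {
    if frame.len() < 14 || frame[12..14] != [0x08, 0x00] { return None; }
    let ip = &frame[14..];
    if ip.len() < 20 || ip[0] >> 4 != 4 { return None; }
    let ihl = usize::from(ip[0] & 0x0f) * 4;
    if ihl < 20 || ip.len() < ihl { return None; }
    let (mut src, mut dst) = ([0u8; 4], [0u8; 4]);
    src.copy_from_slice(&ip[12..16]);
    dst.copy_from_slice(&ip[16..20]);
    Some((src, dst, ip[9]))
}

/// Build a pcap file in memory (constructed test data; LINKTYPE_ETHERNET = 1).
pub fn build_pcap(big_endian: bool, snaplen: u32, records: &[(u32, u32, u32, &[u8])]) -> Vec<u8> {
    let w32 = |v: u32| if big_endian { v.to_be_bytes() } else { v.to_le_bytes() };
    let w16 = |v: u16| if big_endian { v.to_be_bytes() } else { v.to_le_bytes() };
    let mut out = Vec::new();
    out.extend_from_slice(&w32(0xa1b2c3d4));
    out.extend_from_slice(&w16(2)); out.extend_from_slice(&w16(4));
    out.extend_from_slice(&w32(0)); out.extend_from_slice(&w32(0));
    out.extend_from_slice(&w32(snaplen)); out.extend_from_slice(&w32(1));
    for &(sec, frac, orig, data) in records {
        out.extend_from_slice(&w32(sec)); out.extend_from_slice(&w32(frac));
        out.extend_from_slice(&w32(data.len() as u32)); out.extend_from_slice(&w32(orig));
        out.extend_from_slice(data);
    }
    out
}

/// One constructed Ethernet/IPv4/UDP frame, 10.0.0.1 -> 10.0.0.2, 42 bytes (checksums zero).
pub fn sample_frame() -> Vec<u8> {
    let mut f = vec![0x02, 0, 0, 0, 0, 0x02, 0x02, 0, 0, 0, 0, 0x01, 0x08, 0x00];
    f.extend_from_slice(&[0x45, 0, 0, 28, 0, 1, 0, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2]);
    f.extend_from_slice(&[0x12, 0x34, 0, 53, 0, 8, 0, 0]);
    f
}

fn main() {
    let frame = sample_frame();
    let file = build_pcap(false, 65535, &[(1_700_000_000, 123_456, 42, frame.as_slice())]);
    let cap = parse_pcap(&file).expect("valid capture");
    for p in &cap.packets {
        if let Some((s, d, proto)) = ipv4_endpoints(&p.data) {
            println!("{}.{:06} {:?} -> {:?} proto {}", p.ts_sec, p.ts_frac, s, d, proto);
        }
    }
}
```

The same `Cursor` discipline (length checked against the remaining buffer before any slice) is what you keep when the bytes arrive from libpcap or a raw socket instead of a file; the `incl_len > snaplen` check is the one a file-only parser tends to forget and a fuzzer finds first.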