dsct

dsct is a packet dissector CLI for LLMs and large captures.
It is built around two ideas:
- machine-readable output by default
- predictable memory use on big pcap / pcapng files
dsct read streams packet records as JSONL, dsct stats scans captures in a single pass, and the optional TUI opens large files with memory mapping and on-demand dissection instead of decoding the whole capture up front.
Why dsct
LLM-friendly by default
- dsct read emits JSONL packet records
- dsct stats, dsct list, dsct fields, dsct version, and dsct schema emit JSON
- errors, warnings, and progress updates are structured JSON on stderr
- capabilities and schemas can be discovered from the CLI itself
Works well on large captures
- read and stats process captures one packet at a time
- stdin is supported, so tcpdump -w - | dsct ... works naturally
- no human-oriented table parsing is required before automation can start
MCP server built in
dsct mcp starts a Model Context Protocol server over stdio. AI agents can call tools like dsct_read_packets and dsct_get_stats directly, without shelling out to the CLI.
Low-memory TUI for large files
The optional TUI is designed for large captures too:
- capture files are opened with memory-mapped I/O
- indexing starts from packet headers instead of fully decoding every packet
- packet list rows are dissected on demand for visible rows
- the selected packet is decoded in detail only when needed
- the hex view reads directly from the mapped file
Installation
CLI only:
cargo install dsct
With the optional TUI:
cargo install dsct --features tui
brew install higebu/tap/dsct
AI coding agent plugins
Install as a plugin via the marketplace to get the MCP server and the
analyze-packets skill automatically:
Claude Code
claude plugin marketplace add higebu/dsct
claude plugin install dsct@dsct
GitHub Copilot CLI
copilot plugin marketplace add higebu/dsct
copilot plugin install dsct@dsct
OpenAI Codex CLI
Add the MCP server, then install the analyze-packets skill inside Codex:
codex mcp add dsct -- dsct mcp
$skill-installer higebu/dsct skills/analyze-packets
Gemini CLI
gemini extensions install https://github.com/higebu/dsct
Quick start
Get a capture overview:
dsct stats capture.pcap
Read packets as JSONL:
dsct read capture.pcap
By default, dsct read outputs at most 1 000 packets. Use --count to
change the limit or --no-limit to remove it:
dsct read capture.pcap --count 50
dsct read capture.pcap --no-limit
Filter packets:
dsct read capture.pcap -f dns --count 10
dsct read capture.pcap -f "dns AND dns.qr = 'Query'"
Filter expressions use SQL syntax with AND, OR, NOT, parentheses, and
comparison operators (=, !=, >, <, >=, <=):
dsct read capture.pcap -f "dns OR (tcp AND ipv4.src = '10.0.0.1')"
dsct read capture.pcap -f "tcp.dst_port > 1024 AND NOT dns"
Sample evenly across the capture:
dsct read capture.pcap --sample-rate 100
dsct read capture.pcap -f dns --sample-rate 10 --count 50
Read from a pipe:
tcpdump -w - -c 1000 | dsct read -
tcpdump -w - -i eth0 udp port 53 | dsct read - -f dns
Include the original packet bytes (link-layer included) as a hex string under
raw_bytes for downstream parsing or reconstruction:
dsct read capture.pcap --raw-bytes --count 1
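The following Python example is added here and is not taken from the dsct project; it shows downstream parsing of raw_bytes with the bounds checks that untrusted capture data needs. It assumes an Ethernet link type and that each record is a JSON object; the sample frame and the helper names flow_from_raw and flows are constructed for illustration.

```python
import json
import struct

# Constructed sample record; only the raw_bytes key comes from the page.
# Assumptions: Ethernet link type; flow_from_raw/flows are illustrative names.
SAMPLE_FRAME = (
    "020000000002" "020000000001" "0800"                 # Ethernet: dst, src, IPv4
    "4500001c000100004011" "0000" "0a000001" "0a000002"  # IPv4: UDP, 10.0.0.1 -> 10.0.0.2
    "d431" "0035" "0008" "0000"                          # UDP: 54321 -> 53, length 8
)
SAMPLE_JSONL = json.dumps({"raw_bytes": SAMPLE_FRAME}) + "\n"

def flow_from_raw(hex_str):
    """Return (src, dst, proto, sport, dport) for an Ethernet/IPv4 frame, else None."""
    try:
        frame = bytes.fromhex(hex_str)
    except (ValueError, TypeError):
        return None                      # not a hex string
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None                      # too short, or not IPv4 over Ethernet
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # length field is attacker-controlled: validate
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    frag = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF   # fragment offset
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17) and frag == 0 and len(ip) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", ip, ihl)  # TCP/UDP start with ports
    return (src, dst, proto, sport, dport)

def flows(jsonl_text):
    """Parse JSONL, skipping lines that are not JSON objects carrying raw_bytes."""
    out = []
    for line in jsonl_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "raw_bytes" in rec:
            flow = flow_from_raw(rec["raw_bytes"])
            if flow is not None:
                out.append(flow)
    return out

if __name__ == "__main__":
    print(flows(SAMPLE_JSONL))
```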
Speed up filter evaluation on large files with --threads:
dsct read capture.pcap -f "udp" --no-limit --threads 4
DSCT_THREADS=4 dsct read capture.pcap -f "tcp.dst_port > 1024" --no-limit
--threads distributes dissection and filter evaluation across N worker
threads when the filter is stateless (L2–L4 protocols: tcp, udp, ipv4,
etc.). Filters that require TCP reassembly such as http, dns, tls, and
tcp.stream_id automatically fall back to sequential processing regardless of
--threads. Stdin input always uses the sequential path.
Inspect available fields and schemas:
dsct fields dns
dsct schema read
Open the TUI for a large file (when built with --features tui):
dsct tui capture.pcap
In the TUI, press ? to open the built-in help overlay and q to quit.
Typical workflow