DIY-pcap 0.2.5 → 0.2.6

data/lib/diy/parser/mu/pcap/ipv6.rb

@@ -0,0 +1,148 @@
+# http://www.mudynamics.com
+# http://labs.mudynamics.com
+# http://www.pcapr.net
+
+require 'ipaddr'
+
+module Mu
+class Pcap
+
+class IPv6 < IP
+    FORMAT = 'NnCCa16a16'
+
+    attr_accessor :next_header, :hop_limit
+
+    def initialize
+        super
+        @next_header = 0
+        @hop_limit   = 64
+    end
+
+    def v6?
+        return true
+    end
+
+    alias :proto :next_header
+    alias :ttl   :hop_limit
+
+    def flow_id
+        if not @payload or @payload.is_a? String
+            return [:ipv6, @next_header, @src, @dst]
+        else
+            return [:ipv6, @src, @dst, @payload.flow_id]
+        end
+    end
+
+    def self.from_bytes bytes
+        Pcap.assert bytes.length >= 40, 'Truncated IPv6 header: ' +
+            "expected at least 40 bytes, got #{bytes.length} bytes"
+
+        vcl, length, next_header, hop_limit, src, dst = 
+            bytes[0, 40].unpack FORMAT
+        version = vcl >> 28 & 0x0f
+        traffic_class = vcl >> 20 & 0xff
+        flow_label = vcl & 0xfffff
+
+        Pcap.assert version == 6, "Wrong IPv6 version: got (#{version})"
+        Pcap.assert bytes.length >= (40 + length), 'Truncated IPv6 header: ' +
+            "expected #{length + 40} bytes, got #{bytes.length} bytes"
+
+        ipv6 = IPv6.new
+        ipv6.next_header = next_header
+        ipv6.hop_limit = hop_limit
+        ipv6.src = IPAddr.new_ntoh(src).to_s
+        ipv6.dst = IPAddr.new_ntoh(dst).to_s
+
+        ipv6.payload_raw = bytes[40..-1]
+        ipv6.next_header, ipv6.payload =
+            payload_from_bytes ipv6, ipv6.next_header, bytes[40...40+length]
+
+        return ipv6
+    end
+
+    # Parse bytes and returns next_header and payload.  Skips extension
+    # headers.
+    def self.payload_from_bytes ipv6, next_header, bytes
+        begin
+            case next_header
+            when IPPROTO_TCP
+                payload = TCP.from_bytes bytes
+            when IPPROTO_UDP
+                payload = UDP.from_bytes bytes
+            when IPPROTO_SCTP
+                payload = SCTP.from_bytes bytes
+            when IPPROTO_HOPOPTS
+                next_header, payload = eight_byte_header_from_bytes(ipv6,
+                    bytes, 'hop-by-hop options')
+            when IPPROTO_ROUTING
+                next_header, payload = eight_byte_header_from_bytes(ipv6,
+                    bytes, 'routing')
+            when IPPROTO_DSTOPTS
+                next_header, payload = eight_byte_header_from_bytes(ipv6,
+                    bytes, 'destination options')
+            when IPPROTO_FRAGMENT
+                Pcap.assert bytes.length >= 8,
+                    "Truncated IPv6 fragment header"
+                Pcap.assert false, 'IPv6 fragments are not supported'
+            when IPPROTO_AH
+                next_header, payload = ah_header_from_bytes(ipv6,
+                    bytes, 'authentication header')
+            when IPPROTO_NONE
+                payload = ''
+            else
+                payload = bytes
+            end
+        rescue ParseError => e
+            Pcap.warning e
+            payload = bytes
+        end
+        return [next_header, payload]
+    end
+
+    # Parse extension header that's a multiple of 8 bytes
+    def self.eight_byte_header_from_bytes ipv6, bytes, name
+        Pcap.assert bytes.length >= 8, "Truncated IPv6 #{name} header"
+        length = (bytes[1].ord + 1) * 8
+        Pcap.assert bytes.length >= length, "Truncated IPv6 #{name} header"
+        return payload_from_bytes(ipv6, bytes[0].ord, bytes[length..-1])
+    end
+
+    # Parse authentication header (whose length field is interpeted differently)
+    def self.ah_header_from_bytes ipv6, bytes, name
+        Pcap.assert bytes.length >= 8, "Truncated IPv6 #{name} header"
+        length = (bytes[1].ord + 2) * 4
+        Pcap.assert bytes.length >= length, "Truncated IPv6 #{name} header"
+        return payload_from_bytes(ipv6, bytes[0].ord, bytes[length..-1])
+    end
+
+    def write io
+        if @payload.is_a? String
+            payload = @payload
+        else
+            string_io = StringIO.new
+            @payload.write string_io, self
+            payload = string_io.string
+        end
+        src = IPAddr.new(@src, Socket::AF_INET6).hton
+        dst = IPAddr.new(@dst, Socket::AF_INET6).hton
+        header = [0x60000000, payload.length, @next_header, @hop_limit, 
+                  src, dst].pack FORMAT
+        io.write header
+        io.write payload
+    end
+
+    def pseudo_header payload_length
+        return IPAddr.new(@src, Socket::AF_INET6).hton +
+            IPAddr.new(@dst, Socket::AF_INET6).hton +
+            [payload_length, '', @next_header].pack('Na3C')
+    end
+
+    def == other
+        return super &&
+            self.next_header == other.next_header &&
+            self.hop_limit   == other.hop_limit
+    end
+end
+
+end
+end

data/lib/diy/parser/mu/pcap/packet.rb

@@ -0,0 +1,104 @@
+# http://www.mudynamics.com
+# http://labs.mudynamics.com
+# http://www.pcapr.net
+
+module Mu
+class Pcap
+
+class Packet
+    attr_accessor :payload, :payload_raw
+
+    def initialize
+        @payload = ''
+        @payload_raw = ''
+    end
+
+    # Get payload as bytes.  If the payload is a parsed object, returns
+    # raw payload.  Otherwise return unparsed bytes.
+    def payload_bytes
+        if @payload.is_a? String
+            return @payload
+        end
+        return @payload_raw
+    end
+
+    def deepdup
+        dup = self.dup
+        if @payload.respond_to? :deepdup
+            dup.payload = @payload.deepdup
+        else
+            dup.payload = @payload.dup
+        end
+        return dup
+    end
+
+    def flow_id
+        raise NotImplementedError
+    end
+
+    # Reassemble, reorder, and merge packets.
+    def self.normalize packets
+        begin
+            packets = TCP.reorder packets
+        rescue TCP::ReorderError => e
+            Pcap.warning e
+        end
+
+        begin
+            packets = SCTP.reorder packets
+        rescue SCTP::ReorderError => e
+            Pcap.warning e
+        end
+
+        begin
+            packets = TCP.merge packets
+        rescue TCP::MergeError => e
+            Pcap.warning e
+        end
+        return packets
+    end
+
+    # Remove non-L7/DNS/DHCP traffic if there is L7 traffic.  Returns
+    # original packets if there is no L7 traffic.
+    IGNORE_UDP_PORTS = [
+        53,      # DNS
+        67, 68,  # DHCP
+        546, 547 # DHCPv6
+    ]
+    def self.isolate_l7 packets
+        cleaned_packets = []
+        packets.each do |packet|
+            if TCP.tcp? packet
+                cleaned_packets << packet
+            elsif UDP.udp? packet
+                src_port = packet.payload.payload.src_port
+                dst_port = packet.payload.payload.dst_port
+                if not IGNORE_UDP_PORTS.member? src_port and
+                    not IGNORE_UDP_PORTS.member? dst_port
+                    cleaned_packets << packet
+                end
+            elsif SCTP.sctp? packet
+                cleaned_packets << packet
+            end
+        end
+        if cleaned_packets.empty?
+            return packets
+        end
+        return cleaned_packets
+    end
+
+    def to_bytes
+        io = StringIO.new
+        write io
+        io.close
+        return io.string
+    end
+
+    def == other
+        return self.class == other.class && self.payload == other.payload &&
+            self.payload_raw == other.payload_raw
+    end
+end
+
+end
+end

data/lib/diy/parser/mu/pcap/pkthdr.rb

@@ -0,0 +1,155 @@
+# http://www.mudynamics.com
+# http://labs.mudynamics.com
+# http://www.pcapr.net
+
+module Mu
+class Pcap
+
+class Pkthdr
+    attr_accessor :endian, :ts_sec, :ts_usec, :caplen, :len, :pkt, :pkt_raw
+
+    def initialize endian=BIG_ENDIAN, ts_sec=0, ts_usec=0, caplen=0, len=0, pkt=nil
+        @endian = endian
+        @ts_sec = ts_sec
+        @ts_usec = ts_usec
+        @caplen = caplen
+        @len = len
+        @pkt = pkt
+        @pkt_raw = pkt
+    end
+
+    FMT_NNNN = 'NNNN'
+    FMT_VVVV = 'VVVV'
+    def self.read io, endian=BIG_ENDIAN
+        if endian == BIG_ENDIAN
+            format = FMT_NNNN
+        elsif endian == LITTLE_ENDIAN
+            format = FMT_VVVV
+        end
+        bytes = io.read 16
+        if not bytes 
+            raise EOFError, 'Missing PCAP packet header'
+        end
+        if not bytes.length == 16
+            raise ParseError, "Truncated PCAP packet header: expected 16 bytes, got #{bytes.length} bytes"
+        end
+        ts_sec, ts_usec, caplen, len = bytes.unpack format
+        pkt = io.read(caplen)
+        if not pkt 
+            raise ParseError, 'Missing PCAP packet header packet'
+        end
+        if not pkt.length == caplen
+            raise ParseError, "Truncated PCAP packet header: expected #{pkthdr.caplen} bytes, got #{pkthdr.pkt.length} bytes"
+        end
+        pkthdr = Pkthdr.new endian, ts_sec, ts_usec, caplen, len, pkt
+        return pkthdr
+    end
+
+    def write io
+        if @pkt.is_a? String
+            pkt = @pkt
+        else
+            string_io = StringIO.new
+            @pkt.write string_io
+            pkt = string_io.string
+        end
+        len = pkt.length
+        bytes = [@ts_sec, @ts_usec, len, len].pack FMT_NNNN
+        io.write bytes
+        io.write pkt
+    end
+
+    def decode! endian, linktype
+        @pkt = case linktype
+        when DLT_NULL;      Pkthdr.decode_null endian, @pkt
+        when DLT_EN10MB;    Pkthdr.decode_en10mb @pkt
+        when DLT_RAW;       raise NotImplementedError
+        when DLT_LINUX_SLL; Pkthdr.decode_linux_sll @pkt
+        else raise ParseError, "Unknown PCAP linktype: #{linktype}"
+        end
+    end
+
+    # See http://wiki.wireshark.org/NullLoopback
+    # and epan/aftypes.h in wireshark code.
+    BSD_AF_INET6 = [
+        OPENBSD_AF_INET6 = 24,
+        FREEBSD_AF_INET6 = 28,
+        DARWIN_AF_INET6 = 30
+    ]
+
+    def self.decode_null endian, bytes
+        Pcap.assert bytes.length >= 4, 'Truncated PCAP packet header: ' +
+            "expected at least 4 bytes, got #{bytes.length} bytes"
+        if endian == BIG_ENDIAN
+            format = 'N'
+        elsif endian == LITTLE_ENDIAN
+            format = 'V'
+        end
+        family = bytes[0, 4].unpack(format)[0]
+        bytes = bytes[4..-1]
+        ethernet = Ethernet.new
+        ethernet.src = '00:01:01:00:00:01'
+        ethernet.dst = '00:01:01:00:00:02'
+        ethernet.payload = ethernet.payload_raw = bytes
+        if family != Socket::AF_INET and family != Socket::AF_INET6 and
+                not BSD_AF_INET6.include?(family)
+            raise ParseError, "Unknown PCAP packet header family: #{family}"
+        end
+        begin
+            case family
+            when Socket::AF_INET
+                ethernet.type = Ethernet::ETHERTYPE_IP
+                ethernet.payload = IPv4.from_bytes ethernet.payload
+            when Socket::AF_INET6, FREEBSD_AF_INET6, OPENBSD_AF_INET6, DARWIN_AF_INET6
+                ethernet.type = Ethernet::ETHERTYPE_IP6
+                ethernet.payload = IPv6.from_bytes ethernet.payload
+            else
+                raise NotImplementedError
+            end
+        rescue ParseError => e
+            Pcap.warning e
+        end
+        return ethernet
+    end
+
+    def self.decode_en10mb bytes
+        return Ethernet.from_bytes(bytes)
+    end
+
+    def self.decode_linux_sll bytes
+        Pcap.assert bytes.length >= 16, 'Truncated PCAP packet header: ' +
+            "expected at least 16 bytes, got #{bytes.length} bytes"
+        packet_type, link_type, addr_len = bytes.unpack('nnn')
+        type = bytes[14, 2].unpack('n')[0]
+        bytes = bytes[16..-1]
+        ethernet = Ethernet.new
+        ethernet.type = type
+        ethernet.src = '00:01:01:00:00:01'
+        ethernet.dst = '00:01:01:00:00:02'
+        ethernet.payload = ethernet.payload_raw = bytes 
+        begin
+            case type
+            when Ethernet::ETHERTYPE_IP
+                ethernet.payload = IPv4.from_bytes ethernet.payload
+            when Ethernet::ETHERTYPE_IP6
+                ethernet.payload = IPv6.from_bytes ethernet.payload
+            end
+        rescue ParseError => e
+            Pcap.warning e
+        end
+        return ethernet
+    end
+
+    def == other
+        return self.class == other.class &&
+            self.endian   == other.endian &&
+            self.ts_sec   == other.ts_sec &&
+            self.ts_usec  == other.ts_usec &&
+            self.caplen   == other.caplen &&
+            self.len      == other.len &&
+            self.pkt      == other.pkt
+    end
+end
+
+end
+end

data/lib/diy/parser/mu/pcap/reader.rb

@@ -0,0 +1,61 @@
+# http://www.mudynamics.com
+# http://labs.mudynamics.com
+# http://www.pcapr.net
+
+module Mu
+class Pcap
+
+class Reader
+    attr_accessor :pcap2scenario
+
+    FAMILY_TO_READER = {}
+
+    # Returns a reader instance of specified family. Returns nil when family is :none.
+    def self.reader family
+        if family == :none
+            return nil
+        end
+
+        if klass = FAMILY_TO_READER[family]
+            return klass.new
+        end
+
+        raise ArgumentError, "Unknown protocol family: '#{family}'"
+    end
+
+    # Returns family name 
+    def family
+        raise NotImplementedError
+    end
+
+    # Notify parser of bytes written. Parser may update state
+    # to serve as a hint for subsequent reads.
+    def record_write bytes, state=nil
+        begin
+            do_record_write bytes, state
+        rescue
+            nil
+        end
+    end
+
+    # Returns next complete message from byte stream or nil. 
+    def read_message bytes, state=nil
+        read_message! bytes.dup, state
+    end
+
+    # Mutating form of read_message. Removes a complete message
+    # from input stream. Returns the message or nil if there. 
+    # is not a complete message.
+    def read_message! bytes, state=nil
+        begin
+            do_read_message! bytes, state
+        rescue
+            nil
+        end
+    end
+
+end
+end
+end
+
+require 'mu/pcap/reader/http_family'