blackfoundry-pcap 0.1

data/ChangeLog

@@ -0,0 +1,145 @@
+2000-08-13  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* version 0.6 released.
+
+	* packet.c (packet_match): Packet#=~ added.
+
+	* Pcap.c (capture_setfilter): Filter object can be used in
+	Capture#setfilter.
+
+	* lib/pcaplet.rb: invoke gzip when reading /\.gz$/ file.
+	Pcaplet.new accept options.
+
+	* Pcap.c: implement Filter logical operation.
+	(filter_source): Filter#source added.
+
+2000-08-09  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* Pcap.c (filter_new): use pcap_compile_nopcap() if available.
+
+1999-11-08  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* version 0.5 released.
+
+	* Pcap.c: Call Check_SafeStr() before I/O operation.
+
+	* lib/pcaplet.rb: Use getopts instead of parseparg.
+
+1999-11-05  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* Filter document added.
+
+1999-11-04  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* Pcap.c (filter_match): datalink and caplen check.
+
+1999-10-30  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* Pcap.c (Init_pcap): added Pcap.{lookupdev,lookupnet}.
+
+1999-10-29  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* Pcap.c: use RTEST instead of Qtrue/Qfalse test.
+
+1999-08-27  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* ip_packet.c (ipaddr_s_new): changed to use gethostbyname().
+
+	* icmp_packet.c: icmp_type_info lacks type 31-36 hole.
+
+1999-08-26  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* version 0.4 released.
+
+	* ICMPPacket document added.
+
+1999-08-25  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* udp_packet.c: UdpPacket renamed to UDPPacket.
+
+	* tcp_packet.c: TcpPacket renamed to TCPPacket.
+
+	* ip_packet.c: IpPacket renamed to IPPacket.
+
+1999-08-24  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* icmp_packet.c: ICMP support.
+
+1999-08-18  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* Pcap.c (Init_pcap): PcapStat is now defined as Pcap::Stat.
+
+1999-08-17  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* ip_packet.c (setup_ip_packet): check ip_v == 4
+
+1999-08-14  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* ip_packet.c (setup_ip_packet): ntohs must be used for ip_len.
+
+	* packet.c (Init_packet): Packet#udp? added.
+
+1999-07-23  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* extconf.rb: --with-pcap-prefix is changed to --with-pcap-dir
+
+1999-07-14  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* ip_packet.c (Init_ip_packet): IP address is now represented by
+	new class IPAddress implemented in C.  IpAddress is obsolete but
+	remains for backward compatibility.
+
+1999-07-11  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* Pcap.c (Init_pcap): Capture includes Enumerable.
+
+1999-07-02  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* version 0.3.1 released.
+
+	* Pcap.c: Filter class is added.
+
+	* tcp_packet.c (tcpp_data): data length bug is fixed.
+
+1999-06-27  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* Pcap.c (capture_loop): improved to be thread-friendly.
+
+1999-05-24  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* version 0.3 released.
+
+	* extconf.rb: --with-pcap-prefix option added.
+
+	* changed to based on ruby-1.3.x.
+
+1999-04-20  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* version 0.2 released.
+
+1999-04-18  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* UdpPacket documentation added.
+
+1999-02-08  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* udp_packet.c: UDP supprot added.
+
+1998-12-07  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* version 0.1.1 released.
+
+	* Document about exception classes added.
+
+	* Pcap.c (CheckClass): CheckClass added.
+	(dumper_dump): check data-link type and caplen.
+
+1998-12-06  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* packet.c: Packet#datalink added.
+
+	* English document added.
+
+1998-12-01  Masaki Fukushima  <fukusima@goto.info.waseda.ac.jp>
+
+	* version 0.1 released.

data/README

@@ -0,0 +1,48 @@
+* Introduction
+
+ruby-pcap is a ruby extension to LBL libpcap (Packet Capture library).
+This library also includes classes to access TCP/IP header.
+
+* Installation
+
+Requirements:
+
+  - ruby-1.4.x
+  - libpcap (http://www.tcpdump.org/)
+
+Compile:
+
+If ruby supports dynamic link of extension module on your OS,
+following commands will install ruby-pcap.
+
+  ruby extconf.rb [options]
+  make
+  make install
+
+You can specify options when you run 'ruby extconf.rb':
+
+`--with-pcap-dir=PREFIX'
+    Directory where libpcap is installed.  Default is '/usr/local'.
+
+If dynamic link isn't available, you can link ruby-pcap statically
+with ruby.  Extract ruby-pcap under the directory 'ext' in ruby source
+tree, then build ruby.
+
+* Usage
+
+See the documentation under the directory 'doc'.
+Directory 'examples' contains some simple scripts.
+
+* Author
+
+Masaki Fukushima <fukusima@goto.info.waseda.ac.jp>
+
+ruby-pcap is copyrighted free software by Masaki Fukushima.
+
+You can redistribute it and/or modify it under the terms of
+the GPL (GNU GENERAL PUBLIC LICENSE).  See COPYING file about GPL.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  See the GPL for
+more details.

data/README.ja

@@ -0,0 +1,50 @@
+* $B35MW(B
+
+ruby-pcap $B$O(B Ruby $B$+$i(B LBL $B$N(B libpcap (Packet Capture library) $B$X%"%/(B
+$B%;%9$9$k$?$a$N3HD%%i%$%V%i%j$G$9!#(BTCP/IP$B$N%X%C%@$N>pJs$K%"%/%;%9$9$k$?(B
+$B$a$N%/%i%9$b4^$s$G$$$^$9!#(B
+
+* $B%$%s%9%H!<%k(B
+
+$BI,MW$J$b$N(B:
+
+  - ruby-1.4.x
+  - libpcap (http://www.tcpdump.org/)
+
+$B%3%s%Q%$%k(B:
+
+ruby $B$,3HD%%i%$%V%i%j$N%@%$%J%_%C%/%j%s%/$r%5%]!<%H$7$F$$$k>l9g$O!"(B
+$B0J2<$N<j=g$G%$%s%9%H!<%k$G$-$^$9!#(B
+
+  ruby extconf.rb [options]
+  make
+  make install
+
+'ruby extconf.rb'$B$r<B9T$9$k;~$K$O0J2<$N%*%W%7%g%s$r;XDj$G$-$^$9!#(B
+
+`--with-pcap-dir=PREFIX'
+    libpcap$B$,%$%s%9%H!<%k$5$l$F$$$k%G%#%l%/%H%j$r;XDj$7$^$9!#(B
+    $B%G%U%)%k%H$O(B'/usr/local'$B$G$9!#(B
+
+$B%@%$%J%_%C%/%j%s%/$,;H$($J$$>l9g$O(B ruby $B$K@EE*$K%j%s%/$7$F2<$5$$!#(B
+$B$=$N>l9g$O(B ruby $B%=!<%9Cf$N(B 'ext' $B%G%#%l%/%H%j$N2<$G(B ruby-pcap $B$rE83+$7(B
+$B$F$+$i(B ruby $B$r%S%k%I$7$F2<$5$$!#(B
+
+* $B;H$$J}(B
+
+doc $B$*$h$S(B doc-ja $B%G%#%l%/%H%j0J2<$K$"$k%U%!%$%k$r8+$F2<$5$$!#(B
+examples $B%G%#%l%/%H%j$K4JC1$J%5%s%W%k%9%/%j%W%H$,$"$j$^$9!#(B
+
+* $B:n<T(B
+
+$BJ!Eh@55!(B <fukusima@goto.info.waseda.ac.jp>
+
+ruby-pcap$B$OJ!Eh@55!$,Cx:n8"$rJ];}$9$k(B free software $B$G$9!#(B
+
+ruby-pcap$B$O(BGPL(GNU GENERAL PUBLIC LICENSE)$B$K=>$C$F:FG[I[$^$?$O(B
+$BJQ99$9$k$3$H$,$G$-$^$9!#(BGPL$B$K$D$$$F$O(BCOPYING$B%U%!%$%k$r;2>H$7$F(B
+$B$/$@$5$$!#(B
+
+ruby-pcap$B$OL5J]>Z$G$9!#:n<T$O(Bruby-pcap$B$N%P%0$J$I$+$iH/@8$9$k(B
+$B$$$+$J$kB;32$KBP$7$F$b@UG$$r;}$A$^$;$s!#>\:Y$K$D$$$F$O(B GPL $B$r(B
+$B;2>H$7$F$/$@$5$$!#(B

data/Rakefile

@@ -0,0 +1,23 @@
+require 'rake'
+
+task :default => [:make]
+
+task :make do
+  puts `ruby extconf.rb`
+  puts `make`
+end
+
+require 'jeweler'
+Jeweler::Tasks.new do |s|
+  s.version = '0.1'
+  s.name = 'blackfoundry-pcap'
+  s.summary = 'extensions to ruby-pcap'
+  s.email = 'david@blackfoundry.com'
+  s.description =<<-eod
+    Some extensions to the pcap library.
+  eod
+  s.executables = []
+  s.authors = ['David Turnbull']
+  s.files = ['Rakefile', 'lib'] + Dir['ext/**'] + Dir['lib/**']
+end
+

data/ext/Pcap.c

@@ -0,0 +1,798 @@
+/*
+ *  Pcap.c
+ *
+ *  $Id: Pcap.c,v 1.10 2000/08/13 05:56:31 fukusima Exp $
+ *
+ *  Copyright (C) 1998-2000  Masaki Fukushima
+ */
+
+#include "ruby_pcap.h"
+#include "rubysig.h"
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define DEFAULT_DATALINK	DLT_EN10MB
+#define DEFAULT_SNAPLEN	68
+#define DEFAULT_PROMISC	1
+#define DEFAULT_TO_MS	1000
+static char pcap_errbuf[PCAP_ERRBUF_SIZE];
+
+VALUE mPcap, rbpcap_convert = Qnil;
+VALUE ePcapError;
+VALUE eTruncatedPacket;
+VALUE cFilter;
+static VALUE cCapture;
+static VALUE cPcapStat;
+static VALUE cDumper;
+
+struct filter_object {
+    char *expr;
+    struct bpf_program program;
+    int datalink;
+    int snaplen;
+    VALUE param;
+    VALUE optimize;
+    VALUE netmask;
+};
+
+#define GetFilter(obj, filter) \
+    Data_Get_Struct(obj, struct filter_object, filter)
+
+
+static VALUE
+pcap_s_lookupdev(self)
+    VALUE self;
+{
+    char *dev;
+
+    dev = pcap_lookupdev(pcap_errbuf);
+    if (dev == NULL) {
+	rb_raise(ePcapError, "%s", pcap_errbuf);
+    }
+    return rb_str_new2(dev);
+}
+
+static VALUE
+pcap_s_lookupnet(self, dev)
+    VALUE self;
+    VALUE dev;
+{
+    bpf_u_int32 net, mask, m;
+    struct in_addr addr;
+
+    Check_Type(dev, T_STRING);
+    if (pcap_lookupnet(STR2CSTR(dev), &net, &mask, pcap_errbuf) == -1) {
+	rb_raise(ePcapError, "%s", pcap_errbuf);
+    }
+
+    addr.s_addr = net;
+    m = ntohl(mask);
+    return rb_ary_new3(2, new_ipaddr(&addr), UINT32_2_NUM(m));
+}
+
+static VALUE
+pcap_s_convert(self)
+    VALUE self;
+{
+    return rbpcap_convert;
+}
+
+static VALUE
+pcap_s_convert_set(self, val)
+    VALUE self;
+{
+    rbpcap_convert = val;
+    return Qnil;
+}
+
+/*
+ * Capture object
+ */
+
+struct capture_object {
+    pcap_t	*pcap;
+    bpf_u_int32	netmask;
+    int		dl_type;	/* data-link type (DLT_*)		*/
+};
+
+static void
+closed_capture()
+{
+    rb_raise(rb_eRuntimeError, "device is already closed");
+}
+
+#define GetCapture(obj, cap) {\
+    Data_Get_Struct(obj, struct capture_object, cap);\
+    if (cap->pcap == NULL) closed_capture();\
+}
+
+/* called from GC */
+static void
+free_capture(cap)
+     struct capture_object *cap;
+{
+    DEBUG_PRINT("free_capture");
+    if (cap->pcap != NULL) {
+	DEBUG_PRINT("closing capture");
+	rb_thread_fd_close(pcap_fileno(cap->pcap));
+	pcap_close(cap->pcap);
+	cap->pcap = NULL;
+    }
+    free(cap);
+}
+
+static VALUE
+capture_open_live(argc, argv, class)
+     int argc;
+     VALUE *argv;
+     VALUE class;
+{
+    VALUE v_device, v_snaplen, v_promisc, v_to_ms;
+    char *device;
+    int snaplen, promisc, to_ms;
+    int rs;
+    VALUE self;
+    struct capture_object *cap;
+    pcap_t *pcap;
+    bpf_u_int32 net, netmask;
+
+    DEBUG_PRINT("capture_open_live");
+
+    /* scan arg */
+    rs = rb_scan_args(argc, argv, "13", &v_device, &v_snaplen,
+		      &v_promisc, &v_to_ms);
+
+    /* device */
+    Check_SafeStr(v_device);
+    device = RSTRING(v_device)->ptr;
+    /* snaplen */
+    if (rs >= 2) {
+	Check_Type(v_snaplen, T_FIXNUM);
+	snaplen = FIX2INT(v_snaplen);
+    } else {
+	snaplen = DEFAULT_SNAPLEN;
+    }
+    if (snaplen <  0)
+	rb_raise(rb_eArgError, "invalid snaplen");
+    /* promisc */
+    if (rs >= 3) {
+	promisc = RTEST(v_promisc);
+    } else {
+	promisc = DEFAULT_PROMISC;
+    }
+    /* to_ms */
+    if (rs >= 4) {
+	Check_Type(v_to_ms, T_FIXNUM);
+	to_ms = FIX2INT(v_to_ms);
+    } else
+	to_ms = DEFAULT_TO_MS;
+
+    /* open */
+    pcap = pcap_open_live(device, snaplen, promisc, to_ms, pcap_errbuf);
+    if (pcap == NULL) {
+	rb_raise(ePcapError, "%s", pcap_errbuf);
+    }
+    if (pcap_lookupnet(device, &net, &netmask, pcap_errbuf) == -1) {
+	netmask = 0;
+	rb_warning("cannot lookup net: %s\n", pcap_errbuf);
+    }
+
+    /* setup instance */
+    self = Data_Make_Struct(class, struct capture_object,
+			    0, free_capture, cap);
+    cap->pcap = pcap;
+    cap->netmask = netmask;
+    cap->dl_type = pcap_datalink(pcap);
+
+    return self;
+}
+
+static VALUE
+capture_open_offline(class, fname)
+     VALUE class;
+     VALUE fname;
+{
+    VALUE self;
+    struct capture_object *cap;
+    pcap_t *pcap;
+
+    DEBUG_PRINT("capture_open_offline");
+
+    /* open offline */
+    Check_SafeStr(fname);
+    pcap = pcap_open_offline(RSTRING(fname)->ptr, pcap_errbuf);
+    if (pcap == NULL) {
+	rb_raise(ePcapError, "%s", pcap_errbuf);
+    }
+
+    /* setup instance */
+    self = Data_Make_Struct(class, struct capture_object,
+			    0, free_capture, cap);
+    cap->pcap = pcap;
+    cap->netmask = 0;
+    cap->dl_type = pcap_datalink(pcap);
+
+    return self;
+}
+
+static VALUE
+capture_close(self)
+     VALUE self;
+{
+    struct capture_object *cap;
+
+    DEBUG_PRINT("capture_close");
+    GetCapture(self, cap);
+
+    rb_thread_fd_close(pcap_fileno(cap->pcap));
+    pcap_close(cap->pcap);
+    cap->pcap = NULL;
+    return Qnil;
+}
+
+static void
+handler(cap, pkthdr, data)
+     struct capture_object *cap;
+     const struct pcap_pkthdr *pkthdr;
+     const u_char *data;
+{
+    size_t offset = ftell(pcap_file(cap->pcap)) - pkthdr->caplen;
+    VALUE pkt = new_packet(data, pkthdr, cap->dl_type);
+    rb_yield_values(2, LONG2NUM(offset), pkt);
+}
+
+static VALUE
+capture_dispatch(argc, argv, self)
+     int argc;
+     VALUE *argv;
+     VALUE self;
+{
+    VALUE v_cnt;
+    int cnt;
+    struct capture_object *cap;
+    int ret;
+
+    DEBUG_PRINT("capture_dispatch");
+    GetCapture(self, cap);
+
+
+    /* scan arg */
+    if (rb_scan_args(argc, argv, "01", &v_cnt) >= 1) {
+	FIXNUM_P(v_cnt);
+	cnt = FIX2INT(v_cnt);
+    } else
+	cnt = -1;
+
+    TRAP_BEG;
+    ret = pcap_dispatch(cap->pcap, cnt, handler, (u_char *)cap);
+    TRAP_END;
+    if (ret == -1)
+	rb_raise(ePcapError, "dispatch: %s", pcap_geterr(cap->pcap));
+
+    return INT2FIX(ret);
+}
+
+int pcap_read(pcap_t *, int cnt, pcap_handler, u_char *); /* pcap-int.h */
+
+static VALUE
+capture_loop(argc, argv, self)
+     int argc;
+     VALUE *argv;
+     VALUE self;
+{
+    VALUE v_cnt;
+    int cnt;
+    struct capture_object *cap;
+    int ret;
+
+    DEBUG_PRINT("capture_loop");
+    GetCapture(self, cap);
+
+
+    /* scan arg */
+    if (rb_scan_args(argc, argv, "01", &v_cnt) >= 1) {
+	FIXNUM_P(v_cnt);
+	cnt = FIX2INT(v_cnt);
+    } else
+	cnt = -1;
+
+#if 0
+    TRAP_BEG;
+    ret = pcap_loop(cap->pcap, cnt, handler, (u_char *)cap);
+    TRAP_END;
+#else
+    if (pcap_file(cap->pcap) != NULL) {
+	TRAP_BEG;
+	ret = pcap_loop(cap->pcap, cnt, handler, (u_char *)cap);
+	TRAP_END;
+    } else {
+	int fd = pcap_fileno(cap->pcap);
+	fd_set rset;
+	struct timeval tm;
+
+	FD_ZERO(&rset);
+	tm.tv_sec = 0;
+	tm.tv_usec = 0;
+	for (;;) {
+	    do {
+		FD_SET(fd, &rset);
+		if (select(fd+1, &rset, NULL, NULL, &tm) == 0) {
+		    rb_thread_wait_fd(fd);
+		}
+		TRAP_BEG;
+		ret = pcap_read(cap->pcap, 1, handler, (u_char *)cap);
+		TRAP_END;
+	    } while (ret == 0);
+	    if (ret <= 0)
+		break;
+	    if (cnt > 0) {
+		cnt -= ret;
+		if (cnt <= 0)
+		    break;
+	    }
+	}
+    }
+#endif
+    return INT2FIX(ret);
+}
+
+static VALUE
+capture_setfilter(argc, argv, self)
+     int argc;
+     VALUE *argv;
+     VALUE self;
+{
+    struct capture_object *cap;
+    VALUE vfilter, optimize;
+    char *filter;
+    int opt;
+    struct bpf_program program;
+
+    DEBUG_PRINT("capture_setfilter");
+    GetCapture(self, cap);
+
+    /* scan arg */
+    if (rb_scan_args(argc, argv, "11", &vfilter, &optimize) == 1) {
+	optimize = Qtrue;
+    }
+
+    /* check arg */
+    if (IsKindOf(vfilter, cFilter)) {
+	struct filter_object *f;
+	GetFilter(vfilter, f);
+	filter = f->expr;
+    } else {
+	Check_Type(vfilter, T_STRING);
+	filter = RSTRING(vfilter)->ptr;
+    }
+    opt = RTEST(optimize);
+
+    /* operation */
+    if (pcap_compile(cap->pcap, &program, filter,
+		     opt, cap->netmask) < 0)
+	rb_raise(ePcapError, "setfilter: %s", pcap_geterr(cap->pcap));
+    if (pcap_setfilter(cap->pcap, &program) < 0)
+	rb_raise(ePcapError, "setfilter: %s", pcap_geterr(cap->pcap));
+    
+    return Qnil;
+}
+
+static VALUE
+capture_datalink(self)
+     VALUE self;
+{
+    struct capture_object *cap;
+
+    DEBUG_PRINT("capture_datalink");
+    GetCapture(self, cap);
+
+    return INT2NUM(pcap_datalink(cap->pcap));
+}
+
+static VALUE
+capture_snapshot(self)
+     VALUE self;
+{
+    struct capture_object *cap;
+
+    DEBUG_PRINT("capture_snapshot");
+    GetCapture(self, cap);
+
+    return INT2NUM(pcap_snapshot(cap->pcap));
+}
+
+static VALUE
+capture_stats(self)
+     VALUE self;
+{
+    struct capture_object *cap;
+    struct pcap_stat stat;
+    VALUE v_stat;
+
+    DEBUG_PRINT("capture_stats");
+    GetCapture(self, cap);
+
+    if (pcap_stats(cap->pcap, &stat) == -1)
+	return Qnil;
+
+    v_stat = rb_funcall(cPcapStat, rb_intern("new"), 3,
+			UINT2NUM(stat.ps_recv),
+			UINT2NUM(stat.ps_drop),
+			UINT2NUM(stat.ps_ifdrop));
+
+    return v_stat;
+}
+
+/*
+ * Dumper object
+ */
+
+struct dumper_object {
+    pcap_dumper_t *pcap_dumper;
+    int dl_type;
+    bpf_u_int32 snaplen;
+};
+
+static void
+closed_dumper()
+{
+    rb_raise(rb_eRuntimeError, "dumper is already closed");
+}
+
+#define GetDumper(obj, dumper) {\
+    Data_Get_Struct(obj, struct dumper_object, dumper);\
+    if (dumper->pcap_dumper == NULL) closed_dumper();\
+}
+
+/* called from GC */
+static void
+free_dumper(dumper)
+     struct dumper_object *dumper;
+{
+    DEBUG_PRINT("free_dumper");
+    if (dumper->pcap_dumper != NULL) {
+	DEBUG_PRINT("closing dumper");
+	pcap_dump_close(dumper->pcap_dumper);
+	dumper->pcap_dumper = NULL;
+    }
+    free(dumper);
+}
+
+static VALUE
+dumper_open(class, v_cap, v_fname)
+     VALUE class;
+     VALUE v_cap;
+     VALUE v_fname;
+{
+    struct dumper_object *dumper;
+    struct capture_object *cap;
+    pcap_dumper_t *pcap_dumper;
+    VALUE self;
+
+    DEBUG_PRINT("dumper_open");
+
+    CheckClass(v_cap, cCapture);
+    GetCapture(v_cap, cap);
+    Check_SafeStr(v_fname);
+
+    pcap_dumper = pcap_dump_open(cap->pcap, RSTRING(v_fname)->ptr);
+    if (pcap_dumper == NULL) {
+	rb_raise(ePcapError, "dumper_open: %s", pcap_geterr(cap->pcap));
+    }
+
+    self = Data_Make_Struct(class, struct dumper_object, 0,
+			    free_dumper, dumper);
+    dumper->pcap_dumper = pcap_dumper;
+    dumper->dl_type = cap->dl_type;
+    dumper->snaplen = pcap_snapshot(cap->pcap);
+
+    return self;
+}
+
+static VALUE
+dumper_close(self)
+     VALUE self;
+{
+    struct dumper_object *dumper;
+
+    DEBUG_PRINT("dumper_close");
+    GetDumper(self, dumper);
+
+    pcap_dump_close(dumper->pcap_dumper);
+    dumper->pcap_dumper = NULL;
+    return Qnil;
+}
+
+static VALUE
+dumper_dump(self, v_pkt)
+     VALUE self;
+     VALUE v_pkt;
+{
+    struct dumper_object *dumper;
+    struct packet_object *pkt;
+
+    DEBUG_PRINT("dumper_dump");
+    GetDumper(self, dumper);
+
+    CheckClass(v_pkt, cPacket);
+    GetPacket(v_pkt, pkt);
+    if (pkt->hdr.dl_type != dumper->dl_type)
+	rb_raise(rb_eArgError, "Cannot dump this packet: data-link type mismatch");
+    if (pkt->hdr.pkthdr.caplen > dumper->snaplen)
+	rb_raise(rb_eArgError, "Cannot dump this packet: too large caplen");
+
+    pcap_dump((u_char *)dumper->pcap_dumper, &pkt->hdr.pkthdr, pkt->data);
+    return Qnil;
+}
+
+/*
+ * Filter object
+ */
+
+/* called from GC */
+static void
+mark_filter(filter)
+     struct filter_object *filter;
+{
+    rb_gc_mark(filter->param);
+    rb_gc_mark(filter->optimize);
+    rb_gc_mark(filter->netmask);
+}
+
+static void
+free_filter(filter)
+     struct filter_object *filter;
+{
+    free(filter->expr);
+    free(filter);
+    /*
+     * This cause memory leak because filter->program hold some memory.
+     * We overlook it because libpcap does not implement pcap_freecode().
+     */
+}
+
+static VALUE
+filter_new(argc, argv, class)
+     int argc;
+     VALUE *argv;
+     VALUE class;
+{
+    VALUE self, v_expr, v_optimize, v_capture, v_netmask;
+    struct filter_object *filter;
+    struct capture_object *capture;
+    pcap_t *pcap;
+    char *expr;
+    int n, optimize, snaplen, linktype;
+    bpf_u_int32 netmask;
+
+    n = rb_scan_args(argc, argv, "13", &v_expr, &v_capture,
+		     &v_optimize, &v_netmask);
+    /* filter expression */
+    Check_Type(v_expr, T_STRING);
+    expr = STR2CSTR(v_expr);
+    /* capture object */
+    if (IsKindOf(v_capture, cCapture)) {
+	CheckClass(v_capture, cCapture);
+	GetCapture(v_capture, capture);
+	pcap = capture->pcap;
+    } else if (NIL_P(v_capture)) {
+	/* assume most common case */
+	snaplen  = DEFAULT_SNAPLEN;
+	linktype = DEFAULT_DATALINK;
+	pcap = 0;
+    } else {
+	snaplen  = NUM2INT(rb_funcall(v_capture, rb_intern("[]"), 1, INT2FIX(0)));
+	linktype = NUM2INT(rb_funcall(v_capture, rb_intern("[]"), 1, INT2FIX(1)));
+	pcap = 0;
+    }
+    /* optimize flag */
+    optimize = 1;
+    if (n >= 3) {
+	optimize = RTEST(v_optimize);
+    }
+    /* netmask */
+    netmask = 0;
+    if (n >= 4) {
+	bpf_u_int32 mask = NUM2UINT(v_netmask);
+	netmask = htonl(mask);
+    }
+
+    filter = (struct filter_object *)xmalloc(sizeof(struct filter_object));
+    if (pcap) {
+	if (pcap_compile(pcap, &filter->program, expr, optimize, netmask) < 0)
+	    rb_raise(ePcapError, "%s", pcap_geterr(pcap));
+	filter->datalink = pcap_datalink(pcap);
+	filter->snaplen  = pcap_snapshot(pcap);
+    } else {
+#ifdef HAVE_PCAP_COMPILE_NOPCAP
+	if (pcap_compile_nopcap(snaplen, linktype, &filter->program, expr, optimize, netmask) < 0)
+	    /* libpcap-0.5 provides no error report for pcap_compile_nopcap */
+	    rb_raise(ePcapError, "pcap_compile_nopcap error");
+	filter->datalink = linktype;
+	filter->snaplen  = snaplen;
+#else
+	rb_raise(rb_eArgError, "pcap_compile_nopcap needs libpcap-0.5 or later");
+#endif
+    }
+    self = Data_Wrap_Struct(class, mark_filter, free_filter, filter);
+    filter->expr	= strdup(expr);
+    filter->param	= v_capture;
+    filter->optimize	= optimize ? Qtrue : Qfalse;
+    filter->netmask	= INT2NUM(ntohl(netmask));
+
+    return self;
+}
+
+VALUE
+filter_match(self, v_pkt)
+    VALUE self, v_pkt;
+{
+    struct filter_object *filter;
+    struct packet_object *pkt;
+    struct pcap_pkthdr *h;
+
+    GetFilter(self, filter);
+    CheckClass(v_pkt, cPacket);
+    GetPacket(v_pkt, pkt);
+    h = &pkt->hdr.pkthdr;
+
+    if (filter->datalink != pkt->hdr.dl_type)
+	rb_raise(rb_eRuntimeError, "Incompatible datalink type");
+    if (filter->snaplen < h->caplen)
+	rb_raise(rb_eRuntimeError, "Incompatible snaplen");
+
+    if (bpf_filter(filter->program.bf_insns, pkt->data, h->len, h->caplen))
+	return Qtrue;
+    else
+	return Qfalse;
+}
+
+static VALUE
+filter_source(self)
+    VALUE self;
+{
+    struct filter_object *filter;
+
+    GetFilter(self, filter);
+    return rb_str_new2(filter->expr);
+}
+
+static VALUE
+new_filter(expr, param, optimize, netmask)
+    char *expr;
+    VALUE param, optimize, netmask;
+{
+    return rb_funcall(cFilter,
+		      rb_intern("new"), 4,
+		      rb_str_new2(expr), param, optimize, netmask);
+}
+
+static VALUE
+filter_or(self, other)
+    VALUE self, other;
+{
+    struct filter_object *filter, *filter2;
+    char *expr;
+
+    CheckClass(other, cFilter);
+    GetFilter(self, filter);
+    GetFilter(other, filter2);
+
+    expr = ALLOCA_N(char, strlen(filter->expr) + strlen(filter2->expr) + 16); 
+    sprintf(expr, "( %s ) or ( %s )", filter->expr, filter2->expr);
+    return new_filter(expr, filter->param, filter->optimize, filter->netmask);
+}
+
+static VALUE
+filter_and(self, other)
+    VALUE self, other;
+{
+    struct filter_object *filter, *filter2;
+    char *expr;
+
+    CheckClass(other, cFilter);
+    GetFilter(self, filter);
+    GetFilter(other, filter2);
+
+    expr = ALLOCA_N(char, strlen(filter->expr) + strlen(filter2->expr) + 16); 
+    sprintf(expr, "( %s ) and ( %s )", filter->expr, filter2->expr);
+    return new_filter(expr, filter->param, filter->optimize, filter->netmask);
+}
+
+static VALUE
+filter_not(self)
+    VALUE self;
+{
+    struct filter_object *filter;
+    char *expr;
+
+    GetFilter(self, filter);
+    expr = ALLOCA_N(char, strlen(filter->expr) + 16); 
+    sprintf(expr, "not ( %s )", filter->expr);
+    return new_filter(expr, filter->param, filter->optimize, filter->netmask);
+}
+
+/*
+ * Class definition
+ */
+
+void
+Init_pcap(void)
+{
+    DEBUG_PRINT("Init_pcap");
+
+    /* define module Pcap */
+    mPcap = rb_define_module("Pcap");
+    rb_define_module_function(mPcap, "lookupdev", pcap_s_lookupdev, 0);
+    rb_define_module_function(mPcap, "lookupnet", pcap_s_lookupnet, 1);
+    rb_global_variable(&rbpcap_convert);
+    rb_define_singleton_method(mPcap, "convert?", pcap_s_convert, 0);
+    rb_define_singleton_method(mPcap, "convert=", pcap_s_convert_set, 1);
+    rb_define_const(mPcap, "DLT_NULL",   INT2NUM(DLT_NULL));
+    rb_define_const(mPcap, "DLT_EN10MB", INT2NUM(DLT_EN10MB));
+    rb_define_const(mPcap, "DLT_EN3MB", INT2NUM(DLT_EN3MB));
+    rb_define_const(mPcap, "DLT_AX25", INT2NUM(DLT_AX25));
+    rb_define_const(mPcap, "DLT_PRONET", INT2NUM(DLT_PRONET));
+    rb_define_const(mPcap, "DLT_CHAOS", INT2NUM(DLT_CHAOS));
+    rb_define_const(mPcap, "DLT_IEEE802", INT2NUM(DLT_IEEE802));
+    rb_define_const(mPcap, "DLT_ARCNET", INT2NUM(DLT_ARCNET));
+    rb_define_const(mPcap, "DLT_SLIP", INT2NUM(DLT_SLIP));
+    rb_define_const(mPcap, "DLT_PPP", INT2NUM(DLT_PPP));
+    rb_define_const(mPcap, "DLT_FDDI", INT2NUM(DLT_FDDI));
+    rb_define_const(mPcap, "DLT_ATM_RFC1483", INT2NUM(DLT_ATM_RFC1483));
+#ifdef DLT_RAW
+    rb_define_const(mPcap, "DLT_RAW", INT2NUM(DLT_RAW));
+    rb_define_const(mPcap, "DLT_SLIP_BSDOS", INT2NUM(DLT_SLIP_BSDOS));
+    rb_define_const(mPcap, "DLT_PPP_BSDOS", INT2NUM(DLT_PPP_BSDOS));
+#endif
+
+    /* define class Capture */
+    cCapture = rb_define_class_under(mPcap, "Capture", rb_cObject);
+    rb_include_module(cCapture, rb_mEnumerable);
+    rb_define_singleton_method(cCapture, "open_live", capture_open_live, -1);
+    rb_define_singleton_method(cCapture, "open_offline", capture_open_offline, 1);
+    rb_define_method(cCapture, "close", capture_close, 0);
+    rb_define_method(cCapture, "dispatch", capture_dispatch, -1);
+    rb_define_method(cCapture, "loop", capture_loop, -1);
+    rb_define_method(cCapture, "each_packet", capture_loop, -1);
+    rb_define_method(cCapture, "each", capture_loop, -1);
+    rb_define_method(cCapture, "setfilter", capture_setfilter, -1);
+    rb_define_method(cCapture, "datalink", capture_datalink, 0);
+    rb_define_method(cCapture, "snapshot", capture_snapshot, 0);
+    rb_define_method(cCapture, "snaplen", capture_snapshot, 0);
+    rb_define_method(cCapture, "stats", capture_stats, 0);
+
+    /* define class Dumper */
+    cDumper = rb_define_class_under(mPcap, "Dumper", rb_cObject);
+    rb_define_singleton_method(cDumper, "open", dumper_open, 2);
+    rb_define_method(cDumper, "close", dumper_close, 0);
+    rb_define_method(cDumper, "dump", dumper_dump, 1);
+
+    /* define class Filter */
+    cFilter = rb_define_class_under(mPcap, "Filter", rb_cObject);
+    rb_define_singleton_method(cFilter, "new", filter_new, -1);
+    rb_define_singleton_method(cFilter, "compile", filter_new, -1);
+    rb_define_method(cFilter, "=~", filter_match, 1);
+    rb_define_method(cFilter, "===", filter_match, 1);
+    rb_define_method(cFilter, "source", filter_source, 0);
+    rb_define_method(cFilter, "|", filter_or, 1);
+    rb_define_method(cFilter, "&", filter_and, 1);
+    rb_define_method(cFilter, "~@", filter_not, 0);
+    /*rb_define_method(cFilter, "&", filter_and, 1);*/
+
+    /* define class PcapStat */
+    cPcapStat = rb_funcall(rb_cStruct, rb_intern("new"), 4,
+			   Qnil,
+			   INT2NUM(rb_intern("recv")),
+			   INT2NUM(rb_intern("drop")),
+			   INT2NUM(rb_intern("ifdrop")));
+    rb_define_const(mPcap, "Stat", cPcapStat);
+
+    /* define exception classes */
+    ePcapError       = rb_define_class_under(mPcap, "PcapError", rb_eStandardError);
+    eTruncatedPacket = rb_define_class_under(mPcap, "TruncatedPacket", ePcapError);
+
+    Init_packet();
+    rb_f_require(Qnil, rb_str_new2("pcap_misc"));
+}