dakrone-pcap-ffi 0.0.0

data/.gitignore

@@ -0,0 +1,6 @@
+doc
+pkg
+tmp/*
+.DS_Store
+*.swp
+*~

data/History.txt

@@ -0,0 +1,4 @@
+=== 0.1.0 / 2009-04-29
+
+* Initial release.
+

data/Manifest.txt

@@ -0,0 +1,40 @@
+History.txt
+Manifest.txt
+Rakefile
+README.txt
+examples/print_bytes.rb
+lib/pcap.rb
+lib/pcap/exceptions.rb
+lib/pcap/exceptions/read_error.rb
+lib/pcap/typedefs.rb
+lib/pcap/time_val.rb
+lib/pcap/in_addr.rb
+lib/pcap/sock_addr.rb
+lib/pcap/sock_addr_in.rb
+lib/pcap/if.rb
+lib/pcap/addr.rb
+lib/pcap/file_header.rb
+lib/pcap/packet_header.rb
+lib/pcap/packet.rb
+lib/pcap/packets.rb
+lib/pcap/packets/typedefs.rb
+lib/pcap/packets/ethernet.rb
+lib/pcap/packets/ip.rb
+lib/pcap/packets/tcp.rb
+lib/pcap/stat.rb
+lib/pcap/data_link.rb
+lib/pcap/error_buffer.rb
+lib/pcap/handler.rb
+lib/pcap/dumper.rb
+lib/pcap/version.rb
+lib/pcap/ffi.rb
+lib/pcap/pcap.rb
+tasks/spec.rb
+spec/spec_helper.rb
+spec/helpers/dumps.rb
+spec/dumps/simple_tcp.pcap
+spec/error_buffer.rb
+spec/data_link_spec.rb
+spec/handler_examples.rb
+spec/handler_spec.rb
+spec/pcap_spec.rb

data/README.txt

@@ -0,0 +1,41 @@
+= pcap-ffi
+
+* http://github.com/postmodern/pcap-ffi/
+* Postmodern (postmodern.mod3 at gmail.com)
+
+== DESCRIPTION:
+
+Ruby FFI bindings for libpcap.
+
+== FEATURES:
+
+== EXAMPLES:
+
+== INSTALL:
+
+  $ sudo gem install pcap-ffi
+
+== LICENSE:
+
+The MIT License
+
+Copyright (c) 2009 Hal Brodigan
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,24 @@
+# -*- ruby -*-
+
+require 'rubygems'
+require './lib/pcap/version.rb'
+require './tasks/spec.rb'
+
+# Generate a gem using jeweler
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.rubyforge_project = 'pcap-ffi'
+    gemspec.name = "pcap-ffi"
+    gemspec.summary = "FFI bindings for libpcap"
+    gemspec.email = "postmodern.mod3@gmail.com"
+    gemspec.homepage = "http://github.com/postmodern/pcap-ffi"
+    gemspec.description = "Bindings to sniff packets using the FFI interface in Ruby."
+    gemspec.authors = ["Postmodern, Dakrone"]
+  end
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end
+
+
+# vim: syntax=Ruby

data/VERSION

@@ -0,0 +1 @@
+0.0.0

data/examples/print_bytes.rb

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'pcap'
+
+include FFI
+
+pcap = PCap.open_live(:device => ARGV[0]) do |user,header,bytes|
+  puts "#{header.timestamp}:"
+
+  header.captured.times { |i|
+    print ' %.2x' % bytes.get_uchar(i)
+  }
+  putc "\n"
+end
+
+pcap.loop

data/lib/pcap/addr.rb

@@ -0,0 +1,37 @@
+require 'pcap/typedefs'
+require 'pcap/sock_addr'
+
+require 'ffi/struct'
+
+module FFI
+  module PCap
+    class Addr < FFI::Struct
+      layout :next, :pointer,
+             :addr, :pointer,
+             :netmask, :pointer,
+             :broadaddr, :pointer,
+             :dstaddr, :pointer
+
+      def next
+        Addr.new(self[:next])
+      end
+
+      def addr
+        SockAddr.new(self[:addr])
+      end
+
+      def netmask
+        SockAddr.new(self[:netmask])
+      end
+
+      def broadcast
+        SockAddr.new(self[:broadaddr])
+      end
+
+      def dest_addr
+        SockAddr.new(self[:destaddr])
+      end
+
+    end
+  end
+end

data/lib/pcap/data_link.rb

@@ -0,0 +1,53 @@
+module FFI
+  module PCap
+    class DataLink
+
+      # PCap datalink numeric value
+      attr_reader :value
+
+      # DataLink name
+      attr_reader :name
+
+      #
+      # Creates a new DataLink object with the specified _value_.
+      #
+      def initialize(value)
+        @value = value
+        @name = PCap.pcap_datalink_val_to_name(@value)
+      end
+
+      def self.[](name)
+        PCap.pcap_datalink_name_to_val(name.to_s.downcase)
+      end
+
+      #
+      # Returns the description of the datalink.
+      #
+      def description
+        PCap.pcap_datalink_val_to_description(@value)
+      end
+
+      #
+      # Returns the numeric value of the datalink.
+      #
+      def to_i
+        @value
+      end
+
+      #
+      # Returns the String form of the datalink.
+      #
+      def to_s
+        @name
+      end
+
+      #
+      # Inspects the datalink.
+      #
+      def inspect
+        "#<#{self.class}: #{@name}>"
+      end
+
+    end
+  end
+end

data/lib/pcap/dumper.rb

@@ -0,0 +1,39 @@
+require 'pcap/ffi'
+
+require 'ffi'
+
+module FFI
+  module PCap
+    class Dumper < FFI::MemoryPointer
+
+      def initialize(dumper)
+        @dumper = dumper
+      end
+
+      def write(header,bytes)
+        PCap.pcap_dump(@dumper,header,bytes)
+      end
+
+      def tell
+        PCap.pcap_dump_ftell(@dumper)
+      end
+
+      def flush
+        PCap.pcap_dump_flush(@dumper)
+      end
+
+      def close
+        PCap.pcap_dump_close(@dumper)
+      end
+
+      def to_ptr
+        @dumper
+      end
+
+      def inspect
+        "#<#{self.class}: 0x#{@dumper.address.to_s(16)}>"
+      end
+
+    end
+  end
+end

data/lib/pcap/error_buffer.rb

@@ -0,0 +1,26 @@
+require 'ffi'
+
+module FFI
+  module PCap
+    class ErrorBuffer < FFI::Buffer
+
+      # Size of the error buffers
+      SIZE = 256
+
+      #
+      # Creates a new ErrorBuffer object.
+      #
+      def initialize
+        super(SIZE)
+      end
+
+      #
+      # Returns the error message within the error buffer.
+      #
+      def to_s
+        get_string(SIZE)
+      end
+
+    end
+  end
+end

data/lib/pcap/exceptions/read_error.rb

@@ -0,0 +1,6 @@
+module FFI
+  module PCap
+    class ReadError < RuntimeError
+    end
+  end
+end

data/lib/pcap/exceptions.rb

@@ -0,0 +1 @@
+require 'pcap/exceptions/read_error'

data/lib/pcap/ffi.rb

@@ -0,0 +1,78 @@
+require 'pcap/typedefs'
+
+require 'ffi'
+
+module FFI
+  module PCap
+    extend FFI::Library
+
+    ffi_lib 'libpcap'
+
+    enum :pcap_direction, [
+      :pcap_d_inout,
+      :pcap_d_in,
+      :pcap_d_out
+    ]
+
+    callback :pcap_handler, [:pointer, :pointer, :pointer], :void
+
+    attach_function :pcap_lookupdev, [:pointer], :string
+    attach_function :pcap_lookupnet, [:string, :pointer, :pointer, :pointer], :int
+    attach_function :pcap_open_live, [:string, :int, :int, :int, :pointer], :pointer
+    attach_function :pcap_open_dead, [:int, :int], :pointer
+    attach_function :pcap_open_offline, [:string, :pointer], :pointer
+    attach_function :pcap_fopen_offline, [:pointer, :string], :pointer
+    attach_function :pcap_close, [:pointer], :void
+    attach_function :pcap_loop, [:pointer, :int, :pcap_handler, :pointer], :int
+    attach_function :pcap_dispatch, [:pointer, :int, :pcap_handler, :pointer], :int
+    attach_function :pcap_next, [:pointer, :pointer], :pointer
+    attach_function :pcap_next_ex, [:pointer, :pointer, :pointer], :int
+    attach_function :pcap_breakloop, [:pointer], :void
+    attach_function :pcap_stats, [:pointer, :pointer], :int
+    attach_function :pcap_setfilter, [:pointer, :pointer], :int
+    attach_function :pcap_setdirection, [:pointer, :pcap_direction], :int
+    attach_function :pcap_getnonblock, [:pointer, :pointer], :int
+    attach_function :pcap_setnonblock, [:pointer, :int, :pointer], :int
+    attach_function :pcap_perror, [:pointer, :string], :void
+    attach_function :pcap_inject, [:pointer, :pointer, :int], :int
+    attach_function :pcap_sendpacket, [:pointer, :pointer, :int], :int
+    attach_function :pcap_strerror, [:int], :string
+    attach_function :pcap_geterr, [:pointer], :string
+    attach_function :pcap_compile, [:pointer, :pointer, :string, :int, :bpf_uint32], :int
+    attach_function :pcap_compile_nopcap, [:int, :int, :pointer, :string, :int, :bpf_uint32], :int
+    attach_function :pcap_freecode, [:pointer], :void
+    attach_function :pcap_datalink, [:pointer], :int
+    attach_function :pcap_list_datalinks, [:pointer, :pointer], :int
+    attach_function :pcap_set_datalink, [:pointer, :int], :int
+    attach_function :pcap_datalink_name_to_val, [:string], :int
+    attach_function :pcap_datalink_val_to_name, [:int], :string
+    attach_function :pcap_datalink_val_to_description, [:int], :string
+    attach_function :pcap_snapshot, [:pointer], :int
+    attach_function :pcap_is_swapped, [:pointer], :int
+    attach_function :pcap_major_version, [:pointer], :int
+    attach_function :pcap_minor_version, [:pointer], :int
+
+    attach_function :pcap_file, [:pointer], :pointer
+    attach_function :pcap_fileno, [:pointer], :int
+
+    attach_function :pcap_dump_open, [:pointer, :string], :pointer
+    attach_function :pcap_dump_fopen, [:pointer, :pointer], :pointer
+    attach_function :pcap_dump_file, [:pointer], :pointer
+    attach_function :pcap_dump_ftell, [:pointer], :long
+    attach_function :pcap_dump_flush, [:pointer], :int
+    attach_function :pcap_dump_close, [:pointer], :void
+    attach_function :pcap_dump, [:pointer, :pointer, :pointer], :void
+
+    attach_function :pcap_findalldevs, [:pointer, :pointer], :int
+    attach_function :pcap_freealldevs, [:pointer], :void
+
+    attach_function :pcap_lib_version, [], :string
+
+    attach_function :bpf_filter, [:pointer, :pointer, :uint, :uint], :uint
+    attach_function :bpf_validate, [:pointer, :int], :int
+    attach_function :bpf_image, [:pointer, :int], :string
+    attach_function :bpf_dump, [:pointer, :int], :void
+
+    # TODO: WIN32/MSDOS/UN*X specific definitions
+  end
+end

data/lib/pcap/file_header.rb

@@ -0,0 +1,17 @@
+require 'pcap/typedefs'
+
+require 'ffi/struct'
+
+module FFI
+  module PCap
+    class FileHeader < FFI::Struct
+      layout :magic, :bpf_uint32,
+             :version_major, :ushort,
+             :version_minor, :ushort,
+             :thiszone, :bpf_int32,
+             :sigfigs, :bpf_uint32,
+             :snaplen, :bpf_uint32,
+             :linktype, :bpf_uint32
+    end
+  end
+end

data/lib/pcap/handler.rb

@@ -0,0 +1,170 @@
+require 'pcap/exceptions/read_error'
+require 'pcap/ffi'
+require 'pcap/error_buffer'
+require 'pcap/data_link'
+require 'pcap/packet_header'
+require 'pcap/stat'
+
+require 'ffi'
+
+module FFI
+  module PCap
+    class Handler
+
+      include Enumerable
+
+      # Default snaplen
+      SNAPLEN = 65535
+
+      # Pointer to the pcap opaque type
+      attr_reader :pcap
+
+      # Number of packets to sniff
+      attr_accessor :count
+
+      def initialize(pcap,options={},&block)
+        @pcap = pcap
+        @closed = false
+
+        # Default is to infinitely loop over packets.
+        @count = (options[:count] || -1)
+
+        if options[:direction]
+          self.direction = options[:direction]
+        end
+
+        @callback_wrapper = Proc.new do |user,header,bytes|
+          if @callback
+            @callback.call(user,PacketHeader.new(header),bytes)
+          end
+        end
+
+        callback(&block)
+
+        trap('SIGINT') { self.close }
+      end
+
+      def datalink
+        DataLink.new(PCap.pcap_datalink(@pcap))
+      end
+
+      def callback(&block)
+        @callback = block
+        return @callback
+      end
+
+      def direction=(dir)
+        directions = PCap.enum_type(:pcap_direction)
+
+        return PCap.pcap_setdirection(@pcap,directions[:"pcap_d_#{dir}"])
+      end
+
+      def non_blocking=(mode)
+        errbuf = ErrorBuffer.new
+        mode = if mode
+          1
+        else
+          0
+        end
+
+        if PCap.pcap_setnonblock(@pcap,mode,errbuf) == -1
+          raise(RuntimeError,errbuf.to_s,caller)
+        end
+
+        return mode == 1
+      end
+
+      def non_blocking?
+        errbuf = ErrorBuffer.new
+        mode = PCap.pcap_getnonblock(@pcap,errbuf)
+
+        if mode == -1
+          raise(RuntimeError,errbuf.to_s,caller)
+        end
+
+        return mode == 1
+      end
+
+      def loop(data=nil,&block)
+        callback(&block) if block
+
+        PCap.pcap_loop(@pcap,@count,@callback_wrapper,data)
+      end
+
+      alias each loop
+
+      def dispatch(data=nil,&block)
+        callback(&block) if block
+
+        return PCap.pcap_dispatch(@pcap,@count,@callback_wrapper,data)
+      end
+
+      def next
+        header = PacketHeader.new
+        data = PCap.pcap_next(@pcap,header)
+
+        return [nil, nil] if data.null?
+        return [header, data]
+      end
+
+      def next_extra
+        header_ptr = MemoryPointer.new(:pointer)
+        data_ptr = MemoryPointer.new(:pointer)
+
+        case PCap.pcap_next_ex(@pcap,header_ptr,data_ptr)
+        when -1
+          raise(ReadError,"an error occurred while reading the packet",caller)
+        when -2
+          raise(ReadError,"the 'savefile' contains no more packets",caller)
+        end
+
+        return [header_ptr.get_pointer(0), data_ptr.get_pointer(0)]
+      end
+
+      def open_dump(path)
+        dump_ptr = PCap.pcap_dump_open(@pcap,File.expand_path(path))
+
+        if dump_ptr.null?
+          raise(RuntimeError,error,caller)
+        end
+
+        return Dumper.new(dump_ptr)
+      end
+
+      def stats
+        stats = Stat.new
+
+        PCap.pcap_stats(@pcap,stats)
+        return stats
+      end
+
+      def error
+        PCap.pcap_geterr(@pcap)
+      end
+
+      def stop
+        PCap.pcap_breakloop(@pcap)
+      end
+
+      def closed?
+        @closed == true
+      end
+
+      def close
+        unless @closed
+          @closed = true
+          PCap.pcap_close(@pcap)
+        end
+      end
+
+      def to_ptr
+        @pcap
+      end
+
+      def inspect
+        "#<#{self.class}: 0x#{@pcap.address.to_s(16)}>"
+      end
+
+    end
+  end
+end

data/lib/pcap/if.rb

@@ -0,0 +1,36 @@
+require 'pcap/typedefs'
+require 'pcap/addr'
+
+require 'ffi/struct'
+
+module FFI
+  module PCap
+    class IF < FFI::Struct
+      # interface is loopback
+      LOOPBACK = 0x00000001
+
+      layout :next, :pointer,
+             :name, :string,
+             :description, :string,
+             :addresses, :pointer,
+             :flags, :bpf_uint32
+
+      def next
+        IF.new(self[:next])
+      end
+
+      def name
+        self[:name]
+      end
+
+      def addresses
+        Addr.new(self[:addresses])
+      end
+
+      def to_s
+        self[:name]
+      end
+
+    end
+  end
+end

data/lib/pcap/in_addr.rb

@@ -0,0 +1,13 @@
+require 'pcap/typedefs'
+
+require 'ffi'
+
+module FFI
+  module PCap
+    class InAddr < FFI::Struct
+
+      layout :s_addr, :in_addr_t
+
+    end
+  end
+end

data/lib/pcap/packet_header.rb

@@ -0,0 +1,26 @@
+require 'pcap/typedefs'
+require 'pcap/time_val'
+
+require 'ffi/struct'
+
+module FFI
+  module PCap
+    class PacketHeader < FFI::Struct
+      layout :ts, TimeVal,
+             :caplen, :bpf_uint32,
+             :len, :bpf_uint32
+
+      def timestamp
+        self[:ts]
+      end
+
+      def captured
+        self[:caplen]
+      end
+
+      def length
+        self[:len]
+      end
+    end
+  end
+end

data/lib/pcap/packets/ethernet.rb

@@ -0,0 +1,40 @@
+require 'pcap/packets/typedefs'
+require 'pcap/packet'
+
+require 'ffi'
+
+module FFI
+  module PCap
+    module Packets
+      class Ethernet < FFI::Struct
+
+        include Packet
+
+        # Number of bytes for an ethernet address
+        ADDR_LEN = 6
+
+        # Size of an Ethernet header
+        SIZE = 14
+
+        layout :ether_dhost, [:uchar, ADDR_LEN],
+               :ether_shost, [:uchar, ADDR_LEN],
+               :ether_type, :ushort
+
+        #
+        # Returns the source MAC address.
+        #
+        def src_mac
+          self[:ether_shost]
+        end
+
+        #
+        # Returns the destination MAC address.
+        #
+        def dest_mac
+          self[:ether_dhost]
+        end
+
+      end
+    end
+  end
+end