ffi-pcap 0.2.0

data/lib/ffi/pcap/copy_handler.rb

@@ -0,0 +1,38 @@
+
+module FFI
+module PCap
+
+  # CopyHandler is a callback handler for use with CaptureWrapper.loop and 
+  # CaptureWrapper.dispatch. When used, it works exactly as normal, 
+  # passing a reference to a pcap wrapper and Packet except for one important
+  # difference. A copy of the Packet is yielded to the callback instead of
+  # the volatile one received in the pcap_loop() and pcap_dispatch() 
+  # callbacks.
+  #
+  # The CopyHandler implements receive_callback to return a _copy_
+  # of the Packet object. It is necessary to make a copy to keep allocated
+  # references to packets supplied by pcap_loop() and pcap_dispatch() 
+  # callbacks outside of the scope of a single callback firing on one
+  # packet.
+  #
+  # This handler interface is used by default by CaptureWrapper, so it is
+  # generally always safe to keep references to received packets after new
+  # packets have been received or even after a pcap interface has been 
+  # closed. See CaptureWrapper for more information.
+  class CopyHandler
+    def receive_pcap(pcap, pkt)
+      return [pcap, pkt.copy]
+    end
+  end
+
+
+  # This class only exists for backward compatibility. Setting
+  # pcap handler to nil has the same effect now.
+  class Handler
+    def receive_pcap(*args)
+      return args
+    end
+  end
+end
+end
+

data/lib/ffi/pcap/crt.rb

@@ -0,0 +1,15 @@
+
+module FFI
+module PCap
+  module CRT
+    extend FFI::Library
+
+    ffi_lib FFI::Library::LIBC
+
+    typedef :ulong, :size_t  # not all platforms have this set for FFI
+
+    attach_function :free, [:pointer], :void
+    attach_function :memcpy, [:pointer, :pointer, :size_t], :pointer
+  end
+end
+end

data/lib/ffi/pcap/data_link.rb

@@ -0,0 +1,173 @@
+module FFI
+module PCap
+
+  class DataLink
+
+    # Several DLT names harvested out of the pcap-bpf.h header file. These
+    # are in alphabetical order. Their Array index _does_ _not_ match their 
+    # pcap DLT value.
+    #
+    # Don't use this Array for anything except quick reference.  Use the 
+    # 'lookup' class methods for actually resolving name to value 
+    # mappings or such.
+    SOME_DLTS = %w[A429 A653_ICM AIRONET_HEADER APPLE_IP_OVER_IEEE1394 
+    ARCNET ARCNET_LINUX ATM_CLIP ATM_RFC1483 AURORA AX25 BACNET_MS_TP 
+    BLUETOOTH_HCI_H4 BLUETOOTH_HCI_H4_WITH_PHDR CAN20B CHAOS CHDLC CISCO_IOS 
+    C_HDLC DOCSIS ECONET EN10MB EN3MB ENC ERF ERF_ETH ERF_POS FDDI FRELAY 
+    GCOM_SERIAL GCOM_T1E1 GPF_F GPF_T GPRS_LLC HHDLC IBM_SN IBM_SP IEEE802 
+    IEEE802_11 IEEE802_11_RADIO IEEE802_11_RADIO_AVS IEEE802_15_4 
+    IEEE802_15_4_LINUX IEEE802_16_MAC_CPS IEEE802_16_MAC_CPS_RADIO IPFILTER 
+    IPMB IP_OVER_FC JUNIPER_ATM1 JUNIPER_ATM2 JUNIPER_CHDLC JUNIPER_ES 
+    JUNIPER_ETHER JUNIPER_FRELAY JUNIPER_GGSN JUNIPER_ISM JUNIPER_MFR 
+    JUNIPER_MLFR JUNIPER_MLPPP JUNIPER_MONITOR JUNIPER_PIC_PEER JUNIPER_PPP 
+    JUNIPER_PPPOE JUNIPER_PPPOE_ATM JUNIPER_SERVICES JUNIPER_ST JUNIPER_VP 
+    LINUX_IRDA LINUX_LAPD LINUX_PPP_WITHDIRECTION LINUX_SLL LOOP LTALK MFR 
+    MTP2 MTP2_WITH_PHDR MTP3 NULL OLD_PFLOG PCI_EXP PFLOG PFSYNC PPI PPP 
+    PPP_BSDOS PPP_ETHER PPP_PPPD PPP_SERIAL PPP_WITH_DIRECTION PRISM_HEADER 
+    PRONET RAIF1 RAW REDBACK_SMARTEDGE RIO SCCP SITA SLIP SLIP_BSDOS SUNATM 
+    SYMANTEC_FIREWALL TZSP USB USB_LINUX USER0 USER1 USER10 USER11 USER12 
+    USER13 USER14 USER15 USER2 USER3 USER4 USER5 USER6 USER7 USER8 USER9]
+
+    # Uses the pcap_datalnk_* functions to lookup a datalink name and value 
+    # pair.
+    # 
+    # @param [String, Symbol or Integer] l
+    #   The name or value to lookup. A Symbol is converted to String. Names 
+    #   are case-insensitive.
+    #
+    # @return [Array]
+    #   A 2-element array containing [value, name]. Both elements are nil
+    #   if the lookup failed.
+    #
+    def self.lookup(l)
+      val, name = nil
+      l = l.to_s if l.kind_of? Symbol
+
+      case l
+      when String
+        if v=name_to_val(l)
+          name = val_to_name(v)  # get the canonical name
+          val = v
+        end
+      when Integer
+        name = val_to_name(l)
+        val = l
+      else
+        raise(ArgumentError, "lookup takes either a String or Integer")
+      end
+      return [val, name]
+    end
+
+    # Translates a data link type name, which is a DLT_ name with the DLT_ 
+    # removed, to the corresponding data link type numeric value.
+    #
+    # @param [String or Symbol] n
+    #   The name to lookup. Names are case-insensitive.
+    #
+    # @return [Integer or nil] 
+    #   The numeric value for the datalink name or nil on failure.
+    def self.name_to_val(n)
+      n = n.to_s if n.kind_of?(Symbol)
+      if (v=FFI::PCap.pcap_datalink_name_to_val(n)) >= 0
+        return v
+      end
+    end
+
+    # Translates a data link type  value  to  the corresponding data link 
+    # type name.
+    #
+    # @return [String or nil]
+    #   The string name of the data-link or nil on failure.
+    # 
+    def self.val_to_name(v)
+      FFI::PCap.pcap_datalink_val_to_name(v)
+    end
+
+    # @param [String, Symbol or Integer] l
+    #   The name or value to lookup. A Symbol is converted to String. Names 
+    #   are case-insensitive.
+    def self.describe(l)
+      l = l.to_s if l.kind_of?(Symbol)
+      l = FFI::PCap.pcap_datalink_name_to_val(l) if l.kind_of?(String) 
+      FFI::PCap.pcap_datalink_val_to_description(l)
+    end
+    
+    # FFI::PCap datalink numeric value
+    attr_reader :value
+
+    # Creates a new DataLink object with the specified value or name.
+    # The canonical name, value, and description are can be looked up on 
+    # demand. 
+    #
+    # @param [String or Integer] arg
+    #   Arg can be a string or number which will be used to look up the
+    #   datalink.
+    #
+    # @raise [UnsupportedDataLinkError]
+    #   An exception is raised if a name is supplied and a lookup for its
+    #   value fails or if the arg parameter is an invalid type.
+    #
+    def initialize(arg)
+      if arg.kind_of? String or arg.kind_of? Symbol
+        unless @value = self.class.name_to_val(arg.to_s)
+          raise(UnsupportedDataLinkError, "Invalid DataLink: #{arg.to_s}")
+        end
+      elsif arg.kind_of? Numeric
+        @value = arg
+      else
+        raise(UnsupportedDataLinkError, "Invalid DataLink: #{arg.inspect}")
+      end
+      @name = self.class.val_to_name(@value)
+    end
+
+    # Overrides the equality operator so that quick comparisons can be
+    # made against other DataLinks, name by String, or value by Integer.
+    def ==(other)
+      case other
+      when DataLink
+        return (self.value == other.value)
+      when Numeric
+        return (self.value == other)
+      when Symbol
+        return (@value == self.class.name_to_val(other.to_s))
+      when String
+        return (@value == self.class.name_to_val(other))
+      else
+        return false
+      end
+    end
+
+    # Overrides the sort comparison operator to sort by DLT value.
+    def <=>(other)
+      self.value <=> other.value
+    end
+
+    # Returns the description of the datalink.
+    def description
+      @desc ||= self.class.describe(@value)
+    end
+
+    alias desc description
+    alias describe description
+
+    # Returns the canonical String name of the DataLink object
+    def name
+      @name
+    end
+
+    # Override 'inspect' we'll to always provide the name for irb, 
+    # pretty_print, etc.
+    def inspect
+      "<#{self.class}:#{"0x%0.8x" % self.object_id} @value=#{@value}, @name=#{name().inspect}>"
+    end
+
+    alias to_s name
+    alias to_i value
+  end
+
+  attach_function :pcap_datalink_name_to_val, [:string], :int
+  attach_function :pcap_datalink_val_to_name, [:int], :string
+  attach_function :pcap_datalink_val_to_description, [:int], :string
+
+end
+end

data/lib/ffi/pcap/dead.rb

@@ -0,0 +1,37 @@
+require 'ffi/pcap/common_wrapper'
+
+module FFI
+module PCap
+  # A wrapper class for pcap devices opened with open_dead()
+  class Dead < CommonWrapper
+    attr_reader :datalink
+
+    # Creates a fake pcap interface for compiling filters or opening a
+    # capture for output.
+    #
+    # @param [Hash] opts
+    #   Options are ignored and passed to the super-class except those below.
+    #
+    # @option opts [optional, String, Symbol, Integer] :datalink
+    #   The link-layer type for pcap. nil is equivalent to 0 (aka DLT_NULL).
+    #
+    # @option opts [optional, Integer] :snaplen
+    #   The snapshot length for the pcap object. Defaults to FFI::PCap::DEFAULT_SNAPLEN
+    #
+    # @return [Dead]
+    #   A FFI::PCap::Dead wrapper.
+    #
+    def initialize(opts={}, &block)
+      dl = opts[:datalink] || DataLink.new(0)
+      @datalink = dl.kind_of?(DataLink) ? dl : DataLink.new(dl)
+      @snaplen  = opts[:snaplen] || DEFAULT_SNAPLEN
+      @pcap = FFI::PCap.pcap_open_dead(@datalink.value, @snaplen)
+      raise(LibError, "pcap_open_dead(): returned a null pointer") if @pcap.null?
+      super(@pcap, opts, &block)
+    end
+  end
+
+  attach_function :pcap_open_dead, [:int, :int], :pcap_t
+
+end
+end

data/lib/ffi/pcap/dumper.rb

@@ -0,0 +1,55 @@
+
+module FFI
+module PCap
+
+  # See pcap_dumper_t in pcap.h
+  #
+  # A pcap_dumper, or FFI::PCap::Dumper is handled opaquely so that it can
+  # be implemented differently on different platforms. In FFI::PCap, we
+  # simply wrap the pcap_dumper_t pointer with a ruby interface.
+  class Dumper
+
+    def initialize(dumper)
+      @dumper = dumper
+    end
+
+    def _write(header, bytes)
+      FFI::PCap.pcap_dump(@dumper, header, bytes)
+    end
+
+    def write(*args)
+      if args.first.is_a? Packet
+        write_pkt(*args)
+      else
+        _write(*args)
+      end
+    end
+
+    def write_pkt(pkt)
+      _write(pkt.header, pkt.body_ptr)
+    end
+
+    def tell
+      FFI::PCap.pcap_dump_ftell(@dumper)
+    end
+
+    def flush
+      FFI::PCap.pcap_dump_flush(@dumper)
+    end
+
+    def close
+      FFI::PCap.pcap_dump_close(@dumper)
+    end
+
+  end
+
+  # XXX not sure if we even want file FILE IO stuff yet
+  #attach_function :pcap_dump_file, [:pcap_dumper_t], :FILE
+
+  attach_function :pcap_dump_ftell, [:pcap_dumper_t], :long
+  attach_function :pcap_dump_flush, [:pcap_dumper_t], :int
+  attach_function :pcap_dump_close, [:pcap_dumper_t], :void
+  attach_function :pcap_dump, [:pointer, PacketHeader, :pointer], :void
+
+end
+end

data/lib/ffi/pcap/error_buffer.rb

@@ -0,0 +1,44 @@
+module FFI
+module PCap
+  class ErrorBuffer < FFI::MemoryPointer
+
+    # Size of the error buffers
+    SIZE = 256
+
+    #  Creates a new ErrorBuffer object. Because of wierdness in JRuby
+    #  when trying to subclass FFI::Buffer, always use this instead of 
+    #  'new()'
+    #
+    #  See http://github.com/ffi/ffi/issues#issue/27
+    def self.create()
+      new(SIZE)
+    end
+
+    #
+    # Creates a new ErrorBuffer object.
+    # The argument is nil and is only present for compatability with JRuby.
+    #
+    # See http://github.com/ffi/ffi/issues#issue/27
+    def initialize(arg=nil)
+      super(SIZE)
+    end
+
+    #
+    # Returns the error message within the error buffer.
+    #
+    def to_s
+      get_string(0)
+    end
+
+    # Older JRuby/ffi versions of MemoryPointer and Buffer don't have a size 
+    # method. We override it here to ensure we can use it.
+    def size
+      begin
+        super()
+      rescue NoMethodError
+        SIZE
+      end
+    end
+  end
+end
+end

data/lib/ffi/pcap/exceptions.rb

@@ -0,0 +1,21 @@
+module FFI
+module PCap
+  # A FFI::PCap::UnsupportedDataLinkError indicates an invalid or unsupported
+  # DataLink Layer Type (DLT) value or name.
+  class UnsupportedDataLinkError < StandardError
+  end
+
+  # A FFI::PCap::LibError is used to convey errors detected by the libpcap
+  # native library.
+  class LibError < StandardError
+  end
+
+  # A FFI::PCap::ReadError is a sub-class of FFI::PCap::LibError that indicates a 
+  # problem reading from a pcap device.
+  class ReadError < LibError
+  end
+
+  class TimeoutError < LibError
+  end
+end
+end

data/lib/ffi/pcap/file_header.rb

@@ -0,0 +1,26 @@
+
+module FFI
+module PCap
+  class FileHeader < FFI::Struct
+    include FFI::DRY::StructHelper
+
+    dsl_layout do
+      field :magic,         :bpf_uint32
+      field :version_major, :ushort
+      field :version_minor, :ushort
+      field :thiszone,      :bpf_int32
+      field :sigfigs,       :bpf_uint32
+      field :snaplen,       :bpf_uint32
+      field :linktype,      :bpf_uint32
+    end
+
+    def datalink
+      DataLink.new(self.linktype)
+    end
+
+    def version
+      "#{self.version_major}.#{self.version_minor}"
+    end
+  end
+end
+end

data/lib/ffi/pcap/in_addr.rb

@@ -0,0 +1,9 @@
+module FFI
+module PCap
+  class InAddr < FFI::Struct
+
+    layout :s_addr, [NativeType::UINT8, 4]
+
+  end
+end
+end

data/lib/ffi/pcap/interface.rb

@@ -0,0 +1,29 @@
+
+module FFI
+module PCap
+
+  # Item in a list of interfaces.
+  #
+  # See pcap_if struct in pcap.h
+  class Interface < FFI::Struct
+    include FFI::DRY::StructHelper
+
+    # interface is loopback
+    LOOPBACK = 0x00000001
+
+    dsl_layout do
+      p_struct  :next, ::FFI::PCap::Interface
+      field     :name,        :string, :desc => 'name used by pcap_open_live()'
+      field     :description, :string, :desc => 'text description, or NULL'
+      p_struct  :addresses, ::FFI::PCap::Addr,    :desc => 'address linked list'
+      field     :flags,   :bpf_uint32, :desc => 'PCAP_IF_ interface flags'
+    end
+
+    def loopback?
+      self.flags & LOOPBACK == LOOPBACK
+    end
+
+  end
+
+end
+end