packetfu 1.1.11 → 1.1.12.pre

data/examples/pcap2pcapng.rb

@@ -0,0 +1,32 @@
+# Usage:
+# rvmsudo ruby examples/pcap2pcapng.rb test.pcap test.pcapng
+
+# Path setting slight of hand:
+$: << File.expand_path("../../lib", __FILE__)
+
+require 'packetfu'
+
+pcap_filename = ARGV[0].chomp
+pcapng_filename = ARGV[1].chomp
+
+unless File.exists?(pcap_filename)
+  puts "PCAP input file #{pcap_filename} could not be found"
+end
+
+if File.exists?(pcapng_filename)
+  puts "PCAP-NG output file #{pcap_filename} already exists"
+  puts "Do you wish to overwrite the file? (Y/N, Default = N)"
+  STDOUT.flush
+  response = $stdin.gets.chomp
+  unless response == "Y"
+    puts "Aborting..."
+    exit 0
+  end
+end
+
+puts "Reading PCAP to packet array from #{File.expand_path(pcap_filename)}"
+packet_array = PacketFu::PcapFile.file_to_array(pcap_filename)
+
+puts "Writing packet array to PCAP-NG at #{File.expand_path(pcapng_filename)}"
+pcapng_file = PacketFu::PcapNG::File.new()
+pcapng_file.array_to_file(:array => packet_array, :file => pcapng_filename)

data/examples/simple-sniffer.rb

@@ -1,11 +1,16 @@
 #!/usr/bin/env ruby
 # -*- coding: binary -*-
-require './examples'
+
+# Usage:
+# rvmsudo ruby examples/simple-sniffer.rb
+
+# Path setting slight of hand:
+$: << File.expand_path("../../lib", __FILE__)
 require 'packetfu'
 
 puts "Simple sniffer for PacketFu #{PacketFu.version}"
 include PacketFu
-iface = ARGV[0] || "eth0"
+iface = ARGV[0] || PacketFu::Utils.default_int
 
 def sniff(iface)
   cap = Capture.new(:iface => iface, :start => true)
@@ -21,7 +26,7 @@ end
 
 sniff(iface)
 
-=begin 
+=begin
 Results look like this:
 145.58.33.95    -> 192.168.11.70   1514 TCP
 212.233.158.76  -> 192.168.11.70   110  UDP
@@ -38,4 +43,4 @@ Results look like this:
 8.8.8.8         -> 192.168.11.70   128  UDP
 8.8.8.8         -> 192.168.11.70   187  UDP
 24.45.247.232   -> 192.168.11.70   70   TCP
-=end 
+=end

data/examples/simple-stats.rb

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 # -*- coding: binary -*-
 
-# Simple-stats.rb takes a pcap file, and gives some simple 
+# Simple-stats.rb takes a pcap file, and gives some simple
 # stastics on the protocols found. It's mainly used to
 # demonstrate a method to parse pcap files.
 #
@@ -10,7 +10,11 @@
 # See new-simple-stats.rb for an example of the streaming
 # parsing method.
 
-require './examples' # For path setting slight-of-hand
+# Usage:
+# ruby examples/simple-stats.rb test/sample.pcap
+
+# Path setting slight of hand:
+$: << File.expand_path("../../lib", __FILE__)
 require 'packetfu'
 
 # Takes a file name, parses the packets, and records the packet
@@ -23,7 +27,7 @@ def count_packet_types(file)
   pcapfile.read(file)
   pcapfile.each do |p|
     # Now it's a PacketFu packet struct.
-    pkt = PacketFu::Packet.parse(p.data) 
+    pkt = PacketFu::Packet.parse(p.data)
     kind = pkt.class.to_s.split("::").last
     if stats[kind]
       stats[kind] += 1
@@ -44,8 +48,3 @@ if File.readable?(infile = (ARGV[0] || 'in.pcap'))
 else
   raise RuntimeError, "Need an infile, like so: #{$0} in.pcap"
 end
-
-
-
-
-

data/examples/slammer.rb

@@ -8,6 +8,8 @@ raise RuntimeError, "Need a target" unless target
 action = ARGV[1]
 raise RuntimeError, "Need an action. Try file or your interface." unless action
 
+# Path setting slight of hand:
+$: << File.expand_path("../../lib", __FILE__)
 require 'packetfu'
 include PacketFu
 
@@ -30,5 +32,3 @@ if action == 'file'.downcase
 else
   puts kill_packet.to_w(action.downcase)
 end
-
-

data/examples/uniqpcap.rb

@@ -1,15 +1,25 @@
-# Uniqpcap.rb takes a pcap file, strips out duplicate packets, and 
+# Uniqpcap.rb takes a pcap file, strips out duplicate packets, and
 # writes them to a file.
 #
-# The duplicate pcap problem is common when I'm capturing 
+# The duplicate pcap problem is common when I'm capturing
 # traffic to/from a VMWare image, for some reason.
 #
-# Currently, the timestamp information is lost due to PcapRub's 
-# file read. For me, this isn't a big deal. Future versions 
+# Currently, the timestamp information is lost due to PcapRub's
+# file read. For me, this isn't a big deal. Future versions
 # will deal with timestamps correctly.
-require './examples' # For path setting slight-of-hand
+
+# Usage:
+# ruby examples/uniqcap.rb test/sample.pcap
+
+# Path setting slight of hand:
+$: << File.expand_path("../../lib", __FILE__)
 require 'packetfu'
 
-in_array = PacketFu::Read.f2a(:file => ARGV[0])
-puts PacketFu::Write.a2f(:file => "uniq-" + ARGV[0], :arr => in_array.uniq).inspect
+pcap_file = ARGV[0].chomp
+
+in_array = PacketFu::Read.f2a(:file => pcap_file)
+
+puts "Original Packets: #{in_array.size}"
+puts "Uniq'd Packets: #{in_array.uniq.size}"
 
+puts PacketFu::Write.a2f(:file => pcap_file + ".uniq", :arr => in_array.uniq).inspect

data/lib/packetfu.rb

@@ -1,176 +1,11 @@
 # -*- coding: binary -*-
-
-# :title: PacketFu Documentation
-# :main: README
-
-cwd = File.expand_path(File.dirname(__FILE__))
-
-$: << cwd
-
-require File.join(cwd,"packetfu","structfu")
-require "ipaddr"
-require 'rubygems' if RUBY_VERSION =~ /^1\.[0-8]/
-
-module PacketFu
-
-  # Picks up all the protocols defined in the protos subdirectory
-  def self.require_protos(cwd)
-    protos_dir = File.join(cwd, "packetfu", "protos")
-    Dir.new(protos_dir).each do |fname|
-      next unless fname[/\.rb$/]
-      begin 
-        require File.join(protos_dir,fname)
-      rescue
-        warn "Warning: Could not load `#{fname}'. Skipping."
-      end
-    end
-  end
-
-  # Deal with Ruby's encoding by ignoring it.
-  def self.force_binary(str)
-    str.force_encoding Encoding::BINARY if str.respond_to? :force_encoding
-  end
-
-  # Sets the expected byte order for a pcap file. See PacketFu::Read.set_byte_order
-  @byte_order = :little
-
-  # Checks if pcaprub is loaded correctly.
-  @pcaprub_loaded = false
-
-  # PacketFu works best with Pcaprub version 0.8-dev (at least)
-  # The current (Aug 01, 2010) pcaprub gem is 0.9, so should be fine.
-  def self.pcaprub_platform_require
-    begin
-      require 'pcaprub'
-    rescue LoadError
-      return false
-    end
-    @pcaprub_loaded = true 
-  end
-
-  pcaprub_platform_require
-
-  if @pcaprub_loaded
-    pcaprub_regex = /[0-9]\.([8-9]|[1-7][0-9])(-dev)?/ # Regex for 0.8 and beyond.
-    if Pcap.version !~ pcaprub_regex 
-      @pcaprub_loaded = false # Don't bother with broken versions
-      raise LoadError, "PcapRub not at a minimum version of 0.8-dev"
-    end
-    require "packetfu/capture" 
-    require "packetfu/inject"
-  end
-
-  # Returns the status of pcaprub
-  def self.pcaprub_loaded?
-    @pcaprub_loaded
-  end
-
-  # Returns an array of classes defined in PacketFu
-  def self.classes
-    constants.map { |const| const_get(const) if const_get(const).kind_of? Class}.compact
-  end
-
-  # Adds the class to PacketFu's list of packet classes -- used in packet parsing.
-  def self.add_packet_class(klass)
-    raise "Need a class" unless klass.kind_of? Class
-    if klass.name !~ /[A-Za-z0-9]Packet/
-      raise "Packet classes should be named 'ProtoPacket'"
-    end
-    @packet_classes ||= []
-    @packet_classes << klass
-    self.clear_packet_groups
-    @packet_classes.sort_by! { |x| x.name }
-  end
-
-  # Presumably, there may be a time where you'd like to remove a packet class.
-  def self.remove_packet_class(klass)
-    raise "Need a class" unless klass.kind_of? Class
-    @packet_classes ||= []
-    @packet_classes.delete klass
-    self.clear_packet_groups
-    @packet_classes 
-  end
-
-  # Returns an array of packet classes
-  def self.packet_classes
-    @packet_classes || []
-  end
-
-  # Returns an array of packet types by packet prefix.
-  def self.packet_prefixes
-    return [] if @packet_classes.nil?
-    self.reset_packet_groups unless @packet_class_prefixes
-    @packet_class_prefixes
-  end
-  
-  def self.packet_classes_by_layer
-    return [] if @packet_classes.nil?
-    self.reset_packet_groups unless @packet_classes_by_layer
-    @packet_classes_by_layer
-  end
-  
-  def self.packet_classes_by_layer_without_application
-    return [] if @packet_classes.nil?
-    self.reset_packet_groups unless @packet_classes_by_layer_without_application
-    @packet_classes_by_layer_without_application
-  end
-  
-  def self.clear_packet_groups
-    @packet_class_prefixes = nil
-    @packet_classes_by_layer = nil
-    @packet_classes_by_layer_without_application = nil
-  end		
-
-  def self.reset_packet_groups
- 		@packet_class_prefixes = @packet_classes.map {|p| p.to_s.split("::").last.to_s.downcase.gsub(/packet$/,"")}
-    @packet_classes_by_layer = @packet_classes.sort_by { |pclass| pclass.layer }.reverse
-    @packet_classes_by_layer_without_application = @packet_classes_by_layer.reject { |pclass| pclass.layer_symbol == :application }
-  end
-
-  # The current inspect style. One of :hex, :dissect, or :default
-  # Note that :default means Ruby's default, which is usually
-  # far too long to be useful.
-  def self.inspect_style
-    @inspect_style ||= :dissect
-  end
-
-  # Setter for PacketFu's @inspect_style
-  def self.inspect_style=(arg)
-    @inspect_style = case arg
-      when :hex, :pretty
-        :hex
-      when :dissect, :verbose
-        :dissect
-      when :default, :ugly
-        :default
-      else
-        :dissect
-      end
-  end
-
-  # Switches inspect styles in a round-robin fashion between 
-  # :dissect, :default, and :hex
-  def toggle_inspect
-    case @inspect_style
-    when :hex, :pretty
-      @inspect_style = :dissect
-    when :dissect, :verbose
-      @inspect_style = :default
-    when :default, :ugly
-      @inspect_style = :hex
-    else
-      @inspect_style = :dissect
-    end
-  end
-
-
-end
-
-require File.join(cwd,"packetfu","version")
-require File.join(cwd,"packetfu","pcap")
-require File.join(cwd,"packetfu","packet")
-PacketFu.require_protos(cwd)
-require File.join(cwd,"packetfu","utils")
-require File.join(cwd,"packetfu","config")
-
-# vim: nowrap sw=2 sts=0 ts=2 ff=unix ft=ruby
+require 'ipaddr'
+require 'packetfu/common'
+require 'packetfu/structfu'
+require 'packetfu/version'
+require 'packetfu/pcap'
+require 'packetfu/packet'
+require 'packetfu/protos'
+require 'packetfu/utils'
+require 'packetfu/config'
+require 'packetfu/pcapng'

data/lib/packetfu/capture.rb

@@ -4,7 +4,7 @@ module PacketFu
   # The Capture class is used to construct PcapRub objects in order to collect
   # packets from an interface.
   #
-  # This class requires PcapRub. In addition, you will need root (or root-like) privileges 
+  # This class requires PcapRub. In addition, you will need root (or root-like) privileges
   # in order to capture from the interface.
   #
   # Note, on some wireless cards, setting :promisc => true will disable capturing.
@@ -83,7 +83,7 @@ module PacketFu
     # clear() clears the @stream and @array variables, essentially starting the
     # capture session over. Valid arguments are:
     #
-    #   :array 
+    #   :array
     #     If true, the @array is cleared.
     #   :stream
     #     If true, the @stream is cleared.

data/lib/packetfu/common.rb

@@ -0,0 +1,142 @@
+require 'packetfu/structfu'
+require 'packetfu/packet'
+
+module PacketFu
+
+  # Deal with Ruby's encoding by ignoring it.
+  def self.force_binary(str)
+    str.force_encoding Encoding::BINARY if str.respond_to? :force_encoding
+  end
+
+  # Sets the expected byte order for a pcap file. See PacketFu::Read.set_byte_order
+  @byte_order = :little
+
+  # Checks if pcaprub is loaded correctly.
+  @pcaprub_loaded = false
+
+  # PacketFu works best with Pcaprub version 0.8-dev (at least)
+  # The current (Aug 01, 2010) pcaprub gem is 0.9, so should be fine.
+  def self.pcaprub_platform_require
+    begin
+      require 'pcaprub'
+    rescue LoadError
+      return false
+    end
+    @pcaprub_loaded = true
+  end
+
+  pcaprub_platform_require
+
+  if @pcaprub_loaded
+    pcaprub_regex = /[0-9]\.([8-9]|[1-7][0-9])(-dev)?/ # Regex for 0.8 and beyond.
+    if Pcap.version !~ pcaprub_regex
+      @pcaprub_loaded = false # Don't bother with broken versions
+      raise LoadError, "PcapRub not at a minimum version of 0.8-dev"
+    end
+    require "packetfu/capture"
+    require "packetfu/inject"
+  end
+
+  # Returns the status of pcaprub
+  def self.pcaprub_loaded?
+    @pcaprub_loaded
+  end
+
+  # Returns an array of classes defined in PacketFu
+  def self.classes
+    constants.map { |const| const_get(const) if const_get(const).kind_of? Class}.compact
+  end
+
+  # Adds the class to PacketFu's list of packet classes -- used in packet parsing.
+  def self.add_packet_class(klass)
+    raise "Need a class" unless klass.kind_of? Class
+    if klass.name !~ /[A-Za-z0-9]Packet/
+      raise "Packet classes should be named 'ProtoPacket'"
+    end
+    @packet_classes ||= []
+    @packet_classes << klass
+    self.clear_packet_groups
+    @packet_classes.sort_by! { |x| x.name }
+  end
+
+  # Presumably, there may be a time where you'd like to remove a packet class.
+  def self.remove_packet_class(klass)
+    raise "Need a class" unless klass.kind_of? Class
+    @packet_classes ||= []
+    @packet_classes.delete klass
+    self.clear_packet_groups
+    @packet_classes
+  end
+
+  # Returns an array of packet classes
+  def self.packet_classes
+    @packet_classes || []
+  end
+
+  # Returns an array of packet types by packet prefix.
+  def self.packet_prefixes
+    return [] if @packet_classes.nil?
+    self.reset_packet_groups unless @packet_class_prefixes
+    @packet_class_prefixes
+  end
+
+  def self.packet_classes_by_layer
+    return [] if @packet_classes.nil?
+    self.reset_packet_groups unless @packet_classes_by_layer
+    @packet_classes_by_layer
+  end
+
+  def self.packet_classes_by_layer_without_application
+    return [] if @packet_classes.nil?
+    self.reset_packet_groups unless @packet_classes_by_layer_without_application
+    @packet_classes_by_layer_without_application
+  end
+
+  def self.clear_packet_groups
+    @packet_class_prefixes = nil
+    @packet_classes_by_layer = nil
+    @packet_classes_by_layer_without_application = nil
+  end
+
+  def self.reset_packet_groups
+ 		@packet_class_prefixes = @packet_classes.map {|p| p.to_s.split("::").last.to_s.downcase.gsub(/packet$/,"")}
+    @packet_classes_by_layer = @packet_classes.sort_by { |pclass| pclass.layer }.reverse
+    @packet_classes_by_layer_without_application = @packet_classes_by_layer.reject { |pclass| pclass.layer_symbol == :application }
+  end
+
+  # The current inspect style. One of :hex, :dissect, or :default
+  # Note that :default means Ruby's default, which is usually
+  # far too long to be useful.
+  def self.inspect_style
+    @inspect_style ||= :dissect
+  end
+
+  # Setter for PacketFu's @inspect_style
+  def self.inspect_style=(arg)
+    @inspect_style = case arg
+      when :hex, :pretty
+        :hex
+      when :dissect, :verbose
+        :dissect
+      when :default, :ugly
+        :default
+      else
+        :dissect
+      end
+  end
+
+  # Switches inspect styles in a round-robin fashion between
+  # :dissect, :default, and :hex
+  def toggle_inspect
+    case @inspect_style
+    when :hex, :pretty
+      @inspect_style = :dissect
+    when :dissect, :verbose
+      @inspect_style = :default
+    when :default, :ugly
+      @inspect_style = :hex
+    else
+      @inspect_style = :dissect
+    end
+  end
+end