packetfu 1.1.11 → 1.1.12.pre

data/lib/packetfu/config.rb

@@ -1,10 +1,10 @@
 # -*- coding: binary -*-
 module PacketFu
 
-  # The Config class holds various bits of useful default information 
-  # for packet creation. If initialized without arguments, @iface will be 
+  # The Config class holds various bits of useful default information
+  # for packet creation. If initialized without arguments, @iface will be
   # set to ENV['IFACE'] or Pcap.lookupdev (or lo), and the @pcapfile will
-  # be set to "/tmp/out.pcap" # (yes, it's Linux-biased, sorry, fixing 
+  # be set to "/tmp/out.pcap" # (yes, it's Linux-biased, sorry, fixing
   # this is a TODO.)
   #
   # Any number of instance variables can be passed in to the intialize function (as a
@@ -23,7 +23,7 @@ module PacketFu
   #   obj.config(:baz => "bat")
   #   obj.config #=> {:iface=>"eth0", :baz=>"bat", :pcapfile=>"/tmp/out.pcap", :foo=>"bar"}
   class Config
-    attr_accessor :eth_saddr,	# The discovered eth_saddr 
+    attr_accessor :eth_saddr,	# The discovered eth_saddr
       :eth_daddr,							# The discovered eth_daddr (ie, the gateway)
       :eth_src,								# The discovered eth_src in binary form.
       :eth_dst,								# The discovered eth_dst (gateway) in binary form.
@@ -31,11 +31,11 @@ module PacketFu
       :ip_src,								# The discovered ip_src in binary form.
       :iface,									# The declared interface.
       :pcapfile								# A declared default file to write to.
-  
+
     def initialize(args={})
       if Process.euid.zero?
         @iface = args[:iface] || ENV['IFACE'] || Pcap.lookupdev || "lo" 
-      end	
+      end
       @pcapfile = "/tmp/out.pcap"
       args.each_pair { |k,v| self.instance_variable_set(("@#{k}"),v) }
     end
@@ -46,9 +46,9 @@ module PacketFu
         arg.each_pair {|k,v| self.instance_variable_set(("@" + k.to_s).intern, v)}
       else
         config_hash = {}
-        self.instance_variables.each do |v| 
+        self.instance_variables.each do |v|
           key = v.to_s.gsub(/^@/,"").to_sym
-          config_hash[key] = self.instance_variable_get(v) 
+          config_hash[key] = self.instance_variable_get(v)
         end
         config_hash
       end

data/lib/packetfu/inject.rb

@@ -4,7 +4,7 @@ module PacketFu
   # The Inject class handles injecting arrays of binary data on the wire.
   #
   # To inject single packets, use PacketFu::Packet.to_w() instead.
-  class Inject 
+  class Inject
     attr_accessor :array, :stream, :show_live # Leave these public and open.
     attr_reader :iface, :snaplen, :promisc, :timeout # Cant change after the init.
 
@@ -19,7 +19,7 @@ module PacketFu
     end
 
     # Takes an array, and injects them onto an interface. Note that
-    # complete packets (Ethernet headers on down) are expected. 
+    # complete packets (Ethernet headers on down) are expected.
     #
     # === Parameters
     #
@@ -48,7 +48,7 @@ module PacketFu
         pkt_count +=1
         puts "Sent Packet \##{pkt_count} (#{pkt.size})" if show_live
       end
-      # Return # of packets sent, array size, and array total size 
+      # Return # of packets sent, array size, and array total size
       [pkt_count, pkt_array.size, pkt_array.join.size]
     end
 

data/lib/packetfu/packet.rb

@@ -1,9 +1,10 @@
 # -*- coding: binary -*-
+
 module PacketFu
 
   # Packet is the parent class of EthPacket, IPPacket, UDPPacket, TCPPacket, and all
   # other packets. It acts as both a singleton class, so things like
-  # Packet.parse can happen, and as an abstract class to provide 
+  # Packet.parse can happen, and as an abstract class to provide
   # subclasses some structure.
   class Packet
 
@@ -24,7 +25,7 @@ module PacketFu
     end
 
     # Parse() creates the correct packet type based on the data, and returns the apporpiate
-    # Packet subclass object. 
+    # Packet subclass object.
     #
     # There is an assumption here that all incoming packets are either EthPacket
     # or InvalidPacket types. This will be addressed pretty soon.
@@ -41,7 +42,10 @@ module PacketFu
       else
         classes = PacketFu.packet_classes_by_layer_without_application
       end
-      p = classes.detect { |pclass| pclass.can_parse?(packet) }.new
+
+      new_args = {}
+      new_args[:on_ipv6] = true if IPv6Packet.can_parse?(packet)
+      p = classes.detect { |pclass| pclass.can_parse?(packet) }.new(new_args)
       parsed_packet = p.read(packet,args)
     end
 
@@ -108,7 +112,7 @@ module PacketFu
       inj.array = [@headers[0].to_s]
       inj.inject
     end
-    
+
     # Recalculates all the calcuated fields for all headers in the packet.
     # This is important since read() wipes out all the calculated fields
     # such as length and checksum and what all.
@@ -142,7 +146,7 @@ module PacketFu
     # A note on the :strip => true argument: If :strip is set, defined lengths of data will
     # be believed, and any trailers (such as frame check sequences) will be chopped off. This
     # helps to ensure well-formed packets, at the cost of losing perhaps important FCS data.
-    # 
+    #
     # If :strip is false, header lengths are /not/ believed, and all data will be piped in.
     # When capturing from the wire, this is usually fine, but recalculating the length before
     # saving or re-transmitting will absolutely change the data payload; FCS data will become
@@ -169,7 +173,7 @@ module PacketFu
 
     # Packets are bundles of lots of objects, so copying them
     # is a little complicated -- a dup of a packet is actually
-    # full of pass-by-reference stuff in the @headers, so 
+    # full of pass-by-reference stuff in the @headers, so
     # if you change one, you're changing all this copies, too.
     #
     # Normally, this doesn't seem to be a big deal, and it's
@@ -215,7 +219,7 @@ module PacketFu
     # format.
     #
     # === Format
-    # 
+    #
     #   * A one or two character protocol initial. It should be unique
     #   * The packet size
     #   * Useful data in a human-usable form.
@@ -229,7 +233,7 @@ module PacketFu
     #    #=> "T  1054 10.10.10.105:55000   ->   192.168.145.105:80 [......] S:adc7155b|I:8dd0"
     #    tcp_packet.peek.size
     #    #=> 79
-    #   
+    #
     def peek_format
       peek_data = ["?  "]
       peek_data << "%-5d" % self.to_s.size
@@ -237,9 +241,9 @@ module PacketFu
       peek_data.join
     end
 
-    # Defines the layer this packet type lives at, based on the number of headers it 
+    # Defines the layer this packet type lives at, based on the number of headers it
     # requires. Note that this has little to do with the OSI model, since TCP/IP
-    # doesn't really have Session and Presentation layers. 
+    # doesn't really have Session and Presentation layers.
     #
     # Ethernet and the like are layer 1, IP, IPv6, and ARP are layer 2,
     # TCP, UDP, and other transport protocols are layer 3, and application
@@ -299,7 +303,7 @@ module PacketFu
     end
 
     # If @inspect_style is :default (or :ugly), the inspect output is the usual
-    # inspect. 
+    # inspect.
     #
     # If @inspect_style is :hex (or :pretty), the inspect output is
     # a much more compact hexdump-style, with a shortened set of packet header
@@ -335,7 +339,7 @@ module PacketFu
         table << [proto,[]]
         header.class.members.each do |elem|
           elem_sym = elem.to_sym # to_sym needed for 1.8
-          next if elem_sym == :body 
+          next if elem_sym == :body
           elem_type_value = []
           elem_type_value[0] = elem
           readable_element = "#{elem}_readable"
@@ -344,7 +348,7 @@ module PacketFu
           else
             elem_type_value[1] = header.send(elem)
           end
-          elem_type_value[2] = header[elem.to_sym].class.name 
+          elem_type_value[2] = header[elem.to_sym].class.name
           table[table_idx][1] << elem_type_value
         end
       end
@@ -364,7 +368,7 @@ module PacketFu
       dtable = self.dissection_table
       hex_body = nil
       if dtable.last.kind_of?(Array) and dtable.last.first == :body
-        body = dtable.pop 
+        body = dtable.pop
         hex_body = hexify(body[1])
       end
       elem_widths = [0,0,0]
@@ -376,11 +380,11 @@ module PacketFu
           end
         end
       end
-      total_width = elem_widths.inject(0) {|sum,x| sum+x} 
+      total_width = elem_widths.inject(0) {|sum,x| sum+x}
       table = ""
       dtable.each do |proto|
         table << "--"
-        table << proto[0] 
+        table << proto[0]
         if total_width > proto[0].size
           table << ("-" * (total_width - proto[0].size + 2))
         else
@@ -464,7 +468,7 @@ module PacketFu
     alias_method :protocol, :proto
     alias_method :length, :size
 
-    # the Packet class should not be instantiated directly, since it's an 
+    # the Packet class should not be instantiated directly, since it's an
     # abstract class that real packet types inherit from. Sadly, this
     # makes the Packet class more difficult to test directly.
     def initialize(args={})
@@ -493,7 +497,7 @@ module PacketFu
 
     #method_missing() delegates protocol-specific field actions to the apporpraite
     #class variable (which contains the associated packet type)
-    #This register-of-protocols style switch will work for the 
+    #This register-of-protocols style switch will work for the
     #forseeable future (there aren't /that/ many packet types), and it's a handy
     #way to know at a glance what packet types are supported.
     def method_missing(sym, *args, &block)

data/lib/packetfu/pcap.rb

@@ -8,6 +8,7 @@ module StructFu
     unless [:little, :big].include? e
       raise ArgumentError, "Unknown endianness for #{self.class}" 
     end
+    @int64 = e == :little ? Int64le : Int64be
     @int32 = e == :little ? Int32le : Int32be
     @int16 = e == :little ? Int16le : Int16be
     return e
@@ -422,7 +423,7 @@ module PacketFu
       end
       arr.each_with_index do |p,i|
         if p.kind_of? Hash # Binary timestamps are included
-          this_ts = p.keys.first
+          this_ts = p.keys.first.dup
           this_incl_len = p.values.first.size
           this_orig_len = this_incl_len
           this_data = p.values.first

data/lib/packetfu/pcapng.rb

@@ -0,0 +1,37 @@
+# -*- coding: binary -*-
+
+module PacketFu
+
+  # Module to handle PCAP-NG file format.
+  # See http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/pcapng/pcapng/master/draft-tuexen-opsawg-pcapng.xml&modeAsFormat=html/ascii&type=ascii#format_idb
+  module PcapNG
+
+    # Section Header Block type number
+    SHB_TYPE = StructFu::Int32.new(0x0A0D0D0A, :little)
+    # Interface Description Block type number
+    IDB_TYPE = StructFu::Int32.new(1, :little)
+    # Simple Packet Block type number
+    SPB_TYPE = StructFu::Int32.new(3, :little)
+    # Enhanced Packet Block type number
+    EPB_TYPE = StructFu::Int32.new(6, :little)
+
+    # Various LINKTYPE values from http://www.tcpdump.org/linktypes.html
+    # FIXME: only ETHERNET type is defined as this is the only link layer
+    # type supported by PacketFu
+    LINKTYPE_ETHERNET = 1
+
+    class Error < StandardError; end
+    class InvalidFileError < Error; end
+
+  end
+
+end
+
+
+require_relative 'pcapng/block.rb'
+require_relative 'pcapng/unknown_block.rb'
+require_relative 'pcapng/shb.rb'
+require_relative 'pcapng/idb.rb'
+require_relative 'pcapng/epb.rb'
+require_relative 'pcapng/spb.rb'
+require_relative 'pcapng/file.rb'

data/lib/packetfu/pcapng/block.rb

@@ -0,0 +1,25 @@
+# -*- coding: binary -*-
+module PacketFu
+  module PcapNG
+
+    module Block
+
+      # Calculate block length and update :block_len and block_len2 fields
+      def recalc_block_len
+        len = to_a.map(&:to_s).join.size
+        self[:block_len].value = self[:block_len2].value = len
+      end
+
+      # Pad given field to 32 bit boundary, if needed
+      def pad_field(*fields)
+        fields.each do |field|
+          unless self[field].size % 4 == 0
+            self[field] << "\x00" * (4 - (self[field].size % 4))
+          end
+        end
+      end
+
+    end
+
+  end
+end

data/lib/packetfu/pcapng/epb.rb

@@ -0,0 +1,112 @@
+require 'stringio'
+
+module PacketFu
+  module PcapNG
+
+    # Pcapng::EPB represents a Extended Packet Block (EPB) of a pcapng file.
+    #
+    # == Pcapng::EPB Definition
+    #   Int32   :type           Default: 0x00000006
+    #   Int32   :block_len
+    #   Int32   :interface_id
+    #   Int32   :tsh (timestamp high)
+    #   Int32   :tsl (timestamp low)
+    #   Int32   :cap_len
+    #   Int32   :orig_len
+    #   String  :data
+    #   String  :options
+    #   Int32   :block_len2
+    class EPB < Struct.new(:type, :block_len, :interface_id, :tsh, :tsl,
+                           :cap_len, :orig_len, :data, :options, :block_len2)
+      include StructFu
+      include Block
+      attr_accessor :endian
+      attr_accessor :interface
+
+      MIN_SIZE     = 8*4
+
+      def initialize(args={})
+        @endian = set_endianness(args[:endian] || :little)
+        init_fields(args)
+        super(args[:type], args[:block_len], args[:interface_id], args[:tsh],
+              args[:tsl], args[:cap_len], args[:orig_len], args[:data],
+              args[:options], args[:block_len2])
+      end
+
+      # Used by #initialize to set the initial fields
+      def init_fields(args={})
+        args[:type]  = @int32.new(args[:type] || PcapNG::EPB_TYPE.to_i)
+        args[:block_len] = @int32.new(args[:block_len] || MIN_SIZE)
+        args[:interface_id] = @int32.new(args[:interface_id] || 0)
+        args[:tsh] = @int32.new(args[:tsh] || 0)
+        args[:tsl] = @int32.new(args[:tsl] || 0)
+        args[:cap_len] = @int32.new(args[:cap_len] || 0)
+        args[:orig_len] = @int32.new(args[:orig_len] || 0)
+        args[:data] = StructFu::String.new(args[:data] || '')
+        args[:options] = StructFu::String.new(args[:options] || '')
+        args[:block_len2] = @int32.new(args[:block_len2] || MIN_SIZE)
+        args
+      end
+
+      def has_options?
+        self[:options].size > 0
+      end
+
+      # Reads a String or a IO to populate the object
+      def read(str_or_io)
+        if str_or_io.respond_to? :read
+          io = str_or_io
+        else
+          io = StringIO.new(force_binary(str_or_io.to_s))
+        end
+        return self if io.eof?
+
+        self[:type].read io.read(4)
+        self[:block_len].read io.read(4)
+        self[:interface_id].read io.read(4)
+        self[:tsh].read io.read(4)
+        self[:tsl].read io.read(4)
+        self[:cap_len].read io.read(4)
+        self[:orig_len].read io.read(4)
+        self[:data].read io.read(self[:cap_len].to_i)
+        data_pad_len = (4 - (self[:cap_len].to_i % 4)) % 4
+        io.read data_pad_len
+        options_len = self[:block_len].to_i - self[:cap_len].to_i - data_pad_len
+        options_len -= MIN_SIZE
+        self[:options].read io.read(options_len)
+        self[:block_len2].read io.read(4)
+
+        unless self[:block_len].to_i == self[:block_len2].to_i
+          raise InvalidFileError, 'Incoherency in Extended Packet Block'
+        end
+      
+        self
+      end
+
+      # Return timestamp as a Time object
+      def timestamp
+        Time.at((self[:tsh].to_i << 32 | self[:tsl].to_i) * ts_resol)
+      end
+
+      # Return the object as a String
+      def to_s
+        pad_field :data, :options
+        recalc_block_len
+        to_a.map(&:to_s).join
+      end
+
+
+      private
+
+      def ts_resol
+        if @interface.nil?
+          1E-6
+        else
+          @interface.ts_resol
+        end
+      end
+
+    end
+
+  end
+end

data/lib/packetfu/pcapng/file.rb

@@ -0,0 +1,316 @@
+require_relative 'shb'
+
+module PacketFu
+  module PcapNG
+
+    # PcapNG::File is a complete Pcap-NG file handler.
+    class File
+      attr_accessor :sections
+
+      def initialize
+        @sections = []
+      end
+
+      # Read a string to populate the object. Note that this appends new blocks to
+      # the Pcapng::File object.
+      def read(str)
+        PacketFu.force_binary(str)
+        io = StringIO.new(str)
+        parse_section(io)
+        self
+      end
+
+      # Clear the contents of the Pcapng::File prior to reading in a new string.
+      # This string should contain a Section Header Block and an Interface Description
+      # Block to create a conform pcapng file.
+      def read!(str)
+        clear
+        PacketFu.force_binary(str)
+        read(str)
+      end
+
+      # Read a given file and analyze it.
+      # If given a block, it will yield PcapNG::EPB or PcapNG::SPB objects.
+      # This is the only way to get packet timestamps.
+      def readfile(fname, &blk)
+        unless ::File.readable?(fname)
+          raise ArgumentError, "cannot read file #{fname}"
+        end
+
+        ::File.open(fname, 'rb') do |f|
+          while !f.eof? do
+            parse_section(f)
+          end
+        end
+
+        if blk
+          count = 0
+          @sections.each do |section|
+            section.interfaces.each do |intf|
+              intf.packets.each { |pkt| count += 1; yield pkt }
+            end
+          end
+          count
+        end
+      end
+
+      # Give an array of parsed packets (raw data from packets).
+      # If a block is given, yield raw packet data from the given file.
+      def read_packet_bytes(fname, &blk)
+        count = 0
+        packets = [] unless blk
+
+        readfile(fname) do |packet|
+          if blk
+            count += 1
+            yield packet.data.to_s
+          else
+            packets << packet.data.to_s
+          end
+        end
+
+        blk ? count : packets
+      end
+
+      # Return an array of parsed packets.
+      # If a block is given, yield parsed packets from the given file.
+      def read_packets(fname, &blk)
+        count = 0
+        packets = [] unless blk
+
+        read_packet_bytes(fname) do |packet|
+          if blk
+            count += 1
+            yield Packet.parse(packet)
+          else
+            packets << Packet.parse(packet)
+          end
+        end
+
+        blk ? count : packets
+      end
+
+      # Return the object as a String
+      def to_s
+        @sections.map { |section| section.to_s }.join
+      end
+
+      # Clear the contents of the Pcapng::File.
+      def clear
+        @sections.clear
+      end
+
+      # #file_to_array translates a Pcap-NG file into an array of packets.
+      # Note that this strips out timestamps -- if you'd like to retain
+      # timestamps and other pcapng file information, you will want to
+      # use #read instead.
+      #
+      # Valid arguments are:
+      #  * :filename           If given, object is cleared and filename is analyzed
+      #                        before generating array. Else, array is generated
+      #                        from self.
+      #  * :keep_timestamps    If true, generates an array of hashes, each one with
+      #                        timestamp as key and packet as value. There is one hash
+      #                        per packet.
+      def file_to_array(args={})
+        filename = args[:filename] || args[:file]
+        if filename
+          clear
+          readfile filename
+        end
+
+        ary = []
+        @sections.each do |section|
+          section.interfaces.each do |itf|
+            if args[:keep_timestamps] || args[:keep_ts]
+              ary.concat itf.packets.map { |pkt| { pkt.timestamp => pkt.data.to_s } }
+            else
+              ary.concat itf.packets.map { |pkt| pkt.data.to_s}
+            end
+          end
+        end
+        ary
+      end
+
+      # Writes the Pcapng::File to a file. Takes the following arguments:
+      #   :filename # The file to write to.
+      #   :append   # If set to true, the packets are appended to the file, rather
+      #             # than overwriting.
+      def to_file(args={})
+        filename = args[:filename] || args[:file]
+        unless (!filename.nil? || filename.kind_of?(String))
+          raise ArgumentError, "Need a :filename for #{self.class}"
+        end
+
+        append = args[:append]
+        mode = ''
+        if append and ::File.exists? filename
+          mode = 'ab'
+        else
+          mode = 'wb'
+        end
+        ::File.open(filename,mode) {|f| f.write(self.to_s)}
+        [filename, self.to_s.size]
+      end
+
+      alias_method :to_f, :to_file
+
+      # Shorthand method for writing to a file. Can take either :file => 'name.pcapng'
+      # or simply 'name.pcapng'
+      def write(filename='out.pcapng')
+        if filename.kind_of?(Hash)
+          f = filename[:filename] || filename[:file] || 'out.pcapng'
+        else
+          f = filename.to_s
+        end
+        self.to_file(:filename => f.to_s, :append => false)
+      end
+
+      # Shorthand method for appendong to a file. Can take either
+      # :file => 'name.pcapng' or simply 'name.pcapng'
+      def append(filename='out.pcapng')
+        if filename.kind_of?(Hash)
+          f = filename[:filename] || filename[:file] || 'out.pcapng'
+        else
+          f = filename.to_s
+        end
+        self.to_file(:filename => f.to_s, :append => true)
+      end
+
+      # Takes an array of packets  or a Hash.
+      #
+      # Array: as generated by file_to_array or Array of Packet objects.
+      #        update Pcapng::File object without writing file on disk
+      # Hash: take packets from args and write them to a file. Valid arguments are:
+      #   :filename   # do not write file on disk if not given
+      #   :array      # Can either be an array of packet data, or a hash-value pair
+      #               # of timestamp => data.
+      #   :timestamp  # Sets an initial timestamp (Time object)
+      #   :ts_inc     # Sets the increment between timestamps. Defaults to 1 second.
+      #   :append     # If true, then the packets are appended to the end of a file.
+      def array_to_file(args={})
+        case args
+        when Hash
+          filename = args[:filename] || args[:file]
+          ary = args[:array] || args[:arr]
+          unless ary.kind_of? Array
+            raise ArgumentError, ':array parameter needs to be an array'
+          end
+          ts = args[:timestamp] || args[:ts] || Time.now
+          ts_inc = args[:ts_inc] || 1
+          append = !!args[:append]
+        when Array
+          ary = args
+          ts = Time.now
+          ts_inc = 1
+          filename = nil
+          append = false
+        else
+          raise ArgumentError, 'unknown argument. Need either a Hash or Array'
+        end
+
+        section = SHB.new
+        @sections << section
+        itf = IDB.new(:endian => section.endian)
+        classify_block section, itf
+
+        ary.each_with_index do |pkt, i|
+          case pkt
+          when Hash
+            this_ts = pkt.keys.first.to_i
+            this_cap_len = pkt.values.first.to_s.size
+            this_data = pkt.values.first.to_s
+          else
+            this_ts = (ts + ts_inc * i).to_i
+            this_cap_len = pkt.to_s.size
+            this_data = pkt.to_s
+          end
+          this_ts = (this_ts / itf.ts_resol).to_i
+          this_tsh = this_ts >> 32
+          this_tsl = this_ts & 0xffffffff
+          this_pkt = EPB.new(:endian       => section.endian,
+                             :interface_id => 0,
+                             :tsh          => this_tsh,
+                             :tsl          => this_tsl,
+                             :cap_len      => this_cap_len,
+                             :orig_len     => this_cap_len,
+                             :data         => this_data)
+          classify_block section, this_pkt
+        end
+
+        if filename
+          self.to_f(:filename => filename, :append => append)
+        else
+          self
+        end
+      end
+
+
+      private
+
+      def parse_section(io)
+        shb = SHB.new
+        type = StructFu::Int32.new(0, shb.endian).read(io.read(4))
+        io.seek(-4, IO::SEEK_CUR)
+        shb = parse(type, io, shb)
+        raise InvalidFileError, 'no Section header found' unless shb.is_a?(SHB)
+
+        if shb.section_len.to_i != 0xffffffffffffffff
+          # Section length is defined
+          section = StringIO.new(io.read(shb.section_len.to_i))
+          while !section.eof? do
+            shb = @sections.last
+            type = StructFu::Int32.new(0, shb.endian).read(section.read(4))
+            section.seek(-4, IO::SEEK_CUR)
+            block = parse(type, section, shb)
+          end
+        else
+          # section length is undefined
+          while !io.eof?
+            shb = @sections.last
+            type = StructFu::Int32.new(0, shb.endian).read(io.read(4))
+            io.seek(-4, IO::SEEK_CUR)
+            block = parse(type, io, shb)
+          end
+        end
+      end
+
+      def parse(type, io, shb)
+        types = PcapNG.constants(false).select { |c| c.to_s =~ /_TYPE/ }.
+          map { |c| [PcapNG.const_get(c).to_i, c] }
+        types = Hash[types]
+
+        if types.has_key?(type.to_i)
+          klass = PcapNG.const_get(types[type.to_i].to_s.gsub(/_TYPE/, '').to_sym)
+          block = klass.new(endian: shb.endian)
+        else
+          block = UnknownBlock.new(endian: shb.endian)
+        end
+
+        classify_block shb, block
+        block.read(io)
+      end
+
+      def classify_block(shb, block)
+        case block
+        when SHB
+          @sections << block
+        when IDB
+          shb << block
+          block.section = shb
+        when EPB
+          shb.interfaces[block.interface_id.to_i] << block
+          block.interface = shb.interfaces[block.interface_id.to_i]
+        when SPB
+          shb.interfaces[0] << block
+          block.interface = shb.interfaces[0]
+        else
+          shb.unknown_blocks << block
+          block.section = shb
+        end
+      end
+
+    end
+
+  end
+end