packetfu 1.1.11 → 1.1.12.pre

data/spec/packet_spec.rb

@@ -1,4 +1,12 @@
 require 'spec_helper'
+require 'packetfu/packet'
+require 'packetfu/pcap'
+require 'packetfu/protos/eth'
+require 'packetfu/protos/ip'
+require 'packetfu/protos/ipv6'
+require 'packetfu/protos/tcp'
+require 'packetfu/protos/icmp'
+require 'fake_packets'
 
 describe PacketFu::Packet, "abstract packet class behavior" do
 
@@ -72,4 +80,20 @@ describe PacketFu::Packet, "abstract packet class behavior" do
     p7.should == p6
   end
 
+  it "should parse IPv4 packets" do
+    packets = PacketFu::PcapFile.read(File.join(File.dirname(__FILE__), 'ipv4_icmp.pcap'))
+    packets.size.should == 1
+    packet = PacketFu::Packet.parse(packets.first.data.to_s)
+    packet.should be_a(PacketFu::ICMPPacket)
+    packet.headers[1].should be_a(PacketFu::IPHeader)
+  end
+
+  it "should parse IPv6 packets" do
+    packets = PacketFu::PcapFile.read(File.join(File.dirname(__FILE__), 'ipv6_udp.pcap'))
+    packets.size.should == 1
+    packet = PacketFu::Packet.parse(packets.first.data.to_s)
+    packet.should be_a(PacketFu::UDPPacket)
+    packet.headers[1].should be_a(PacketFu::IPv6Header)
+  end
+
 end

data/spec/packetfu_spec.rb

@@ -1,4 +1,9 @@
 require 'spec_helper'
+require 'packetfu/protos/eth'
+require 'packetfu/protos/ip'
+require 'packetfu/protos/tcp'
+require 'packetfu/version'
+require 'fake_packets'
 
 describe PacketFu, "version information" do
   it "reports a version number" do
@@ -49,7 +54,7 @@ describe PacketFu, "protocol requires" do
     PacketFu::EthPacket.should_not be_nil
     PacketFu::IPPacket.should_not be_nil
     PacketFu::TCPPacket.should_not be_nil
-    expect { PacketFu::FakePacket }.to raise_error(NameError, "uninitialized constant PacketFu::FakePacket")
+    expect { PacketFu::FakePacket }.to raise_error(NameError, /uninitialized constant PacketFu::FakePacket/)
   end
 end
 

data/spec/pcap_spec.rb

@@ -0,0 +1,286 @@
+# -*- coding: binary -*-
+require 'spec_helper'
+require 'packetfu'
+require 'tempfile'
+require 'digest/md5'
+
+include PacketFu
+
+describe PcapHeader do
+  before(:all) do
+    @file = File.open("test/sample.pcap") {|f| f.read}
+    @file.force_encoding "binary" if @file.respond_to? :force_encoding
+    @file_magic = @file[0,4]
+    @file_header = @file[0,24]
+  end
+
+  context "when initializing" do
+    it "should be a good sample file" do
+      expect(@file_magic).to eql("\xd4\xc3\xb2\xa1")
+    end
+
+    it "should have sane defaults (little)" do
+      @pcap_header = PcapHeader.new
+      expect(@pcap_header.sz).to eql(24)
+      expect(@pcap_header.endian).to eql(:little)
+      expect(@pcap_header.magic).to eql(StructFu::Int32le.new(2712847316))
+      expect(@pcap_header.ver_major).to eql(StructFu::Int16le.new(2))
+      expect(@pcap_header.ver_minor).to eql(StructFu::Int16le.new(4))
+      expect(@pcap_header.thiszone).to eql(StructFu::Int32le.new)
+      expect(@pcap_header.sigfigs).to eql(StructFu::Int32le.new)
+      expect(@pcap_header.snaplen).to eql(StructFu::Int32le.new(65535))
+      expect(@pcap_header.network).to eql(StructFu::Int32le.new(1))
+      expect(@pcap_header.to_s[0,4]).to eql("\xD4\xC3\xB2\xA1")
+      expect(@pcap_header.to_s[0,4]).to eql(@file_magic)
+      expect(@pcap_header.to_s[0,24]).to eql("\xD4\xC3\xB2\xA1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\x01\x00\x00\x00")
+      expect(@pcap_header.to_s[0,24]).to eql(@file_header)
+    end
+
+    it "should have sane defaults (big)" do
+      @pcap_header = PcapHeader.new(:endian => :big)
+      expect(@pcap_header.sz).to eql(24)
+      expect(@pcap_header.endian).to eql(:big)
+      expect(@pcap_header.magic).to eql(StructFu::Int32be.new(2712847316, :big))
+      expect(@pcap_header.ver_major).to eql(StructFu::Int16be.new(2))
+      expect(@pcap_header.ver_minor).to eql(StructFu::Int16be.new(4))
+      expect(@pcap_header.thiszone).to eql(StructFu::Int32be.new)
+      expect(@pcap_header.sigfigs).to eql(StructFu::Int32be.new)
+      expect(@pcap_header.snaplen).to eql(StructFu::Int32be.new(65535))
+      expect(@pcap_header.network).to eql(StructFu::Int32be.new(1))
+      expect(@pcap_header.to_s[0,4]).to eql("\xA1\xB2\xC3\xD4")
+      expect(@pcap_header.to_s[0,24]).to eql("\xA1\xB2\xC3\xD4\x00\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\x00\x01")
+    end
+
+    it "should error on bad endian type" do
+      # We want to ensure our endianness is little or big.
+      expect{PcapHeader.new(:endian => :just_right)}.to raise_error(ArgumentError)
+    end
+  end
+
+  context "when reading from string" do
+    it "should be a good sample file" do
+      @pcap_header = PcapHeader.new()
+      @pcap_header.read(@file)
+      expect(@pcap_header.to_s).to eql(@file_header)
+    end
+  end
+end
+
+describe Timestamp do
+  before(:all) do
+    @file = File.open("test/sample.pcap") {|f| f.read}
+    @ts = @file[24,8]
+  end
+
+  context "when initializing" do
+    it "should have sane defaults" do
+      expect(Timestamp.new.size).to eql(3)
+      expect(Timestamp.new.sz).to eql(8)
+    end
+  end
+
+  context "when reading" do
+    it "should parse from a string" do
+      timestamp = Timestamp.new
+      timestamp.read(@ts)
+      expect(timestamp.to_s).to eql(@ts)
+    end
+  end
+end
+
+describe PcapPacket do
+  before(:all) do
+    @file = File.open('test/sample.pcap') {|f| f.read}
+    @file.force_encoding "binary" if @file.respond_to? :force_encoding
+    @header = @file[0,24]
+    @packet = @file[24,100] # pkt is 78 bytes + 16 bytes pcap hdr == 94
+  end
+
+  context "when initializing" do
+    it "should have sane defaults" do
+      pcap_packet = PcapPacket.new(:endian => :little)
+      expect(pcap_packet.endian).to eql(:little)
+      expect(pcap_packet.timestamp).to eql(PacketFu::Timestamp.new(:endian => :little))
+      expect(pcap_packet.incl_len).to eql(StructFu::Int32le.new(0))
+      expect(pcap_packet.orig_len).to eql(StructFu::Int32le.new)
+      expect(pcap_packet.data).to eql("")
+    end
+  end
+
+  context "when reading" do
+    it "should parse from a string" do
+      pcap_packet = PcapPacket.new :endian => :little
+      pcap_packet.read(@packet)
+      expect(pcap_packet.endian).to eql(:little)
+      expect(pcap_packet.timestamp).to eql(
+        PacketFu::Timestamp.new(
+          :endian => :little,
+          :sec => 1255289346,
+          :usec => 244202
+        )
+      )
+      expect(pcap_packet.incl_len).to eql(StructFu::Int32le.new(78))
+      expect(pcap_packet.orig_len).to eql(StructFu::Int32le.new(78))
+      expect(pcap_packet.data).to eql(
+        "\x00\x03/\x1At\xDE\x00\e\x11Q\xB7\xCE\b\x00E\x00\x00@\"" +
+        "\xB4\x00\x00\x80\x11\x94=\xC0\xA8\x01i\xC0\xA8\x01\x02" +
+        "\xD7\xDD\x005\x00,\x8B\xF8\xA6?\x01\x00\x00\x01\x00\x00" +
+        "\x00\x00\x00\x00\x03www\nmetasploit\x03com\x00\x00\x01" +
+        "\x00\x01"
+      )
+
+      expect(pcap_packet[:incl_len].to_i).to eql(78)
+      expect(pcap_packet.to_s).to eql(@packet[0,94])
+    end
+  end
+end
+
+describe PcapPackets do
+  before(:all) do
+    @file = File.open('test/sample.pcap') {|f| f.read}
+  end
+
+  context "when initializing" do
+    it "should have sane defaults" do
+      pcap_packets = PcapPackets.new()
+      expect(pcap_packets.endian).to eql(:little)
+      expect(pcap_packets.size).to eql(0)
+      expect(pcap_packets).to be_kind_of(Array)
+    end
+  end
+
+  context "when reading" do
+    it "should have read pcap packets" do
+      pcap_packets = PcapPackets.new()
+      pcap_packets.read @file
+      expect(pcap_packets.size).to eql(11)
+      expect(pcap_packets.size).to eql(11)
+      expect(pcap_packets.to_s).to eql(@file[24,@file.size])
+    end
+  end
+end
+
+describe PcapFile do
+  before(:all) do
+    @file = File.open('test/sample.pcap') {|f| f.read}
+    @md5 = '1be3b5082bb135c6f22de8801feb3495'
+  end
+
+  context "when initializing" do
+    it "should have sane defaults" do
+      pcap_file = PcapFile.new()
+      expect(pcap_file.endian).to eql(nil)
+      expect(pcap_file.head).to eql(PcapHeader.new)
+      expect(pcap_file.body).to eql(PcapPackets.new)
+    end
+  end
+
+  context "when reading and writing" do
+    before(:each) { @temp_file = Tempfile.new('pcap_pcap') }
+    after(:each) { @temp_file.close; @temp_file.unlink }
+
+    it "should read via #read and write via #to_file" do
+      pcap_file = PcapFile.new
+      pcap_file.read @file
+      pcap_file.to_file(:filename => @temp_file.path)
+      newfile = File.open(@temp_file.path) {|f| f.read(f.stat.size)}
+      newfile.force_encoding "binary" if newfile.respond_to? :force_encoding
+      expect(newfile).to eql(@file)
+
+      pcap_file.to_file(:filename => @temp_file.path, :append => true)
+      packet_array = PcapFile.new.f2a(:filename => @temp_file.path)
+      expect(packet_array.size).to eql(22)
+    end
+
+    it "should read via #file_to_array and write via #to_f" do
+      # TODO: Figure out why this is failing to write properly when converted to a Tempfile
+      File.unlink('out.pcap') if File.exists? 'out.pcap'
+      pcaps = PcapFile.new.file_to_array(:filename => 'test/sample.pcap')
+      pcaps.each {|pkt|
+        packet = Packet.parse pkt
+        packet.recalc
+        packet.to_f('out.pcap','a')
+      }
+      packet_array = PcapFile.new.f2a(:filename => 'out.pcap')
+      expect(packet_array.size).to eql(11)
+      File.unlink('out.pcap')
+    end
+
+    it "should read via #file_to_array and write via #a2f with timestamp changes" do
+      pcap_file = PcapFile.new
+      packet_array = pcap_file.file_to_array(:filename => 'test/sample.pcap')
+      expect(packet_array.size).to eql(11)
+
+      pcap_file = PcapFile.new
+      pcap_file.a2f(:array => packet_array, :f => @temp_file.path, :ts_inc => 4,
+             :timestamp => Time.now.to_i - 1_000_000)
+      diff_time = pcap_file.body[0].timestamp.sec.to_i - pcap_file.body[1].timestamp.sec.to_i
+      expect(diff_time).to eql(-4)
+
+      packet_array_2 = pcap_file.file_to_array(:filename => @temp_file.path)
+      expect(packet_array_2.size).to eql(11)
+    end
+  end
+
+end
+
+describe Read do
+  context "when initializing" do
+    it "should have sane defaults" do
+      pcap_packets = Read.new()
+      expect(pcap_packets).to be_kind_of(Read)
+    end
+  end
+
+  context "when reading" do
+    it "should read from a string" do
+      pkts = Read.file_to_array(:file => 'test/sample.pcap')
+      expect(pkts).to be_kind_of(Array)
+      expect(pkts.size).to eql(11)
+
+      this_packet = Packet.parse pkts[0]
+      expect(this_packet).to be_kind_of(UDPPacket)
+
+      that_packet = Packet.parse pkts[3]
+      expect(that_packet).to be_kind_of(ICMPPacket)
+    end
+
+    it "should read from a hash" do
+      pkts = Read.file_to_array(:file => 'test/sample.pcap', :ts => true)
+      expect(pkts).to be_kind_of(Array)
+      expect(pkts.size).to eql(11)
+
+      this_packet = Packet.parse pkts[0].values.first
+      expect(this_packet).to be_kind_of(UDPPacket)
+
+      that_packet = Packet.parse pkts[3].values.first
+      expect(that_packet).to be_kind_of(ICMPPacket)
+    end
+  end
+end
+
+describe Write do
+  context "when initializing" do
+    it "should have sane defaults" do
+      pcap_packets = Write.new()
+      expect(pcap_packets).to be_kind_of(Write)
+    end
+  end
+
+  context "when writing" do
+    before(:each) { @temp_file = Tempfile.new('write_pcap') }
+    after(:each) { @temp_file.close; @temp_file.unlink }
+
+    it "should read from a string" do
+      pkts = Read.file_to_array(:file => 'test/sample.pcap')
+      expect(pkts).to be_kind_of(Array)
+      expect(pkts.size).to eql(11)
+
+      Write.array_to_file(:array => pkts, :file => @temp_file.path)
+
+      pkts_new = Read.file_to_array(:file => @temp_file.path)
+      expect(pkts).to be_kind_of(Array)
+      expect(pkts.size).to eql(11)
+    end
+  end
+end

data/spec/pcapng/epb_spec.rb

@@ -0,0 +1,81 @@
+# -*- coding: binary -*-
+require 'spec_helper'
+require 'packetfu'
+
+module PacketFu
+  module PcapNG
+    describe EPB do
+      before(:each) { @epb = EPB.new }
+
+      it 'should have correct initialization values' do
+        expect(@epb).to be_a(EPB)
+        expect(@epb.endian).to eq(:little)
+        expect(@epb.type.to_i).to eq(PcapNG::EPB_TYPE.to_i)
+        expect(@epb.interface_id.to_i).to eq(0)
+        expect(@epb.tsh.to_i).to eq(0)
+        expect(@epb.tsl.to_i).to eq(0)
+        expect(@epb.cap_len.to_i).to eq(0)
+        expect(@epb.orig_len.to_i).to eq(0)
+        expect(@epb.block_len.to_i).to eq(EPB::MIN_SIZE)
+        expect(@epb.block_len2).to eq(@epb.block_len)
+      end
+
+      context 'when reading' do
+        it 'should accept a String' do
+          str = ::File.read(::File.join(__dir__, '../..', 'test', 'sample.pcapng'))[84, 112]
+          expect { @epb.read(str) }.to_not raise_error
+          expect(@epb.type.to_i).to eq(PcapNG::EPB_TYPE.to_i)
+          expect(@epb.block_len.to_i).to eq(112)
+          expect(@epb.interface_id.to_i).to eq(0)
+          expect(@epb.tsh.to_i).to eq(0x475ad)
+          expect(@epb.tsl.to_i).to eq(0xd392be6a)
+          expect(@epb.cap_len.to_i).to eq(78)
+          expect(@epb.orig_len.to_i).to eq(@epb.cap_len.to_i)
+          expect(@epb.has_options?).to be(false)
+        end
+
+        it 'should accept an IO' do
+          ::File.open(::File.join(__dir__, '../..', 'test', 'sample.pcapng')) do |f|
+            f.seek(84, :CUR)
+            @epb.read f
+          end
+          expect(@epb.type.to_i).to eq(PcapNG::EPB_TYPE.to_i)
+          expect(@epb.block_len.to_i).to eq(112)
+          expect(@epb.interface_id.to_i).to eq(0)
+          expect(@epb.tsh.to_i).to eq(0x475ad)
+          expect(@epb.tsl.to_i).to eq(0xd392be6a)
+          expect(@epb.cap_len.to_i).to eq(78)
+          expect(@epb.orig_len.to_i).to eq(@epb.cap_len.to_i)
+          expect(@epb.has_options?).to be(false)
+        end
+
+      end
+
+      it 'should decode packet timestamp with default resolution' do
+        ::File.open(::File.join(__dir__, '../..', 'test', 'sample.pcapng')) do |f|
+          f.seek(84, :CUR)
+          @epb.read f
+        end
+
+        expect(@epb.timestamp.round).to eq(Time.utc(2009, 10, 11, 19, 29, 6))
+      end
+
+      it 'should decode packet timestamp with interface resolution' do
+        ::File.open(::File.join(__dir__, '../..', 'test', 'sample.pcapng')) do |f|
+          f.seek(84, :CUR)
+          @epb.read f
+        end
+
+        idb = IDB.new
+        ::File.open(::File.join(__dir__, '../..', 'test', 'sample.pcapng')) do |f|
+          f.seek(52, :CUR)
+          idb.read f
+        end
+        idb << @epb
+        @epb.interface = idb
+
+        expect(@epb.timestamp.round).to eq(Time.utc(2009, 10, 11, 19, 29, 6))
+      end
+    end
+  end
+end

data/spec/pcapng/file_spec.rb

@@ -0,0 +1,295 @@
+# -*- coding: binary -*-
+require 'tempfile'
+require 'spec_helper'
+require 'packetfu'
+require_relative 'file_spec_helper'
+
+module PacketFu
+  module PcapNG
+    describe File do
+      before(:all) do
+        @file = ::File.join(__dir__, '../..', 'test', 'sample.pcapng')
+        @file_spb = ::File.join(__dir__, '../..', 'test', 'sample-spb.pcapng')
+      end
+      before(:each) { @pcapng = File.new }
+
+      context '#readfile' do
+        it 'reads a Pcap-NG file' do
+          @pcapng.readfile @file
+          expect(@pcapng.sections.size).to eq(1)
+          expect(@pcapng.sections[0].unknown_blocks.size).to eq(0)
+
+          expect(@pcapng.sections.first.interfaces.size).to eq(1)
+          intf = @pcapng.sections.first.interfaces.first
+          expect(intf.section).to eq(@pcapng.sections.first)
+
+          expect(intf.packets.size).to eq(11)
+          packet = intf.packets.first
+          expect(packet.interface).to eq(intf)
+        end
+
+        it 'reads a Pcap-NG file with Simple Packet blocks' do
+          @pcapng.readfile @file_spb
+          expect(@pcapng.sections.size).to eq(1)
+          expect(@pcapng.sections[0].unknown_blocks.size).to eq(0)
+          expect(@pcapng.sections.first.interfaces.size).to eq(1)
+          intf = @pcapng.sections.first.interfaces.first
+          expect(intf.section).to eq(@pcapng.sections.first)
+          expect(intf.packets.size).to eq(4)
+          expect(intf.snaplen.to_i).to eq(0)
+          packet = intf.packets.first
+          expect(packet.interface).to eq(intf)
+          expect(packet.data.size).to eq(packet.orig_len.to_i)
+        end
+
+        it 'yields xPB object per read packet' do
+          idx = 0
+          @pcapng.readfile(@file) do |pkt|
+            expect(pkt).to be_a(@Pcapng::EPB)
+            idx += 1
+          end
+          expect(idx).to eq(11)
+        end
+
+        it 'reads many kinds of pcapng file' do
+          [:little, :big].each do |endian|
+            base_dir = ::File.join(__dir__, '..', '..', 'test', 'pcapng-test',
+                                   endian == :little ? 'output_le' : 'output_be')
+            PCAPNG_TEST_FILES.each do |file, sections|
+              next if file == 'difficult/test202.pcapng'
+              @pcapng.clear
+              @pcapng.readfile ::File.join(base_dir, file)
+              expect(@pcapng.sections[0].endian).to eq(endian)
+              expect(@pcapng.sections.size).to eq(sections.size)
+              sections.each_with_index do |section, i|
+                expect(@pcapng.sections[i].unknown_blocks.size).to eq(section[:unknown])
+                expect(@pcapng.sections[i].interfaces.size).to eq(section[:idb])
+                packets = @pcapng.sections[i].interfaces.map(&:packets).flatten
+                expect(packets.grep(EPB).size).to eq(section[:epb])
+                expect(packets.grep(SPB).size).to eq(section[:spb])
+              end
+            end
+          end
+        end
+
+        it 'reads a file with different sections, with different endians' do
+          sections = PCAPNG_TEST_FILES['difficult/test202.pcapng']
+          [:little, :big].each do |endian|
+            other_endian = endian == :little ? :big : :little
+            base_dir = ::File.join(__dir__, '..', '..', 'test', 'pcapng-test',
+                                   endian == :little ? 'output_le' : 'output_be')
+
+            @pcapng.clear
+            @pcapng.readfile ::File.join(base_dir, 'difficult', 'test202.pcapng')
+
+            expect(@pcapng.sections.size).to eq(sections.size)
+            expect(@pcapng.sections[0].endian).to eq(endian)
+            expect(@pcapng.sections[1].endian).to eq(other_endian)
+            expect(@pcapng.sections[2].endian).to eq(endian)
+            sections.each_with_index do |section, i|
+              expect(@pcapng.sections[i].unknown_blocks.size).to eq(section[:unknown])
+              expect(@pcapng.sections[i].interfaces.size).to eq(section[:idb])
+              @pcapng.sections[i].unknown_blocks.each do |block|
+                expect(block.endian).to eq(@pcapng.sections[i].endian)
+              end
+              @pcapng.sections[i].interfaces.each do |interface|
+                expect(interface.endian).to eq(@pcapng.sections[i].endian)
+                interface.packets.each do |packet|
+                  expect(packet.endian).to eq(@pcapng.sections[i].endian)
+                end
+              end
+              packets = @pcapng.sections[i].interfaces.map(&:packets).flatten
+              expect(packets.grep(EPB).size).to eq(section[:epb])
+              expect(packets.grep(SPB).size).to eq(section[:spb])
+            end
+          end
+        end
+      end
+
+      context '#read_packets' do
+        before(:all) do
+          @expected = [UDPPacket] * 2 + [ICMPPacket] * 3 + [ARPPacket] * 2 +
+            [TCPPacket] * 3 + [ICMPPacket]
+        end
+
+        it 'returns an array of Packets' do
+          packets = @pcapng.read_packets(@file)
+          expect(packets.map(&:class)).to eq(@expected)
+
+          icmp = packets[2]
+          expect(icmp.ip_saddr).to eq('192.168.1.105')
+          expect(icmp.ip_daddr).to eq('216.75.1.230')
+          expect(icmp.icmp_type).to eq(8)
+          expect(icmp.icmp_code).to eq(0)
+        end
+
+        it 'yields Packet object per read packet' do
+          idx = 0
+          @pcapng.read_packets(@file) do |pkt|
+            expect(pkt).to be_a(@expected[idx])
+            idx += 1
+          end
+          expect(idx).to eq(11)
+        end
+      end
+
+      context '#file_to_array' do
+        it 'generates an array from object state' do
+          @pcapng.readfile @file
+          ary = @pcapng.file_to_array
+          expect(ary).to be_a(Array)
+          ary.each do |p|
+            expect(p).to be_a(String)
+          end
+          expect(ary[0]).to eq(@pcapng.sections[0].interfaces[0].packets[0].data)
+        end
+
+        it 'generates an array from given file, clearing object state' do
+          @pcapng.readfile @file
+          ary = @pcapng.file_to_array(filename: @file_spb)
+          expect(@pcapng.sections.size).to eq(1)
+          expect(@pcapng.sections[0].interfaces[0].packets[0]).to be_a(SPB)
+
+          expect(ary).to be_a(Array)
+          ary.each do |p|
+            expect(p).to be_a(String)
+          end
+          expect(ary[0]).to eq(@pcapng.sections[0].interfaces[0].packets[0].data)
+        end
+
+        it 'generates an array with timestamps' do
+          @pcapng.readfile @file
+          ary = @pcapng.file_to_array(keep_timestamps: true)
+          expect(ary).to be_a(Array)
+          ary.each do |p|
+            expect(p).to be_a(Hash)
+            expect(p.keys.first).to be_a(Time)
+            expect(p.values.first).to be_a(String)
+          end
+
+          packet1 = @pcapng.sections[0].interfaces[0].packets[0]
+          expect(ary[0].keys.first).to eq(packet1.timestamp)
+          expect(ary[0].values.first).to eq(packet1.data)
+        end
+      end
+
+      context '#to_file' do
+        before(:each) { @write_file = Tempfile.new('pcapng') }
+        after(:each) { @write_file.close; @write_file.unlink }
+
+        it 'creates a file and write self to it' do
+          @pcapng.readfile @file
+          @pcapng.to_file :filename => @write_file.path
+          @write_file.rewind
+          expect(@write_file.read).to eq(::File.read(@file))
+        end
+
+        it 'appends a section to an existing file' do
+          @pcapng.readfile @file
+          @pcapng.to_file :filename => @write_file.path
+
+          @pcapng.to_file :filename => @write_file.path, :append => true
+
+          @pcapng.clear
+          @pcapng.readfile @write_file.path
+          expect(@pcapng.sections.size).to eq(2)
+          expect(@pcapng.sections[0].to_s).to eq(@pcapng.sections[1].to_s)
+        end
+      end
+
+      context '#array_to_file' do
+        before(:each) do
+          tmpfile = Tempfile.new('packetfu')
+          @tmpfilename = tmpfile.path
+          tmpfile.close
+          tmpfile.unlink
+        end
+        after(:each) { ::File.unlink @tmpfilename if ::File.exist? @tmpfilename }
+
+        it 'gets an array of Packet objects' do
+          packets = @pcapng.read_packets(@file)
+
+          @pcapng.clear
+          @pcapng.array_to_file(packets)
+          @pcapng.write @tmpfilename
+
+          @pcapng.clear
+          packets2 = @pcapng.read_packets(@tmpfilename)
+          expect(packets2.map(&:to_s).join).to eq(packets.map(&:to_s).join)
+        end
+
+        it 'gets a hash containing an array of Packet objects' do
+          packets = @pcapng.read_packets(@file)[0..1]
+
+          @pcapng.clear
+          @pcapng.array_to_file(:array => packets)
+          @pcapng.write @tmpfilename
+
+          @pcapng.clear
+          packets2 = @pcapng.read_packets(@tmpfilename)
+          expect(packets2.map(&:to_s).join).to eq(packets.map(&:to_s).join)
+        end
+
+        it 'gets a hash containing an array of Packet objects and a :timestamp key' do
+          packets = @pcapng.read_packets(@file)[0..1]
+
+          @pcapng.clear
+          @pcapng.array_to_file(:array => packets,
+                                :timestamp => Time.utc(2000, 1, 1),
+                                :ts_inc => 3600*24)
+          @pcapng.write @tmpfilename
+
+          @pcapng.clear
+          @pcapng.readfile(@tmpfilename)
+          @pcapng.sections[0].interfaces[0].packets.each_with_index do |pkt, i|
+            expect(pkt.data).to eq(packets[i].to_s)
+            expect(pkt.timestamp).to eq(Time.utc(2000, 1, 1+i))
+          end
+        end
+
+        it 'gets a hash containing couples of Time and Packet objects' do
+          packets = @pcapng.read_packets(@file)[0..3]
+          timestamp = Time.utc(2000, 1, 1)
+          ts_inc = 3600*24 * 2
+          array = []
+          packets.each_with_index do |pkt, i|
+            array << { (timestamp + ts_inc * i) => pkt }
+          end
+
+          @pcapng.clear
+          @pcapng.array_to_file(:array => array)
+          @pcapng.write @tmpfilename
+
+          @pcapng.clear
+          @pcapng.readfile(@tmpfilename)
+          @pcapng.sections[0].interfaces[0].packets.each_with_index do |pkt, i|
+            expect(pkt.data).to eq(packets[i].to_s)
+            expect(pkt.timestamp).to eq(Time.utc(2000, 1, 1+2*i))
+          end
+        end
+
+        it 'gets a hash containing a :filename key' do
+          packets = @pcapng.read_packets(@file)[0..2]
+
+          @pcapng.clear
+          @pcapng.array_to_file(:array => packets, :filename => @tmpfilename)
+
+          @pcapng.clear
+          packets2 = @pcapng.read_packets(@tmpfilename)
+          expect(packets2.map(&:to_s).join).to eq(packets.map(&:to_s).join)
+        end
+      end
+
+      it '#to_s returns object as a String' do
+        orig_str = PacketFu.force_binary(::File.read(@file))
+        @pcapng.read orig_str
+        expect(@pcapng.to_s).to eq(orig_str)
+
+        @pcapng.clear
+        orig_str = PacketFu.force_binary(::File.read(@file_spb))
+        @pcapng.read orig_str
+        expect(@pcapng.to_s).to eq(orig_str)
+      end
+    end
+  end
+end