packetfu 1.1.11 → 1.1.12.pre

data/spec/pcapng/file_spec_helper.rb

@@ -0,0 +1,45 @@
+# -*- coding: binary -*-
+
+module PacketFu
+  module PcapNG
+
+    # Hash containing attended structure for each test file.
+    # Hash's values are arrays. Each element of these arrays are a section in
+    # pcapng file. A section is described as a hash which keys are block types
+    # and values number of each type in a section.
+    PCAPNG_TEST_FILES = {
+      "basic/test001.pcapng"=>[{:idb=>1, :epb=>4, :spb=>0, :unknown=>0}],
+      "basic/test002.pcapng"=>[{:idb=>0, :epb=>0, :spb=>0, :unknown=>0}],
+      "basic/test003.pcapng"=>[{:idb=>1, :epb=>0, :spb=>0, :unknown=>0}],
+      "basic/test004.pcapng"=>[{:idb=>2, :epb=>4, :spb=>0, :unknown=>0}],
+      "basic/test005.pcapng"=>[{:idb=>2, :epb=>4, :spb=>0, :unknown=>0}],
+      "basic/test006.pcapng"=>[{:idb=>2, :epb=>5, :spb=>0, :unknown=>0}],
+      "basic/test007.pcapng"=>[{:idb=>1, :epb=>1, :spb=>0, :unknown=>0}],
+      "basic/test008.pcapng"=>[{:idb=>2, :epb=>4, :spb=>0, :unknown=>0}],
+      "basic/test009.pcapng"=>[{:idb=>1, :epb=>2, :spb=>0, :unknown=>0}],
+      "basic/test010.pcapng"=>[{:idb=>1, :epb=>0, :spb=>4, :unknown=>0}],
+      "basic/test011.pcapng"=>[{:idb=>1, :epb=>2, :spb=>2, :unknown=>0}],
+      "basic/test012.pcapng"=>[{:idb=>1, :epb=>2, :spb=>2, :unknown=>0}],
+      "basic/test013.pcapng"=>[{:idb=>1, :epb=>0, :spb=>0, :unknown=>1}],
+      "basic/test014.pcapng"=>[{:idb=>3, :epb=>0, :spb=>0, :unknown=>3}],
+      "basic/test015.pcapng"=>[{:idb=>1, :epb=>0, :spb=>0, :unknown=>1}],
+      "basic/test016.pcapng"=>[{:idb=>1, :epb=>2, :spb=>2, :unknown=>3}],
+      "basic/test017.pcapng"=>[{:idb=>0, :epb=>0, :spb=>0, :unknown=>4}],
+      "basic/test018.pcapng"=>[{:idb=>1, :epb=>2, :spb=>2, :unknown=>4}],
+      "advanced/test100.pcapng"=>[{:idb=>3, :epb=>3, :spb=>2, :unknown=>5}],
+      "advanced/test101.pcapng"=>[{:idb=>3, :epb=>3, :spb=>1, :unknown=>6}],
+      "advanced/test102.pcapng"=>[{:idb=>3, :epb=>4, :spb=>1, :unknown=>12}],
+      "difficult/test200.pcapng"=>[{:idb=>1, :epb=>0, :spb=>0, :unknown=>0},
+                                   {:idb=>1, :epb=>0, :spb=>0, :unknown=>0},
+                                   {:idb=>1, :epb=>0, :spb=>0, :unknown=>0}],
+      "difficult/test201.pcapng"=>[{:idb=>2, :epb=>1, :spb=>0, :unknown=>1},
+                                   {:idb=>1, :epb=>1, :spb=>1, :unknown=>1},
+                                   {:idb=>2, :epb=>1, :spb=>0, :unknown=>2}],
+      "difficult/test202.pcapng"=>[{:idb=>2, :epb=>3, :spb=>0, :unknown=>4},
+                                   {:idb=>1, :epb=>2, :spb=>2, :unknown=>4},
+                                   {:idb=>2, :epb=>1, :spb=>0, :unknown=>4}]
+    }
+
+  end
+end
+

data/spec/pcapng/idb_spec.rb

@@ -0,0 +1,53 @@
+# -*- coding: binary -*-
+require 'spec_helper'
+require 'packetfu'
+
+module PacketFu
+  module PcapNG
+    describe IDB do
+      before(:each) { @idb = IDB.new }
+
+      it 'should have correct initialization values' do
+        expect(@idb).to be_a(IDB)
+        expect(@idb.endian).to eq(:little)
+        expect(@idb.type.to_i).to eq(PcapNG::IDB_TYPE.to_i)
+        expect(@idb.link_type.to_i).to eq(PcapNG::LINKTYPE_ETHERNET)
+        expect(@idb.snaplen.to_i).to eq(0)
+        expect(@idb.block_len.to_i).to eq(IDB::MIN_SIZE)
+        expect(@idb.block_len2).to eq(@idb.block_len)
+      end
+
+      it 'should decode tsresol on demand from its options' do
+        @idb.options.read [9, 1, 4].pack('vvC')
+        expect(@idb.ts_resol).to eq(1E-4)
+
+        @idb.options.read [9, 1, 0x83].pack('vvC')
+        expect(@idb.ts_resol(true)).to eq(2**-3)
+      end
+
+      context 'when reading' do
+        it 'should accept a String' do
+          str = ::File.read(::File.join(__dir__, '../..', 'test', 'sample.pcapng'))[52, 32]
+          expect { @idb.read(str) }.to_not raise_error
+          expect(@idb.type.to_i).to eq(PcapNG::IDB_TYPE.to_i)
+          expect(@idb.block_len.to_i).to eq(32)
+          expect(@idb.link_type.to_i).to eq(PcapNG::LINKTYPE_ETHERNET)
+          expect(@idb.snaplen.to_i).to eq(0xffff)
+          expect(@idb.has_options?).to be(true)
+        end
+
+        it 'should accept an IO' do
+          ::File.open(::File.join(__dir__, '../..', 'test', 'sample.pcapng')) do |f|
+            f.seek(52, :CUR)
+            @idb.read f
+          end
+          expect(@idb.type.to_i).to eq(PcapNG::IDB_TYPE.to_i)
+          expect(@idb.block_len.to_i).to eq(32)
+          expect(@idb.link_type.to_i).to eq(PcapNG::LINKTYPE_ETHERNET)
+          expect(@idb.snaplen.to_i).to eq(0xffff)
+          expect(@idb.has_options?).to be(true)
+        end
+      end
+    end
+  end
+end

data/spec/pcapng/shb_spec.rb

@@ -0,0 +1,42 @@
+# -*- coding: binary -*-
+require 'spec_helper'
+require 'packetfu'
+
+module PacketFu
+  module PcapNG
+    describe SHB do
+      before(:each) { @shb = SHB.new }
+
+      it 'should have correct initialization values' do
+        expect(@shb).to be_a(SHB)
+        expect(@shb.endian).to eq(:little)
+        expect(@shb.type.to_i).to eq(PcapNG::SHB_TYPE.to_i)
+        expect(@shb.block_len.to_i).to eq(SHB::MIN_SIZE)
+        expect(@shb.magic.to_s).to eq(SHB::MAGIC_LITTLE)
+        expect(@shb.ver_major.to_i).to eq(1)
+        expect(@shb.ver_minor.to_i).to eq(0)
+        expect(@shb.section_len.to_i).to eq(0xffffffff_ffffffff)
+        expect(@shb.block_len2).to eq(@shb.block_len)
+        expect(@shb.interfaces).to eq([])
+        expect(@shb.unknown_blocks).to eq([])
+      end
+
+      context 'when reading' do
+        it 'should accept a String' do
+          str = ::File.read(::File.join(__dir__, '../..', 'test', 'sample.pcapng'), 52)
+          expect { @shb.read(str) }.to_not raise_error
+          expect(@shb.block_len.to_i).to eq(52)
+          expect(@shb.has_options?).to be(true)
+        end
+
+        it 'should accept an IO' do
+          ::File.open(::File.join(__dir__, '../..', 'test', 'sample.pcapng')) do |f|
+            @shb.read(f)
+          end
+          expect(@shb.block_len.to_i).to eq(52)
+          expect(@shb.has_options?).to be(true)
+        end
+      end
+    end
+  end
+end

data/spec/pcapng/spb_spec.rb

@@ -0,0 +1,43 @@
+# -*- coding: binary -*-
+require 'spec_helper'
+require 'packetfu'
+
+module PacketFu
+  module PcapNG
+    describe SPB do
+      before(:each) { @spb = SPB.new }
+
+      it 'should have correct initialization values' do
+        expect(@spb).to be_a(SPB)
+        expect(@spb.endian).to eq(:little)
+        expect(@spb.type.to_i).to eq(PcapNG::SPB_TYPE.to_i)
+        expect(@spb.orig_len.to_i).to eq(0)
+        expect(@spb.block_len.to_i).to eq(SPB::MIN_SIZE)
+        expect(@spb.block_len2).to eq(@spb.block_len)
+      end
+
+      context 'when reading' do
+        it 'should accept a String' do
+          str = ::File.read(::File.join(__dir__, '../..', 'test',
+                                        'sample-spb.pcapng'))[128, 0x14c]
+          expect { @spb.read str }.to_not raise_error
+          expect(@spb.type.to_i).to eq(PcapNG::SPB_TYPE.to_i)
+          expect(@spb.block_len.to_i).to eq(0x14c)
+          expect(@spb.orig_len.to_i).to eq(0x13a)
+          expect(@spb.data.size).to eq(0x13a)
+        end
+
+        it 'should accept an IO' do
+          ::File.open(::File.join(__dir__, '../..', 'test', 'sample-spb.pcapng')) do |f|
+            f.seek(128, :CUR)
+            @spb.read f
+          end
+          expect(@spb.type.to_i).to eq(PcapNG::SPB_TYPE.to_i)
+          expect(@spb.block_len.to_i).to eq(0x14c)
+          expect(@spb.orig_len.to_i).to eq(0x13a)
+          expect(@spb.data.size).to eq(0x13a)
+        end
+      end
+    end
+  end
+end

data/spec/pcapng/unknown_block_spec.rb

@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+require 'spec_helper'
+require 'packetfu'
+
+module PacketFu
+  module PcapNG
+    describe UnknownBlock do
+      before(:each) { @ub = UnknownBlock.new }
+
+      it 'should have correct initialization values' do
+        expect(@ub).to be_a(UnknownBlock)
+        expect(@ub.endian).to eq(:little)
+        expect(@ub.type.to_i).to eq(0)
+        expect(@ub.block_len.to_i).to eq(UnknownBlock::MIN_SIZE)
+        expect(@ub.block_len2).to eq(@ub.block_len)
+      end
+
+      context 'when reading' do
+        it 'should accept a String' do
+          str = "\xff\xff\xff\xff\x0c\x00\x00\x00\x0c\x00\x00\x00"
+          expect { @ub.read(str) }.to_not raise_error
+          expect(@ub.type.to_i).to eq(0xffffffff)
+          expect(@ub.block_len.to_i).to eq(12)
+        end
+
+        it 'should accept an IO' do
+          ::File.open(::File.join(__dir__, '../..', 'test', 'sample.pcapng')) do |f|
+            @ub.read(f)
+          end
+          expect(@ub.type.to_i).to eq(0x0a0d0d0a)
+          expect(@ub.block_len.to_i).to eq(52)
+        end
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -1,6 +1,5 @@
-
-$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
-require 'packetfu'
+require 'coveralls'
+Coveralls.wear!
 
 puts "rspec #{RSpec::Core::Version::STRING}"
 if RSpec::Core::Version::STRING[0] == '3'
@@ -13,32 +12,5 @@ if RSpec::Core::Version::STRING[0] == '3'
   end
 end
 
+require 'packetfu/common'
 
-module FakePacket
-  def layer
-    7
-  end
-end
-
-class PacketFu::FooPacket < PacketFu::Packet
-  extend FakePacket
-end
-
-class PacketFu::BarPacket < PacketFu::Packet
-  extend FakePacket
-end
-
-class PacketBaz
-end
-
-def add_fake_packets
-  PacketFu.add_packet_class(PacketFu::FooPacket)
-  PacketFu.add_packet_class(PacketFu::BarPacket)
-end
-
-def remove_fake_packets
-  PacketFu.remove_packet_class(PacketFu::FooPacket)
-  PacketFu.remove_packet_class(PacketFu::BarPacket)
-end
-
-remove_fake_packets

data/spec/tcp_spec.rb

@@ -1,4 +1,8 @@
 require 'spec_helper'
+require 'packetfu/protos/eth'
+require 'packetfu/protos/ip'
+require 'packetfu/protos/tcp'
+require 'packetfu/pcap'
 
 include PacketFu
 
@@ -97,4 +101,3 @@ describe TCPPacket do
   end
 
 end
-

data/spec/udp_spec.rb

@@ -1,18 +1,130 @@
 require 'spec_helper'
+require 'packetfu/protos/eth'
+require 'packetfu/protos/ip'
+require 'packetfu/protos/ipv6'
+require 'packetfu/protos/udp'
+require 'packetfu/pcap'
 
 include PacketFu
 
+class String
+  def bin
+    self.scan(/../).map {|x| x.to_i(16).chr}.join
+  end
+end
 
 describe UDPPacket do
 
-  context "new" do
+  context 'when read from a pcap file' do
+    context '(UDP over IPv4)' do
+      before(:all) do
+        @udp4_packet = PcapFile.read_packets(File.join(File.dirname(__FILE__),
+                                                       "ipv4_udp.pcap")).first
+      end
+
+      it 'should be recognized as a UDP packet' do
+        expect(@udp4_packet.is_udp?).to be(true)
+        expect(@udp4_packet.ipv6?).to be(false)
+      end
+
+      it 'should have the right port numbers' do
+        expect(@udp4_packet.udp_src).to eq(41000)
+        expect(@udp4_packet.udp_dst).to eq(42000)
+      end
+
+      it 'should have the right length' do
+        expect(@udp4_packet.udp_len).to eq(24)
+      end
+
+      it 'should have the right checksum' do
+        expect(@udp4_packet.udp_sum).to eq(0xbd81)
+      end
+    end
+
+    context '(UDP over IPv6)' do
+      before(:all) do
+        @udp6_packet = PcapFile.read_packets(File.join(File.dirname(__FILE__),
+                                                       "ipv6_udp.pcap")).first
+      end
+
+      it 'should be recognized as a UDP packet' do
+        expect(@udp6_packet.is_udp?).to be(true)
+        expect(@udp6_packet.ipv6?).to be(true)
+      end
+
+      it 'should have the right port numbers' do
+        expect(@udp6_packet.udp_src).to eq(6809)
+        expect(@udp6_packet.udp_dst).to eq(6810)
+      end
 
+      it 'should have the right length' do
+        expect(@udp6_packet.udp_len).to eq(12)
+      end
+
+      it 'should have the right checksum' do
+        expect(@udp6_packet.udp_sum).to eq(0xb9be)
+      end
+    end
+
+    context 'UDP over IPv4 v2' do
+      it "should have all the UDP attributes" do
+        udp_packet = PcapFile.new.file_to_array(:f => 'test/sample.pcap')[0]
+        udp_pkt = Packet.parse(udp_packet)
+        expect(udp_pkt).to be_kind_of(UDPPacket)
+        expect(udp_pkt.udp_sum.to_i).to eql(0x8bf8)
+      end
+    end
+
+    context 'UDP over IPv4 alter' do
+      it "should read and allow us to alert the payload" do
+        udp_packet = PcapFile.new.file_to_array(:f => 'test/sample.pcap')[0]
+        udp_pkt = Packet.parse(udp_packet)
+        expect(udp_pkt).to be_kind_of(UDPPacket)
+
+        udp_pkt.payload = udp_pkt.payload.gsub(/metasploit/,"MeatPistol")
+        udp_pkt.recalc
+        expect(udp_pkt.udp_sum).to eql(0x8341)
+      end
+    end
+  end
+
+  context "when initializing UDPHeader from scratch" do
+    before(:each) { @udp_header = UDPHeader.new }
+    it 'should have the right instance variables' do
+      expect(@udp_header).to be_kind_of(UDPHeader)
+      expect(@udp_header.to_s.size).to eql(8)
+      expect(@udp_header.to_s).to eql("\x00\x00\x00\x00\x00\b\x00\x00")
+      expect(@udp_header.udp_src).to eq(0)
+      expect(@udp_header.udp_dst).to eq(0)
+      expect(@udp_header.udp_len).to eq(8)
+      expect(@udp_header.udp_sum).to eq(0)
+    end
+
+    it 'should allow setting of port numbers' do
+      @udp_header.udp_src = 1024
+      @udp_header.udp_dst = 1025
+      expect(@udp_header.udp_src).to eq(1024)
+      expect(@udp_header.udp_dst).to eq(1025)
+    end
+  end
+
+  context "when initializing UDPPacket from scratch" do
     it "should create UDP on IPv4 packets by default" do
       udp = UDPPacket.new
       expect(udp.ip_header).to be_a(IPHeader)
       expect(udp.ipv6_header).to be_nil
     end
 
+    it "should allow re-reading" do
+      udp_packet = PacketFu::UDPPacket.new
+      udp_packet2 = Packet.parse(udp_packet.to_s)
+
+      expect(udp_packet).to be_kind_of(UDPPacket)
+      expect(udp_packet2).to be_kind_of(UDPPacket)
+      expect(udp_packet.is_udp?).to be(true)
+      expect(udp_packet2.is_udp?).to be(true)
+    end
+
     it "should create UDP on IPv6 packets" do
       udp = UDPPacket.new(:on_ipv6 => true)
       expect(udp.ip_header).to be_nil
@@ -28,5 +140,41 @@ describe UDPPacket do
       expect(udp.udp_len).to eq(24)
     end
 
+    it 'should support peek functionnality (IPv4 case)' do
+      udp = UDPPacket.new
+      udp.ip_saddr = '192.168.1.1'
+      udp.ip_daddr = '192.168.1.254'
+      udp.udp_src = 32756
+      udp.udp_dst = 80
+      udp.payload = 'abcdefghijklmnopqrstuvwxyz'
+      udp.recalc
+      expect(udp.peek).to match(/U  68\s+192.168.1.1:32756\s+->\s+192.168.1.254:80/)
+    end
+
+    it 'should support peek functionnality (IPv6 case)' do
+      udp = UDPPacket.new(:on_ipv6 => true)
+      udp.ipv6_saddr = '2000::1'
+      udp.ipv6_daddr = '2001::1'
+      udp.udp_src = 32756
+      udp.udp_dst = 80
+      udp.payload = 'abcdefghijklmnopqrstuvwxyz'
+      udp.recalc
+      expect(udp.peek).to match(/6U 88\s+2000::1:32756\s+->\s+2001::1:80/)
+    end
   end
+
+  context "when reading UDPPacket from string" do
+    it "should create UDPPacket and strip extra bytes" do
+      str = "01005e7ffffa100ba9eb63400800450000a12d7c0000011159b446a5fb7ceffffffacdf3076c008d516e4d2d534541524348202a20485454502f312e310d0a486f73743a3233392e3235352e3235352e3235303a313930300d0a53543a75726e3a736368656d61732d75706e702d6f72673a6465766963653a496e7465726e6574476174657761794465766963653a310d0a4d616e3a22737364703a646973636f766572220d0a4d583a330d0a0d0a".bin
+      str << "0102".bin # Tacking on a couple extra bytes tht we'll strip off.
+      not_stripped = UDPPacket.new
+      not_stripped.read(str)
+      expect(not_stripped.udp_header.body.length).to eql(135)
+
+      stripped = UDPPacket.new
+      stripped.read(str, :strip => true)
+      expect(stripped.udp_header.body.length).to eql(133)
+    end
+  end
+
 end