packetfu 1.1.8 → 1.1.9

data/lib/packetfu/pcap.rb

@@ -1,608 +1,609 @@
 #!/usr/bin/env ruby
+# -*- coding: binary -*-
 
 module StructFu
 
-	# Set the endianness for the various Int classes. Takes either :little or :big.
-	def set_endianness(e=nil)
-		unless [:little, :big].include? e
-			raise ArgumentError, "Unknown endianness for #{self.class}" 
-		end
-		@int32 = e == :little ? Int32le : Int32be
-		@int16 = e == :little ? Int16le : Int16be
-		return e
-	end
-
-	# Instead of returning the "size" of the object, which is usually the
-	# number of elements of the Struct, returns the size of the object after
-	# a to_s. Essentially, a short version of self.to_size.size
-	def sz
-		self.to_s.size
-	end
+  # Set the endianness for the various Int classes. Takes either :little or :big.
+  def set_endianness(e=nil)
+    unless [:little, :big].include? e
+      raise ArgumentError, "Unknown endianness for #{self.class}" 
+    end
+    @int32 = e == :little ? Int32le : Int32be
+    @int16 = e == :little ? Int16le : Int16be
+    return e
+  end
+
+  # Instead of returning the "size" of the object, which is usually the
+  # number of elements of the Struct, returns the size of the object after
+  # a to_s. Essentially, a short version of self.to_size.size
+  def sz
+    self.to_s.size
+  end
 
 end
 
 module PacketFu
 
-	# PcapHeader represents the header portion of a libpcap file (the packets
-	# themselves are in the PcapPackets array). See 
-	# http://wiki.wireshark.org/Development/LibpcapFileFormat for details.
-	#
-	# Depending on the endianness (set with :endian), elements are either
-	# :little endian or :big endian. 
-	#
-	# ==== PcapHeader Definition
-	#
-	#   Symbol  :endian     Default: :little
-	#   Int32   :magic      Default: 0xa1b2c3d4 # :big is 0xd4c3b2a1
-	#   Int16   :ver_major  Default: 2
-	#   Int16   :ver_minor  Default: 4
-	#   Int32   :thiszone
-	#   Int32   :sigfigs
-	#   Int32   :snaplen    Default: 0xffff
-	#   Int32   :network    Default: 1
-	class PcapHeader < Struct.new(:endian, :magic, :ver_major, :ver_minor,
-																:thiszone, :sigfigs, :snaplen, :network)
-		include StructFu
-
-		MAGIC_INT32  = 0xa1b2c3d4
-		MAGIC_LITTLE = [MAGIC_INT32].pack("V")
-		MAGIC_BIG    = [MAGIC_INT32].pack("N")
-
-		def initialize(args={})
-			set_endianness(args[:endian] ||= :little)
-			init_fields(args) 
-			super(args[:endian], args[:magic], args[:ver_major], 
-						args[:ver_minor], args[:thiszone], args[:sigfigs], 
-						args[:snaplen], args[:network])
-		end
-		
-		# Called by initialize to set the initial fields. 
-		def init_fields(args={})
-			args[:magic] = @int32.new(args[:magic] || PcapHeader::MAGIC_INT32)
-			args[:ver_major] = @int16.new(args[:ver_major] || 2)
-			args[:ver_minor] ||= @int16.new(args[:ver_minor] || 4)
-			args[:thiszone] ||= @int32.new(args[:thiszone])
-			args[:sigfigs] ||= @int32.new(args[:sigfigs])
-			args[:snaplen] ||= @int32.new(args[:snaplen] || 0xffff)
-			args[:network] ||= @int32.new(args[:network] || 1)
-			return args
-		end
-
-		# Returns the object in string form.
-		def to_s
-			self.to_a[1,7].map {|x| x.to_s}.join
-		end
-
-		# Reads a string to populate the object.
-		# TODO: Need to test this by getting a hold of a big endian pcap file.
-		# Conversion from big to little shouldn't be that big of a deal.
-		def read(str)
-			force_binary(str)
-			return self if str.nil?
-			str.force_encoding(Encoding::BINARY) if str.respond_to? :force_encoding
-			if str[0,4] == self[:magic].to_s 
-				self[:magic].read str[0,4]
-				self[:ver_major].read str[4,2]
-				self[:ver_minor].read str[6,2]
-				self[:thiszone].read str[8,4]
-				self[:sigfigs].read str[12,4]
-				self[:snaplen].read str[16,4]
-				self[:network].read str[20,4]
-			else
-				raise "Incorrect magic for libpcap"
-			end
-			self
-		end
-
-	end
-
-	# The Timestamp class defines how Timestamps appear in libpcap files.
-	#
-	# ==== Header Definition
-	#
-	#  Symbol  :endian  Default: :little
-	#  Int32   :sec
-	#  Int32   :usec
-	class Timestamp < Struct.new(:endian, :sec, :usec)
-		include StructFu
-
-		def initialize(args={})
-			set_endianness(args[:endian] ||= :little)
-			init_fields(args)
-			super(args[:endian], args[:sec], args[:usec])
-		end
-
-		# Called by initialize to set the initial fields. 
-		def init_fields(args={})
-			args[:sec] = @int32.new(args[:sec])
-			args[:usec] = @int32.new(args[:usec])
-			return args
-		end
-
-		# Returns the object in string form.
-		def to_s
-			self.to_a[1,2].map {|x| x.to_s}.join
-		end
-
-		# Reads a string to populate the object.
-		def read(str)
-			force_binary(str)
-			return self if str.nil?
-			self[:sec].read str[0,4]
-			self[:usec].read str[4,4]
-			self
-		end
-
-	end
-
-	# PcapPacket defines how individual packets are stored in a libpcap-formatted
-	# file.
-	#
-	# ==== Header Definition
-	#
-	# Timestamp  :timestamp
-	# Int32      :incl_len
-	# Int32      :orig_len
-	# String     :data
-	class PcapPacket < Struct.new(:endian, :timestamp, :incl_len,
-															 :orig_len, :data)
-		include StructFu
-		def initialize(args={})
-			set_endianness(args[:endian] ||= :little)
-			init_fields(args)
-			super(args[:endian], args[:timestamp], args[:incl_len],
-					 args[:orig_len], args[:data])
-		end
-
-		# Called by initialize to set the initial fields. 
-		def init_fields(args={})
-			args[:timestamp] = Timestamp.new(:endian => args[:endian]).read(args[:timestamp])
-			args[:incl_len] = args[:incl_len].nil? ? @int32.new(args[:data].to_s.size) : @int32.new(args[:incl_len])
-			args[:orig_len] = @int32.new(args[:orig_len])
-			args[:data] = StructFu::String.new.read(args[:data])
-		end
-
-		# Returns the object in string form.
-		def to_s
-			self.to_a[1,4].map {|x| x.to_s}.join
-		end
-
-		# Reads a string to populate the object.
-		def read(str)
-			return unless str
-			force_binary(str)
-			self[:timestamp].read str[0,8]
-			self[:incl_len].read str[8,4]
-			self[:orig_len].read str[12,4]
-			self[:data].read str[16,self[:incl_len].to_i]
-			self
-		end
-
-	end
-
-	# PcapPackets is a collection of PcapPacket objects.
-	class PcapPackets < Array
-
-		include StructFu
-
-		attr_accessor :endian # probably ought to be read-only but who am i.
-
-		def initialize(args={})
-			@endian = args[:endian] || :little
-		end
-
-		def force_binary(str)
-			str.force_encoding Encoding::BINARY if str.respond_to? :force_encoding
-		end
-
-		# Reads a string to populate the object. Note, this read takes in the 
-		# whole pcap file, since we need to see the magic to know what 
-		# endianness we're dealing with.
-		def read(str)
-			force_binary(str)
-			return self if str.nil?
-			if str[0,4] == PcapHeader::MAGIC_BIG
-				@endian = :big
-			elsif str[0,4] == PcapHeader::MAGIC_LITTLE
-				@endian = :little
-			else
-				raise ArgumentError, "Unknown file format for #{self.class}"
-			end
-			body = str[24,str.size]
-			while body.size > 16 # TODO: catch exceptions on malformed packets at end
-				p = PcapPacket.new(:endian => @endian)
-				p.read(body)
-				self<<p
-				body = body[p.sz,body.size]
-			end
-		self
-		end
-
-		def to_s
-			self.join
-		end
-
-	end
-
-	# PcapFile is a complete libpcap file struct, made up of two elements, a 
-	# PcapHeader and PcapPackets.
-	#
-	# See http://wiki.wireshark.org/Development/LibpcapFileFormat
-	#
-	# PcapFile also can behave as a singleton class, which is usually the better
-	# way to handle pcap files of really any size, since it doesn't require
-	# storing packets before handing them off to a given block. This is really
-	# the way to go.
-	class PcapFile < Struct.new(:endian, :head, :body)
-		include StructFu
-
-		class << self
-
-			# Takes a given file and returns an array of the packet bytes. Here 
-			# for backwards compatibilty.
-			def file_to_array(fname)
-				PcapFile.new.file_to_array(:f => fname)
-			end
-
-			# Takes a given file name, and reads out the packets. If given a block,
-			# it will yield back a PcapPacket object per packet found.
-			def read(fname,&block) 
-				file_header = PcapHeader.new
-				pcap_packets = PcapPackets.new 
-				unless File.readable? fname
-					raise ArgumentError, "Cannot read file `#{fname}'"
-				end
-				begin
-				file_handle = File.open(fname, "rb")
-				file_header.read file_handle.read(24)
-				packet_count = 0
-				pcap_packet = PcapPacket.new(:endian => file_header.endian)
-				while pcap_packet.read file_handle.read(16) do
-					len = pcap_packet.incl_len
-					pcap_packet.data = StructFu::String.new.read(file_handle.read(len.to_i))
-					packet_count += 1
-					if pcap_packet.data.size < len.to_i
-						warn "Packet ##{packet_count} is corrupted: expected #{len.to_i}, got #{pcap_packet.data.size}. Exiting."
-						break
-					end
-					if block
-						yield pcap_packet
-					else
-						pcap_packets << pcap_packet.clone
-					end
-				end
-				ensure
-					file_handle.close
-				end
-				block ? packet_count : pcap_packets
-			end
-
-			# Takes a filename, and an optional block. If a block is given, 
-			# yield back the raw packet data from the given file. Otherwise,
-			# return an array of parsed packets.
-			def read_packet_bytes(fname,&block)
-				count = 0
-				packets = [] unless block
-				read(fname) do |packet| 
-					if block
-						count += 1
-						yield packet.data.to_s
-					else
-						packets << packet.data.to_s
-					end
-				end
-				block ? count : packets
-			end
-
-			alias :file_to_array :read_packet_bytes 
-
-			# Takes a filename, and an optional block. If a block is given,
-			# yield back parsed packets from the given file. Otherwise, return
-			# an array of parsed packets.
-			#
-			# This is a brazillian times faster than the old methods of extracting
-			# packets from files.
-			def read_packets(fname,&block)
-				count = 0
-				packets = [] unless block
-				read_packet_bytes(fname) do |packet| 
-					if block
-						count += 1
-						yield Packet.parse(packet)
-					else
-						packets << Packet.parse(packet)
-					end
-				end
-				block ? count : packets
-			end
-
-		end
-
-		def initialize(args={})
-			init_fields(args)
-			@filename = args.delete :filename
-			super(args[:endian], args[:head], args[:body])
-		end
-
-		# Called by initialize to set the initial fields. 
-		def init_fields(args={})
-			args[:head] = PcapHeader.new(:endian => args[:endian]).read(args[:head])
-			args[:body] = PcapPackets.new(:endian => args[:endian]).read(args[:body])
-			return args
-		end
-
-		# Returns the object in string form.
-		def to_s
-			self[:head].to_s + self[:body].map {|p| p.to_s}.join
-		end
-
-		# Clears the contents of the PcapFile.
-		def clear
-			self[:body].clear
-		end
-
-		# Reads a string to populate the object. Note that this appends new packets to
-		# any existing packets in the PcapFile.
-		def read(str)
-			force_binary(str)
-			self[:head].read str[0,24]
-			self[:body].read str
-			self
-		end
-
-		# Clears the contents of the PcapFile prior to reading in a new string.
-		def read!(str)
-			clear	
-			force_binary(str)
-			self.read str
-		end
-
-		# A shorthand method for opening a file and reading in the packets. Note
-		# that readfile clears any existing packets, since that seems to be the
-		# typical use.
-		def readfile(file)
-			fdata = File.open(file, "rb") {|f| f.read}
-			self.read! fdata
-		end
-
-		# Calls the class method with this object's @filename
-		def read_packet_bytes(fname=@filename,&block)
-			raise ArgumentError, "Need a file" unless fname
-			return self.class.read_packet_bytes(fname, &block)
-		end
-
-		# Calls the class method with this object's @filename
-		def read_packets(fname=@filename,&block)
-			raise ArgumentError, "Need a file" unless fname
-			return self.class.read_packets(fname, &block)
-		end
-
-		# file_to_array() translates a libpcap file into an array of packets.
-		# Note that this strips out pcap timestamps -- if you'd like to retain
-		# timestamps and other libpcap file information, you will want to 
-		# use read() instead.
-		def file_to_array(args={})
-			filename = args[:filename] || args[:file] || args[:f]
-			if filename
-				self.read! File.open(filename, "rb") {|f| f.read}
-			end
-			if args[:keep_timestamps] || args[:keep_ts] || args[:ts]
-				self[:body].map {|x| {x.timestamp.to_s => x.data.to_s} }
-			else
-				self[:body].map {|x| x.data.to_s}
-			end
-		end
-
-		alias_method :f2a, :file_to_array
-
-		# Takes an array of packets (as generated by file_to_array), and writes them
-		# to a file. Valid arguments are:
-		#
-		#   :filename
-		#   :array      # Can either be an array of packet data, or a hash-value pair of timestamp => data.
-		#   :timestamp  # Sets an initial timestamp
-		#   :ts_inc     # Sets the increment between timestamps. Defaults to 1 second.
-		#   :append     # If true, then the packets are appended to the end of a file.
-		def array_to_file(args={})
-			if args.kind_of? Hash
-				filename = args[:filename] || args[:file] || args[:f]
-				arr = args[:array] || args[:arr] || args[:a]
-				ts = args[:timestamp] || args[:ts] || Time.now.to_i
-				ts_inc = args[:timestamp_increment] || args[:ts_inc] || 1
-				append = !!args[:append]
-			elsif args.kind_of? Array
-				arr = args
-				filename = append = nil
-			else
-				raise ArgumentError, "Unknown argument. Need either a Hash or Array."
-			end
-			unless arr.kind_of? Array
-				raise ArgumentError, "Need an array to read packets from"
-			end
-			arr.each_with_index do |p,i|
-				if p.kind_of? Hash # Binary timestamps are included
-					this_ts = p.keys.first
-					this_incl_len = p.values.first.size
-					this_orig_len = this_incl_len
-					this_data = p.values.first
-				else # it's an array
-					this_ts = Timestamp.new(:endian => self[:endian], :sec => ts + (ts_inc * i)).to_s
-					this_incl_len = p.to_s.size
-					this_orig_len = this_incl_len
-					this_data = p.to_s
-				end
-				this_pkt = PcapPacket.new({:endian => self[:endian],
-																  :timestamp => this_ts,
-																	:incl_len => this_incl_len,
-																	:orig_len => this_orig_len,
-																	:data => this_data }
-																 )
-				self[:body] << this_pkt
-			end
-			if filename
-				self.to_f(:filename => filename, :append => append)
-			else
-				self
-			end
-		end
-
-		alias_method :a2f, :array_to_file
-
-		# Just like array_to_file, but clears any existing packets from the array first.
-		def array_to_file!(arr)
-			clear
-			array_to_file(arr)
-		end
-
-		alias_method :a2f!, :array_to_file!
-
-		# Writes the PcapFile to a file. Takes the following arguments:
-		#
-		#   :filename # The file to write to.
-		#   :append   # If set to true, the packets are appended to the file, rather than overwriting.
-		def to_file(args={})
-			filename = args[:filename] || args[:file] || args[:f]
-			unless (!filename.nil? || filename.kind_of?(String))
-				raise ArgumentError, "Need a :filename for #{self.class}"
-			end
-			append = args[:append]
-			if append
-				if File.exists? filename
-					File.open(filename,'ab') {|file| file.write(self.body.to_s)}
-				else
-					File.open(filename,'wb') {|file| file.write(self.to_s)}
-				end
-			else
-				File.open(filename,'wb') {|file| file.write(self.to_s)}
-			end
-			[filename, self.body.sz, self.body.size]
-		end
-
-		alias_method :to_f, :to_file
-
-		# Shorthand method for writing to a file. Can take either :file => 'name.pcap' or
-		# simply 'name.pcap'
-		def write(filename='out.pcap')
-			if filename.kind_of?(Hash)
-				f = filename[:filename] || filename[:file] || filename[:f] || 'out.pcap'
-			else
-				f = filename.to_s
-			end
-			self.to_file(:filename => f.to_s, :append => false)
-		end
-
-		# Shorthand method for appending to a file. Can take either :file => 'name.pcap' or
-		# simply 'name.pcap'
-		def append(filename='out.pcap')
-			if filename.kind_of?(Hash)
-				f = filename[:filename] || filename[:file] || filename[:f] || 'out.pcap'
-			else
-				f = filename.to_s
-			end
-			self.to_file(:filename => f, :append => true)
-		end
-
-	end
+  # PcapHeader represents the header portion of a libpcap file (the packets
+  # themselves are in the PcapPackets array). See 
+  # http://wiki.wireshark.org/Development/LibpcapFileFormat for details.
+  #
+  # Depending on the endianness (set with :endian), elements are either
+  # :little endian or :big endian. 
+  #
+  # ==== PcapHeader Definition
+  #
+  #   Symbol  :endian     Default: :little
+  #   Int32   :magic      Default: 0xa1b2c3d4 # :big is 0xd4c3b2a1
+  #   Int16   :ver_major  Default: 2
+  #   Int16   :ver_minor  Default: 4
+  #   Int32   :thiszone
+  #   Int32   :sigfigs
+  #   Int32   :snaplen    Default: 0xffff
+  #   Int32   :network    Default: 1
+  class PcapHeader < Struct.new(:endian, :magic, :ver_major, :ver_minor,
+                                :thiszone, :sigfigs, :snaplen, :network)
+    include StructFu
+
+    MAGIC_INT32  = 0xa1b2c3d4
+    MAGIC_LITTLE = [MAGIC_INT32].pack("V")
+    MAGIC_BIG    = [MAGIC_INT32].pack("N")
+
+    def initialize(args={})
+      set_endianness(args[:endian] ||= :little)
+      init_fields(args) 
+      super(args[:endian], args[:magic], args[:ver_major], 
+            args[:ver_minor], args[:thiszone], args[:sigfigs], 
+            args[:snaplen], args[:network])
+    end
+    
+    # Called by initialize to set the initial fields. 
+    def init_fields(args={})
+      args[:magic] = @int32.new(args[:magic] || PcapHeader::MAGIC_INT32)
+      args[:ver_major] = @int16.new(args[:ver_major] || 2)
+      args[:ver_minor] ||= @int16.new(args[:ver_minor] || 4)
+      args[:thiszone] ||= @int32.new(args[:thiszone])
+      args[:sigfigs] ||= @int32.new(args[:sigfigs])
+      args[:snaplen] ||= @int32.new(args[:snaplen] || 0xffff)
+      args[:network] ||= @int32.new(args[:network] || 1)
+      return args
+    end
+
+    # Returns the object in string form.
+    def to_s
+      self.to_a[1,7].map {|x| x.to_s}.join
+    end
+
+    # Reads a string to populate the object.
+    # TODO: Need to test this by getting a hold of a big endian pcap file.
+    # Conversion from big to little shouldn't be that big of a deal.
+    def read(str)
+      force_binary(str)
+      return self if str.nil?
+      str.force_encoding(Encoding::BINARY) if str.respond_to? :force_encoding
+      if str[0,4] == self[:magic].to_s 
+        self[:magic].read str[0,4]
+        self[:ver_major].read str[4,2]
+        self[:ver_minor].read str[6,2]
+        self[:thiszone].read str[8,4]
+        self[:sigfigs].read str[12,4]
+        self[:snaplen].read str[16,4]
+        self[:network].read str[20,4]
+      else
+        raise "Incorrect magic for libpcap"
+      end
+      self
+    end
+
+  end
+
+  # The Timestamp class defines how Timestamps appear in libpcap files.
+  #
+  # ==== Header Definition
+  #
+  #  Symbol  :endian  Default: :little
+  #  Int32   :sec
+  #  Int32   :usec
+  class Timestamp < Struct.new(:endian, :sec, :usec)
+    include StructFu
+
+    def initialize(args={})
+      set_endianness(args[:endian] ||= :little)
+      init_fields(args)
+      super(args[:endian], args[:sec], args[:usec])
+    end
+
+    # Called by initialize to set the initial fields. 
+    def init_fields(args={})
+      args[:sec] = @int32.new(args[:sec])
+      args[:usec] = @int32.new(args[:usec])
+      return args
+    end
+
+    # Returns the object in string form.
+    def to_s
+      self.to_a[1,2].map {|x| x.to_s}.join
+    end
+
+    # Reads a string to populate the object.
+    def read(str)
+      force_binary(str)
+      return self if str.nil?
+      self[:sec].read str[0,4]
+      self[:usec].read str[4,4]
+      self
+    end
+
+  end
+
+  # PcapPacket defines how individual packets are stored in a libpcap-formatted
+  # file.
+  #
+  # ==== Header Definition
+  #
+  # Timestamp  :timestamp
+  # Int32      :incl_len
+  # Int32      :orig_len
+  # String     :data
+  class PcapPacket < Struct.new(:endian, :timestamp, :incl_len,
+                               :orig_len, :data)
+    include StructFu
+    def initialize(args={})
+      set_endianness(args[:endian] ||= :little)
+      init_fields(args)
+      super(args[:endian], args[:timestamp], args[:incl_len],
+           args[:orig_len], args[:data])
+    end
+
+    # Called by initialize to set the initial fields. 
+    def init_fields(args={})
+      args[:timestamp] = Timestamp.new(:endian => args[:endian]).read(args[:timestamp])
+      args[:incl_len] = args[:incl_len].nil? ? @int32.new(args[:data].to_s.size) : @int32.new(args[:incl_len])
+      args[:orig_len] = @int32.new(args[:orig_len])
+      args[:data] = StructFu::String.new.read(args[:data])
+    end
+
+    # Returns the object in string form.
+    def to_s
+      self.to_a[1,4].map {|x| x.to_s}.join
+    end
+
+    # Reads a string to populate the object.
+    def read(str)
+      return unless str
+      force_binary(str)
+      self[:timestamp].read str[0,8]
+      self[:incl_len].read str[8,4]
+      self[:orig_len].read str[12,4]
+      self[:data].read str[16,self[:incl_len].to_i]
+      self
+    end
+
+  end
+
+  # PcapPackets is a collection of PcapPacket objects.
+  class PcapPackets < Array
+
+    include StructFu
+
+    attr_accessor :endian # probably ought to be read-only but who am i.
+
+    def initialize(args={})
+      @endian = args[:endian] || :little
+    end
+
+    def force_binary(str)
+      str.force_encoding Encoding::BINARY if str.respond_to? :force_encoding
+    end
+
+    # Reads a string to populate the object. Note, this read takes in the 
+    # whole pcap file, since we need to see the magic to know what 
+    # endianness we're dealing with.
+    def read(str)
+      force_binary(str)
+      return self if str.nil?
+      if str[0,4] == PcapHeader::MAGIC_BIG
+        @endian = :big
+      elsif str[0,4] == PcapHeader::MAGIC_LITTLE
+        @endian = :little
+      else
+        raise ArgumentError, "Unknown file format for #{self.class}"
+      end
+      body = str[24,str.size]
+      while body.size > 16 # TODO: catch exceptions on malformed packets at end
+        p = PcapPacket.new(:endian => @endian)
+        p.read(body)
+        self<<p
+        body = body[p.sz,body.size]
+      end
+    self
+    end
+
+    def to_s
+      self.join
+    end
+
+  end
+
+  # PcapFile is a complete libpcap file struct, made up of two elements, a 
+  # PcapHeader and PcapPackets.
+  #
+  # See http://wiki.wireshark.org/Development/LibpcapFileFormat
+  #
+  # PcapFile also can behave as a singleton class, which is usually the better
+  # way to handle pcap files of really any size, since it doesn't require
+  # storing packets before handing them off to a given block. This is really
+  # the way to go.
+  class PcapFile < Struct.new(:endian, :head, :body)
+    include StructFu
+
+    class << self
+
+      # Takes a given file and returns an array of the packet bytes. Here 
+      # for backwards compatibilty.
+      def file_to_array(fname)
+        PcapFile.new.file_to_array(:f => fname)
+      end
+
+      # Takes a given file name, and reads out the packets. If given a block,
+      # it will yield back a PcapPacket object per packet found.
+      def read(fname,&block) 
+        file_header = PcapHeader.new
+        pcap_packets = PcapPackets.new 
+        unless File.readable? fname
+          raise ArgumentError, "Cannot read file `#{fname}'"
+        end
+        begin
+        file_handle = File.open(fname, "rb")
+        file_header.read file_handle.read(24)
+        packet_count = 0
+        pcap_packet = PcapPacket.new(:endian => file_header.endian)
+        while pcap_packet.read file_handle.read(16) do
+          len = pcap_packet.incl_len
+          pcap_packet.data = StructFu::String.new.read(file_handle.read(len.to_i))
+          packet_count += 1
+          if pcap_packet.data.size < len.to_i
+            warn "Packet ##{packet_count} is corrupted: expected #{len.to_i}, got #{pcap_packet.data.size}. Exiting."
+            break
+          end
+          if block
+            yield pcap_packet
+          else
+            pcap_packets << pcap_packet.clone
+          end
+        end
+        ensure
+          file_handle.close
+        end
+        block ? packet_count : pcap_packets
+      end
+
+      # Takes a filename, and an optional block. If a block is given, 
+      # yield back the raw packet data from the given file. Otherwise,
+      # return an array of parsed packets.
+      def read_packet_bytes(fname,&block)
+        count = 0
+        packets = [] unless block
+        read(fname) do |packet| 
+          if block
+            count += 1
+            yield packet.data.to_s
+          else
+            packets << packet.data.to_s
+          end
+        end
+        block ? count : packets
+      end
+
+      alias :file_to_array :read_packet_bytes 
+
+      # Takes a filename, and an optional block. If a block is given,
+      # yield back parsed packets from the given file. Otherwise, return
+      # an array of parsed packets.
+      #
+      # This is a brazillian times faster than the old methods of extracting
+      # packets from files.
+      def read_packets(fname,&block)
+        count = 0
+        packets = [] unless block
+        read_packet_bytes(fname) do |packet| 
+          if block
+            count += 1
+            yield Packet.parse(packet)
+          else
+            packets << Packet.parse(packet)
+          end
+        end
+        block ? count : packets
+      end
+
+    end
+
+    def initialize(args={})
+      init_fields(args)
+      @filename = args.delete :filename
+      super(args[:endian], args[:head], args[:body])
+    end
+
+    # Called by initialize to set the initial fields. 
+    def init_fields(args={})
+      args[:head] = PcapHeader.new(:endian => args[:endian]).read(args[:head])
+      args[:body] = PcapPackets.new(:endian => args[:endian]).read(args[:body])
+      return args
+    end
+
+    # Returns the object in string form.
+    def to_s
+      self[:head].to_s + self[:body].map {|p| p.to_s}.join
+    end
+
+    # Clears the contents of the PcapFile.
+    def clear
+      self[:body].clear
+    end
+
+    # Reads a string to populate the object. Note that this appends new packets to
+    # any existing packets in the PcapFile.
+    def read(str)
+      force_binary(str)
+      self[:head].read str[0,24]
+      self[:body].read str
+      self
+    end
+
+    # Clears the contents of the PcapFile prior to reading in a new string.
+    def read!(str)
+      clear	
+      force_binary(str)
+      self.read str
+    end
+
+    # A shorthand method for opening a file and reading in the packets. Note
+    # that readfile clears any existing packets, since that seems to be the
+    # typical use.
+    def readfile(file)
+      fdata = File.open(file, "rb") {|f| f.read}
+      self.read! fdata
+    end
+
+    # Calls the class method with this object's @filename
+    def read_packet_bytes(fname=@filename,&block)
+      raise ArgumentError, "Need a file" unless fname
+      return self.class.read_packet_bytes(fname, &block)
+    end
+
+    # Calls the class method with this object's @filename
+    def read_packets(fname=@filename,&block)
+      raise ArgumentError, "Need a file" unless fname
+      return self.class.read_packets(fname, &block)
+    end
+
+    # file_to_array() translates a libpcap file into an array of packets.
+    # Note that this strips out pcap timestamps -- if you'd like to retain
+    # timestamps and other libpcap file information, you will want to 
+    # use read() instead.
+    def file_to_array(args={})
+      filename = args[:filename] || args[:file] || args[:f]
+      if filename
+        self.read! File.open(filename, "rb") {|f| f.read}
+      end
+      if args[:keep_timestamps] || args[:keep_ts] || args[:ts]
+        self[:body].map {|x| {x.timestamp.to_s => x.data.to_s} }
+      else
+        self[:body].map {|x| x.data.to_s}
+      end
+    end
+
+    alias_method :f2a, :file_to_array
+
+    # Takes an array of packets (as generated by file_to_array), and writes them
+    # to a file. Valid arguments are:
+    #
+    #   :filename
+    #   :array      # Can either be an array of packet data, or a hash-value pair of timestamp => data.
+    #   :timestamp  # Sets an initial timestamp
+    #   :ts_inc     # Sets the increment between timestamps. Defaults to 1 second.
+    #   :append     # If true, then the packets are appended to the end of a file.
+    def array_to_file(args={})
+      if args.kind_of? Hash
+        filename = args[:filename] || args[:file] || args[:f]
+        arr = args[:array] || args[:arr] || args[:a]
+        ts = args[:timestamp] || args[:ts] || Time.now.to_i
+        ts_inc = args[:timestamp_increment] || args[:ts_inc] || 1
+        append = !!args[:append]
+      elsif args.kind_of? Array
+        arr = args
+        filename = append = nil
+      else
+        raise ArgumentError, "Unknown argument. Need either a Hash or Array."
+      end
+      unless arr.kind_of? Array
+        raise ArgumentError, "Need an array to read packets from"
+      end
+      arr.each_with_index do |p,i|
+        if p.kind_of? Hash # Binary timestamps are included
+          this_ts = p.keys.first
+          this_incl_len = p.values.first.size
+          this_orig_len = this_incl_len
+          this_data = p.values.first
+        else # it's an array
+          this_ts = Timestamp.new(:endian => self[:endian], :sec => ts + (ts_inc * i)).to_s
+          this_incl_len = p.to_s.size
+          this_orig_len = this_incl_len
+          this_data = p.to_s
+        end
+        this_pkt = PcapPacket.new({:endian => self[:endian],
+                                  :timestamp => this_ts,
+                                  :incl_len => this_incl_len,
+                                  :orig_len => this_orig_len,
+                                  :data => this_data }
+                                 )
+        self[:body] << this_pkt
+      end
+      if filename
+        self.to_f(:filename => filename, :append => append)
+      else
+        self
+      end
+    end
+
+    alias_method :a2f, :array_to_file
+
+    # Just like array_to_file, but clears any existing packets from the array first.
+    def array_to_file!(arr)
+      clear
+      array_to_file(arr)
+    end
+
+    alias_method :a2f!, :array_to_file!
+
+    # Writes the PcapFile to a file. Takes the following arguments:
+    #
+    #   :filename # The file to write to.
+    #   :append   # If set to true, the packets are appended to the file, rather than overwriting.
+    def to_file(args={})
+      filename = args[:filename] || args[:file] || args[:f]
+      unless (!filename.nil? || filename.kind_of?(String))
+        raise ArgumentError, "Need a :filename for #{self.class}"
+      end
+      append = args[:append]
+      if append
+        if File.exists? filename
+          File.open(filename,'ab') {|file| file.write(self.body.to_s)}
+        else
+          File.open(filename,'wb') {|file| file.write(self.to_s)}
+        end
+      else
+        File.open(filename,'wb') {|file| file.write(self.to_s)}
+      end
+      [filename, self.body.sz, self.body.size]
+    end
+
+    alias_method :to_f, :to_file
+
+    # Shorthand method for writing to a file. Can take either :file => 'name.pcap' or
+    # simply 'name.pcap'
+    def write(filename='out.pcap')
+      if filename.kind_of?(Hash)
+        f = filename[:filename] || filename[:file] || filename[:f] || 'out.pcap'
+      else
+        f = filename.to_s
+      end
+      self.to_file(:filename => f.to_s, :append => false)
+    end
+
+    # Shorthand method for appending to a file. Can take either :file => 'name.pcap' or
+    # simply 'name.pcap'
+    def append(filename='out.pcap')
+      if filename.kind_of?(Hash)
+        f = filename[:filename] || filename[:file] || filename[:f] || 'out.pcap'
+      else
+        f = filename.to_s
+      end
+      self.to_file(:filename => f, :append => true)
+    end
+
+  end
 
 end
 
 module PacketFu
 
-	# Read is largely deprecated. It was current in PacketFu 0.2.0, but isn't all that useful
-	# in 0.3.0 and beyond. Expect it to go away completely by version 1.0. So, the main use
-	# of this class is to learn how to do exactly the same things using the PcapFile object.
-	class Read
+  # Read is largely deprecated. It was current in PacketFu 0.2.0, but isn't all that useful
+  # in 0.3.0 and beyond. Expect it to go away completely by version 1.0. So, the main use
+  # of this class is to learn how to do exactly the same things using the PcapFile object.
+  class Read
 
-		class << self
+    class << self
 
-			# Reads the magic string of a pcap file, and determines
-			# if it's :little or :big endian.
-			def get_byte_order(pcap_file)
-				byte_order = ((pcap_file[0,4] == PcapHeader::MAGIC_LITTLE) ? :little : :big)
-				return byte_order
-			end
+      # Reads the magic string of a pcap file, and determines
+      # if it's :little or :big endian.
+      def get_byte_order(pcap_file)
+        byte_order = ((pcap_file[0,4] == PcapHeader::MAGIC_LITTLE) ? :little : :big)
+        return byte_order
+      end
 
-			# set_byte_order is pretty much totally deprecated.
-			def set_byte_order(byte_order)
-				PacketFu.instance_variable_set(:@byte_order,byte_order)
-				return true
-			end
+      # set_byte_order is pretty much totally deprecated.
+      def set_byte_order(byte_order)
+        PacketFu.instance_variable_set(:@byte_order,byte_order)
+        return true
+      end
 
-			# A wrapper for PcapFile#file_to_array, but only returns the array. Actually
-			# using the PcapFile object is going to be more useful.
-			def file_to_array(args={})
-				filename = args[:filename] || args[:file] || args[:out]
-				raise ArgumentError, "Need a :filename in string form to read from." if (filename.nil? || filename.class != String)
-				PcapFile.new.file_to_array(args)
-			end
+      # A wrapper for PcapFile#file_to_array, but only returns the array. Actually
+      # using the PcapFile object is going to be more useful.
+      def file_to_array(args={})
+        filename = args[:filename] || args[:file] || args[:out]
+        raise ArgumentError, "Need a :filename in string form to read from." if (filename.nil? || filename.class != String)
+        PcapFile.new.file_to_array(args)
+      end
 
-			alias_method :f2a, :file_to_array
+      alias_method :f2a, :file_to_array
 
-		end
+    end
 
-	end
+  end
 
 end
 
 module PacketFu
 
-	# Write is largely deprecated. It was current in PacketFu 0.2.0, but isn't all that useful
-	# in 0.3.0 and beyond. Expect it to go away completely by version 1.0, as working with
-	# PacketFu::PcapFile directly is generally going to be more rewarding.
-	class Write
-
-		class << self
-
-			# format_packets: Pretty much totally deprecated.
-			def format_packets(args={})
-				arr = args[:arr] || args[:array] || []
-				ts = args[:ts] || args[:timestamp] || Time.now.to_i
-				ts_inc = args[:ts_inc] || args[:timestamp_increment]
-				pkts = PcapFile.new.array_to_file(:endian => PacketFu.instance_variable_get(:@byte_order),
-																					:arr => arr,
-																					:ts => ts,
-																					:ts_inc => ts_inc)
-				pkts.body
-			end
-
-			# array_to_file is a largely deprecated function for writing arrays of pcaps to a file.
-			# Use PcapFile#array_to_file instead.
-			def array_to_file(args={})
-				filename = args[:filename] || args[:file] || args[:out] || :nowrite
-				arr = args[:arr] || args[:array] || []
-				ts = args[:ts] || args[:timestamp] || args[:time_stamp] || Time.now.to_f
-				ts_inc = args[:ts_inc] || args[:timestamp_increment] || args[:time_stamp_increment]
-				byte_order = args[:byte_order] || args[:byteorder] || args[:endian] || args[:endianness] || :little
-				append = args[:append]
-				Read.set_byte_order(byte_order) if [:big, :little].include? byte_order
-				pf = PcapFile.new
-				pf.array_to_file(:endian => PacketFu.instance_variable_get(:@byte_order),
-												 :arr => arr,
-												 :ts => ts,
-												 :ts_inc => ts_inc)
-				if filename && filename != :nowrite
-					if append
-						pf.append(filename)
-					else
-						pf.write(filename)
-					end
-					return [filename,pf.to_s.size,arr.size,ts,ts_inc]
-				else
-					return [nil,pf.to_s.size,arr.size,ts,ts_inc]
-				end
-
-			end
-
-			alias_method :a2f, :array_to_file
-
-			# Shorthand method for appending to a file. Also shouldn't use.
-			def append(args={})
-				array_to_file(args.merge(:append => true))
-			end
-
-		end
-
-	end
+  # Write is largely deprecated. It was current in PacketFu 0.2.0, but isn't all that useful
+  # in 0.3.0 and beyond. Expect it to go away completely by version 1.0, as working with
+  # PacketFu::PcapFile directly is generally going to be more rewarding.
+  class Write
+
+    class << self
+
+      # format_packets: Pretty much totally deprecated.
+      def format_packets(args={})
+        arr = args[:arr] || args[:array] || []
+        ts = args[:ts] || args[:timestamp] || Time.now.to_i
+        ts_inc = args[:ts_inc] || args[:timestamp_increment]
+        pkts = PcapFile.new.array_to_file(:endian => PacketFu.instance_variable_get(:@byte_order),
+                                          :arr => arr,
+                                          :ts => ts,
+                                          :ts_inc => ts_inc)
+        pkts.body
+      end
+
+      # array_to_file is a largely deprecated function for writing arrays of pcaps to a file.
+      # Use PcapFile#array_to_file instead.
+      def array_to_file(args={})
+        filename = args[:filename] || args[:file] || args[:out] || :nowrite
+        arr = args[:arr] || args[:array] || []
+        ts = args[:ts] || args[:timestamp] || args[:time_stamp] || Time.now.to_f
+        ts_inc = args[:ts_inc] || args[:timestamp_increment] || args[:time_stamp_increment]
+        byte_order = args[:byte_order] || args[:byteorder] || args[:endian] || args[:endianness] || :little
+        append = args[:append]
+        Read.set_byte_order(byte_order) if [:big, :little].include? byte_order
+        pf = PcapFile.new
+        pf.array_to_file(:endian => PacketFu.instance_variable_get(:@byte_order),
+                         :arr => arr,
+                         :ts => ts,
+                         :ts_inc => ts_inc)
+        if filename && filename != :nowrite
+          if append
+            pf.append(filename)
+          else
+            pf.write(filename)
+          end
+          return [filename,pf.to_s.size,arr.size,ts,ts_inc]
+        else
+          return [nil,pf.to_s.size,arr.size,ts,ts_inc]
+        end
+
+      end
+
+      alias_method :a2f, :array_to_file
+
+      # Shorthand method for appending to a file. Also shouldn't use.
+      def append(args={})
+        array_to_file(args.merge(:append => true))
+      end
+
+    end
+
+  end
 
 end