packetfu 1.1.9 → 1.1.10

data/examples/simple-stats.rb

@@ -16,33 +16,33 @@ require 'packetfu'
 # Takes a file name, parses the packets, and records the packet
 # type based on its PacketFu class.
 def count_packet_types(file)
-  file = File.open(file) {|f| f.read}
-  stats = {}
-  count = 0
-  pcapfile = PacketFu::PcapPackets.new
-  pcapfile.read(file)
-  pcapfile.each do |p|
-    # Now it's a PacketFu packet struct.
-    pkt = PacketFu::Packet.parse(p.data) 
-    kind = pkt.class.to_s.split("::").last
-    if stats[kind]
-      stats[kind] += 1
-    else
-      stats[kind] = 0
-    end
-    count += 1
-    break if count >= 1_000
-  end
-  stats.each_pair { |k,v| puts "%-12s: %4d" % [k,v] }
+	file = File.open(file) {|f| f.read}
+	stats = {}
+	count = 0
+	pcapfile = PacketFu::PcapPackets.new
+	pcapfile.read(file)
+	pcapfile.each do |p|
+		# Now it's a PacketFu packet struct.
+		pkt = PacketFu::Packet.parse(p.data) 
+		kind = pkt.class.to_s.split("::").last
+		if stats[kind]
+			stats[kind] += 1
+		else
+			stats[kind] = 0
+		end
+		count += 1
+		break if count >= 1_000
+	end
+	stats.each_pair { |k,v| puts "%-12s: %4d" % [k,v] }
 end
 
 if File.readable?(infile = (ARGV[0] || 'in.pcap'))
-  title = "Packets by packet type in '#{infile}'"
-  puts title
-  puts "-" * title.size
-  count_packet_types(infile)
+	title = "Packets by packet type in '#{infile}'"
+	puts title
+	puts "-" * title.size
+	count_packet_types(infile)
 else
-  raise RuntimeError, "Need an infile, like so: #{$0} in.pcap"
+	raise RuntimeError, "Need an infile, like so: #{$0} in.pcap"
 end
 
 

data/examples/slammer.rb

@@ -14,7 +14,7 @@ include PacketFu
 slammer = "\004\001\001\001\001\001\001" + "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001" + "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001" + "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001" + "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\334\311\260B\353\016" + "\001\001\001\001\001\001\001p\256B\001p\256B\220\220\220\220\220\220\220\220h\334\311\260B\270\001\001" + "\001\0011\311\261\030P\342\3755\001\001\001\005P\211\345Qh.dllhel32hkernQhounthickChGetTf" + "\271llQh32.dhws2_f\271etQhsockf\271toQhsend\276\030\020\256B\215E\324P\377\026P\215E\340P\215E\360P\377" + "\026P\276\020\020\256B\213\036\213\003=U\213\354Qt\005\276\034\020\256B\377\026\377\3201\311QQP\201\361" + "\003\001\004\233\201\361\001\001\001\001Q\215E\314P\213E\300P\377\026j\021j\002j\002\377\320P\215E\304P" + "\213E\300P\377\026\211\306\t\333\201\363<a\331\377\213E\264\215\f@\215\024\210\301\342\004\001\302\301" + "\342\b)\302\215\004\220\001\330\211E\264j\020\215E\260P1\311Qf\201\361x\001Q\215E\003P\213E\254P\377\326" + "\353\312"
 
 def rand_source_ip
-  [rand(0xffffffff)].pack("N")
+	[rand(0xffffffff)].pack("N")
 end
 
 kill_packet = UDPPacket.new
@@ -26,9 +26,9 @@ kill_packet.recalc
 kill_packet.payload = slammer
 
 if action == 'file'.downcase
-  puts kill_packet.to_f
+	puts kill_packet.to_f
 else
-  puts kill_packet.to_w(action.downcase)
+	puts kill_packet.to_w(action.downcase)
 end
 
 

data/lib/packetfu.rb

@@ -13,133 +13,133 @@ require 'rubygems' if RUBY_VERSION =~ /^1\.[0-8]/
 
 module PacketFu
 
-  # Picks up all the protocols defined in the protos subdirectory
-  def self.require_protos(cwd)
-    protos_dir = File.join(cwd, "packetfu", "protos")
-    Dir.new(protos_dir).each do |fname|
-      next unless fname[/\.rb$/]
-      begin 
-        require File.join(protos_dir,fname)
-      rescue
-        warn "Warning: Could not load `#{fname}'. Skipping."
-      end
-    end
-  end
-
-  # Deal with Ruby's encoding by ignoring it.
-  def self.force_binary(str)
-    str.force_encoding Encoding::BINARY if str.respond_to? :force_encoding
-  end
-
-  # Sets the expected byte order for a pcap file. See PacketFu::Read.set_byte_order
-  @byte_order = :little
-
-  # Checks if pcaprub is loaded correctly.
-  @pcaprub_loaded = false
-
-  # PacketFu works best with Pcaprub version 0.8-dev (at least)
-  # The current (Aug 01, 2010) pcaprub gem is 0.9, so should be fine.
-  def self.pcaprub_platform_require
-    begin
-      require 'pcaprub'
-    rescue LoadError
-      return false
-    end
-    @pcaprub_loaded = true 
-  end
-
-  pcaprub_platform_require
-
-  if @pcaprub_loaded
-    pcaprub_regex = /[0-9]\.([8-9]|[1-7][0-9])(-dev)?/ # Regex for 0.8 and beyond.
-    if Pcap.version !~ pcaprub_regex 
-      @pcaprub_loaded = false # Don't bother with broken versions
-      raise LoadError, "PcapRub not at a minimum version of 0.8-dev"
-    end
-    require "packetfu/capture" 
-    require "packetfu/inject"
-  end
-
-  # Returns the status of pcaprub
-  def self.pcaprub_loaded?
-    @pcaprub_loaded
-  end
-
-  # Returns an array of classes defined in PacketFu
-  def self.classes
-    constants.map { |const| const_get(const) if const_get(const).kind_of? Class}.compact
-  end
-
-  # Adds the class to PacketFu's list of packet classes -- used in packet parsing.
-  def self.add_packet_class(klass)
-    raise "Need a class" unless klass.kind_of? Class
-    if klass.name !~ /[A-Za-z0-9]Packet/
-      raise "Packet classes should be named 'ProtoPacket'"
-    end
-    @packet_classes ||= []
-    @packet_classes << klass
-    @packet_classes_dirty = true
-    @packet_classes.sort! {|x,y| x.name <=> y.name}
-  end
-
-  # Presumably, there may be a time where you'd like to remove a packet class.
-  def self.remove_packet_class(klass)
-    raise "Need a class" unless klass.kind_of? Class
-    @packet_classes ||= []
-    @packet_classes.delete klass
-    @packet_classes_dirty = true
-    @packet_classes 
-  end
-
-  # Returns an array of packet classes
-  def self.packet_classes
-    @packet_classes || []
-  end
-
-  # Returns an array of packet types by packet prefix.
-  def self.packet_prefixes
-    return [] if @packet_classes.nil?
-    return @packet_class_prefixes if @packet_classes_dirty == false
-    @packet_classes_dirty = false
-    @packet_class_prefixes = @packet_classes.map {|p| p.to_s.split("::").last.to_s.downcase.gsub(/packet$/,"")}
-    return @packet_class_prefixes
-  end
-
-  # The current inspect style. One of :hex, :dissect, or :default
-  # Note that :default means Ruby's default, which is usually
-  # far too long to be useful.
-  def self.inspect_style
-    @inspect_style ||= :dissect
-  end
-
-  # Setter for PacketFu's @inspect_style
-  def self.inspect_style=(arg)
-    @inspect_style = case arg
-      when :hex, :pretty
-        :hex
-      when :dissect, :verbose
-        :dissect
-      when :default, :ugly
-        :default
-      else
-        :dissect
-      end
-  end
-
-  # Switches inspect styles in a round-robin fashion between 
-  # :dissect, :default, and :hex
-  def toggle_inspect
-    case @inspect_style
-    when :hex, :pretty
-      @inspect_style = :dissect
-    when :dissect, :verbose
-      @inspect_style = :default
-    when :default, :ugly
-      @inspect_style = :hex
-    else
-      @inspect_style = :dissect
-    end
-  end
+	# Picks up all the protocols defined in the protos subdirectory
+	def self.require_protos(cwd)
+		protos_dir = File.join(cwd, "packetfu", "protos")
+		Dir.new(protos_dir).each do |fname|
+			next unless fname[/\.rb$/]
+			begin 
+				require File.join(protos_dir,fname)
+			rescue
+				warn "Warning: Could not load `#{fname}'. Skipping."
+			end
+		end
+	end
+
+	# Deal with Ruby's encoding by ignoring it.
+	def self.force_binary(str)
+		str.force_encoding Encoding::BINARY if str.respond_to? :force_encoding
+	end
+
+	# Sets the expected byte order for a pcap file. See PacketFu::Read.set_byte_order
+	@byte_order = :little
+
+	# Checks if pcaprub is loaded correctly.
+	@pcaprub_loaded = false
+
+	# PacketFu works best with Pcaprub version 0.8-dev (at least)
+	# The current (Aug 01, 2010) pcaprub gem is 0.9, so should be fine.
+	def self.pcaprub_platform_require
+		begin
+			require 'pcaprub'
+		rescue LoadError
+			return false
+		end
+		@pcaprub_loaded = true 
+	end
+
+	pcaprub_platform_require
+
+	if @pcaprub_loaded
+		pcaprub_regex = /[0-9]\.([8-9]|[1-7][0-9])(-dev)?/ # Regex for 0.8 and beyond.
+		if Pcap.version !~ pcaprub_regex 
+			@pcaprub_loaded = false # Don't bother with broken versions
+			raise LoadError, "PcapRub not at a minimum version of 0.8-dev"
+		end
+		require "packetfu/capture" 
+		require "packetfu/inject"
+	end
+
+	# Returns the status of pcaprub
+	def self.pcaprub_loaded?
+		@pcaprub_loaded
+	end
+
+	# Returns an array of classes defined in PacketFu
+	def self.classes
+		constants.map { |const| const_get(const) if const_get(const).kind_of? Class}.compact
+	end
+
+	# Adds the class to PacketFu's list of packet classes -- used in packet parsing.
+	def self.add_packet_class(klass)
+		raise "Need a class" unless klass.kind_of? Class
+		if klass.name !~ /[A-Za-z0-9]Packet/
+			raise "Packet classes should be named 'ProtoPacket'"
+		end
+		@packet_classes ||= []
+		@packet_classes << klass
+		@packet_classes_dirty = true
+		@packet_classes.sort! {|x,y| x.name <=> y.name}
+	end
+
+	# Presumably, there may be a time where you'd like to remove a packet class.
+	def self.remove_packet_class(klass)
+		raise "Need a class" unless klass.kind_of? Class
+		@packet_classes ||= []
+		@packet_classes.delete klass
+		@packet_classes_dirty = true
+		@packet_classes 
+	end
+
+	# Returns an array of packet classes
+	def self.packet_classes
+		@packet_classes || []
+	end
+
+	# Returns an array of packet types by packet prefix.
+	def self.packet_prefixes
+		return [] if @packet_classes.nil?
+		return @packet_class_prefixes if @packet_classes_dirty == false
+		@packet_classes_dirty = false
+		@packet_class_prefixes = @packet_classes.map {|p| p.to_s.split("::").last.to_s.downcase.gsub(/packet$/,"")}
+		return @packet_class_prefixes
+	end
+
+	# The current inspect style. One of :hex, :dissect, or :default
+	# Note that :default means Ruby's default, which is usually
+	# far too long to be useful.
+	def self.inspect_style
+		@inspect_style ||= :dissect
+	end
+
+	# Setter for PacketFu's @inspect_style
+	def self.inspect_style=(arg)
+		@inspect_style = case arg
+			when :hex, :pretty
+				:hex
+			when :dissect, :verbose
+				:dissect
+			when :default, :ugly
+				:default
+			else
+				:dissect
+			end
+	end
+
+	# Switches inspect styles in a round-robin fashion between 
+	# :dissect, :default, and :hex
+	def toggle_inspect
+		case @inspect_style
+		when :hex, :pretty
+			@inspect_style = :dissect
+		when :dissect, :verbose
+			@inspect_style = :default
+		when :default, :ugly
+			@inspect_style = :hex
+		else
+			@inspect_style = :dissect
+		end
+	end
 
 
 end

data/lib/packetfu/capture.rb

@@ -1,173 +1,173 @@
 # -*- coding: binary -*-
 module PacketFu
 
-  # The Capture class is used to construct PcapRub objects in order to collect
-  # packets from an interface.
-  #
-  # This class requires PcapRub. In addition, you will need root (or root-like) privileges 
-  # in order to capture from the interface.
-  #
-  # Note, on some wireless cards, setting :promisc => true will disable capturing.
-  #
-  # == Example
-  #
-  #  # Typical use
-  #  cap = PacketFu::Capture.new(:iface => 'eth0', :promisc => true)
-  #  cap.start
-  #  sleep 10
-  #  cap.save
-  #  first_packet = cap.array[0]
-  #
-  #  # Tcpdump-like use
-  #  cap = PacketFu::Capture.new(:start => true)
-  #  cap.show_live(:save => true, :filter => 'tcp and not port 22')
-  #
-  # == See Also
-  #
-  # Read, Write
-  class Capture
-    attr_accessor :array, :stream # Leave these public and open.
-    attr_reader :iface, :snaplen, :promisc, :timeout, :filter
-
-    def initialize(args={})
-      @array = [] # Where the packet array goes.
-      @stream = [] # Where the stream goes.
-      @iface = (args[:iface] || ENV['IFACE'] || Pcap.lookupdev || "lo").to_s
-      @snaplen = args[:snaplen] || 0xffff
-      @promisc = args[:promisc] || false # Sensible for some Intel wifi cards
-      @timeout = args[:timeout] || 1
-      @filter  = args[:filter] || args[:bpf]
-      setup_params(args)
-    end
-
-    # Used by new().
-    def setup_params(args={})
-      filter = args[:filter] || args[:bpf] || @filter
-      start = args[:start] || false
-      capture if start
-      bpf(:filter=>filter) if filter
-    end
-
-    # capture() initializes the @stream varaible. Valid arguments are:
-    #
-    #   :filter
-    #     Provide a bpf filter to enable for the capture. For example, 'ip and not tcp'
-    #   :start
-    #     When true, start capturing packets to the @stream variable. Defaults to true
-    def capture(args={})
-      if Process.euid.zero?
-        filter = args[:filter] || args[:bpf] || @filter
-        start = args[:start] || true
-        if start
-          begin
-            @stream = Pcap.open_live(@iface,@snaplen,@promisc,@timeout)
-          rescue RuntimeError
-            $stderr.print "Are you sure you're root? Error: "
-            raise
-          end
-          bpf(:filter=>filter) if filter
-        else
-          @stream = []
-        end
-        @stream
-      else
-        raise RuntimeError,"Not root, so can't capture packets. Error: "
-      end
-    end
-
-    # start() is equivalent to capture().
-    def start(args={})
-      capture(args)
-    end
-
-    # clear() clears the @stream and @array variables, essentially starting the
-    # capture session over. Valid arguments are:
-    #
-    #   :array 
-    #     If true, the @array is cleared.
-    #   :stream
-    #     If true, the @stream is cleared.
-    def clear(args={})
-      array = args[:array] || true
-      stream = args[:stream] || true
-      @array = [] if array
-      @stream = [] if stream
-    end
-
-    # bpf() sets a bpf filter on a capture session. Valid arugments are:
-    #
-    #   :filter
-    #     Provide a bpf filter to enable for the capture. For example, 'ip and not tcp'
-    def bpf(args={})
-      filter = args[:filter] || args[:bpf] || @filter
-      capture if @stream.class == Array
-      @stream.setfilter(filter) if filter
-      @filter = filter
-    end
-
-    alias :filter :bpf
-
-    # wire_to_array() saves a packet stream as an array of binary strings. From here,
-    # packets may accessed by other functions. Note that the wire_to_array empties
-    # the stream, so multiple calls will append new packets to @array.
-    # Valid arguments are:
-    #
-    #   :filter
-    #     Provide a bpf filter to apply to packets moving from @stream to @array.
-    def wire_to_array(args={})
-      filter = args[:filter] || args[:bpf] || @filter
-      bpf(:filter=>filter) if filter
-
-      while this_pkt = @stream.next
-        @array << this_pkt
-      end
-      @array.size
-    end
-
-    # next() exposes the Stream object's next method to the outside world.
-    def next
-      return @stream.next
-    end
-
-    # w2a() is a equivalent to wire_to_array()
-    def w2a(args={})
-      wire_to_array(args)
-    end
-
-    # save() is a equivalent to wire_to_array()
-    def save(args={})
-      wire_to_array(args)
-    end
-
-    # show_live() is a method to capture packets and display peek() data to stdout. Valid arguments are:
-    #
-    #   :filter
-    #     Provide a bpf filter to captured packets.
-    #   :save
-    #     Save the capture in @array
-    #   :verbose
-    #     TODO: Not implemented yet; do more than just peek() at the packets.
-    #   :quiet
-    #     TODO: Not implemented yet; do less than peek() at the packets.
-    def show_live(args={})
-      filter = args[:filter] || args[:bpf] || @filter
-      save = args[:save]
-      verbose = args[:verbose] || args[:v] || false
-      quiet = args[:quiet] || args[:q] || false # Setting q and v doesn't make a lot of sense but hey.
-
-      # Ensure the capture's started.
-      if @stream.class == Array
-        capture
-      end
-
-      @stream.setfilter(filter) if filter
-      while true
-        @stream.each do |pkt|
-          puts Packet.parse(pkt).peek
-          @array << pkt if args[:save]
-        end
-      end
-    end
-
-  end
+	# The Capture class is used to construct PcapRub objects in order to collect
+	# packets from an interface.
+	#
+	# This class requires PcapRub. In addition, you will need root (or root-like) privileges 
+	# in order to capture from the interface.
+	#
+	# Note, on some wireless cards, setting :promisc => true will disable capturing.
+	#
+	# == Example
+	#
+	#  # Typical use
+	#  cap = PacketFu::Capture.new(:iface => 'eth0', :promisc => true)
+	#  cap.start
+	#  sleep 10
+	#  cap.save
+	#  first_packet = cap.array[0]
+	#
+	#  # Tcpdump-like use
+	#  cap = PacketFu::Capture.new(:start => true)
+	#  cap.show_live(:save => true, :filter => 'tcp and not port 22')
+	#
+	# == See Also
+	#
+	# Read, Write
+	class Capture
+		attr_accessor :array, :stream # Leave these public and open.
+		attr_reader :iface, :snaplen, :promisc, :timeout, :filter
+
+		def initialize(args={})
+			@array = [] # Where the packet array goes.
+			@stream = [] # Where the stream goes.
+			@iface = (args[:iface] || ENV['IFACE'] || Pcap.lookupdev || "lo").to_s
+			@snaplen = args[:snaplen] || 0xffff
+			@promisc = args[:promisc] || false # Sensible for some Intel wifi cards
+			@timeout = args[:timeout] || 1
+			@filter  = args[:filter] || args[:bpf]
+			setup_params(args)
+		end
+
+		# Used by new().
+		def setup_params(args={})
+			filter = args[:filter] || args[:bpf] || @filter
+			start = args[:start] || false
+			capture if start
+			bpf(:filter=>filter) if filter
+		end
+
+		# capture() initializes the @stream varaible. Valid arguments are:
+		#
+		#   :filter
+		#     Provide a bpf filter to enable for the capture. For example, 'ip and not tcp'
+		#   :start
+		#     When true, start capturing packets to the @stream variable. Defaults to true
+		def capture(args={})
+			if Process.euid.zero?
+				filter = args[:filter] || args[:bpf] || @filter
+				start = args[:start] || true
+				if start
+					begin
+						@stream = Pcap.open_live(@iface,@snaplen,@promisc,@timeout)
+					rescue RuntimeError
+						$stderr.print "Are you sure you're root? Error: "
+						raise
+					end
+					bpf(:filter=>filter) if filter
+				else
+					@stream = []
+				end
+				@stream
+			else
+				raise RuntimeError,"Not root, so can't capture packets. Error: "
+			end
+		end
+
+		# start() is equivalent to capture().
+		def start(args={})
+			capture(args)
+		end
+
+		# clear() clears the @stream and @array variables, essentially starting the
+		# capture session over. Valid arguments are:
+		#
+		#   :array 
+		#     If true, the @array is cleared.
+		#   :stream
+		#     If true, the @stream is cleared.
+		def clear(args={})
+			array = args[:array] || true
+			stream = args[:stream] || true
+			@array = [] if array
+			@stream = [] if stream
+		end
+
+		# bpf() sets a bpf filter on a capture session. Valid arugments are:
+		#
+		#   :filter
+		#     Provide a bpf filter to enable for the capture. For example, 'ip and not tcp'
+		def bpf(args={})
+			filter = args[:filter] || args[:bpf] || @filter
+			capture if @stream.class == Array
+			@stream.setfilter(filter) if filter
+			@filter = filter
+		end
+
+		alias :filter :bpf
+
+		# wire_to_array() saves a packet stream as an array of binary strings. From here,
+		# packets may accessed by other functions. Note that the wire_to_array empties
+		# the stream, so multiple calls will append new packets to @array.
+		# Valid arguments are:
+		#
+		#   :filter
+		#     Provide a bpf filter to apply to packets moving from @stream to @array.
+		def wire_to_array(args={})
+			filter = args[:filter] || args[:bpf] || @filter
+			bpf(:filter=>filter) if filter
+
+			while this_pkt = @stream.next
+				@array << this_pkt
+			end
+			@array.size
+		end
+
+		# next() exposes the Stream object's next method to the outside world.
+		def next
+			return @stream.next
+		end
+
+		# w2a() is a equivalent to wire_to_array()
+		def w2a(args={})
+			wire_to_array(args)
+		end
+
+		# save() is a equivalent to wire_to_array()
+		def save(args={})
+			wire_to_array(args)
+		end
+
+		# show_live() is a method to capture packets and display peek() data to stdout. Valid arguments are:
+		#
+		#   :filter
+		#     Provide a bpf filter to captured packets.
+		#   :save
+		#     Save the capture in @array
+		#   :verbose
+		#     TODO: Not implemented yet; do more than just peek() at the packets.
+		#   :quiet
+		#     TODO: Not implemented yet; do less than peek() at the packets.
+		def show_live(args={})
+			filter = args[:filter] || args[:bpf] || @filter
+			save = args[:save]
+			verbose = args[:verbose] || args[:v] || false
+			quiet = args[:quiet] || args[:q] || false # Setting q and v doesn't make a lot of sense but hey.
+
+			# Ensure the capture's started.
+			if @stream.class == Array
+				capture
+			end
+
+			@stream.setfilter(filter) if filter
+			while true
+				@stream.each do |pkt|
+					puts Packet.parse(pkt).peek
+					@array << pkt if args[:save]
+				end
+			end
+		end
+
+	end
 end