packetfu 1.0.3.pre → 1.0.4.pre

data/.document

@@ -1,4 +1,3 @@
 lib/packetfu.rb
 lib/packetfu/
-examples/packetfu-shell.rb
-
+README

data/README

@@ -1,11 +1,12 @@
 = PacketFu
 
 A library for reading a writing packets to an interface or to a libpcap-formatted file.
-It is maintained at http://code.google.com/p/packetfu
+
+It is maintained at http://code.google.com/p/packetfu and https://github.com/todb/packetfu (which repository will win?)
 
 == Documentation
 
-PacketFu is rdoc-compatable. In the same directory as this file, run "rdoc" by itself, and then view doc/index.html with your favored browser. Once that's done, navigate at the top, and read up on how to create a Packet or Capture from an interface with show_live or whatever.
+PacketFu is rdoc-compatible, which means it's sdoc compatible. In the same directory as this file, run "sdoc" by itself (gem install sdoc), and then view doc/index.html with your favored browser. Once that's done, navigate at the top, and read up on how to create a Packet or Capture from an interface with show_live or whatever.
 
 == Requirements
 
@@ -19,10 +20,41 @@ $ rvm gem install pcaprub
 
 Marshall Beddoe's PcapRub is required only for packet reading and writing from a network interfaces (which is a pretty big only). PcapRub itself relies on libpcap 0.9.8 or later for packet injection. PcapRub also requires root privilieges to access the interface directly. 
 
+=== Platforms
+
+I tend to test with the following (with bash):
+
+    date > /tmp/tests.txt; for i in default 1.8.6-p420 1.8.7-p334 1.9.1-p431 1.9.2-p180 1.9.3-head
+    do rvm use $i >> /tmp/tests.txt
+    echo Testing with $i
+    echo $i >> /tmp/tests.txt; echo +++++++++++++++++++++++ >> /tmp/tests.txt
+    rvmsudo ./all_tests.rb >> /tmp/tests.txt; rspec . >> /tmp/tests.txt
+    done
+
+==== Passing Platforms
+
+* 1.9.1-p378 -- my favorite and my best
+* 1.8.7-p334
+* 1.9.2-p180
+* 1.9.3-head
+
+==== Problem Platforms
+
+* 1.8.6-p420 -- Has problems with pcaprub and capture/inject
+* 1.9.1-p431 -- Has problems with loading gems in general, see http://redmine.ruby-lang.org/issues/2404
+
+Technically, these are pcaprub problems and not PacketFu problems, but PacketFu should at least fail better at them.
+
+Incidentally, I suspect these Ruby problems are the crux of the Mac OSX problems that people report. Try a different Ruby build and please let me know what works for you.
+
+
 == Examples
 
 PacketFu ships with dozens and dozens of tests, built on Test::Unit. These should give good pointers on how you're expected to use it. See the /tests directory. Furthermore, PacketFu also ships with packetfu-shell.rb, which should be run via IRB (as root, if you intend to use your interfaces).
 
 == Author
 
-PacketFu is maintained primarily by Tod Beardsley <todb@planb-security.net>
+PacketFu is maintained primarily by Tod Beardsley todb@planb-security.net, with help from Open Source Land.
+
+See LICENSE for licensing details.
+

data/examples/new-simple-stats.rb

@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+
+# new-simple-stats.rb demonstrates the performance difference
+# between the old and busted way to parse pcap files and the
+# new hotness of stream parsing. Spoiler alert: Against a pcap
+# file of 1GB, the old way would eat all your memory and take
+# forever. This still takes kinda forever, but at 5000 packets
+# every 11 seconds (my own benchmark) for this script, at least
+# it doesn't hog up all your memory.
+
+require 'examples' # For path setting slight-of-hand
+require 'packetfu'
+
+def print_results(stats)
+	stats.each_pair { |k,v| puts "%-12s: %10d" % [k,v] }
+end
+
+# Takes a file name, parses the packets, and records the packet
+# type based on its PacketFu class.
+def count_packet_types(file)
+	stats = {}
+	count = 0
+	start_time = Time.now
+	PacketFu::PcapFile.read_packets(file) do |pkt|
+		kind = pkt.proto.last.to_sym
+		stats[kind] ? stats[kind] += 1 : stats[kind] = 1
+		count += 1
+		elapsed = (Time.now - start_time).to_i
+		if count % 5_000 == 0
+			puts "After #{count} packets (#{elapsed} seconds elapsed):"
+			print_results(stats)
+		end
+	end
+	puts "Final results for #{count} packets (#{elapsed} seconds elapsed):"
+	print_results(stats)
+end
+
+if File.readable?(infile = (ARGV[0] || 'in.pcap'))
+	title = "Packets by packet type in '#{infile}'"
+	puts "-" * title.size
+	puts title
+	puts "-" * title.size
+	count_packet_types(infile)
+else
+	raise RuntimeError, "Need an infile, like so: #{$0} in.pcap"
+end
+
+
+
+
+

data/examples/simple-stats.rb

@@ -3,6 +3,11 @@
 # Simple-stats.rb takes a pcap file, and gives some simple 
 # stastics on the protocols found. It's mainly used to
 # demonstrate a method to parse pcap files.
+#
+# XXX: DO NOT USE THIS METHOD TO READ PCAP FILES.
+#
+# See new-simple-stats.rb for an example of the streaming
+# parsing method.
 
 require 'examples' # For path setting slight-of-hand
 require 'packetfu'
@@ -12,6 +17,7 @@ require 'packetfu'
 def count_packet_types(file)
 	file = File.open(file) {|f| f.read}
 	stats = {}
+	count = 0
 	pcapfile = PacketFu::PcapPackets.new
 	pcapfile.read(file)
 	pcapfile.each do |p|
@@ -23,6 +29,8 @@ def count_packet_types(file)
 		else
 			stats[kind] = 0
 		end
+		count += 1
+		break if count >= 1_000
 	end
 	stats.each_pair { |k,v| puts "%-12s: %4d" % [k,v] }
 end

data/lib/packetfu/packet.rb

@@ -173,7 +173,7 @@ module PacketFu
 		# different ones off of (like a fuzzer might), you'll want
 		# to use clone()
 		def clone
-			Marshal.load(Marshal.dump(self))
+			Packet.parse(self.to_s)
 		end
 
 		# If two packets are represented as the same binary string, and
@@ -209,7 +209,7 @@ module PacketFu
 		# peek traverses the @header list in reverse to find a suitable
 		# format.
 		#
-		# == Format
+		# === Format
 		# 
 		#   * A one or two character protocol initial. It should be unique
 		#   * The packet size
@@ -218,7 +218,7 @@ module PacketFu
 		# Ideally, related peek_formats will all line up with each other
 		# when printed to the screen.
 		#
-		# == Example
+		# === Example
 		#
 		#    tcp_packet.peek
 		#    #=> "T  1054 10.10.10.105:55000   ->   192.168.145.105:80 [......] S:adc7155b|I:8dd0"
@@ -283,11 +283,10 @@ module PacketFu
 
 		# Hexify provides a neatly-formatted dump of binary data, familar to hex readers.
 		def hexify(str)
-			if str.respond_to? :force_encoding
-				str.force_encoding("ASCII-8BIT")
-			end
+			str.force_encoding("ASCII-8BIT") if str.respond_to? :force_encoding
 			hexascii_lines = str.to_s.unpack("H*")[0].scan(/.{1,32}/)
-			chars = str.to_s.gsub(/[\x00-\x1f\x7f-\xff]/,'.')
+			regex = Regexp.new('[\x00-\x1f\x7f-\xff]', nil, 'n')
+			chars = str.to_s.gsub(regex,'.')
 			chars_lines = chars.scan(/.{1,16}/)
 			ret = []
 			hexascii_lines.size.times {|i| ret << "%-48s  %s" % [hexascii_lines[i].gsub(/(.{2})/,"\\1 "),chars_lines[i]]}

data/lib/packetfu/pcap.rb

@@ -44,6 +44,10 @@ module PacketFu
 																:thiszone, :sigfigs, :snaplen, :network)
 		include StructFu
 
+		MAGIC_INT32  = 0xa1b2c3d4
+		MAGIC_LITTLE = [MAGIC_INT32].pack("V")
+		MAGIC_BIG    = [MAGIC_INT32].pack("N")
+
 		def initialize(args={})
 			set_endianness(args[:endian] ||= :little)
 			init_fields(args) 
@@ -54,7 +58,7 @@ module PacketFu
 		
 		# Called by initialize to set the initial fields. 
 		def init_fields(args={})
-			args[:magic] = @int32.new(args[:magic] || 0xa1b2c3d4)
+			args[:magic] = @int32.new(args[:magic] || PcapHeader::MAGIC_INT32)
 			args[:ver_major] = @int16.new(args[:ver_major] || 2)
 			args[:ver_minor] ||= @int16.new(args[:ver_minor] || 4)
 			args[:thiszone] ||= @int32.new(args[:thiszone])
@@ -76,7 +80,7 @@ module PacketFu
 			force_binary(str)
 			return self if str.nil?
 			str.force_encoding("binary") if str.respond_to? :force_encoding
-			if str[0,4] == self[:magic].to_s || true # TODO: raise if it's not magic.
+			if str[0,4] == self[:magic].to_s 
 				self[:magic].read str[0,4]
 				self[:ver_major].read str[4,2]
 				self[:ver_minor].read str[6,2]
@@ -84,6 +88,8 @@ module PacketFu
 				self[:sigfigs].read str[12,4]
 				self[:snaplen].read str[16,4]
 				self[:network].read str[20,4]
+			else
+				raise "Incorrect magic for libpcap"
 			end
 			self
 		end
@@ -163,6 +169,7 @@ module PacketFu
 
 		# Reads a string to populate the object.
 		def read(str)
+			return unless str
 			force_binary(str)
 			self[:timestamp].read str[0,8]
 			self[:incl_len].read str[8,4]
@@ -194,10 +201,9 @@ module PacketFu
 		def read(str)
 			force_binary(str)
 			return self if str.nil?
-			magic = "\xa1\xb2\xc3\xd4"
-			if str[0,4] == magic
+			if str[0,4] == PcapHeader::MAGIC_BIG
 				@endian = :big
-			elsif str[0,4] == magic.reverse
+			elsif str[0,4] == PcapHeader::MAGIC_LITTLE
 				@endian = :little
 			else
 				raise ArgumentError, "Unknown file format for #{self.class}"
@@ -288,10 +294,6 @@ module PacketFu
 
 		alias_method :f2a, :file_to_array
 
-		def self.file_to_array(fname)
-			PcapFile.new.file_to_array(:f => fname)
-		end
-
 		# Takes an array of packets (as generated by file_to_array), and writes them
 		# to a file. Valid arguments are:
 		#
@@ -397,6 +399,94 @@ module PacketFu
 
 	end
 
+	# PcapFile also can behave as a singleton class, which is usually the better
+	# way to handle pcap files of really any size, since it doesn't require
+	# storing packets before handing them off to a given block. This is really
+	# the way to go.
+	class PcapFile
+		class << self
+
+			# Takes a given file and returns an array of the packet bytes. Here 
+			# for backwards compatibilty.
+			def file_to_array(fname)
+				PcapFile.new.file_to_array(:f => fname)
+			end
+
+			# Takes a given file name, and reads out the packets. If given a block,
+			# it will yield back a PcapPacket object per packet found.
+			def read(fname,&block)
+				begin
+					file_handle = File.open(fname, "rb")
+					pcap_packets = PcapPackets.new unless block
+					file_header = PcapHeader.new
+					file_header.read file_handle.read(24)
+					packet_count = 0
+					pcap_packet = PcapPacket.new(:endian => file_header.endian)
+					while pcap_packet.read file_handle.read(16) do
+						len = pcap_packet.incl_len
+						pcap_packet.data = StructFu::String.new.read(file_handle.read(len.to_i))
+						packet_count += 1
+						if pcap_packet.data.size < len.to_i
+							warn "Packet ##{packet_count} is corrupted: expected #{len.to_i}, got #{pcap_packet.data.size}. Exiting."
+							break
+						end
+						if block
+							yield pcap_packet
+						else
+							pcap_packets << pcap_packet
+						end
+					end
+					unless block
+						return pcap_packets 
+					end
+				ensure
+					file_handle.close
+				end
+			end
+
+			# Takes a filename, and an optional block. If a block is given, 
+			# yield back the raw packet data from the given file. Otherwise,
+			# return an array of parsed packets.
+			def read_packet_bytes(fname,&block)
+				count = 0
+				packets = [] unless block
+				read(fname) do |packet| 
+					if block
+						count += 1
+						yield packet.data.to_s
+					else
+						packets << packet.data.to_s
+					end
+				end
+				block ? count : packets
+			end
+
+			alias :file_to_array :read_packet_bytes 
+
+			# Takes a filename, and an optional block. If a block is given,
+			# yield back parsed packets from the given file. Otherwise, return
+			# an array of parsed packets.
+			#
+			# This is a brazillian times faster than the old methods of extracting
+			# packets from files.
+			def read_packets(fname,&block)
+				count = 0
+				packets = [] unless block
+				read_packet_bytes(fname) do |packet| 
+					if block
+						count += 1
+						yield Packet.parse(packet)
+					else
+						packets << Packet.parse(packet)
+					end
+				end
+				block ? count : packets
+			end
+
+		end
+
+	end
+
 end
 
 module PacketFu
@@ -411,7 +501,7 @@ module PacketFu
 			# Reads the magic string of a pcap file, and determines
 			# if it's :little or :big endian.
 			def get_byte_order(pcap_file)
-				byte_order = ((pcap_file[0,4] == "\xd4\xc3\xb2\xa1") ? :little : :big)
+				byte_order = ((pcap_file[0,4] == PcapHeader::MAGIC_LITTLE) ? :little : :big)
 				return byte_order
 			end
 

data/lib/packetfu/protos/tcp.rb

@@ -609,7 +609,7 @@ module PacketFu
 		# Note that by using TcpOptions#encode, strings supplied as values which
 		# can be converted to numbers will be converted first.
 		#
-		# == Example
+		# === Example
 		#
 		#   t = TcpOptions.new
 		#   t.encode("MS:1460,WS:6")
@@ -774,10 +774,15 @@ module PacketFu
 
 		# Getter for the TCP Header Length value.
 		def tcp_hlen; self[:tcp_hlen].to_i; end
-		# Setter for the TCP Header Length value.
+		# Setter for the TCP Header Length value. Can take
+		# either a string or an integer. Note that if it's
+		# a string, the top four bits are used.
 		def tcp_hlen=(i)
-			if i.kind_of? PacketFu::TcpHlen
-				self[:tcp_hlen]=i
+			case i
+			when PacketFu::TcpHlen
+				self[:tcp_hlen] = i
+			when Numeric
+				self[:tcp_hlen] = TcpHlen.new(:hlen => i.to_i)
 			else
 				self[:tcp_hlen].read(i)
 			end
@@ -787,8 +792,15 @@ module PacketFu
 		def tcp_reserved; self[:tcp_reserved].to_i; end
 		# Setter for the TCP Reserved field.
 		def tcp_reserved=(i)
-			if i.kind_of? PacketFu::TcpReserved
+			case i
+			when PacketFu::TcpReserved
 				self[:tcp_reserved]=i
+			when Numeric
+				args = {}
+				args[:r1] = (i & 0b100) >> 2
+				args[:r2] = (i & 0b010) >> 1
+				args[:r3] = (i & 0b001)
+				self[:tcp_reserved] = TcpReserved.new(args)
 			else
 				self[:tcp_reserved].read(i)
 			end
@@ -798,8 +810,15 @@ module PacketFu
 		def tcp_ecn; self[:tcp_ecn].to_i; end
 		# Setter for the ECN bits. 
 		def tcp_ecn=(i)
-			if i.kind_of? PacketFu::TcpEcn
+			case i
+			when PacketFu::TcpEcn
 				self[:tcp_ecn]=i
+			when Numeric
+				args = {}
+				args[:n] = (i & 0b100) >> 2
+				args[:c] = (i & 0b010) >> 1
+				args[:e] = (i & 0b001)
+				self[:tcp_ecn] = TcpEcn.new(args)
 			else
 				self[:tcp_ecn].read(i)
 			end
@@ -809,7 +828,8 @@ module PacketFu
 		def tcp_opts; self[:tcp_opts].to_s; end
 		# Setter for TCP Options.
 		def tcp_opts=(i)
-			if i.kind_of? PacketFu::TcpOptions
+			case i
+			when PacketFu::TcpOptions
 				self[:tcp_opts]=i
 			else
 				self[:tcp_opts].read(i)
@@ -846,7 +866,7 @@ module PacketFu
 		def tcp_flags_dotmap
 			dotmap = tcp_flags.members.map do |flag|
 				status = self.tcp_flags.send flag
-				status == 0 ? "." : flag.to_s.upcase[0]
+				status == 0 ? "." : flag.to_s.upcase[0].chr
 			end
 			dotmap.join
 		end

data/lib/packetfu/structfu.rb

@@ -118,12 +118,12 @@ module StructFu
 
 	end
   
-	# Int16be is a two byte value in big-endian format.
+	# Int16be is a two byte value in big-endian format. The endianness cannot be altered.
 	class Int16be < Int16
 		undef :endian=
 	end
 
-	# Int16le is a two byte value in little-endian format.
+	# Int16le is a two byte value in little-endian format. The endianness cannot be altered.
 	class Int16le < Int16
 		undef :endian=
 		def initialize(v=nil, e=:little)
@@ -147,12 +147,12 @@ module StructFu
 
 	end
 
-	# Int32be is a four byte value in big-endian format.
+	# Int32be is a four byte value in big-endian format. The endianness cannot be altered.
 	class Int32be < Int32
 		undef :endian=
 	end
 
-	# Int32le is a four byte value in little-endian format.
+	# Int32le is a four byte value in little-endian format. The endianness cannot be altered.
 	class Int32le < Int32
 		undef :endian=
 		def initialize(v=nil, e=:little)
@@ -208,8 +208,8 @@ module StructFu
 		# is calculated upon assignment. If you'd prefer to have
 		# an incorrect value, use the syntax, obj[:string]="value"
 		# instead. Note, by using the alternate form, you must
-		# #calc before you can trust the int's value. Think of the
-		# = assignment as "set to equal," while the []= assignment
+		# #calc before you can trust the int's value. Think of the = 
+		# assignment as "set to equal," while the []= assignment
 		# as "boxing in" the value. Maybe.
 		def string=(s)
 			self[:string] = s
@@ -246,9 +246,13 @@ module StructFu
 		# is used is dependant on which :mode is set (with self.mode).
 		#
 		# :parse : Read the length, and then read in that many bytes of the string. 
-		#          The string may be truncated or padded out with nulls, as dictated by the value.
-		# :fix   : Skip the length, read the rest of the string, then set the length to what it ought to be.
-		# else   : If neither of these modes are set, just perfom a normal read(). This is the default.
+		# The string may be truncated or padded out with nulls, as dictated by the value.
+		#
+		# :fix   : Skip the length, read the rest of the string, then set the length 
+		# to what it ought to be.
+		#
+		# else   : If neither of these modes are set, just perfom a normal read().
+		# This is the default.
 		def parse(s)
 			unless s[0,int.width].size == int.width
 				raise StandardError, "String is too short for type #{int.class}"

data/lib/packetfu/version.rb

@@ -1,13 +1,14 @@
 module PacketFu
 
 	# Check the repo's for version release histories
-	VERSION = "1.0.3" 
+	VERSION = "1.0.4" 
 
+	# Returns PacketFu::VERSION
 	def self.version
 		VERSION
 	end
 
-	# Returns the version in a binary format for easy comparisons.
+	# Returns a version string in a binary format for easy comparisons.
 	def self.binarize_version(str)
 		if(str.respond_to?(:split) && str =~ /^[0-9]+(\.([0-9]+)(\.[0-9]+)?)?\..+$/)
 			bin_major,bin_minor,bin_teeny = str.split(/\x2e/).map {|x| x.to_i}

data/lib/packetfu.rb

@@ -1,7 +1,7 @@
 
 # :title: PacketFu Documentation
+# :main: ../README
 # :include: ../README
-# :include: ../INSTALL
 # :include: ../LICENSE
 
 cwd = File.expand_path(File.dirname(__FILE__))
@@ -14,6 +14,19 @@ require 'rubygems' if RUBY_VERSION =~ /^1\.[0-8]/
 
 module PacketFu
 
+	# Picks up all the protocols defined in the protos subdirectory
+	def self.require_protos(cwd)
+		protos_dir = File.join(cwd, "packetfu", "protos")
+		Dir.new(protos_dir).each do |fname|
+			next unless fname[/\.rb$/]
+			begin 
+				require File.join(protos_dir,fname)
+			rescue
+				warn "Warning: Could not load `#{fname}'. Skipping."
+			end
+		end
+	end
+
 	# Sets the expected byte order for a pcap file. See PacketFu::Read.set_byte_order
 	@byte_order = :little
 
@@ -32,6 +45,7 @@ module PacketFu
 	end
 
 	pcaprub_platform_require
+
 	if @pcaprub_loaded
 		if Pcap.version !~ /[0-9]\.[7-9][0-9]?(-dev)?/ # Regex for 0.7-dev and beyond.
 			@pcaprub_loaded = false # Don't bother with broken versions
@@ -41,6 +55,7 @@ module PacketFu
 		require "packetfu/inject"
 	end
 
+	# Returns the status of pcaprub
 	def self.pcaprub_loaded?
 		@pcaprub_loaded
 	end
@@ -50,6 +65,7 @@ module PacketFu
 		constants.map { |const| const_get(const) if const_get(const).kind_of? Class}.compact
 	end
 
+	# Adds the class to PacketFu's list of packet classes -- used in packet parsing.
 	def self.add_packet_class(klass)
 		raise "Need a class" unless klass.kind_of? Class
 		if klass.name !~ /[A-Za-z0-9]Packet/
@@ -60,6 +76,7 @@ module PacketFu
 		@packet_classes.sort! {|x,y| x.name <=> y.name}
 	end
 
+	# Presumably, there may be a time where you'd like to remove a packet class.
 	def self.remove_packet_class(klass)
 		raise "Need a class" unless klass.kind_of? Class
 		@packet_classes ||= []
@@ -67,10 +84,12 @@ module PacketFu
 		@packet_classes 
 	end
 
+	# Returns an array of packet classes
 	def self.packet_classes
 		@packet_classes || []
 	end
 
+	# Returns an array of packet types by packet prefix.
 	def self.packet_prefixes
 		return [] unless @packet_classes
 		@packet_classes.map {|p| p.to_s.split("::").last.to_s.downcase.gsub(/packet$/,"")}
@@ -78,22 +97,10 @@ module PacketFu
 
 end
 
-def require_protos(cwd)
-	protos_dir = File.join(cwd, "packetfu", "protos")
-	Dir.new(protos_dir).each do |fname|
-		next unless fname[/\.rb$/]
-		begin 
-			require File.join(protos_dir,fname)
-		rescue
-			warn "Warning: Could not load `#{fname}'. Skipping."
-		end
-	end
-end
-
 require File.join(cwd,"packetfu","version")
 require File.join(cwd,"packetfu","pcap")
 require File.join(cwd,"packetfu","packet")
-require_protos(cwd)
+PacketFu.require_protos(cwd)
 require File.join(cwd,"packetfu","utils")
 require File.join(cwd,"packetfu","config")
 

data/test/packetfu_spec.rb

@@ -1,8 +1,13 @@
 require File.join("..","lib","packetfu")
 
+unless %x{#{$0} --version} =~ /^2\.6/
+	puts "PacketFu needs rspec 2.6 or so."
+	exit 1
+end
+
 describe PacketFu, "version information" do
 	it "reports a version number" do
-		PacketFu::VERSION.should == "1.0.2"
+		PacketFu::VERSION.should match /^1\.[0-9]\.[0-9]$/
 	end
 	its(:version) {should eq PacketFu::VERSION} 
 

data/test/tcp_spec.rb

@@ -0,0 +1,100 @@
+require File.join("..","lib","packetfu")
+
+include PacketFu
+
+def unusual_numeric_handling_headers(header,i)
+	camelized_header = header.to_s.split("_").map {|x| x.capitalize}.join
+	header_class = PacketFu.const_get camelized_header
+	specify { subject.send(header).should == i }
+	specify { subject.send(header).should be_kind_of Integer }
+	specify { subject.headers.last[header].should be_kind_of header_class }
+end
+
+def tcp_hlen_numeric(i)
+	unusual_numeric_handling_headers(:tcp_hlen,i)
+end
+
+def tcp_reserved_numeric(i)
+	unusual_numeric_handling_headers(:tcp_reserved,i)
+end
+
+def tcp_ecn_numeric(i)
+	unusual_numeric_handling_headers(:tcp_ecn,i)
+end
+
+
+describe TCPPacket do
+
+	subject do
+		bytes = PcapFile.file_to_array("sample2.pcap")[2]
+		packet = Packet.parse(bytes)
+	end
+
+	context "TcpHlen reading and setting" do
+		context "TcpHlen set via #read" do
+			tcp_hlen_numeric(8)
+		end
+		context "TcpHlen set via an Integer for the setter" do
+			(0..15).each do |i|
+				context "i is #{i}" do
+					before { subject.tcp_hlen = i }
+					tcp_hlen_numeric(i)
+				end
+			end
+		end
+		context "TcpHlen set via a String for the setter" do
+			before { subject.tcp_hlen = "\x60" }
+			tcp_hlen_numeric(6)
+		end
+		context "TcpHlen set via a TcpHlen for the setter" do
+			before { subject.tcp_hlen = TcpHlen.new(:hlen => 7) }
+			tcp_hlen_numeric(7)
+		end
+	end
+
+	context "TcpReserved reading and setting" do
+		context "TcpReserved set via #read" do
+			tcp_reserved_numeric(0)
+		end
+		context "TcpReserved set via an Integer for the setter" do
+			(0..7).each do |i|
+				context "i is #{i}" do
+					before { subject.tcp_reserved = i }
+					tcp_reserved_numeric(i)
+				end
+			end
+		end
+		context "TcpReserved set via a String for the setter" do
+			before { subject.tcp_reserved = "\x03" }
+			tcp_reserved_numeric(3)
+		end
+		context "TcpReserved set via a TcpReserved for the setter" do
+			before { subject.tcp_reserved = TcpReserved.new(:r1 => 1, :r2 => 0, :r3 => 1) }
+			tcp_reserved_numeric(5)
+		end
+	end
+
+	context "TcpEcn reading and setting" do
+		context "TcpEcn set via #read" do
+			tcp_ecn_numeric(0)
+		end
+		context "TcpEcn set via an Integer for the setter" do
+			(0..7).each do |i|
+				context "i is #{i}" do
+					before { subject.tcp_ecn = i }
+					tcp_ecn_numeric(i)
+				end
+			end
+		end
+		context "TcpEcn set via a String for the setter" do
+			before { subject.tcp_ecn = "\x00\xc0" }
+			tcp_ecn_numeric(3)
+		end
+		context "TcpEcn set via a TcpEcn for the setter" do
+			before { subject.tcp_ecn = TcpEcn.new(:n => 1, :c => 0, :e => 1) }
+			tcp_ecn_numeric(5)
+		end
+	end
+
+end
+

data/test/test_arp.rb

@@ -107,7 +107,7 @@ class ArpTest < Test::Unit::TestCase
 		puts "ARP Peek format: "
 		puts a.peek
 		puts "\n"
-		assert_equal(66,a.peek.size)
+		assert(a.peek.size <= 80)
 	end
 
 	def test_arp_pcap

data/test/test_hsrp.rb

@@ -15,57 +15,6 @@ class HSRPTest < Test::Unit::TestCase
 		# pkt.to_f('udp_test.pcap','a')
 	end
 
-=begin
-# The rest of these tests are snarfed from UDP. TODO: need to update
-# these for hsrp, shouldn't be long.
-	def test_hsrp_pcap
-		u = UDPPacket.new
-		assert_kind_of UDPPacket, u
-		u.recalc
-		u.to_f('udp_test.pcap','a')
-		u.ip_saddr = "10.20.30.40"
-		u.ip_daddr = "50.60.70.80"
-		u.payload = "+some fakey-fake udp packet"
-		u.udp_src = 1205
-		u.udp_dst = 13013
-		u.recalc
-		u.to_f('udp_test.pcap','a')
-	end
-
-	def test_udp_peek
-		u = UDPPacket.new
-		u.ip_saddr = "10.20.30.40"
-		u.ip_daddr = "50.60.70.80"
-		u.udp_src = 53
-		u.udp_dport = 1305
-		u.payload = "abcdefghijklmnopqrstuvwxyz"
-		u.recalc
-		puts "\n"
-		puts "UDP Peek format: "
-		puts u.peek
-		assert_equal 78,u.peek.size
-	end
-
-	def test_udp_checksum
-		sample_packet = PcapFile.new.file_to_array(:f => 'sample.pcap')[0]
-		pkt = Packet.parse(sample_packet)
-		assert_kind_of UDPPacket, pkt
-		pkt.recalc
-		assert_equal(0x8bf8, pkt.udp_sum.to_i)
-		pkt.to_f('udp_test.pcap','a')
-	end
-
-	def test_udp_alter
-		sample_packet = PcapFile.new.file_to_array(:f => 'sample.pcap')[0]
-		pkt = Packet.parse(sample_packet)
-		assert_kind_of UDPPacket, pkt
-		pkt.payload = pkt.payload.gsub(/metasploit/,"MeatPistol")
-		pkt.recalc
-		assert_equal(0x8341, pkt.udp_sum)
-		pkt.to_f('udp_test.pcap','a')
-	end
-=end
-
 end
 
 # vim: nowrap sw=2 sts=0 ts=2 ff=unix ft=ruby

data/test/test_icmp.rb

@@ -24,7 +24,7 @@ class ICMPTest < Test::Unit::TestCase
 		puts "\n"
 		puts "ICMP Peek format: "
 		puts i.peek
-		assert_equal 78,i.peek.size
+		assert (i.peek.size <= 80)
 	end
 
 	def test_icmp_pcap

data/test/test_ip.rb

@@ -48,7 +48,7 @@ class IPTest < Test::Unit::TestCase
 		puts "\n"
 		puts "IP Peek format: "
 		puts i.peek
-		assert_equal 78,i.peek.size
+		assert (i.peek.size <= 80)
 	end
 
 	def test_ip_pcap

data/test/test_ip6.rb

@@ -47,7 +47,7 @@ class IPv6Test < Test::Unit::TestCase
 		puts "\n"
 		puts "IPv6 Peek format: "
 		puts i.peek
-		assert_equal 78, i.peek.size
+		assert (i.peek.size <= 80)
 	end
 
 =begin

data/test/test_tcp.rb

@@ -262,7 +262,7 @@ class TCPPacketTest < Test::Unit::TestCase
 		puts "\n"
 		puts "TCP Peek format: "
 		puts t.peek
-		assert_equal 78,t.peek.size
+		assert (t.peek.size <= 80)
 	end
 
 	def test_tcp_pcap

data/test/test_udp.rb

@@ -24,7 +24,7 @@ class UDPTest < Test::Unit::TestCase
 		puts "\n"
 		puts "UDP Peek format: "
 		puts u.peek
-		assert_equal 78,u.peek.size
+		assert (u.peek.size <= 80)
 	end
 
 	def test_udp_pcap

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification 
 name: packetfu
 version: !ruby/object:Gem::Version 
-  hash: -1237194367
+  hash: 199653271
   prerelease: 6
   segments: 
   - 1
   - 0
-  - 3
+  - 4
   - pre
-  version: 1.0.3.pre
+  version: 1.0.4.pre
 platform: ruby
 authors: 
 - Tod Beardsley
@@ -78,7 +78,6 @@ files:
 - lib/packetfu/protos/hsrp.rb
 - lib/packetfu/utils.rb
 - lib/packetfu/packet.rb
-- CHANGES
 - INSTALL
 - LICENSE
 - README
@@ -88,7 +87,6 @@ files:
 - test/udp_test.pcap
 - test/sample2.pcap
 - test/sample.pcap
-- test/dissect_thinger.rb
 - test/test_ip6.rb
 - test/all_tests.rb
 - test/test_invalid.rb
@@ -98,6 +96,7 @@ files:
 - test/icmp_test.pcap
 - test/test_udp.rb
 - test/sample_hsrp_pcapr.cap
+- test/tcp_spec.rb
 - test/test_tcp.rb
 - test/tcp_test.pcap
 - test/test_arp.rb
@@ -127,6 +126,7 @@ files:
 - examples/idsv2.rb
 - examples/ackscan.rb
 - examples/ids.rb
+- examples/new-simple-stats.rb
 has_rdoc: true
 homepage: http://code.google.com/p/packetfu/
 licenses: []

data/CHANGES

@@ -1,36 +0,0 @@
-= Changelog
-
-== Version 1.0.0 # to be released July 29, 2010
-	Missed a bunch of updates in the Changelog. Mea culpa.
-	Squashed all Ruby version bugs -- works now on 1.8.6, 1.8.7, 1.9.1, and 1.9.2-head.
-	Added ENV['IFACE'] parsing for interface selection. Sadly, rvmsudo doesn't preserve ENV by default, but system ruby should work fine. 
-	Removed my own distros of pcaprub. You're on your own, now, but shadowbq's or Metasploit's versions should do just fine.
-
-== Version 0.1.1 # February 18, 2009
-	Added .is_proto? functions, self.proto function, Packet.headers attr_accessor across the board.
-	Removed dependency on pcaprub to read pcap-formatted files. (r54)
-	Added ability to preserve timestamps when reading files using :keep_ts => true argument on Read#f2a and Write honors both saved timestamp or invented timestamps. (r55)
-  Various minor bugs. (r56)
-	Relaxed the requirement for PcapRub to 0.7-dev now that I handle packet reading on my own. Windows users and threading will be broke without 0.8-dev, though. (r57)
-	Endianness of pcap files (for both reading and writing) is now supported (r58).
-	Handle non-version-4 IP packets correctlier (r59) (thanks tmanning!).
-	Merge of Metasploit-local patches, including Write.append (byte-order safe). (r60)
-
-== Version 0.1.0 # September 13, 2008
-  Various minor bugs fixed.
-  Added a Windows compatability mode via a compiled pcaprub.
-    Note: Works fine on XP, works okay on Vista. Users are encouraged to compile their own pcaprub installations.
-
-== Verison 0.0.3 # September 3, 2008 # r25
-  First tagged version. Naturally, bugs were found that moment.
-
-== Version 0.3.0 # January 11, 2010 # r129
-  Rewrote pretty much everything using Struct instead of BinData. Huge success.
-  Start to get back in the habit of documentation changes.
-
-== Version 0.3.1 # FUTURE
-  r130: Add convenience methods for checking the version.
-  r131: Fix TCP option setting.
-	r132: pcaprub to 0.9-dev.
-
-

data/test/dissect_thinger.rb

@@ -1,15 +0,0 @@
-# This just allows you to eyeball the dissection stuff to make sure it's all right.
-
-require File.join("..","lib","packetfu")
-puts "Loaded: PacketFu v#{PacketFu.version}"
-# $: << File.join(File.expand_path(File.dirname(__FILE__)),"..","lib")
-
-include PacketFu
-
-packets = PcapFile.file_to_array "test/sample2.pcap"
-packets.each do |packet|
-	puts packet.inspect
-	pkt = Packet.parse(packet)
-	puts pkt.dissect
-	sleep 1
-end