packetfu 1.0.5.pre → 1.1.0

data/examples/100kpackets.rb

@@ -0,0 +1,41 @@
+#!/usr/bin/env ruby
+
+# Used mainly to test for memory leaks and to demo the preferred ways of
+# reading and writing packets to and from pcap files.
+require './examples' # For path setting slight-of-hand
+require 'packetfu'
+
+include PacketFu
+puts "Generating packets... (#{Time.now.utc})"
+
+File.unlink("/tmp/out.pcap") if File.exists? "/tmp/out.pcap"
+start_time = Time.now.utc
+count = 0
+
+100.times do
+	@pcaps = []
+	1000.times do 
+		u = UDPPacket.new
+		u.ip_src = [rand(2**32-1)].pack("N")
+		u.ip_dst = [rand(2**32-1)].pack("N")
+		u.recalc
+		@pcaps << u
+	end
+	pfile = PcapFile.new
+	res = pfile.array_to_file(:filename => "/tmp/out.pcap", :array => @pcaps, :append => true)
+	count += res.last
+	puts "Wrote #{count} packets in #{Time.now.utc - start_time} seconds"
+end
+
+read_bytes_start = Time.now.utc
+puts "Reading packet bytes..."
+packet_bytes = PcapFile.read_packet_bytes "/tmp/out.pcap"
+puts "Read #{packet_bytes.size} packet byte blobs in #{Time.now.utc - read_bytes_start} seconds."
+
+read_packets_start = Time.now.utc
+puts "Reading packets..."
+packet_bytes = PcapFile.read_packets "/tmp/out.pcap"
+puts "Read #{packet_bytes.size} parsed packets in #{Time.now.utc - read_packets_start} seconds."
+
+
+

data/examples/simple-sniffer.rb

@@ -0,0 +1,40 @@
+#!/usr/bin/env ruby
+require 'examples'
+require 'packetfu'
+
+puts "Simple sniffer for PacketFu #{PacketFu.version}"
+include PacketFu
+iface = ARGV[0] || "eth0"
+
+def sniff(iface)
+	cap = Capture.new(:iface => iface, :start => true)
+	cap.stream.each do |p|
+		pkt = Packet.parse p
+		if pkt.is_ip?
+			next if pkt.ip_saddr == Utils.ifconfig[:ip_saddr]
+			packet_info = [pkt.ip_saddr, pkt.ip_daddr, pkt.size, pkt.proto.last]
+			puts "%-15s -> %-15s %-4d %s" % packet_info
+		end
+	end
+end
+
+sniff(iface)
+
+=begin 
+Results look like this:
+145.58.33.95    -> 192.168.11.70   1514 TCP
+212.233.158.76  -> 192.168.11.70   110  UDP
+88.174.164.147  -> 192.168.11.70   110  UDP
+145.58.33.95    -> 192.168.11.70   1514 TCP
+145.58.33.95    -> 192.168.11.70   1514 TCP
+145.58.33.95    -> 192.168.11.70   1514 TCP
+145.58.33.95    -> 192.168.11.70   1514 TCP
+8.8.8.8         -> 192.168.11.70   143  UDP
+41.237.73.186   -> 192.168.11.70   60   TCP
+145.58.33.95    -> 192.168.11.70   1514 TCP
+145.58.33.95    -> 192.168.11.70   1514 TCP
+8.8.8.8         -> 192.168.11.70   143  UDP
+8.8.8.8         -> 192.168.11.70   128  UDP
+8.8.8.8         -> 192.168.11.70   187  UDP
+24.45.247.232   -> 192.168.11.70   70   TCP
+=end 

data/lib/packetfu.rb

@@ -25,6 +25,11 @@ module PacketFu
 		end
 	end
 
+	# Deal with Ruby's encoding by ignoring it.
+	def self.force_binary(str)
+		str.force_encoding "binary" if str.respond_to? :force_encoding
+	end
+
 	# Sets the expected byte order for a pcap file. See PacketFu::Read.set_byte_order
 	@byte_order = :little
 
@@ -93,6 +98,43 @@ module PacketFu
 		@packet_classes.map {|p| p.to_s.split("::").last.to_s.downcase.gsub(/packet$/,"")}
 	end
 
+	# The current inspect style. One of :hex, :dissect, or :default
+	# Note that :default means Ruby's default, which is usually
+	# far too long to be useful.
+	def self.inspect_style
+		@inspect_style ||= :dissect
+	end
+
+	# Setter for PacketFu's @inspect_style
+	def self.inspect_style=(arg)
+		@inspect_style = case arg
+			when :hex, :pretty
+				:hex
+			when :dissect, :verbose
+				:dissect
+			when :default, :ugly
+				:default
+			else
+				:dissect
+			end
+	end
+
+	# Switches inspect styles in a round-robin fashion between 
+	# :dissect, :default, and :hex
+	def toggle_inspect
+		case @inspect_style
+		when :hex, :pretty
+			@inspect_style = :dissect
+		when :dissect, :verbose
+			@inspect_style = :default
+		when :default, :ugly
+			@inspect_style = :hex
+		else
+			@inspect_style = :dissect
+		end
+	end
+
+
 end
 
 require File.join(cwd,"packetfu","version")

data/lib/packetfu/capture.rb

@@ -31,7 +31,7 @@ module PacketFu
 		def initialize(args={})
 			@array = [] # Where the packet array goes.
 			@stream = [] # Where the stream goes.
-			@iface = args[:iface] || ENV['IFACE'] || Pcap.lookupdev || "lo"
+			@iface = (args[:iface] || ENV['IFACE'] || Pcap.lookupdev || "lo").to_s
 			@snaplen = args[:snaplen] || 0xffff
 			@promisc = args[:promisc] || false # Sensible for some Intel wifi cards
 			@timeout = args[:timeout] || 1

data/lib/packetfu/config.rb

@@ -36,17 +36,20 @@ module PacketFu
 				@iface = args[:iface] || ENV['IFACE'] || Pcap.lookupdev || "lo" 
 			end	
 			@pcapfile = "/tmp/out.pcap"
-			args.each_pair { |k,v| self.instance_variable_set(("@" + k.to_s).intern,v) }
+			args.each_pair { |k,v| self.instance_variable_set(("@#{k}"),v) }
 		end
 
 		# Returns all instance variables as a hash (including custom variables set at initialization).
 		def config(arg=nil)
-			if arg.nil?
+			if arg
+				arg.each_pair {|k,v| self.instance_variable_set(("@" + k.to_s).intern, v)}
+			else
 				config_hash = {}
-				self.instance_variables.each { |v| config_hash[v.delete("@").intern] = self.instance_variable_get(v) }
+				self.instance_variables.each do |v| 
+					key = v.to_s.gsub(/^@/,"").to_sym
+					config_hash[key] = self.instance_variable_get(v) 
+				end
 				config_hash
-			else
-				arg.each_pair {|k,v| self.instance_variable_set(("@" + k.to_s).intern, v)}
 			end
 		end
 

data/lib/packetfu/packet.rb

@@ -102,7 +102,7 @@ module PacketFu
 		# Put the entire packet on the wire by creating a temporary PacketFu::Inject object.
 		# TODO: Do something with auto-checksumming?
 		def to_w(iface=nil)
-			iface = iface || self.iface || PacketFu::Config.new.config[:iface]
+			iface = (iface || self.iface || PacketFu::Config.new.config[:iface]).to_s
 			inj = PacketFu::Inject.new(:iface => iface)
 			inj.array = [@headers[0].to_s]
 			inj.inject
@@ -467,11 +467,7 @@ module PacketFu
 			if self.class.name =~ /(::|^)PacketFu::Packet$/
 				raise NoMethodError, "method `new' called for abstract class #{self.class.name}"
 			end
-			if args[:inspect_style]
-				@inspect_style = args[:inspect_style]
-			else
-				@inspect_style = :dissect
-			end
+			@inspect_style = args[:inspect_style] || PacketFu.inspect_style || :dissect
 			if args[:config]
 				args[:config].each_pair do |k,v|
 					case k
@@ -484,6 +480,13 @@ module PacketFu
 			end
 		end
 
+		# Delegate to PacketFu's inspect_style, since the
+		# class variable name is the same. Yay for namespace
+		# pollution!
+		def inspect_style=()
+			PacketFu.inspect_style(arg)
+		end
+
 		#method_missing() delegates protocol-specific field actions to the apporpraite
 		#class variable (which contains the associated packet type)
 		#This register-of-protocols style switch will work for the 
@@ -525,21 +528,6 @@ module PacketFu
 		end
 
 	end # class Packet
-
-	# Switches inspect styles between :dissect, :default, and :hex
-	def toggle_inspect
-		case @inspect_style
-		when :hex, :pretty
-			@inspect_style = :dissect
-		when :dissect, :verbose
-			@inspect_style = :default
-		when :default, :ugly
-			@inspect_style = :hex
-		else
-			@inspect_style = :dissect
-		end
-	end
-
 end
 
 # vim: nowrap sw=2 sts=0 ts=2 ff=unix ft=ruby

data/lib/packetfu/pcap.rb

@@ -246,34 +246,32 @@ module PacketFu
 
 			# Takes a given file name, and reads out the packets. If given a block,
 			# it will yield back a PcapPacket object per packet found.
-			def read(fname,&block)
+			def read(fname,&block) 
+				file_header = PcapHeader.new
+				pcap_packets = PcapPackets.new 
+				unless File.readable? fname
+					raise ArgumentError, "Cannot read file `#{fname}'"
+				end
 				begin
-					file_handle = File.open(fname, "rb")
-					pcap_packets = PcapPackets.new unless block
-					file_header = PcapHeader.new
-					file_header.read file_handle.read(24)
-					packet_count = 0
-					pcap_packet = PcapPacket.new(:endian => file_header.endian)
-					while pcap_packet.read file_handle.read(16) do
-						len = pcap_packet.incl_len
-						pcap_packet.data = StructFu::String.new.read(file_handle.read(len.to_i))
-						packet_count += 1
-						if pcap_packet.data.size < len.to_i
-							warn "Packet ##{packet_count} is corrupted: expected #{len.to_i}, got #{pcap_packet.data.size}. Exiting."
-							break
-						end
-						if block
-							yield pcap_packet
-						else
-							pcap_packets << pcap_packet
-						end
-					end
-					unless block
-						return pcap_packets 
+				file_handle = File.open(fname, "rb")
+				file_header.read file_handle.read(24)
+				packet_count = 0
+				pcap_packet = PcapPacket.new(:endian => file_header.endian)
+				while pcap_packet.read file_handle.read(16) do
+					len = pcap_packet.incl_len
+					pcap_packet.data = StructFu::String.new.read(file_handle.read(len.to_i))
+					packet_count += 1
+					if pcap_packet.data.size < len.to_i
+						warn "Packet ##{packet_count} is corrupted: expected #{len.to_i}, got #{pcap_packet.data.size}. Exiting."
+						break
 					end
+					pcap_packets << pcap_packet.clone
+					yield pcap_packets.last if block
+				end
 				ensure
 					file_handle.close
 				end
+				block ? packet_count : pcap_packets
 			end
 
 			# Takes a filename, and an optional block. If a block is given, 
@@ -453,7 +451,11 @@ module PacketFu
 			end
 			append = args[:append]
 			if append
-				File.open(filename,'ab') {|file| file.write(self.body.to_s)}
+				if File.exists? filename
+					File.open(filename,'ab') {|file| file.write(self.body.to_s)}
+				else
+					File.open(filename,'wb') {|file| file.write(self.to_s)}
+				end
 			else
 				File.open(filename,'wb') {|file| file.write(self.to_s)}
 			end

data/lib/packetfu/protos/arp.rb

@@ -26,14 +26,17 @@ module PacketFu
 		include StructFu
 
 		def initialize(args={})
+			src_mac = args[:arp_src_mac] || (args[:config][:eth_src] if args[:config])
+			src_ip_bin = args[:arp_src_ip]   || (args[:config][:ip_src_bin] if args[:config])
+
 			super( 
 				Int16.new(args[:arp_hw] || 1), 
 				Int16.new(args[:arp_proto] ||0x0800),
 				Int8.new(args[:arp_hw_len] || 6), 
 				Int8.new(args[:arp_proto_len] || 4), 
 				Int16.new(args[:arp_opcode] || 1),
-				EthMac.new.read(args[:arp_src_mac]),
-				Octets.new.read(args[:arp_src_ip]), 
+				EthMac.new.read(src_mac),
+				Octets.new.read(src_ip_bin),
 				EthMac.new.read(args[:arp_dst_mac]),
 				Octets.new.read(args[:arp_dst_ip]),
 				StructFu::String.new.read(args[:body])

data/lib/packetfu/protos/eth.rb

@@ -132,6 +132,12 @@ module PacketFu
 	# For more on the construction on MAC addresses, see 
 	# http://en.wikipedia.org/wiki/MAC_address
 	#
+	# TODO: Need to come up with a good way of dealing with vlan
+	# tagging. Having a usually empty struct member seems weird,
+	# but there may not be another way to do it if I want to preserve
+	# the Eth-ness of vlan-tagged 802.1Q packets. Also, may as well
+	# deal with 0x88a8 as well (http://en.wikipedia.org/wiki/802.1ad)
+	#
 	# ==== Header Definition
 	#
 	#  EthMac  :eth_dst                     # See EthMac
@@ -251,11 +257,17 @@ module PacketFu
 	#   eth_pkt.eth_daddr="00:1c:24:aa:bb:cc"
 	#
 	#   eth_pkt.to_w('eth0') # Inject on the wire. (require root)
+	#
 	class	EthPacket < Packet
 		attr_accessor :eth_header
 
 		def self.can_parse?(str)
-			str.size >= 14
+			# XXX Temporary fix. Need to extend the EthHeader class to handle more.
+			valid_eth_types = [0x0800, 0x0806, 0x86dd]
+			return false unless str.size >= 14
+			type = str[12,2].unpack("n").first rescue nil
+			return false unless valid_eth_types.include? type
+			true
 		end
 
 		def read(str=nil,args={})

data/lib/packetfu/protos/icmp.rb

@@ -1,9 +1,10 @@
 module PacketFu
 
-	# ICMPHeader is a complete ICMP struct, used in ICMPPacket. ICMP is typically used for network
-	# administration and connectivity testing.
+	# ICMPHeader is a complete ICMP struct, used in ICMPPacket. ICMP is 
+	# typically used for network administration and connectivity testing.
 	#
-	# For more on ICMP packets, see http://www.networksorcery.com/enp/protocol/icmp.htm
+	# For more on ICMP packets, see 
+	# http://www.networksorcery.com/enp/protocol/icmp.htm
 	# 
 	# ==== Header Definition
 	#

data/lib/packetfu/protos/ip.rb

@@ -162,11 +162,29 @@ module PacketFu
 		# Getter for the checksum.
 		def ip_sum; self[:ip_sum].to_i; end
 		# Setter for the source IP address.
-		def ip_src=(i); typecast i; end
+		def ip_src=(i)
+			case i
+			when Numeric
+				self[:ip_src] = Octets.new.read([i].pack("N"))
+			when Octets
+				self[:ip_src] = i
+			else
+				typecast i
+			end
+		end
 		# Getter for the source IP address.
 		def ip_src; self[:ip_src].to_i; end
 		# Setter for the destination IP address.
-		def ip_dst=(i); typecast i; end
+		def ip_dst=(i)
+			case i
+			when Numeric
+				self[:ip_dst] = Octets.new.read([i].pack("N"))
+			when Octets
+				self[:ip_dst] = i
+			else
+				typecast i
+			end
+		end
 		# Getter for the destination IP address.
 		def ip_dst; self[:ip_dst].to_i; end
 

data/lib/packetfu/protos/tcp.rb

@@ -546,14 +546,10 @@ module PacketFu
 			opts
 		end
 
-		def force_binary(str)
-			str.force_encoding "binary" if str.respond_to? :force_encoding
-		end
-
 		# Reads a string to populate the object.
 		def read(str)
-			self.clear if self.size > 0
-			force_binary(str)
+			self.clear 
+			PacketFu.force_binary(str)
 			return self if(!str.respond_to? :to_s || str.nil?)
 			i = 0
 			while i < str.to_s.size

data/lib/packetfu/structfu.rb

@@ -33,9 +33,13 @@ module StructFu
 		end
 	end
 
-	# Handle deep copies correctly
+	# Handle deep copies correctly. Marshal in 1.9, re-read myself on 1.8
 	def clone
-		Marshal.load(Marshal.dump(self))
+		begin
+			Marshal.load(Marshal.dump(self))
+		rescue
+			self.class.new.read(self.to_s)
+		end
 	end
 
 	# Ints all have a value, an endianness, and a default value.
@@ -282,7 +286,7 @@ class Struct
 	# Monkeypatch for Struct to include some string safety -- anything that uses
 	# Struct is going to presume binary strings anyway.
 	def force_binary(str)
-		str.force_encoding "binary" if str.respond_to? :force_encoding
+		PacketFu.force_binary(str)
 	end
 
 end

data/lib/packetfu/utils.rb

@@ -27,13 +27,12 @@ module PacketFu
 		#  It goes without saying, spewing forged ARP packets on your network is a great way to really
 		#  irritate your co-workers.
 		def self.arp(target_ip,args={})
-			arp_pkt = PacketFu::ARPPacket.new(:flavor => (args[:flavor] || :none))
-			arp_pkt.eth_saddr = arp_pkt.arp_saddr_mac = (args[:eth_saddr] || ($packetfu_default.config[:eth_saddr] if $packetfu_default) || "00:00:00:00:00:00" )
+			iface = args[:iface] || :eth0
+			args[:config] ||= whoami?(:iface => iface)
+			arp_pkt = PacketFu::ARPPacket.new(:flavor => (args[:flavor] || :none), :config => args[:config])
 			arp_pkt.eth_daddr = "ff:ff:ff:ff:ff:ff"
 			arp_pkt.arp_daddr_mac = "00:00:00:00:00:00"
-			arp_pkt.arp_saddr_ip = (args[:ip_saddr] || ($packetfu_default.config[:ip_saddr] if $packetfu_default) || "0.0.0.0")
-			arp_pkt.arp_daddr_ip = target_ip 
-			iface = (args[:iface] || ($packetfu_default.iface if $packetfu_default) || "eth0")
+			arp_pkt.arp_daddr_ip = target_ip
 			# Stick the Capture object in its own thread.
 			cap_thread = Thread.new do
 				target_mac = nil
@@ -59,9 +58,15 @@ module PacketFu
 		# operation; a UDP packet is generated and dropped on to the default (or named)
 		# interface, and then captured (which means you need to be root to do this).
 		#
-		# whoami? returns a hash of :eth_saddr, :eth_src, :ip_saddr, :ip_src,
-		# :eth_dst, and :eth_daddr (the last two are usually suitable for a
-		# gateway mac address). It's most useful as an argument to PacketFu::Config.new.
+		# whoami? returns a hash of :eth_saddr, :eth_src, :ip_saddr, :ip_src, 
+		# :ip_src_bin, :eth_dst, and :eth_daddr (the last two are usually suitable 
+		# for a gateway mac address). It's most useful as an argument to 
+		# PacketFu::Config.new, or as an argument to the many Packet constructors.
+		#
+		# Note that if you have multiple interfaces with the same route (such as when
+		# wlan0 and eth0 are associated to the same network), the "first" one
+		# according to Pcap.lookupdev will be used, regardless of which :iface you 
+		# pick.
 		#
 		# === Parameters
 		#   :iface => "eth0"
@@ -72,7 +77,10 @@ module PacketFu
 		#    Since this network is IANA reserved (for now), this network should be handled by your default gateway
 		#    and default interface.
 		def self.whoami?(args={})
-			if args[:iface] =~ /^lo/ # Linux loopback more or less. Need a switch for windows loopback, too.
+			unless args.kind_of? Hash
+				raise ArgumentError, "Argument to `whoami?' must be a Hash"
+			end
+			if args[:iface].to_s =~ /^lo/ # Linux loopback more or less. Need a switch for windows loopback, too.
 				dst_host = "127.0.0.1"
 			else
 				dst_host = (args[:target] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
@@ -80,8 +88,11 @@ module PacketFu
 
 			dst_port = rand(0xffff-1024)+1024
 			msg = "PacketFu whoami? packet #{(Time.now.to_i + rand(0xffffff)+1)}"
-			cap = PacketFu::Capture.new(:iface => (args[:iface] || ENV['IFACE'] || Pcap.lookupdev || "lo" ), :start => true, :filter => "udp and dst host #{dst_host} and dst port #{dst_port}")
-			UDPSocket.open.send(msg,0,dst_host,dst_port)
+			iface = (args[:iface] || ENV['IFACE'] || Pcap.lookupdev || :lo ).to_s
+			cap = PacketFu::Capture.new(:iface => iface, :promisc => false, :start => true, :filter => "udp and dst host #{dst_host} and dst port #{dst_port}")
+			udp_sock = UDPSocket.new
+			udp_sock.send(msg,0,dst_host,dst_port)
+			udp_sock = nil
 			cap.save
 			pkt = Packet.parse(cap.array[0]) unless cap.save.zero?
 			timeout = 0
@@ -90,12 +101,13 @@ module PacketFu
 					timeout = 1.1 # Cancel the timeout
 					if pkt.payload == msg
 					my_data =	{
-						:iface => args[:iface] || ENV['IFACE'] || Pcap.lookupdev || "lo",
+						:iface => (args[:iface] || ENV['IFACE'] || Pcap.lookupdev || "lo").to_s,
 						:pcapfile => args[:pcapfile] || "/tmp/out.pcap",
 						:eth_saddr => pkt.eth_saddr,
 						:eth_src => pkt.eth_src.to_s,
 						:ip_saddr => pkt.ip_saddr,
-						:ip_src => pkt.ip_src.to_s,
+						:ip_src => pkt.ip_src,
+						:ip_src_bin => [pkt.ip_src].pack("N"),
 						:eth_dst => pkt.eth_dst.to_s,
 						:eth_daddr => pkt.eth_daddr
 					}
@@ -107,7 +119,7 @@ module PacketFu
 					cap.save
 					pkt = Packet.parse(cap.array[0]) unless cap.save.zero?
 				end
-				raise SocketError, "Didn't receive the whomi() packet." if !pkt
+				raise SocketError, "Didn't receive the whomi() packet, can't automatically configure." if !pkt
 				cap = nil
 			end
 			my_data
@@ -161,7 +173,7 @@ module PacketFu
 				end
 				ifconfig_data.each do |s|
 					case s
-					when /inet addr:[\s]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9])(.*Mask:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]))?/i
+					when /inet addr:[\s]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(.*Mask:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+))?/i
 						ret[:ip_saddr] = $1
 						ret[:ip_src] = [IPAddr.new($1).to_i].pack("N")
 						ret[:ip4_obj] = IPAddr.new($1)

data/lib/packetfu/version.rb

@@ -1,7 +1,7 @@
 module PacketFu
 
 	# Check the repo's for version release histories
-	VERSION = "1.0.4" 
+	VERSION = "1.1.0" 
 
 	# Returns PacketFu::VERSION
 	def self.version

data/test/all_tests.rb

@@ -19,6 +19,7 @@
 
 $:.unshift File.expand_path(File.dirname(__FILE__) + "/../lib/")
 require 'packetfu'
+puts "Testing PacketFu v#{PacketFu::VERSION}"
 dir = Dir.new(File.dirname(__FILE__))
 
 dir.each { |file|

data/test/ethpacket_spec.rb

@@ -0,0 +1,74 @@
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
+require 'packetfu'
+
+include PacketFu
+
+describe EthPacket, "when read from a pcap file" do
+
+	before :all do
+		parsed_packets = PcapFile.read_packets(File.join(".","sample.pcap"))
+		@eth_packet = parsed_packets.first
+	end
+
+	context "is a regular ethernet packet" do
+
+		subject { @eth_packet }
+
+		it "should be an EthPacket kind of packet" do
+			subject.should be_kind_of EthPacket
+		end
+
+		it "should have a dest mac address" do
+			subject.eth_daddr.should == "00:03:2f:1a:74:de"
+		end
+
+		it "should have a source mac address" do
+			subject.eth_saddr.should == "00:1b:11:51:b7:ce"
+		end
+
+		its(:size) { should == 78 }
+
+		it "should have a payload in its first header" do
+			subject.headers.first.body.should_not be_nil
+		end
+
+		context "an EthPacket's first header" do
+
+			subject { @eth_packet.headers.first }
+
+			it "should be 64 bytes" do
+				subject.body.sz.should == 64
+			end
+
+			context "EthHeader struct members" do
+				if RUBY_VERSION =~ /^1\.8/
+					its(:members) { should include :eth_dst.to_s }
+					its(:members) { should include :eth_src.to_s }
+					its(:members) { should include :eth_proto.to_s }
+					its(:members) { should include :body.to_s }
+				else
+					its(:members) { should include :eth_dst }
+					its(:members) { should include :eth_src }
+					its(:members) { should include :eth_proto }
+					its(:members) { should include :body }
+				end
+			end
+
+		end
+
+	end
+
+	context "isn't a regular Ethernet packet" do
+
+		subject {
+			parsed_packets = PcapFile.read_packets(File.join(".","vlan-pcapr.cap"))
+			parsed_packets.first
+		}
+
+		it "should not be an EthPacket" do
+			subject.should_not be_kind_of EthPacket
+		end
+
+	end
+
+end

data/test/packet_spec.rb

@@ -1,4 +1,5 @@
-require File.join("..","lib","packetfu")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
+require 'packetfu'
 
 describe PacketFu::Packet, "abstract packet class behavior" do
 

data/test/packet_subclasses_spec.rb

@@ -1,4 +1,5 @@
-require File.join("..","lib","packetfu")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
+require 'packetfu'
 
 PacketFu.packet_classes.each do |pclass|
 	describe pclass, "peek format" do

data/test/packetfu_spec.rb

@@ -1,4 +1,5 @@
-require File.join("..","lib","packetfu")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
+require 'packetfu'
 
 unless %x{#{$0} --version} =~ /^2\.6/
 	puts "PacketFu needs rspec 2.6 or so."

data/test/structfu_spec.rb

@@ -1,4 +1,5 @@
-require File.join("..","lib","packetfu")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
+require 'packetfu'
 
 describe StructFu, "mixin methods" do
 

data/test/tcp_spec.rb

@@ -1,4 +1,5 @@
-require File.join("..","lib","packetfu")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
+require 'packetfu'
 
 include PacketFu
 

data/test/test_arp.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 class ArpTest < Test::Unit::TestCase
 	include PacketFu

data/test/test_eth.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$:.unshift File.expand_path(File.join(File.dirname(__FILE__), "..", "lib"))
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 puts "Testing #{PacketFu.version}: #{$0}"
 

data/test/test_hsrp.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 class HSRPTest < Test::Unit::TestCase

data/test/test_icmp.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 class ICMPTest < Test::Unit::TestCase

data/test/test_inject.rb

@@ -1,11 +1,9 @@
 #!/usr/bin/env ruby
-$:.unshift File.expand_path(File.dirname(__FILE__) + "/../lib/")
-
 require 'test/unit'
-
-# Needed if you're using the gem version of pcaprub. Obviated in 1.9.
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
+
 class InjectTest < Test::Unit::TestCase
 
 	def test_cap

data/test/test_invalid.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 class InvalidTest < Test::Unit::TestCase

data/test/test_ip.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 class OctetsTest < Test::Unit::TestCase

data/test/test_ip6.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 class IPv6AddrTest < Test::Unit::TestCase

data/test/test_octets.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 class OctetTest < Test::Unit::TestCase

data/test/test_packet.rb

@@ -2,7 +2,6 @@
 require 'test/unit'
 $:.unshift File.expand_path(File.join(File.dirname(__FILE__), "..", "lib"))
 require 'packetfu'
-puts "Testing #{PacketFu.version}: #{$0}"
 
 class NewPacketTest < Test::Unit::TestCase
 	include PacketFu

data/test/test_pcap.rb

@@ -1,7 +1,6 @@
 #!/usr/bin/env ruby
-
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 class PcapHeaderTest < Test::Unit::TestCase

data/test/test_structfu.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 # Whee unit testing.

data/test/test_tcp.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 class String

data/test/test_udp.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'test/unit'
-$: << File.expand_path(File.dirname(__FILE__) + "/../lib/")
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
 require 'packetfu'
 
 class UDPTest < Test::Unit::TestCase

metadata

@@ -1,14 +1,8 @@
 --- !ruby/object:Gem::Specification 
 name: packetfu
 version: !ruby/object:Gem::Version 
-  hash: -1329738657
-  prerelease: 6
-  segments: 
-  - 1
-  - 0
-  - 5
-  - pre
-  version: 1.0.5.pre
+  prerelease: 
+  version: 1.1.0
 platform: ruby
 authors: 
 - Tod Beardsley
@@ -16,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-06-06 00:00:00 -05:00
+date: 2011-06-11 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -27,11 +21,6 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: 63
-        segments: 
-        - 0
-        - 9
-        - 2
         version: 0.9.2
   type: :development
   version_requirements: *id001
@@ -43,7 +32,6 @@ extensions: []
 
 extra_rdoc_files: 
 - README
-- INSTALL
 - .document
 files: 
 - lib/packetfu.rb
@@ -89,7 +77,9 @@ files:
 - test/arp_test.pcap
 - test/test_inject.rb
 - test/test_eth.rb
+- test/ethpacket_spec.rb
 - test/packet_spec.rb
+- test/vlan-pcapr.cap
 - test/sample-ipv6.pcap
 - test/test_hsrp.rb
 - test/test_structfu.rb
@@ -105,6 +95,7 @@ files:
 - examples/examples.rb
 - examples/simple-stats.rb
 - examples/arphood.rb
+- examples/simple-sniffer.rb
 - examples/ethernet.rb
 - examples/arp.rb
 - examples/slammer.rb
@@ -113,8 +104,9 @@ files:
 - examples/ackscan.rb
 - examples/ids.rb
 - examples/new-simple-stats.rb
+- examples/100kpackets.rb
 has_rdoc: true
-homepage: http://code.google.com/p/packetfu/
+homepage: https://github.com/todb/packetfu
 licenses: 
 - BSD
 post_install_message: 
@@ -127,27 +119,19 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
   requirements: 
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version 
-      hash: 25
-      segments: 
-      - 1
-      - 3
-      - 1
-      version: 1.3.1
+      version: "0"
 requirements: 
 - sdoc, for generating local documentation
 - rspec, v2.6.2 or later, for testing
 - pcaprub v0.9.2 or later, for packet capture/inject
 rubyforge_project: packetfu
-rubygems_version: 1.4.2
+rubygems_version: 1.6.2
 signing_key: 
 specification_version: 3
 summary: PacketFu is a mid-level packet manipulation library.