packetfu 1.1.5 → 1.1.6

data/.document

@@ -1,4 +1,7 @@
 lib/packetfu.rb
 lib/packetfu/
-README
-LICENSE
+-
+LICENSE.txt
+INSTALL.rdoc
+README.rdoc
+examples/*.rb

data/.gitignore

@@ -1,3 +1,4 @@
 *.gem
 doc/
 pkg/
+test/*test.pcap

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2008-2011, Tod Beardsley
+Copyright (c) 2008-2012, Tod Beardsley
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

data/bench/after-2012-07-28.txt

@@ -0,0 +1,25 @@
+Parsing a TCP Packet...
+       user     system      total        real
+PacketFu::Packet.parse()    1.670000   0.010000   1.680000 (  1.664486)
+PacketFu::EthPacket.new.read()    0.180000   0.000000   0.180000 (  0.179386)
+PacketFu::IPPacket.new.read()    0.410000   0.000000   0.410000 (  0.415767)
+PacketFu::TCPPacket.new.read()    1.380000   0.000000   1.380000 (  1.375509)
+
+Parsing a UDP Packet...
+       user     system      total        real
+PacketFu::Packet.parse()    1.750000   0.000000   1.750000 (  1.757758)
+PacketFu::EthPacket.new.read()    0.180000   0.000000   0.180000 (  0.179951)
+PacketFu::IPPacket.new.read()    0.420000   0.000000   0.420000 (  0.416224)
+PacketFu::UDPPacket.new.read()    0.720000   0.000000   0.720000 (  0.715579)
+
+Parsing a ARP Packet...
+       user     system      total        real
+PacketFu::Packet.parse()    0.820000   0.000000   0.820000 (  0.823303)
+PacketFu::EthPacket.new.read()    0.180000   0.000000   0.180000 (  0.182247)
+PacketFu::ARPPacket.new.read()    0.670000   0.000000   0.670000 (  0.672712)
+
+Parsing a IPv6 Packet...
+       user     system      total        real
+PacketFu::Packet.parse()    0.700000   0.000000   0.700000 (  0.695721)
+PacketFu::EthPacket.new.read()    0.180000   0.000000   0.180000 (  0.180608)
+PacketFu::IPv6Packet.new.read()    0.530000   0.000000   0.530000 (  0.527124)

data/bench/before-2012-07-28.txt

@@ -0,0 +1,25 @@
+Parsing a TCP Packet...
+       user     system      total        real
+PacketFu::Packet.parse()    3.290000   0.000000   3.290000 (  3.290771)
+PacketFu::EthPacket.new.read()    0.180000   0.000000   0.180000 (  0.181850)
+PacketFu::IPPacket.new.read()    0.490000   0.000000   0.490000 (  0.484150)
+PacketFu::TCPPacket.new.read()    2.970000   0.000000   2.970000 (  2.977186)
+
+Parsing a UDP Packet...
+       user     system      total        real
+PacketFu::Packet.parse()    2.530000   0.010000   2.540000 (  2.529333)
+PacketFu::EthPacket.new.read()    0.180000   0.000000   0.180000 (  0.179065)
+PacketFu::IPPacket.new.read()    0.490000   0.000000   0.490000 (  0.487412)
+PacketFu::UDPPacket.new.read()    1.060000   0.000000   1.060000 (  1.067339)
+
+Parsing a ARP Packet...
+       user     system      total        real
+PacketFu::Packet.parse()    0.860000   0.000000   0.860000 (  0.851042)
+PacketFu::EthPacket.new.read()    0.180000   0.000000   0.180000 (  0.183220)
+PacketFu::ARPPacket.new.read()    0.720000   0.000000   0.720000 (  0.718533)
+
+Parsing a IPv6 Packet...
+       user     system      total        real
+PacketFu::Packet.parse()    0.750000   0.000000   0.750000 (  0.753657)
+PacketFu::EthPacket.new.read()    0.180000   0.000000   0.180000 (  0.182015)
+PacketFu::IPv6Packet.new.read()    0.610000   0.000000   0.610000 (  0.611805)

data/bench/benchit.rb

@@ -0,0 +1,68 @@
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
+require 'packetfu'
+require 'benchmark'
+class String
+  def bin
+    self.scan(/../).map {|x| x.to_i(16).chr}.join
+  end
+end
+
+file_pfx = ARGV.shift
+
+IPV6_PACKET = "3333000000fb442a60c14d7b86dd60000000006611fffe80000000000000462a60fffec14d7bff0200000000000000000000000000fb14e914e900664ed1000000000002000000020000145542432d437573746f6d6572732d695061642d33056c6f63616c0000ff0001c00c00ff0001c00c001c0001000000780010fe80000000000000462a60fffec14d7bc00c0001000100000078000448d77827".bin
+
+ARP_PACKET = "ffffffffffff001e6837bcf708060001080006040001001e6837bcf748d7780100000000000048d779f7000000000000000000000000000000000000".bin
+
+UDP_PACKET = "01005e7ffffa100ba9eb63400800450000a12d7c0000011159b446a5fb7ceffffffacdf3076c008d516e4d2d534541524348202a20485454502f312e310d0a486f73743a3233392e3235352e3235352e3235303a313930300d0a53543a75726e3a736368656d61732d75706e702d6f72673a6465766963653a496e7465726e6574476174657761794465766963653a310d0a4d616e3a22737364703a646973636f766572220d0a4d583a330d0a0d0a".bin
+
+TCP_PACKET = "e0f8472161a600254ba0760608004500004403554000400651d0c0a83207c0a832370224c1d22d94847f0b07c4ba8018ffff30ba00000101080a8731821433564b8c01027165000000000000200000000000".bin
+
+iters = 5_000
+data = []
+data = []
+data = []
+data = []
+puts "Parsing a TCP Packet..."
+require 'pp'
+Benchmark.bm do |bm|
+  data << bm.report("PacketFu::Packet.parse()  ") { iters.times {PacketFu::Packet.parse(TCP_PACKET)} }
+  data << bm.report("PacketFu::EthPacket.new.read()  ") { iters.times {PacketFu::EthPacket.new.read(TCP_PACKET)} }
+  data << bm.report("PacketFu::IPPacket.new.read()  ") { iters.times {PacketFu::IPPacket.new.read(TCP_PACKET)} }
+  data << bm.report("PacketFu::TCPPacket.new.read()  ") { iters.times {PacketFu::TCPPacket.new.read(TCP_PACKET)} }
+  nil
+end
+
+puts ""
+puts "Parsing a UDP Packet..."
+Benchmark.bm do |bm|
+  data << bm.report("PacketFu::Packet.parse()  ") { iters.times {PacketFu::Packet.parse(UDP_PACKET)} }
+  data << bm.report("PacketFu::EthPacket.new.read()  ") { iters.times {PacketFu::EthPacket.new.read(UDP_PACKET)} }
+  data << bm.report("PacketFu::IPPacket.new.read()  ") { iters.times {PacketFu::IPPacket.new.read(UDP_PACKET)} }
+  data << bm.report("PacketFu::UDPPacket.new.read()  ") { iters.times {PacketFu::UDPPacket.new.read(UDP_PACKET)} }
+  nil
+end
+
+puts ""
+puts "Parsing a ARP Packet..."
+Benchmark.bm do |bm|
+  data << bm.report("PacketFu::Packet.parse()  ") { iters.times {PacketFu::Packet.parse(ARP_PACKET)} }
+  data << bm.report("PacketFu::EthPacket.new.read()  ") { iters.times {PacketFu::EthPacket.new.read(ARP_PACKET)} }
+  data << bm.report("PacketFu::ARPPacket.new.read()  ") { iters.times {PacketFu::ARPPacket.new.read(ARP_PACKET)} }
+  nil
+end
+
+puts ""
+puts "Parsing a IPv6 Packet..."
+Benchmark.bm do |bm|
+  data << bm.report("PacketFu::Packet.parse()  ") { iters.times {PacketFu::Packet.parse(IPV6_PACKET)} }
+  data << bm.report("PacketFu::EthPacket.new.read()  ") { iters.times {PacketFu::EthPacket.new.read(IPV6_PACKET)} }
+  data << bm.report("PacketFu::IPv6Packet.new.read()  ") { iters.times {PacketFu::IPv6Packet.new.read(IPV6_PACKET)} }
+  nil
+end
+if file_pfx
+  filename = "#{file_pfx}.dat"
+  puts "dumping data to #{filename}"
+  fio = File.open(filename, "w")
+  Marshal.dump(data, fio)
+  fio.close
+end

data/bench/calc_delta.rb

@@ -0,0 +1,17 @@
+require 'benchmark'
+require 'pp'
+
+before = ARGV.shift
+after = ARGV.shift
+
+fio = File.open(before)
+before_data = Marshal.load(fio)
+fio.close
+
+fio = File.open(after)
+after_data = Marshal.load(fio)
+fio.close
+
+before_data.each_with_index do |data, i|
+  puts (data.total / after_data[i].total)
+end

data/bench/octets.rb

@@ -0,0 +1,22 @@
+require 'benchmark'
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)), "..", "lib")
+require 'packetfu'
+
+IPV4_RAW = "\x01\x02\x03\x04"
+IPV4_STR = "1.2.3.4"
+
+
+iters = 50_000
+Benchmark.bm do |bm|
+	bm.report("Octets.new.read(...)         ") {iters.times {PacketFu::Octets.new.read(IPV4_RAW)}}
+	bm.report("Octets.new.read_quad(...)    ") {iters.times {PacketFu::Octets.new.read_quad(IPV4_STR)}}
+
+	octets = PacketFu::Octets.new
+	bm.report("octets#read(...)             ") {iters.times {octets.read(IPV4_RAW)}}
+	bm.report("octets#read_quad(...)        ") {iters.times {octets.read_quad(IPV4_STR)}}
+
+	octets.read(IPV4_RAW)
+	bm.report("octets#to_x()                ") {iters.times {octets.to_x}}
+	bm.report("octets#to_i()                ") {iters.times {octets.to_i}}
+	bm.report("octets#to_s()                ") {iters.times {octets.to_s}}
+end

data/bench/octets_after.txt

@@ -0,0 +1,8 @@
+       user     system      total        real
+Octets.new.read(...)           0.480000   0.000000   0.480000 (  0.485710)
+Octets.new.read_quad(...)      0.480000   0.000000   0.480000 (  0.480071)
+octets#read(...)               0.180000   0.000000   0.180000 (  0.184558)
+octets#read_quad(...)          0.180000   0.000000   0.180000 (  0.175781)
+octets#to_x()                  0.120000   0.000000   0.120000 (  0.120217)
+octets#to_i()                  0.040000   0.000000   0.040000 (  0.043496)
+octets#to_s()                  0.100000   0.010000   0.110000 (  0.093341)

data/bench/octets_after_refactor.txt

@@ -0,0 +1,8 @@
+       user     system      total        real
+Octets.new.read(...)           0.200000   0.000000   0.200000 (  0.207577)
+Octets.new.read_quad(...)      0.290000   0.000000   0.290000 (  0.285364)
+octets#read(...)               0.080000   0.000000   0.080000 (  0.074826)
+octets#read_quad(...)          0.140000   0.000000   0.140000 (  0.145170)
+octets#to_x()                  0.140000   0.000000   0.140000 (  0.139427)
+octets#to_i()                  0.020000   0.000000   0.020000 (  0.016444)
+octets#to_s()                  0.040000   0.000000   0.040000 (  0.042925)

data/bench/octets_before.txt

@@ -0,0 +1,8 @@
+       user     system      total        real
+Octets.new.read(...)           0.480000   0.000000   0.480000 (  0.482913)
+Octets.new.read_quad(...)      1.390000   0.460000   1.850000 (  1.858652)
+octets#read(...)               0.190000   0.000000   0.190000 (  0.186785)
+octets#read_quad(...)          1.030000   0.400000   1.430000 (  1.435857)
+octets#to_x()                  1.010000   0.470000   1.480000 (  1.480452)
+octets#to_i()                  0.830000   0.420000   1.250000 (  1.250348)
+octets#to_s()                  0.150000   0.000000   0.150000 (  0.157041)

data/lib/packetfu.rb

@@ -27,7 +27,7 @@ module PacketFu
 
 	# Deal with Ruby's encoding by ignoring it.
 	def self.force_binary(str)
-		str.force_encoding "binary" if str.respond_to? :force_encoding
+		str.force_encoding Encoding::BINARY if str.respond_to? :force_encoding
 	end
 
 	# Sets the expected byte order for a pcap file. See PacketFu::Read.set_byte_order
@@ -77,6 +77,7 @@ module PacketFu
 		end
 		@packet_classes ||= []
 		@packet_classes << klass
+		@packet_classes_dirty = true
 		@packet_classes.sort! {|x,y| x.name <=> y.name}
 	end
 
@@ -85,6 +86,7 @@ module PacketFu
 		raise "Need a class" unless klass.kind_of? Class
 		@packet_classes ||= []
 		@packet_classes.delete klass
+		@packet_classes_dirty = true
 		@packet_classes 
 	end
 
@@ -95,8 +97,11 @@ module PacketFu
 
 	# Returns an array of packet types by packet prefix.
 	def self.packet_prefixes
-		return [] unless @packet_classes
-		@packet_classes.map {|p| p.to_s.split("::").last.to_s.downcase.gsub(/packet$/,"")}
+		return [] if @packet_classes.nil?
+		return @packet_class_prefixes if @packet_classes_dirty == false
+		@packet_classes_dirty = false
+		@packet_class_prefixes = @packet_classes.map {|p| p.to_s.split("::").last.to_s.downcase.gsub(/packet$/,"")}
+		return @packet_class_prefixes
 	end
 
 	# The current inspect style. One of :hex, :dissect, or :default

data/lib/packetfu/packet.rb

@@ -19,7 +19,7 @@ module PacketFu
 
 		# Force strings into binary.
 		def self.force_binary(str)
-			str.force_encoding "binary" if str.respond_to? :force_encoding
+			str.force_encoding Encoding::BINARY if str.respond_to? :force_encoding
 		end
 
 		# Parse() creates the correct packet type based on the data, and returns the apporpiate
@@ -284,7 +284,7 @@ module PacketFu
 
 		# Hexify provides a neatly-formatted dump of binary data, familar to hex readers.
 		def hexify(str)
-			str.force_encoding("ASCII-8BIT") if str.respond_to? :force_encoding
+			str.force_encoding(Encoding::BINARY) if str.respond_to? :force_encoding
 			hexascii_lines = str.to_s.unpack("H*")[0].scan(/.{1,32}/)
 			regex = Regexp.new('[\x00-\x1f\x7f-\xff]', nil, 'n')
 			chars = str.to_s.gsub(regex,'.')

data/lib/packetfu/pcap.rb

@@ -79,7 +79,7 @@ module PacketFu
 		def read(str)
 			force_binary(str)
 			return self if str.nil?
-			str.force_encoding("binary") if str.respond_to? :force_encoding
+			str.force_encoding(Encoding::BINARY) if str.respond_to? :force_encoding
 			if str[0,4] == self[:magic].to_s 
 				self[:magic].read str[0,4]
 				self[:ver_major].read str[4,2]
@@ -192,7 +192,7 @@ module PacketFu
 		end
 
 		def force_binary(str)
-			str.force_encoding "binary" if str.respond_to? :force_encoding
+			str.force_encoding Encoding::BINARY if str.respond_to? :force_encoding
 		end
 
 		# Reads a string to populate the object. Note, this read takes in the 
@@ -265,8 +265,11 @@ module PacketFu
 						warn "Packet ##{packet_count} is corrupted: expected #{len.to_i}, got #{pcap_packet.data.size}. Exiting."
 						break
 					end
-					pcap_packets << pcap_packet.clone
-					yield pcap_packets.last if block
+					if block
+						yield pcap_packet
+					else
+						pcap_packets << pcap_packet.clone
+					end
 				end
 				ensure
 					file_handle.close
@@ -317,6 +320,7 @@ module PacketFu
 
 		def initialize(args={})
 			init_fields(args)
+			@filename = args.delete :filename
 			super(args[:endian], args[:head], args[:body])
 		end
 
@@ -361,6 +365,18 @@ module PacketFu
 			self.read! fdata
 		end
 
+		# Calls the class method with this object's @filename
+		def read_packet_bytes(fname=@filename,&block)
+			raise ArgumentError, "Need a file" unless fname
+			return self.class.read_packet_bytes(fname, &block)
+		end
+
+		# Calls the class method with this object's @filename
+		def read_packets(fname=@filename,&block)
+			raise ArgumentError, "Need a file" unless fname
+			return self.class.read_packets(fname, &block)
+		end
+
 		# file_to_array() translates a libpcap file into an array of packets.
 		# Note that this strips out pcap timestamps -- if you'd like to retain
 		# timestamps and other libpcap file information, you will want to 

data/lib/packetfu/protos/arp.rb

@@ -1,163 +1,10 @@
-module PacketFu
-
-	# ARPHeader is a complete ARP struct, used in ARPPacket. 
-	#
-	# ARP is used to discover the machine address of nearby devices.
-	#
-	# See http://www.networksorcery.com/enp/protocol/arp.htm for details.
-	#
-	# ==== Header Definition
-	#
-	#	 Int16   :arp_hw          Default: 1       # Ethernet
-	#	 Int16   :arp_proto,      Default: 0x8000  # IP
-	#	 Int8    :arp_hw_len,     Default: 6
-	#	 Int8    :arp_proto_len,  Default: 4
-	#	 Int16   :arp_opcode,     Default: 1       # 1: Request, 2: Reply, 3: Request-Reverse, 4: Reply-Reverse
-	#	 EthMac  :arp_src_mac                      # From eth.rb
-	#	 Octets  :arp_src_ip                       # From ip.rb
-	#	 EthMac  :arp_dst_mac                      # From eth.rb
-	#	 Octets  :arp_dst_ip                       # From ip.rb
-	#	 String  :body
-	class ARPHeader < Struct.new(:arp_hw, :arp_proto, :arp_hw_len,
-															 :arp_proto_len, :arp_opcode,
-															 :arp_src_mac, :arp_src_ip,
-															 :arp_dst_mac, :arp_dst_ip,
-															 :body)
-		include StructFu
-
-		def initialize(args={})
-			src_mac = args[:arp_src_mac] || (args[:config][:eth_src] if args[:config])
-			src_ip_bin = args[:arp_src_ip]   || (args[:config][:ip_src_bin] if args[:config])
-
-			super( 
-				Int16.new(args[:arp_hw] || 1), 
-				Int16.new(args[:arp_proto] ||0x0800),
-				Int8.new(args[:arp_hw_len] || 6), 
-				Int8.new(args[:arp_proto_len] || 4), 
-				Int16.new(args[:arp_opcode] || 1),
-				EthMac.new.read(src_mac),
-				Octets.new.read(src_ip_bin),
-				EthMac.new.read(args[:arp_dst_mac]),
-				Octets.new.read(args[:arp_dst_ip]),
-				StructFu::String.new.read(args[:body])
-			)
-		end
-
-		# Returns the object in string form.
-		def to_s
-			self.to_a.map {|x| x.to_s}.join
-		end
+require 'packetfu/protos/eth/header'
+require 'packetfu/protos/eth/mixin'
 
-		# Reads a string to populate the object.
-		def read(str)
-			force_binary(str)
-			return self if str.nil?
-			self[:arp_hw].read(str[0,2])
-			self[:arp_proto].read(str[2,2])
-			self[:arp_hw_len].read(str[4,1])
-			self[:arp_proto_len].read(str[5,1])
-			self[:arp_opcode].read(str[6,2])
-			self[:arp_src_mac].read(str[8,6])
-			self[:arp_src_ip].read(str[14,4])
-			self[:arp_dst_mac].read(str[18,6])
-			self[:arp_dst_ip].read(str[24,4])
-			self[:body].read(str[28,str.size])
-			self
-		end
+require 'packetfu/protos/arp/header'
+require 'packetfu/protos/arp/mixin'
 
-		# Setter for the ARP hardware type.
-		def arp_hw=(i); typecast i; end
-		# Getter for the ARP hardware type.
-		def arp_hw; self[:arp_hw].to_i; end
-		# Setter for the ARP protocol.
-		def arp_proto=(i); typecast i; end
-		# Getter for the ARP protocol.
-		def arp_proto; self[:arp_proto].to_i; end
-		# Setter for the ARP hardware type length.
-		def arp_hw_len=(i); typecast i; end
-		# Getter for the ARP hardware type length.
-		def arp_hw_len; self[:arp_hw_len].to_i; end
-		# Setter for the ARP protocol length.
-		def arp_proto_len=(i); typecast i; end
-		# Getter for the ARP protocol length.
-		def arp_proto_len; self[:arp_proto_len].to_i; end
-		# Setter for the ARP opcode. 
-		def arp_opcode=(i); typecast i; end
-		# Getter for the ARP opcode. 
-		def arp_opcode; self[:arp_opcode].to_i; end
-		# Setter for the ARP source MAC address.
-		def arp_src_mac=(i); typecast i; end
-		# Getter for the ARP source MAC address.
-		def arp_src_mac; self[:arp_src_mac].to_s; end
-		# Getter for the ARP source IP address.
-		def arp_src_ip=(i); typecast i; end
-		# Setter for the ARP source IP address.
-		def arp_src_ip; self[:arp_src_ip].to_s; end
-		# Setter for the ARP destination MAC address.
-		def arp_dst_mac=(i); typecast i; end
-		# Setter for the ARP destination MAC address.
-		def arp_dst_mac; self[:arp_dst_mac].to_s; end
-		# Setter for the ARP destination IP address.
-		def arp_dst_ip=(i); typecast i; end
-		# Getter for the ARP destination IP address.
-		def arp_dst_ip; self[:arp_dst_ip].to_s; end
-
-		# Set the source MAC address in a more readable way.
-		def arp_saddr_mac=(mac)
-			mac = EthHeader.mac2str(mac)
-			self[:arp_src_mac].read(mac)
-			self.arp_src_mac
-		end
-
-		# Get a more readable source MAC address.
-		def arp_saddr_mac
-			EthHeader.str2mac(self[:arp_src_mac].to_s)
-		end
-
-		# Set the destination MAC address in a more readable way.
-		def arp_daddr_mac=(mac)
-			mac = EthHeader.mac2str(mac)
-			self[:arp_dst_mac].read(mac)
-			self.arp_dst_mac
-		end
-
-		# Get a more readable source MAC address.
-		def arp_daddr_mac
-			EthHeader.str2mac(self[:arp_dst_mac].to_s)
-		end
-
-		# Set a more readable source IP address. 
-		def arp_saddr_ip=(addr)
-			self[:arp_src_ip].read_quad(addr)
-		end
-
-		# Get a more readable source IP address. 
-		def arp_saddr_ip
-			self[:arp_src_ip].to_x
-		end
-
-		# Set a more readable destination IP address.
-		def arp_daddr_ip=(addr)
-			self[:arp_dst_ip].read_quad(addr)
-		end
-		
-		# Get a more readable destination IP address.
-		def arp_daddr_ip
-			self[:arp_dst_ip].to_x
-		end
-
-		# Readability aliases
-
-		alias :arp_src_mac_readable :arp_saddr_mac
-		alias :arp_dst_mac_readable :arp_daddr_mac
-		alias :arp_src_ip_readable :arp_saddr_ip
-		alias :arp_dst_ip_readable :arp_daddr_ip
-
-		def arp_proto_readable
-			"0x%04x" % arp_proto
-		end
-
-	end # class ARPHeader
+module PacketFu
 
 	# ARPPacket is used to construct ARP packets. They contain an EthHeader and an ARPHeader.
 	# == Example
@@ -184,6 +31,8 @@ module PacketFu
 	#  :config
 	#   A hash of return address details, often the output of Utils.whoami?
 	class ARPPacket < Packet
+    include ::PacketFu::EthHeaderMixin
+    include ::PacketFu::ARPHeaderMixin
 
 		attr_accessor :eth_header, :arp_header
 
@@ -197,8 +46,6 @@ module PacketFu
 		def read(str=nil,args={})
 			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
 			@eth_header.read(str)
-			@arp_header.read(str[14,str.size])
-			@eth_header.body = @arp_header
 			super(args)
 			self
 		end