packetgen 0.1.0

data/lib/packetgen/pcapng.rb

@@ -0,0 +1,39 @@
+require 'stringio'
+
+module PacketGen
+
+  # Module to handle PCAP-NG file format.
+  # See http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/pcapng/pcapng/master/draft-tuexen-opsawg-pcapng.xml&modeAsFormat=html/ascii&type=ascii
+  module PcapNG
+
+    # Section Header Block type number
+    SHB_TYPE = StructFu::Int32.new(0x0A0D0D0A, :little)
+    # Interface Description Block type number
+    IDB_TYPE = StructFu::Int32.new(1, :little)
+    # Simple Packet Block type number
+    SPB_TYPE = StructFu::Int32.new(3, :little)
+    # Enhanced Packet Block type number
+    EPB_TYPE = StructFu::Int32.new(6, :little)
+
+    # Various LINKTYPE values from http://www.tcpdump.org/linktypes.html
+    # FIXME: only ETHERNET type is defined as this is the only link layer
+    # type supported by PacketGen
+    LINKTYPE_ETHERNET = 1
+
+    # Base error class for PcapNG
+    class Error < PacketGen::Error; end
+    # Invalid PcapNG file error
+    class InvalidFileError < Error; end
+
+  end
+
+end
+
+
+require_relative 'pcapng/block.rb'
+require_relative 'pcapng/unknown_block.rb'
+require_relative 'pcapng/shb.rb'
+require_relative 'pcapng/idb.rb'
+require_relative 'pcapng/epb.rb'
+require_relative 'pcapng/spb.rb'
+require_relative 'pcapng/file.rb'

data/lib/packetgen/pcapng/block.rb

@@ -0,0 +1,32 @@
+module PacketGen
+  module PcapNG
+
+    # Mixin module to declare some common methods for block classes.
+    module Block
+
+      # Has this block option?
+      # @return [Boolean]
+      def has_options?
+        self[:options].size > 0
+      end
+
+      # Calculate block length and update :block_len and block_len2 fields
+      # @return [void]
+      def recalc_block_len
+        len = to_a.map(&:to_s).join.size
+        self[:block_len].value = self[:block_len2].value = len
+      end
+
+      # Pad given field to 32 bit boundary, if needed
+      # @param [Array<Symbol>] fields block fields to pad
+      # @return [void]
+      def pad_field(*fields)
+        fields.each do |field|
+          unless self[field].size % 4 == 0
+            self[field] << "\x00" * (4 - (self[field].size % 4))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/packetgen/pcapng/epb.rb

@@ -0,0 +1,131 @@
+module PacketGen
+  module PcapNG
+
+    # {EPB} represents a Enhanced Packet Block (EPB) of a pcapng file.
+    #
+    # == EPB Definition
+    #   Int32   :type           Default: 0x00000006
+    #   Int32   :block_len
+    #   Int32   :interface_id
+    #   Int32   :tsh (timestamp high)
+    #   Int32   :tsl (timestamp low)
+    #   Int32   :cap_len
+    #   Int32   :orig_len
+    #   String  :data
+    #   String  :options
+    #   Int32   :block_len2
+    class EPB < Struct.new(:type, :block_len, :interface_id, :tsh, :tsl,
+                           :cap_len, :orig_len, :data, :options, :block_len2)
+      include StructFu
+      include Block
+
+      # @return [:little, :big]
+      attr_accessor :endian
+      # @return [IPB]
+      attr_accessor :interface
+
+      # Minimum EPB size
+      MIN_SIZE     = 8*4
+
+      # @param [Hash] options
+      # @option options [:little, :big] :endian set block endianness
+      # @option options [Integer] :type
+      # @option options [Integer] :block_len block total length
+      # @option options [Integer] :interface_id specifies the interface this packet
+      #   comes from
+      # @option options [Integer] :tsh timestamp (high nibbles)
+      # @option options [Integer] :tsl timestamp (low nibbles)
+      # @option options [Integer] :cap_len number of octets captured from the packet
+      # @option options [Integer] :orig_len actual length of the packet when it was
+      #   transmitted on the network
+      # @option options [::String] :data
+      # @option options [::String] :options
+      # @option options [Integer] :block_len2 block total length
+      def initialize(options={})
+        @endian = set_endianness(options[:endian] || :little)
+        init_fields(options)
+        super(options[:type], options[:block_len], options[:interface_id], options[:tsh],
+              options[:tsl], options[:cap_len], options[:orig_len], options[:data],
+              options[:options], options[:block_len2])
+      end
+
+      # Used by {#initialize} to set the initial fields
+      # @param [Hash] options
+      # @see #initialize possible options
+      # @return [Hash] return +options+
+      def init_fields(options={})
+        options[:type]  = @int32.new(options[:type] || PcapNG::EPB_TYPE.to_i)
+        options[:block_len] = @int32.new(options[:block_len] || MIN_SIZE)
+        options[:interface_id] = @int32.new(options[:interface_id] || 0)
+        options[:tsh] = @int32.new(options[:tsh] || 0)
+        options[:tsl] = @int32.new(options[:tsl] || 0)
+        options[:cap_len] = @int32.new(options[:cap_len] || 0)
+        options[:orig_len] = @int32.new(options[:orig_len] || 0)
+        options[:data] = StructFu::String.new(options[:data] || '')
+        options[:options] = StructFu::String.new(options[:options] || '')
+        options[:block_len2] = @int32.new(options[:block_len2] || MIN_SIZE)
+        options
+      end
+
+      # Reads a String or a IO to populate the object
+      # @param [::String,IO] str_or_io
+      # @return [self]
+      def read(str_or_io)
+        if str_or_io.respond_to? :read
+          io = str_or_io
+        else
+          io = StringIO.new(force_binary(str_or_io.to_s))
+        end
+        return self if io.eof?
+
+        self[:type].read io.read(4)
+        self[:block_len].read io.read(4)
+        self[:interface_id].read io.read(4)
+        self[:tsh].read io.read(4)
+        self[:tsl].read io.read(4)
+        self[:cap_len].read io.read(4)
+        self[:orig_len].read io.read(4)
+        self[:data].read io.read(self[:cap_len].to_i)
+        data_pad_len = (4 - (self[:cap_len].to_i % 4)) % 4
+        io.read data_pad_len
+        options_len = self[:block_len].to_i - self[:cap_len].to_i - data_pad_len
+        options_len -= MIN_SIZE
+        self[:options].read io.read(options_len)
+        self[:block_len2].read io.read(4)
+
+        unless self[:block_len].to_i == self[:block_len2].to_i
+          raise InvalidFileError, 'Incoherency in Extended Packet Block'
+        end
+      
+        self
+      end
+
+      # Return timestamp as a Time object
+      # @return [Time]
+      def timestamp
+        Time.at((self[:tsh].to_i << 32 | self[:tsl].to_i) * ts_resol)
+      end
+
+      # Return the object as a String
+      # @return [String]
+      def to_s
+        pad_field :data, :options
+        recalc_block_len
+        to_a.map(&:to_s).join
+      end
+
+
+      private
+
+      def ts_resol
+        if @interface.nil?
+          1E-6
+        else
+          @interface.ts_resol
+        end
+      end
+
+    end
+
+  end
+end

data/lib/packetgen/pcapng/file.rb

@@ -0,0 +1,345 @@
+module PacketGen
+  module PcapNG
+
+    # PcapNG::File is a complete Pcap-NG file handler.
+    class File
+      # Get file sections
+      # @return [Array]
+      attr_accessor :sections
+
+      def initialize
+        @sections = []
+      end
+
+      # Read a string to populate the object. Note that this appends new blocks to
+      # the Pcapng::File object.
+      # @param [String] str
+      # @return [self]
+      def read(str)
+        PacketGen.force_binary(str)
+        io = StringIO.new(str)
+        parse_section(io)
+        self
+      end
+
+      # Clear the contents of the Pcapng::File prior to reading in a new string.
+      # This string should contain a Section Header Block and an Interface Description
+      # Block to create a conform pcapng file.
+      # @param [String] str
+      # @return [self]
+      def read!(str)
+        clear
+        read(str)
+      end
+
+      # Read a given file and analyze it.
+      # If given a block, it will yield PcapNG::EPB or PcapNG::SPB objects.
+      # This is the only way to get packet timestamps.
+      # @param [String] fname pcapng file name
+      # @yieldparam [EPB,SPB] block
+      # @return [Integer] return number of yielded blocks (only if a block is given)
+      # @raise [ArgumentError] cannot read +fname+
+      def readfile(fname, &blk)
+        unless ::File.readable?(fname)
+          raise ArgumentError, "cannot read file #{fname}"
+        end
+
+        ::File.open(fname, 'rb') do |f|
+          while !f.eof? do
+            parse_section(f)
+          end
+        end
+
+        if blk
+          count = 0
+          @sections.each do |section|
+            section.interfaces.each do |intf|
+              intf.packets.each { |pkt| count += 1; yield pkt }
+            end
+          end
+          count
+        end
+      end
+
+      # Give an array of parsed packets (raw data from packets).
+      # If a block is given, yield raw packet data from the given file.
+      # @overload read_packet_bytes(fname)
+      #  @param [String] fname pcapng file name
+      #  @return [Array] array of packet raw data
+      # @overload read_packet_bytes(fname)
+      #  @param [String] fname pcapng file name
+      #  @yieldparam [String] raw packet raw data
+      #  @return [Integer] number of packets
+      # @raise [ArgumentError] cannot read +fname+
+      def read_packet_bytes(fname, &blk)
+        count = 0
+        packets = [] unless blk
+
+        readfile(fname) do |packet|
+          if blk
+            count += 1
+            yield packet.data.to_s
+          else
+            packets << packet.data.to_s
+          end
+        end
+
+        blk ? count : packets
+      end
+
+      # Return an array of parsed packets.
+      # If a block is given, yield parsed packets from the given file.
+      # @overload read_packets(fname)
+      #  @param [String] fname pcapng file name
+      #  @return [Array<Packet>]
+      # @overload read_packets(fname)
+      #  @param [String] fname pcapng file name
+      #  @yieldparam [Packet] packet
+      #  @return [Integer] number of packets
+      # @raise [ArgumentError] cannot read +fname+
+      def read_packets(fname, &blk)
+        count = 0
+        packets = [] unless blk
+
+        read_packet_bytes(fname) do |packet|
+          if blk
+            count += 1
+            yield Packet.parse(packet)
+          else
+            packets << Packet.parse(packet)
+          end
+        end
+
+        blk ? count : packets
+      end
+
+      # Return the object as a String
+      # @return [String]
+      def to_s
+        @sections.map { |section| section.to_s }.join
+      end
+
+      # Clear the contents of the Pcapng::File.
+      # @return [void]
+      def clear
+        @sections.clear
+      end
+
+      # Translates a {File} into an array of packets.
+      # Note that this strips out timestamps -- if you'd like to retain
+      # timestamps and other pcapng file information, you will want to
+      # use {#read} instead.
+      # @param [Hash] options
+      # @option options [String] :filename if given, object is cleared and filename
+      #   is analyzed before generating array. Else, array is generated from +self+
+      # @option options [String] :file same as +:filename+
+      # @option options [Boolean] :keep_timestamps if +true+ (default value: +false+),
+      #   generates an array of hashes, each one with timestamp as key and packet
+      #   as value. There is one hash per packet.
+      # @option options [Boolean] :keep_ts same as +:keep_timestamp+
+      # @return [Array<Packet>,Array<Hash>]
+      def file_to_array(options={})
+        filename = options[:filename] || options[:file]
+        if filename
+          clear
+          readfile filename
+        end
+
+        ary = []
+        @sections.each do |section|
+          section.interfaces.each do |itf|
+            if options[:keep_timestamps] || options[:keep_ts]
+              ary.concat itf.packets.map { |pkt| { pkt.timestamp => pkt.data.to_s } }
+            else
+              ary.concat itf.packets.map { |pkt| pkt.data.to_s}
+            end
+          end
+        end
+        ary
+      end
+
+      # Writes the {File} to a file.
+      # @param [Hash] options
+      # @option options [Boolean] :append (default: +false+) if set to +true+,
+      #   the packets are appended to the file, rather than overwriting it
+      # @return [Array] array of 2 elements: filename and size written
+      def to_file(filename, options={})
+        mode = ''
+        if options[:append] and ::File.exists? filename
+          mode = 'ab'
+        else
+          mode = 'wb'
+        end
+        ::File.open(filename, mode) {|f| f.write(self.to_s)}
+        [filename, self.to_s.size]
+      end
+      alias_method :to_f, :to_file
+
+      # Shorthand method for writing to a file.
+      # @param [#to_s] filename
+      # @return [Array] see return value from {#to_file}
+      def write(filename='out.pcapng')
+        self.to_file(filename.to_s, :append => false)
+      end
+
+      # Shorthand method for appending to a file.
+      # @param [#to_s] filename
+      # @return [Array] see return value from {#to_file}
+      def append(filename='out.pcapng')
+        self.to_file(filename.to_s, :append => true)
+      end
+
+      # @overload array_to_file(ary)
+      #  Update {File} object with packets.
+      #  @param [Array] ary as generated by {#file_to_array} or Array of Packet objects.
+      #                 Update {File} object without writing file on disk
+      #  @return [self]
+      # @overload array_to_file(options={})
+      #  Update {File} and/or write it to a file
+      #  @param [Hash] options
+      #  @option options [String] :filename file written on disk only if given
+      #  @option options [Array] :array can either be an array of packet data,
+      #                                 or a hash-value pair of timestamp => data.
+      #  @option options [Time] :timestamp set an initial timestamp
+      #  @option options [Integer] :ts_inc set the increment between timestamps.
+      #                                    Defaults to 1
+      #  @option options [Boolean] :append if +true+, append packets to the end of
+      #                                    the file
+      #  @return [Array] see return value from {#to_file}
+      def array_to_file(options={})
+        case options
+        when Hash
+          filename = options[:filename] || options[:file]
+          ary = options[:array] || options[:arr]
+          unless ary.kind_of? Array
+            raise ArgumentError, ':array parameter needs to be an array'
+          end
+          ts = options[:timestamp] || options[:ts] || Time.now
+          ts_inc = options[:ts_inc] || 1
+          append = !!options[:append]
+        when Array
+          ary = options
+          ts = Time.now
+          ts_inc = 1
+          filename = nil
+          append = false
+        else
+          raise ArgumentError, 'unknown argument. Need either a Hash or Array'
+        end
+
+        section = SHB.new
+        @sections << section
+        itf = IDB.new(:endian => section.endian)
+        classify_block section, itf
+
+        ary.each_with_index do |pkt, i|
+          case pkt
+          when Hash
+            this_ts = pkt.keys.first.to_i
+            this_cap_len = pkt.values.first.to_s.size
+            this_data = pkt.values.first.to_s
+          else
+            this_ts = (ts + ts_inc * i).to_i
+            this_cap_len = pkt.to_s.size
+            this_data = pkt.to_s
+          end
+          this_ts = (this_ts / itf.ts_resol).to_i
+          this_tsh = this_ts >> 32
+          this_tsl = this_ts & 0xffffffff
+          this_pkt = EPB.new(:endian       => section.endian,
+                             :interface_id => 0,
+                             :tsh          => this_tsh,
+                             :tsl          => this_tsl,
+                             :cap_len      => this_cap_len,
+                             :orig_len     => this_cap_len,
+                             :data         => this_data)
+          classify_block section, this_pkt
+        end
+
+        if filename
+          self.to_f(filename, :append => append)
+        else
+          self
+        end
+      end
+
+
+      private
+
+      # Parse a section. A section is made of at least a SHB. It than may contain
+      # others blocks, such as  IDB, SPB or EPB.
+      # @param [IO] io
+      # @return [void]
+      def parse_section(io)
+        shb = SHB.new
+        type = StructFu::Int32.new(0, shb.endian).read(io.read(4))
+        io.seek(-4, IO::SEEK_CUR)
+        shb = parse(type, io, shb)
+        raise InvalidFileError, 'no Section header found' unless shb.is_a?(SHB)
+
+        if shb.section_len.to_i != 0xffffffffffffffff
+          # Section length is defined
+          section = StringIO.new(io.read(shb.section_len.to_i))
+          while !section.eof? do
+            shb = @sections.last
+            type = StructFu::Int32.new(0, shb.endian).read(section.read(4))
+            section.seek(-4, IO::SEEK_CUR)
+            block = parse(type, section, shb)
+          end
+        else
+          # section length is undefined
+          while !io.eof?
+            shb = @sections.last
+            type = StructFu::Int32.new(0, shb.endian).read(io.read(4))
+            io.seek(-4, IO::SEEK_CUR)
+            block = parse(type, io, shb)
+          end
+        end
+      end
+
+      # Parse a block from its type
+      # @param [StructFu::Int32] type
+      # @param [IO] io stream from which parse block
+      # @param [SHB] shb header of current section
+      # @return [void]
+      def parse(type, io, shb)
+        types = PcapNG.constants(false).select { |c| c.to_s =~ /_TYPE/ }.
+          map { |c| [PcapNG.const_get(c).to_i, c] }
+        types = Hash[types]
+
+        if types.has_key?(type.to_i)
+          klass = PcapNG.const_get(types[type.to_i].to_s.gsub(/_TYPE/, '').to_sym)
+          block = klass.new(endian: shb.endian)
+        else
+          block = UnknownBlock.new(endian: shb.endian)
+        end
+
+        classify_block shb, block
+        block.read(io)
+      end
+
+      # Classify block from its type
+      # @param [SHB] shb header of current section
+      # @param [Block] block block to classify
+      # @return [void]
+      def classify_block(shb, block)
+        case block
+        when SHB
+          @sections << block
+        when IDB
+          shb << block
+          block.section = shb
+        when EPB
+          shb.interfaces[block.interface_id.to_i] << block
+          block.interface = shb.interfaces[block.interface_id.to_i]
+        when SPB
+          shb.interfaces[0] << block
+          block.interface = shb.interfaces[0]
+        else
+          shb.unknown_blocks << block
+          block.section = shb
+        end
+      end
+    end
+  end
+end