RubyGems - pcap_tools - Versions diffs - 0.0.4 → 0.0.5 - Mend

pcap_tools 0.0.4 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/bin/pcap_tools CHANGED Viewed

@@ -20,7 +20,7 @@ OptionParser.new do |opts|
 end.parse!
-data = ARGV.map{|f| puts "Loading #{f}"; PacketFu::PcapFile.file_to_array(f)}
+data = ARGV.map{|f| puts "Loading #{f}"; PcapTools::Parser::load_file(f)}
 tcps = PcapTools::extract_tcp_streams(data)
@@ -28,24 +28,32 @@ puts "Tcp streams extracted : #{tcps.size}"
 puts "Parsing mode : #{options[:mode]}"
 puts
+def format_time t
+  "#{t} #{t.nsec / 1000}"
+end
 if options[:mode] == :http
   tcps.each do |tcp|
     PcapTools::extract_http_calls(tcp).each do |req, resp|
-      puts ">>>> #{req["pcap-src"]}:#{req["pcap-src-port"]} > #{req["pcap-dst"]}:#{req["pcap-dst-port"]}"
+      puts ">>>> #{req["pcap-src"]}:#{req["pcap-src-port"]} > #{req["pcap-dst"]}:#{req["pcap-dst-port"]} #{format_time req.time}"
       puts "#{req.method} #{req.path}"
       req.each_capitalized_name.reject{|x| x =~ /^Pcap/ }.each do |x|
         puts "#{x}: #{req[x]}"
       end
       puts
       puts req.body unless options[:no_body]
-      puts "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< #{resp.time}"
-      puts "#{resp.code} #{resp.message}"
-      resp.each_capitalized_name.reject{|x| x =~ /^Pcap/ }.each do |x|
-        puts "#{x}: #{resp[x]}"
+      puts "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< #{format_time resp.time}"
+      if resp
+        puts "#{resp.code} #{resp.message}"
+        resp.each_capitalized_name.reject{|x| x =~ /^Pcap/ }.each do |x|
+          puts "#{x}: #{resp[x]}"
+        end
+        puts
+        puts resp.body unless options[:no_body]
+      else
+        puts "No response in pcap file"
       end
       puts
-      puts resp.body unless options[:no_body]
-      puts
     end
   end
 end
@@ -54,7 +62,7 @@ if options[:mode] == :tcp
   tcps.each do |tcp|
     tcp.each do |packet|
       type = packet[:type] == :out ? ">>>>" : "<<<<<"
-      puts "#{type} #{packet[:from]}:#{packet[:from_port]} > #{packet[:to]}:#{packet[:to_port]}, size #{packet[:data].size}"
+      puts "#{type} #{packet[:from]}:#{packet[:from_port]} > #{packet[:to]}:#{packet[:to_port]}, size #{packet[:data].size}  #{format_time packet[:time]}"
       puts packet[:data]
       puts
     end

data/lib/pcap_parser.rb ADDED Viewed

@@ -0,0 +1,218 @@
+require 'bindata'
+module PcapTools
+  module Parser
+    module HasParent
+      attr_accessor :parent
+    end
+    class PcapFile < BinData::Record
+      endian :little
+      struct :header do
+        uint32 :magic
+        uint16 :major
+        uint16 :minor
+        int32 :this_zone
+        uint32 :sig_figs
+        uint32 :snaplen
+        uint32 :linktype
+      end
+      array :packets, :read_until => :eof do
+        uint32 :ts_sec
+        uint32 :ts_usec
+        uint32 :incl_len
+        uint32 :orig_len
+        string :data, :length => :incl_len
+      end
+    end
+    # Present IP addresses in a human readable way
+    class IPAddr < BinData::Primitive
+      array :octets, :type => :uint8, :initial_length => 4
+      def set(val)
+        ints = val.split(/\./).collect { |int| int.to_i }
+        self.octets = ints
+      end
+      def get
+        self.octets.collect { |octet| "%d" % octet }.join(".")
+      end
+    end
+    # TCP Protocol Data Unit
+    class TCP_PDU < BinData::Record
+      mandatory_parameter :packet_length
+      endian :big
+      uint16 :src_port
+      uint16 :dst_port
+      uint32 :seq
+      uint32 :ack_seq
+      bit4 :doff
+      bit4 :res1
+      bit2 :res2
+      bit1 :urg
+      bit1 :ack
+      bit1 :psh
+      bit1 :rst
+      bit1 :syn
+      bit1 :fin
+      uint16 :window
+      uint16 :checksum
+      uint16 :urg_ptr
+      string :options, :read_length => :options_length_in_bytes
+      string :payload, :read_length => lambda { packet_length - payload.rel_offset }
+      def options_length_in_bytes
+        (doff - 5 ) * 4
+      end
+      def type
+        "TCP"
+      end
+      include HasParent
+    end
+    # UDP Protocol Data Unit
+    class UDP_PDU < BinData::Record
+      mandatory_parameter :packet_length
+      endian :big
+      uint16 :src_port
+      uint16 :dst_port
+      uint16 :len
+      uint16 :checksum
+      string :payload, :read_length => lambda { packet_length - payload.rel_offset }
+      def type
+        "UDP"
+      end
+      include HasParent
+    end
+    # IP Protocol Data Unit
+    class IP_PDU < BinData::Record
+      endian :big
+      bit4 :version, :asserted_value => 4
+      bit4 :header_length
+      uint8 :tos
+      uint16 :total_length
+      uint16 :ident
+      bit3 :flags
+      bit13 :frag_offset
+      uint8 :ttl
+      uint8 :protocol
+      uint16 :checksum
+      ip_addr :src_addr
+      ip_addr :dst_addr
+      string :options, :read_length => :options_length_in_bytes
+      choice :payload, :selection => :protocol do
+        tcp_pdu 6, :packet_length => :payload_length_in_bytes
+        udp_pdu 17, :packet_length => :payload_length_in_bytes
+        string :default, :read_length => :payload_length_in_bytes
+      end
+      def header_length_in_bytes
+        header_length * 4
+      end
+      def options_length_in_bytes
+        header_length_in_bytes - options.rel_offset
+      end
+      def payload_length_in_bytes
+        total_length - header_length_in_bytes
+      end
+      def type
+        "IP"
+      end
+      include HasParent
+    end
+    class MacAddr < BinData::Primitive
+      array :octets, :type => :uint8, :initial_length => 6
+      def set(val)
+        ints = val.split(/\./).collect { |int| int.to_i }
+        self.octets = ints
+      end
+      def get
+        self.octets.collect { |octet| "%02x" % octet }.join(":")
+      end
+    end
+    IPV4 = 0x0800
+    class Ethernet < BinData::Record
+      endian :big
+      mac_addr :dst
+      mac_addr :src
+      uint16 :protocol
+      choice :payload, :selection => :protocol do
+        ip_pdu IPV4
+        rest :default
+      end
+      include HasParent
+    end
+    class LinuxCookedCapture < BinData::Record
+      endian :big
+      uint16 :type
+      uint16 :address_type
+      uint16 :address_len
+      array :octets, :type => :uint8, :initial_length => 8
+      uint16 :protocol
+      choice  :payload, :selection => :protocol do
+        ip_pdu IPV4
+        rest :default
+      end
+      include HasParent
+    end
+    def load_file f
+      packets = []
+      File.open(f, 'rb') do |io|
+        content = PcapFile.read(io)
+        raise 'Wrong endianess' unless content.header.magic.to_i.to_s(16) == "a1b2c3d4"
+        content.packets.each do |original_packet|
+          packet = case content.header.linktype
+          when 113 then LinuxCookedCapture.read(original_packet.data)
+          when 1 then Ethernet.read(original_packet.data)
+          else raise "Unknown network #{content.header.linktype}"
+          end
+          packet.parent = original_packet
+          while packet.respond_to?(:payload) && packet.payload.is_a?(BinData::Choice)
+            packet.payload.parent = packet
+            packet = packet.payload
+          end
+          packets << packet
+        end
+      end
+      packets
+    end
+    module_function :load_file
+  end
+end

data/lib/pcap_tools.rb CHANGED Viewed

@@ -1,8 +1,9 @@
 require 'rubygems'
-require 'packetfu'
 require 'net/http'
 require 'zlib'
+require File.join(File.dirname(__FILE__), 'pcap_parser')
 module Net
   class HTTPRequest
@@ -28,7 +29,8 @@ module PcapTools
     def insert_tcp sym, packet
       data = packet.payload
       return if data.size == 0
-      self << {:type => sym, :data => data, :from => packet.ip_saddr, :to => packet.ip_daddr, :from_port => packet.tcp_src, :to_port => packet.tcp_dst}
+      timestamp = Time.at(packet.parent.parent.parent.ts_sec, packet.parent.parent.parent.ts_usec)
+      self << {:type => sym, :data => data, :from => packet.parent.src_addr, :to => packet.parent.dst_addr, :from_port => packet.src_port, :to_port => packet.dst_port, :time => timestamp}
     end
     def rebuild_packets
@@ -66,25 +68,25 @@ module PcapTools
     packets = []
     captures.each do |capture|
       capture.each do |packet|
-        packets << PacketFu::Packet.parse(packet)
+        packets << packet
       end
     end
     streams = []
     packets.each_with_index do |packet, k|
-      if packet.is_a?(PacketFu::TCPPacket) && packet.tcp_flags.syn == 1 && packet.tcp_flags.ack == 0
+      if packet.respond_to?(:type) && packet.type == "TCP" && packet.syn == 1 && packet.ack == 0
         kk = k
         tcp = TcpStream.new
         while kk < packets.size
           packet2 = packets[kk]
-          if packet2.is_a?(PacketFu::TCPPacket)
-            if packet.tcp_dst == packet2.tcp_dst && packet.tcp_src == packet2.tcp_src
+          if packet2.respond_to?(:type) && packet.type == "TCP"
+            if packet.dst_port == packet2.dst_port && packet.src_port == packet2.src_port
               tcp.insert_tcp :out, packet2
-              break if packet.tcp_flags.fin == 1 || packet2.tcp_flags.fin == 1
+              break if packet.fin == 1 || packet2.fin == 1
             end
-            if packet.tcp_dst == packet2.tcp_src && packet.tcp_src == packet2.tcp_dst
+            if packet.dst_port == packet2.src_port && packet.src_port == packet2.dst_port
               tcp.insert_tcp :in, packet2
-              break if packet.tcp_flags.fin == 1 || packet2.tcp_flags.fin == 1
+              break if packet.fin == 1 || packet2.fin == 1
             end
           end
           kk += 1

data/pcap_tools.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@ require 'rake'
 Gem::Specification.new do |s|
   s.name        = 'pcap_tools'
-  s.version     = '0.0.4'
+  s.version     = '0.0.5'
   s.authors     = ['Bertrand Paquet']
   s.email       = 'bertrand.paquet@gmail.com'
   s.summary     = 'Tools for extracting data from pcap files'
@@ -11,5 +11,5 @@ Gem::Specification.new do |s|
   s.files       = `git ls-files`.split($/)
   s.license     = 'BSD'
-  s.add_runtime_dependency('packetfu', '>= 1.1.9')
+  s.add_runtime_dependency('bindata', '>= 1.6.0')
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pcap_tools
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
   prerelease:
 platform: ruby
 authors:
@@ -9,16 +9,16 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-09-26 00:00:00.000000000 Z
+date: 2013-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: packetfu
+  name: bindata
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.1.9
+        version: 1.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -26,7 +26,7 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.1.9
+        version: 1.6.0
 description:
 email: bertrand.paquet@gmail.com
 executables:
@@ -36,6 +36,7 @@ extra_rdoc_files: []
 files:
 - README.markdown
 - bin/pcap_tools
+- lib/pcap_parser.rb
 - lib/pcap_tools.rb
 - pcap_tools.gemspec
 homepage: https://github.com/bpaquet/pcap_tools
@@ -64,3 +65,4 @@ signing_key:
 specification_version: 3
 summary: Tools for extracting data from pcap files
 test_files: []
+has_rdoc: