pcap_tools 0.0.8 → 0.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.markdown +6 -0
- data/bin/pcap_tools +10 -2
- data/lib/pcap_tools/loader.rb +34 -20
- data/lib/pcap_tools/packet_processors/tcp.rb +5 -0
- data/pcap_tools.gemspec +1 -1
- metadata +2 -2
data/README.markdown
CHANGED
|
@@ -127,3 +127,9 @@ The request and response object have some new attributes
|
|
|
127
127
|
For the response object body, the following "Content-Encoding" type are honored :
|
|
128
128
|
|
|
129
129
|
* gzip
|
|
130
|
+
|
|
131
|
+
# FAQ
|
|
132
|
+
|
|
133
|
+
* `pcap_tools` found nothing in my pcap_files. Try to remove the wiresark profile, and re launch: `rm -rf $HOME/.wireshark/profiles/pcap_tools`.
|
|
134
|
+
|
|
135
|
+
|
data/bin/pcap_tools
CHANGED
|
@@ -15,7 +15,7 @@ OptionParser.new do |opts|
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
opts.on("--tshark_path", "Path to tshark executable") do |x|
|
|
18
|
-
OPTIONS[:
|
|
18
|
+
OPTIONS[:tshark] = x
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
opts.on("--one-tcp-stream [index]", Integer, "Display only one tcp stream") do |x|
|
|
@@ -26,6 +26,14 @@ OptionParser.new do |opts|
|
|
|
26
26
|
OPTIONS[:mode] = m
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
+
opts.on("--pdml", "Use pdml file as input instead of pcap") do |x|
|
|
30
|
+
OPTIONS[:pdml] = true
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
opts.on("--keep_retransmission", "Do not ignore retransmitted packets") do |x|
|
|
34
|
+
OPTIONS[:keep_retransmission] = true
|
|
35
|
+
end
|
|
36
|
+
|
|
29
37
|
end.parse!
|
|
30
38
|
|
|
31
39
|
def format_time t
|
|
@@ -135,7 +143,7 @@ else
|
|
|
135
143
|
end
|
|
136
144
|
|
|
137
145
|
ARGV.each do |f|
|
|
138
|
-
PcapTools::Loader::load_file(f,
|
|
146
|
+
PcapTools::Loader::load_file(f, OPTIONS) do |index, packet|
|
|
139
147
|
processor.inject index, packet
|
|
140
148
|
end
|
|
141
149
|
end
|
data/lib/pcap_tools/loader.rb
CHANGED
|
@@ -8,13 +8,14 @@ module PcapTools
|
|
|
8
8
|
|
|
9
9
|
class MyParser < ::Ox::Sax
|
|
10
10
|
|
|
11
|
-
def initialize block
|
|
11
|
+
def initialize opts, block
|
|
12
12
|
@current_packet_index = 0
|
|
13
13
|
@current_packet = nil
|
|
14
14
|
@current_processing = nil
|
|
15
15
|
@current_proto_name = nil
|
|
16
16
|
@current_field_name = nil
|
|
17
17
|
@block = block
|
|
18
|
+
@opts = opts
|
|
18
19
|
end
|
|
19
20
|
|
|
20
21
|
def attr name, value
|
|
@@ -47,6 +48,10 @@ module PcapTools
|
|
|
47
48
|
@current_packet[:tcp_flags][:ack] = value == "1"
|
|
48
49
|
elsif @current_proto_name == "tcp" && @current_field_name == "tcp.flags.syn"
|
|
49
50
|
@current_packet[:tcp_flags][:syn] = value == "1"
|
|
51
|
+
elsif @current_proto_name == "tcp" && @current_field_name == "tcp.analysis.retransmission"
|
|
52
|
+
@current_packet[:tcp_retransmission] = true
|
|
53
|
+
elsif @current_proto_name == "tcp" && @current_field_name == "tcp.analysis.lost_segment"
|
|
54
|
+
@current_packet[:tcp_lost_segment] = true
|
|
50
55
|
end
|
|
51
56
|
elsif name == :value
|
|
52
57
|
if @current_proto_name == "fake-field-wrapper" && @current_field_name == "data"
|
|
@@ -83,6 +88,9 @@ module PcapTools
|
|
|
83
88
|
$stderr.puts "Malformed packet #{@current_packet_index}"
|
|
84
89
|
return
|
|
85
90
|
end
|
|
91
|
+
if @current_packet[:tcp_retransmission] && !@opts[:keep_retransmission]
|
|
92
|
+
return
|
|
93
|
+
end
|
|
86
94
|
raise "No data found in packet #{@current_packet_index}, protocols found #{@current_packet[:protos]}" if @current_packet[:data].nil? && @current_packet[:size] > 0
|
|
87
95
|
@current_packet.delete :protos
|
|
88
96
|
@block.call @current_packet_index, @current_packet
|
|
@@ -93,27 +101,33 @@ module PcapTools
|
|
|
93
101
|
end
|
|
94
102
|
|
|
95
103
|
def self.load_file f, options = {}, &block
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
FileUtils.mkdir_p profile_dir
|
|
108
|
-
File.open("#{profile_dir}/disabled_protos", "w") { |io| io.write(list.join("\n") + "\n") }
|
|
104
|
+
if options[:pdml]
|
|
105
|
+
f = File.open(f, 'rb')
|
|
106
|
+
Ox.sax_parse(MyParser.new(options, block), f)
|
|
107
|
+
f.close
|
|
108
|
+
else
|
|
109
|
+
tshark_executable = options[:tshark] || "tshark"
|
|
110
|
+
accepted_protocols = ["geninfo", "tcp", "ip", "eth", "sll", "frame", "null", "ethertype"]
|
|
111
|
+
accepted_protocols += options[:accepted_protocols] if options[:accepted_protocols]
|
|
112
|
+
profile_name = "pcap_tools"
|
|
113
|
+
profile_dir = "#{ENV['HOME']}/.wireshark/profiles/#{profile_name}"
|
|
114
|
+
status = POpen4::popen4("#{tshark_executable} -v") do |stdout, stderr, stdin, pid|
|
|
109
115
|
end
|
|
110
|
-
raise "#{tshark_executable}
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
116
|
+
raise "#{tshark_executable} not found" unless status
|
|
117
|
+
unless File.exist? "#{profile_dir}/disabled_protos"
|
|
118
|
+
status = POpen4::popen4("#{tshark_executable} -G protocols") do |stdout, stderr, stdin, pid|
|
|
119
|
+
list = stdout.read.split("\n").map { |x| x.split(" ").last }.reject { |x| accepted_protocols.include? x }
|
|
120
|
+
FileUtils.mkdir_p profile_dir
|
|
121
|
+
File.open("#{profile_dir}/disabled_protos", "w") { |io| io.write(list.join("\n") + "\n") }
|
|
122
|
+
end
|
|
123
|
+
raise "#{tshark_executable} execution error when listing protocols" unless status.exitstatus == 0
|
|
124
|
+
end
|
|
125
|
+
status = POpen4::popen4("#{tshark_executable} -n -C #{profile_name} -T pdml -r #{f}") do |stdout, stderr, stdin, pid|
|
|
126
|
+
Ox.sax_parse(MyParser.new(options, block), stdout)
|
|
127
|
+
$stderr.puts stderr.read
|
|
128
|
+
end
|
|
129
|
+
raise "#{tshark_executable} execution error with file #{f}" unless status.exitstatus == 0
|
|
115
130
|
end
|
|
116
|
-
raise "#{tshark_executable} execution error with file #{f}" unless status.exitstatus == 0
|
|
117
131
|
end
|
|
118
132
|
|
|
119
133
|
end
|
|
@@ -20,6 +20,7 @@ module PcapTools
|
|
|
20
20
|
@streams[stream_index] = {
|
|
21
21
|
:first => packet,
|
|
22
22
|
:data => [],
|
|
23
|
+
:tcp_lost_segment => false,
|
|
23
24
|
}
|
|
24
25
|
elsif packet[:tcp_flags][:fin] || packet[:tcp_flags][:rst]
|
|
25
26
|
if @streams[stream_index]
|
|
@@ -35,6 +36,10 @@ module PcapTools
|
|
|
35
36
|
packet[:type] = (packet[:from] == @streams[stream_index][:first][:from] && packet[:from_port] == @streams[stream_index][:first][:from_port]) ? :out : :in
|
|
36
37
|
packet.delete :tcp_flags
|
|
37
38
|
@streams[stream_index][:data] << packet if packet[:size] > 0
|
|
39
|
+
if packet[:tcp_lost_segment]
|
|
40
|
+
@streams.delete stream_index
|
|
41
|
+
$stderr.puts "Ignoring tcp stream #{stream_index}, tcp segments are missing"
|
|
42
|
+
end
|
|
38
43
|
end
|
|
39
44
|
end
|
|
40
45
|
end
|
data/pcap_tools.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pcap_tools
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.9
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2014-11-
|
|
12
|
+
date: 2014-11-15 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: popen4
|