pstream 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 49d303c1bea9a3531778ce20c6fb023bf20109b4
+  data.tar.gz: ec4f4c2aa67ccd3266cadda652cbef2b938634b4
+SHA512:
+  metadata.gz: 952f3f520e597628ae22b6890c002357d2dd84d3e17ff1ed44c193d19db7f37e3dcedeabc8f95042cc28562c293a1b29b7cca6ed33f9b3a6666a4eb6b99ef84f
+  data.tar.gz: a30dee7152071b7da0b1428c384b17ad6ba917fc22ce7e25cc62863101303880fa9c69d5048c0105844553125392f0cc2f885c29aa4682660d4d825cb2662107

data/bin/pstream

@@ -0,0 +1,98 @@
+#!/usr/bin/env ruby
+
+require "optparse"
+require "pstream"
+require "string"
+
+class PStreamExit
+    GOOD = 0
+    INVALID_OPTION = 1
+    INVALID_ARGUMENT = 2
+    MISSING_ARGUMENT = 3
+    EXTRA_ARGUMENTS = 4
+    EXCEPTION = 5
+end
+
+def parse(args)
+    options = Hash.new
+    options["ciphers"] = false
+    options["prot"] = "tcp"
+    options["stream"] = nil
+
+    info = "Analyze pcap files. Can view tcp/udp streams or " \
+        "ciphersuites in use."
+
+    parser = OptionParser.new do |opts|
+        opts.banner = "Usage: #{File.basename($0)} [OPTIONS] <pcap>"
+
+        opts.on(
+            "-c",
+            "--ciphersuites",
+            "Show ciphersuite negotiation from ssl handshakes"
+        ) do
+            options["ciphers"] = true
+        end
+
+        opts.on("-h", "--help", "Display this help message") do
+            puts opts
+            exit PStreamExit::GOOD
+        end
+
+        opts.on("-s", "--stream=NUM", "Show specified stream") do |s|
+            options["stream"] = s.to_i
+        end
+
+        opts.on("-u", "--udp", "Use UDP") do
+            options["prot"] = "udp"
+        end
+
+        opts.on("", info.word_wrap(80))
+    end
+
+    begin
+        parser.parse!
+    rescue OptionParser::InvalidOption => e
+        puts e.message
+        puts parser
+        exit PStreamExit::INVALID_OPTION
+    rescue OptionParser::InvalidArgument => e
+        puts e.message
+        puts parser
+        exit PStreamExit::INVALID_ARGUMENT
+    rescue OptionParser::MissingArgument => e
+        puts e.message
+        puts parser
+        exit PStreamExit::MISSING_ARGUMENT
+    end
+
+    if (args.length != 1)
+        puts parser
+        exit PStreamExit::EXTRA_ARGUMENTS
+    end
+
+    options["pcap"] = args[0]
+    return options
+end
+
+options = parse(ARGV)
+
+begin
+    pstream = PStream.new(options["pcap"])
+
+    if (options["stream"])
+        case options["prot"]
+        when "tcp"
+            puts pstream.tcp_streams[options["stream"]].contents
+        when "udp"
+            puts pstream.udp_streams[options["stream"]].contents
+        end
+    elsif (options["ciphers"])
+        puts pstream.ciphers
+    else
+        puts pstream.summary
+    end
+rescue PStream::Error => e
+    puts e.message
+    exit PStreamExit::EXCEPTION
+end
+exit PStreamExit::GOOD

data/lib/pstream/error/pcap_not_found.rb

@@ -0,0 +1,5 @@
+class PStream::Error::PcapNotFound < PStream::Error
+    def initialize(pcap)
+        super("File not found: #{pcap}")
+    end
+end

data/lib/pstream/error/pcap_not_readable.rb

@@ -0,0 +1,5 @@
+class PStream::Error::PcapNotReadable < PStream::Error
+    def initialize(pcap)
+        super("File not readable: #{pcap}")
+    end
+end

data/lib/pstream/error/tshark_not_found.rb

@@ -0,0 +1,5 @@
+class PStream::Error::TsharkNotFound < PStream::Error
+    def initialize
+        super("Please install tshark!")
+    end
+end

data/lib/pstream/error.rb

@@ -0,0 +1,6 @@
+class PStream::Error < RuntimeError
+end
+
+require "pstream/error/pcap_not_found"
+require "pstream/error/pcap_not_readable"
+require "pstream/error/tshark_not_found"

data/lib/pstream/stream.rb

@@ -0,0 +1,25 @@
+class PStream::Stream
+    attr_accessor :desc
+    attr_accessor :frames
+    attr_accessor :id
+
+    def contents
+        out = %x(
+            tshark -r #{@pcap} -z follow,#{@prot},hex,#{@id} | \
+                 sed "s|^	||" | \grep -E "^[0-9A-Fa-f]{8}"
+        )
+        return out
+    end
+
+    def initialize(pcap, prot, id, desc, frames)
+        @desc = desc
+        @frames = frames
+        @id = id
+        @pcap = pcap
+        @prot = prot
+    end
+
+    def to_s()
+        return contents
+    end
+end

data/lib/pstream.rb

@@ -0,0 +1,97 @@
+require "pathname"
+require "scoobydoo"
+
+class PStream
+    attr_accessor :tcp_streams
+    attr_accessor :udp_streams
+
+    def ciphers
+        # List ciphers during ssl handshake
+        out = %x(
+            tshark -r #{@pcap} -Y ssl.handshake.ciphersuite -V | \
+                 \grep -E "Internet Protocol|Hostname:|Cipher Suite"
+        )
+        return out
+    end
+
+    def get_streams(prot)
+        streams = Array.new
+
+        out = %x(
+            tshark -r #{@pcap} -z conv,#{prot} | \grep -E "<->" | \
+                awk '{print $1, $2, $3, "|", $8, "Frames"}'
+        )
+
+        count = 0
+        out.split("\n").each do |line|
+            desc, frames = line.split(" | ")
+
+            id = count
+            id = desc.gsub(" <-> ", ",") if (prot == "udp")
+
+            streams.push(Stream.new(@pcap, prot, id, desc, frames))
+            count += 1
+        end
+
+        return streams
+    end
+    private :get_streams
+
+    def initialize(pcap)
+        if (ScoobyDoo.where_are_you("tshark").nil?)
+            raise PStream::Error::TsharkNotFound.new
+        end
+
+        @pcap = Pathname.new(pcap).expand_path
+
+        if (!@pcap.exist?)
+            raise PStream::Error::PcapNotFound.new(@pcap)
+        elsif (!@pcap.readable?)
+            raise PStream::Error::PcapNotReadable.new(@pcap)
+        end
+
+        @tcp_streams = get_streams("tcp")
+        @udp_streams = get_streams("udp")
+    end
+
+    def summary
+        ret = Array.new
+
+        # List TCP streams
+        ret.push("TCP Streams:")
+        count = 0
+        @tcp_streams.each do |stream|
+            ret.push("#{count} | #{stream.desc} | #{stream.frames}")
+            count += 1
+        end
+        ret.push("")
+
+        # List UDP streams
+        ret.push("UDP Streams:")
+        count = 0
+        @udp_streams.each do |stream|
+            ret.push("#{count} | #{stream.desc} | #{stream.frames}")
+            count += 1
+        end
+        ret.push("")
+
+        # List ciphers that were actually selected
+        ret.push("Ciphers in use:")
+        f = "ssl.handshake.ciphersuite && ssl.handshake.type == 2"
+        out = %x(
+            tshark -r #{@pcap} -Y "#{f}" -V | \
+                \grep -E "Cipher Suite:" | \
+                sed -r "s|^ +Cipher Suite: ||g" | sort -u
+        )
+        ret.concat(out.split("\n"))
+
+        return ret.join("\n")
+    end
+
+    def to_s
+        return summary
+    end
+end
+
+require "pstream/error"
+require "pstream/stream"

data/lib/string.rb

@@ -0,0 +1,32 @@
+# Redefine String class to allow for colorizing, rsplit, and word wrap
+class String
+    def blue
+        return colorize(36)
+    end
+
+    def colorize(color)
+        return "\e[#{color}m#{self}\e[0m"
+    end
+
+    def green
+        return colorize(32)
+    end
+
+    def red
+        return colorize(31)
+    end
+
+    def rsplit(pattern)
+        ret = rpartition(pattern)
+        ret.delete_at(1)
+        return ret
+    end
+
+    def white
+        return colorize(37)
+    end
+
+    def word_wrap(width = 70)
+        return scan(/\S.{0,#{width}}\S(?=\s|$)|\S+/).join("\n")
+    end
+end

metadata

@@ -0,0 +1,72 @@
+--- !ruby/object:Gem::Specification
+name: pstream
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Miles Whittaker
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-11-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: scoobydoo
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+description: ''
+email: mjwhitta@gmail.com
+executables:
+- pstream
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/pstream
+- lib/pstream.rb
+- lib/pstream/error.rb
+- lib/pstream/error/pcap_not_found.rb
+- lib/pstream/error/pcap_not_readable.rb
+- lib/pstream/error/tshark_not_found.rb
+- lib/pstream/stream.rb
+- lib/string.rb
+homepage: http://mjwhitta.github.io/pstream
+licenses:
+- GPL-3.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: ''
+test_files: []