rb-pcap 0.1.0

data/README.markdown

@@ -0,0 +1,10 @@
+rb-pcap
+=======
+
+A simple ruby wrapper for the pcap library.
+
+Compiling
+---------
+
+    ruby extconf.rb
+    make

data/ext/extconf.rb

@@ -0,0 +1,6 @@
+require 'mkmf'
+
+dir_config('pcap')
+fail "Couldn't find libpcap." unless have_library("pcap", "pcap_open_live", "pcap.h")
+
+create_makefile("rb_pcap")

data/ext/rb_pcap.c

@@ -0,0 +1,29 @@
+#include "rb_pcap.h"
+
+void Init_rb_pcap() {
+  cCapture = rb_define_class("Capture", rb_cObject);
+  rb_include_module(cCapture, rb_mEnumerable); 
+  rb_define_singleton_method(cCapture, "open", capture_open, -1);
+  rb_define_singleton_method(cCapture, "open_offline", capture_open_offline, 1);
+  rb_define_method(cCapture, "close", capture_close, 0);
+  rb_define_method(cCapture, "dispatch", capture_dispatch, -1);
+  rb_define_method(cCapture, "each", capture_loop, -1);
+  rb_define_method(cCapture, "each_packet", capture_loop, -1);
+  rb_define_method(cCapture, "filter=", capture_setfilter, 1);
+  rb_define_method(cCapture, "limit", capture_getlimit, 0);
+  rb_define_method(cCapture, "limit=", capture_setlimit, 1);
+  rb_define_method(cCapture, "dissector", capture_getdissector, 0);
+  rb_define_method(cCapture, "dissector=", capture_setdissector, 0);
+  rb_define_method(cCapture, "datalink", capture_datalink, 0);
+  rb_define_method(cCapture, "snapshot_length", capture_snapshot, 0);
+  
+  cFilter = rb_define_class_under(cCapture, "Filter", rb_cObject);
+  rb_define_alloc_func(cFilter, filter_alloc);
+  rb_define_method(cFilter, "initialize", filter_init, -1);
+  rb_define_method(cFilter, "expression", filter_source, 0);
+  rb_define_method(cFilter, "=~", filter_match, 1);
+  rb_define_method(cFilter, "===", filter_match, 1);
+  
+  eCaptureError    = rb_define_class_under(cCapture, "CaptureError", rb_eStandardError);
+  eTruncatedPacket = rb_define_class_under(cCapture, "TruncatedPacket", eCaptureError);
+}

data/ext/rb_pcap.h

@@ -0,0 +1,12 @@
+#ifndef __RB_PCAP_H__
+#define __RB_PCAP_H__
+
+#include "rb_pcap_capture.h"
+#include "rb_pcap_filter.h"
+
+VALUE cCapture;
+VALUE cFilter;
+VALUE eCaptureError;
+VALUE eTruncatedPacket;
+
+#endif

data/ext/rb_pcap_capture.c

@@ -0,0 +1,365 @@
+#include "rb_pcap_capture.h"
+
+void closed_capture()
+{
+  rb_raise(rb_eRuntimeError, "device is already closed");
+}
+
+void free_capture(struct capture_object *cap)
+{
+  if (cap->pcap != NULL) {
+    rb_thread_fd_close(pcap_fileno(cap->pcap));
+    pcap_close(cap->pcap);
+    cap->pcap = NULL;
+  }
+  
+  free(cap);
+}
+
+VALUE capture_close(VALUE self)
+{
+  struct capture_object *cap;
+
+  GetCapture(self, cap);
+
+  if (cap->dumper) {
+    pcap_dump_close(cap->dumper);
+  }
+
+  rb_thread_fd_close(pcap_fileno(cap->pcap));
+  pcap_close(cap->pcap);
+  cap->pcap = NULL;
+  return Qnil;
+}
+
+VALUE capture_setfilter(VALUE self, VALUE v_filter)
+{
+  struct capture_object *cap;
+  struct bpf_program program;
+
+  GetCapture(self, cap);
+
+  if (IsKindOf(v_filter, cFilter)) {
+    struct filter_object *f;
+    GetFilter(v_filter, f);
+    program = f->program;
+  } else {
+    Check_Type(v_filter, T_STRING);
+    char *filter = RSTRING(v_filter)->ptr;
+    
+    if (pcap_compile(cap->pcap, &program, filter, 1, cap->netmask) < 0) {
+      rb_raise(eCaptureError, "setfilter: %s", pcap_geterr(cap->pcap));
+    }
+  }
+  
+  if (pcap_setfilter(cap->pcap, &program) < 0) {
+    rb_raise(eCaptureError, "setfilter: %s", pcap_geterr(cap->pcap));
+  }
+  
+  return v_filter;
+}
+
+
+VALUE capture_setdissector(VALUE self, VALUE dissector)
+{
+  if (!(IsKindOf(dissector, rb_cProc) || dissector == Qnil)) {
+    rb_raise(rb_eArgError, "dissector must be proc or nil");
+  }
+        
+  struct capture_object *cap;
+  GetCapture(self, cap);
+  
+  cap->dissector = dissector;
+  
+  return dissector;  
+}
+
+VALUE capture_open(int argc, VALUE *argv, VALUE class)
+{
+  VALUE v_device, v_snaplen = Qnil, v_promisc = Qnil, v_to_ms = Qnil, v_filter = Qnil, v_limit = Qnil, v_dissector = Qnil, v_dump = Qnil;
+  char *device;
+  char *dump;
+  int snaplen, promisc, to_ms;
+  int rs;
+  VALUE self;
+  struct capture_object *cap;
+  pcap_t *pcap;
+  bpf_u_int32 net, netmask;
+  
+  rs = rb_scan_args(argc, argv, "13", &v_device, &v_snaplen,&v_promisc, &v_to_ms);
+  
+  if (IsKindOf(v_device, rb_cHash)) {
+    v_snaplen   = rb_funcall(v_device, rb_intern("[]"), 1, ID2SYM(rb_intern("snapshot_length")));
+    v_to_ms     = rb_funcall(v_device, rb_intern("[]"), 1, ID2SYM(rb_intern("timeout")));
+    v_promisc   = rb_funcall(v_device, rb_intern("[]"), 1, ID2SYM(rb_intern("promiscuous")));
+    v_limit     = rb_funcall(v_device, rb_intern("[]"), 1, ID2SYM(rb_intern("limit")));
+    v_filter    = rb_funcall(v_device, rb_intern("[]"), 1, ID2SYM(rb_intern("filter")));
+    v_dissector = rb_funcall(v_device, rb_intern("[]"), 1, ID2SYM(rb_intern("dissector")));
+    v_dump      = rb_funcall(v_device, rb_intern("[]"), 1, ID2SYM(rb_intern("dump")));
+    v_device    = rb_funcall(v_device, rb_intern("[]"), 1, ID2SYM(rb_intern("device")));
+    
+    if (v_device == Qnil) {
+      rb_raise(rb_eArgError, ":device must be specified");
+    }
+  }
+  
+  Check_SafeStr(v_device);
+  device = RSTRING(v_device)->ptr;
+  
+  if (v_snaplen != Qnil) {
+    Check_Type(v_snaplen, T_FIXNUM);
+    snaplen = FIX2INT(v_snaplen);
+  } else {
+    snaplen = DEFAULT_SNAPLEN;
+  }
+  
+  if (snaplen <  0) {
+    rb_raise(rb_eArgError, "invalid snaplen");
+  }
+  
+  if (v_promisc != Qnil) {
+    promisc = RTEST(v_promisc);
+  } else {
+    promisc = DEFAULT_PROMISC;
+  }
+  
+  if (v_to_ms != Qnil) {
+    Check_Type(v_to_ms, T_FIXNUM);
+    to_ms = FIX2INT(v_to_ms);
+  } else {
+    to_ms = DEFAULT_TO_MS;
+  }
+  
+  char pcap_errbuf[PCAP_ERRBUF_SIZE];
+  
+  pcap = pcap_open_live(device, snaplen, promisc, to_ms, pcap_errbuf);
+  
+  if (pcap == NULL) {
+    rb_raise(eCaptureError, "%s", pcap_errbuf);
+  }
+  
+  if (pcap_lookupnet(device, &net, &netmask, pcap_errbuf) == -1) {
+    netmask = 0;
+    rb_warning("cannot lookup net: %s\n", pcap_errbuf);
+  }
+  
+  self = Data_Make_Struct(class, struct capture_object, 0, free_capture, cap);
+  cap->pcap = pcap;
+  cap->netmask = netmask;
+  cap->dl_type = pcap_datalink(pcap);
+  capture_setdissector(self, v_dissector);
+  
+  if (v_dump != Qnil) {
+    Check_Type(v_dump, T_STRING);
+    cap->dumper = pcap_dump_open(cap->pcap, RSTRING(v_dump)->ptr);
+  } else {
+    cap->dumper = NULL;
+  }
+  
+  if (v_limit != Qnil) {
+    Check_Type(v_limit, T_FIXNUM);
+    cap->limit = FIX2INT(v_limit);
+  } else {
+    cap->limit = -1;
+  }
+  
+  if (v_filter != Qnil) {
+    capture_setfilter(self, v_filter);
+  }
+  
+  if (rb_block_given_p()) {
+    rb_yield(self);
+    capture_close(self);
+    return Qnil;
+  } else
+    return self;
+}
+
+VALUE capture_open_offline(VALUE class, VALUE fname)
+{
+  VALUE self;
+  struct capture_object *cap;
+  pcap_t *pcap;
+  
+  /* open offline */
+  Check_SafeStr(fname);
+  char pcap_errbuf[PCAP_ERRBUF_SIZE];
+  pcap = pcap_open_offline(RSTRING(fname)->ptr, pcap_errbuf);
+  if (pcap == NULL) {
+    rb_raise(eCaptureError, "%s", pcap_errbuf);
+  }
+
+  /* setup instance */
+  self = Data_Make_Struct(class, struct capture_object, 0, free_capture, cap);
+  cap->pcap = pcap;
+  cap->netmask = 0;
+  cap->dl_type = pcap_datalink(pcap);
+
+  return self;
+}
+
+void handler1(struct capture_object *cap, const struct pcap_pkthdr *pkthdr, const u_char *data)
+{
+  if (cap->dissector != Qnil) {
+    VALUE dissected = rb_funcall(cap->dissector, rb_intern("call"), 1, rb_str_new((char *)data, pkthdr->caplen));
+    
+    rb_yield_values(1, dissected); // not sure why rb_yield doesn't work here, but it wasn't for me
+  } else
+    rb_yield_values(1, rb_str_new((char *)data, pkthdr->caplen));
+}
+
+
+void handler2(struct capture_object *cap, const struct pcap_pkthdr *pkthdr, const u_char *data)
+{
+  if (cap->dissector != Qnil) {
+    VALUE dissected = rb_funcall(cap->dissector, rb_intern("call"), 1, rb_str_new((char *)data, pkthdr->caplen));
+
+    rb_yield_values(2, dissected, rb_time_new(pkthdr->ts.tv_sec, pkthdr->ts.tv_usec));
+  } else
+    rb_yield_values(2, rb_str_new((char *)data, pkthdr->caplen), rb_time_new(pkthdr->ts.tv_sec, pkthdr->ts.tv_usec));  
+}
+
+VALUE capture_dispatch(int argc, VALUE *argv, VALUE self)
+{
+  VALUE v_cnt;
+  int cnt;
+  struct capture_object *cap;
+  int ret;
+
+  GetCapture(self, cap);
+
+  if (cap->dumper == NULL) {
+    rb_raise(rb_eRuntimeError, "No dump file specified, use each to retrieve packets.");
+  }
+
+  /*VALUE proc = rb_block_proc();
+  VALUE v_arity = rb_funcall(proc, rb_intern("arity"), 0);
+    
+  int arity = FIX2INT(v_arity);
+  
+  pcap_handler handler = (arity < 2) ? (pcap_handler)handler1 : (pcap_handler)handler2;
+  */
+  
+  /* scan arg */
+  if (rb_scan_args(argc, argv, "01", &v_cnt) >= 1) {
+    FIXNUM_P(v_cnt);
+    cnt = FIX2INT(v_cnt);
+  } else {
+    cnt = -1;
+  }
+  
+  TRAP_BEG;
+  ret = pcap_dispatch(cap->pcap, cnt, pcap_dump, (u_char *)cap->dumper);
+  TRAP_END;
+  
+  if (ret == -1)
+    rb_raise(eCaptureError, "dispatch: %s", pcap_geterr(cap->pcap));
+
+  return INT2FIX(ret);
+}
+
+VALUE capture_loop(int argc, VALUE *argv, VALUE self)
+{
+  VALUE v_cnt;
+  int cnt;
+  struct capture_object *cap;
+  int ret;
+
+  GetCapture(self, cap);
+
+  VALUE proc = rb_block_proc();
+  VALUE v_arity = rb_funcall(proc, rb_intern("arity"), 0);
+    
+  int arity = FIX2INT(v_arity);
+
+  pcap_handler handler = (arity < 2) ? (pcap_handler)handler1 : (pcap_handler)handler2;
+
+  /* scan arg */
+  if (rb_scan_args(argc, argv, "01", &v_cnt) >= 1) {
+    FIXNUM_P(v_cnt);
+    cnt = FIX2INT(v_cnt);
+    } else
+    cnt = cap->limit;
+
+    if (pcap_file(cap->pcap) != NULL) {
+    TRAP_BEG;
+    ret = pcap_loop(cap->pcap, cnt, handler, (u_char *)cap);
+    TRAP_END;
+  } else {
+    int fd = pcap_fileno(cap->pcap);
+    fd_set rset;
+    struct timeval tm;
+
+    FD_ZERO(&rset);
+    tm.tv_sec = 0;
+    tm.tv_usec = 0;
+    for (;;) {
+      do {
+        FD_SET(fd, &rset);
+        if (select(fd+1, &rset, NULL, NULL, &tm) == 0) {
+          rb_thread_wait_fd(fd);
+        }
+        TRAP_BEG;
+        ret = pcap_read(cap->pcap, 1, handler, (u_char *)cap);
+        TRAP_END;
+      } while (ret == 0);
+      if (ret <= 0)
+        break;
+      if (cnt > 0) {
+        cnt -= ret;
+        if (cnt <= 0)
+          break;
+      }
+    }
+  }
+
+    return INT2FIX(ret);
+}
+
+VALUE capture_datalink(VALUE self)
+{
+    struct capture_object *cap;
+
+    GetCapture(self, cap);
+
+    return INT2NUM(pcap_datalink(cap->pcap));
+}
+
+VALUE capture_snapshot(VALUE self)
+{
+    struct capture_object *cap;
+
+    GetCapture(self, cap);
+
+    return INT2NUM(pcap_snapshot(cap->pcap));
+}
+
+VALUE capture_getlimit(VALUE self)
+{
+  struct capture_object *cap;
+  GetCapture(self, cap);
+
+  return INT2FIX(cap->limit);
+}
+
+
+VALUE capture_setlimit(VALUE self, VALUE limit)
+{
+  Check_Type(limit, T_FIXNUM);
+
+  struct capture_object *cap;
+  GetCapture(self, cap);
+
+  cap->limit = FIX2INT(limit);
+
+  return limit;  
+}
+
+VALUE capture_getdissector(VALUE self)
+{
+  struct capture_object *cap;
+  GetCapture(self, cap);
+
+  return cap->dissector;
+}
+

data/ext/rb_pcap_capture.h

@@ -0,0 +1,53 @@
+#ifndef __RB_PCAP_CAPTURE_H__
+#define __RB_PCAP_CAPTURE_H__
+
+#include <ruby.h>
+#include <rubysig.h>
+#include <pcap.h>
+
+#include "rb_pcap_filter.h"
+
+#define DEFAULT_DATALINK  DLT_EN10MB
+#define DEFAULT_SNAPLEN  256
+#define DEFAULT_PROMISC  1
+#define DEFAULT_TO_MS  1000
+
+extern VALUE eCaptureError;
+extern VALUE eTruncatedPacket;
+extern VALUE cCapture;
+
+struct capture_object {
+  pcap_t        *pcap;
+  pcap_dumper_t *dumper;
+  int            limit;      
+  bpf_u_int32    netmask;
+  int            dl_type;
+  VALUE          dissector;
+};
+
+#define GetFilter(obj, filter) Data_Get_Struct(obj, struct filter_object, filter)
+#define GetPacket(obj, pkt) Data_Get_Struct(obj, struct packet_object, pkt)
+#define GetCapture(obj, cap) { Data_Get_Struct(obj, struct capture_object, cap); if (cap->pcap == NULL) closed_capture(); }
+#define Caplen(pkt, from) ((pkt)->hdr.pkthdr.caplen - (from))
+#define CheckTruncate(pkt, from, need, emsg) ((from) + (need) > (pkt)->hdr.pkthdr.caplen ? rb_raise(eTruncatedPacket, (emsg)) : 0)
+#define IsKindOf(v, class) RTEST(rb_obj_is_kind_of(v, class))
+#define CheckClass(v, class) ((IsKindOf(v, class)) ? 0 : rb_raise(rb_eTypeError, "wrong type %s (expected %s)", rb_class2name(CLASS_OF(v)), rb_class2name(class)))
+
+void closed_capture();
+void free_capture(struct capture_object *cap);
+VALUE capture_close(VALUE self);
+VALUE capture_setfilter(VALUE self, VALUE v_filter);
+VALUE capture_setdissector(VALUE self, VALUE dissector);
+VALUE capture_open(int argc, VALUE *argv, VALUE class);
+VALUE capture_open_offline(VALUE class, VALUE fname);
+void handler1(struct capture_object *cap, const struct pcap_pkthdr *pkthdr, const u_char *data);
+void handler2(struct capture_object *cap, const struct pcap_pkthdr *pkthdr, const u_char *data);
+VALUE capture_dispatch(int argc, VALUE *argv, VALUE self);
+VALUE capture_loop(int argc, VALUE *argv, VALUE self);
+VALUE capture_datalink(VALUE self);
+VALUE capture_snapshot(VALUE self);
+VALUE capture_getlimit(VALUE self);
+VALUE capture_setlimit(VALUE self, VALUE limit);
+VALUE capture_getdissector(VALUE self);
+
+#endif

data/ext/rb_pcap_filter.c

@@ -0,0 +1,85 @@
+#include "rb_pcap_filter.h"
+
+void free_filter(struct filter_object *filter)
+{
+  free(filter->expr);
+  free(filter);
+}
+
+VALUE filter_alloc(VALUE self)
+{
+  struct filter_object *filter = (struct filter_object *)xmalloc(sizeof(struct filter_object));
+  
+  filter->expr = NULL;
+  
+  return Data_Wrap_Struct(self, NULL, free_filter, filter);
+}
+
+VALUE filter_init(int argc, VALUE* argv, VALUE self)
+{
+  VALUE v_expr, v_optimize, v_netmask;
+  struct filter_object *filter;
+  char *expr;
+  int n, optimize, snaplen, linktype;
+  bpf_u_int32 netmask;
+  
+  n = rb_scan_args(argc, argv, "12", &v_expr, &v_optimize, &v_netmask);
+  
+  /* filter expression */
+  Check_Type(v_expr, T_STRING);
+  expr = STR2CSTR(v_expr);
+  
+  snaplen   = DEFAULT_SNAPLEN;
+  linktype  = DEFAULT_DATALINK;
+
+  /* optimize flag */
+  optimize = 1;
+  if (n >= 3) {
+    optimize = RTEST(v_optimize);
+  }
+    /* netmask */
+  netmask = 0;
+  if (n >= 4) {
+    bpf_u_int32 mask = NUM2UINT(v_netmask);
+    netmask = htonl(mask);
+  }
+  
+  GetFilter(self, filter);
+  
+  if (pcap_compile_nopcap(snaplen, linktype, &filter->program, expr, optimize, netmask) == -1) {
+    rb_raise(eCaptureError, "pcap_compile_nopcap error");
+  }
+  
+  filter->datalink  = linktype;
+  filter->snaplen   = snaplen;
+  filter->expr      = strdup(expr);
+  filter->optimize  = optimize ? Qtrue : Qfalse;
+  filter->netmask   = INT2NUM(ntohl(netmask));
+  
+  return self;
+}
+
+VALUE filter_source(VALUE self)
+{
+    struct filter_object *filter;
+
+    GetFilter(self, filter);
+    return rb_str_new2(filter->expr);
+}
+
+
+VALUE filter_match(VALUE self, VALUE v_pkt)
+{
+  struct filter_object *filter;
+  struct packet_object *pkt;
+
+  GetFilter(self, filter);
+
+  int v_pkt_len = RSTRING(v_pkt)->len;
+  
+  if (bpf_filter(filter->program.bf_insns, (unsigned char *)StringValuePtr(v_pkt), v_pkt_len, v_pkt_len)) {
+    return Qtrue;
+  }
+  
+  return Qfalse;
+}

data/ext/rb_pcap_filter.h

@@ -0,0 +1,28 @@
+#ifndef __RB_PCAP_FILTER_H__
+#define __RB_PCAP_FILTER_H__
+
+#include <ruby.h>
+#include <rubysig.h>
+#include <pcap.h>
+
+#include "rb_pcap_capture.h"
+
+struct filter_object {
+  char                *expr;
+  struct bpf_program  program;
+  int                 datalink;
+  int                 snaplen;
+  VALUE               optimize;
+  VALUE               netmask;
+};
+
+extern VALUE cFilter;
+
+void mark_filter(struct filter_object *filter);
+void free_filter(struct filter_object *filter);
+VALUE filter_alloc(VALUE self);
+VALUE filter_init(int argc, VALUE *argv, VALUE class);
+VALUE filter_source(VALUE self);
+VALUE filter_match(VALUE self, VALUE v_pkt);
+
+#endif

data/lib/rb-pcap.rb

@@ -0,0 +1 @@
+require 'rb_pcap'

metadata

@@ -0,0 +1,64 @@
+--- !ruby/object:Gem::Specification 
+name: rb-pcap
+version: !ruby/object:Gem::Version 
+  version: 0.1.0
+platform: ruby
+authors: 
+- Cory T. Cornelius
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2008-08-02 00:00:00 -04:00
+default_executable: 
+dependencies: []
+
+description: See README.markdown for more information.
+email: 
+- cory.t.cornelius@dartmouth.edu
+executables: []
+
+extensions: 
+- ext/extconf.rb
+extra_rdoc_files: []
+
+files: 
+- README.markdown
+- lib/rb-pcap.rb
+- ext/extconf.rb
+- ext/rb_pcap_capture.c
+- ext/rb_pcap_capture.h
+- ext/rb_pcap_filter.c
+- ext/rb_pcap_filter.h
+- ext/rb_pcap.c
+- ext/rb_pcap.h
+has_rdoc: true
+homepage: http://github.com/dxoigmn/rb-pcap
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Simple libpcap wrapper.
+test_files: []
+