RubyGems - ruby-pcap - Versions diffs - 0.7.8 - Mend

ruby-pcap 0.7.8

Files changed (39) hide show

@@ -0,0 +1,54 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html> <head>
+<title>Ruby/Pcap Library</title>
+</head>
+<body bgcolor="ffffff">
+<h1>Ruby/Pcap��ĥ�饤�֥��</h1>
+LBL �� libpcap (Packet Capture library) �ؤ� ruby ���󥿥ե������Ǥ���
+<h2>�⥸�塼��</h2>
+<ul>
+  <li><a href="Pcap.html"><code>Pcap</code></a>
+</ul>
+<h2>���饹</h2>
+�ʲ��Υ��饹������ <code>Pcap</code> �⥸�塼��β����������Ƥ��ޤ���
+�������äƻ��Ѥ���Ȥ��� <code>Pcap</code> �⥸�塼���
+<code>include</code> ���뤫���⤷���� <code>Pcap::Capture</code> �Τ�
+���˻��Ȥ��Ƥ���������
+<ul>
+  <li><a href="Capture.html"><code>Capture</code></a>
+  <li><a href="Pcaplet.html"><code>Pcaplet</code></a>
+  <li><a href="Packet.html"><code>Packet</code></a>
+      <ul>
+	<li><a href="IPPacket.html"><code>IPPacket</code></a>
+	    <ul>
+	      <li><a href="TCPPacket.html"><code>TCPPacket</code></a>
+	      <li><a href="UDPPacket.html"><code>UDPPacket</code></a>
+	      <li><a href="ICMPPacket.html"><code>ICMPPacket</code></a>
+	    </ul>
+      </ul>
+  <li><a href="IPAddress.html"><code>IPAddress</code></a>
+  <li><a href="Dumper.html"><code>Dumper</code></a>
+  <li><a href="Filter.html"><code>Filter</code></a>
+</ul>
+<h2>�㳰</h2>
+<ul>
+  <li><a href="PcapError.html"><code>PcapError</code></a>
+      <ul>
+	<li><a href="TruncatedPacket.html"><code>TruncatedPacket</code></a>
+      </ul>
+</ul>
+<hr>
+<P ALIGN="RIGHT">
+<A HREF="mailto:fukusima@goto.info.waseda.ac.jp">
+fukusima@goto.info.waseda.ac.jp</A><BR>
+</P>
+</body> </html>

data/examples/httpdump.rb ADDED

@@ -0,0 +1,27 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'pcaplet'
+httpdump = Pcaplet.new('-s 1500')
+HTTP_REQUEST  = Pcap::Filter.new('tcp and dst port 80', httpdump.capture)
+HTTP_RESPONSE = Pcap::Filter.new('tcp and src port 80', httpdump.capture)
+httpdump.add_filter(HTTP_REQUEST | HTTP_RESPONSE)
+httpdump.each_packet {|pkt|
+  data = pkt.tcp_data
+  case pkt
+  when HTTP_REQUEST
+    if data and data =~ /^GET\s+(\S+)/
+      path = $1
+      host = pkt.dst.to_s
+      host << ":#{pkt.dst_port}" if pkt.dport != 80
+      s = "#{pkt.src}:#{pkt.sport} > GET http://#{host}#{path}"
+    end
+  when HTTP_RESPONSE
+    if data and data =~ /^(HTTP\/.*)$/
+      status = $1
+      s = "#{pkt.dst}:#{pkt.dport} < #{status}"
+    end
+  end
+  puts s if s
+}

data/examples/rewrite_time.rb ADDED

@@ -0,0 +1,28 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'pcap'
+if 3 != ARGV.size
+  STDERR.puts "Usage: #{$0} in.pcap out.pcap delta"
+  exit(2)
+end
+in_filename, out_filename, delta = ARGV
+inp = outc = outp = nil
+begin
+  inp = Pcap::Capture.open_offline(in_filename)
+  outc = Pcap::Capture.open_dead(inp.datalink, inp.snaplen)
+  outp = Pcap::Dumper.open(outc, out_filename)
+  inp.loop(-1) do |pkt|
+    pkt.time_i += delta.to_i
+    outp.dump(pkt)
+  end
+rescue Exception => e
+  STDERR.puts e.message,e.backtrace
+ensure
+  inp.close if inp
+  outp.close if outp
+  outc.close if outc
+end

data/examples/tcpdump.rb ADDED

@@ -0,0 +1,26 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'pcaplet'
+include Pcap
+class Time
+  # tcpdump style format
+  def to_s
+    sprintf "%0.2d:%0.2d:%0.2d.%0.6d", hour, min, sec, tv_usec
+  end
+end
+pcaplet = Pcaplet.new
+pcaplet.each_packet { |pkt|
+  print "#{pkt.time} #{pkt}"
+  if pkt.tcp?
+    print " (#{pkt.tcp_data_len})"
+    print " ack #{pkt.tcp_ack}" if pkt.tcp_ack?
+    print " win #{pkt.tcp_win}"
+  end
+  if pkt.ip?
+    print " (DF)" if pkt.ip_df?
+  end
+  print "\n"
+}
+pcaplet.close

data/examples/test.rb ADDED

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'pcap'
+dev = Pcap.lookupdev
+cap = Pcap::Capture.open_live(dev)
+cap.setfilter("ip")
+cap.loop do |pkt|
+    print pkt, "\n"
+end
+cap.close

data/ext/Pcap.c ADDED

@@ -0,0 +1,938 @@
+/*
+ *  Pcap.c
+ *
+ *  $Id: Pcap.c,v 1.10 2000/08/13 05:56:31 fukusima Exp $
+ *
+ *  Copyright (C) 1998-2000  Masaki Fukushima
+ */
+#include "ruby_pcap.h"
+#include "rubysig.h"
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+#define DEFAULT_DATALINK        DLT_EN10MB
+#define DEFAULT_SNAPLEN 68
+#define DEFAULT_PROMISC 1
+#define DEFAULT_TO_MS   1000
+#ifdef PCAP_DONT_TRAP
+#define MAYBE_TRAP_BEG do {} while (0)
+#define MAYBE_TRAP_END do {} while (0)
+#else
+#define MAYBE_TRAP_BEG TRAP_BEG
+#define MAYBE_TRAP_END TRAP_END
+#endif
+static char pcap_errbuf[PCAP_ERRBUF_SIZE];
+VALUE mPcap, rbpcap_convert = Qnil;
+VALUE ePcapError;
+VALUE eTruncatedPacket;
+VALUE cFilter;
+static VALUE cCapture;
+static VALUE cPcapStat;
+static VALUE cDumper;
+struct filter_object {
+    char *expr;
+    struct bpf_program program;
+    int datalink;
+    int snaplen;
+    VALUE param;
+    VALUE optimize;
+    VALUE netmask;
+};
+#define GetFilter(obj, filter) \
+    Data_Get_Struct(obj, struct filter_object, filter)
+static VALUE
+pcap_s_lookupdev(self)
+    VALUE self;
+{
+    char *dev;
+    dev = pcap_lookupdev(pcap_errbuf);
+    if (dev == NULL) {
+        rb_raise(ePcapError, "%s", pcap_errbuf);
+    }
+    return rb_str_new2(dev);
+}
+static VALUE
+pcap_s_findalldevs(self)
+    VALUE self;
+{
+    pcap_if_t *alldevsp;
+    VALUE return_ary;
+    char pcap_errbuf[PCAP_ERRBUF_SIZE];
+    return_ary = rb_ary_new();
+    pcap_findalldevs(&alldevsp, pcap_errbuf);
+    if (alldevsp == NULL) // List is empty, probably an error
+           rb_raise(ePcapError, "%s", pcap_errbuf);
+    for (; alldevsp->next != NULL; alldevsp = alldevsp->next)
+            rb_ary_push(return_ary, rb_str_new2(alldevsp->name));
+    pcap_freealldevs(alldevsp);
+    return return_ary;
+}
+static VALUE
+pcap_s_lookupnet(self, dev)
+    VALUE self;
+    VALUE dev;
+{
+    bpf_u_int32 net, mask, m;
+    struct in_addr addr;
+    Check_Type(dev, T_STRING);
+    if (pcap_lookupnet(StringValuePtr(dev), &net, &mask, pcap_errbuf) == -1) {
+        rb_raise(ePcapError, "%s", pcap_errbuf);
+    }
+    addr.s_addr = net;
+    m = ntohl(mask);
+    return rb_ary_new3(2, new_ipaddr(&addr), UINT32_2_NUM(m));
+}
+static VALUE
+pcap_s_convert(self)
+    VALUE self;
+{
+    return rbpcap_convert;
+}
+static VALUE
+pcap_s_convert_set(self, val)
+    VALUE self;
+{
+    rbpcap_convert = val;
+    return Qnil;
+}
+/*
+ * Capture object
+ */
+struct capture_object {
+    pcap_t      *pcap;
+    bpf_u_int32 netmask;
+    int         dl_type;        /* data-link type (DLT_*)               */
+};
+static void
+closed_capture()
+{
+    rb_raise(rb_eRuntimeError, "device is already closed");
+}
+#define GetCapture(obj, cap) {\
+    Data_Get_Struct(obj, struct capture_object, cap);\
+    if (cap->pcap == NULL) closed_capture();\
+}
+/* called from GC */
+static void
+free_capture(cap)
+     struct capture_object *cap;
+{
+    DEBUG_PRINT("free_capture");
+    if (cap->pcap != NULL) {
+        DEBUG_PRINT("closing capture");
+        rb_thread_fd_close(pcap_fileno(cap->pcap));
+        pcap_close(cap->pcap);
+        cap->pcap = NULL;
+    }
+    free(cap);
+}
+static VALUE
+capture_open_live(argc, argv, class)
+     int argc;
+     VALUE *argv;
+     VALUE class;
+{
+    VALUE v_device, v_snaplen, v_promisc, v_to_ms;
+    char *device;
+    int snaplen, promisc, to_ms;
+    int rs;
+    VALUE self;
+    struct capture_object *cap;
+    pcap_t *pcap;
+    bpf_u_int32 net, netmask;
+    DEBUG_PRINT("capture_open_live");
+    /* scan arg */
+    rs = rb_scan_args(argc, argv, "13", &v_device, &v_snaplen,
+                      &v_promisc, &v_to_ms);
+    /* device */
+    Check_SafeStr(v_device);
+    device = RSTRING_PTR(v_device);
+    /* snaplen */
+    if (rs >= 2) {
+        Check_Type(v_snaplen, T_FIXNUM);
+        snaplen = FIX2INT(v_snaplen);
+    } else {
+        snaplen = DEFAULT_SNAPLEN;
+    }
+    if (snaplen <  0)
+        rb_raise(rb_eArgError, "invalid snaplen");
+    /* promisc */
+    if (rs >= 3) {
+        promisc = RTEST(v_promisc);
+    } else {
+        promisc = DEFAULT_PROMISC;
+    }
+    /* to_ms */
+    if (rs >= 4) {
+        Check_Type(v_to_ms, T_FIXNUM);
+        to_ms = FIX2INT(v_to_ms);
+    } else
+        to_ms = DEFAULT_TO_MS;
+    /* open */
+    pcap = pcap_open_live(device, snaplen, promisc, to_ms, pcap_errbuf);
+    if (pcap == NULL) {
+        rb_raise(ePcapError, "%s", pcap_errbuf);
+    }
+    if (pcap_lookupnet(device, &net, &netmask, pcap_errbuf) == -1) {
+        netmask = 0;
+        rb_warning("cannot lookup net: %s\n", pcap_errbuf);
+    }
+    /* setup instance */
+    self = Data_Make_Struct(class, struct capture_object,
+                            0, free_capture, cap);
+    cap->pcap = pcap;
+    cap->netmask = netmask;
+    cap->dl_type = pcap_datalink(pcap);
+    return self;
+}
+static VALUE
+capture_open_offline(class, fname)
+     VALUE class;
+     VALUE fname;
+{
+    VALUE self;
+    struct capture_object *cap;
+    pcap_t *pcap;
+    DEBUG_PRINT("capture_open_offline");
+    /* open offline */
+    Check_SafeStr(fname);
+    pcap = pcap_open_offline(RSTRING_PTR(fname), pcap_errbuf);
+    if (pcap == NULL) {
+        rb_raise(ePcapError, "%s", pcap_errbuf);
+    }
+    /* setup instance */
+    self = Data_Make_Struct(class, struct capture_object,
+                            0, free_capture, cap);
+    cap->pcap = pcap;
+    cap->netmask = 0;
+    cap->dl_type = pcap_datalink(pcap);
+    return self;
+}
+static VALUE
+capture_open_dead(argc, argv, class)
+     int argc;
+     VALUE *argv;
+     VALUE class;
+{
+    VALUE self;
+    struct capture_object *cap;
+    pcap_t *pcap;
+    VALUE v_linktype, v_snaplen;
+    int linktype, snaplen;
+    int rs;
+    DEBUG_PRINT("capture_open_dead");
+    /* scan arg */
+    rs = rb_scan_args(argc, argv, "02", &v_linktype, &v_snaplen);
+    if (rs >= 1) {
+      Check_Type(v_linktype, T_FIXNUM);
+      linktype = FIX2INT(v_linktype);
+    } else {
+      linktype = DEFAULT_DATALINK;
+    }
+    if (rs == 2) {
+      Check_Type(v_snaplen, T_FIXNUM);
+      snaplen = FIX2INT(v_snaplen);
+    } else {
+      snaplen = DEFAULT_SNAPLEN;
+    }
+    pcap = pcap_open_dead(linktype, snaplen);
+    if (pcap == NULL) {
+      rb_raise(ePcapError, "Error calling pcap_open_dead");
+    }
+    /* setup instance */
+    self = Data_Make_Struct(class, struct capture_object,
+                            0, free_capture, cap);
+    cap->pcap = pcap;
+    cap->netmask = 0;
+    cap->dl_type = pcap_datalink(pcap);
+    return self;
+}
+static VALUE
+capture_close(self)
+     VALUE self;
+{
+    struct capture_object *cap;
+    DEBUG_PRINT("capture_close");
+    GetCapture(self, cap);
+    rb_thread_fd_close(pcap_fileno(cap->pcap));
+    pcap_close(cap->pcap);
+    cap->pcap = NULL;
+    return Qnil;
+}
+static void
+handler(cap, pkthdr, data)
+     struct capture_object *cap;
+     const struct pcap_pkthdr *pkthdr;
+     const u_char *data;
+{
+    rb_yield(new_packet(data, pkthdr, cap->dl_type));
+}
+static VALUE
+capture_dispatch(argc, argv, self)
+     int argc;
+     VALUE *argv;
+     VALUE self;
+{
+    VALUE v_cnt;
+    int cnt;
+    struct capture_object *cap;
+    int ret;
+    DEBUG_PRINT("capture_dispatch");
+    GetCapture(self, cap);
+    /* scan arg */
+    if (rb_scan_args(argc, argv, "01", &v_cnt) >= 1) {
+        FIXNUM_P(v_cnt);
+        cnt = FIX2INT(v_cnt);
+    } else {
+        cnt = -1;
+    }
+    MAYBE_TRAP_BEG;
+    ret = pcap_dispatch(cap->pcap, cnt, handler, (u_char *)cap);
+    MAYBE_TRAP_END;
+    if (ret == -1) {
+        rb_raise(ePcapError, "dispatch: %s", pcap_geterr(cap->pcap));
+    }
+    return INT2FIX(ret);
+}
+static VALUE
+capture_fh(argc, argv, self)
+     int argc;
+     VALUE *argv;
+     VALUE self;
+{
+    VALUE v_cnt;
+    int cnt;
+    struct capture_object *cap;
+    int ret;
+    DEBUG_PRINT("capture_fh");
+    GetCapture(self, cap);
+    return rb_funcall(rb_path2class("IO"), rb_intern("new"), 1, INT2FIX(pcap_fileno(cap->pcap)));
+}
+static VALUE
+capture_loop(argc, argv, self)
+     int argc;
+     VALUE *argv;
+     VALUE self;
+{
+    VALUE v_cnt;
+    int cnt;
+    struct capture_object *cap;
+    int ret;
+    DEBUG_PRINT("capture_loop");
+    GetCapture(self, cap);
+    /* scan arg */
+    if (rb_scan_args(argc, argv, "01", &v_cnt) >= 1) {
+        FIXNUM_P(v_cnt);
+        cnt = FIX2INT(v_cnt);
+    } else {
+        cnt = -1;
+    }
+    if (pcap_file(cap->pcap) != NULL) {
+        MAYBE_TRAP_BEG;
+        ret = pcap_loop(cap->pcap, cnt, handler, (u_char *)cap);
+        MAYBE_TRAP_END;
+    }
+    else {
+        int fd = pcap_fileno(cap->pcap);
+        fd_set rset;
+        struct timeval tm;
+        FD_ZERO(&rset);
+        tm.tv_sec = 0;
+        tm.tv_usec = 0;
+        for (;;) {
+            do {
+                FD_SET(fd, &rset);
+                if (select(fd+1, &rset, NULL, NULL, &tm) == 0) {
+                    rb_thread_wait_fd(fd);
+                }
+                MAYBE_TRAP_BEG;
+                ret = pcap_dispatch(cap->pcap, 1, handler, (u_char *)cap);
+                MAYBE_TRAP_END;
+            } while (ret == 0);
+            if (ret <= 0)
+                break;
+            if (cnt > 0) {
+                cnt -= ret;
+                if (cnt <= 0)
+                    break;
+            }
+        }
+    }
+    return INT2FIX(ret);
+}
+static VALUE
+capture_setfilter(argc, argv, self)
+     int argc;
+     VALUE *argv;
+     VALUE self;
+{
+    struct capture_object *cap;
+    VALUE vfilter, optimize;
+    char *filter;
+    int opt;
+    struct bpf_program program;
+    DEBUG_PRINT("capture_setfilter");
+    GetCapture(self, cap);
+    /* scan arg */
+    if (rb_scan_args(argc, argv, "11", &vfilter, &optimize) == 1) {
+        optimize = Qtrue;
+    }
+    /* check arg */
+    if (IsKindOf(vfilter, cFilter)) {
+        struct filter_object *f;
+        GetFilter(vfilter, f);
+        filter = f->expr;
+    } else {
+        Check_Type(vfilter, T_STRING);
+        filter = RSTRING_PTR(vfilter);
+    }
+    opt = RTEST(optimize);
+    /* operation */
+    if (pcap_compile(cap->pcap, &program, filter,
+                     opt, cap->netmask) < 0)
+        rb_raise(ePcapError, "setfilter: %s", pcap_geterr(cap->pcap));
+    if (pcap_setfilter(cap->pcap, &program) < 0)
+        rb_raise(ePcapError, "setfilter: %s", pcap_geterr(cap->pcap));
+    return Qnil;
+}
+static VALUE
+capture_datalink(self)
+     VALUE self;
+{
+    struct capture_object *cap;
+    DEBUG_PRINT("capture_datalink");
+    GetCapture(self, cap);
+    return INT2NUM(pcap_datalink(cap->pcap));
+}
+static VALUE
+capture_snapshot(self)
+     VALUE self;
+{
+    struct capture_object *cap;
+    DEBUG_PRINT("capture_snapshot");
+    GetCapture(self, cap);
+    return INT2NUM(pcap_snapshot(cap->pcap));
+}
+static VALUE
+capture_stats(self)
+     VALUE self;
+{
+    struct capture_object *cap;
+    struct pcap_stat stat;
+    VALUE v_stat;
+    DEBUG_PRINT("capture_stats");
+    GetCapture(self, cap);
+    if (pcap_stats(cap->pcap, &stat) == -1)
+        return Qnil;
+    v_stat = rb_funcall(cPcapStat, rb_intern("new"), 3,
+                        UINT2NUM(stat.ps_recv),
+                        UINT2NUM(stat.ps_drop),
+                        UINT2NUM(stat.ps_ifdrop));
+    return v_stat;
+}
+static VALUE
+capture_inject(self, v_buf)
+   VALUE self;
+   VALUE v_buf;
+{
+    struct capture_object *cap;
+    const void *buf;
+    size_t bufsiz;
+    int r;
+    DEBUG_PRINT("capture_inject");
+    GetCapture(self, cap);
+    Check_Type(v_buf, T_STRING);
+    buf = (void *)RSTRING_PTR(v_buf);
+    bufsiz = RSTRING_LEN(v_buf);
+    r = pcap_inject(cap->pcap, buf, bufsiz);
+    if (0 > r) {
+        rb_raise(ePcapError, "pcap_inject failure: %s", pcap_geterr(cap->pcap));
+    }
+    if (bufsiz != r) {
+        rb_raise(ePcapError, "pcap_inject expected to write %d but actually wrote %d", bufsiz, r);
+    }
+    return Qnil;
+}
+/*
+ * Dumper object
+ */
+struct dumper_object {
+    pcap_dumper_t *pcap_dumper;
+    int dl_type;
+    bpf_u_int32 snaplen;
+};
+static void
+closed_dumper()
+{
+    rb_raise(rb_eRuntimeError, "dumper is already closed");
+}
+#define GetDumper(obj, dumper) {\
+    Data_Get_Struct(obj, struct dumper_object, dumper);\
+    if (dumper->pcap_dumper == NULL) closed_dumper();\
+}
+/* called from GC */
+static void
+free_dumper(dumper)
+     struct dumper_object *dumper;
+{
+    DEBUG_PRINT("free_dumper");
+    if (dumper->pcap_dumper != NULL) {
+        DEBUG_PRINT("closing dumper");
+        pcap_dump_close(dumper->pcap_dumper);
+        dumper->pcap_dumper = NULL;
+    }
+    free(dumper);
+}
+static VALUE
+dumper_open(class, v_cap, v_fname)
+     VALUE class;
+     VALUE v_cap;
+     VALUE v_fname;
+{
+    struct dumper_object *dumper;
+    struct capture_object *cap;
+    pcap_dumper_t *pcap_dumper;
+    VALUE self;
+    DEBUG_PRINT("dumper_open");
+    CheckClass(v_cap, cCapture);
+    GetCapture(v_cap, cap);
+    Check_SafeStr(v_fname);
+    pcap_dumper = pcap_dump_open(cap->pcap, RSTRING_PTR(v_fname));
+    if (pcap_dumper == NULL) {
+        rb_raise(ePcapError, "dumper_open: %s", pcap_geterr(cap->pcap));
+    }
+    self = Data_Make_Struct(class, struct dumper_object, 0,
+                            free_dumper, dumper);
+    dumper->pcap_dumper = pcap_dumper;
+    dumper->dl_type = cap->dl_type;
+    dumper->snaplen = pcap_snapshot(cap->pcap);
+    return self;
+}
+static VALUE
+dumper_close(self)
+     VALUE self;
+{
+    struct dumper_object *dumper;
+    DEBUG_PRINT("dumper_close");
+    GetDumper(self, dumper);
+    pcap_dump_close(dumper->pcap_dumper);
+    dumper->pcap_dumper = NULL;
+    return Qnil;
+}
+static VALUE
+dumper_dump(self, v_pkt)
+     VALUE self;
+     VALUE v_pkt;
+{
+    struct dumper_object *dumper;
+    struct packet_object *pkt;
+    DEBUG_PRINT("dumper_dump");
+    GetDumper(self, dumper);
+    CheckClass(v_pkt, cPacket);
+    GetPacket(v_pkt, pkt);
+    if (pkt->hdr.dl_type != dumper->dl_type)
+        rb_raise(rb_eArgError, "Cannot dump this packet: data-link type mismatch");
+    if (pkt->hdr.pkthdr.caplen > dumper->snaplen)
+        rb_raise(rb_eArgError, "Cannot dump this packet: too large caplen");
+    pcap_dump((u_char *)dumper->pcap_dumper, &pkt->hdr.pkthdr, pkt->data);
+    return Qnil;
+}
+static VALUE
+dumper_dump_raw(self, v_buf)
+    VALUE self;
+    VALUE v_buf;
+{
+    struct dumper_object *dumper;
+    const u_char *buf;
+    struct pcap_pkthdr pkt_hdr;
+    DEBUG_PRINT("dumper_dump_raw");
+    GetDumper(self, dumper);
+    Check_Type(v_buf, T_STRING);
+    buf = (void *)RSTRING_PTR(v_buf);
+    gettimeofday(&(pkt_hdr.ts), NULL);
+    pkt_hdr.caplen = dumper->snaplen;
+    pkt_hdr.len = RSTRING_LEN(v_buf);
+    pcap_dump((u_char *)dumper->pcap_dumper, &pkt_hdr, buf);
+    return Qnil;
+}
+/*
+ * Filter object
+ */
+/* called from GC */
+static void
+mark_filter(filter)
+     struct filter_object *filter;
+{
+    rb_gc_mark(filter->param);
+    rb_gc_mark(filter->optimize);
+    rb_gc_mark(filter->netmask);
+}
+static void
+free_filter(filter)
+     struct filter_object *filter;
+{
+    free(filter->expr);
+    free(filter);
+    /*
+     * This cause memory leak because filter->program hold some memory.
+     * We overlook it because libpcap does not implement pcap_freecode().
+     */
+}
+static VALUE
+filter_new(argc, argv, class)
+     int argc;
+     VALUE *argv;
+     VALUE class;
+{
+    VALUE self, v_expr, v_optimize, v_capture, v_netmask;
+    struct filter_object *filter;
+    struct capture_object *capture;
+    pcap_t *pcap;
+    char *expr;
+    int n, optimize, snaplen, linktype;
+    bpf_u_int32 netmask;
+    n = rb_scan_args(argc, argv, "13", &v_expr, &v_capture,
+                     &v_optimize, &v_netmask);
+    /* filter expression */
+    Check_Type(v_expr, T_STRING);
+    expr = StringValuePtr(v_expr);
+    /* capture object */
+    if (IsKindOf(v_capture, cCapture)) {
+        CheckClass(v_capture, cCapture);
+        GetCapture(v_capture, capture);
+        pcap = capture->pcap;
+    } else if (NIL_P(v_capture)) {
+        /* assume most common case */
+        snaplen  = DEFAULT_SNAPLEN;
+        linktype = DEFAULT_DATALINK;
+        pcap = 0;
+    } else {
+        snaplen  = NUM2INT(rb_funcall(v_capture, rb_intern("[]"), 1, INT2FIX(0)));
+        linktype = NUM2INT(rb_funcall(v_capture, rb_intern("[]"), 1, INT2FIX(1)));
+        pcap = 0;
+    }
+    /* optimize flag */
+    optimize = 1;
+    if (n >= 3) {
+        optimize = RTEST(v_optimize);
+    }
+    /* netmask */
+    netmask = 0;
+    if (n >= 4) {
+        bpf_u_int32 mask = NUM2UINT(v_netmask);
+        netmask = htonl(mask);
+    }
+    filter = (struct filter_object *)xmalloc(sizeof(struct filter_object));
+    if (pcap) {
+        if (pcap_compile(pcap, &filter->program, expr, optimize, netmask) < 0)
+            rb_raise(ePcapError, "%s", pcap_geterr(pcap));
+        filter->datalink = pcap_datalink(pcap);
+        filter->snaplen  = pcap_snapshot(pcap);
+    } else {
+#ifdef HAVE_PCAP_COMPILE_NOPCAP
+        if (pcap_compile_nopcap(snaplen, linktype, &filter->program, expr, optimize, netmask) < 0)
+            /* libpcap-0.5 provides no error report for pcap_compile_nopcap */
+            rb_raise(ePcapError, "pcap_compile_nopcap error");
+        filter->datalink = linktype;
+        filter->snaplen  = snaplen;
+#else
+        rb_raise(rb_eArgError, "pcap_compile_nopcap needs libpcap-0.5 or later");
+#endif
+    }
+    self = Data_Wrap_Struct(class, mark_filter, free_filter, filter);
+    filter->expr        = strdup(expr);
+    filter->param       = v_capture;
+    filter->optimize    = optimize ? Qtrue : Qfalse;
+    filter->netmask     = INT2NUM(ntohl(netmask));
+    return self;
+}
+VALUE
+filter_match(self, v_pkt)
+    VALUE self, v_pkt;
+{
+    struct filter_object *filter;
+    struct packet_object *pkt;
+    struct pcap_pkthdr *h;
+    GetFilter(self, filter);
+    CheckClass(v_pkt, cPacket);
+    GetPacket(v_pkt, pkt);
+    h = &pkt->hdr.pkthdr;
+    if (filter->datalink != pkt->hdr.dl_type)
+        rb_raise(rb_eRuntimeError, "Incompatible datalink type");
+    if (filter->snaplen < h->caplen)
+        rb_raise(rb_eRuntimeError, "Incompatible snaplen");
+    if (bpf_filter(filter->program.bf_insns, pkt->data, h->len, h->caplen))
+        return Qtrue;
+    else
+        return Qfalse;
+}
+static VALUE
+filter_source(self)
+    VALUE self;
+{
+    struct filter_object *filter;
+    GetFilter(self, filter);
+    return rb_str_new2(filter->expr);
+}
+static VALUE
+new_filter(expr, param, optimize, netmask)
+    char *expr;
+    VALUE param, optimize, netmask;
+{
+    return rb_funcall(cFilter,
+                      rb_intern("new"), 4,
+                      rb_str_new2(expr), param, optimize, netmask);
+}
+static VALUE
+filter_or(self, other)
+    VALUE self, other;
+{
+    struct filter_object *filter, *filter2;
+    char *expr;
+    CheckClass(other, cFilter);
+    GetFilter(self, filter);
+    GetFilter(other, filter2);
+    expr = ALLOCA_N(char, strlen(filter->expr) + strlen(filter2->expr) + 16);
+    sprintf(expr, "( %s ) or ( %s )", filter->expr, filter2->expr);
+    return new_filter(expr, filter->param, filter->optimize, filter->netmask);
+}
+static VALUE
+filter_and(self, other)
+    VALUE self, other;
+{
+    struct filter_object *filter, *filter2;
+    char *expr;
+    CheckClass(other, cFilter);
+    GetFilter(self, filter);
+    GetFilter(other, filter2);
+    expr = ALLOCA_N(char, strlen(filter->expr) + strlen(filter2->expr) + 16);
+    sprintf(expr, "( %s ) and ( %s )", filter->expr, filter2->expr);
+    return new_filter(expr, filter->param, filter->optimize, filter->netmask);
+}
+static VALUE
+filter_not(self)
+    VALUE self;
+{
+    struct filter_object *filter;
+    char *expr;
+    GetFilter(self, filter);
+    expr = ALLOCA_N(char, strlen(filter->expr) + 16);
+    sprintf(expr, "not ( %s )", filter->expr);
+    return new_filter(expr, filter->param, filter->optimize, filter->netmask);
+}
+/*
+ * Class definition
+ */
+void
+Init_pcap(void)
+{
+    DEBUG_PRINT("Init_pcap");
+    /* define module Pcap */
+    mPcap = rb_define_module("Pcap");
+    rb_define_module_function(mPcap, "lookupdev", pcap_s_lookupdev, 0);
+    rb_define_module_function(mPcap, "findalldevs", pcap_s_findalldevs, 0);
+    rb_define_module_function(mPcap, "lookupnet", pcap_s_lookupnet, 1);
+    rb_global_variable(&rbpcap_convert);
+    rb_define_singleton_method(mPcap, "convert?", pcap_s_convert, 0);
+    rb_define_singleton_method(mPcap, "convert=", pcap_s_convert_set, 1);
+    rb_define_const(mPcap, "DLT_NULL",   INT2NUM(DLT_NULL));
+    rb_define_const(mPcap, "DLT_EN10MB", INT2NUM(DLT_EN10MB));
+    rb_define_const(mPcap, "DLT_EN3MB", INT2NUM(DLT_EN3MB));
+    rb_define_const(mPcap, "DLT_AX25", INT2NUM(DLT_AX25));
+    rb_define_const(mPcap, "DLT_PRONET", INT2NUM(DLT_PRONET));
+    rb_define_const(mPcap, "DLT_CHAOS", INT2NUM(DLT_CHAOS));
+    rb_define_const(mPcap, "DLT_IEEE802", INT2NUM(DLT_IEEE802));
+    rb_define_const(mPcap, "DLT_ARCNET", INT2NUM(DLT_ARCNET));
+    rb_define_const(mPcap, "DLT_SLIP", INT2NUM(DLT_SLIP));
+    rb_define_const(mPcap, "DLT_PPP", INT2NUM(DLT_PPP));
+    rb_define_const(mPcap, "DLT_FDDI", INT2NUM(DLT_FDDI));
+    rb_define_const(mPcap, "DLT_ATM_RFC1483", INT2NUM(DLT_ATM_RFC1483));
+#ifdef DLT_RAW
+    rb_define_const(mPcap, "DLT_RAW", INT2NUM(DLT_RAW));
+    rb_define_const(mPcap, "DLT_SLIP_BSDOS", INT2NUM(DLT_SLIP_BSDOS));
+    rb_define_const(mPcap, "DLT_PPP_BSDOS", INT2NUM(DLT_PPP_BSDOS));
+#endif
+    /* define class Capture */
+    cCapture = rb_define_class_under(mPcap, "Capture", rb_cObject);
+    rb_include_module(cCapture, rb_mEnumerable);
+    rb_define_singleton_method(cCapture, "open_live", capture_open_live, -1);
+    rb_define_singleton_method(cCapture, "open_offline", capture_open_offline, 1);
+    rb_define_singleton_method(cCapture, "open_dead", capture_open_dead, -1);
+    rb_define_method(cCapture, "close", capture_close, 0);
+    rb_define_method(cCapture, "dispatch", capture_dispatch, -1);
+    rb_define_method(cCapture, "loop", capture_loop, -1);
+    rb_define_method(cCapture, "each_packet", capture_loop, -1);
+    rb_define_method(cCapture, "each", capture_loop, -1);
+    rb_define_method(cCapture, "fh", capture_fh, -1);
+    rb_define_method(cCapture, "setfilter", capture_setfilter, -1);
+    rb_define_method(cCapture, "datalink", capture_datalink, 0);
+    rb_define_method(cCapture, "snapshot", capture_snapshot, 0);
+    rb_define_method(cCapture, "snaplen", capture_snapshot, 0);
+    rb_define_method(cCapture, "stats", capture_stats, 0);
+    rb_define_method(cCapture, "inject", capture_inject, 1);
+    /* define class Dumper */
+    cDumper = rb_define_class_under(mPcap, "Dumper", rb_cObject);
+    rb_define_singleton_method(cDumper, "open", dumper_open, 2);
+    rb_define_method(cDumper, "close", dumper_close, 0);
+    rb_define_method(cDumper, "dump", dumper_dump, 1);
+    rb_define_method(cDumper, "dump_raw", dumper_dump_raw, 1);
+    /* define class Filter */
+    cFilter = rb_define_class_under(mPcap, "Filter", rb_cObject);
+    rb_define_singleton_method(cFilter, "new", filter_new, -1);
+    rb_define_singleton_method(cFilter, "compile", filter_new, -1);
+    rb_define_method(cFilter, "=~", filter_match, 1);
+    rb_define_method(cFilter, "===", filter_match, 1);
+    rb_define_method(cFilter, "source", filter_source, 0);
+    rb_define_method(cFilter, "|", filter_or, 1);
+    rb_define_method(cFilter, "&", filter_and, 1);
+    rb_define_method(cFilter, "~@", filter_not, 0);
+    /*rb_define_method(cFilter, "&", filter_and, 1);*/
+    /* define class PcapStat */
+    cPcapStat = rb_struct_define(NULL, "recv", "drop", "ifdrop", NULL);
+    rb_define_const(mPcap, "Stat", cPcapStat);
+    /* define exception classes */
+    ePcapError       = rb_define_class_under(mPcap, "PcapError", rb_eStandardError);
+    eTruncatedPacket = rb_define_class_under(mPcap, "TruncatedPacket", ePcapError);
+    Init_packet();
+    rb_f_require(Qnil, rb_str_new2("pcap_misc"));
+}