ruby-pcap 0.7.8

data/ext/ruby_pcap.h

@@ -0,0 +1,134 @@
+/*
+ *  ruby_pcap.h
+ *
+ *  $Id: ruby_pcap.h,v 1.4 2000/08/13 06:56:15 fukusima Exp $
+ *
+ *  Copyright (C) 1998-2000  Masaki Fukushima
+ */
+
+#ifndef RUBY_PCAP_H
+#define RUBY_PCAP_H
+
+#include "ruby.h"
+#include <pcap.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+#ifndef IP_OFFMASK
+# define IP_OFFMASK 0x1fff
+#endif
+#ifdef linux
+# define __FAVOR_BSD
+#endif
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#ifdef DEBUG
+# define DEBUG_PRINT(x) do {\
+    ((RTEST(ruby_debug) && RTEST(ruby_verbose))?\
+    (fprintf(stderr, "%s\n", x),fflush(stderr)) : 0)\
+} while (0)
+#else
+# define DEBUG_PRINT(x) do {} while (0)
+#endif
+
+#define UINT32_2_NUM(i) rb_uint2inum(i)
+#ifndef UINT2NUM
+# define UINT2NUM(i) rb_uint2inum(i)
+#endif
+#define MIN(x, y)       ((x)<(y) ? (x) : (y))
+
+
+#define PACKET_MARSHAL_VERSION  1
+
+/* ruby config.h defines WORDS_BIGENDIAN if big-endian */
+struct packet_object_header {
+#ifdef WORDS_BIGENDIAN
+    u_char version:4;           /* marshal format version       */
+    u_char flags:4;             /* flags                        */
+#else
+    u_char flags:4;             /* flags                        */
+    u_char version:4;           /* marshal format version       */
+#endif
+#define POH_UDATA 0x01          /* flag: user data exists       */
+#define POH_RSVD1 0x02          /*       (reserved)             */
+#define POH_RSVD2 0x03          /*       (reserved)             */
+#define POH_RSVD3 0x04          /*       (reserved)             */
+    u_char dl_type;             /* data-link type (DLT_*)       */
+    u_short layer3_off;         /* layer 3 header offset        */
+    u_short layer4_off;         /* layer 4 header offset        */
+    u_short layer5_off;         /* layer 5 header offset        */
+#define OFF_NONEXIST 0xffff     /* offset value for non-existent layer  */
+    struct pcap_pkthdr pkthdr;  /* pcap packet header           */
+};
+
+struct packet_object {
+    struct packet_object_header hdr;    /* packet object header */
+    u_char *data;                       /* packet data          */
+    VALUE udata;                        /* user data            */
+};
+
+#define PKTFLAG_TEST(pkt, flag) ((pkt)->hdr.flags & (flag))
+#define PKTFLAG_SET(pkt, flag, val) \
+    ((val) ? ((pkt)->hdr.flags |= (flag)) : ((pkt)->hdr.flags &= ~(flag)))
+
+#define LAYER2_HDR(pkt) ((pkt)->data)
+#define LAYER3_HDR(pkt) ((pkt)->data + (pkt)->hdr.layer3_off)
+#define LAYER4_HDR(pkt) ((pkt)->data + (pkt)->hdr.layer4_off)
+#define LAYER5_HDR(pkt) ((pkt)->data + (pkt)->hdr.layer5_off)
+
+#define GetPacket(obj, pkt) Data_Get_Struct(obj, struct packet_object, pkt)
+#define Caplen(pkt, from) ((pkt)->hdr.pkthdr.caplen - (from))
+#define CheckTruncate(pkt, from, need, emsg) (\
+    (from) + (need) > (pkt)->hdr.pkthdr.caplen ? \
+        rb_raise(eTruncatedPacket, (emsg)) : 0 \
+)
+
+#define IsKindOf(v, class) RTEST(rb_obj_is_kind_of(v, class))
+#define CheckClass(v, class) ((IsKindOf(v, class)) ? 0 :\
+    rb_raise(rb_eTypeError, "wrong type %s (expected %s)",\
+        rb_class2name(CLASS_OF(v)), rb_class2name(class)))
+
+
+/* Pcap.c */
+extern VALUE mPcap, rbpcap_convert;
+extern VALUE ePcapError;
+extern VALUE eTruncatedPacket;
+extern VALUE cFilter;
+void Init_pcap(void);
+VALUE filter_match(VALUE self, VALUE v_pkt);
+
+/* packet.c */
+extern VALUE cPacket;
+void Init_packet(void);
+VALUE new_packet(const u_char *, const struct pcap_pkthdr *, int);
+
+/* ip_packet.c */
+#define IP_HDR(pkt)     ((struct ip *)LAYER3_HDR(pkt))
+#define IP_DATA(pkt)    ((u_char *)LAYER4_HDR(pkt))
+extern VALUE cIPPacket;
+void Init_ip_packet(void);
+VALUE setup_ip_packet(struct packet_object *, int);
+VALUE new_ipaddr(struct in_addr *);
+
+/* tcp_packet.c */
+extern VALUE cTCPPacket;
+void Init_tcp_packet(void);
+VALUE setup_tcp_packet(struct packet_object *, int);
+
+/* udp_packet.c */
+extern VALUE cUDPPacket;
+void Init_udp_packet(void);
+VALUE setup_udp_packet(struct packet_object *, int);
+
+/* icmp_packet.c */
+extern VALUE cICMPPacket;
+void Init_icmp_packet(void);
+VALUE setup_icmp_packet(struct packet_object *, int);
+
+#endif /* RUBY_PCAP_H */

data/ext/tcp_packet.c

@@ -0,0 +1,121 @@
+/*
+ *  tcp_packet.c
+ *
+ *  $Id: tcp_packet.c,v 1.1.1.1 1999/10/27 09:54:38 fukusima Exp $
+ *
+ *  Copyright (C) 1998, 1999  Masaki Fukushima
+ */
+
+#include "ruby_pcap.h"
+#include <limits.h>
+
+#define TCP_HDR(pkt)    ((struct tcphdr *)LAYER4_HDR(pkt))
+#define TCP_DATA(pkt)   ((u_char *)LAYER5_HDR(pkt))
+#define TCP_DATALEN(pkt) (ntohs(IP_HDR(pkt)->ip_len) - \
+    (IP_HDR(pkt)->ip_hl + TCP_HDR(pkt)->th_off) * 4)
+
+VALUE cTCPPacket;
+
+#define CheckTruncateTcp(pkt, need) \
+    CheckTruncate(pkt, pkt->hdr.layer4_off, need, "truncated TCP")
+
+VALUE
+setup_tcp_packet(pkt, tl_len)
+     struct packet_object *pkt;
+     int tl_len;
+{
+    VALUE class;
+
+    DEBUG_PRINT("setup_tcp_packet");
+
+    class = cTCPPacket;
+    if (tl_len > 20) {
+        int hl = TCP_HDR(pkt)->th_off * 4;
+        int layer5_len = tl_len - hl;
+        if (layer5_len > 0) {
+            pkt->hdr.layer5_off = pkt->hdr.layer4_off + hl;
+            /* upper layer */
+        }
+    }
+    return class;
+}
+
+#define TCPP_METHOD(func, need, val) \
+static VALUE\
+(func)(self)\
+     VALUE self;\
+{\
+    struct packet_object *pkt;\
+    struct tcphdr *tcp;\
+    DEBUG_PRINT(#func);\
+    GetPacket(self, pkt);\
+    CheckTruncateTcp(pkt, (need));\
+    tcp = TCP_HDR(pkt);\
+    return (val);\
+}
+
+TCPP_METHOD(tcpp_sport,   2, INT2FIX(ntohs(tcp->th_sport)))
+TCPP_METHOD(tcpp_dport,   4, INT2FIX(ntohs(tcp->th_dport)))
+TCPP_METHOD(tcpp_seq,     8, UINT32_2_NUM(ntohl(tcp->th_seq)))
+TCPP_METHOD(tcpp_acknum, 12, UINT32_2_NUM(ntohl(tcp->th_ack)))
+TCPP_METHOD(tcpp_off,    13, INT2FIX(tcp->th_off))
+TCPP_METHOD(tcpp_flags,  14, INT2FIX(tcp->th_flags))
+TCPP_METHOD(tcpp_win,    16, INT2FIX(ntohs(tcp->th_win)))
+TCPP_METHOD(tcpp_sum,    18, INT2FIX(ntohs(tcp->th_sum)))
+TCPP_METHOD(tcpp_urp,    20, INT2FIX(ntohs(tcp->th_urp)))
+
+#define TCPP_FLAG(func, flag) \
+    TCPP_METHOD(func, 14, (tcp->th_flags & flag) ? Qtrue : Qfalse)
+TCPP_FLAG(tcpp_fin, TH_FIN)
+TCPP_FLAG(tcpp_syn, TH_SYN)
+TCPP_FLAG(tcpp_rst, TH_RST)
+TCPP_FLAG(tcpp_psh, TH_PUSH)
+TCPP_FLAG(tcpp_ack, TH_ACK)
+TCPP_FLAG(tcpp_urg, TH_URG)
+
+static VALUE
+tcpp_data(self)
+     VALUE self;
+{
+    struct packet_object *pkt;
+    VALUE v_len;
+    int len;
+
+    DEBUG_PRINT("tcpp_data");
+    GetPacket(self, pkt);
+
+    if (pkt->hdr.layer5_off == OFF_NONEXIST) return Qnil;
+
+    len = MIN(Caplen(pkt, pkt->hdr.layer5_off), TCP_DATALEN(pkt));
+    if (len < 1) return Qnil;
+    return rb_str_new(TCP_DATA(pkt), len);
+}
+
+void
+Init_tcp_packet(void)
+{
+    DEBUG_PRINT("Init_tcp_packet");
+
+    /* define class TcpPacket */
+    cTCPPacket = rb_define_class_under(mPcap, "TCPPacket", cIPPacket);
+
+    rb_define_method(cTCPPacket, "tcp_sport", tcpp_sport, 0);
+    rb_define_method(cTCPPacket, "sport", tcpp_sport, 0);
+    rb_define_method(cTCPPacket, "tcp_dport", tcpp_dport, 0);
+    rb_define_method(cTCPPacket, "dport", tcpp_dport, 0);
+    rb_define_method(cTCPPacket, "tcp_seq", tcpp_seq, 0);
+    rb_define_method(cTCPPacket, "tcp_ack", tcpp_acknum, 0);
+    rb_define_method(cTCPPacket, "tcp_off", tcpp_off, 0);
+    rb_define_method(cTCPPacket, "tcp_hlen", tcpp_off, 0);
+    rb_define_method(cTCPPacket, "tcp_flags", tcpp_flags, 0);
+    rb_define_method(cTCPPacket, "tcp_win", tcpp_win, 0);
+    rb_define_method(cTCPPacket, "tcp_sum", tcpp_sum, 0);
+    rb_define_method(cTCPPacket, "tcp_urp", tcpp_urp, 0);
+    rb_define_method(cTCPPacket, "tcp_fin?", tcpp_fin, 0);
+    rb_define_method(cTCPPacket, "tcp_syn?", tcpp_syn, 0);
+    rb_define_method(cTCPPacket, "tcp_rst?", tcpp_rst, 0);
+    rb_define_method(cTCPPacket, "tcp_psh?", tcpp_psh, 0);
+    rb_define_method(cTCPPacket, "tcp_ack?", tcpp_ack, 0);
+    rb_define_method(cTCPPacket, "tcp_urg?", tcpp_urg, 0);
+    rb_define_method(cTCPPacket, "tcp_data", tcpp_data, 0);
+}

data/ext/udp_packet.c

@@ -0,0 +1,96 @@
+/*
+ *  udp_packet.c
+ *
+ *  $Id: udp_packet.c,v 1.1.1.1 1999/10/27 09:54:38 fukusima Exp $
+ *
+ *  Copyright (C) 1999  Masaki Fukushima
+ */
+
+#include "ruby_pcap.h"
+#include <limits.h>
+
+#define UDP_HDR(pkt)    ((struct udphdr *)LAYER4_HDR(pkt))
+#define UDP_DATA(pkt)   ((u_char *)LAYER5_HDR(pkt))
+#define UDP_LENGTH(pkt) (ntohs(UDP_HDR(pkt)->uh_ulen))
+
+VALUE cUDPPacket;
+
+#define CheckTruncateUdp(pkt, need) \
+    CheckTruncate(pkt, pkt->hdr.layer4_off, need, "truncated UDP")
+
+VALUE
+setup_udp_packet(pkt, tl_len)
+     struct packet_object *pkt;
+     int tl_len;
+{
+    VALUE class;
+
+    DEBUG_PRINT("setup_udp_packet");
+
+    class = cUDPPacket;
+    if (tl_len > 8) {
+        int hl = 8;
+        int layer5_len;
+
+        tl_len = MIN(tl_len, UDP_LENGTH(pkt));
+        layer5_len = tl_len - hl;
+        if (layer5_len > 0) {
+            pkt->hdr.layer5_off = pkt->hdr.layer4_off + hl;
+            /* upper layer */
+        }
+    }
+    return class;
+}
+
+#define UDPP_METHOD(func, need, val) \
+static VALUE\
+(func)(self)\
+     VALUE self;\
+{\
+    struct packet_object *pkt;\
+    struct udphdr *udp;\
+    DEBUG_PRINT(#func);\
+    GetPacket(self, pkt);\
+    CheckTruncateUdp(pkt, (need));\
+    udp = UDP_HDR(pkt);\
+    return (val);\
+}
+
+UDPP_METHOD(udpp_sport,   2, INT2FIX(ntohs(udp->uh_sport)))
+UDPP_METHOD(udpp_dport,   4, INT2FIX(ntohs(udp->uh_dport)))
+UDPP_METHOD(udpp_len,     6, INT2FIX(ntohs(udp->uh_ulen)))
+UDPP_METHOD(udpp_sum,     8, INT2FIX(ntohs(udp->uh_sum)))
+
+static VALUE
+udpp_data(self)
+    VALUE self;
+{
+    struct packet_object *pkt;
+    int len;
+
+    DEBUG_PRINT("udpp_data");
+    GetPacket(self, pkt);
+    CheckTruncateUdp(pkt, 8);
+
+    if (pkt->hdr.layer5_off == OFF_NONEXIST) return Qnil;
+
+    len = MIN(Caplen(pkt, pkt->hdr.layer5_off), UDP_LENGTH(pkt)-8);
+    return rb_str_new(UDP_DATA(pkt), len);
+}
+
+void
+Init_udp_packet(void)
+{
+    DEBUG_PRINT("Init_udp_packet");
+
+    /* define class UdpPacket */
+    cUDPPacket = rb_define_class_under(mPcap, "UDPPacket", cIPPacket);
+
+    rb_define_method(cUDPPacket, "udp_sport", udpp_sport, 0);
+    rb_define_method(cUDPPacket, "sport", udpp_sport, 0);
+    rb_define_method(cUDPPacket, "udp_dport", udpp_dport, 0);
+    rb_define_method(cUDPPacket, "dport", udpp_dport, 0);
+    rb_define_method(cUDPPacket, "udp_len", udpp_len, 0);
+    rb_define_method(cUDPPacket, "udp_sum", udpp_sum, 0);
+    rb_define_method(cUDPPacket, "udp_data", udpp_data, 0);
+}

data/lib/pcap_misc.rb

@@ -0,0 +1,80 @@
+
+module Pcap
+  class Packet
+    def to_s
+      'Some packet'
+    end
+
+    def inspect
+      "#<#{self.class}: #{self}>"
+    end
+  end
+
+  class IPPacket
+    def to_s
+      "#{ip_src} > #{ip_dst}"
+    end
+  end
+
+  class TCPPacket
+    def tcp_data_len
+      ip_len - 4 * (ip_hlen + tcp_hlen)
+    end
+
+    def tcp_flags_s
+      return \
+	(tcp_urg? ? 'U' : '.') +
+	(tcp_ack? ? 'A' : '.') +
+	(tcp_psh? ? 'P' : '.') +
+	(tcp_rst? ? 'R' : '.') +
+	(tcp_syn? ? 'S' : '.') +
+        (tcp_fin? ? 'F' : '.')
+    end
+
+    def to_s
+      "#{src}:#{sport} > #{dst}:#{dport} #{tcp_flags_s}"
+    end
+
+    def src_mac_address
+      return unpack_hex_string(raw_data[6, 12])
+    end
+
+    def dst_mac_address
+      return unpack_hex_string(raw_data[0, 6])
+    end
+
+    def unpack_hex_string(hex)
+      return hex.unpack('H2H2H2H2H2H2').join('')
+    end
+  end
+
+  class UDPPacket
+    def to_s
+      "#{src}:#{sport} > #{dst}:#{dport} len #{udp_len} sum #{udp_sum}"
+    end
+  end
+
+  class ICMPPacket
+    def to_s
+      "#{src} > #{dst}: icmp: #{icmp_typestr}"
+    end
+  end
+
+  #
+  # Backword compatibility
+  #
+  IpPacket = IPPacket
+  IpAddress = IPAddress
+  TcpPacket = TCPPacket
+  UdpPacket = UDPPacket
+
+end
+
+class Time
+  # tcpdump style format
+  def tcpdump
+    sprintf "%0.2d:%0.2d:%0.2d.%0.6d", hour, min, sec, tv_usec
+  end
+end
+
+autoload :Pcaplet, 'pcaplet'

data/lib/pcaplet.rb

@@ -0,0 +1,127 @@
+require 'pcap'
+require 'optparse'
+
+def pcaplet_usage()
+  $stderr.print <<END
+Usage: #{File.basename $0} [ -dnv ] [ -i interface | -r file ]
+       #{' ' * File.basename($0).length} [ -c count ] [ -s snaplen ] [ filter ]
+Options:
+  -n  do not convert address to name
+  -d  debug mode
+  -v  verbose mode
+END
+end
+
+module Pcap
+  class Pcaplet
+    def usage(status, msg = nil)
+      $stderr.puts msg if msg
+      pcaplet_usage
+      exit(status)
+    end
+
+    def initialize(args = nil)
+      if args
+        ARGV[0,0] = args.split(/\s+/)
+      end
+      @device = nil
+      @rfile = nil
+      @count = -1
+      @snaplen = 68
+      @log_packets = false
+      @duplicated = nil
+
+      opts = OptionParser.new do |opts|
+        opts.on('-d') {$DEBUG = true}
+        opts.on('-v') {$VERBOSE = true}
+        opts.on('-n') {Pcap.convert = false}
+        opts.on('-i IFACE') {|s| @device = s}
+        opts.on('-r FILE') {|s| @rfile = s}
+        opts.on('-c COUNT', OptionParser::DecimalInteger) {|i| @count = i}
+        opts.on('-s LEN', OptionParser::DecimalInteger) {|i| @snaplen = i}
+        opts.on('-l') { @log_packets = true }
+      end
+      begin
+        opts.parse!
+      rescue
+        usage(1)
+      end
+
+      @filter = ARGV.join(' ')
+
+      # check option consistency
+      usage(1) if @device && @rfile
+      if !@device and !@rfile
+        @device = Pcap.lookupdev
+      end
+
+      # open
+      begin
+        if @device
+          @capture = Capture.open_live(@device, @snaplen)
+        elsif @rfile
+          if @rfile !~ /\.gz$/
+            @capture = Capture.open_offline(@rfile)
+          else
+            $stdin = IO.popen("gzip -dc < #@rfile", 'r')
+            @capture = Capture.open_offline('-')
+          end
+        end
+        @capture.setfilter(@filter)
+      rescue PcapError, ArgumentError
+        $stdout.flush
+        $stderr.puts $!
+        exit(1)
+      end
+    end
+
+    attr('capture')
+
+    def add_filter(f)
+      if @filter == nil || @filter =~ /^\s*$/  # if empty
+        @filter = f
+      else
+        f = f.source if f.is_a? Filter
+        @filter = "( #{@filter} ) and ( #{f} )"
+      end
+      @capture.setfilter(@filter)
+    end
+
+    def each_packet(&block)
+      begin
+        @duplicated ||= (RUBY_PLATFORM =~ /linux/ && @device == "lo")
+        if !@duplicated
+          @capture.loop(@count, &block)
+        else
+          flip = true
+          @capture.loop(@count) do |pkt|
+            flip = (! flip)
+            next if flip
+
+            block.call pkt
+          end
+        end
+      rescue Exception => e
+        $stderr.puts "exception when looping over each packet loop: #{e.inspect}"
+        raise
+      ensure
+        # print statistics if live
+        if @device && @log_packets
+          stat = @capture.stats
+          if stat
+            $stderr.print("#{stat.recv} packets received by filter\n");
+            $stderr.print("#{stat.drop} packets dropped by kernel\n");
+          end
+        end
+      end
+    end
+
+    alias :each :each_packet
+
+    def close
+      @capture.close
+    end
+  end
+end
+
+Pcaplet = Pcap::Pcaplet