Sign upLogin

pcaprub/pcaprub

View on GitHub
Star
USAGE.rdoc

Summary

Maintainability
Test Coverage
= Usage of Pcaprub

Pcaprub is a ruby wrapper to the libpcap libary. It provides a common method to access the c bindings defined in libpcap. 

Many of the methods require the Pcap instance to be "ready". 

 - "Ready" is defined as being initiated with open_live open_dead or open_offline.
 
== Basics of Pcaprub  

  require "rubygems"
  require "pcaprub"

  mypcap = PCAPRUB::Pcap.new  
  
== Backwards Compatibility

Pcaprub is included automatically upon load. This mixes in ::Pcap for backwards compatibility.

  require "rubygems"
  require "pcaprub"

  mypcap = ::Pcap.new  


== Setting up a live Capture

  dev = PCAPRUB::Pcap.lookupdev

  snaplength = 65535
  promiscous_mode = true 
  timeout = 0 
  
  system("ifconfig", dev, "up")
  
  capture = ::Pcap.open_live(dev, snaplength, promiscous_mode, timeout)  
  
== Open an existing pcap file
  
  pcapfile = File.dirname(__FILE__) + "/foo.pcap"
  
  if(not File.exists?(pcapfile))
    raise RuntimeError, "The PCAP file #{pcapfile} could not be found"
  end
  
  capture = ::Pcap.open_offline(pcapfile)
  
== Setting a BPF Filter
  
  bpf = "ip and not net 10.0.0.0/8"
  
  capture.setfilter(bpf)

== Reading Capture Statistics

Packets Received 
  capture.stats['recv']

Packets Dropped  
    capture.stats['drop']

Packets Dropped by Interface
    capture.stats['ifdrop']

== Running the Capture

Sniffing a set number of packets and also letting the user Interrupt Early

  capture_packets = 100
  
  begin
    capture.each do |packet|
      p packet 
      # Handling the number of packets to process
      capture_packets -= 1
      if capture_packets == 0
        break
      end
    end
    
  # ^C to stop sniffing
  rescue Interrupt
    puts "\nPacket Capture stopped by interrupt signal."
    
  rescue Exception => e
    puts "\nERROR: #{e}"
    retry
  end
    
== Examining the DataLink

Ethernet or Linux loopback
  if capture.datalink == PCAPRUB::Pcap::DLT_EN10MB
    puts "Ethernet 10MB Link detected"
  end

== Examining Packet Internals

Sniffing and yielding Packet Objects using "each_packet"

  require 'pcaprub'
  SNAPLENGTH = 65535
  capture = PCAPRUB::Pcap.open_live('wlan0', SNAPLENGTH, true, 0)
  capture.setfilter('port 80')

  capture_packets = 10
  capture.each_packet do |packet|
    puts packet.class
    puts Time.at(packet.time)
    puts "micro => #{packet.microsec}"
    puts "Packet Length => #{packet.length}"
    p packet.data
    
    capture_packets -= 1
    if capture_packets == 0
      break
    end
  end  

  
== Using the Packet Dump Capabilities
Write to file Example.pcap the first 10 packets on eth0.

  require 'pcaprub'
  SNAPLENGTH = 65535
  capture = PCAPRUB::Pcap.open_live('eth0', SNAPLENGTH, true, 0)
  dumper = capture.dump_open('./Example.pcap')

  capture_packets = 10
  capture.each do |packet|
    capture.dump(packet.length, packet.length, packet)
    capture_packets -= 1
    if capture_packets == 0
      break
    end
  end
  
  capture.dump_close