Class: PacketFu::PcapHeader

Inherits:

Struct

• Object
• Struct
• PacketFu::PcapHeader

Includes:

StructFu

Defined in:

lib/packetfu/pcap.rb

Overview

PcapHeader represents the header portion of a libpcap file (the packets themselves are in the PcapPackets array). See wiki.wireshark.org/Development/LibpcapFileFormat for details.

Depending on the endianness (set with :endian), elements are either :little endian or :big endian.

PcapHeader Definition

Symbol  :endian     Default: :little
Int32   :magic      Default: 0xa1b2c3d4 # :big is 0xd4c3b2a1
Int16   :ver_major  Default: 2
Int16   :ver_minor  Default: 4
Int32   :thiszone
Int32   :sigfigs
Int32   :snaplen    Default: 0xffff
Int32   :network    Default: 1

Constant Summary

MAGIC_INT32 =

0xa1b2c3d4

MAGIC_LITTLE =

[MAGIC_INT32].pack("V")

MAGIC_BIG =

[MAGIC_INT32].pack("N")

Instance Attribute Summary

• #endian ⇒ Object

  Returns the value of attribute endian.

• #magic ⇒ Object

  Returns the value of attribute magic.

• #network ⇒ Object

  Returns the value of attribute network.

• #sigfigs ⇒ Object

  Returns the value of attribute sigfigs.

• #snaplen ⇒ Object

  Returns the value of attribute snaplen.

• #thiszone ⇒ Object

  Returns the value of attribute thiszone.

• #ver_major ⇒ Object

  Returns the value of attribute ver_major.

• #ver_minor ⇒ Object

  Returns the value of attribute ver_minor.

Instance Method Summary

• #init_fields(args = {}) ⇒ Object

  Called by initialize to set the initial fields.

• #initialize(args = {}) ⇒ PcapHeader constructor

  A new instance of PcapHeader.

• #read(str) ⇒ Object

  Reads a string to populate the object.

• #to_s ⇒ Object

  Returns the object in string form.

Methods included from StructFu

#body=, #clone, #set_endianness, #sz, #typecast

Methods inherited from Struct

#force_binary

Constructor Details

#initialize(args = {}) ⇒ PcapHeader

Returns a new instance of PcapHeader.

# File 'lib/packetfu/pcap.rb', line 53

def initialize(args={})
  set_endianness(args[:endian] ||= :little)
  init_fields(args)
  super(args[:endian], args[:magic], args[:ver_major],
        args[:ver_minor], args[:thiszone], args[:sigfigs],
        args[:snaplen], args[:network])
end

Instance Attribute Details

#endian ⇒ Object

Returns the value of attribute endian

Returns:

• (Object) —

  the current value of endian

# File 'lib/packetfu/pcap.rb', line 45

def endian
  @endian
end

#magic ⇒ Object

Returns the value of attribute magic

Returns:

• (Object) —

  the current value of magic

# File 'lib/packetfu/pcap.rb', line 45

def magic
  @magic
end

#network ⇒ Object

Returns the value of attribute network

Returns:

• (Object) —

  the current value of network

# File 'lib/packetfu/pcap.rb', line 45

def network
  @network
end

#sigfigs ⇒ Object

Returns the value of attribute sigfigs

Returns:

• (Object) —

  the current value of sigfigs

# File 'lib/packetfu/pcap.rb', line 45

def sigfigs
  @sigfigs
end

#snaplen ⇒ Object

Returns the value of attribute snaplen

Returns:

• (Object) —

  the current value of snaplen

# File 'lib/packetfu/pcap.rb', line 45

def snaplen
  @snaplen
end

#thiszone ⇒ Object

Returns the value of attribute thiszone

Returns:

• (Object) —

  the current value of thiszone

# File 'lib/packetfu/pcap.rb', line 45

def thiszone
  @thiszone
end

#ver_major ⇒ Object

Returns the value of attribute ver_major

Returns:

• (Object) —

  the current value of ver_major

# File 'lib/packetfu/pcap.rb', line 45

def ver_major
  @ver_major
end

#ver_minor ⇒ Object

Returns the value of attribute ver_minor

Returns:

• (Object) —

  the current value of ver_minor

# File 'lib/packetfu/pcap.rb', line 45

def ver_minor
  @ver_minor
end

Instance Method Details

#init_fields(args = {}) ⇒ Object

Called by initialize to set the initial fields.

# File 'lib/packetfu/pcap.rb', line 62

def init_fields(args={})
  args[:magic] = @int32.new(args[:magic] || PcapHeader::MAGIC_INT32)
  args[:ver_major] = @int16.new(args[:ver_major] || 2)
  args[:ver_minor] ||= @int16.new(args[:ver_minor] || 4)
  args[:thiszone] ||= @int32.new(args[:thiszone])
  args[:sigfigs] ||= @int32.new(args[:sigfigs])
  args[:snaplen] ||= @int32.new(args[:snaplen] || 0xffff)
  args[:network] ||= @int32.new(args[:network] || 1)
  return args
end

#read(str) ⇒ Object

Reads a string to populate the object. TODO: Need to test this by getting a hold of a big endian pcap file. Conversion from big to little shouldn’t be that big of a deal.

# File 'lib/packetfu/pcap.rb', line 81

def read(str)
  force_binary(str)
  return self if str.nil?
  str.force_encoding(Encoding::BINARY) if str.respond_to? :force_encoding
  if str[0,4] == self[:magic].to_s
    self[:magic].read str[0,4]
    self[:ver_major].read str[4,2]
    self[:ver_minor].read str[6,2]
    self[:thiszone].read str[8,4]
    self[:sigfigs].read str[12,4]
    self[:snaplen].read str[16,4]
    self[:network].read str[20,4]
  else
    raise "Incorrect magic for libpcap"
  end
  self
end

#to_s ⇒ Object

Returns the object in string form.

# File 'lib/packetfu/pcap.rb', line 74

def to_s
  self.to_a[1,7].map {|x| x.to_s}.join
end