Class: Mu::Pcap::Pkthdr

Inherits:

Object

• Object
• Mu::Pcap::Pkthdr

Defined in:

lib/mu/pcap/pkthdr.rb

Constant Summary

FMT_NNNN =

'NNNN'

FMT_VVVV =

'VVVV'

BSD_AF_INET6 =

See wiki.wireshark.org/NullLoopback and epan/aftypes.h in wireshark code.

[
    OPENBSD_AF_INET6 = 24,
    FREEBSD_AF_INET6 = 28,
    DARWIN_AF_INET6 = 30
]

Instance Attribute Summary

• #caplen ⇒ Object

  Returns the value of attribute caplen.

• #endian ⇒ Object

  Returns the value of attribute endian.

• #len ⇒ Object

  Returns the value of attribute len.

• #pkt ⇒ Object

  Returns the value of attribute pkt.

• #pkt_raw ⇒ Object

  Returns the value of attribute pkt_raw.

• #ts_sec ⇒ Object

  Returns the value of attribute ts_sec.

• #ts_usec ⇒ Object

  Returns the value of attribute ts_usec.

Class Method Summary

• .decode_en10mb(bytes) ⇒ Object
• .decode_linux_sll(bytes) ⇒ Object
• .decode_null(endian, bytes) ⇒ Object
• .read(io, endian = BIG_ENDIAN) ⇒ Object

Instance Method Summary

• #==(other) ⇒ Object
• #decode!(endian, linktype) ⇒ Object
• #initialize(endian = BIG_ENDIAN, ts_sec = 0, ts_usec = 0, caplen = 0, len = 0, pkt = nil) ⇒ Pkthdr constructor

  A new instance of Pkthdr.

• #write(io) ⇒ Object

Constructor Details

#initialize(endian = BIG_ENDIAN, ts_sec = 0, ts_usec = 0, caplen = 0, len = 0, pkt = nil) ⇒ Pkthdr

Returns a new instance of Pkthdr.

# File 'lib/mu/pcap/pkthdr.rb', line 11

def initialize endian=BIG_ENDIAN, ts_sec=0, ts_usec=0, caplen=0, len=0, pkt=nil
    @endian = endian
    @ts_sec = ts_sec
    @ts_usec = ts_usec
    @caplen = caplen
    @len = len
    @pkt = pkt
    @pkt_raw = pkt
end

Instance Attribute Details

#caplen ⇒ Object

Returns the value of attribute caplen.

# File 'lib/mu/pcap/pkthdr.rb', line 9

def caplen
  @caplen
end

#endian ⇒ Object

Returns the value of attribute endian.

# File 'lib/mu/pcap/pkthdr.rb', line 9

def endian
  @endian
end

#len ⇒ Object

Returns the value of attribute len.

# File 'lib/mu/pcap/pkthdr.rb', line 9

def len
  @len
end

#pkt ⇒ Object

Returns the value of attribute pkt.

# File 'lib/mu/pcap/pkthdr.rb', line 9

def pkt
  @pkt
end

#pkt_raw ⇒ Object

Returns the value of attribute pkt_raw.

# File 'lib/mu/pcap/pkthdr.rb', line 9

def pkt_raw
  @pkt_raw
end

#ts_sec ⇒ Object

Returns the value of attribute ts_sec.

# File 'lib/mu/pcap/pkthdr.rb', line 9

def ts_sec
  @ts_sec
end

#ts_usec ⇒ Object

Returns the value of attribute ts_usec.

# File 'lib/mu/pcap/pkthdr.rb', line 9

def ts_usec
  @ts_usec
end

Class Method Details

.decode_en10mb(bytes) ⇒ Object

# File 'lib/mu/pcap/pkthdr.rb', line 115

def self.decode_en10mb bytes
    return Ethernet.from_bytes(bytes)
end

.decode_linux_sll(bytes) ⇒ Object

# File 'lib/mu/pcap/pkthdr.rb', line 119

def self.decode_linux_sll bytes
    Pcap.assert bytes.length >= 16, 'Truncated PCAP packet header: ' +
        "expected at least 16 bytes, got #{bytes.length} bytes"
    packet_type, link_type, addr_len = bytes.unpack('nnn')
    type = bytes[14, 2].unpack('n')[0]
    bytes = bytes[16..-1]
    ethernet = Ethernet.new
    ethernet.type = type
    ethernet.src = '00:01:01:00:00:01'
    ethernet.dst = '00:01:01:00:00:02'
    ethernet.payload = ethernet.payload_raw = bytes 
    begin
        case type
        when Ethernet::ETHERTYPE_IP
            ethernet.payload = IPv4.from_bytes ethernet.payload
        when Ethernet::ETHERTYPE_IP6
            ethernet.payload = IPv6.from_bytes ethernet.payload
        end
    rescue ParseError => e
        Pcap.warning e
    end
    return ethernet
end

.decode_null(endian, bytes) ⇒ Object

# File 'lib/mu/pcap/pkthdr.rb', line 80

def self.decode_null endian, bytes
    Pcap.assert bytes.length >= 4, 'Truncated PCAP packet header: ' +
        "expected at least 4 bytes, got #{bytes.length} bytes"
    if endian == BIG_ENDIAN
        format = 'N'
    elsif endian == LITTLE_ENDIAN
        format = 'V'
    end
    family = bytes[0, 4].unpack(format)[0]
    bytes = bytes[4..-1]
    ethernet = Ethernet.new
    ethernet.src = '00:01:01:00:00:01'
    ethernet.dst = '00:01:01:00:00:02'
    ethernet.payload = ethernet.payload_raw = bytes
    if family != Socket::AF_INET and family != Socket::AF_INET6 and
            not BSD_AF_INET6.include?(family)
        raise ParseError, "Unknown PCAP packet header family: #{family}"
    end
    begin
        case family
        when Socket::AF_INET
            ethernet.type = Ethernet::ETHERTYPE_IP
            ethernet.payload = IPv4.from_bytes ethernet.payload
        when Socket::AF_INET6, FREEBSD_AF_INET6, OPENBSD_AF_INET6, DARWIN_AF_INET6
            ethernet.type = Ethernet::ETHERTYPE_IP6
            ethernet.payload = IPv6.from_bytes ethernet.payload
        else
            raise NotImplementedError
        end
    rescue ParseError => e
        Pcap.warning e
    end
    return ethernet
end

.read(io, endian = BIG_ENDIAN) ⇒ Object

# File 'lib/mu/pcap/pkthdr.rb', line 23

def self.read io, endian=BIG_ENDIAN
    if endian == BIG_ENDIAN
        format = FMT_NNNN
    elsif endian == LITTLE_ENDIAN
        format = FMT_VVVV
    end
    bytes = io.read 16
    if not bytes 
        raise EOFError, 'Missing PCAP packet header'
    end
    if not bytes.length == 16
        raise ParseError, "Truncated PCAP packet header: expected 16 bytes, got #{bytes.length} bytes"
    end
    ts_sec, ts_usec, caplen, len = bytes.unpack format
    pkt = io.read(caplen)
    if not pkt 
        raise ParseError, 'Missing PCAP packet header packet'
    end
    if not pkt.length == caplen
        raise ParseError, "Truncated PCAP packet header: expected #{pkthdr.caplen} bytes, got #{pkthdr.pkt.length} bytes"
    end
    pkthdr = Pkthdr.new endian, ts_sec, ts_usec, caplen, len, pkt
    return pkthdr
end

Instance Method Details

#==(other) ⇒ Object

# File 'lib/mu/pcap/pkthdr.rb', line 143

def == other
    return self.class == other.class &&
        self.endian   == other.endian &&
        self.ts_sec   == other.ts_sec &&
        self.ts_usec  == other.ts_usec &&
        self.caplen   == other.caplen &&
        self.len      == other.len &&
        self.pkt      == other.pkt
end

#decode!(endian, linktype) ⇒ Object

# File 'lib/mu/pcap/pkthdr.rb', line 62

def decode! endian, linktype
    @pkt = case linktype
    when DLT_NULL;      Pkthdr.decode_null endian, @pkt
    when DLT_EN10MB;    Pkthdr.decode_en10mb @pkt
    when DLT_RAW;       raise NotImplementedError
    when DLT_LINUX_SLL; Pkthdr.decode_linux_sll @pkt
    else raise ParseError, "Unknown PCAP linktype: #{linktype}"
    end
end

#write(io) ⇒ Object

# File 'lib/mu/pcap/pkthdr.rb', line 48

def write io
    if @pkt.is_a? String
        pkt = @pkt
    else
        string_io = StringIO.new
        @pkt.write string_io
        pkt = string_io.string
    end
    len = pkt.length
    bytes = [@ts_sec, @ts_usec, len, len].pack FMT_NNNN
    io.write bytes
    io.write pkt
end