Hi Everyone,
Can someone please explain why I don't see any output from the
following code? I'm stumped. By the way, "en1" is the name of my
network device. Thanks.
code:
require 'pcaplet'

include Pcap

x = Thread.new {
  # capture on the interface named en1
  pcaplet = Pcaplet.new("-i en1")

  # print "src:sport dst:dport" for every IP packet
  pcaplet.each_packet { |pkt|
    puts "#{pkt.src.to_num_s}:#{pkt.sport} #{pkt.dst.to_num_s}:#{pkt.dport}" if pkt.ip?
  }
}

x.join
i simplified your code, but it works..
pcaplet is quite old, you might try modifying some to remove deprecation warnings...
botp@pc4all:~/pcap$ cat test.rb
require 'pcaplet'
include Pcap
x = Thread.new {
pcaplet = Pcaplet.new("-i eth0")
pcaplet.each_packet { |pkt|
puts pkt
}
}
x.join
botp@pc4all:~/pcap$ sudo ruby test.rb
/usr/local/lib/ruby/site_ruby/1.8/i686-linux/pcap.so: warning: do not use Fixnums as Symbols
/usr/local/lib/ruby/site_ruby/1.8/i686-linux/pcap.so: warning: do not use Fixnums as Symbols
/usr/local/lib/ruby/site_ruby/1.8/i686-linux/pcap.so: warning: do not use Fixnums as Symbols
10.2.87.95:6771 > 239.192.152.143:6771 len 127 sum 35035
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A....
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A....
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A....
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A....
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A....
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A....
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP...
<ctl-c interrupt>
kind regards -botp
weird, i'm not seeing this behavior. I'm running on Mac OS X. I
wonder if that's a problem ...
I had to go with a fork model for OS X; something in pcap doesn't allow switching threads.
See Capture#run for a stupid-simple way of doing this:
http://segment7.net/projects/ruby/snippets/httpdump.rb
If you need better communication, instead of parsing #inspect output, use Marshal.dump and Marshal.load.
On Nov 16, 2007, at 07:55, kenny roytman wrote:
> weird, i'm not seeing this behavior. I'm running on Mac OS X. I
> wonder if that's a problem ...
--
Poor workers blame their tools. Good workers build better tools. The
best workers get their tools to do the work for them. -- Syndicate Wars
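
The fork-plus-Marshal approach suggested in the last reply, as an added example (not part of the original thread and not the code from httpdump.rb). It assumes a platform with fork; SAMPLE_PACKETS, each_sample_packet, capture_in_child and format_flow are hypothetical names, and the constructed sample records stand in for Pcaplet#each_packet so the script runs without libpcap or root.

```ruby
# Added example: capture in a forked child, stream records to the parent.
# SAMPLE_PACKETS is constructed data standing in for Pcaplet#each_packet,
# so this runs without libpcap or root. All names here are hypothetical.
SAMPLE_PACKETS = [
  { src: "10.2.10.123", sport: 2048, dst: "10.2.10.1",       dport: 22 },
  { src: "10.2.87.95",  sport: 6771, dst: "239.192.152.143", dport: 6771 }
].freeze

def each_sample_packet(&block)
  SAMPLE_PACKETS.each(&block)
end

# Run the capture loop in a child process and return [records, exit_status].
def capture_in_child
  reader, writer = IO.pipe
  [reader, writer].each(&:binmode)

  pid = fork do
    reader.close
    # Real use: Pcaplet.new("-i en1").each_packet { |pkt| ... } and build
    # the Hash from pkt; send only strings and integers, never pkt itself.
    each_sample_packet { |rec| Marshal.dump(rec, writer) }
    writer.close   # flushes buffered frames
    exit!(0)       # skip at_exit handlers inherited from the parent
  end

  writer.close     # parent must drop its write end or it never sees EOF
  records = []
  begin
    loop { records << Marshal.load(reader) }  # one object per call
  rescue EOFError
    # child closed the pipe: capture is over
  end
  reader.close
  Process.wait(pid)
  [records, $?.exitstatus]
end

# The "src:sport dst:dport" line the original script tried to print.
def format_flow(rec)
  "#{rec[:src]}:#{rec[:sport]} #{rec[:dst]}:#{rec[:dport]}"
end

if __FILE__ == $0
  records, status = capture_in_child
  records.each { |rec| puts format_flow(rec) }
  warn "capture child exited with status #{status}" unless status.zero?
end
```

Marshal.load can instantiate arbitrary objects, so feed it only from a pipe that your own child process writes, and have the child reduce each packet to plain strings and integers before dumping it.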