Status of libpcap

Hi all,

I found the ruby-libpcap library from http://www.goto.info.waseda.ac.jp/~fukusima/ruby/pcap-e.html but unfortunately this library seems quite a bit old (based on libpcap-0.6 I think).

So I was wondering if you know of another library to handle pcap files in ruby or if someone is working on a newer version for this library. If not, I could try to update it to handle the last version of libpcap.

Thanks,

Ghislain MARY

I've used that library and linked against libpcap 0.8.3. I don't think the
libpcap API has changed much.

The only change I made was to correct a run-time warning to do with symbols.
See patch below.

diff -ur orig/pcap/Pcap.c pcap/Pcap.c
--- orig/pcap/Pcap.c Sun Aug 13 06:56:31 2000
+++ pcap/Pcap.c Tue Dec 9 02:08:19 2003
@@ -782,9 +782,9 @@
     /* define class PcapStat */
     cPcapStat = rb_funcall(rb_cStruct, rb_intern("new"), 4,
                           Qnil,
- INT2NUM(rb_intern("recv")),
- INT2NUM(rb_intern("drop")),
- INT2NUM(rb_intern("ifdrop")));
+ ID2SYM(rb_intern("recv")),
+ ID2SYM(rb_intern("drop")),
+ ID2SYM(rb_intern("ifdrop")));
     rb_define_const(mPcap, "Stat", cPcapStat);

     /* define exception classes */
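
Review bot: The ID2SYM change at the Struct.new call for cPcapStat covers this one call only, and the patch does not show whether other rb_intern results in the extension are still wrapped in INT2NUM. A search for INT2NUM(rb_intern( across the pcap sources would confirm that no other call still passes an ID as an integer where a Symbol is expected. A short comment above the call saying that the member names must be Symbols would also keep the conversion from being reverted later.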

On Sat, 09 Apr 2005 00:15:14 +0900, Ghislain Mary wrote:

So I was wondering if you know of another library to handle pcap files
in ruby or if someone is working on a newer version for this library. If
not, I could try to update it to handle the last version of libpcap.

I've used that library and linked against libpcap 0.8.3. I don't think the
libpcap API has changed much.

A dumpfile of e.g. Ethereal sometimes causes exceptions when opened by
Pcap::Capture.open_offline, seems some new structures are not (yet)
handled by the Ruby bindings.

The only change I made was to correct a run-time warning to do with symbols.
See patch below.

This fixes the warnings, thanks!

Martin

Jonathan Paisley <jp-www@dcs.gla.ac.uk> wrote:

Hi,

Martin Pirker wrote:

I've used that library and linked against libpcap 0.8.3. I don't think the
libpcap API has changed much.

A dumpfile of e.g. Ethereal sometimes causes exceptions when opened by
Pcap::Capture.open_offline, seems some new structures are not (yet)
handled by the Ruby bindings.

Yes, that's exactly the problem I'm having. I try to load a capture of IEEE802.11 frames with prism headers. Opening my capture file with Pcap::Capture.open_offline and trying to iterate over each packet, I get a PcapError telling me "Unknow data-link type 119", which corresponds to the libpcap constant DLT_PRISM_HEADER. So I have managed to define this constant in ruby-pcap. But that is not sufficient. But as it is done for now, in packet.c the struct datalinks supposes that the ids of the different datalink types are incremented by 1, whereas this is not the case, having gaps between different constants in the libpcap. So it looks like this is not that easy to make work. I'll keep telling here what I find, and if someone could help me that would be very cool :)

Ghislain
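
The table-layout problem described in the post above, as an added example (not code from ruby-pcap or from any poster in this thread): a datalink table keyed by the libpcap DLT value instead of by array position, so gaps such as the jump to 119 do not matter and an unknown or truncated input is rejected rather than indexed. The `ex_` names, the row layout and the fixed header lengths are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Data-link type numbers with libpcap's values; note the gaps between them. */
enum { EX_DLT_NULL = 0, EX_DLT_EN10MB = 1,
       EX_DLT_LINUX_SLL = 113, EX_DLT_PRISM_HEADER = 119 };

/* Hypothetical table row: the key travels with the data. */
struct ex_datalink {
    int         dlt;      /* libpcap DLT_* value */
    const char *name;
    size_t      hdr_len;  /* fixed link-layer header length in bytes (assumed) */
};

/* Sparse table: array position carries no meaning, only .dlt does. */
static const struct ex_datalink ex_datalinks[] = {
    { EX_DLT_NULL,         "NULL",         4   },
    { EX_DLT_EN10MB,       "EN10MB",       14  },
    { EX_DLT_LINUX_SLL,    "LINUX_SLL",    16  },
    { EX_DLT_PRISM_HEADER, "PRISM_HEADER", 144 },
};

/* Return the row for dlt, or NULL when the type is not in the table. */
static const struct ex_datalink *ex_lookup(int dlt)
{
    size_t i;
    for (i = 0; i < sizeof ex_datalinks / sizeof ex_datalinks[0]; i++)
        if (ex_datalinks[i].dlt == dlt)
            return &ex_datalinks[i];
    return NULL;
}

/* Offset of the data following the link-layer header, or -1 when the type
 * is unknown or the captured length is shorter than that header. */
static long ex_payload_offset(int dlt, size_t caplen)
{
    const struct ex_datalink *dl = ex_lookup(dlt);
    if (dl == NULL || caplen < dl->hdr_len)
        return -1;
    return (long)dl->hdr_len;
}

int main(void)
{
    int dlts[] = { EX_DLT_EN10MB, EX_DLT_PRISM_HEADER, 2 /* not in table */ };
    size_t i;
    for (i = 0; i < sizeof dlts / sizeof dlts[0]; i++)
        printf("dlt %d -> offset %ld\n", dlts[i], ex_payload_offset(dlts[i], 256));
    return 0;
}
```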

Jonathan Paisley <jp-www@dcs.gla.ac.uk> wrote: