  • Stars
    24
  • Rank 954,203 (Top 20 %)
  • Language
    Crystal
  • License
    MIT License
  • Created almost 8 years ago
  • Updated almost 4 years ago

Repository Details

Crystal bindings for libpcap

pcap.cr

Crystal high level bindings for libpcap.

  • crystal-libpcap (libpcap.cr) is a set of low-level bindings for libpcap created by [puppetpies].

  • pcap.cr wraps it and provides a rich, ruby-pcap-like interface for packets.

  • Crystal: 0.31.1 0.32.1 0.33.0 0.34.0

  • x86_64 binary: https://github.com/maiha/pcap.cr/releases

Usage : loop with handler

  • Pcap::Capture#loop : NoReturn

is the easiest way to read all packets; it loops forever. tcpdump uses this style to capture packets.

require "pcap"

pcap = Pcap::Capture.open_live("eth0")
pcap.setfilter("tcp port 80")
pcap.loop do |pkt|
  if pkt.tcp_data?
    # p pkt.ether_header
    # p pkt.ip_header
    # p pkt.tcp_header
    p pkt.tcp_data.to_s
  end
end

"GET / HTTP/1.1\r\nHost: localhost\r\nUser-Agent: curl/7.47.0\r\nAccept: */*\r\n\r\n"
"HTTP/1.1 200 OK\r\nServer: nginx/1.10.0 (Ubuntu)\r\nDate: Mon, 13 Jun 2016 ...

Usage : reads a packet without blocking

  • Pcap::Capture#next_ex : Pcap::NextError | Pcap::Packet

reads the next packet without blocking.

pkt = pcap.next_ex
case pkt
when Pcap::Packet            ; # use pkt as you like
when Pcap::NextError::Timeout; # try again
when Pcap::NextError::Error  ; abort "libpcap error"
when Pcap::NextError::EOF    ; # found only in offline mode
end

  • Pcap::Capture#get? : Pcap::Packet?

is the easiest way to read a single packet. This API blocks, because get? = next_ex + timeout retry.

if pkt = pcap.get?
  puts pkt
else
  abort "EOF reached"
end

22:36:51.327153 IP 127.0.0.1.56903 > 127.0.0.1.6379: Flags [S], seq 3742863884, win 43690, length 0

Status

  • support only tcp

TODO

  • libpcap api (0.1.0)
  • Crystal closure support in Pcap::Handler (0.2.0)
  • Ether Header (0.1.0)
    • parse
    • inspect
  • Ip Header (0.1.0)
    • parse
    • inspect
  • Tcp Header (0.1.0)
    • parse
    • inspect
  • Udp Header
    • parse
    • inspect
  • Other Headers
    • parse
    • inspect
  • Test
    • Pcap::Capture offline

Installation

Add this to your application's shard.yml:

dependencies:
  pcap:
    github: maiha/pcap.cr
    version: 0.6.1

And then

$ shards update

Example applications

filtertest

Tests a pcap-filter expression string.

$ filtertest 'tcp'
$ filtertest 'tcp 80'
syntax error
$ filtertest 'tcp port 80'
$ filtertest -f filter.data # for large string

(When the filter is valid, this command displays no output.)

tcpsniffer

  • (run as root)

$ crystal examples/tcpsniffer.cr

# (or binary)
$ tcpsniffer -p 6379
$ tcpsniffer -f '(tcp port 80) or (tcp port 8080)'
$ tcpsniffer -i eth0 -p 10080
  • send some packets to your specified port by curl localhost
12:29:01.445261 IP 127.0.0.1.56016 > 127.0.0.1.80: Flags [S], seq 746220255, win 43690, length 0
12:29:01.445282 IP 127.0.0.1.80 > 127.0.0.1.56016: Flags [SA], seq 4032610561, ack 746220256, win 43690, length 0
further output
  • -x prints hexdump of packets
$ tcpsniffer -x
12:30:12.305080 IP 127.0.0.1.56018 > 127.0.0.1.80: Flags [S], seq 4253528483, win 43690, length 0
        0x0000:  0000 0000 0000 0000 0000 0000 0800 4500  ..............E.
        0x0010:  003c 8c99 4000 4006 b020 7f00 0001 7f00  .<..@.@.. ......
        0x0020:  0001 dad2 0050 fd87 b1a3 0000 0000 a002  .....P..........
        0x0030:  aaaa fe30 0000 0204 ffd7 0402 080a 092a  ...0...........*
        0x0040:  3d3a 0000 0000 0103 0307                 =:........
  • -v prints packet structures (calls inspect internally)
$ tcpsniffer -v
--------------------------------------------------------------------------------
Packet Header
  Time         : 2016-06-11 22:42:09 +0900 (1465652529.994580)
  Packet Size  : 68 (total: 74) bytes

Ethernet Header
  Destination eth addr  : 00:00:00:00:00:00
  Source ether addr     : 00:00:00:00:00:00
  Packet type ID        : IPv4 (2048)

IpHeader
  Version         : 4
  Header Length   : 5 words (20 bytes)
  Service Type    : 0
  Total Length    : 60
  Identification  : 4307
  Flags           : 16384
  TTL             : 64
  Protocol        : 6
  Header Checksum : 11239
  Src IP Addr     : 127.0.0.1
  Dst IP Addr     : 127.0.0.1
...
  • -d prints only packets where tcp data exist
  • -b prints body oriented format (body mode)
  • -x ignore all packets that contain only white spaces
$ tcpsniffer -b -d
17:12:24.261729: "GET / HTTP/1.1\r\nHost: localhost\r\nUser-Agent: curl/7.47.0\r\nAccept: */*\r\n\r\n"
17:12:24.262003: "HTTP/1.1 200 OK\r\nServer: nginx/1.10.0 (Ubuntu)\r\nDate: Mon, 13 Jun 2016 ...
  • -W DIR writes each packet's TCP data to its own file in DIR
$ tcpsniffer -p 6379 -d -W pcap
16:37:03.683540 IP 127.0.0.1.52182 > 127.0.0.1.6379: Flags [PA], seq 3176296709, ack 3372892385, win 342, length 14
16:37:03.683611 IP 127.0.0.1.6379 > 127.0.0.1.52182: Flags [PA], seq 3372892385, ack 3176296723, win 342, length 7

$ redis-cli ping
PONG

$ ls -l pcap
-rw-r--r-- 1 root root 14 Mar  6 16:37 1.pcap
-rw-r--r-- 1 root root  7 Mar  6 16:37 2.pcap

$ hd pcap/1.pcap
00000000  2a 31 0d 0a 24 34 0d 0a  50 49 4e 47 0d 0a        |*1..$4..PING..|
0000000e

$ hd pcap/2.pcap
00000000  2b 50 4f 4e 47 0d 0a                              |+PONG..|
00000007
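
When triaging a capture it helps to cross-check the sniffer's summary line against the raw bytes. The following is an added example, not part of pcap.cr or its README: a small Python decoder, independent of the library, that rebuilds the summary from the `tcpsniffer -x` dump shown earlier and verifies the IPv4 header checksum. The function names are hypothetical, and the flag letters beyond the S, P and A seen in the output above are an assumption.

```python
import re
import socket
import struct

# Dump lines copied from the `tcpsniffer -x` output above (indentation dropped).
HEXDUMP = """
0x0000:  0000 0000 0000 0000 0000 0000 0800 4500  ..............E.
0x0010:  003c 8c99 4000 4006 b020 7f00 0001 7f00  .<..@.@.. ......
0x0020:  0001 dad2 0050 fd87 b1a3 0000 0000 a002  .....P..........
0x0030:  aaaa fe30 0000 0204 ffd7 0402 080a 092a  ...0...........*
0x0040:  3d3a 0000 0000 0103 0307                 =:........
"""

def dump_to_bytes(dump):
    """Take up to 8 hex groups per line, skipping the offset and the ASCII gutter."""
    pat = r"^\s*0x[0-9a-f]+:\s+((?:(?:[0-9a-f]{2}){1,2} ?){1,8})"
    return b"".join(bytes.fromhex(m.group(1).replace(" ", ""))
                    for m in re.finditer(pat, dump, re.M | re.I))

def ip_checksum_ok(header):
    """RFC 1071: the one's-complement sum over an intact header folds to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(frame):
    """Decode Ethernet II / IPv4 / TCP, checking every length field before use.
    Returns (summary line without timestamp, IPv4 checksum verdict)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if ihl < 20 or frame[23] != 6 or total_len < ihl + 20 or 14 + total_len > len(frame):
        raise ValueError("not a well-formed TCP segment")
    sport, dport, seq, ack, off_flags, win = struct.unpack_from("!HHIIHH", frame, 14 + ihl)
    doff = (off_flags >> 12) * 4
    if doff < 20 or ihl + doff > total_len:
        raise ValueError("bad TCP data offset")
    src, dst = (socket.inet_ntoa(frame[o:o + 4]) for o in (26, 30))
    # Assumed letter per flag bit, lowest bit first: FIN SYN RST PSH ACK URG.
    flags = "".join(c for i, c in enumerate("FSRPAU") if off_flags >> i & 1)
    ack_txt = f", ack {ack}" if "A" in flags else ""
    line = (f"IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], seq {seq}{ack_txt}, "
            f"win {win}, length {total_len - ihl - doff}")
    return line, ip_checksum_ok(frame[14:14 + ihl])
```

`decode(dump_to_bytes(HEXDUMP))` yields the same addresses, ports, flags, sequence number and window as the line tcpsniffer printed above the dump; a frame cut short or carrying inconsistent length fields raises `ValueError` instead of being read past its end.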

replay

  • -r file reads from pcap file (same as tcpdump -r)
# record packets by root with tcpdump
$ tcpdump -i lo -s 0 -w /tmp/redis.dump 'port 6379'

# in other shell
$ redis-cli ping

# stop tcpdump by `Ctrl-c`

# replay by tcpsniffer
$ tcpsniffer -r /tmp/redis.dump -p 6379 -b -d
reading from file: /tmp/redis.dump
11:47:14.001208: "*1\r\n$4\r\nping\r\n"
11:47:14.001569: "+PONG\r\n"

Contributing

  1. Fork it ( https://github.com/maiha/pcap.cr/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request
