Packet Capture with Ruby, pcaplet and libpcap


Some years ago I made use of a Windows based (and free) packet analsyer tool Packetyzer, from Network Chemistry) It did the job and proved to be invaluable for testing and building different packet headers – for projects just like this – but as a fan of Ruby, I had to see if this could be done in the language of my choice.

Just a few months ago I began doing a little research into GPRS packets for a potential ‘location-based’ mobile web service. To do this I was hoping to use Ruby and through pCap I was able to.

To start monitoring packets, you’ll first have to install libpcap – a low level packet capture library (authored in C) – from LBNL’s Network Research Group. The libpcap library grabs packets from any network adaptor on your system, giving you the raw data to work with. Doing this is immensely powerful, you could write listeners to monitor anything from email traffic to instant message conversations (provided the traffic isn’t encrypted of course).

Next, to allow us to write Ruby code to interface with this library, you’ll need to install pcaplet – This Ruby binding library makes writing capture programs easy. Its as simple as using require ‘pcaplet’ at the head of your Ruby code and your off.

I was able to use these libraries to examine TCP/IP packets from my mobile device (sent via GPRS over TCP/IP) to my server. The following Ruby script extracted the information I was interested in (data addressed to HTTP) using a regular expression;

#!/usr/bin/env ruby

require 'pcaplet'

# create a sniffer that grabs the first 1500 bytes of each packet
$network ='-s 1500')

# create a filter that uses our query string and the sniffer we just made
$filter ='tcp and dst port 80', $network.capture)

# the packet sniffer loop
for p in $network
  # if the packet matches the filter and the regexp...
  if $filter =~ p and p.tcp_data =~ /GET(.*)HTTP.*/
    # print all packet data for each packet that matches
     puts p.tcp_data

Then save this and run the script with something like;

ruby packet_filter_regex.rb 
# you may need to run this as root if you have permission problems

The add_filter function, with ‘tcp and dst port 80’ – means all tcp traffic directed at port 80 on the adapter. This code will be a useful tool for me in another project -looking at streaming video and audio.

Another article at Linux.Ars roughly describes what is behind this and shows some more example Ruby scripts for packet monitoring (including an aim chat sniffer). There are also a few more example filters on the pcaplet site.

Apr-07 UPDATESylvain Sarmejeanne has just released Scruby a Ruby application that works on UNIX providing a shell where you can perform packet creation, sending and sniffing functions in a Ruby-esque fashion. It requires libpcap and uses PCapRub (a mininal PCAP wrapper) rather than using PCAP directly. The package is well documented and has an irb-like interface, accepting command line input for debugging.

2 comments so far

  • photo of zell zell May 05, 2011

    what if we only want to get DNS query and replies.. what filter should we put in the add_filter function? can u tell me? im new in this and trying to learn.

  • photo of Matthew Hutchinson Matthew Hutchinson May 05, 2011

    Apologies but this post is now some 4 years old and i’m no longer familiar with this library.

Leave a comment