Some years ago I made use of a Windows-based (and free) packet analyser tool, Packetyzer, from Network Chemistry. It did the job and proved to be invaluable for testing and building different packet headers – for projects just like this – but as a fan of Ruby, I had to see if this could be done in the language of my choice.
Just a few months ago I began doing a little research into GPRS packets for a potential ‘location-based’ mobile web service. To do this I was hoping to use Ruby and through pCap I was able to.
To start monitoring packets, you’ll first have to install libpcap – a low-level packet capture library (authored in C) – from LBNL’s Network Research Group. The libpcap library grabs packets from any network adaptor on your system, giving you the raw data to work with. This is immensely powerful: you could write listeners to monitor anything from email traffic to instant message conversations (provided the traffic isn’t encrypted, of course).
Next, to allow us to write Ruby code that interfaces with this library, you’ll need to install pcaplet – this Ruby binding library makes writing capture programs easy. It’s as simple as putting require 'pcaplet' at the head of your Ruby code and you’re off.
I was able to use these libraries to examine TCP/IP packets from my mobile device (sent via GPRS over TCP/IP) to my server. The following Ruby script extracted the information I was interested in (data addressed to HTTP) using a regular expression:
#!/usr/bin/env ruby
require 'pcaplet'

# create a sniffer that grabs the first 1500 bytes of each packet
$network = Pcaplet.new('-s 1500')

# create a filter that uses our query string and the sniffer we just made
$filter = Pcap::Filter.new('tcp and dst port 80', $network.capture)
$network.add_filter($filter)

# the packet sniffer loop
for p in $network
  # if the packet matches the filter and the regexp...
  if $filter =~ p and p.tcp_data =~ /GET(.*)HTTP.*/
    # print all packet data for each packet that matches
    puts p.tcp_data
  end
end
Then save this and run the script with something like:
ruby packet_filter_regex.rb   # you may need to run this as root if you have permission problems
The add_filter call, given the filter expression ‘tcp and dst port 80’, means all TCP traffic directed at port 80 on the adapter. This code will be a useful tool for me in another project – looking at streaming video and audio.
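The script above treats any payload that matches /GET(.*)HTTP.*/ as a request and prints it raw. Below is an added example (my own code, not from the original post or from pcaplet) that parses the request line and the Host header out of a TCP payload instead, and returns nil for segments that are not the start of an HTTP request (mid-stream data, responses, binary). It works on the payload string only, so it runs without libpcap or pcaplet installed; in the sniffer loop you would call it on p.tcp_data. The sample payloads are constructed, not captured traffic.

```ruby
# Added example: parse the HTTP request line and Host header from a raw
# TCP payload (the string pcaplet exposes as p.tcp_data). Not part of the
# original post; pcaplet is not required to run this.

# Request line as sent by an HTTP client: METHOD SP request-target SP HTTP/x.y CRLF
REQUEST_LINE = /\A([A-Z]+) (\S+) HTTP\/(\d\.\d)\r?\n/

# Returns { method:, path:, version:, host: } when the payload begins with
# an HTTP request, or nil for anything else (a later segment of a request,
# a response, or non-HTTP data). Unlike /GET(.*)HTTP.*/, it does not fire
# on payloads that merely contain the words GET and HTTP somewhere.
def parse_http_request(tcp_data)
  return nil if tcp_data.nil?
  m = REQUEST_LINE.match(tcp_data)
  return nil unless m

  # headers end at the first blank line; the body (if any) is ignored
  head, _body = tcp_data.split(/\r?\n\r?\n/, 2)
  host = nil
  head.split(/\r?\n/).drop(1).each do |line|
    name, value = line.split(':', 2)
    next unless name && value
    host = value.strip if name.strip.casecmp('host').zero?
  end

  { method: m[1], path: m[2], version: m[3], host: host }
end

# One-line summary suitable for a monitoring log, or nil if not a request
def request_summary(tcp_data)
  req = parse_http_request(tcp_data)
  return nil unless req
  "#{req[:method]} http://#{req[:host] || '?'}#{req[:path]} (HTTP/#{req[:version]})"
end

# Constructed sample payloads (not real captures)
SAMPLE_PACKETS = [
  "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n",
  "POST /upload HTTP/1.0\r\nHost: upload.example.com\r\nContent-Length: 0\r\n\r\n",
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>GET x HTTP</html>",
  "\x00\x01binary payload"
]

if __FILE__ == $0
  SAMPLE_PACKETS.each do |pkt|
    s = request_summary(pkt)
    puts s if s
  end
end
```

Run stand-alone it prints one line for each of the first two payloads and nothing for the response and the binary payload; the third payload is exactly the kind of string the post's regex would have printed in full.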
Another article at Linux.Ars roughly describes what is behind this and shows some more example Ruby scripts for packet monitoring (including an AIM chat sniffer). There are also a few more example filters on the pcaplet site.
Apr-07 UPDATE – Sylvain Sarmejeanne has just released Scruby, a Ruby application that works on UNIX and provides a shell where you can perform packet creation, sending and sniffing in a Ruby-esque fashion. It requires libpcap and uses PCapRub (a minimal PCAP wrapper) rather than using PCAP directly. The package is well documented and has an irb-like interface, accepting command line input for debugging.