Class PacketFu::Capture
In: lib/packetfu/capture.rb
Parent: Object

The Capture class is used to construct PcapRub objects in order to collect packets from an interface.

This class requires PcapRub. In addition, you will need root (or root-like) privileges in order to capture from the interface.

Note, on some wireless cards, setting :promisc => true will disable capturing.

Example

 # Typical use
 cap = PacketFu::Capture.new(:iface => 'eth0', :promisc => true)
 cap.start
 sleep 10
 cap.save
 first_packet = cap.array[0]

 # Tcpdump-like use
 cap = PacketFu::Capture.new(:start => true)
 cap.show_live(:save => true, :filter => 'tcp and not port 22')

See Also

Read, Write

Methods

bpf   capture   clear   new   next   save   setup_params   show_live   start   w2a   wire_to_array  

Attributes

array  [RW] 
iface  [R] 
promisc  [R] 
snaplen  [R] 
stream  [RW] 
timeout  [R] 

Public Class methods

Public Instance methods

bpf(args={})

bpf() sets a bpf filter on a capture session. Valid arugments are: 

  :filter
    Provide a bpf filter to enable for the capture. For example, 'ip and not tcp'
capture(args={})

capture() initializes the @stream varaible. Valid arguments are: 

  :filter
    Provide a bpf filter to enable for the capture. For example, 'ip and not tcp'
  :start
    When true, start capturing packets to the @stream variable. Defaults to true
clear(args={})

clear() clears the @stream and @array variables, essentially starting the capture session over. Valid arguments are: 

  :array
    If true, the @array is cleared.
  :stream
    If true, the @stream is cleared.
next()

next() exposes the Stream object‘s next method to the outside world.

save(args={})

save() is a equivalent to wire_to_array()

show_live(args={})

show_live() is a method to capture packets and display peek() data to stdout. Valid arguments are: 

  :filter
    Provide a bpf filter to captured packets.
  :save
    Save the capture in @array
  :verbose
    TODO: Not implemented yet; do more than just peek() at the packets.
  :quiet
    TODO: Not implemented yet; do less than peek() at the packets.
start(args={})

start() is equivalent to capture().

w2a(args={})

w2a() is a equivalent to wire_to_array()

wire_to_array(args={})

wire_to_array() saves a packet stream as an array of binary strings. From here, packets may accessed by other functions. Note that the wire_to_array empties the stream, so multiple calls will append new packets to @array. Valid arguments are: 

  :filter
    Provide a bpf filter to apply to packets moving from @stream to @array.

[Validate]