Class PacketFu::PcapFile
In: lib/packetfu/pcap.rb
Parent: Struct.new(:endian, :head, :body)

PcapFile is a complete libpcap file struct, made up of two elements, a PcapHeader and PcapPackets.

See wiki.wireshark.org/Development/LibpcapFileFormat

Methods

a2f   a2f!   append   array_to_file   array_to_file!   clear   f2a   file_to_array   init_fields   new   read   read!   readfile   to_f   to_file   to_s   write  

Included Modules

StructFu

Public Class methods

Public Instance methods

a2f(args={})

Alias for array_to_file

a2f!(arr)

Alias for array_to_file!

append(filename='out.pcap')

Shorthand method for appending to a file. Can take either :file => ‘name.pcap’ or simply ‘name.pcap‘

array_to_file(args={})

Takes an array of packets (as generated by file_to_array), and writes them to a file. Valid arguments are: 

  :filename
  :array      # Can either be an array of packet data, or a hash-value pair of timestamp => data.
  :timestamp  # Sets an initial timestamp
  :ts_inc     # Sets the increment between timestamps. Defaults to 1 second.
  :append     # If true, then the packets are appended to the end of a file.
array_to_file!(arr)

Just like array_to_file, but clears any existing packets from the array first.

clear()

Clears the contents of the PcapFile.

f2a(args={})

Alias for file_to_array

file_to_array(args={})

file_to_array() translates a libpcap file into an array of packets. Note that this strips out pcap timestamps — if you‘d like to retain timestamps and other libpcap file information, you will want to use read() instead.

Note, invoking this requires the somewhat clumsy sytax of, PcapFile.new.file_to_array(:f => ‘filename.pcap’)

init_fields(args={})

Called by initialize to set the initial fields.

read(str)

Reads a string to populate the object. Note that this appends new packets to any existing packets in the PcapFile.

read!(str)

Clears the contents of the PcapFile prior to reading in a new string.

readfile(file)

A shorthand method for opening a file and reading in the packets. Note that readfile clears any existing packets, since that seems to be the typical use.

to_f(args={})

Alias for to_file

to_file(args={})

Writes the PcapFile to a file. Takes the following arguments: 

  :filename # The file to write to.
  :append   # If set to true, the packets are appended to the file, rather than overwriting.
to_s()

Returns the object in string form.

write(filename='out.pcap')

Shorthand method for writing to a file. Can take either :file => ‘name.pcap’ or simply ‘name.pcap‘

[Validate]