Ruby/pcap with threads

Hi Everyone,

Can someone please explain why I don’t see any output from the
following code? I’m stumped. By the way, “en1” is the name of my
network device. Thanks.

code:

  require 'pcaplet'

  include Pcap

  # start the capture in a background thread
  x = Thread.new {
    pcaplet = Pcaplet.new("-i en1")

    pcaplet.each_packet { |pkt|
      puts "#{pkt.src.to_num_s}:#{pkt.sport} #{pkt.dst.to_num_s}:#{pkt.dport}" if pkt.ip?
    }
  }

  # block the main thread until the capture thread ends
  x.join

I simplified your code, but it works…
pcaplet is quite old; you might try modifying it some to remove the deprecation
warnings…

botp@pc4all:~/pcap$ cat test.rb
require 'pcaplet'
include Pcap
x = Thread.new {
  pcaplet = Pcaplet.new("-i eth0")
  pcaplet.each_packet { |pkt|
    puts pkt
  }
}
x.join

botp@pc4all:~/pcap$ sudo ruby test.rb
/usr/local/lib/ruby/site_ruby/1.8/i686-linux/pcap.so: warning: do not
use Fixnums as Symbols
/usr/local/lib/ruby/site_ruby/1.8/i686-linux/pcap.so: warning: do not
use Fixnums as Symbols
/usr/local/lib/ruby/site_ruby/1.8/i686-linux/pcap.so: warning: do not
use Fixnums as Symbols
10.2.87.95:6771 > 239.192.152.143:6771 len 127 sum 35035
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
10.2.10.123:2048 > pc4all.bugo.dmpi:22 .A…
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…

kind regards -botp

On Nov 16, 2:05 am, Peña, Botp wrote:

pcaplet = Pcaplet.new("-i eth0")
10.2.87.95:6771 > 239.192.152.143:6771 len 127 sum 35035
pc4all.bugo.dmpi:22 > 10.2.10.123:2048 .AP…
kind regards -botp

Weird, I'm not seeing this behavior. I'm running on Mac OS X. I
wonder if that's a problem …

On Nov 16, 2007, at 07:55 , kenny roytman wrote:

Weird, I'm not seeing this behavior. I'm running on Mac OS X. I
wonder if that's a problem …

I had to go with a fork model for OS X, something in pcap doesn’t
allow switching threads.

See Capture#run for a stupid-simple way of doing this:

http://segment7.net/projects/ruby/snippets/httpdump.rb

If you need better communication, instead of parsing #inspect output,
use Marshal.dump and Marshal.load.
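The fork model suggested above, as an added example that is not code from this thread or from httpdump.rb: the child process runs the blocking capture loop and ships one record per packet to the parent over a pipe with Marshal.dump, and the parent rebuilds them with Marshal.load. capture_packets and SAMPLE_PACKETS are assumed stand-ins for Pcaplet#each_packet and a live interface so the script runs without libpcap.

```ruby
# Fork-model capture: the child process owns the blocking pcap loop and
# streams one record per packet to the parent over a pipe with Marshal.dump;
# the parent rebuilds the records with Marshal.load. Assumption: capture_packets
# stands in for Pcaplet#each_packet so this file runs without libpcap.

# Constructed sample packets standing in for a live capture on the interface.
SAMPLE_PACKETS = [
  { src: "10.2.10.123", sport: 2048, dst: "10.2.87.95", dport: 22 },
  { src: "10.2.87.95", sport: 22, dst: "10.2.10.123", dport: 2048 },
  { src: "10.2.87.95", sport: 6771, dst: "239.192.152.143", dport: 6771 },
].freeze

# Yields one Hash per packet. The real capture belongs here, in the child,
# where a blocking pcap loop cannot stall the parent:
#   require 'pcaplet'
#   Pcap::Pcaplet.new("-i #{interface}").each_packet do |pkt|
#     next unless pkt.ip?
#     block.call(src: pkt.src.to_num_s, sport: pkt.sport,
#                dst: pkt.dst.to_num_s, dport: pkt.dport)
#   end
def capture_packets(interface, &block)
  SAMPLE_PACKETS.each(&block)
end

# Forks the capture child and returns the records the parent received.
def fork_capture(interface)
  reader, writer = IO.pipe
  pid = fork do
    reader.close                       # child only writes
    begin
      capture_packets(interface) { |rec| Marshal.dump(rec, writer) }
    ensure
      writer.close                     # EOF on the pipe signals completion
    end
  end
  writer.close                         # parent only reads
  records = []
  # eof? blocks until the child sends data or closes its end of the pipe
  records << Marshal.load(reader) until reader.eof?
  reader.close
  Process.wait(pid)
  raise "capture child failed" unless $?.success?
  records
end

# Same summary the thread's one-liner prints, built in the parent.
def summarize(rec)
  "#{rec[:src]}:#{rec[:sport]} > #{rec[:dst]}:#{rec[:dport]}"
end

fork_capture("en1").each { |rec| puts summarize(rec) } if $PROGRAM_NAME == __FILE__
```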